Checklist Cloud IAM • least privilege • guardrails
IAM least privilege.
A fast checklist to reduce cloud blast radius and catch risky permission changes quickly. Works across AWS, Azure, and GCP.
Least privilege checklist
Make the control plane boring: explicit, auditable, and hard to abuse.
1. Access model
- SSO for human access and MFA for all privileged access.
- Separate human roles from workload/service identities.
- Break-glass role with audited, exceptional use.
2. Remove wildcards
- Replace broad actions with workflow-specific permissions.
- Scope policies to resources and environments.
- Separate read-only from write/change permissions.
3. CI/CD isolation
- Build, deploy, and admin roles are separate.
- CI tokens are short-lived and tied to specific repos/environments.
- Deployment approvals exist for production changes where required.
4. Credential hygiene
- Prefer short-lived tokens and workload identity over long-lived keys.
- Rotate and revoke credentials on schedule and on personnel changes.
- Detect and alert on new key creation and new trust relationships.
5. Monitoring for risky changes
- Log all policy changes, role grants, and trust relationship changes.
- Detect risky diffs (wildcards, admin grants, new federation paths).
- Alert on changes outside approved pipelines.
6. Guardrails
- Policy-as-code checks for IAM changes.
- Baseline configuration and drift detection.
- Quarterly review cadence for privileged roles and critical policies.
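An added example (not part of this checklist or of any vendor tooling) of a policy-as-code check in the sense of items 5 and 6: it lints AWS IAM policy JSON for wildcard actions and resources, admin grants, and anonymous or federated principals, and reports only the findings a proposed change introduces relative to the current policy. The ADMIN_ACTIONS subset, the account id and the sample trust policies are constructed for illustration.

```python
import json

# Illustrative (not exhaustive) set of actions that let a principal widen its own access.
ADMIN_ACTIONS = {"*", "iam:*", "iam:AttachRolePolicy", "iam:PutRolePolicy",
                 "iam:CreatePolicyVersion", "iam:UpdateAssumeRolePolicy"}

def _as_list(value):
    """Most IAM fields accept a string or a list; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def findings(policy):
    """Return the set of (finding, statement_index) for one policy document (dict)."""
    found = set()
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue  # only grants widen blast radius
        actions = set(_as_list(st.get("Action")))
        if any(a == "*" or a.endswith(":*") for a in actions):
            found.add(("wildcard-action", i))
        if "*" in _as_list(st.get("Resource")):
            found.add(("wildcard-resource", i))
        if actions & ADMIN_ACTIONS:
            found.add(("admin-grant", i))
        principal = st.get("Principal")  # present only in trust policies
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        if "*" in aws_principals:
            found.add(("anonymous-principal", i))
        if isinstance(principal, dict) and "Federated" in principal:
            found.add(("federated-principal", i))  # a new federation path into the role
    return found

def risky_diff(before_json, after_json):
    """Findings the proposed policy introduces that the current one does not have."""
    return sorted(findings(json.loads(after_json)) - findings(json.loads(before_json)))

# Constructed sample: a deploy role's trust policy before and after a proposed change.
BEFORE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/ci-runner"}}]})
AFTER = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/ci-runner"}},
    {"Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
     "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/idp.example"}}]})

if __name__ == "__main__":
    for finding, idx in risky_diff(BEFORE, AFTER):
        print(f"BLOCK: {finding} in statement {idx}")  # prints: BLOCK: federated-principal in statement 1
```

Wire `risky_diff` into the pipeline step that proposes the change and fail the step on any result; findings already present in the current policy are left to the periodic review in item 6 rather than blocking unrelated changes.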
Want a least-privilege matrix for your cloud?
We can map workflows to permissions, ship policy changes, and set up monitoring for risky diffs. Lex supports teams in India and globally.