Cloud IAM best practices: least privilege that actually holds
On this page
- The mental model: identities, roles, policies
- 1. Grant least privilege, from zero up
- 2. Require MFA for every human
- 3. Eliminate long-lived access keys
- 4. Use SSO: one human, one identity
- 5. Give workloads service identities, not embedded keys
- 6. Attach permissions to groups, not people
- 7. Log and review, on a schedule
- The checklist
- Same ideas, different names
- FAQ
- What does least privilege mean in cloud IAM?
- Are long-lived access keys really that dangerous?
- Is SSO worth it for a team of five?
- What is the difference between a user and a role?
- How often should we review IAM permissions?
Almost every serious cloud incident traces back to a credential: a leaked key, an over-permissioned account, an ex-employee login that still worked. IAM is where you decide, in advance, how much a single stolen credential can cost you. Here is the setup that holds up, and the habits that keep it that way.
The mental model: identities, roles, policies
Three concepts carry the whole system, whatever your provider calls them:
- Identities are the actors: humans (you, your engineers) and machines (an app server, a CI pipeline, a scheduled job).
- Policies are permission documents: which actions are allowed on which resources.
- Roles are bundles of policies with no password or key of their own. An identity assumes a role and receives short-lived credentials for the session, then they expire.
The entire discipline below reduces to one sentence: give every identity its own name, route its permissions through roles, and keep every credential short-lived.
1. Grant least privilege, from zero up
Start every identity at nothing and add the specific permissions its job requires. Never start at admin intending to trim later; nobody trims later. The point is blast radius: credentials leak (when, not if), and least privilege decides whether that leak reads one bucket or empties the account.
Practical version: use the provider’s pre-built job-function roles (read-only, billing, a service-specific admin) rather than hand-writing policies on day one, and reserve full admin for two or three named people. Perfect custom policies can come later; “developers are not account admins” cannot wait.
2. Require MFA for every human
Enforce multi-factor authentication account-wide through your identity provider: authenticator app or hardware key, not SMS if you can avoid it. Passwords get phished and reused regardless of strength; MFA is the control that stops a stolen password from becoming a takeover, and it is free. If your root or owner identity does not have MFA yet, stop reading and fix that first.
3. Eliminate long-lived access keys
A static access key is a password that never expires, works from anywhere, and lives in plaintext wherever it was pasted. Keys committed to a public repository are found and exploited by scanners within minutes, and the first thing the attacker does is spin up crypto miners on your bill.
Replace them: engineers get short-lived sessions through SSO (AWS IAM Identity Center, gcloud auth, az login), and workloads get provider-managed identities (next section). For the rare third-party tool that truly requires a static key, scope it to the minimum, store it in a secrets manager, rotate it on a schedule, and set an alarm on its usage.
4. Use SSO: one human, one identity
Federate the identity provider you already run (Google Workspace, Microsoft Entra ID, Okta) into the cloud instead of creating standalone cloud users. Every person gets exactly one identity, MFA is enforced in one place, and offboarding becomes a single disable that revokes everything at once. Shared logins are the anti-pattern this kills: an audit log that says “admin did it” forever, and a password everyone knows that nobody can rotate. If you run multiple accounts or environments, wire SSO into the landing zone so access is defined once, centrally.
5. Give workloads service identities, not embedded keys
Applications need cloud permissions too, and the wrong answer is pasting a key into config. Every provider has a mechanism that issues credentials to the workload automatically, rotated for you, never stored anywhere: IAM roles on AWS (via instance profiles or task roles), managed identities on Azure, service accounts on Google Cloud. For CI/CD running outside the cloud, OIDC federation (GitHub Actions to AWS or GCP, for example) does the same thing with no stored secret at all. One service identity per application, scoped to what that application touches, and nothing to leak.
6. Attach permissions to groups, not people
Grant roles to groups (“engineers”, “data-team”, “finance-readonly”) and put people in groups. Direct per-user grants accumulate silently, survive job changes, and make “what can Dana access?” a research project. With groups, access follows the org chart, joiners inherit the right permissions on day one, and reviews read in minutes.
7. Log and review, on a schedule
Turn on the audit trail account-wide (CloudTrail, Azure Activity Log, Google Cloud Audit Logs) and ship it somewhere tamper-resistant; this records every IAM change and every credential’s activity. Then review quarterly: the provider’s own analyzers (AWS IAM Access Analyzer, Google Cloud IAM Recommender, Microsoft Entra access reviews) list permissions that exist but have gone unused, which are precisely the ones to delete. Add an offboarding step that disables the SSO identity the same day; that one habit closes the most embarrassing hole in the industry.
The checklist
- Root/owner identity locked away with MFA and zero access keys
- MFA enforced for every human, app or hardware key preferred
- SSO federated from your existing identity provider; no standalone cloud users
- Admin access limited to 2 or 3 named people, and used rarely
- All other humans on least-privilege roles, granted via groups
- No long-lived access keys; SSO sessions for humans, service identities for workloads
- Unavoidable static keys scoped, vaulted, rotated, and alarmed
- CI/CD authenticating via OIDC federation, not stored secrets
- Audit logging on account-wide, stored tamper-resistant
- Quarterly access review plus same-day offboarding disable
Same ideas, different names
| Concept | AWS | Azure | Google Cloud |
|---|---|---|---|
| Identity and permissions service | IAM + IAM Identity Center | Microsoft Entra ID + RBAC | Cloud IAM + Cloud Identity |
| Human SSO | IAM Identity Center | Entra ID (native) | Cloud Identity / Workspace |
| Workload identity | IAM role (instance profile, task role) | Managed identity | Service account |
| Permission bundle | Policy | Role definition | Role |
| Audit trail | CloudTrail | Activity Log | Cloud Audit Logs |
| Unused-access finder | IAM Access Analyzer | Entra access reviews | IAM Recommender |
None of this requires new spending; it is configuration and habit. The hard part is sequencing it into a live account without breaking the workloads that currently depend on an over-permissioned key. If you would rather have someone who has done that untangling before design or review your IAM setup, talk to a Webisoft cloud engineer.
FAQ
What does least privilege mean in cloud IAM?
Every identity, human or machine, gets only the permissions its actual job requires, granted by starting from nothing and adding, never by starting from admin and trimming later. The payoff is blast radius: when a credential leaks, the damage is capped at what that one identity could touch instead of the whole account.
Are long-lived access keys really that dangerous?
Yes, they are the most common root cause of real cloud incidents. A static key pasted into code, a laptop, or a CI config works forever from anywhere, and keys committed to public repositories are typically exploited within minutes. Roles that issue short-lived credentials remove the problem instead of managing it.
Is SSO worth it for a team of five?
Yes, because you almost certainly already pay for the identity provider through Google Workspace or Microsoft 365. Federating it into your cloud takes an afternoon, gives everyone one login with MFA enforced in one place, and makes offboarding a single disable instead of a hunt across accounts.
What is the difference between a user and a role?
A user is a permanent identity with its own credentials, meant for a specific person. A role is a bundle of permissions with no credentials of its own that users and workloads assume temporarily, receiving short-lived credentials for the session. Modern IAM practice keeps permanent users to a minimum and routes almost everything through roles.
How often should we review IAM permissions?
Quarterly for a standing review of who has what, plus immediately on every offboarding or role change. The provider tools make it cheap: AWS IAM Access Analyzer, Google Cloud’s IAM Recommender, and Microsoft Entra access reviews all flag permissions that exist but have not been used, which are exactly the ones to remove.
Frequently asked questions
What does least privilege mean in cloud IAM?
Every identity, human or machine, gets only the permissions its actual job requires, granted by starting from nothing and adding, never by starting from admin and trimming later. The payoff is blast radius: when a credential leaks, the damage is capped at what that one identity could touch instead of the whole account.
Are long-lived access keys really that dangerous?
Yes, they are the most common root cause of real cloud incidents. A static key pasted into code, a laptop, or a CI config works forever from anywhere, and keys committed to public repositories are typically exploited within minutes. Roles that issue short-lived credentials remove the problem instead of managing it.
Is SSO worth it for a team of five?
Yes, because you almost certainly already pay for the identity provider through Google Workspace or Microsoft 365. Federating it into your cloud takes an afternoon, gives everyone one login with MFA enforced in one place, and makes offboarding a single disable instead of a hunt across accounts.
What is the difference between a user and a role?
A user is a permanent identity with its own credentials, meant for a specific person. A role is a bundle of permissions with no credentials of its own that users and workloads assume temporarily, receiving short-lived credentials for the session. Modern IAM practice keeps permanent users to a minimum and routes almost everything through roles.
How often should we review IAM permissions?
Quarterly for a standing review of who has what, plus immediately on every offboarding or role change. The provider tools make it cheap: AWS IAM Access Analyzer, Google Cloud's IAM Recommender, and Microsoft Entra access reviews all flag permissions that exist but have not been used, which are exactly the ones to remove.