IAM Security Best Practices

IAM entity hierarchy

Best practices — expand each card

1. Enable MFA for humans and break-glass

   Require hardware or app MFA for console; protect root with MFA and minimal use.

2. Least privilege by default

   Start with zero permissions; add actions/resources explicitly; review quarterly.

3. Prefer roles over long-lived keys

   Use IAM roles for workloads, OIDC from CI, instance profiles; rotate any remaining keys.

4. Monitor with CloudTrail

   Alert on CreateUser, AttachUserPolicy, console login anomalies.

5. Credential rotation & session duration

   Short STS lifetimes; automate key rotation where keys are unavoidable.

6. Policy conditions

   Restrict by IP, VPC endpoint, MFA presence, time window, and resource tags.