Creating a Least-Privilege IAM Policy for AWS Account Access

This guide provides detailed instructions for creating an AWS IAM policy that grants CloudThinker.io access to your AWS account following the principle of least privilege. It also explains how to create an IAM user, generate credentials, and configure CloudThinker.io to use those credentials securely.


1. Overview of Least Privilege Access

Least privilege means granting only the permissions necessary for CloudThinker.io to perform its tasks—no more, no less. This minimizes security risks by limiting access to your AWS resources.


2. Define Required Permissions for CloudThinker.io

CloudThinker.io typically requires read-only access to AWS services to gather resource information, metrics, and logs. Optionally, it may need limited write permissions (e.g., resizing EC2 instances).

Common permission sets:

  • Read-only access to all AWS services

  • Read-only access to specific services: Billing, EC2, CloudWatch, RDS

  • Write access to specific actions: For example, resizing EC2 instances


3. Sample IAM Policies for CloudThinker.io Access

3.1. Read-Only Access to All AWS Services

The AWS managed policy ReadOnlyAccess grants read-only access to most services, but it is broad: it includes data-read actions such as s3:Get*, which covers object contents, not just resource metadata. If you prefer a customer managed policy that covers only what CloudThinker.io reads, start from the following and widen or narrow it per service:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "ec2:Describe*",
        "rds:Describe*",
        "billing:Get*",
        "billing:List*",
        "logs:Get*",
        "logs:Describe*"
      ],
      "Resource": "*"
    }
  ]
}

This example grants only read actions for CloudWatch, EC2, RDS, Billing and CloudWatch Logs. Expand or restrict the action list as needed; wildcards on read-only verbs such as ec2:Describe* are acceptable, but avoid service-wide wildcards such as ec2:*.

3.2. Read-Only Access to Specific Services (Billing, EC2, CloudWatch, RDS)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-portal:ViewBilling",
        "ec2:Describe*",
        "cloudwatch:GetMetricData",
        "cloudwatch:ListMetrics",
        "rds:Describe*",
        "logs:GetLogEvents",
        "logs:DescribeLogGroups"
      ],
      "Resource": "*"
    }
  ]
}

Note: aws-portal:* actions belong to the older Billing console permission model. AWS has announced their retirement in favor of fine-grained actions under the billing:, ce: and cur: prefixes, and they are not available in newer accounts; if aws-portal:ViewBilling has no effect in your account, use billing:Get* and billing:List* as in 3.1 instead. Also, logs:GetLogEvents takes a log stream name, so add logs:DescribeLogStreams if CloudThinker.io needs to enumerate streams before reading events.

3.3. Write Permission for EC2 Resizing (in addition to read-only)

Changing an instance type requires the instance to be stopped, so resizing needs ec2:StopInstances and ec2:StartInstances alongside ec2:ModifyInstanceAttribute. Add the following statement to the "Statement" array of the read-only policy (it is a single statement, not a complete policy document):

{
  "Effect": "Allow",
  "Action": [
    "ec2:ModifyInstanceAttribute",
    "ec2:StopInstances",
    "ec2:StartInstances"
  ],
  "Resource": "*"
}

Note that ec2:ModifyInstanceAttribute is not limited to the instance type: with "Resource": "*" it also lets the caller change user data, security groups, termination protection and other attributes of every instance in the account. Restrict the statement to the instances CloudThinker.io is meant to manage, for example with a resource ARN of arn:aws:ec2:*:*:instance/* and an ec2:ResourceTag condition on a tag you apply to those instances.
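The following script assembles the read-only statement from 3.1 and the resizing statement from 3.3 into one complete policy document and runs a small static check over it. It is an added example, not code from this page or from CloudThinker.io; the tag name CloudThinkerManaged, the instance-ARN scoping and the finding codes are assumptions of the example. The audit flags exactly the weakness described above: the page's own 3.3 fragment, pasted as-is, is reported as an unscoped write, while the tag-scoped version passes.

```python
"""Assemble the least-privilege policy from sections 3.1 and 3.3 and audit it.

Added example; not code from the original page or from CloudThinker.io.
The tag name CloudThinkerManaged and the finding codes are assumptions.
"""
import json

# Read-only actions from the policy in section 3.1.
READ_ONLY_ACTIONS = [
    "cloudwatch:Get*", "cloudwatch:List*",
    "ec2:Describe*",
    "rds:Describe*",
    "billing:Get*", "billing:List*",
    "logs:Get*", "logs:Describe*",
]

# Write actions from section 3.3 (EC2 resizing).
RESIZE_ACTIONS = ["ec2:ModifyInstanceAttribute", "ec2:StopInstances", "ec2:StartInstances"]

# IAM action verbs that only read state; anything else is treated as a write.
READ_VERBS = ("Get", "List", "Describe", "View")


def read_only_statement():
    return {"Effect": "Allow", "Action": list(READ_ONLY_ACTIONS), "Resource": "*"}


def resize_statement(tag_key="CloudThinkerManaged", tag_value="true"):
    """Section 3.3's write statement, narrowed to instances carrying an opt-in
    tag (tag name assumed) instead of every instance in the account."""
    return {
        "Effect": "Allow",
        "Action": list(RESIZE_ACTIONS),
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"StringEquals": {f"ec2:ResourceTag/{tag_key}": tag_value}},
    }


def build_policy(statements):
    """Wrap statements in a complete policy document ready to paste into the console."""
    return {"Version": "2012-10-17", "Statement": list(statements)}


def policy_json(doc):
    return json.dumps(doc, indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_read_action(action):
    _, _, name = action.partition(":")
    return name.startswith(READ_VERBS)


def audit_policy(doc):
    """Return findings as (statement_index, code, detail) tuples.

    WILDCARD_ACTION: "*" or "service:*" grants far more than read-only.
    UNSCOPED_WRITE:  a write action on Resource "*" with no Condition.
    OLD_VERSION:     missing or outdated Version element (index -1).
    """
    findings = []
    if doc.get("Version") != "2012-10-17":
        findings.append((-1, "OLD_VERSION", str(doc.get("Version"))))
    for i, st in enumerate(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only take permissions away
        resources = _as_list(st.get("Resource", []))
        for action in _as_list(st.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((i, "WILDCARD_ACTION", action))
            elif not _is_read_action(action) and "*" in resources and "Condition" not in st:
                findings.append((i, "UNSCOPED_WRITE", action))
    return findings


if __name__ == "__main__":
    policy = build_policy([read_only_statement(), resize_statement()])
    print(policy_json(policy))
    print("findings:", audit_policy(policy))
```

Run it before pasting the output of policy_json into the console; an empty findings list is the goal. The verb-prefix heuristic is deliberately conservative: an action it does not recognise as a read is treated as a write, so a new verb will surface as a finding rather than slip through.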

4. Creating the IAM User and Attaching Policy

Step 1: Create IAM User

  1. Sign in to the AWS Management Console as an administrator.

  2. Go to IAM > Users > Add user.

  3. Enter a user name (e.g., CloudThinkerUser).

  4. Select Programmatic access to generate an Access Key ID and Secret Access Key. (The current IAM console no longer offers this option at creation time: create the user first, then open its Security credentials tab and choose Create access key. Do not enable console access for this user.)

  5. Click Next: Permissions.

Step 2: Attach Policy

  • Choose Attach existing policies directly.

  • Select the policy you created or the AWS managed ReadOnlyAccess policy.

  • Alternatively, create a Customer Managed Policy with the JSON examples above and attach it here.

  • Click Next: Tags (optional), then Next: Review.

  • Click Create user.

Step 3: Save Credentials

  • Download or copy the Access Key ID and Secret Access Key and store them in a secrets manager. The secret is shown only once; if it is lost, delete the key and create a new one rather than trying to recover it.

  • These credentials will be used in CloudThinker.io to access your AWS account.
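The same three steps as a script, using the AWS SDK for Python (boto3). This is an added example, not from this page or from CloudThinker.io; the policy and user names are assumptions, and DryRunIAM is a stand-in client that records the calls instead of making them, so the plan can be reviewed before anything touches the account. Swap in boto3.client("iam") to apply it.

```python
"""Provision the CloudThinker.io IAM user: policy, user, attachment, access key.

Added example; not code from the original page or from CloudThinker.io.
Names are assumptions. DryRunIAM records calls with the same method names
and response shapes as boto3's IAM client but never contacts AWS.
"""
import json
import uuid

# Read-only policy from section 3.1 of the page.
POLICY_DOCUMENT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["cloudwatch:Get*", "cloudwatch:List*", "ec2:Describe*",
                   "rds:Describe*", "billing:Get*", "billing:List*",
                   "logs:Get*", "logs:Describe*"],
        "Resource": "*",
    }],
}


class DryRunIAM:
    """Records IAM calls and returns boto3-shaped responses; no AWS access."""

    def __init__(self, account_id="123456789012"):  # constructed account id
        self.account_id = account_id
        self.calls = []

    def create_policy(self, **kw):
        self.calls.append(("create_policy", kw))
        return {"Policy": {"Arn": f"arn:aws:iam::{self.account_id}:policy/{kw['PolicyName']}"}}

    def create_user(self, **kw):
        self.calls.append(("create_user", kw))
        return {"User": {"UserName": kw["UserName"]}}

    def attach_user_policy(self, **kw):
        self.calls.append(("attach_user_policy", kw))
        return {}

    def create_access_key(self, **kw):
        self.calls.append(("create_access_key", kw))
        # Constructed key material in the real format: 20-char id, random secret.
        return {"AccessKey": {"AccessKeyId": "AKIA" + uuid.uuid4().hex[:16].upper(),
                              "SecretAccessKey": uuid.uuid4().hex}}


def provision(iam, user_name="CloudThinkerUser", policy_name="CloudThinkerReadOnly",
              document=POLICY_DOCUMENT):
    """Create the customer managed policy, the user, the attachment and one
    access key. Returns the policy ARN and the key pair; the secret is
    returned exactly once and never logged."""
    policy_arn = iam.create_policy(
        PolicyName=policy_name,
        PolicyDocument=json.dumps(document),
        Description="Least-privilege read-only access for CloudThinker.io",
    )["Policy"]["Arn"]
    iam.create_user(UserName=user_name,
                    Tags=[{"Key": "Owner", "Value": "CloudThinker.io"}])
    iam.attach_user_policy(UserName=user_name, PolicyArn=policy_arn)
    key = iam.create_access_key(UserName=user_name)["AccessKey"]
    return {"PolicyArn": policy_arn,
            "AccessKeyId": key["AccessKeyId"],
            "SecretAccessKey": key["SecretAccessKey"]}


if __name__ == "__main__":
    client = DryRunIAM()          # replace with boto3.client("iam") to apply
    result = provision(client)
    for name, kw in client.calls:  # review the plan; the policy body is long, so elide it
        print(name, {k: v for k, v in kw.items() if k != "PolicyDocument"})
    print("Access key id:", result["AccessKeyId"])  # the secret is deliberately not printed
```

The user gets no console password and no inline policy: everything it can do comes from the one attached customer managed policy, which is the thing you will later tighten or revoke.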


5. Configure CloudThinker.io with AWS Credentials

  1. Log in to your CloudThinker.io workspace.

  2. Navigate to Workspace Setup > Setup Your Workspace.

  3. Enter the AWS Access Key ID and Secret Access Key of the IAM user you created.

  4. Verify the connection to ensure CloudThinker.io can access your AWS resources.

  5. CloudThinker.io will now operate with the permissions granted by the IAM policy.


6. Best Practices and Recommendations

  • Start with minimal permissions and add only what CloudThinker.io demonstrably requires.

  • Use IAM Access Analyzer policy generation (built from CloudTrail activity) and the IAM last-accessed information to refine permissions based on actual usage.

  • Regularly review and update IAM policies to maintain least privilege, and rotate the access key on a schedule; delete the user and its keys when the integration is no longer needed.

  • Never use root credentials or overly permissive identities such as AdministratorAccess for an integration.

  • Use conditions in policies to restrict access further, e.g., aws:SourceIp to allow only the vendor's egress addresses and aws:SecureTransport to refuse requests that are not made over TLS.
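The two conditions in the last bullet, as an added example that is not part of the original page or of CloudThinker.io: two Deny statements to append to the vendor policy, plus a small evaluator that applies IAM's rule that an explicit Deny overrides any Allow. The allowed CIDR is a constructed placeholder; replace it with the egress ranges the vendor publishes. The evaluator also reproduces the edge case that matters here: aws:SourceIp is absent when an AWS service makes the call on the principal's behalf, a negated operator like NotIpAddress matches when its key is missing, so the source-IP Deny is combined with aws:ViaAWSService to avoid blocking service-initiated calls.

```python
"""Source-IP and TLS Deny conditions, evaluated the way IAM does.

Added example; not code from the original page or from CloudThinker.io.
ALLOWED_CIDRS is a constructed placeholder. The evaluator supports only the
operators used here and is a teaching aid, not the IAM policy engine.
"""
import fnmatch
import ipaddress

# Read-only statement from section 3.2 (subset) to have something to allow.
READ_ONLY = {"Effect": "Allow", "Resource": "*",
             "Action": ["ec2:Describe*", "cloudwatch:GetMetricData", "cloudwatch:ListMetrics"]}

ALLOWED_CIDRS = ["203.0.113.0/24"]  # constructed placeholder (TEST-NET-3)


def restriction_statements(allowed_cidrs=ALLOWED_CIDRS):
    """Deny statements to append to the vendor policy's Statement array."""
    return [
        {   # refuse any call that is not made over TLS
            "Sid": "DenyNonTLS",
            "Effect": "Deny", "Action": "*", "Resource": "*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {   # refuse direct calls from outside the vendor's egress ranges; the
            # aws:ViaAWSService clause exempts calls an AWS service makes for
            # the principal, which carry no aws:SourceIp and would otherwise match
            "Sid": "DenyUnexpectedSourceIp",
            "Effect": "Deny", "Action": "*", "Resource": "*",
            "Condition": {"NotIpAddress": {"aws:SourceIp": list(allowed_cidrs)},
                          "Bool": {"aws:ViaAWSService": "false"}},
        },
    ]


def vendor_policy(allowed_cidrs=ALLOWED_CIDRS):
    return {"Version": "2012-10-17",
            "Statement": [READ_ONLY, *restriction_statements(allowed_cidrs)]}


def _ip_in(value, cidrs):
    addr = ipaddress.ip_address(value)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def _condition_met(cond, ctx):
    """Every operator block must hold. A missing context key fails positive
    operators and satisfies negated ones (IAM behaviour), which is why a bare
    NotIpAddress Deny also catches requests that carry no aws:SourceIp."""
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            values = expected if isinstance(expected, list) else [expected]
            actual = ctx.get(key)
            if op == "Bool":
                ok = actual is not None and str(actual).lower() == str(values[0]).lower()
            elif op == "IpAddress":
                ok = actual is not None and _ip_in(actual, values)
            elif op == "NotIpAddress":
                ok = actual is None or not _ip_in(actual, values)
            else:
                raise ValueError(f"operator {op} not supported by this example")
            if not ok:
                return False
    return True


def evaluate(policy, action, ctx):
    """Return 'Allow' or 'Deny': explicit Deny wins, then Allow, else implicit Deny."""
    allowed = False
    for st in policy["Statement"]:
        patterns = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            continue
        if not _condition_met(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    direct = {"aws:SecureTransport": "true", "aws:SourceIp": "203.0.113.10",
              "aws:ViaAWSService": "false"}  # constructed request context
    print(evaluate(vendor_policy(), "ec2:DescribeInstances", direct))
    print(evaluate(vendor_policy(), "ec2:DescribeInstances", {**direct, "aws:SourceIp": "198.51.100.7"}))
```

Keep the Deny statements in the same policy as the Allow, attached to the vendor user only; a Deny in an account-wide SCP with the same source-IP condition would also lock out your own operators.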
