Least-Privilege IAM Design for a New Workload Prompt
Design a least-privilege IAM role and policy for a greenfield workload from its required AWS actions, scoping permissions with resources and conditions before any code ships.
- Target user: Cloud and platform engineers provisioning new workloads
- Difficulty: Advanced
- Tools: Claude, ChatGPT
The prompt
You are a senior AWS security architect who designs least-privilege IAM for new workloads. I will provide:

- The workload description and runtime (Lambda, ECS/Fargate task, EC2, EKS pod via IRSA, CI/CD pipeline)
- The AWS services and operations it must perform (e.g. read from one S3 prefix, write to one DynamoDB table, publish to an SNS topic, decrypt with one KMS key)
- The specific resource ARNs (or naming convention) it should touch and the environment(s) it runs in
- Any compliance constraints (no internet egress, region pinning, encryption-in-transit, tag-based access)

Your job:

1. **Enumerate actions** — translate each described operation into the minimal set of IAM actions, avoiding service-wide wildcards and read+write where read-only suffices.
2. **Scope resources** — bind every statement to specific resource ARNs or ARN patterns rather than `*`, including KMS key, table, topic, and bucket-prefix ARNs.
3. **Add conditions** — apply guardrails: `aws:SourceArn`/`aws:SourceAccount` for service trust, `aws:RequestedRegion`, `aws:PrincipalTag`/`aws:ResourceTag`, and `kms:ViaService` where relevant.
4. **Design the trust policy** — write the correct trust relationship for the runtime (service principal, OIDC for IRSA/GitHub, or confused-deputy-safe conditions).
5. **Separate concerns** — split distinct duties into separate policies/roles and recommend a permission boundary for delegated provisioning.
6. **Plan verification** — describe how to validate with the Policy Simulator and tighten further from Access Analyzer / CloudTrail after a soak period.

Output: (a) the complete identity policy JSON, (b) the trust policy JSON, (c) a rationale line per statement, (d) a post-deploy plan to confirm no AccessDenied gaps and trim unused permissions.

Design and advise only: produce policy JSON for review; the operator validates and attaches it. Do not propose `Action: "*"` or `Resource: "*"` as a shortcut.
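A worked instance of steps 1 through 4, as an added example that is not part of the prompt above or of any AWS-published code. It builds the identity policy and trust policy for a constructed scenario (a Lambda function that reads one S3 prefix, writes one DynamoDB table, publishes to one SNS topic and decrypts with one KMS key, pinned to one region) and then lints both documents against the rules the prompt states: no wildcard Action or Resource in an Allow statement, `kms:Decrypt` only with `kms:ViaService`, and a service-principal trust guarded by `aws:SourceArn`/`aws:SourceAccount`. The account id, key id, bucket, table, topic and function names are placeholders chosen for the example.

```python
"""Build and lint a least-privilege identity policy and trust policy (added example)."""
import json

ACCOUNT = "123456789012"        # placeholder account id
REGION = "us-east-1"            # region the workload is pinned to (assumed)
FUNCTION_NAME = "order-ingest"  # hypothetical Lambda function name
BUCKET = "example-orders-bucket"
KEY_ID = "<KEY-ID-PLACEHOLDER>"  # real KMS key id goes here


def build_identity_policy(account=ACCOUNT, region=REGION):
    """Step 1-3: minimal actions, bound to specific ARNs, with condition guardrails."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadInboundPrefix", "Effect": "Allow",
             "Action": ["s3:GetObject"],
             "Resource": f"arn:aws:s3:::{BUCKET}/inbound/*"},
            {"Sid": "ListInboundPrefix", "Effect": "Allow",
             "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{BUCKET}",
             "Condition": {"StringLike": {"s3:prefix": ["inbound/*"]}}},
            {"Sid": "WriteOrdersTable", "Effect": "Allow",
             "Action": ["dynamodb:PutItem", "dynamodb:UpdateItem"],
             "Resource": f"arn:aws:dynamodb:{region}:{account}:table/orders"},
            {"Sid": "PublishOrderEvents", "Effect": "Allow",
             "Action": ["sns:Publish"],
             "Resource": f"arn:aws:sns:{region}:{account}:order-events"},
            {"Sid": "DecryptViaS3Only", "Effect": "Allow",
             "Action": ["kms:Decrypt"],
             "Resource": f"arn:aws:kms:{region}:{account}:key/{KEY_ID}",
             # The key may only be used through S3 on this workload's behalf.
             "Condition": {"StringEquals": {"kms:ViaService": f"s3.{region}.amazonaws.com"}}},
            {"Sid": "DenyOutsidePinnedRegion", "Effect": "Deny",
             # A conditional Deny is a guardrail, not the Allow shortcut the prompt forbids.
             # Global services (IAM, STS, CloudFront) would need excluding via NotAction in practice.
             "Action": "*", "Resource": "*",
             "Condition": {"StringNotEquals": {"aws:RequestedRegion": region}}},
        ],
    }


def build_trust_policy(account=ACCOUNT, region=REGION, function_name=FUNCTION_NAME):
    """Step 4: Lambda service principal with confused-deputy conditions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "LambdaAssumeWithConfusedDeputyGuard", "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account},
                "ArnLike": {"aws:SourceArn":
                            f"arn:aws:lambda:{region}:{account}:function:{function_name}"},
            },
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return findings that violate the prompt's rules; an empty list means it passes."""
    findings = []
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        conditions = json.dumps(stmt.get("Condition", {}))
        if stmt["Effect"] == "Allow":
            for action in actions:
                if action == "*" or action.endswith(":*"):
                    findings.append(f"{sid}: wildcard action {action!r}")
            if "*" in resources:
                findings.append(f"{sid}: Resource '*' in Allow")
        elif ("*" in actions or "*" in resources) and "Condition" not in stmt:
            findings.append(f"{sid}: unconditional wildcard Deny")
        if "kms:Decrypt" in actions and "kms:ViaService" not in conditions:
            findings.append(f"{sid}: kms:Decrypt without kms:ViaService condition")
    return findings


def lint_trust_policy(trust):
    """Flag wildcard principals and service trusts lacking confused-deputy conditions."""
    findings = []
    for stmt in trust["Statement"]:
        principal = stmt.get("Principal", {})
        if principal == "*" or principal.get("AWS") == "*":
            findings.append("trust: wildcard principal")
        elif "Service" in principal:
            conditions = json.dumps(stmt.get("Condition", {}))
            if "aws:SourceArn" not in conditions and "aws:SourceAccount" not in conditions:
                findings.append("trust: service principal without aws:SourceArn/aws:SourceAccount")
    return findings


# Constructed over-broad policy, used to show what the linter rejects.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "TooBroad", "Effect": "Allow",
                   "Action": ["s3:*", "dynamodb:PutItem"], "Resource": "*"}],
}

if __name__ == "__main__":
    print(json.dumps(build_identity_policy(), indent=2))
    print(json.dumps(build_trust_policy(), indent=2))
    print("identity findings:", lint_policy(build_identity_policy()))
    print("trust findings:", lint_trust_policy(build_trust_policy()))
    print("over-broad findings:", lint_policy(OVERBROAD_POLICY))
```

The linter is a pre-review gate, not a substitute for steps 5 and 6: the printed JSON still goes to the operator for Policy Simulator checks, and the Access Analyzer/CloudTrail soak decides which of the listed actions can be trimmed.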
Related prompts

- IAM Least-Privilege From CloudTrail Usage Prompt: Turn actual CloudTrail and Access Analyzer usage data into a tightly-scoped, deny-by-default IAM policy that keeps the workload running.
- Least-Privilege IAM Policy Review Prompt: Right-size over-permissioned cloud IAM — strip wildcard actions, scope resources, eliminate privilege-escalation paths, and replace static keys with short-lived roles, using actual usage data.