DevOps AI ToolKit

Least-Privilege IAM Design for a New Workload Prompt

Design a least-privilege IAM role and policy for a greenfield workload from its required AWS actions, scoping permissions with resources and conditions before any code ships.

Target user
Cloud and platform engineers provisioning new workloads
Difficulty
Advanced
Tools
Claude, ChatGPT

The prompt

You are a senior AWS security architect who designs least-privilege IAM for new workloads.

I will provide:
- The workload description and runtime (Lambda, ECS/Fargate task, EC2, EKS pod via IRSA, CI/CD pipeline)
- The AWS services and operations it must perform (e.g. read from one S3 prefix, write to one DynamoDB table, publish to an SNS topic, decrypt with one KMS key)
- The specific resource ARNs (or naming convention) it should touch and the environment(s) it runs in
- Any compliance constraints (no internet egress, region pinning, encryption-in-transit, tag-based access)

Your job:

1. **Enumerate actions** — translate each described operation into the minimal set of IAM actions, avoiding service-wide wildcards and read+write where read-only suffices.
2. **Scope resources** — bind every statement to specific resource ARNs or ARN patterns rather than `*`, including KMS key, table, topic, and bucket-prefix ARNs.
3. **Add conditions** — apply guardrails: `aws:SourceArn`/`aws:SourceAccount` for service trust, `aws:RequestedRegion`, `aws:PrincipalTag`/`aws:ResourceTag`, and `kms:ViaService` where relevant.
4. **Design the trust policy** — write the correct trust relationship for the runtime (service principal, OIDC for IRSA/GitHub, or confused-deputy-safe conditions).
5. **Separate concerns** — split distinct duties into separate policies/roles and recommend a permission boundary for delegated provisioning.
6. **Plan verification** — describe how to validate both the expected allows and the expected denies with the IAM Policy Simulator before the role is attached, then tighten further after a soak period using IAM Access Analyzer (unused-access findings and policy generation from CloudTrail activity).

Output: (a) the complete identity policy JSON, (b) the trust policy JSON, (c) a rationale line per statement, (d) a post-deploy plan to confirm no AccessDenied gaps and trim unused permissions.

Design and advise only: produce policy JSON for review; the operator validates and attaches it. Do not propose `Action: "*"` or `Resource: "*"` as a shortcut.
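The steps above, carried through for the workload sketched in the prompt's own examples (read one S3 prefix, write one DynamoDB table, publish to one SNS topic, decrypt with one KMS key, running as a Lambda function). This is an added example, not output from the prompt or code from the DevOps AI ToolKit site; the account ID, region, function, bucket, table, topic and key ARNs are constructed assumptions. It builds the identity policy and the trust policy as Python dicts, and then applies a mechanical lint that encodes the page's rule of no `Action: "*"`, no service-wide wildcard, no `Resource: "*"`, and a condition guardrail on every statement.

```python
"""Build, and lint, a least-privilege identity and trust policy for one workload."""
import json
import re
from typing import Any

# Constructed sample workload (assumed account ID, names and ARNs): a Lambda
# function that reads one S3 prefix, writes one DynamoDB table, publishes to
# one SNS topic and decrypts SSE-KMS objects with one customer-managed key.
ACCOUNT = "123456789012"
REGION = "us-east-1"
WORKLOAD: dict[str, Any] = {
    "runtime": "lambda",
    "function_arn": f"arn:aws:lambda:{REGION}:{ACCOUNT}:function:order-ingest",
    "s3_read": {"bucket": "acme-orders", "prefix": "incoming/"},
    "dynamodb_write": f"arn:aws:dynamodb:{REGION}:{ACCOUNT}:table/orders",
    "sns_publish": f"arn:aws:sns:{REGION}:{ACCOUNT}:order-events",
    "kms_decrypt": f"arn:aws:kms:{REGION}:{ACCOUNT}:key/11111111-2222-3333-4444-555555555555",
}
REGION_GUARD = {"StringEquals": {"aws:RequestedRegion": REGION}}


def build_identity_policy(w: dict[str, Any]) -> dict[str, Any]:
    """Steps 1-3: narrowest actions per operation, bound to specific ARNs,
    each statement carrying a condition guardrail."""
    bucket, prefix = w["s3_read"]["bucket"], w["s3_read"]["prefix"]
    statements = [
        {   # Object reads limited to the prefix; no PutObject/DeleteObject.
            "Sid": "ReadIncomingObjects", "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
            "Condition": REGION_GUARD,
        },
        {   # ListBucket is a bucket-level action, so it takes the bucket ARN;
            # the s3:prefix condition keeps listings inside the same prefix.
            "Sid": "ListIncomingPrefix", "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": f"arn:aws:s3:::{bucket}",
            "Condition": {"StringEquals": {"aws:RequestedRegion": REGION},
                          "StringLike": {"s3:prefix": [f"{prefix}*"]}},
        },
        {   # Write-only: no Scan/Query/DeleteItem on the table.
            "Sid": "WriteOrdersTable", "Effect": "Allow",
            "Action": ["dynamodb:PutItem", "dynamodb:UpdateItem"],
            "Resource": w["dynamodb_write"], "Condition": REGION_GUARD,
        },
        {
            "Sid": "PublishOrderEvents", "Effect": "Allow",
            "Action": ["sns:Publish"],
            "Resource": w["sns_publish"], "Condition": REGION_GUARD,
        },
        {   # Decrypt only, and only when S3 calls KMS on the role's behalf.
            "Sid": "DecryptViaS3", "Effect": "Allow",
            "Action": ["kms:Decrypt"],
            "Resource": w["kms_decrypt"],
            "Condition": {"StringEquals": {
                "aws:RequestedRegion": REGION,
                "kms:ViaService": f"s3.{REGION}.amazonaws.com"}},
        },
    ]
    return {"Version": "2012-10-17", "Statement": statements}


def build_trust_policy(w: dict[str, Any]) -> dict[str, Any]:
    """Step 4: trust the Lambda service principal, but only for this function
    in this account, so a function elsewhere cannot act as a confused deputy."""
    if w["runtime"] != "lambda":
        raise ValueError("this example models only the Lambda runtime")
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"aws:SourceAccount": ACCOUNT},
                      "ArnLike": {"aws:SourceArn": w["function_arn"]}},
    }]}


SERVICE_WILDCARD = re.compile(r"^[a-z0-9-]+:\*$")  # e.g. s3:* or dynamodb:*


def lint_policy(policy: dict[str, Any]) -> list[str]:
    """Mechanical check of the page's rule: no Action '*', no service-wide
    action wildcard, no Resource '*', and a Condition on every statement."""
    findings: list[str] = []
    for st in policy["Statement"]:
        sid = st.get("Sid", "<no Sid>")
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        findings += [f"{sid}: wildcard action {a}" for a in actions
                     if a == "*" or SERVICE_WILDCARD.match(a)]
        findings += [f"{sid}: Resource '*'" for r in resources if r == "*"]
        if not st.get("Condition"):
            findings.append(f"{sid}: no Condition guardrail")
    return findings


if __name__ == "__main__":
    identity, trust = build_identity_policy(WORKLOAD), build_trust_policy(WORKLOAD)
    print(json.dumps(identity, indent=2))
    print(json.dumps(trust, indent=2))
    print("lint:", lint_policy(identity) or "clean")
```

For step 6, write the identity policy to a file and run it through the simulator for both sides of the boundary, for example `aws iam simulate-custom-policy --policy-input-list file://identity.json --action-names s3:GetObject s3:DeleteObject --resource-arns arn:aws:s3:::acme-orders/incoming/example.json`; the first action should come back `allowed` and the second `implicitDeny`. Two caveats worth keeping in mind with this sample: if the DynamoDB table or the SNS topic is encrypted with the same customer-managed key, `kms:ViaService` must also list those services (or be split into separate statements), and the `aws:SourceArn`/`aws:SourceAccount` conditions in the trust policy only help where the runtime populates them when it assumes the role, so check the runtime's documentation before relying on them for non-Lambda runtimes.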
