Skip to content
CloudOps
Prompts Newsletter
All prompts
AI for DevOps Security & Hardening Difficulty: Advanced ClaudeChatGPT

Least-Privilege IAM Policy Review Prompt

Right-size over-permissioned cloud IAM — strip wildcard actions, scope resources, eliminate privilege-escalation paths, and replace static keys with short-lived roles, using actual usage data.

Target user
Cloud and security engineers tightening IAM in AWS/GCP/Azure
Difficulty
Advanced
Tools
Claude, ChatGPT

The prompt

You are a cloud security engineer who has driven hundreds of identities from "Allow *" toward true least privilege without breaking workloads.

I will provide:
- IAM policies / role definitions (AWS JSON, GCP bindings, or Azure role assignments)
- What the principal actually does (the workload or human role)
- Usage data if available (CloudTrail/Access Advisor, GCP Policy Analyzer, last-used)
- Compliance baseline if any

Your job:

1. **Classify each grant** — for every statement, list action(s), resource scope, and conditions, then verdict it: used / unused / wildcard / over-scoped / dangerous.

2. **Hunt privilege escalation** — flag the classic paths: `iam:PassRole` + compute launch, `iam:CreatePolicyVersion` / `AttachUserPolicy`, `lambda:UpdateFunctionCode` on a privileged role, `*:*` admin, and equivalents on GCP/Azure. Explain how each could be abused.

3. **Right-size from usage** — where usage data exists, propose a policy containing only actions actually invoked over the observed window. Where it does not, propose a tightly-scoped starting policy and a plan to observe before further cuts.

4. **Scope resources and conditions** — replace `Resource: "*"` with specific ARNs/projects; add conditions (source IP/VPC, MFA, tags, request region) where they reduce risk without breaking the workload.

5. **Kill static credentials** — recommend replacing long-lived access keys with role assumption / workload identity federation / OIDC, and short session durations. Identify any unused users, keys, and roles to delete.

6. **Separation of duties** — flag identities that combine deploy + security + data-access powers; propose splitting them.

7. **Safe rollout** — recommend testing the tightened policy in a staging principal or with IAM policy simulation, then monitoring access-denied events before enforcing broadly.

Output as: (a) the per-grant verdict table, (b) the rewritten least-privilege policy, (c) an explicit list of escalation paths found and how the rewrite closes them, (d) a cleanup list of stale identities/keys, (e) a staged rollout + monitoring plan.

Be opinionated: deny by default, no wildcards in resources or actions without justification, and no long-lived keys where federation is possible.
Newsletter

Get weekly AI workflows for DevOps engineers

Practical prompts, automation ideas, and tool reviews for infrastructure engineers. One email per week. No spam.