AWS IAM Policy Cheatsheet
Top patterns.
Overview
The IAM policy cheatsheet captures the policy patterns operators actually use during AWS access work. Identity-based policies, resource-based policies, and the condition keys and permissions boundaries that narrow them each fit a specific access shape; picking the wrong shape, or papering over the gap with a wildcard, produces over-broad permissions. Two rules hold whichever shape you pick: an explicit Deny anywhere wins over every Allow, and a cross-account request must be allowed on both sides, by the resource policy and by the caller's identity-based policy.
- Top patterns. Identity-based and resource-based policies are the two policy types; condition keys and permissions boundaries narrow what either one grants. Together they compose every AWS access decision.
- Resource-based policies. Per-resource access, attached to the resource itself; S3 bucket policies, KMS key policies, Lambda function policies, and IAM role trust policies are all this shape; the right shape for cross-account access, provided the caller's own account also allows the call in an identity-based policy.
- Identity-based policies. Per-principal access attached to users, groups, and roles, as managed or inline policies; the shape that scales with the workforce, and it scales best when attached to roles and groups rather than individual users.
- Condition keys plus permissions boundaries. Condition keys gate a statement on request context rather than identity: source IP (aws:SourceIp), MFA (aws:MultiFactorAuthPresent, aws:MultiFactorAuthAge), time (aws:CurrentTime). A permissions boundary sets the maximum permissions an IAM user or role can have and grants nothing by itself; the effective identity grant is the intersection of the boundary and the identity-based policy.
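The composition rules above (explicit Deny wins, same-account needs one allowing policy, cross-account needs both, the boundary caps identity grants) are easier to trust once you have watched them decide a request. The following is an added example, not AWS code or the cheatsheet's own: a deliberately simplified evaluator over constructed policy documents. The account IDs, role name and bucket name are placeholders, and the model ignores Condition blocks, NotAction/NotResource, service control policies and session policies.

```python
"""Simplified model of how AWS combines an identity-based policy, a
resource-based policy and a permissions boundary into one access decision.

Added example, not AWS or vendor code.  The policies, account IDs, role and
bucket names are constructed placeholders.  The evaluator deliberately ignores
Condition blocks, NotAction/NotResource, service control policies and session
policies; it models only the allow/deny composition described in the cheatsheet.
"""
import fnmatch
import json

TRUSTED_ACCOUNT = "111111111111"   # placeholder: account that owns the role
BUCKET_ACCOUNT = "222222222222"    # placeholder: account that owns the bucket
ROLE_ARN = f"arn:aws:iam::{TRUSTED_ACCOUNT}:role/ReportReader"
BUCKET_ARN = "arn:aws:s3:::example-reports"

# Identity-based policy attached to the role in TRUSTED_ACCOUNT.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
    }],
}

# Resource-based (bucket) policy in BUCKET_ACCOUNT: the other half of the
# cross-account grant, plus an explicit Deny that beats every Allow.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": ROLE_ARN},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:DeleteObject",
            "Resource": f"{BUCKET_ARN}/*",
        },
    ],
}

# Permissions boundary for the role: a read-only ceiling that grants nothing itself.
BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource, principal):
    """True when the statement's Principal (if any), Action and Resource
    patterns all cover the request.  Action matching is case-insensitive,
    as in IAM; ARN matching is case-sensitive."""
    if principal is not None and "Principal" in stmt:
        allowed = stmt["Principal"]
        if allowed != "*":
            allowed = _as_list(allowed.get("AWS", []))
            if principal not in allowed and "*" not in allowed:
                return False
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))


def decision(policy, action, resource, principal=None):
    """'Deny', 'Allow' or None (implicit deny) for one policy document."""
    effects = {s["Effect"] for s in policy["Statement"]
               if _statement_matches(s, action, resource, principal)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else None


def is_allowed(action, resource, *, identity=IDENTITY_POLICY,
               resource_policy=BUCKET_POLICY, boundary=None,
               principal=ROLE_ARN, principal_account=TRUSTED_ACCOUNT,
               resource_account=BUCKET_ACCOUNT):
    """Compose the three documents the way IAM does (conditions aside)."""
    ident = decision(identity, action, resource)
    res = decision(resource_policy, action, resource, principal) if resource_policy else None
    bnd = decision(boundary, action, resource) if boundary else "Allow"
    if "Deny" in (ident, res, bnd):
        return False                      # an explicit Deny anywhere wins
    ident_ok = ident == "Allow" and bnd == "Allow"   # boundary caps identity grants only
    res_ok = res == "Allow"
    if principal_account == resource_account:
        return ident_ok or res_ok         # same account: either policy suffices
    return ident_ok and res_ok            # cross-account: both sides must allow


if __name__ == "__main__":
    obj = f"{BUCKET_ARN}/q3.csv"
    print(json.dumps(BUCKET_POLICY, indent=2))
    print("get, cross-account, both allow:", is_allowed("s3:GetObject", obj))
    print("get, bucket policy missing:    ", is_allowed("s3:GetObject", obj, resource_policy=None))
    print("delete, explicit deny:         ", is_allowed("s3:DeleteObject", obj))
    print("list under read-only boundary: ", is_allowed("s3:ListBucket", BUCKET_ARN, boundary=BOUNDARY))
```

The second and fourth calls are the ones worth internalising: dropping the bucket policy turns a cross-account read into an implicit deny even though the role's own policy still allows it, and adding a Get-only boundary silently removes s3:ListBucket without any Deny statement appearing anywhere.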
The approach
The practical approach: least privilege, condition keys for fine-grained control, explicit resource ARNs, a simulation before deploy, and a documented rationale for every policy. The team’s discipline produces tight permissions that survive audit.
- Least privilege. Per-policy minimum access; start narrow, widen on demand from observed denials (CloudTrail AccessDenied events and IAM Access Analyzer findings are the usual sources); the modern security baseline.
- Condition keys for fine-grained control. aws:SourceIp, aws:MultiFactorAuthAge; access conditional on context, not just identity. Two caveats: a key that is absent from the request (no MFA keys at all on a call made with a long-term access key, for instance) fails a plain Bool or NumericLessThan test, so a Deny meant to catch missing MFA needs the IfExists form of the operator; and aws:SourceIp sees the public source address only, so requests arriving through a VPC endpoint (use aws:VpcSourceIp) or made by an AWS service on your behalf will not match your CIDR.
- Resource ARNs explicit. Per-resource ARN; wildcards are tech debt; the explicit ARN is the audit-friendly shape. The one exception is actions that do not support resource-level permissions and require Resource "*"; keep those in a statement of their own so the wildcard is visibly scoped to them.
- simulate-principal-policy. aws iam simulate-principal-policy --policy-source-arn <role-arn> --action-names <action> --resource-arns <arn> reports the effective decision for a principal's attached policies and boundary; aws iam simulate-custom-policy does the same for a policy document that is not attached yet. Test policy effect before deploy; cheaper than discovering the over-broad grant in production.
- Document the policy. Per-policy rationale (who needs it, for what, until when) committed to the repo alongside the policy document; supports operational reviews and audit response.
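The two condition-key caveats above, and the wildcard rule, are cheap to check mechanically. What follows is an added example, not AWS code or the cheatsheet's own: a small evaluator for a Condition block run against constructed request contexts, plus a lint for wildcard actions and resources. The KMS key ARN and the CIDRs are placeholders, and only the Bool, StringEquals, NumericLessThan, IpAddress/NotIpAddress and Null operators (with the IfExists suffix) are modelled, which is enough to show why the absent-key behaviour matters.

```python
"""Condition-key evaluation and a wildcard lint for IAM policy statements.

Added example, not AWS or vendor code.  The statements and request contexts
below are constructed for the demo (placeholder key ARN and TEST-NET CIDRs);
only the Bool, StringEquals, NumericLessThan, IpAddress/NotIpAddress and Null
operators and the ...IfExists suffix are modelled, which is enough to show the
absent-key behaviour that trips up MFA-enforcement policies.
"""
import ipaddress


def _values(value):
    return value if isinstance(value, list) else [value]


def _operator_holds(op, actual, expected):
    """One condition operator applied to a context value that is present."""
    if op == "Bool":
        return str(actual).lower() in {e.lower() for e in expected}
    if op == "StringEquals":
        return actual in expected
    if op == "NumericLessThan":
        return any(float(actual) < float(e) for e in expected)
    if op in ("IpAddress", "NotIpAddress"):
        ip = ipaddress.ip_address(actual)
        hit = any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in expected)
        return hit if op == "IpAddress" else not hit
    raise ValueError(f"operator {op} is not modelled in this example")


def condition_holds(condition, context):
    """Evaluate a statement's Condition block against a request context.

    Every operator/key pair must hold.  A key absent from the request fails
    the pair unless the operator carries the IfExists suffix (then the pair
    passes) or the operator is Null, which tests presence itself."""
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        op = operator[:-len("IfExists")] if if_exists else operator
        for key, expected in pairs.items():
            expected = _values(expected)
            present = key in context
            if op == "Null":                       # Null:true means "key must be absent"
                if present == (expected[0].lower() == "true"):
                    return False
                continue
            if not present:
                if if_exists:
                    continue
                return False
            if not _operator_holds(op, context[key], expected):
                return False
    return True


# Allow KMS decryption only from a recent MFA session inside the office ranges.
MFA_DECRYPT = {
    "Effect": "Allow",
    "Action": "kms:Decrypt",
    "Resource": "arn:aws:kms:us-east-1:111111111111:key/11111111-2222-3333-4444-555555555555",
    "Condition": {
        "Bool": {"aws:MultiFactorAuthPresent": "true"},
        "NumericLessThan": {"aws:MultiFactorAuthAge": "3600"},
        "IpAddress": {"aws:SourceIp": ["203.0.113.0/24", "198.51.100.0/24"]},
    },
}

# Two attempts at "deny unless MFA".  Only the second fires for calls made with
# a long-term access key, where the MFA context keys are absent altogether.
DENY_NO_MFA_LEAKY = {"Bool": {"aws:MultiFactorAuthPresent": "false"}}
DENY_NO_MFA = {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}

# Constructed request contexts (values are strings, as IAM presents them).
CTX_MFA_SESSION = {"aws:MultiFactorAuthPresent": "true", "aws:MultiFactorAuthAge": "600", "aws:SourceIp": "203.0.113.7"}
CTX_STALE_MFA = {"aws:MultiFactorAuthPresent": "true", "aws:MultiFactorAuthAge": "7200", "aws:SourceIp": "203.0.113.7"}
CTX_NO_MFA_SESSION = {"aws:MultiFactorAuthPresent": "false", "aws:SourceIp": "203.0.113.7"}
CTX_ACCESS_KEY = {"aws:SourceIp": "198.51.100.9"}        # long-term key: no MFA keys at all
CTX_OFFSITE = {"aws:MultiFactorAuthPresent": "true", "aws:MultiFactorAuthAge": "600", "aws:SourceIp": "192.0.2.5"}


def lint_statement(stmt):
    """Least-privilege smells in an Allow statement: service-wide or global
    wildcard actions and Resource "*".  Some actions genuinely need "*" (no
    resource-level permissions); keep those in a statement of their own so
    the finding marks a deliberate exception rather than a habit."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings
    for action in _values(stmt.get("Action", [])):
        if action == "*" or action.endswith(":*"):
            findings.append(f"wildcard action {action}")
    for resource in _values(stmt.get("Resource", [])):
        if resource == "*":
            findings.append('Resource "*"')
    return findings


if __name__ == "__main__":
    for name, ctx in [("mfa session", CTX_MFA_SESSION), ("stale mfa", CTX_STALE_MFA),
                      ("no-mfa session", CTX_NO_MFA_SESSION), ("access key", CTX_ACCESS_KEY),
                      ("offsite", CTX_OFFSITE)]:
        print(f"{name:15} allow={condition_holds(MFA_DECRYPT['Condition'], ctx)!s:6}"
              f"leaky-deny={condition_holds(DENY_NO_MFA_LEAKY, ctx)!s:6}"
              f"deny={condition_holds(DENY_NO_MFA, ctx)}")
    print(lint_statement({"Effect": "Allow", "Action": "s3:*", "Resource": "*"}))
```

The "access key" row is the whole point of the IfExists caveat: the plain Bool deny never fires for a caller whose request carries no MFA keys at all, so the MFA gate is bypassed by exactly the credential type it was meant to constrain. The same evaluator shows aws:SourceIp doing its job for a call from outside the ranges and the age check rejecting a stale session.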
Why this compounds
IAM policy fluency compounds across services. Each correctly scoped policy reduces breach impact; identity expertise accrues; audit response gets cheaper as the muscle matures.
- Better security posture. Tight policies reduce attack surface; one compromised credential reaches fewer resources, and the explicit ARNs and conditions make the blast radius something you can state rather than estimate.
- Better compliance. Per-policy auditable rationale; SOC 2 evidence collection drops from weeks to hours.
- Better operational fit. Right policy per workload; least-privilege baseline does not block legitimate operations.
- Institutional knowledge. Each policy teaches IAM patterns; the team’s identity engineering muscle grows.
IAM policy fluency is a security discipline that pays off across years. Nova AI Ops integrates with IAM telemetry, surfaces patterns, and supports the team’s identity discipline.