
AWS IAM Least Privilege – How to Clean Up Overpermissioned Accounts

Posted by Nansi T
0 Replies
2 days ago

Many AWS accounts start clean but become messy over time. Users and roles collect permissions that are never removed. This is one of the most common security risks in cloud environments.

Common overpermission problems teams face:

  • Users with AdministratorAccess who only need read access
  • Old IAM users with active access keys that are never used
  • Roles attached to EC2 or Lambda with wildcard permissions
  • No regular review of who has access to what
  • Service accounts shared across multiple applications

What least privilege means in practice:

  • Every user and role should have only the permissions they need to do their job
  • Nothing more, nothing less
  • Review and reduce permissions regularly — not just once during setup

Steps to clean up overpermissioned accounts:

  • Download IAM Credential Report → IAM → Credential Report → Download CSV
  • Identify users with no activity in the last 90 days → disable or delete
  • Check all roles using IAM Access Analyzer → remove unused policies
  • Replace wildcard actions like s3:* with specific ones like s3:GetObject
  • Enable AWS CloudTrail to track what permissions are actually being used
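The clean-up steps above can be scripted rather than eyeballed. The following is an added example (not code from the original post): it parses a credential report in the CSV layout the IAM console downloads (the column names are the real ones; the users, account id and timestamps are constructed), flags users with no sign-in or key use in 90 days and active access keys that were never used, and then scans a constructed IAM policy document for wildcard actions that should be rewritten as explicit ones. The helper names (`find_stale_credentials`, `wildcard_grants`), the 90-day threshold and the `AS_OF` date are this example's own assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of an IAM credential report CSV. The column
# names are the real ones; the users, account id and dates are made up.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::123456789012:root,2022-01-01T00:00:00+00:00,not_supported,2024-05-01T09:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-02-10T08:00:00+00:00,true,2024-05-28T14:10:00+00:00,2024-03-01T00:00:00+00:00,N/A,true,true,2024-03-01T00:00:00+00:00,2024-05-29T07:45:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-06-15T08:00:00+00:00,true,2023-11-02T00:00:00+00:00,2023-06-01T00:00:00+00:00,N/A,false,true,2023-06-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2023-09-01T08:00:00+00:00,false,no_information,N/A,N/A,false,true,2023-09-01T00:00:00+00:00,2024-05-30T03:00:00+00:00,eu-west-1,lambda,true,2024-01-10T00:00:00+00:00,N/A,N/A,N/A,N/A
"""

# Markers the report uses where no timestamp exists.
NO_VALUE = {"N/A", "no_information", "not_supported", ""}

# Fixed "now" so the example is reproducible (assumption for this example).
AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_time(value):
    """Return an aware datetime, or None for the report's no-value markers."""
    if value in NO_VALUE:
        return None
    return datetime.fromisoformat(value)


def find_stale_credentials(report_csv, now, max_idle_days=90):
    """Flag users with no sign-in or key use within max_idle_days, and active
    access keys that were never used or not used within that window."""
    cutoff = now - timedelta(days=max_idle_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        last_seen = [t for t in (
            parse_time(row["password_last_used"]),
            parse_time(row["access_key_1_last_used_date"]),
            parse_time(row["access_key_2_last_used_date"]),
        ) if t is not None]
        if not last_seen:
            # Created but never signed in and never used a key.
            findings.append((user, "no recorded activity since creation"))
        elif max(last_seen) < cutoff:
            idle = (now - max(last_seen)).days
            findings.append((user, f"no activity for {idle} days"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            used = parse_time(row[f"access_key_{n}_last_used_date"])
            if used is None:
                findings.append((user, f"access key {n} is active but has never been used"))
            elif used < cutoff:
                findings.append((user, f"access key {n} is active but unused for {(now - used).days} days"))
    return findings


def wildcard_grants(policy):
    """Return (Sid, action) pairs for Allow statements whose Action contains a
    wildcard: the candidates to rewrite as explicit actions."""
    hits = []
    statements = policy["Statement"]
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    for st in statements:
        if st.get("Effect") != "Allow" or "Action" not in st:
            continue
        actions = st["Action"]
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if "*" in action:
                hits.append((st.get("Sid", "<no Sid>"), action))
    return hits


# Constructed policy: the first statement is the overly broad form, the second
# is the explicit, bucket-scoped replacement the post recommends.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TooBroad", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Sid": "ReadOnlyBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    ],
}

if __name__ == "__main__":
    for user, reason in find_stale_credentials(SAMPLE_REPORT, AS_OF):
        print(f"{user}: {reason}")
    for sid, action in wildcard_grants(SAMPLE_POLICY):
        print(f"statement {sid!r} grants wildcard action {action}")
```

Against the constructed report this flags `bob` (no activity for 212 days, plus an active key that was never used) and the never-used second key on `ci-deploy`, while `alice` and the root account pass; the policy scan reports only the `s3:*` statement. On a real report, treat the last-used columns as a starting point, not proof of disuse: the key-last-used data is tracked per key, and a key rotated recently will show a fresh timestamp even if its owner no longer needs the access.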

Tools that help:

  • AWS IAM Access Analyzer
  • AWS Trusted Advisor (Security checks)
  • AWS CloudTrail
  • IAM Credential Report

Question: Have you ever found an IAM user or role with more permissions than needed? How did you handle it? Share your experience below — it helps the community stay secure.
