#2 AWS IAM Security Review: Manual Access Audit & Temporary Role Implementation

Overview

This lab demonstrates a hands-on AWS IAM security review focused on identifying and mitigating over-privileged access, enforcing least privilege, and implementing temporary, auditable administrative access using IAM roles and STS — all within a Free Tier, single-account environment.

Environment

• Account Type: Single AWS Account (Free Tier)
• Tools Used: AWS IAM Console, IAM Access Analyzer, AWS CloudTrail
• Scope: IAM Users, Groups, Roles
• Limitations: No AWS Organizations, no paid security services

Objective

• Identify over-privileged IAM users
• Remove unnecessary standing permissions
• Replace persistent admin access with temporary, role-based access
• Ensure actions are auditable and time-bound
• Follow AWS least-privilege and security best practices

Users in Scope

• admin_user: Standing AdministratorAccess (lab exception)
• ops_user: Standing AdministratorAccess (to be removed)
• dev_user: AmazonS3FullAccess + AmazonEC2ReadOnlyAccess
• audit_user: ReadOnlyAccess
• test_user: Orphaned / revoked

Key Steps

1. IAM Users & Groups Review
   Identified standing admin access on ops_user and admin_user.
2. Access Analyzer Scan
   No external access findings; confirmed no unintended permissions.
3. Temporary Admin Role Creation
   AdminRole with AdministratorAccess, trust limited to ops_user, MFA required.
4. Removal of Standing Admin Access
   Detached AdministratorAccess from ops_user (user & group level).
5. Validation
   Assumed AdminRole via Switch Role, tested S3/EC2 actions, confirmed no standing access remains.
6. Logging & Audit
   CloudTrail enabled; verified AssumeRole events and temporary credentials.

Lessons Learned

• IAM users should not hold standing administrative permissions
• Roles + STS significantly reduce blast radius
• Trust policies are as critical as permission policies
• Testing destructive actions validates real-world access
• Enterprise-grade security patterns achievable in Free Tier

"This lab mirrors real-world IAM evolution: from standing user permissions → temporary, auditable role-based access."

Outcome

Standing admin access removed • Temporary role-based access implemented • All actions auditable via CloudTrail • Least privilege enforced • Risks mitigated.

Next Steps

• Automate role assumption & revocation
• Use granular custom policies
• Integrate CloudTrail monitoring & alerts

Screenshots from the Lab

0000001

1 1 0IAM access analyzer created

1 1 1 analyzer no finds

1 1 2 0 0AdminRole

1 1 2 0 0AdminRole proof

1 1 2 AdminRole working

1 1 3 AdminRole – Permissions Tab

1 1 3 AdminRole working2 ops no group

← →