AWS IAM Best Practices

AWS recommends the following AWS Identity and Access Management service – IAM Best Practices to secure AWS resources

Root Account – Protect & Minimize Root User Usage

• Do not use the AWS Root account which has full access to all the AWS resources and services including the Billing information.
• Permissions associated with the AWS Root account cannot be restricted.
• Do not generate the access keys, if not required.
• If already generated and not needed, delete the access keys.
• If access keys are needed, rotate (change) the access key regularly.
• Never share the Root account credentials or access keys, instead create IAM users or Roles to grant granular access.
• Enable AWS multifactor authentication (MFA) on the AWS account — AWS now enforces MFA for all root users across all account types (as of June 2025).
• Use phishing-resistant MFA methods such as passkeys or FIDO2 security keys for root account protection.
• Use centralized root access management in AWS Organizations to monitor, remove, and prevent recovery of long-term root credentials across member accounts.
• Root users must register MFA within 35 days of first sign-in attempt if not already enabled.

Use Federation with IAM Identity Center for Human Users

• Don’t use the AWS root account credentials to access AWS, and don’t share the credentials with anyone else.
• Use AWS IAM Identity Center (formerly AWS SSO) for centralized access management to provide workforce access to AWS accounts using temporary credentials.
• Use an identity provider (IdP) for federated access to AWS accounts by assuming IAM roles, which provide temporary credentials.
• IAM Identity Center supports integration with external identity providers (Okta, Azure AD, Google Workspace, etc.) or its own built-in identity store.
• Create individual IAM users only for specific legacy use cases that cannot use federation (e.g., third-party tools, CodeCommit SSH access, Amazon Keyspaces).
• For scenarios requiring IAM users with programmatic access, use long-term credentials only when temporary credentials via roles are not feasible.

Groups – Use groups to assign permissions to IAM users

• Instead of defining permissions for individual IAM users, create groups and define the relevant permissions for each group as per the job function, and then associate IAM users to those groups.
• Users in an IAM group inherit the permissions assigned to the group and a User can belong to multiple groups.
• It is much easier to add new users, remove users and modify the permissions of a group of users.

Permission – Apply Least-Privilege Permissions

• IAM user, by default, is created with no permissions.
• Users should be granted LEAST PRIVILEGE as required to perform a task.
• Starting with minimal permissions and adding to the permissions as required to perform the job function is far better than granting all access and trying to then tighten it down.
• Get started with AWS managed policies for common use cases and move toward least-privilege with customer managed policies specific to your use cases.
• Use IAM Access Analyzer policy generation to generate fine-grained policies based on actual access activity logged in CloudTrail.
• Use IAM last accessed information to identify and remove unused permissions, policies, and credentials.

Passwords – Enforce strong password policy for users

• Enforce users to create strong passwords and enforce them to rotate their passwords periodically.
• Enable a strong password policy to define password requirements forcing users to create passwords with requirements like at least one capital letter, one number, and how frequently it should be rotated.

MFA – Require MFA for All Users

• Enable MultiFactor Authentication (MFA) for all IAM users, especially those with privileged access to sensitive resources or APIs.
• AWS now enforces MFA for root users across all account types — Organizations management accounts (May 2024), standalone accounts (June 2024), and all remaining root users (June 2025).
• Use phishing-resistant MFA such as passkeys and FIDO2 security keys wherever possible.
• Passkeys (supported since June 2024) use public key cryptography for strong, phishing-resistant authentication that works across devices.
• AWS supports up to 8 MFA devices per root and IAM user.
• Synced passkeys allow users to access their FIDO sign-in credentials across multiple devices without re-enrolling each device.
• MFA prevents over 99% of password-related attacks.
• If using IAM Identity Center, configure MFA capabilities within Identity Center when using its built-in identity store or AD Connector.

Role – Use Temporary Credentials with IAM Roles

• Use roles for workloads instead of creating IAM users and hardcoding the credentials which can compromise the access and are also hard to rotate.
• Roles have specific permissions and do not have a permanent set of credentials.
• Roles provide a way to access AWS by relying on dynamically generated & automatically rotated temporary security credentials.
• For workloads running on AWS compute services (EC2, Lambda, ECS), IAM roles deliver temporary credentials automatically.
• For workloads running outside AWS, use:
  • IAM Roles Anywhere — obtain temporary credentials using X.509 certificates from your PKI (credentials valid up to 12 hours).
  • AssumeRoleWithSAML — using SAML assertions from an external IdP.
  • AssumeRoleWithWebIdentity — using JWT from an OIDC-compatible IdP.
  • AWS IoT Core — using Mutual TLS (MTLS) authentication for IoT devices.
• Additional options for hybrid workloads: ECS Anywhere, EKS Hybrid Nodes, and Systems Manager Hybrid Activations all deliver temporary credentials to external compute resources.

Sharing – Delegate using roles

• Allow users from same AWS account, another AWS account, or externally authenticated users (either through any corporate authentication service or through Google, Facebook etc) to use IAM roles to specify the permissions which can then be assumed by them.
• A role can be defined that specifies what permissions the IAM users in the other account are allowed, and from which AWS accounts the IAM users are allowed to assume the role.

Rotation – Update Access Keys When Needed

• Where possible, rely on temporary credentials instead of creating long-term credentials such as access keys.
• For scenarios requiring IAM users with programmatic access and long-term credentials, update access keys when needed (e.g., when an employee leaves).
• Use IAM access last used information to update and remove access keys safely.
• Access keys allow creation of 2 active keys at the same time for a user. These can be used to rotate the keys.

Track & Review – Regularly Remove Unused Credentials

• Remove IAM users, roles, permissions, policies, and credentials (passwords and access keys) that are not needed.
• Use the IAM Credential report that lists all IAM users in the account and the status of their various credentials, including passwords, access keys, and MFA devices and usage patterns.
• Use IAM last accessed information to identify users, roles, and permissions no longer needed.
• Passwords and access keys that have not been used recently might be good candidates for removal.
• Use IAM Access Analyzer unused access analysis to continuously identify unused roles, access keys, passwords, and unused service/action-level permissions across your organization.

Conditions – Use policy conditions for extra security

• Define conditions under which IAM policies allow access to a resource.
• Conditions would help provide finer access control to the AWS services and resources for e.g. access limited to a specific IP range, requiring TLS for all requests, allowing only encrypted requests for uploads to S3 buckets, or restricting access to specific AWS services like CloudFormation.

Auditing – Monitor activity in the AWS account

• Enable logging features provided through CloudTrail, S3, CloudFront in AWS to determine the actions users have taken in the account and the resources that were used.
• Log files show the time and date of actions, the source IP for an action, which actions failed due to inadequate permissions, and more.

Use IAM Access Analyzer

• IAM Access Analyzer provides multiple capabilities to help achieve least privilege:
• External access analysis — identifies resources shared with external principals and generates findings for public and cross-account access.
• Unused access analysis — continuously identifies unused IAM roles, unused access keys, unused passwords, and unused service/action-level permissions across your organization (paid feature).
• Policy generation — generates fine-grained least-privilege policies based on actual access activity captured in CloudTrail logs.
• Policy validation — provides 100+ policy checks and actionable recommendations to ensure policies adhere to IAM best practices.
• Custom policy checks — CheckNoNewAccess and CheckAccessNotGranted APIs to verify policies don’t grant unintended access.
• Guided revocation — provides guidance to revoke unused permissions, with quick links to delete unused roles, access keys, and passwords.
• Integrates with AWS Security Hub for centralized unused access findings.

Use Permissions Boundaries

• Use IAM Permissions Boundaries to delegate permissions management within an account.
• IAM permissions boundaries help set the maximum permissions that you delegate and that an identity-based policy can grant to an IAM role.
• A permissions boundary does not grant permissions on its own.

Establish Permissions Guardrails Across Multiple Accounts

• Use AWS Organizations to separate workloads using multiple accounts.
• Use Service Control Policies (SCPs) to establish permissions guardrails controlling access for all IAM principals (roles and users) across accounts.
• Use Resource Control Policies (RCPs) (launched November 2024) to establish permissions guardrails controlling access to AWS resources across your organization.
  • RCPs set the maximum available permissions on resources at the organization, OU, or account level.
  • RCPs complement SCPs — SCPs restrict what principals can do, RCPs restrict what can be done to resources.
  • RCPs help establish data perimeters by restricting external access to resources at scale.
• SCPs and RCPs do not grant permissions — you must still attach identity-based or resource-based policies to grant access.

Use AWS Managed Policies and Move Toward Least Privilege

• Start with AWS managed policies that grant permissions for common use cases and job functions.
• AWS managed policies may not grant least-privilege for specific use cases as they are designed for all AWS customers.
• Reduce permissions further by defining customer managed policies specific to your use cases.
• Use AWS managed policies for job functions (e.g., ViewOnlyAccess, SystemAdministrator, DatabaseAdministrator) as starting points.

1. Your organization is preparing for a security assessment of your use of AWS. In preparation for this assessment, which two IAM best practices should you consider implementing? Choose 2 answers
   1. Create individual IAM users for everyone in your organization (May not be needed as can use IAM Identity Center with federation)
   2. Configure MFA on the root account and for privileged IAM users
   3. Assign IAM users and groups configured with policies granting least privilege access
   4. Ensure all users have been assigned and are frequently rotating a password, access ID/secret key, and X.509 certificate (Must be assigned only if using console or through command line)
2. What are the recommended best practices for IAM? (Choose 3 answers)
   1. Grant least privilege
   2. Use the AWS account(root) for regular user
   3. Use Mutli-Factor Authentication (MFA)
   4. Store access key/private key in git
   5. Rotate credentials regularly
3. Which of the below mentioned options is not a best practice to securely manage the AWS access credentials?
   1. Enable MFA for privileged users
   2. Create individual IAM users
   3. Keep rotating your secure access credentials at regular intervals
   4. Create strong access key and secret access key and attach to the root account
4. Your CTO is very worried about the security of your AWS account. How best can you prevent hackers from completely hijacking your account?
   1. Use short but complex password on the root account and any administrators.
   2. Use AWS IAM Geo-Lock and disallow anyone from logging in except for in your city.
   3. Use MFA on all users and accounts, especially on the root account. (For increased security, it is recommend to configure MFA to help protect AWS resources. AWS now enforces MFA for all root users.)
   4. Don’t write down or remember the root account password after creating the AWS account.
5. Fill the blanks: ____ helps us track AWS API calls and transitions, ____ helps to understand what resources we have now, and ____ allows auditing credentials and logins.
   1. AWS Config, CloudTrail, IAM Credential Reports
   2. CloudTrail, IAM Credential Reports, AWS Config
   3. CloudTrail, AWS Config, IAM Credential Reports
   4. AWS Config, IAM Credential Reports, CloudTrail
6. A company wants to ensure that its workforce users access AWS accounts using temporary credentials and centralized access management. Which AWS service should they use? [Updated 2026]
   1. AWS Directory Service
   2. AWS IAM Identity Center
   3. Amazon Cognito
   4. AWS Certificate Manager
7. An organization needs to provide temporary AWS credentials to workloads running on-premises that cannot use IAM Identity Center. Which service should they use? [Updated 2026]
   1. AWS STS AssumeRole
   2. IAM User access keys
   3. IAM Roles Anywhere
   4. AWS Secrets Manager
8. Which IAM Access Analyzer capability helps identify unused IAM roles, access keys, and permissions across an AWS Organization? [Updated 2026]
   1. External access analysis
   2. Policy validation
   3. Unused access analysis
   4. Policy generation
9. Which AWS Organizations policy type was introduced in November 2024 to centrally restrict access to AWS resources across an organization? [Updated 2026]
   1. Service Control Policies (SCPs)
   2. Tag Policies
   3. Backup Policies
   4. Resource Control Policies (RCPs)
10. Which MFA method does AWS recommend as the most secure, phishing-resistant option for protecting AWS accounts? [Updated 2026]
    1. Virtual MFA device (authenticator app)
    2. SMS text message codes
    3. Hardware TOTP token
    4. Passkeys and FIDO2 security keys

References

• AWS IAM Security Best Practices Documentation
• AWS IAM Best Practices Resource Page
• AWS IAM Identity Center Documentation
• IAM Roles Anywhere Documentation
• IAM Access Analyzer Documentation
• Resource Control Policies (RCPs) Documentation
• AWS MFA Requirements Expansion Blog