Comprehensive AWS IAM security framework implementing least privilege, permission boundaries, ABAC, IAM Access Analyzer, and automated credential hygiene — preventing privilege escalation and credential compromise at enterprise scale.
| Component | Purpose | Files |
|---|---|---|
| Permission Boundaries | Prevent privilege escalation | modules/permission-boundaries/ |
| ABAC Policies | Tag-based dynamic least privilege | modules/iam-roles/abac.tf |
| Access Analyzer | Detect external access + unused permissions | modules/access-analyzer/ |
| Credential Hygiene | Rotate/disable stale keys automatically | scripts/python/credential_hygiene.py |
| IAM Reporting | Weekly privilege report for all accounts | scripts/python/iam_report.py |
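The decision logic behind a stale-key check like the one `credential_hygiene.py` is described as running (report keys unused for more than 90 days, then disable them unless `--dry-run` is set), as an added example written for this README; it is not the repository's script. It consumes the IAM credential report (`iam.generate_credential_report()` followed by `iam.get_credential_report()["Content"]`), replaced here by a constructed CSV carrying only the columns the check needs; the account ID, user names, key IDs and `FakeIAM` stand-in are constructed as well.

```python
"""Stale access-key detection and remediation over the IAM credential report.
Added illustration for this README, not the repository's credential_hygiene.py.
Real input: iam.get_credential_report()["Content"].decode(); here a constructed
CSV with the same column names and value conventions as the real report."""
import csv
import io
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
NOW = datetime(2025, 1, 1, tzinfo=UTC)  # fixed "today" so the example is deterministic

# Constructed sample (trimmed to the columns used). 'N/A' means no such key/usage.
SAMPLE_REPORT = """\
user,arn,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,true,2024-11-01T00:00:00+00:00,2024-12-20T09:30:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,true,2024-06-01T00:00:00+00:00,2024-08-15T00:00:00+00:00,false,N/A,N/A
carol,arn:aws:iam::123456789012:user/carol,true,2024-01-10T00:00:00+00:00,N/A,true,2024-12-28T00:00:00+00:00,N/A
dave,arn:aws:iam::123456789012:user/dave,false,2023-02-01T00:00:00+00:00,2023-03-01T00:00:00+00:00,false,N/A,N/A
"""


def parse_ts(value):
    """Report timestamps are ISO 8601; 'N/A', 'no_information' etc. mean unknown."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def stale_keys(report_csv, now=NOW, max_age_days=90):
    """Return active access keys unused for more than max_age_days.

    A key that has never been used is judged by its creation date
    (access_key_N_last_rotated is the key's CreateDate), so a freshly
    issued key that has simply not been used yet is not flagged."""
    cutoff = now - timedelta(days=max_age_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue  # root keys are handled out of band, never by automation
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            created = parse_ts(row[f"access_key_{slot}_last_rotated"])
            last_used = parse_ts(row[f"access_key_{slot}_last_used_date"])
            if last_used is None:
                if created is not None and created < cutoff:
                    findings.append({"user": row["user"], "slot": int(slot),
                                     "created": created, "reason": "never used"})
            elif last_used < cutoff:
                findings.append({"user": row["user"], "slot": int(slot), "created": created,
                                 "reason": f"unused for {(now - last_used).days} days"})
    return findings


def remediate(findings, iam, dry_run=True):
    """Disable each stale key through the IAM API.  `iam` is a boto3 IAM client
    (or a stand-in with the same two methods).  The report carries no key IDs,
    so the key is matched on CreateDate, which equals access_key_N_last_rotated.
    Returns the (user, key id) pairs; with dry_run they are only listed."""
    acted = []
    for f in findings:
        for key in iam.list_access_keys(UserName=f["user"])["AccessKeyMetadata"]:
            if key["Status"] == "Active" and key["CreateDate"] == f["created"]:
                acted.append((f["user"], key["AccessKeyId"]))
                if not dry_run:
                    iam.update_access_key(UserName=f["user"], AccessKeyId=key["AccessKeyId"],
                                          Status="Inactive")
    return acted


class FakeIAM:
    """Offline stand-in for the two boto3 IAM calls remediate() uses (constructed data)."""
    def __init__(self):
        self.keys = {
            "bob": [{"AccessKeyId": "AKIAEXAMPLEBOB000001", "Status": "Active",
                     "CreateDate": datetime(2024, 6, 1, tzinfo=UTC)}],
            "carol": [{"AccessKeyId": "AKIAEXAMPLECAROL0001", "Status": "Active",
                       "CreateDate": datetime(2024, 1, 10, tzinfo=UTC)},
                      {"AccessKeyId": "AKIAEXAMPLECAROL0002", "Status": "Active",
                       "CreateDate": datetime(2024, 12, 28, tzinfo=UTC)}],
        }
        self.calls = []  # update_access_key calls actually made

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": self.keys.get(UserName, [])}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.calls.append((UserName, AccessKeyId, Status))


if __name__ == "__main__":
    found = stale_keys(SAMPLE_REPORT)
    for f in found:
        print(f"{f['user']} key {f['slot']}: {f['reason']}")
    print("would disable:", remediate(found, FakeIAM(), dry_run=True))
```

Two points worth keeping from this: a never-used key is aged from its creation date rather than flagged immediately, and remediation matches keys by `CreateDate` because the credential report never exposes access key IDs. Disabling (`Status="Inactive"`) rather than deleting leaves a rollback path if a forgotten workload breaks.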
- No long-term credentials — Use IAM roles, not access keys, wherever possible
- Permission boundaries on all delegated roles — Operators cannot grant themselves, or any role they create, more than the boundary allows
- ABAC over RBAC — Tag-based policies scale to thousands of resources without policy updates
- Just-in-time access — Use IAM Identity Center permission sets with time-limited sessions
- Continuous analysis — Access Analyzer + IAM Findings in Security Hub
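How the first three principles fit together, as an added example written for this README rather than code from the repository's Terraform modules: a permission boundary that caps a delegated role (effective access is the intersection of the identity policy and the boundary, and a Deny in either wins), a delegated-admin policy that allows `iam:CreateRole` only when the `iam:PermissionsBoundary` request key names that boundary, and one ABAC policy whose `StringEquals` condition compares `aws:ResourceTag/team` with `${aws:PrincipalTag/team}`. The policy documents are standard IAM JSON; the evaluator around them is a deliberately simplified model (Allow/Deny, `*`/`?` wildcards, `StringEquals` with `${...}` variables only), not the IAM engine, and the account ID, ARNs and tag values are constructed.

```python
"""Simplified model of permission boundaries and ABAC.  Added for this README;
not the repository's Terraform and not the real IAM evaluation engine.  Only
Allow/Deny, Action/Resource wildcards and StringEquals conditions with
${...} variables are modelled.  Account ID, ARNs and tags are constructed."""
import fnmatch
import re

BOUNDARY_ARN = "arn:aws:iam::123456789012:policy/DeveloperBoundary"

# Boundary: the most a delegated developer role can ever do.  The explicit
# Deny on iam:* stops a role from editing roles, policies or the boundary itself.
DEVELOPER_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
}

# Delegated-admin policy: may create app roles, but only with the boundary set.
DELEGATED_ADMIN = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy"],
        "Resource": "arn:aws:iam::123456789012:role/app-*",
        "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}},
    }],
}

# ABAC: one policy serves every team; the tag comparison does the scoping.
ABAC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Action": "s3:*", "Resource": "*",
        "Condition": {"StringEquals": {"aws:ResourceTag/team": "${aws:PrincipalTag/team}"}},
    }],
}

# An over-broad identity policy, used to show the boundary capping it.
ADMIN_STAR = {"Version": "2012-10-17",
              "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _match(pattern, value):
    """IAM-style wildcard match ('*' and '?'), case-insensitive."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _condition_ok(condition, ctx):
    """StringEquals only.  ${...} variables are resolved from the request
    context; a missing context key or variable never satisfies the test."""
    for key, expected in condition.get("StringEquals", {}).items():
        variables = re.findall(r"\$\{([^}]+)\}", expected)
        if key not in ctx or any(v not in ctx for v in variables):
            return False
        expected = re.sub(r"\$\{([^}]+)\}", lambda m: ctx[m.group(1)], expected)
        if ctx[key] != expected:
            return False
    return True


def evaluate(policy, action, resource, ctx=None):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for a single policy document."""
    ctx = ctx or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt.get("Resource", "*")
        resources = resources if isinstance(resources, list) else [resources]
        if not any(_match(a, action) for a in actions):
            continue
        if not any(_match(r, resource) for r in resources):
            continue
        if not _condition_ok(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny wins over any Allow
        decision = "Allow"
    return decision


def is_allowed(identity_policy, action, resource, boundary=None, ctx=None):
    """Boundary semantics: the request needs an Allow from the identity policy
    AND from the boundary; a Deny or implicit deny in either blocks it."""
    verdicts = [evaluate(identity_policy, action, resource, ctx)]
    if boundary is not None:
        verdicts.append(evaluate(boundary, action, resource, ctx))
    return all(v == "Allow" for v in verdicts)


if __name__ == "__main__":
    role = "arn:aws:iam::123456789012:role/app-web"
    print(is_allowed(ADMIN_STAR, "s3:GetObject", "arn:aws:s3:::data/x", DEVELOPER_BOUNDARY))
    print(is_allowed(ADMIN_STAR, "iam:CreateUser", "*", DEVELOPER_BOUNDARY))
    print(evaluate(DELEGATED_ADMIN, "iam:CreateRole", role, {"iam:PermissionsBoundary": BOUNDARY_ARN}))
    print(evaluate(DELEGATED_ADMIN, "iam:CreateRole", role))
```

The escalation this closes: a developer holding `ADMIN_STAR` still cannot call `iam:CreateUser`, because the boundary's Deny wins, and a delegated admin cannot mint an unbounded role, because `CreateRole` without `iam:PermissionsBoundary` falls through to an implicit deny. For ABAC, note that a caller with no `team` principal tag gets nothing rather than matching an untagged resource; that is why the condition fails closed when the variable is missing.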
```bash
cd terraform/environments/prod
terraform init && terraform plan
```

```bash
# Report stale credentials (>90 days unused)
python3 scripts/python/credential_hygiene.py --report
# Preview which credentials unused for >90 days would be disabled (drop --dry-run to apply)
python3 scripts/python/credential_hygiene.py --remediate --dry-run
```

MIT License