Negative-PID-FF-GRADIENT-BLACK-BG-01.png
Linkedin-in Facebook-f Youtube

Designing Least Privilege in the cloud

Negative PID

Digital Investigations
OSINT investigations SOCMINT investigations Dark web investigations Blockchain investigations Background checks Due diligence Evidence gathering Chain of custody
website

This post is about...

Top 10 articles

Social media focus

Core topics
world cloud service concept with digital cloud sig 2025 10 15 02 04 45 utc
Designing Least Privilege in the cloud
Summary

In traditional environments, access control typically stops at the server boundary. In the cloud, however, a single misconfigured role can open your entire environment to compromise. Attackers no longer need root on a box: they need a misassigned IAM policy.

Cloud IAM (Identity and Access Management) is the backbone of security in AWS, Azure, and GCP. Each platform uses slightly different terminology, but the principle is universal: grant only what’s required, and nothing more. This article will guide you through designing, implementing, and auditing least-privilege access models in the three major clouds.

AWS IAM: Policies, Roles, and Boundaries

Core concepts of AWS IAM:

  • Users: Individual identities (humans or applications)
  • Groups: Collections of users sharing permissions
  • Roles: Identities assumed temporarily by AWS services or external entities
  • Policies: JSON documents defining permissions
  • Permission Boundaries: Limits what a user or role can be granted, even by other admins

Example of a minimal S3 access policy: 

				
					{"<a href="https://negativepid.blog/how-to-fix-common-kali-upgrade-errors/">Version</a>":"2012-10-17","Statement":[{"Sid":"AllowListAndReadSpecificBucket","Effect":"Allow","Action":["s3:GetObject","s3:ListBucket"],"Resource":["arn:aws:s3:::my-secure-bucket","arn:aws:s3:::my-secure-bucket\/*"]}]}

Practical steps:

  • Use AWS managed policies as templates, not defaults.
  • Define permission boundaries for delegated administrators.
  • Enable IAM Access Analyzer to detect overly permissive policies.
  • Rotate roles and access keys regularly; avoid static credentials.
  • Pro tip: Use aws iam simulate-principal-policy to test a user’s or role’s effective permissions before deployment.
Azure: Role-Based Access Control (RBAC)

Core concepts of RBAC: 

  • Roles: Predefined or custom sets of permissions (e.g., Reader, Contributor).
  • Assignments: Bind a role to a principal at a specific scope.
  • Scopes: Hierarchical (Management Group → Subscription → Resource Group → Resource).
  • Privileged Identity Management (PIM): Enables time-bound or approval-based elevated access.

Example of assigning a custom role via PowerShell

				
					# Create custom role JSON
$role = @{
    Name = "Storage Reader"
    Description = "Can read <a href="https://negativepid.blog/gaia-x-the-european-cloud-ecosystem/">data</a> from storage accounts only"
    Actions = @("Microsoft.Storage/storageAccounts/read")
    NotActions = @()
    AssignableScopes = @("/subscriptions/xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx")
} | ConvertTo-Json -Depth 5

# Create and assign role
New-AzRoleDefinition -InputFile "storageReader.json"
New-AzRoleAssignment -SignInName "user@domain.com" -RoleDefinitionName "Storage Reader" -Scope "/subscriptions/xxxx"

Practical steps: 

  • Assign roles at the lowest possible scope.
  • Use PIM for “just-in-time” admin access.
  • Regularly export assignments with az role assignment list and review them.
  • Audit changes through Azure Activity Logs.
GCP: IAM and Custom Roles

Core concepts of Gcloud:

  • Members: Users, groups, or service accounts
  • Roles: Collections of permissions; can be basic, predefined, or custom
  • Policies: Bind members to roles at project, folder, or organization level
  • IAM Recommender: Suggests permissions to remove based on usage

Example of creating a custom role via Gcloud:

				
					gcloud iam roles create storageViewer \
  --project my-project \
  --title "Storage Viewer" \
  --description "Read-only access to storage objects" \
  --permissions storage.objects.get,storage.objects.list \
  --stage GA

Practical steps:

  • Prefer predefined roles over basic roles (Owner, Editor, Viewer).
  • Audit policies using: 
				
					gcloud projects get-iam-policy my-project
  • Use IAM Recommender to detect unused privileges: 
				
					gcloud recommender recommendations list \
  --recommender=google.iam.policy.Recommender
Automation across clouds

Managing permissions manually is error-prone. For large environments:

  • Use Terraform or Pulumi to codify roles and policies.
  • Store definitions in Git for version control.
  • Apply policy testing (e.g., terratest, checkov) before deployment.

Example of a Terraform snippet (multi-cloud IAM baseline):

				
					module "iam_baseline" {
  source  = "terraform-aws-modules/iam/aws"
  create_role = true
  role_name   = "read-only-ops"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["ec2:Describe*", "s3:Get*", "s3:List*"]
      Resource = "*"
    }]
  })
}
Continuous monitoring and review
  • AWS: Enable CloudTrail + Access Analyzer
  • Azure: Use Defender for Cloud + Identity Secure Score
  • GCP: Review IAM policies quarterly and track drift with Config Connector

Automate everything: continuous scanning, anomaly detection, and reporting pipelines (e.g., in R, Python, or with SIEM integrations).

Takeaways

Least privilege in the cloud isn’t a checkbox. It’s a continuous lifecycle:

least privilege lifecycle

By moving from root to role, you protect not only your infrastructure but your organization’s entire cloud footprint.

Back to blog
Share this post :

PID Perspectives is migrating to European Servers. Please, let us know if you experience a slow response or technical issues.

Contact