AWS IAM Review Checklist for Growing Businesses

Posted by

Cloudain Editorial Team


Article Info

Category: Cloud Security
Published: 2026-06-05
Read Time: 6 min read


A practical AWS IAM review checklist for growing businesses that want to reduce permission risk before security issues appear.


Many AWS environments start simple. One account, a handful of users, a few S3 buckets. Over time, teams grow, integrations multiply, and permissions accumulate quietly in the background. Without a regular IAM review, that accumulation becomes risk.

This checklist is for technology leaders who want a practical starting point — not a compliance exercise, but a real working review that takes a few hours and produces useful findings.

1. Audit Users With Administrator Access

Administrator access in AWS should be limited to a very small number of people — typically two or three individuals, not entire teams. Pull the list of users and roles with AdministratorAccess or arn:aws:iam::aws:policy/AdministratorAccess attached. Review each one. If you cannot immediately explain why that person or system needs full administrator access, that is a finding.

2. Identify Inactive Users and Access Keys

AWS IAM Credential Report (available under IAM → Credential report) shows the last time each user logged in or used their access key. Any user inactive for 90 days or more should be reviewed. Any access key unused for 60 days should be rotated or removed. Stale credentials are a common entry point in cloud breaches.
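To turn this step into a repeatable check, here is an added example (not code from the article or from Cloudain) that scores a downloaded credential report against the 90-day user and 60-day key thresholds above, and also flags console users without MFA, which overlaps with step 6. The report text is constructed sample data in the real report's column layout, and the review date is an assumed constant.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the IAM credential report's CSV layout (not real data).
# The placeholder values (N/A, no_information, not_supported) are the ones the real report uses.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2023-01-01T00:00:00+00:00,not_supported,2026-06-01T09:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-03-10T00:00:00+00:00,true,2026-06-02T08:15:00+00:00,2026-01-10T00:00:00+00:00,N/A,true,true,2026-01-10T00:00:00+00:00,2026-06-02T08:20:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2022-07-01T00:00:00+00:00,true,2025-12-01T10:00:00+00:00,2025-06-01T00:00:00+00:00,N/A,false,true,2024-02-01T00:00:00+00:00,2026-01-15T00:00:00+00:00,eu-west-1,ec2,true,2025-09-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2024-05-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-05-01T00:00:00+00:00,2026-06-03T01:00:00+00:00,us-east-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""
AS_OF = datetime(2026, 6, 5, tzinfo=timezone.utc)  # date the review is run (assumed)

def _when(ts):
    # Report timestamps are ISO 8601; any placeholder value means "never".
    if ts in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(ts)

def review_credential_report(report_csv, now, user_days=90, key_days=60):
    """Return (user, finding) pairs: console users inactive for user_days or more,
    active access keys unused for key_days or more (or never used), and, for step 6,
    console users without MFA. Thresholds default to the article's 90 and 60 days."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row["password_enabled"] == "true":            # user has console access
            last = _when(row["password_last_used"])
            if last is None or now - last >= timedelta(days=user_days):
                findings.append((user, f"console login inactive >= {user_days} days"))
            if row["mfa_active"] != "true":
                findings.append((user, "console access without MFA"))
        for n in ("1", "2"):                             # each user may hold two keys
            if row[f"access_key_{n}_active"] != "true":
                continue
            last = _when(row[f"access_key_{n}_last_used_date"])
            if last is None or now - last >= timedelta(days=key_days):
                findings.append((user, f"access key {n} unused >= {key_days} days or never used"))
    return findings

def run_sample():
    return review_credential_report(SAMPLE_REPORT, AS_OF)

if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{user}: {finding}")
```

On a real account, feed the block the CSV returned by the IAM console's Credential report download (or the CLI's get-credential-report) in place of the sample, and adjust AS_OF to the review date.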

3. Review Service Account Permissions

Service accounts — the IAM users or roles used by applications, CI/CD pipelines, and automated jobs — often accumulate permissions over time. A deployment script that once needed S3 write access now has EC2, RDS, and Lambda permissions attached from a previous project. Review each service role and remove permissions that the service no longer uses.

4. Check for Wildcard Permissions

Search your IAM policies for "Action": "*" or "Resource": "*". These wildcard permissions grant broader access than most workloads require. Scoped permissions — for example, s3:GetObject limited to a specific bucket — reduce the blast radius if a service account is ever compromised.

5. Review Cross-Account Trust Relationships

IAM roles that trust external AWS accounts allow those accounts to assume the role and act within your environment. Review the trust policies on all IAM roles. If you do not recognise the account ID in a trust policy, investigate before removing — it may be a vendor integration — but any unknown trust relationship is a priority finding.
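As an added example for steps 4 and 5 (not code from the article or from Cloudain), the following checks run over policy documents in the JSON form the IAM API returns. The wildcard check flags Allow statements with a bare "*" Action or Resource and, going beyond the article's pattern, service-wide actions such as "ec2:*"; the trust check lists AWS principals whose account is not on a list you maintain of owned and documented (including vendor) accounts. Both policies and all account IDs are constructed placeholders.

```python
import json
# Constructed sample policies (not from a real account; account IDs are placeholders).
IDENTITY_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-assets/*"},
  {"Effect": "Allow", "Action": ["ec2:*", "rds:DescribeDBInstances"], "Resource": "*"},
  {"Effect": "Allow", "Action": "*", "Resource": "*"},
  {"Effect": "Deny", "Action": "*", "Resource": "*",
   "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}""")

TRUST_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "sts:AssumeRole",
   "Principal": {"AWS": "arn:aws:iam::111122223333:root"}},
  {"Effect": "Allow", "Action": "sts:AssumeRole",
   "Principal": {"AWS": ["arn:aws:iam::999988887777:role/vendor-monitor", "444455556666"]}},
  {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"Service": "lambda.amazonaws.com"}}]}""")

def _as_list(v):
    # Policy elements may be a single string or a list; normalise to a list.
    return v if isinstance(v, list) else [v]

def find_wildcards(policy):
    """Step 4: Allow statements whose Action is '*' or service-wide 'svc:*', or whose
    Resource is '*'. Deny statements are skipped: a Deny on '*' is how an MFA guard is written."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        acts = [a for a in _as_list(st.get("Action", [])) if a == "*" or a.endswith(":*")]
        res = [r for r in _as_list(st.get("Resource", [])) if r == "*"]
        if acts or res:
            findings.append((i, acts, res))
    return findings

def _account_of(principal):
    # The account ID is the fifth ARN field; a bare 12-digit string is also a valid principal.
    return principal.split(":")[4] if principal.startswith("arn:") else principal

def unknown_trusts(trust_policy, known_accounts):
    """Step 5: AWS principals in a role's trust policy whose account is not on your list of
    owned or documented (e.g. vendor) accounts. Service principals are AWS services, not
    external accounts, so they are not checked here."""
    unknown = []
    for st in trust_policy["Statement"]:
        principal = st.get("Principal", {})
        if principal == "*":           # anyone can assume the role: always a finding
            unknown.append("*")
            continue
        for p in _as_list(principal.get("AWS", [])):
            if p == "*" or _account_of(p) not in known_accounts:
                unknown.append(p)
    return unknown
```

A principal that is unknown is the cue to investigate, as the text says, not to delete: confirm whether it belongs to a vendor integration before changing the trust policy.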

6. Confirm MFA Is Enforced

Multi-factor authentication should be required for all human users who have console access, especially those with elevated permissions. MFA can be enforced through AWS Organizations service control policies or through IAM policy conditions. Check whether your account has an MFA enforcement policy in place.

7. Document What You Find

The output of an IAM review is only useful if it leads to action. Record the findings, assign owners, and set remediation timelines. A quarterly IAM review with documented outcomes is far more effective than a one-time audit.

Cloudain Perspective

Cloudain works with growing businesses to establish cloud governance practices that keep IAM review part of normal operations rather than an emergency response. If you want a structured IAM review for your AWS environment, we can help you run one.
