AWS IAM looks simple at first.
A few users, some permissions, maybe an access key or two.
Then months pass.
People leave. Projects change. Keys get shared.
And suddenly you have no idea who can do what anymore.
These are the rules I personally follow to keep IAM boring, predictable, and safe.
Not perfect. Just practical.
One user, one key. No exceptions.
Every IAM user gets a single access key.
Not two. Not “temporary extras”.
If something leaks, I want to know exactly who it belongs to.
Fewer keys = less guessing.
Rotate keys, but avoid them when possible
Yes, rotating keys every 90 days is good practice.
But the real solution is simpler:
Stop using keys where you can.
IAM Roles are cleaner, safer, and don’t end up forgotten in old scripts.
Keys should be the last option, not the default.
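The two rules above (one active key per user, and no key older than the rotation window) are easy to check mechanically. The script below is an added example, not the author's code: it runs the check over a constructed sample shaped like the `AccessKeyMetadata` entries that boto3's `iam.list_access_keys()` returns, and includes a `collect_keys` helper (assumed to be given a boto3 IAM client, not executed here) for pulling the same structure from a live account.

```python
from datetime import datetime, timezone

# Constructed sample shaped like boto3's AccessKeyMetadata entries.
# Key ids are made-up placeholders, not real credentials.
SAMPLE_KEYS = {
    "alice": [
        {"AccessKeyId": "AKIAEXAMPLEALICE0001", "Status": "Active",
         "CreateDate": datetime(2024, 1, 10, tzinfo=timezone.utc)},
    ],
    "bob": [
        {"AccessKeyId": "AKIAEXAMPLEBOB000001", "Status": "Active",
         "CreateDate": datetime(2024, 5, 1, tzinfo=timezone.utc)},
        {"AccessKeyId": "AKIAEXAMPLEBOB000002", "Status": "Active",
         "CreateDate": datetime(2024, 6, 1, tzinfo=timezone.utc)},
    ],
    "carol": [],  # no keys at all: the ideal state for a console-only user
}

# Fixed reference time so the sample findings are reproducible.
SAMPLE_NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)


def audit_access_keys(keys_by_user, now, max_age_days=90):
    """Return (user, finding, detail) tuples for two rules:
    more than one active key per user, and any active key older
    than max_age_days."""
    findings = []
    for user, keys in keys_by_user.items():
        active = [k for k in keys if k["Status"] == "Active"]
        if len(active) > 1:
            findings.append((user, "MULTIPLE_ACTIVE_KEYS", len(active)))
        for key in active:
            age_days = (now - key["CreateDate"]).days
            if age_days > max_age_days:
                findings.append((user, "KEY_OLDER_THAN_MAX", key["AccessKeyId"]))
    return findings


def collect_keys(iam_client):
    """Build the same structure from a live account with a boto3 IAM client.
    Both list calls are paginated, so large accounts are handled too."""
    keys_by_user = {}
    for page in iam_client.get_paginator("list_users").paginate():
        for user in page["Users"]:
            name = user["UserName"]
            keys = []
            for key_page in iam_client.get_paginator(
                    "list_access_keys").paginate(UserName=name):
                keys.extend(key_page["AccessKeyMetadata"])
            keys_by_user[name] = keys
    return keys_by_user


if __name__ == "__main__":
    # Swap SAMPLE_KEYS for collect_keys(boto3.client("iam")) on a real account.
    for finding in audit_access_keys(SAMPLE_KEYS, SAMPLE_NOW):
        print(*finding)
```

Run against the sample, it reports alice's key as past the 90-day window and bob as holding two active keys; carol, who has none, produces nothing, which is the outcome the "avoid keys when possible" rule is aiming for.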
Permissions live in groups, not people
I never assign policies directly to users.
Instead:
- Create groups (e.g. developers, billing, read-only)
- Attach policies to groups
- Add users to groups
When someone joins or leaves, it’s one click.
No hunting through random policies.
Nobody needs god mode
Full admin access feels convenient.
It’s also how mistakes turn into incidents.
Most people only need:
- Read access
- Or very specific actions
If someone truly needs admin, make it temporary.
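The "groups, not people" and "nobody needs god mode" rules can be audited together from a snapshot of who is in which group and what is attached where. The script below is an added example, not the author's tooling: it works on a constructed snapshot (group names and users are made up; the policy ARNs are real AWS managed policies), flags users with policies attached directly to them, and resolves each user's effective policies through their groups to find who ends up with `AdministratorAccess`.

```python
# Real AWS managed policy that grants full admin ("god mode").
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

# Constructed snapshot of an account; shape is our own, not boto3's.
SNAPSHOT = {
    "groups": {
        "developers": ["arn:aws:iam::aws:policy/PowerUserAccess"],
        "read-only": ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
        "admins": [ADMIN_POLICY_ARN],
    },
    "users": {
        "alice": {"groups": ["developers"], "attached": []},
        # bob got a policy attached directly: the pattern to avoid
        "bob": {"groups": ["read-only"],
                "attached": ["arn:aws:iam::aws:policy/AmazonS3FullAccess"]},
        "carol": {"groups": ["admins"], "attached": []},
    },
}


def effective_policies(snapshot, user):
    """Union of a user's directly attached policies and their groups' policies."""
    info = snapshot["users"][user]
    policies = set(info["attached"])
    for group in info["groups"]:
        policies.update(snapshot["groups"].get(group, []))
    return policies


def audit_attachments(snapshot):
    """Report users breaking the two rules: direct attachments, and
    standing admin access (reached directly or via any group)."""
    direct = [u for u, info in snapshot["users"].items() if info["attached"]]
    admins = [u for u in snapshot["users"]
              if ADMIN_POLICY_ARN in effective_policies(snapshot, u)]
    return {"direct_attachments": direct, "effective_admins": admins}


if __name__ == "__main__":
    print(audit_attachments(SNAPSHOT))
```

On a real account the same snapshot can be built from `list_users`, `list_groups_for_user`, `list_attached_user_policies` and `list_attached_group_policies`; inline policies (`list_user_policies`) deserve the same treatment, since they are an even less visible way for permissions to live on people instead of groups.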
Always keep a support role ready
At some point, something will go wrong.
Having a dedicated IAM Role for AWS Support means:
- You can grant access instantly
- Without touching your main users
It’s one of those things you don’t need… until you really do.
EC2 should never use access keys
If an EC2 instance needs AWS access, it gets an IAM Role. Not a key.
Hardcoded credentials inside servers are just future leaks waiting to happen.
Roles rotate automatically.
Keys don’t.
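The cheapest way to find the "future leaks" this section warns about is to scan the files already sitting on your servers for the shape of a long-lived key. The script below is an added example, not the author's code: it looks for AWS access key IDs (the documented `AKIA` prefix followed by 16 upper-case alphanumerics) and for `aws_secret_access_key` assignments, over a constructed set of files embedded inline. The key ID is a made-up placeholder and the secret is the example value from AWS's own documentation; neither is a real credential.

```python
import re

# Access key IDs start with AKIA and are 20 characters long.
ACCESS_KEY_ID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# A secret assignment: the variable name, =/: and a 40-char base64-ish value.
SECRET_RE = re.compile(
    r"aws_secret_access_key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})", re.IGNORECASE)

# Constructed sample files: one with hardcoded keys, one relying on the
# instance role. Paths and contents are made up for this example.
SAMPLE_FILES = {
    "/opt/app/deploy.sh": (
        "export AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000001\n"
        "export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "aws s3 sync . s3://example-bucket\n"
    ),
    "/opt/app/config.py": (
        "REGION = 'us-east-1'\n"
        "# credentials come from the instance profile; nothing is stored here\n"
    ),
}


def scan_for_hardcoded_credentials(files):
    """Return (path, line_number, kind) for every line that looks like a
    hardcoded AWS access key id or secret access key."""
    hits = []
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), start=1):
            if ACCESS_KEY_ID_RE.search(line):
                hits.append((path, lineno, "ACCESS_KEY_ID"))
            if SECRET_RE.search(line):
                hits.append((path, lineno, "SECRET_ACCESS_KEY"))
    return hits


def scan_directory(root):
    """Same scan over real files under root (not run in this example)."""
    import os
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    files[path] = fh.read()
            except OSError:
                continue  # unreadable or special file; skip it
    return scan_for_hardcoded_credentials(files)


if __name__ == "__main__":
    for hit in scan_for_hardcoded_credentials(SAMPLE_FILES):
        print(*hit)
```

Anything this turns up on an instance is a key that should be replaced by the instance role and then deactivated in IAM; the clean `config.py` shows what a file looks like when the role does the work.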
Let IAM Access Analyzer judge you
AWS already tells you when your policies are too open.
Turn on IAM Access Analyzer and actually look at it.
It’s like linting for your permissions.
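To make the "linting for your permissions" comparison concrete, here is a small policy linter as an added example; it is not Access Analyzer and not the author's code. Access Analyzer reasons about who can actually reach a resource; this linter only looks at the policy document itself for the most common over-broad patterns: `Allow` with `Action: "*"` or a service-wide `service:*`, `Allow` with `Resource: "*"`, `Allow` via `NotAction`, and a resource policy with `Principal: "*"`. The sample policies and bucket name are constructed.

```python
import json


def _as_list(value):
    """IAM lets most fields be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(doc):
    """Return (Sid, finding) tuples for Allow statements that are wider
    than they probably need to be. Deny statements are left alone."""
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        principal = stmt.get("Principal")

        if "*" in actions:
            findings.append((sid, "ALLOW_ALL_ACTIONS"))
        elif any(a.endswith(":*") for a in actions):
            findings.append((sid, "ALLOW_SERVICE_WILDCARD"))
        if "NotAction" in stmt:
            findings.append((sid, "ALLOW_WITH_NOTACTION"))
        if "*" in resources:
            findings.append((sid, "ALLOW_ALL_RESOURCES"))
        if principal == "*" or (
                isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            findings.append((sid, "PUBLIC_PRINCIPAL"))
    return findings


# Constructed sample policies (bucket name is made up).
GOD_MODE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "GodMode", "Effect": "Allow",
                 "Action": "*", "Resource": "*"}]
}""")

SCOPED = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "ReadOneBucket", "Effect": "Allow",
                 "Action": ["s3:GetObject", "s3:ListBucket"],
                 "Resource": ["arn:aws:s3:::example-bucket",
                              "arn:aws:s3:::example-bucket/*"]}]
}""")

PUBLIC_BUCKET = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::example-bucket/*"}]
}""")


if __name__ == "__main__":
    for name, doc in [("GOD_MODE", GOD_MODE), ("SCOPED", SCOPED),
                      ("PUBLIC_BUCKET", PUBLIC_BUCKET)]:
        print(name, lint_policy(doc) or "clean")
```

Treat the output as a prompt to look, not a verdict: some IAM actions do not support resource-level permissions and legitimately need `Resource: "*"`, and a `Condition` block can narrow a statement this linter reports as wide. That gap between "looks broad" and "is reachable" is exactly what Access Analyzer exists to close.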
Multiple accounts? Use Organizations
Once you manage more than one AWS account:
Use AWS Organizations.
With:
- Service Control Policies (SCPs)
- Cross-account roles
You get real structure instead of copy-pasted chaos.
CloudShell is optional, not mandatory
CloudShell is useful, but it’s still a browser-based terminal with real permissions.
If no one uses it, disable it.
Less surface area = less risk.
The real rule
Most IAM disasters don’t come from hackers.
They come from old keys, forgotten users, and lazy permissions.
Good IAM isn’t fancy.
It’s just consistent.
And consistency is what actually keeps things secure.