Cloud Security / IAM
Cloud Security Hardening & Access Reduction
Improved cloud security posture by reducing standing access, strengthening identity controls, and shrinking attack surface from unused infrastructure.
Problem
A multi-account cloud environment had accumulated standing IAM access, orphaned resources, and overly permissive policies that expanded the attack surface unnecessarily.
Constraints
Production workloads could not be disrupted, changes required coordination across teams, and some legacy integrations depended on IAM users that needed migration paths.
Approach
Systematically audited IAM access, migrated users to SSO where possible, implemented Service Control Policies to prevent disabling security services, and retired unused resources and stale credentials.
Outcome
Significantly reduced standing access, eliminated orphaned infrastructure, and established guardrails that prevented security controls from being accidentally or intentionally disabled.
Terminal
# audit: how many IAM users have console access + no MFA?$ aws iam generate-credential-report && \$ aws iam get-credential-report --output text --query Content | \$ base64 -d | awk -F, '$4=="true" && $8=="false"' | wc -l12# 12 users with console access and no MFA. fix that.# SCP: prevent anyone from disabling GuardDuty$ cat scp-deny-guardduty-disable.json | jq '.Statement[0].Action'["guardduty:DeleteDetector", "guardduty:DisassociateFromMasterAccount", "guardduty:UpdateDetector"]# applied to every account in the organization
Tools
Key Highlights
- IAM user reduction / SSO migration theme
- Least privilege focus
- Guardrails preventing threat detection disablement
- Retirement of orphaned services and stale access
- Attack surface reduction