4.1.2. Principle of Least Privilege & MFA
💡 First Principle: The Principle of Least Privilege (PoLP) grants only the minimum permissions needed for a user or service to perform its task. Multi-Factor Authentication (MFA) adds an essential security layer.
Scenario: An administrative IAM user in your AWS account currently has the AdministratorAccess policy attached and logs in with just a password. You need to reduce the security risk associated with this user.
PoLP and MFA are two of the most critical security best practices for SysOps Administrators to implement in their AWS environment.
Key Concepts:
- Principle of Least Privilege (PoLP):
- Concept: Granting only the specific IAM permissions required for an IAM identity (human user or automated process) to perform its intended function, and nothing more.
- Benefits: Reduces the attack surface, limits the "blast radius" if a credential is compromised, and simplifies auditing.
- Implementation: Use IAM policies with specific actions and resource ARNs rather than the "*" wildcard.
- Multi-Factor Authentication (MFA):
- Concept: Requires users to provide two or more verification factors to gain access (e.g., password + security token from a physical device or virtual MFA app).
- Benefits: Significantly reduces unauthorized access risk, even if a password is stolen.
- Implementation: Always enable for the root account and all administrative IAM users. Consider enforcing for all users via an IAM policy condition.
⚠️ Common Pitfall: Not enforcing MFA for the root account or administrative users, leaving a significant vulnerability.
Key Trade-Offs: Enhanced security (PoLP, MFA) versus potential initial inconvenience for users or increased complexity in policy management.
Practical Implementation: IAM policy condition to enforce MFA:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
This policy, when attached, denies all actions if MFA is not present. Because BoolIfExists treats a missing aws:MultiFactorAuthPresent key as a match, the Deny also covers requests signed with long-term access keys, which never carry that key. Note that a blanket Deny like this also prevents a user who has not yet enrolled an MFA device from registering one, so in practice the statement is narrowed with NotAction to exempt the IAM actions needed for MFA enrollment.
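To see why the operator matters, the following added example (not code from the page or from AWS) is a small, simplified evaluator for the Bool and BoolIfExists condition operators. It runs the page's Deny-without-MFA statement next to a broad Allow standing in for AdministratorAccess, against three constructed request contexts; mfa_deny, ADMIN_ALLOW, CONTEXTS and evaluate are names chosen for the example.

```python
import fnmatch
# Constructed example (not the page's own code). mfa_deny() builds the page's
# Deny-without-MFA statement with the condition operator as a parameter so that
# BoolIfExists and plain Bool can be compared; ADMIN_ALLOW stands in for the
# AdministratorAccess policy from the scenario.
def mfa_deny(operator="BoolIfExists"):
    return {"Effect": "Deny", "Action": "*", "Resource": "*",
            "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}}}
ADMIN_ALLOW = {"Effect": "Allow", "Action": "*", "Resource": "*"}

def _matches_any(patterns, value):
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def condition_matches(cond, ctx):
    """Bool/BoolIfExists only. Bool: a missing context key never matches.
    BoolIfExists: a missing key counts as a match. Requests signed with long-term
    access keys carry no aws:MultiFactorAuthPresent key, so only BoolIfExists
    makes the Deny apply to them."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            if key not in ctx:
                if op == "BoolIfExists":
                    continue
                return False
            if str(ctx[key]).lower() != str(want).lower():
                return False
    return True

def is_allowed(policies, action, resource, ctx):
    """Simplified IAM evaluation: explicit Deny wins, then Allow, else implicit deny."""
    allowed = False
    for stmt in policies:
        if not (_matches_any(stmt["Action"], action) and _matches_any(stmt["Resource"], resource)
                and condition_matches(stmt.get("Condition", {}), ctx)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

# Constructed request contexts: MFA session, password-only session, access-key request.
CONTEXTS = {"mfa": {"aws:MultiFactorAuthPresent": "true"},
            "password_only": {"aws:MultiFactorAuthPresent": "false"},
            "access_key": {}}  # long-term credentials: the key is absent entirely

def evaluate(operator="BoolIfExists", action="iam:DeleteUser"):
    """Outcome per context when the admin Allow is paired with the MFA Deny."""
    return {name: is_allowed([ADMIN_ALLOW, mfa_deny(operator)], action, "*", ctx)
            for name, ctx in CONTEXTS.items()}
```

With BoolIfExists the access-key request is denied along with the password-only session; swapping in plain Bool lets the access-key request through, because the condition cannot match a key that is not there.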
Reflection Question: How does applying the Principle of Least Privilege (by granting only necessary permissions) and implementing Multi-Factor Authentication (MFA) fundamentally enhance the security posture of your AWS account, significantly reducing unauthorized access risk and limiting the impact of potential compromises?