IAM Least-Privilege Policy Templates
Production-ready IAM policy templates that follow the principle of least privilege. Each template restricts actions to the minimum required for common workloads. Customize the resource ARNs to match your environment.
Read-Only Security Auditor
For security scanning tools and compliance auditors. Grants read-only access across the listed services and adds an explicit Deny on common write actions, so the identity cannot modify resources.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject", "s3:ListBucket", "s3:GetBucketPolicy",
        "s3:GetBucketAcl", "s3:GetEncryptionConfiguration",
        "s3:GetBucketPublicAccessBlock",
        "ec2:Describe*", "ec2:Get*",
        "iam:Get*", "iam:List*",
        "rds:Describe*",
        "lambda:Get*", "lambda:List*",
        "cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus",
        "config:Get*", "config:Describe*",
        "guardduty:Get*", "guardduty:List*",
        "securityhub:Get*", "securityhub:Describe*",
        "organizations:Describe*", "organizations:List*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "s3:PutObject", "s3:DeleteObject",
        "iam:Create*", "iam:Delete*", "iam:Update*",
        "ec2:RunInstances", "ec2:TerminateInstances"
      ],
      "Resource": "*"
    }
  ]
}

Developer Role (S3 + Lambda + DynamoDB)
For application developers who need to manage serverless resources. Grants create/update/delete for S3, Lambda, and DynamoDB within a specific project environment.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject", "s3:PutObject", "s3:DeleteObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::myapp-*",
        "arn:aws:s3:::myapp-*/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "lambda:CreateFunction", "lambda:UpdateFunctionCode",
        "lambda:UpdateFunctionConfiguration", "lambda:InvokeFunction",
        "lambda:GetFunction", "lambda:ListFunctions",
        "lambda:DeleteFunction"
      ],
      "Resource": "arn:aws:lambda:*:*:function:myapp-*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem", "dynamodb:PutItem",
        "dynamodb:UpdateItem", "dynamodb:DeleteItem",
        "dynamodb:Query", "dynamodb:Scan",
        "dynamodb:DescribeTable"
      ],
      "Resource": "arn:aws:dynamodb:*:*:table/myapp-*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup", "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*"
    }
  ]
}

CI/CD Deployment Role
For CI/CD pipelines (GitHub Actions, GitLab CI, Jenkins). Grants permissions to deploy application updates, manage ECR images, and update ECS services.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:PutImage",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeServices", "ecs:UpdateService",
        "ecs:DescribeTaskDefinition", "ecs:RegisterTaskDefinition"
      ],
      "Resource": [
        "arn:aws:ecs:*:*:service/*/myapp-*",
        "arn:aws:ecs:*:*:task-definition/myapp-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject", "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::myapp-deployments/*"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:PassRole"],
      "Resource": "arn:aws:iam::*:role/myapp-ecs-execution-role",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "ecs-tasks.amazonaws.com"
        }
      }
    }
  ]
}

Monitoring & Alerting Role
For monitoring tools (Datadog, New Relic, Prometheus). Grants read access to CloudWatch metrics and logs and to EC2 instance, volume and snapshot metadata, plus cloudwatch:PutMetricData for publishing custom metrics.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "cloudwatch:PutMetricData"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:GetLogEvents",
        "logs:FilterLogEvents",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams"
      ],
      "Resource": "arn:aws:logs:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeVolumes",
        "ec2:DescribeSnapshots"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "tag:GetResources"
      ],
      "Resource": "*"
    }
  ]
}

Billing & Cost Management Role
For finance team members who need to view billing data and cost reports without accessing infrastructure.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ce:GetCostAndUsage",
        "ce:GetCostForecast",
        "ce:GetDimensionValues",
        "ce:GetTags",
        "ce:DescribeCostCategoryDefinition",
        "aws-portal:ViewBilling",
        "aws-portal:ViewUsage",
        "budgets:ViewBudget",
        "cur:DescribeReportDefinitions"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "aws-portal:ModifyBilling",
        "aws-portal:ModifyPaymentMethods",
        "budgets:ModifyBudget",
        "ce:CreateCostCategoryDefinition"
      ],
      "Resource": "*"
    }
  ]
}

Usage Notes
- Replace myapp-* with your actual resource prefix.
- Replace account IDs in ARNs with your AWS account ID.
- Add Condition blocks to restrict by source IP, VPC, or MFA status for sensitive roles.
- Use IAM Access Analyzer to validate policies before deployment.
- Review and audit policies quarterly; remove unused permissions.
- Apply permission boundaries to limit the maximum scope of any role.
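To see how the three mechanisms used in the templates above interact (the explicit Deny in the auditor policy, the myapp-* resource prefixes in the developer policy, and the iam:PassedToService condition on PassRole in the CI/CD policy), here is a small model of IAM evaluation. It is an added example, not code from this page or from AWS: it implements only the explicit-deny / allow / implicit-deny ordering and the StringEquals operator, ignores SCPs, permission boundaries and resource policies, and the policy excerpts, ARNs and the account ID 123456789012 are constructed for the demo. Use it to reason about a draft; use IAM Access Analyzer, as the usage notes say, for actual validation.

```python
import fnmatch

# Added example: a simplified model of IAM policy evaluation, not AWS's evaluator.
# Modelled rules: an explicit Deny in any policy wins; otherwise a matching Allow
# grants access; otherwise the request is implicitly denied. Only the StringEquals
# condition operator is supported.


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    return fnmatch.fnmatchcase(value, pattern)


def _statement_applies(stmt, action, resource, context):
    # Action names are case-insensitive in IAM; resource ARNs are matched as written.
    if not any(_match(p.lower(), action.lower()) for p in _as_list(stmt["Action"])):
        return False
    if not any(_match(p, resource) for p in _as_list(stmt["Resource"])):
        return False
    # A StringEquals key missing from the request context makes the condition false.
    conditions = stmt.get("Condition", {}).get("StringEquals", {})
    return all(context.get(key) in _as_list(expected) for key, expected in conditions.items())


def evaluate(policies, action, resource, context=None):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request across all policies."""
    context = context or {}
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision


# Constructed excerpts of the templates above, trimmed to the actions exercised here.
AUDITOR = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["s3:GetObject", "s3:ListBucket", "iam:Get*", "iam:List*", "ec2:Describe*"]},
    {"Effect": "Deny", "Resource": "*",
     "Action": ["s3:PutObject", "s3:DeleteObject", "iam:Create*", "ec2:RunInstances"]},
]}

DEVELOPER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::myapp-*", "arn:aws:s3:::myapp-*/*"]},
]}

CICD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:PassRole"],
     "Resource": "arn:aws:iam::*:role/myapp-ecs-execution-role",
     "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}},
]}

# 123456789012 is a placeholder account ID.
ROLE_ARN = "arn:aws:iam::123456789012:role/myapp-ecs-execution-role"
KEY = "arn:aws:s3:::any-bucket/k"


def demo():
    """Representative requests against the excerpts; returns {label: decision}."""
    return {
        "auditor reads any bucket": evaluate([AUDITOR], "s3:GetObject", KEY),
        "auditor writes": evaluate([AUDITOR], "s3:PutObject", KEY),
        "auditor iam:CreateUser": evaluate([AUDITOR], "iam:CreateUser", "arn:aws:iam::123456789012:user/x"),
        "auditor kms:Decrypt (unlisted)": evaluate([AUDITOR], "kms:Decrypt", "arn:aws:kms:us-east-1:123456789012:key/k"),
        "developer writes myapp bucket": evaluate([DEVELOPER], "s3:PutObject", "arn:aws:s3:::myapp-uploads/k"),
        "developer writes other bucket": evaluate([DEVELOPER], "s3:PutObject", "arn:aws:s3:::other-bucket/k"),
        # Both policies attached: the auditor's Deny overrides the developer's Allow.
        "auditor+developer write myapp": evaluate([AUDITOR, DEVELOPER], "s3:PutObject", "arn:aws:s3:::myapp-uploads/k"),
        "cicd PassRole to ECS": evaluate([CICD], "iam:PassRole", ROLE_ARN, {"iam:PassedToService": "ecs-tasks.amazonaws.com"}),
        "cicd PassRole to Lambda": evaluate([CICD], "iam:PassRole", ROLE_ARN, {"iam:PassedToService": "lambda.amazonaws.com"}),
    }


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label:32} {decision}")
```

The "auditor+developer" case is why the auditor template carries a Deny statement even though its Allow never grants writes: an explicit Deny overrides an Allow from any other policy attached to the same principal, so the write stays blocked if someone later attaches a broader policy. The PassRole cases show the condition doing its job: the same role ARN is allowed only when the consuming service is ecs-tasks.amazonaws.com.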
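The usage notes ask for Condition blocks on sensitive roles and for a review pass that removes excess permissions. The following is an added example of a local pre-commit check and a small hardening helper; it is not part of this page, of AWS, or of IAM Access Analyzer. The mutating-verb list and the WILDCARD_ONLY set are this example's own assumptions (they cover actions such as ecr:GetAuthorizationToken, cloudwatch:PutMetricData and tag:GetResources, which AWS only accepts with Resource "*"); the sample policies are excerpts of the CI/CD and monitoring templates above, and 203.0.113.0/24 is a documentation range standing in for a real office or runner CIDR.

```python
import copy

# Verb prefixes treated as mutating by this lint. Constructed for the example; the AWS
# service authorization reference and IAM Access Analyzer are the authoritative sources.
MUTATING_VERBS = ("Put", "Create", "Delete", "Update", "Modify", "Run", "Terminate",
                  "Register", "Upload", "Initiate", "Complete", "Pass", "Attach", "Detach")

# Actions that support no resource-level permissions, so "*" there is required rather
# than a finding. Assumed from the AWS service authorization reference at time of writing.
WILDCARD_ONLY = {"ecr:GetAuthorizationToken", "cloudwatch:PutMetricData", "tag:GetResources"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_mutating(action):
    verb = action.split(":", 1)[1] if ":" in action else action
    return verb == "*" or verb.startswith(MUTATING_VERBS)


def lint(policy):
    """Return (statement_index, action, message) tuples for least-privilege smells."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((i, action, "service-wide wildcard action"))
            elif "*" in resources and _is_mutating(action) and action not in WILDCARD_ONLY:
                findings.append((i, action, 'mutating action on Resource "*"; scope it to an ARN'))
    return findings


def add_condition(policy, operator, key, value):
    """Return a copy of the policy with the condition merged into every Allow statement."""
    hardened = copy.deepcopy(policy)
    for stmt in hardened["Statement"]:
        if stmt.get("Effect") == "Allow":
            stmt.setdefault("Condition", {}).setdefault(operator, {})[key] = value
    return hardened


# Constructed excerpt of the CI/CD Deployment Role template above.
CICD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer", "ecr:PutImage", "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart", "ecr:CompleteLayerUpload"]},
    {"Effect": "Allow", "Action": ["ecs:DescribeServices", "ecs:UpdateService"],
     "Resource": ["arn:aws:ecs:*:*:service/*/myapp-*"]},
    {"Effect": "Allow", "Action": ["iam:PassRole"],
     "Resource": "arn:aws:iam::*:role/myapp-ecs-execution-role",
     "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}},
]}

# Constructed excerpt of the Monitoring & Alerting Role template above.
MONITORING = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["cloudwatch:GetMetricData", "cloudwatch:PutMetricData", "tag:GetResources"]},
]}


def flagged_actions(policy):
    """Just the action names the lint flags, in statement order."""
    return [action for _, action, _ in lint(policy)]


def harden_for_humans(policy):
    """Apply the usage-note conditions: MFA present and a source-IP allow-list (example range)."""
    with_mfa = add_condition(policy, "Bool", "aws:MultiFactorAuthPresent", "true")
    return add_condition(with_mfa, "IpAddress", "aws:SourceIp", "203.0.113.0/24")


if __name__ == "__main__":
    for idx, action, msg in lint(CICD):
        print(f"statement[{idx}] {action}: {msg}")
    print("monitoring findings:", lint(MONITORING))
```

Run against the CI/CD excerpt, the lint flags the four ECR upload actions (PutImage, InitiateLayerUpload, UploadLayerPart, CompleteLayerUpload) because they sit on Resource "*" while ECR accepts a repository ARN for them; GetAuthorizationToken is skipped because "*" is the only valid resource for it, and the scoped ECS and PassRole statements produce nothing. The monitoring excerpt is clean for the same reason. add_condition is meant for roles people assume interactively: an MFA or source-IP condition on a role that a CI runner assumes would simply break the pipeline, and aws:SourceIp is not populated for requests that enter through a VPC endpoint, where the usage note's VPC-based keys are the right tool.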
Ready to run this automatically?
Pavora scans your entire AWS infrastructure in minutes with a single read-only integration. Start your free audit today.