Holmes Stacks
Career · June 4, 2026

Secure AWS pipelines by applying least privilege IAM roles

This guide (the written companion to the video) explains how to secure AWS pipelines by giving them scoped IAM roles that grant least-privilege access.

What this guide covers

After reading this guide, you’ll be able to create and apply least privilege IAM roles for your AWS pipelines, limiting permissions strictly to the actions and resources the pipeline actually uses. This shrinks the pipeline’s attack surface and bounds what an attacker can do with leaked or abused pipeline credentials.

When to use it

  • Launching or updating CI/CD pipelines that interact with AWS services
  • Debugging permission errors caused by overly broad IAM roles in pipelines
  • Auditing pipeline roles to minimize potential breaches or exploits
  • Securing pipelines that need access to specific resources like an S3 bucket

The move, step by step

  1. List the AWS actions your pipeline must call and the resources it must touch, e.g., read artifacts from one S3 bucket or update one Lambda function. Derive the list from what the pipeline actually does (its scripts, and the CloudTrail history of its current role), not from what seems convenient.
  2. Write a JSON IAM policy that allows only those actions on those resources. Object-level actions such as s3:GetObject take the object ARN (bucket/*), while bucket-level actions such as s3:ListBucket take the bucket ARN itself. For example, to allow only S3 object reads from my-bucket:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["s3:GetObject"],
          "Resource": ["arn:aws:s3:::my-bucket/*"]
        }
      ]
    }
  3. Create an IAM role for your pipeline and attach the scoped policy, using the AWS Console or CLI (aws iam create-role, aws iam put-role-policy). create-role also takes the role’s trust policy (--assume-role-policy-document), and that document is the other half of least privilege: restrict the principal that may assume the role to the pipeline’s own identity (for example the CodeBuild or CodePipeline service principal, or an OIDC provider with a condition on the token’s sub claim that pins it to one repository and branch), never a wildcard principal.
  4. Attach this IAM role to your pipeline agent or service, ensuring it uses these minimal permissions.
  5. Test the pipeline thoroughly to confirm it can perform required operations and nothing more.
  6. Iterate by tightening or expanding permissions based on test results, following the principle of least privilege.
  7. Monitor pipeline logs and CloudTrail events for AccessDenied errors and for API calls the pipeline should never make. Adjust policies accordingly; IAM Access Analyzer can generate a policy from the role’s recorded CloudTrail activity, which is a useful baseline to trim further.
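The procedure above, worked through in Python as an added example (not code from the page or from AWS): it builds the trust policy and the scoped permissions policy, then checks the permissions policy against a required/forbidden matrix with a simplified local model of IAM evaluation before anything is applied with the CLI. The account id, repository, branch, the GitHub Actions OIDC trust and the builds/ prefix are assumptions, not details from the page.

```python
"""Build a least-privilege pipeline role and check it locally before applying it.

Added example for this guide, not code from the page or from AWS.
Assumed (hypothetical) details: account 123456789012, a GitHub Actions pipeline
in repo example-org/example-app on branch main using the account's GitHub OIDC
provider, and artifacts stored under builds/ in my-bucket.
"""
import json
import re

ACCOUNT_ID = "123456789012"        # assumed
REPO = "example-org/example-app"   # assumed
BUCKET = "my-bucket"
ARTIFACT_PREFIX = "builds/"        # assumed


def trust_policy() -> dict:
    """Who may assume the role. The sub condition pins it to one repo and
    branch; without it any GitHub repository could assume the role."""
    issuer = "token.actions.githubusercontent.com"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{issuer}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{issuer}:aud": "sts.amazonaws.com",
                f"{issuer}:sub": f"repo:{REPO}:ref:refs/heads/main",
            }},
        }],
    }


def permissions_policy(bucket: str, prefix: str) -> dict:
    """What the role may do: read objects under one prefix of one bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ReadArtifacts",
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": [f"arn:aws:s3:::{bucket}/{prefix}*"],
        }],
    }


def _glob(pattern: str, value: str, ignore_case: bool) -> bool:
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified model of IAM evaluation for one identity policy: an explicit
    Deny wins, otherwise an Allow is required, otherwise implicit deny. Actions
    match case-insensitively, resource ARNs case-sensitively. Ignores Condition,
    NotAction/NotResource, SCPs, permission boundaries and resource policies."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_glob(a, action, True) for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_glob(r, resource, False) for r in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def check_least_privilege(policy: dict, required, forbidden) -> list:
    """required: (action, resource) pairs the pipeline needs; forbidden: pairs it
    must not be able to do. Returns the list of violations; empty means pass."""
    failures = []
    for action, resource in required:
        if not is_allowed(policy, action, resource):
            failures.append(f"needed but denied: {action} on {resource}")
    for action, resource in forbidden:
        if is_allowed(policy, action, resource):
            failures.append(f"over-broad: {action} on {resource}")
    return failures


# Constructed test matrix for the artifact-download pipeline.
ARTIFACT = f"arn:aws:s3:::{BUCKET}/{ARTIFACT_PREFIX}app-1.2.3.zip"
REQUIRED = [("s3:GetObject", ARTIFACT)]
FORBIDDEN = [
    ("s3:PutObject", ARTIFACT),
    ("s3:DeleteObject", ARTIFACT),
    ("s3:ListBucket", f"arn:aws:s3:::{BUCKET}"),
    ("s3:GetObject", f"arn:aws:s3:::{BUCKET}/secrets/prod.env"),   # other prefix
    ("s3:GetObject", "arn:aws:s3:::other-bucket/builds/app.zip"),  # other bucket
]
# The "s3:*" on "*" policy from the Common mistakes section, for comparison.
BROAD_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

if __name__ == "__main__":
    scoped = permissions_policy(BUCKET, ARTIFACT_PREFIX)
    print("scoped policy:", check_least_privilege(scoped, REQUIRED, FORBIDDEN) or "passes")
    print("broad policy: ", check_least_privilege(BROAD_POLICY, REQUIRED, FORBIDDEN))
    print(json.dumps(trust_policy(), indent=2))   # save as trust.json
    print(json.dumps(scoped, indent=2))           # save as pipeline-policy.json
```

Save the two documents the script prints as trust.json and pipeline-policy.json, then apply them with aws iam create-role --role-name <name> --assume-role-policy-document file://trust.json followed by aws iam put-role-policy --role-name <name> --policy-name ReadArtifacts --policy-document file://pipeline-policy.json. The local checker deliberately ignores conditions, SCPs and bucket policies, so confirm the result against the real evaluator with aws iam simulate-principal-policy --policy-source-arn <role-arn> --action-names s3:GetObject s3:PutObject --resource-arns <object-arn>, and treat the end-to-end run in step 5 as the final word.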

Example

Input: Your pipeline downloads build artifacts from S3 bucket my-bucket but doesn’t upload or modify any content.

Command: Create this IAM policy JSON and attach it to the pipeline IAM role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::my-bucket/*"]
    }
  ]
}

Expected output: Pipeline can read objects from my-bucket but cannot write, delete, or list objects, which limits the blast radius if its credentials leak. Note that my-bucket/* grants read on every object in the bucket; if the artifacts live under one prefix, scope the resource to that prefix instead (for example arn:aws:s3:::my-bucket/builds/*). Bucket policies, SCPs and permission boundaries still apply on top of this identity policy, so a denied request can also come from those.

Common mistakes

  • Mistake: Granting "s3:*" instead of "s3:GetObject" → Fix: Only allow required actions.
  • Mistake: Using "Resource": "*" when specifying S3 access → Fix: Specify exact ARNs: the object ARN (arn:aws:s3:::my-bucket/*) for object actions such as s3:GetObject, and the bucket ARN (arn:aws:s3:::my-bucket) for bucket actions such as s3:ListBucket.
  • Mistake: Attaching broad AWS-managed policies like AdministratorAccess to pipeline roles → Fix: Use custom scoped policies.
  • Mistake: Not testing to confirm least privilege policies actually permit needed operations → Fix: Run end-to-end tests and adjust permissions iteratively.
  • Mistake: Forgetting to monitor for denied permission errors in logs → Fix: Use CloudTrail and pipeline logs for feedback.

Next step

Take 10 minutes to identify the minimal set of AWS actions your current pipeline requires. Then create a custom IAM policy JSON scoped exactly to those actions and resources. Attach it to your pipeline role and test. Then come back and try the next move from the video.

Your one action today

Pick the smallest version of this guide and try it in your tool of choice in the next 20 minutes.
