IAM policy patterns

Stub page

Least-privilege IAM policy snippets you copy more than you'd like to admit.

Planned content

  • GitHub Actions OIDC trust policy (with branch/environment conditions)
  • Cross-account assume-role with external ID
  • S3 bucket policy: deny non-TLS, deny non-encrypted PUT
  • KMS key policy: separate admin vs use vs grant