Two real-life examples of why limiting permissions works: Lessons from AWS CIRT

Blog



This article presents two real-world AWS security incidents, investigated by the AWS Customer Incident Response Team (CIRT), in which limited IAM permissions stopped threat actors short of their goals, and draws practical guidance on implementing least privilege from them.

  • A threat actor holding compromised database administrator credentials tried to create IAM access keys, console passwords, and policies, and failed every time because the compromised identity had none of those IAM permissions
  • An attacker who reached an exposed ECS task interface could not launch EC2 instances, because the task role carried only S3 permissions
  • Least privilege means balancing the effort of tightening policies against the risk reduction gained; it does not require the absolute minimum set of permissions
  • Use IAM Access Analyzer to generate a policy from the activity recorded in CloudTrail logs, then refine it with conditions
  • Review IAM last-accessed information to find permissions that are never used and remove them
  • Start from an AWS managed policy or a documented example policy, then add or remove actions and resources as needed
  • Enable GuardDuty and CloudTrail so that you can detect threats and investigate incidents
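The generate-then-refine workflow in the bullets above, worked through in Python. This is an added example, not code from the article or from AWS: the CloudTrail-style events, the ARNs, the placeholder account ID 123456789012 and the region are all constructed, the policy builder stands in for what Access Analyzer's policy generation does, and `is_allowed` is a deliberately simplified IAM evaluator (identity policy only, StringEquals conditions only). The two checks at the end mirror the two incidents: a role limited to RDS cannot call `iam:CreateAccessKey`, and a task role generated from S3-only activity cannot call `ec2:RunInstances`.

```python
"""Least-privilege policy generation and checking, modelled on the workflow
in the summary above.  Added example, not AWS or Access Analyzer code."""
import fnmatch
import json
from collections import defaultdict

# Constructed CloudTrail-style events (not real log data) for an ECS task
# role.  Only S3 activity appears, as in the second incident.
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "resource": "arn:aws:s3:::example-reports/2024/q1.csv"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "resource": "arn:aws:s3:::example-reports/2024/q2.csv"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "resource": "arn:aws:s3:::example-output/summary.json"},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBucket",
     "resource": "arn:aws:s3:::example-reports"},
]

# Constructed policy for the first incident: a database-admin identity that
# was cut down to RDS only and therefore has no IAM actions at all.
DB_ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "RdsOnly", "Effect": "Allow", "Action": ["rds:*"], "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def generate_policy(events, region):
    """Build an allow-only policy from observed API calls, one statement per
    service, and pin it to one region with the aws:RequestedRegion condition.
    Assumes the CloudTrail eventName equals the IAM action name, which holds
    for these calls but must be verified per service before relying on it."""
    by_service = defaultdict(lambda: {"actions": set(), "resources": set()})
    for ev in events:
        service = ev["eventSource"].split(".")[0]
        by_service[service]["actions"].add(f"{service}:{ev['eventName']}")
        by_service[service]["resources"].add(ev["resource"])
    statements = [{
        "Sid": f"Observed{service.capitalize()}",
        "Effect": "Allow",
        "Action": sorted(seen["actions"]),
        "Resource": sorted(seen["resources"]),
        "Condition": {"StringEquals": {"aws:RequestedRegion": region}},
    } for service, seen in sorted(by_service.items())]
    return {"Version": "2012-10-17", "Statement": statements}


def prune_unused(policy, used_actions):
    """Drop explicitly listed actions that last-accessed data shows were never
    used; statements left with no actions are removed entirely."""
    used = {a.lower() for a in used_actions}
    kept = []
    for stmt in policy["Statement"]:
        actions = [a for a in _as_list(stmt["Action"]) if a.lower() in used]
        if actions:
            kept.append({**stmt, "Action": actions})
    return {**policy, "Statement": kept}


def _conditions_hold(condition, context):
    """Simplified condition check: StringEquals only, every key must match."""
    for key, expected in condition.get("StringEquals", {}).items():
        if context.get(key) not in _as_list(expected):
            return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Simplified IAM evaluation: an explicit Deny wins, any matching Allow
    grants, otherwise the request is implicitly denied.  Ignores SCPs,
    permissions boundaries, resource policies and other condition operators."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                         for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r)
                           for r in _as_list(stmt.get("Resource", "*")))
        if not (action_hit and resource_hit):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    task_policy = generate_policy(SAMPLE_EVENTS, "us-east-1")  # region assumed
    print(json.dumps(task_policy, indent=2))
    ctx = {"aws:RequestedRegion": "us-east-1"}
    print("task role s3:GetObject:",
          is_allowed(task_policy, "s3:GetObject",
                     "arn:aws:s3:::example-reports/2024/q1.csv", ctx))
    print("task role ec2:RunInstances:",
          is_allowed(task_policy, "ec2:RunInstances", "*", ctx))
    print("db admin iam:CreateAccessKey:",
          is_allowed(DB_ADMIN_POLICY, "iam:CreateAccessKey",
                     "arn:aws:iam::123456789012:user/dbadmin"))
```

The generated statement lists only the S3 actions and ARNs that actually appeared in the events, which is why the later `ec2:RunInstances` check comes back false with no explicit Deny anywhere; the region condition then fails closed when a request arrives from a different region. `prune_unused` expresses the last-accessed step: pass it the actions the console reports as used and it drops the rest.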

In both events, limited permissions contained the intrusion at a reasonable cost in effort, showing that a balanced restriction of privileges stops unauthorized actions without the policy having to be pared down to the absolute minimum.


