Skip to content

Implementation Strategy

In the context of your overall organization strategy for AWS IAM, we recommend using a few measures for locking down your AWS environments with IAM:

  1. Use Policy Sentry to create Identity-based policies
  2. Use Service Control Policies (SCPs) to lock down available API calls per account.
    • A great collection of SCPs can be found on
    • Control Tower has some excellent guidance on strategy for SCPs in their documentation. Note that they call it "Guardrails" but they are mostly SCPs. See the docs here
  3. Use Repokid to revoke out of date policies as your application/roles mature.
  4. Use Resource-based policies for all services that support them.
  5. Never provision infrastructure manually; use Infrastructure as Code