How do you implement least-privilege IAM policies and why is it critical?

Hard Topic: AWS May 24, 2026

Least privilege means granting a principal (user, role, or workload) only the permissions its task actually requires, on only the resources it needs, and nothing more. It limits the blast radius when credentials leak or a workload is compromised: the attacker inherits exactly the narrow set of actions the principal had, rather than account-wide access.

Implementation steps:

  1. Start from deny-all, add allows: IAM denies every request by default, so begin with no permissions and add explicit Allow statements for the specific actions and resource ARNs a task needs. Avoid "Action": "*" and "Resource": "*" except where a service genuinely requires them.
  2. IAM Access Analyzer: use its unused-access findings to spot roles and permissions that are never exercised, and its policy generation feature to draft a policy from the actions actually recorded in CloudTrail for a principal. Review the generated policy before attaching it; it reflects past activity, not intended scope.
  3. Policy conditions: add a Condition block (StringEquals, StringNotEquals, and the other operators) to restrict a statement by region (aws:RequestedRegion), resource tag (aws:ResourceTag/tag-key), or account (aws:PrincipalAccount, aws:ResourceAccount).
  4. Permission boundaries: attach a boundary policy to a user or role. The effective permissions become the intersection of the identity policies and the boundary, so an over-broad identity policy cannot grant more than the boundary allows. A boundary grants nothing on its own; it only caps, which makes it the right tool when delegating role creation to teams.
Example condition block for step 3, placed inside the statement it should constrain, which limits that statement to a single region:

"Condition": {
  "StringEquals": {
    "aws:RequestedRegion": "us-east-1"
  }
}

A condition on an Allow statement narrows only that statement. To forbid activity outside a region across the board, the usual pattern is a Deny statement with StringNotEquals on the same key. Global services such as IAM resolve to us-east-1 for aws:RequestedRegion, so pinning a policy to a different region also blocks their calls unless you exempt them.
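The four steps above are easiest to reason about with a concrete evaluator. The following Python is an added example, not code from the page or from AWS: it models the documented single-account evaluation order (implicit deny by default, an explicit Deny is final, and with a permissions boundary attached a request must be allowed by both the identity policy and the boundary) and runs a constructed least-privilege policy, a deliberately over-broad policy, and a boundary against sample requests. The account ID, bucket, instance, and tag values are hypothetical, and only Action/Resource wildcards plus the StringEquals and StringNotEquals operators are implemented.

```python
"""Tiny IAM policy evaluator: identity policy + permissions boundary + conditions.

Added example, not AWS code. NotAction, SCPs, resource policies, IfExists and
set (ForAnyValue/ForAllValues) operators are deliberately out of scope.
"""
import fnmatch
import json

# Constructed identity policy (hypothetical account 111122223333): read one
# bucket and stop/start only team-tagged instances, all pinned to us-east-1,
# plus an explicit Deny on S3 from any other region.
IDENTITY_POLICY = json.loads(r"""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::app-data", "arn:aws:s3:::app-data/*"],
     "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}}},
    {"Effect": "Allow",
     "Action": ["ec2:StartInstances", "ec2:StopInstances"],
     "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
     "Condition": {"StringEquals": {"aws:ResourceTag/Team": "payments",
                                    "aws:RequestedRegion": "us-east-1"}}},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": "us-east-1"}}}
  ]
}""")

# Constructed over-broad policy that a developer might attach by mistake.
ADMIN_POLICY = json.loads(r"""{"Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}""")

# Constructed permissions boundary: the principal can never exceed S3 + EC2.
PERMISSIONS_BOUNDARY = json.loads(r"""{"Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": ["s3:*", "ec2:*"], "Resource": "*"}]}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match_any(patterns, value):
    """IAM-style glob match: '*' and '?' wildcards, '*' also spans '/' in ARNs."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Every operator and key in a Condition block must hold (AND semantics)."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                # A negated operator is true when the key is absent from the
                # request context, a classic source of surprise in Deny guards.
                if actual is not None and actual in _as_list(expected):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def _decision(policy, action, resource, context):
    """Evaluate one policy document: 'Deny', 'Allow' or 'ImplicitDeny'."""
    result = "ImplicitDeny"
    for stmt in policy["Statement"]:
        # Action names are case-insensitive; resource ARNs are case-sensitive.
        if not _match_any([a.lower() for a in _as_list(stmt["Action"])], action.lower()):
            continue
        if not _match_any(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny is final
        result = "Allow"
    return result


def evaluate(action, resource, context, identity=IDENTITY_POLICY, boundary=None):
    """Final decision for one request: identity policy intersected with the boundary."""
    ident = _decision(identity, action, resource, context)
    if ident == "Deny":
        return "Deny"
    if boundary is not None:
        bound = _decision(boundary, action, resource, context)
        if bound == "Deny":
            return "Deny"
        if bound != "Allow":
            return "ImplicitDeny"  # the boundary caps what identity policies grant
    return ident


if __name__ == "__main__":
    ctx = {"aws:RequestedRegion": "us-east-1", "aws:ResourceTag/Team": "payments"}
    obj = "arn:aws:s3:::app-data/report.csv"
    inst = "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"
    user = "arn:aws:iam::111122223333:user/x"
    print("read own bucket        ", evaluate("s3:GetObject", obj, ctx))
    print("read other bucket      ", evaluate("s3:GetObject", "arn:aws:s3:::other/x", ctx))
    print("read from eu-west-1    ", evaluate("s3:GetObject", obj, {**ctx, "aws:RequestedRegion": "eu-west-1"}))
    print("stop non-team instance ", evaluate("ec2:StopInstances", inst, {**ctx, "aws:ResourceTag/Team": "billing"}))
    print("admin policy, no bound ", evaluate("iam:CreateUser", user, ctx, ADMIN_POLICY))
    print("admin policy + boundary", evaluate("iam:CreateUser", user, ctx, ADMIN_POLICY, PERMISSIONS_BOUNDARY))
```

Running it shows each step doing its job: the tag and region conditions turn near-miss requests into ImplicitDeny or Deny, and the boundary turns the over-broad ADMIN_POLICY into S3/EC2-only access without touching the identity policy itself. For real policies, use the IAM policy simulator rather than a toy evaluator; this one exists only to make the evaluation order visible.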