Recipe

AWS IAM least-privilege policy writer

Generate scoped-down IAM policies from CloudTrail logs so every service gets exactly the permissions it needs — nothing more.

Ingredients

  • CloudTrail enabled in the target account
  • Athena table over the CloudTrail bucket
  • Meridian API key with recipes:write scope

Steps

  1. Collect actions

    Query Athena for distinct eventSource + eventName pairs over the last 90 days.

  2. Feed Meridian

    POST the action list to /v1/recipes/iam-least-privilege.

  3. Review output

    Meridian returns a Terraform-ready policy document with wildcards collapsed and unused services stripped.

  4. Apply & iterate

    Deploy the policy, re-run the CloudTrail analysis after 7 days, and diff the new action set against what was granted.
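The four steps above, worked end to end as an added example. This is not Meridian's code and does not call its API; it shows the local half of the recipe: the step-1 Athena query, the mapping from CloudTrail (eventSource, eventName) pairs to IAM action strings, a first-cut policy document, and the step-4 diff. Assumptions: the Athena table is named cloudtrail_logs and the role ARN is a placeholder; the rows are constructed, not real query output. Two caveats the code encodes: a CloudTrail eventName is not always spelled like the IAM action (Lambda's Invoke event needs lambda:InvokeFunction, and Lambda management events carry an API-version suffix such as 20150331v2), and a call that was denied is not evidence that the role needs it, so denied calls are surfaced for review rather than granted. Object-level S3 and Lambda invoke events only appear in CloudTrail if data-event logging is enabled for the trail.

```python
"""Least-privilege IAM policy from CloudTrail event pairs (added example)."""
import json
import re
from collections import defaultdict

# Step 1 query. Assumed table name and role ARN placeholder; the sample rows
# further down stand in for its result set.
ATHENA_QUERY = """
SELECT DISTINCT eventsource, eventname, errorcode
FROM cloudtrail_logs
WHERE useridentity.arn = '<ROLE_ARN_PLACEHOLDER>'
  AND eventtime >= date_format(date_add('day', -90, now()), '%Y-%m-%dT%H:%i:%sZ')
"""

# eventNames that do not spell the IAM action the same way. Only the case I am
# certain of is listed; extend it from your own logs.
EVENT_NAME_OVERRIDES = {
    ("lambda", "Invoke"): "InvokeFunction",
}

# Lambda management events look like GetFunction20150331v2; the IAM action
# has no version suffix.
_VERSION_SUFFIX = re.compile(r"\d{8}(v\d+)?$")


def to_iam_action(event_source: str, event_name: str) -> str:
    """Map a CloudTrail (eventSource, eventName) pair to an IAM action."""
    service = event_source.split(".")[0]          # "s3.amazonaws.com" -> "s3"
    name = _VERSION_SUFFIX.sub("", event_name)
    name = EVENT_NAME_OVERRIDES.get((service, name), name)
    return f"{service}:{name}"


def build_policy(rows):
    """rows: iterable of (eventSource, eventName, errorCode).

    Only calls that succeeded (empty errorCode) are evidence of need. Denied
    calls are returned separately for review, never granted automatically.
    """
    by_service = defaultdict(set)
    denied = set()
    for source, name, error in rows:
        action = to_iam_action(source, name)
        if error:
            denied.add(action)
        else:
            by_service[action.split(":")[0]].add(action)

    statements = []
    for service in sorted(by_service):
        statements.append({
            "Sid": re.sub(r"[^A-Za-z0-9]", "", service).capitalize(),
            "Effect": "Allow",
            "Action": sorted(by_service[service]),
            "Resource": "*",   # resource ARN scoping is the step-3 review work
        })
    return {"Version": "2012-10-17", "Statement": statements}, denied


def granted_actions(policy):
    return {a for s in policy["Statement"] for a in s["Action"]}


def find_gaps(policy, later_rows):
    """Step 4: actions denied in the follow-up window that the deployed policy
    does not grant. Candidates to add after review, not an automatic grant."""
    allowed = granted_actions(policy)
    return {
        to_iam_action(source, name)
        for source, name, error in later_rows
        if error == "AccessDenied" and to_iam_action(source, name) not in allowed
    }


# Constructed sample rows (not real logs): 90-day baseline, then the 7-day re-run.
ROWS_90D = [
    ("s3.amazonaws.com", "GetObject", None),
    ("s3.amazonaws.com", "PutObject", None),
    ("s3.amazonaws.com", "GetObject", None),                 # duplicate, deduped
    ("lambda.amazonaws.com", "Invoke", None),                # -> lambda:InvokeFunction
    ("lambda.amazonaws.com", "GetFunction20150331v2", None), # -> lambda:GetFunction
    ("sts.amazonaws.com", "GetCallerIdentity", None),
    ("dynamodb.amazonaws.com", "GetItem", "AccessDenied"),   # never succeeded: review
]
ROWS_7D = [
    ("s3.amazonaws.com", "GetObject", None),
    ("s3.amazonaws.com", "DeleteObject", "AccessDenied"),
    ("sqs.amazonaws.com", "SendMessage", "AccessDenied"),
]

if __name__ == "__main__":
    policy, denied = build_policy(ROWS_90D)
    print(json.dumps(policy, indent=2))
    print("denied in baseline (review, do not grant):", sorted(denied))
    print("gaps after 7 days:", sorted(find_gaps(policy, ROWS_7D)))
```

Run it as a script to print the policy JSON for the sample rows; in practice replace ROWS_90D and ROWS_7D with the Athena result set. The gap set from step 4 is the list to take into the next review round, alongside whatever the Meridian output already scoped.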

Pro tip

Pipe the output straight into Terraform with the --terraform flag. Meridian handles condition keys and resource ARN scoping automatically.