Implementing Zero Trust Framework on AWS: A Hands-On Demo

In today’s cloud-first world, cybersecurity threats are no longer limited to perimeter-based attacks. Whether a user is inside your network or working remotely, every request should be authenticated, authorized, and verified. That’s the foundation of the Zero Trust Framework.

In this blog, we’ll not only understand what Zero Trust is, but also implement it in AWS using IAM, fine-grained permissions, and MFA. Let’s get started!


What is Zero Trust?

Zero Trust is a modern security model built on the principle:

Never trust, always verify.

Unlike traditional security models that trust users or devices inside the network, Zero Trust treats every user, device, or service as untrusted by default, and access is explicitly granted based on identity, context, and compliance.

Key Principles:

  1. Verify explicitly – Use strong identity signals like MFA.
  2. Enforce least privilege – Grant only what’s needed.
  3. Assume breach – Always monitor and restrict lateral movement.

What We’ll Demonstrate on AWS

In this blog, we’ll apply these Zero Trust principles by doing the following:

  • Create an IAM user
  • Assign least-privilege access (to a single S3 bucket)
  • Enforce Multi-Factor Authentication (MFA)
  • Verify the setup works as expected

Step-by-Step Implementation in AWS


Step 1: Create IAM User

  1. Go to the AWS Console → IAM → Users
  2. Click “Add users”
  3. Username: demo-user
  4. Select Programmatic access
  5. Skip group assignment for now
  6. Click Create user

You’ll get an Access Key ID and Secret Access Key — note these down.


Step 2: Assign Least Privilege Access (S3 Read-Only)

Let’s create a custom IAM policy that allows the user to only list and read files from a specific S3 bucket.

IAM Policy JSON:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::zero-trust-demo-bucket"
    },
    {
      "Sid": "AllowGetObject",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::zero-trust-demo-bucket/*"
    }
  ]
}

Attach this policy to the user via:

  • IAM → Users → demo-user → Permissions → Add inline policy

This ensures the user can only read from one bucket, not the whole account.


Step 3: Add MFA to the User

  1. IAM → Users → demo-user → Security credentials
  2. Under Multi-Factor Authentication (MFA), click Assign MFA device
  3. Choose Virtual MFA device
  4. Use apps like Google Authenticator or Authy
  5. Scan the QR code and enter two consecutive OTPs from the app

MFA is now active for the user.


Optional: Enforce MFA for Sensitive Operations

You can take it further by requiring MFA for actions like uploading to S3. A Deny on its own grants nothing, so the policy needs an Allow for PutObject together with a Deny that overrides it whenever the request was not made with MFA:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPutObject",
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::zero-trust-demo-bucket/*"
    },
    {
      "Sid": "DenyPutObjectWithoutMFA",
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::zero-trust-demo-bucket/*",
      "Condition": { "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" } }
    }
  ]
}

Attach this as a second inline policy. It denies PutObject unless the user has authenticated using MFA. BoolIfExists (rather than Bool) matters here: aws:MultiFactorAuthPresent is only present in the request context for temporary credentials, so a request signed with the user's long-term access keys carries no such key at all. BoolIfExists treats the missing key as matching, so those requests are denied too; a plain Bool would never match and would let them through.


Step 4: Verify the Setup

Without MFA:

  • Try listing or reading from the bucket → Works
  • Try uploading → Fails (access denied)

With MFA:

  1. Run aws sts get-session-token, passing the MFA device ARN as --serial-number and the current OTP as --token-code
  2. Export the new session credentials
  3. Try uploading → Works now

This shows that permissions are scoped, MFA is enforced, and trust is verified continuously — the essence of Zero Trust!
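To make the verification in Step 4 reproducible without an AWS account, here is an added example (not from the original post, and not AWS's own evaluation engine) that models the small part of IAM policy evaluation the demo depends on: implicit deny by default, explicit Deny beating Allow, wildcard matching on Action and Resource, and the Bool / BoolIfExists operators on aws:MultiFactorAuthPresent. It evaluates the two policies from Step 2 and the optional MFA step against three constructed request contexts (long-term access keys, an STS session obtained without MFA, and an STS session obtained with MFA), and it also shows what happens if the Deny is written with Bool instead of BoolIfExists. The object key report.txt and the evaluator itself are assumptions for illustration; everything else (bucket ARN, actions, condition key) comes from the post.

```python
"""Offline model of how IAM evaluates the read-only and MFA-gated policies.

Added example, not AWS code. It covers only: implicit deny, explicit Deny
over Allow, '*' wildcards, and Bool / BoolIfExists on one condition key.
Resource policies, SCPs, permission boundaries, NotAction, etc. are ignored.
"""
from fnmatch import fnmatchcase

BUCKET = "arn:aws:s3:::zero-trust-demo-bucket"
OBJECT = BUCKET + "/report.txt"  # constructed sample object key

# Step 2: least-privilege read-only policy from the post.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowListBucket", "Effect": "Allow",
         "Action": "s3:ListBucket", "Resource": BUCKET},
        {"Sid": "AllowGetObject", "Effect": "Allow",
         "Action": "s3:GetObject", "Resource": BUCKET + "/*"},
    ],
}


def mfa_gated_put_policy(operator="BoolIfExists"):
    """PutObject allowed, but denied unless MFA is present.

    `operator` lets us compare the correct BoolIfExists with a plain Bool.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowPutObject", "Effect": "Allow",
             "Action": "s3:PutObject", "Resource": BUCKET + "/*"},
            {"Sid": "DenyPutObjectWithoutMFA", "Effect": "Deny",
             "Action": "s3:PutObject", "Resource": BUCKET + "/*",
             "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}}},
        ],
    }


# Request contexts. For long-term access keys the MFA key is absent entirely;
# STS sessions carry it as "true" or "false".
LONG_TERM_KEYS = {}
PLAIN_SESSION = {"aws:MultiFactorAuthPresent": "false"}
MFA_SESSION = {"aws:MultiFactorAuthPresent": "true"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """True if every condition pair is satisfied by the request context."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in context:
                # BoolIfExists: a missing key counts as a match.
                # Bool: a missing key can never match.
                if operator == "BoolIfExists":
                    continue
                return False
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def _statement_applies(stmt, action, resource, context):
    """Action and Resource patterns match, and the Condition (if any) holds."""
    if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return _condition_matches(stmt.get("Condition", {}), context)


def evaluate(policies, action, resource, context):
    """IAM-style decision: explicit Deny wins, then Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_applies(stmt, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return "ExplicitDeny"
                decision = "Allow"
    return decision


def demo(operator="BoolIfExists"):
    """Re-run the Step 4 checks against both policies; returns a dict of decisions."""
    policies = [READ_ONLY_POLICY, mfa_gated_put_policy(operator)]
    return {
        "list_no_mfa": evaluate(policies, "s3:ListBucket", BUCKET, LONG_TERM_KEYS),
        "get_no_mfa": evaluate(policies, "s3:GetObject", OBJECT, LONG_TERM_KEYS),
        "put_no_mfa": evaluate(policies, "s3:PutObject", OBJECT, LONG_TERM_KEYS),
        "put_plain_session": evaluate(policies, "s3:PutObject", OBJECT, PLAIN_SESSION),
        "put_with_mfa": evaluate(policies, "s3:PutObject", OBJECT, MFA_SESSION),
        "put_other_bucket": evaluate(policies, "s3:PutObject",
                                     "arn:aws:s3:::other-bucket/x", MFA_SESSION),
    }


if __name__ == "__main__":
    for op in ("BoolIfExists", "Bool"):
        print(f"--- Deny written with {op} ---")
        for check, result in demo(op).items():
            print(f"{check:>20}: {result}")
```

With BoolIfExists the results match Step 4: list and get are allowed with plain access keys, PutObject is an explicit deny until the user exchanges an OTP for session credentials, and anything on another bucket is implicitly denied. Switching the Deny to Bool shows the failure mode: a PutObject signed with long-term access keys is allowed, because the condition key is absent and a plain Bool never matches, so the MFA gate only bites on STS sessions.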


Conclusion

In this demo, we’ve practically implemented the Zero Trust Framework in AWS by:

  • Creating a minimal-access user
  • Applying strict, specific permissions
  • Enforcing MFA before granting elevated actions

This approach reduces the attack surface, prevents lateral movement, and helps enforce a strong security posture.
