What Is Cloud IAM → Authentication vs Authorization → IAM Roles vs Policies → AWS IAM Deep Dive → GCP Resource Hierarchy IAM → Azure RBAC Scopes → OIDC Workload Identity → AWS IAM Privilege Escalation → AWS Least Privilege Audit
TL;DR
- The average IAM entity uses less than 5% of its granted permissions — the 95% excess is attack surface, not waste
- AWS Access Analyzer generates a least-privilege policy from 90 days of CloudTrail data — use it on every Lambda role, ECS task role, and EC2 instance profile
- GCP IAM Recommender surfaces specific right-sizing suggestions based on 90-day activity and tracks them until you act on them
- Azure Access Reviews with
defaultDecision: Denyactually remove stale access; reviews that default to preserve do nothing meaningful - Build
aws accessanalyzer validate-policyinto CI/CD — catch wildcards and dangerous permissions before they merge - Least privilege is a cycle: inventory → classify → right-size → add guardrails → monitor → repeat. Not a one-time project.
The Big Picture
THE LEAST PRIVILEGE AUDIT CYCLE
┌─────────────────────────────────────────────────────────────────┐
│ 1. INVENTORY What identities exist, what policies attached? │
│ aws iam get-account-authorization-details │
└────────────────────────────┬────────────────────────────────────┘
▼
┌─────────────────────────────────────────────────────────────────┐
│ 2. CLASSIFY Group by purpose: human / CI-CD / app / data │
│ Expected permission profile per class — deviations are findings│
└────────────────────────────┬────────────────────────────────────┘
▼
┌─────────────────────────────────────────────────────────────────┐
│ 3. FIND UNUSED Granted vs Used gap (average: 95% excess) │
│ AWS: Access Analyzer generated policy + last-accessed data │
│ GCP: IAM Recommender │ Azure: Defender + Access Reviews │
└────────────────────────────┬────────────────────────────────────┘
▼
┌─────────────────────────────────────────────────────────────────┐
│ 4. RIGHT-SIZE Replace wildcards with scoped permissions │
│ Remove unused services · pin resource ARNs · add conditions │
└────────────────────────────┬────────────────────────────────────┘
▼
┌─────────────────────────────────────────────────────────────────┐
│ 5. GUARD Validate in CI/CD before any policy merges │
│ aws accessanalyzer validate-policy → fail pipeline if findings │
└────────────────────────────┬────────────────────────────────────┘
▼
┌─────────────────────────────────────────────────────────────────┐
│ 6. MONITOR Weekly: new findings Quarterly: full review │
│ On offboarding: immediate direct-permission audit │
└───────────────────────────┬─────────────────────────────────────┘
│
└──────────────────── back to 1
The AWS least privilege audit tools covered in this episode map directly onto steps 3–5. The cycle is the practice.
Introduction
Last year I audited an AWS account for an e-commerce company. They’d been running in production for three years. Eight engineers, two teams, a moderately complex microservices architecture. Reasonable people, competent engineers, no obvious security negligence.
When I ran the IAM Access Analyzer policy generation job against their 12 Lambda execution roles and waited for it to pull 90 days of CloudTrail data, here’s what I found:
The average Lambda role had 47 granted permissions. The average Lambda was actually using 6 of them over 90 days. That’s a utilization rate of roughly 13%. The other 87% — the 41 permissions nobody was using — sat there as silent attack surface.
The worst example was a Lambda that processed image thumbnails. Its role had AmazonS3FullAccess plus AmazonDynamoDBFullAccess plus AWSLambdaFullAccess. Someone had attached three AWS managed policies early in development to “make sure everything worked” and never came back to tighten it. The Lambda needed three permissions: s3:GetObject on one bucket, s3:PutObject on another, and logs:CreateLogGroup. That’s it. Instead it had s3:* on all S3, full DynamoDB including delete, and the ability to create and delete other Lambda functions.
If an attacker had exploited a vulnerability in that image processor — a malformed image, a dependency with a CVE — they’d have had full S3 access, full DynamoDB access, and the ability to backdoor other Lambda functions. Not because anyone intended that. Because “make it work first, fix it later” is how IAM configurations drift.
This episode is “fix it later.” The tools exist. The methodology is straightforward. The gap between knowing you should do this and actually doing it is usually not understanding the tooling.
The Fundamental Problem: Granted vs Used
The central insight of IAM auditing is simple: what an identity is granted and what it actually uses are rarely the same thing.
AWS has published data from their own customer environments: the average IAM entity uses less than 5% of the permissions it has been granted. That 95% excess is not wasted — it’s attack surface. Every permission that exists but isn’t needed is a permission an attacker can use if they compromise that identity.
The tools to close this gap exist on all three platforms. The difference between organizations that operate at low IAM risk and those that don’t is usually not knowledge — it’s the discipline of actually running these tools regularly and acting on what they find.
AWS IAM Auditing
Last Accessed Data — The Starting Point
AWS tracks when each service was last called by each IAM entity. This tells you which service permissions have never been used:
# Generate last-accessed data for a specific role
aws iam generate-service-last-accessed-details \
--arn arn:aws:iam::123456789012:role/LambdaImageProcessor
JOB_ID="..." # returned by the above command
# Poll until complete (usually 30-60 seconds)
aws iam get-service-last-accessed-details --job-id "${JOB_ID}"
# Parse: find services that were never called
aws iam get-service-last-accessed-details --job-id "${JOB_ID}" \
--output json | jq '.ServicesLastAccessed[] | select(.TotalAuthenticatedEntities == 0) | .ServiceName'
# These services have never been accessed by this role — permissions can be removed
For finer granularity — which specific actions are used within a service:
aws iam generate-service-last-accessed-details \
--arn arn:aws:iam::123456789012:policy/AppServerPolicy \
--granularity ACTION_LEVEL
aws iam get-service-last-accessed-details --job-id "${JOB_ID}" \
--output json | jq '.ServicesLastAccessed[] |
select(.TotalAuthenticatedEntities > 0) |
{service: .ServiceName, last_used: .LastAuthenticated}'
Access Analyzer — Generated Least-Privilege Policies
This is the tool I use most. It pulls 90 days of CloudTrail data for a role and generates a policy containing only the actions actually called:
# Start a policy generation job
aws accessanalyzer start-policy-generation \
--policy-generation-details '{
"principalArn": "arn:aws:iam::123456789012:role/LambdaImageProcessor"
}' \
--cloudtrail-details '{
"trailArn": "arn:aws:cloudtrail:ap-south-1:123456789012:trail/management-events",
"startTime": "2026-01-01T00:00:00Z",
"endTime": "2026-04-01T00:00:00Z"
}'
JOB_ID="..."
aws accessanalyzer get-generated-policy --job-id "${JOB_ID}"
The output is a valid IAM policy document containing only what was called. Compare it against the current policy — the delta is everything that can be removed. I treat the generated policy as a starting point, not a final answer: occasionally a permission is needed but wasn’t exercised in the 90-day window (error handling paths, quarterly jobs, incident response capabilities). Review the generated policy against the function’s known requirements before applying it verbatim.
Access Analyzer also identifies external sharing you may not have intended:
# Find resources shared outside the account or organization
aws accessanalyzer create-analyzer \
--analyzer-name account-analyzer \
--type ACCOUNT
aws accessanalyzer list-findings \
--analyzer-arn arn:aws:accessanalyzer:ap-south-1:123456789012:analyzer/account-analyzer \
--filter '{"status":{"eq":["ACTIVE"]}}' \
--output table
# Shows: S3 buckets, KMS keys, Lambda functions accessible from outside the account
And validates new policies before you apply them:
# Run this in CI/CD before any IAM policy gets merged
aws accessanalyzer validate-policy \
--policy-document file://new-iam-policy.json \
--policy-type IDENTITY_POLICY \
| jq '.findings[] | select(.findingType == "ERROR" or .findingType == "SECURITY_WARNING")'
# Exit non-zero if findings exist — fail the pipeline
FINDINGS=$(aws accessanalyzer validate-policy \
--policy-document file://new-iam-policy.json \
--policy-type IDENTITY_POLICY \
| jq '[.findings[] | select(.findingType == "ERROR" or .findingType == "SECURITY_WARNING")] | length')
[ "$FINDINGS" -eq 0 ] || { echo "IAM policy has $FINDINGS security findings"; exit 1; }
CloudTrail for Targeted Investigation
When you need to understand what a specific role has been doing in detail:
# What API calls has LambdaImageProcessor made in the last 30 days?
aws cloudtrail lookup-events \
--lookup-attributes AttributeKey=Username,AttributeValue=LambdaImageProcessor \
--start-time "$(date -d '30 days ago' +%Y-%m-%dT%H:%M:%S)" \
--output json | jq '.Events[] | {time:.EventTime, event:.EventName, source:.EventSource}'
# All IAM changes in the last 7 days — track who changed what
aws cloudtrail lookup-events \
--lookup-attributes AttributeKey=EventSource,AttributeValue=iam.amazonaws.com \
--start-time "$(date -d '7 days ago' +%Y-%m-%dT%H:%M:%S)" \
--output table
Open Source Tooling
For a more comprehensive scan across an account:
# Prowler — runs hundreds of checks including IAM-specific ones
pip install prowler
prowler aws --profile default --services iam --output-formats json html
# Key IAM checks:
# iam_root_mfa_enabled
# iam_user_no_setup_initial_access_key
# iam_policy_no_administrative_privileges
# iam_user_access_key_unused → finds keys unused for 90+ days
# iam_role_cross_account_readonlyaccess_policy
# ScoutSuite — multi-cloud auditor with a report UI
pip install scoutsuite
scout aws --profile default --report-dir ./scout-report
GCP IAM Auditing
IAM Recommender — Automated Right-Sizing
GCP’s IAM Recommender analyses 90 days of activity and surfaces specific suggestions: “replace roles/editor with roles/storage.objectViewer.” It tells you exactly what to change, not just that something needs changing:
# List IAM recommendations for a project
gcloud recommender recommendations list \
--recommender=google.iam.policy.Recommender \
--project=my-project \
--location=global \
--format=json | jq '.[] | {
principal: .description,
current_role: .content.operationGroups[].operations[] | select(.action=="remove") | .path,
suggested_role: .content.operationGroups[].operations[] | select(.action=="add") | .value
}'
# Mark a recommendation as applied (required to track progress)
gcloud recommender recommendations mark-succeeded RECOMMENDATION_ID \
--recommender=google.iam.policy.Recommender \
--project=my-project \
--location=global \
--etag ETAG
I run IAM Recommender across all GCP projects in a quarterly review. The recommendations don’t age out — GCP continues to track them until you address them or explicitly dismiss them. Dismissed without action counts as a decision; it should be documented.
Policy Analyzer — Answering Access Questions
When you need to understand who has access to a specific resource, and why:
# Who can access a specific BigQuery dataset?
gcloud policy-intelligence analyze-iam-policy \
--project=my-project \
--full-resource-name="//bigquery.googleapis.com/projects/my-project/datasets/customer_analytics" \
--output-partial-result-before-timeout
# What can a specific principal do in this project?
gcloud policy-intelligence analyze-iam-policy \
--project=my-project \
--full-resource-name="//cloudresourcemanager.googleapis.com/projects/my-project" \
--identity="serviceAccount:[email protected]"
Finding Public Exposure
# Org-wide scan for allUsers or allAuthenticatedUsers bindings
gcloud asset search-all-iam-policies \
--scope=organizations/ORG_ID \
--query="policy.members:allUsers OR policy.members:allAuthenticatedUsers" \
--format=json | jq '.[] | {resource: .resource, policy: .policy}'
Run this in every new environment you inherit. The results reliably surface data exposure incidents waiting to happen — public GCS buckets, publicly readable BigQuery datasets, APIs exposed to any authenticated Google account.
Azure IAM Auditing
Defender for Cloud — Baseline Recommendations
# Get IAM-related security recommendations
az security assessment list --output table | grep -i -E "(identity|mfa|privileged|owner)"
# Check specific conditions:
# "MFA should be enabled on accounts with owner permissions on your subscription"
# "Deprecated accounts should be removed from your subscription"
# "External accounts with owner permissions should be removed from your subscription"
Azure Resource Graph — Bulk Role Assignment Queries
Azure Resource Graph lets you query RBAC assignments across the entire tenant in a single call — essential for large Azure estates:
# All role assignments — who has what, where
az graph query -q "
AuthorizationResources
| where type =~ 'microsoft.authorization/roleassignments'
| extend principalId = properties.principalId,
roleId = properties.roleDefinitionId,
scope = properties.scope
| project scope, principalId, roleId
| limit 500" \
--output table
# Find all Owner assignments at subscription scope — high-risk
az graph query -q "
AuthorizationResources
| where type =~ 'microsoft.authorization/roleassignments'
| where properties.roleDefinitionId endswith '8e3af657-a8ff-443c-a75c-2fe8c4bcb635'
| where properties.scope startswith '/subscriptions/'
| project scope, properties.principalId" \
--output table
Entra ID Access Reviews — Automated Re-Certification
Access reviews send notifications to resource owners or users asking them to confirm that access is still appropriate. When someone doesn’t respond — or responds “no” — the access is removed:
# Create a quarterly access review for subscription Owner assignments
az rest --method POST \
--uri "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions" \
--body '{
"displayName": "Quarterly Subscription Owner Review",
"scope": {
"query": "/subscriptions/SUB_ID/providers/Microsoft.Authorization/roleAssignments",
"queryType": "MicrosoftGraph"
},
"reviewers": [{"query": "/me", "queryType": "MicrosoftGraph"}],
"settings": {
"mailNotificationsEnabled": true,
"justificationRequiredOnApproval": true,
"autoApplyDecisionsEnabled": true,
"defaultDecision": "Deny", ← if no response, access is removed
"instanceDurationInDays": 7,
"recurrence": {
"pattern": {"type": "absoluteMonthly", "interval": 3},
"range": {"type": "noEnd"}
}
}
}'
The defaultDecision: Deny setting is the key. Access reviews that default to preserving access on non-response don’t actually remove anything — they just document that nobody reviewed it. Defaulting to revocation means inaction removes access, which is the correct behavior for privileged roles.
The Hardening Workflow
The methodology I apply when auditing any cloud IAM configuration:
Step 1: Inventory Everything
You cannot audit what you don’t know exists.
# AWS: full IAM snapshot in one call
aws iam get-account-authorization-details --output json > iam-snapshot-$(date +%Y%m%d).json
# Contains: all users, groups, roles, policies, attachments — everything
# GCP: export all IAM-relevant assets
gcloud asset export \
--project=my-project \
--output-path=gs://audit-bucket/iam-snapshot-$(date +%Y%m%d).json \
--asset-types="iam.googleapis.com/ServiceAccount,cloudresourcemanager.googleapis.com/Project"
Step 2: Classify by Function
Group identities by purpose: human engineering access, CI/CD pipelines, application workloads, data pipelines, monitoring/audit. Each class has an expected permission profile. Anything outside the expected profile for its class is a finding.
A Lambda function with iam:* is not in the expected profile for application workloads. An EC2 instance role with s3:DeleteObject on * deserves a question. A CI/CD pipeline role with secretsmanager:GetSecretValue warrants understanding what secrets it actually needs.
Step 3: Find Unused Permissions
Apply the tools:
– AWS: Access Analyzer generated policies + Last Accessed Data
– GCP: IAM Recommender
– Azure: Defender for Cloud recommendations + sign-in activity analysis
For any permission unused in 90 days: document whether it’s still needed (rare operation, incident response capability) or can be removed.
Step 4: Right-Size Policies
Replace broad permissions with specific ones:
// Before: attached AmazonS3FullAccess to a read-only service
{
"Action": "s3:*",
"Effect": "Allow",
"Resource": "*"
}
// After: only what the service actually calls
{
"Action": ["s3:GetObject", "s3:ListBucket"],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::app-assets-prod",
"arn:aws:s3:::app-assets-prod/*"
]
}
Every wildcard you remove is attack surface eliminated. Not conceptually — concretely.
Step 5: Add Conditions as Guardrails
Conditions constrain how permissions are used even when they can’t be removed:
// Require MFA for sensitive operations — applies across all roles in the account
{
"Effect": "Deny",
"Action": ["iam:*", "s3:Delete*", "ec2:Terminate*", "kms:*"],
"Resource": "*",
"Condition": {
"BoolIfExists": { "aws:MultiFactorAuthPresent": "false" }
}
}
// Restrict all non-service API calls to the corporate network
{
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"NotIpAddress": { "aws:SourceIp": ["10.0.0.0/8", "172.16.0.0/12"] },
"Bool": { "aws:ViaAWSService": "false" } // allow calls made through AWS services (e.g., Lambda calling S3)
}
}
Step 6: Build It Into CI/CD
IAM configuration changes that aren’t reviewed before they reach production will drift. Make the validation automatic:
# Pre-merge check in CI — catches wildcards and dangerous permissions before they land
FINDINGS=$(aws accessanalyzer validate-policy \
--policy-document file://changed-policy.json \
--policy-type IDENTITY_POLICY \
| jq '[.findings[] | select(.findingType == "ERROR" or .findingType == "SECURITY_WARNING")] | length')
if [ "$FINDINGS" -gt 0 ]; then
echo "❌ IAM policy has $FINDINGS security findings — see below"
aws accessanalyzer validate-policy --policy-document file://changed-policy.json \
--policy-type IDENTITY_POLICY | jq '.findings[]'
exit 1
fi
Step 7: Schedule Regular Reviews
IAM audit is not a one-time project. Build a cadence:
- Weekly: Access Analyzer findings, IAM Recommender dismissals, new cross-account trust relationships
- Monthly: Unused access keys report, inactive service accounts
- Quarterly: Access reviews for privileged roles, full policy inventory review
- On offboarding: Immediate review of departing engineer’s direct permissions and any roles whose trust policies name them
Quick Wins Checklist
| Check | AWS | GCP | Azure |
|---|---|---|---|
| No active root / global admin credentials | GetAccountSummary → AccountAccessKeysPresent: 0 |
N/A | Check Entra ID conditional access |
| MFA on all human privileged accounts | IAM Credential report | Google 2FA enforcement | Conditional Access policy |
| No inactive credentials older than 90 days | Credential report LastRotated |
SA key age | Entra ID sign-in activity |
No policies with Action:* or Resource:* on write |
Access Analyzer validate | N/A | Azure Policy |
| No public-facing storage | S3 Block Public Access | constraints/storage.publicAccessPrevention |
Storage account public access disabled |
| Machine identities use roles, not static keys | Audit for access key creation on roles | iam.disableServiceAccountKeyCreation |
Use Managed Identity |
| Permissions verified against actual usage | Access Analyzer generated policy | IAM Recommender | Defender for Cloud recommendations |
Framework Alignment
| Framework | Reference | What It Covers Here |
|---|---|---|
| CISSP | Domain 6 — Security Assessment and Testing | IAM auditing is a core cloud security assessment activity — finding over-permission before attackers do |
| CISSP | Domain 7 — Security Operations | Continuous IAM right-sizing is an operational discipline requiring tooling, cadence, and ownership |
| ISO 27001:2022 | 5.18 Access rights | Periodic review of access rights — this episode is the practical implementation of that control |
| ISO 27001:2022 | 8.2 Privileged access rights | Reviewing and right-sizing elevated permissions; detecting unused privileged access |
| ISO 27001:2022 | 8.16 Monitoring activities | Continuous IAM monitoring, CloudTrail analysis, and automated anomaly detection |
| SOC 2 | CC6.3 | Access removal processes — Access Analyzer, IAM Recommender, and Access Reviews are the tooling for CC6.3 |
| SOC 2 | CC7.1 | Threat and vulnerability identification — unused permissions are latent attack surface, identifiable and removable |
Key Takeaways
- The average cloud identity uses less than 5% of its granted permissions — the 95% excess is attack surface, not just waste
- AWS Access Analyzer generates a least-privilege policy from CloudTrail data — run it on every Lambda role, ECS task role, and EC2 instance profile quarterly
- GCP IAM Recommender surfaces role right-sizing suggestions based on 90-day activity — they don’t expire until you address them
- Azure Access Reviews with
defaultDecision: Denyactually remove stale access; reviews that default to preserve do nothing meaningful - Build IAM policy validation into CI/CD — catch wildcards and dangerous permissions before they merge
- Least privilege is a cycle: inventory → classify → right-size → add guardrails → monitor → repeat. Not a one-time project.
What’s Next
EP10 covers cross-system identity federation — OIDC, SAML, and the trust relationships that let a single IdP authenticate users and workloads across cloud platforms, SaaS applications, and organizational boundaries. Understanding how federation works is also understanding how it can be exploited when trust is too broad.
Next: SAML vs OIDC federation
Get EP10 in your inbox when it publishes → linuxcent.com/subscribe