AWS IAM Least-Privilege Drift Audit
Every IAM role in your AWS estate has a story: what it was meant to do, what it can do, and what it actually did last quarter. We reconcile all three. Using 90 days of CloudTrail evidence, we generate a least-privilege policy per role and quantify the drift between granted and used. Pinpoint over-privilege with falsifiable evidence — not the false-positive flood of continuous CSPM.
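The reconciliation described above, as an added worked example (this is not the audit service's own code): CloudTrail records are mapped to IAM actions per role, each role's granted action patterns are split into exercised and dormant, and a policy is generated from the observed actions alone. The role ARN, sample events, policy document and both lookup tables are constructed for the example; the tables are deliberately partial, since the real eventSource and eventName to action mappings are much larger than shown.

```python
"""Granted-vs-used IAM drift from CloudTrail evidence (added example, not the
audit service's own tooling). Records follow CloudTrail's event format; the
role ARN, events and policy are constructed sample data, and both lookup
tables are assumptions covering only what the sample needs."""
import fnmatch
from collections import defaultdict

# eventSource hosts whose IAM service prefix is not the first DNS label (partial).
EVENT_SOURCE_TO_PREFIX = {"monitoring.amazonaws.com": "cloudwatch", "tagging.amazonaws.com": "tag"}
# eventName is not always the IAM action: S3 logs ListObjects, IAM authorizes s3:ListBucket.
EVENT_NAME_TO_ACTION = {("s3.amazonaws.com", "ListObjects"): "s3:ListBucket",
                        ("s3.amazonaws.com", "ListObjectsV2"): "s3:ListBucket"}
DENIED = {"AccessDenied", "Client.UnauthorizedOperation"}  # a denied call is not evidence of use

def action_from_event(event):
    """IAM action a CloudTrail record exercised, e.g. 's3:GetObject'."""
    key = (event["eventSource"], event["eventName"])
    if key in EVENT_NAME_TO_ACTION:
        return EVENT_NAME_TO_ACTION[key]
    return f"{EVENT_SOURCE_TO_PREFIX.get(key[0], key[0].split('.')[0])}:{key[1]}"

def role_from_event(event):
    """Role ARN behind an assumed-role session; None for users and services."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    return ident["sessionContext"]["sessionIssuer"]["arn"]

def used_actions(events):
    """Per-role set of IAM actions successfully exercised in the window."""
    used = defaultdict(set)
    for ev in events:
        role = role_from_event(ev)
        if role is not None and ev.get("errorCode") not in DENIED:
            used[role].add(action_from_event(ev))
    return dict(used)

def granted_patterns(policy):
    """Flatten a policy document's Allow statements into action patterns."""
    patterns = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            actions = stmt["Action"]
            patterns.update([actions] if isinstance(actions, str) else actions)
    return patterns

def matches(pattern, action):
    """IAM action matching: * and ? wildcards, case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def drift(policy, used):
    """Granted patterns split into exercised vs dormant, plus used actions no pattern
    covers. Used-but-not-granted means a stale snapshot or another attached policy:
    the inventory itself is incomplete and must be fixed before trusting the drift."""
    granted = granted_patterns(policy)
    exercised = {p for p in granted if any(matches(p, a) for a in used)}
    uncovered = {a for a in used if not any(matches(p, a) for p in granted)}
    return {"exercised": exercised, "dormant": granted - exercised, "uncovered": uncovered}

def least_privilege_policy(used, retain=()):
    """Allow only observed actions plus `retain`: granted patterns the evidence cannot
    disprove (e.g. s3:GetObject when S3 data events are not logged). Resource stays
    '*'; narrowing it needs the resource ARNs from the same events."""
    actions = sorted(set(used) | set(retain))
    # No activity at all makes the role a deletion candidate, not a policy.
    statements = [{"Effect": "Allow", "Action": actions, "Resource": "*"}] if actions else []
    return {"Version": "2012-10-17", "Statement": statements}

ROLE = "arn:aws:iam::111111111111:role/etl-worker"  # constructed

def _event(source, name, error=None):
    ev = {"eventSource": source, "eventName": name, "userIdentity": {
        "type": "AssumedRole", "sessionContext": {"sessionIssuer": {"arn": ROLE}}}}
    if error:
        ev["errorCode"] = error
    return ev

SAMPLE_EVENTS = [  # constructed
    _event("s3.amazonaws.com", "ListObjects"),
    _event("s3.amazonaws.com", "GetObject"),  # appears only if S3 data events are logged
    _event("monitoring.amazonaws.com", "PutMetricData"),
    _event("iam.amazonaws.com", "CreateUser", error="AccessDenied"),
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"}},
]
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [  # constructed
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:*", "iam:PassRole"], "Resource": "*"},
    {"Effect": "Allow", "Action": "cloudwatch:PutMetricData", "Resource": "*"}]}

def audit_sample():
    used = used_actions(SAMPLE_EVENTS)[ROLE]
    return drift(SAMPLE_POLICY, used), least_privilege_policy(used)

if __name__ == "__main__":
    import json
    print(json.dumps([{k: sorted(v) for k, v in audit_sample()[0].items()}, audit_sample()[1]], indent=2))
```

Two caveats the code makes explicit: a management-event trail never records S3 object, DynamoDB item or Lambda invocation calls unless data events are enabled, so `retain` keeps the grants a 90-day window cannot disprove; and `Resource` is left as `*`, since narrowing it requires the resource ARNs from the same events. Denied calls are excluded from the "used" set on purpose: an AccessDenied record proves an attempt, not an exercised grant.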
IAM · Drift · Least Privilege
CloudTrail · IAM Access Analyzer · SCPs
Did your team cover these critical blind spots?
The most commonly overlooked attack vectors in cloud IAM estates, validated through hundreds of enterprise engagements.
AdminAccess everywhere
Half of your roles have AdministratorAccess "until the migration is done". The migration is done. The policy is still attached. No one will revoke it without proof of harmlessness.
Wildcard actions on service roles
Service roles carry s3:*, ec2:*, and iam:Pass* combinations that look harmless until one Lambda gets compromised: ec2:* includes ec2:RunInstances, and with iam:PassRole the attacker launches an instance under any role the Lambda is allowed to pass, inheriting that role's permissions. CSPM tools flag them all, every day, forever, and nothing changes.
No evidence of what is actually used
When the security team asks for least-privilege, the platform team asks for the list of unused permissions. No one has it. The conversation ends there until the next audit.
What We Test
Security Checklist
18 automated + manual checks organized across 4 security domains. Every item is evaluated and reported with evidence.
Drift Detection
5 checks
Generated Least-Privilege Policy
4 checks
Trust & Boundary Map
5 checks
Findings & Evidence
4 checks
Main Assessment Coverage
- CloudTrail-Backed 90-Day Action Inventory
- Granted vs Used Permission Drift, per Role
- Generated Least-Privilege Policy, per Role
- Wildcard & High-Risk Permission Inventory
- Cross-Account Trust & AssumeRole Map
- SCP & Permission Boundary Coverage Review
- IAM Access Analyzer Reachability Findings
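For the cross-account trust and AssumeRole map, an added example (again not the service's own tooling) that turns a set of role trust policies into a directed graph, lists the cross-account and wildcard trusts, and searches for an assumption chain from an external principal to a role carrying AdministratorAccess. Account IDs, role names, trust documents and the starting principal are constructed; the trust document shape is the one IAM returns in a role's AssumeRolePolicyDocument.

```python
"""Cross-account trust and AssumeRole reachability graph (added example, not the
audit service's own tooling). Trust documents have the shape IAM returns in
get_role()['Role']['AssumeRolePolicyDocument']; the accounts, roles, trust
policies and starting principal below are constructed sample data."""
from collections import deque

ASSUME_ACTIONS = {"sts:assumerole", "sts:*", "*"}

def account_of(arn):
    """Account ID field of an ARN (arn:partition:service:region:account:resource)."""
    return arn.split(":")[4]

def normalize(principal):
    """IAM accepts a bare account ID as shorthand for that account's root."""
    if principal.isdigit() and len(principal) == 12:
        return f"arn:aws:iam::{principal}:root"
    return principal

def trusted_principals(trust_doc):
    """Yield (principal, has_condition) for each Allow statement granting sts:AssumeRole.
    Service principals and AssumeRoleWithSAML/WebIdentity statements are skipped:
    they are different edge types and need their own analysis."""
    for stmt in trust_doc["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a.lower() in ASSUME_ACTIONS for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws = "*" if principal == "*" else principal.get("AWS", [])
        for p in ([aws] if isinstance(aws, str) else aws):
            yield normalize(p), "Condition" in stmt

def build_edges(roles):
    """roles: {role_arn: trust_doc} -> list of (principal, role_arn, conditioned)."""
    return [(p, arn, c) for arn, doc in roles.items() for p, c in trusted_principals(doc)]

def cross_account_edges(edges):
    """Edges whose trusting role lives in a different account than the principal,
    plus wildcard trusts. Conditions are recorded, not evaluated, so a '*' edge is
    an upper bound that a reviewer must confirm against its Condition block."""
    return [e for e in edges if e[0] == "*" or account_of(e[0]) != account_of(e[1])]

def assumable_from(node, edges):
    """Roles reachable in one hop. A root trust admits any principal of that
    account, assuming the principal's own identity policy allows sts:AssumeRole."""
    root = f"arn:aws:iam::{account_of(node)}:root"
    return [r for p, r, _ in edges if p in (node, root, "*")]

def paths_to(edges, start, targets):
    """BFS over AssumeRole edges; {target: shortest path} for reachable targets."""
    found, seen, queue = {}, {start}, deque([[start]])
    while queue:
        path = queue.popleft()
        for role in assumable_from(path[-1], edges):
            if role in seen:
                continue
            seen.add(role)
            if role in targets:
                found[role] = path + [role]
            queue.append(path + [role])
    return found

PROD, TOOLS = "111111111111", "222222222222"  # constructed account IDs

def _trust(principal, condition=None):
    stmt = {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}

SAMPLE_ROLES = {  # constructed
    f"arn:aws:iam::{PROD}:role/prod-admin": _trust({"AWS": f"arn:aws:iam::{PROD}:role/ci-deploy"}),
    f"arn:aws:iam::{PROD}:role/ci-deploy": _trust({"AWS": TOOLS}),
    f"arn:aws:iam::{PROD}:role/vendor-readonly": _trust("*", {"StringEquals": {"aws:PrincipalOrgID": "o-example"}}),
    f"arn:aws:iam::{PROD}:role/lambda-exec": _trust({"Service": "lambda.amazonaws.com"}),
}
ADMIN_ROLES = {f"arn:aws:iam::{PROD}:role/prod-admin"}  # roles with AdministratorAccess attached

def audit_sample():
    edges = build_edges(SAMPLE_ROLES)
    start = f"arn:aws:iam::{TOOLS}:user/jenkins"
    return cross_account_edges(edges), paths_to(edges, start, ADMIN_ROLES)

if __name__ == "__main__":
    cross, paths = audit_sample()
    for principal, role, conditioned in cross:
        print(f"cross-account: {principal} -> {role} (condition={'yes' if conditioned else 'no'})")
    for role, path in paths.items():
        print("admin reachable:", " -> ".join(path))
```

Conditions (ExternalId, aws:PrincipalOrgID, MFA) are recorded but not evaluated, so a `*` edge is an upper bound the reviewer confirms by hand; a root trust is treated as admitting any principal of that account, which holds only if that principal's own identity policy allows sts:AssumeRole. That second caveat is why the trust map is read alongside the per-role drift report rather than on its own.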
Flexible Network Execution
A read-only IAM role in your management account (or in the CloudTrail delegated administrator account, if you use one) is sufficient, provided the organization trail or CloudTrail Lake event data store is owned by that account; otherwise the same role is needed in each member account. The role needs IAM list/get/describe actions, CloudTrail Lake query permissions (cloudtrail:StartQuery and cloudtrail:GetQueryResults), and read access to IAM Access Analyzer findings. No data plane access: no S3 object reads, no EC2 SSM sessions, no Lambda invocations.
Route the assessment engines through your designated corporate IPs to simplify allowlisting, avoid WAF alarms, and keep a clean audit trail that satisfies internal security policy. A fixed egress address also appears as sourceIPAddress in every CloudTrail record the audit generates, so your own detections can attribute those calls cleanly and exclude them from the evidence window.
Transparent Licensing
One-time execution license. No subscriptions. No hidden fees.
Drift Audit
/ one-time license
- CloudTrail 90-Day Action Inventory
- Granted vs Used Drift per Role
- Generated Least-Privilege Policy per Role
- Cross-Account Trust & AssumeRole Graph
- SCP & Permission Boundary Coverage Review
- Executive PDF + Technical JSON + CSV
- 30-Day Platform Access
Request AWS IAM Least-Privilege Drift Audit
Send us a quick note and we'll come back with timing, scope, and the license details.