5.2.5. Investigating Unintended Permissions
First Principle: Permissions drift over time — temporary access becomes permanent, resource policies grant broader access than intended, and refactored code leaves behind unused but active permissions. Continuous investigation identifies and remediates these gaps.
IAM Access Analyzer External Access Findings:
- Continuously monitors resource policies for external sharing
- Generates findings when S3 buckets, KMS keys, IAM roles, Lambda functions, or SQS queues are accessible from outside your account or organization
- Severity levels help prioritize: public access is higher severity than cross-account access within your organization
Common Unintended Permission Patterns:
| Pattern | Example | Detection |
|---|---|---|
| Over-broad resource policy | S3 bucket policy with "Principal": "*" | Access Analyzer external access |
| Unused permissions | Role with 50 actions, only 5 ever used | Access Analyzer unused access |
| Stale credentials | Access keys unused for 90+ days | Credential report, Access Analyzer |
| Cross-account over-sharing | KMS key policy granting entire external account | Access Analyzer external access |
| Permission escalation path | User can iam:AttachRolePolicy on admin role | Custom analysis or third-party tools |
Remediation Workflow:
- Enable Access Analyzer in all accounts (via delegated administrator)
- Review findings weekly — prioritize public access and critical resources
- Tighten resource policies based on actual usage patterns
- Remove unused credentials and permissions
- Set up EventBridge rules to alert on new external access findings
⚠️ Exam Trap: Access Analyzer can generate least-privilege policies based on CloudTrail data. If a question asks "how to right-size permissions based on actual usage," Access Analyzer policy generation is the answer.
Scenario: Access Analyzer identifies that a KMS key in your production account has a key policy granting kms:Decrypt to an external account that was used during a one-time data migration 6 months ago. You remove the external principal from the key policy and create an EventBridge rule to alert on future external access findings.
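The scenario above and the "over-broad resource policy" and "cross-account over-sharing" rows of the table, as an added worked example (not AWS code or the Access Analyzer implementation): an offline check that flags Allow statements whose Principal is `*` or an account outside a trusted set, and produces the tightened policy with those statements removed. The account IDs and the trusted-account set are assumptions.

```python
"""Offline check for resource policies that reach principals outside your accounts.
Added example, not AWS code: mirrors the idea behind Access Analyzer external access
findings for one policy document (Principal element only, no Condition evaluation)."""
import copy
import re

ACCOUNT_RE = re.compile(r"^arn:aws:iam::(\d{12}):")

# Constructed sample: the scenario's KMS key policy. Account IDs are placeholders;
# 111111111111 is assumed to be your account, 999999999999 the migration partner.
TRUSTED_ACCOUNTS = {"111111111111"}
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow", "Action": "kms:*",
         "Resource": "*", "Principal": {"AWS": "arn:aws:iam::111111111111:root"}},
        {"Sid": "Migration decrypt", "Effect": "Allow", "Action": "kms:Decrypt",
         "Resource": "*", "Principal": {"AWS": "arn:aws:iam::999999999999:root"}},
    ],
}

def _aws_principals(stmt):
    """Flatten Principal into AWS principal strings; Service principals count as internal."""
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    vals = p.get("AWS", []) if isinstance(p, dict) else []
    return [vals] if isinstance(vals, str) else list(vals)

def statement_findings(stmt, trusted):
    """(sid, principal, severity) for each outside principal this Allow reaches."""
    found = []
    if stmt.get("Effect") != "Allow":
        return found
    for pr in _aws_principals(stmt):
        if pr == "*":
            found.append((stmt.get("Sid"), pr, "public"))  # highest severity
        elif (m := ACCOUNT_RE.match(pr)) and m.group(1) not in trusted:
            found.append((stmt.get("Sid"), pr, "cross-account"))
    return found

def external_findings(policy, trusted):
    """All external access findings for a policy document, in statement order."""
    return [f for s in policy["Statement"] for f in statement_findings(s, trusted)]

def remove_external(policy, trusted):
    """Copy of the policy with every externally reachable Allow statement dropped."""
    new = copy.deepcopy(policy)
    new["Statement"] = [s for s in new["Statement"] if not statement_findings(s, trusted)]
    return new
```

Running `external_findings(KEY_POLICY, TRUSTED_ACCOUNTS)` reports only the "Migration decrypt" statement as a cross-account finding, and `remove_external` returns the key policy with that statement gone while the account-root statement stays.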
Reflection Question: Why does continuous permission investigation (not just one-time audits) create a fundamentally different security posture?