AWS IAM
Discover IAM users & roles, customer & AWS managed policies, permission boundaries, role trust relationships, access keys, STS assumptions, and effective permissions across accounts and OUs. Govern non-human identities and stop risky actions before impact.
What the connector discovers
- IAM Users, Roles & Instance Profiles
User metadata, access keys, MFA; roles & instance profiles used by EC2/Lambda/EKS; last-used indicators and Access Advisor signals.
- Policies & Permission Boundaries
Customer/AWS managed policies, inline policies, boundary policies; policy documents normalized and evaluated for effective rights.
- Role Trust Policies (AssumeRole)
Who can assume which roles, from where (accounts, OUs, services, external IdPs), with session policies and conditions.
- Organizations & SCPs (optional)
Account hierarchy, OUs, service control policies that influence effective permissions across accounts.
- Effective Permissions
Identity → policy set → resource ARNs → allowed actions, correlated to actions observed in CloudTrail at time-of-execution.
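The evaluation order behind that "identity to allowed actions" projection is worth seeing in code. The block below is an added illustration, not ClarioSec code: for one (action, resource) pair it applies the IAM precedence rules, an explicit Deny anywhere wins, otherwise the call needs an Allow from the identity policies and, when present, from the permission boundary and from the SCP set. Condition elements, resource-based policies and session policies are deliberately left out, so the result is an upper bound on real access. The policy documents are constructed samples.

```python
"""Simplified IAM effective-permission evaluation (added example, not ClarioSec code)."""
from fnmatch import fnmatchcase


def _listify(value):
    """Policy JSON allows a string or a list in Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _match(patterns, value, ignore_case=False):
    """IAM wildcard semantics: '*' any run of characters, '?' one character."""
    if ignore_case:
        return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatchcase(value, p) for p in patterns)


def _applies(stmt, action, resource):
    """Does Action/NotAction and Resource/NotResource of this statement cover the call?"""
    if "Action" in stmt:
        if not _match(_listify(stmt["Action"]), action, ignore_case=True):
            return False
    elif "NotAction" in stmt:
        if _match(_listify(stmt["NotAction"]), action, ignore_case=True):
            return False
    else:
        return False
    if "Resource" in stmt:
        if not _match(_listify(stmt["Resource"]), resource):
            return False
    elif "NotResource" in stmt:
        if _match(_listify(stmt["NotResource"]), resource):
            return False
    return True


def decide(policies, action, resource):
    """Verdict for one policy layer: 'Deny', 'Allow' or 'Implicit' (no matching Allow)."""
    allowed = False
    for doc in policies:
        for stmt in _listify(doc.get("Statement")):
            if not _applies(stmt, action, resource):
                continue
            if stmt.get("Effect") == "Deny":
                return "Deny"          # explicit deny wins over everything
            if stmt.get("Effect") == "Allow":
                allowed = True
    return "Allow" if allowed else "Implicit"


def is_allowed(action, resource, identity_policies, boundary=None, scps=()):
    """Every applicable layer must say Allow and none may say Deny."""
    layers = [identity_policies]
    if boundary is not None:
        layers.append([boundary])       # boundary intersects with identity policies
    if scps:
        layers.append(list(scps))       # all SCPs on the OU path, folded into one layer
    verdicts = [decide(layer, action, resource) for layer in layers]
    return "Deny" not in verdicts and all(v == "Allow" for v in verdicts)


def effective_actions(candidates, resource, identity_policies, boundary=None, scps=()):
    """The identity -> policy set -> resource ARN -> allowed actions projection."""
    return [a for a in candidates if is_allowed(a, resource, identity_policies, boundary, scps)]


# Constructed sample documents (no real account data).
IDENTITY = [{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::corp-logs/*"},
    {"Effect": "Allow", "Action": "iam:CreateUser", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
]}]
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "iam:*"], "Resource": "*"},
]}
SCPS = [
    {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    {"Version": "2012-10-17", "Statement": [{"Effect": "Deny", "Action": "iam:CreateUser", "Resource": "*"}]},
]

if __name__ == "__main__":
    obj = "arn:aws:s3:::corp-logs/2024/10/app.log"
    for a in ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "iam:CreateUser"]:
        print(f"{a:16} -> {is_allowed(a, obj, IDENTITY, BOUNDARY, SCPS)}")
```

With the samples, s3:PutObject is allowed by the identity policy alone but blocked once the boundary is applied, s3:DeleteObject is blocked by the explicit Deny, and iam:CreateUser passes identity and boundary yet is blocked by the SCP; a drift engine compares this projection against the actions actually seen in CloudTrail.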
IAM defines **who can do what** across every AWS service. ClarioSec turns IAM configuration into **runtime governance**: drift-aware scoring, pre-execution controls, and narratives that stand up to audits and RCAs.
Drift-aware risk scoring
Baselines per role/user; peer groups by service/team; detection of privilege creep, policy sprawl, risky trust relationships, and anomalous action sequences in CloudTrail.
Pre-execution enforcement
Allow / Alert / Block / Approve with governed overrides. Automatic scope minimization (policy edits/suggestions) and access key rotation on risk thresholds.
Audit-grade narratives
Every decision returns a narrative linking **rule → reason → proof → control map** (SOC 2, GDPR, ISO/IEC 27001 & 42001, AI Act), including before/after permissions and owner context.
Connect AWS IAM
Use a **cross-account role** (recommended) or **access keys** with read-only permissions. ClarioSec assumes the role via STS and honors rate limits & paging.
- 1) Create a ReadOnly Role
In the management account (or in each member account), create a role with an external ID for ClarioSec; attach the AWS managed ReadOnlyAccess policy plus the IAM and Organizations read APIs. Keep in mind that ReadOnlyAccess covers read access to data as well as configuration (for example s3:GetObject), so scope the role down if that is not acceptable in the account.
- 2) Trust Policy
Allow the ClarioSec account to assume the role only when the request carries the agreed external ID (a StringEquals condition on sts:ExternalId); this blocks the confused-deputy path in which another party supplies your role ARN to ClarioSec. Optionally restrict further by source account or OUs.
- 3) Provide Role ARN (or keys)
Paste the Role ARN and External ID in ClarioSec (or access key/secret for a limited-scope start).
- 4) Optional — Organizations
Grant read-only access to AWS Organizations to fetch OU hierarchy and SCPs for effective permission evaluation.
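Steps 1 to 4 end to end, as an added example rather than ClarioSec's own tooling: the script builds the trust policy with the sts:ExternalId condition, lists the managed policies to attach (ReadOnlyAccess plus the Organizations read-only policy for step 4) and prints the AWS CLI calls for both sides of the handshake. The ClarioSec account ID, the role name and the optional ClarioSec-side role name are assumed placeholders; use the values the ClarioSec console gives you.

```python
"""Cross-account read-only role for ClarioSec (added example, not ClarioSec code)."""
import json
import secrets

CLARIOSEC_ACCOUNT_ID = "111111111111"   # assumed placeholder for ClarioSec's AWS account
ROLE_NAME = "ClarioSecReadOnly"         # assumed role name in your account

# Step 1 and step 4: broad read surface, plus Organizations reads for OUs and SCPs.
MANAGED_POLICIES = [
    "arn:aws:iam::aws:policy/ReadOnlyAccess",
    "arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess",
]


def new_external_id(nbytes=24):
    """A fresh random external ID; generate it once and hand it only to ClarioSec."""
    return secrets.token_urlsafe(nbytes)


def trust_policy(external_id, clariosec_account=CLARIOSEC_ACCOUNT_ID, principal_role=None):
    """Step 2: trust ClarioSec's account, gated by sts:ExternalId.

    Without the Condition, any tenant of a multi-tenant service could hand it your
    role ARN and have the role assumed on their behalf (confused deputy).
    principal_role optionally narrows the trust from the account root to one role
    in that account; the name is an assumption, use whatever the vendor documents.
    """
    if principal_role is None:
        principal = f"arn:aws:iam::{clariosec_account}:root"
    else:
        principal = f"arn:aws:iam::{clariosec_account}:role/{principal_role}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowClarioSecAssumeRole",
            "Effect": "Allow",
            "Principal": {"AWS": principal},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def create_role_commands(trust_doc_path="trust.json", role_name=ROLE_NAME):
    """Steps 1 and 2 as AWS CLI calls, run in the account that owns the role."""
    cmds = [f"aws iam create-role --role-name {role_name} "
            f"--assume-role-policy-document file://{trust_doc_path}"]
    cmds += [f"aws iam attach-role-policy --role-name {role_name} --policy-arn {arn}"
             for arn in MANAGED_POLICIES]
    return cmds


def assume_role_command(target_account, external_id, role_name=ROLE_NAME):
    """Step 3 seen from the collector side: the STS call ClarioSec makes with the ARN and ID you paste."""
    return (f"aws sts assume-role --role-arn arn:aws:iam::{target_account}:role/{role_name} "
            f"--role-session-name clariosec --external-id {external_id}")


if __name__ == "__main__":
    ext = new_external_id()
    with open("trust.json", "w", encoding="utf-8") as fh:
        json.dump(trust_policy(ext), fh, indent=2)
    print("\n".join(create_role_commands()))
    print(assume_role_command("123456789012", ext))   # 123456789012 is a placeholder account
```

Run it in the target account, apply the printed create-role and attach-role-policy commands, then paste the resulting role ARN and the external ID into ClarioSec; the assume-role line shows what the collector's STS call must look like, so you can test the trust from a principal in the trusted account before handing the ARN over.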
High-value objects pulled via IAM/STS/Organizations/Access Analyzer:
- IAM Users, Roles, Instance Profiles, Groups
- Customer/AWS managed & inline Policies; Permission Boundaries
- Role Trust Policies (assume-role relationships), STS usage & session policies
- Access Keys (age/last used), MFA status; Credential Report; Access Advisor
- Organizations: Accounts, OUs, SCPs (optional)
- Access Analyzer & CloudTrail correlations for permission-at-time-of-action
Endpoint family: IAM, STS, Organizations, Access Analyzer, CloudTrail (read-only).
- Over-privileged roles & wildcard policies
Policies with "Action":"*" or "Resource":"*" on sensitive services; missing permission boundaries.
- Risky trust policies
Roles assumable from external accounts, anonymous principals ("Principal": "*"), or wide OUs without a limiting condition such as sts:ExternalId or aws:PrincipalOrgID.
- Stale access keys & unused permissions
Keys older than the rotation policy allows, keys unused for a long period, or permissions never exercised according to Access Advisor.
- SCP gaps
Inconsistent service control policies allowing escalation paths across accounts.
- Prioritized policy minimization suggestions & boundary enforcement
- Auto-rotation and disabling of stale access keys
- Just-in-time approvals for sensitive AssumeRole paths
- Audit-grade narratives mapped to SOC 2 / GDPR / ISO / AI Act
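What the first three finding categories above look like as checks over the raw objects the connector pulls: wildcard Allow statements on sensitive services, trust policies with anonymous or external principals and no Condition, and stale keys from the credential report. The block is an added illustration, not ClarioSec's detection code; the policy documents and the credential-report rows are constructed samples (the CSV follows the column layout of `aws iam get-credential-report`), and the audited account ID, the set of sensitive services and the age thresholds are assumed values.

```python
"""Finding logic for wildcard policies, risky trust and stale keys (added example)."""
import csv
import io
from datetime import datetime, timezone

OWN_ACCOUNT = "123456789012"                               # assumed: account under audit
SENSITIVE_SERVICES = {"*", "iam", "sts", "kms", "organizations"}   # assumed watch list
MAX_KEY_AGE_DAYS, MAX_IDLE_DAYS = 90, 45                   # assumed rotation / idle policy
NOW = datetime(2024, 10, 2, 12, 0, tzinfo=timezone.utc)    # pinned so the sample is stable


def _listify(v):
    return [] if v is None else (v if isinstance(v, list) else [v])


def wildcard_findings(name, doc):
    """'Action':'*' / 'service:*', or 'Resource':'*', on a sensitive service in an Allow."""
    out = []
    for s in _listify(doc.get("Statement")):
        if s.get("Effect") != "Allow":
            continue
        wild_resource = "*" in _listify(s.get("Resource"))
        for a in _listify(s.get("Action")):
            service = "*" if a == "*" else a.split(":", 1)[0].lower()
            if service not in SENSITIVE_SERVICES:
                continue
            if a == "*" or a.endswith(":*"):
                out.append(f"{name}: wildcard action {a!r} on sensitive service {service!r}")
            elif wild_resource:
                out.append(f"{name}: {a!r} granted on Resource '*'")
    return out


def trust_findings(role, doc):
    """Anonymous or external AWS principals allowed to AssumeRole without a Condition."""
    out = []
    for s in _listify(doc.get("Statement")):
        actions = [a.lower() for a in _listify(s.get("Action"))]
        if s.get("Effect") != "Allow" or not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        p = s.get("Principal")
        principals = ["*"] if p == "*" else _listify(p.get("AWS")) if isinstance(p, dict) else []
        has_cond = bool(s.get("Condition"))
        for ap in principals:
            if ap == "*":
                out.append(f"{role}: assumable by anonymous principal '*'" + ("" if has_cond else " with no Condition"))
                continue
            account = ap.split(":")[4] if ap.startswith("arn:") else ap   # full ARN or bare account ID
            if account != OWN_ACCOUNT and not has_cond:
                out.append(f"{role}: assumable from external account {account} without conditions")
    return out


def stale_key_findings(report_csv, now=NOW):
    """Credential-report rows: key age, idle time, and console users without MFA."""
    out = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = datetime.fromisoformat(row[f"access_key_{n}_last_rotated"])
            used = row[f"access_key_{n}_last_used_date"]
            age = (now - rotated).days
            idle = age if used == "N/A" else (now - datetime.fromisoformat(used)).days  # never used
            if age > MAX_KEY_AGE_DAYS:
                out.append(f"{row['user']}: access key {n} is {age} days old (limit {MAX_KEY_AGE_DAYS})")
            if idle > MAX_IDLE_DAYS:
                out.append(f"{row['user']}: access key {n} unused for {idle} days")
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            out.append(f"{row['user']}: console password enabled without MFA")
    return out


# Constructed samples (no real account data).
POLICIES = {
    "DevOpsAdmin": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "BucketReader": {"Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "arn:aws:s3:::corp-logs/*"},
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*"}]},
}
TRUST_POLICIES = {
    "VendorAudit": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                   "Principal": {"AWS": "arn:aws:iam::999999999999:root"}}]},
    "VendorAuditSafe": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                       "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
                                       "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]},
    "PublicRole": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": "*"}]},
}
CREDENTIAL_REPORT = (
    "user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,"
    "password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,"
    "access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,"
    "access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,"
    "access_key_2_last_used_region,access_key_2_last_used_service\n"
    "ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2023-01-10T09:00:00+00:00,false,N/A,N/A,N/A,"
    "false,true,2023-01-10T09:00:00+00:00,2024-05-01T12:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A\n"
    "alice,arn:aws:iam::123456789012:user/alice,2024-09-01T09:00:00+00:00,true,2024-09-30T08:00:00+00:00,"
    "2024-09-01T09:00:00+00:00,2024-12-01T09:00:00+00:00,true,true,2024-09-20T09:00:00+00:00,"
    "2024-10-01T10:00:00+00:00,eu-west-1,iam,false,N/A,N/A,N/A,N/A\n"
)


def audit():
    findings = {"wildcards": [], "trust": [], "credentials": stale_key_findings(CREDENTIAL_REPORT)}
    for name, doc in POLICIES.items():
        findings["wildcards"] += wildcard_findings(name, doc)
    for role, doc in TRUST_POLICIES.items():
        findings["trust"] += trust_findings(role, doc)
    return findings


if __name__ == "__main__":
    for category, items in audit().items():
        print(category, *items, sep="\n  - ")
```

Against the samples the checks flag the `"Action":"*"` policy, kms:Decrypt on every key, the vendor role trusted without an ExternalId, the publicly assumable role, and the long-lived, idle CI key, while the vendor role that carries the sts:ExternalId condition and the recently rotated, MFA-protected user produce nothing. Trust statements are checked for conditions only by presence; a real engine also has to judge whether the condition actually narrows the principal.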
Ready to govern AWS IAM agents at runtime?
Move from IAM posture to provable behavior — identity → permission → action → narrative.