IAM Least-Privilege via Access Analyzer
Most IAM policies are over-broad. AWS Access Analyzer's last-accessed reports point at the unused permissions to remove.
Data sources
Least privilege is the IAM principle: grant only the permissions actually needed. Most teams write policies from their best guess at what is needed, and the result is typically over-permissive because nobody knew exactly what was needed at the time. Discovery is the discipline of using usage data to reduce policies to what is actually used.
What data sources matter:
- IAM Access Analyzer last-accessed timestamps: AWS Access Analyzer records when each IAM principal last used each service. The data is per-service per-role; permissions that have not been used in months are candidates for review. The data is built into IAM; the team does not have to build a custom collection.
- CloudTrail data events for resource-level usage: CloudTrail data events capture per-resource API calls (S3 object operations, DynamoDB item operations). The data shows which resources were accessed and which were not. The granularity supports resource-specific policy tightening.
- Service-level activity from CloudTrail: Standard CloudTrail captures management events. The team can see which API calls a role actually made over a window. The data feeds the conversation about which permissions are real and which are speculative.
- Application logs: Some applications log their AWS API usage. The application logs supplement CloudTrail with additional context: which code path called which API, which user triggered which action.
- Third-party tools: Tools like Repokid (Netflix open-source) and commercial least-privilege tools automate the analysis. They consume CloudTrail and Access Analyzer data and produce policy recommendations.
The data is the foundation. Without usage data, least privilege is a guess; with it, the team can make defensible decisions.
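As an added example (not code from this page, from AWS, or from any of the tools named above), the Python below turns last-accessed data into review candidates. The input follows the shape of the `ServicesLastAccessed` list that boto3's `iam.get_service_last_accessed_details` returns as I understand it, including the optional `TrackedActionsLastAccessed` entries that ACTION_LEVEL granularity adds for some services; the report itself and the fixed clock are constructed, and the 90-day window is the guideline used later on this page.

```python
"""Classify IAM last-accessed data into review candidates.

Added example. SAMPLE_REPORT is constructed; its keys mirror the boto3
get_service_last_accessed_details response (ServicesLastAccessed), an
assumption about the API shape rather than data from any real account.
"""
from datetime import datetime, timedelta, timezone

# Fixed clock so the example is deterministic.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed report for one role. A missing LastAuthenticated /
# LastAccessedTime key means "never used within the tracking period".
SAMPLE_REPORT = [
    {"ServiceName": "Amazon S3", "ServiceNamespace": "s3",
     "LastAuthenticated": NOW - timedelta(days=3), "TotalAuthenticatedEntities": 1,
     # Action-level detail, as ACTION_LEVEL granularity provides for S3.
     "TrackedActionsLastAccessed": [
         {"ActionName": "GetObject", "LastAccessedTime": NOW - timedelta(days=3)},
         {"ActionName": "PutObject", "LastAccessedTime": NOW - timedelta(days=200)},
         {"ActionName": "DeleteObject"},
     ]},
    {"ServiceName": "Amazon DynamoDB", "ServiceNamespace": "dynamodb",
     "LastAuthenticated": NOW - timedelta(days=120), "TotalAuthenticatedEntities": 1},
    {"ServiceName": "AWS Lambda", "ServiceNamespace": "lambda",
     "TotalAuthenticatedEntities": 0},
    {"ServiceName": "Amazon EC2", "ServiceNamespace": "ec2",
     "LastAuthenticated": NOW - timedelta(days=10), "TotalAuthenticatedEntities": 1},
]


def _age_days(timestamp, now):
    """Days since the timestamp, or None when the service/action was never used."""
    return None if timestamp is None else (now - timestamp).days


def classify_services(report, now=NOW, window_days=90):
    """Map each service namespace to (status, age_days).

    status is 'never' (no timestamp), 'stale' (older than the window)
    or 'active' (used inside the window).
    """
    result = {}
    for svc in report:
        age = _age_days(svc.get("LastAuthenticated"), now)
        if age is None:
            status = "never"
        elif age > window_days:
            status = "stale"
        else:
            status = "active"
        result[svc["ServiceNamespace"]] = (status, age)
    return result


def candidate_services(report, now=NOW, window_days=90):
    """Service namespaces whose grants go to the owner for review."""
    classified = classify_services(report, now, window_days)
    return sorted(ns for ns, (status, _) in classified.items() if status != "active")


def candidate_actions(report, now=NOW, window_days=90):
    """Action-level candidates ('s3:PutObject') where tracked actions exist.

    This is finer than the per-service view: S3 as a whole is active, but
    two of its three tracked actions are not.
    """
    out = []
    for svc in report:
        for act in svc.get("TrackedActionsLastAccessed", []):
            age = _age_days(act.get("LastAccessedTime"), now)
            if age is None or age > window_days:
                out.append(f"{svc['ServiceNamespace']}:{act['ActionName']}")
    return sorted(out)


if __name__ == "__main__":
    for ns, (status, age) in classify_services(SAMPLE_REPORT).items():
        print(f"{ns:10s} {status:7s} {'never' if age is None else f'{age}d ago'}")
    print("service candidates:", candidate_services(SAMPLE_REPORT))
    print("action candidates:", candidate_actions(SAMPLE_REPORT))
```

The two candidate lists are deliberately separate: a service that is active at the service level can still carry individual actions nobody has exercised, and those are the ones the resource-level and action-level sources above exist to catch.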
The trim
The trim is the action: remove permissions that have not been used. The discipline is doing this carefully, with owner review and rollback capability, so the trim does not break things.
- Permissions not used in 90 days are candidates for removal: The 90-day window catches most legitimate use; permissions truly needed have typically been exercised within a quarter. The window is a guideline; some use cases need longer windows.
- Owner reviews before removal: Each candidate removal goes to the owner of the role for review. The owner knows context the data does not: emergency-only permissions, seasonal use cases, planned future use. The review prevents over-aggressive trimming.
- Some emergency-only permissions are intentionally unused: Break-glass roles, disaster recovery roles, and similar emergency-use roles may have permissions that are deliberately unused. The owner identifies these and excludes them from the trim.
- Trim in stages: Remove permissions in batches, observe for breakage, continue. A staged trim with rollback capability is safer than a one-shot reduction. The cost of staging is small; the safety improvement is meaningful.
- Document the trims: Each trim is documented: what was removed, when, by whom, what was the basis. Audit conversations reference the documentation; rollback decisions reference it.
The trim is the work. Without it, the data sources just produce reports; with it, the data drives real privilege reduction.
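To show the five steps above working together (candidates, owner exclusions, staged batches, rollback data and a documented record), here is an added Python example; it is not code from this page or from any tool it mentions. The policy document, the candidate list (of the kind last-accessed data produces) and the exclusion list are all constructed. The record keeps the pre-trim document verbatim so a rollback has something to restore; in real use that corresponds to publishing the trimmed document as a new managed-policy version and leaving the previous version in place.

```python
"""Stage a least-privilege trim of an IAM policy document and record it.

Added example: ORIGINAL_POLICY, CANDIDATES and EXCLUSIONS are constructed.
"""
import copy
from datetime import datetime, timezone

# Constructed policy document for a role whose grants have drifted over-broad.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "S3Access", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "TableAccess", "Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/example"},
        {"Sid": "Unused", "Effect": "Allow",
         "Action": "lambda:InvokeFunction", "Resource": "*"},
        {"Sid": "BreakGlass", "Effect": "Allow",
         "Action": ["kms:ScheduleKeyDeletion"], "Resource": "*"},
        {"Sid": "DenyGuard", "Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
}

# Candidates as a last-accessed report would flag them: a full 'svc:Action',
# or a bare service namespace meaning "nothing in this service was used".
CANDIDATES = ["s3:PutObject", "s3:DeleteObject", "lambda", "kms:ScheduleKeyDeletion"]
# Owner review: ScheduleKeyDeletion is break-glass and deliberately unused.
EXCLUSIONS = ["kms:ScheduleKeyDeletion"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(action, pattern):
    """pattern is 'svc:Action' (exact, case-insensitive) or a bare namespace."""
    if ":" in pattern:
        return action.lower() == pattern.lower()
    return action.split(":", 1)[0].lower() == pattern.lower()


def plan_trim(policy, candidates, exclusions, batch_size):
    """Split removable Allow actions into this stage's batch and the remainder.

    Deny statements are never touched: a trim only removes grants.
    Returns two lists of (Sid, action) pairs.
    """
    removable = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        for action in _as_list(stmt["Action"]):
            if any(_matches(action, e) for e in exclusions):
                continue  # owner-excluded, stays in place
            if any(_matches(action, c) for c in candidates):
                removable.append((stmt.get("Sid"), action))
    return removable[:batch_size], removable[batch_size:]


def apply_trim(policy, removals):
    """Return a new document without the given (Sid, action) pairs.

    The input is not modified; statements left with no actions are dropped.
    """
    trimmed = copy.deepcopy(policy)
    drop = set(removals)
    kept_statements = []
    for stmt in trimmed["Statement"]:
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            kept = [a for a in _as_list(stmt["Action"]) if (stmt.get("Sid"), a) not in drop]
            if not kept:
                continue
            stmt["Action"] = kept
        kept_statements.append(stmt)
    trimmed["Statement"] = kept_statements
    return trimmed


def trim_record(role, policy, removals, deferred, basis, reviewer, when=None):
    """Audit entry: what, when, by whom, on what basis, plus the rollback document."""
    when = when or datetime.now(timezone.utc)
    return {
        "role": role,
        "removed": [f"{sid}/{action}" for sid, action in removals],
        "deferred": [f"{sid}/{action}" for sid, action in deferred],
        "basis": basis,
        "reviewed_by": reviewer,
        "timestamp": when.isoformat(),
        "rollback_document": copy.deepcopy(policy),  # pre-trim document, verbatim
    }


if __name__ == "__main__":
    batch, later = plan_trim(ORIGINAL_POLICY, CANDIDATES, EXCLUSIONS, batch_size=2)
    trimmed = apply_trim(ORIGINAL_POLICY, batch)
    record = trim_record("app-role", ORIGINAL_POLICY, batch, later,
                         "90-day last-accessed report", "role-owner",
                         datetime(2024, 6, 1, tzinfo=timezone.utc))
    print("removed this stage:", record["removed"])
    print("deferred to next stage:", record["deferred"])
    print("remaining Sids:", [s["Sid"] for s in trimmed["Statement"]])
```

With a batch size of two, the first stage removes only the two stale S3 actions and leaves the unused Lambda grant for the next stage after the team has watched for breakage; the excluded break-glass action is never a candidate, and the Deny statement is left alone because a trim only ever narrows grants. Wildcard actions such as `s3:*` do not match a candidate here and are left for the owner to split by hand.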
Compound
Least privilege discovery is a continuous discipline. Each quarter's trim removes some unused permissions; the next quarter's data shows new candidates. The privilege surface shrinks over time without major disruption.
- Quarterly: remove 5-15% of unused permissions: Each quarter, the team removes a fraction of identified unused permissions. The fraction varies by environment and risk tolerance; consistent application is what matters.
- Privilege surface shrinks: Over multiple quarters, the cumulative effect is significant. A privilege surface indexed at 100% of its starting size shrinks to 80%, then 70%, then 60%. The shrinkage is gradual; the operational cost is bounded.
- Year-over-year, risk drops: The annual reduction in privilege surface translates to reduced blast radius for any given credential compromise. The risk reduction is real and measurable; the security posture improves continuously.
- Without operational pain: Because the trims are reviewed, staged, and reversible, operational impact is minimal. Some trims will turn out to be wrong; rollback is fast; the team learns and continues.
- The end state is sustainable least privilege: After enough cycles, policies reflect actual usage. New permissions are added when needed; unused ones are removed continuously. The discipline is sustainable; least privilege becomes the steady state, not an aspirational target.
IAM least privilege discovery is one of the highest-leverage long-term security disciplines available to platform and security teams. Nova AI Ops integrates with IAM Access Analyzer and CloudTrail data, surfaces unused permissions per role, and produces the audit-ready trim queue that the team works from quarter to quarter.