IAM Least-Privilege via Access Analyzer
Most IAM policies grant far more than the workload ever calls. IAM's service last-accessed data and Access Analyzer's unused-access findings show which granted permissions have gone unused, which is the list of what to remove.
Data sources
IAM service last-accessed data (GenerateServiceLastAccessedDetails, then GetServiceLastAccessedDetails): per role, the last-authenticated timestamp for each service, and for each action on the services that support action-level tracking. A service with no timestamp was not used within IAM's tracking period, which is at most 400 days, so "never" here means "not in the tracked window". Access Analyzer's unused-access findings surface the same gaps as findings across accounts.
CloudTrail: management events for the API calls themselves, data events for resource-level usage (S3 objects, Lambda invocations) that last-accessed data cannot attribute to a resource. Access Analyzer policy generation reads this trail and drafts a policy scoped to the observed activity.
The trim
Permissions not used in 90 days are candidates for removal. The window must be longer than the role's slowest legitimate cycle: a quarter-end job looks unused on day 89, and an annual key-rotation step looks unused for most of the year.
The role owner reviews every candidate before removal. Break-glass and disaster-recovery permissions are intentionally unused; they go on an allowlist, not into the trim. Ship the removal as a new version of the managed policy so rollback is a SetDefaultPolicyVersion away (IAM keeps up to five versions per customer managed policy).
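The trim above as a worked example, added here and not code from the original note: it takes a report shaped like the IAM GetServiceLastAccessedDetails response, flags every service or action with no use inside the 90-day window, and separates the owner's break-glass allowlist from the removal candidates. `fetch_report` uses the real IAM APIs through boto3 (GenerateServiceLastAccessedDetails with action-level granularity, then polling GetServiceLastAccessedDetails and following its Marker); the sample report, the `BREAK_GLASS` allowlist and the role ARN are constructed assumptions so the check runs offline.

```python
"""Flag a role's permissions that IAM last-accessed data shows unused for
90 days, keeping the owner's intentionally unused entries out of the trim.

Report shape follows GetServiceLastAccessedDetails: a service not used in
the tracking period has no LastAuthenticated key, and only services with
action-level tracking carry TrackedActionsLastAccessed (only the actions IAM
tracks appear there); everything else is judged at service level."""
from datetime import datetime, timedelta, timezone
import time

WINDOW_DAYS = 90


def unused_permissions(report, now, window_days=WINDOW_DAYS, keep=frozenset()):
    """Return (candidates, exempt): entries with no recorded use since
    now - window_days. Entries are 'namespace:Action' where action-level data
    exists, else 'namespace:*'. Entries in `keep` are reported as exempt."""
    cutoff = now - timedelta(days=window_days)

    def stale(ts):
        # No timestamp at all means no use within IAM's tracking period.
        return ts is None or ts < cutoff

    candidates, exempt = [], []
    for svc in report.get("ServicesLastAccessed", []):
        ns = svc["ServiceNamespace"]
        actions = svc.get("TrackedActionsLastAccessed")
        if actions:
            entries = [(f"{ns}:{a['ActionName']}", a.get("LastAccessedTime"))
                       for a in actions]
        else:
            entries = [(f"{ns}:*", svc.get("LastAuthenticated"))]
        for name, ts in entries:
            if stale(ts):
                (exempt if name in keep else candidates).append(name)
    return sorted(candidates), sorted(exempt)


def fetch_report(role_arn, poll_seconds=2):
    """Request action-level last-accessed data for one role and collect the
    complete result. boto3 is imported here so the offline demo below needs
    neither the library nor AWS credentials (assumption: both exist when
    this is called for real)."""
    import boto3
    iam = boto3.client("iam")
    job_id = iam.generate_service_last_accessed_details(
        Arn=role_arn, Granularity="ACTION_LEVEL")["JobId"]
    while True:
        page = iam.get_service_last_accessed_details(JobId=job_id)
        status = page["JobStatus"]
        if status == "FAILED":
            raise RuntimeError(page.get("Error"))
        if status == "COMPLETED":
            services = list(page["ServicesLastAccessed"])
            while page.get("IsTruncated"):  # results are paginated by Marker
                page = iam.get_service_last_accessed_details(
                    JobId=job_id, Marker=page["Marker"])
                services.extend(page["ServicesLastAccessed"])
            page["ServicesLastAccessed"] = services
            return page
        time.sleep(poll_seconds)


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample (not real account data), shaped like the API response.
SAMPLE_NOW = _utc(2024, 6, 30)
SAMPLE_REPORT = {
    "JobStatus": "COMPLETED",
    "JobType": "ACTION_LEVEL",
    "ServicesLastAccessed": [
        {"ServiceNamespace": "s3", "ServiceName": "Amazon S3",
         "LastAuthenticated": _utc(2024, 6, 28),
         "TrackedActionsLastAccessed": [
             {"ActionName": "GetObject", "LastAccessedTime": _utc(2024, 6, 28)},
             {"ActionName": "PutObject", "LastAccessedTime": _utc(2024, 2, 1)},
             {"ActionName": "DeleteBucket"},  # granted, never used
         ]},
        {"ServiceNamespace": "kms", "ServiceName": "AWS KMS",
         "LastAuthenticated": _utc(2024, 6, 1)},
        {"ServiceNamespace": "ec2", "ServiceName": "Amazon EC2"},  # never used
    ],
}
# Owner-maintained allowlist of emergency-only permissions (an assumption).
BREAK_GLASS = frozenset({"s3:DeleteBucket"})


def demo():
    return unused_permissions(SAMPLE_REPORT, SAMPLE_NOW, keep=BREAK_GLASS)


if __name__ == "__main__":
    candidates, exempt = demo()
    print("trim candidates:", candidates)
    print("exempt (intentionally unused):", exempt)
```

With the sample data the trim list is `ec2:*` and `s3:PutObject`; `s3:DeleteBucket` is unused but exempt, and `kms:*` survives because it was used inside the window. Shortening the window to 20 days would also flag `kms:*`, which is the point of sizing the window to the role's slowest legitimate cycle.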
Compound
Quarterly: remove 5-15% of the unused permissions per cycle rather than everything at once, so a wrong removal is small, attributable, and rolled back from the previous policy version. The privilege surface shrinks every cycle.
Year-over-year, the blast radius of a compromised credential drops without the outage risk of a one-shot policy rewrite.