[GH-ISSUE #65] Feature Request: CloudTrail Log Analysis for Least-Privilege Policy Generation #147

Open
opened 2026-03-15 11:47:15 +03:00 by kerem · 1 comment

Originally created by @e8-BrandonSahawneh on GitHub (Dec 9, 2025).
Original GitHub issue: https://github.com/awslabs/iam-policy-autopilot/issues/65

Currently, iam-policy-autopilot works excellently for generating policies for Lambda functions. However, identifying and removing unused permissions for standard IAM Users and IAM Identity Center roles remains a significant pain point.

Problem:
Our current workflow for remediation is manual and toil-heavy:

  1. We query CloudTrail logs using Athena to identify the permissions actually used by an identity over a specific period.
  2. We manually compare this against the attached policies.
  3. We hand-craft new, trimmed-down policies to remove unused permissions.

This process is unscalable across a large organization with many users and roles.

Request
I would like iam-policy-autopilot to support analyzing CloudTrail logs to automatically craft "least privilege" IAM policies.

Specific functionality requested:

  • Input: Ability to ingest or point to CloudTrail logs (S3 bucket or Athena query results).
  • Parameter: A "lookback period" configuration (e.g., analyze the last 90 days of activity).
  • Output: Generation of an IAM policy that includes only the actions and resources accessed during that historical period.
  • Scope: Support for both standard IAM Roles/Users and IAM Identity Center permission sets.

We currently use manual scripts combining Athena queries and text parsing, but this is error-prone and difficult to maintain. We have also looked at AWS Access Analyzer (which does not support data events), but having this functionality native to iam-policy-autopilot would streamline our workflow.

This feature would significantly help organizations moving towards Zero Trust by automating the "right-sizing" of permissions based on actual historical data.

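The three manual steps in the issue (collect the actions an identity actually called over a lookback window, diff them against the attached policy, emit a trimmed policy) can be sketched in a few functions. The following is an added example written for this page; it is not code from iam-policy-autopilot or from the issue author. It runs over a handful of constructed CloudTrail records embedded inline, the principal ARN, account id, bucket, table and attached policy are all hypothetical, and the `NOW` timestamp is pinned so the lookback is deterministic.

```python
"""Draft a least-privilege policy from CloudTrail records (added example, not project code)."""
import fnmatch
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Pinned "current time" so the 90-day lookback below is reproducible.
NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)

# Hypothetical principal; for IAM Identity Center users the recorded arn would be
# the assumed-role ARN (arn:aws:sts::...:assumed-role/AWSReservedSSO_.../user), so
# keying on userIdentity.arn covers both cases.
ALICE = "arn:aws:iam::123456789012:user/alice"

# Constructed CloudTrail records (not real account data), trimmed to the fields used here.
SAMPLE_RECORDS = [
    {"eventTime": "2026-01-05T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"arn": ALICE},
     "resources": [{"ARN": "arn:aws:s3:::example-bucket/report.csv"}]},
    {"eventTime": "2026-01-10T09:30:00Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "Query", "userIdentity": {"arn": ALICE},
     "resources": [{"ARN": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"}]},
    # Outside the lookback window: should not count as "used".
    {"eventTime": "2025-06-01T12:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteUser", "userIdentity": {"arn": ALICE}},
    # A denied call is not evidence that the permission is needed.
    {"eventTime": "2026-01-12T08:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "errorCode": "AccessDenied",
     "userIdentity": {"arn": ALICE}},
    # Another principal entirely.
    {"eventTime": "2026-01-11T08:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}},
]

# Hypothetical policy currently attached to alice.
ATTACHED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["s3:GetObject", "s3:PutObject", "dynamodb:*",
                    "iam:DeleteUser", "ec2:TerminateInstances"]},
    ],
}


def cloudtrail_action(record):
    """Map eventSource + eventName to an IAM action string, e.g. s3:GetObject."""
    service = record["eventSource"].split(".")[0]
    return f"{service}:{record['eventName']}"


def used_permissions(records, principal_arn, lookback_days, now):
    """Step 1: actions (with resource ARNs) the principal successfully called in the window."""
    cutoff = now - timedelta(days=lookback_days)
    used = defaultdict(set)
    for r in records:
        if r["userIdentity"].get("arn") != principal_arn:
            continue
        ts = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if ts < cutoff or r.get("errorCode"):
            continue
        arns = {res["ARN"] for res in r.get("resources", []) if "ARN" in res}
        used[cloudtrail_action(r)] |= arns or {"*"}
    return dict(used)


def unused_actions(policy, used):
    """Step 2: Allow-actions in the policy that no recorded call matched (wildcards honoured)."""
    used_lower = [a.lower() for a in used]
    unused = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        for pattern in actions:
            if not any(fnmatch.fnmatchcase(a, pattern.lower()) for a in used_lower):
                unused.append(pattern)
    return sorted(unused)


def draft_policy(used):
    """Step 3: a policy containing only the observed actions, grouped by resource set."""
    by_resources = defaultdict(list)
    for action, arns in sorted(used.items()):
        by_resources[tuple(sorted(arns))].append(action)
    statements = [
        {"Effect": "Allow", "Action": actions,
         "Resource": list(arns) if len(arns) > 1 else arns[0]}
        for arns, actions in by_resources.items()
    ]
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    import json
    used = used_permissions(SAMPLE_RECORDS, ALICE, 90, NOW)
    print("unused:", unused_actions(ATTACHED_POLICY, used))
    print(json.dumps(draft_policy(used), indent=2))
```

Two caveats a tool doing this for real has to handle: CloudTrail `eventName` values do not always equal the IAM action name (S3's `ListBuckets` event corresponds to the `s3:ListAllMyBuckets` permission, for instance), and data events such as `GetObject` only appear if data-event logging is enabled for the trail, which is exactly the gap the issue notes with Access Analyzer. A generated policy should therefore be treated as a draft to review, not applied blindly.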

@Dianayin422 commented on GitHub (Feb 6, 2026):

Hi @e8-BrandonSahawneh, I'm Diana Yin, the PM for IAM Policy Autopilot. Thanks for sharing your feedback here. I'd love to hear more about your experience. If you're open to a quick chat, feel free to email me at dianayin@amazon.com and we can set up a time. Thanks!
