mirror of
https://github.com/awslabs/iam-policy-autopilot.git
synced 2026-04-25 16:05:58 +03:00
[GH-ISSUE #65] Feature Request: CloudTrail Log Analysis for Least-Privilege Policy Generation #147
Originally created by @e8-BrandonSahawneh on GitHub (Dec 9, 2025).
Original GitHub issue: https://github.com/awslabs/iam-policy-autopilot/issues/65
Currently, iam-policy-autopilot works excellently for generating policies for Lambda functions. However, identifying and removing unused permissions for standard IAM Users and IAM Identity Center roles remains a significant pain point.
Problem:
Our current workflow for remediation is manual and toil-heavy:
This process is unscalable across a large organization with many users and roles.
Request
I would like iam-policy-autopilot to support analyzing CloudTrail logs to automatically craft "least privilege" IAM policies.
Specific functionality requested:
We currently use manual scripts combining Athena queries and text parsing, but this is error-prone and difficult to maintain. We have also looked at AWS Access Analyzer (which does not support data events), but having this functionality native to iam-policy-autopilot would streamline our workflow.
This feature would significantly help organizations moving towards Zero Trust by automating the "right-sizing" of permissions based on actual historical data.
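As an added worked example (not code from the original issue, and not part of iam-policy-autopilot), the following script shows the core of what the request describes: walking CloudTrail records, attributing each successful API call to the IAM user or the role behind an assumed-role session, translating `eventSource`/`eventName` into an IAM action, and emitting a least-privilege policy document per principal. The sample records are constructed, the `eventSource` override table is a partial assumption rather than a complete mapping, and the suffix-stripping regex for Lambda-style event names such as `UpdateFunctionCode20150331v2` is a heuristic; calls that returned an `errorCode` (for example `AccessDenied`) are deliberately skipped, since a denied call is not evidence that the permission was exercised.

```python
"""Derive a least-privilege IAM policy skeleton from CloudTrail records.

Added illustration, not iam-policy-autopilot code. It assumes the standard
CloudTrail record fields (userIdentity, eventSource, eventName, resources,
errorCode) and an approximate eventSource -> IAM service-prefix mapping.
"""
import json
import re
from collections import defaultdict

# Assumption: most eventSource values are "<iam-prefix>.amazonaws.com". The
# entries below are a partial override table for services whose CloudTrail
# source name differs from the IAM prefix; extend it for your own estate.
EVENT_SOURCE_OVERRIDES = {
    "monitoring.amazonaws.com": "cloudwatch",
    "tagging.amazonaws.com": "tag",
}

# Heuristic: some services (notably Lambda) append an API version such as
# "20150331" or "20150331v2" to eventName; IAM action names carry no suffix.
_VERSION_SUFFIX = re.compile(r"\d{8}(v\d+)?$")

# Constructed sample records in CloudTrail's record shape (not real logs).
SAMPLE_RECORDS = [
    {   # IAM user reading an object (S3 data event)
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/alice"},
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "resources": [{"ARN": "arn:aws:s3:::example-bucket/reports/q1.csv"}],
    },
    {   # same user, second object: actions are merged, resources accumulate
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/alice"},
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "resources": [{"ARN": "arn:aws:s3:::example-bucket/reports/q2.csv"}],
    },
    {   # denied call: must NOT turn into an Allow statement
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/alice"},
        "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
        "errorCode": "AccessDenied",
        "resources": [{"ARN": "arn:aws:s3:::example-bucket/reports/q1.csv"}],
    },
    {   # assumed-role session: attribute to the role, not the session ARN
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/DeployRole/ci",
            "sessionContext": {"sessionIssuer": {
                "arn": "arn:aws:iam::111122223333:role/DeployRole"}},
        },
        "eventSource": "monitoring.amazonaws.com", "eventName": "PutMetricData",
        "resources": [],  # no resource ARN logged -> Resource "*"
    },
    {   # versioned Lambda event name -> lambda:UpdateFunctionCode
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/DeployRole/ci",
            "sessionContext": {"sessionIssuer": {
                "arn": "arn:aws:iam::111122223333:role/DeployRole"}},
        },
        "eventSource": "lambda.amazonaws.com",
        "eventName": "UpdateFunctionCode20150331v2",
        "resources": [{"ARN": "arn:aws:lambda:us-east-1:111122223333:function:orders"}],
    },
]


def principal_arn(rec):
    """Return the IAM user or role ARN that should own the generated policy."""
    ident = rec["userIdentity"]
    if ident.get("type") == "AssumedRole":
        return ident["sessionContext"]["sessionIssuer"]["arn"]
    return ident["arn"]


def iam_action(rec):
    """Map eventSource/eventName to "<prefix>:<Action>", or None if unmappable."""
    source = rec.get("eventSource", "")
    if not source.endswith(".amazonaws.com"):
        return None
    prefix = EVENT_SOURCE_OVERRIDES.get(source, source.split(".")[0])
    name = _VERSION_SUFFIX.sub("", rec["eventName"])
    return f"{prefix}:{name}"


def build_policy(action_resources):
    """Turn {action: {resource ARNs}} into a policy, one statement per resource set."""
    by_resources = defaultdict(list)
    for action, arns in action_resources.items():
        by_resources[tuple(sorted(arns)) or ("*",)].append(action)
    statements = [{"Effect": "Allow", "Action": sorted(actions), "Resource": list(arns)}
                  for arns, actions in sorted(by_resources.items())]
    return {"Version": "2012-10-17", "Statement": statements}


def policies_from_records(records):
    """Return {principal ARN: policy document} for all successful calls seen."""
    usage = defaultdict(lambda: defaultdict(set))
    for rec in records:
        if rec.get("errorCode"):      # failed/denied: permission was not exercised
            continue
        action = iam_action(rec)
        if action is None:
            continue
        arns = {r["ARN"] for r in (rec.get("resources") or []) if "ARN" in r}
        usage[principal_arn(rec)][action] |= arns
    return {p: build_policy(a) for p, a in usage.items()}


if __name__ == "__main__":
    print(json.dumps(policies_from_records(SAMPLE_RECORDS), indent=2))
```

Two caveats a practitioner would keep in mind before trusting the output: a lookback window that misses rare events (quarterly jobs, break-glass use) will produce a policy that is too tight, and CloudTrail does not log every permission a call actually consumed (a console or SDK operation can fan out into several API calls, and some services evaluate permissions the trail never shows), so the generated document is a starting point for review rather than something to attach unreviewed.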
@Dianayin422 commented on GitHub (Feb 6, 2026):
Hi @e8-BrandonSahawneh , I'm Diana Yin, the PM for IAM Policy Autopilot. Thanks for sharing your feedback here. I'd love to hear more about your experience. If you're open to a quick chat, feel free to email me at dianayin@amazon.com and we can set up a time. Thanks!