[GH-ISSUE #65] Feature Request: CloudTrail Log Analysis for Least-Privilege Policy Generation #40

Open
opened 2026-03-07 19:41:07 +03:00 by kerem · 0 comments
Owner

Originally created by @e8-BrandonSahawneh on GitHub (Dec 9, 2025).
Original GitHub issue: https://github.com/awslabs/iam-policy-autopilot/issues/65

Currently, iam-policy-autopilot works excellently for generating policies for Lambda functions. However, identifying and removing unused permissions for standard IAM Users and IAM Identity Center roles remains a significant pain point.

Problem:
Our current workflow for remediation is manual and toil-heavy:

  1. We query CloudTrail logs using Athena to identify the permissions actually used by an identity over a specific period.
  2. We manually compare this against the attached policies.
  3. We hand-craft new, trimmed-down policies to remove unused permissions.

This process is unscalable across a large organization with many users and roles.

Request
I would like iam-policy-autopilot to support analyzing CloudTrail logs to automatically craft "least privilege" IAM policies.

Specific functionality requested:

  • Input: Ability to ingest or point to CloudTrail logs (S3 bucket or Athena query results).
  • Parameter: A "lookback period" configuration (e.g., analyze the last 90 days of activity).
  • Output: Generation of an IAM policy that includes only the actions and resources accessed during that historical period.
  • Scope: Support for both standard IAM Roles/Users and IAM Identity Center permission sets.

We currently use manual scripts combining Athena queries and text parsing, but this is error-prone and difficult to maintain. We have also looked at AWS Access Analyzer (which does not support data events), but having this functionality native to iam-policy-autopilot would streamline our workflow.

This feature would significantly help organizations moving towards Zero Trust by automating the "right-sizing" of permissions based on actual historical data.
