What is an Over-Permissioned AWS IAM Role?
An over-permissioned AWS IAM role has more permissions than the workload needs — the most common AWS misconfiguration. Learn the patterns and how to fix them.
What is an Over-Permissioned AWS IAM Role?
Definition
An over-permissioned AWS IAM role is one whose granted permissions exceed what the workload, user, or service actually needs. Over-permissioning violates the principle of least privilege and is the most common AWS IAM misconfiguration.
Examples:
- A Lambda function with
AdministratorAccesswhen it only needss3:GetObjecton one bucket. - An EC2 instance role with
s3:*on*when it only writes to one bucket. - A CI/CD role with
iam:*when it only deploys CloudFormation stacks.
In simple terms:
Over-permissioning is the gap between what a role can do and what it actually needs to do.
Why Over-Permissioning Matters
- Most AWS breaches stem from compromised principals with excessive permissions.
- Capital One, Imperva, and many other public breaches were amplified by over-permissioned EC2/IAM roles.
- Over-permissioning expands blast radius dramatically; one credential leak becomes account-wide compromise.
- Auditors, regulators, and frameworks (ISO 27001, SOC 2, PCI DSS) increasingly require demonstrated least privilege.
Common Over-Permissioning Patterns
1. Wildcard Action and Resource
{ "Effect": "Allow", "Action": "*", "Resource": "*" }
- Equivalent to AdministratorAccess.
- Often attached "temporarily" and never removed.
2. AWS Managed AdministratorAccess
- Frequently attached to roles for "convenience" or during early development.
- Persists in production.
3. Service-Wide Wildcards
"s3:*"on*for a workload that only needss3:GetObjecton one bucket."ec2:*"for a CI/CD job that only needsec2:DescribeInstances.
4. Dangerous IAM Permissions
iam:*iam:PassRoleon*iam:CreatePolicyVersioniam:AttachRolePolicyiam:PutRolePolicy
These enable privilege escalation.
5. Cross-Service Escalation Permissions
lambda:CreateFunction+iam:PassRoleon a high-privilege role = escalate to that role.cloudformation:*+iam:PassRolesimilarly powerful.ec2:RunInstances+iam:PassRoleto assign a high-privilege instance profile.
6. Excessive Trust Plus Permissions
- Role can be assumed broadly AND has excessive permissions = high-impact compromise.
7. Inherited Through Federation / Identity Center
- Permission Sets too broad for casual users.
Real-World Examples
Capital One (2019)
EC2 role with s3:List* and s3:Get* on sensitive buckets. SSRF allowed an attacker to steal the role's credentials and exfiltrate 100M+ records. Had the role been narrowly scoped (specific bucket + needed actions), impact would have been limited.
Imperva (2019)
Compromised AWS API key with broad permissions accessed a customer database. Least privilege would have limited the attacker's reach.
Multiple S3 Misconfig Incidents
Roles with s3:GetObject on * (instead of one bucket) made every S3 object reachable from a single compromise.
Detection: How to Find Over-Permissioning
1. AWS IAM Access Analyzer
- Unused access findings (recently launched) flag permissions never used.
- Generated policies suggest least-privilege based on observed CloudTrail activity.
2. CloudTrail Analysis
- Compare permissions granted vs actions called over a period (e.g., 90 days).
- Flag permissions never used.
3. Forestall and Similar Tools
- Effective permission analysis per principal.
- Compare to actual usage.
- Risk-rank with attack-path context.
4. Manual Review Triggers
- Any policy with
*:*orService:*wildcards. - Any role with AdministratorAccess in production.
- Any role with
iam:PassRoleon*.
Remediation Approach
Step 1: Inventory
- List all roles, policies, principals.
- Identify those with broad permissions or AdministratorAccess.
Step 2: Observe Actual Usage
- CloudTrail / Access Analyzer for 30–90 days.
- Identify actually-used actions per principal.
Step 3: Generate Tighter Policy
- Use Access Analyzer policy generation, then refine manually.
- Specify exact actions and resource ARNs.
Step 4: Test in Lower Environment
- Apply tightened policy in dev / staging.
- Monitor for AccessDenied; iterate.
Step 5: Roll Out
- Apply in prod.
- Monitor for issues.
- Document the new policy.
Step 6: Maintain
- Quarterly review.
- Re-run Access Analyzer unused-permission detection.
Best Practices to Prevent Over-Permissioning
- Default deny mindset — explicit allows only.
- Avoid
*:*andService:*in production. - Use customer-managed policies with version control.
- Reject AWS managed
AdministratorAccessoutside emergency. iam:PassRolescoped to specific roles.- IAM Access Analyzer enabled and findings worked.
- Permission boundaries for delegated admin.
- SCPs for org-wide guardrails.
- Periodic least-privilege reviews.
- Automated policy generation in CI/CD pipelines.
- Tag roles with owner / purpose for accountability.
Checklist
- All
*:*permissions justified or removed? AdministratorAccessuse minimized in production?iam:PassRolescoped tightly?- IAM Access Analyzer findings actioned?
- CloudTrail-driven least-privilege analysis?
- Permission boundaries on delegated admins?
- SCPs enforce baseline?
- Quarterly review of high-privilege roles?
- Continuous attack-path analysis?
How Forestall Helps
Forestall surfaces over-permissioning by combining:
- Effective permissions per principal.
- CloudTrail-observed usage.
- Privilege escalation paths.
- Risk-ranked findings tied to remediation guidance.
- Continuous monitoring of new over-permissioned principals.
Frequently Asked Questions
Why is least privilege so hard to achieve?
Workloads' permission needs evolve; documenting and enforcing requires tooling and discipline; developers prefer broad permissions for speed.
How small should permissions be?
As small as possible while meeting workload needs — exact actions on specific ARNs with conditions where applicable.
What's the relationship between over-permissioning and privilege escalation?
Over-permissioning often is the escalation surface. Specific actions (iam:*, iam:PassRole, lambda:CreateFunction+iam:PassRole) enable escalation to admin-equivalent.
Should I use IAM Access Analyzer's policy generation?
Yes — as a starting point. Refine manually before deploying.
How do I balance security and developer productivity?
Tier permissions by environment (dev broader, prod tight). Use CI/CD to deploy tight prod policies. Provide self-service access via Identity Center / break-glass for exceptions.
Conclusion
Over-permissioned AWS IAM roles are the silent expansion of every AWS breach. Reducing them — via Access Analyzer, CloudTrail observation, permission boundaries, SCPs, and continuous review — is the highest-leverage thing you can do for AWS security. Treat least privilege as a continuous discipline, not a one-time project, and the impact of any compromised credential stays contained.
Find every over-permissioned role in your AWS estate.
Forestall analyzes IAM usage to surface roles with effective permissions far above what's used.