← All glossary terms
AWS IAM4 min read

What is an Over-Permissioned AWS IAM Role?

An over-permissioned AWS IAM role has more permissions than the workload needs — the most common AWS misconfiguration. Learn the patterns and how to fix them.

What is an Over-Permissioned AWS IAM Role?

Definition

An over-permissioned AWS IAM role is one whose granted permissions exceed what the workload, user, or service actually needs. Over-permissioning violates the principle of least privilege and is the most common AWS IAM misconfiguration.

Examples:

  • A Lambda function with AdministratorAccess when it only needs s3:GetObject on one bucket.
  • An EC2 instance role with s3:* on * when it only writes to one bucket.
  • A CI/CD role with iam:* when it only deploys CloudFormation stacks.

In simple terms:

Over-permissioning is the gap between what a role can do and what it actually needs to do.


Why Over-Permissioning Matters

  • Most AWS breaches stem from compromised principals with excessive permissions.
  • Capital One, Imperva, and many other public breaches were amplified by over-permissioned EC2/IAM roles.
  • Over-permissioning expands blast radius dramatically; one credential leak becomes account-wide compromise.
  • Auditors, regulators, and frameworks (ISO 27001, SOC 2, PCI DSS) increasingly require demonstrated least privilege.

Common Over-Permissioning Patterns

1. Wildcard Action and Resource

{ "Effect": "Allow", "Action": "*", "Resource": "*" }
  • Equivalent to AdministratorAccess.
  • Often attached "temporarily" and never removed.

2. AWS Managed AdministratorAccess

  • Frequently attached to roles for "convenience" or during early development.
  • Persists in production.

3. Service-Wide Wildcards

  • "s3:*" on * for a workload that only needs s3:GetObject on one bucket.
  • "ec2:*" for a CI/CD job that only needs ec2:DescribeInstances.

4. Dangerous IAM Permissions

  • iam:*
  • iam:PassRole on *
  • iam:CreatePolicyVersion
  • iam:AttachRolePolicy
  • iam:PutRolePolicy

These enable privilege escalation.

5. Cross-Service Escalation Permissions

  • lambda:CreateFunction + iam:PassRole on a high-privilege role = escalate to that role.
  • cloudformation:* + iam:PassRole similarly powerful.
  • ec2:RunInstances + iam:PassRole to assign a high-privilege instance profile.

6. Excessive Trust Plus Permissions

  • Role can be assumed broadly AND has excessive permissions = high-impact compromise.

7. Inherited Through Federation / Identity Center

  • Permission Sets too broad for casual users.

Real-World Examples

Capital One (2019)

EC2 role with s3:List* and s3:Get* on sensitive buckets. SSRF allowed an attacker to steal the role's credentials and exfiltrate 100M+ records. Had the role been narrowly scoped (specific bucket + needed actions), impact would have been limited.

Imperva (2019)

Compromised AWS API key with broad permissions accessed a customer database. Least privilege would have limited the attacker's reach.

Multiple S3 Misconfig Incidents

Roles with s3:GetObject on * (instead of one bucket) made every S3 object reachable from a single compromise.


Detection: How to Find Over-Permissioning

1. AWS IAM Access Analyzer

  • Unused access findings (recently launched) flag permissions never used.
  • Generated policies suggest least-privilege based on observed CloudTrail activity.

2. CloudTrail Analysis

  • Compare permissions granted vs actions called over a period (e.g., 90 days).
  • Flag permissions never used.

3. Forestall and Similar Tools

  • Effective permission analysis per principal.
  • Compare to actual usage.
  • Risk-rank with attack-path context.

4. Manual Review Triggers

  • Any policy with *:* or Service:* wildcards.
  • Any role with AdministratorAccess in production.
  • Any role with iam:PassRole on *.

Remediation Approach

Step 1: Inventory

  • List all roles, policies, principals.
  • Identify those with broad permissions or AdministratorAccess.

Step 2: Observe Actual Usage

  • CloudTrail / Access Analyzer for 30–90 days.
  • Identify actually-used actions per principal.

Step 3: Generate Tighter Policy

  • Use Access Analyzer policy generation, then refine manually.
  • Specify exact actions and resource ARNs.

Step 4: Test in Lower Environment

  • Apply tightened policy in dev / staging.
  • Monitor for AccessDenied; iterate.

Step 5: Roll Out

  • Apply in prod.
  • Monitor for issues.
  • Document the new policy.

Step 6: Maintain

  • Quarterly review.
  • Re-run Access Analyzer unused-permission detection.

Best Practices to Prevent Over-Permissioning

  1. Default deny mindset — explicit allows only.
  2. Avoid *:* and Service:* in production.
  3. Use customer-managed policies with version control.
  4. Reject AWS managed AdministratorAccess outside emergency.
  5. iam:PassRole scoped to specific roles.
  6. IAM Access Analyzer enabled and findings worked.
  7. Permission boundaries for delegated admin.
  8. SCPs for org-wide guardrails.
  9. Periodic least-privilege reviews.
  10. Automated policy generation in CI/CD pipelines.
  11. Tag roles with owner / purpose for accountability.

Checklist

  • All *:* permissions justified or removed?
  • AdministratorAccess use minimized in production?
  • iam:PassRole scoped tightly?
  • IAM Access Analyzer findings actioned?
  • CloudTrail-driven least-privilege analysis?
  • Permission boundaries on delegated admins?
  • SCPs enforce baseline?
  • Quarterly review of high-privilege roles?
  • Continuous attack-path analysis?

How Forestall Helps

Forestall surfaces over-permissioning by combining:

  • Effective permissions per principal.
  • CloudTrail-observed usage.
  • Privilege escalation paths.
  • Risk-ranked findings tied to remediation guidance.
  • Continuous monitoring of new over-permissioned principals.

Frequently Asked Questions

Why is least privilege so hard to achieve?

Workloads' permission needs evolve; documenting and enforcing requires tooling and discipline; developers prefer broad permissions for speed.

How small should permissions be?

As small as possible while meeting workload needs — exact actions on specific ARNs with conditions where applicable.

What's the relationship between over-permissioning and privilege escalation?

Over-permissioning often is the escalation surface. Specific actions (iam:*, iam:PassRole, lambda:CreateFunction+iam:PassRole) enable escalation to admin-equivalent.

Should I use IAM Access Analyzer's policy generation?

Yes — as a starting point. Refine manually before deploying.

How do I balance security and developer productivity?

Tier permissions by environment (dev broader, prod tight). Use CI/CD to deploy tight prod policies. Provide self-service access via Identity Center / break-glass for exceptions.


Conclusion

Over-permissioned AWS IAM roles are the silent expansion of every AWS breach. Reducing them — via Access Analyzer, CloudTrail observation, permission boundaries, SCPs, and continuous review — is the highest-leverage thing you can do for AWS security. Treat least privilege as a continuous discipline, not a one-time project, and the impact of any compromised credential stays contained.

IAM RoleLeast PrivilegeOver-PermissioningAWS IAMCloud Security

Find every over-permissioned role in your AWS estate.

Forestall analyzes IAM usage to surface roles with effective permissions far above what's used.

We respect your privacy

We use cookies to keep this site secure and working properly. With your permission, we also use optional cookies to understand usage and improve the experience. Cookie Policy

You can change your choice at any time.

What is an Over-Permissioned AWS IAM Role? | Forestall