AWS Weekly Brief


Clean up least privilege with unused-access findings

IAM Access Analyzer can tell you which permissions, roles, and keys have gone cold. A short playbook for acting on it.

Most over-privilege isn't granted maliciously — it accumulates. A role gets a broad policy "to unblock the deploy," and three years later nobody remembers why. IAM Access Analyzer unused-access findings surface exactly this: permissions, roles, and access keys that haven't been touched in a window you choose.

A sane first pass:

  1. Turn on an unused-access analyzer for the organization with a 90-day window.
  2. Sort findings by unused roles and unused access keys first — they're the cheapest, lowest-risk wins and shrink your credential surface immediately.
  3. For still-active roles, look at unused permissions and let Access Analyzer generate a tighter policy from observed CloudTrail activity.

Don't try to fix everything at once. Disable unused keys, delete dormant roles, then right-size the noisy ones over a couple of weeks.
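As an added example (not part of the brief), a small Python triage pass over findings in the shape `aws accessanalyzer get-finding-v2` returns: it buckets ACTIVE findings into the three actions above, treats a key with no lastAccessed as never used, skips a key whose lastAccessed is still inside the window, and emits the deactivation commands for review rather than running them. The sample findings, account ID, key IDs, dates and the `_finding` helper are constructed for the example.

```python
from datetime import datetime, timedelta, timezone
def _finding(ftype, status, arn, detail_key, **detail):
    return {"findingType": ftype, "status": status, "resource": arn,
            "findingDetails": [{detail_key: detail}]}
# Constructed sample findings in the shape of `get-finding-v2` output;
# the account ID, names, key IDs and dates are invented for this example.
ACCT = "arn:aws:iam::111122223333:"
NOW = datetime(2024, 2, 1, tzinfo=timezone.utc)   # constructed "today" for the sample run
SAMPLE_FINDINGS = [
    _finding("UnusedIAMUserAccessKey", "ACTIVE", ACCT + "user/deploy-bot", "unusedIamUserAccessKeyDetails",
             accessKeyId="AKIAEXAMPLE0000000A1", lastAccessed="2023-10-20T09:14:00Z"),
    _finding("UnusedIAMUserAccessKey", "ACTIVE", ACCT + "user/legacy-etl", "unusedIamUserAccessKeyDetails",
             accessKeyId="AKIAEXAMPLE0000000B2"),                         # never used: no lastAccessed
    _finding("UnusedIAMUserAccessKey", "ACTIVE", ACCT + "user/ci-runner", "unusedIamUserAccessKeyDetails",
             accessKeyId="AKIAEXAMPLE0000000C3", lastAccessed="2024-01-20T00:00:00Z"),  # used 12 days ago
    _finding("UnusedIAMUserAccessKey", "ARCHIVED", ACCT + "user/break-glass", "unusedIamUserAccessKeyDetails",
             accessKeyId="AKIAEXAMPLE0000000D4"),                         # archived: already triaged
    _finding("UnusedIAMRole", "ACTIVE", ACCT + "role/old-migration-role", "unusedIamRoleDetails",
             lastAccessed="2022-05-01T00:00:00Z"),
    _finding("UnusedPermission", "ACTIVE", ACCT + "role/app-server", "unusedPermissionDetails",
             serviceNamespace="s3", lastAccessed="2023-10-01T00:00:00Z"),
]

def parse_ts(value):
    """ISO-8601 timestamp as the CLI prints it -> aware datetime; None when absent."""
    return None if value is None else datetime.fromisoformat(value.replace("Z", "+00:00"))

def is_cold(last_accessed, now, window_days):
    """No lastAccessed means the credential was never used at all; that counts as cold."""
    return last_accessed is None or now - last_accessed >= timedelta(days=window_days)

def triage(findings, now=NOW, window_days=90):
    """Sort ACTIVE findings into the brief's three buckets; lastAccessed is re-checked
    against `now` so a finding the analyzer has not re-evaluated yet is not acted on."""
    plan = {"deactivate_keys": [], "delete_roles": [], "rightsize_roles": []}
    for f in findings:
        if f["status"] != "ACTIVE":
            continue
        name, detail = f["resource"].rsplit("/", 1)[-1], next(iter(f["findingDetails"][0].values()))
        cold = is_cold(parse_ts(detail.get("lastAccessed")), now, window_days)
        if f["findingType"] == "UnusedIAMUserAccessKey" and cold:
            plan["deactivate_keys"].append((name, detail["accessKeyId"]))
        elif f["findingType"] == "UnusedIAMRole" and cold:
            plan["delete_roles"].append(name)
        elif f["findingType"] == "UnusedPermission":
            plan["rightsize_roles"].append(name)
    return plan

def deactivation_commands(plan):
    """Reviewable dry-run output: keys are set Inactive (reversible), never deleted outright."""
    return [f"aws iam update-access-key --user-name {u} --access-key-id {k} --status Inactive"
            for u, k in plan["deactivate_keys"]]
```

Feed `triage` the real findings you pull with `get-finding-v2` and review the printed commands before running any of them; dormant roles still need their policies detached before `delete-role` will succeed.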

This week's move: enable the unused-access analyzer, then delete or deactivate every access key that hasn't been used in 90 days. It's the fastest least-privilege gain you'll make all month.