
# IAM Risk Analysis - Amazon Web Services (AWS)

### Overview

This section outlines how Segregation of Duties (SoD) policies across Amazon Web Services (AWS) are implemented, configured, validated, and operationalized within BalkanID IAM Risk Analyzer.

The objective is to transition organizations from periodic IAM role reviews and static cloud access audits to a continuous governance program where identity risks are automatically detected, analyzed, and remediated throughout the identity lifecycle.

AWS Identity and Access Management (IAM) functions as the core authorization control plane for cloud infrastructure. Access to AWS resources is governed through:

* IAM users and roles
* Identity federation through SSO or external IdP
* IAM policies and permission boundaries
* AWS Organizations and account hierarchies
* Service roles and workload identities
* Cross-account trust relationships

While this policy-based authorization model enables flexible access management, it can introduce privilege escalation paths, segregation conflicts, and identity lifecycle risks when roles and permissions are assigned without centralized governance.

BalkanID IAM Risk Analyzer continuously evaluates AWS identity relationships to detect:

* Segregation of Duties conflicts
* Privileged access governance violations
* Excessive IAM permissions
* Identity lifecycle failures
* Service and workload identity risks

The result is a centralized risk view that allows organizations to enforce least privilege, secure role governance, and strong cloud identity controls.

### Implementation

**Phase 1:** Policy Definition & Baseline Establishment

Objective: Define and validate SoD policy scope across AWS IAM roles, administrative privileges, and identity lifecycle processes.

Activities include:

Identify cloud governance areas in scope:

* IAM users, roles, and policies
* AWS Organizations and account hierarchy
* Federated identity access (SSO / IdP integration)
* Service roles and workload identities
* Cross-account trust relationships
* Root account governance

Define baseline toxic privilege combinations aligned to AWS governance best practices.

Categorize SoD rules by risk severity.

Validate rule logic against:

* IAM policies
* Role trust relationships
* Identity federation assignments
* Resource-level permissions
* Service-linked roles

Outcome

A formally approved AWS SoD policy library ready for configuration within BalkanID IAM Risk Analyzer.

**Phase 2:** Rule Configuration in BalkanID IAM Risk Analyzer - Finding Rule for SoD Detection

User-Generated Insights can be used for writing SoD Rules and can be aggregated into a finding for actionable risk alerts. Findings provide a broader risk context and are used to trigger automated workflows.

Example:

***Use Case 1***: IAM Administration vs Security Monitoring

AWS allows identities to both manage IAM policies and control security monitoring services such as CloudTrail or GuardDuty.

When a single identity can modify IAM permissions and disable monitoring controls, unauthorized actions may go undetected.

Risk Impact

* Ability to conceal unauthorized activity
* Reduced independent oversight of security controls
* Increased insider threat exposure

***Use Case 2***: Infrastructure Provisioning vs Billing Administration

AWS environments rely on infrastructure provisioning privileges to deploy compute, storage, and networking resources.

If a single identity can both provision infrastructure and modify billing settings, that identity may manipulate resource consumption or conceal cost anomalies.

Risk Impact

* Unauthorized infrastructure provisioning
* Potential financial manipulation
* Increased cost governance risk


### Baseline SoD Rule Library

| **Rules**                                                   | **Category**                                        |
| ----------------------------------------------------------- | --------------------------------------------------- |
| SoD - IAM Administration vs Security Monitoring             | Segregation of Duties; Cloud Security Governance    |
| SoD - Infrastructure Provisioning vs Billing Administration | Segregation of Duties; Financial Governance         |
| SoD - KMS Key Administration vs Data Access                 | Segregation of Duties; Cryptographic Controls       |
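The three baseline rules above and the two use cases before them, as an added illustration that is not BalkanID's own code or rule definitions: a small Python evaluator that takes the IAM policy documents attached to one identity and reports which SoD rules the combined Allow statements violate, which is the "finding" the text describes. The IAM action names chosen to represent each side of a rule are my own illustrative picks, and the two policy documents are constructed sample input.

```python
"""Toy SoD evaluator over AWS IAM policy documents (constructed example)."""
import fnmatch

# Rule library: an identity allowed an action on BOTH sides of a rule holds a toxic
# combination. The action names are illustrative choices, not BalkanID's definitions.
SOD_RULES = {
    "SoD - IAM Administration vs Security Monitoring": (
        {"iam:AttachUserPolicy", "iam:PutUserPolicy", "iam:CreatePolicyVersion"},
        {"cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "guardduty:DeleteDetector"},
    ),
    "SoD - Infrastructure Provisioning vs Billing Administration": (
        {"ec2:RunInstances"}, {"aws-portal:ModifyBilling"},
    ),
    "SoD - KMS Key Administration vs Data Access": (
        {"kms:PutKeyPolicy", "kms:ScheduleKeyDeletion"}, {"kms:Decrypt", "s3:GetObject"},
    ),
}

def allowed_actions(policy_docs):
    """Collect Allow action patterns (e.g. 'iam:*') from IAM policy JSON.
    Deny statements and conditions are ignored, so this over-approximates."""
    patterns = set()
    for doc in policy_docs:
        stmts = doc.get("Statement", [])
        for stmt in ([stmts] if isinstance(stmts, dict) else stmts):  # single or list
            if stmt.get("Effect") != "Allow":
                continue
            actions = stmt.get("Action", [])
            patterns.update([actions] if isinstance(actions, str) else actions)
    return patterns

def can_perform(patterns, action):
    # IAM action wildcards ('*', 'iam:*', 's3:Get*') match case-insensitively.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def sod_findings(policy_docs):
    """Names of SoD rules the combined policies violate (the 'finding')."""
    patterns = allowed_actions(policy_docs)
    return [name for name, (side_a, side_b) in SOD_RULES.items()
            if any(can_perform(patterns, a) for a in side_a)
            and any(can_perform(patterns, b) for b in side_b)]

# Constructed sample: full IAM admin inline, plus a managed policy that can stop CloudTrail.
SAMPLE_POLICIES = [
    {"Version": "2012-10-17",
     "Statement": {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}},
    {"Version": "2012-10-17",
     "Statement": [{"Effect": "Allow", "Action": ["cloudtrail:StopLogging", "s3:GetObject"],
                    "Resource": "*"}]},
]
```

Running `sod_findings(SAMPLE_POLICIES)` flags only the IAM Administration vs Security Monitoring rule, since the sample grants nothing on the billing or KMS-administration sides.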

### Control Mapping

| Framework      | Control ID | Control Title           |
| -------------- | ---------- | ----------------------- |
| SOC 2          | CC6        | Logical Access Controls |
| SOC 2          | CC6.3      | Authorization Changes   |
| ISO 27001      | A.9        | Access Control          |
| ISO 27001      | A.6        | Segregation of Duties   |
| ISO/IEC 27001  | A.5.18     | Access Rights           |
| NIST SP 800-53 | AC-5       | Separation of Duties    |
| NIST SP 800-53 | AC-2       | Account Management      |
| NIST SP 800-53 | AC-6       | Least Privilege         |

### Conclusion

AWS IAM provides powerful and flexible access control capabilities but requires strong governance to prevent privilege sprawl, segregation conflicts, and identity lifecycle gaps.

The findings identified highlight areas where cloud access controls may not be sufficiently designed or operating effectively, particularly in areas related to privileged access governance, IAM policy design, and role lifecycle management.

Implementing continuous identity risk monitoring through BalkanID IAM Risk Analyzer enables organizations to detect and remediate these risks, strengthening cloud governance and reducing audit and security exposure.
