IAM Risk
The IAM Risk page answers one question: do the users and roles in your AWS account have more permissions than they should?
It complements Findings. Findings evaluates resources; IAM Risk evaluates identities. Read them together — a finding might flag a role's wildcard policy, while IAM Risk shows the same role hasn't been used in 180 days and has access to twelve services it has never touched.
Signals in the list
Most columns are self-describing. Three are worth a closer look:
- Overprivilege — a bar and percentage showing how much of an identity's granted access goes unused. Higher is worse: a high score means broad access that's mostly never exercised.
- Stale — 180d (red) if the identity hasn't been active in 180+ days, 90d (orange) for 90–180 days, Never Used for identities that have never acted at all. Stale + admin is usually where to look first.
- Notable annotations show as a small icon next to the principal name — hover for the message. Examples: a trust policy allowing an external account, a cross-account assume-role from an unexpected source.
In the identity drawer
The header shows the principal name, type, account, and ARN (copyable, with a Console link when available). A red banner appears for admin identities.
The two important sections are Services and Escalation paths.
Services
One chip per AWS service the identity has been granted access to. Color shows actual usage:
- Accessed (green) — used recently.
- Unused (orange) — granted but never used.
- Unknown (gray) — activity data isn't conclusive.
Each chip also carries an access-level marker: R (read), W (write), or R/W (both).
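The list signals above (Overprivilege, Stale) and these chip colors all derive from the same raw material: per-service last-authenticated data of the kind IAM Access Advisor returns, plus an admin flag. The following is an added example, not the product's own code, showing how those signals can be computed and how identities fall into triage order. The records are constructed by hand so it runs offline; their shape mirrors the `ServicesLastAccessed` entries of `iam:GetServiceLastAccessedDetails`, but the `Access` (R / W / R/W) and `IsAdmin` fields are assumptions that a real pipeline would derive from policy analysis, and the 90/180-day thresholds are the ones this page states.

```python
"""Compute IAM Risk list signals from Access Advisor-style data.

Added example, not the product's own code. Sample records are constructed.
Field conventions assumed here:
  LastAuthenticated = datetime  -> service was used (chip: Accessed)
  LastAuthenticated = None      -> granted, never used (chip: Unused)
  key absent                    -> no conclusive activity data (chip: Unknown)
"""
from datetime import datetime, timedelta, timezone

STALE_RED_DAYS = 180    # "180d" (red) on the page
STALE_ORANGE_DAYS = 90  # "90d" (orange) on the page

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "now" so results are reproducible


def days_ago(n):
    return NOW - timedelta(days=n)


# Constructed sample identities (not real account data).
SAMPLE_IDENTITIES = [
    {
        "Arn": "arn:aws:iam::111122223333:role/example-deploy-role",
        "IsAdmin": False,
        "ServicesLastAccessed": [
            {"ServiceNamespace": "s3", "LastAuthenticated": days_ago(3), "Access": "R/W"},
            {"ServiceNamespace": "ec2", "LastAuthenticated": days_ago(200), "Access": "R"},
            {"ServiceNamespace": "iam", "LastAuthenticated": None, "Access": "W"},
            {"ServiceNamespace": "lambda", "LastAuthenticated": None, "Access": "R/W"},
            {"ServiceNamespace": "sts", "LastAuthenticated": None, "Access": "R"},
            {"ServiceNamespace": "kms", "Access": "R"},  # no activity data at all
        ],
    },
    {
        "Arn": "arn:aws:iam::111122223333:role/example-legacy-admin",
        "IsAdmin": True,
        "ServicesLastAccessed": [
            {"ServiceNamespace": "iam", "LastAuthenticated": days_ago(250), "Access": "R/W"},
            {"ServiceNamespace": "s3", "LastAuthenticated": None, "Access": "R/W"},
            {"ServiceNamespace": "ec2", "LastAuthenticated": None, "Access": "R/W"},
        ],
    },
]


def chip_color(service):
    """Accessed / Unused / Unknown, per the field conventions above."""
    if "LastAuthenticated" not in service:
        return "Unknown"
    return "Unused" if service["LastAuthenticated"] is None else "Accessed"


def overprivilege_pct(identity):
    """Share of granted services never used. Unknown chips are excluded from
    both numerator and denominator so inconclusive data cannot inflate the score."""
    colors = [chip_color(s) for s in identity["ServicesLastAccessed"]]
    conclusive = [c for c in colors if c != "Unknown"]
    if not conclusive:
        return 0.0
    return round(100.0 * conclusive.count("Unused") / len(conclusive), 1)


def last_activity(identity):
    """Most recent authentication across all services, or None if never used.
    A production version would also fold in credential-report fields
    (password/access-key last used), which Access Advisor does not cover."""
    stamps = [s["LastAuthenticated"] for s in identity["ServicesLastAccessed"]
              if s.get("LastAuthenticated")]
    return max(stamps) if stamps else None


def stale_bucket(identity, now=NOW):
    """'180d', '90d', 'Never Used', or None when the identity is active."""
    last = last_activity(identity)
    if last is None:
        return "Never Used"
    idle_days = (now - last).days
    if idle_days >= STALE_RED_DAYS:
        return "180d"
    if idle_days >= STALE_ORANGE_DAYS:
        return "90d"
    return None


def service_chips(identity):
    """(service, color, access level) tuples, one per chip in the drawer."""
    return [(s["ServiceNamespace"], chip_color(s), s["Access"])
            for s in identity["ServicesLastAccessed"]]


def triage_order(identities, now=NOW):
    """Review order: stale admins first, then other stale identities, then by overprivilege."""
    def key(identity):
        stale = stale_bucket(identity, now) is not None
        return (not (stale and identity["IsAdmin"]), not stale, -overprivilege_pct(identity))
    return [i["Arn"] for i in sorted(identities, key=key)]


if __name__ == "__main__":
    for identity in SAMPLE_IDENTITIES:
        print(identity["Arn"], f"overprivilege={overprivilege_pct(identity)}%",
              f"stale={stale_bucket(identity)}")
        for chip in service_chips(identity):
            print("   ", chip)
    print("triage order:", triage_order(SAMPLE_IDENTITIES))
```

Two caveats carry over to reading the real page. Access Advisor only tracks activity for the trailing 400 days, which is one reason an Unknown chip exists at all, so a gray chip is a gap in evidence, not evidence of non-use. And an Accessed chip means the service was used at some point, not that every action within it is needed; the R / W marker is the finer-grained signal to compare against what the identity actually does.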
Escalation paths
A table of techniques the identity could use to escalate further. Each row shows the technique's ID, name, severity, category, and the IAM actions that matched.
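The "IAM actions that matched" column is where wildcards matter: `iam:*` or `lambda:*` satisfies a technique just as surely as the literal action names, and an explicit Deny elsewhere can remove a match that a naive substring search would report. The following is an added example, not the product's own escalation catalog or matcher, showing how a table like the one above can be produced from an identity's policy documents. The technique IDs (`EX-001` and so on) and the four entries are illustrative stand-ins for well-known privilege-escalation primitives; the policies are constructed. Resource and Condition elements, and `NotAction`, are deliberately ignored here, so a row means "the actions are allowed", not "the escalation is guaranteed to work".

```python
"""Match an identity's allowed IAM actions against an escalation-technique catalog.

Added example, not the product's own code. TECHNIQUES is an illustrative
catalog with made-up IDs; SAMPLE_POLICIES are constructed documents.
Only Effect and Action are evaluated: Resource, Condition and NotAction are
ignored, which a real evaluator must not do.
"""
import re

TECHNIQUES = [
    {"id": "EX-001", "name": "Create new default policy version", "severity": "critical",
     "category": "policy manipulation", "actions": {"iam:CreatePolicyVersion"}},
    {"id": "EX-002", "name": "Attach managed policy to a user", "severity": "critical",
     "category": "policy manipulation", "actions": {"iam:AttachUserPolicy"}},
    {"id": "EX-003", "name": "Pass privileged role to a new Lambda and invoke it", "severity": "high",
     "category": "pass role", "actions": {"iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"}},
    {"id": "EX-004", "name": "Create access key for another user", "severity": "high",
     "category": "credential access", "actions": {"iam:CreateAccessKey"}},
]

# Constructed: a broad developer policy plus a guardrail that denies one action.
SAMPLE_POLICIES = [
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Action": ["lambda:*", "iam:PassRole", "iam:CreatePolicyVersion", "s3:Get*"],
         "Resource": "*"},
    ]},
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": "iam:CreatePolicyVersion", "Resource": "*"},
    ]},
]


def _pattern(action_glob):
    """Compile an IAM action pattern: case-insensitive, '*' and '?' are the only wildcards.
    re.escape first so that nothing else in the string is treated as regex syntax."""
    escaped = re.escape(action_glob.lower()).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(rf"^{escaped}$")


def _statement_actions(stmt):
    acts = stmt.get("Action", [])
    return [acts] if isinstance(acts, str) else list(acts)


def allowed_actions(policies, candidate_actions):
    """Subset of candidate_actions that some Allow statement matches and no Deny statement matches."""
    allow, deny = [], []
    for policy in policies:
        for stmt in policy["Statement"]:
            target = allow if stmt["Effect"] == "Allow" else deny
            target.extend(_pattern(a) for a in _statement_actions(stmt))
    result = set()
    for action in candidate_actions:
        lowered = action.lower()
        if any(p.match(lowered) for p in allow) and not any(p.match(lowered) for p in deny):
            result.add(action)
    return result


def escalation_paths(policies, techniques=TECHNIQUES):
    """One row per technique whose required actions are all allowed, in catalog order."""
    needed = set().union(*(t["actions"] for t in techniques))
    granted = allowed_actions(policies, needed)
    rows = []
    for t in techniques:
        matched = t["actions"] & granted
        if matched == t["actions"]:  # every required action must be allowed
            rows.append({"id": t["id"], "name": t["name"], "severity": t["severity"],
                         "category": t["category"], "matched_actions": sorted(matched)})
    return rows


if __name__ == "__main__":
    for row in escalation_paths(SAMPLE_POLICIES):
        print(row["id"], row["severity"], row["category"], row["name"], row["matched_actions"])
    print("without the Deny guardrail:",
          [r["id"] for r in escalation_paths(SAMPLE_POLICIES[:1])])
```

With the constructed input only `EX-003` is reported, via `iam:PassRole` plus two actions covered by `lambda:*`; drop the Deny policy and `EX-001` appears as well. That is the check to keep in mind when reading the real table: a matched row is an action-level fact, and the next question is whether a Resource constraint, Condition or permissions boundary actually stops the path.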
Where to go from here
IAM Risk tells you where an identity has more access than it needs, and how it could pivot from what it has. For the full chain, from an external entry surface to the sensitive target an identity could reach, jump to Attack Paths.