Hero Card: IAM Users and Roles with Excessive Privilege
© 2026 Sonrai Security. All rights reserved.
Overview
When Identity and Access Management (IAM) users and roles are assigned permissions that they never use, those unused permissions give an attacker who compromises the identity an easy way to gather intelligence, exfiltrate data, impersonate users, and more.
Excess privilege can also lead to scenarios where users are unintentionally allowed to complete actions that are not expected, like creating or deleting resources, which can drive up operational costs and cause outages.
![[AI GENERATED] Cloud Permissions Firewall hero card showing IAM users and roles with excessive privilege, with metrics on identities that have privileged permissions they do not use](/cpf-public/img/cpf/permissions-firewall/services/hero-cards/405CAE04-B807-409E-A20A-2480574D8DBE.png)
Examples
- Example 1: When Outsiders Become Insiders
- Example 2: When Insiders Cause Problems
Example 1: When Outsiders Become Insiders
One day, an attacker managed to gain access to a junior engineer's account through a successful phishing attempt. The engineer's account had been granted excessive privileges due to lax IAM policies. Although the engineer's primary role involved developing software and managing deployment scripts, their account had permissions far beyond what was necessary for their job.
With the engineer's compromised credentials, the attacker explored the company's AWS environment. The broad permissions allowed the attacker to access sensitive databases, alter application configurations, and modify access controls. The attacker used these elevated privileges to create backdoors and install malware on several virtual machines.
The attacker then exfiltrated large volumes of proprietary data and customer information, covering their tracks by modifying logs and disabling monitoring alerts.
Example 2: When Insiders Cause Problems
An enterprise company experiencing rapid growth was hiring new software engineers to aid in quick product development.
Due to an oversight in the onboarding process, their newest hire Tyler was assigned an IAM role with full administrative privileges over the entire AWS account (a role intended for senior administrators). Tyler was unaware of the level of access they had been granted and set to work developing a new feature!
While working on a deployment script, Tyler accidentally executed a command that deleted an entire S3 bucket containing critical customer data. The error was not immediately noticed because Tyler's elevated permissions allowed the script to execute without any warnings or alerts.
As the day progressed, the missing data caused a cascade of issues across the company's services. Customers experienced disruptions and the company's reputation took a hit.
Protect Your Identities
Deny privileged permissions to identities that have been granted them but don't use them!
Select the scope at which you want to take action and click the button to see the changes you are about to make:
![[AI GENERATED] Cloud Permissions Firewall Services page showing the scope selector and Preview Changes button for the IAM Users and Roles with Excessive Privilege hero card](/cpf-public/img/cpf/permissions-firewall/services/hero-cards/35387236-F864-45F2-8701-31E450465EB7.png)
![[AI GENERATED] Cloud Permissions Firewall preview of changes showing which identities will have excessive privileged permissions removed before deploying least privilege protections](/cpf-public/img/cpf/permissions-firewall/services/hero-cards/AAE856AC-CC0C-45A0-B8DD-A189A51EB870.png)
When ready, click the button to review those changes within the Pending Changes page before you deploy them to your cloud:
![[AI GENERATED] Cloud Permissions Firewall Pending Changes page showing the staged identity protections for review before deploying to the cloud](/cpf-public/img/cpf/permissions-firewall/services/hero-cards/A99A34B8-568E-4E86-8251-ABF1DF1F934B.png)
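The protection above rests on one comparison: the privileged actions an identity is allowed to perform versus the actions it has actually performed, with an explicit Deny covering the difference. The script below is an added example of that comparison and is not Sonrai code or an implementation of the Cloud Permissions Firewall. It assumes a simple identity policy with Allow and Deny statements keyed on `Action` (`NotAction` is not handled), CloudTrail management events whose `eventSource` and `eventName` map onto IAM's `service:Action` form (true for most APIs, not all), and an illustrative catalogue of "privileged" actions; the policy, events, role name `deploy-role` and catalogue are all constructed for the example.

```python
"""Find privileged actions an IAM role may perform but has never used, and
emit an explicit Deny policy covering them.

Added example, not Sonrai's implementation. Assumptions: Allow/Deny statements
keyed on Action only, CloudTrail eventSource/eventName mapping to IAM's
service:Action form, and an illustrative catalogue of privileged actions.
"""
import fnmatch
import json

# Constructed, illustrative catalogue of actions treated as privileged.
PRIVILEGED_CATALOG = {
    "iam:CreateUser", "iam:CreateAccessKey", "iam:AttachRolePolicy", "iam:PutRolePolicy",
    "s3:DeleteBucket", "s3:PutBucketPolicy",
    "ec2:RunInstances", "ec2:TerminateInstances",
    "kms:ScheduleKeyDeletion",
}

# Constructed policy attached to the role under review (hypothetical "deploy-role").
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:*", "iam:CreateAccessKey",
                                       "iam:AttachRolePolicy"], "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
    ],
}

# Constructed CloudTrail-style management events from the lookback window.
# The last event belongs to a different role and must not count for deploy-role.
_DEPLOY = {"arn": "arn:aws:sts::123456789012:assumed-role/deploy-role/ci-session"}
_OPS = {"arn": "arn:aws:sts::123456789012:assumed-role/ops-role/alice"}
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "userIdentity": _DEPLOY},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "userIdentity": _DEPLOY},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "userIdentity": _DEPLOY},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "userIdentity": _DEPLOY},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey", "userIdentity": _DEPLOY},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket", "userIdentity": _OPS},
]


def _as_list(value):
    """Policy fields may be a single string/dict or a list of them."""
    return [value] if isinstance(value, (str, dict)) else list(value)


def _matches(pattern, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def granted_privileged(policy, catalog=PRIVILEGED_CATALOG):
    """Catalogue actions the policy permits: matched by an Allow, not by an explicit Deny."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy["Statement"]):
        if "Action" not in stmt:
            continue
        target = allowed if stmt["Effect"] == "Allow" else denied
        for pattern in _as_list(stmt["Action"]):
            target.update(a for a in catalog if _matches(pattern, a))
    return allowed - denied


def used_actions(events, role_name):
    """service:Action pairs the named role actually invoked, per CloudTrail."""
    used = set()
    for ev in events:
        arn = ev.get("userIdentity", {}).get("arn", "")
        if f":assumed-role/{role_name}/" not in arn:
            continue
        service = ev["eventSource"].split(".")[0]  # "s3.amazonaws.com" -> "s3"
        used.add(f"{service}:{ev['eventName']}")
    return used


def unused_privileged(policy, events, role_name, catalog=PRIVILEGED_CATALOG):
    """Privileged actions granted to the role that the lookback window never shows it using."""
    return sorted(granted_privileged(policy, catalog) - used_actions(events, role_name))


def build_deny_policy(actions):
    """An explicit Deny overrides any Allow, so the unused privilege is removed
    without editing the original policy document."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnusedPrivilegedActions",
            "Effect": "Deny",
            "Action": list(actions),
            "Resource": "*",
        }],
    }


if __name__ == "__main__":
    unused = unused_privileged(SAMPLE_POLICY, SAMPLE_EVENTS, "deploy-role")
    print(json.dumps(build_deny_policy(unused), indent=2))
```

Two design choices matter here. The candidate set is computed against a catalogue of privileged actions rather than every action a wildcard like `s3:*` expands to, so the Deny stays small and reviewable, which mirrors the preview step above. Events are filtered to the role under review by its assumed-role ARN, so another identity exercising the same action (the `ops-role` call to `DeleteBucket`) does not mask that `deploy-role` never uses it.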
Unprotect at Scope
If you encounter a situation where you need to unprotect all services at scope, you can leverage the Services page menu:
![[AI GENERATED] Cloud Permissions Firewall Services page menu showing the Unprotect at Scope option to remove all service protections for a selected scope](/cpf-public/img/cpf/permissions-firewall/services/206EF1CC-B426-4486-A64F-C1A0325831C6.png)
Using this menu option generates a CloudFormation template that removes all of the service protections you have put into place with the Cloud Permissions Firewall, re-enables all services that were disabled using the Cloud Permissions Firewall, and discards any pending changes.
![[AI GENERATED] Cloud Permissions Firewall confirmation dialog for Unprotect at Scope, explaining that the CloudFormation template will remove all service protections and discard pending changes](/cpf-public/img/cpf/permissions-firewall/services/1BF34F76-A7D1-4EB6-A642-16CDBBC4E87C.png)