# Investigate and resolve overprivileged access

After [running an Access Discovery assessment](/docs/getting-started/access-discovery/create-an-assessment.md) and reviewing the results, you can investigate and remediate unused or excessive permissions identified across your environment.

<figure><img src="/files/nVe0jL7FDwHt8HOZtQZq" alt="" width="375"><figcaption><p>Principal details panel</p></figcaption></figure>

Using the **Recommendations** tab, you can review the top overprivileged issues for each principal. Access Discovery provides guided remediation options such as quarantine, deletion, or right-sizing to help reduce unnecessary access.

***

### Remediate overprivileged access

Follow these steps to remediate overprivileged access:

1. On the [**Access Discovery**](https://app.apono.io/access-discovery) page, in the row of an assessment, click **Explore**. The **View Assessment** page opens.
2. Filter the assessment by defining the filters or clicking a [widget](/docs/getting-started/access-discovery/analyze-an-assessment.md#widgets) and viewing details in the [table](/docs/getting-started/access-discovery/analyze-an-assessment.md#table-principals).
3. In the table, click the row of a principal. The **Principal Details** panel opens and displays information about the principal.

<table><thead><tr><th width="194.08984375">Field</th><th>Description</th></tr></thead><tbody><tr><td><strong>Account</strong></td><td>Account where the principal is stored</td></tr><tr><td><strong>Risk Score</strong></td><td>Calculation based on the <strong>Principal Risk Level</strong> (maximum sensitivity score of the policy actions) and the account risk level</td></tr><tr><td><strong>ARN</strong></td><td>Amazon Resource Name of the principal</td></tr><tr><td><strong>Identities</strong></td><td>Number of human and machine identities</td></tr><tr><td><strong>Last Used</strong></td><td>Date the principal was last used</td></tr><tr><td><strong>Over Privilege</strong></td><td><p>Overall percentage of overprivileged permissions</p><p>Beside this value, in parentheses, is the overprivilege percentage for high-risk permissions (Admin, IAM).</p></td></tr><tr><td><strong>Tiers</strong></td><td>Calculation based on the <strong>Over Privilege</strong> percentage, <strong>Risk Score</strong>, and <strong>Privilege Permissions</strong> percentage</td></tr></tbody></table>

4. On the **Recommendations** tab, expand a recommendation category to view the suggested summary:
   * **Dormant Principal Detected**: Principals that have not been used within the past 90 days
   * **Unused Privileged Permissions Detected**: High-risk actions assigned to but not used by a principal
   * **Overprivileged Policy Detected**: Policy assigned to a principal that includes unused actions

{% hint style="info" %}
The **Recommendations** tab displays the top **three** overprivileged issues.

To support further investigation, you can explore the additional tabs:

* [Used By](#used-by) shows the identities that have used the principal.
* [Used For](#used-for) shows the permissions associated with each policy, including used and unused actions by privilege level.

As you resolve the initial recommendations, additional issues will appear in the **Recommendations** tab until all are addressed.
{% endhint %}

5. Click **How to Fix**. A pop-up window appears.
6. Complete the fix based on the type of recommendation.

<details>

<summary>Dormant Principal Detected</summary>

**Quarantine Principal**

This approach uses an Automatic Access Flow to restrict a principal's access using an AWS Permission Boundary until it can be reviewed or safely deleted.

Follow this step to block unused permissions:

1. On the **Quarantine Principal** tab, click **Remediate** to limit access within the dedicated access flow.

Apono adds the principal to a Permission Boundary that remains active until an admin disables the Access Flow or deletes the principal.

***

**Delete Principal**

This approach removes the principal from your AWS environment.

Follow these steps to delete the principal:

1. On the **Delete Principal** tab, copy the code.
2. Run the code in your AWS CLI to remove the principal from your AWS account.

</details>

<details>

<summary>Unused Privileged Permissions Detected</summary>

This approach uses an Automatic Access Flow to restrict a principal's access using an AWS Permission Boundary until it can be reviewed or safely deleted.

Follow this step to block unused permissions:

1. On the **Custom Quarantine** tab, click **Remediate** to limit access within the dedicated access flow.

Apono adds the principal to a Permission Boundary that remains active until an admin disables the Access Flow or deletes the principal.

</details>

<details>

<summary>Overprivileged Policy Detected</summary>

**Custom Quarantine**

This approach temporarily restricts sensitive actions until the policy is reviewed or replaced.

Follow these steps to block unused actions:

1. On the **Custom Quarantine** tab, click **Remediate** to deny actions within the dedicated access flow.
2. Copy the deny rule JSON provided by Apono.
3. In your AWS environment, create a deny rule using the Apono-provided JSON. This rule will prevent the principal from using the unused actions detected in its policy.

***

**Right-size**

This approach replaces the policy with a least-privilege version that contains only the permissions the principal has actually used.

Follow these steps to update the policy:

1. On the **Right Size Policy** tab, copy the code.
2. In AWS, replace the existing policy definition with the new, least-privilege policy definition that contains only used permissions.

</details>
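As an added illustration (not Apono's implementation), the following Python applies the three recommendation rules described above (dormant principal, unused privileged permissions, overprivileged policy) and computes the two **Over Privilege** percentages from the Principal Details panel for a few constructed principal records. The action-to-privilege-level map, the record layout, the sample principals and the exact percentage formula are assumptions made for the example.

```python
"""Apply the three Access Discovery recommendation rules to principal records.

Added illustration, not Apono's implementation. The action-to-privilege-level
map, the record layout and the sample principals are constructed for the example.
"""
from datetime import date, timedelta

DORMANT_DAYS = 90                      # "not used within the past 90 days"
HIGH_RISK_LEVELS = {"Admin", "IAM"}    # privilege levels treated as high-risk

# Constructed stand-in for the privilege level assigned to each IAM action.
PRIVILEGE_LEVEL = {
    "iam:CreateUser": "IAM",
    "iam:AttachUserPolicy": "IAM",
    "ec2:TerminateInstances": "Admin",
    "s3:PutObject": "Write",
    "s3:GetObject": "Read",
    "ec2:DescribeInstances": "Read",
}


def assigned_actions(principal):
    """All actions granted to the principal across its attached policies."""
    return {a for acts in principal["policies"].values() for a in acts}


def recommendations(principal, today):
    """Return the recommendation categories that apply to one principal.

    principal = {"name": str, "last_used": date | None,
                 "policies": {policy_name: [action, ...]},
                 "used_actions": set of actions observed in use}
    """
    findings = []
    last_used = principal.get("last_used")
    if last_used is None or (today - last_used).days > DORMANT_DAYS:
        findings.append("Dormant Principal Detected")

    used = set(principal["used_actions"])
    unused = assigned_actions(principal) - used
    if any(PRIVILEGE_LEVEL.get(a) in HIGH_RISK_LEVELS for a in unused):
        findings.append("Unused Privileged Permissions Detected")

    # A policy is overprivileged if it grants at least one action never used.
    if any(set(acts) - used for acts in principal["policies"].values()):
        findings.append("Overprivileged Policy Detected")
    return findings


def overprivilege_percent(principal):
    """(overall %, high-risk %) of granted actions that were never used,
    mirroring the 'Over Privilege' field and its parenthesised high-risk
    value (the formula is an assumption made for this example)."""
    used = set(principal["used_actions"])
    assigned = assigned_actions(principal)
    high_risk = {a for a in assigned if PRIVILEGE_LEVEL.get(a) in HIGH_RISK_LEVELS}

    def pct(actions):
        return round(100.0 * len(actions - used) / len(actions), 1) if actions else 0.0

    return pct(assigned), pct(high_risk)


TODAY = date(2024, 6, 1)  # fixed "today" so the sample is reproducible
SAMPLE_PRINCIPALS = [     # constructed records, not real account data
    {"name": "ci-deploy-role", "last_used": TODAY - timedelta(days=3),
     "policies": {"DeployPolicy": ["s3:GetObject", "s3:PutObject",
                                   "ec2:TerminateInstances"]},
     "used_actions": {"s3:GetObject", "s3:PutObject"}},
    {"name": "legacy-admin", "last_used": TODAY - timedelta(days=200),
     "policies": {"AdminPolicy": ["iam:CreateUser", "iam:AttachUserPolicy",
                                  "ec2:DescribeInstances"]},
     "used_actions": set()},
    {"name": "reporting-user", "last_used": TODAY - timedelta(days=10),
     "policies": {"ReadOnly": ["s3:GetObject", "ec2:DescribeInstances"]},
     "used_actions": {"s3:GetObject", "ec2:DescribeInstances"}},
]


def report(principals=SAMPLE_PRINCIPALS, today=TODAY):
    """Map each principal name to its list of recommendation categories."""
    return {p["name"]: recommendations(p, today) for p in principals}


if __name__ == "__main__":
    for p in SAMPLE_PRINCIPALS:
        overall, high = overprivilege_percent(p)
        findings = recommendations(p, TODAY) or ["no findings"]
        print(f"{p['name']}: {overall}% unused ({high}% high-risk) -> {findings}")
```

The dormant check deliberately treats a missing `last_used` as dormant: a principal with no recorded activity at all is the case most worth reviewing first.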

#### Used By

The **Used By** tab displays the human and machine identities that have used the principal.

<figure><img src="/files/FzC9cjB7FtPyNxA3Venk" alt="" width="563"><figcaption><p>Machine Identities and Human Identities sections of the Used By tab</p></figcaption></figure>

This view helps you trace usage and validate whether access is still needed. You can expand the row of an identity to view the details of the **Last 5 logins**:

* User Agent
* Source IP
* Date

#### Used For

The **Used For** tab displays the policies associated with the selected principal. Each policy summarizes the number of used and unused permissions, organized by privilege level.

<figure><img src="/files/7ax4Jrdr1UBJfv6iYXLi" alt="" width="371"><figcaption><p>Analysis tab</p></figcaption></figure>

Unused access at higher privilege levels (such as Admin or IAM) represents increased risk and should be prioritized for review.

Follow these steps to remediate a policy:

1. On the **Used For** tab, expand a policy.

{% hint style="info" %}
The **Analysis** tab lists each privilege level with its number of used and unused permissions, based on observed activity within the last 90 days.

The **Current policy** tab shows the policy JSON.
{% endhint %}

2. Click **Right-size**. A pop-up window appears.
3. Quarantine or right-size the policy to reduce unnecessary access.

<details>

<summary>Custom Quarantine</summary>

This approach temporarily restricts sensitive actions until the policy is reviewed or replaced.

Follow this step to block unused actions:

1. On the **Custom Quarantine** tab, click **Remediate** to deny actions within the dedicated access flow.

</details>

<details>

<summary>Right-size</summary>

This approach replaces the policy with a least-privilege version that contains only the permissions the principal has actually used.

Follow these steps to update the policy:

1. On the **Right Size Policy** tab, copy the code.
2. In AWS, replace the existing policy definition with the new, least-privilege policy definition.

</details>
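The **Custom Quarantine** and **Right-size** options above (here and in the Overprivileged Policy Detected section) each produce an artifact the page describes only in outline: an explicit deny rule for the unused actions, and a right-sized policy containing only used actions. As an added example that is not Apono's generated code, the Python below derives both from a constructed IAM policy document and a constructed set of observed actions, and checks that right-sizing does not break any action that was in use. The small action catalogue used to expand `ec2:*`-style wildcards is an assumption standing in for the real service action list.

```python
"""Derive a right-sized policy and a quarantine Deny statement from an IAM
policy and the set of actions observed in use.

Added example, not Apono's generated output. CURRENT_POLICY, USED_ACTIONS
and KNOWN_ACTIONS are constructed for the example.
"""
import fnmatch
import json
from copy import deepcopy

# Constructed sample: a policy that grants more than the principal uses.
CURRENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Storage", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteBucket"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "Compute", "Effect": "Allow",
         "Action": "ec2:*",
         "Resource": "*"},
    ],
}
# Constructed sample: actions seen in the activity window.
USED_ACTIONS = {"s3:GetObject", "s3:PutObject", "ec2:DescribeInstances"}

# Assumed stand-in for the service action catalogue; needed to turn a
# wildcard like "ec2:*" into the concrete actions it grants.
KNOWN_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteBucket",
                 "ec2:DescribeInstances", "ec2:RunInstances",
                 "ec2:TerminateInstances"]


def expand(actions):
    """Expand a statement's Action (string or list, possibly wildcarded)
    into the concrete set of actions it grants."""
    if isinstance(actions, str):
        actions = [actions]
    out = set()
    for pattern in actions:
        out.update(a for a in KNOWN_ACTIONS if fnmatch.fnmatchcase(a, pattern))
        if "*" not in pattern and "?" not in pattern:
            out.add(pattern)  # keep explicit actions even if not catalogued
    return out


def right_size(policy, used):
    """Copy of the policy whose Allow statements keep only used actions.
    Wildcards are replaced by the concrete used actions they covered, and a
    statement left with no used action is dropped entirely."""
    new = deepcopy(policy)
    kept = []
    for st in new["Statement"]:
        if st.get("Effect") != "Allow" or "Action" not in st:
            kept.append(st)
            continue
        still_used = sorted(expand(st["Action"]) & used)
        if still_used:
            st["Action"] = still_used
            kept.append(st)
    new["Statement"] = kept
    return new


def quarantine_deny(policy, used, sid="QuarantineUnusedActions"):
    """Explicit Deny statement covering every granted-but-unused action.
    An explicit Deny always wins over Allow in IAM evaluation, so attaching
    it blocks the unused actions without editing the original policy.
    Returns None when nothing is unused."""
    unused = set()
    for st in policy["Statement"]:
        if st.get("Effect") == "Allow" and "Action" in st:
            unused |= expand(st["Action"]) - used
    if not unused:
        return None
    return {"Sid": sid, "Effect": "Deny",
            "Action": sorted(unused), "Resource": "*"}


def check_no_regression(policy, used):
    """True if every action observed in use is still allowed by the policy."""
    allowed = set()
    for st in policy["Statement"]:
        if st.get("Effect") == "Allow" and "Action" in st:
            allowed |= expand(st["Action"])
    return used <= allowed


if __name__ == "__main__":
    slim = right_size(CURRENT_POLICY, USED_ACTIONS)
    print("Right-sized policy:\n", json.dumps(slim, indent=2))
    print("Quarantine deny:\n", json.dumps(quarantine_deny(CURRENT_POLICY, USED_ACTIONS), indent=2))
    print("Used actions still allowed:", check_no_regression(slim, USED_ACTIONS))
```

Run the regression check against the right-sized document before replacing the live policy; it is the cheapest way to catch an action that was in use but fell outside the activity window the assessment observed.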

