Investigate and resolve overprivileged access

Use insights to quarantine, delete, or right-size permissions

After running an Access Discovery assessment and reviewing the results, you can investigate and remediate unused or excessive permissions identified across your environment.

Principal details panel

Using the Recommendations tab, you can review the top overprivileged issues for each principal. Access Discovery provides guided remediation options such as quarantine, deletion, or right-sizing to help reduce unnecessary access.


Remediate overprivileged access

Follow these steps to remediate overprivileged access:

  1. On the Access Discovery page, in the row of an assessment, click Explore. The View Assessment page opens.

  2. Narrow the assessment by defining filters or by clicking a widget; the matching principals are listed in the table.

  3. In the table, click the row of a principal. The Principal Details panel opens and displays information about the principal.

Field            Description

Account          Account where the principal is stored

Risk Score       Calculated from the Principal Risk Level (the maximum sensitivity score of the actions in the principal's policies) and the account risk level

ARN              Amazon Resource Name of the principal

Identities       Number of human and machine identities

Last Used        Date the principal was last used

Over Privilege   Overall percentage of the principal's permissions that are overprivileged. The value in parentheses is the same percentage for high-risk permissions only (Admin, IAM).

Tiers            Calculated from the Over Privilege percentage, the Risk Score, and the privileged-permissions percentage

  4. On the Recommendations tab, expand a recommendation category to view the suggested summary:

    • Dormant Principal Detected: Principals that have not been used within the past 90 days

    • Unused Privileged Permissions Detected: High-risk actions assigned to but not used by a principal

    • Overprivileged Policy Detected: Policy assigned to a principal that includes unused actions

The Recommendations tab displays the top three overprivileged issues.

To support further investigation, you can explore the additional tabs:

  • Used By shows the identities that have used the principal.

  • Used For shows the permissions associated with each policy, including used and unused actions by privilege level.

As you resolve the initial recommendations, additional issues will appear in the Recommendations tab until all are addressed.

  5. Click How to Fix. A pop-up window appears.

  6. Complete the fix based on the type of recommendation.
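The three recommendation categories and the Over Privilege percentages above can be reproduced from raw IAM data. The following Python is an added example, not Apono's code: it classifies constructed sample principals using the page's 90-day window, a small assumed set of high-risk (Admin / IAM) actions, and an assumed formula for the percentages (unused granted actions divided by granted actions). The ARNs, policies and observed actions are made up for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch

DORMANT_AFTER = timedelta(days=90)  # the page's 90-day activity window

# Assumption: actions treated as the Admin / IAM privilege levels. Real
# catalogs are far larger; this set is illustrative only.
HIGH_RISK_ACTIONS = frozenset({
    "iam:CreateUser", "iam:AttachRolePolicy", "iam:PutRolePolicy",
    "iam:CreateAccessKey", "iam:PassRole", "sts:AssumeRole",
})


@dataclass(frozen=True)
class Principal:
    arn: str
    last_used: datetime | None            # None = never seen in the window
    policies: dict[str, tuple[str, ...]]  # policy name -> granted action patterns
    used_actions: frozenset[str]          # actions observed in the window


def matches(action: str, pattern: str) -> bool:
    """IAM action names are case-insensitive and patterns may contain '*'."""
    return fnmatch(action.lower(), pattern.lower())


def granted_patterns(principal: Principal) -> list[str]:
    return [p for acts in principal.policies.values() for p in acts]


def unused_patterns(granted: list[str], used: frozenset[str]) -> list[str]:
    """Granted patterns that no observed action falls under. A wildcard such
    as 'iam:*' counts as used if any observed action matches it."""
    return [p for p in granted if not any(matches(u, p) for u in used)]


def assigned_high_risk(principal: Principal) -> set[str]:
    """High-risk actions that some granted pattern covers (explicitly or by '*')."""
    granted = granted_patterns(principal)
    return {h for h in HIGH_RISK_ACTIONS if any(matches(h, p) for p in granted)}


def recommendations(principal: Principal, now: datetime) -> list[tuple[str, str]]:
    """(category, detail) pairs in the order the Recommendations tab lists them."""
    out: list[tuple[str, str]] = []
    if principal.last_used is None or now - principal.last_used > DORMANT_AFTER:
        out.append(("Dormant Principal Detected",
                    f"{principal.arn} not used in the last {DORMANT_AFTER.days} days"))
    unused_high_risk = assigned_high_risk(principal) - principal.used_actions
    if unused_high_risk:
        out.append(("Unused Privileged Permissions Detected",
                    ", ".join(sorted(unused_high_risk))))
    for name, granted in principal.policies.items():
        dead = unused_patterns(list(granted), principal.used_actions)
        if dead:
            out.append(("Overprivileged Policy Detected", f"{name}: {', '.join(dead)}"))
    return out


def over_privilege(principal: Principal) -> tuple[int, int]:
    """(overall %, high-risk %) of granted permissions that are unused.
    Assumption: unused / granted, rounded to a whole percent."""
    granted = granted_patterns(principal)
    dead = unused_patterns(granted, principal.used_actions)
    overall = round(100 * len(dead) / len(granted)) if granted else 0
    high_risk = assigned_high_risk(principal)
    unused_hr = high_risk - principal.used_actions
    hr_pct = round(100 * len(unused_hr) / len(high_risk)) if high_risk else 0
    return overall, hr_pct


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed reference time

# Constructed sample principals; the ARNs use a documentation account ID.
DEPLOY_ROLE = Principal(
    arn="arn:aws:iam::111122223333:role/deploy-role",
    last_used=NOW - timedelta(days=3),
    policies={
        "DeployPolicy": ("s3:GetObject", "s3:PutObject", "ecs:UpdateService"),
        "LegacyAdmin": ("iam:*", "ec2:*"),
    },
    used_actions=frozenset({"s3:GetObject", "ecs:UpdateService", "iam:PassRole"}),
)
OLD_USER = Principal(
    arn="arn:aws:iam::111122223333:user/old-contractor",
    last_used=NOW - timedelta(days=200),
    policies={"ReadOnly": ("s3:ListBucket",)},
    used_actions=frozenset(),
)

if __name__ == "__main__":
    for p in (DEPLOY_ROLE, OLD_USER):
        print(p.arn, over_privilege(p))
        for category, detail in recommendations(p, NOW):
            print(f"  {category}: {detail}")
```

Note what the wildcard handling does: a single observed iam:PassRole call marks the whole iam:* grant as used, so the LegacyAdmin policy is only flagged for ec2:*. That is why the unused high-risk check is computed separately from the per-policy check; it is the one that surfaces the four unused IAM actions hidden behind iam:*.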

Dormant Principal Detected

Quarantine Principal

This approach uses an Automatic Access Flow to restrict a principal's access using an AWS Permission Boundary until it can be reviewed or safely deleted.

Follow this step to restrict the principal's access:

  1. On the Quarantine Principal tab, click Remediate to limit access within the dedicated access flow.

Apono adds the principal to a Permission Boundary that stays active until an admin disables the Access Flow or deletes the principal. The boundary caps what the principal's identity-based policies can grant (the effective permissions are the intersection of the two), so the original policies remain attached and intact for review.


Delete Principal

This approach removes the principal from your AWS environment.

Follow these steps to delete the principal:

  1. On the Delete Principal tab, copy the code.

  2. Run the commands in the AWS CLI to remove the principal from your AWS account. Deletion is not reversible; if anything might still depend on the principal, quarantine it first and confirm on the Used By tab that no identity has used it recently.

Unused Privileged Permissions Detected

This approach uses an Automatic Access Flow to restrict a principal's access using an AWS Permission Boundary until it can be reviewed or safely deleted.

Follow this step to block unused permissions:

  1. On the Custom Quarantine tab, click Remediate to limit access within the dedicated access flow.

Apono adds the principal to a Permission Boundary that stays active until an admin disables the Access Flow or deletes the principal.

Overprivileged Policy Detected

Custom Quarantine

This approach temporarily restricts sensitive actions until the policy is reviewed or replaced.

Follow these steps to block unused actions:

  1. On the Custom Quarantine tab, click Remediate to deny actions within the dedicated access flow.

  2. Copy the deny rule JSON provided by Apono.

  3. In your AWS environment, attach a policy containing the Apono-provided Deny statement to the principal. Because an explicit Deny overrides any Allow, the principal can no longer use the unused actions detected in its policy, while the original policy stays in place for review.


Right-size

This approach updates the policy.

Follow these steps to update the policy:

  1. On the Right Size Policy tab, copy the code.

  2. In AWS, replace the existing policy definition with the new, least-privilege policy definition that contains only used permissions.

Used By

The Used By tab displays the human and machine identities that have used the principal.

Machine Identities and Human Identities sections of the Used By tab

This view helps you trace usage and validate whether access is still needed. You can expand the row of an identity to view the details of the Last 5 logins:

  • User Agent

  • Source IP

  • Date

Used For

The Used For tab displays the policies associated with the selected principal. Each policy summarizes the number of used and unused permissions, organized by privilege level.

Analysis tab

Unused access at higher privilege levels (such as Admin or IAM) carries the greatest risk and should be reviewed first.

Follow these steps to remediate a policy:

  1. On the Used For tab, expand a policy.

The Analysis tab shows all privilege levels and shows the number of used and unused permissions based on observed activity within the last 90 days.

The Current policy tab shows the policy JSON.

  2. Click Right-size. A pop-up window appears.

  3. Quarantine or right-size the policy to reduce unnecessary access.

Custom Quarantine

This approach temporarily restricts sensitive actions until the policy is reviewed or replaced.

Follow this step to block unused actions:

  1. On the Custom Quarantine tab, click Remediate to deny actions within the dedicated access flow.

Right-size

This approach updates the policy.

Follow these steps to update the policy:

  1. On the Right Size Policy tab, copy the code.

  2. In AWS, replace the existing policy definition with the new, least-privilege policy definition.
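The deny-rule JSON and the right-sized policy JSON that the Custom Quarantine and Right-size tabs provide (in the Overprivileged Policy Detected section and in the Used For section above) can be derived from the Current policy JSON and the used actions reported on the Analysis tab. The Python below is an added example, not Apono's code and not the JSON Apono generates: quarantine_policy, right_size_policy, the Sid, the sample policy and the used-action set are assumptions built for illustration.

```python
from __future__ import annotations

import json
from fnmatch import fnmatch


def as_list(value) -> list:
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def matches(action: str, pattern: str) -> bool:
    """IAM action names are case-insensitive; patterns may contain '*'."""
    return fnmatch(action.lower(), pattern.lower())


def unused_actions(policy: dict, used: set[str]) -> list[str]:
    """Action patterns in Allow statements that no observed action falls under.
    Deny statements and NotAction grants are skipped, not analysed."""
    dead: list[str] = []
    for st in as_list(policy["Statement"]):
        if st.get("Effect") != "Allow" or "Action" not in st:
            continue
        for pattern in as_list(st["Action"]):
            if pattern not in dead and not any(matches(u, pattern) for u in used):
                dead.append(pattern)
    return dead


def quarantine_policy(policy: dict, used: set[str]) -> dict:
    """Custom Quarantine: an explicit Deny for the unused actions, to be
    attached next to the original policy. An explicit Deny overrides any
    Allow, so the original policy can stay in place until it is reviewed."""
    dead = unused_actions(policy, used)
    if not dead:
        raise ValueError("nothing to quarantine: every granted action was used")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "QuarantineUnusedActions",  # assumed Sid; Apono's may differ
            "Effect": "Deny",
            "Action": dead,
            "Resource": "*",
        }],
    }


def right_size_policy(policy: dict, used: set[str]) -> dict:
    """Right-size: rewrite each Allow statement to the observed actions only.
    A used wildcard such as 's3:*' is narrowed to the concrete actions seen
    under it, Resource and Condition are kept, statements left with no
    actions are dropped, and Deny statements are copied unchanged."""
    statements = []
    for st in as_list(policy["Statement"]):
        if st.get("Effect") != "Allow" or "Action" not in st:
            statements.append(st)
            continue
        keep = sorted({u for p in as_list(st["Action"]) for u in used if matches(u, p)})
        if keep:
            statements.append({**st, "Action": keep})
    return {"Version": policy.get("Version", "2012-10-17"), "Statement": statements}


# Constructed sample: the JSON from the Current policy tab and the actions the
# Analysis tab reported as used in the last 90 days.
CURRENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Artifacts", "Effect": "Allow", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-artifacts/*"},
        {"Sid": "Deploy", "Effect": "Allow",
         "Action": ["ecs:UpdateService", "ecs:DeleteService", "iam:PassRole"],
         "Resource": "*"},
        {"Sid": "GuardRail", "Effect": "Deny", "Action": "iam:DeleteRole",
         "Resource": "*"},
    ],
}
USED_ACTIONS = {"s3:GetObject", "s3:PutObject", "ecs:UpdateService"}

if __name__ == "__main__":
    print(json.dumps(quarantine_policy(CURRENT_POLICY, USED_ACTIONS), indent=2))
    print(json.dumps(right_size_policy(CURRENT_POLICY, USED_ACTIONS), indent=2))
```

Two caveats when applying either output. The Deny is scoped to Resource "*" on purpose: quarantine is meant to be broad and reversible. Right-sizing is only as good as the observed-activity data; S3 object-level calls are not recorded unless CloudTrail data events are enabled, and actions exercised less often than once per window (quarterly jobs, break-glass paths) will look unused. Quarantine first, watch for denied calls, and right-size once the window has passed without surprises.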
