
Find Risky Users in AWS

"Who's risky?" is harder to answer than it sounds. AWS has thousands of IAM actions. A handful are dangerous in isolation (anything that lets a principal rewrite its own policies, for instance); many more only become dangerous in combination (iam:PassRole is harmless on its own and a privilege-escalation path once paired with the right compute action). Maintaining your own list, and keeping it current as services add actions, is real work.

Blue Lantern keeps one for you. The on-prem toolkit ships with a curated set of IAM actions that flag privilege escalation, data integrity, and similar high-value risk categories. One command audits your entire account against the list.
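To make the "alone vs. in combination" distinction concrete, here is an added example (not Blue Lantern's code, and not its curated list) that matches the actions a policy allows against a short, hand-picked risky-action list of both kinds. The list entries, the sample policy and the reason strings are constructed for illustration; the matcher implements IAM's `*` and `?` action wildcards so that a statement like `"Action": "lambda:*"` is seen for what it grants. It deliberately reads only Allow statements' Action fields and ignores Deny, NotAction, Resource and Condition, so its output is a list of candidates to review, not a verdict.

```python
"""Flag a principal's allowed IAM actions against a small risky-action list.

Added example, not Blue Lantern's code. SINGLE_RISKY and COMBO_RISKY are a short
constructed illustration of the two kinds of entry the post describes: actions
dangerous alone, and actions dangerous only in combination. The toolkit's curated
set is far larger.

Simplification: only Allow statements' Action fields are read. Deny, NotAction,
Resource and Condition are ignored, so results are candidates to review.
"""
import fnmatch
import json

# Constructed: action -> (risk category, reason), mirroring the post's two categories.
SINGLE_RISKY = {
    "iam:PutUserPolicy": ("privesc", "Allows updating inline policies to grant arbitrary permissions"),
    "iam:CreatePolicyVersion": ("privesc", "Can publish a new default policy version with any permissions"),
    "iam:AttachUserPolicy": ("privesc", "Can attach AdministratorAccess to a user"),
    "s3:PutBucketPolicy": ("data integrity", "Can rewrite bucket access controls"),
    "cloudtrail:StopLogging": ("data integrity", "Disables the audit trail"),
}

# Constructed: every action in a tuple must be granted for the combination to fire.
COMBO_RISKY = [
    (("iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"),
     "privesc", "Can run arbitrary code under any role the principal may pass"),
    (("iam:PassRole", "ec2:RunInstances"),
     "privesc", "Can launch an instance with a more privileged instance profile"),
]


def matches(pattern: str, action: str) -> bool:
    """IAM action matching: '*' and '?' wildcards, case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_patterns(policy: dict) -> list[str]:
    """Collect the Action entries of Allow statements (string or list form)."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without a list
        statements = [statements]
    patterns: list[str] = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        actions = stmt["Action"]
        patterns.extend([actions] if isinstance(actions, str) else actions)
    return patterns


def find_risky(policy: dict) -> list[dict]:
    """Return one finding per risky action or combination the policy grants."""
    patterns = allowed_patterns(policy)

    def granted(action: str) -> bool:
        return any(matches(p, action) for p in patterns)

    findings = []
    for action, (risk, reason) in SINGLE_RISKY.items():
        if granted(action):
            findings.append({"action": action, "risk": risk, "reason": reason})
    for actions, risk, reason in COMBO_RISKY:
        if all(granted(a) for a in actions):
            findings.append({"action": " + ".join(actions), "risk": risk, "reason": reason})
    return findings


# Constructed sample policy: no single statement looks alarming on its own.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "lambda:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    for finding in find_risky(SAMPLE_POLICY):
        print(f"[{finding['risk']}] {finding['action']}: {finding['reason']}")
```

Run against the sample policy, none of the single-action entries fire, but the `iam:PassRole` plus `lambda:*` pair does, which is exactly the case a per-action review misses. The same wildcard handling is what makes a bare `iam:*` light up every IAM entry in the list at once.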

Prerequisites

  • The Blue Lantern on-prem toolkit installed.
  • Credits allocated (or auto-refresh enabled).
  • AWS credentials in .env format (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN; the session token is what makes temporary STS credentials work, so prefer those over long-lived access keys). A sealed secrets file is recommended.

Running the check

bluelantern run aws-iam find-principals-risky-actions

If you'd rather see exactly what the tool checks for before you run it:

bluelantern run aws-iam find-principals-risky-actions --list_checked_actions true

What you get back

A list of principals carrying any flagged action, with:

  • Principal type and name.
  • The risky action they hold.
  • A risk category — e.g. privesc, data integrity.
  • A reason — why we flagged it (e.g. "Allows updating inline policies to grant arbitrary permissions").

The risk and reason fields make the list workable: you can sort by category, prioritize privesc findings first, and have something to send to the principal's owner without writing the explanation yourself.

Output also lands in your configured data directory under /results as a JSON file, so you can run this on a schedule and diff against last week's run.
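The schedule-and-diff workflow is worth showing end to end. The script below is an added example, not part of the toolkit: it loads two runs' JSON, reports findings that are new since the previous run and findings that have disappeared, orders the new ones privesc first, and groups them per principal so each owner gets one message. The field names (principal_type, principal_name, action, risk, reason) are an assumption based on the fields the post lists, and the two sample runs are constructed; check both against a real file in your /results directory before wiring this into a job.

```python
"""Diff two runs of find-principals-risky-actions and rank what is new.

Added example, not part of the Blue Lantern toolkit. The field names
(principal_type, principal_name, action, risk, reason) are an ASSUMPTION based
on the fields the post lists; confirm them against a real results file.
"""
import json
import sys
from collections import Counter, defaultdict

# Triage order: privesc first, then the rest; unknown categories sort last.
PRIORITY = {"privesc": 0, "data integrity": 1}

# Constructed sample runs standing in for last week's and this week's JSON files.
LAST_WEEK = json.dumps([
    {"principal_type": "user", "principal_name": "ci-deploy", "action": "iam:PassRole",
     "risk": "privesc", "reason": "Can hand a privileged role to a service it controls"},
    {"principal_type": "role", "principal_name": "legacy-export", "action": "s3:PutBucketPolicy",
     "risk": "data integrity", "reason": "Can rewrite bucket access controls"},
])
THIS_WEEK = json.dumps([
    {"principal_type": "user", "principal_name": "ci-deploy", "action": "iam:PassRole",
     "risk": "privesc", "reason": "Can hand a privileged role to a service it controls"},
    {"principal_type": "role", "principal_name": "audit-reader", "action": "cloudtrail:StopLogging",
     "risk": "data integrity", "reason": "Disables the audit trail"},
    {"principal_type": "user", "principal_name": "alice", "action": "iam:PutUserPolicy",
     "risk": "privesc", "reason": "Allows updating inline policies to grant arbitrary permissions"},
])


def finding_key(f: dict) -> tuple:
    """Identity of a finding across runs: who holds which action."""
    return (f["principal_type"], f["principal_name"], f["action"])


def triage_order(f: dict) -> tuple:
    """Sort key: risk category first, then a stable principal/action order."""
    return (PRIORITY.get(f["risk"], len(PRIORITY)), f["principal_type"], f["principal_name"], f["action"])


def diff_runs(previous_json: str, current_json: str) -> dict:
    """Split the current run into new, resolved and unchanged findings."""
    prev = {finding_key(f): f for f in json.loads(previous_json)}
    cur = {finding_key(f): f for f in json.loads(current_json)}
    new = sorted((cur[k] for k in cur.keys() - prev.keys()), key=triage_order)
    resolved = sorted((prev[k] for k in prev.keys() - cur.keys()), key=triage_order)
    return {"new": new, "resolved": resolved, "unchanged": len(cur.keys() & prev.keys())}


def by_owner(findings: list[dict]) -> dict:
    """Group findings per principal so each owner receives a single message."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[(f["principal_type"], f["principal_name"])].append(f)
    return dict(grouped)


def category_counts(findings: list[dict]) -> Counter:
    return Counter(f["risk"] for f in findings)


if __name__ == "__main__":
    # Usage: python diff_runs.py last_week.json this_week.json  (falls back to the samples)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as a, open(sys.argv[2]) as b:
            previous, current = a.read(), b.read()
    else:
        previous, current = LAST_WEEK, THIS_WEEK

    result = diff_runs(previous, current)
    print(f"new: {dict(category_counts(result['new']))}, "
          f"resolved: {len(result['resolved'])}, unchanged: {result['unchanged']}")
    for (ptype, name), items in by_owner(result["new"]).items():
        print(f"\n{ptype} {name}")
        for f in items:
            print(f"  [{f['risk']}] {f['action']}: {f['reason']}")
```

Keying on (type, name, action) rather than on the whole record means a reworded reason does not show up as churn, and the per-owner grouping is the shape you want for the message L32 describes: one note per principal, privesc items at the top.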

If your environment has its own definition of "risky," swap to find-principals-allowed-action and pass any specific IAM action — see the iam:PassRole post for the shape.