Horizon IAM Risk Series · Part 1 of 5

The Silent Threat Inside Your AWS Account: Why IAM Risk Is the #1 Cloud Security Problem

IAM misconfiguration is the root cause of most AWS breaches — and it almost certainly exists in your account right now.

When an AWS environment gets breached, investigators almost never find a clever zero-day exploit or a sophisticated attack on infrastructure. What they find is a set of overly permissive IAM policies — roles and credentials that gave an attacker exactly what they needed to move laterally, escalate privileges, and exfiltrate data. The code wasn’t the problem. The permissions were.

This is the pattern that repeats across incident reports, post-mortems, and breach disclosures. AWS IAM security is the critical control plane for every resource in your account, and it is routinely under-managed, under-audited, and poorly understood — even at organizations that consider themselves security-conscious.


The Numbers Don’t Lie

The research is unambiguous on where cloud security failures originate.

99% of cloud security failures are the customer's fault — Gartner Not the cloud provider's infrastructure. Not zero-days. Misconfiguration, weak access controls, and failure to apply least privilege.
Compromised credentials are the #1 initial attack vector — IBM Cost of a Data Breach Report Breaches initiated through stolen or abused credentials cost organizations an average of USD $4.9 million — more than any other attack vector.
80%+ of breaches involve the use or abuse of credentials — Verizon DBIR Credential abuse is not an edge case. It is the dominant pattern across industries, company sizes, and geographies.

In the cloud, credentials are IAM. When Verizon says 80% of breaches involve credential abuse, for AWS customers that means IAM roles, access keys, and trust policies. This is not abstract risk. It’s the most likely path an attacker will take through your environment.


Why AWS IAM Is So Hard to Get Right

AWS IAM is one of the most powerful access management systems ever built. That power is also what makes it genuinely difficult to manage at scale.

A non-trivial AWS environment has IAM everywhere:

The AWS documentation is comprehensive. The tooling is capable. But the surface area is enormous. IAM misconfiguration doesn’t require incompetence — it emerges naturally from the speed and complexity of building on AWS.


How It Gets Away From You

IAM debt rarely accumulates through a single bad decision. It accumulates the same way technical debt does: organically, incrementally, under pressure.

The startup phase. Speed matters more than perfection. A developer needs a Lambda to write to an S3 bucket and DynamoDB table, so they attach a managed policy with broad permissions to get it working. A staging environment gets an IAM user with admin rights “temporarily.” A third-party integration gets more access than it needs because the documentation says to use a certain policy and nobody has time to scope it down.

The growth phase. The team grows. Infra is replicated across environments. Roles get copied and modified. The original intent behind permissions gets lost. The developer who set up that admin IAM user is on a different team now. Nobody remembers why the Lambda role has s3:* on *.

Team expansion and vendor onboarding. New engineers inherit what exists and extend it. A SaaS security tool needs cross-account access to scan your environment — and gets broader permissions than required because the vendor’s onboarding docs are generic. A CI/CD pipeline gets programmatic credentials. Those credentials rotate infrequently, if ever.

At no point did anyone make a reckless decision. Each choice was reasonable in context. The result is an AWS access management posture that looks fine from the outside but carries real, exploitable risk.


What “Bad” Actually Looks Like

Here are three IAM states that appear in real AWS accounts at organizations of all sizes. None of them trigger a CloudTrail alarm. None of them are visibly broken. All of them represent material cloud identity risk.

Example 1: The Wildcard Action Role

A Lambda function created during a hackathon has an execution role with the following policy:

{
  "Effect": "Allow",
  "Action": "s3:*",
  "Resource": "*"
}

This role allows the function — and any attacker who compromises it — to read, write, delete, or modify every S3 object in the account, including backups, logs, and anything in buckets belonging to other workloads. The function itself only needs to write to one bucket prefix.

Example 2: The Zombie Role

An IAM role was created 18 months ago to support a vendor integration. The vendor relationship ended. The role was never deleted. It still has an active trust policy allowing the vendor's AWS account to assume it, and the attached permissions include read access to several RDS databases and S3 buckets. No one on the current team knows it exists.

Example 3: The Overpermissive Trust Policy

A deployment role used by a CI/CD pipeline has the following trust policy principal:

{
  "Principal": {
    "AWS": "arn:aws:iam::123456789012:root"
  }
}

This trusts the entire AWS account, not a specific role or user. Any principal in that account — including compromised developer credentials — can assume this deployment role. The intent was to allow a specific deployment user. The result is an open door.

These are not obscure edge cases. They’re representative of the IAM misconfiguration patterns that appear in nearly every environment we’ve assessed.


The Cost of Getting It Wrong

The consequences of IAM misconfiguration don’t announce themselves until it’s too late.

A breach. Compromised credentials or an overly permissive role is the most common path to unauthorized access in AWS. Lateral movement, data exfiltration, ransomware — all of it flows through IAM.

A compliance failure. SOC 2, PCI DSS, HIPAA, ISO 27001 — every major compliance framework requires demonstrable access controls and least privilege. An IAM review is a standard part of any serious audit. Wildcard policies and unused roles are findings.

An audit finding. Even without a breach, a third-party security assessment or customer security questionnaire that surfaces poor IAM hygiene creates business friction. Enterprise customers increasingly require evidence of access controls before signing.

Erosion of customer trust. If your customers are enterprises handing you their data, IAM risk is their risk too. A breach that traces back to an over-permissive role is not a story you want to tell.

The cost of preventive IAM hygiene is a fraction of the cost of any of these outcomes.


Start with Visibility

You can’t fix what you can’t see. The first step toward managing AWS IAM security isn’t a policy rewrite — it’s understanding your current state. What roles exist? Which ones are unused? Which policies grant wildcard actions? Which trust relationships are still valid?

That’s precisely what Horizon IAM Risk Analyzer is built to answer. It scans your AWS environment, maps your IAM posture against least privilege principles, and surfaces the specific findings that carry the most risk — without requiring you to manually trace every policy attachment.

Horizon IAM Risk Analyzer is available on the AWS Marketplace with a free 14-day trial.

See What's Actually in Your AWS IAM

Horizon IAM Risk Analyzer maps your current IAM posture, identifies misconfigurations, and prioritizes the findings that matter most — in minutes, not weeks.

AWS Marketplace listing →

The next post in this series goes deeper: the five IAM misconfigurations we find in almost every AWS account, why they’re so common, and exactly how to fix them. If you’re running workloads in AWS today, at least one of them is in your environment.