AWS | Insights
Identify overprivileged IAM users
As an AWS security admin, you want to check if legacy AWS Identity and Access Management (AWS IAM) users still exist with unnecessary privileges after migrating to AWS Identity Center (SSO).
Walkthrough
- Sign into app.beyondtrust.io. The BeyondTrust Home page displays.
- From the top left of the page, click the icon, then select Insights > Accounts. The Accounts page displays.
- Set these filters: Provider = AWS; Account type = IAM user.
- Sort by the True Privilege column. Select Highest and High.
- Take a look at the results. All IAM user accounts with Highest or High privilege are listed.
How does this information help?
- You can see the accounts outside your federated setup.
- Surfaces hidden risk: a single local IAM user could bypass your Identity Center controls.
What can you do?
- Migrate IAM users into federated access if possible.
- Are you using BeyondTrust Password Safe? Onboard these privileged IAM accounts to ensure credentials are managed appropriately.
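As an added cross-check from the AWS side (example code, not part of this page or the BeyondTrust product), the script below flags IAM users whose own inline or attached policies allow every action on every resource. It assumes the dictionary shape returned by boto3's `iam.get_account_authorization_details()`, uses a constructed sample instead of a live call so it runs offline, and ignores policies inherited through group membership.

```python
"""Flag AWS IAM users whose policies grant admin-level access.

The constructed sample mirrors the shape of
iam.get_account_authorization_details() (UserDetailList / Policies);
pass that call's real output to find_admin_iam_users() in practice.
Heuristic (assumption): "admin-level" means an Allow statement with
Action "*" on Resource "*", which is what AdministratorAccess grants.
"""

def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise."""
    return value if isinstance(value, list) else [value]

def statement_is_admin(stmt):
    """True if an Allow statement grants every action on every resource."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return "*" in actions and "*" in resources

def policy_is_admin(doc):
    return any(statement_is_admin(s) for s in _as_list(doc.get("Statement", [])))

def default_policy_documents(policies):
    """Map managed policy ARN -> the document of its default (active) version."""
    out = {}
    for policy in policies:
        for version in policy.get("PolicyVersionList", []):
            if version.get("IsDefaultVersion"):
                out[policy["Arn"]] = version["Document"]
    return out

def find_admin_iam_users(details):
    """Return names of IAM users with an admin-level inline or attached policy."""
    managed = default_policy_documents(details.get("Policies", []))
    flagged = []
    for user in details.get("UserDetailList", []):
        inline = [p["PolicyDocument"] for p in user.get("UserPolicyList", [])]
        attached = [managed.get(a["PolicyArn"], {}) for a in user.get("AttachedManagedPolicies", [])]
        if any(policy_is_admin(doc) for doc in inline + attached):
            flagged.append(user["UserName"])
    return flagged

# Constructed sample: one legacy admin user and one narrowly scoped read-only user.
SAMPLE_DETAILS = {
    "UserDetailList": [
        {"UserName": "legacy-admin",
         "AttachedManagedPolicies": [{"PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}]},
        {"UserName": "ci-reader",
         "UserPolicyList": [{"PolicyName": "s3-read", "PolicyDocument": {"Statement": [
             {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::ci-artifacts/*"}]}}]},
    ],
    "Policies": [
        {"Arn": "arn:aws:iam::aws:policy/AdministratorAccess",
         "PolicyVersionList": [{"IsDefaultVersion": True,
             "Document": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]},
    ],
}

if __name__ == "__main__":
    print(find_admin_iam_users(SAMPLE_DETAILS))  # ['legacy-admin']
```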
Detect anomalies in AWS account activity
As an AWS admin, you want to know whether AWS accounts are behaving unusually, which could indicate compromise.
Walkthrough
- Sign into app.beyondtrust.io. The BeyondTrust Home page displays.
- From the top left of the page, click the icon, then select Insights > Detections. The Detections page displays.
- Set this filter: Provider = AWS.
- Look for unusual sign-in activity, privilege escalations, or anomalous role assumptions.
How does this information help?
- Highlights risky behavior before it becomes a breach.
- Provides a high-level “threat lens” tied to AWS-specific activity.
What can you do?
- Investigate the account in the True Privilege graph.
- Assess blast radius: What assets can that user access and potentially compromise?
- Downgrade permissions assigned to this user or set up Just-in-Time (JIT) access.
Map escalation paths to critical AWS assets
As an AWS admin, you want to understand how a seemingly low-privileged user could escalate to full AWS admin rights.
Walkthrough
- Sign into app.beyondtrust.io. The BeyondTrust Home page displays.
- From the top left of the page, click the icon, then select Insights > Dashboard. The Insights Home page displays.
- Click the View Escalation Paths link.
- Set this filter: Provider = AWS. Entitlements display for all AWS users.
- Click the icon.
- Inspect chains where Identity Center groups map to IAM roles with broad privileges.
- Highlight "choke points". In this scenario, a group grants excessive privilege to its members. A group member can then take advantage of those excessive privileges and compromise other areas of AWS.
How does this information help?
- Surfaces “hidden ladders” attackers could exploit.
- Demonstrates blast radius if one account in the chain is compromised.
What can you do?
- Break escalation chains by tightening group-to-role mappings.
- Apply least-privilege practices.
Uncover secrets with broad access
As an AWS admin, you suspect sensitive AWS Secrets Manager entries are accessible to too many people.
Walkthrough
- Sign into app.beyondtrust.io. The BeyondTrust Home page displays.
- From the top left of the page, click the icon, then select Insights > Entitlements.
- Set this filter: Type = Secret.
- Click the link for a secret to see more information on the Details tab. You can see the account names that are using the secret.
- Click the icon to display the Path to Privilege page for a user. On the Path to Privilege page, trace which roles and groups grant access. Identify choke points where a single role cascades access to many users.
How does this information help?
- Pinpoints where high-value secrets are exposed.
- Connects AWS secrets to identities across domains, for example Microsoft Entra ID federated accounts that have unexpected secret access.
Think of a sensitive secret stored in AWS Secrets Manager. A breach can devastate the business if too many identities can access it.
What can you do?
- Restrict user and role access to sensitive secrets.