
Quick Summary: AWS IAM estates grow complex fast — roles inherit permissions across accounts, access keys age beyond policy, and cross-account chains create attack paths no spreadsheet can map. Oleria, an AI-native identity security & governance platform, maps your full AWS IAM estate including every role, key, and cross-account relationship with a named owner for each.
If you're running 20+ AWS accounts, you already know the console can't answer "who has what" across the org. The cross-account assume-role chains and the access keys someone created in 2021 and forgot are invisible until an attacker uses them. Oleria gives you the full org-wide picture - with owners attached - in one query.
AWS IAM is the densest NHI surface in most enterprises. Users, roles, access keys, instance profiles, federated identities, role chains across accounts. The AWS Console shows you one account at a time. AWS Access Analyzer finds unused access but doesn't tell you who owns the role. AWS Identity Center shows you permission sets but not the per-account roles assumed via STS. The picture you need - "every NHI in our AWS org, who owns it, what's stale, what's overprivileged" - sits between the categories.
The numbers say the rest. Industry research consistently finds that 30%+ of AWS access keys in the average enterprise are older than 90 days. Cross-account assume-role paths in mid-size estates run into the hundreds, often unmapped. CISA and CSA research on cloud IAM hygiene consistently shows that in cloud-first organizations the overwhelming majority of identities are non-human; the AWS estate is machine, not human. The U.S. Treasury breach in late 2024 illustrated the failure mode: poorly governed API keys becoming the entry point for privilege escalation and lateral movement.
What makes this stubborn is the multi-account reality. The cloud team writes a script per account. They run it monthly. The output is 23 spreadsheets. They never get joined. The trust-policy chain in account A that lets account B assume into account C is invisible until an attacker uses it. CSPM finds the misconfigurations. CIEM finds the effective permissions. Neither treats roles as identities with owners, lifecycle, and review cycles - so findings pile up without a human accountable for resolving them. Oleria ties the technical picture to that missing ownership layer.
Org-wide AWS IAM Estate Inventory in one view - no more 23 separate spreadsheets. IAM users, roles, access keys, instance profiles, and IAM Identity Center permission sets across every account in your AWS Organization, connected via Organizations delegated admin or org-wide read role.
Assume-role chain resolution that maps what attackers actually use. A role in account A that lets account B assume it that lets a role in account C assume it - three hops, one chain, one risk picture. The lateral movement paths that stay invisible in the console, surfaced before they're exploited.
Access key hygiene queue, sorted by privilege. Last-used date, last-rotated date, age, and scope for every access key. The 90-day-old keys you forgot you created, surfaced as a prioritized queue ready for rotation or revocation.
Privilege drift detection that catches new accumulation within hours. Roles that picked up additional managed policies, inline policies, or trust-policy expansions over time - flagged when it happens, not at audit time.
Complete AWS IAM Estate Inventory and Governance — every role, access key, and cross-account chain resolved with named owners, org-wide.
You connect AWS Organizations via the management account. Within an hour, the inventory shows 12,847 NHIs across 23 accounts. Of those, 1,124 access keys are older than 90 days. 287 IAM roles have trust policies allowing assume from a wildcard principal. 412 roles hold AdministratorAccess or near-admin policies. The cross-account map shows 67 assume-role chains that span 3+ accounts. The cloud team takes the access-key queue, the security team takes the trust-policy queue, the platform team takes the privilege-drift queue. Three months later, 90+ day access keys are at zero, sustained by automated rotation workflows. Trust-policy permissiveness has dropped 60%. Drift detection runs daily and surfaces new privilege accumulation within hours.
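The two findings above that the console cannot produce across accounts, a multi-hop assume-role chain and a trust policy that allows assume from a wildcard principal, both fall out of the same data: each role's trust policy (the AssumeRolePolicyDocument that iam:GetRole returns). The following is an added example, not Oleria's code, that resolves those chains from a constructed three-account sample and flags wildcard-trusting roles; the ARNs and account IDs are invented.

```python
from collections import defaultdict
# Constructed sample (not real data): role ARN -> AssumeRolePolicyDocument,
# the shape iam:GetRole returns. Three accounts, one 3-hop chain, one wildcard.
ROLES = {
    "arn:aws:iam::111111111111:role/ci-deploy": {"Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "arn:aws:iam::222222222222:role/build-agent"}}]},
    "arn:aws:iam::222222222222:role/build-agent": {"Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": ["arn:aws:iam::333333333333:role/dev-admin"]}}]},
    "arn:aws:iam::333333333333:role/dev-admin": {"Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "*"}}]},
    "arn:aws:iam::111111111111:role/ec2-app": {"Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"Service": "ec2.amazonaws.com"}}]},
}

def account_of(arn): return arn.split(":")[4]  # account ID is the 5th ARN field

def assume_edges(roles):
    """Build principal -> [assumable role] edges; collect roles that trust '*'."""
    edges, wildcard = defaultdict(list), []
    for target, doc in roles.items():
        for st in doc["Statement"]:
            prin = st.get("Principal", {})
            if st["Effect"] != "Allow":
                continue
            if prin == "*":                      # Principal: "*" shorthand form
                wildcard.append(target); continue
            aws = prin.get("AWS", [])            # Service principals are not edges
            for p in ([aws] if isinstance(aws, str) else aws):
                if p == "*":
                    wildcard.append(target)
                else:                            # bare account ID means that account's root
                    edges[p if ":" in p else f"arn:aws:iam::{p}:root"].append(target)
    return edges, wildcard

def chains(roles, min_accounts=3):
    """DFS over assume edges; return chains spanning >= min_accounts distinct accounts."""
    edges, _ = assume_edges(roles)
    found = []
    def walk(path):
        for nxt in edges.get(path[-1], []):
            if nxt in path:                      # trust cycles are legal in IAM; stop here
                continue
            if len({account_of(a) for a in path + [nxt]}) >= min_accounts:
                found.append(path + [nxt])
            walk(path + [nxt])
    for start in list(edges):
        walk([start])
    return found
```

On real data the ROLES mapping would be filled from iam:ListRoles in every member account; the chain resolution then reports the 3+ account paths that the 67-chain figure above refers to.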

Yes. Connect once via the management account or a delegated admin and Oleria discovers and inventories every member account. New accounts added to the org appear in inventory automatically.
Permission sets and assignments via Identity Center are part of the inventory. Federated humans and federated workloads share the graph; you can filter to just NHIs when the question is about machines.
Inventory scales horizontally and is incremental after first sync. Filtering and saved views handle large estates without loading everything into the UI at once. The cloud team in a 50-account org runs the same workflows as the team in a 2-account org.
Oleria reads IAM continuously. Actions like rotating keys or narrowing policies happen via the workflow engine and require explicit operator action with audit trail. Read-only by default; write actions are opt-in per workflow. We don't move quietly through your IAM.
Access Analyzer finds unused access and external access. Oleria treats roles as identities - with owners, review cycles, and cross-app context. The role's consumer is a Jenkins pipeline. The pipeline is owned by team X. Team X's lead just left. That whole picture is what makes the finding actionable. Different lens, often complementary.