This control plane turns raw AWS Access Analyzer exports into a buyer-readable identity and perimeter surface: public resources, external trust, stale findings, disabled analyzers, and the remediation packet needed before audits, incidents, or release windows drift.
| Lane | Owner | Focus | Status | Findings | Next action |
|---|---|---|---|---|---|
| Production analyzer lane. This is the highest-risk lane because active public findings are still open. | Cloud Security Engineering | Public perimeter findings in primary account | red | 2 | Clear public S3 and KMS posture before assuming account boundary is governed. |
| Vendor trust lane. External trust is expected in places, but should never stay unconstrained. | IAM Platform | Cross-account role assumptions | yellow | 2 | Attach restrictive conditions or rotate to scoped federation before the next vendor rollout. |
| Secondary region analyzer. A disabled analyzer creates blind spots even if primary-account posture looks healthy. | Platform Operations | Coverage outside primary account path | red | 1 | Re-enable the disabled analyzer and confirm archive-rule baseline in the secondary region. |
| Archive hygiene lane. Archive rules are not just noise control; they shape triage clarity. | Cloud Governance | Expected-benign finding suppression | yellow | 1 | Define archive rules so known safe patterns stop drowning active operator triage. |
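The lane roll-up above can be reproduced from the raw exports. The following is an added example, not the control plane's own code: it takes finding records in the shape `aws accessanalyzer list-findings` returns and analyzer records in the shape `list-analyzers` returns (both constructed here, with a constructed `_analyzer` tag added to each finding so it can be tied back to its analyzer), assigns each ACTIVE finding to a lane, flags stale findings and unconstrained cross-account trust, and derives the lane status colour. The 30-day staleness threshold, the known-safe account allowlist, and the red/yellow/green policy are assumptions, not Access Analyzer semantics.

```python
"""Roll raw Access Analyzer exports up into per-lane posture (added example)."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock so the run is reproducible
STALE_AFTER = timedelta(days=30)                   # assumed threshold for a "stale" finding
KNOWN_SAFE_ACCOUNTS = {"111122223333"}             # assumed archive-rule baseline (constructed)

# Constructed finding records; field names follow `list-findings`, `_analyzer` is our own tag.
FINDINGS = [
    {"id": "f-s3", "resourceType": "AWS::S3::Bucket", "resource": "arn:aws:s3:::example-public-assets",
     "isPublic": True, "principal": {}, "condition": {}, "status": "ACTIVE",
     "analyzedAt": "2024-05-30T00:00:00Z", "_analyzer": "primary"},
    {"id": "f-kms", "resourceType": "AWS::KMS::Key", "resource": "arn:aws:kms:us-east-1:123456789012:key/example",
     "isPublic": True, "principal": {}, "condition": {}, "status": "ACTIVE",
     "analyzedAt": "2024-04-01T00:00:00Z", "_analyzer": "primary"},
    {"id": "f-role-1", "resourceType": "AWS::IAM::Role", "resource": "arn:aws:iam::123456789012:role/vendor-ingest",
     "isPublic": False, "principal": {"AWS": "999999999999"}, "condition": {}, "status": "ACTIVE",
     "analyzedAt": "2024-05-31T00:00:00Z", "_analyzer": "primary"},
    {"id": "f-role-2", "resourceType": "AWS::IAM::Role", "resource": "arn:aws:iam::123456789012:role/vendor-report",
     "isPublic": False, "principal": {"AWS": "999999999999"},
     "condition": {"aws:PrincipalOrgID": "o-example"}, "status": "ACTIVE",
     "analyzedAt": "2024-05-31T00:00:00Z", "_analyzer": "primary"},
    {"id": "f-role-3", "resourceType": "AWS::IAM::Role", "resource": "arn:aws:iam::123456789012:role/shared-logging",
     "isPublic": False, "principal": {"AWS": "111122223333"}, "condition": {}, "status": "ACTIVE",
     "analyzedAt": "2024-05-31T00:00:00Z", "_analyzer": "primary"},
    {"id": "f-old", "resourceType": "AWS::S3::Bucket", "resource": "arn:aws:s3:::example-archived",
     "isPublic": True, "principal": {}, "condition": {}, "status": "ARCHIVED",
     "analyzedAt": "2024-01-01T00:00:00Z", "_analyzer": "primary"},
]

# Constructed analyzer records; field names follow `list-analyzers`.
ANALYZERS = [
    {"name": "primary", "arn": "arn:aws:access-analyzer:us-east-1:123456789012:analyzer/primary",
     "type": "ACCOUNT", "status": "ACTIVE"},
    {"name": "secondary", "arn": "arn:aws:access-analyzer:us-west-2:123456789012:analyzer/secondary",
     "type": "ACCOUNT", "status": "DISABLED"},
]

LANES = ("production", "vendor", "coverage", "archive")


def _ts(value):
    """Parse the ISO-8601 UTC timestamps the export uses."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify(finding):
    """Map one finding to a lane; ARCHIVED/RESOLVED findings never count."""
    if finding.get("status") != "ACTIVE":
        return None
    if finding.get("isPublic"):
        return "production"                      # public perimeter exposure
    account = finding.get("principal", {}).get("AWS")
    if account in KNOWN_SAFE_ACCOUNTS:
        return "archive"                         # known-safe pattern still un-archived
    if account is not None:
        return "vendor"                          # cross-account trust
    return None


def rollup(findings, analyzers, now=NOW):
    """Build the lane table: finding entries plus a derived status colour."""
    lanes = {name: {"findings": [], "status": "green"} for name in LANES}
    for f in findings:
        lane = classify(f)
        if lane is None:
            continue
        lanes[lane]["findings"].append({
            "id": f["id"], "resource": f["resource"],
            "stale": now - _ts(f["analyzedAt"]) > STALE_AFTER,
            "unconstrained": not f.get("condition"),   # no condition keys on the grant
        })
    for a in analyzers:                          # any non-ACTIVE analyzer is a blind spot
        if a["status"] != "ACTIVE":
            lanes["coverage"]["findings"].append({
                "id": a["name"], "resource": a["arn"], "stale": False,
                "unconstrained": False, "reason": a["status"]})
    # Assumed status policy: red for public exposure or lost coverage,
    # yellow for unconstrained trust or missing archive rules.
    if lanes["production"]["findings"]:
        lanes["production"]["status"] = "red"
    if lanes["coverage"]["findings"]:
        lanes["coverage"]["status"] = "red"
    if any(e["unconstrained"] for e in lanes["vendor"]["findings"]):
        lanes["vendor"]["status"] = "yellow"
    if lanes["archive"]["findings"]:
        lanes["archive"]["status"] = "yellow"
    return lanes


def stale_ids(lanes):
    """IDs of active findings whose last analysis is older than STALE_AFTER."""
    return sorted(e["id"] for lane in lanes.values() for e in lane["findings"] if e["stale"])


if __name__ == "__main__":
    result = rollup(FINDINGS, ANALYZERS)
    for name in LANES:
        print(f"{name:<10} {result[name]['status']:<6} findings={len(result[name]['findings'])}")
    print("stale:", stale_ids(result))
```

Run against the constructed input this yields the same counts and colours as the table above (production red/2, vendor yellow/2, coverage red/1, archive yellow/1) and flags the KMS finding as stale; the archived public finding is ignored because archive and resolved states are not posture. Swapping the constructed lists for the real `list-findings` and `list-analyzers` JSON is the only change needed to run it on a live export.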