This control plane turns raw AWS Access Analyzer exports into a buyer-readable identity and perimeter surface: public resources, external trust, stale findings, disabled analyzers, and the remediation packet needed before audits, incidents, or release windows drift.
| Risk | Owner | Subject | Region | Principal | Message |
|---|---|---|---|---|---|
| high public-bucket-access | Cloud Security Engineering | arn:aws:s3:::marketing-export-drop | us-east-1 | * | Bucket "arn:aws:s3:::marketing-export-drop" is reachable by a public principal. |
| high external-principal-without-condition | IAM Platform | arn:aws:iam::111122223333:role/vendor-billing-export | us-east-1 | arn:aws:iam::444455556666:root | Finding "arn:aws:iam::111122223333:role/vendor-billing-export" allows an external principal without restrictive condition keys. |
| high public-kms-key-access | Cloud Security Engineering | arn:aws:kms:us-east-1:111122223333:key/abcd-1234 | us-east-1 | * | KMS key "arn:aws:kms:us-east-1:111122223333:key/abcd-1234" exposes public access posture that should be reviewed immediately. |
| medium analyzer-disabled | Platform Operations | ops-secondary | us-west-2 | — | Analyzer "ops-secondary" is disabled and will not surface new findings. |
| medium stale-active-finding | Cloud Security Engineering | arn:aws:s3:::marketing-export-drop | us-east-1 | * | Finding "arn:aws:s3:::marketing-export-drop" has remained active since 2026-04-24. |
| medium cross-account-role-trust | IAM Platform | arn:aws:iam::111122223333:role/vendor-billing-export | us-east-1 | arn:aws:iam::444455556666:root | Role "arn:aws:iam::111122223333:role/vendor-billing-export" trusts an external principal and should be validated against expected federation or vendor access. |
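As an added example (not the product's own code), the classifier below derives the six rows of the table above from a constructed Access Analyzer export. Field names follow the `list-findings` and `list-analyzers` API output (`resource`, `resourceType`, `principal`, `isPublic`, `condition`, `status`, `createdAt`; analyzer `name` and `status`); the risk identifiers, the 30-day stale threshold and all sample values are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Assumption: an ACTIVE finding older than this is reported as stale.
STALE_AFTER = timedelta(days=30)
PUBLIC_RISK = {"AWS::S3::Bucket": "public-bucket-access", "AWS::KMS::Key": "public-kms-key-access"}

def classify_finding(f, now):
    """Map one Access Analyzer finding to (severity, risk, subject, principal) rows."""
    if f["status"] != "ACTIVE":              # ARCHIVED / RESOLVED carry no live exposure
        return []
    subject = f"{f['resource']} {f['region']}"
    principal = "*" if f["isPublic"] else f["principal"].get("AWS", "(none)")
    rows = []
    if f["isPublic"]:
        rows.append(("high", PUBLIC_RISK.get(f["resourceType"], "public-resource-access"),
                     subject, principal))
    elif not f.get("condition"):             # external trust with no restricting condition keys
        rows.append(("high", "external-principal-without-condition", subject, principal))
    if f["resourceType"] == "AWS::IAM::Role" and not f["isPublic"]:
        rows.append(("medium", "cross-account-role-trust", subject, principal))
    if now - datetime.fromisoformat(f["createdAt"]) > STALE_AFTER:
        rows.append(("medium", "stale-active-finding", subject, principal))
    return rows

def classify_analyzer(a):
    """A disabled analyzer is itself a finding: coverage silently stops."""
    if a["status"] == "ACTIVE":
        return []
    return [("medium", "analyzer-disabled", f"{a['name']} {a['region']}", "(none)")]

def build_surface(findings, analyzers, now):
    rows = [r for f in findings for r in classify_finding(f, now)]
    rows += [r for a in analyzers for r in classify_analyzer(a)]
    return sorted(rows, key=lambda r: r[0] != "high")   # high first, stable within severity

def finding(resource, rtype, public, principal, created):
    """Constructed finding record using the list-findings field names (sample data only)."""
    return {"resource": resource, "resourceType": rtype, "region": "us-east-1",
            "isPublic": public, "principal": principal, "condition": {},
            "status": "ACTIVE", "createdAt": created}

# Constructed sample export mirroring the table above, not real account data.
NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)
FINDINGS = [
    finding("arn:aws:s3:::marketing-export-drop", "AWS::S3::Bucket", True, {},
            "2026-04-24T00:00:00+00:00"),
    finding("arn:aws:iam::111122223333:role/vendor-billing-export", "AWS::IAM::Role", False,
            {"AWS": "arn:aws:iam::444455556666:root"}, "2026-05-20T00:00:00+00:00"),
    finding("arn:aws:kms:us-east-1:111122223333:key/abcd-1234", "AWS::KMS::Key", True, {},
            "2026-05-25T00:00:00+00:00"),
]
ANALYZERS = [{"name": "ops-secondary", "region": "us-west-2", "status": "DISABLED"}]
```

Calling `build_surface(FINDINGS, ANALYZERS, NOW)` yields the three high rows followed by the three medium rows of the table; archived or resolved findings produce no rows at all.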