PS Product SecurityKnowledge Base

๐Ÿชช IAM Review Checklist

Intro: This checklist focuses on human and non-human access, trust policies, privilege boundaries, and the path by which powerful actions happen.

Best time to use this checklist

Use it for new roles, service accounts, federation trust, break-glass paths, admin workflows, and platform changes.

Stop-the-line conditions

  • wildcard or broad admin privilege without strong business justification;
  • long-lived static credentials for automation where federation is possible;
  • unclear mapping between identity, owner, and purpose;
  • transitive trust that lets one compromised system pivot into another.

Text-first review prompts

  • Which actor or workload identity is using this permission?
  • Is the privilege scoped to specific resources, actions, and environments?
  • What trust assumption lets this identity exist or assume a more powerful role?
  • How short-lived is the credential material?
  • What logs prove that the identity acted, and what alerts watch for misuse?
  • What would an attacker gain if this identity were compromised?

Evidence table

Control area What to verify Typical evidence
Identity purpose Every identity has a clear owner and business purpose IAM inventory, owner mapping
Privilege scope Permissions are limited to required actions and resources policy review, diff
Trust Federation, assume-role, and service-account trust is understood trust policy, OIDC config
Credential lifetime Short-lived credentials are used where possible STS config, token lifetime
Detection Use of privileged identities is logged and monitored audit logs, detections

Common misses

  • reviewing permissions without reviewing trust relationships;
  • ignoring who can edit the role instead of who can use the role;
  • failing to separate development and production authority;
  • forgetting that an overpowered CI identity is often a production risk, not only a build risk.

---Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.