Compliance Frameworks
BETA// Beta Mapping Disclaimer
Framework mappings are currently in beta. These references are generated based on technical specifications and common industry alignments. Mappings may be incomplete or inaccurate; always consult with a qualified auditor for official compliance validation.
Overview
Perform manual, quarterly access reviews of IAM roles, users, and access keys across Landing Zone accounts. Use the Organization-level IAM Access Analyzer (deployed separately via AWS-IAM-010) to retrieve unused access findings as the authoritative data source for each review cycle.
This control governs the manual review process for stale or excessive permissions within Landing Zone accounts. The Organization-level IAM Access Analyzer continuously generates findings for UnusedPermission, UnusedIAMUserAccessKey, and UnusedIAMRole based on a 90-day CloudTrail-derived lookback window. On a quarterly cadence, the responsible team queries these findings per account, evaluates each identified entity, and revokes or deletes credentials and roles that are no longer operationally required. The review outcome must be documented as compliance evidence for each cycle.
Unused privileged access is a persistent attack surface. Credentials or roles that exist but are never used cannot be distinguished from compromised ones during a security incident. Regular manual reviews ensure that permissions are aligned with current operational need and that accumulated drift is addressed before it can be exploited.
Remediation Strategy
Query the existing Organization-level IAM Access Analyzer for unused access findings scoped to Landing Zone accounts. Manually evaluate each finding and revoke or delete identified unused credentials and roles.
Identify the ARN of the Organization-level IAM Access Analyzer deployed in the management or delegated security administrator account.
Query the analyzer for findings of type UnusedPermission, UnusedIAMUserAccessKey, and UnusedIAMRole, filtered to the Landing Zone accounts under review.
For each finding, confirm with the account owner whether the access is still operationally required.
Revoke unused permissions, delete inactive access keys, and remove roles with no recent activity.
Archive the finding list and revocation actions as evidence for the quarterly review record.
# Query unused access findings for a specific Landing Zone account
aws accessanalyzer list-findings-v2 \
--analyzer-arn <org-analyzer-arn> \
--filter '{
"findingType": {"eq": ["UnusedPermission", "UnusedIAMUserAccessKey", "UnusedIAMRole"]},
"resourceOwnerAccount": {"eq": ["<landing-zone-account-id>"]}
}'