duo-labs / cloudtracker

CloudTracker helps you find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies.
BSD 3-Clause "New" or "Revised" License

Make Athena support work with Federated users #24

Open 0xdabbad00 opened 5 years ago

robertdavis1 commented 4 years ago

Question on this enhancement. Is this looking to leverage something like a central security account that assumes into the account in question to run Athena queries and gather information?

i.e.: role in central security/audit account -> assume into account -> run Athena queries

0xdabbad00 commented 4 years ago

No, the concept here is that many companies use Federated users (e.g. SSO into accounts), which can end up all being just the same IAM role, so you have Alice and Bob using Okta to access the AWS account as the admin role. So you want to know, does Bob actually use all of his privileges? Can we limit Bob to only view access?
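Attributing actions per federated user, as an added example that is not CloudTracker's own code: CloudTrail records for SSO users all carry the shared role's ARN, but the role session name at the end of `userIdentity.arn` still separates Alice from Bob, so each session's actions can be tallied and compared against what the role grants. The sample records, the `admin` role and the granted-action set are constructed for the example.

```python
from collections import defaultdict

# Constructed sample CloudTrail records (not real log data). Alice and Bob both
# federate via SSO into the same "admin" role, so the role ARN alone cannot tell
# them apart; the role session name at the end of userIdentity.arn can.
SAMPLE_RECORDS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/admin/alice"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/admin/alice"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/admin/bob"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/admin/bob"}},
    # A plain IAM user event: not federated, so it stays out of the per-session view.
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/carol"}},
]

def session_principal(record):
    """Return (role_name, session_name) for an AssumedRole event, else None."""
    identity = record.get("userIdentity", {})
    if identity.get("type") != "AssumedRole":
        return None
    # ARN shape: arn:aws:sts::ACCOUNT:assumed-role/ROLE_NAME/SESSION_NAME
    resource = identity["arn"].split(":", 5)[5]
    _, role_name, session_name = resource.split("/", 2)
    return role_name, session_name

def actions_by_session(records):
    """Map each (role, session_name) to the set of service:Action names used.
    eventName is taken as the IAM action, which holds for most but not all APIs
    (CloudTracker keeps an explicit mapping for the exceptions)."""
    used = defaultdict(set)
    for record in records:
        principal = session_principal(record)
        if principal is None:
            continue
        service = record["eventSource"].split(".", 1)[0]
        used[principal].add(f"{service}:{record['eventName']}")
    return dict(used)

def unused_actions(granted, used):
    """Actions in the role's policy that a given session never exercised."""
    return set(granted) - set(used)
```

Feeding the per-session sets into the same comparison CloudTracker does for IAM users answers the "does Bob use all of it" question per person rather than per role.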