
Use IAM Access Analyzer to detect unused Amazon Bedrock permissions
Security best practices to maintain least privilege
Shreyas Subramanian
Amazon Employee
Published Jan 18, 2025
Identity-based policies determine whether someone can create, access, or delete Amazon Bedrock resources in your account. When you create or edit identity-based policies, follow these guidelines and recommendations:
- Get started with AWS managed policies and move toward least-privilege permissions – To get started granting permissions to your users and workloads, use the AWS managed policies that grant permissions for many common use cases. They are available in your AWS account. We recommend that you reduce permissions further by defining AWS customer managed policies that are specific to your use cases. For more information, see AWS managed policies or AWS managed policies for job functions in the IAM User Guide.
- Apply least-privilege permissions – When you set permissions with IAM policies, grant only the permissions required to perform a task. You do this by defining the actions that can be taken on specific resources under specific conditions, also known as least-privilege permissions. For more information about using IAM to apply permissions, see Policies and permissions in IAM in the IAM User Guide.
- Use conditions in IAM policies to further restrict access – You can add a condition to your policies to limit access to actions and resources. For example, you can write a policy condition to specify that all requests must be sent using SSL. You can also use conditions to grant access to service actions if they are used through a specific AWS service, such as AWS CloudFormation. For more information, see IAM JSON policy elements: Condition in the IAM User Guide.
- Use IAM Access Analyzer to validate your IAM policies to ensure secure and functional permissions – IAM Access Analyzer validates new and existing policies so that the policies adhere to the IAM policy language (JSON) and IAM best practices. IAM Access Analyzer provides more than 100 policy checks and actionable recommendations to help you author secure and functional policies. For more information, see Validate policies with IAM Access Analyzer in the IAM User Guide.
In this blog, we will focus on the last point - how to use IAM Access Analyzer to move towards least-privilege permissions. Let us assume you have been using Amazon Bedrock for a while via roles attached to multiple applications. Follow the steps below to analyze these roles using IAM Access Analyzer:
Step 1 - Search for IAM Access Analyzer in the Search field in your AWS console

Step 2 - Navigate to 'Unused findings' on the left sidebar

Step 3 - Create an access analyzer, and wait for the results to refresh

Step 4 - To find unused roles related to Bedrock, filter by resources that contain 'bedrock'

You will find a few roles that you can further investigate and delete:

Step 5 - Find unused permissions by using the findings filter again as shown

Then find any unused permissions related to Bedrock roles and investigate them further:

Step 6 - In the recommendations section, click Preview policy to see suggested changes

Step 7 - You can copy and edit the policy in IAM after reviewing
Here is an example of a bedrock logging role with unused permissions being pruned:

Here is another example of an agents role with unused permissions being pruned:

And lastly, here is an example of a Bedrock read-only policy with unused SageMaker-related permissions removed:
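The same workflow (filter the findings for resources containing 'bedrock', then preview a policy with the unused actions pruned) expressed in Python, as an added example that is not from the original post or from AWS. The findings and the logging-role policy are constructed samples, and the finding field layout (`findingType`, `resource`, `findingDetails[].unusedPermissionDetails`) is an assumption modelled on the Access Analyzer list-findings-v2 / get-finding-v2 responses.

```python
# Constructed sample findings, shaped after the Access Analyzer
# list-findings-v2 / get-finding-v2 output (the field layout is an assumption).
SAMPLE_FINDINGS = [
    {"id": "f-1", "findingType": "UnusedIAMRole", "status": "ACTIVE",
     "resource": "arn:aws:iam::111122223333:role/bedrock-legacy-agent-role"},
    {"id": "f-2", "findingType": "UnusedPermission", "status": "ACTIVE",
     "resource": "arn:aws:iam::111122223333:role/bedrock-logging-role",
     "findingDetails": [{"unusedPermissionDetails": {
         "serviceNamespace": "s3", "actions": [{"action": "DeleteBucket"}]}}]},
    {"id": "f-3", "findingType": "UnusedIAMRole", "status": "ACTIVE",
     "resource": "arn:aws:iam::111122223333:role/payments-api-role"},
]

# Constructed policy for a Bedrock logging role (not the author's policy).
LOGGING_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:DeleteBucket"],
     "Resource": "arn:aws:s3:::example-bedrock-logs/*"},
]}

def bedrock_findings(findings, finding_type):
    """Steps 4/5: active findings of one type whose resource name contains 'bedrock'."""
    return [f for f in findings if f["status"] == "ACTIVE"
            and f["findingType"] == finding_type
            and "bedrock" in f["resource"].lower()]

def unused_actions(finding):
    """Flatten an UnusedPermission finding into 'service:Action' strings."""
    out = set()
    for d in finding.get("findingDetails", []):
        det = d.get("unusedPermissionDetails", {})
        for a in det.get("actions", []):
            out.add(f'{det["serviceNamespace"]}:{a["action"]}')
    return out

def prune_policy(policy, unused):
    """Steps 6/7: drop unused actions from Allow statements; Deny statements stay."""
    kept = []
    for st in policy["Statement"]:
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if st.get("Effect") == "Allow":
            actions = [a for a in actions if a not in unused]
            if not actions:
                continue  # every action in this statement was unused: drop it
        kept.append({**st, "Action": actions})
    return {**policy, "Statement": kept}
```

Review the pruned document before applying it in IAM, exactly as you would with the console's Preview policy output.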

Using tools like IAM Access Analyzer, you can keep your roles and policies up to date, making sure you are defining AWS policies that are specific to your use cases. Also make sure to repeat this review periodically, as scopes can change throughout the lifetime of an application.
Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.