AWS Permission Analyzer
Deploy a read-only analyzer via CloudFormation to map IAM permissions attached to discovered AWS credentials.
Key Features
- One-click CloudFormation template deployment
- Read-only IAM role (iam:Simulate*, iam:Get*, iam:List*)
- Permission boundary detection
- Cross-account role support
- Automatic re-analysis when credentials change
Requirements
1. AWS account with CloudFormation stack create permission
2. IAM admin to approve the analyzer role
3. Cremit Argus account on Pro plan or above
Step-by-step setup guide
The exact flow you follow inside the dashboard.
Overview
The AWS Permission Analyzer deploys a read-only IAM role in your AWS account via CloudFormation. When Argus discovers an AWS credential, the analyzer resolves that credential's real IAM permissions, lets you assess over-privilege, and maps the exposure surface before you rotate.
Prerequisites
- AWS account with permission to create IAM roles and CloudFormation stacks
- A Cremit Argus account on the Pro plan or above
- For multi-account orgs: an administrator to approve the stack in each account
Step-by-Step Setup
Step 1: Download the CloudFormation template from Argus
- In Argus, go to Security > Permission Analysis and click Add AWS Analyzer
- Copy the provided External ID; you will use it in Step 2 to prevent confused-deputy attacks
- Click Launch Stack to open the AWS CloudFormation console with the template pre-filled, or download the template YAML to deploy manually
Step 2: Deploy the CloudFormation stack
The stack creates an IAM role that Cremit can assume with least-privilege, read-only access.
- Paste the External ID into the stack parameters
- Review the IAM role; it grants iam:Get*, iam:List*, iam:Simulate* and read-only scoped-policy queries
- Click Create Stack and wait for CREATE_COMPLETE (usually under 2 minutes)
- Copy the Role ARN from the stack's Outputs tab
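To make the stack's contents concrete, here is an added example (not Cremit's own template, whose exact contents the steps above only describe) that emits the analyzer role as a CloudFormation template in JSON form and then checks it: the External ID is a NoEcho stack parameter enforced through an sts:ExternalId condition on the trust policy, and the permission policy grants only iam:Get*, iam:List* and iam:Simulate*. The Argus account ID 111122223333 and the role name are placeholders, not Cremit's real identifiers.

```python
import json

# Placeholders (constructed for this example): the account Argus assumes the
# role from, and the role name used in the stack.
ARGUS_ACCOUNT_ID = "111122223333"
ROLE_NAME = "CremitArgusPermissionAnalyzer"

# The read-only actions the analyzer role is granted.
READ_ONLY_ACTIONS = ["iam:Get*", "iam:List*", "iam:Simulate*"]

# IAM action name prefixes that change state; none of these may be granted.
MUTATING_PREFIXES = ("Create", "Put", "Update", "Delete", "Attach", "Detach",
                     "Add", "Remove", "Set", "Tag", "Untag", "Deactivate",
                     "Upload", "Change", "Reset", "Pass")


def build_template(argus_account_id: str = ARGUS_ACCOUNT_ID) -> dict:
    """Return a CloudFormation template (JSON form) for the analyzer role.

    The External ID copied from Argus is supplied at deploy time as a stack
    parameter; the trust policy requires it via an sts:ExternalId condition,
    which is the confused-deputy guard.
    """
    trust_policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{argus_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": {"Ref": "ExternalId"}}},
        }],
    }
    permission_policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ReadOnlyIamAnalysis",
            "Effect": "Allow",
            "Action": READ_ONLY_ACTIONS,
            "Resource": "*",
        }],
    }
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": "Read-only IAM role for the Argus Permission Analyzer (example)",
        "Parameters": {
            "ExternalId": {
                "Type": "String",
                "NoEcho": True,      # keep the value out of the console and describe-stacks output
                "MinLength": 8,
                "Description": "External ID shown in Argus; must match exactly",
            }
        },
        "Resources": {
            "AnalyzerRole": {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "RoleName": ROLE_NAME,
                    "AssumeRolePolicyDocument": trust_policy,
                    "Policies": [{"PolicyName": "ArgusReadOnlyIam",
                                  "PolicyDocument": permission_policy}],
                },
            }
        },
        "Outputs": {
            "RoleArn": {
                "Description": "Paste this into the Argus Add AWS Analyzer form",
                "Value": {"Fn::GetAtt": ["AnalyzerRole", "Arn"]},
            }
        },
    }


def check_least_privilege(template: dict) -> list:
    """Return findings for the analyzer role; an empty list means it passes.

    Verifies that every AssumeRole statement carries an sts:ExternalId
    condition, that no principal is a wildcard, and that no granted action
    can mutate state.
    """
    findings = []
    props = template["Resources"]["AnalyzerRole"]["Properties"]
    for stmt in props["AssumeRolePolicyDocument"]["Statement"]:
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in cond:
            findings.append("trust policy statement lacks sts:ExternalId condition")
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("trust policy allows any principal")
    for policy in props["Policies"]:
        for stmt in policy["PolicyDocument"]["Statement"]:
            actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
            for action in actions:
                name = action.partition(":")[2]
                if action == "*" or name == "*":
                    findings.append(f"wildcard action {action!r}")
                elif name.startswith(MUTATING_PREFIXES):
                    findings.append(f"mutating action {action!r}")
    return findings


if __name__ == "__main__":
    tpl = build_template()
    print(json.dumps(tpl, indent=2))   # save as analyzer-role.json and deploy with CloudFormation
    print("findings:", check_least_privilege(tpl))
```

The check is worth running against any modified copy of the template before deployment: dropping the Condition block or widening the action list to a mutating action is exactly the kind of edit that turns a read-only analyzer role into something an attacker could use, and the role's trust still depends on the External ID matching what Argus shows.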
Step 3: Register the analyzer in Argus
- Back in Argus's Add AWS Analyzer form, paste the Role ARN
- Optionally label the account (for example, 'Prod', 'Staging')
- Click Register
Step 4: Run the first analysis
Argus will analyze every previously discovered AWS credential tied to this account.
- Results stream in as analysis completes; typical completion is 30-120 seconds per credential
- Re-analysis is automatic whenever Argus detects a credential change, or on demand from the credential's detail page
Verification
To confirm the integration is configured correctly:
- The analyzer appears in Registered Analyzers with a Connected status
- Analysis Results shows parsed permission data for existing AWS credentials
- The stack outputs a Role ARN matching what Argus displays
- CloudTrail events from the analyzer role show only read-only API calls
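The last verification point, that the analyzer role only ever makes read-only calls, is easy to automate against exported CloudTrail records. The following added example (not part of Cremit's product) filters records to sessions issued by the analyzer role, flags any call outside iam:Get*/List*/Simulate*, cross-checks CloudTrail's own readOnly flag, and also surfaces denied AssumeRole attempts on the role, which is what the 'AssumeRole failed: AccessDenied' troubleshooting case produces. The records are constructed samples trimmed to the fields used; the role name and account IDs are placeholders.

```python
import json

ROLE_NAME = "CremitArgusPermissionAnalyzer"   # placeholder role name from the stack
READ_ONLY_PREFIXES = ("Get", "List", "Simulate")  # iam:Get*, iam:List*, iam:Simulate*

# Constructed CloudTrail records (not real logs), trimmed to the fields used.
# Record 0 is a denied AssumeRole on the analyzer role, records 1-2 are the
# expected read-only calls, record 3 is a mutating call that must never appear.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:01Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "errorCode": "AccessDenied",
     "userIdentity": {"type": "AWSAccount", "accountId": "111122223333"},
     "requestParameters": {"roleArn": f"arn:aws:iam::123456789012:role/{ROLE_NAME}"}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListAttachedUserPolicies", "readOnly": True,
     "userIdentity": {"type": "AssumedRole",
                      "sessionContext": {"sessionIssuer": {"userName": ROLE_NAME}}}},
    {"eventTime": "2024-05-01T10:02:03Z", "eventSource": "iam.amazonaws.com",
     "eventName": "SimulatePrincipalPolicy", "readOnly": True,
     "userIdentity": {"type": "AssumedRole",
                      "sessionContext": {"sessionIssuer": {"userName": ROLE_NAME}}}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "readOnly": False,
     "userIdentity": {"type": "AssumedRole",
                      "sessionContext": {"sessionIssuer": {"userName": ROLE_NAME}}}},
]


def issued_by_role(event: dict, role_name: str = ROLE_NAME) -> bool:
    """True when the call was made from a session the analyzer role issued."""
    ident = event.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return ident.get("type") == "AssumedRole" and issuer.get("userName") == role_name


def is_read_only(event: dict) -> bool:
    """True when the call is one the analyzer role is allowed to make.

    The action must be an IAM Get/List/Simulate call, and CloudTrail's own
    readOnly flag (when present) must agree.
    """
    name = event.get("eventName", "")
    allowed = (event.get("eventSource") == "iam.amazonaws.com"
               and name.startswith(READ_ONLY_PREFIXES))
    return allowed and event.get("readOnly", True) is True


def non_read_only_calls(events: list, role_name: str = ROLE_NAME) -> list:
    """(eventTime, eventName) for every call from the role that is not read-only."""
    return [(e["eventTime"], e["eventName"])
            for e in events if issued_by_role(e, role_name) and not is_read_only(e)]


def failed_assume_role(events: list, role_name: str = ROLE_NAME) -> list:
    """(eventTime, errorCode) for denied AssumeRole attempts on the analyzer role.

    An External ID mismatch between the trust policy and Argus shows up here
    as AccessDenied.
    """
    out = []
    for e in events:
        if e.get("eventName") == "AssumeRole" and "errorCode" in e:
            role_arn = e.get("requestParameters", {}).get("roleArn", "")
            if role_arn.endswith(f":role/{role_name}"):
                out.append((e["eventTime"], e["errorCode"]))
    return out


if __name__ == "__main__":
    # In practice, load the records from a CloudTrail export (the "Records" array)
    # or from an Athena/CloudWatch Logs query instead of SAMPLE_EVENTS.
    print("non-read-only calls:", json.dumps(non_read_only_calls(SAMPLE_EVENTS)))
    print("denied AssumeRole:", json.dumps(failed_assume_role(SAMPLE_EVENTS)))
```

Any hit from non_read_only_calls means the deployed role is broader than the template described in Step 2, and is worth treating as a finding regardless of who made the call; a run of AccessDenied entries from failed_assume_role after a stack update usually means the External ID parameter no longer matches the value Argus holds.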
Troubleshooting
Issue: Argus reports 'AssumeRole failed: AccessDenied'.
- Solution: The External ID in the role's trust policy must match exactly what Argus shows. Re-generate the External ID in Argus and update the stack parameters.
Issue: Analysis is slow or timing out for a specific credential.
- Solution: Very large IAM policies (thousands of statements) take longer to simulate. Argus will complete them in the background; check back in 5-10 minutes, or open a support ticket if it persists.
Key Benefits
- Read-only access; the analyzer role cannot modify or exfiltrate resources
- CloudFormation deploy is one-click per account and fully auditable
- Cross-account trust via External ID prevents confused-deputy risks
- Automatic re-analysis when credentials change keeps assessments current