IAM
Roles, policies, privilege paths, MFA, access keys — across every connected cloud.
What IAM in Escher covers
| Capability | Example question |
|---|---|
| Privilege inventory | "Who has admin access in production?" |
| Privilege escalation paths | "Is there a path from any developer role to admin?" |
| Blast radius | "If this role were compromised, what could it reach?" |
| MFA hygiene | "Which users haven't used MFA in 30 days?" |
| Access key hygiene | "Which access keys are older than 90 days?" |
| Cross-cloud consistency | "Are our IAM groups consistent across AWS and Azure?" |
| Unused privilege detection | "Which roles haven't been used in 60 days?" |
Sample answers
"Find every role with `*:*` in production."
Returns a Canvas: every overprivileged role, by account, with last-used timestamps and which principals can assume them.
"What can the `ci-deploy` role actually do, transitively?"
Returns the full effective permission set — including roles it can assume and what those roles can do. Often surprises people.
"Which IAM users haven't logged in for 90 days?"
Returns a list ranked by privilege level. The dormant admin is the priority.
What's hard about IAM that Escher makes easy
- Transitive `AssumeRole` graphs. AWS IAM lets roles assume other roles, sometimes across accounts. Escher follows the chain.
- Cross-cloud equivalence. AWS IAM ≠ Azure RBAC ≠ GCP IAM. Escher normalizes the model so you can ask consistent questions.
- Effective permissions. A user's effective permissions are the union of their identity policies, group policies, role chains, and resource-based policies. Escher computes the union.
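The two points above, the transitive `AssumeRole` chain and the effective-permission union, as an added illustration that is not Escher's code. The role names, actions and assume edges are constructed sample data; an edge in `can_assume` stands for a pair where the target's trust policy allows the source and the source has `sts:AssumeRole` on it.

```python
# Added example (not Escher's code): a minimal model of transitive AssumeRole
# reachability and the effective-permission union. All data below is constructed.
from collections import deque

# role name -> {"actions": actions allowed by the role's identity policies,
#               "can_assume": roles it may sts:AssumeRole into (trust + permission both present)}
ROLES = {
    "developer":  {"actions": {"s3:GetObject", "logs:FilterLogEvents"}, "can_assume": {"ci-deploy"}},
    "ci-deploy":  {"actions": {"ecs:UpdateService", "s3:PutObject"},    "can_assume": {"prod-admin"}},
    "prod-admin": {"actions": {"*:*"},                                   "can_assume": set()},
    "read-only":  {"actions": {"s3:GetObject"},                          "can_assume": set()},
}

def reachable_roles(roles, start):
    """Every role reachable from `start` through a chain of AssumeRole edges (BFS)."""
    seen, queue = {start}, deque([start])
    while queue:
        role = queue.popleft()
        for nxt in roles[role]["can_assume"]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def effective_actions(roles, start):
    """Union of actions over the start role and everything it can transitively assume."""
    return set().union(*(roles[r]["actions"] for r in reachable_roles(roles, start)))

def has_wildcard_admin(actions):
    """True when the effective set contains a full wildcard (the '*:*' the page asks about)."""
    return "*:*" in actions or "*" in actions

def escalation_path(roles, start, target):
    """Shortest AssumeRole chain from start to target, or None if no path exists."""
    parent, queue = {start: None}, deque([start])
    while queue:
        role = queue.popleft()
        if role == target:
            path = []
            while role is not None:
                path.append(role)
                role = parent[role]
            return path[::-1]
        for nxt in roles[role]["can_assume"]:
            if nxt not in parent:
                parent[nxt] = role
                queue.append(nxt)
    return None

if __name__ == "__main__":
    print(sorted(effective_actions(ROLES, "developer")))
    print(escalation_path(ROLES, "developer", "prod-admin"))
```

Run against real data, the `ROLES` map would be built from each account's role policies and trust policies; the traversal itself is unchanged.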
Tips
TIP
Audit before incidents, not after. A quarterly "find every overprivileged role" pass takes 5 minutes with Escher. It catches the dormant admin before the breach.
TIP
Use blast radius for risk prioritization. Don't fix every finding — fix the ones with highest blast radius first.