0db1343c-0684-40dd-9545-a396779d9582
— Retrievable via GET /ai/narratives/0db1343c-0684-40dd-9545-a396779d9582
a. Define and document the types of accounts allowed and specifically prohibited for use within the system;
b. Assign account managers;
c. Require [Assignment: organization-defined prerequisites and criteria] for group and role membership;
d. Specify: 1. Authorized users of the system; 2. Group and role membership; and 3. Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account;
e. Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts;
f. Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria];
g. Monitor the use of accounts;
h. Notify account managers and [Assignment: organization-defined personnel or roles] within: 1. [FedRAMP Assignment: twenty-four (24) hours] when accounts are no longer required; 2. [FedRAMP Assignment: eight (8) hours] when users are terminated or transferred; and 3. [FedRAMP Assignment: eight (8) hours] when system usage or need-to-know changes for an individual;
i. Authorize access to the system based on: 1. A valid access authorization; 2. Intended system usage; and 3. [Assignment: organization-defined attributes (as required)];
j. Review accounts for compliance with account management requirements [FedRAMP Assignment: monthly for privileged access, every six (6) months for non-privileged access];
k. Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and
l. Align account management processes with personnel termination and transfer processes.
Responsible Role: Infrastructure, GRC, Account Manager, Customer
Parameter AC-2(c): Account provisioning/deprovisioning process for FedRAMP accounts
Parameter AC-2(d)(3): The organization attributes
Parameter AC-2(e): Group Owners and ISSO
Parameter AC-2(f): Access Control policies and procedures
Parameter AC-2(h): Group Owners
Parameter AC-2(h)(1): twenty-four (24) hours
Parameter AC-2(h)(2): eight (8) hours
Parameter AC-2(h)(3): eight (8) hours
Parameter AC-2(i)(3): The organization account attributes (as required)
Parameter AC-2(j): monthly for privileged access, every six (6) months for non-privileged access
☐ Implemented ☒ Partially Implemented ☐ Planned ☐ Alternative implementation ☐ Not Applicable
☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☒ Shared (Service Provider and Customer Responsibility) ☒ Inherited from pre-existing FedRAMP Authorization for {{INHERITED_AUTH_NAME}}, {{INHERITED_AUTH_DATE}}
Part a: AWS IAM users, roles, and groups are used to define account types and administrative roles for the system. The system inherits applicable infrastructure security capabilities from Amazon Web Services (AWS), which maintains a FedRAMP authorization ({{INHERITED_AUTH_NAME}}, {{INHERITED_AUTH_DATE}}).
The organization defines and documents account types within the system FedRAMP Access Control Procedure and separation of duties matrix, including allowed named user accounts, approved service accounts with documented justification, and time-bound temporary accounts. Prohibited account types (e.g., generic and anonymous) are governed through policy with narrowly scoped exceptions addressed under Part k and tracked through governance workflows. Account lifecycle requests are managed through Jira workflows with enforcement through AWS IAM and Federal LDAP.
Customers define and document allowed/prohibited account types for their tenant environments; the organization provides an initial tenant administrator account to bootstrap configuration.
Part b: Account management privileges are constrained through IAM roles and policies to support accountability and separation of duties.
The organization assigns account managers (Group Owners) for the system and documents responsibilities for provisioning, modification, and removal approvals. Access changes are controlled through Jira-based workflows that record requestor, approver, and fulfillment details. Continuous monitoring activities track control maturity and drive iterative improvement.
Customers assign account managers for their environment, using the initial account provisioned by the organization to assume management responsibilities within their domain.
Part c: IAM group and role membership, along with conditional access controls, enforce prerequisites for privileged membership.
The organization requires FedRAMP account requests to meet documented access request prerequisites, including business justification, Group Owner review, and least-privilege role alignment. Security awareness training and FedRAMP Rules of Behavior (RoB) acknowledgment are required prior to activation. Provisioning is executed through AWS IAM and Federal LDAP in accordance with documented procedures.
Customers define role membership prerequisites within their tenant, including any approval workflows and attribute requirements aligned to their organizational policies.
Part d: IAM policies and role assumptions define authorized users, group and role membership, and access authorizations for system administration.
The organization specifies authorized users, group/role membership, and access authorizations through documented RBAC mappings tied to job functions and approved duties. Access attributes (as required) are managed through organization-defined identifiers (e.g., tags) and directory attributes applied through AWS IAM and Federal LDAP. Logging for identity and access activities is integrated into centralized monitoring to support traceability and governance oversight.
Customers specify authorized users, group/role membership, and access authorizations (including organization-defined attributes) for their tenant accounts, using tenant-level administration capabilities provided by the organization.
Part e: Provisioning actions are limited to approved administrators via scoped IAM permissions and documented approval workflows.
The organization requires account creation requests to be submitted and approved through Jira by the designated Group Owner/Account Manager and ISSO (or delegated approvers) prior to provisioning. Requests include documented business justification and required training acknowledgments (e.g., RoB and security awareness) aligned to defined roles. Approval and fulfillment actions are retained as part of governance records and reviewed through configuration management practices.
Customers require approvals by organization-defined personnel or roles for tenant account creation; the organization provides an initial administrator account to enable delegation.
Part f: IAM lifecycle functions are used to create, modify, disable, and remove identities and associated permissions.
The organization manages account lifecycle actions in accordance with the system FedRAMP Access Control policies and procedures and the defined provisioning/deprovisioning workflow. Each change is initiated via an approved Jira request and fulfilled through AWS IAM and Federal LDAP with documented requestor/approver/implementer traceability. Enhancements are managed through continuous monitoring governance, including POA&M tracking as applicable.
Customers manage tenant user lifecycle actions under their organization-defined procedures and criteria, using the initial account to configure and operate their environment.
Part g: Management-plane audit logs provide visibility into account usage and account management events for monitoring and alerting.
The organization monitors account usage through centralized security monitoring integrated with available identity and access event sources. Alerting is configured for elevated access activity, anomalous authentication patterns, and account or permission changes that indicate potential misuse. Planned improvements to audit trail coverage for account lifecycle actions are prioritized through governance workflows and tracked through standard change management.
Customers monitor account usage within their tenant using available tools, logs, and APIs, and incorporate findings into their security operations processes.
Part h: Workflow records and system event sources support time-bound notifications and traceability for account status changes.
The organization maintains procedures to notify account managers and designated personnel within FedRAMP timeframes for accounts no longer required, user termination/transfer, and changes in need-to-know. Jira workflow notifications and operational coordination support timely routing of requests to responsible Group Owners and approvers. Continuous monitoring validates timeliness and supports ongoing refinement of notification practices.
Customers implement notification mechanisms aligned to FedRAMP timeframes for tenant users and coordinate actions with their assigned account managers and approvers.
Part i: IAM policy evaluation enforces access decisions based on approved authorization, intended usage, and configured attributes.
The organization authorizes access based on validated access approval, intended system usage, and organization-defined attributes (as required). RBAC enforcement is implemented through Federal LDAP and AWS IAM roles and policies, including an audit-oriented role aligned to read-only permissions for assessment activities. Periodic governance review supports continued alignment to least privilege as mission needs evolve.
Customers authorize tenant access based on approved need, intended usage, and their organization-defined attributes, using delegated tenant administration capabilities.
Part j: IAM reporting and inventory data support periodic privileged and non-privileged access reviews.
The organization performs account reviews against account management requirements with a focus on privileged and non-privileged access populations aligned to FedRAMP cadence. Reviews leverage available identity inventories and administrative reporting to identify stale access, inappropriate privilege, and required updates. Configuration management and periodic reviews validate implementation maturity over time, and remediation actions are tracked through governance workflows.
Customers conduct tenant account reviews at the FedRAMP-defined frequency and track remediation of identified exceptions in accordance with their internal governance processes.
Part k: Credential management mechanisms support rotation of authenticators for any approved shared or group access mechanisms.
The organization governs shared or group account use as an exception-based practice, restricted to approved scenarios (e.g., emergency access) with documented ownership and purpose. When shared/group authenticators are used, procedures require authenticator changes upon personnel removal and documentation through Jira with accountable approval. Review activities validate continued alignment to policy and inform refinements captured through change management.
Customers establish processes for changing shared or group account authenticators (if used) upon personnel removal and maintain documentation consistent with their tenant governance practices.
Part l: Identity lifecycle controls support timely disablement and removal aligned to personnel status changes.
The organization aligns account management actions with personnel termination and transfer procedures to support timely access updates for FedRAMP-scoped identities. Termination and transfer events are routed through controlled workflows for access revalidation and disablement with accountable approvals and traceability. Coordination with PS-4 and PS-5 processes supports consistent governance across workforce lifecycle activities.
Customers align tenant account management with their personnel termination and transfer processes and apply timely access updates for tenant users.
High-level planning + tools used (no chain-of-thought). This helps validate the narrative is evidence-driven.
| Tool | Args | Result |
|---|---|---|
| aws_default_evidence_snapshot | `{"account_id": "154776478584", "ingestion_run_id": "6e066971-b587-4844-a459-c7203e772d91"}` | ok |
| aws_counts_by_resource_type | `{"account_id": "154776478584", "ingestion_run_id": "6e066971-b587-4844-a459-c7203e772d91", "table": "identities"}` | ok |
| aws_list_records | `{"account_id": "154776478584", "ingestion_run_id": "6e066971-b587-4844-a459-c7203e772d91", "limit": 50, "resource_type": "iam_user", "table": "identities"}` | ok |
| aws_list_records | `{"account_id": "154776478584", "ingestion_run_id": "6e066971-b587-4844-a459-c7203e772d91", "limit": 50, "resource_type": "iam_role", "table": "identities"}` | ok |
| aws_summarize_iam_users | `{"account_id": "154776478584", "ingestion_run_id": "6e066971-b587-4844-a459-c7203e772d91"}` | ok |
| aws_summarize_iam_authentication_posture | `{"account_id": "154776478584", "ingestion_run_id": "6e066971-b587-4844-a459-c7203e772d91"}` | ok |
| aws_summarize_iam_policy_attachments | `{"account_id": "154776478584", "ingestion_run_id": "6e066971-b587-4844-a459-c7203e772d91"}` | ok |
| aws_summarize_cloudtrail_posture | `{"account_id": "154776478584", "ingestion_run_id": "6e066971-b587-4844-a459-c7203e772d91"}` | ok |
The exact evidence data the AI model used to generate this narrative. Stored with every generated narrative for traceability (AU-3).
{
"account_id": "154776478584",
"analysis": {
"assessor_summary": [
"Verify account lifecycle processes for creation, modification, disabling, and removal across all systems.",
"Confirm role-based access assignments, least privilege, and separation of duties are enforced.",
"Assess account reviews, recertification cadence, and timely remediation of exceptions.",
"Validate handling of privileged, shared, service, and emergency accounts with appropriate approvals and monitoring.",
"Check integration with authoritative identity sources and consistent enforcement of account policies."
],
"evidence_needs": [
"Account management policy and procedures (joiner/mover/leaver, approvals, SLAs)",
"System Security Plan (SSP) excerpts describing account management and identity stores",
"Current account inventory exports for key systems (IAM/IdP, OS, DB, SaaS) including status, roles/groups, last login",
"Sample provisioning tickets/requests with approvals for new accounts and access changes",
"Sample deprovisioning/termination records showing timely disablement/removal",
"Privileged account list and supporting approvals (admin roles, break-glass)",
"Service account inventory with owners, purpose, rotation/management method, and review evidence",
"Shared account inventory (if any) with compensating controls and approvals",
"Access review/recertification reports, attestations, and remediation tracking",
"Group/role definitions and mapping to job functions (RBAC matrix)",
"Evidence of account monitoring/auditing (logs for account create/modify/disable, alerting)",
"Configuration evidence for account policy enforcement (e.g., automated provisioning, disabling rules, sync settings)",
"Contractor/third-party account management evidence (sponsorship, expiration, periodic review)",
"Exception/waiver records for any deviations and corresponding risk acceptance"
],
"preferred_tables": [
"identities",
"assets",
"data_stores"
]
},
"control_id": "AC-2",
"ingestion_run_id": "6e066971-b587-4844-a459-c7203e772d91",
"narrative_generation": {
"implementation_status": "Partially Implemented",
"saved_via": "human_acceptance"
},
"tool_calls": [
{
"args": {
"account_id": "154776478584",
"ingestion_run_id": "6e066971-b587-4844-a459-c7203e772d91"
},
"name": "aws_default_evidence_snapshot"
},
{
"args": {
"account_id": "154776478584",
"ingestion_run_id": "6e066971-b587-4844-a459-c7203e772d91",
"table": "identities"
},
"name": "aws_counts_by_resource_type"
},
{
"args": {
"account_id": "154776478584",
"ingestion_run_id": "6e066971-b587-4844-a459-c7203e772d91",
"limit": 50,
"resource_type": "iam_user",
"table": "identities"
},
"name": "aws_list_records"
},
{
"args": {
"account_id": "154776478584",
"ingestion_run_id": "6e066971-b587-4844-a459-c7203e772d91",
"limit": 50,
"resource_type": "iam_role",
"table": "identities"
},
"name": "aws_list_records"
},
{
"args": {
"account_id": "154776478584",
"ingestion_run_id": "6e066971-b587-4844-a459-c7203e772d91"
},
"name": "aws_summarize_iam_users"
},
{
"args": {
"account_id": "154776478584",
"ingestion_run_id": "6e066971-b587-4844-a459-c7203e772d91"
},
"name": "aws_summarize_iam_authentication_posture"
},
{
"args": {
"account_id": "154776478584",
"ingestion_run_id": "6e066971-b587-4844-a459-c7203e772d91"
},
"name": "aws_summarize_iam_policy_attachments"
},
{
"args": {
"account_id": "154776478584",
"ingestion_run_id": "6e066971-b587-4844-a459-c7203e772d91"
},
"name": "aws_summarize_cloudtrail_posture"
}
],
"tool_outputs": [
{
"args": {
"account_id": "154776478584",
"ingestion_run_id": "6e066971-b587-4844-a459-c7203e772d91"
},
"name": "aws_default_evidence_snapshot",
"result": {
"counts": {
"assets": [
{
"count": 3,
"resource_type": "ebs_volume"
},
{
"count": 2,
"resource_type": "ec2_instance"
}
],
"data_stores": [],
"identities": [
{
"count": 1,
"resource_type": "iam_password_policy"
},
{
"count": 4,
"resource_type": "iam_role"
},
{
"count": 5,
"resource_type": "iam_user"
}
],
"network_components": [
{
"count": 1,
"resource_type": "internet_gateway"
},
{
"count": 1,
"resource_type": "network_acl"
},
{
"count": 1,
"resource_type": "route_table"
},
{
"count": 3,
"resource_type": "security_group"
},
{
"count": 6,
"resource_type": "subnet"
},
{
"count": 1,
"resource_type": "vpc"
}
]
},
"summaries": {
"cloudtrail": {
"cloudwatch_logs_integration_trails_count": 0,
"kms_enabled_trails_count": 0,
"log_file_validation_enabled_trails_count": 0,
"logging_enabled_trails_count": 0,
"multi_region_trails_count": 0,
"sample_trails": [],
"total_trails": 0
},
"cloudwatch_logs": {
"kms_encrypted_log_groups_count": 0,
"log_groups_with_retention_count": 0,
"log_groups_without_retention_count": 0,
"sample_log_groups_without_retention": [],
"total_log_groups": 0
},
"cm8_inventory": {
"counts": {
"assets": [
{
"count": 3,
"resource_type": "ebs_volume"
},
{
"count": 2,
"resource_type": "ec2_instance"
}
],
"data_stores": [],
"identities": [
{
"count": 1,
"resource_type": "iam_password_policy"
},
{
"count": 4,
"resource_type": "iam_role"
},
{
"count": 5,
"resource_type": "iam_user"
}
],
"network_components": [
{
"count": 1,
"resource_type": "internet_gateway"
},
{
"count": 1,
"resource_type": "network_acl"
},
{
"count": 1,
"resource_type": "route_table"
},
{
"count": 3,
"resource_type": "security_group"
},
{
"count": 6,
"resource_type": "subnet"
},
{
"count": 1,
"resource_type": "vpc"
}
]
},
"ebs_volumes": {
"encrypted_volumes_count": 0,
"sample_unencrypted_volumes": [
{
"attachments": [
{
"attach_time": "2022-09-10 19:16:37+00:00",
"delete_on_termination": true,
"device": "/dev/sda1",
"instance_id": "i-0322a28bf1a8a68c5",
"state": "attached"
}
],
"region": "us-east-1",
"size_gb": 10,
"volume_id": "vol-0402ca2f2f3be9e94"
},
{
"attachments": [
{
"attach_time": "2022-08-28 20:05:24+00:00",
"delete_on_termination": true,
"device": "/dev/sdb",
"instance_id": "i-0601780d500bb51ea",
"state": "attached"
}
],
"region": "us-east-1",
"size_gb": 10,
"volume_id": "vol-017cf162462cc1786"
},
{
"attachments": [
{
"attach_time": "2022-08-28 20:05:24+00:00",
"delete_on_termination": true,
"device": "/dev/sda1",
"instance_id": "i-0601780d500bb51ea",
"state": "attached"
}
],
"region": "us-east-1",
"size_gb": 20,
"volume_id": "vol-05e6fd7a0bd29300e"
}
],
"total_volumes": 3,
"unencrypted_volumes_count": 3
}
},
"ec2_instances": {
"monitoring_enabled_count": 0,
"sample_instances": [
{
"iam_instance_profile": null,
"instance_id": "i-0601780d500bb51ea",
"instance_type": "t2.medium",
"monitoring_enabled": false,
"region": "us-east-1",
"security_group_ids": [
"sg-090ff45d5d6ad1cd4"
],
"state": "stopped",
"subnet_id": "subnet-0b8c568bc3659b486",
"tags": {
"Name": "First Instance"
},
"vpc_id": "vpc-033668c99bb7641b0"
},
{
"iam_instance_profile": null,
"instance_id": "i-0322a28bf1a8a68c5",
"instance_type": "t2.micro",
"monitoring_enabled": false,
"region": "us-east-1",
"security_group_ids": [
"sg-090ff45d5d6ad1cd4"
],
"state": "stopped",
"subnet_id": "subnet-05c9a438bb7c68867",
"tags": {
"Name": "Second Instance"
},
"vpc_id": "vpc-033668c99bb7641b0"
}
],
"states": {
"stopped": 2
},
"total_instances": 2
},
"iam_authentication_posture": {
"credential_report": null,
"password_policy": {
"exists": false
}
},
"iam_policy_attachments": {
"roles_total": 4,
"roles_with_attached_policies_count": 4,
"roles_with_inline_policies_count": 0,
"sample_roles": [
{
"arn": "arn:aws:iam::154776478584:role/Audit",
"attached_policies": [
"arn:aws:iam::aws:policy/SecurityAudit"
],
"inline_policy_names": [],
"max_session_duration": 3600,
"role_name": "Audit"
},
{
"arn": "arn:aws:iam::154776478584:role/aws-service-role/resource-explorer-2.amazonaws.com/AWSServiceRoleForResourceExplorer",
"attached_policies": [
"arn:aws:iam::aws:policy/aws-service-role/AWSResourceExplorerServiceRolePolicy"
],
"inline_policy_names": [],
"max_session_duration": 3600,
"role_name": "AWSServiceRoleForResourceExplorer"
},
{
"arn": "arn:aws:iam::154776478584:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport",
"attached_policies": [
"arn:aws:iam::aws:policy/aws-service-role/AWSSupportServiceRolePolicy"
],
"inline_policy_names": [],
"max_session_duration": 3600,
"role_name": "AWSServiceRoleForSupport"
},
{
"arn": "arn:aws:iam::154776478584:role/aws-service-role/trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisor",
"attached_policies": [
"arn:aws:iam::aws:policy/aws-service-role/AWSTrustedAdvisorServiceRolePolicy"
],
"inline_policy_names": [],
"max_session_duration": 3600,
"role_name": "AWSServiceRoleForTrustedAdvisor"
}
],
"sample_users": [
{
"arn": "arn:aws:iam::154776478584:user/AbdulHadi",
"attached_policies": [],
"groups": [],
"inline_policy_names": [],
"user_name": "AbdulHadi"
},
{
"arn": "arn:aws:iam::154776478584:user/farhan",
"attached_policies": [
"arn:aws:iam::aws:policy/AdministratorAccess",
"arn:aws:iam::aws:policy/IAMUserChangePassword"
],
"groups": [
"AdminGroup"
],
"inline_policy_names": [],
"user_name": "farhan"
},
{
"arn": "arn:aws:iam::154776478584:user/hamza",
"attached_policies": [
"arn:aws:iam::aws:policy/AdministratorAccess",
"arn:aws:iam::aws:policy/IAMUserChangePassword"
],
"groups": [
"AdminGroup"
],
"inline_policy_names": [],
"user_name": "hamza"
},
{
"arn": "arn:aws:iam::154776478584:user/salman",
"attached_policies": [
"arn:aws:iam::aws:policy/AdministratorAccess",
"arn:aws:iam::aws:policy/IAMUserChangePassword"
],
"groups": [
"AdminGroup"
],
"inline_policy_names": [],
"user_name": "salman"
},
{
"arn": "arn:aws:iam::154776478584:user/shevyn",
"attached_policies": [
"arn:aws:iam::aws:policy/AdministratorAccess",
"arn:aws:iam::aws:policy/IAMUserChangePassword",
"arn:aws:iam::aws:policy/AWSBillingConductorFullAccess"
],
"groups": [
"AdminGroup"
],
"inline_policy_names": [],
"user_name": "shevyn"
}
],
"top_attached_policies": [
{
"count": 4,
"policy_arn": "arn:aws:iam::aws:policy/AdministratorAccess"
},
{
"count": 4,
"policy_arn": "arn:aws:iam::aws:policy/IAMUserChangePassword"
},
{
"count": 1,
"policy_arn": "arn:aws:iam::aws:policy/AWSBillingConductorFullAccess"
},
{
"count": 1,
"policy_arn": "arn:aws:iam::aws:policy/SecurityAudit"
},
{
"count": 1,
"policy_arn": "arn:aws:iam::aws:policy/aws-service-role/AWSResourceExplorerServiceRolePolicy"
},
{
"count": 1,
"policy_arn": "arn:aws:iam::aws:policy/aws-service-role/AWSSupportServiceRolePolicy"
},
{
"count": 1,
"policy_arn": "arn:aws:iam::aws:policy/aws-service-role/AWSTrustedAdvisorServiceRolePolicy"
}
],
"top_inline_policy_names": [],
"users_total": 5,
"users_with_attached_policies_count": 4,
"users_with_inline_policies_count": 0
},
"iam_users": {
"active_access_keys_count": 2,
"mfa_disabled_count": 5,
"mfa_enabled_count": 0,
"sample_users": [
{
"access_keys_count": 1,
"arn": "arn:aws:iam::154776478584:user/AbdulHadi",
"groups": [],
"mfa_enabled": false,
"password_last_used": "None",
"user_name": "AbdulHadi"
},
{
"access_keys_count": 0,
"arn": "arn:aws:iam::154776478584:user/farhan",
"groups": [
"AdminGroup"
],
"mfa_enabled": false,
"password_last_used": "2025-12-11T17:46:35Z",
"user_name": "farhan"
},
{
"access_keys_count": 1,
"arn": "arn:aws:iam::154776478584:user/hamza",
"groups": [
"AdminGroup"
],
"mfa_enabled": false,
"password_last_used": "2026-03-04T23:03:00Z",
"user_name": "hamza"
},
{
"access_keys_count": 0,
"arn": "arn:aws:iam::154776478584:user/salman",
"groups": [
"AdminGroup"
],
"mfa_enabled": false,
"password_last_used": "2026-02-06T23:13:07Z",
"user_name": "salman"
},
{
"access_keys_count": 0,
"arn": "arn:aws:iam::154776478584:user/shevyn",
"groups": [
"AdminGroup"
],
"mfa_enabled": false,
"password_last_used": "2026-02-06T14:39:51Z",
"user_name": "shevyn"
}
],
"total_users": 5
},
"network_boundary": {
"counts_by_resource_type": {
"internet_gateway": 1,
"network_acl": 1,
"route_table": 1,
"security_group": 3,
"subnet": 6,
"vpc": 1
},
"sample": {
"internet_gateway": [
{
"id": "igw-0c2d9b6f737cc026e",
"region": "us-east-1",
"summary": {
"attachments": [
{
"State": "available",
"VpcId": "vpc-033668c99bb7641b0"
}
],
"internet_gateway_id": "igw-0c2d9b6f737cc026e",
"tags": {}
},
"vpc_id": "vpc-033668c99bb7641b0"
}
],
"nat_gateway": [],
"network_acl": [
{
"id": "acl-06660319533dddb32",
"region": "us-east-1",
"summary": {
"associations": [
{
"network_acl_association_id": "aclassoc-0c29b39b3fcdfb473",
"subnet_id": "subnet-006336d9696975386"
},
{
"network_acl_association_id": "aclassoc-0618ec8477cd3a5d2",
"subnet_id": "subnet-0b8c568bc3659b486"
},
{
"network_acl_association_id": "aclassoc-02f93f4972febca91",
"subnet_id": "subnet-0c567848e2f3285b9"
},
{
"network_acl_association_id": "aclassoc-0dcb08e13e94dc611",
"subnet_id": "subnet-05c9a438bb7c68867"
},
{
"network_acl_association_id": "aclassoc-0b2e9a777557a332d",
"subnet_id": "subnet-0b3e792cb9abb6b15"
},
{
"network_acl_association_id": "aclassoc-01cbb62a80cdc5353",
"subnet_id": "subnet-06c23e873cdba6e94"
}
],
"entries": [
{
"cidr_block": "0.0.0.0/0",
"egress": true,
"ipv6_cidr_block": null,
"port_range": null,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100
},
{
"cidr_block": "0.0.0.0/0",
"egress": true,
"ipv6_cidr_block": null,
"port_range": null,
"protocol": "-1",
"rule_action": "deny",
"rule_number": 32767
},
{
"cidr_block": "0.0.0.0/0",
"egress": false,
"ipv6_cidr_block": null,
"port_range": null,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100
},
{
"cidr_block": "0.0.0.0/0",
"egress": false,
"ipv6_cidr_block": null,
"port_range": null,
"protocol": "-1",
"rule_action": "deny",
"rule_number": 32767
}
],
"is_default": true,
"network_acl_id": "acl-06660319533dddb32",
"tags": {},
"vpc_id": "vpc-033668c99bb7641b0"
},
"vpc_id": "vpc-033668c99bb7641b0"
}
],
"route_table": [
{
"id": "rtb-0e286a42d0f5851da",
"region": "us-east-1",
"summary": {
"associations": [
{
"association_id": "rtbassoc-04fbdfbd5f3d513a8",
"gateway_id": null,
"main": true,
"subnet_id": null
}
],
"route_table_id": "rtb-0e286a42d0f5851da",
"routes": [
{
"destination_cidr_block": "172.31.0.0/16",
"destination_ipv6_cidr_block": null,
"gateway_id": "local",
"instance_id": null,
"nat_gateway_id": null,
"origin": "CreateRouteTable",
"state": "active",
"transit_gateway_id": null,
"vpc_peering_connection_id": null
},
{
"destination_cidr_block": "0.0.0.0/0",
"destination_ipv6_cidr_block": null,
"gateway_id": "igw-0c2d9b6f737cc026e",
"instance_id": null,
"nat_gateway_id": null,
"origin": "CreateRoute",
"state": "active",
"transit_gateway_id": null,
"vpc_peering_connection_id": null
}
],
"tags": {},
"vpc_id": "vpc-033668c99bb7641b0"
},
"vpc_id": "vpc-033668c99bb7641b0"
}
],
"vpc_endpoint": []
}
},
"rds_instances": {
"encrypted_rds_instances_count": 0,
"publicly_accessible_rds_instances_count": 0,
"sample_unencrypted_rds_instances": [],
"total_rds_instances": 0,
"unencrypted_rds_instances_count": 0
},
"s3_buckets": {
"encrypted_buckets_count": 0,
"public_access_block_missing_count": 0,
"sample_unencrypted_buckets": [],
"total_buckets": 0,
"unencrypted_buckets_count": 0
},
"security_groups": {
"sample_world_open_security_groups": [
{
"group_id": "sg-090ff45d5d6ad1cd4",
"group_name": "launch-wizard-1",
"open_ingress_rules": [
{
"cidr_blocks": [
"0.0.0.0/0"
],
"description": null,
"from_port": 22,
"ipv6_cidr_blocks": [],
"protocol": "tcp",
"to_port": 22
}
],
"vpc_id": "vpc-033668c99bb7641b0"
},
{
"group_id": "sg-00b9a1b8acdc7534e",
"group_name": "launch-wizard-2",
"open_ingress_rules": [
{
"cidr_blocks": [
"0.0.0.0/0"
],
"description": null,
"from_port": 3389,
"ipv6_cidr_blocks": [],
"protocol": "tcp",
"to_port": 3389
}
],
"vpc_id": "vpc-033668c99bb7641b0"
}
],
"security_groups_with_world_open_ingress_count": 2,
"total_security_groups": 3,
"world_open_ingress_rule_count": 2
},
"vpc_flow_logs": {
"deliver_logs_success_count": 0,
"sample_flow_logs": [],
"total_flow_logs": 0
}
}
}
},
{
"args": {
"account_id": "154776478584",
"ingestion_run_id": "6e066971-b587-4844-a459-c7203e772d91",
"table": "identities"
},
"name": "aws_counts_by_resource_type",
"result": [
{
"count": 1,
"resource_type": "iam_password_policy"
},
{
"count": 4,
"resource_type": "iam_role"
},
{
"count": 5,
"resource_type": "iam_user"
}
]
},
{
"args": {
"account_id": "154776478584",
"ingestion_run_id": "6e066971-b587-4844-a459-c7203e772d91",
"limit": 50,
"resource_type": "iam_user",
"table": "identities"
},
"name": "aws_list_records",
"result": [
{
"account_id": "154776478584",
"data": {
"access_keys": [
{
"access_key_id": "AKIASICLFUN4GJGPP5SM",
"create_date": "2026-02-08 19:33:09+00:00",
"status": "Active"
}
],
"arn": "arn:aws:iam::154776478584:user/AbdulHadi",
"attached_policies": [],
"create_date": "2026-02-08T19:30:25Z",
"groups": [],
"inline_policy_names": [],
"mfa_enabled": false,
"password_last_used": null,
"path": "/",
"tags": {},
"user_id": "AIDASICLFUN4CYQMP6UHX",
"user_name": "AbdulHadi"
},
"id": "6d519866-c220-41b0-83c6-d5e14834b931",
"region": "global",
"resource_id": "arn:aws:iam::154776478584:user/AbdulHadi",
"resource_type": "iam_user"
},
{
"account_id": "154776478584",
"data": {
"access_keys": [],
"arn": "arn:aws:iam::154776478584:user/farhan",
"attached_policies": [
"arn:aws:iam::aws:policy/AdministratorAccess",
"arn:aws:iam::aws:policy/IAMUserChangePassword"
],
"create_date": "2025-12-10T19:58:27Z",
"groups": [
"AdminGroup"
],
"inline_policy_names": [],
"mfa_enabled": false,
"password_last_used": "2025-12-11T17:46:35Z",
"path": "/",
"tags": {},
"user_id": "AIDASICLFUN4FFOJTKWPM",
"user_name": "farhan"
},
"id": "3dd3242c-3245-4bec-88d1-c0f44d4ae9d8",
"region": "global",
"resource_id": "arn:aws:iam::154776478584:user/farhan",
"resource_type": "iam_user"
},
{
"account_id": "154776478584",
"data": {
"access_keys": [
{
"access_key_id": "AKIASICLFUN4N52MO3HS",
"create_date": "2026-02-08 19:38:08+00:00",
"status": "Active"
}
],
"arn": "arn:aws:iam::154776478584:user/hamza",
"attached_policies": [
"arn:aws:iam::aws:policy/AdministratorAccess",
"arn:aws:iam::aws:policy/IAMUserChangePassword"
],
"create_date": "2026-02-06T16:33:09Z",
"groups": [
"AdminGroup"
],
"inline_policy_names": [],
"mfa_enabled": false,
"password_last_used": "2026-03-04T23:03:00Z",
"path": "/",
"tags": {},
"user_id": "AIDASICLFUN4O7C7EIDXC",
"user_name": "hamza"
},
"id": "25f6c6c3-3adf-44a0-9a63-32fa54914046",
"region": "global",
"resource_id": "arn:aws:iam::154776478584:user/hamza",
"resource_type": "iam_user"
},
{
"account_id": "154776478584",
"data": {
"access_keys": [],
"arn": "arn:aws:iam::154776478584:user/salman",
"attached_policies": [
"arn:aws:iam::aws:policy/AdministratorAccess",
"arn:aws:iam::aws:policy/IAMUserChangePassword"
],
"create_date": "2026-02-06T16:45:47Z",
"groups": [
"AdminGroup"
],
"inline_policy_names": [],
"mfa_enabled": false,
"password_last_used": "2026-02-06T23:13:07Z",
"path": "/",
"tags": {},
"user_id": "AIDASICLFUN4P6MJ4IIOH",
"user_name": "salman"
},
"id": "c4fb4290-7566-4858-96c8-674fbbddd870",
"region": "global",
"resource_id": "arn:aws:iam::154776478584:user/salman",
"resource_type": "iam_user"
},
{
"account_id": "154776478584",
"data": {
"access_keys": [],
"arn": "arn:aws:iam::154776478584:user/shevyn",
"attached_policies": [
"arn:aws:iam::aws:policy/AdministratorAccess",
"arn:aws:iam::aws:policy/IAMUserChangePassword",
"arn:aws:iam::aws:policy/AWSBillingConductorFullAccess"
],
"create_date": "2025-12-10T19:52:34Z",
"groups": [
"AdminGroup"
],
"inline_policy_names": [],
"mfa_enabled": false,
"password_last_used": "2026-02-06T14:39:51Z",
"path": "/",
"tags": {},
"user_id": "AIDASICLFUN4A2TYI27PZ",
"user_name": "shevyn"
},
"id": "ed2c9f51-1d08-4337-843d-c26b05eb69b6",
"region": "global",
"resource_id": "arn:aws:iam::154776478584:user/shevyn",
"resource_type": "iam_user"
}
]
},
{
"args": {
"account_id": "154776478584",
"ingestion_run_id": "6e066971-b587-4844-a459-c7203e772d91",
"limit": 50,
"resource_type": "iam_role",
"table": "identities"
},
"name": "aws_list_records",
"result": [
{
"account_id": "154776478584",
"data": {
"arn": "arn:aws:iam::154776478584:role/Audit",
"assume_role_policy_document": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Condition": {},
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::154776478584:root"
}
}
],
"Version": "2012-10-17"
},
"attached_policies": [
"arn:aws:iam::aws:policy/SecurityAudit"
],
"create_date": "2026-02-08T19:54:17Z",
"inline_policy_names": [],
"max_session_duration": 3600,
"path": "/",
"role_id": "AROASICLFUN4FUDVXOMSL",
"role_name": "Audit",
"tags": {}
},
"id": "118a79b9-79bc-4df5-b14d-e0691f95f2e9",
"region": "global",
"resource_id": "arn:aws:iam::154776478584:role/Audit",
"resource_type": "iam_role"
},
{
"account_id": "154776478584",
"data": {
"arn": "arn:aws:iam::154776478584:role/aws-service-role/resource-explorer-2.amazonaws.com/AWSServiceRoleForResourceExplorer",
"assume_role_policy_document": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "resource-explorer-2.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"attached_policies": [
"arn:aws:iam::aws:policy/aws-service-role/AWSResourceExplorerServiceRolePolicy"
],
"create_date": "2025-12-10T19:51:04Z",
"inline_policy_names": [],
"max_session_duration": 3600,
"path": "/aws-service-role/resource-explorer-2.amazonaws.com/",
"role_id": "AROASICLFUN4PYLZZXHFN",
"role_name": "AWSServiceRoleForResourceExplorer",
"tags": {}
},
"id": "e2e15aae-75f2-494d-9816-af1419651a0b",
"region": "global",
"resource_id": "arn:aws:iam::154776478584:role/aws-service-role/resource-explorer-2.amazonaws.com/AWSServiceRoleForResourceExplorer",
"resource_type": "iam_role"
},
{
"account_id": "154776478584",
"data": {
"arn": "arn:aws:iam::154776478584:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport",
"assume_role_policy_document": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "support.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"attached_policies": [
"arn:aws:iam::aws:policy/aws-service-role/AWSSupportServiceRolePolicy"
],
"create_date": "2022-08-26T01:30:14Z",
"inline_policy_names": [],
"max_session_duration": 3600,
"path": "/aws-service-role/support.amazonaws.com/",
"role_id": "AROASICLFUN4F7UFKDGUO",
"role_name": "AWSServiceRoleForSupport",
"tags": {}
},
"id": "21d1632d-519e-4c93-9908-a5ef8c8577a7",
"region": "global",
"resource_id": "arn:aws:iam::154776478584:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport",
"resource_type": "iam_role"
},
{
"account_id": "154776478584",
"data": {
"arn": "arn:aws:iam::154776478584:role/aws-service-role/trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisor",
"assume_role_policy_document": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "trustedadvisor.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"attached_policies": [
"arn:aws:iam::aws:policy/aws-service-role/AWSTrustedAdvisorServiceRolePolicy"
],
"create_date": "2022-08-26T01:30:14Z",
"inline_policy_names": [],
"max_session_duration": 3600,
"path": "/aws-service-role/trustedadvisor.amazonaws.com/",
"role_id": "AROASICLFUN4G7GX24OOQ",
"role_name": "AWSServiceRoleForTrustedAdvisor",
"tags": {}
},
"id": "5bcaa273-b7c8-4b97-a1ca-dc7cb453b956",
"region": "global",
"resource_id": "arn:aws:iam::154776478584:role/aws-service-role/trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisor",
"resource_type": "iam_role"
}
]
},
{
"args": {
"account_id": "154776478584",
"ingestion_run_id": "6e066971-b587-4844-a459-c7203e772d91"
},
"name": "aws_summarize_iam_users",
"result": {
"active_access_keys_count": 2,
"mfa_disabled_count": 5,
"mfa_enabled_count": 0,
"sample_users": [
{
"access_keys_count": 1,
"arn": "arn:aws:iam::154776478584:user/AbdulHadi",
"groups": [],
"mfa_enabled": false,
"password_last_used": "None",
"user_name": "AbdulHadi"
},
{
"access_keys_count": 0,
"arn": "arn:aws:iam::154776478584:user/farhan",
"groups": [
"AdminGroup"
],
"mfa_enabled": false,
"password_last_used": "2025-12-11T17:46:35Z",
"user_name": "farhan"
},
{
"access_keys_count": 1,
"arn": "arn:aws:iam::154776478584:user/hamza",
"groups": [
"AdminGroup"
],
"mfa_enabled": false,
"password_last_used": "2026-03-04T23:03:00Z",
"user_name": "hamza"
},
{
"access_keys_count": 0,
"arn": "arn:aws:iam::154776478584:user/salman",
"groups": [
"AdminGroup"
],
"mfa_enabled": false,
"password_last_used": "2026-02-06T23:13:07Z",
"user_name": "salman"
},
{
"access_keys_count": 0,
"arn": "arn:aws:iam::154776478584:user/shevyn",
"groups": [
"AdminGroup"
],
"mfa_enabled": false,
"password_last_used": "2026-02-06T14:39:51Z",
"user_name": "shevyn"
}
],
"total_users": 5
}
},
{
"args": {
"account_id": "154776478584",
"ingestion_run_id": "6e066971-b587-4844-a459-c7203e772d91"
},
"name": "aws_summarize_iam_authentication_posture",
"result": {
"credential_report": null,
"password_policy": {
"exists": false
}
}
},
{
"args": {
"account_id": "154776478584",
"ingestion_run_id": "6e066971-b587-4844-a459-c7203e772d91"
},
"name": "aws_summarize_iam_policy_attachments",
"result": {
"roles_total": 4,
"roles_with_attached_policies_count": 4,
"roles_with_inline_policies_count": 0,
"sample_roles": [
{
"arn": "arn:aws:iam::154776478584:role/Audit",
"attached_policies": [
"arn:aws:iam::aws:policy/SecurityAudit"
],
"inline_policy_names": [],
"max_session_duration": 3600,
"role_name": "Audit"
},
{
"arn": "arn:aws:iam::154776478584:role/aws-service-role/resource-explorer-2.amazonaws.com/AWSServiceRoleForResourceExplorer",
"attached_policies": [
"arn:aws:iam::aws:policy/aws-service-role/AWSResourceExplorerServiceRolePolicy"
],
"inline_policy_names": [],
"max_session_duration": 3600,
"role_name": "AWSServiceRoleForResourceExplorer"
},
{
"arn": "arn:aws:iam::154776478584:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport",
"attached_policies": [
"arn:aws:iam::aws:policy/aws-service-role/AWSSupportServiceRolePolicy"
],
"inline_policy_names": [],
"max_session_duration": 3600,
"role_name": "AWSServiceRoleForSupport"
},
{
"arn": "arn:aws:iam::154776478584:role/aws-service-role/trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisor",
"attached_policies": [
"arn:aws:iam::aws:policy/aws-service-role/AWSTrustedAdvisorServiceRolePolicy"
],
"inline_policy_names": [],
"max_session_duration": 3600,
"role_name": "AWSServiceRoleForTrustedAdvisor"
}
],
"sample_users": [
{
"arn": "arn:aws:iam::154776478584:user/AbdulHadi",
"attached_policies": [],
"groups": [],
"inline_policy_names": [],
"user_name": "AbdulHadi"
},
{
"arn": "arn:aws:iam::154776478584:user/farhan",
"attached_policies": [
"arn:aws:iam::aws:policy/AdministratorAccess",
"arn:aws:iam::aws:policy/IAMUserChangePassword"
],
"groups": [
"AdminGroup"
],
"inline_policy_names": [],
"user_name": "farhan"
},
{
"arn": "arn:aws:iam::154776478584:user/hamza",
"attached_policies": [
"arn:aws:iam::aws:policy/AdministratorAccess",
"arn:aws:iam::aws:policy/IAMUserChangePassword"
],
"groups": [
"AdminGroup"
],
"inline_policy_names": [],
"user_name": "hamza"
},
{
"arn": "arn:aws:iam::154776478584:user/salman",
"attached_policies": [
"arn:aws:iam::aws:policy/AdministratorAccess",
"arn:aws:iam::aws:policy/IAMUserChangePassword"
],
"groups": [
"AdminGroup"
],
"inline_policy_names": [],
"user_name": "salman"
},
{
"arn": "arn:aws:iam::154776478584:user/shevyn",
"attached_policies": [
"arn:aws:iam::aws:policy/AdministratorAccess",
"arn:aws:iam::aws:policy/IAMUserChangePassword",
"arn:aws:iam::aws:policy/AWSBillingConductorFullAccess"
],
"groups": [
"AdminGroup"
],
"inline_policy_names": [],
"user_name": "shevyn"
}
],
"top_attached_policies": [
{
"count": 4,
"policy_arn": "arn:aws:iam::aws:policy/AdministratorAccess"
},
{
"count": 4,
"policy_arn": "arn:aws:iam::aws:policy/IAMUserChangePassword"
},
{
"count": 1,
"policy_arn": "arn:aws:iam::aws:policy/AWSBillingConductorFullAccess"
},
{
"count": 1,
"policy_arn": "arn:aws:iam::aws:policy/SecurityAudit"
},
{
"count": 1,
"policy_arn": "arn:aws:iam::aws:policy/aws-service-role/AWSResourceExplorerServiceRolePolicy"
},
{
"count": 1,
"policy_arn": "arn:aws:iam::aws:policy/aws-service-role/AWSSupportServiceRolePolicy"
},
{
"count": 1,
"policy_arn": "arn:aws:iam::aws:policy/aws-service-role/AWSTrustedAdvisorServiceRolePolicy"
}
],
"top_inline_policy_names": [],
"users_total": 5,
"users_with_attached_policies_count": 4,
"users_with_inline_policies_count": 0
}
},
{
"args": {
"account_id": "154776478584",
"ingestion_run_id": "6e066971-b587-4844-a459-c7203e772d91"
},
"name": "aws_summarize_cloudtrail_posture",
"result": {
"cloudwatch_logs_integration_trails_count": 0,
"kms_enabled_trails_count": 0,
"log_file_validation_enabled_trails_count": 0,
"logging_enabled_trails_count": 0,
"multi_region_trails_count": 0,
"sample_trails": [],
"total_trails": 0
}
}
],
"tool_plan": {
"tool_calls": [
{
"args": {
"account_id": "154776478584",
"ingestion_run_id": "6e066971-b587-4844-a459-c7203e772d91"
},
"name": "aws_default_evidence_snapshot"
},
{
"args": {
"account_id": "154776478584",
"ingestion_run_id": "6e066971-b587-4844-a459-c7203e772d91",
"table": "identities"
},
"name": "aws_counts_by_resource_type"
},
{
"args": {
"account_id": "154776478584",
"ingestion_run_id": "6e066971-b587-4844-a459-c7203e772d91",
"limit": 50,
"resource_type": "iam_user",
"table": "identities"
},
"name": "aws_list_records"
},
{
"args": {
"account_id": "154776478584",
"ingestion_run_id": "6e066971-b587-4844-a459-c7203e772d91",
"limit": 50,
"resource_type": "iam_role",
"table": "identities"
},
"name": "aws_list_records"
},
{
"args": {
"account_id": "154776478584",
"ingestion_run_id": "6e066971-b587-4844-a459-c7203e772d91"
},
"name": "aws_summarize_iam_users"
},
{
"args": {
"account_id": "154776478584",
"ingestion_run_id": "6e066971-b587-4844-a459-c7203e772d91"
},
"name": "aws_summarize_iam_authentication_posture"
},
{
"args": {
"account_id": "154776478584",
"ingestion_run_id": "6e066971-b587-4844-a459-c7203e772d91"
},
"name": "aws_summarize_iam_policy_attachments"
},
{
"args": {
"account_id": "154776478584",
"ingestion_run_id": "6e066971-b587-4844-a459-c7203e772d91"
},
"name": "aws_summarize_cloudtrail_posture"
}
]
}
}