readtheplan

Terraform IAM policy risk

Find privilege changes before apply.

IAM changes can open privilege-escalation paths or cause outages. This page gives static review guidance only; raw Terraform plans never leave your workstation or CI.

No plan upload · Manual review guide · SOC 2 evidence

High-risk signals include wildcard actions, broadened resources or principals, trust relationship changes, permission boundary removal, managed policy swaps, and deny statement removal. Each one either widens who can do what or removes a guardrail that limited the blast radius.

Review checklist

IAM signals

  • Policy statements add wildcard actions (* or service:*), wildcard resources, or wildcard principals.
  • Deny statements, conditions, or permission boundaries are removed; a computed (not yet known) value is not the same as a removal.
  • Assume-role trust policy changes broaden who can assume a role, including external accounts or services.
  • Service-linked, deployment, break-glass, or production admin roles change, including their managed policy attachments, even when the diff looks small.
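The checklist above can be run mechanically over the JSON plan that terraform show -json produces. The following is an added example, not readtheplan's own code: a Python scanner that walks resource_changes and flags the signals listed. It assumes the AWS provider's attribute names (policy, assume_role_policy, permissions_boundary, managed_policy_arns, policy_arn), an assumed regex for sensitive role names, and a constructed sample plan; its wildcard heuristic flags only "*" and "service:*", and it treats a value that is still computed (after_unknown) as not removed.

```python
# Added example (not readtheplan's code): scan a Terraform JSON plan for the
# IAM signals above. Heuristics and sample plan are constructed for illustration.
import json
import re

POLICY_ATTRS = {"policy": "policy", "assume_role_policy": "trust policy"}  # JSON-string attributes (AWS provider)
SENSITIVE_NAME = re.compile(r"prod|admin|deploy|break.?glass|service-role", re.I)  # assumed naming convention

def _doc(value):
    """Decode a policy attribute; computed (unknown) values are absent and yield None."""
    try:
        return json.loads(value) if isinstance(value, str) else None
    except ValueError:
        return None

def _stmts(doc, effect):
    stmts = (doc or {}).get("Statement", [])
    stmts = stmts if isinstance(stmts, list) else [stmts]
    return [s for s in stmts if isinstance(s, dict) and s.get("Effect") == effect]

def _wild(stmt, key):
    """Wildcards in Action/Resource/Principal (string, list or {"AWS": ...} forms)."""
    v = stmt.get(key)
    if isinstance(v, dict):  # Principal: {"AWS": [...], "Service": ...}
        v = [x for sub in v.values() for x in (sub if isinstance(sub, list) else [sub])]
    v = v if isinstance(v, list) else ([] if v is None else [v])
    return {x for x in v if isinstance(x, str) and (x == "*" or x.endswith(":*"))}

def _profile(doc):
    """Risk-relevant shape of one policy document: wildcards, deny and condition counts."""
    allow, deny = _stmts(doc, "Allow"), _stmts(doc, "Deny")
    prof = {f"wildcard {k.lower()}s": set().union(*(_wild(s, k) for s in allow))
            for k in ("Action", "Resource", "Principal")}
    prof["deny statements"] = len(deny)
    prof["conditions"] = sum(1 for s in allow + deny if s.get("Condition"))
    return prof

def policy_signals(before, after):
    """Findings for a before/after pair of policy documents (either may be None)."""
    b, a, out = _profile(before), _profile(after), []
    for key in b:
        if isinstance(b[key], set) and a[key] - b[key]:
            out.append(f"adds {key}: {sorted(a[key] - b[key])}")
        elif isinstance(b[key], int) and a[key] < b[key]:
            out.append(f"removes {key} ({b[key]} -> {a[key]})")
    return out

def _managed(attrs):  # managed policy ARNs on a role/user, or the policy_arn of an attachment
    return set(attrs.get("managed_policy_arns") or []) | {a for a in [attrs.get("policy_arn")] if a}

def scan_plan(plan):
    """Walk resource_changes; return [{address, actions, signals}] for risky IAM changes."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if not rc["type"].startswith("aws_iam_"):
            continue
        change = rc["change"]
        before, after = change.get("before") or {}, change.get("after") or {}
        unknown, signals = change.get("after_unknown") or {}, []
        for attr, label in POLICY_ATTRS.items():
            if attr in before or attr in after:
                signals += [f"{label} {s}" for s in policy_signals(_doc(before.get(attr)), _doc(after.get(attr)))]
        if before.get("permissions_boundary") and after and not after.get("permissions_boundary") \
                and not unknown.get("permissions_boundary"):  # a computed value is not a removal
            signals.append("removes permissions boundary")
        if before and after and _managed(before) != _managed(after):
            signals.append(f"swaps managed policies: +{sorted(_managed(after) - _managed(before))} "
                           f"-{sorted(_managed(before) - _managed(after))}")
        if SENSITIVE_NAME.search(f"{rc['address']} {after.get('name') or before.get('name') or ''}"):
            signals.append("touches a deployment, break-glass or production admin role")
        if signals:
            findings.append({"address": rc["address"], "actions": change["actions"], "signals": signals})
    return findings

def _pol(*stmts):  # constructed policy document, stored as Terraform does (a JSON string)
    return json.dumps({"Version": "2012-10-17", "Statement": list(stmts)})

SAMPLE_PLAN = {"format_version": "1.2", "resource_changes": [  # constructed, trimmed to the fields read above
    {"address": "aws_iam_role_policy.app", "type": "aws_iam_role_policy", "change": {"actions": ["update"],
        "before": {"policy": _pol({"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::app-bucket/*"},
                                  {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"})},
        "after": {"policy": _pol({"Effect": "Allow", "Action": "s3:*", "Resource": "*"})}}},
    {"address": "aws_iam_role.prod_deploy", "type": "aws_iam_role", "change": {"actions": ["update"],
        "before": {"name": "prod-deploy", "permissions_boundary": "arn:aws:iam::123456789012:policy/boundary",
                   "assume_role_policy": _pol({"Effect": "Allow", "Action": "sts:AssumeRole",
                                               "Principal": {"AWS": "arn:aws:iam::123456789012:role/ci"}})},
        "after": {"name": "prod-deploy", "permissions_boundary": None,
                  "assume_role_policy": _pol({"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "*"}})}}},
    {"address": "aws_iam_role_policy_attachment.ro", "type": "aws_iam_role_policy_attachment", "change": {
        "actions": ["delete", "create"],
        "before": {"role": "analyst", "policy_arn": "arn:aws:iam::aws:policy/ReadOnlyAccess"},
        "after": {"role": "analyst", "policy_arn": "arn:aws:iam::aws:policy/AdministratorAccess"}}},
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "change": {"actions": ["update"], "before": {}, "after": {}}},
]}

if __name__ == "__main__":  # python iam_plan_scan.py plan.json   (no argument: the sample plan)
    import sys
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    print(json.dumps(scan_plan(plan), indent=2))
```

Produce the input with terraform plan -out=tfplan followed by terraform show -json tfplan > plan.json, and run the scanner in the same workstation or CI job so the plan stays local. The output is a triage list, not a verdict: the heuristic does not understand NotAction/NotResource, condition semantics, or ARN prefixes such as arn:aws:s3:::bucket/*, so every flagged change still needs a human to read the full before and after documents.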

SOC 2 angle

Evidence to keep

Map IAM changes to CC6 logical access, CC6.2 authorization, CC6.3 access modification, and CC8 change management. For each change, retain the plan output, the reviewer's sign-off, and the apply record so the mapping is auditable. Use readtheplan locally or in CI for exact plan evidence.

Request pilot setup

Placeholder inbox: pilot-contact@example.com.

FAQ

IAM risk questions

Why does Terraform IAM policy risk need human review?

Small JSON policy edits can materially change authorization. A reviewer should check principals, actions, resources, and conditions in the full before and after documents, not only the lines that changed.

Can readtheplan review IAM without sharing a plan?

Yes. Run readtheplan where the Terraform JSON plan already exists (the output of terraform show -json on a saved plan), such as your workstation or CI job.