An automated access review pipeline built on AWS that turns IAM control checks into auditor-ready output on a weekly cadence, with no human in the loop.
Manual access reviews are one of the most consistently failed controls in SOC 2 and ISO 27001 audits. Not because teams don't understand the requirement, but because the process is time-consuming, inconsistent, and easy to defer under audit pressure. When it does happen, the output is often a spreadsheet someone assembled the night before the assessment.
The goal was a system that runs without human intervention, checks the controls that actually matter, and produces a timestamped, self-contained report that lands in S3 automatically — something an auditor can open and act on.
02 · Architecture Decision
The serverless choice was a GRC-informed infrastructure decision. Every component was chosen because it reduces audit surface, not just operational overhead.
// no server
Zero Patch Surface
No EC2 to patch, harden, or monitor. Lambda eliminates an entire class of infrastructure findings before an auditor ever looks.
// eventbridge
Auditable Cadence
Weekly trigger runs on schedule, every time, with a CloudWatch execution log. The cadence itself becomes audit evidence.
// s3 output
Immutable Evidence Trail
Reports land as access-review-YYYYMMDD.html — timestamped, versioned, retrievable by auditors without any system access.
// bedrock
AI Executive Summary
Narrative module translates raw IAM findings into business-readable risk language. Bridges technical output to GRC-consumable evidence.
// system architecture
03 · What the System Checks
Each finding source maps to a specific compliance risk. The system checks the controls auditors actually test for.
iam_findings.py
IAM Identity Hygiene
Flags stale accounts (90+ days inactive), admin users missing MFA, and IAM users without manager tags. Maps to SOC 2 CC6.1 · ISO 27001 A.9 · NIST 800-53 AC-2.
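As an added illustration of the three IAM hygiene rules above (this is example code, not the project's iam_findings.py), a pure-Python pass over constructed user records shaped like the boto3 responses the check would pull; using the AdministratorAccess managed policy ARN as the definition of "admin" and a case-insensitive manager tag key are assumptions.

```python
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)   # inactivity threshold from the IAM hygiene check
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"  # assumed definition of "admin"
CONTROLS = "SOC 2 CC6.1 / ISO 27001 A.9 / NIST 800-53 AC-2"

def last_activity(user):
    """Latest of console password use and any access-key use; None if never used.
    In production PasswordLastUsed comes from iam.list_users() and key timestamps from
    iam.get_access_key_last_used() per key; here they are pre-collected on the record."""
    stamps = [t for t in [user.get("PasswordLastUsed"), *user.get("AccessKeyLastUsed", [])] if t]
    return max(stamps) if stamps else None

def evaluate_iam_hygiene(users, now):
    """Return one finding dict per failed check, in the shape a report row needs."""
    findings = []
    for u in users:
        name = u["UserName"]
        # A never-used account is measured from creation, so a fresh user is not flagged stale.
        idle = now - (last_activity(u) or u["CreateDate"])
        if idle > STALE_AFTER:
            findings.append({"user": name, "check": "stale_account", "controls": CONTROLS,
                             "detail": f"no sign-in or key use for {idle.days} days"})
        if ADMIN_POLICY in u.get("AttachedPolicyArns", []) and not u.get("MfaDevices"):
            findings.append({"user": name, "check": "admin_without_mfa", "controls": CONTROLS,
                             "detail": "AdministratorAccess attached, no MFA device enrolled"})
        if "manager" not in {k.lower() for k in u.get("Tags", {})}:
            findings.append({"user": name, "check": "missing_manager_tag", "controls": CONTROLS,
                             "detail": "no owner recorded to attest the access review"})
    return findings

def count_by_check(findings):
    """Per-check totals for the executive summary line."""
    counts = {}
    for f in findings:
        counts[f["check"]] = counts.get(f["check"], 0) + 1
    return counts

# Constructed sample records (not live account data), shaped like the boto3 calls above return.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"UserName": "alice", "CreateDate": NOW - timedelta(days=400), "PasswordLastUsed": NOW - timedelta(days=3),
     "AccessKeyLastUsed": [], "AttachedPolicyArns": [ADMIN_POLICY], "MfaDevices": ["mfa-1"], "Tags": {"manager": "bob"}},
    {"UserName": "svc-legacy", "CreateDate": NOW - timedelta(days=500), "PasswordLastUsed": None,
     "AccessKeyLastUsed": [NOW - timedelta(days=120)], "AttachedPolicyArns": [], "MfaDevices": [], "Tags": {}},
    {"UserName": "carol", "CreateDate": NOW - timedelta(days=10), "PasswordLastUsed": None,
     "AccessKeyLastUsed": [], "AttachedPolicyArns": [ADMIN_POLICY], "MfaDevices": [], "Tags": {"Manager": "dave"}},
]
```

Against the sample, `evaluate_iam_hygiene(SAMPLE_USERS, NOW)` flags svc-legacy as stale and unowned and carol as an admin without MFA, while alice and the ten-day-old, never-used carol account are not reported as stale.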
access_analyzer.py
External Resource Exposure
Surfaces cross-account trust relationships, publicly accessible S3 buckets, and resource policies granting access outside the account boundary. Maps to NIST 800-53 AC-3 · PCI-DSS 7.2 · CMMC AC.L2-3.1.3.
security_hub.py
Active IAM Control Failures (IAM.1–IAM.9)
Pulls all FAILED findings for nine AWS Security Hub IAM controls — root MFA, password policy, unused credentials, access key rotation — pre-mapped to NIST 800-53 and PCI-DSS. Maps to NIST 800-53 IA-2 · IA-5 · PCI-DSS 8.x · CMMC IA.L2.
04 · The Output
The report module generates a self-contained HTML file — no external dependencies, no server required. An auditor opens it directly from S3 or downloads it offline. The narrative module generates an AI-written executive summary via Bedrock, translating raw findings into business-readable risk language.
// generated HTML report — auditor-ready, no console login required
05 · Frameworks Addressed
SOC 2
CC6.1, CC6.2, CC6.3 — logical access controls, user provisioning
ISO 27001
A.9 Access Control — user access management and responsibilities
PCI-DSS
Requirements 7 and 8 — restrict access, identify and authenticate
CMMC Level 2
AC.L2-3.1.1 through 3.1.3, IA.L2-3.5.3 — access control and MFA
CMMC Level 3
Extended access control mapping to NIST 800-172 requirements
06 · Demo Mode
The deployed portfolio version runs with DEMO_MODE=true — generates realistic synthetic findings without pulling live IAM data from a real AWS account. Choosing to demo safely rather than expose live IAM data is itself a security judgment call.
28 tests pass across all six modules — each finding source tested against mock boto3 responses so the pipeline catches regressions before they produce a silently incorrect compliance report. A compliance report with a silent bug is worse than no report — it generates false confidence.