iToverDose / Software · 29 June 2026 · 04:03

AWS access recertification tool enforces real-time permission changes

Most organizations approve recertification reviews without ever revoking permissions. A new open-source engine from AWS automates enforcement to ensure decisions become actions instantly, reducing audit gaps and operational risk.

DEV Community · 4 min read

Companies spend weeks reviewing access permissions, only to leave the same privileges intact after the process concludes. According to industry observations, permissions marked for revocation often remain active because the revocation step itself is rarely executed. This disconnect between policy and enforcement creates persistent security gaps that auditors frequently flag.

To address this issue, an engineer has developed an open-source solution called VIGIL, now available in the AWS Samples repository. Unlike traditional recertification tools that generate approval lists without enforcing changes, VIGIL bridges the gap by automating both decision-making and permission enforcement in a single workflow.

Aligning decisions with immediate enforcement

Traditional recertification processes involve a series of manual steps: a tool generates an access list, an owner reviews and approves or revokes permissions, and the cycle is marked complete. However, the permissions themselves remain unchanged, leaving the system in the same state it was before the review. This creates a false sense of security where compliance documentation suggests improvements that were never implemented.

VIGIL redefines the process by integrating decision-making with enforcement. The tool performs four critical functions:

  • It identifies all resources tagged with an owner attribute and determines which users currently have access to each resource.
  • It prompts the resource owner to decide whether to retain, reduce, or remove access.
  • It executes the owner’s decision directly on the live resource, ensuring changes take effect immediately.
  • It records every action in a tamper-evident log, providing verifiable evidence for audits.

Precision revocation without over-reach

A common pitfall in permission management is the use of broad revocation methods that inadvertently remove access to unrelated resources. For example, detaching an IAM policy to revoke access to a single S3 bucket often results in the user losing access to all other buckets they were permitted to use. This approach introduces operational risk and can disrupt legitimate workflows.

VIGIL avoids this problem by applying minimally invasive changes to policies. When a user's access to an S3 bucket is granted via a bucket policy, VIGIL removes only the specific principal or actions from that bucket's policy without affecting other permissions. If the access is granted through the user's own IAM policy, the tool adds a targeted Deny statement scoped to the specific resource and action, leaving other permissions intact. This ensures that revocation is surgical and does not over-correct.
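The two surgical edits described above, written out as an added illustration (this is not VIGIL's own code): one function drops a single principal from a bucket policy, the other appends a resource-scoped Deny to an identity policy. The account ID, ARNs and policy documents are constructed sample values.

```python
import copy

# Constructed sample bucket policy granting two users read access.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "TeamRead",
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::111122223333:user/alice",
                              "arn:aws:iam::111122223333:user/bob"]},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket",
                     "arn:aws:s3:::example-bucket/*"],
    }],
}

# Constructed sample identity policy attached to a user (broad S3 read).
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "ReadAllBuckets", "Effect": "Allow",
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": "*"}],
}

def remove_principal(policy, principal_arn):
    """Copy of a bucket policy with one principal removed from its Allow
    statements. Other principals keep their grants; a statement left with
    no principal is dropped entirely. The input is not mutated."""
    new = copy.deepcopy(policy)
    kept = []
    for stmt in new["Statement"]:
        aws = stmt.get("Principal", {}).get("AWS")
        if stmt.get("Effect") == "Allow" and aws is not None:
            arns = [aws] if isinstance(aws, str) else list(aws)
            arns = [a for a in arns if a != principal_arn]
            if not arns:
                continue  # nobody left in this grant: remove the statement
            stmt["Principal"]["AWS"] = arns if len(arns) > 1 else arns[0]
        kept.append(stmt)
    new["Statement"] = kept
    return new

def add_targeted_deny(policy, actions, resources, sid):
    """Copy of an identity policy with an explicit Deny for exactly the
    given actions on the given resources. Existing Allow statements are
    untouched, so access to every other resource is preserved."""
    new = copy.deepcopy(policy)
    new["Statement"].append({"Sid": sid, "Effect": "Deny",
                             "Action": list(actions), "Resource": list(resources)})
    return new
```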

If a change cannot be applied safely or precisely, VIGIL escalates the issue by creating a ticket instead of making an unsafe modification. The priority is to avoid unintended consequences, even if it means leaving the permission unchanged.

Building resilience into the enforcement pipeline

Enforcement is not executed synchronously within the API call. Instead, the system validates the decision, records it, and places the action on an SQS queue. A dedicated worker service processes the queue, ensuring idempotency, automatic retries on failure, and redirection of unprocessable items to a dead-letter queue. This design keeps the API responsive while guaranteeing that no change is lost mid-execution.

The architecture is fully serverless, leveraging AWS Lambda, SQS, DynamoDB, Cognito, SES, and API Gateway. This eliminates the need for managing infrastructure while maintaining scalability and reliability. A documented REST API allows organizations to integrate custom user interfaces or existing security dashboards without modifying the core engine.

Providing auditable evidence for compliance

Each decision and enforcement action is written to an append-only ledger where every record is cryptographically linked to the previous one. This hash-chaining mechanism makes tampering detectable, as altering any record would break the chain and invalidate subsequent entries. Organizations can further enhance compliance by storing these records in an S3 Object Lock bucket with Write-Once-Read-Many (WORM) compliance, preventing deletion or alteration for the defined retention period.
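A minimal hash-chained ledger of the kind described above, added here as an illustration rather than taken from VIGIL: each entry commits to the previous entry's SHA-256 digest, and verification reports the first entry whose content or link no longer matches. The event records are constructed sample values.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry

def canonical(record):
    # Deterministic serialization so the same content always hashes the same.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

class Ledger:
    def __init__(self):
        self.entries = []

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "prev_hash": prev, "event": event}
        entry = dict(body, hash=hashlib.sha256(canonical(body)).hexdigest())
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, seq) for
        the first entry whose hash or back-link does not check out."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            recomputed = hashlib.sha256(canonical(body)).hexdigest()
            if e["seq"] != i or e["prev_hash"] != prev or recomputed != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None

def build_sample_ledger():
    """Constructed decision + enforcement records for one recertification."""
    led = Ledger()
    led.append({"action": "decision", "resource": "arn:aws:s3:::example-bucket",
                "principal": "arn:aws:iam::111122223333:user/bob",
                "outcome": "revoke", "decided_by": "owner@example.com"})
    led.append({"action": "enforce", "resource": "arn:aws:s3:::example-bucket",
                "principal": "arn:aws:iam::111122223333:user/bob", "applied": True})
    led.append({"action": "verify", "resource": "arn:aws:s3:::example-bucket",
                "principal": "arn:aws:iam::111122223333:user/bob", "still_denied": True})
    return led
```

Rewriting a record's content breaks that entry; rewriting its hash as well moves the break to the next entry, which is why a forger would have to recompute every later hash and the WORM copy still exposes the substitution.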

Beyond tamper resistance, VIGIL captures snapshots of the pre-change state for every modification. This enables complete rollback capabilities if an error occurs or if an auditor requests reversal. The result is a verifiable trail that answers not just what was changed, but whether the change was actually applied and remains effective.

Extensibility for diverse environments

The current version includes connectors for S3 buckets, IAM users, IAM roles, and EC2 instances. Each connector implements four essential methods: snapshot, revoke, modify, and rollback, making it straightforward to extend support to additional AWS services such as RDS, SNS, SQS, or Secrets Manager. Adding a new service requires writing a single connector rather than modifying the core engine.

The project ships with a production-grade AWS SAM template, a quick-start guide, a developer manual, and instructions for building custom connectors. While the tool is designed for enterprise use, the team encourages community feedback and contributions to expand its capabilities.

Before deploying in a production environment, organizations should review VIGIL against their internal security policies and compliance requirements. The tool is open source, allowing for thorough inspection and customization to align with specific governance standards.

As security tooling evolves, solutions that automate enforcement rather than documentation alone will become essential to maintaining robust access controls. VIGIL represents a step toward real-time compliance where decisions immediately translate into enforced changes, reducing audit gaps and operational risk.

AI summary

AWS access reviews are usually ineffective. VIGIL automates access security by making the decision and its enforcement happen in the same step, and provides auditors with evidence.
