DC-342 · AWS access review

AWS Credential Surface Audit

Track where AWS identities, aliases, and privileged actions leak into operator workflows so approvals, least-privilege gaps, and risky handling patterns stay visible.

Audit posture

Operator credential exposure inventory

The goal is not to eliminate every AWS touchpoint. It is to isolate where credentials or privileged actions appear, whether a review gate exists, and which surfaces still ask humans to hold more power than the workflow truly needs.

Surfaces inventoried: Distinct operator flows or handoff surfaces reviewed
High-risk surfaces: Critical or high exposure patterns needing close review
Approval gates: Flows with explicit approval or dual-control checkpoints
Least-privilege gaps: Places where access scope is wider than the job requires
Filters

Review by workflow and risk

Credential residence

Profiles, console sessions, CI OIDC, and handoff notes all count if they influence operator flow risk.

Alias-sensitive flows

Any workflow that can observe or change Lambda alias state gets explicit tracking.

Manual escalation paths

A manual path is not inherently wrong, but it raises fatigue and accidental privilege risk.

Export review bundle

Current filtered bundle preview

Exports include the filtered surface set, summary counts, risky actions, approval posture, and least-privilege findings so the review can travel without opening the page again.