IAM Blast Radius: Why Least Privilege Still Fails
Most breaches we investigate start with an over-permissioned role. Here is how to score and shrink your identity blast radius this quarter.
RAZR Advisory
"Least privilege" is one of those phrases that shows up in every policy and almost no runtime. The gap between the policy statement and the actual IAM tree is where attackers live.
What blast radius actually measures
Blast radius is the set of resources an identity can reach if it were compromised right now. Not what it's supposed to reach — what it can reach given the effective policy graph.
- Direct permissions attached to the identity.
- Permissions inherited through group or role assumption chains.
- Data and services reachable via network paths from resources it controls.
A scoring model you can use this week
- Enumerate the identity's effective permissions using your cloud's IAM analyzer.
- Tag reachable resources by data sensitivity (public, internal, confidential, regulated).
- Score = count of confidential/regulated resources reachable × sensitivity weight.
- Rank identities by score. Attack the top 10 first.
The three moves that shrink it fastest
- Replace long-lived access keys with short-lived, workload-scoped tokens.
- Split "admin" roles into task-scoped roles used via just-in-time elevation.
- Add resource-level conditions (tags, source IP, time of day) to the most privileged roles.