Which cloud-provider artefact does Wiz CIEM analyse to compute effective AWS permissions?

Correct: a. Effective AWS permissions require resolving every policy layer: SCPs (from AWS Org), permission boundaries, inline policies, AWS-managed policies and resource-based policies on target resources. Wiz ingests and intersects all of them.

Why does Wiz CIEM flag an identity that has been granted s3:DeleteBucket but has never used it in 90 days?

Correct: d. Unused high-impact permissions are potential blast radius. If the identity's credentials are stolen or the workload is compromised, the attacker can exercise all unused permissions. CIEM right-sizes to only what is needed.

A GCP service account for a data pipeline has roles/editor on the entire project. Wiz shows it only calls BigQuery read APIs. What is the correct remediation?

Correct: d. The least privilege principle requires scoping to actual usage. Wiz generates a custom role for only the BigQuery read actions observed on the specific dataset — roles/editor is a wildcard that grants edit access to every GCP service in the project.

An AWS cross-account trust policy allows an external vendor to assume a role. The trust has no external-ID and no MFA condition. What attack does this enable?

Correct: c. Without an external-ID condition, the confused deputy problem allows a malicious AWS account to deceive the trusted vendor into assuming the cross-account role on the attacker's behalf, gaining access to the victim account. External-ID or MFA conditions prevent this.

Which approach gives the most accurate least privilege policy recommendation?

Correct: c. Activity-log analysis captures actual usage including infrequent but legitimate calls (weekly batch jobs, quarterly audits). Developer self-reporting and code review miss dynamic runtime behaviour; ReadOnlyAccess is not a least privilege solution for write workloads.

Wiz CIEM shows a Lambda function with an s3:* policy. The activity log lookback is 7 days. Why might this be an unreliable basis for a least privilege policy?

Correct: b. A 7-day window misses infrequent but legitimate actions. The recommended lookback is typically 90 days to capture monthly and quarterly workloads. Scoping policy on a short window risks blocking real operations when the tight policy is applied.

Wiz CIEM: Cloud Entitlement Analysis & Least Privilege (2026)

Q: What does 'effective permissions' mean in a Wiz CIEM context?

Correct: b. Effective permissions are the intersection of every policy layer, not the union or just the assigned role. This is exactly what Wiz CIEM computes agentlessly across the full account hierarchy.

Q: Which of these identity types does Wiz CIEM include in the attack surface map?

Correct: a. Wiz maps all identity types — human and non-human — including workload identities (Lambda, EC2 instance profiles), GitHub Actions OIDC, cross-account roles and external vendor principals.

Q: A Lambda function has been assigned an S3 full-access policy but only ever calls s3:GetObject. What should Wiz recommend?

Correct: c. Wiz uses activity-log analysis to identify that only s3:GetObject was used and auto-generates a policy scoped to that action and the specific bucket. The unused permissions are excess blast radius.

Q: A third-party vendor role can assume a role in your AWS production account with no external-ID condition and no MFA. What risk does Wiz flag?

Correct: b. Without an external-ID condition, the confused deputy problem means any principal that knows the role ARN could trick the vendor into assuming it. Wiz flags this as a critical external identity risk requiring an external-ID or MFA condition on the trust policy.

Most engineers think…

Most people assume cloud IAM is 'just roles and policies — read the JSON and you know the access'. That works for a single flat AWS account with three roles. It does not work for a 200-account AWS Organisation with SCPs, permission boundaries, resource-based policies, role chaining and ABAC tags all interacting at the same time.

Wiz CIEM solves a different, harder problem: it computes the effective permission set — what an identity can actually do after every policy layer is resolved — then flags where that effective access is excessive, unused or exposes a cross-account or external trust boundary. That is the answer interviewers want when they ask about cloud identity risk.

① The CIEM problem — assigned vs effective permissions and permission sprawl

In a cloud environment an identity rarely has a single attached policy. A developer in AWS might hold a role with an inline policy, an AWS-managed policy, an SCP from the organisation root, a permission boundary and resource-based policies on the S3 buckets they touch. The effective permission set is the intersection of all those layers — not the union. Wiz CIEM resolves that intersection automatically, across every account and every identity.

The scale of the problem is striking: research consistently shows that over 95% of cloud identities use fewer than 5% of the permissions they hold. That unused 95% is open blast radius — a compromised credential can pivot far beyond what the operator intended. Blast radius is why CIEM matters even in organisations with mature IAM practices.

Wiz ingests policy data from AWS, Azure and GCP without agents and builds a graph of every identity, every permission layer and every resource. Security teams can query: which identities can delete production S3 buckets? or who has write access to this secret? — and get the real answer, not the paper answer.

Figure 1 — How Wiz resolves effective permissions

Wiz intersects every policy layer to compute the real access an identity holds — not the paper access.

Say 'effective' not 'assigned'

In any cloud security interview, always distinguish effective permissions (what an identity can actually do after all policy layers resolve) from assigned permissions (what policies are attached). Wiz CIEM is valuable precisely because it computes the former, which no manual review can do reliably at scale.

Quick check · Q1 of 10 · Understand

What does 'effective permissions' mean in a Wiz CIEM context?

a) The permissions listed in the most recently attached policyb) The actual access an identity holds after all policy layers — SCPs, permission boundaries and resource policies — are intersectedc) The permissions an admin manually approved last quarterd) Only the AWS-managed policies attached to a role

Correct: b. Effective permissions are the intersection of every policy layer, not the union or just the assigned role. This is exactly what Wiz CIEM computes agentlessly across the full account hierarchy.

👉 So far: Effective permissions = the real access after all policy layers resolve. Assigned permissions ≠ effective permissions. The gap between granted and used is the CIEM problem.

② The identity attack surface — every identity Wiz maps

Wiz CIEM maps a wider set of identities than most teams track manually. Human IAM users (active and stale), service accounts and workload identities (EC2 instance profiles, Lambda execution roles, GCP service accounts, Azure managed identities), federated identities from external IdPs (Okta, Azure AD, GitHub Actions OIDC), cross-account roles that allow one account to assume permissions in another, and external principals — third-party vendor roles and AWS partner accounts — are all surfaced in a single graph.

For each identity Wiz surfaces its effective permissions, its last-used timestamp, and any identity misconfiguration signals: no MFA on a privileged user, no activity in 90 days, wildcard resource on a write action, admin or sensitive-data access with no justification. These signals feed directly into the Wiz Security Graph and can appear on attack paths.

Why federated and workload identities are the hardest

Human users get reviewed in quarterly access reviews. CI/CD roles and GitHub Actions OIDC tokens are created by developers, often with wide permissions, and rarely reviewed. Wiz surfaces these with the same effective-permission analysis so the security team can right-size workload identities alongside human ones.

Figure 2 — Wiz CIEM identity attack surface

Wiz maps all identity types — human and non-human — into one effective-permissions graph.

🔐

Effective permissions

tap to flip

What an identity can actually do after all policy layers (SCPs, permission boundaries, inline, managed, resource-based) are resolved — the real blast radius, not the paper one.

📊

Permission sprawl

tap to flip

The gap between permissions granted and permissions used. Research shows 95%+ of cloud identities use under 5% of granted permissions — the unused 95% is open attack surface.

🔗

Cross-account role

tap to flip

A role in one AWS account that trusts a principal in another account to assume it. Dangerous when the trust policy uses wildcards or has no external-ID or MFA condition.

🤖

Workload identity

tap to flip

Non-human identities that power code: EC2 instance profiles, Lambda execution roles, GCP service accounts, Azure managed identities, GitHub Actions OIDC tokens. Often over-privileged and rarely reviewed.

Forgetting non-human identities

Most access reviews focus on human accounts. In a cloud environment, CI/CD roles, Lambda execution roles, and GitHub Actions OIDC tokens often hold broader permissions than any human user — and are almost never in the quarterly review cycle. Always map workload identities alongside human ones.

Quick check · Q2 of 10 · Remember

Which of these identity types does Wiz CIEM include in the attack surface map?

a) Human users, service accounts, federated identities, cross-account roles and external principalsb) Only active human IAM usersc) Only service accounts and workload rolesd) Only identities that have triggered a GuardDuty alert

Correct: a. Wiz maps all identity types — human and non-human — including workload identities (Lambda, EC2 instance profiles), GitHub Actions OIDC, cross-account roles and external vendor principals.

👉 So far: Wiz maps human users, service accounts, workload identities, federated IdPs, cross-account roles and external principals — all with effective permissions and last-used timestamps.

③ The least privilege engine — activity analysis and right-sizing

Wiz analyses cloud-provider activity logs (AWS CloudTrail, Azure Activity Log, GCP Audit Logs) to determine which actions an identity has actually used over a configurable lookback window (commonly 90 days). It then computes the delta: granted permissions minus used permissions = excess. From that delta, Wiz auto-generates a least privilege policy that retains only what was used.

Right-sizing is not a one-click deploy. Wiz surfaces the generated policy for review; the security or platform team validates edge cases (quarterly batch jobs that run outside the observation window, break-glass scenarios), then exports the policy to AWS IAM, Azure RBAC or GCP IAM. The workflow keeps humans in the loop while eliminating the manual guesswork that makes most least-privilege projects stall.

Beyond right-sizing, Wiz also detects privilege escalation paths — an identity that cannot do something directly but can assume a role or modify a policy to grant itself that ability. These lateral and escalation risks are surfaced as findings with remediation steps, not just raw policy diffs.

Figure 3 — Least privilege auto-generation pipeline

Wiz derives least privilege policies from real usage data, not guesswork.

Priya at a Pune fintech faces this

An AWS Lambda function used for payment-status checks is flagged by Wiz with a critical finding: it holds an IAM policy with s3:* and dynamodb:* on all resources, but activity logs show it has only ever called dynamodb:GetItem on one table.

Likely cause

A developer copy-pasted a broad policy template during a hackathon sprint and it was never reviewed. The Lambda role has been in production for eight months with massive unused permissions.

Diagnosis

Wiz CIEM shows effective permissions vs used permissions: granted includes s3:DeleteBucket on *, used is only dynamodb:GetItem on one table ARN. Blast radius if the function is compromised is the entire S3 estate and DynamoDB.

Wiz ▸ CIEM ▸ Identities ▸ Lambda role ▸ Effective permissions ▸ Usage analysis

Fix

Accept Wiz auto-generated least privilege policy: allow dynamodb:GetItem on the specific table ARN only. Remove s3:* and dynamodb:* entirely. Export the new policy to AWS IAM and re-deploy.

Verify

Re-check in Wiz: the Lambda role now shows effective permissions matching its actual usage — finding resolves. Run a DynamoDB GetItem in staging to confirm the function still works.

▶ Watch Wiz detect and remediate a wildcard permission on a CI/CD role

Step through how a GitHub Actions role with s3:* gets detected, scoped and fixed. Press Play for the detection path, then Break it to see what happens without CIEM.

① IngestWiz agentlessly ingests IAM policies from the AWS account — including the GitHub Actions OIDC role used by the CI/CD pipeline.

▼

② ResolveWiz resolves effective permissions: the role holds s3:* on all buckets, with no SCP or permission boundary restricting it.

▼

③ Analyse usageActivity log analysis (CloudTrail, 90-day window) shows the role has only called s3:PutObject on one deploy bucket.

▼

④ Flag & remediateWiz raises a high-severity finding: 's3:* on * — only s3:PutObject used.' Auto-generated least privilege policy scoped to one bucket is ready for export.

Press Play to step through the CIEM detection and remediation path. Then press Break it.

Quick check · Q3 of 10 · Apply

A Lambda function has been assigned an S3 full-access policy but only ever calls s3:GetObject. What should Wiz recommend?

a) Delete the Lambda functionb) Keep the full policy as a safety buffer for future usec) Auto-generate a least privilege policy scoped to s3:GetObject on the specific bucket usedd) Block all S3 access until the team fills a request form

Correct: c. Wiz uses activity-log analysis to identify that only s3:GetObject was used and auto-generates a policy scoped to that action and the specific bucket. The unused permissions are excess blast radius.

👉 So far: Least privilege in Wiz = activity-log analysis (90-day lookback) → delta (granted minus used) → auto-generated scoped policy → human review → export to IAM/RBAC/GCP IAM.

④ Cross-account & external identity risk — trust boundaries and detection

Multi-account architectures are the norm in AWS Organizations and GCP folders. Cross-account roles let one account assume a role in another — powerful for automation, dangerous when the trust policy is too permissive. Wiz maps every cross-account trust relationship and flags cases where the trusted principal is an overly broad account ID, a wildcard (*), or a third-party account with no MFA condition.

External identity risk is the next category: vendor or partner roles that federate into your cloud from outside your organisation. Wiz surfaces these external principals in the same graph, showing what they can do inside your environment, whether their access has been used recently, and whether any conditions (IP, MFA, external ID) constrain the trust. A vendor role with admin permissions and no external-ID condition is a critical finding.

Detection signals Wiz raises

Cross-account role with no external-ID condition (third-party access risk)
Resource policy with a wildcard principal (*) on a sensitive resource
External identity with permissions unused for over 90 days
Role that can be assumed from outside the organisation boundary
Federated identity with admin rights and no MFA requirement

Figure 4 — Cross-account risk vs external identity risk

Wiz surfaces both trust-boundary categories with distinct remediation paths.

Check the trust policy, not just the role

A cross-account or external-vendor finding is not closed by disabling the role — verify the trust policy conditions. Wiz shows whether an external-ID, MFA or IP condition is present. If none exist, any principal that knows the role ARN can assume it. Fix is to add conditions to the trust document, not just deactivate the role.

Quick check · Q4 of 10 · Analyze

A third-party vendor role can assume a role in your AWS production account with no external-ID condition and no MFA. What risk does Wiz flag?

a) No risk — external IDs are optionalb) A cross-account external identity risk: the vendor role can be assumed by anyone who knows the role ARN, with no additional constraintc) Only a low-severity informational findingd) A network configuration issue unrelated to CIEM

Correct: b. Without an external-ID condition, the confused deputy problem means any principal that knows the role ARN could trick the vendor into assuming it. Wiz flags this as a critical external identity risk requiring an external-ID or MFA condition on the trust policy.

👉 So far: Cross-account risk: over-permissive trust policies with no external-ID condition. External risk: vendor federation with admin rights and no MFA. Both need trust-policy conditions fixed, not just role deactivation.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from vendor docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

🧠 In your own words

Type one line: what is the difference between assigned permissions and effective permissions, and why does it matter for cloud security? Then compare with the expert version.

Expert version: Assigned permissions are the policies directly attached to an identity — the paper view. Effective permissions are what that identity can actually do after every constraining policy layer is applied: SCPs, permission boundaries, resource-based policies and session conditions all interact to reduce (or occasionally expand) the assigned set. The gap matters because most security reviews look at assigned policies, which may show broad access that is actually blocked by an SCP — or miss a resource-based policy that grants access no role policy explicitly states. Wiz CIEM computes effective permissions agentlessly at scale so teams know the real blast radius of any identity without manual resolution across hundreds of accounts.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📩 Quiz me on this in 7 days. Opt in and we'll email 3 micro-questions on Wiz at Day 1, Day 7 and Day 30 — spaced repetition is how this sticks. Un-tick any time.

📖 Glossary

Effective permissions: The actual access an identity holds after every policy layer — SCPs, permission boundaries, inline, managed and resource-based policies — is resolved and intersected.
CIEM: Cloud Infrastructure Entitlement Management — the discipline of discovering, analysing and right-sizing cloud identity permissions across multi-cloud environments.
Permission sprawl: The accumulated gap between permissions granted and permissions used across an organisation's cloud identities — each unused permission is potential blast radius.
Least privilege policy: A policy scoped to only the actions and resources an identity has actually used, derived from activity-log analysis rather than guesswork.
Cross-account role: An IAM role in one AWS account whose trust policy allows a principal in another account to assume it — powerful for automation, risky if the trust is too permissive.
Confused deputy: An attack where a malicious actor tricks a trusted third party into using its privileged cross-account role on the attacker's behalf — prevented by an external-ID condition on the trust policy.
Workload identity: Non-human identities that power code: EC2 instance profiles, Lambda execution roles, GCP service accounts, Azure managed identities and CI/CD OIDC tokens.
Blast radius: The set of resources and actions an attacker can reach if a given cloud identity is compromised — determined by effective permissions, not assigned ones.

📚 Sources

Wiz — Cloud Infrastructure Entitlement Management (CIEM) solution page. wiz.io/solutions/ciem
Wiz Academy — What Is CIEM? Use Cases, Challenges and Benefits. wiz.io/academy/cloud-security/cloud-infrastructure-entitlement-management-ciem
Wiz Academy — Cloud Entitlement Management: How To Reduce Identity Risk. wiz.io/academy/cloud-security/cloud-entitlement-management
Wiz Academy — CIEM vs. IAM: How Do They Compare?. wiz.io/academy/cloud-security/ciem-vs-iam
Wiz Blog — CIEM and Secure Cloud Access: Best Practices from Wiz and CyberArk. wiz.io/blog/best-practices-from-wiz-and-cyberark
AWS — AWS IAM policy evaluation logic — effective permissions resolution. docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html

What's next?

Understood entitlements? Next, go deep on Wiz Attack Paths — how the graph engine chains identity risks with misconfigurations and exposed secrets to find the routes an attacker would actually take to your crown jewels.

Next · All interview lessons → Practice on exam.techclick.in →

Wiz CIEM — Effective Permissions & the Identity Attack Surface

🎯 By the end you will be able to

Pick where you want to start

The CIEM problem

Identity attack surface

Least privilege engine

Cross-account & external risk

① The CIEM problem — assigned vs effective permissions and permission sprawl

② The identity attack surface — every identity Wiz maps

Why federated and workload identities are the hardest

③ The least privilege engine — activity analysis and right-sizing

▶ Watch Wiz detect and remediate a wildcard permission on a CI/CD role

④ Cross-account & external identity risk — trust boundaries and detection

Detection signals Wiz raises

🤖 Ask the AI Tutor

📝 Wrap-up assessment — six more

🧠 In your own words

🗣 Teach a friend

📖 Glossary

📚 Sources

What's next?