A new engine that enforces AWS access recertification in real time

Most organizations run AWS access reviews that never actually remove the access they revoke. A review ends with a “no” decision, a ticket is filed, and the permissions remain untouched. That gap between policy and reality has finally met a tool designed to close it.
From paper to action
VIGIL treats the recertification question—should this access still exist?—as a single atomic step. Instead of generating a list for human approval and hoping someone follows up, the engine discovers which resources an owner has access to, asks for a keep, trim, or remove choice, applies the change on the live resource, and records the proof. The owner’s decision and the permission change happen at the same time, eliminating weeks or months of lingering risk.
Safe removal, scoped enforcement
Broad revocations can trigger outages, so VIGIL never detaches entire policies. If access came from a bucket policy, it removes only the specific principal or actions from that policy. If the access is tied to a principal’s own IAM policy, it adds a resource-scoped explicit Deny, leaving unrelated permissions intact. When a change cannot be made narrowly, VIGIL raises a ticket rather than guessing.
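The narrowing strategy described above, as an added example in Python; this is illustrative code, not VIGIL's own, and it operates on policy documents held in memory rather than calling AWS. It drops only the reviewed principal from the Allow statements that name it, adds a resource-scoped explicit Deny for grants that live in the principal's identity policy, and returns a "ticket" outcome instead of guessing when the grant is a wildcard shared with other principals. The account id, ARNs and policy documents are constructed samples.

```python
"""Scoped revocation in an S3 bucket policy (added example, not VIGIL's code).

All ARNs, account ids and policies below are constructed samples.
"""
import copy

ALICE = "arn:aws:iam::111122223333:user/alice"  # constructed
BOB = "arn:aws:iam::111122223333:user/bob"      # constructed
BUCKET = "arn:aws:s3:::example-bucket"          # constructed

SAMPLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Analysts", "Effect": "Allow", "Principal": {"AWS": [ALICE, BOB]},
         "Action": ["s3:GetObject"], "Resource": f"{BUCKET}/*"},
        {"Sid": "AliceList", "Effect": "Allow", "Principal": {"AWS": ALICE},
         "Action": ["s3:ListBucket"], "Resource": BUCKET},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": f"{BUCKET}/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

PUBLIC_READ_POLICY = {  # wildcard grant: cannot be narrowed to a single principal
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Public", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": f"{BUCKET}/*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _aws_principals(stmt):
    """AWS principal ARNs named by a statement ([] for '*' or service principals)."""
    principal = stmt.get("Principal")
    if isinstance(principal, dict) and "AWS" in principal:
        return _as_list(principal["AWS"])
    return []


def principal_has_direct_grant(policy, principal_arn):
    return any(s.get("Effect") == "Allow" and principal_arn in _aws_principals(s)
               for s in policy.get("Statement", []))


def _is_wildcard_allow(stmt):
    return stmt.get("Effect") == "Allow" and (
        stmt.get("Principal") == "*" or "*" in _aws_principals(stmt))


def remove_principal_from_bucket_policy(policy, principal_arn):
    """Copy of the policy with principal_arn removed from every Allow statement.
    A statement that granted access only to this principal is dropped; Deny
    statements, wildcard grants and other principals' grants are untouched."""
    out = copy.deepcopy(policy)
    kept = []
    for stmt in out.get("Statement", []):
        if stmt.get("Effect") != "Allow" or principal_arn not in _aws_principals(stmt):
            kept.append(stmt)
            continue
        remaining = [p for p in _aws_principals(stmt) if p != principal_arn]
        if remaining:  # keep the statement for the principals that still need it
            stmt["Principal"]["AWS"] = remaining if len(remaining) > 1 else remaining[0]
            kept.append(stmt)
    out["Statement"] = kept
    return out


def add_scoped_deny(identity_policy, resource_arn, sid="RecertScopedDeny"):
    """Copy of an IAM identity policy with an explicit Deny limited to one bucket
    and its objects, for grants that cannot be removed on the resource side."""
    out = copy.deepcopy(identity_policy)
    out.setdefault("Statement", []).append({
        "Sid": sid, "Effect": "Deny", "Action": "s3:*",
        "Resource": [resource_arn, f"{resource_arn}/*"],
    })
    return out


def plan_bucket_revocation(policy, principal_arn):
    """('narrow', new_policy) when the principal is named directly; ('ticket', reason)
    when its only grant is a wildcard Allow other principals depend on;
    ('noop', None) when this policy grants it nothing."""
    if principal_has_direct_grant(policy, principal_arn):
        return "narrow", remove_principal_from_bucket_policy(policy, principal_arn)
    if any(_is_wildcard_allow(s) for s in policy.get("Statement", [])):
        return "ticket", "grant is a wildcard Allow shared with other principals"
    return "noop", None
```

Applying the narrowed document to a real bucket would be a separate `put_bucket_policy` call made only after the before-state has been captured; the point of the planner is that the "ticket" branch exists so the engine never removes a wildcard grant that other principals rely on.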
Evidence that survives audits
Every decision and change is written to an append-only trail where each record is hash-linked to the previous one, making tampering detectable. Optional storage in an S3 Object Lock bucket prevents deletion for a set retention period. Because the engine snapshots the before-state, any change can be rolled back on demand—an auditor’s request for evidence becomes a straightforward query rather than a hunt through spreadsheets.
Built for extension
VIGIL ships with connectors for S3 buckets, IAM users, IAM roles, and EC2 instances, each implemented as four methods: snapshot, revoke, modify, and rollback. Adding new services only requires a new connector, not a rewrite of the core engine. The entire system is serverless—Lambda, SQS, DynamoDB, Cognito, SES, and API Gateway—with a documented REST API so teams can plug in their own interfaces.
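The hash-linked trail from the "Evidence that survives audits" section and the snapshot/revoke/modify/rollback connector shape from this section, as one added example in Python. It is not VIGIL's code: the connector is an in-memory stand-in whose every action is appended to a trail in which each record carries the SHA-256 of the previous record, so editing or deleting an earlier entry breaks verification, and whose rollback restores the before-state captured ahead of the last change. Resource ids, principals, permissions and the owner address are constructed samples.

```python
"""Hash-linked recertification trail with snapshot-based rollback (added example).

Not VIGIL's code. Resource ids, principals and permissions are constructed samples.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64  # link value carried by the first record


def _digest(record: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is independent of key order.
    data = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


class AuditTrail:
    """Append-only list of records; each hash covers the record's content plus prev."""

    def __init__(self):
        self.records = []

    def append(self, event: dict) -> dict:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        body = {"seq": len(self.records), "prev": prev, **event}
        rec = {**body, "hash": _digest(body)}
        self.records.append(rec)
        return rec

    def verify(self) -> bool:
        """True only if every record hashes correctly and links to its predecessor."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["seq"] != i or rec["prev"] != prev or _digest(body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


class InMemoryConnector:
    """Connector stand-in. `store` maps resource id -> {principal: [actions]}."""

    def __init__(self, store: dict, trail: AuditTrail):
        self.store = store
        self.trail = trail
        self.snapshots = {}  # resource -> before-state of the most recent change

    def snapshot(self, resource: str) -> None:
        self.snapshots[resource] = copy.deepcopy(self.store[resource])
        self.trail.append({"action": "snapshot", "resource": resource,
                           "state": self.snapshots[resource]})

    def revoke(self, resource: str, principal: str, decided_by: str) -> None:
        self.snapshot(resource)  # capture the before-state, then change
        self.store[resource].pop(principal, None)
        self.trail.append({"action": "revoke", "resource": resource,
                           "principal": principal, "decided_by": decided_by})

    def modify(self, resource: str, principal: str, actions: list, decided_by: str) -> None:
        self.snapshot(resource)
        self.store[resource][principal] = sorted(actions)  # the "trim" decision
        self.trail.append({"action": "modify", "resource": resource, "principal": principal,
                           "actions": sorted(actions), "decided_by": decided_by})

    def rollback(self, resource: str) -> None:
        # Restores the state captured before the most recent change to this resource.
        self.store[resource] = copy.deepcopy(self.snapshots[resource])
        self.trail.append({"action": "rollback", "resource": resource})


def run_demo() -> dict:
    trail = AuditTrail()
    store = {"example-bucket": {"alice": ["s3:GetObject", "s3:PutObject"],
                                "bob": ["s3:GetObject", "s3:PutObject"]}}
    conn = InMemoryConnector(store, trail)
    conn.revoke("example-bucket", "alice", decided_by="owner@example.com")  # remove
    conn.modify("example-bucket", "bob", ["s3:GetObject"], decided_by="owner@example.com")  # trim
    bob_after_trim = list(store["example-bucket"]["bob"])
    conn.rollback("example-bucket")  # undoes the trim; alice's earlier revocation stands
    result = {
        "alice_present": "alice" in store["example-bucket"],
        "bob_after_trim": bob_after_trim,
        "bob_after_rollback": store["example-bucket"]["bob"],
        "records": len(trail.records),
        "verified": trail.verify(),
    }
    # An after-the-fact edit of an earlier record breaks the chain.
    trail.records[1]["principal"] = "carol"
    result["verified_after_tamper"] = trail.verify()
    return result


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Hash-linking makes tampering detectable but not impossible: whoever can rewrite the whole tail can recompute every later hash, which is why the page pairs the chain with Object Lock retention so that earlier records cannot be rewritten at all.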
Source: DEV Community. AI-assisted editorial synthesis — TechnoExpress.

