Level 300
Before diving into the technical depths of permission sets and CDK pipelines, let's take a brief journey through the story so far. Our exploration began with the challenge of managing access in the cloud, a task that is both critical and complex as organizations scale. In the first installment, we introduced the foundations: using AWS IAM Identity Center as the central hub for managing user identities and permissions efficiently across multiple AWS accounts. We looked at how a consistent and automated approach helps streamline authorization, reduce manual errors, and improve auditability.
The next chapter followed with practical examples illustrating how to create and deploy permission sets via Infrastructure-as-Code. Here, we learned to define reusable templates for permissions, enabling teams to replicate best practices and accelerate onboarding for new projects. Along the way, pitfalls emerged, such as misconfigured policies or improper use of wildcards, which provided valuable lessons on the importance of policy validation and iterative testing in a DevSecOps environment.
Turning to recent news: in June 2025 AWS introduced IAM Access Analyzer internal access findings, which identify principals in an AWS organization with access to key resources such as S3 buckets, DynamoDB tables, and RDS snapshots by analyzing the various policy types that apply. Results appear on a unified dashboard for fast response, or can drive automated notifications via Amazon EventBridge, improving compliance and data security.
In February 2026, AWS added multi-Region replication for Identity Center, allowing workforce identities and permission sets to sync across Regions. This boosts resiliency, supports data residency requirements, and ensures consistent access control for global deployments.
Additionally, the integration of generative AI solutions into authorization workflows is reshaping how policies are analyzed and managed. With the introduction of AWS Kiro, an AI-powered assistant for access analysis, teams can now automatically detect policy anomalies, receive context-aware recommendations, and accelerate remediation efforts. This part will explore these innovations and demonstrate how they can be practically applied to build secure, efficient, and adaptive authorization pipelines in the modern enterprise.
The Challenge
As an AWS security specialist, you face the task of modernizing your organization's authorization management workflow. The goal is to enhance the provisioning and management of access controls across AWS environments while preserving robust multi-region replication capabilities, upholding DevSecOps best practices, and ensuring that human oversight remains integral to the process. At the same time, you must increase resiliency, proactively mitigate risks, and introduce AI-driven solutions to streamline operations and strengthen security posture.
How can AI enhance this workflow? 🧐
Integrating AI into authorization workflows, especially with tools like Kiro, dramatically enhances both efficiency and security. AI-powered assistants can automatically analyze complex IAM policies for anomalies or risky configurations, such as improper use of wildcards or misconfigured permissions, which are often the sources of failed pipeline executions and compliance gaps. By leveraging generative AI, organizations receive real-time, context-aware recommendations for policy corrections, reducing manual troubleshooting and accelerating remediation. AI solutions can also automate policy reviews, flag potential issues before deployment, and offer suggestions to align with best practices, thus minimizing human error and strengthening security posture. In addition, AI-driven analytics help teams continuously monitor and adapt policies to evolving threats, ensuring adaptive and resilient access control across global environments. Altogether, AI capabilities transform the workflow by making policy management more proactive, scalable, and responsive to both technical and regulatory demands.
Let's start by enhancing our workflow from traditional CI/CD to an **Architect in the Loop approach**.
In the Architect in the Loop (AITL) model, architects collaborate with AI systems, which generate options and analyze trade-offs. The architect reviews, contextualizes, and approves output based on technical and organizational needs. Here, AI performs most tasks but consults the architect for decisions and guidance when necessary.
The diagram depicts a multi-account AWS environment with a centralized management approach. It illustrates how various services, identity providers, and automation tools interact to enforce security, governance, and continuous deployment across multiple AWS accounts.
Key Components
Accounts and Regions
• AWS Account – DevSecOps: This is the primary development and security operations account, to which IAM Identity Center administration is delegated.
• AWS Account – Master: Acts as the central governance hub and manages the permission sets and policies that apply to itself.
• AWS Account – Security Tooling: Hosts security-focused tools and services for monitoring and analysis, and likewise manages the permission sets and policies that apply to itself.
Core Services
• Key Management Service (KMS): Provides encryption and key management for sensitive data.
• CloudWatch: Monitors system and application metrics.
• Secrets Manager: Stores and rotates secrets securely.
• AWS Chatbot: Enables chat-based monitoring and alerts.
• Lambda: Runs serverless functions for custom automation.
• IAM Access Analyzer: Analyzes policies for unintended access.
• S3 Reports Bucket: Stores logs and reports for auditing.
Identity and Access Management
• Identity Center and Third Party IdP icons are shown in the diagram, indicating that identity federation and centralized access management are part of the architecture.
• IAM Access Analyzer is highlighted, showing that policy analysis is performed to ensure least-privilege access using the validate-aws-policies Python package.
CI/CD Pipeline
The CI/CD pipeline is visualized as a sequence of steps:
• CodeCommit/GitHub (source code repository)
• CodeBuild (build step: Synth, CDK Pipelines self-mutate, management environment, Validate PermissionSet)
• Manual Approval (human gate for critical deployments)
Infrastructure Deployment
• CloudFormation templates are used for both Prepare and Deploy stages, indicating that the infrastructure is provisioned through IaC.
• The Permissions Set step shows that IAM permission sets are defined and applied as part of the deployment process.
Model Context Protocol (MCP) Integration
• Kiro IDE – Agents is highlighted, indicating that an MCP compatible IDE is used to generate policies and manage custom agents.
• The AWS MCP Server provides the necessary endpoint for agents to interact with AWS services.
• The label mcp-proxy-for-aws@latest refers to a proxy that facilitates secure communication between agents and AWS APIs, ensuring that policy generation and SOPs (Standard Operating Procedures) are executed safely.
Workflow Summary
- Source Control – Code is stored in CodeCommit/GitHub.
- Build – CodeBuild compiles the code and prepares the environment.
- Validation – Permissions sets are validated to ensure compliance.
- Manual Approval – A human reviewer authorizes the deployment.
- Deployment – CloudFormation templates are used to provision resources.
- Policy Generation – The Kiro IDE and AWS MCP Server generate policies based on requirements, leveraging mcp-proxy-for-aws for secure API calls.
Security and Governance Highlights
• Least-privilege access is enforced through IAM Access Analyzer and permission set validation.
• Centralized governance is maintained via the Master account and the delegated account, which together oversee permissions and policies across all accounts.
• Continuous monitoring is provided by CloudWatch and Secrets Manager, ensuring operational visibility and secure secret handling.
Hands On
It is time to create!
The first step is improving the security engineer's experience, whether as builder or operator, by enabling a smart IDE such as Kiro together with a custom agent that carries the project context.
Here is the agent specification:
```json
{
  "name": "secops",
  "description": "Specialized agent for managing AWS IAM Identity Center CDK project with permission sets, policies, and pipeline automation",
  "prompt": "You are an expert in AWS IAM Identity Center, AWS CDK (Python), and CI/CD pipelines. Your expertise includes:\n\n- IAM Identity Center permission sets and assignments\n- IAM Access Analyzer policy validation\n- AWS CDK infrastructure as code (Python)\n- CodePipeline and CodeBuild automation\n- Amazon Q Developer chatbot integrations (Slack/Teams)\n- Policy validation and security best practices\n- GitHub Actions and CodeCommit PR validation\n\nYou help with:\n- Creating and managing permission sets\n- Validating IAM policies with Access Analyzer\n- Troubleshooting CDK deployments\n- Configuring pipeline notifications\n- Setting up PR validation workflows\n- Implementing least privilege access\n\nAlways prioritize security, follow AWS best practices, and provide minimal, focused implementations.",
  "tools": [
    "fs_read",
    "fs_write",
    "execute_bash",
    "grep",
    "glob",
    "code",
    "use_aws",
    "aws___search_documentation",
    "aws___read_documentation",
    "web_search"
  ],
  "allowedTools": [
    "fs_read",
    "grep",
    "glob",
    "code",
    "aws___search_documentation"
  ],
  "toolsSettings": {
    "fs_write": {
      "allowedPaths": [
        "src/**",
        "project_configs/**",
        "tests/**",
        ".github/**",
        "scripts/**",
        "docs/**",
        ".kiro/**",
        "*.md",
        "*.yaml",
        "*.yml"
      ],
      "deniedPaths": [
        "cdk.out/**",
        ".venv/**",
        "node_modules/**",
        "__pycache__/**"
      ]
    },
    "execute_bash": {
      "allowedCommands": [
        "cdk synth",
        "cdk diff*",
        "cdk deploy*",
        "cdk ls",
        "pip install*",
        "python -m pytest*",
        "validate-aws-policies*",
        "git status",
        "git diff",
        "git log*",
        "aws iam*",
        "aws sso*",
        "aws identitystore*",
        "aws codepipeline*",
        "aws logs*",
        "aws s3 ls*"
      ],
      "autoAllowReadonly": true
    },
    "use_aws": {
      "allowedServices": [
        "iam",
        "sso",
        "sso-admin",
        "identitystore",
        "codepipeline",
        "codebuild",
        "s3",
        "logs",
        "cloudformation",
        "accessanalyzer",
        "secretsmanager",
        "chatbot"
      ],
      "autoAllowReadonly": true
    }
  },
  "resources": [
    "file://README.md",
    "file://project_configs/**/*.yaml",
    "file://cdk.json",
    "file://requirements.txt",
    "skill://.kiro/skills/**/SKILL.md"
  ],
  "hooks": {
    "agentSpawn": [
      {
        "command": "echo '📋 IAM Identity Center Project Context:' && echo ' - CDK Version:' $(cdk --version 2>/dev/null || echo 'Not installed') && echo ' - Python:' $(python --version 2>&1) && echo ' - AWS Profile:' ${AWS_PROFILE:-'default'} && echo ' - Project:' $(basename $(pwd))",
        "description": "Show project environment info"
      },
      {
        "command": "if [ -d 'project_configs/policies' ]; then echo '🔍 Validating IAM policies...' && validate-aws-policies -d project_configs/policies -c --quiet || echo '⚠️ Policy validation failed'; else echo 'ℹ️ No policies directory found'; fi",
        "description": "Auto-validate IAM policies with Access Analyzer"
      }
    ]
  },
  "mcpServers": {
    "aws-mcp": {
      "command": "uvx",
      "args": [
        "mcp-proxy-for-aws@latest",
        "https://aws-mcp.us-east-1.api.aws/mcp",
        "--metadata",
        "AWS_REGION=us-east-2"
      ],
      "timeout": 100000
    }
  },
  "keyboardShortcut": "ctrl+shift+i",
  "welcomeMessage": "🔐 IAM Identity Center Manager ready! I can help with:\n • Permission sets and policy validation\n • CDK deployments and troubleshooting\n • Pipeline notifications (Slack/Teams)\n • PR validation workflows\n • Access Analyzer integration\n\nWhat would you like to work on?"
}
```
The key point here is the prompt for a specialized agent designed to manage AWS IAM Identity Center projects using the AWS CDK (Cloud Development Kit), with a focus on permission sets, policies, and automation for CI/CD pipelines. Note also that only read-only tools are auto-approved, while writes, shell commands, and AWS calls are limited to explicit path, command, and service allowlists. This agent is described as an expert in several areas:
• AWS IAM Identity Center: Managing permission sets and assignments, which define what users and groups can access within AWS accounts.
• AWS CDK (Python): Using infrastructure-as-code techniques to automate the creation and management of AWS resources.
• CI/CD pipelines: Automating deployment workflows with CodePipeline and CodeBuild, ensuring reliable and repeatable processes.
• Policy validation: Leveraging IAM Access Analyzer to check and validate security policies, helping maintain least-privilege access and compliance.
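As an added example (not the project's code and not the validate-aws-policies package), here is a small local pre-check for the wildcard pitfalls mentioned above; it runs offline over a permission set's inline policy so that obvious problems are caught before the Access Analyzer validation stage. The sample policy is constructed for illustration.

```python
import json

# Constructed sample inline policy for a permission set. Statement 0 is scoped,
# statements 1 and 2 carry the wildcard pitfalls, statement 3 is a Deny.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-reports/*"},
        {"Effect": "Allow", "Action": ["iam:*"], "Resource": "*"},
        {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json: str) -> list:
    """Return (statement_index, message) pairs for Allow statements with risky wildcards."""
    doc = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # wildcards in Deny statements only narrow access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append((idx, "NotAction allows every action not listed"))
        if "*" in actions:
            findings.append((idx, "Action '*' allows every API call"))
        for action in actions:
            if action.endswith(":*") and "*" in resources:
                findings.append((idx, f"service-wide {action} on Resource '*'"))
    return findings


def is_deployable(policy_json: str) -> bool:
    """Gate to run before cdk synth: True only when the lint produced no findings."""
    return not lint_policy(policy_json)


if __name__ == "__main__":
    for idx, message in lint_policy(SAMPLE_POLICY):
        print(f"Statement {idx}: {message}")
```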
Now the agent skills.
Agent Skills
Skills are portable instruction packages that follow the open Agent Skills standard. They bundle instructions, scripts, and templates into reusable packages that Kiro can activate when relevant to your task.
Kiro supports the Agent Skills standard, so you can import skills from the community or other compatible AI tools and share your own skills across the ecosystem.
Here is an example of my skill:
````markdown
---
name: iam-identity-center-project
description: "Complete guide for IAM Identity Center CDK project including permission sets, policy validation, pipeline automation, and chatbot notifications. Use when working with this project's architecture, deployment, or troubleshooting."
keywords: [iam, identity-center, permission-sets, cdk, pipeline, chatbot, policy-validation]
---
# IAM Identity Center CDK Project

## Project Overview
This CDK project manages AWS IAM Identity Center permission sets with automated policy validation, CI/CD pipelines, and chatbot notifications.

## Key Components

### 1. Permission Sets Management
- **Location**: `project_configs/environment_options/*.yaml`
- **Stack**: `src/cdkv2_manage_identity_center_stack.py`
- Define permission sets with inline policies and managed policies
- Support for principal_name (auto-resolved) or principal_id (direct)

### 2. Policy Validation
- **Tool**: `validate-aws-policies` (IAM Access Analyzer)
- **Pipeline Step**: ValidatePermissionSet in CodeBuild
- **Formats**: JSON, HTML, Markdown reports
- **Storage**: S3 bucket (labvel-secure-reports)

### 3. CI/CD Pipeline
- **Stack**: `src/cdkv2_manage_identity_center_pipeline.py`
- **Stages**: Source → Build → UpdatePipeline → ValidatePermissionSet → Deploy
- **PR Validation**: GitHub Actions + CodeCommit triggers
- **Notifications**: Amazon Q Chatbot (Slack/Teams)

### 4. Chatbot Integration
- **Location**: `src/lib/chatbot/amazon_q_chatbot.py`
- **Features**: Native CodePipeline notifications + report summaries via webhook
- **Platforms**: Slack and Microsoft Teams
- **Reports**: Lambda posts validation summaries to chat

## Source Code Structure
```
src/
├── cdkv2_manage_identity_center_stack.py      # Main stack - permission sets
├── cdkv2_manage_identity_center_pipeline.py   # Pipeline stack
└── lib/
    ├── chatbot/
    │   ├── amazon_q_chatbot.py                # Chatbot construct
    │   └── lambda/notification_enricher.py    # Lambda for reports
    ├── sns/sns_codestart_notifications.py     # SNS notifications
    └── custom_resources/                      # Custom resources
```
**Note**: Use `fs_read`, `code`, or `grep` tools to explore source files on-demand.

## Quick Commands
...
````
With this approach, the security specialist can author policies that are both developer-friendly and secure, and validate them before they are committed.
The results
Pipeline execution:
The Slack custom notification and Amazon Q message:
And the reports:
Conclusion
Leverage AWS's latest features—such as multi-region Identity Center replication and advanced IAM Access Analyzer tools—and integrate generative AI assistants like Kiro. This approach combines automated policy analysis, real-time anomaly detection, and context-aware remediation with architect-in-the-loop oversight, allowing AI to handle routine tasks while security professionals review and approve critical changes. The result is a resilient, adaptive, and scalable workflow that proactively reduces risk, enforces compliance, and empowers teams to respond rapidly to evolving security and regulatory demands.
For more please contact us!
✨ Alejandro Velez, Platform Engineering Latam Lead @ GFT | AWS Ambassador