All posts
June 18, 20264 min read

Non-human identity: what it means for your access reviews (on AWS)

When a service account is granted more permissions than it ever needs, the hidden cost is a bloated access review that masks risky drift and forces auditors to chase phantom privileges. Most teams treat non‑human identities like throw‑away keys: a long‑lived IAM user or an AWS access key that is copied into CI pipelines, Terraform modules, or legacy scripts. The credential is often shared across multiple jobs, never rotated, and rarely tied to a single owner. Because the key is static, no one k

Free White Paper

Non-Human Identity Management + Access Reviews & Recertification: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

When a service account is granted more permissions than it ever needs, the hidden cost is a bloated access review that masks risky drift and forces auditors to chase phantom privileges.

Most teams treat non‑human identities like throw‑away keys: a long‑lived IAM user or an AWS access key that is copied into CI pipelines, Terraform modules, or legacy scripts. The credential is often shared across multiple jobs, never rotated, and rarely tied to a single owner. Because the key is static, no one knows which job actually used it, and the audit trail is a single line in CloudTrail that says “AssumeRole” without context. Over time the permission set balloons as engineers add policies to fix breakages, creating a “permission creep” problem that only surfaces during a painful, manual access review.

In practice, an access review for these accounts becomes a guessing game. Reviewers see a list of attached policies, but they cannot tell whether a policy is still required, whether a particular Lambda function still calls the service, or whether a recent code change has rendered the permission obsolete. The result is either a rush to grant blanket exceptions – inflating the attack surface – or an exhaustive manual hunt that consumes weeks of engineering time.

The root of the problem is that the identity provisioning step alone does not provide visibility or control over the actual usage of the credential. Switching to non‑human identities that are issued via OIDC or short‑lived service tokens solves the credential‑sprawl, but the request still travels directly to the target AWS service. Without an intervening enforcement point, there is still no audit of each command, no inline masking of sensitive response data, and no just‑in‑time approval workflow that could surface risky actions before they happen.

What teams need is a gateway that sits on the data path, intercepts every request from a non‑human identity, and applies policy before the request reaches the AWS resource. hoop.dev is built exactly for that purpose.

Setup: defining non‑human identities

The first step is to provision service accounts as OIDC‑backed identities or AWS IAM roles that are mapped to groups in your identity provider. The setup phase decides who can request a connection, what groups they belong to, and which resources they are allowed to target. This is the classic “who am I” question that identity providers answer, but on its own it does not enforce any runtime guardrails.

The data path: hoop.dev as the enforcement boundary

hoop.dev sits between the identity token and the AWS service. Every API call, CLI command, or SDK request is proxied through the gateway. Because the gateway is the only place the traffic passes, it can inspect the wire‑protocol, apply policies, and record the interaction before the request ever reaches the target.

Enforcement outcomes that matter for access reviews

hoop.dev records each session, preserving a replayable log that shows exactly which command was issued, by which service account, and what response was returned. This log becomes the primary evidence for any access review, eliminating the need to infer intent from static policy documents.

Continue reading? Get the full guide.

Non-Human Identity Management + Access Reviews & Recertification: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

hoop.dev masks sensitive fields in responses, such as secret values returned by Parameter Store or database credentials leaked in error messages. Masking reduces the risk of exposing secrets during a review while still providing enough context to understand the operation.

hoop.dev enforces just‑in‑time approval for high‑risk actions. When a service account attempts a privileged operation, the request is paused and routed to an approver. The approval decision is captured in the audit trail, giving reviewers a clear “who approved what” record.

hoop.dev blocks disallowed commands before they reach the AWS endpoint. Dangerous patterns – for example, a DeleteTable call on a production DynamoDB table – are intercepted and denied, preventing accidental or malicious data loss.

Why this changes the access‑review game

Because enforcement happens at the gateway, reviewers no longer need to guess which permissions are still in use. The session logs show real usage, the approval records highlight privileged actions, and the masking ensures no secret data is unintentionally disclosed. The result is a leaner, evidence‑based review process that focuses on actual behavior rather than static policy artifacts.

In addition, the gateway centralises policy management. Instead of scattering IAM policies across dozens of services, you define intent‑based rules once in hoop.dev and let the gateway enforce them consistently for every non‑human identity.

What to watch for when implementing

  • Make sure every service account is represented as an OIDC‑backed identity or short‑lived role. Legacy long‑lived keys should be rotated out.
  • Map identities to logical groups that reflect business functions (e.g., “data‑pipeline‑jobs” or “batch‑processors”). Use those groups in hoop.dev policies.
  • Define clear approval thresholds – for example, any S3 DeleteObject on a production bucket requires a manager’s sign‑off.
  • Validate that the gateway can reach the target VPC or subnet; the agent runs close to the resource and the gateway proxies traffic transparently.
  • Review the generated session logs regularly to fine‑tune policies and reduce false positives.

For a step‑by‑step walkthrough of provisioning non‑human identities and wiring them through the gateway, see the getting‑started guide. The broader feature set, including masking and approval workflows, is documented in the learn section.

FAQ

How does hoop.dev improve the accuracy of my access reviews?

By recording every command and response, hoop.dev gives reviewers concrete evidence of what each service account actually did, rather than relying on static policy definitions.

Do I need to replace my existing IAM policies?

No. Existing policies remain in place, but hoop.dev adds a runtime enforcement layer that can tighten or relax access dynamically based on real usage.

Can hoop.dev be added without changing my application code?

Yes. The gateway works with standard AWS CLI, SDKs, and other clients. You point the client at the hoop.dev endpoint and the rest of the flow stays unchanged.

Explore the source code and contribute on GitHub.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot