Analysis Methodology

Eight dimensions of
cloud access analysis

Every analysis evaluates the full AWS authorization stack. No shortcuts. No single-layer approximations.

The Full Authorization Stack — AWS

SCP

Service Control Policies

RCP

Resource Control Policies

IbP

Identity-based Policies

PB

Permission Boundaries

RbP

Resource-based Policies

Cond

Conditions & Sessions

Every who-can query resolves all 6 layers to produce the real answer

Each layer can block the ones before it — an SCP deny kills an identity allow, a permission boundary caps attached policies, a condition can override everything. The answer exists only after all 6 are composed.

AWS shown here. The same whole-chain discipline extends to every cloud our customers run on — layers differ, the principle doesn't.

01 / The WHO-CAN Approach

Inverted Analysis

Traditional tools start from identities and list what they can do. Whocan inverts the question: start from your most critical assets and find every path that reaches them. This is how attackers think — they target resources, not policies.

Analysis flow

Input

Critical asset

S3 bucket, KMS key, secret, database

Analysis

Full-chain resolution

SCP → RCP → IbP → PB → RbP → Conditions

Result

Every principal with access

Users, roles, IC users, cross-account

Layers evaluated: SCPRCPIbPPBRbPConditions

Why it matters

Starting from resources reveals access paths that identity-first analysis misses: resource policies granting direct access, cross-account trust chains, and condition-dependent paths that only activate under specific circumstances.

Example queries

Who can read production secrets?

who-can(
    action: "secretsmanager:GetSecretValue"
    resource: secrets
)

Who can decrypt with production KMS keys?

who-can(
    action: "kms:Decrypt"
    resource: var:prod-kms-keys
)
Real-world scenario: LexisNexis — 3.9M records from one ECS task role

02 / Managed Policy Tracking

External Policies Evolution

Cloud providers silently update managed policies. When AWS adds a new action to AmazonBedrockLimitedAccess, every principal with that policy gains a new capability — without any action on your part. Your posture changes. You don't know.

Analysis flow

Input

AWS updates managed policy

New action added silently

Analysis

Catalog tracking

Updated catalog mapped against your policies

Result

Posture re-evaluation

All affected principals flagged

Layers evaluated: SCPRCPIbPPBRbPConditions

Why it matters

Static security frameworks update their action lists weeks or months after AWS. During that gap, your policies grant capabilities that no tool detects. Whocan stays current with AWS's action catalog and re-evaluates your policies without that lag.

Example queries

Who can create service-specific credentials?

who-can(
    action: "iam:CreateServiceSpecificCredential"
)

03 / Wildcard Expansion Tracking

Service Evolution

A policy granting iam:Get* written in 2023 automatically covers every new Get action AWS adds in 2024-2026. When AWS launches a new service, existing wildcard policies like s3:* or bedrock:* silently match all its actions — including ones the policy author never anticipated.

Analysis flow

Input

AWS adds new action

bedrock:InvokeModelWithResponseStream

Analysis

Wildcard match detection

Existing bedrock:* policies now cover it

Result

Affected principals identified

New capability surfaced immediately

Layers evaluated: SCPIbPPBRbP

Why it matters

Every wildcard is a forward contract on future AWS actions. Whocan evaluates wildcards against the live action catalog, not a static list. When AWS adds bedrock:InvokeModelWithResponseStream, Whocan knows which policies already match it.

Example queries

Who can invoke any Bedrock action?

who-can(
    action: "bedrock:InvokeModel"
    resource: resources where self.Arn ~ /bedrock/
)

04 / Grant-Intent Divergence

Provenance Drift

Permissions accumulate. A role created for a narrow job grows wildcards, inherits group attachments, and acquires reach its author never approved. Provenance Drift compares a principal's current effective authority to the intent encoded at grant time — and surfaces the delta as a first-class result.

Analysis flow

Input

Grant-time baseline

Effective authority at creation or last review

Analysis

Divergence analysis

Current effective reach vs. recorded baseline

Result

Scope-creep findings

Principals whose effective authority exceeds intent

Layers evaluated: SCPIbPPBRbP

Why it matters

Quarterly access reviews catch obvious admins. They miss the slow accretion: a team membership added two quarters ago, a managed policy that grew an action, a permission boundary that was widened "temporarily". Provenance Drift makes that accretion visible as a continuous query, not an audit-week scramble.

Example queries

Principals whose effective reach diverges from baseline

users where self.Entitlements.Drift.size() > 0
    map { Name, Arn, Drift: self.Entitlements.Drift }

05 / Transitive Access Graph

Lateral Movement

An attacker who compromises one identity doesn't stop there. They discover cross-account roles with broad trust policies, assume roles across accounts, and escalate privileges at each hop. A 3-hop chain — user to role A to role B to admin — is invisible to individual policy reviews.

Analysis flow

Input

Compromised identity

User, role, or IC user

Analysis

Transitive graph computation

All assume-role chains resolved

Result

Full blast radius mapped

Every reachable role and resource

Layers evaluated: SCPRCPIbPRbPConditions

Why it matters

Whocan computes the complete transitive assume-role graph across all accounts. Every chain is visible: user → role → role → admin. Including Identity Center sessions, cross-account trust, and service-linked role paths.

Example queries

Roles assumable by any AWS principal

roles where self.AssumeRoleStatement has (
    self.Effect == "Allow"
    & self.Principal includes "*"
)

Cross-account role trust analysis

roles where self.AssumeRoleStatement has (
    self.Effect == "Allow"
    & self.Action includes "sts:AssumeRole"
) map { Name, Arn, AssumeRoleStatement }
Real-world scenario: SCARLETEEL — 19-principal lateral movement chain

06 / Dynamic Critical Sequences

Privilege Escalation

Most privilege escalation paths don't appear in security referentials. They are multi-step sequences where individually harmless permissions combine into admin access: PassRole + CreateFunction + InvokeFunction = escalation to any role. Whocan discovers these dynamically — not from a static checklist.

Analysis flow

Input

Individual permissions

iam:PassRole + lambda:CreateFunction + lambda:InvokeFunction

Analysis

Sequence detection

Multi-step chain computed dynamically

Result

Escalation paths flagged

Full path to admin or sensitive access

Layers evaluated: SCPIbPPBRbP

Why it matters

Security frameworks maintain static lists of "sensitive actions" updated weeks after AWS changes. Whocan computes critical sequences dynamically, discovering escalation paths that no predefined list contains.

Example queries

All privilege escalation sequences

users where self.Entitlements.Abilities includes "iam-privilege-escalation"
    map { Name, Arn, Sequences: self.Entitlements.Sequences }

Who can pass roles to Lambda?

who-can(
    action: "iam:PassRole"
    always-ok-vars: ["iam:PassedToService"]
)
Real-world scenario: SCARLETEEL — Lambda code injection escalation

07 / Attribute-Based Access Control

Application Segmentation

In a well-governed environment, App A's principals should never access App B's resources. Whocan validates workload boundaries using tag-based attribute control (ABAC): principals tagged team=platform shouldn't read buckets tagged app=payments. Cross-boundary violations are surfaced immediately.

Analysis flow

Input

Tagged principals & resources

team=X, application=Y, dp:include:network

Analysis

Cross-boundary evaluation

Tag conditions resolved across full stack

Result

Boundary violations surfaced

App A principals reaching App B resources

Layers evaluated: SCPRCPIbPPBRbPConditions

Why it matters

Data perimeter policies use tags like dp:include:network and dp:exclude:identity to scope controls. Whocan evaluates these conditions realistically, validating that your ABAC controls actually enforce the boundaries you intended — across SCPs, RCPs, identity policies, and resource policies.

Example queries

Cross-application bucket access

app-a-users = users where self.Tags has (
    self.Key == "application" & self.Value == "app-a"
)
app-b-buckets = buckets where self.Tags has (
    self.Key == "application" & self.Value == "app-b"
)
who-can(
    among: app-a-users,
    action: "s3:GetObject",
    resource: app-b-buckets
)

Environment isolation: dev vs. production

dev-users = users where self.account() in var:dev-accounts
prod-resources = buckets where self.account() in var:production-accounts
who-can(
    among: dev-users,
    action: "s3:GetObject",
    resource: prod-resources
)

08 / Organization Boundary Enforcement

Data Perimeter

Can an external role or principal assume a role in your organization? Can data leave through a misconfigured resource policy? Whocan validates the three perimeter dimensions — identity, resource, and network — checking that only trusted identities access trusted resources from expected networks.

Analysis flow

Input

External principal

Account outside organization, third-party role

Analysis

Three-perimeter validation

Identity + Resource + Network boundaries

Result

External access paths detected

Unauthorized cross-boundary access flagged

Layers evaluated: SCPRCPIbPPBRbPConditions

Why it matters

Data perimeter controls rely on SCPs, RCPs, VPC endpoint policies, and resource policies working together. A gap in any layer creates an exfiltration path. Whocan evaluates all layers simultaneously, detecting external access paths that per-layer analysis misses.

Example queries

Roles assumable from outside the organization

roles where self.AssumeRoleStatement has (
    self.Effect == "Allow"
    & self.Principal includes "*"
)

Cross-account KMS access

prod-keys = kms-keys where self.account() in var:production-accounts
cross-account-readers = who-can(
    action: "kms:Decrypt"
    resource: prod-keys
) where self.account() not in var:production-accounts
cross-account-readers
Real-world scenario: S3 Ransomware — external KMS key encryption

09 / ABAC Down to the Row

Data-plane Conditions

Most tools stop at "conditional access — we can't tell you who." Whocan materializes the runtime context with the env: parameter and evaluates condition keys that depend on it. The result is a concrete principal list, not a disclaimer.

Analysis flow

Input

Tenant or context to test

tenantId=tenant-a

Analysis

env: context materialization

Condition keys evaluated against the supplied context

Result

Resolved principal list

Exact access for the specific scenario, no disclaimers

Layers evaluated: SCPRCPIbPPBRbPConditions

Why it matters

Real multi-tenant isolation, per-customer encryption boundaries, and row-level access control all depend on condition keys that resolve at request time. A tool that returns "conditional access" cannot prove these boundaries hold. Whocan supplies the context explicitly and returns the actual answer — the same authorization decision AWS itself would make for that specific request.

Example queries

Multi-tenant object-tag isolation (S3)

tenant-id = "tenant-a"

who-can(
    action: "s3:GetObject"
    resource: var:multi-tenant-bucket
    env: {"s3:existingobjecttag/tenantid": tenant-id}
)

Coverage matrix

Every dimension evaluates the full AWS authorization stack. No single-layer shortcuts.

Analysis DimensionSCPRCPIbPPBRbPCondKey Detection
Inverted AnalysisWho can read production secrets?
External Policies EvolutionWho can create service-specific credentials?
Service EvolutionWho can invoke any Bedrock action?
Provenance DriftPrincipals whose effective reach diverges from baseline
Lateral MovementRoles assumable by any AWS principal
Privilege EscalationAll privilege escalation sequences
Application SegmentationCross-application bucket access
Data PerimeterRoles assumable from outside the organization
Data-plane ConditionsMulti-tenant object-tag isolation (S3)

§ — Further reading

The rest of the product — in the same detail.

What you can ask

Ask the hard questions in one query

From access reviews to privilege-escalation paths — one query runs the full decision chain and returns the real principals.

Who can read the PII bucket

Exhaustive list of principals who can s3:GetObject on the bucket storing personal data.

monitorable 
who-can(
    action: "s3:GetObject"
    resource: var:sensitive-buckets
)

Non-admin users who can decrypt production secrets

Composes computed entitlements with who-can. Surfaces users who should not reach encrypted data but can — a least-privilege violation on the encryption boundary.

monitorable 
admin-users = users where self.Entitlements.Abilities includes "iam-admin"

secret-prod-readers = who-can(
    action: "kms:Decrypt"
    resource: var:prod-kms-keys
)

users where self in secret-prod-readers & self not in admin-users

Multi-tenant: who can read tenant-A objects in a shared bucket

Evaluates s3:ExistingObjectTag natively via env. Most CSPMs return only "conditional access" without resolving it — this returns the actual principal list.

monitorable 
tenant-id = "tenant-a"

who-can(
    action: "s3:GetObject"
    resource: var:multi-tenant-bucket
    env: {"s3:existingobjecttag/tenantid": tenant-id}
)
Questions a graph can’t answer →

Continuous monitoring

Detect Drift — and See Exactly What Changed

Save any RQL query as a monitor. Whocan re-evaluates on every refresh and alerts when the result set changes. Then compares two snapshots side by side — which principals appeared, which disappeared, when — an auditor-grade change ledger per query.

  • Drift alerts — fire the moment a saved query result changes
  • Differential queries — see exactly which principals appeared or disappeared
  • Auditor-grade change ledger per query for compliance evidence
  • Threshold-based severity levels (critical / warning / ok)
  • Pre-built monitors for admins, bucket access, escalation paths
  • Daily re-evaluation (Pro) or on-demand (Enterprise)

New admin detected

critical

role/ci-deploy-pipeline now has iam-admin entitlement on prod account

+1 principal·Evaluated 2 hours ago

Cross-env bucket access

warning

dev-account role can read s3://production-data — environment isolation breach

+1 access path·Evaluated 2 hours ago

Open trust policies

critical

0 roles with open trust policies allowing assume from any AWS account

No change·Evaluated 2 hours ago

What-if simulation

Test Before You Deploy

Create virtual roles and resources that exist only in Whocan. Model proposed changes, vet third-party trust, and simulate attacker-controlled roles — all without touching AWS.

Model Before Creating

Design a new IAM role with full trust policy, permissions, and boundaries. Whocan evaluates it against your real environment before you deploy to AWS.

# Virtual role analysis

roles where name == "new-ci-role"

| who-can(action: "s3:*")

Vet Third-Party Access

Before granting a vendor cross-account access, model their role in Whocan. See exactly what they can reach through trust chains, SCPs, and resource policies.

Trust policy simulationCross-account chainsLeast privilege check

Incident Response

During an incident, model the attacker's assumed role to instantly map blast radius — which resources they can access, which accounts they can pivot to.

Blast radius mappingLateral movementAssumable role chains

Coming soon: Virtual Resources — model S3 buckets, KMS keys, and SQS queues with resource-based policies for end-to-end access simulation.

AI agent governance

Built for AI Agents and Service Identities

Traditional cloud security assumes human pace. AI agents don't — they make thousands of API calls per minute, chain credentials across services, and run without anyone clicking. And Amazon Bedrock supports no resource-based policies: whether a principal can invoke a model or rewire an agent is decided entirely on the identity side — the exact chain Whocan computes.

Review Before Deploy

Model a new agent's IAM role in Whocan before a single API call. Virtual Roles reveal every resource it can reach and every escalation path it opens — so you approve what's safe, not what's convenient.

# Proposed AI agent role

roles where name == "agent-vendor-x"

| who-can(action: "kms:Decrypt",

resource: var:customer-keys)

Blast Radius on Demand

An agent is compromised at 14:32. One query returns everything it could touch — cross-account pivots, resources reached through conditional access, chained credentials. Seconds, not hours.

Cross-account pivotsConditional access resolvedFull chain evaluation

Non-Human Identities, First Class

Service accounts, bots, CI runners, agents — query them the way you query users. Who can decrypt which secret. Who can assume which role. Who has effective admin without being in any admin group.

Service accountsBots & agentsTrust chains

Same engine, different principals: the authorization chain that evaluates your human IAM evaluates AI agents identically. Same RQL. Same accuracy.

Always current

Always Up to Date

We don't depend on security frameworks with outdated lists. New AWS actions show up in your results without waiting for a benchmark update.

Same day

When AWS releases a new action, your existing policies surface as covering it — the same day attackers can use it.

Dynamic

Privilege escalation sequences are computed from your actual environment, not from a pre-defined checklist.

Weeks ahead

Traditional security frameworks update weeks or months after new AWS actions. Whocan keeps you current without that lag.

AI-powered

Ask Questions, Get Answers

Whocan's AI assistant compiles natural language into RQL — the same query language the engine runs on. Other vendors' chatbots search documentation. Ours compiles to an authorization decision you can read, edit, save, and monitor.

  • Compiles plain English into real RQL — not generic LLM prose
  • Executes the compiled query against your live environment
  • Returns principal lists, not confidence scores
  • The query is yours — edit it, save it, version it, share it
  • Offers to save the query as a continuous monitor
U
Can anyone from the dev account read the production bucket?
AI

I'll check cross-environment access. Running:

who-can(action: "s3:GetObject", resource: prod-bucket, among: dev-principals)

Found 3 principals with access. Setting up a monitor?

Know your real posture.
Not what your policies say on paper.

15 minutes to deploy. No agents. Read-only access. See your real IAM posture immediately.

·