TL;DR: Spent 6 hours debugging why our GitOps pipeline kept blocking a critical deployment. Turns out IAM Access Analyzer doesn't care about your Permission Boundaries when evaluating trust policies. Principal {"AWS": "*"} plus a StringLike ARN condition is still globally exploitable. Fixed it with aws:PrincipalOrgID.

The Incident

Our zero-critical-finding security gate hard-blocked a hotfix for our order processing engine. The Terraform pipeline died during validation with:

    [FATAL] IAM Access Analyzer finding [RESOURCE_PUBLICLY_ACCESSIBLE] detected on aws_iam_role.cross_account_event_bus. Trust policy allows Principal 'AWS:*'. Deployment halted.

The False Leads (aka me being an idiot)

First, I assumed IAM eventual consistency was screwing with us. Forced a state refresh, manually triggered aws accessanalyzer start-resource-scan, and the finding came right back.

Second hypothesis: I had a strict Permission Boundary on the role with aws:SourceVpc and aws:SourceIp conditions.…
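To make the TL;DR concrete, here is an added pre-flight check (not the author's pipeline code) that applies the same rule Access Analyzer applied to the role above: a wildcard principal stays "public" when its only condition is a StringLike on aws:PrincipalArn, and stops being public once aws:PrincipalOrgID pins the caller to the org. The two trust policies are constructed samples, the org id is a placeholder, and the set of scoping keys is this example's simplification rather than Access Analyzer's exact rule set.

```python
import json

# Condition keys that pin the caller to a known org/account. Treating these as
# sufficient is this example's simplification, not Access Analyzer's exact rule set.
SCOPING_KEYS = {"aws:principalorgid", "aws:principalaccount", "aws:sourceaccount"}

def _is_wildcard_principal(principal):
    """True for Principal "*" or Principal {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def _has_scoping_condition(condition):
    """True if a condition pins the caller to an org/account with literal values.
    A StringLike on aws:PrincipalArn is ignored on purpose: any account can create
    a role whose name matches the pattern, so it does not restrict who can assume."""
    for pairs in (condition or {}).values():
        for key, values in pairs.items():
            if key.lower() not in SCOPING_KEYS:
                continue
            values = values if isinstance(values, list) else [values]
            if all("*" not in v and "?" not in v for v in values):
                return True
    return False

def public_trust_statements(trust_policy_json):
    """Return Sids of Allow statements a pre-flight gate should flag as public."""
    statements = json.loads(trust_policy_json)["Statement"]
    statements = statements if isinstance(statements, list) else [statements]
    return [stmt.get("Sid", "<no Sid>") for stmt in statements
            if stmt.get("Effect") == "Allow"
            and _is_wildcard_principal(stmt.get("Principal"))
            and not _has_scoping_condition(stmt.get("Condition"))]

# Constructed sample policies; the org id is a placeholder, not a real one.
BROKEN_TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "CrossAccountEventBus", "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "*"},
    "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/event-bus-*"}}}]})
FIXED_TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "CrossAccountEventBus", "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "*"},
    "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-placeholder123"}}}]})

if __name__ == "__main__":
    print("broken:", public_trust_statements(BROKEN_TRUST_POLICY))  # ['CrossAccountEventBus']
    print("fixed:", public_trust_statements(FIXED_TRUST_POLICY))    # []
```

Running this in the Terraform validation stage, against the rendered trust policy JSON, surfaces the finding before Access Analyzer does and makes the PrincipalOrgID fix verifiable in the same pipeline.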