The Wiz Research team conducted extensive research of permissions provided to 3rd party vendors in cloud environments and the results should be a wake-up call:

  • 82% of companies provide 3rd party vendors highly privileged roles. This is a major risk to sensitive data leakage and may pose both a security risk, as well as serious privacy risk.
  • 76% of companies have 3d party roles that allow for full account takeover. This type of access should be reserved for select and closely monitored roles and never be granted as part of a default setup of a 3rd party vendor.
  • Over 90% of cloud security teams were not aware they gave high permissions to 3rd party vendors.

"In the majority of cases these permissions are there for no reason: the vendor doesn’t actually need them, and the customer team isn’t even aware that they gave them to the vendor. The most common example is the AWS ReadOnlyAccess policy, which is extremely popular amongst 3rd party vendors (a default for 25% of vendors included in our research). Vendors and customers believe it’s a harmless policy, but instead it provides wide read access to many of your databases, DynamoDB, S3 buckets, SQS queues, and more. Wondering why any vendor would need permissions this broad? Well, they don’t," says Shir Tamari, Head of Research.

This is specially important in the aftermath of the SolarWinds attack and the Mimecast certificate breach. "Security teams need to focus on “Minimizing the risk of 3rd parties in your cloud environment”, because it provides room for a supply chain attack and can even lead to compliance risks. Reducing the permissions provided to 3rd parties is an immediate call to action for the industry and a shared responsibility between customers and vendors alike. Customers should be proactive and scrutinize every requested permission, while vendors should understand that “Less is More”. Less permissions means less liability, whereas too many permissions could mean they’re next in line to becoming a target for adversaries," Tamari says. 

Overall, the results should be a call for action, as the number of security incidents related to supply chain attacks continue to increase. 

For the full report and other findings, please visit