{"id":"iam-authorization-paths-each-have-distinct-bypass-vectors","text":"IAM's multiple authorization evaluation paths (identity-based, resource-based, session, boundary) each have unique bypass mechanisms — resource policies bypass boundaries via user ARNs, PassRole bypasses CloudTrail visibility, and cross-account requires dual explicit controls — making single-path hardening insufficient.","truth_value":"IN","source":"","source_url":"","source_hash":"","justifications":[],"dependents":[],"metadata":{},"explanation":{"steps":[{"node":"iam-authorization-paths-each-have-distinct-bypass-vectors","truth_value":"IN","reason":"premise"}]}}