Tags: amazon-web-services, security, cloud, reporting

How to understand all AWS IAM privileges given to users


I am looking for a solution (AWS native or third-party) to help me figure out "who can access what" in a large AWS organisation with several accounts. I know how to navigate through the console, but I find it quite complicated to understand which privileges each user has, especially when users are allowed to assume roles.

For example:

  • User A belongs to Group A
  • Being in Group A gives User A access to Policy A which allows User A to assume into Role B
  • And so on so forth (several hops)

How can a large regulated company that uses AWS understand how privileges are given?


Solution

  • There is no solution AFAIK which gives you a good overview of the permissions which are granted to a specific user/role. You have to use different approaches to gather this information manually (e.g. by scripting via the AWS CLI).

    You could script a solution yourself by using the IAM Access Advisor APIs. AWS describes in a blog post [1] how it is possible to determine which services can be accessed by an identity. However, this is pretty useless for your use case since only direct policy evaluation is supported, as stated in [2]:

    This operation does not use other policy types when determining whether a resource could access a service. These other policy types include resource-based policies, access control lists, AWS Organizations policies, IAM permissions boundaries, and AWS STS assume role policies. It only applies permissions policy logic.

    Another approach is to query the Access Advisor using the CLI command aws iam generate-service-last-accessed-details [3] or using the Access Advisor tab in the AWS Management Console [4]. However, this solution does not take into account other policy types (as AWS calls them) either.

    I am not sure why AWS does not provide a command to determine "who can access what" and instead provides a command to determine "who did actually access what". I guess one reason might be that it is straightforward to find out who accessed a particular service by which policy, but it is incredibly hard to determine all services which a user could possibly access.

    If you try to script a solution yourself using the AWS cli, you will see that there are many edge cases, such as roles which might be assumed under certain conditions or roles which might be assumed recursively or resource-based policies etc.

    Maybe AWS will provide a command for what you are looking for someday in the future. Maybe they already did, but its existence is not widespread...
    I know that they are working on a project which is called provable security [5]. It could be related to this topic.

    References

    [1] https://aws.amazon.com/de/blogs/security/automate-analyzing-permissions-using-iam-access-advisor/
    [2] https://docs.aws.amazon.com/cli/latest/reference/iam/list-policies-granting-service-access.html
    [3] https://docs.aws.amazon.com/cli/latest/reference/iam/generate-service-last-accessed-details.html
    [4] https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor-view-data.html
    [5] https://aws.amazon.com/de/security/provable-security/
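A starting point for the scripted approach the answer describes, added here as an example (it is not the answerer's code): it walks the user -> group -> policy -> role -> role policy chain from the question and flags the conditional and recursive assume-role edge cases rather than silently deciding them. The inventory is constructed in memory; populating it from the real account (for instance from the output of aws iam get-account-authorization-details) is assumed, not shown, and trust policies, permissions boundaries and SCPs are still not evaluated.

```python
# Added example, not from the original answer: follow sts:AssumeRole hops through
# an in-memory IAM inventory (constructed here; loading it from the real API is an assumption).
from collections import deque

def assumable_roles(policy_doc):
    """Role ARNs that Allow statements let a principal assume, plus caveats (Deny ignored)."""
    roles, caveats = set(), []
    for stmt in policy_doc.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow":        # Deny statements are not evaluated here
            continue
        if not any(a.lower() in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if "Condition" in stmt:                  # e.g. MFA-only assume: flag it, do not decide it
            caveats.append(f"assume of {resources} is conditional on {list(stmt['Condition'])}")
        roles.update(r for r in resources if r != "*")   # wildcard is left to trust policies
    return roles, caveats

def reachable_roles(user, inv):
    """BFS: user -> group/user policies -> roles -> role policies -> ...; returns ({role: path}, caveats)."""
    policies = list(inv["users"][user]["policies"])
    for group in inv["users"][user]["groups"]:
        policies += inv["groups"][group]["policies"]
    paths, caveats = {}, []
    queue = deque((pol, [user]) for pol in policies)
    while queue:
        pol, path = queue.popleft()
        roles, notes = assumable_roles(inv["policies"][pol])
        caveats += notes
        for role in roles:
            if role in paths:                    # already reached: stops recursive assume loops
                continue
            paths[role] = path + [pol, role]
            for role_pol in inv["roles"].get(role, {}).get("policies", []):
                queue.append((role_pol, paths[role]))
    return paths, caveats
ROLE_B, ROLE_C = "arn:aws:iam::111122223333:role/RoleB", "arn:aws:iam::111122223333:role/RoleC"
INVENTORY = {  # constructed sample mirroring the question, not real account data
    "users": {"UserA": {"groups": ["GroupA"], "policies": []}}, "groups": {"GroupA": {"policies": ["PolicyA"]}},
    "roles": {ROLE_B: {"policies": ["PolicyB"]}, ROLE_C: {"policies": ["PolicyC"]}},
    "policies": {
        "PolicyA": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_B}]},
        "PolicyB": {"Statement": [{"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": [ROLE_C],
                                   "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]},
        "PolicyC": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_B}]},  # loop back
    },
}
```

Calling reachable_roles("UserA", INVENTORY) yields RoleB via PolicyA and RoleC via RoleB's PolicyB, with one caveat recording that the second hop is MFA-conditional; RoleC's policy pointing back at RoleB is visited once and then ignored.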