New AWS tool recommends removal of unused permissions

IAM Access Analyzer feature uses automated reasoning to recommend policies that remove unused accesses, helping customers achieve “least privilege”.

AWS Identity and Access Management (IAM) policies provide customers with fine-grained control over who has access to what resources in the Amazon Web Services (AWS) Cloud. This control helps customers enforce the principle of least privilege by granting only the permissions required to perform particular tasks. In practice, however, writing IAM policies that enforce least privilege requires customers to understand what permissions are necessary for their applications to function, which can become challenging when the scale of the applications grows.

To help customers understand what permissions are not necessary, we launched IAM Access Analyzer unused access findings at the 2023 re:Invent conference. IAM Access Analyzer analyzes your AWS accounts to identify unused access and creates a centralized dashboard to report its findings. The findings highlight unused roles and unused access keys and passwords for IAM users. For active IAM roles and users, the findings provide visibility into unused services and actions.

Related content
New IAM Access Analyzer feature uses automated reasoning to ensure that access policies written in the IAM policy language don’t grant unintended access.

To take this service a step further, in June 2024 we launched recommendations to refine unused permissions in Access Analyzer. This feature recommends a refinement of the customer’s original IAM policies that retains the policy structure while removing the unused permissions. The recommendations not only simplify removal of unused permissions but also help customers enact the principle of least privilege for fine-grained permissions.

In this post, we discuss how Access Analyzer policy recommendations suggest policy refinements based on unused permissions, which completes the circle from monitoring overly permissive policies to refining them.

Policy recommendation in practice

Let's dive into an example to see how policy recommendation works. Suppose you have the following IAM policy attached to an IAM role named MyRole:

{
  "Version": "2012-10-17",
  "Statement": [
   {
      "Effect": "Allow",
      "Action": [
        "lambda:AddPermission",
        "lambda:GetFunctionConfiguration",
        "lambda:UpdateFunctionConfiguration",
        "lambda:UpdateFunctionCode",
        "lambda:CreateFunction",
        "lambda:DeleteFunction",
        "lambda:ListVersionsByFunction",
        "lambda:GetFunction",
        "lambda:Invoke*"
      ],
      "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-lambda"
   },
  {
    "Effect" : "Allow",
    "Action" : [
      "s3:Get*",
      "s3:List*"
    ],
    "Resource" : "*"
  }
 ]
}

The above policy has two policy statements:

  • The first statement allows actions on a function in AWS Lambda, an AWS offering that provides function execution as a service. The allowed actions are specified by listing individual actions as well as via the wildcard string lambda:Invoke*, which permits all actions starting with Invoke in AWS Lambda, such as lambda:InvokeFunction.
  • The second statement allows actions on any Amazon Simple Storage Service (S3) bucket. Actions are specified by two wildcard strings, which indicate that the statement allows actions starting with Get or List in Amazon S3.

Enabling Access Analyzer for unused finding will provide you with a list of findings, each of which details the action-level unused permissions for specific roles. For example, for the role with the above policy attached, if Access Analyzer finds any AWS Lambda or Amazon S3 actions that are allowed but not used, it will display them as unused permissions.

Related content
Amazon Web Services (AWS) is a cloud computing services provider that has made significant investments in applying formal methods to proving correctness of its internal systems and providing assurance of correctness to their end-users. In this paper, we focus on how we built abstractions and eliminated specifications to scale a verification engine for AWS access policies, Zelkova, to be usable by all AWS

The unused permissions define a list of actions that are allowed by the IAM policy but not used by the role. These actions are specific to a namespace, a set of resources that are clustered together and walled off from other namespaces, to improve security. Here is an example in Json format that shows unused permissions found for MyRole with the policy we attached earlier:

[
 {
    "serviceNamespace": "lambda",
    "actions": [
      "UpdateFunctionCode",
      "GetFunction",
      "ListVersionsByFunction",
      "UpdateFunctionConfiguration",
      "CreateFunction",
      "DeleteFunction",
      "GetFunctionConfiguration",
      "AddPermission"
    ]
  },
  {
    "serviceNamespace": "s3",
    "actions": [
        "GetBucketLocation",
        "GetBucketWebsite",
        "GetBucketPolicyStatus",
        "GetAccelerateConfiguration",
        "GetBucketPolicy",
        "GetBucketRequestPayment",
        "GetReplicationConfiguration",
        "GetBucketLogging",
        "GetBucketObjectLockConfiguration",
        "GetBucketNotification",
        "GetLifecycleConfiguration",
        "GetAnalyticsConfiguration",
        "GetBucketCORS",
        "GetInventoryConfiguration",
        "GetBucketPublicAccessBlock",
        "GetEncryptionConfiguration",
        "GetBucketAcl",
        "GetBucketVersioning",
        "GetBucketOwnershipControls",
        "GetBucketTagging",
        "GetIntelligentTieringConfiguration",
        "GetMetricsConfiguration"
    ]
  }
]

This example shows actions that are not used in AWS Lambda and Amazon S3 but are allowed by the policy we specified earlier.

Related content
Rungta had a promising career with NASA, but decided the stars aligned for her at Amazon.

How could you refine the original policy to remove the unused permissions and achieve least privilege? One option is manual analysis. You might imagine the following process:

  • Find the statements that allow unused permissions;
  • Remove individual actions from those statements by referencing unused permissions.

This process, however, can be error prone when dealing with large policies and long lists of unused permissions. Moreover, when there are wildcard strings in a policy, removing unused permissions from them requires careful investigation of which actions should replace the wildcard strings.

Policy recommendation does this refinement automatically for customers!

The policy below is one that Access Analyzer recommends after removing the unused actions from the policy above (the figure also shows the differences between the original and revised policies):

{
  "Version": "2012-10-17",
  "Statement" : [
   {
      "Effect" : "Allow",
      "Action" : [
-       "lambda:AddPermission",
-       "lambda:GetFunctionConfiguration",
-       "lambda:UpdateFunctionConfiguration",
-       "lambda:UpdateFunctionCode",
-       "lambda:CreateFunction",
-       "lambda:DeleteFunction",
-       "lambda:ListVersionsByFunction",
-       "lambda:GetFunction",
        "lambda:Invoke*"
      ],
      "Resource" : "arn:aws:lambda:us-east-1:123456789012:function:my-lambda"
    },
    {
     "Effect" : "Allow",
     "Action" : [
-      "s3:Get*",
+      "s3:GetAccess*",
+      "s3:GetAccountPublicAccessBlock",
+      "s3:GetDataAccess",
+      "s3:GetJobTagging",
+      "s3:GetMulti*",
+      "s3:GetObject*",
+      "s3:GetStorage*",
       "s3:List*"
     ],
     "Resource" : "*"
   }
  ]
}

Let’s take a look at what’s changed for each policy statement.

For the first statement, policy recommendation removes all individually listed actions (e.g., lambda:AddPermission), since they appear in unused permissions. Because none of the unused permissions starts with lambda:Invoke, the recommendation leaves lambda:Invoke* untouched.

For the second statement, let’s focus on what happens to the wildcard s3:Get*, which appears in the original policy. There are many actions that can start with s3:Get, but only some of them are shown in the unused permissions. Therefore, s3:Get* cannot just be removed from the policy. Instead, the recommended policy replaces s3:Get* with seven actions that can start with s3:Get but are not reported as unused.

Related content
Amazon scientists are on the cutting edge of using math-based logic to provide better network security, access management, and greater reliability.

Some of these actions (e.g., s3:GetJobTagging) are individual ones, whereas others contain wildcards (e.g., s3:GetAccess* and s3:GetObject*). One way to manually replace s3:Get* in the revised policy would be to list all the actions that start with s3:Get except for the unused ones. However, this would result in an unwieldy policy, given that there are more than 50 actions starting with s3:Get.

Instead, policy recommendation identifies ways to use wildcards to collapse multiple actions, outputting actions such as s3:GetAccess* or s3:GetMulti*. Thanks to these wildcards, the recommended policy is succinct but still permits all the actions starting with s3:Get that are not reported as unused.

How do we decide where to place a wildcard in the newly generated wildcard actions? In the next section, we will dive deep on how policy recommendation generalizes actions with wildcards to allow only those actions that do not appear in unused permissions.

A deep dive into how actions are generalized

Policy recommendation is guided by the mathematical principle of “least general generalization” — i.e., finding the least permissive modification of the recommended policy that still allows all the actions allowed by the original policy. This theorem-backed approach guarantees that the modified policy still allows all and only the permissions granted by the original policy that are not reported as unused.

To implement the least-general generalization for unused permissions, we construct a data structure known as a trie, which is a tree each of whose nodes extends a sequence of tokens corresponding to a path through the tree. In our case, the nodes represent prefixes shared among actions, with a special marker for actions reported in unused permissions. By traversing the trie, we find the shortest string of prefixes that does not contain unused actions.

The diagram below shows a simplified trie delineating actions that replace the S3 Get* wildcard from the original policy (we have omitted some actions for clarity):

Access Analyzer trie.png
A trie delineating actions that can replace the Get* wildcard in an IAM policy. Nodes containing unused actions are depicted in orange; the remaining nodes are in green.

At a high level, the trie represents prefixes that are shared by some of the possible actions starting with s3:Get. Its root node represents the prefix Get; child nodes of the root append their prefixes to Get. For example, the node named Multi represents all actions that start with GetMulti.

Related content
Automated reasoning and optimizations specific to CPU microarchitectures improve both performance and assurance of correct implementation.

We say that a node is safe (denoted in green in the diagram) if none of the unused actions start with the prefix corresponding to that node; otherwise, it is unsafe (denoted in orange). For example, the node s3:GetBucket is unsafe because the action s3:GetBucketPolicy is unused. Similarly, the node ss is safe since there are no unused permissions that start with GetAccess.

We want our final policies to contain wildcard actions that correspond only to safe nodes, and we want to include enough safe nodes to permit all used actions. We achieve this by selecting the nodes that correspond to the shortest safe prefixes—i.e., nodes that are themselves safe but whose parents are not. As a result, the recommended policy replaces s3:Get* with the shortest prefixes that do not contain unused permissions, such as s3:GetAccess*, s3:GetMulti* and s3:GetJobTagging.

Together, the shortest safe prefixes form a new policy that, while syntactically similar to the original policy, is the least-general generalization to result from removing the unused actions. In other words, we have not removed more actions than necessary.

You can find how to start using policy recommendation with unused access in Access Analyzer. To learn more about the theoretical foundations powering policy recommendation, be sure to check out our science paper.

Related content

CN, 31, Shanghai
As an Applied Scientist, you will be responsible for bringing new product designs through to manufacturing. You will work closely with multi-disciplinary groups including Product Design, Industrial Design, Hardware Engineering, and Operations, to drive key aspects of engineering of consumer electronics products. In this role, you will use expertise in physical sciences, theoretical, numerical or empirical techniques to create scalable models representing response of physical systems or devices, including: * Applying domain scientific expertise towards developing innovative analysis and tests to study viability of new materials, designs or processes * Working closely with engineering teams to drive validation, optimization and implementation of hardware design or software algorithmic solutions to improve product and customer risks * Establishing scalable, efficient, automated processes to handle large scale design and data analysis * Conducting research into use conditions, materials and analysis techniques * Tracking general business activity including device health in field and providing clear, compelling reports to management on a regular basis * Developing, implementing guidelines to continually optimize design processes * Using simulation tools like LS-DYNA, and Abaqus for analysis and optimization of product design * Using of programming languages like Python and Matlab for analytical/statistical analyses and automation * Demonstrating strong understanding across multiple physical science domains, e.g. structural, thermal, fluid dynamics, and materials * Developing, analyzing and testing structural solutions from concept design, feature development, product architecture, through system validation * Supporting product development and optimization through application of analysis and testing of complex electronic assemblies using advanced simulation and experimentation tools and techniques
IL, Haifa
We are seeking an Applied Scientist to help build Amazon’s next-generation customer memory and personalization systems. Are you interested in building systems that move beyond reacting to customer behavior, to actually understanding and remembering it over time? Our team is building Amazon’s customer memory layer – a system that extracts, curates, and reasons over customer knowledge to power next-generation personalization. This includes transforming noisy, unstructured signals into durable, high-quality representations of customer preferences, intents, and life events, and using them in real time to improve customer experiences. We are part of Amazon’s Personalization organization, a high-performing group that leverages large-scale machine learning, generative AI, and distributed systems to deliver highly relevant customer experiences. We tackle challenging problems at the intersection of information extraction, knowledge representation, LLM reasoning, and recommendation systems. Our systems operate under real-world constraints of scale, latency, and quality, requiring careful tradeoffs between precision, recall, and responsiveness. This team plays a central role in defining how Amazon understands its customers, and how that understanding is applied across the shopping experience. As an Applied Scientist, you will design and build ML and LLM-powered solutions for Amazon's customer memory and personalization systems. You will work on how customer knowledge is extracted, validated, and applied in production systems. You will own the end-to-end delivery of ML solutions, from problem formulation and modeling to offline and online experimentation, and production deployment at scale. You will deliver high-quality, scalable systems that power customer-facing experiences. You will drive work across areas such as fact extraction, memory quality and lifecycle, temporal reasoning, and grounded personalization, while navigating tradeoffs between quality, latency, and coverage. You will collaborate closely with engineering and product teams to translate research into measurable customer impact. Please visit https://www.amazon.science for more information.
US, WA, Seattle
Are you passionate about solving big problems from ground-up? Do you enjoy building new state-of-the-art products at internet scale? Come lead the innovation in this startup team, vertical ad products. This is a green field problem without a known answer or a pattern to follow. We have ambitious vision to simplify full funnel advertising solutions, at scale, with specialized agentic AI-powered models and diversify the demand to strategic verticals including finserv, autos, locals.. etc. We are seeking an experienced Sr Data Scientist to drive innovation in our Ads Foundational Model. In this individual contributor role, you will apply advanced machine learning techniques to improve advertiser performance and customer experience. Key job responsibilities As a Data Scientist on this team, you will: 1. Develop and drive the science strategy for Ads Foundational Model (Ads-FM), aligning it with the program's objectives and overall business goals. 2. Identify high-impact opportunities within Ads-FM program and lead the ideation, planning, and execution of science initiatives to address them. 3. Build and deploy machine learning models using computer vision, natural language processing, and deep learning to evaluate and enhance ad effectiveness. 4. Develop algorithms that extract meaningful signals from image, video, and audio content to predict and improve customer engagement 5. Leverage Amazon's extensive data repository to create predictive models that generate actionable recommendations for more compelling ad creative 6. Collaborate with business leaders and cross-functional teams to implement ML-powered solutions 7. Contribute to the ML roadmap for the Ads-FM program through innovation and research.
US, WA, Seattle
You will build and lead the economics research agenda for measurement, experimentation, and value attribution for Amazon's Devices & Services organization. Your team is the "truth layer" of the Intelligence Core — the shared economics and causal inference capability that serves all Devices product lines, marketing pods, and Finance leadership with causal evidence of what Devices are worth and whether our investments are working. This is not a traditional analytics or measurement role. You will own an active research program in experimentation design — identifying and executing the causal studies that produce the causal inputs for pricing decisions, marketing optimization, and portfolio strategy. Your outputs provide the causal evidence base that L8 peers and senior leadership consume to make billions of dollars in investment decisions across the D&S portfolio. You will also own the economic models that validate and drive execution across the full surface area of marketing spend for devices and services. Key job responsibilities Economic Value: • Downstream value attribution for all Devices product lines — Impact on Prime, subscription lift, consumer spending, advertising value • Alexa+ value isolation and cross-PL attribution • Causal frameworks connecting device sales to Prime acquisition, subscription retention, and ecosystem engagement Marketing Science & Measurement: • Build the marketing science function from scratch • Incrementality measurement for marketing spend across all channels • Attribution methodology, measurement standards, and cross-pod governance • Marketing ROI frameworks for use by category marketers • CCM certification methodology and scenario planning models for optimal investment allocation Experimentation: • Owning the estimation methodology, identification strategies, data inputs/outputs, and refresh cadence • You will build this team's analytics function with AI at its core from day one • Experimentation governance — managing interference across teams, setting standards for causal validity • Evaluation framework for AI agents and autonomous optimization systems
US, WA, Seattle
Innovators wanted! Are you an entrepreneur? A builder? A dreamer? This role is part of an Amazon Special Projects team that takes the company’s Think Big leadership principle to the extreme. We focus on creating entirely new products and services with a goal of positively impacting the lives of our customers. No industries or subject areas are out of bounds. If you’re interested in innovating at scale to address big challenges in the world, this is the team for you. Here at Amazon, we embrace our differences. We are committed to furthering our culture of inclusion. We have thirteen employee-led affinity groups, reaching 40,000 employees in over 190 chapters globally. We are constantly learning through programs that are local, regional, and global. Amazon’s culture of inclusion is reinforced within our 16 Leadership Principles, which remind team members to seek diverse perspectives, learn and be curious, and earn trust. Our team highly values work-life balance, mentorship and career growth. We believe striking the right balance between your personal and professional life is critical to life-long happiness and fulfillment. We care about your career growth and strive to assign projects and offer training that will challenge you to become your best.
IN, KA, Bengaluru
Have you ever wondered how that Amazon box with the smile arrives so quickly, where it came from, and how much it cost Amazon to deliver? The WW Amazon Logistics, Business Analytics team manages the delivery of tens of millions of products every week to Amazon's customers, achieving on-time delivery in a cost-effective manner. We are seeking an enthusiastic, customer-obsessed Manager Research Science with strong analytical skills to join our team. This role is crucial in optimizing Amazon's vast delivery network and will have significant impact on the customer experience, particularly in the final phase of delivery. As a Manager Research Science, you will: 1. Address business challenges through building compelling cases and using data to influence change across the organization 2. Develop input and assumptions based on preexisting models to estimate costs and savings opportunities associated with varying levels of network growth and operations 3. Create metrics to measure business performance, identify root causes and trends, and prescribe action plans 4. Manage multiple high-impact projects simultaneously 5. Work with technology teams and product managers to develop new tools and systems supporting business growth 6. Communicate with and support various internal stakeholders and external audiences 7. Implement scheduling solutions, improve metrics, and develop scalable processes and tools The ideal candidate will have: - Extensive experience in operations research and data-driven decision making - Strong analytical and problem-solving skills - Robust program management and research science skills - Ability to work with a team and make independent decisions in ambiguous environments - Customer-obsessed mindset with a focus on improving the Amazon delivery experience This role offers the autonomy to think strategically and make data-driven decisions from day one. Join us in shaping the future of e-commerce delivery and addressing the core challenges in our world-class operations space! Key job responsibilities 1. Advanced Modeling and Algorithm Development: - Design and implement sophisticated machine learning models for logistics optimization - Develop complex time series forecasting algorithms for demand prediction and resource allocation 2. AI and Machine Learning Integration: - Architect and deploy AI-powered systems to enhance decision-making in logistics operations - Implement deep learning techniques for image recognition in package sorting and handling - Develop reinforcement learning algorithms for adaptive scheduling and resource management 3. Big Data Analytics and Processing: - Design and implement distributed computing solutions for processing massive logistics datasets - Utilize cloud computing platforms (e.g., AWS) for scalable data processing and analysis 4. AI-Driven Workflow Optimization: - Design and implement AI agents for autonomous decision-making in logistics processes - Create machine learning models for customer behavior analysis and personalized delivery options 5. Software Development and System Architecture: - Write efficient, scalable code in languages such as Python, Java, or C++ - Develop and maintain complex software systems for logistics optimization - Stay at the forefront of AI and ML research - Publish research findings in top-tier conferences and journals About the team We are Amazon's Last Mile Science and Analytics team, dedicated to improving e-commerce delivery. We work to optimize our vast network, forecast demand using machine learning, and enhance route efficiency. Our efforts focus on developing innovative delivery methods, applying AI to solve complex problems, and conducting geospatial analysis. We create simulations to refine processes and plan capacity effectively. Operating globally, we strive to develop adaptable solutions for diverse markets. We aim to advance logistics science, continually improving speed, efficiency, and customer satisfaction, in support of Amazon's mission to be Earth's most customer-centric company.
DE, BE, Berlin
As an Applied Scientist II in the Alexa Conversational Modelling Intelligence team within Alexa AI, you will drive model post-training for Large Language Models that power Alexa+. You'll adopt and adapt state-of-the-art techniques — including supervised fine-tuning, RLHF, and preference optimization — running rigorous experiments and translating findings into production-ready solutions that directly improve the customer experience for millions of users worldwide. You will own the full model development cycle from data curation through training, evaluation, and deployment. Your day-to-day will involve developing evaluation methods and metrics, diagnosing model defects, and iterating on recipes to move concrete quality and efficiency benchmarks. You'll write clean, reproducible code, contribute to shared tooling, and collaborate closely with scientists and engineers to bring models from experimentation to scale. You are technically curious, experiment-driven, and motivated by real customer impact. You will also advance the state of the art by publishing at top-tier NLP/ML conferences (ACL, EMNLP, NeurIPS, ICML, ICLR) — contributing to the broader research community while grounding your work in measurable outcomes. Key job responsibilities As an Applied Scientist II in the Alexa Conversational Modelling Intelligence team, you will own the end-to-end model development lifecycle for LLMs that power Alexa+. You'll design and execute training recipes — including supervised fine-tuning, reinforcement learning from human feedback, and preference optimization — iterating rapidly on data, hyperparameters, and architectures to move quality and efficiency metrics. Your work will directly shape how millions of customers interact with Alexa daily. You will build robust evaluation frameworks to measure model performance, diagnose failure modes, and quantify improvements. This includes developing benchmarks, implementing LLM-as-a-judge pipelines, and conducting rigorous defect analysis to identify where models fall short and why. You'll translate these insights into targeted improvements that close gaps in conversational quality, safety, and fluency. You will collaborate closely with research scientists and engineers to bring models from experimentation to production at scale. You'll contribute to shared tooling and infrastructure, write clean and reproducible code, and document your methods so the team can build on your work. You are also expected to advance the state of the art by publishing findings at top-tier NLP/ML venues (ACL, EMNLP, NeurIPS, ICML, ICLR), ensuring your research drives both customer impact and scientific contribution. A day in the life As an Applied Scientist II, your day will involve launching and monitoring training runs, analyzing experiment results, and iterating on model recipes based on evaluation data. You'll participate in science reviews with fellow researchers, sync with engineering partners on deployment readiness, and deep-dive into model outputs to understand behavioral patterns. You'll balance hands-on experimentation with collaborative problem-solving — working across the Alexa AI organization to align model improvements with customer-facing goals and product priorities. About the team The Alexa Conversational Modelling Intelligence team builds industry-leading LLM-based conversational technologies that customers love. Our mission is to push the envelope in LLMs for Alexa to deliver the best-possible customer experience. As an Applied Scientist, you'll contribute directly to that mission through model development and experimentation.
US, CA, Sunnyvale
MULTIPLE POSITIONS AVAILABLE Employer: AMAZON.COM SERVICES LLC Offered Position: Manager III, Economist Job Location: Sunnyvale, California Job Number: AMZ9803624 Position Responsibilities: Independently manage a team of economists and/or scientists in developing strategic economic analyses and demand estimation models. Translate business questions into econometric methodologies and causal inference analyses. Communicate economic insights to non-technical audiences to guide strategic-level, high-impact business decisions. Scale economic models through cross-functional collaboration with engineering teams. Establish scientific quality standards and research priorities. Drive operational efficiency and research excellence across the team. 40 hours / week, 8:00am-5:00pm, Salary Range: $201,300/year to $272,400/year. Amazon is a total compensation company. Dependent on the position offered, equity, sign-on payments, and other forms of compensation may be provided as part of a total compensation package, in addition to a full range of medical, financial, and/or other benefits. For more information, visit: https://www.aboutamazon.com/workplace/employee-benefits. Amazon.com is an Equal Opportunity-Affirmative Action Employer – Minority / Female / Disability / Veteran / Gender Identity / Sexual Orientation.#0000
US, WA, Seattle
Ever wish you could use your quantitative and critical thinking skills to influence business decisions? Economists at Amazon partner closely with senior management, business stakeholders, scientist and engineers, and economist leadership to solve key business problems. As part of the Content Discovery and Experimentation Science team within Prime Video, you will leverage your expertise in causal inference and experimental design to make Prime Video the best-in-class digital video experience. Key job responsibilities - Build causal models and metrics that capture trade-off decisions when business and customer outcomes do not align - Partner with data scientists and product managers to integrate these metrics into Prime Video's experimentation tooling - Work with finance partners to ensure that the team's product metrics contribute to Prime Video's strategic business and financial objectives - Contribute to technical and business documents to communicate ideas and proposals to various audiences - Educate and advocate for best practices in experimentation and how to use it for decision-making
US, TX, Austin
What happens when you combine startup speed with Amazon-scale impact? You get this team. Amazon Enterprise Security Products is a newly launched group building intelligent, cloud-agnostic security tools using AI-first development practices. Here, you build AI and you build with AI at the same time. This role is a chance to define and lead the science strategy for the future of security tooling with a small, fast team that ships like a startup but deploys at Amazon scale. We're looking for a Senior Data Scientist who operates at the intersection of applied ML, agentic AI, and security; and who can set technical direction across ambiguous, undefined problem spaces. You won't just build models; you'll decide which problems are worth solving, architect the scientific approach for an entire product area, and raise the bar for how the team applies science. You'll partner with senior and principal engineers, applied scientists, security researchers, and PMs, and your judgment will shape roadmaps, not just deliverables. This is a role for someone who thrives in ambiguity, influences without authority, and turns "too ambitious" into shipped reality. Key job responsibilities - Set the science direction for a product area: Define the modeling strategy, scientific approach, and success metrics for entire categories of AI-first security capabilities, agentic systems, anomaly detection, threat classification, and automated response across multi-cloud environments. Decide where science can move the needle and where it can't. - Own the hardest, most ambiguous problems: Take on undefined, open-ended challenges where the path isn't clear, the data is messy or scarce, and the stakes are high. Frame the problem, choose the approach, and bring others along. - Build with AI to build AI and define how the team does it: Drive adoption of agentic coding tools, LLM-powered workflows, and experimental AI tooling across the science org. Establish the practices that multiply velocity for every scientist, not just yourself. - Architect agentic intelligence: Lead the design of models, embeddings, RAG pipelines, evaluation frameworks, and feedback loops that make multi-agent security systems smart, safe, and customer-ready at scale. Own the science architecture decisions others build on. - Drive technical strategy across teams: Influence roadmaps, dive deep with senior and principal scientists and engineers, and align cross-functional partners around a shared scientific vision. Your recommendations shape what the team invests in next. - Prototype, validate, and scale: Turn ambiguous hypotheses into prototypes in days, validate with real customer signal, and chart the path from prototype to production system that runs reliably at Amazon scale. - Communicate to influence at the executive level: Translate complex modeling results and scientific trade-offs into clear recommendations for engineers, product leaders, and senior executives. Drive organizational decisions with data and earn trust across the company. - Raise the bar and grow others: Mentor data scientists and applied scientists, lead technical and science reviews, and champion AI-first development practices. Shape the science culture and hiring bar of a fast-growing team from the ground floor. A day in the life No two days look the same on this fast-growing, AI-first team. You might start your morning setting direction in a roadmap review; making the call on which science investments will have the biggest customer impact and then dive into architecting an evaluation framework that the whole team will build on. Before lunch, you're pair-prompting with an agentic coding assistant to validate a new approach, then unblocking a teammate stuck on a thorny modeling problem. In the afternoon, you lead a design session with senior and principal scientists and engineers, then distill it into a crisp recommendation for senior leadership. You own ambiguous problems end to end, define how the team works, and see your decisions ripple across the product. This is where builders who want to lead with science come to do their best work. About the team Why AWS? Amazon Web Services (AWS) is the world’s most comprehensive and broadly adopted cloud platform. We pioneered cloud computing and never stopped innovating — that’s why customers from the most successful startups to Global 500 companies trust our robust suite of products and services to power their businesses. Inclusive Team Culture Here at AWS, it’s in our nature to learn and be curious. Our employee-led affinity groups foster a culture of inclusion that empower us to be proud of our differences. Ongoing events and learning experiences, including our Conversations on Race and Ethnicity (CORE) and AmazeCon conferences, inspire us to never stop embracing our uniqueness. Mentorship & Career Growth We’re continuously raising our performance bar as we strive to become Earth’s Best Employer. That’s why you’ll find endless knowledge-sharing, mentorship and other career-advancing resources here to help you develop into a better-rounded professional. Work/Life Balance We value work-life harmony. Achieving success at work should never come at the expense of sacrifices at home, which is why we strive for flexibility as part of our working culture. When we feel supported in the workplace and at home, there’s nothing we can’t achieve in the cloud. Hybrid Work We value innovation and recognize this sometimes requires uninterrupted time to focus on a build. We also value in-person collaboration and time spent face-to-face. Our team affords employees options to work in the office every day or in a flexible, hybrid work model near one of our U.S. Amazon offices.