VIGIL enforces AWS access reviews instead of just logging them
An open-source tool that closes the gap between access recertification and actual enforcement, using scoped IAM changes and a hash-chained audit trail to make decisions stick. The Answer Up Front…
An open-source tool that closes the gap between access recertification and actual enforcement, using scoped IAM changes and a hash-chained audit trail to make decisions stick.
The Answer Up Front
VIGIL is for AWS-heavy teams who are frustrated with compliance tools that only produce attestations, not actual permission changes. If you have the engineering capacity to deploy and manage a serverless application and want a free, auditable way to enforce access reviews, this is a strong contender. Skip it if you need a polished, turnkey SaaS product with a rich UI and dedicated support. The bottom line: VIGIL trades the convenience of a commercial tool for the rigor of enforced, auditable security changes, directly addressing the common failure mode of access reviews.
Methodology
This is a v0 review based on the author's technical blog post and the associated public code repository. Independent benchmarks and long-term workflow analysis are pending.
- Tool: VIGIL
- Version: As of June 2026
- Date Observed: June 29, 2026
- Source Signal: "I built an AWS access recertification engine that actually enforces the decision" on dev.to, which links to the official GitHub repository at
https://github.com/aws-samples/sample-identity-recertification-vigil.
This review covers the tool's stated architecture, core features, and intended workflow as described by its creator, Paramanand Mallik. The presence of an AWS SAM template and source code in an official aws-samples repository lends high credibility to the architectural claims. What is not covered is the operational cost at scale, the user experience of its REST API, or the difficulty of extending the tool with new connectors.
What It Does
VIGIL is a self-hosted, serverless engine designed to discover, review, enforce, and audit AWS resource access. Its workflow is built around making the review decision and the enforcement action a single, atomic step.
Discovers and queues reviews
The engine discovers resources based on an owner tag. It then determines which principals (users or roles) have access to each resource and initiates a review process with the designated owner. This automates the tedious, manual process of figuring out who has access to what before a review can even begin.
Enforces decisions with scoped changes
This is the core feature. When an owner decides to revoke or trim access, VIGIL applies that change to the live AWS resource. Crucially, it avoids broad, destructive changes. Instead of detaching a principal's entire policy, it modifies the specific resource policy (like an S3 bucket policy) to remove just that principal. If the access comes from an identity-based policy, it adds a resource-scoped explicit Deny statement, which safely overrides the access without affecting the principal's permissions for other resources.
Uses SQS for durable execution
Enforcement actions are not synchronous API calls. When a decision is made, the engine validates it and places a message on an SQS queue. A separate, idempotent worker function processes the queue, with built-in retries and a dead-letter queue for failed actions. This architecture ensures that the API remains responsive and that enforcement actions are not lost due to transient failures.
Creates a tamper-evident audit trail
Every decision and enforcement action is recorded in an append-only log. Each new record is hash-linked to the previous one, creating a verifiable chain of events. The author notes this trail can be mirrored to an S3 bucket with Object Lock (WORM) enabled, providing a high-assurance audit log that can be presented to auditors to prove not only that a review occurred, but that its outcome was enforced.
What's Interesting / What's Not
The most interesting aspect of VIGIL is its founding premise: access attestation without enforcement is security theater. The tool is an opinionated implementation of that idea. The decision to use scoped denies instead of modifying shared IAM policies shows a mature understanding of AWS security operations, where avoiding accidental over-revocation is critical. This is a tool built by a practitioner to solve a practitioner's problem.
The hash-chained audit trail with optional WORM storage is also a significant feature. It directly addresses the needs of teams undergoing compliance audits like SOC 2 or ISO 27001, where proving the integrity of evidence is paramount.
What's less compelling, or rather, what defines its niche, is the operational model. As a self-hosted serverless application, the user is responsible for deployment, monitoring, and the underlying AWS costs. While the serverless architecture should keep costs low, it's not zero-ops. The lack of a built-in UI (it exposes a REST API) means it's best suited for teams comfortable with API-first workflows or those willing to build a simple front-end for their compliance managers.
Pricing
As of June 2026, VIGIL is open-source and available under the MIT-0 License. There is no license cost to use the software. Users are responsible for the costs of the AWS services it consumes, which include Lambda, SQS, DynamoDB, Cognito, SES, and API Gateway. These costs will vary with usage but are generally low for serverless components.
Verdict
VIGIL is a well-architected solution to a real-world security compliance gap. For engineering-led teams that manage their own infrastructure and prefer auditable, open-source tools, it is an excellent choice. It provides a robust framework for enforcing the principle of least privilege that is superior to manual processes or attestation-only tools. However, teams without the resources to deploy and maintain an AWS application, or those who require a polished graphical interface for non-technical users, should look to commercial SaaS alternatives. VIGIL is a pick for the former and a skip for the latter.
What We'd Test Next
A v2 review would require deploying VIGIL into a test AWS account. We would first measure the baseline monthly cost for a small organization with a few dozen resources under management. Next, we would test the extensibility claim by attempting to write a new connector for a service like Amazon RDS or AWS Secrets Manager, evaluating the clarity of the developer guide. Finally, we would execute a complex revocation and then test the rollback functionality to verify its effectiveness in a real-world recovery scenario.
The investor read
VIGIL itself is not an investable company; it's an open-source project hosted in an official AWS samples repository. The signal for investors is the market gap it highlights. There is a clear and growing demand from technically sophisticated customers for compliance tools that enforce security policies, not just document them. This validates the product thesis for a commercial entity to build a polished, managed SaaS offering on the same principles: scoped enforcement, durable execution, and tamper-evident audit trails. A startup that can offer the rigor of VIGIL with the usability of a modern SaaS platform would be well-positioned to capture market share from legacy governance, risk, and compliance (GRC) vendors who focus on attestation.
Pull quote: “The most interesting aspect of VIGIL is its founding premise: access attestation without enforcement is security theater.”
Every claim ties to a primary source. See our methodology.