IAM Security Audit

Security

Review and secure your AWS access controls

💵 Cost: IAM is completely FREE. You can create unlimited users, roles, policies, and groups at no cost. IAM Access Analyzer is also free. Security Hub has a 30-day free trial, then charges per check.

Why Audit IAM?

IAM (Identity and Access Management) controls who can do what in your AWS account. A misconfigured IAM policy can expose your entire infrastructure. Regular audits ensure you follow the principle of least privilege.

Security First

Most AWS breaches occur due to compromised credentials or overly permissive IAM policies. Treat IAM security as your first line of defense.

IAM Audit Checklist

1. Review IAM Users: check for unused users, users without MFA, and users with console access who should not have it.

2. Audit Access Keys: find and rotate old access keys. Delete keys that have not been used in 90+ days.

3. Check IAM Policies: look for overly permissive policies like AdministratorAccess on non-admin users.

4. Review IAM Roles: ensure roles follow least privilege. Check trust relationships for cross-account access.

5. Enable CloudTrail: ensure all API calls are logged for security audit purposes.

Terminal
$ aws iam generate-credential-report && aws iam get-credential-report --query Content --output text | base64 --decode
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date
admin,arn:aws:iam::123456789:user/admin,2024-01-01,true,2024-01-15,true,false,N/A
old-developer,arn:aws:iam::123456789:user/old-developer,2023-06-01,true,2023-09-15,false,true,2023-10-01

Red Flags

  • mfa_active: false - user has no MFA enabled
  • password_last_used: N/A or an old date - potentially unused user
  • access_key_1_last_used_date: N/A - active access key that has never been used
Bash
# List access keys created before a 90-day cutoff.
# GNU date shown; on macOS use: date -u -v-90d +%Y-%m-%d
cutoff=$(date -u -d '90 days ago' +%Y-%m-%d)
# --output text prints the user names tab-separated on one line, so split them first
aws iam list-users --query 'Users[*].UserName' --output text | tr '\t' '\n' | while read -r user; do
  echo "User: $user"
  # CreateDate is an ISO 8601 string, so a string comparison against YYYY-MM-DD works
  aws iam list-access-keys --user-name "$user" --query "AccessKeyMetadata[?CreateDate<\`$cutoff\`]"
done
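Added here as an example (not code from the original guide): a shell audit that runs the credential report through the checks from checklist items 1 and 2 and the red flags above, looking columns up by header name so it works with the trimmed sample shown as well as the full report from `aws iam get-credential-report`. The sample report, the 2023-10-17 cutoff and the account id 123456789012 are constructed.

```shell
#!/usr/bin/env sh
# Flags the red-flag rows of an IAM credential report read on stdin.
# Columns are looked up by header name, so the full report returned by
# `aws iam get-credential-report` and the trimmed sample above both work.
audit_credential_report() {
  # $1 = YYYY-MM-DD cutoff; anything last used or rotated before it is stale
  awk -F',' -v cutoff="$1" '
    function has(name)  { return (name in col) }
    function val(name)  { return has(name) ? $(col[name]) : "" }
    function stale(v)   { return v == "N/A" || v == "no_information" || substr(v, 1, 10) < cutoff }
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }   # header -> column index
    {
      user = $1
      if (val("password_enabled") == "true" && val("mfa_active") != "true")
        print user ": console access without MFA"
      if (val("password_enabled") == "true" && stale(val("password_last_used")))
        print user ": console password unused since before " cutoff
      for (k = 1; k <= 2; k++) {
        if (val("access_key_" k "_active") != "true") continue
        rot = "access_key_" k "_last_rotated"; used = "access_key_" k "_last_used_date"
        if (has(rot) && stale(val(rot)))   print user ": access key " k " not rotated since before " cutoff
        if (has(used) && stale(val(used))) print user ": access key " k " unused since before " cutoff
      }
    }'
}

# Live variant: generation is asynchronous, so poll until the report is COMPLETE,
# then audit with a 90-day cutoff (GNU date; on macOS use: date -u -v-90d +%Y-%m-%d).
audit_live_report() {
  until [ "$(aws iam generate-credential-report --query State --output text)" = "COMPLETE" ]; do sleep 2; done
  aws iam get-credential-report --query Content --output text | base64 --decode \
    | audit_credential_report "$(date -u -d '90 days ago' +%Y-%m-%d)"
}

# Constructed sample report (not real account data; the account id is a placeholder).
SAMPLE_REPORT=$(cat <<'EOF'
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2022-01-01T00:00:00+00:00,not_supported,2024-01-10T08:00:00+00:00,true,false,N/A,N/A,false,N/A,N/A
admin,arn:aws:iam::123456789012:user/admin,2024-01-01T00:00:00+00:00,true,2024-01-15T09:00:00+00:00,true,false,N/A,N/A,false,N/A,N/A
old-developer,arn:aws:iam::123456789012:user/old-developer,2023-06-01T00:00:00+00:00,true,2023-09-15T00:00:00+00:00,false,true,2023-06-01T00:00:00+00:00,2023-10-01T00:00:00+00:00,false,N/A,N/A
ci-bot,arn:aws:iam::123456789012:user/ci-bot,2023-12-01T00:00:00+00:00,false,N/A,false,true,2023-12-01T00:00:00+00:00,2024-01-14T00:00:00+00:00,true,2023-12-01T00:00:00+00:00,N/A
EOF
)

# Audit the sample as of 2024-01-15 (cutoff = 90 days earlier, 2023-10-17).
sample_findings() { printf '%s\n' "$SAMPLE_REPORT" | audit_credential_report 2023-10-17; }
sample_findings
```

The sample yields five findings: old-developer has console access without MFA, a stale password and an access key that is both unrotated and unused, and ci-bot has an active second key that has never been used; admin and the root row produce nothing.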
Terminal
$ aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
{
    "PolicyGroups": [],
    "PolicyUsers": [
        {
            "UserName": "dev-user-fargate",
            "UserId": "AIDAEXAMPLE"
        }
    ],
    "PolicyRoles": []
}

Only break-glass admin accounts should have AdministratorAccess. Regular users should have specific permissions for their tasks.
