Original publication: View on Sweetcode (Archived)
By: Wendy Segura
3 years ago · In Application Development · aws
Checking your AWS account to see how many IAM (Identity and Access Management) users you have is a great and very simple way to get started with auditing.
You will be able to check if these users are following security best practices, such as having Multi-Factor Authentication set up for their account, the last time they changed their password, and when they last rotated their access key.
Let us suppose that everyone in the company had access to the AWS account. Even if their job description did not require any type of access, this would make the account vulnerable and create a less secure environment.
Auditing IAM users and confirming that each one actually needs the access granted to perform their tasks is a start to not only practicing better security, but also enforcing IAM best practices. One of the core principles of AWS security is the Principle of Least Privilege.
To read more on IAM best practices, see: IAM Best Practices
A great first step is generating a summary report of your account using the AWS CLI:
aws iam get-account-summary
Example output:
{
    "SummaryMap": {
        "Users": 27,
        "Groups": 7,
        "Roles": 3,
        "MFADevices": 3,
        "MFADevicesInUse": 1,
        "AccountMFAEnabled": 1
    }
}
For deeper insight, generate a credential report to review user-level details.
aws iam generate-credential-report
Download the report:
aws iam get-credential-report --output text --query Content | base64 -D > report.txt
The Content field is base64-encoded, so it is decoded before being written out. Note that -D is the macOS/BSD flag; on GNU/Linux use base64 -d (or --decode). Use > rather than >> so that rerunning the command replaces the file instead of appending a second copy of the report.
The decoded report is a CSV file with one row per user (including <root_account>). Its header row includes the following columns (the real report carries additional ones, such as access-key last-used dates):
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active
Timestamps are ISO 8601; fields that do not apply hold placeholder strings such as N/A, no_information or not_supported.
This report allows you to determine whether users are still active employees and whether credentials need to be rotated or removed.
Audits should be performed regularly, especially after organizational changes such as employee departures or suspected unauthorized access.
You can also automate IAM audits using AWS Lambda on a scheduled basis to ensure ongoing compliance with security best practices.
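The following script is an added example written for this article; it is not code from the original post or from AWS. It parses a credential report in the CSV layout shown above and applies the checks the post describes (console users without MFA, passwords older than a rotation window, console users who have not signed in recently, and active access keys that have not been rotated), then wraps the same logic in a Lambda-style handler for the scheduled audit mentioned in the last paragraph. The sample report embedded in it is constructed, the user names and account ID are placeholders, and the 90-day thresholds are assumptions you would adjust to your own policy. The handler's boto3 calls (generate_credential_report, get_credential_report) are the real IAM API operations, but the module only imports boto3 inside the handler so that everything else runs offline.

```python
"""Audit an IAM credential report (CSV) for the checks the post describes.
Example code written for this article, not AWS's or the original post's.
The sample report below is constructed; real reports contain more columns,
which csv.DictReader simply ignores."""
import csv
import io
import time
from datetime import datetime, timedelta, timezone

# Constructed sample in the credential-report CSV layout (subset of columns).
# Account ID 123456789012 and the user names are placeholders.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2019-02-01T09:00:00+00:00,not_supported,2021-12-01T08:00:00+00:00,not_supported,not_supported,true,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2020-05-04T10:00:00+00:00,true,2022-01-10T14:20:00+00:00,2021-12-20T09:00:00+00:00,2022-03-20T09:00:00+00:00,true,true,2021-12-01T09:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2019-08-12T10:00:00+00:00,true,2021-06-01T11:00:00+00:00,2021-01-15T09:00:00+00:00,2021-04-15T09:00:00+00:00,false,true,2020-11-01T09:00:00+00:00,false,N/A
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,2021-03-03T10:00:00+00:00,false,N/A,N/A,N/A,false,true,2021-12-30T09:00:00+00:00,true,2021-08-01T09:00:00+00:00
"""

# Fixed "current time" for the constructed sample so results are reproducible.
SAMPLE_NOW = datetime(2022, 1, 15, tzinfo=timezone.utc)

# Placeholder strings AWS uses when a field does not apply or is unknown.
NO_DATE = {"N/A", "no_information", "not_supported"}


def parse_ts(value):
    """Return an aware datetime, or None for the AWS placeholder strings."""
    if value in NO_DATE:
        return None
    return datetime.fromisoformat(value)


def audit_report(report_csv, now, max_age_days=90, inactive_days=90):
    """Return {user: [finding, ...]} for every user with at least one finding.

    Thresholds (90 days) are assumptions; adjust them to your own policy."""
    max_age = timedelta(days=max_age_days)
    inactive = timedelta(days=inactive_days)
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user_findings = []
        # Console access exists unless password_enabled is explicitly "false"
        # (the root row reports "not_supported" but still has a password).
        has_console = row["password_enabled"] != "false"
        if has_console and row["mfa_active"] != "true":
            user_findings.append("no_mfa")
        if has_console:
            changed = parse_ts(row["password_last_changed"])
            if changed is not None and now - changed > max_age:
                user_findings.append("stale_password")
            # Never used, or not used within the window: candidate for removal.
            last_used = parse_ts(row["password_last_used"])
            if last_used is None or now - last_used > inactive:
                user_findings.append("inactive_console_user")
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > max_age:
                user_findings.append(f"stale_access_key_{n}")
        if user_findings:
            findings[row["user"]] = user_findings
    return findings


def audit_sample():
    """Run the audit over the constructed sample at the fixed sample time."""
    return audit_report(SAMPLE_REPORT, SAMPLE_NOW)


def lambda_handler(event, context):
    """Scheduled entry point: fetch the live report with boto3 and audit it.
    boto3 is imported here only, so the rest of the module runs offline."""
    import boto3  # present in the Lambda runtime; not needed for the sample
    iam = boto3.client("iam")
    # Report generation is asynchronous; poll until the State is COMPLETE.
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    content = iam.get_credential_report()["Content"]  # bytes holding the CSV
    return audit_report(content.decode("utf-8"), datetime.now(timezone.utc))


if __name__ == "__main__":
    for user, items in sorted(audit_sample().items()):
        print(f"{user}: {', '.join(items)}")
```

Run locally and the sample yields findings for bob (no MFA, stale password, no console sign-in in the window, unrotated access key 1) and for svc-deploy (unrotated access key 2), while alice and the root account come back clean. Because the handler returns the findings dict, a scheduled Lambda can hand it to whatever notification or ticketing step you already use rather than having the audit logic care about delivery.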