Inquiry Regarding Optimal Solution for Auditing Inactive IAM Users Across Multiple AWS Accounts

0

We are operating over 30 AWS accounts, each representing a separate environment. I access these accounts via switch roles.

As part of our internal audit process, we are reviewing IAM users whose last login dates exceed six months. While I understand that login activity can be viewed from the AWS Console, I would like to ask:

What is the most efficient and scalable solution for auditing inactive IAM users across multiple AWS accounts? Is there a specific benefit to using Access Analyzer for this purpose, even though login data is already visible in the Console? Any guidance or best practices for managing this type of cross-account IAM user audit would be greatly appreciated.

1 Answer
0

Hello.

How about using AWS Config's "iam-user-unused-credentials-check"?
Using this, I think it's possible to find IAM users that haven't been used for 30 days.
Also, AWS Config can be used in combination with AWS Organizations, so it's probably possible to find IAM users that aren't being used across multiple accounts.
https://docs.aws.amazon.com/config/latest/developerguide/iam-user-unused-credentials-check.html

IAM Access Analyzer may also be able to find unused IAM users.
https://aws.amazon.com/jp/blogs/aws/iam-access-analyzer-updates-find-unused-access-check-policies-before-deployment/

EXPERT
answered a year ago
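As an added example (not part of the question or the answer above), the following boto3 script does the audit the question asks for programmatically: it switches into each account with STS AssumeRole, pulls that account's IAM credential report, and flags users with no console sign-in or access-key use in the last 180 days. The account IDs, the cross-account role name and the sample report rows are assumptions; only the `find_inactive_users` parsing runs offline.

```python
import csv
import time
from datetime import datetime, timedelta, timezone

# Credential-report columns that record when a user last did anything.
ACTIVITY_COLUMNS = ("password_last_used", "access_key_1_last_used_date", "access_key_2_last_used_date")

# Constructed sample in the credential-report CSV layout (real reports carry more columns).
SAMPLE_REPORT = """user,arn,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::111111111111:root,not_supported,2025-01-05T09:00:00+00:00,false,N/A,false,N/A
alice,arn:aws:iam::111111111111:user/alice,true,2025-05-20T08:12:00+00:00,false,N/A,false,N/A
bob,arn:aws:iam::111111111111:user/bob,true,2024-10-01T11:00:00+00:00,true,2024-09-15T00:00:00+00:00,false,N/A
svc-deploy,arn:aws:iam::111111111111:user/svc-deploy,false,no_information,true,2025-05-30T06:00:00+00:00,false,N/A
carol,arn:aws:iam::111111111111:user/carol,true,no_information,false,N/A,false,N/A
"""

def parse_timestamp(value):
    # N/A, no_information and not_supported all mean "no recorded activity".
    if not value or not value[0].isdigit():
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def find_inactive_users(report_csv, now, max_age_days=180):
    """Usernames whose newest console or access-key activity is older than max_age_days, or absent."""
    cutoff = now - timedelta(days=max_age_days)
    inactive = []
    for row in csv.DictReader(report_csv.splitlines()):
        if row["user"] == "<root_account>":
            continue  # root is not an IAM user; review it separately
        seen = [t for c in ACTIVITY_COLUMNS if (t := parse_timestamp(row.get(c, "")))]
        if not seen or max(seen) < cutoff:
            inactive.append(row["user"])
    return inactive

def audit_accounts(account_ids, role_name, now, max_age_days=180):
    """Switch into each account via STS AssumeRole and pull its credential report (live API calls)."""
    import boto3  # imported here so the offline parsing above runs without boto3 installed
    sts = boto3.client("sts")
    results = {}
    for account_id in account_ids:  # role_name is the assumed cross-account (switch) role
        creds = sts.assume_role(RoleArn=f"arn:aws:iam::{account_id}:role/{role_name}",
                                RoleSessionName="inactive-user-audit")["Credentials"]
        iam = boto3.Session(aws_access_key_id=creds["AccessKeyId"],
                            aws_secret_access_key=creds["SecretAccessKey"],
                            aws_session_token=creds["SessionToken"]).client("iam")
        while iam.generate_credential_report()["State"] != "COMPLETE":
            time.sleep(2)  # report generation is asynchronous
        report = iam.get_credential_report()["Content"].decode()
        results[account_id] = find_inactive_users(report, now, max_age_days)
    return results
```

On the constructed sample with `now` = 2025-06-01 the inactive users are bob and carol; the role in every account needs `iam:GenerateCredentialReport` and `iam:GetCredentialReport`.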
