How can I find unused permissions on IAM Identity Center Users?

0

Hello,

we enabled the Access Analyzer and it is showing results for IAM Users, Roles and unused permissions, but it is not showing users or permission sets from IAM Identity Center. We are logging in via SSO and assuming roles. How can I find unused permissions of these SSO users?

Best regards

2 Answers
1

You can use the AWS Command Line Interface (AWS CLI) and AWS Identity Center APIs to retrieve information about your IAM Identity Center users, permission sets, and their assigned permissions. If you have a large number of users and permission sets, this process can be complex.

  1. aws identitystore-cli list-permission-sets / AWS Identity Center ListPermissionSets API
  2. aws identitystore-cli list-permission-set-assignments / ListPermissionSetAssignments API (for each of the above permission sets)
  3. aws identitystore-cli get-permission-set / GetPermissionSet API
Ashpin
answered a month ago
0

I understand that you are looking to analyze not when someone has used a PermissionSet to get into one of your organization accounts, but you are looking to understand, based on the assigned permissions / policies, which of them are effectively being used and which not. You have to think that in the end what IdC is doing is running the orchestration process for you, deploying roles that you assume in the destination account, so the effective usage of the permissions happens at the destination account and not at the management account level. I know it's hard, but the only way you have to do what you are looking for is to analyze the usage on the destination account with tools like Access Analyzer. So, my suggestion is to configure the IAM Access Analyzer in your accounts, and build a small script to get all those created roles in the destination accounts together and analyze them (you know that the same PermissionSet can manage multiple accounts, so you can find permissions not used in one account but used in another one, so you need to get a unified view for all the accounts where your PermissionSets live).

Hope this helps to give you a better idea.

Best.

AWS
answered a month ago
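The unified view the second answer describes (collect the roles Identity Center provisions in each destination account, then compare Access Analyzer unused-permission findings across accounts), as an added Python example that is not part of this thread or of any AWS tool. It assumes the IAM path and role naming Identity Center uses for provisioned roles, findings shaped like Access Analyzer GetFindingV2 output, and constructed sample findings; the boto3 calls that would fetch real findings per account are left out so it runs offline.

```python
# Added example, not from the thread. Assumes IdC roles are provisioned under
# /aws-reserved/sso.amazonaws.com/[<region>/] as AWSReservedSSO_<PermissionSet>_<hex>
# and that findings mirror Access Analyzer GetFindingV2 output. Sample data is constructed.
import re
from collections import defaultdict

SSO_ROLE = re.compile(
    r"^arn:aws:iam::(?P<account>\d{12}):role/aws-reserved/sso\.amazonaws\.com/"
    r"(?:[a-z0-9-]+/)?AWSReservedSSO_(?P<pset>[\w+=,.@-]+)_[0-9a-f]+$")

def permission_set_of(role_arn):
    """(account_id, permission_set_name) for an IdC-provisioned role, else None."""
    m = SSO_ROLE.match(role_arn)
    return (m["account"], m["pset"]) if m else None

def unified_view(findings, provisioned=None):
    """Per permission set: actions unused in every account (safe to drop from the set)
    vs. unused only in some. provisioned={pset: {account_ids}} (e.g. from
    ListAccountsForProvisionedPermissionSet) makes finding-free accounts count as 'all used'."""
    unused = defaultdict(lambda: defaultdict(set))  # pset -> account -> unused actions
    for f in findings:
        ident = permission_set_of(f["resource"])
        if ident is None:
            continue  # plain IAM role, not an Identity Center one
        account, pset = ident
        acts = unused[pset][account]  # registers the account even with no details
        for d in f.get("findingDetails", []):
            u = d.get("unusedPermissionDetails")
            if u:  # a missing "actions" list means the whole service namespace is unused
                acts.update([a["action"] for a in u.get("actions", [])]
                            or [u["serviceNamespace"] + ":*"])
    view = {}
    for pset, by_acct in unused.items():
        for acct in (provisioned or {}).get(pset, ()):
            by_acct.setdefault(acct, set())  # no findings there => nothing unused
        everywhere = set.intersection(*by_acct.values())
        view[pset] = {"accounts": set(by_acct), "unused_everywhere": everywhere,
                      "unused_somewhere": set.union(*by_acct.values()) - everywhere}
    return view

SAMPLE_FINDINGS = [  # constructed: two accounts share the "PowerUser" permission set
    {"resource": "arn:aws:iam::111111111111:role/aws-reserved/sso.amazonaws.com/"
                 "AWSReservedSSO_PowerUser_0123456789abcdef", "findingDetails": [
        {"unusedPermissionDetails": {"serviceNamespace": "s3", "actions": [
            {"action": "s3:DeleteBucket"}, {"action": "s3:PutBucketPolicy"}]}}]},
    {"resource": "arn:aws:iam::222222222222:role/aws-reserved/sso.amazonaws.com/"
                 "eu-west-1/AWSReservedSSO_PowerUser_fedcba9876543210", "findingDetails": [
        {"unusedPermissionDetails": {"serviceNamespace": "s3", "actions": [{"action": "s3:DeleteBucket"}]}},
        {"unusedPermissionDetails": {"serviceNamespace": "kms"}}]},
    {"resource": "arn:aws:iam::111111111111:role/AppRole", "findingDetails": []}]
```

Only actions in `unused_everywhere` are candidates for removal from the permission set itself; `unused_somewhere` is where one account's clean result would mislead you, which is exactly why the per-account view is not enough.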
