
How do I recreate a deleted IAM user or role with the same policies and permissions?


An AWS Identity and Access Management (IAM) user or role was deleted and I want to recreate it with the same policies and permissions.

Short description

When you use the AWS Management Console to delete an IAM user, IAM automatically deletes resources associated with that user. These resources include any group memberships, passwords, access keys, inline policies, and MFA devices.

When you use the AWS Management Console to delete a user group, IAM automatically deletes or removes resources associated with that group. All group members are removed, managed policies are detached, and all inline policies are deleted.

Resolution

You can't recover deleted IAM users or roles. However, you can use the following AWS services, each covered in its own section below (CloudTrail event history, CloudWatch log groups, Athena, and AWS Config), to view the APIs and resources associated with specific IAM users and groups.

Then, recreate the IAM user or IAM group and reconfigure any associated resources.

Use CloudTrail event history to review deleted IAM users or roles

Use CloudTrail to search event history for the deleted IAM user or role name to get API history for the associated resources.

Note: You can use CloudTrail to search event history for the past 90 days of events.

  1. Open the CloudTrail console.
  2. In the navigation pane, choose Event history.
  3. Choose the Lookup attributes dropdown list, and then choose Resource Name.
  4. In the Enter a lookup value text box, enter the IAM user or role name.
  5. In Event name, choose the IAM user or role name to view the results.

Note: You can also set custom filters for CloudTrail events.

The results might contain the following APIs associated with the deleted IAM user or role:

Use CloudWatch log groups

Use CloudWatch log groups to search API history beyond the last 90 days.

Note: You must have a trail created and configured to log to Amazon CloudWatch log groups. For more information, see Creating a trail with the CloudTrail console.

  1. Open the CloudWatch console.
  2. In the navigation pane, expand Logs, and then choose Log groups.
  3. In Log Group, choose your log group.
  4. From the log groups page, choose Search Log Group.
  5. In Filter events, enter a query to either search for a user's API calls, or specific API actions. Then, choose the refresh icon.
  6. In the log group search output, expand Timestamp to view the API call result details.

Example query to search logs for a user's API calls

Note: Replace Alice with the username for your search query. Enter the IAM user's "friendly name" or the assumed role's "role session name." The role session name for a specific session is the value provided as a session name when the role is assumed. For API calls made by the IAM role, the value for the userName field isn't the role name.

{ $.userIdentity.userName = "Alice" }

Note: You can also analyze log data with CloudWatch Logs Insights. For more information, see How can I retrieve and then analyze my CloudTrail Logs with CloudWatch Logs Insights?

Use Athena to query CloudTrail trail logs to review deleted IAM users or roles

You can use Athena to query CloudTrail logs over the past 90 days. You can also find data events, which you can't view in CloudTrail event history.

Note: To use Athena to query CloudTrail logs, you must have a trail configured to log to an Amazon Simple Storage Service (Amazon S3) bucket.

  1. Open the Athena console, and then choose Launch query editor.
  2. Enter one of the following example queries based on your use case, and then choose Run.

Example query to return all CloudTrail events related to configuration changes applied to specific IAM user

SELECT *
FROM "example-athena-table"
WHERE
eventsource = 'iam.amazonaws.com'
AND requestparameters LIKE '%DeletedIAMUserName%'
AND readonly = 'false'

Example query to return all CloudTrail events related to configuration changes applied to specific IAM role

SELECT *
FROM "example-athena-table"
WHERE
eventsource = 'iam.amazonaws.com'
AND requestparameters LIKE '%DeletedIAMRoleName%'
AND readonly = 'false'

Note: Replace example-athena-table with your Athena table name (keep the double quotes if the name contains a hyphen), and replace DeletedIAMUserName or DeletedIAMRoleName with the name of your IAM user or role.

You can also use CloudTrail logs to create an Athena table to run queries. For more information, see Query CloudTrail logs.
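After the CloudWatch Logs filter or the Athena queries above have returned the IAM write events for the deleted user, the remaining work is to turn that API history back into the set of policies and group memberships to recreate. The following example is added here and is not code from this AWS article: it replays constructed sample CloudTrail records (placeholder names and ARNs, in the raw CloudTrail JSON shape found in log groups and S3 trail files) and reports the managed policies, inline policies, groups, and the caller that ran DeleteUser, resolving an assumed-role caller to its role name rather than the session name, as the CloudWatch note above describes. The functions `replay_user_events`, the `until` cutoff, and the sample data are this example's own.

```python
import json

def _ev(time, name, actor, params, error=None):
    rec = {"eventTime": time, "eventName": name, "eventSource": "iam.amazonaws.com",
           "userIdentity": actor, "requestParameters": params}
    return {**rec, "errorCode": error} if error else rec

# Constructed sample records with placeholder names and ARNs, deliberately out of order.
ADMIN = {"type": "IAMUser", "userName": "admin-bob"}
ROLE = {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {"userName": "CleanupRole"}}}
INLINE_DOC = '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:ListAllMyBuckets","Resource":"*"}]}'
SAMPLE_EVENTS = [
    _ev("2024-01-10T09:03:00Z", "AddUserToGroup", ADMIN, {"userName": "Alice", "groupName": "developers"}),
    _ev("2024-01-10T09:00:00Z", "CreateUser", ADMIN, {"userName": "Alice"}),
    _ev("2024-01-10T09:01:00Z", "AttachUserPolicy", ADMIN,
        {"userName": "Alice", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}),
    _ev("2024-01-10T09:02:00Z", "PutUserPolicy", ADMIN,
        {"userName": "Alice", "policyName": "list-buckets", "policyDocument": INLINE_DOC}),
    _ev("2024-02-01T11:00:00Z", "AttachUserPolicy", {"type": "IAMUser", "userName": "Alice"},
        {"userName": "Alice", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
        error="AccessDenied"),  # a denied call is still logged but granted nothing
    _ev("2024-03-05T16:20:00Z", "DeleteUser", ROLE, {"userName": "Alice"}),
]

def replay_user_events(events, user_name, until=None):
    """Replay successful IAM write calls aimed at user_name, in time order, stopping at `until`."""
    state = {"managed_policies": set(), "inline_policies": {}, "groups": set(), "deleted_by": None}
    for e in sorted(events, key=lambda x: x["eventTime"]):
        p = e.get("requestParameters") or {}
        # Skip other services, other targets, failed calls, and anything at or after the cutoff.
        if (e.get("eventSource") != "iam.amazonaws.com" or p.get("userName") != user_name
                or "errorCode" in e or (until and e["eventTime"] >= until)):
            continue
        if e["eventName"] == "AttachUserPolicy":
            state["managed_policies"].add(p["policyArn"])
        elif e["eventName"] == "DetachUserPolicy":
            state["managed_policies"].discard(p["policyArn"])
        elif e["eventName"] == "PutUserPolicy":
            state["inline_policies"][p["policyName"]] = json.loads(p["policyDocument"])
        elif e["eventName"] == "DeleteUserPolicy":
            state["inline_policies"].pop(p["policyName"], None)
        elif e["eventName"] == "AddUserToGroup":
            state["groups"].add(p["groupName"])
        elif e["eventName"] == "RemoveUserFromGroup":
            state["groups"].discard(p["groupName"])
        elif e["eventName"] == "DeleteUser":
            who = e["userIdentity"]  # for a role session the role name lives under sessionIssuer
            state["deleted_by"] = (who.get("userName") if who["type"] != "AssumedRole"
                                   else "role/" + who["sessionContext"]["sessionIssuer"]["userName"])
    return state
```

The cleanup that IAM performs when a user is deleted from the console (see Short description) appears in the trail as its own DetachUserPolicy, DeleteUserPolicy, and RemoveUserFromGroup records just before DeleteUser, so pass `until` set to a time just before that cleanup to recover the permissions that were actually in force.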

Use AWS Config to review deleted IAM users or roles

You can view the resources that AWS Config recorded in your AWS account such as deleted IAM users or roles.

  1. Open the AWS Config console.
  2. In the navigation pane, choose Resources.
  3. On the Resource Inventory page, open the Resource type dropdown list.
  4. Choose AWS IAM Role or AWS IAM User.
  5. Turn on the Include deleted resources toggle, and then choose Apply.
  6. From the Resource identifier column, choose the IAM user or role marked as "deleted".
  7. On the Resources page, choose Resource Timeline.
  8. On the Timeline page, review the General details and Events for the deleted IAM user or role.

The AWS Config resources timeline contains details for inline policies, managed policies, and permissions associated with the IAM role or user before deletion. For more information, see Viewing resources referenced with AWS Config.

Related information

Viewing compliance history for your AWS Resources

How do I automatically create tables in Amazon Athena to search through CloudTrail logs?

How can I monitor the account activity of specific IAM users, roles, and AWS access keys?