Monitor custom IAM users in AWS organization

Kaustav Chakraborty
3 min read · Jun 26, 2022


Managing AWS accounts is one of the hardest jobs handled by the Platform / Security team of any organization. While maintaining availability and security, it is very important to monitor who is getting access to your AWS accounts.

Sample AWS Organization structure

Let’s assume the CTO of PlatformSecurityTech (an imaginary IT company) asked their Platform team to create a few accounts for their product offerings. Right after the request, the team set up 3 different accounts as per the above diagram and handed them over to the company. To keep access under control, the team went ahead with AWS SSO to securely manage its users.

Since users of Account A and Account B had unrestricted permissions, a bunch of IAM users were created for their day-to-day needs (possibly due to a lack of understanding of programmatic access through SSO). Some of them had not even been used for months 🤔. It was getting difficult to keep track of these IAM users, so the team decided to perform a bi-weekly audit of the existing IAM users in the different accounts and monitor them afterwards.

It’s easy if you have one or two accounts to monitor. But in the real world there are many of them, and going through each one is not only tiring but also heavily time consuming. To make monitoring those IAM users productive and seamless, they decided to go ahead with Advanced Query in AWS Config.

They therefore restructured the organization as shown below:

Revised structure with Delegated Admin

Here, they came up with another AWS account called Delegated Admin, which handles all the administrative work (it is not the root/management account). Due to its nature, this new account is connected to all other accounts and is able to fetch data from and perform specific activities in those accounts. Assuming AWS Config is configured in the new account, you now get full visibility into the activity of all your accounts. Now, to check the existing IAM users:

AWS Config dashboard

Go to the AWS Config dashboard, where you will find a sidebar similar to the one shown. Now open Advanced Query from the sidebar.

AWS Config — Advanced Query dashboard

You will see a page similar to the one above, which may be pre-populated with a few queries from the conformance pack the team had configured. Click New query and add the query below in the query editor (the SELECT list names the columns to return; the WHERE clause is what restricts the result to IAM users).

```sql
SELECT resourceId, resourceName, accountId, awsRegion, resourceCreationTime
WHERE resourceType = 'AWS::IAM::User'
```

AWS Config — Advanced Query Editor

Running this query lists the IAM users present across the AWS organization, along with the other columns named in the SELECT clause. Once the team has collected the data from their audits, they can contact the creators of those IAM users to confirm whether they are still needed and make corrections accordingly. The data can be exported to any shareable format for regular updates.
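To run the same audit on a schedule rather than from the console, the query can be issued through the AWS Config API against the organization aggregator and the rows triaged in code. The script below is an added example, not part of the original post: the aggregator name, the sample rows and the 90-day review threshold are assumptions, and the boto3 call is kept separate from the offline parse/triage logic.

```python
"""Run the post's IAM-user advanced query through AWS Config and triage the rows."""
import json
from datetime import datetime, timedelta, timezone

# Same query as in the post; these are standard AWS Config advanced-query fields.
IAM_USER_QUERY = (
    "SELECT resourceId, resourceName, accountId, awsRegion, resourceCreationTime "
    "WHERE resourceType = 'AWS::IAM::User'"
)

def fetch_iam_users(aggregator_name: str) -> list:
    """Page through the aggregator query from the Delegated Admin account (needs boto3 + credentials)."""
    import boto3  # imported lazily so parse_results/stale_users work without AWS access
    config = boto3.client("config")
    rows, token = [], None
    while True:
        kwargs = {"ConfigurationAggregatorName": aggregator_name, "Expression": IAM_USER_QUERY}
        if token:
            kwargs["NextToken"] = token
        resp = config.select_aggregate_resource_config(**kwargs)
        rows.extend(parse_results(resp.get("Results", [])))
        token = resp.get("NextToken")
        if not token:
            return rows

def parse_results(results: list) -> list:
    """Advanced queries return each result row as a JSON string; decode them into dicts."""
    return [json.loads(r) for r in results]

def stale_users(rows: list, now: datetime, max_age_days: int = 90) -> dict:
    """Group users by account and flag those older than max_age_days for the bi-weekly review."""
    cutoff = now - timedelta(days=max_age_days)
    report = {}
    for row in rows:
        created = datetime.fromisoformat(row["resourceCreationTime"].replace("Z", "+00:00"))
        entry = {"user": row["resourceName"], "created": created.date().isoformat(),
                 "review": created < cutoff}
        report.setdefault(row["accountId"], []).append(entry)
    return report

# Constructed sample rows in the shape the API returns (not real account IDs or users).
SAMPLE_RESULTS = [
    json.dumps({"resourceId": "AIDAEXAMPLE1", "resourceName": "ci-deploy", "accountId": "111111111111",
                "awsRegion": "global", "resourceCreationTime": "2021-11-02T09:15:00.000Z"}),
    json.dumps({"resourceId": "AIDAEXAMPLE2", "resourceName": "analyst-temp", "accountId": "222222222222",
                "awsRegion": "global", "resourceCreationTime": "2022-06-10T12:00:00.000Z"}),
]

def sample_report() -> dict:
    """Triage the constructed rows as of the post's publication date."""
    return stale_users(parse_results(SAMPLE_RESULTS), datetime(2022, 6, 26, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(json.dumps(sample_report(), indent=2))
```

Replace `sample_report()` with `stale_users(fetch_iam_users("my-org-aggregator"), datetime.now(timezone.utc))` to run it against a real aggregator; the per-account grouping maps directly onto "contact the creator" follow-ups.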
