Monitor custom IAM users in an AWS organization
Managing AWS accounts is one of the hardest jobs handled by the Platform or Security team of any organization. While maintaining availability and security, it is very important to monitor who is getting access to the AWS accounts.
Let’s assume the CTO of PlatformSecurityTech (an imaginary IT company) asked their Platform team to create a few accounts for their product offerings. Right after the request, the team went ahead, set up 3 different accounts as per the above diagram and handed them over to the company. To further secure them, the team went ahead with AWS SSO to securely manage its users.
Since the users of Account A and Account B had unrestricted permissions, a bunch of IAM users were created for their day-to-day needs (possibly due to a lack of understanding of programmatic access through SSO). Among them, a few were not even used for months 🤔. It was getting difficult to keep track of the usage of these IAM users. The team decided to perform a bi-weekly audit of the existing IAM users in the different accounts and to monitor them afterwards.
It’s easy if you have only one or two accounts to monitor. But in the real world there are many of them. Going through each of them is not only tiring but also heavily time consuming. To make monitoring those IAM users productive and seamless, they decided to go ahead with Advanced Query in AWS Config.
They therefore restructured the organization as shown below.
Here they added another AWS account called Delegated Admin, which handles all the administrative work (it is a non-root account). Due to its nature, this new account is connected with all the other accounts and has the capability to fetch data and perform specific activities in those accounts. Assuming AWS Config is configured in the new account, you now get full control over observing all of your accounts’ activity. Now, to check the existing IAM users:
Go to https://console.aws.amazon.com/config/ for the AWS Config dashboard, where you will find a sidebar similar to the one shown. Now go to Advanced Query from the sidebar.
You will find a page similar to the one above, which might be pre-populated with a few queries through the conformance pack the team had configured. Click on New query and add the query below in the query editor.
SELECT
accountId,
resourceName,
resourceId,
resourceCreationTime
WHERE
resourceType = 'AWS::IAM::User'
ORDER BY
accountId
Running this query will show the list of IAM users available in the AWS organization, including the other details named in the SELECT clause. Once the team collects the data from their audits, they can contact the creators of those IAM users to confirm the need for them and make the corrections accordingly. One can export the data to any shareable format for frequent updates.
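The same audit can be run from code instead of the console, which makes the bi-weekly export repeatable. The following is an added example and not code from the original article: it sends the article’s query through the AWS Config select_aggregate_resource_config API (following NextToken so that a large organization is read completely), decodes the JSON rows, counts users per account and writes the CSV that gets shared with the account owners. The aggregator name org-aggregator, the account IDs, user names and AIDAEXAMPLE-prefixed resource IDs are constructed placeholders, and _PagedStub is a constructed offline stand-in for the real client, not an AWS API.

```python
"""Run the AWS Config advanced query for IAM users from code, decode the
rows and export them to CSV for the audit.

Added example, not the article's code. Assumes an organization-wide
configuration aggregator exists in the Delegated Admin account; its name
("org-aggregator") is a placeholder.
"""
import csv
import io
import json
from collections import defaultdict

# Same query the article runs in the console. Advanced queries are a SQL
# subset with no FROM clause; the aggregator supplies the data set.
IAM_USER_QUERY = """
SELECT accountId, resourceName, resourceId, resourceCreationTime
WHERE resourceType = 'AWS::IAM::User'
ORDER BY accountId
"""

COLUMNS = ["accountId", "resourceName", "resourceId", "resourceCreationTime"]


def fetch_iam_users(aggregator_name, client=None, query=IAM_USER_QUERY):
    """Page through select_aggregate_resource_config and return every raw row.

    Each element of Results is a JSON-encoded string. The loop follows
    NextToken because a large organization returns more than one page.
    boto3 is imported lazily so the parsing helpers work offline."""
    if client is None:
        import boto3  # assumed installed and credentialed where this runs
        client = boto3.client("config")
    rows, token = [], None
    while True:
        kwargs = {"ConfigurationAggregatorName": aggregator_name,
                  "Expression": query}
        if token:
            kwargs["NextToken"] = token
        response = client.select_aggregate_resource_config(**kwargs)
        rows.extend(response.get("Results", []))
        token = response.get("NextToken")
        if not token:
            return rows


def parse_rows(raw_rows):
    """Decode each JSON row into a dict restricted to the selected columns."""
    users = []
    for raw in raw_rows:
        row = json.loads(raw)
        users.append({col: row.get(col, "") for col in COLUMNS})
    return users


def count_by_account(users):
    """Number of IAM users per account: the first thing the audit looks at."""
    counts = defaultdict(int)
    for user in users:
        counts[user["accountId"]] += 1
    return dict(counts)


def to_csv(users):
    """Render the rows as CSV text, the shareable format the audit hands out."""
    buffer = io.StringIO()
    writer = csv.DictWriter(buffer, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(users)
    return buffer.getvalue()


class _PagedStub:
    """Constructed offline stand-in for the Config client: serves the rows
    one per page so the NextToken loop above is exercised without AWS."""

    def __init__(self, rows):
        self.rows = rows

    def select_aggregate_resource_config(self, **kwargs):
        index = int(kwargs.get("NextToken", "0"))
        page = {"Results": [self.rows[index]]}
        if index + 1 < len(self.rows):
            page["NextToken"] = str(index + 1)
        return page


# Constructed sample rows in the shape the API returns (placeholder IDs).
SAMPLE_ROWS = [
    json.dumps({"accountId": "111111111111", "resourceName": "ci-deployer",
                "resourceId": "AIDAEXAMPLE0000000001",
                "resourceCreationTime": "2023-01-15T09:12:00.000Z"}),
    json.dumps({"accountId": "111111111111", "resourceName": "legacy-backup",
                "resourceId": "AIDAEXAMPLE0000000002",
                "resourceCreationTime": "2021-06-02T14:40:00.000Z"}),
    json.dumps({"accountId": "222222222222", "resourceName": "data-export",
                "resourceId": "AIDAEXAMPLE0000000003",
                "resourceCreationTime": "2022-11-20T08:05:00.000Z"}),
]


def demo():
    """Offline run of the whole flow against the stub client."""
    raw = fetch_iam_users("org-aggregator", client=_PagedStub(SAMPLE_ROWS))
    users = parse_rows(raw)
    return count_by_account(users), to_csv(users)


if __name__ == "__main__":
    counts, report = demo()
    print(counts)
    print(report)
```

Against a real organization, call fetch_iam_users with only the aggregator name so the lazy boto3 import creates the client; the per-account counts make it obvious which account collected the most IAM users, and the CSV is what goes back to the user creators for the needs check the article describes.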