
Find forgotten IAM credentials before attackers do

A Python CLI tool that audits IAM users and access keys across every account of an AWS Organization. Built with boto3 and least-privilege principles.

Why IAM Audit?

In a multi-account AWS Organization, nobody has a consolidated view of IAM credentials. Old access keys do not show up in any default cross-account dashboard, they generate no alerts, and they bother no one. They simply wait. This tool finds them.
Tested in a real AWS Organization with 20+ active accounts. Found an access key created in 2018 — still active in production.

What it does

IAM Audit automatically traverses all active accounts in your AWS Organization, assumes an audit role in each one, and produces consolidated CSV reports with:

Access Key Inventory

Every access key per user, with its status, creation date, last-used date, and the service it was last used with

MFA Status

Detect users without MFA; each user is reported as Virtual, Hardware, or None

Console Access

Track which users have a login profile, i.e. which users can sign in to the console

CloudTrail Events

Collect IAM events for remediation tracking over time

Key Features

Multi-Account Scanning

Scan all active accounts in your AWS Organization with automatic role assumption

Least Privilege

Member accounts are reached with temporary credentials obtained through sts:AssumeRole, so no long-term credentials have to be stored in any member account

CSV Reports

Export detailed findings to CSV for analysis and tracking

MFA Detection

Identify users without MFA across all accounts

CloudTrail Integration

Track IAM events for remediation progress

Control Tower Ready

Works with AWS Control Tower out of the box: it can assume the AWSControlTowerExecution role that Control Tower creates in every enrolled account, as in the Quick Example below
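The collection loop described under What it does and the sts:AssumeRole hop from the Least Privilege feature, as an added Python example; this is not the IAM Audit project's own code. It reads every active account from Organizations, assumes an audit role in each one with 15-minute credentials, builds one report row per access key (plus a row for users who hold no key, so the MFA and console checks still cover them), and then flags active keys older than a threshold and console users without MFA. The role and session names, the rule that a virtual MFA device is recognised by its arn:...:mfa/ serial number, the fixed TODAY date and the sample users and keys are assumptions; the AWS clients are injected, so the constructed fakes at the bottom let the whole thing run offline.

```python
# Added example, not the IAM Audit project's own code: the core loop of a
# multi-account IAM credential audit. Clients are injected so the constructed
# fakes at the bottom run it offline; a real run passes boto3 Organizations/STS
# clients and an IAM-client factory. Names, the MFA-serial rule, TODAY and all
# sample data are assumptions.
from collections import namedtuple
from datetime import date, datetime, timezone
from types import SimpleNamespace

# One report row per access key; key columns are "" for a user who has no key.
Row = namedtuple("Row", "account_id user access_key_id status created "
                        "last_used last_used_service mfa console_access")

def iam_pages(call, key, **kwargs):  # follow IAM's Marker/IsTruncated pagination
    while True:
        page = call(**kwargs)
        yield from page[key]
        if not page.get("IsTruncated"):
            return
        kwargs["Marker"] = page["Marker"]

def list_active_accounts(org, token=None):  # Organizations pages with NextToken, 20 per page
    page = org.list_accounts(**({"NextToken": token} if token else {}))
    ids = [a["Id"] for a in page["Accounts"] if a["Status"] == "ACTIVE"]
    return ids + (list_active_accounts(org, page["NextToken"]) if "NextToken" in page else [])

def mfa_type(iam, user):
    """Virtual devices carry an ...:mfa/ ARN as serial; TOTP tokens and FIDO keys do not."""
    serials = [d["SerialNumber"] for d in iam.list_mfa_devices(UserName=user)["MFADevices"]]
    return "None" if not serials else "Virtual" if ":mfa/" in serials[0] else "Hardware"

def has_console_access(iam, user):  # GetLoginProfile raises NoSuchEntity without console sign-in
    try:
        return bool(iam.get_login_profile(UserName=user))
    except iam.exceptions.NoSuchEntityException:
        return False

def key_columns(iam, key):  # (id, status, created, last_used, service); blanks when key is None
    if key is None:
        return "", "", "", "", ""
    last = iam.get_access_key_last_used(AccessKeyId=key["AccessKeyId"])["AccessKeyLastUsed"]
    used = last["LastUsedDate"].date().isoformat() if "LastUsedDate" in last else "never"
    return (key["AccessKeyId"], key["Status"], key["CreateDate"].date().isoformat(),
            used, last.get("ServiceName", "N/A"))

def audit_account(iam, account_id):
    rows = []
    for user in iam_pages(iam.list_users, "Users"):
        name = user["UserName"]
        mfa, console = mfa_type(iam, name), has_console_access(iam, name)
        keys = list(iam_pages(iam.list_access_keys, "AccessKeyMetadata", UserName=name))
        for key in keys or [None]:  # a keyless user still gets a row for MFA/console status
            rows.append(Row(account_id, name, *key_columns(iam, key), mfa, console))
    return rows

def run_audit(org, sts, role_name, iam_client_for):  # one 15-minute AssumeRole per account
    rows = []
    for account_id in list_active_accounts(org):
        creds = sts.assume_role(RoleArn=f"arn:aws:iam::{account_id}:role/{role_name}",
                                RoleSessionName="iam-audit", DurationSeconds=900)["Credentials"]
        rows += audit_account(iam_client_for(creds), account_id)
    return rows

def stale_keys(rows, max_age_days, today):  # active keys older than the threshold
    return [r for r in rows if r.status == "Active"
            and (today - date.fromisoformat(r.created)).days > max_age_days]

def console_without_mfa(rows):  # the Phase 1 "MFA" control: console sign-in with no MFA
    return sorted({(r.account_id, r.user) for r in rows if r.console_access and r.mfa == "None"})

# --- Constructed sample data and fake clients (not real AWS output) ----------
def _utc(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)
TODAY = date(2026, 3, 5)
USERS = {  # name: ([(key id, status, created, last used or None, service)], [MFA serials], console?)
    "legacy-deploy": ([("AKIAIOSFODNN7EXAMPLE", "Active", "2018-03-12", "2024-01-30", "s3")], [], True),
    "alice": ([("AKIAI44QH8DHBEXAMPLE", "Active", "2026-01-10", None, "N/A")],
              ["arn:aws:iam::111111111111:mfa/alice"], True),
    "bob": ([], ["GAHT12345678"], False),
}
FAKE_ORG = SimpleNamespace(list_accounts=lambda **kw: {"Accounts": [
    {"Id": "111111111111", "Status": "ACTIVE"}, {"Id": "222222222222", "Status": "SUSPENDED"}]})
FAKE_STS = SimpleNamespace(assume_role=lambda **kw: {"Credentials": {
    "AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "s", "SessionToken": "t"}})

class FakeIam:  # same call shapes and response keys as boto3's IAM client
    class exceptions:
        class NoSuchEntityException(Exception): pass
    def list_users(self, **kw):
        return {"Users": [{"UserName": u} for u in USERS], "IsTruncated": False}
    def list_access_keys(self, UserName, **kw):
        return {"AccessKeyMetadata": [{"AccessKeyId": k, "Status": s, "CreateDate": _utc(c)}
                                      for k, s, c, _, _ in USERS[UserName][0]], "IsTruncated": False}
    def get_access_key_last_used(self, AccessKeyId):
        used, service = next(k for keys, _, _ in USERS.values() for k in keys if k[0] == AccessKeyId)[3:]
        return {"AccessKeyLastUsed": {"ServiceName": service, **({"LastUsedDate": _utc(used)} if used else {})}}
    def list_mfa_devices(self, UserName):
        return {"MFADevices": [{"SerialNumber": s} for s in USERS[UserName][1]]}
    def get_login_profile(self, UserName):
        if USERS[UserName][2]:
            return {"LoginProfile": {"UserName": UserName}}
        raise self.exceptions.NoSuchEntityException()

ROWS = run_audit(FAKE_ORG, FAKE_STS, "AWSControlTowerExecution", lambda creds: FakeIam())
```

For a real run, pass boto3.client("organizations") and boto3.client("sts") created from the management-account profile, and a factory such as lambda c: boto3.client("iam", aws_access_key_id=c["AccessKeyId"], aws_secret_access_key=c["SecretAccessKey"], aws_session_token=c["SessionToken"]). The calls this example makes map one-to-one to IAM actions, so the member-account role needs only iam:ListUsers, iam:ListAccessKeys, iam:GetAccessKeyLastUsed, iam:ListMFADevices and iam:GetLoginProfile, and the caller needs organizations:ListAccounts plus sts:AssumeRole on that role; that is the read-only footprint of this example, not necessarily the project's documented policy. Note that the key age comes from CreateDate, which is what catches a key that is used every day yet has never been rotated, while "never" in last_used catches the opposite case of a key nobody has touched.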

Quick Example

# Audit all accounts in your AWS Organization
python iam_audit.py --profile mgmt-profile --role AWSControlTowerExecution

# Output: iam_audit_report_20260305_143022.csv
# Output: cloudtrail_events_20260305_143022.csv

Security Maturity Alignment

This tool helps advance two key controls in the AWS Security Maturity Model v2:
| Phase | Control | How IAM Audit helps |
| --- | --- | --- |
| Phase 1: Quick Wins | Multi-Factor Authentication | Identifies users who have console access but no MFA |
| Phase 2: Foundational | Use Temporary Credentials | Exposes users that still hold long-term access keys |

Get Started

Installation

Install dependencies and set up the tool

Quick Start

Run your first audit in 5 minutes

Configure Permissions

Set up least-privilege IAM roles

Interpret Results

Understand your audit findings

Built by AWS Security Hero

Gerardo Castro — AWS Security Hero · Cloud Security Engineer. Building security tools for real AWS environments in LATAM. This script was born from a concrete need in the field, like most tools worth using. Read the full story about finding a 6-year-old access key in production.
