Overview
The AWS Security Maturity Model v2 (SMM) provides a structured approach to improving cloud security posture through progressive implementation of security controls across five phases. IAM Audit specifically addresses two controls that form the foundation of identity security in AWS Organizations.

Security Controls Addressed
This tool helps organizations advance in two specific phases of the AWS Security Maturity Model:

Phase 1 — Quick Wins
Multi-Factor Authentication: Identify users without MFA protection
Phase 2 — Foundational
Use Temporary Credentials: Expose long-term access keys across your organization
Phase 1: Multi-Factor Authentication
Control Objective
Ensure all human users with console access have MFA enabled. A password alone is a single factor, so MFA is the primary defense against a phished or reused console credential.

How IAM Audit Helps
The audit report identifies users with:
- Console access configured (`password_status: Configurada`, i.e. a console password is set)
- Missing MFA protection (`mfa_status: None`)
Maturity Indicators
| Maturity Level | Criteria |
|---|---|
| Not Started | No visibility into MFA coverage across accounts |
| In Progress | Regular audits conducted, gaps identified |
| Complete | 100% of console users have MFA enabled |
| Advanced | Policy enforcement prevents console access without MFA |
Phase 2: Temporary Credentials
Control Objective
Eliminate long-term access keys in favor of temporary credentials issued through AWS STS, IAM roles, or identity providers.

How IAM Audit Helps
The tool exposes:
- All active access keys across your organization (`status: Active`)
- Key age via the `created_date` field
- Key usage patterns through `last_used_date` and `service_name`
Maturity Indicators
| Maturity Level | Criteria |
|---|---|
| Not Started | No inventory of long-term credentials |
| In Progress | Access keys identified and cataloged |
| Complete | Migration plan executed, keys older than 90 days eliminated |
| Advanced | Temporary credentials used for all programmatic access |
Mapping Audit Results to Maturity Phases
CSV Fields and Security Controls
The IAM audit report fields directly map to SMM controls:

Field Mapping to SMM Controls
Phase 1 — MFA Control:
- `password_status`: Identifies console access
- `mfa_status`: Shows the MFA device type, or `None` when no device is assigned
- `password_last_used`: Indicates active console users

Phase 2 — Temporary Credentials Control:
- `access_key_id`: Lists all long-term credentials
- `created_date`: Enables age-based risk scoring
- `last_used_date`: Identifies unused keys for safe removal
- `service_name`: Shows the AWS service the key was last used with, i.e. what currently depends on it
Progressing Through Maturity Levels
Quantify Gaps
Analyze the CSV reports to measure:
- Percentage of console users without MFA
- Number of access keys older than 90 days
- Total long-term credentials in production accounts
Prioritize Remediation
Address high-risk findings first:
- Console users without MFA in production accounts
- Active access keys older than 1 year
- Keys with recent usage (`last_used_date` within 30 days): these are live dependencies, so move the caller to a role before the key is deleted rather than deleting it outright
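The two "How IAM Audit Helps" lists above and the Quantify Gaps and Prioritize Remediation steps all operate on the same CSV fields, so one script covers them. This is an added example, not the IAM Audit tool's own code. It assumes things the page does not state: `account_id` and `user_name` columns, one row per user repeated once per access key (key columns empty for users with no keys), ISO dates, and a `password_status` value other than `Configurada` for users without a console password. The report rows, key IDs and account numbers are constructed.

```python
"""Quantify and prioritise IAM Audit findings for the two SMM controls.

Added example, not the IAM Audit tool's own code. Assumed (not stated on
the page): account_id and user_name columns; one row per user repeated once
per access key, with empty key columns for users that have no keys; ISO
dates; a password_status other than "Configurada" means no console password.
"""
import csv
import io
from datetime import date, datetime

# Constructed sample report; key IDs and account numbers are fictitious.
SAMPLE_CSV = """\
account_id,user_name,password_status,mfa_status,password_last_used,access_key_id,status,created_date,last_used_date,service_name
111111111111,alice,Configurada,None,2024-05-01,AKIAEXAMPLE0000001,Active,2022-01-10,2024-05-02,s3
111111111111,alice,Configurada,None,2024-05-01,AKIAEXAMPLE0000002,Inactive,2023-11-01,,
222222222222,bob,Configurada,Virtual,2024-04-20,,,,,
111111111111,deploy-bot,No configurada,None,,AKIAEXAMPLE0000003,Active,2024-04-15,2024-05-03,ec2
222222222222,carol,Configurada,None,2024-03-01,AKIAEXAMPLE0000004,Active,2023-02-01,2024-01-15,sts
"""
PROD_ACCOUNTS = {"111111111111"}   # assumed: which accounts count as production
AUDIT_DATE = date(2024, 5, 10)     # fixed "today" so the sample numbers are stable


def load_report(text):
    """Parse the CSV text into a list of row dicts keyed by header name."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_date(value):
    return datetime.strptime(value, "%Y-%m-%d").date() if value else None


def console_users(rows):
    """Map (account, user) -> mfa_status for users whose console password is set.
    A user with several keys appears on several rows; the dict de-duplicates."""
    return {(r["account_id"], r["user_name"]): r["mfa_status"]
            for r in rows if r["password_status"] == "Configurada"}


def active_keys(rows):
    return [r for r in rows if r["access_key_id"] and r["status"] == "Active"]


def key_age_days(row, today=AUDIT_DATE):
    return (today - parse_date(row["created_date"])).days


def mfa_gap(rows):
    """Phase 1 metric: share of console users without an MFA device."""
    users = console_users(rows)
    missing = sorted(u for u, mfa in users.items() if mfa == "None")
    pct = round(100.0 * len(missing) / len(users), 1) if users else 0.0
    return {"console_users": len(users), "without_mfa": missing, "pct_without_mfa": pct}


def stale_keys(rows, max_age_days=90, today=AUDIT_DATE):
    """Phase 2 metric: active access keys older than the allowed age."""
    return sorted(r["access_key_id"] for r in active_keys(rows)
                  if key_age_days(r, today) > max_age_days)


def prioritize(rows, prod_accounts=PROD_ACCOUNTS, today=AUDIT_DATE):
    """Return (priority, subject, reason) triples, highest risk first."""
    findings = []
    for (acct, user), mfa in console_users(rows).items():
        if mfa == "None" and acct in prod_accounts:
            findings.append((1, f"{acct}/{user}", "console access without MFA in production"))
    for r in active_keys(rows):
        age = key_age_days(r, today)
        if age > 365:
            findings.append((2, r["access_key_id"], f"active key is {age} days old"))
        last = parse_date(r["last_used_date"])
        if last and (today - last).days <= 30:
            # A recently used key is a live dependency: migrate the caller to a
            # role before deleting it, or whatever talks to service_name breaks.
            findings.append((3, r["access_key_id"],
                             f"used {(today - last).days} days ago with {r['service_name'] or 'unknown service'}"))
    return sorted(findings)


if __name__ == "__main__":
    report = load_report(SAMPLE_CSV)
    print("MFA gap:", mfa_gap(report))
    print("Keys older than 90 days:", stale_keys(report))
    for priority, subject, reason in prioritize(report):
        print(f"P{priority} {subject}: {reason}")
```

Run it against a real export by replacing `SAMPLE_CSV` with the file contents and `AUDIT_DATE` with `date.today()`; the 90-day and 365-day thresholds are the ones the maturity tables above use, and `stale_keys` takes them as a parameter so a stricter internal policy can be applied without touching the logic.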
Track Progress
Re-run audits monthly and compare results. Use CloudTrail events from the IAM event source to verify that each change in the report has a matching API call:
- `DeleteAccessKey` events for key removal
- MFA device assignments (`EnableMFADevice`)
- User lifecycle changes (`CreateUser`, `DeleteUser`)
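The Track Progress step is a reconciliation: every access key that vanished between two reports, and every user that gained MFA, should be explained by a successful IAM API call in CloudTrail. The script below is an added example, not part of the IAM Audit tool. The CloudTrail records are constructed and trimmed to the fields used here; the field names (`eventName`, `errorCode`, `requestParameters.accessKeyId`, `requestParameters.userName`, `requestParameters.serialNumber`) follow CloudTrail's documented layout for IAM records, and a failed call is still recorded but carries `errorCode`, which is why the script ignores those.

```python
"""Reconcile report-to-report changes against CloudTrail IAM events.

Added example, not part of the IAM Audit tool. Input: the set of access keys
that disappeared between two monthly reports and the users that newly show an
MFA device; output: which of those changes CloudTrail explains. The records
below are constructed samples trimmed to the fields the script reads.
"""

SAMPLE_EVENTS = [
    {"eventTime": "2024-05-12T10:01:00Z", "eventName": "DeleteAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "secops-admin"},
     "requestParameters": {"userName": "alice", "accessKeyId": "AKIAEXAMPLE0000001"}},
    # A failed call is still logged; errorCode marks it. It is not a removal.
    {"eventTime": "2024-05-12T10:02:00Z", "eventName": "DeleteAccessKey",
     "errorCode": "NoSuchEntityException",
     "userIdentity": {"type": "IAMUser", "userName": "secops-admin"},
     "requestParameters": {"userName": "carol", "accessKeyId": "AKIAEXAMPLE0000004"}},
    {"eventTime": "2024-05-13T08:30:00Z", "eventName": "EnableMFADevice",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "alice",
                           "serialNumber": "arn:aws:iam::111111111111:mfa/alice"}},
    {"eventTime": "2024-05-20T15:00:00Z", "eventName": "DeleteUser",
     "userIdentity": {"type": "IAMUser", "userName": "secops-admin"},
     "requestParameters": {"userName": "deploy-bot"}},
]

# IAM calls that change the user or key inventory without being a plain deletion.
LIFECYCLE_EVENTS = {"CreateUser", "DeleteUser", "CreateAccessKey", "UpdateAccessKey"}


def successful(events, name):
    """Events named `name` whose call did not fail (failed calls carry errorCode)."""
    return [e for e in events if e["eventName"] == name and "errorCode" not in e]


def reconcile(events, keys_gone, users_now_with_mfa):
    """Explain each report change with a CloudTrail event; list those without one."""
    deleted = {e["requestParameters"]["accessKeyId"]
               for e in successful(events, "DeleteAccessKey")}
    mfa_enabled = {e["requestParameters"]["userName"]
                   for e in successful(events, "EnableMFADevice")}
    return {
        "keys_confirmed": sorted(keys_gone & deleted),
        # Gone from the report but no successful DeleteAccessKey: check the
        # lifecycle events for the owning user, or whether the trail has a gap.
        "keys_unexplained": sorted(keys_gone - deleted),
        "mfa_confirmed": sorted(users_now_with_mfa & mfa_enabled),
        "mfa_unexplained": sorted(users_now_with_mfa - mfa_enabled),
        "lifecycle": sorted((e["eventTime"], e["eventName"], e["requestParameters"]["userName"])
                            for e in events
                            if e["eventName"] in LIFECYCLE_EVENTS and "errorCode" not in e),
    }


if __name__ == "__main__":
    # Sets that a diff of two monthly reports would produce (constructed here).
    result = reconcile(SAMPLE_EVENTS,
                       keys_gone={"AKIAEXAMPLE0000001", "AKIAEXAMPLE0000003", "AKIAEXAMPLE0000004"},
                       users_now_with_mfa={"alice", "carol"})
    for label, value in result.items():
        print(f"{label}: {value}")
```

In the sample, key `AKIAEXAMPLE0000003` disappears with no `DeleteAccessKey` but its owner `deploy-bot` shows up under `lifecycle` as deleted, and `AKIAEXAMPLE0000004` is unexplained because its deletion failed; both are the cases where a report diff alone would have told you the wrong story.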
Beyond the Tool: Full SMM Implementation
While IAM Audit addresses two foundational controls, the complete AWS Security Maturity Model includes:
- Phase 1: Patch Management, Security Notifications, Security Contacts
- Phase 2: CloudTrail Logging, GuardDuty, Security Hub
- Phase 3: Centralized Logging, Backup Strategy, Incident Response
- Phase 4: Advanced Detection, Compliance Frameworks
- Phase 5: Continuous Improvement, Security Operations Maturity
Identity and access management forms the foundation. Without solving MFA and temporary credentials, advancing to later phases becomes significantly harder.
Additional Resources
- AWS Security Maturity Model: official AWS SMM documentation with all controls
- Interpreting Results: learn how to analyze your audit findings
- Remediation Guide: step-by-step workflows to fix identified issues
- IAM Best Practices: AWS official IAM security recommendations
