
What is IAM Audit?

IAM Audit is a Python CLI tool that automatically scans all active accounts in your AWS Organization, assumes an audit role in each one, and produces a consolidated security report of IAM users, access keys, MFA status, and console access.
Built by Gerardo Castro, AWS Security Hero, this tool was born from real-world security assessments in multi-account AWS environments across LATAM.

The Problem It Solves

In multi-account AWS environments, nobody has a consolidated view of IAM credentials. Old access keys don’t show up in any default dashboard. They don’t generate alerts. They don’t bother anyone. They just wait. This tool finds them.
The author tested this on a real AWS Organization with 20+ active accounts and found an access key created in 2018 — still active in production.

What You Get

IAM Audit produces two comprehensive CSV reports with:

IAM Security Report

  • All access keys per user (status, creation date, last used)
  • MFA status (Virtual, Hardware, or None)
  • Console access configuration
  • Last service used by each key

CloudTrail Events

  • IAM user creation/deletion events
  • Access key lifecycle events
  • Login profile changes
  • Perfect for remediation tracking

Key Features

Zero Standing Credentials

Uses sts:AssumeRole with temporary credentials that expire automatically. No long-term credentials are created.

Organization-Wide Visibility

Automatically discovers all active accounts using the AWS Organizations API and audits them in sequence.

Least Privilege Design

The management account role only needs organizations:ListAccounts and sts:AssumeRole. Child account roles only need read-only IAM and CloudTrail permissions.

Real Remediation Tracking

CloudTrail event collection lets you track security improvements over time by monitoring IAM user and key deletions.

Control Tower Compatible

Works out-of-the-box with AWS Control Tower’s AWSControlTowerExecution role — no additional deployment needed.

How It Works

1. List Organization Accounts: connects to the management account and retrieves all active accounts using organizations:ListAccounts.
2. Assume Audit Role: for each account, assumes a read-only IAM audit role using sts:AssumeRole with temporary credentials.
3. Collect IAM Data: lists all IAM users, their access keys, MFA devices, login profiles, and last-used information.
4. Query CloudTrail: pulls IAM-related events (user/key creation and deletion) for the specified time window.
5. Generate Reports: exports two timestamped CSV files with comprehensive findings across all accounts.
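Steps 2 and 3 above, as an added example that is not code from the IAM Audit project: it assumes the boto3 IAM client interface, uses the Control Tower role name mentioned on this page as the default, and ships with a constructed FakeIAM stand-in holding sample data so it runs offline; the 90-day staleness threshold and the row layout are this example's own choices. With real credentials, pass `datetime.now(timezone.utc)` as `now`, since boto3 returns timezone-aware dates.

```python
from datetime import datetime, timezone

def assume_audit_role(account_id, role_name="AWSControlTowerExecution"):
    """Step 2: IAM client in the target account backed by short-lived STS credentials."""
    import boto3  # imported lazily so audit_account() below runs without boto3 installed
    creds = boto3.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{account_id}:role/{role_name}",
        RoleSessionName="iam-audit", DurationSeconds=900)["Credentials"]
    return boto3.client("iam", aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"],
                        aws_session_token=creds["SessionToken"])

def audit_account(iam, account_id, now, max_key_age_days=90):
    """Step 3: one report row per access key (or per user with no keys). Pagination omitted."""
    rows = []
    for user in iam.list_users()["Users"]:
        name = user["UserName"]
        serials = [d["SerialNumber"] for d in iam.list_mfa_devices(UserName=name)["MFADevices"]]
        # virtual MFA devices are IAM ARNs (...:mfa/<name>); hardware tokens carry a vendor serial
        mfa = "None" if not serials else ("Virtual" if ":mfa/" in serials[0] else "Hardware")
        try:  # a login profile exists only when the user has a console password
            iam.get_login_profile(UserName=name)
            console = True
        except iam.exceptions.NoSuchEntityException:
            console = False
        for key in iam.list_access_keys(UserName=name)["AccessKeyMetadata"] or [None]:
            row = {"account": account_id, "user": name, "mfa": mfa, "console": console, "key_id": None,
                   "key_status": None, "key_age_days": None, "last_service": None, "stale": False}
            if key:
                last = iam.get_access_key_last_used(AccessKeyId=key["AccessKeyId"])["AccessKeyLastUsed"]
                age = (now - key["CreateDate"]).days
                row.update(key_id=key["AccessKeyId"], key_status=key["Status"], key_age_days=age,
                           last_service=last.get("ServiceName"),  # "N/A" when the key was never used
                           stale=key["Status"] == "Active" and age > max_key_age_days)
            rows.append(row)
    return rows

class FakeIAM:
    """Constructed stand-in for a boto3 IAM client with sample data (not a real account)."""
    class exceptions:
        class NoSuchEntityException(Exception): pass
    def list_users(self): return {"Users": [{"UserName": "deploy-bot"}, {"UserName": "alice"}]}
    def list_mfa_devices(self, UserName):
        return {"MFADevices": [{"SerialNumber": "arn:aws:iam::111111111111:mfa/alice"}] if UserName == "alice" else []}
    def get_login_profile(self, UserName):
        if UserName != "alice": raise self.exceptions.NoSuchEntityException()
        return {"LoginProfile": {"UserName": UserName}}
    def list_access_keys(self, UserName):  # one old, still-active key on the bot user, none on alice
        return {"AccessKeyMetadata": [{"AccessKeyId": "AKIAEXAMPLE0000001", "Status": "Active",
                "CreateDate": datetime(2018, 3, 1, tzinfo=timezone.utc)}] if UserName == "deploy-bot" else []}
    def get_access_key_last_used(self, AccessKeyId): return {"AccessKeyLastUsed": {"ServiceName": "s3"}}

def demo_rows():
    return audit_account(FakeIAM(), "111111111111", datetime(2025, 1, 1, tzinfo=timezone.utc))
```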

Use Cases

Security Audits

Quickly identify forgotten credentials, users without MFA, and unused access keys during periodic security reviews.

Compliance Reporting

Generate evidence for SOC 2, ISO 27001, or internal security standards requiring credential lifecycle management.

Cloud Security Maturity

This tool helps advance two specific controls from the AWS Security Maturity Model v2:
  • Phase 1 — Quick Wins: Multi-Factor Authentication (identifies users without MFA)
  • Phase 2 — Foundational: Use Temporary Credentials (exposes long-term access keys)

Incident Response

During a security incident, rapidly enumerate all IAM users and keys across your organization to assess exposure.

What’s Next?

Installation

Set up Python, boto3, and AWS credentials

Quick Start

Run your first audit in 5 minutes
