Get your first audit running in minutes and start identifying forgotten credentials, missing MFA, and unused access keys across all AWS accounts in your Organization.
This guide assumes you’ve already installed IAM Audit and configured the necessary AWS permissions.

Run Your First Audit

Step 1: Verify Prerequisites

Ensure you have:
  • Python 3.9+ installed
  • boto3 package installed (pip install boto3)
  • AWS CLI configured with a profile that has access to your AWS Organization management account
  • Audit role deployed to all member accounts (e.g., AWSControlTowerExecution or custom role)
Test your AWS credentials:
aws organizations list-accounts --profile your-mgmt-profile
Step 2: Run the Audit

Execute the IAM audit script with your management account profile and the audit role name. If you’re using AWS Control Tower, use the pre-existing AWSControlTowerExecution role:
python iam_audit.py --profile mgmt-profile --role AWSControlTowerExecution
What happens during execution:
  1. Script lists all active accounts in your AWS Organization
  2. Assumes the audit role in each member account
  3. Collects IAM user data, access keys, MFA status, and login profiles
  4. Queries CloudTrail for recent IAM events
  5. Exports findings to two timestamped CSV files
Example output:
Auditando cuenta: Production (123456789012)
Auditando cuenta: Development (234567890123)
Auditando cuenta: Staging (345678901234)
  Consultando CloudTrail en cuenta: Production (123456789012)
  Consultando CloudTrail en cuenta: Development (234567890123)
  Consultando CloudTrail en cuenta: Staging (345678901234)

Total de Access Keys encontradas: 47
Reporte exportado: iam_audit_report_20260305_143022.csv

Total de eventos CloudTrail encontrados: 12
Reporte de eventos CloudTrail exportado: cloudtrail_events_20260305_143022.csv
Step 3: Review the Reports

Two CSV files are generated with timestamps:

1. IAM Audit Report (iam_audit_report_YYYYMMDD_HHMMSS.csv)

Contains detailed findings for each IAM user and access key:

Field              | Description                    | Example
account_id         | AWS account ID                 | 123456789012
account_name       | Account name from Organization | Production
username           | IAM user name                  | john.doe
password_status    | Console access configured      | Configurada / No configurada
password_last_used | Last console login date        | 2026-03-04 15:30:00
access_key_id      | Access key identifier          | AKIAIOSFODNN7EXAMPLE
status             | Key status                     | Active / Inactive
created_date       | Key creation timestamp         | 2018-06-15 10:20:30
last_used_date     | Last time key was used         | 2026-03-05 08:45:00
service_name       | Last AWS service accessed      | s3, ec2, sts, etc.
mfa_status         | MFA device type                | Virtual / Hardware / None
2. CloudTrail Events Report (cloudtrail_events_YYYYMMDD_HHMMSS.csv)

Tracks IAM-related events for remediation monitoring:

Field        | Description
eventTime    | When the event occurred
eventName    | IAM action (CreateUser, DeleteAccessKey, etc.)
username     | User who performed the action
account_id   | Account where the event occurred
account_name | Human-readable account name
resources    | Affected IAM resources
Step 4: Identify Security Issues

Open the IAM audit report and look for these red flags:
  • Old Access Keys: keys created more than 90 days ago, a potential security risk
  • Unused Keys: keys that have never been used or haven’t been used in 6+ months
  • Missing MFA: users with console access but no MFA device configured
  • Shared Credentials: multiple active keys for a single user account
Quick analysis in Excel or Numbers:
  1. Filter by mfa_status = None and password_status = Configurada → users with console access but no MFA
  2. Sort by created_date ascending → find the oldest access keys
  3. Filter by last_used_date = Nunca utilizada → unused credentials to disable
  4. Group by username with multiple rows → users with multiple active keys
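The same four checks applied programmatically to the IAM audit report, as an added example that is not part of the IAM Audit project. It assumes the column names and values exactly as documented in the report table above (including the Spanish values Configurada and Nunca utilizada), treats an empty last_used_date as never used, and runs on constructed sample rows rather than a real report.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

DATE_FMT = "%Y-%m-%d %H:%M:%S"
OLD_KEY_DAYS, UNUSED_DAYS = 90, 180  # thresholds from the guide: 90 days / 6+ months

# Constructed sample rows in the report's documented column layout (not real audit output).
SAMPLE_CSV = """\
account_id,account_name,username,password_status,password_last_used,access_key_id,status,created_date,last_used_date,service_name,mfa_status
123456789012,Production,john.doe,Configurada,2026-03-04 15:30:00,AKIAEXAMPLE000000001,Active,2018-06-15 10:20:30,2026-03-05 08:45:00,s3,None
123456789012,Production,john.doe,Configurada,2026-03-04 15:30:00,AKIAEXAMPLE000000002,Active,2026-02-01 09:00:00,2026-03-01 12:00:00,ec2,None
234567890123,Development,ci-bot,No configurada,,AKIAEXAMPLE000000003,Active,2025-01-10 08:00:00,Nunca utilizada,,None
345678901234,Staging,jane.roe,Configurada,2026-03-03 10:00:00,AKIAEXAMPLE000000004,Active,2026-01-20 11:00:00,2026-03-04 09:00:00,sts,Virtual
"""
# Audit time matching the sample report timestamp 20260305_143022 shown in the guide.
SAMPLE_NOW = datetime(2026, 3, 5, 14, 30, 22)


def find_red_flags(csv_text, now):
    """Return {finding type: [tuples]} for the four red flags described in Step 4."""
    flags = {"old_key": [], "unused_key": [], "missing_mfa": [], "multiple_keys": []}
    active_keys = Counter()  # (account_name, username) -> number of Active keys
    for row in csv.DictReader(io.StringIO(csv_text)):
        key_ident = (row["account_name"], row["username"], row["access_key_id"])
        user_ident = (row["account_name"], row["username"])
        created = datetime.strptime(row["created_date"], DATE_FMT)
        if row["status"] == "Active" and now - created > timedelta(days=OLD_KEY_DAYS):
            flags["old_key"].append(key_ident)
        # "Nunca utilizada" is the report's never-used marker; an empty field is treated
        # the same way (assumption, not documented by the tool).
        last_used = row["last_used_date"]
        if last_used in ("Nunca utilizada", ""):
            flags["unused_key"].append(key_ident)
        elif now - datetime.strptime(last_used, DATE_FMT) > timedelta(days=UNUSED_DAYS):
            flags["unused_key"].append(key_ident)
        # Console access configured but no MFA device: one finding per user, not per key row
        if (row["password_status"] == "Configurada" and row["mfa_status"] == "None"
                and user_ident not in flags["missing_mfa"]):
            flags["missing_mfa"].append(user_ident)
        if row["status"] == "Active":
            active_keys[user_ident] += 1
    # Several active keys on one user is the "Shared Credentials" red flag
    flags["multiple_keys"] = [(a, u, n) for (a, u), n in active_keys.items() if n > 1]
    return flags


def audit_sample():
    return find_red_flags(SAMPLE_CSV, SAMPLE_NOW)
```

To run it against a real report, replace SAMPLE_CSV with the contents of iam_audit_report_YYYYMMDD_HHMMSS.csv and SAMPLE_NOW with the audit time.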

What’s Next?

Configure Permissions

Fine-tune IAM policies for least-privilege access

Interpret Results

Learn how to analyze findings and assess risk

Remediate Issues

Step-by-step guide to fix identified security gaps

Automate Audits

Schedule recurring audits with AWS Lambda

Common Scenarios

Control Tower automatically deploys the AWSControlTowerExecution role to all enrolled accounts:
python iam_audit.py --profile mgmt-profile --role AWSControlTowerExecution
Benefits:
  • Zero configuration — role exists by default
  • Automatically deployed to new accounts
  • Permissions already configured for auditing
See Control Tower Integration for details.
If you’re not using Control Tower or need a dedicated least-privilege role:
python iam_audit.py --profile my-org-mgmt --role CustomIAMAuditRole
Deploy the role to all member accounts using CloudFormation StackSets. See AWS Setup Guide.
If the audit role doesn’t exist in certain accounts, you’ll see errors like:
Error en cuenta Development-Sandbox: An error occurred (AccessDenied) when calling the AssumeRole operation
This is expected behavior. The script continues auditing other accounts and skips those where the role isn’t available.
To fix:
  1. Deploy the audit role to the missing accounts
  2. Verify the trust relationship allows your management account to assume the role
  3. Re-run the audit
See Troubleshooting for detailed diagnostics.
If the report shows zero access keys, the possible causes are:
  1. ✅ Great job! Your organization may not have any IAM users with long-term credentials
  2. The audit role doesn’t have iam:ListAccessKeys permission
  3. The role trust policy doesn’t allow your management account to assume it
Verify permissions:
aws iam get-role-policy --role-name IAMAuditRole --policy-name AuditPolicy --profile your-member-account-profile
See Permissions Setup to review required IAM actions.

Troubleshooting

Permission denied errors? Ensure your management account profile has organizations:ListAccounts and sts:AssumeRole permissions. See IAM Permissions Setup.
Run the audit monthly or after onboarding new team members to track credential hygiene over time. Use the CloudTrail events report to verify that old keys are being rotated or deleted.
For comprehensive troubleshooting, see the Troubleshooting Guide.
