
Prerequisites

Before running an audit, ensure you have:
1. Python Environment

Python 3.9 or higher installed on your system:
python --version

2. AWS CLI Configured

An AWS CLI profile configured with credentials for your management account:
aws configure --profile your-mgmt-profile
Or verify the profiles that already exist:
aws configure list-profiles

3. boto3 Installed

The AWS SDK for Python installed:
pip install boto3

4. Audit Role Deployed

The audit role must be deployed in every member account under the same name, with a trust policy that allows the management account to assume it and at least the read-only permissions the audit calls: iam:ListUsers, iam:ListAccessKeys, iam:GetAccessKeyLastUsed, iam:ListMFADevices, iam:GetLoginProfile and cloudtrail:LookupEvents.
If you use AWS Control Tower, the AWSControlTowerExecution role already exists in every enrolled account and can be used for auditing. Be aware that it carries AdministratorAccess, so anyone who can run the audit with it holds full administrative access to every member account; a dedicated read-only audit role is the least-privilege option.

Basic Execution

The audit requires two mandatory flags:
python iam_audit.py --profile <mgmt-profile> --role <role-name>

Common Examples

python iam_audit.py --profile mgmt-profile --role AWSControlTowerExecution

What Happens During Execution

When you run the audit, the tool performs these operations in sequence:

1. List Organization Accounts

Connects to the AWS Organizations API with your management account credentials and retrieves every account whose status is ACTIVE (suspended and pending-closure accounts are skipped). ListAccounts is paginated and returns at most 20 accounts per call, so larger organizations require following NextToken.
# Source: iam_audit.py:8-19
accounts = org_client.list_accounts()
2. CloudTrail Events Collection

Before auditing IAM, the tool queries CloudTrail event history in every account for the following IAM-related events:
  • CreateUser
  • DeleteUser
  • CreateAccessKey
  • DeleteAccessKey
  • DeleteLoginProfile
Time Range: from February 18, 2026 to the current date (hardcoded in the source at iam_audit.py:137).
CloudTrail queries are performed in the us-east-1 region. IAM is a global service, but CloudTrail events are regional, and global-service events such as IAM API calls are recorded in us-east-1.
Two properties of the LookupEvents API shape this step. Event history only covers the last 90 days, so once the hardcoded start date is more than 90 days in the past, nothing older than that window is returned and the start date no longer means what it says. Each call also accepts a single lookup attribute, so the tool needs one paged query per event name in every account, and LookupEvents is throttled to two requests per second per account and region.
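The CloudTrail step, as an added example written for this page (it is not an excerpt of iam_audit.py): one paged LookupEvents loop per event name, a 90-day clamp on the start date, and extraction of the actor, target user and key ID from the JSON string carried in CloudTrailEvent. The collector takes the client as a parameter, so it runs offline against the constructed FakeCloudTrail at the bottom; HARDCODED_START, DEMO_NOW, the account ID, IP addresses and event payloads are all constructed values. A real run would pass boto3.client("cloudtrail", region_name="us-east-1") built from the assumed-role credentials.

```python
import datetime as dt
import json

# Event names the audit looks for, as listed in step 2.
IAM_EVENTS = ["CreateUser", "DeleteUser", "CreateAccessKey", "DeleteAccessKey", "DeleteLoginProfile"]
# Constructed values for the offline demo: the page's hardcoded start date and a pretend "now"
# late enough that the start date has fallen out of the 90-day event-history window.
HARDCODED_START = dt.datetime(2026, 2, 18, tzinfo=dt.timezone.utc)
DEMO_NOW = dt.datetime(2026, 6, 1, tzinfo=dt.timezone.utc)


def lookup_window(start, now=None):
    """Event history only serves the last 90 days, so clamp an older start date to that
    floor instead of silently asking for a range the API cannot return."""
    now = now or dt.datetime.now(dt.timezone.utc)
    return max(start, now - dt.timedelta(days=90)), now


def collect_iam_events(cloudtrail, start, end, account_id):
    """One LookupEvents loop per event name (the API takes a single LookupAttribute), paging
    with NextToken. The useful fields live in the JSON string under CloudTrailEvent."""
    rows = []
    for name in IAM_EVENTS:
        kwargs = {"LookupAttributes": [{"AttributeKey": "EventName", "AttributeValue": name}],
                  "StartTime": start, "EndTime": end}
        while True:
            resp = cloudtrail.lookup_events(**kwargs)
            for ev in resp["Events"]:
                detail = json.loads(ev["CloudTrailEvent"])
                params = detail.get("requestParameters") or {}
                created = (detail.get("responseElements") or {}).get("accessKey") or {}
                rows.append({
                    "account_id": account_id,
                    "event_time": ev["EventTime"].isoformat(),
                    "event_name": ev["EventName"],
                    "actor": (detail.get("userIdentity") or {}).get("arn", "unknown"),
                    "source_ip": detail.get("sourceIPAddress", ""),
                    "target_user": params.get("userName", ""),
                    # CreateAccessKey reports the new key ID in the response; DeleteAccessKey in the request
                    "access_key_id": params.get("accessKeyId") or created.get("accessKeyId", ""),
                })
            if not resp.get("NextToken"):
                break
            kwargs["NextToken"] = resp["NextToken"]
    return rows


class FakeCloudTrail:
    """Constructed stand-in for boto3.client("cloudtrail"): two pages of CreateAccessKey,
    one DeleteUser, nothing for the other event names."""
    T = dt.datetime(2026, 3, 1, 12, 0, tzinfo=dt.timezone.utc)

    def _event(self, name, detail):
        return {"EventName": name, "EventTime": self.T, "CloudTrailEvent": json.dumps(detail)}

    def lookup_events(self, LookupAttributes, StartTime, EndTime, NextToken=None):
        name = LookupAttributes[0]["AttributeValue"]
        pages = {
            ("CreateAccessKey", None): {"NextToken": "page2", "Events": [self._event("CreateAccessKey", {
                "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
                "sourceIPAddress": "203.0.113.10",
                "requestParameters": {"userName": "svc-deploy"},
                "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLE000000002"}}})]},
            ("CreateAccessKey", "page2"): {"Events": [self._event("CreateAccessKey", {
                "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/Admin/bob"},
                "sourceIPAddress": "203.0.113.11",
                "requestParameters": {"userName": "bob"},
                "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLE000000009"}}})]},
            ("DeleteUser", None): {"Events": [self._event("DeleteUser", {
                "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
                "sourceIPAddress": "203.0.113.10",
                "requestParameters": {"userName": "olduser"}, "responseElements": None})]},
        }
        return pages.get((name, NextToken), {"Events": []})


def demo():
    """Run the collector against the fake inside the clamped window; returns (rows, window_start)."""
    start, end = lookup_window(HARDCODED_START, DEMO_NOW)
    return collect_iam_events(FakeCloudTrail(), start, end, "111111111111"), start.isoformat()


if __name__ == "__main__":
    rows, window_start = demo()
    print(f"window starts {window_start}; {len(rows)} events")
    for row in rows:
        print(row["event_time"], row["event_name"], row["actor"], "->", row["target_user"], row["access_key_id"])
```

With DEMO_NOW set to 1 June 2026 the hardcoded 18 February start is clamped to 3 March, which is what a live run would effectively get from the API anyway; the clamp just makes that visible. Looking at the flattened rows, a CreateAccessKey performed by an assumed-role session against a different user is exactly the kind of line worth chasing in the cloudtrail_events CSV.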
3. Assume Role in Each Account

For each account, the tool:
  1. Calls sts:AssumeRole to obtain temporary credentials
  2. Creates an IAM client with the temporary credentials
  3. Uses the session name SecurityAudit
# Source: iam_audit.py:21-28
sts_client.assume_role(
    RoleArn=f"arn:aws:iam::{account_id}:role/{role_name}",
    RoleSessionName="SecurityAudit"
)
The session name shows up in each member account's CloudTrail as the principal arn:aws:sts::<account_id>:assumed-role/<role_name>/SecurityAudit, which makes the audit's own read-only calls easy to tell apart from other uses of the role.

4. Enumerate IAM Users

In each account, the tool paginates through all IAM users.

5. Collect Access Key Data

For each user, the tool retrieves:
  • All access keys (active and inactive)
  • Access key last used date and service
  • MFA device status (None, Virtual, or Hardware)
  • Login profile status (console password configured or not)
  • Password last used date

6. Generate CSV Reports

Writes two timestamped CSV files to the current directory:
  • iam_audit_report_YYYYMMDD_HHMMSS.csv
  • cloudtrail_events_YYYYMMDD_HHMMSS.csv
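Steps 3 to 5 as one runnable pipeline, added here as an example written for this page rather than an excerpt of iam_audit.py. The audit logic takes the account list and a client factory as parameters, so it runs offline against the constructed FakeIam at the bottom; aws_iam_factory() is the only piece that needs AWS and assumes a boto3.Session for the management profile and the role deployed in each account. It also shows the failure mode step 3 implies: an account where AssumeRole fails is skipped and reported instead of aborting the run. Account IDs, user names, key IDs and dates are made up.

```python
import datetime as dt


def audit_user(iam, account, user):
    """Rows for one user: MFA status, console password status and one row per access key.
    A user holds at most two keys, so ListAccessKeys needs no paging."""
    name = user["UserName"]
    devices = iam.list_mfa_devices(UserName=name)["MFADevices"]
    # Virtual MFA serials are ARNs (arn:aws:iam::<account>:mfa/<name>); hardware token serials are not.
    mfa = "None" if not devices else "Virtual" if devices[0]["SerialNumber"].startswith("arn:") else "Hardware"
    try:
        iam.get_login_profile(UserName=name)
        password = "Configured"
    except iam.exceptions.NoSuchEntityException:  # raised when the user has no console password
        password = "Not configured"
    pw_last = user.get("PasswordLastUsed")
    rows = []
    for key in iam.list_access_keys(UserName=name)["AccessKeyMetadata"]:
        last = iam.get_access_key_last_used(AccessKeyId=key["AccessKeyId"])["AccessKeyLastUsed"]
        rows.append({
            "account_id": account["Id"], "user": name, "access_key_id": key["AccessKeyId"],
            "key_status": key["Status"],
            "key_last_used": last["LastUsedDate"].isoformat() if "LastUsedDate" in last else "never",
            "key_last_service": last.get("ServiceName", "N/A"),  # "N/A" for a key never used
            "mfa": mfa, "console_password": password,
            "password_last_used": pw_last.isoformat() if pw_last else "never",
        })
    return rows


def run_audit(accounts, iam_for_account):
    """iam_for_account(account_id) returns an IAM client for that account or raises (typically
    AccessDenied from AssumeRole). Failing accounts are skipped and reported, not fatal."""
    rows, skipped = [], []
    for account in accounts:
        try:
            iam = iam_for_account(account["Id"])
        except Exception as exc:  # broad on purpose: one bad account must not abort the whole run
            skipped.append((account["Id"], str(exc)))
            continue
        for page in iam.get_paginator("list_users").paginate():  # ListUsers is paginated
            for user in page["Users"]:
                rows.extend(audit_user(iam, account, user))
    return rows, skipped


def aws_iam_factory(session, role_name, session_name="SecurityAudit"):
    """Live wiring (assumes a boto3.Session for the management profile and the role deployed):
    AssumeRole into the account, then build an IAM client from the temporary credentials."""
    sts = session.client("sts")

    def iam_for_account(account_id):
        creds = sts.assume_role(RoleArn=f"arn:aws:iam::{account_id}:role/{role_name}",
                                RoleSessionName=session_name)["Credentials"]
        return session.client("iam", aws_access_key_id=creds["AccessKeyId"],
                              aws_secret_access_key=creds["SecretAccessKey"],
                              aws_session_token=creds["SessionToken"])
    return iam_for_account


# Constructed fake so the pipeline runs offline. alice has virtual MFA, a console password and one
# used key; svc-deploy has neither MFA nor password and two keys that were never used.
def _pages(*pages):
    """Stand-in for a boto3 paginator: an object whose paginate() yields the given pages."""
    return type("Pages", (), {"paginate": staticmethod(lambda **_: iter(pages))})()


class FakeIam:
    class exceptions:  # mirrors boto3's client.exceptions namespace
        class NoSuchEntityException(Exception):
            pass
    T0 = dt.datetime(2026, 1, 15, tzinfo=dt.timezone.utc)

    def get_paginator(self, _name):
        return _pages({"Users": [{"UserName": "alice", "PasswordLastUsed": self.T0}, {"UserName": "svc-deploy"}]})

    def list_mfa_devices(self, UserName):
        return {"MFADevices": [{"SerialNumber": "arn:aws:iam::111111111111:mfa/alice"}] if UserName == "alice" else []}

    def get_login_profile(self, UserName):
        if UserName != "alice":
            raise self.exceptions.NoSuchEntityException(f"Login Profile for User {UserName} cannot be found.")
        return {"LoginProfile": {"UserName": UserName}}

    def list_access_keys(self, UserName):
        ids = ["AKIAEXAMPLE000000001"] if UserName == "alice" else ["AKIAEXAMPLE000000002", "AKIAEXAMPLE000000003"]
        return {"AccessKeyMetadata": [{"AccessKeyId": k, "Status": "Active"} for k in ids]}

    def get_access_key_last_used(self, AccessKeyId):
        used = {"LastUsedDate": self.T0, "ServiceName": "s3"} if AccessKeyId.endswith("1") else {"ServiceName": "N/A"}
        return {"AccessKeyLastUsed": used}


ACCOUNTS = [{"Id": "111111111111", "Name": "Production"}, {"Id": "333333333333", "Name": "Sandbox"}]


def demo():
    """Run the pipeline against the fake; AssumeRole is made to fail for the Sandbox account."""
    def iam_for_account(account_id):
        if account_id == "333333333333":
            raise PermissionError("AccessDenied: not authorized to perform sts:AssumeRole")
        return FakeIam()
    return run_audit(ACCOUNTS, iam_for_account)
```

For a live run the same function is called as run_audit(accounts, aws_iam_factory(boto3.Session(profile_name="mgmt-profile"), "AWSControlTowerExecution")) with the account list from step 1, and the rows go straight into csv.DictWriter for step 6. Keeping the clients injectable is what makes a cross-account tool like this testable without credentials.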

Monitoring Progress

The tool prints progress messages to the console. They are in Spanish: "Auditando cuenta" is "Auditing account", "Consultando CloudTrail en cuenta" is "Querying CloudTrail in account", "Total de Access Keys encontradas" is "Total access keys found", "Reporte exportado" is "Report exported", and the last two lines give the total number of CloudTrail events found and the file the CloudTrail report was exported to:
Auditando cuenta: Production (123456789012)
Auditando cuenta: Staging (234567890123)
  Consultando CloudTrail en cuenta: Production (123456789012)
  Consultando CloudTrail en cuenta: Staging (234567890123)

Total de Access Keys encontradas: 47
Reporte exportado: iam_audit_report_20260305_143022.csv

Total de eventos CloudTrail encontrados: 12
Reporte de eventos CloudTrail exportado: cloudtrail_events_20260305_143022.csv

Execution Time Estimates

Execution time varies with organization size:

Organization Size    Estimated Time
5-10 accounts        2-5 minutes
10-20 accounts       5-10 minutes
20-50 accounts       10-20 minutes
50+ accounts         20+ minutes

Time estimates assume roughly 10-50 IAM users per account. Organizations with hundreds of IAM users per account will take longer.

Common Errors and Quick Fixes

Cannot assume the audit role in a member account

Cause: The audit role does not exist in the member account, or its trust policy does not allow the management account to assume it.
Fix:
  1. Verify the role exists in the member account (for example, run aws iam get-role --role-name <role-name> with credentials for that account)
  2. Check that the trust policy allows sts:AssumeRole from your management account
  3. Ensure the role name matches exactly (case-sensitive)
The tool skips accounts where it cannot assume the role and continues with the others. Check the console output to see which accounts failed.
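Fix step 2 checked offline, as an added example that is not part of the project: trust_policy_allows() decides whether a trust policy document grants sts:AssumeRole to the management account, covering the forms IAM accepts (Statement, Principal and Action as string or list; principal given as account ID, root ARN or an IAM user/role ARN; wildcard actions), an explicit Deny, and an Allow with a Condition such as sts:ExternalId that can only be satisfied at call time. The policy documents and the account IDs 111111111111 and 999999999999 are constructed.

```python
import fnmatch
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, account_id):
    """Accept "*", the bare account ID, the account root ARN, or any IAM principal ARN
    (user or role) from that account, in string or list form. Service principals never match."""
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    for entry in _as_list(principal.get("AWS", [])):
        if entry in ("*", account_id, f"arn:aws:iam::{account_id}:root"):
            return True
        if entry.startswith(f"arn:aws:iam::{account_id}:"):
            return True
    return False


def _action_matches(actions):
    """IAM action names are case-insensitive and may carry wildcards ("sts:*", "*")."""
    return any(fnmatch.fnmatchcase("sts:assumerole", a.lower()) for a in _as_list(actions))


def trust_policy_allows(policy_doc, account_id):
    """Return (allowed, reason) for sts:AssumeRole from account_id. Only the trust (resource)
    side is evaluated; the caller's own identity policy must also allow sts:AssumeRole."""
    doc = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    unconditional, conditional = False, None
    for stmt in _as_list(doc.get("Statement", [])):
        if not _action_matches(stmt.get("Action", [])):
            continue
        if not _principal_matches(stmt.get("Principal", {}), account_id):
            continue
        if stmt.get("Effect") == "Deny":
            # Conservative: a matching Deny blocks even if it carries a Condition we cannot evaluate here.
            return False, "explicit Deny matches the management account"
        if stmt.get("Condition"):
            conditional = stmt["Condition"]
        else:
            unconditional = True
    if unconditional:
        return True, "allowed"
    if conditional:
        return True, "allowed only when condition holds: " + json.dumps(conditional, sort_keys=True)
    return False, "no Allow statement grants sts:AssumeRole to the management account"


# Constructed trust policies; 111111111111 stands in for the management account.
MGMT_ACCOUNT = "111111111111"


def _trust(principal, effect="Allow", condition=None, action="sts:AssumeRole"):
    stmt = {"Effect": effect, "Principal": principal, "Action": action}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}


SAMPLE_POLICIES = {
    "control_tower_style": _trust({"AWS": f"arn:aws:iam::{MGMT_ACCOUNT}:root"}),
    "wrong_account": _trust({"AWS": "arn:aws:iam::999999999999:root"}),
    "external_id": _trust({"AWS": MGMT_ACCOUNT}, condition={"StringEquals": {"sts:ExternalId": "audit-2026"}}),
    "service_only": _trust({"Service": "ec2.amazonaws.com"}),
    "denied": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:*"},
        {"Effect": "Deny", "Principal": {"AWS": f"arn:aws:iam::{MGMT_ACCOUNT}:root"}, "Action": "sts:AssumeRole"}]},
}


def demo():
    """Evaluate every sample, plus one passed as a JSON string the way a pasted document arrives."""
    results = {name: trust_policy_allows(doc, MGMT_ACCOUNT) for name, doc in SAMPLE_POLICIES.items()}
    results["control_tower_style_as_json"] = trust_policy_allows(
        json.dumps(SAMPLE_POLICIES["control_tower_style"]), MGMT_ACCOUNT)
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:28} {'OK' if ok else 'NO'}  {why}")
```

This checks only the trust policy. The identity that calls AssumeRole also needs sts:AssumeRole on the role ARN in its own permissions, and a service control policy on the member account can still deny the call, so a "allowed" result here narrows the search rather than proving the AssumeRole will succeed.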
NoSuchEntity from GetLoginProfile

Cause: This is expected behavior when a user does not have console access configured; GetLoginProfile raises NoSuchEntity for users without a login profile.
Fix: No action needed. The code handles this exception and sets password_status to "No configurada" ("Not configured"); see iam_audit.py:58.

Profile not found or credentials not configured

Cause: AWS credentials are not configured, or the specified profile does not exist.
Fix:
# List available profiles
aws configure list-profiles

# Configure the profile
aws configure --profile your-profile-name

Access denied listing organization accounts

Cause: Your profile does not have the organizations:ListAccounts permission, or it belongs to a member account rather than the management account.
Fix: Ensure your management account credentials include:
{
  "Effect": "Allow",
  "Action": "organizations:ListAccounts",
  "Resource": "*"
}

Empty report

Cause: No IAM users with access keys were found, or every account failed to audit.
Fix:
  1. Check the console output for error messages
  2. Verify the role exists in at least one member account
  3. Confirm there are IAM users in your accounts

Next Steps

After running the audit successfully:

Understand Reports

Learn what each CSV field means and how to analyze the output

Command Reference

Explore all available command-line options
