We have the following security tools in IAM:
IAM Credential Report;
IAM Access Advisor.
IAM Credential Report
The IAM Credential Report is a report generated by AWS Identity and Access Management (IAM) that provides a detailed overview of the IAM users and their respective access keys, passwords, and other security-related information within an AWS account. The report includes details such as user names, access key IDs, their status (active or inactive), password reset requirements, and the date and time of their last activity. It allows administrators to review and assess the state of IAM credentials, identify potentially insecure configurations or unused accounts, and take appropriate actions to mitigate risks.
By regularly reviewing the IAM Credential Report, administrators can identify any misconfigured or insecure access keys, inactive or outdated user accounts, and other potential security vulnerabilities. This report can aid in maintaining a strong IAM security posture and ensure compliance with security best practices and regulatory requirements.
You can get a credential report from the AWS Management Console or from the AWS Command Line Interface (AWS CLI).
Getting credential reports (console)
You can use the AWS Management Console to download a credential report as a comma-separated values (CSV) file.
To download a credential report (console)
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
In the navigation pane, choose Credential report.
Choose Download Report.
Getting credential reports (AWS CLI)
To download a credential report (AWS CLI)
Configure the AWS CLI.
Generate a credential report. AWS stores a single report per account; if a report already exists, generating a new one overwrites it.
aws iam generate-credential-report
View the last report that was generated:
aws iam get-credential-report
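The CLI returns the CSV base64-encoded in the JSON "Content" field, so it needs decoding before review. The following is an added example, not part of the original page or of AWS tooling, that decodes such output and flags the kinds of findings described above (console users without MFA, active access keys that are old or unused). The report rows are constructed sample data using the real credential-report column names; the 90-day threshold is an assumed policy value.

```python
import base64
import csv
import io
import json
from datetime import datetime, timedelta, timezone

# Constructed sample report (real IAM credential-report column names, trimmed to
# the columns this check reads), wrapped the way `aws iam get-credential-report`
# prints it: the CSV is base64-encoded in "Content".
SAMPLE_CSV = (
    "user,arn,user_creation_time,password_enabled,password_last_used,"
    "password_last_changed,password_next_rotation,mfa_active,"
    "access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date\n"
    "<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,"
    "not_supported,2024-05-01T00:00:00+00:00,not_supported,not_supported,true,"
    "false,N/A,N/A\n"
    "alice,arn:aws:iam::123456789012:user/alice,2021-03-01T00:00:00+00:00,"
    "true,2024-05-20T09:00:00+00:00,2024-01-10T00:00:00+00:00,N/A,false,"
    "true,2022-02-01T00:00:00+00:00,2023-11-30T00:00:00+00:00\n"
    "bob,arn:aws:iam::123456789012:user/bob,2022-06-15T00:00:00+00:00,"
    "false,N/A,N/A,N/A,false,true,2024-05-01T00:00:00+00:00,2024-05-25T00:00:00+00:00\n"
)
CLI_OUTPUT = json.dumps({"Content": base64.b64encode(SAMPLE_CSV.encode()).decode(),
                         "ReportFormat": "text/csv"})
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "today"

def parse_time(value):
    """Timestamps are ISO 8601; N/A, no_information and not_supported mean 'none'."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None

def find_findings(cli_json, now, max_age_days=90):
    """Decode the report from the CLI JSON and return (user, finding) pairs."""
    csv_text = base64.b64decode(json.loads(cli_json)["Content"]).decode()
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        if row["access_key_1_active"] == "true":
            rotated = parse_time(row["access_key_1_last_rotated"])
            used = parse_time(row["access_key_1_last_used_date"])
            if rotated is None or now - rotated > timedelta(days=max_age_days):
                findings.append((user, "access key 1 older than %d days" % max_age_days))
            if used is not None and now - used > timedelta(days=max_age_days):
                findings.append((user, "access key 1 unused for over %d days" % max_age_days))
    return findings

if __name__ == "__main__":
    for user, finding in find_findings(CLI_OUTPUT, SAMPLE_NOW):
        print(f"{user}: {finding}")
```

To run it against a real account, replace CLI_OUTPUT with the text printed by `aws iam get-credential-report` and extend the key checks to the access_key_2 columns.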
IAM Access Advisor
IAM Access Advisor is a feature in AWS (Amazon Web Services) Identity and Access Management (IAM) that provides insights into the permissions granted to IAM users, roles, and groups. It helps administrators and security teams analyze the access patterns and usage of IAM entities to make informed decisions about security and access management.
The benefits of IAM Access Advisor include:
Visibility: It offers visibility into the actual usage of IAM entities, enabling administrators to identify unused or underutilized permissions. This information helps optimize and fine-tune access policies to reduce unnecessary permissions and potential security risks.
Least Privilege: By understanding the specific permissions used by IAM entities, administrators can implement the principle of least privilege more effectively. This principle ensures that users have only the necessary permissions to perform their tasks, reducing the potential impact of compromised credentials or accidental access.
Security Auditing: IAM Access Advisor data can be leveraged for security auditing and compliance purposes. It provides evidence of the access patterns and permissions used by IAM entities, facilitating security assessments and compliance reporting.
Access Policy Refinement: Access Advisor information can guide the process of refining access policies. By analyzing the access patterns and aligning them with business requirements, administrators can adjust policies to ensure efficient access management while maintaining security.
To access the IAM Access Advisor information in the AWS Management Console, navigate to the IAM service, select a user, role, or group, and review the "Access Advisor" tab. It displays a visual representation of the last accessed AWS services and offers details on service-specific permissions used within the selected time frame.
Currently, there is no direct AWS CLI command available to retrieve IAM Access Advisor information. The Access Advisor data is only accessible through the AWS Management Console.