AWS IAM Security Audit: Finding Overprivileged Roles

Overview

IAM misconfigurations are consistently ranked as a top cloud security risk. This guide covers systematic approaches to auditing AWS IAM for common security issues.

Audit Checklist

1. Root Account Security

# Check if root has access keys (should be none)
aws iam get-account-summary | jq '.SummaryMap.AccountAccessKeysPresent'
# Verify MFA is enabled on root
aws iam get-account-summary | jq '.SummaryMap.AccountMFAEnabled'

2. User Credential Hygiene

# Find users without MFA
aws iam generate-credential-report
aws iam get-credential-report --query 'Content' --output text | base64 -d | grep -E "^[^,]+,false"
# Find old access keys (>90 days)
aws iam list-users | jq -r '.Users[].UserName' | while read user; do
  aws iam list-access-keys --user-name "$user" --query "AccessKeyMetadata[?CreateDate<='$(date -d '90 days ago' +%Y-%m-%d)']"
done

3. Overprivileged Policies

Look for these dangerous patterns:

"Action": "*" with "Resource": "*"

iam:* permissions on non-admin roles

s3:* without resource constraints

PassRole without restrictions

4. Cross-Account Trust

# List roles with external trust
aws iam list-roles | jq -r '.Roles[] | select(.AssumeRolePolicyDocument.Statement[].Principal.AWS != null) | .RoleName'

Remediation Priorities

Critical: Remove root access keys, enable root MFA

High: Rotate old credentials, enforce MFA

Medium: Right-size overprivileged policies

Low: Clean up unused roles and users

Automation

Consider using tools like:

AWS Access Analyzer

Prowler

ScoutSuite

Custom scripts (like the AWS Security Scanner project)