IAM Audit & Compliance
🔥 Vibe Prompt
"Run an IAM audit: find unused permissions, dormant users, over-privileged roles, and fix them."
AWS IAM Access Analyzer
# External access: findings are resources (buckets, roles, keys, ...) reachable from outside the zone of trust
aws accessanalyzer create-analyzer --analyzer-name my-analyzer --type ACCOUNT
aws accessanalyzer list-findings --analyzer-arn <arn>
# Scan one resource on demand instead of waiting for the periodic scan (both ARNs are required)
aws accessanalyzer start-resource-scan --analyzer-arn <arn> --resource-arn <resource-arn>
# Unused access (roles, keys, passwords and permissions idle for N days) is a separate, paid analyzer type
aws accessanalyzer create-analyzer --analyzer-name unused-access --type ACCOUNT_UNUSED_ACCESS --configuration 'unusedAccess={unusedAccessAge=90}'
aws accessanalyzer list-findings-v2 --analyzer-arn <unused-analyzer-arn>
# Access previews answer "what would this policy change expose?"; they do not report unused access
aws accessanalyzer list-access-preview-findings --analyzer-arn <arn> --access-preview-id <id>
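For the dormant-user and key-age half of the audit, the IAM credential report is the cheaper source: one generate/get pair returns every user, their password and key activity, and MFA status, with no per-user API calls. The parser below is an added example, not code from the original page. The column layout is the real report's (after base64 decoding), but the rows, the account ID and the fixed NOW clock are constructed so the output is reproducible offline; fetch_credential_report is the live path using the standard boto3 calls.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the layout of `aws iam get-credential-report` (after base64 decoding).
# Only the columns the audit uses are included; a real report has more. Unused date fields
# read N/A / no_information / not_supported, exactly as IAM emits them.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2021-01-01T00:00:00+00:00,not_supported,2024-01-01T00:00:00+00:00,false,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-03-01T00:00:00+00:00,true,2024-05-30T12:00:00+00:00,true,true,2024-05-01T00:00:00+00:00,2024-05-30T12:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-03-01T00:00:00+00:00,true,2023-11-01T00:00:00+00:00,false,true,2023-01-15T00:00:00+00:00,2023-12-01T00:00:00+00:00,false,N/A,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2023-06-01T00:00:00+00:00,false,no_information,false,true,2023-06-01T00:00:00+00:00,2024-05-31T00:00:00+00:00,true,2023-06-01T00:00:00+00:00,N/A
"""

# Fixed clock so the sample gives reproducible ages; use datetime.now(timezone.utc) against a live report
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

def _parse_ts(value):
    """IAM timestamps are ISO-8601 with a UTC offset; the placeholder strings mean 'no value'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)

def audit_credential_report(report_csv, now=NOW, dormant_days=90, key_max_age_days=90):
    """Return (severity, user, message) tuples for the MFA, dormancy and key-rotation checks."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Root is special-cased: it must have MFA and should never hold access keys
            if row["mfa_active"] != "true":
                findings.append(("CRITICAL", user, "root account has no MFA"))
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append(("CRITICAL", user, "root account has active access keys"))
            continue
        # MFA only protects console passwords; key-only service users are covered by the rotation checks
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append(("HIGH", user, "console password enabled without MFA"))
        # Dormant = no password sign-in and no key use within dormant_days (creation date if never used)
        activity = [t for t in (_parse_ts(row["password_last_used"]),
                                _parse_ts(row["access_key_1_last_used_date"]),
                                _parse_ts(row["access_key_2_last_used_date"])) if t]
        newest = max(activity) if activity else _parse_ts(row["user_creation_time"])
        idle = (now - newest).days
        if idle > dormant_days:
            findings.append(("MEDIUM", user, f"no activity for {idle}d"))
        # Active keys past the rotation window, and active keys that have never been used at all
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            age = (now - _parse_ts(row[f"access_key_{slot}_last_rotated"])).days
            if age > key_max_age_days:
                findings.append(("MEDIUM", user, f"access key {slot} is {age}d old"))
            if _parse_ts(row[f"access_key_{slot}_last_used_date"]) is None:
                findings.append(("LOW", user, f"access key {slot} has never been used"))
    return findings

def fetch_credential_report(iam):
    """Live path: generate_credential_report is asynchronous, so poll until the State is COMPLETE."""
    import time
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam.get_credential_report()["Content"].decode()

if __name__ == "__main__":
    for severity, user, message in audit_credential_report(SAMPLE_REPORT):
        print(f"{severity}: {user}: {message}")
```

Run against a live account with `audit_credential_report(fetch_credential_report(boto3.client("iam")), now=datetime.now(timezone.utc))`. The report is regenerated at most once every four hours, so the "last used" columns can lag by that much; treat a borderline dormancy hit as a review item, not proof of disuse.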
IAM Audit Script
import boto3
from datetime import datetime, timezone

iam = boto3.client('iam')
NOW = datetime.now(timezone.utc)   # IAM timestamps are timezone-aware; compare like with like

def days_since(ts):
    return (NOW - ts).days

def all_users():
    # list_users is paginated; the bare call silently stops at the first page
    return [u for page in iam.get_paginator('list_users').paginate() for u in page['Users']]

def audit_iam():
    findings = []
    users = all_users()
    for user in users:
        name = user['UserName']
        # 1. Console users without MFA (a key-only user has no password for MFA to protect)
        try:
            iam.get_login_profile(UserName=name)
            has_password = True
        except iam.exceptions.NoSuchEntityException:
            has_password = False
        if has_password and not iam.list_mfa_devices(UserName=name)['MFADevices']:
            findings.append(f"HIGH: {name} has no MFA")
        # 2. Active access keys older than 90 days (inactive keys are clutter, not exposure)
        for key in iam.list_access_keys(UserName=name)['AccessKeyMetadata']:
            age = days_since(key['CreateDate'])
            if key['Status'] == 'Active' and age > 90:
                findings.append(f"MEDIUM: {name} key age: {age}d")
        # 3. AdministratorAccess attached directly or via a group; inline policies need a separate review
        attached = [p['PolicyArn'] for p in iam.list_attached_user_policies(UserName=name)['AttachedPolicies']]
        for group in iam.list_groups_for_user(UserName=name)['Groups']:
            attached += [p['PolicyArn'] for p in
                         iam.list_attached_group_policies(GroupName=group['GroupName'])['AttachedPolicies']]
        if 'arn:aws:iam::aws:policy/AdministratorAccess' in attached:
            findings.append(f"CRITICAL: {name} has Admin access!")
    # 4. Roles not assumed in 90 days (RoleLastUsed is only returned by get_role, not list_roles)
    for page in iam.get_paginator('list_roles').paginate():
        for role in page['Roles']:
            last_used = iam.get_role(RoleName=role['RoleName'])['Role'].get('RoleLastUsed', {}).get('LastUsedDate')
            if last_used and days_since(last_used) > 90:
                findings.append(f"LOW: Role {role['RoleName']} unused in 90d")
            elif not last_used and days_since(role['CreateDate']) > 90:
                findings.append(f"LOW: Role {role['RoleName']} never used since creation")
    return findings

for f in audit_iam():
    print(f"⚠️ {f}")
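The script above catches over-privilege only when it wears the AdministratorAccess label. A role with `"Action": "s3:*"` on `"Resource": "*"`, an Allow that uses NotAction, or an unconditioned `iam:PassRole` is just as over-privileged and never shows up. The checker below, an added example and not code from the original page, walks policy documents statement by statement and reports the worst pattern in each. The three policies are constructed; the read-only verb prefixes and the escalation-action set are assumptions to tune for your account; fetch_role_policy_documents is the hypothetical live path built from standard boto3 calls.

```python
# Constructed sample policy documents; none of these come from a real account
POLICIES = {
    "lambda-deploy": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["lambda:UpdateFunctionCode", "lambda:GetFunction"],
             "Resource": "arn:aws:lambda:us-east-1:123456789012:function:api-*"},
            # iam:PassRole on every role lets the deployer hand an admin role to a function it controls
            {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
        ],
    },
    "data-team": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
            # Allow + NotAction means "everything except", a common disguise for near-admin
            {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
        ],
    },
    "readonly-reports": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
             "Resource": ["arn:aws:s3:::reports", "arn:aws:s3:::reports/*"]},
        ],
    },
}

# Assumptions to tune per account: which action verbs count as read-only, and which
# actions let a principal take over another identity's privileges
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Head")
ESCALATION_ACTIONS = {
    "iam:PassRole", "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy", "iam:PutRolePolicy",
    "iam:UpdateAssumeRolePolicy", "sts:AssumeRole",
}

def _as_list(value):
    # IAM accepts either a string or a list for Action, NotAction and Resource
    return value if isinstance(value, list) else [value]

def _is_read_only(action):
    return ":" in action and action.split(":", 1)[1].startswith(READ_ONLY_PREFIXES)

def check_statement(stmt):
    """Return (severity, reason) for the worst over-privilege pattern in one statement, else None."""
    if stmt.get("Effect") != "Allow":
        return None                                   # Deny statements only narrow access
    on_any_resource = "*" in _as_list(stmt.get("Resource", []))
    if "NotAction" in stmt:
        return ("CRITICAL", f"Allow with NotAction {_as_list(stmt['NotAction'])} grants every action not listed")
    actions = _as_list(stmt.get("Action", []))
    if "*" in actions:
        return ("CRITICAL", "Action '*' is full administrator access")
    service_wild = [a for a in actions if a.endswith(":*")]
    if service_wild and on_any_resource:
        return ("HIGH", f"every action in {service_wild} on every resource")
    escalation = [a for a in actions if a in ESCALATION_ACTIONS]
    if escalation and on_any_resource and not stmt.get("Condition"):
        return ("HIGH", f"privilege-escalation action {escalation} on every resource with no Condition")
    writes = [a for a in actions if not _is_read_only(a)]
    if writes and on_any_resource:
        return ("MEDIUM", f"write actions {writes} on every resource")
    return None

def audit_policies(policies):
    """Takes {policy name: document}; returns (severity, policy, statement index, reason) tuples."""
    findings = []
    for name, doc in policies.items():
        for idx, stmt in enumerate(_as_list(doc.get("Statement", []))):
            hit = check_statement(stmt)
            if hit:
                findings.append((hit[0], name, idx, hit[1]))
    return findings

def fetch_role_policy_documents(iam, role_name):
    """Hypothetical live path: a role's attached policies (default version) plus its inline policies."""
    docs = {}
    for p in iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]:
        version = iam.get_policy(PolicyArn=p["PolicyArn"])["Policy"]["DefaultVersionId"]
        docs[p["PolicyName"]] = iam.get_policy_version(
            PolicyArn=p["PolicyArn"], VersionId=version)["PolicyVersion"]["Document"]
    for name in iam.list_role_policies(RoleName=role_name)["PolicyNames"]:
        docs[f"{role_name}/inline/{name}"] = iam.get_role_policy(
            RoleName=role_name, PolicyName=name)["PolicyDocument"]
    return docs

if __name__ == "__main__":
    for sev, name, idx, reason in audit_policies(POLICIES):
        print(f"{sev}: {name} statement[{idx}]: {reason}")
```

A Condition downgrades the PassRole case on purpose: `iam:PassedToService` scoped to one service is the usual fix, and the statement then lands in the MEDIUM bucket for the "write on any resource" review rather than the escalation queue. Static pattern matching like this complements Access Analyzer's unused-access findings: one says what a policy could do, the other says what the principal actually used.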
IAM Compliance Framework
| Standard | IAM Requirement |
|----------|----------------|
| SOC 2 | Periodic user access reviews with evidence; the framework fixes no interval, quarterly is the cadence auditors commonly accept |
| PCI DSS | MFA for all access into the cardholder data environment, including all administrative access (v4.0 requirement 8.4) |
| HIPAA | Unique user IDs, access control, and audit logs of who accessed ePHI (Security Rule, 45 CFR 164.312) |
| ISO 27001 | Role-based provisioning and periodic review of access rights (Annex A 5.15 and 5.18 in the 2022 edition) |
| FedRAMP | NIST SP 800-53 IA controls: MFA for all users, PIV/CAC for federal staff |
Automated Remediation
from datetime import datetime, timezone

def username_from(finding):
    # Findings are "LEVEL: <user> ...", so the user is the first token after the level
    return finding.split(": ")[1].split(" ")[0]

def auto_remediate(findings, dry_run=True):
    for finding in findings:
        user = username_from(finding)
        if "no MFA" in finding:
            # An SCP cannot enrol a device for the user; it denies everything except MFA setup
            # until aws:MultiFactorAuthPresent is true. Apply it once per OU, not per finding.
            apply_scp("require-mfa")            # hypothetical helper, not a boto3 call
        elif "key age" in finding:
            # Deactivate, never delete, on the first pass: an inactive key can be re-enabled when a
            # forgotten pipeline breaks, a deleted one cannot. delete_access_key needs the key ID anyway.
            for key in iam.list_access_keys(UserName=user)['AccessKeyMetadata']:
                stale = (datetime.now(timezone.utc) - key['CreateDate']).days > 90
                if key['Status'] == 'Active' and stale and not dry_run:
                    iam.update_access_key(UserName=user, AccessKeyId=key['AccessKeyId'], Status='Inactive')
            notify_user(user)                    # hypothetical helper
        elif "Admin access" in finding:
            if not dry_run:
                iam.detach_user_policy(
                    UserName=user,
                    PolicyArn="arn:aws:iam::aws:policy/AdministratorAccess"
                )
            attach_appropriate_role(user)        # hypothetical helper: the scoped policy is a human decision
IAM Course Complete! 🎉
- ✅ IAM Basics
- ✅ OAuth 2.0 & OIDC
- ✅ SSO & SAML
- ✅ MFA & Passwordless
- ✅ Audit & Compliance
Why learn IAM Audit & Compliance?
IAM Audit & Compliance is one of the core chapters of the security-iam course.
In the real world
IAM Audit & Compliance is not textbook theory; it comes up constantly in real software development. Whether you are doing contract work, preparing for interviews, or want to deepen your technical skills, understanding this topic benefits you directly.
What you gain from this chapter
- 🎯 A complete body of knowledge: from core principles to implementation details, clearly organized
- 💻 Runnable code: every snippet is complete and can be run directly
- 🔍 Debugging tips: analysis of common mistakes and how to fix them
- 🚀 Next steps: where to go deeper once you finish
Leading into the next chapter
This chapter gives you a complete foundation in IAM Audit & Compliance. The next chapter builds on it and takes you into more advanced real-world scenarios, where you will apply what you learned here to more complex problems.