IAM Audit & Compliance

🔥 Vibe Prompt

"Run an IAM audit: find unused permissions, dormant users, over-privileged roles, and fix them."

AWS IAM Access Analyzer

# Analyze IAM policies: an ACCOUNT analyzer reports resources shared outside the account
aws accessanalyzer create-analyzer --analyzer-name my-analyzer --type ACCOUNT
aws accessanalyzer start-resource-scan --analyzer-arn <analyzer-arn> --resource-arn <resource-arn>
aws accessanalyzer list-findings --analyzer-arn <analyzer-arn>

# Preview the effect of a policy change before deploying it (both arguments are required)
aws accessanalyzer list-access-preview-findings --access-preview-id <preview-id> --analyzer-arn <analyzer-arn>

# Check unused access: unused-access findings need an analyzer of type ACCOUNT_UNUSED_ACCESS
aws accessanalyzer create-analyzer --analyzer-name unused-access --type ACCOUNT_UNUSED_ACCESS
aws accessanalyzer list-findings-v2 --analyzer-arn <unused-access-analyzer-arn>

IAM Audit Script

import boto3
from datetime import datetime, timezone

iam = boto3.client('iam')

# boto3 returns timezone-aware datetimes, so compare against an aware "now"
now = datetime.now(timezone.utc)

def audit_iam():
    findings = []

    # Paginate: list_users / list_roles return at most 100 items per call
    users = [u for page in iam.get_paginator('list_users').paginate() for u in page['Users']]
    roles = [r for page in iam.get_paginator('list_roles').paginate() for r in page['Roles']]

    # 1. Users without MFA
    for user in users:
        mfa = iam.list_mfa_devices(UserName=user['UserName'])
        if not mfa['MFADevices']:
            findings.append(f"HIGH: {user['UserName']} has no MFA")

    # 2. Old access keys (>90 days)
    for user in users:
        keys = iam.list_access_keys(UserName=user['UserName'])['AccessKeyMetadata']
        for key in keys:
            age = (now - key['CreateDate']).days
            if age > 90:
                findings.append(f"MEDIUM: {user['UserName']} key age: {age}d")

    # 3. Admin users audit (directly attached AdministratorAccess only;
    #    admin rights inherited through groups are not checked here)
    for user in users:
        policies = iam.list_attached_user_policies(UserName=user['UserName'])
        for policy in policies['AttachedPolicies']:
            if 'AdministratorAccess' in policy['PolicyName']:
                findings.append(f"CRITICAL: {user['UserName']} has Admin access!")

    # 4. Unused roles (not used in 90 days). list_roles omits RoleLastUsed,
    #    so get_role is needed; a role never used has no LastUsedDate and is skipped here.
    for role in roles:
        last_used = iam.get_role(RoleName=role['RoleName'])['Role'].get('RoleLastUsed', {}).get('LastUsedDate')
        if last_used and (now - last_used).days > 90:
            findings.append(f"LOW: Role {role['RoleName']} unused in 90d")

    return findings

for f in audit_iam():
    print(f"⚠️ {f}")
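The script above makes three API calls per user, and its findings are free-form strings. An added example (not code from the course) that audits the IAM credential report instead: one `get_credential_report` call returns a CSV covering every user's MFA status, key age and key last-use, and the checks produce structured findings with a stable check id. The column names are the real credential-report headers; the sample report, the thresholds and the `Finding` type are constructed for this example.

```python
# Added example (not code from the course): audit the IAM credential report
# instead of calling three IAM APIs per user. One report covers every user's
# MFA status, key age and key last-use. Column names are the real
# credential-report headers; the sample report below is constructed.
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timezone

KEY_MAX_AGE_DAYS = 90     # rotation threshold, as in the audit script above
KEY_UNUSED_DAYS = 90      # a key not used for this long is a removal candidate
NEVER = {"N/A", "no_information", "not_supported", ""}


@dataclass(frozen=True)
class Finding:
    severity: str   # CRITICAL / HIGH / MEDIUM / LOW
    check: str      # stable check id, e.g. "no_mfa", usable by a remediation step
    user: str
    detail: str


def parse_report_ts(value: str):
    """Credential-report timestamps are ISO-8601 with a +00:00 offset; N/A means never."""
    if value in NEVER:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_credential_report(report_csv: str, now: datetime) -> list:
    """Return findings for one credential report, evaluated at tz-aware time `now`."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Root is special: it must have MFA and should have no access keys at all.
            if row["mfa_active"] == "false":
                findings.append(Finding("CRITICAL", "root_no_mfa", user, "root account has no MFA"))
            for n in ("1", "2"):
                if row[f"access_key_{n}_active"] == "true":
                    findings.append(Finding("CRITICAL", "root_access_key", user, f"root has an active access key {n}"))
            continue
        # Console users without MFA (API-only users have password_enabled == false)
        if row["password_enabled"] == "true" and row["mfa_active"] == "false":
            findings.append(Finding("HIGH", "no_mfa", user, "console password enabled but no MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = parse_report_ts(row[f"access_key_{n}_last_rotated"])
            if rotated and (now - rotated).days > KEY_MAX_AGE_DAYS:
                findings.append(Finding("MEDIUM", "old_access_key", user,
                                        f"access key {n} is {(now - rotated).days}d old"))
            # A key that has never been used counts as unused since it was created.
            last_used = parse_report_ts(row[f"access_key_{n}_last_used_date"]) or rotated
            if last_used and (now - last_used).days > KEY_UNUSED_DAYS:
                findings.append(Finding("LOW", "unused_access_key", user,
                                        f"access key {n} unused for {(now - last_used).days}d"))
    return findings


# Constructed sample report, trimmed to the columns this audit reads.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,not_supported,true,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,true,false,true,2024-05-01T00:00:00+00:00,2024-05-28T00:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,false,false,true,2023-12-01T00:00:00+00:00,2024-05-30T00:00:00+00:00,true,2024-01-01T00:00:00+00:00,N/A
carol,arn:aws:iam::123456789012:user/carol,true,true,false,N/A,N/A,false,N/A,N/A
"""
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def fetch_credential_report(iam):
    """Generate and download the live report with a boto3 IAM client."""
    import time
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam.get_credential_report()["Content"].decode()


if __name__ == "__main__":
    for f in audit_credential_report(SAMPLE_REPORT, SAMPLE_NOW):
        print(f"{f.severity}: {f.user}: {f.detail}")
    # Live run: import boto3 and pass
    # fetch_credential_report(boto3.client("iam")) with datetime.now(timezone.utc)
```

Against the sample, alice is flagged for a console password without MFA, and bob for two over-age keys plus one key that has never been used since creation; root and carol produce nothing. Because `now` is a parameter, the checks are deterministic and can be unit-tested against saved reports.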

IAM Compliance Framework

| Standard | IAM Requirement |
|----------|----------------|
| SOC 2    | Access review every 90d |
| PCI DSS  | MFA for all admin access |
| HIPAA    | Access control + audit logs |
| ISO 27001 | Role-based access + review |
| FedRAMP  | PIV/CAC authentication |

Automated Remediation

import boto3

iam = boto3.client('iam')

# apply_scp, notify_user and attach_appropriate_role are assumed to be defined
# elsewhere in the course; findings are the strings produced by audit_iam(),
# e.g. "MEDIUM: alice key age: 120d", with the user name right after the severity.
def auto_remediate(findings):
    for finding in findings:
        if "no MFA" in finding:
            # MFA cannot be enrolled on a user's behalf, so enforce it with an SCP
            apply_scp("require-mfa")
        elif "key age" in finding:
            username = finding.split(": ")[1].split(" ")[0]
            # delete_access_key removes one key by id, so list the user's keys first
            for key in iam.list_access_keys(UserName=username)['AccessKeyMetadata']:
                iam.delete_access_key(UserName=username, AccessKeyId=key['AccessKeyId'])
            notify_user(username)
        elif "Admin access" in finding:
            username = finding.split(": ")[1].split(" ")[0]
            iam.detach_user_policy(
                UserName=username,
                PolicyArn="arn:aws:iam::aws:policy/AdministratorAccess"
            )
            attach_appropriate_role(username)
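Matching on substrings of human-readable messages and deleting keys outright is fragile: a reworded finding silently stops being remediated, and a deleted key cannot be restored if a workload still depends on it. An added example (not the course's code) of a remediation step that consumes structured findings, plans before it acts, deactivates keys instead of deleting them, runs in dry-run mode by default, and skips exempt break-glass identities. The `Finding` and `Action` tuples, the `EXEMPT_USERS` set, the `FakeIAM` stand-in and the sample data are all constructed for this example; `list_access_keys`, `update_access_key` and `detach_user_policy` are real boto3 IAM client methods.

```python
# Added example (not the course's code): plan-then-apply remediation that works
# from structured findings, deactivates rather than deletes, and defaults to
# dry-run. The IAM client is injected so the logic can be exercised offline.
from collections import namedtuple

Finding = namedtuple("Finding", "check user detail")   # minimal stand-in for an audit result
Action = namedtuple("Action", "kind user key_id")

# Assumed: identities that must never be touched automatically (load from your own config)
EXEMPT_USERS = {"breakglass-admin"}
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def plan_remediation(findings, iam):
    """Turn findings into a de-duplicated list of actions without changing anything."""
    plan = []
    for f in findings:
        if f.user in EXEMPT_USERS:
            continue
        if f.check in ("old_access_key", "unused_access_key"):
            # Deactivate every active key: reversible if a workload breaks.
            for key in iam.list_access_keys(UserName=f.user)["AccessKeyMetadata"]:
                if key["Status"] == "Active":
                    plan.append(Action("deactivate_key", f.user, key["AccessKeyId"]))
        elif f.check == "admin_policy":
            plan.append(Action("detach_admin", f.user, None))
        # "no_mfa" is deliberately not fixed per user: MFA cannot be enrolled on
        # someone's behalf; enforce it with an MFA-conditioned deny (SCP) and notify.
    return list(dict.fromkeys(plan))   # drop duplicates, keep order


def apply_plan(plan, iam, dry_run=True):
    """Execute the plan; with dry_run=True only report what would happen."""
    applied = []
    for a in plan:
        if a.kind == "deactivate_key" and not dry_run:
            iam.update_access_key(UserName=a.user, AccessKeyId=a.key_id, Status="Inactive")
        elif a.kind == "detach_admin" and not dry_run:
            iam.detach_user_policy(UserName=a.user, PolicyArn=ADMIN_POLICY_ARN)
        applied.append(("DRY-RUN " if dry_run else "") + f"{a.kind} {a.user} {a.key_id or ''}".strip())
    return applied


class FakeIAM:
    """Constructed stand-in for boto3's IAM client, for offline testing only."""
    def __init__(self, keys):
        self.keys = keys        # user -> list of (key_id, status)
        self.calls = []

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"AccessKeyId": k, "Status": s}
                                      for k, s in self.keys.get(UserName, [])]}

    def update_access_key(self, **kw):
        self.calls.append(("update_access_key", kw))

    def detach_user_policy(self, **kw):
        self.calls.append(("detach_user_policy", kw))


# Constructed sample findings and key inventory (key ids are placeholders)
SAMPLE_FINDINGS = [
    Finding("old_access_key", "bob", "access key 1 is 183d old"),
    Finding("unused_access_key", "bob", "access key 2 unused for 152d"),
    Finding("admin_policy", "dave", "has AdministratorAccess attached"),
    Finding("admin_policy", "breakglass-admin", "has AdministratorAccess attached"),
]
SAMPLE_KEYS = {"bob": [("AKIAEXAMPLE000000001", "Active"),
                       ("AKIAEXAMPLE000000002", "Active"),
                       ("AKIAEXAMPLE000000003", "Inactive")]}

if __name__ == "__main__":
    fake = FakeIAM(SAMPLE_KEYS)
    for line in apply_plan(plan_remediation(SAMPLE_FINDINGS, fake), fake, dry_run=True):
        print(line)
    # Live: import boto3; pass boto3.client("iam") instead of FakeIAM, and only
    # set dry_run=False after the printed plan has been reviewed.
```

Two findings for bob collapse into one deactivation per active key, the already-inactive key is left alone, and the break-glass user is skipped entirely. Nothing reaches the IAM API until `dry_run=False`, which keeps the reviewed plan and the executed plan identical.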

IAM Course Complete! 🎉

  • ✅ IAM Basics
  • ✅ OAuth 2.0 & OIDC
  • ✅ SSO & SAML
  • ✅ MFA & Passwordless
  • ✅ Audit & Compliance


Why learn IAM Audit & Compliance?

IAM Audit & Compliance is one of the core chapters of the security-iam course.

In the real world

IAM Audit & Compliance is not textbook theory: it comes up constantly in real software development. Whether you are doing contract work, preparing for interviews, or want to deepen your technical skills, understanding this topic will benefit you directly.

What you will gain from this chapter

  • 🎯 A complete body of knowledge: from core principles to implementation details, clearly organized
  • 💻 Runnable code: every code sample is complete and can be executed directly
  • 🔍 Debugging techniques: analysis of common mistakes and their solutions
  • 🚀 Next steps: where to go deeper after finishing this chapter

Bridging to the next chapter

This chapter has built a complete knowledge base for IAM Audit & Compliance. The next chapter builds on it and takes you into more advanced real-world application scenarios, where you will learn to apply what you have learned here to more complex problems.

Unlock the full tutorial

This chapter is paid content. Join the project to unlock more than 5,000 words of in-depth analysis, including 10+ top-tier prompts and real source code examples!