IAM Audit & Compliance
🔥 Vibe Prompt
"Run an IAM audit: find unused permissions, dormant users, over-privileged roles, and fix them."
AWS IAM Access Analyzer
```bash
# Create an account-level analyzer; it reports resources reachable from outside the account
aws accessanalyzer create-analyzer --analyzer-name my-analyzer --type ACCOUNT
# Scan a single resource on demand (start-resource-scan needs the resource ARN as well)
aws accessanalyzer start-resource-scan --analyzer-arn <arn> --resource-arn <resource-arn>
aws accessanalyzer list-findings --analyzer-arn <arn>
# Preview what a proposed policy would expose before deploying it (the analyzer ARN is required here too)
aws accessanalyzer list-access-preview-findings --analyzer-arn <arn> --access-preview-id <id>
# Check unused access: that is a separate analyzer type, not an access preview
aws accessanalyzer create-analyzer --analyzer-name unused-access --type ACCOUNT_UNUSED_ACCESS \
  --configuration '{"unusedAccess":{"unusedAccessAge":90}}'
aws accessanalyzer list-findings-v2 --analyzer-arn <unused-analyzer-arn>
```
IAM Audit Script
```python
import boto3
from datetime import datetime, timezone

iam = boto3.client('iam')
NOW = datetime.now(timezone.utc)  # boto3 returns tz-aware datetimes, so compare in UTC


def audit_iam():
    findings = []
    # list_users / list_roles are paginated; a single call silently stops at the first page
    users = [u for page in iam.get_paginator('list_users').paginate() for u in page['Users']]
    roles = [r for page in iam.get_paginator('list_roles').paginate() for r in page['Roles']]

    for user in users:
        name = user['UserName']
        # 1. Users without MFA
        mfa = iam.list_mfa_devices(UserName=name)
        if not mfa['MFADevices']:
            findings.append(f"HIGH: {name} has no MFA")
        # 2. Old access keys (>90 days); only active keys matter for rotation
        keys = iam.list_access_keys(UserName=name)['AccessKeyMetadata']
        for key in keys:
            age = (NOW - key['CreateDate']).days
            if key['Status'] == 'Active' and age > 90:
                findings.append(f"MEDIUM: {name} key age: {age}d")
        # 3. Admin users audit (directly attached managed policies only;
        #    admin granted through a group or an inline policy is not caught here)
        policies = iam.list_attached_user_policies(UserName=name)
        for policy in policies['AttachedPolicies']:
            if 'AdministratorAccess' in policy['PolicyName']:
                findings.append(f"CRITICAL: {name} has Admin access!")

    # 4. Unused roles (not used in 90 days); RoleLastUsed is empty for roles never assumed
    for role in roles:
        last_used = iam.get_role(RoleName=role['RoleName'])['Role'].get('RoleLastUsed', {}).get('LastUsedDate')
        if last_used and (NOW - last_used).days > 90:
            findings.append(f"LOW: Role {role['RoleName']} unused in 90d")
    return findings


if __name__ == '__main__':
    for f in audit_iam():
        print(f"⚠️ {f}")
```
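The script above calls boto3 inline, which makes its rules hard to test, and it misses two ways a user ends up with admin rights (group membership and an inline policy document) as well as roles that were never assumed at all. The following is an added example, not the course's own script: the same checks written as pure functions over a snapshot of dicts that mirror boto3's IAM response shapes, so they run offline against constructed data and can be fed from a thin boto3 wrapper in production. The function names (`audit_snapshot`, `policy_grants_full_admin`), the snapshot layout, the `PasswordEnabled` flag (assumed to come from the IAM credential report, since `list_users` does not return it) and all sample data are assumptions made for this example.

```python
"""Offline IAM audit rules (added example; not the course's own script).

The rules take a snapshot of dicts shaped like boto3's IAM responses, so they
can be unit-tested against constructed data. PasswordEnabled is assumed to come
from the IAM credential report; boto3's list_users does not return it.
"""
from datetime import datetime, timezone, timedelta

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
KEY_MAX_AGE_DAYS = 90
ROLE_UNUSED_DAYS = 90


def _as_list(value):
    """Action/Resource/Statement may be a single value or a list in IAM JSON."""
    return value if isinstance(value, list) else [value]


def policy_grants_full_admin(document):
    """True if an Allow statement grants Action "*" on Resource "*"."""
    for stmt in _as_list(document.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action", [])) and "*" in _as_list(stmt.get("Resource", [])):
            return True
    return False


def audit_snapshot(snapshot, now=None):
    """Return (severity, message) findings for the users and roles in the snapshot."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for user in snapshot.get("users", []):
        name = user["UserName"]
        # Only console users need MFA; an API-only user has no password for MFA to protect
        if user.get("PasswordEnabled") and not user.get("MFADevices"):
            findings.append(("HIGH", f"{name} has console access without MFA"))
        for key in user.get("AccessKeys", []):
            if key.get("Status") != "Active":
                continue  # an inactive key cannot authenticate, so its age is irrelevant
            age = (now - key["CreateDate"]).days
            if age > KEY_MAX_AGE_DAYS:
                findings.append(("MEDIUM", f"{name} active key {key['AccessKeyId']} is {age} days old"))
        # Admin rights can arrive directly, through a group, or through an inline policy document
        managed = set(user.get("AttachedPolicyArns", [])) | set(user.get("GroupPolicyArns", []))
        if ADMIN_POLICY_ARN in managed:
            findings.append(("CRITICAL", f"{name} has AdministratorAccess (direct or via group)"))
        elif any(policy_grants_full_admin(d) for d in user.get("InlinePolicies", [])):
            findings.append(("CRITICAL", f"{name} has an inline policy equivalent to AdministratorAccess"))
    for role in snapshot.get("roles", []):
        last = role.get("RoleLastUsed", {}).get("LastUsedDate")
        if last is None:
            findings.append(("LOW", f"Role {role['RoleName']} has never been assumed"))
        elif (now - last).days > ROLE_UNUSED_DAYS:
            findings.append(("LOW", f"Role {role['RoleName']} unused for {(now - last).days} days"))
    return findings


# Constructed sample snapshot with a fixed clock so the output is reproducible
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_SNAPSHOT = {
    "users": [
        {"UserName": "alice", "PasswordEnabled": True,
         "MFADevices": [{"SerialNumber": "arn:aws:iam::111122223333:mfa/alice"}],
         "AccessKeys": [{"AccessKeyId": "AKIAEXAMPLE0000001", "Status": "Active",
                         "CreateDate": NOW - timedelta(days=120)}],
         "AttachedPolicyArns": ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
         "InlinePolicies": [], "GroupPolicyArns": []},
        {"UserName": "bob", "PasswordEnabled": True, "MFADevices": [],
         "AccessKeys": [{"AccessKeyId": "AKIAEXAMPLE0000002", "Status": "Inactive",
                         "CreateDate": NOW - timedelta(days=400)}],
         "AttachedPolicyArns": [], "InlinePolicies": [],
         "GroupPolicyArns": [ADMIN_POLICY_ARN]},
        {"UserName": "ci-bot", "PasswordEnabled": False, "MFADevices": [],
         "AccessKeys": [{"AccessKeyId": "AKIAEXAMPLE0000003", "Status": "Active",
                         "CreateDate": NOW - timedelta(days=10)}],
         "AttachedPolicyArns": [],
         "InlinePolicies": [{"Version": "2012-10-17",
                             "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}],
         "GroupPolicyArns": []},
    ],
    "roles": [
        {"RoleName": "deploy", "RoleLastUsed": {"LastUsedDate": NOW - timedelta(days=5)}},
        {"RoleName": "legacy-export", "RoleLastUsed": {"LastUsedDate": NOW - timedelta(days=200)}},
        {"RoleName": "never-assumed", "RoleLastUsed": {}},
    ],
}

if __name__ == "__main__":
    for severity, message in audit_snapshot(SAMPLE_SNAPSHOT, now=NOW):
        print(f"{severity}: {message}")
```

Run against the sample, the rules produce six findings: alice's 120-day key, bob's missing MFA and group-granted admin, ci-bot's inline full-admin policy, and the two stale roles. bob's 400-day key is skipped because it is already inactive, and ci-bot is not flagged for MFA because it has no console password.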
IAM Compliance Framework
| Standard | IAM Requirement |
|----------|----------------|
| SOC 2 | Access review every 90d |
| PCI DSS | MFA for all admin access |
| HIPAA | Access control + audit logs |
| ISO 27001 | Role-based access + review |
| FedRAMP | PIV/CAC authentication |
Automated Remediation
```python
import boto3
from datetime import datetime, timezone

iam = boto3.client('iam')


def auto_remediate(findings):
    # apply_scp, notify_user and attach_appropriate_role are hooks this lesson leaves for you
    # to implement (Organizations SCP pipeline, notification channel, role catalogue)
    now = datetime.now(timezone.utc)
    for finding in findings:
        # Findings look like "LEVEL: <username> ...", so the user is the first word after the level
        username = finding.split(": ")[1].split(" ")[0]
        if "no MFA" in finding:
            # Apply SCP requiring MFA (an SCP is account-wide, so one application covers every such finding)
            apply_scp("require-mfa")
        elif "key age" in finding:
            # The finding carries no key id, so look the keys up again and remove the stale ones.
            # delete_access_key is irreversible; update_access_key(Status='Inactive') first gives a rollback window.
            for key in iam.list_access_keys(UserName=username)['AccessKeyMetadata']:
                if (now - key['CreateDate']).days > 90:
                    iam.delete_access_key(UserName=username, AccessKeyId=key['AccessKeyId'])
            notify_user(username)
        elif "Admin access" in finding:
            iam.detach_user_policy(
                UserName=username,
                PolicyArn="arn:aws:iam::aws:policy/AdministratorAccess"
            )
            attach_appropriate_role(username)
```
IAM Course Complete! 🎉
- ✅ IAM Basics
- ✅ OAuth 2.0 & OIDC
- ✅ SSO & SAML
- ✅ MFA & Passwordless
- ✅ Audit & Compliance
IAM Audit and Compliance
Why audit?
- Incident investigation: when a breach happens, you need to know what the attacker did
- Regulatory requirements: ISO 27001, SOC 2 and GDPR all require access auditing
- Internal controls: make sure nobody acts beyond their authority
AWS CloudTrail
CloudTrail records every API call in an AWS account: who, using which role, from which IP address, called which API.
```json
{
  "eventSource": "iam.amazonaws.com",
  "eventName": "CreateUser",
  "userIdentity": {
    "arn": "arn:aws:iam::123456:user/admin"
  },
  "sourceIPAddress": "203.0.113.5",
  "requestParameters": {
    "userName": "backdoor_user"
  }
}
```
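Knowing what CloudTrail records is only useful if something reads them. The following is an added example, not the course's code: a handful of detection rules run over constructed records in the shape CloudTrail delivers (a `Records` list in which `sourceIPAddress` and `errorCode` sit beside `userIdentity`, not inside it). The first record is the page's CreateUser event; the other records, the `detect` function, the event lists and the denied-call threshold are assumptions to tune for your own environment.

```python
"""Detection rules over CloudTrail records (added example; not the course's code).

Records are constructed inline in the shape CloudTrail delivers them. The event
lists and the AccessDenied threshold are assumptions for illustration.
"""
from collections import Counter

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
CREDENTIAL_EVENTS = {"CreateUser", "CreateLoginProfile", "CreateAccessKey"}
ATTACH_EVENTS = {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy"}
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
DENIED_THRESHOLD = 3  # assumption: alert once one principal collects this many AccessDenied errors


def caller_name(record):
    """Last path element of the caller ARN, e.g. 'admin' for arn:...:user/admin."""
    return record.get("userIdentity", {}).get("arn", "").rsplit("/", 1)[-1]


def detect(records):
    """Return (severity, eventName, callerArn, reason) alerts for a batch of records."""
    alerts = []
    denied = Counter()
    for rec in records:
        ident = rec.get("userIdentity", {})
        arn = ident.get("arn", "<unknown>")
        name = rec.get("eventName", "")
        source = rec.get("eventSource", "")
        params = rec.get("requestParameters") or {}
        if ident.get("type") == "Root":
            alerts.append(("HIGH", name, arn, "root account activity"))
        if source == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPER_EVENTS:
            alerts.append(("HIGH", name, arn, "audit trail configuration changed"))
        if source == "iam.amazonaws.com":
            target = params.get("userName")
            # Rotating your own key is routine; creating credentials for someone else is not
            if name in CREDENTIAL_EVENTS and target and target != caller_name(rec):
                alerts.append(("HIGH", name, arn, f"credential created for another user: {target}"))
            if name in ATTACH_EVENTS and params.get("policyArn") == ADMIN_POLICY_ARN:
                alerts.append(("CRITICAL", name, arn, "AdministratorAccess attached"))
        if rec.get("errorCode") == "AccessDenied":
            denied[arn] += 1
    for arn, count in denied.items():
        if count >= DENIED_THRESHOLD:
            alerts.append(("MEDIUM", "AccessDenied", arn, f"{count} denied calls in this batch"))
    return alerts


ADMIN_ARN = "arn:aws:iam::123456:user/admin"   # the page's sample principal
INTERN_ARN = "arn:aws:iam::123456:user/intern"  # constructed
SAMPLE_RECORDS = [  # constructed; the first record is the page's CreateUser event
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser", "arn": ADMIN_ARN},
     "sourceIPAddress": "203.0.113.5", "requestParameters": {"userName": "backdoor_user"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "arn": ADMIN_ARN}, "sourceIPAddress": "203.0.113.5",
     "requestParameters": {"userName": "backdoor_user", "policyArn": ADMIN_POLICY_ARN}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456:root"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "arn": ADMIN_ARN}, "sourceIPAddress": "203.0.113.5",
     "requestParameters": {"name": "main-trail"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456:user/auditor"},
     "sourceIPAddress": "10.0.0.5"},
] + [
    {"eventSource": "secretsmanager.amazonaws.com", "eventName": ev,
     "userIdentity": {"type": "IAMUser", "arn": INTERN_ARN}, "sourceIPAddress": "10.0.0.9",
     "errorCode": "AccessDenied"}
    for ev in ("ListSecrets", "GetSecretValue", "DescribeSecret")
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS):
        print(alert)
```

On the sample batch this yields five alerts: the user creation and the AdministratorAccess attachment by `admin`, the root console login, the StopLogging call, and the intern's three denied calls rolled into one medium alert; the auditor's ListUsers produces nothing. In practice the same rules would run over each delivered log file or an EventBridge stream rather than an in-memory list.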
IAM Access Analyzer
IAM Access Analyzer examines all IAM policies and finds resources that may be accessible from outside the account, for example an S3 bucket policy that grants access to an external account. This is very useful in a compliance audit.
Course Summary
This IAM course has gone from basic concepts through OAuth/OIDC, SSO/SAML and MFA to auditing; you can now design an enterprise-grade identity and access management architecture.