IAM Audit & Compliance

🔥 Vibe Prompt

"Run an IAM audit: find unused permissions, dormant users, over-privileged roles, and fix them."

AWS IAM Access Analyzer

# Analyze IAM policies for resources shared outside the account
aws accessanalyzer create-analyzer --analyzer-name my-analyzer --type ACCOUNT
# start-resource-scan needs the ARN of the resource to scan as well as the analyzer ARN
aws accessanalyzer start-resource-scan --analyzer-arn <arn> --resource-arn <resource-arn>
aws accessanalyzer list-findings --analyzer-arn <arn>

# Check unused access (unused roles, access keys, passwords and permissions) with a
# separate unused-access analyzer; its findings are read with list-findings-v2
aws accessanalyzer create-analyzer --analyzer-name unused-access --type ACCOUNT_UNUSED_ACCESS
aws accessanalyzer list-findings-v2 --analyzer-arn <unused-access-analyzer-arn>

IAM Audit Script

import boto3
from datetime import datetime, timezone

iam = boto3.client('iam')

def audit_iam():
    findings = []
    # boto3 returns timezone-aware datetimes, so compare against an aware "now"
    now = datetime.now(timezone.utc)

    # 1. Users without MFA (paginate: list_users returns at most 100 users per call)
    users = [u for page in iam.get_paginator('list_users').paginate() for u in page['Users']]
    for user in users:
        mfa = iam.list_mfa_devices(UserName=user['UserName'])
        if not mfa['MFADevices']:
            findings.append(f"HIGH: {user['UserName']} has no MFA")

    # 2. Old access keys (>90 days)
    for user in users:
        keys = iam.list_access_keys(UserName=user['UserName'])['AccessKeyMetadata']
        for key in keys:
            age = (now - key['CreateDate']).days
            if age > 90:
                findings.append(f"MEDIUM: {user['UserName']} old access key: {age}d")

    # 3. Admin users audit (managed policies attached directly to the user)
    for user in users:
        policies = iam.list_attached_user_policies(UserName=user['UserName'])
        for policy in policies['AttachedPolicies']:
            if 'AdministratorAccess' in policy['PolicyName']:
                findings.append(f"CRITICAL: {user['UserName']} has Admin access!")

    # 4. Unused roles (not used in 90 days)
    roles = [r for page in iam.get_paginator('list_roles').paginate() for r in page['Roles']]
    for role in roles:
        # list_roles omits RoleLastUsed, so each role is fetched individually;
        # LastUsedDate is absent for roles never used within the tracking period
        role_info = iam.get_role(RoleName=role['RoleName'])['Role']
        last_used = role_info.get('RoleLastUsed', {}).get('LastUsedDate')
        if last_used and (now - last_used).days > 90:
            findings.append(f"LOW: Role {role['RoleName']} unused in 90d")

    return findings

if __name__ == '__main__':
    for f in audit_iam():
        print(f"⚠️ {f}")

IAM Compliance Framework

| Standard | IAM Requirement |
|----------|----------------|
| SOC 2    | Access review every 90d |
| PCI DSS  | MFA for all admin access |
| HIPAA    | Access control + audit logs |
| ISO 27001 | Role-based access + review |
| FedRAMP  | PIV/CAC authentication |

Automated Remediation

import boto3

iam = boto3.client('iam')

# apply_scp, notify_user and attach_appropriate_role are organisation-specific hooks
# that this lesson does not define; wire them to your own tooling.
def auto_remediate(findings):
    for finding in findings:
        # Finding messages have the shape "<LEVEL>: <username> ..."
        username = finding.split(": ")[1].split(" ")[0]
        if "no MFA" in finding:
            # Apply SCP requiring MFA
            apply_scp("require-mfa")
        elif "old access key" in finding or "key age" in finding:
            # delete_access_key removes one key at a time, so enumerate the user's keys first
            keys = iam.list_access_keys(UserName=username)['AccessKeyMetadata']
            for key in keys:
                iam.delete_access_key(UserName=username, AccessKeyId=key['AccessKeyId'])
            notify_user(username)
        elif "Admin access" in finding:
            iam.detach_user_policy(
                UserName=username,
                PolicyArn="arn:aws:iam::aws:policy/AdministratorAccess"
            )
            attach_appropriate_role(username)

IAM Course Complete! 🎉

  • ✅ IAM Basics
  • ✅ OAuth 2.0 & OIDC
  • ✅ SSO & SAML
  • ✅ MFA & Passwordless
  • ✅ Audit & Compliance


IAM Audit and Compliance

Why Audit?

  • Incident investigation: when a breach happens, you need to know what the attacker did
  • Regulatory requirements: ISO 27001, SOC 2 and GDPR all require access auditing
  • Internal controls: make sure nobody acts beyond their authority

AWS CloudTrail

CloudTrail records every API call made in an AWS account: who made it, with which role, from which IP address, and which API was called.

{
  "eventSource": "iam.amazonaws.com",
  "eventName": "CreateUser",
  "sourceIPAddress": "203.0.113.5",
  "userIdentity": {
    "arn": "arn:aws:iam::123456:user/admin"
  },
  "requestParameters": {
    "userName": "backdoor_user"
  }
}
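A small detection pass over CloudTrail records like the one above, added here as an example and not part of the course: it flags IAM write calls that create identities or grant permissions, escalates AdministratorAccess attachments, and marks changes made from outside an assumed trusted network. The sample events, the trusted range 10.0.0.0/8 and the list of sensitive event names are constructed assumptions.

```python
import ipaddress
# Constructed sample CloudTrail records (not real logs), trimmed to the fields the rules use.
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/admin"},
     "requestParameters": {"userName": "backdoor_user"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/admin"},
     "requestParameters": {"userName": "backdoor_user",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers", "sourceIPAddress": "10.0.0.8",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/AuditRole"},
     "requestParameters": None},
]

SENSITIVE_IAM_EVENTS = {  # IAM write calls that create identities or grant credentials/permissions
    "CreateUser", "CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy",
    "AttachRolePolicy", "PutUserPolicy", "PutRolePolicy", "UpdateAssumeRolePolicy"}
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed corporate egress range

def is_trusted(source_ip, trusted_networks):
    """AWS service principals log a hostname instead of an IP; treat those as trusted."""
    if source_ip.endswith(".amazonaws.com"):
        return True
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted_networks)

def review_iam_events(events, trusted_networks=TRUSTED_NETWORKS):
    """Return (severity, message) pairs for IAM changes that deserve a human look."""
    findings = []
    for ev in events:
        name = ev.get("eventName", "")
        if ev.get("eventSource") != "iam.amazonaws.com" or name not in SENSITIVE_IAM_EVENTS:
            continue  # not an IAM event, or a read-only call such as ListUsers
        actor = ev.get("userIdentity", {}).get("arn", "unknown")
        params = ev.get("requestParameters") or {}  # CloudTrail logs null for some calls
        target = params.get("userName") or params.get("roleName") or "?"
        if params.get("policyArn") == ADMIN_POLICY:
            findings.append(("CRITICAL", f"{actor} attached AdministratorAccess to {target}"))
        else:
            findings.append(("MEDIUM", f"{actor} called {name} on {target}"))
        src = ev.get("sourceIPAddress", "")
        if not is_trusted(src, trusted_networks):
            findings.append(("HIGH", f"{name} by {actor} from untrusted IP {src}"))
    return findings
```

Run `review_iam_events(SAMPLE_EVENTS)` to see the two changes to `backdoor_user` reported while the read-only ListUsers call from inside the trusted range is ignored.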

IAM Access Analyzer

IAM Access Analyzer analyzes every IAM policy and finds resources that may be accessible from outside the account, for example an S3 bucket policy that grants access to an external account. This is very useful in compliance audits.

Course Summary

This IAM course has covered the fundamentals, OAuth/OIDC, SSO/SAML, MFA and auditing; you can now design an enterprise-grade identity and access management architecture.
