AWS IAM#

Version: 1.0.1 · Category: AWS Cloud Security · Plan: Base+

A comprehensive IAM security analysis integration covering user and role inventory, policy inspection, access key management, permission boundary analysis, and security risk detection.

Tools#

list_users — User list#

List all IAM users with status fields:

  • Password and access key last used times
  • MFA device status
  • Groups and group count
  • Access key count

get_user_details — User details#

Retrieve the full configuration for a specific user:

  • Attached managed policies
  • Inline policy names
  • Groups
  • MFA devices
  • Active access keys and status

list_roles — Role list#

List all IAM roles, including:

  • Role name and ARN
  • Creation time
  • Assume Role policy (trust policy) document

get_role_details — Role details#

Retrieve the full configuration for a role:

  • Attached managed policies
  • Inline policy names
  • Trust policy (which principals can assume this role)

list_policies — Policy list#

List IAM policies with scope filtering:

scope parameter   Description
Local             Only customer-managed policies
AWS               Only AWS-managed policies
All               All policies

get_policy_details — Policy details#

Retrieve a policy's full text and version history.

analyze_user_permissions — User effective permissions analysis#

Aggregate all effective permissions for a specified user from all sources:

  • Directly attached managed policies
  • Inline policies
  • Group memberships
  • Group policies

Returns the complete list of actions the user is allowed to perform.

check_inactive_users — Inactive user detection#

Detect users who have not used their console passwords or access keys within a specified number of days.

Parameter        Default   Description
days_threshold   90        Inactivity threshold (days)

check_access_keys — Access key health check#

Comprehensive access key audit:

  • Key age
  • Last used time and service
  • Rotation recommendations

check_mfa_compliance — MFA compliance check#

Detect IAM users without MFA enabled, with a focus on users that have console access.

find_admin_users — Admin user list#

Identify users with the AdministratorAccess managed policy attached, or an equivalent policy granting full *:* permissions.

check_password_policy — Password policy#

View the account's IAM password policy settings: minimum length, complexity requirements, expiry, and password reuse restrictions.

find_roles_with_external_trust — External trust role detection#

Detect IAM roles whose trust policy allows principals from outside the current account:

  • Cross-account trust (other AWS account IDs)
  • External trust (trust to federated identity providers or third-party services)
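
The classification this tool performs can be reproduced offline on trust policy documents. The following is an added example, not the integration's own code: it takes a map of role name to trust policy (a constructed sample with hypothetical account ids) and reports cross-account, federated and wildcard trust, plus cross-account statements that lack the usual sts:ExternalId condition.

```python
# Constructed sample trust policies; the account ids are hypothetical placeholders.
CURRENT_ACCOUNT = "111111111111"
SAMPLE_TRUST_POLICIES = {
    "AppRole": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                               "Principal": {"Service": "ec2.amazonaws.com"}}]},
    "PartnerRole": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                   "Principal": {"AWS": "arn:aws:iam::222222222222:root"}}]},
    "SsoRole": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRoleWithSAML",
                               "Principal": {"Federated": "arn:aws:iam::111111111111:saml-provider/corp"}}]},
    "OpenRole": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": "*"}]},
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    # Bare 12-digit account id, or field 4 of arn:partition:service:region:account:resource
    parts = principal.split(":")
    return principal if principal.isdigit() else (parts[4] if len(parts) >= 6 else None)

def classify_trust(policy, current_account=CURRENT_ACCOUNT):
    """Return the set of findings for one trust policy (empty = same-account or AWS-service only)."""
    findings = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.add("wildcard")
            continue
        # sts:ExternalId is the usual confused-deputy mitigation for third-party trust
        has_external_id = any("sts:ExternalId" in ops for ops in stmt.get("Condition", {}).values())
        for kind, values in principal.items():
            for value in _as_list(values):
                if kind == "AWS" and value == "*":
                    findings.add("wildcard")
                elif kind == "AWS" and _account_of(value) != current_account:
                    findings.add("cross-account")
                    if not has_external_id:
                        findings.add("cross-account-without-external-id")
                elif kind == "Federated":
                    findings.add("external")  # IdP trust, even when the provider lives in this account
    return findings

def find_roles_with_external_trust(trust_policies, current_account=CURRENT_ACCOUNT):
    """Map role name -> sorted findings, dropping roles with no external trust."""
    return {name: sorted(f) for name, policy in trust_policies.items()
            if (f := classify_trust(policy, current_account))}
```

Roles trusted only by the current account or by AWS service principals produce no findings; wildcard principals are reported even when a Condition narrows them, so review those by hand.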

check_permission_boundaries — Permission boundary analysis#

Audit permission boundary configuration for all users and roles: identify which identities have a boundary set and what effective permission scope it allows.

get_account_summary — Account summary#

Retrieve account-level IAM configuration statistics:

  • Number of users, groups, roles, policies
  • MFA enable rate
  • Whether the root account uses MFA

Configuration#

Item                     Description
AWS_ACCESS_KEY_ID        Access Key ID
AWS_SECRET_ACCESS_KEY    Secret Access Key
AWS_DEFAULT_REGION       Default region (e.g. us-east-1)
AWS_SESSION_TOKEN        Optional: temporary session token

Investigation workflow#

1. get_account_summary
   → Get an overview of account-wide IAM configuration risk

2. check_mfa_compliance
   → Identify users without MFA enabled (priority action)

3. find_admin_users
   → List all users with admin privileges

4. check_access_keys
   → Identify access keys that are too old and should be rotated

5. analyze_user_permissions username:"<suspicious user>"
   → Get the full effective permission list for a specific user

6. find_roles_with_external_trust
   → Confirm which roles can be assumed by external accounts or identities