How to Monitor Custom IAM Users in Your AWS Organization

How to Monitor Custom IAM Users in Your AWS Organization

Managing AWS accounts is one of the most challenging jobs for any Platform / Security team. While maintaining availability and security, monitoring who is getting access to AWS accounts is essential.

Sample AWS organization accounts

Let’s assume the CTO of PlatformSecurityTech (an imaginary IT company) asked their Platform team to create a few accounts for their product offerings. Right after the request, the team set up 3 accounts per the above diagram and handed them to the company. The team used AWS Identity Center to manage its users securely and maintain further security.

Since users of Account A and Account B had unrestrictive permissions for their day-to-day needs (it could be a lack of understanding of programmatic access through SSO), many IAM users were created. Among them, a few were not even used for months 🤔. It was getting difficult to maintain their usage. The team decided to perform bi-weekly audits on existing IAM users in different accounts and later monitor them.

It’s easy if you have one or two accounts to monitor. But in an ideal world, there are many of them. Going through each one is not only tiring but also time-consuming. They decided to go ahead with Advance Query in AWS Config to increase productivity and provide a seamless experience in monitoring those IAMs.

Given they restructured the organization as below,

Here, they developed another AWS account called Delegated Admin, which manages all the administrative work (non-root account). Due to its nature, this new account is connected with all other accounts and can fetch data and perform specific activities in those accounts. Assuming AWS Config is configured in the new account, you can now observe your account’s activity. Now, to check the existing IAM users,

AWS Config Dashboard

Go to for the AWS Config dashboard. There, you will find a similar-looking sidebar. Now, go to Advance Query from the sidebar.

AWS Config — Advance Query dashboard

You will find something similar to the above page, which might be pre-populated with a few queries through the team-configured conformance pack. Click on the new query and add it to the query editor below.

  resourceType = 'AWS::IAM::User'

AWS Config — Advance Query Editor

Running this query will show the list of IAM users in the AWS organization, including the other details mentioned in the selected query. Once the team collects the data from their audits, they can contact the creator of those IAM users for their needs and perform the corrections accordingly. One can export the data to any sharable format for frequent updates.

Thank you for reading this article! If you're interested in DevOps, Security, or Leadership for your startup, feel free to reach out at or book a slot in my calendar. Don't forget to subscribe to my newsletter for more insights on my security and product development journey. Stay tuned for more posts!