justjjosh/iam-security-audit
IAM Security Audit

A small Python tool that audits an AWS account’s IAM configuration for common security gaps and produces a timestamped report in reports/.

This project is designed for quick, repeatable checks you can run locally before a security review, as part of a baseline hardening effort, or during routine IAM hygiene.

What it checks

The current checks include:

  • IAM users without MFA enabled
  • Access keys older than MAX_ACCESS_KEY_AGE_DAYS
  • Access keys unused for more than INACTIVE_KEY_DAYS (or never used)
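The three checks above, written out as an added example so the logic can be run and tested offline. This is illustrative code, not the project's audit.py: the checks are pure functions over an inventory that has already been fetched, and the `fetch_inventory` helper at the end shows the boto3 calls assumed to build that inventory (each one maps to a permission in the README's minimum policy). The threshold names and defaults follow the README's config.py; the user names and key IDs in the sample are constructed.

```python
"""Added example: the README's three IAM checks as testable functions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Thresholds mirror the README's config.py defaults (names and values assumed from the README).
MAX_ACCESS_KEY_AGE_DAYS = 90
INACTIVE_KEY_DAYS = 30


@dataclass
class AccessKey:
    key_id: str
    created: datetime               # CreateDate from iam:ListAccessKeys (tz-aware)
    last_used: Optional[datetime]   # LastUsedDate from iam:GetAccessKeyLastUsed; None = never used


@dataclass
class User:
    name: str
    mfa_devices: int = 0                             # count from iam:ListMFADevices
    keys: List[AccessKey] = field(default_factory=list)


def audit(users, now=None, max_age_days=MAX_ACCESS_KEY_AGE_DAYS, inactive_days=INACTIVE_KEY_DAYS):
    """Return one finding dict per violated check, across all users and keys."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for u in users:
        # Check 1: user has no MFA device enrolled.
        if u.mfa_devices == 0:
            findings.append({"user": u.name, "check": "no_mfa"})
        for k in u.keys:
            # Check 2: key older than the rotation threshold.
            age = (now - k.created).days
            if age > max_age_days:
                findings.append({"user": u.name, "check": "key_too_old",
                                 "key_id": k.key_id, "age_days": age})
            # Check 3: key never used, or idle longer than the inactivity threshold.
            if k.last_used is None:
                findings.append({"user": u.name, "check": "key_never_used", "key_id": k.key_id})
            else:
                idle = (now - k.last_used).days
                if idle > inactive_days:
                    findings.append({"user": u.name, "check": "key_inactive",
                                     "key_id": k.key_id, "idle_days": idle})
    return findings


def fetch_inventory(iam_client):
    """Build the User list from a live account (not run offline).

    Pass boto3.client("iam"). Each call needs one permission from the README's policy:
    list_users -> iam:ListUsers, list_mfa_devices -> iam:ListMFADevices,
    list_access_keys -> iam:ListAccessKeys, get_access_key_last_used -> iam:GetAccessKeyLastUsed.
    The paginator matters: list_users returns at most 100 users per call.
    """
    users = []
    for page in iam_client.get_paginator("list_users").paginate():
        for raw in page["Users"]:
            name = raw["UserName"]
            mfa = iam_client.list_mfa_devices(UserName=name)["MFADevices"]
            keys = []
            for meta in iam_client.list_access_keys(UserName=name)["AccessKeyMetadata"]:
                last = iam_client.get_access_key_last_used(AccessKeyId=meta["AccessKeyId"])
                # LastUsedDate is absent when the key has never been used.
                keys.append(AccessKey(meta["AccessKeyId"], meta["CreateDate"],
                                      last["AccessKeyLastUsed"].get("LastUsedDate")))
            users.append(User(name, len(mfa), keys))
    return users


# Constructed sample inventory (not real account data) so the checks run offline.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_USERS = [
    User("alice", mfa_devices=1,
         keys=[AccessKey("AKIA-EXAMPLE-1", NOW - timedelta(days=10), NOW - timedelta(days=1))]),
    User("bob", mfa_devices=0,
         keys=[AccessKey("AKIA-EXAMPLE-2", NOW - timedelta(days=120), None)]),
    User("carol", mfa_devices=1,
         keys=[AccessKey("AKIA-EXAMPLE-3", NOW - timedelta(days=60), NOW - timedelta(days=45))]),
]


def demo_findings():
    """Run the audit against the constructed sample at a fixed 'now'."""
    return audit(SAMPLE_USERS, now=NOW)


if __name__ == "__main__":
    for finding in demo_findings():
        print(finding)
```

Pinning `now` makes the result reproducible, which is what you want when a finding list is diffed between two runs; in a live run leave it unset so the UTC clock is used, matching the tz-aware timestamps IAM returns.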

Output

Running the audit generates an HTML report with a timestamped filename (the script also writes the findings as JSON):

  • reports/iam_audit_<YYYYMMDD>_<HHMMSS>.html
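An added example of the report-writing step, not the project's own code: it derives the timestamped filename pattern above, writes the HTML and a JSON copy side by side, and escapes every cell. The escaping is the security-relevant detail: IAM user names and key IDs are account data, and anyone who can create an IAM user can choose a name that contains markup, so a report that interpolates them raw would execute in the reviewer's browser. The findings below are constructed; `REPORT_FOLDER` is assumed to match the README's config.py.

```python
"""Added example: timestamped HTML + JSON report writer for finding dicts."""
import html
import json
from datetime import datetime
from pathlib import Path

REPORT_FOLDER = "reports"   # assumed to mirror the README's config.py default


def report_paths(folder=REPORT_FOLDER, when=None):
    """Return (html_path, json_path) for one run: reports/iam_audit_<YYYYMMDD>_<HHMMSS>.*"""
    when = when or datetime.now()
    base = Path(folder) / f"iam_audit_{when.strftime('%Y%m%d_%H%M%S')}"
    return base.with_suffix(".html"), base.with_suffix(".json")


def render_html(findings):
    """Render findings as a table; html.escape neutralises markup in user-controlled values."""
    columns = sorted({key for f in findings for key in f})
    head = "".join(f"<th>{html.escape(col)}</th>" for col in columns)
    rows = []
    for f in findings:
        cells = "".join(f"<td>{html.escape(str(f.get(col, '')))}</td>" for col in columns)
        rows.append(f"<tr>{cells}</tr>")
    return ("<!doctype html><html><head><meta charset='utf-8'><title>IAM audit</title></head>"
            f"<body><h1>IAM audit: {len(findings)} finding(s)</h1>"
            f"<table><thead><tr>{head}</tr></thead><tbody>{''.join(rows)}</tbody></table>"
            "</body></html>")


def write_report(findings, folder=REPORT_FOLDER, when=None):
    """Write both files, creating the folder if needed, and return their paths."""
    html_path, json_path = report_paths(folder, when)
    html_path.parent.mkdir(parents=True, exist_ok=True)
    html_path.write_text(render_html(findings), encoding="utf-8")
    # default=str keeps datetime values serialisable if a finding carries them.
    json_path.write_text(json.dumps(findings, indent=2, default=str), encoding="utf-8")
    return html_path, json_path


# Constructed findings; the second user name deliberately contains markup.
SAMPLE_FINDINGS = [
    {"user": "bob", "check": "no_mfa"},
    {"user": "<script>alert(1)</script>", "check": "key_never_used", "key_id": "AKIA-EXAMPLE-2"},
]


def demo(root=None):
    """Write the sample report under a temp folder at a fixed time; return paths and HTML text."""
    import tempfile
    root = Path(root) if root else Path(tempfile.mkdtemp())
    html_path, json_path = write_report(SAMPLE_FINDINGS, folder=root / REPORT_FOLDER,
                                        when=datetime(2024, 6, 1, 12, 0, 0))
    return html_path, json_path, html_path.read_text(encoding="utf-8")


if __name__ == "__main__":
    out_html, out_json, _ = demo()
    print(f"wrote {out_html} and {out_json}")
```

Sorting the column set means the table layout does not depend on dict insertion order, so two reports produced from the same findings are byte-identical apart from the timestamp in the filename.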

Requirements

  • Python 3.7+
  • AWS credentials available locally (for example via aws configure, environment variables, or a named profile)

Install

Clone and install dependencies:

git clone https://github.com/justjjosh/iam-security-audit.git
cd iam-security-audit

python3 -m venv venv
source venv/bin/activate

pip install -r requirements.txt

Run

python3 audit.py

Then open the generated report:

open reports/iam_audit_*.html

Configuration

Edit config.py to tune the audit thresholds:

  • MAX_ACCESS_KEY_AGE_DAYS (default: 90)
  • INACTIVE_KEY_DAYS (default: 30)

Reports are written to the REPORT_FOLDER directory (default: reports).

Required IAM permissions

The AWS credentials used to run the audit need, at minimum, the following IAM permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListUsers",
        "iam:ListMFADevices",
        "iam:ListAccessKeys",
        "iam:GetAccessKeyLastUsed"
      ],
      "Resource": "*"
    }
  ]
}

Contributing

Issues and pull requests are welcome. If you’re proposing a new check, including a sample finding in the PR description makes review much easier.

Author

Raji Olatubosun Joshua

About

An automated security audit tool for AWS that checks for common user credential weaknesses, such as users without MFA and unused access keys.
