Real-time security monitoring system for AWS Identity and Access Management (IAM) critical operations.
IAM Sentinel is a serverless security solution that monitors critical AWS IAM operations in real-time, triggering alerts for potential security risks through Amazon SNS. It analyzes CloudTrail logs to detect high-risk actions like privilege escalation, unauthorized access, and credential manipulation.
Why Use This?
- Real-time detection of sensitive IAM operations
- Proactive security posture management
- Compliance with AWS security best practices
- Customizable alerting for critical events
- Automated deployment with an interactive setup script
- Real-time Alerts: Instant notifications via SNS
- Event Context: Detailed descriptions of security implications
- Severity Levels: Critical/High/Medium risk classification
- Security Recommendations: Actionable mitigation steps
- Multi-Resource Monitoring: Users, Roles, Groups, Policies
- Interactive Setup: Automated provisioning via Python script
- CloudShell Support: Easy deployment via AWS CloudShell
| Event Name | Type | Description | Severity |
|---|---|---|---|
CreateUser |
User | New IAM user creation | High |
DeleteUser |
User | IAM user deletion | Critical |
UpdateAssumeRolePolicy |
Role | Modification of role trust policy | Critical |
AttachUserPolicy |
Policy | Managed policy attachment to user | High |
DeactivateMFADevice |
Security | Disabling of MFA device | Critical |
CreateAccessKey |
Credential | New access key generation | High |
PutRolePolicy |
Role | Inline policy modification for roles | High |
DeleteRole |
Role | IAM role deletion | Critical |
| View Full Event List |
- Clone Repository
git clone https://github.com/Paresh-Maheshwari/iam-sentinel.git
cd iam-sentinel- Run Interactive Setup Script
# Using local terminal
python3 setup.py
# Using AWS CloudShell for direct deployment
aws cloudshell start-session --command "python3 setup.py"Follow the on-screen prompts to configure IAM roles, SNS, Lambda, and EventBridge.
- Confirm SNS Subscription Check your email and confirm the SNS subscription to start receiving alerts.
- Environment Variables
SNS_TOPIC_ARN=arn:aws:sns:region:account-id:topic-name- EventBridge Rule
{
"source": ["aws.iam"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["iam.amazonaws.com"],
"eventName": ["CreateUser","DeleteUser","UpdateAssumeRolePolicy",...]
}
}- SNS Subscriptions
- Configure email/SMS/Slack notifications for the SNS topic
Alert Workflow Diagram
flowchart TD
A[User/Service calls IAM API] -->|CloudTrail logs| B[CloudTrail: Enabled in us-east-1]
B -->|Sends event| C[EventBridge Rule]
C -->|Triggers| D[Lambda Function]
D -->|Publishes alert| E[SNS Notification]
Sample Alert
🚨 IAM EVENT ALERT 🚨
========================================
⏰ Event Time: 2025-02-23T15:32:45Z
🌍 Region: us-east-1
🆔 Event ID: 1234-5678-9012
========================================
🔹 EVENT DETAILS
🔧 Event Name: UpdateAssumeRolePolicy
📖 Description: Role trust policy modified. High risk of cross-account abuse!
🚩 Severity: CRITICAL
📡 Event Source: iam.amazonaws.com
🔹 USER DETAILS
👤 User Name: admin-user
🆔 User ARN: arn:aws:iam::123456789012:user/admin-user
🔐 MFA Enabled: false
⚠️ Recommended Action:
- Immediately review trust policy changes
- Verify cross-account permissions
- Revert if unauthorized
- Fork the repository
- Create a feature branch (
git checkout -b feature/improvement) - Commit changes (
git commit -am 'Add new feature') - Push to branch (
git push origin feature/improvement) - Open a Pull Request
This project is licensed under the MIT License - see LICENSE file for details.
Maintained by: Paresh Maheshwari
"Stay Secure in the Cloud!" ☁️🔒