Visualize IAM credential reports for all AWS accounts using Amazon QuickSight

Created by Parag Nagwekar (AWS) and Arun Chandapillai (AWS)

Code repository: Get Organizational wide visibility of your IAM Credential Reports

Environment: Production

Technologies: Analytics; Advisory; Management & governance; Security, identity, compliance

Workload: All other workloads

AWS services: Amazon Athena; AWS CloudFormation; Amazon EventBridge; AWS Identity and Access Management; Amazon QuickSight

Summary

Warning: IAM users have long-term credentials, which presents a security risk. To help mitigate this risk, we recommend that you provide these users with only the permissions they require to perform the task and that you remove these users when they are no longer needed.

You can use AWS Identity and Access Management (IAM) credential reports to help you meet the security, auditing, and compliance requirements of your organization. Credential reports provide a list of all the users in your AWS accounts and show the status of their credentials, such as passwords, access keys, and multi-factor authentication (MFA) devices. You can use credential reports for multiple AWS accounts managed by AWS Organizations.

This pattern includes steps and code to help you create and share IAM credential reports for all the AWS accounts in your organization by using Amazon QuickSight dashboards. You can share the dashboards with stakeholders in your organization. The reports can help your organization achieve the following targeted business outcomes:

  • Identify security incidents related to IAM users

  • Track real-time migration of IAM users to single sign-on (SSO) authentication

  • Track AWS Regions accessed by IAM users

  • Stay compliant

  • Share information with other stakeholders

Prerequisites and limitations

Prerequisites

Architecture

Technology stack

  • Amazon Athena

  • Amazon EventBridge

  • Amazon QuickSight

  • Amazon Simple Storage Service (Amazon S3)

  • AWS Glue

  • AWS Identity and Access Management (IAM)

  • AWS Lambda

  • AWS Organizations

Target architecture

The following diagram shows an architecture for setting up a workflow that captures IAM credential report data from multiple AWS accounts.

[Architecture diagram]

  1. EventBridge invokes a Lambda function daily.

  2. The Lambda function assumes an IAM role in every AWS account across the organization. Then, the function generates the IAM credential report for that account and stores the report data in a centralized S3 bucket. You must enable encryption and block public access on the S3 bucket.

  3. An AWS Glue crawler crawls the S3 bucket daily and updates the Athena table accordingly.

  4. QuickSight imports and analyzes the data from the credential report and builds a dashboard that can be visualized by and shared with stakeholders.
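The following Python is an added example of step 2 of the workflow; it is not the Lambda code shipped in the getiamcredsreport-allaccounts-org repository. It assumes a role named by the ROLE_NAME environment variable exists in every member account and trusts the function's execution role, that S3_BUCKET names the central bucket, and that reports are stored under <account-id>/<YYYY-MM-DD>/credential-report.csv so that a crawler derives the account and date partitions. The helpers that carry the logic are kept free of boto3 so they can be exercised offline; only the handler imports the SDK.

```python
"""Collect the IAM credential report from every account in an organization.

Added example, not the Lambda code shipped with this pattern. Assumptions:
  * a role named ROLE_NAME exists in each member account and trusts this
    function's execution role (the trust policy described in this pattern);
  * S3_BUCKET and ROLE_NAME are set as environment variables on the function;
  * objects are written as <account-id>/<YYYY-MM-DD>/credential-report.csv so
    that a crawler derives partition_0 (account) and partition_1 (date).
The helpers below are kept free of boto3 so they can be tested offline;
boto3 is imported only inside the handler.
"""
import datetime as dt
import os
import time

ROLE_NAME = os.environ.get("ROLE_NAME", "CredReportReaderRole")  # assumed name
S3_BUCKET = os.environ.get("S3_BUCKET", "example-credreport-bucket")  # placeholder
MAX_ATTEMPTS = 10  # GenerateCredentialReport polls before giving up


def report_object_key(account_id: str, day: dt.date) -> str:
    """Build the S3 key for one account's daily report."""
    if not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError(f"not a 12-digit AWS account id: {account_id!r}")
    return f"{account_id}/{day.isoformat()}/credential-report.csv"


def active_account_ids(pages) -> list:
    """Pick ACTIVE accounts out of Organizations ListAccounts pages.
    Suspended or closed accounts cannot be assumed into; skipping them
    avoids a guaranteed AccessDenied error per account on every run."""
    return [acct["Id"]
            for page in pages
            for acct in page.get("Accounts", [])
            if acct.get("Status") == "ACTIVE"]


def fetch_credential_report(iam, sleep=time.sleep) -> bytes:
    """GenerateCredentialReport is asynchronous: keep calling it until the
    state is COMPLETE, then download the CSV with GetCredentialReport."""
    for _ in range(MAX_ATTEMPTS):
        if iam.generate_credential_report()["State"] == "COMPLETE":
            return iam.get_credential_report()["Content"]
        sleep(2)
    raise TimeoutError("credential report did not reach COMPLETE state")


def assumed_iam_client(session, account_id: str):
    """Return an IAM client that acts inside the member account via STS."""
    creds = session.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{account_id}:role/{ROLE_NAME}",
        RoleSessionName="credential-report-collector",
        DurationSeconds=900,  # the shortest session that does the job
    )["Credentials"]
    return session.client(
        "iam",
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )


def handler(event, context):
    """Lambda entry point, invoked daily by the EventBridge rule."""
    import boto3  # imported lazily so the helpers above stay SDK-free
    session = boto3.Session()
    org = session.client("organizations")
    s3 = session.client("s3")
    today = dt.date.today()
    results = {}
    for account in active_account_ids(org.get_paginator("list_accounts").paginate()):
        try:
            body = fetch_credential_report(assumed_iam_client(session, account))
            s3.put_object(Bucket=S3_BUCKET, Key=report_object_key(account, today),
                          Body=body, ServerSideEncryption="AES256")
            results[account] = "ok"
        except Exception as exc:  # one failing account must not abort the sweep
            results[account] = f"error: {type(exc).__name__}"
    return results
```

The per-account try/except matters operationally: a single account whose role is missing or mis-trusted would otherwise stop the daily sweep for the whole organization, and the returned map gives the EventBridge/CloudWatch side something to alert on.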

Tools

AWS services

  • Amazon Athena is an interactive query service that makes it easy to analyze data in Amazon S3 by using standard SQL.

  • Amazon EventBridge is a serverless event bus service that helps you connect your applications with real-time data from a variety of sources, such as Lambda functions, HTTP invocation endpoints using API destinations, or event buses in other AWS accounts.

  • Amazon QuickSight is a cloud-scale business intelligence (BI) service that helps you visualize, analyze, and report your data in a single dashboard.

  • AWS Identity and Access Management (IAM) helps you securely manage access to your AWS resources by controlling who is authenticated and authorized to use them.

  • AWS Lambda is a compute service that helps you run code without needing to provision or manage servers. It runs your code only when needed and scales automatically, so you pay only for the compute time that you use.

Code

The code for this pattern is available in the GitHub getiamcredsreport-allaccounts-org repository. You can use the code from this repository to create IAM credential reports across AWS accounts in Organizations and store them in a central location.

Epics

Task | Description | Skills required

Set up Amazon QuickSight Enterprise edition.

  1. Activate the Amazon QuickSight Enterprise edition in your AWS account. For more information, see Managing user access inside Amazon QuickSight in the QuickSight documentation.

  2. To grant dashboard permissions, get the Amazon Resource Name (ARN) of the QuickSight users.

AWS administrator, AWS DevOps, Cloud administrator, Cloud architect

Integrate Amazon QuickSight with Amazon S3 and Athena.

You must authorize QuickSight to use Amazon S3 and Athena before you deploy the AWS CloudFormation stack.

AWS administrator, AWS DevOps, Cloud administrator, Cloud architect
Task | Description | Skills required

Clone the GitHub repository.

  1. Clone the GitHub getiamcredsreport-allaccounts-org repository to your local machine by running the following command: git clone https://github.com/aws-samples/getiamcredsreport-allaccounts-org

AWS administrator

Deploy the infrastructure.

  1. Sign in to the AWS Management Console and open the CloudFormation console.

  2. In the navigation pane, choose Create stack, and then choose With new resources (standard).

  3. On the Identify resources page, choose Next.

  4. On the Specify template page, for Template source, select Upload a template file.

  5. Choose Choose file, select the Cloudformation-createcredrepo.yaml file from your cloned GitHub repository, and then choose Next.

  6. In Parameters, update IAMRoleName with your IAM role. This should be the IAM role that you want Lambda to assume in every account of the organization. This role creates the credential report. Note: The role doesn't have to be present in all accounts at this step of stack creation.

  7. In Parameters, update S3BucketName with the name of the S3 bucket where Lambda can store the credential reports for all accounts.

  8. For Stack name, enter your stack name.

  9. Choose Submit.

  10. Note the Lambda function's role name.

AWS administrator

Create an IAM permission policy.

Create an IAM policy for every AWS account across your organization with the following permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:GenerateCredentialReport",
        "iam:GetCredentialReport"
      ],
      "Resource": "*"
    }
  ]
}

AWS DevOps, Cloud administrator, Cloud architect, Data engineer

Create an IAM role with a trust policy.

  1. Create an IAM role for the AWS accounts and attach the permission policy that you created in the previous step.

  2. Attach the following trust policy to the IAM role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<MasterAccountID>:role/<LambdaRole>"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Important: Replace arn:aws:iam::<MasterAccountID>:role/<LambdaRole> with the ARN of the Lambda role that you noted previously.

Note: Organizations typically use automation to create IAM roles for their AWS accounts. We recommend that you use this automation, if available. Alternatively, you can use the CreateRoleforOrg.py script from the code repository. The script requires an existing administrative role or any other IAM role that has permission to create an IAM policy and role in every AWS account.

Cloud administrator, Cloud architect, AWS administrator
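The two policies above are small, but they are created in every account of the organization, so a copy-paste mistake (an extra IAM action, a `:root` principal instead of the Lambda role, a wildcard) is replicated everywhere. The following Python is an added example, not code from the pattern's repository: it builds both policies from a management account ID and Lambda role name, and lints any pair of policies for exactly those widenings before they are rolled out. The account IDs and role names in it are placeholders.

```python
"""Generate and lint the member-account policies this pattern needs.

Added example, not code from the pattern's repository. build_* produce the
permission policy and trust policy described in the pattern; lint_policies
reports the common ways they get widened: IAM actions beyond the two report
calls, account-wide or wildcard principals, non-AWS principal types, and
trust for anything other than sts:AssumeRole. Ids and names are placeholders.
"""
import re

REPORT_ACTIONS = {"iam:GenerateCredentialReport", "iam:GetCredentialReport"}
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def _as_list(value):
    """IAM allows a string or a list in Action/Principal fields."""
    return value if isinstance(value, list) else [value]


def build_permission_policy() -> dict:
    """Exactly the two read actions the collector needs; nothing else."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": sorted(REPORT_ACTIONS),
                           "Resource": "*"}]}


def build_trust_policy(management_account_id: str, lambda_role_name: str) -> dict:
    """Trust only the collector's execution role in the management account."""
    if not re.fullmatch(r"\d{12}", management_account_id):
        raise ValueError("management account id must be 12 digits")
    arn = f"arn:aws:iam::{management_account_id}:role/{lambda_role_name}"
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"AWS": [arn]},
                           "Action": "sts:AssumeRole"}]}


def lint_policies(permission_policy: dict, trust_policy: dict,
                  expected_principal: str) -> list:
    """Return human-readable problems; an empty list means the pair is as
    tight as the pattern describes."""
    issues = []
    for st in permission_policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        extra = set(_as_list(st.get("Action", []))) - REPORT_ACTIONS
        if extra:
            issues.append(f"permission policy grants beyond report access: {sorted(extra)}")
    for st in trust_policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        if principal == "*":
            issues.append("trust policy allows any principal")
            continue
        if not isinstance(principal, dict):
            issues.append(f"unexpected principal form: {principal!r}")
            continue
        for key in principal:
            if key != "AWS":  # Service/Federated principals have no place here
                issues.append(f"trust policy trusts {key} principals")
        for p in _as_list(principal.get("AWS", [])):
            if p == "*":
                issues.append("trust policy allows any AWS principal")
            elif p != expected_principal:
                # a bare account id or ":root" trusts every principal in that account
                kind = "account-wide" if (p.endswith(":root") or not ROLE_ARN_RE.match(p)) \
                    else "unexpected role"
                issues.append(f"trust policy has {kind} principal {p}")
        extra = set(_as_list(st.get("Action", []))) - {"sts:AssumeRole"}
        if extra:
            issues.append(f"trust policy allows actions beyond sts:AssumeRole: {sorted(extra)}")
    return issues
```

Run the linter against the policies as they are about to be deployed (for example, inside whatever automation creates the role in each account) and treat a non-empty list as a deployment failure.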

Configure Amazon QuickSight to visualize the data.

  1. Sign in to QuickSight with your credentials.

  2. Create a dataset by using Athena (using the iamcredreportdb database and the cfn_iamcredreport table), and then set the dataset to refresh automatically.

  3. Create an analysis in QuickSight.

  4. Create a QuickSight dashboard.

AWS DevOps, Cloud administrator, Cloud architect, Data engineer

Additional information

Additional considerations

Consider the following:

  • After you use CloudFormation to deploy the infrastructure, the reports are created in Amazon S3 and become queryable in Athena only after the Lambda function and the AWS Glue crawler have run on their schedules. Alternatively, you can run the Lambda function manually to create the reports in Amazon S3, and then run the AWS Glue crawler to create the Athena table from that data.

  • QuickSight is a powerful tool for analyzing and visualizing data based on your business requirements. You can use parameters in QuickSight to control widget data based on the data fields that you choose. For example, in a QuickSight analysis you can create parameters from dataset fields such as partition_0 (account), partition_1 (date), and user, and then add controls for those parameters to filter the dashboard by account, date, and user.

  • To build your own QuickSight dashboards, see QuickSight Workshops from the AWS Workshop Studio website.

  • To see sample QuickSight dashboards, see the GitHub getiamcredsreport-allaccounts-org code repository.

Targeted business outcomes

You can use this pattern to achieve the following targeted business outcomes:

  • Identify security incidents related to IAM users – Investigate every user across every AWS account in your organization from a single pane of glass. You can track which AWS Regions and services each IAM user most recently accessed and how that changes over time.

  • Track real-time migration of IAM users to SSO authentication – By using SSO, users can sign in once with a single credential and access multiple AWS accounts and applications. If you’re planning to migrate your IAM users to SSO, this pattern can help you transition to SSO and track all IAM user credential usage (such as access to the AWS Management Console or usage of access keys) across all AWS accounts.

  • Track AWS Regions accessed by IAM users – You can control IAM user access to Regions for various purposes, such as data sovereignty and cost control. You can also track use of Regions by any IAM user.

  • Stay compliant – By following the principle of least privilege, you can grant only the specific IAM permissions that are required to perform a specific task. Also, you can track access to AWS services, the AWS Management Console, and the usage of long-term credentials.

  • Share information with other stakeholders – You can share curated dashboards with other stakeholders, without granting them access to IAM credential reports or AWS accounts.
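The outcomes above all depend on reading the credential report columns correctly: the report marks missing timestamps with sentinel strings rather than leaving fields empty, and the root user's password fields read not_supported rather than true or false. The following Python is an added example, not code from the pattern or its repository. It parses one account's report into the findings a security team usually wants first (no MFA, stale or unused access keys, active keys on root) and collects the last-used Region per user, which is the data behind the Region-tracking outcome. The column names are those of the IAM credential report; the thresholds and the sample rows are constructed for the example.

```python
"""Turn one account's credential report CSV into security findings.

Added example, not code from this pattern or its repository. Column names
are those of the IAM credential report; KEY_MAX_AGE_DAYS, KEY_UNUSED_DAYS
and the SAMPLE_* values are assumptions constructed for the example.
"""
import csv
import datetime as dt
import io

NO_VALUE = {"N/A", "no_information", "not_supported", ""}  # report sentinels
KEY_MAX_AGE_DAYS = 90   # assumed rotation policy
KEY_UNUSED_DAYS = 90    # assumed "stale key" threshold
ROOT = "<root_account>"

# Constructed sample report for a fictitious account (not real data).
SAMPLE_ACCOUNT = "111111111111"
SAMPLE_AS_OF = dt.datetime(2024, 3, 1, tzinfo=dt.timezone.utc)
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111111111111:root,2020-01-01T00:00:00+00:00,not_supported,2024-02-28T09:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111111111111:user/alice,2022-05-10T00:00:00+00:00,true,2024-02-27T12:00:00+00:00,2023-12-01T00:00:00+00:00,N/A,false,true,2023-08-01T00:00:00+00:00,2024-02-20T15:30:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111111111111:user/bob,2023-11-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-02-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def parse_time(value: str):
    """Report timestamps are ISO 8601; sentinel strings mean 'no timestamp'."""
    if value in NO_VALUE:
        return None
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))


def days_since(value: str, as_of: dt.datetime):
    ts = parse_time(value)
    return None if ts is None else (as_of - ts).days


def analyze_report(csv_text: str, account_id: str, as_of: dt.datetime):
    """Return (findings, regions). findings is a list of dicts; regions maps
    each user to the set of Regions in which their keys were last used."""
    findings, regions = [], {}

    def flag(user, code, detail):
        findings.append({"account": account_id, "user": user,
                         "finding": code, "detail": detail})

    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        if user == ROOT and row["mfa_active"] != "true":
            flag(user, "ROOT_NO_MFA", "root user has no MFA device")
        # root's password_enabled is 'not_supported', so test real users only
        if user != ROOT and row["password_enabled"] == "true" and row["mfa_active"] != "true":
            flag(user, "CONSOLE_NO_MFA", "console password without MFA")
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if user == ROOT:
                flag(user, "ROOT_ACCESS_KEY", f"active access key {n} on root")
            age = days_since(row[f"access_key_{n}_last_rotated"], as_of)
            if age is not None and age > KEY_MAX_AGE_DAYS:
                flag(user, "KEY_NOT_ROTATED", f"key {n} is {age} days old")
            idle = days_since(row[f"access_key_{n}_last_used_date"], as_of)
            if idle is None or idle > KEY_UNUSED_DAYS:
                flag(user, "KEY_UNUSED",
                     f"key {n} never used" if idle is None else f"key {n} unused for {idle} days")
            region = row[f"access_key_{n}_last_used_region"]
            if region not in NO_VALUE:
                regions.setdefault(user, set()).add(region)
    return findings, regions


if __name__ == "__main__":
    for f in analyze_report(SAMPLE_REPORT, SAMPLE_ACCOUNT, SAMPLE_AS_OF)[0]:
        print(f"{f['account']} {f['user']:<16} {f['finding']:<16} {f['detail']}")
```

Passing `as_of` explicitly rather than reading the clock keeps the findings reproducible for a given report, which is what you want when the same CSV is re-analyzed during an investigation or an audit.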