What Is IAM Monitoring?
IAM (Identity and Access Management) monitoring is the practice of continuously observing the activities, permissions, and authentication patterns within your cloud or on‑premises identity fabric. In AWS, this translates to tracking API calls that modify users, roles, policies, and access keys, as well as monitoring authentication events and privilege escalations. Monitoring IAM means collecting, visualizing, and alerting on metrics derived from IAM‑related log data — primarily AWS CloudTrail logs and CloudWatch metrics — so that you know exactly who did what, when, and under what circumstances.
Why Monitoring IAM Matters
IAM is the security foundation of any cloud workload. A single overly permissive policy, an inactive access key left behind, or an anomalous burst of failed authentication attempts can expose your entire environment. Monitoring IAM gives you:
- Early threat detection — catch privilege escalation, credential misuse, or unauthorized changes before they become breaches.
- Compliance and auditing — prove that access reviews are happening and that policy changes are tracked (e.g., for PCI DSS, HIPAA, SOC 2).
- Operational insight — understand API error rates, root user activity, and the velocity of permission changes in your organization.
- Cost and hygiene optimization — identify unused roles, inactive users, or stale access keys that could be removed.
Without monitoring, IAM becomes a silent threat vector that you only discover after an incident.
Core IAM Metrics and Data Sources
AWS provides several native metrics and log sources that you should integrate into your monitoring stack. The primary sources are CloudTrail logs and CloudWatch metrics published by AWS services. You can also create custom metrics from log data using metric filters.
CloudTrail Events
Every IAM‑related API call (e.g., CreateUser, PutRolePolicy, DeleteAccessKey) is captured in CloudTrail. By creating metric filters on the associated log group, you transform raw events into countable metrics like “Number of DeleteRole calls in 5 minutes”. CloudTrail also captures authentication events (ConsoleLogin, AssumeRole) and errors.
Built‑in CloudWatch Metrics for IAM
AWS publishes a set of free, built‑in metrics under the AWS/IAM namespace that require no log filtering:
- RootCredentialUsage — 1 if root credentials are used, 0 otherwise (sampled daily).
- PolicyChanges — sum of all IAM policy‑altering API calls (e.g.,
PutRolePolicy,CreatePolicy) in a period. - UserAccessKeyUsage — sum of access key usage events (e.g.,
CreateAccessKey,UpdateAccessKey). - RoleUsage — sum of
AssumeRolecalls.
These built‑in metrics are immediately available and don't require log groups, making them perfect as a first‑line dashboard and alarm source.
IAM Access Analyzer Findings
IAM Access Analyzer generates findings when a resource policy grants public or cross‑account access that wasn't intended. While findings are not traditional time‑series metrics, you can monitor them via AWS Config rules and CloudWatch Events, or by polling the API and pushing custom metrics to CloudWatch.
Creating Alarms for IAM Anomalies
Alarms translate metrics into actionable notifications. The general workflow is: define a metric (built‑in or from a metric filter), create a CloudWatch alarm on that metric, and trigger an SNS topic for email, Slack, or pager notifications. Below are practical examples using the AWS CLI.
Example 1: Alarm on Root User Activity
Root account usage should be rare and tightly controlled. This alarm fires immediately whenever root credentials are used.
aws cloudwatch put-metric-alarm \
--alarm-name RootCredentialUsageAlarm \
--alarm-description "Alert whenever root credentials are used" \
--namespace AWS/IAM \
--metric-name RootCredentialUsage \
--statistic Sum \
--period 86400 \
--evaluation-periods 1 \
--threshold 1 \
--comparison-operator GreaterThanOrEqualToThreshold \
--alarm-actions arn:aws:sns:us-east-1:123456789012:iam-alerts \
--treat-missing-data notBreaching
Note the --period 86400 (24 hours) and --evaluation-periods 1 so that a single daily sample triggers the alarm.
Example 2: Alarm on IAM Policy Changes
This alarm uses the built‑in PolicyChanges metric to alert on any spike in policy modifications, which could indicate an attacker altering permissions.
aws cloudwatch put-metric-alarm \
--alarm-name HighPolicyChanges \
--alarm-description "Alert when IAM policy changes exceed 5 in a 1-hour window" \
--namespace AWS/IAM \
--metric-name PolicyChanges \
--statistic Sum \
--period 3600 \
--evaluation-periods 1 \
--threshold 5 \
--comparison-operator GreaterThanThreshold \
--alarm-actions arn:aws:sns:us-east-1:123456789012:iam-alerts
Example 3: Alarm on Suspicious API Calls via Metric Filter
For events not covered by built‑in metrics — like DeleteRole or PutUserPolicy on privileged users — you create a metric filter on the CloudTrail log group and then an alarm. First, create the metric filter:
aws logs put-metric-filter \
--log-group-name MyCloudTrailLogGroup \
--filter-name DeleteRoleFilter \
--filter-pattern '{ $.eventName = "DeleteRole" }' \
--metric-transformations \
metricName=DeleteRoleCount,metricNamespace=IAMCustom,metricValue=1,unit=Count
Then create the alarm on the custom metric:
aws cloudwatch put-metric-alarm \
--alarm-name DeleteRoleAlarm \
--metric-name DeleteRoleCount \
--namespace IAMCustom \
--statistic Sum \
--period 300 \
--evaluation-periods 1 \
--threshold 1 \
--comparison-operator GreaterThanOrEqualToThreshold \
--alarm-actions arn:aws:sns:us-east-1:123456789012:iam-alerts
Building Dashboards for IAM
A CloudWatch dashboard consolidates metrics, alarms, and log queries into a single operational pane. You define the dashboard as a JSON body with widgets. Below is a complete dashboard example that includes:
- A time‑series widget for built‑in
PolicyChanges - A single‑value widget showing the latest root credential usage
- An alarm status widget for the root usage alarm
- A log query widget that shows recent
DeleteRoleevents from CloudTrail
{
"widgets": [
{
"type": "metric",
"x": 0,
"y": 0,
"width": 12,
"height": 6,
"properties": {
"view": "timeSeries",
"stacked": false,
"metrics": [
[ "AWS/IAM", "PolicyChanges", { "stat": "Sum" } ]
],
"region": "us-east-1",
"title": "IAM Policy Changes (1h)",
"period": 3600
}
},
{
"type": "metric",
"x": 12,
"y": 0,
"width": 6,
"height": 6,
"properties": {
"view": "singleValue",
"metrics": [
[ "AWS/IAM", "RootCredentialUsage", { "stat": "Sum", "period": 86400 } ]
],
"region": "us-east-1",
"title": "Root Usage Today",
"period": 86400
}
},
{
"type": "alarm",
"x": 18,
"y": 0,
"width": 6,
"height": 3,
"properties": {
"title": "Alarm Status: Root Usage",
"alarms": [
"arn:aws:cloudwatch:us-east-1:123456789012:alarm:RootCredentialUsageAlarm"
]
}
},
{
"type": "log",
"x": 0,
"y": 6,
"width": 24,
"height": 6,
"properties": {
"query": "fields @timestamp, userIdentity.userName, requestParameters.roleName, sourceIPAddress | filter eventName = 'DeleteRole' | sort @timestamp desc | limit 20",
"region": "us-east-1",
"title": "Recent DeleteRole Events (CloudTrail)",
"view": "table"
}
}
]
}
To create the dashboard via CLI:
aws cloudwatch put-dashboard \
--dashboard-name IAM-Monitoring \
--dashboard-body file://iam-dashboard.json
Widget Types for IAM
- metric — time‑series or single‑value charts for built‑in or custom IAM metrics.
- alarm — shows the current status (OK/ALARM) of your IAM alarms.
- log — runs CloudWatch Logs Insights queries to surface recent IAM API events.
- text — markdown widget for static links, runbooks, or contact information.
Automating IAM Monitoring with Infrastructure as Code
You can embed the entire monitoring setup — metric filters, alarms, and dashboards — into CloudFormation or Terraform. Below is a CloudFormation snippet that creates a metric filter, alarm, and SNS topic for DeleteRole events.
Resources:
IAMAlarmTopic:
Type: AWS::SNS::Topic
Properties:
TopicName: iam-alerts
DeleteRoleMetricFilter:
Type: AWS::Logs::MetricFilter
Properties:
LogGroupName: !Ref MyCloudTrailLogGroup
FilterPattern: '{ $.eventName = "DeleteRole" }'
MetricTransformations:
- MetricName: DeleteRoleCount
MetricNamespace: IAMCustom
MetricValue: "1"
DeleteRoleAlarm:
Type: AWS::CloudWatch::Alarm
Properties:
AlarmName: DeleteRoleAlarm
Namespace: IAMCustom
MetricName: DeleteRoleCount
Statistic: Sum
Period: 300
EvaluationPeriods: 1
Threshold: 1
ComparisonOperator: GreaterThanOrEqualToThreshold
AlarmActions:
- !Ref IAMAlarmTopic
Best Practices
- Start with built‑in metrics — they require zero configuration and cover the most critical signals (root usage, policy changes).
- Supplement with custom metric filters for high‑risk APIs:
DeleteRole,PutUserPolicy,CreateAccessKey,UpdateAssumeRolePolicy. - Set alarms with appropriate periods — root usage can be checked daily, while policy changes should be evaluated every hour or even every 5 minutes in sensitive environments.
- Use composite alarms to reduce noise. For example, combine a high rate of
DeleteRolecalls with a spike inAssumeRolefailures before paging. - Integrate IAM Access Analyzer findings into the dashboard or alarm stream to catch unintended public access.
- Automate with IaC — deploy metrics and alarms alongside the log groups and IAM resources they monitor.
- Regularly review and test your alarms. Simulate a benign IAM change (e.g., creating a temporary role) to confirm notifications arrive.
- Correlate with AWS Config rules — use Config to detect policy compliance drift and combine with CloudWatch to track the timeline of changes.
Conclusion
Monitoring IAM is not optional — it's the first line of defense against identity‑based attacks and the backbone of audit readiness. By combining built‑in CloudWatch metrics, custom metric filters on CloudTrail logs, and well‑tuned alarms, you transform raw API activity into a clear, actionable signal. Dashboards tie it all together, giving security and operations teams a single pane of glass over IAM health. Start with root credential and policy change alerts, then expand to cover your critical IAM operations. Instrument your setup with Infrastructure as Code so that monitoring is deployed consistently across environments. With these practices, you'll know the instant your identity boundary is challenged — and be ready to respond.