IAM Activity Tracker

A comprehensive serverless AWS solution for tracking and auditing IAM, STS, and AWS Console signin activities across all regions. Features real-time collection via free CloudTrail event history, advanced analytics with S3 + Athena, and automated security alerting. Built with AWS SAM, Lambda, DynamoDB, and optional Parquet analytics.

Overview

IAM Activity Tracker provides comprehensive monitoring of authentication and authorization activities across your AWS account, helping you:

Track who created, modified, or deleted IAM resources
Monitor role assumptions and credential usage
Detect suspicious authentication patterns and failed login attempts
Monitor AWS Console login activity including root account usage
Build compliance reports and audit trails
Maintain event data beyond CloudTrail's 90-day limit
Real-time security alerts for suspicious activities

Features

Event Collection

Multi-Region Support: Automatically tracks IAM events (us-east-1), STS events (all regions), Console signin events (global), and SSO/Identity Center events
Complete Coverage: Monitors IAM, STS, signin.amazonaws.com, and sso.amazonaws.com event sources
SSO Tracking: Full support for AWS SSO/Identity Center administrative events (permission sets, account assignments, policy attachments)
Incremental Processing: Only processes new events since last run with checkpoint management
Initial Collection: First run collects up to 90 days of historical events from CloudTrail
Parallel Processing: Uses multi-threading for fast regional queries (up to 32 concurrent threads)
Real-time Storage: DynamoDB with GSI for immediate user and action queries
Smart Filtering: Automatically filters out AWS service-linked role noise while preserving security-relevant events
Serverless: No infrastructure to manage, fully event-driven architecture
Security Alerts: Real-time SNS notifications for root usage, failed auth, privilege escalation, SSO admin actions, and more

Analytics & Reporting

S3 Data Lake: Optional daily export to S3 in optimized Parquet format
Athena Integration: Query years of data with standard SQL
Pre-built Queries: 15 ready-to-use security and compliance queries (including 6 SSO-specific queries)
Dual Output Format: All queries support both table format (curated fields, no truncation) and JSON format (complete data)
Cost Optimization: S3 lifecycle policies automatically archive old data
Query Tools: Python CLI for running analytics programmatically with flexible output options

Operational

Cost-Effective: Operates within AWS free tier for most organizations
Customizable Schedule: Configurable collection and export frequencies
Comprehensive Monitoring: CloudWatch alarms for all functions
Easy Deployment: Single-command SAM deployment

Architecture

Complete System Overview

┌─────────────────┐     ┌──────────────────┐     ┌─────────────────┐
│   EventBridge   │────▶│ Tracker Lambda   │────▶│    DynamoDB     │
│   (Hourly)      │     │(Multi-threaded)  │     │    (Events)     │
└─────────────────┘     └──────────────────┘     └─────────────────┘
                               │                           │
                               ▼                           ▼
                        ┌──────────────────┐     ┌─────────────────┐
                        │ CloudTrail Event │     │Security Alerts  │
                        │   History API    │     │     (SNS)       │
                        │ (Free 90 days)   │     └─────────────────┘
                        └──────────────────┘               │
                                                           ▼
┌─────────────────┐     ┌──────────────────┐     ┌─────────────────┐
│   EventBridge   │────▶│ Export Lambda    │     │   DynamoDB      │
│    (Daily)      │     │  (Parquet)       │     │   (Control)     │
└─────────────────┘     └──────────────────┘     └─────────────────┘
                               │
                               ▼
                        ┌──────────────────┐     ┌─────────────────┐
                        │   S3 Bucket      │────▶│ Athena + Glue   │
                        │ (Data Lake)      │     │  (Analytics)    │
                        └──────────────────┘     └─────────────────┘
                               │                           │
                               ▼                           ▼
                        ┌──────────────────┐     ┌─────────────────┐
                        │ Lifecycle Rules  │     │  Query Tools    │
                        │(CostOptimization)│     │   (Python)      │
                        └──────────────────┘     └─────────────────┘

Data Flow

Collection: Tracker Lambda queries CloudTrail every hour across all regions
Storage: Events stored in DynamoDB for real-time queries
Export: Export Lambda converts daily data to Parquet format in S3
Analytics: Glue crawlers discover partitions, Athena enables SQL queries
Optimization: S3 lifecycle rules archive old data to reduce costs

Prerequisites

AWS Account with appropriate permissions
AWS CLI installed and configured
SAM CLI installed (Installation Guide)
Python 3.13 runtime support in your AWS region
AWS SDK Pandas Layer for Python 3.13 (automatically configured in template)

Required IAM Permissions

To deploy and operate the IAM Activity Tracker, your AWS user/role needs the following permissions:

CloudFormation: Full access to create, update, and delete stacks
Lambda: Create, update functions and execution roles
DynamoDB: Create tables, indexes, and manage data
S3: Create buckets and manage objects (if analytics enabled)
EventBridge: Create and manage rules
CloudWatch: Create log groups and alarms
IAM: Create and manage service roles and policies
Glue: Create databases, tables, and crawlers (if analytics enabled)

For deployment, you can use the AWS managed policy PowerUserAccess or create a custom policy with these specific permissions.

Quick Start

1. Clone the Repository

git clone https://github.com/TocConsulting/iam-activity-tracker
cd iam-activity-tracker

2. Deploy the Solution

make deploy

The deployment will:

Build the Lambda function
Create an S3 bucket for deployment artifacts (if needed)
Deploy the CloudFormation stack
Set up all required resources
Automatically offer to initialize the system (recommended)

Immediate Initialization After deployment, the system will ask if you want to initialize immediately. This will:

Collect up to 90 days of historical CloudTrail events (1-5 minutes)
Export data to S3 in Parquet format (if analytics enabled)
Set up Athena tables automatically
Run Glue crawler to discover partitions

Without initialization, you would need to wait 25+ hours before analytics are ready!

3. View Available Commands

make help

This shows all available commands including deployment, queries, and utilities.

Deployment Options

Standard Deployment (Recommended)

export AWS_REGION=us-east-1
export AWS_PROFILE=production
make deploy
# Choose 'Y' when prompted for initialization

This provides the best user experience with immediate access to analytics.

Deploy Without Initialization

make deploy
# Choose 'n' when prompted for initialization

Use this if you want to wait for scheduled collection (1 hour + 24 hours).

Initialize Later

make init

Run this anytime after deployment to collect historical data and set up analytics.

AWS Service Event Filtering

By default, the tracker filters out AWS service-linked role events to reduce noise and focus on security-relevant activities.

What Gets Filtered?

Events are filtered based on CloudTrail's userIdentity.type field:

{
  "userIdentity": {
    "type": "AWSService",
    "invokedBy": "elasticloadbalancing.amazonaws.com"
  }
}

Why Filter AWS Service Events?

AWS services generate thousands of routine operational events that create noise in security monitoring:

Volume: Can be 80-90% of total IAM/STS events
Operational: Not indicative of user or application security activities
Cost: Increases DynamoDB storage and processing costs
Alert fatigue: Makes it harder to spot actual security incidents

Role Filtering for CSPM and Security Tools

The tracker supports filtering out specific roles that generate excessive noise, particularly useful for Cloud Security Posture Management (CSPM) tools and security scanners.

Common Use Cases

Filter out roles used by:

CSPM Tools: PrismaCloud, Wiz, Orca, Dome9, CloudHealth
Security Scanners: Qualys, Rapid7, Tenable
Compliance Tools: AWS Config rules, custom compliance checkers
Monitoring Tools: DataDog, New Relic, Splunk collectors

Configuration

Set the FilteredRoles parameter during deployment or update:

# During deployment
sam deploy --parameter-overrides FilteredRoles="PrismaCloudRole,WizSecurityRole,*Scanner*"

# Or export before deployment
export FILTERED_ROLES="PrismaCloud*,Wiz*,OrcaSecurityRole,*CSPM*"
make deploy

Filter Pattern Syntax

The filter supports multiple pattern types:

Exact role names: SecurityAuditRole
Wildcards: *SecurityScanner*, CSPM-*, *-audit-role
Full ARNs: arn:aws:iam::123456789012:role/PrismaCloudRole
Multiple patterns: Comma-separated list

What Gets Filtered?

When a role matches your filter patterns:

AssumeRole events for that role are not stored
All subsequent actions by that assumed role session are filtered
Events are counted but not stored in DynamoDB
Filter metrics are included in Lambda execution logs

Example Configurations

# Filter common CSPM tools
FilteredRoles="PrismaCloud*,WizSecurityRole,OrcaSecurityRole,Dome9-Connect"

# Filter by pattern
FilteredRoles="*SecurityScanner*,*CSPM*,*Compliance*"

# Filter specific ARNs
FilteredRoles="arn:aws:iam::123456789012:role/SecurityAudit,arn:aws:iam::123456789012:role/CloudHealth"

# Mixed patterns
FilteredRoles="PrismaCloud*,*Scanner*,arn:aws:iam::123456789012:role/SpecificRole"

Monitoring Filtered Events

The Lambda response includes filtering statistics:

{
  "total_events_processed": 1500,
  "total_events_filtered": 8500,  // Events filtered out
  "execution_time_seconds": 45.2
}

This helps you understand the impact of filtering and validate your patterns are working correctly.

Configuration Options

Environment Variables

Core Configuration

Variable	Default	Description
`STACK_NAME`	iam-activity-tracker	CloudFormation stack name
`AWS_REGION`	us-east-1	Deployment region
`LOG_LEVEL`	INFO	Logging verbosity (DEBUG/INFO/WARNING/ERROR)

Collection Settings

Variable	Default	Description
`SCHEDULE_EXPRESSION`	rate(1 hour)	How often to collect events
`MAX_WORKERS`	16	Max concurrent threads for region processing
`PROCESS_IAM_EVENTS`	true	Track IAM events (us-east-1)
`PROCESS_STS_EVENTS`	true	Track STS events (all regions)
`PROCESS_SIGNIN_EVENTS`	true	Track AWS Console signin events (us-east-1)
`PROCESS_SSO_EVENTS`	true	Track AWS SSO/Identity Center events
`SSO_REGION`	us-east-1	Primary region for SSO events
`FILTER_AWS_SERVICE_EVENTS`	true	Filter out AWS service-linked role events
`FILTERED_ROLES`	''	Comma-separated list of role names/patterns to filter (e.g., `PrismaCloud,WizRole,SecurityScanner`). Supports wildcards ()

Analytics Configuration

Variable	Default	Description
`ENABLE_ANALYTICS`	true	Enable S3 export and Athena integration
`EXPORT_SCHEDULE_EXPRESSION`	rate(1 day)	How often to export to S3
`EXPORT_DAYS_BACK`	1	Number of days to export per run

Security Alerting Configuration

Variable	Default	Description
`ENABLE_SECURITY_ALERTS`	true	Enable security alerts via SNS
`ALERTS_EMAIL_ADDRESS`	''	Email address for security alerts (set during deployment or leave empty to skip)
`OFF_HOURS_START`	22	Start hour for off-hours alerts (24-hour format)
`OFF_HOURS_END`	6	End hour for off-hours alerts (24-hour format)

Schedule Options

Collection Frequency

rate(1 hour) - Every hour (recommended for active environments)
rate(6 hours) - Every 6 hours (cost-conscious option)
rate(12 hours) - Twice daily (minimal active monitoring)
rate(1 day) - Once daily (archive-focused)

Export Frequency

rate(6 hours) - Every 6 hours (near real-time analytics)
rate(12 hours) - Twice daily
rate(1 day) - Daily (recommended for most use cases)
rate(7 days) - Weekly (cost-optimized for large datasets)

Cost Analysis

Free Tier Coverage (DynamoDB Only)

For small organizations (<100 users, <50 service roles):

DynamoDB: $0 (within 25GB free storage, 25 RCU/WCU)
Lambda: $0 (within 1M invocations, 400,000 GB-seconds)
CloudTrail: $0 (using free 90-day event history API)
CloudWatch: $0 (within free tier limits)
Total: $0/month

With Analytics Enabled (S3 + Athena)

Small Organizations

Core components: $0 (free tier)
S3 storage: ~$0.50-2/month (depends on data retention)
Athena queries: ~$0.10-1/month (depends on query frequency)
Total: $0.60-3/month

Medium Organizations (500-1000 users)

DynamoDB: $2-5/month (beyond free tier)
Lambda: $0-2/month (increased execution time for exports)
S3 storage: $2-8/month (more data, lifecycle optimization)
Athena: $1-5/month (more frequent analytics)
Total: $5-20/month

Large Organizations (1000+ users)

DynamoDB: $10-25/month
Lambda: $2-10/month
S3 storage: $5-20/month (with lifecycle policies)
Athena: $5-15/month
Glue: $1-5/month (crawler executions)
Total: $23-75/month

Note: Costs do not include SNS alerts (minimal, ~$0.10 per 1000 emails)

Cost Optimization Features

S3 Lifecycle Policies: Automatically move data to cheaper storage classes
- Standard (30 days) → Standard-IA (90 days) → Glacier (365 days) → Deep Archive
- Can reduce storage costs by 80-95% for older data
Parquet Format: 70-90% smaller than JSON, reducing storage and query costs
Partitioned Data: Athena only scans relevant partitions, reducing query costs
Conditional Deployment: Disable analytics if only real-time monitoring is needed

Querying the Data

Real-time Queries (DynamoDB)

Perfect for recent data (last 30-90 days) and operational monitoring.

Using AWS Console

Navigate to DynamoDB in AWS Console
Select the events table (e.g., iam-activity-tracker-events)
Use Query or Scan with filters

Using AWS CLI

# Query events by user
aws dynamodb query \
  --table-name iam-activity-tracker-events \
  --index-name user_name-index \
  --key-condition-expression "user_name = :username" \
  --expression-attribute-values '{":username":{"S":"alice.johnson"}}'

# Query events by action
aws dynamodb query \
  --table-name iam-activity-tracker-events \
  --index-name event_name-index \
  --key-condition-expression "event_name = :eventname" \
  --expression-attribute-values '{":eventname":{"S":"CreateUser"}}'

Analytics Queries (Athena)

Perfect for historical analysis, compliance reporting, and complex queries.

Quick Setup

Option 1: Automatic (Recommended) The system will automatically set up Athena during deployment initialization.

Option 2: Manual Setup If you skipped initialization, run this after the first export:

make setup-athena

Option 3: Initialize Later If you deployed without initialization, you can run it anytime:

make init

Pre-built Security Queries

# List all available queries
make list-queries

# Run specific security analysis (table format - default)
make run-query Q=failed_auth             # Failed authentication attempts
make run-query Q=root_usage              # Root account activity
make run-query Q=off_hours               # After-hours access
make run-query Q=active_users            # Most active users
make run-query Q=permission_changes      # IAM permission modifications
make run-query Q=role_assumptions        # Role usage patterns
make run-query Q=daily_summary           # Compliance reporting

# SSO/Identity Center queries
make run-query Q=sso_permission_sets     # SSO permission set changes
make run-query Q=sso_account_assignments # Account access grants
make run-query Q=sso_admin_policies      # Admin policy attachments
make run-query Q=sso_admin_users         # SSO administrators
make run-query Q=sso_activity_summary    # SSO usage overview

# JSON format for complete data (ALL queries support both formats!)
make run-query Q=failed_auth FORMAT=json             # Any IAM query
make run-query Q=root_usage FORMAT=json              
make run-query Q=sso_account_assignments FORMAT=json # Any SSO query
make run-query Q=sso_admin_policies FORMAT=json      
make run-query Q=active_users FORMAT=json            # Any analytics query

Output Formats

ALL queries support two output formats:

Table Format (default): Displays curated fields optimized to prevent truncation. Perfect for quick analysis and reporting.
JSON Format: Returns complete data with all available fields. Ideal for detailed investigations or data export.

# Examples - Every query works with both formats
make run-query Q=user_lookup                  # Table format (default)
make run-query Q=user_lookup FORMAT=table     # Explicit table format
make run-query Q=user_lookup FORMAT=json      # JSON format with all fields

make run-query Q=sso_admin_policies          # Table format (default)
make run-query Q=sso_admin_policies FORMAT=json  # Complete data

Direct Athena Console Usage

For users who prefer AWS Athena console directly, all queries are available as ready-to-use SQL:

# View all queries in SQL format
cat queries/analytics_queries.sql

# Copy/paste any query directly into Athena console
# Queries use default table: iam_activity_tracker_database.iam_events

The queries/analytics_queries.sql file contains all 15 queries in standard SQL format, synchronized with the Python implementation. Perfect for:

Custom modifications: Edit queries for specific requirements
Learning: Understand the SQL behind each security analysis
Integration: Use with other tools beyond the CLI

Example Query Output:

Custom SQL Queries

-- Recent failed authentication attempts
SELECT 
    substr(event_time, 1, 10) as event_date,
    user_name,
    source_ip,
    event_name,
    error_code,
    COUNT(*) as failure_count
FROM iam_activity_tracker_database.iam_events
WHERE 
    substr(event_time, 1, 10) >= cast(current_date - INTERVAL '7' DAY as varchar)
    AND error_code IS NOT NULL AND error_code != ''
    AND event_name IN ('ConsoleLogin', 'AssumeRole', 'GetSessionToken')
GROUP BY 1, 2, 3, 4, 5
ORDER BY failure_count DESC;

-- Permission changes by user
SELECT 
    user_name,
    event_name,
    COUNT(*) as change_count,
    MIN(substr(event_time, 1, 10)) as first_change,
    MAX(substr(event_time, 1, 10)) as last_change
FROM iam_activity_tracker_database.iam_events
WHERE 
    substr(event_time, 1, 10) >= cast(current_date - INTERVAL '30' DAY as varchar)
    AND event_name IN (
        'AttachUserPolicy', 'DetachUserPolicy',
        'AttachGroupPolicy', 'DetachGroupPolicy',
        'AttachRolePolicy', 'DetachRolePolicy',
        'CreateUser', 'DeleteUser',
        'CreateRole', 'DeleteRole',
        'PutUserPolicy', 'DeleteUserPolicy'
    )
GROUP BY user_name, event_name
ORDER BY change_count DESC;

-- Role assumption patterns
SELECT 
    JSON_EXTRACT_SCALAR(request_parameters, '$.roleArn') as role_arn,
    user_name,
    COUNT(*) as assumption_count,
    COUNT(CASE WHEN error_code IS NOT NULL AND error_code != '' THEN 1 END) as failed_count
FROM iam_activity_tracker_database.iam_events
WHERE 
    substr(event_time, 1, 10) >= cast(current_date - INTERVAL '30' DAY as varchar)
    AND event_name = 'AssumeRole'
    AND JSON_EXTRACT_SCALAR(request_parameters, '$.roleArn') IS NOT NULL
GROUP BY 1, 2
ORDER BY assumption_count DESC
LIMIT 20;

Example Outputs

The tool provides rich, formatted output for all queries with execution metrics:

Query Comparison

Feature	DynamoDB	Athena
Best for	Real-time, recent data	Historical analysis, complex queries
Time range	All data (no TTL by default)	All exported data
Query language	DynamoDB Query/Scan	Standard SQL
Performance	Milliseconds	Seconds to minutes
Cost	Free tier friendly	Pay per TB scanned
Complexity	Simple filters	Complex joins, aggregations

Monitoring

CloudWatch Alarms

The solution includes CloudWatch alarms for:

Tracker Lambda: Errors and high execution duration (>4 minutes)
Export Lambda: Errors and high execution duration (>13 minutes)

Viewing Logs

# View tracker Lambda logs with automatic formatting
make logs

# View specific log group
make logs | grep ERROR     # Filter for errors
make logs | grep CRITICAL  # Filter for critical alerts

Health Checks

# Check stack status and outputs
make status

# Test a specific query
make run-query Q=failed_auth

Maintenance

Data Retention

By default, events are kept indefinitely. To enable automatic deletion:

Edit template.yaml
Add TTL configuration to IAMEventsTable
Redeploy the stack

Updating the Solution

# Pull latest changes
git pull

# Update deployment
make update

Troubleshooting

Data Collection Issues

"Access Denied" errors
- Ensure Lambda has CloudTrail read permissions in all regions
- Verify CloudTrail is enabled (check AWS Console → CloudTrail)
- Check IAM policy attached to tracker Lambda role
High tracker Lambda duration
- Reduce MAX_WORKERS if hitting API rate limits
- Consider increasing schedule interval to reduce frequency
- Check CloudWatch metrics for throttling
Missing events
- Verify PROCESS_IAM_EVENTS and PROCESS_STS_EVENTS are true
- Check CloudWatch Logs for region-specific errors
- Ensure all required AWS regions are accessible

Analytics Issues

No data in S3 bucket
- Check export Lambda logs for errors
- Verify ENABLE_ANALYTICS is set to true
- Ensure DynamoDB has data before export runs
- Check S3 bucket permissions
Athena queries return no results
- Run Glue crawler to discover new partitions:
```
aws glue start-crawler --name iam-activity-tracker-crawler
```
- Verify S3 data location in Athena table definition
- Check partition projection configuration
High Athena costs
- Use LIMIT in queries during testing
- Add date filters to reduce data scanned
- Check query execution plans
- Consider partition pruning
Export Lambda timeout
- Reduce EXPORT_DAYS_BACK to process fewer days per run
- Increase Lambda memory (currently 2048MB)
- Check if DynamoDB has throttling issues

Performance Optimization

Slow query performance
- Use appropriate indexes in DynamoDB
- Add partition filters in Athena queries
- Consider using columnar projection in Athena
Cost optimization
- Enable S3 lifecycle policies (automatically configured)
- Reduce query frequency if not needed real-time
- Use Athena workgroups to set query limits

Debug Mode

To enable verbose logging, update the CloudFormation stack parameter:

Set LogLevel parameter to DEBUG during deployment

Verification Commands

# Check DynamoDB table
aws dynamodb describe-table --table-name iam-activity-tracker-events

# Check S3 bucket (if analytics enabled)
aws s3 ls s3://iam-activity-tracker-analytics-ACCOUNT_ID/iam-events/ --recursive | head -5

# Test a query
make run-query Q=daily_summary

Security Considerations

Lambda function has read-only access to CloudTrail
DynamoDB tables are encrypted at rest
No credentials or sensitive data in logs
Follows principle of least privilege

Uninstall

To remove all resources:

make destroy

Warning: This will delete all collected event data!

Important: If analytics is enabled, manually empty the S3 buckets before running destroy:

aws s3 rm s3://iam-activity-tracker-analytics-ACCOUNT_ID/ --recursive
aws s3 rm s3://iam-activity-tracker-athena-results-ACCOUNT_ID/ --recursive

Contributing

Contributions are welcome! Please:

Fork the repository
Create a feature branch
Submit a pull request

License

This project is licensed under the MIT License - see the LICENSE file for details.

Support

For issues or questions:

Check the troubleshooting section
Review CloudWatch Logs
Open an issue in the repository

Available Queries

Pre-built Queries (15 total)

IAM & Security Queries

user_lookup - User activity patterns
failed_auth - Failed authentication attempts
root_usage - Root account activity
off_hours - After-hours access (10 PM - 6 AM)
active_users - Most active users
permission_changes - IAM policy modifications
role_assumptions - Role usage patterns
daily_summary - Daily activity summaries
hourly_activity - Peak usage analysis

SSO/Identity Center Queries

sso_permission_sets - Track SSO permission set creation and updates
sso_account_assignments - Monitor who is getting access to which AWS accounts
sso_admin_policies - Track dangerous administrative policy attachments
sso_applications - Monitor third-party application integrations
sso_admin_users - Identify users making SSO configuration changes
sso_activity_summary - SSO usage patterns and error rates

Security Alerts (8 functions)

Root account activity (login/failed)
IAM user creation
Admin policy attachments
Dangerous inline policies
Access key creation
Role trust policy issues
Access key updates
MFA device changes

File Structure

iam-activity-tracker/
├── assets/                          # Screenshots and documentation
│   ├── Failed_Auth.png
│   └── List_Queries.png
├── functions/                       # Lambda function code
│   ├── tracker/                     # Real-time event collection
│   │   ├── handler.py               # Main tracker Lambda
│   │   ├── cloudtrail_processor.py
│   │   ├── dynamodb_operations.py
│   │   ├── security_alerts.py       # SNS alerting logic
│   │   └── requirements.txt
│   └── exporter/                    # S3 analytics export
│       ├── export_handler.py        # Export Lambda
│       ├── parquet_processor.py
│       ├── s3_operations.py
│       ├── dynamodb_operations.py
│       └── requirements.txt
├── queries/                         # Analytics tools
│   ├── athena_utilities.py          # Athena integration
│   ├── query_runner.py              # CLI query tool
│   ├── analytics_queries.sql        # Pre-built SQL queries
│   ├── setup.sh                     # Python environment setup
│   └── requirements.txt
├── scripts/                         # Operational scripts
│   ├── deploy.sh                    # Deployment script
│   ├── destroy.sh                   # Cleanup script
│   ├── logs.sh                      # View Lambda logs
│   ├── run-query.sh                 # Query execution wrapper
│   ├── setup-athena.sh              # Athena table setup
│   ├── status.sh                    # Stack status check
│   ├── test-alerts.sh               # Test alert system
│   └── validate.sh                  # Template validation
├── template.yaml                    # SAM deployment template
├── Makefile                         # Build automation
├── Architecture.md                  # Detailed system design
└── README.md                        # This file

Built for the AWS security community

Name		Name	Last commit message	Last commit date
Latest commit History 7 Commits
assets		assets
functions		functions
queries		queries
scripts		scripts
Architecture.md		Architecture.md
LICENSE		LICENSE
Makefile		Makefile
README.md		README.md
template.yaml		template.yaml

License

TocConsulting/iam-activity-tracker

Folders and files

Latest commit

History

Repository files navigation

IAM Activity Tracker

Overview

Features

Event Collection

Analytics & Reporting

Operational

Architecture

Complete System Overview

Data Flow

Prerequisites

Required IAM Permissions

Quick Start

1. Clone the Repository

2. Deploy the Solution

3. View Available Commands

Deployment Options

Standard Deployment (Recommended)

Deploy Without Initialization

Initialize Later

AWS Service Event Filtering

What Gets Filtered?

Why Filter AWS Service Events?

Role Filtering for CSPM and Security Tools

Common Use Cases

Configuration

Filter Pattern Syntax

What Gets Filtered?

Example Configurations

Monitoring Filtered Events

Configuration Options

Environment Variables

Core Configuration

Collection Settings

Analytics Configuration

Security Alerting Configuration

Schedule Options

Collection Frequency

Export Frequency

Cost Analysis

Free Tier Coverage (DynamoDB Only)

With Analytics Enabled (S3 + Athena)

Small Organizations

Medium Organizations (500-1000 users)

Large Organizations (1000+ users)

Cost Optimization Features

Querying the Data

Real-time Queries (DynamoDB)

Using AWS Console

Using AWS CLI

Analytics Queries (Athena)

Quick Setup

Pre-built Security Queries

Output Formats

Direct Athena Console Usage

Custom SQL Queries

Example Outputs

Query Comparison

Monitoring

CloudWatch Alarms

Viewing Logs

Health Checks

Maintenance

Data Retention

Updating the Solution

Troubleshooting

Data Collection Issues

Analytics Issues

Performance Optimization

Debug Mode

Verification Commands

Security Considerations

Uninstall

Contributing

License

Packages