Back to all tools
IAM Activity Tracker
Serverless IAM, STS, and Console signin tracking
A comprehensive serverless AWS solution for tracking and auditing IAM, STS, and AWS Console signin activities across all regions. Features real-time collection via free CloudTrail event history, advanced analytics with S3 + Athena, and automated security alerting. Built with AWS SAM.
Features
Event Collection
- IAM events (us-east-1), STS events (all regions)
- Console signin events (global)
- SSO/Identity Center admin events
- Up to 90 days historical collection
- 32 concurrent threads for fast queries
Analytics
- DynamoDB for real-time queries
- S3 Data Lake with Parquet format
- Athena SQL queries
- 15 pre-built security queries
- 6 SSO-specific queries
Security Alerts
- Root account activity
- Failed authentication attempts
- IAM user creation
- Admin policy attachments
- Access key operations
- MFA device changes
Installation & Usage
Quick Start
git clone https://github.com/TocConsulting/iam-activity-tracker cd iam-activity-tracker make deploy # Choose Y when prompted for initialization
Run Queries
make list-queries make run-query Q=failed_auth make run-query Q=root_usage make run-query Q=sso_admin_policies FORMAT=json
Pre-built Security Queries
failed_authFailed authentication attemptsroot_usageRoot account activityoff_hoursAfter-hours access (10 PM - 6 AM)active_usersMost active userspermission_changesIAM policy modificationsrole_assumptionsRole usage patternsdaily_summaryDaily activity summariessso_permission_setsSSO permission set changessso_account_assignmentsAccount access grantssso_admin_policiesAdmin policy attachmentsNeed Help Implementing?
We can help you deploy and customize this tool for your specific needs, or build custom solutions.
Contact Us