{"id":26649129,"url":"https://github.com/kloudle/aws-iam-large-account-security","last_synced_at":"2025-04-11T03:02:28.530Z","repository":{"id":282829815,"uuid":"947692539","full_name":"Kloudle/aws-iam-large-account-security","owner":"Kloudle","description":"Security insights for AWS IAM in large-scale accounts (20K+ users), bypassing CSPM limitations.","archived":false,"fork":false,"pushed_at":"2025-03-17T06:55:35.000Z","size":6,"stargazers_count":7,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-03-25T00:48:13.734Z","etag":null,"topics":["aws","cloud-security","cspm","iam","identity-access-management","misconfiguration","security-automation","security-scanner"],"latest_commit_sha":null,"homepage":"https://kloudle.com/blog/kloudle-wins-digitalocean-enterprise-customer-unique-iam-capability/","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Kloudle.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2025-03-13T05:08:17.000Z","updated_at":"2025-03-18T22:19:01.000Z","dependencies_parsed_at":"2025-03-17T07:28:19.398Z","dependency_job_id":null,"html_url":"https://github.com/Kloudle/aws-iam-large-account-security","commit_stats":null,"previous_names":["kloudle/aws-iam-large-account-security"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kloudle%2Faws-iam-large-account-security","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kloudle%2Faws-iam-large-account-security/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kloudle%2Faws-iam-large-account-security/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kloudle%2Faws-iam-large-account-security/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Kloudle","download_url":"https://codeload.github.com/Kloudle/aws-iam-large-account-security/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248333605,"owners_count":21086199,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","cloud-security","cspm","iam","identity-access-management","misconfiguration","security-automation","security-scanner"],"created_at":"2025-03-25T00:48:21.023Z","updated_at":"2025-04-11T03:02:28.486Z","avatar_url":"https://github.com/Kloudle.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# AWS IAM Security at Scale 🚀\n\n## 🛑 The Problem: AWS IAM Limitations\n\nMost **Cloud Security Posture Management (CSPM)** tools rely on `iam:GenerateCredentialReport` to fetch IAM user details. However, this API **fails** in AWS accounts with **large IAM user bases** (e.g., 20,000+ users), causing:\n\n- **Missed IAM misconfigurations** 🚨  \n- **Blind spots in security audits** 🕵️  \n- **Unmonitored access risks** 🔓  \n\nAWS's current hard limit allows a **maximum of 5000 IAM users per account**—but what happens when an enterprise **has 25,000+ users**?  \n\n👉 **Kloudle solved this.**  \n\n---\n\n## 🔥 Our Breakthrough: IAM Security for Large AWS Accounts\n\nWe bypassed **AWS’s API limitations** to provide IAM misconfiguration detection **at any scale.**  \nInstead of relying on `iam:GenerateCredentialReport`, we **dynamically query AWS APIs** to fetch IAM data **without limits.**  \n\nThis uncovered **critical IAM risks** that CSPM tools **miss** in large accounts.  \n\n### ✅ **Misconfigurations We Detect**\nOur method identified **high-impact security flaws**, such as:\n\n1️⃣ **Users with multiple active access keys**  \n   - Attackers can maintain access even after a breach.  \n   - **APIs used:** `aws iam list-users`, `aws iam list-access-keys`  \n\n2️⃣ **Stale IAM keys (not rotated in 90+ days)**  \n   - Prolonged attack surface, compliance failures.  \n   - **APIs used:** `aws iam list-users`, `aws iam list-access-keys`  \n\n3️⃣ **Unused IAM keys (last used \u003e90 days ago)**  \n   - Forgotten keys pose **high-risk** entry points.  \n   - **APIs used:** `aws iam get-access-key-last-used`  \n\n4️⃣ **Users with password login but NO MFA**  \n   - **One stolen password = full account compromise.**  \n   - **APIs used:** `aws iam list-users`, `aws iam list-mfa-devices`  \n\n---\n\n## 🏆 **Why This Matters**\nAWS IAM security is **not one-size-fits-all.**  \nEnterprise-scale AWS accounts **break traditional security tools.**  \n\nBy dynamically querying AWS APIs **without relying on credential reports**, we offer:  \n\n✅ **Security for AWS accounts with 20,000+ IAM users**  \n✅ **Deep visibility beyond CSPM limitations**  \n✅ **Real-time IAM risk detection without API failures**  \n\n---\n\n## 📚 Additional Resources\n\n- **Read more:** [Kloudle’s Blog on IAM Security](https://kloudle.com/blog/kloudle-wins-digitalocean-enterprise-customer-unique-iam-capability/)\n- **Join the Discussion:** [Open an issue](https://github.com/Kloudle/aws-iam-large-account-security/issues) if you've faced similar IAM challenges!\n\n---\n\n🚀 **Securing AWS at Scale. One IAM risk at a time.**\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkloudle%2Faws-iam-large-account-security","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkloudle%2Faws-iam-large-account-security","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkloudle%2Faws-iam-large-account-security/lists"}