Ensure IAM configuration modifications are detected

Error: IAM configuration modifications are not detected

Bridgecrew Policy ID: BC_AWS_ALERT_5
Severity: MEDIUM

AWS IAM enables users to delegate broad or granular access rights with a few lines of code. Tracking IAM configuration changes ensures that these configurations are carefully inspected, and manual or unexpected changes are also logged and tracked.

IAM policy actions for CloudTrail use the prefix cloudtrail: before the action name.

Policy statements include either an Action or NotAction element. CloudTrail defines its own set of actions that describe tasks you can perform with this service.

The AWS IAM policy modifications that are tracked include:

  • DetachGroupPolicy, AttachGroupPolicy, DeleteGroupPolicy, PutGroupPolicy
  • DetachUserPolicy, AttachUserPolicy, DeleteUserPolicy, PutUserPolicy
  • DetachRolePolicy, AttachRolePolicy, DeleteRolePolicy, PutRolePolicy
  • CreatePolicyVersion, DeletePolicyVersion
  • CreatePolicy, DeletePolicy
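As an added example (not part of the Bridgecrew page or its checks), the following script shows how the listed IAM API calls appear in CloudTrail event records and flags the ones that actually changed something; the sample records are constructed, and the account IDs, ARNs and principal names in them are placeholders.

```python
# Added example, not from the Bridgecrew page: flag the tracked IAM policy calls in CloudTrail records.
# CloudTrail eventName values for the tracked IAM policy modifications.
IAM_POLICY_CHANGE_EVENTS = frozenset({
    "DetachGroupPolicy", "AttachGroupPolicy", "DeleteGroupPolicy", "PutGroupPolicy",
    "DetachUserPolicy", "AttachUserPolicy", "DeleteUserPolicy", "PutUserPolicy",
    "DetachRolePolicy", "AttachRolePolicy", "DeleteRolePolicy", "PutRolePolicy",
    "CreatePolicyVersion", "DeletePolicyVersion", "CreatePolicy", "DeletePolicy",
})
# Request-parameter keys that name what the call touched, in preference order.
TARGET_KEYS = ("policyArn", "policyName", "roleName", "userName", "groupName")


def find_iam_policy_changes(records):
    """Return (eventName, actor ARN, target) for each successful tracked call.
    Calls that failed (CloudTrail sets errorCode) changed nothing and are skipped."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue  # only IAM API calls are of interest here
        if rec.get("eventName") not in IAM_POLICY_CHANGE_EVENTS or rec.get("errorCode"):
            continue
        actor = rec.get("userIdentity", {}).get("arn", "unknown")
        params = rec.get("requestParameters") or {}
        target = next((params[k] for k in TARGET_KEYS if k in params), "?")
        findings.append((rec["eventName"], actor, target))
    return findings


# Constructed sample records in CloudTrail's shape: two real changes, one
# read-only call that must be ignored, and one denied DeletePolicy attempt.
SAMPLE_RECORDS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"roleName": "AppRole",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/deploy"},
     "requestParameters": {"policyArn": "arn:aws:iam::111122223333:policy/app",
                           "setAsDefault": True}},
    {"eventSource": "iam.amazonaws.com", "eventName": "GetRole",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"roleName": "AppRole"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "DeletePolicy",
     "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"policyArn": "arn:aws:iam::111122223333:policy/app"}},
]

if __name__ == "__main__":
    for name, actor, target in find_iam_policy_changes(SAMPLE_RECORDS):
        print(f"IAM policy change: {name} by {actor} on {target}")
```

The same eventName set can be dropped into a CloudWatch Logs metric filter or an EventBridge rule on the CloudTrail stream; denied attempts are skipped here because they changed nothing, but a burst of them deserves its own alert.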