AWS IAM Audit Evidence

Clear, defensible evidence for AWS Identity, Privilege, and Trust. Auditing AWS IAM is fundamentally different from traditional directory services. Blackbox Auditor produces evidence auditors can actually rely on.

Frameworks covered: SOC 2 CC6.x · PCI DSS Req. 7 & 8 · ISO 27001 A.9 · HIPAA Access Controls

Why AWS IAM Audits Fail Without Specialized Tooling

There is no single "admins group" in AWS. Permissions are inherited, federated, assumed, and distributed across users, roles, access keys, and trust relationships.

Most AWS IAM audit failures stem from the same issues:

  • Overreliance on client-provided access lists
  • Incomplete visibility into access keys and root usage
  • Failure to identify federated and SSO-based access
  • Misinterpretation of role permissions and trust relationships
  • Manual review of JSON policies without effective privilege resolution

These gaps lead to inaccurate conclusions about who can access AWS and at what level.

What Auditors Need to Answer

An effective IAM audit must clearly and defensibly answer:

  • Who can authenticate into AWS?
  • How do they authenticate (password, access key, SSO, federation)?
  • What permissions do they have in practice, not in theory?
  • Which users or roles have administrative or high-risk access?
  • Which external identities or accounts are trusted?

Blackbox Auditor is designed specifically to answer these questions.

IAM Audit Evidence Domains

IAM Users, Groups, and Permissions

Blackbox Auditor collects and normalizes IAM user and group data into auditor-ready tables.

  • User creation dates, status, and group membership
  • Effective permissions with emphasis on administrative access
  • Identification of stale, inactive, and generic accounts
  • Clear visibility into privilege accumulation

Auditors no longer need to interpret raw policy documents.

Access Keys and Programmatic Access

Access keys are frequently overlooked during audits, despite their risk.

  • All active and inactive access keys
  • Key age, rotation status, and last-used data
  • Identification of long-lived or unused keys
  • Programmatic access paths tied to users and roles

Assess programmatic access with confidence.

Password Policy, MFA, and Root User

Critical authentication controls are often reviewed incompletely.

  • AWS account password policy settings
  • MFA enforcement status
  • Root user existence, configuration, and activity
  • Evidence that root access is restricted and monitored

Root and authentication controls are not excluded from the audit.
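The access-key and root/MFA checks described in the two sections above can be re-performed from the account's IAM credential report. The following is an added example, not Blackbox Auditor's code: it reads a constructed CSV in the shape of that report (column names and the `<root_account>` row follow the AWS report format; the sample rows, the 90-day thresholds and the audit date are assumptions) and returns the findings an auditor would expect to see in the evidence tables.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the shape of an AWS IAM credential report.
# Only the columns this check reads are included; real reports carry more.
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,true,2021-03-01T00:00:00+00:00,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2024-12-01T00:00:00+00:00,2025-01-10T00:00:00+00:00,false,N/A,N/A
svc-backup,arn:aws:iam::123456789012:user/svc-backup,false,false,true,2022-02-03T00:00:00+00:00,2022-06-01T00:00:00+00:00,false,N/A,N/A
"""

# Assumed audit date; a real run would use the report generation time.
AUDIT_DATE = datetime(2025, 3, 1, tzinfo=timezone.utc)


def _parse_ts(value):
    # The report uses ISO 8601 timestamps; placeholder markers become None.
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now, max_key_age_days=90, unused_days=90):
    """Return (user, finding) pairs for root, MFA and access-key control gaps."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Root should have no access keys and must have MFA enabled.
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append((user, "root has an active access key"))
            if row["mfa_active"] != "true":
                findings.append((user, "root MFA not active"))
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated and (now - rotated).days > max_key_age_days:
                findings.append((user, f"access key {n} older than {max_key_age_days} days"))
            used = _parse_ts(row[f"access_key_{n}_last_used_date"])
            if used is None or (now - used).days > unused_days:
                findings.append((user, f"access key {n} unused for {unused_days}+ days"))
    return findings


def run_sample():
    return audit_credential_report(SAMPLE_REPORT, AUDIT_DATE)


if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{user}: {finding}")
```

Keys rotated exactly 90 days before the audit date are not flagged; adjust the thresholds to the client's documented rotation policy before relying on the output.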

AWS SSO and Federated Access

Federated access is one of the most misunderstood areas of AWS audits.

  • Whether AWS SSO or external identity providers are in use
  • Federated users and groups with access to AWS
  • Roles assumed through federation
  • Permissions associated with federated access

Blackbox Auditor highlights where additional audit procedures are required.

IAM Roles and Trust Relationships

Roles and their trust policies define which principals are allowed to assume another identity in AWS.

  • User-assumable roles
  • Cross-account roles
  • Trust relationships between AWS accounts
  • External account access paths

Complex trust data is simplified into defensible evidence.

What the Evidence Looks Like

Blackbox Auditor produces normalized, human-readable tables with timestamped, reproducible outputs aligned to audit workpapers.

Evidence Table Coming Soon

We're preparing sanitized evidence output for this product. Request access to be notified when it's available, or schedule a demo to see live evidence today.

Evidence is designed to support walkthroughs, sampling, and re-performance.

Who This Is For

  • External auditors performing AWS-based assessments
  • Internal GRC teams validating identity and access controls
  • Security teams supporting audit evidence requests

Not Intended For

  • Real-time identity threat detection
  • Continuous access monitoring
  • Identity governance workflows

Evaluate IAM Evidence the Way Auditors Do

See what defensible IAM audit evidence actually looks like.