AWS IAM User Created

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (act today)

Trend Micro Cloud One™ – Conformity Real-Time Threat Monitoring and Analysis (RTMA) engine detected a new IAM user creation event within your Amazon Web Services (AWS) account.
An IAM user is an identity created for your AWS cloud account that has specific custom permissions (for example, permissions to manage Amazon KMS Customer Master Keys). The IAM user access to your AWS cloud services and resources can be programmatic – which enables an access key ID and secret access key that can be used with the AWS API, AWS Command Line Interface (CLI), AWS SDK, and other development tools, or through the Management Console – which enables a user name and a password that can be used to sign-in to the AWS Management Console.
The AWS IAM user access is controlled using a well-defined set of permissions (i.e. identity-based policy) that is attached to the identity during the creation process. Conformity Real-Time Threat Monitoring and Analysis (RTMA) integrates seamlessly with Amazon CloudTrail service which logs all IAM user creation events.
The communication channels necessary for sending RTMA notifications upon detecting Amazon IAM "CreateUser" events can be configured within your Trend Micro Cloud One™ – Conformity account. The list of supported communication channels that you can use to receive notification alerts are SMS, Email, Slack, PagerDuty, ServiceNow, and Zendesk.

This rule can help you work with the AWS Well-Architected Framework.


Monitoring IAM user creation in real-time is absolutely necessary for keeping your AWS cloud account safe. Because IAM users can be created with overly permissive policies such as those with administrator-level permissions (where the user has authorization to modify or remove any resource, access any data within your cloud environment, and use any AWS service or component), using IAM user identities by inexperienced or unauthorized personnel within your organization can introduce severe security issues which can lead to data leaks, data loss, or even unexpected charges on your AWS bill. Unfortunately, as an organization grows and more people get involved in the operational aspect of the AWS cloud administration, the tendency is to create more than one privileged IAM user and this poses a huge operational and security risk. To adhere to cloud security best practices and implement the Principle of Least Privilege (also known as the principle of least authority, i.e. the security concept of providing every user, process, or system the minimal set of permissions required to perform successfully its tasks), Trend Micro Cloud One™ – Conformity strongly recommends monitoring the creation of IAM users and ultimately avoid creating more than one privileged IAM user, unless it is really necessary. Ideally, the IAM administration and permission management within your AWS account should be divided between two well-defined roles: IAM Master and IAM Manager. These custom roles should be utilized by designated personnel only to create and configure other IAM users and roles with limited permissions that follow the same principle of least privilege. Since each IAM user creation event is being detected by the Real-Time Threat Monitoring and Analysis (RTMA) feature, the AWS account administrator has the chance to prevent any potential security issues that could be introduced by new, over-privileged IAM users. Using Trend Micro Cloud One™ – Conformity RTMA detection for Amazon IAM user creation will help you enforce stricter and safer access policies within your organization.


Publication date Nov 24, 2020

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

AWS IAM User Created

Risk level: High