Security Auditing on Permissions of IAM Users
Scenario
Enterprise users usually need to periodically audit the permissions of the IAM users created in the cloud, to ensure that each IAM user has only the permissions required for its tasks (least privilege). Generally, only account administrators and auditors should hold administration permissions for the IAM service itself; ordinary IAM users should not. Because every step of the audit is available through the IAM APIs, the periodic audit can be automated.
This section describes how to audit the permissions of IAM users by calling the APIs. The same calls can be scheduled programmatically to run the audit periodically.
General Procedure
A permission audit covers the identity policies attached directly to IAM users as well as those attached to the IAM user groups they belong to. In both cases the audit works the same way: you define the set of permissions (actions) you want to audit, then compare that set with the content of each attached identity policy. The following uses identity policies attached to IAM user groups as an example. The procedure is as follows:
- List all the user groups.
- Query the permissions of each user group.
- Query the content of an identity policy.
- Determine the permissions to be audited and query the IAM users in each user group that has been assigned these permissions.
The APIs used in each of these steps are described below.
Step 1: List All the User Groups
URI: GET /v5/groups
For details about the API, see Listing User Groups.
- Example Request
GET https://{endpoint}/v5/groups
- Example Response
{
  "groups" : [ {
    "group_id" : "5b050baea9db472c88cbae67e8d6....",
    "group_name" : "IAMGroupA",
    "created_at" : "2023-09-11T10:13:25.414Z",
    "urn" : "iam::d78cbac186b744899480f25bd022....:group:IAMGroupA",
    "description" : "IAMdescription"
  }, {
    "group_id" : "07609e7eb200250a3f7dc003cb7a....",
    "group_name" : "IAMGroupB",
    "created_at" : "2023-09-11T10:13:40.016Z",
    "urn" : "iam::d78cbac186b744899480f25bd022....:group:IAMGroupB",
    "description" : "IAMdescription"
  } ],
  "page_info" : {
    "current_count" : 2
  }
}
Step 2: Query Permissions of Each User Group
URI: GET /v5/groups/{group_id}/attached-policies
For details about the API, see Querying All Identity Policies Attached to a Specified User Group.
- Example Request
GET https://{endpoint}/v5/groups/5b050baea9db472c88cbae67e8d6..../attached-policies
- Example Response
{
  "attached_policies" : [ {
    "policy_name" : "ReadPolicy",
    "policy_id" : "75cfe22af2b3498d82b655fbb39d....",
    "urn" : "iam::d78cbac186b744899480f25bd022....:policy:ReadPolicy",
    "attached_at" : "2023-09-25T09:31:44.935Z"
  } ],
  "page_info" : {
    "current_count" : 1
  }
}
Step 3: Query the Content of an Identity Policy
URI: GET /v5/policies/{policy_id}/versions
For details about the API, see Querying All Versions of a Specified Identity Policy.
- Example Request
GET https://{endpoint}/v5/policies/75cfe22af2b3498d82b655fbb39d..../versions
- Example Response
{
  "versions" : [ {
    "document" : "{\"Version\":\"5.0\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"iam:*:get*\",\"iam:*:list*\"]}]}",
    "version_id" : "v1",
    "is_default" : true,
    "created_at" : "2023-09-25T09:03:24.786Z"
  } ],
  "page_info" : {
    "current_count" : 1
  }
}
Step 4: Determine the Permissions to Be Audited and Query IAM Users Granted These Permissions
URI: GET /v5/users
For details about the API, see Querying the IAM Users in a Group.
- Example Request
GET https://{endpoint}/v5/users?group_id=5b050baea9db472c88cbae67e8d6....
- Example Response
{
  "users" : [ {
    "description" : "description",
    "user_name" : "IAMUserA",
    "is_root_user" : false,
    "created_at" : "2023-04-26T03:49:42Z",
    "user_id" : "07609fb9358010e21f7bc003751c....",
    "urn" : "iam::d78cbac186b744899480f25bd022....:user:IAMUserA",
    "enabled" : true
  }, {
    "description" : "description",
    "user_name" : "IAMUserB",
    "is_root_user" : false,
    "created_at" : "2023-04-26T03:52:27Z",
    "user_id" : "076837351e80251c1f0fc003afe4....",
    "urn" : "iam::d78cbac186b744899480f25bd022....:user:IAMUserB",
    "enabled" : true
  } ],
  "page_info" : {
    "current_count" : 2
  }
}
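The four steps above chained into one audit script, as an added example that is not part of the original documentation. It walks groups, attached policies, the default policy version and group members exactly as the steps describe, and reports every group whose policy grants any of the audited actions. The HTTP layer is replaced by a lookup into the page's own example responses (constructed fixtures keyed by request path), so it runs offline; a real run would substitute a function that signs and sends the `GET` requests. The audited action names (`iam:users:createUser`, `iam:users:listUsers`, `iam:users:deleteUser`) are hypothetical placeholders, the matching treats each policy `Action` entry as a glob and only evaluates `Effect`/`Action` (not `Resource`, `Condition` or `NotAction`), and pagination of the list APIs is not handled because the page shows only `current_count`.

```python
import fnmatch
import json
from typing import Callable, Dict, List

# Constructed fixtures: the page's example responses, trimmed to the fields the
# audit reads and keyed by request path. Group B has no attached policies.
GROUP_A = "5b050baea9db472c88cbae67e8d6...."
GROUP_B = "07609e7eb200250a3f7dc003cb7a...."
POLICY_READ = "75cfe22af2b3498d82b655fbb39d...."

SAMPLE_RESPONSES: Dict[str, dict] = {
    "/v5/groups": {
        "groups": [{"group_id": GROUP_A, "group_name": "IAMGroupA"},
                   {"group_id": GROUP_B, "group_name": "IAMGroupB"}],
        "page_info": {"current_count": 2},
    },
    f"/v5/groups/{GROUP_A}/attached-policies": {
        "attached_policies": [{"policy_name": "ReadPolicy", "policy_id": POLICY_READ}],
        "page_info": {"current_count": 1},
    },
    f"/v5/groups/{GROUP_B}/attached-policies": {
        "attached_policies": [], "page_info": {"current_count": 0},
    },
    f"/v5/policies/{POLICY_READ}/versions": {
        "versions": [{
            # The document field is a JSON string embedded in the JSON response.
            "document": '{"Version":"5.0","Statement":[{"Effect":"Allow",'
                        '"Action":["iam:*:get*","iam:*:list*"]}]}',
            "version_id": "v1", "is_default": True}],
        "page_info": {"current_count": 1},
    },
    f"/v5/users?group_id={GROUP_A}": {
        "users": [{"user_name": "IAMUserA", "user_id": "07609fb9358010e21f7bc003751c...."},
                  {"user_name": "IAMUserB", "user_id": "076837351e80251c1f0fc003afe4...."}],
        "page_info": {"current_count": 2},
    },
    f"/v5/users?group_id={GROUP_B}": {"users": [], "page_info": {"current_count": 0}},
}


def sample_get(path: str) -> dict:
    """Stand-in for an authenticated GET https://{endpoint}{path}."""
    return SAMPLE_RESPONSES[path]


def as_list(value) -> list:
    """Policy fields such as Action may be a single string or a list."""
    return value if isinstance(value, list) else [value]


def default_document(versions: List[dict]) -> dict:
    """Parse the document of the default version, which is the one in force."""
    for version in versions:
        if version.get("is_default"):
            return json.loads(version["document"])
    raise ValueError("policy has no default version")


def granted_actions(document: dict, audited_actions: List[str]) -> List[str]:
    """Audited actions the policy allows and does not explicitly deny.
    Each Action entry is treated as a glob, so "iam:*:get*" covers any
    service-scoped get action; Deny statements override Allow statements."""
    allowed, denied = set(), set()
    for stmt in document.get("Statement", []):
        patterns = as_list(stmt.get("Action", []))
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        for action in audited_actions:
            if any(fnmatch.fnmatchcase(action, p) for p in patterns):
                bucket.add(action)
    return sorted(allowed - denied)


def audit_groups(get: Callable[[str], dict], audited_actions: List[str]) -> List[dict]:
    """Steps 1-4: for every group, inspect each attached policy's default
    version and, when it grants an audited action, list the group's members."""
    findings = []
    for group in get("/v5/groups")["groups"]:                              # Step 1
        gid = group["group_id"]
        for policy in get(f"/v5/groups/{gid}/attached-policies")["attached_policies"]:  # Step 2
            versions = get(f"/v5/policies/{policy['policy_id']}/versions")["versions"]  # Step 3
            hits = granted_actions(default_document(versions), audited_actions)
            if not hits:
                continue
            members = get(f"/v5/users?group_id={gid}")["users"]             # Step 4
            findings.append({
                "group_name": group["group_name"],
                "policy_name": policy["policy_name"],
                "actions": hits,
                "users": sorted(u["user_name"] for u in members),
            })
    return findings


if __name__ == "__main__":
    # Hypothetical action names used purely to drive the example.
    for finding in audit_groups(sample_get, ["iam:users:listUsers", "iam:users:createUser"]):
        print(json.dumps(finding, indent=2))
```

With the page's sample data, `ReadPolicy` grants only get/list actions, so auditing for `iam:users:createUser` returns no findings, while auditing for `iam:users:listUsers` flags `IAMGroupA` and its two members. A Deny statement for an action removes it from the result even when a broader Allow (such as `iam:*`) matches it, which is the case an automated audit most often gets wrong if it only scans Allow statements.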