About AWS Identity and Access Management (IAM)

The IAM connector inventories users, roles, groups, policies, access keys, MFA devices, and credential reports. The data is high-sensitivity and is used as access-review evidence. The integration authenticates with sts:AssumeRole into a role you create in your own account. Attaching the AWS managed policy IAMReadOnlyAccess is simplest; the inline JSON below narrows the grant to iam:Get* and iam:List* plus iam:GenerateCredentialReport and iam:GenerateServiceLastAccessedDetails. Treat the cross-account role and its trust policy like infrastructure secrets: restrict who can edit trust relationships, and keep the external ID confidential, because the external ID condition is what prevents the confused-deputy problem with a shared third-party principal.

How it works

Detail            Value
Category          Identity
Authentication    Cross-account IAM role

Prerequisites

  • IAM administrator permissions (enough to create a role, edit its trust policy, and attach policies) in the account whose IAM data you want evidence for.

Connect AWS IAM to Iru

Copy the trust policy from Iru

1. Open Sources

In Iru Compliance, on the left navigation bar, expand Compliance and select Sources.
2. Turn on AWS IAM

Find the AWS IAM card (filter by Category, or search by name or description). Turn on the toggle on that card and leave the connector tab open; you will return to it to paste the role ARN.
3. Copy the trust policy JSON

The wizard shows the trust policy JSON. Always use the principal ARN and external ID from your live wizard; the document below shows the expected shape, with the external ID as a placeholder:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::753695775620:role/IruConnect"
      },
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_EXTERNAL_ID"
        }
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Create the IAM role in AWS

1. Start Create role

In the account whose IAM data you need, open IAM > Roles > Create role.
2. Set trusted entity

Choose AWS account > Another AWS account. Enter 753695775620 (or the account ID Iru shows). Enable Require external ID and paste the value from Iru.
3. Attach read-only IAM permissions

Attach the AWS managed policy IAMReadOnlyAccess, or add this inline policy if you cannot use the managed policy. It grants the iam:Get* and iam:List* read calls plus the two Generate* calls, which only start report generation and do not change any IAM configuration:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:Get*",
        "iam:List*",
        "iam:GenerateCredentialReport",
        "iam:GenerateServiceLastAccessedDetails"
      ],
      "Resource": "*"
    }
  ]
}
4. Name the role and copy the ARN

Name the role (for example IruIAMReadOnly), create it, and copy the Role ARN from the role summary.
5. Confirm the trust relationship

On the Trust relationships tab, verify the JSON matches Iru's wizard exactly: the same principal ARN, the same sts:ExternalId condition value, and sts:AssumeRole as the only action. A wildcard principal or a missing external ID condition means anyone who learns the role ARN could attempt to assume it.
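The five steps above produce two JSON documents, and step 5 asks you to eyeball one of them. The following is an added example, not Iru's code, that checks both documents offline before (or after) you paste them into AWS: check_trust_policy() confirms the trust policy names exactly the Iru principal and external ID your wizard shows, allows only sts:AssumeRole, and has no wildcard principal; check_permissions_policy() confirms the permissions policy covers the IAM read calls the connector needs and grants nothing beyond the read-only set. REQUIRED_ACTIONS is an assumed, illustrative subset of an IAM inventory's calls, not a list taken from Iru, and the external ID value is a placeholder you replace with the one from your wizard.

```python
"""Offline check of the cross-account role's trust and permissions policies.

Added example, not Iru's code. REQUIRED_ACTIONS is an assumed subset of
the calls an IAM inventory makes; extend it for your connector.
"""
import fnmatch

# Principal from the page; in practice copy it from your live wizard.
IRU_PRINCIPAL = "arn:aws:iam::753695775620:role/IruConnect"

# Assumed subset of what an IAM inventory calls (not Iru's list).
REQUIRED_ACTIONS = [
    "iam:ListUsers", "iam:ListRoles", "iam:ListGroups", "iam:ListPolicies",
    "iam:ListAccessKeys", "iam:ListMFADevices", "iam:GetUser", "iam:GetRole",
    "iam:GetPolicyVersion", "iam:GenerateCredentialReport",
    "iam:GetCredentialReport", "iam:GenerateServiceLastAccessedDetails",
    "iam:GetServiceLastAccessedDetails",
]

# Everything the connector may hold; any other allowed action is a write.
READ_ONLY_PATTERNS = ("iam:Get*", "iam:List*", "iam:GenerateCredentialReport",
                      "iam:GenerateServiceLastAccessedDetails")

TRUST_POLICY = {  # the trust policy from the page, placeholder external ID
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": IRU_PRINCIPAL},
        "Condition": {"StringEquals": {"sts:ExternalId": "YOUR_EXTERNAL_ID"}},
        "Action": "sts:AssumeRole",
    }],
}

PERMISSIONS_POLICY = {  # the inline permissions policy from the page
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:Get*", "iam:List*", "iam:GenerateCredentialReport",
                   "iam:GenerateServiceLastAccessedDetails"],
        "Resource": "*",
    }],
}


def _as_list(value):
    """IAM accepts a string or a list in Principal/Action; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(action, pattern):
    """IAM matches action names case-insensitively, with * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def check_trust_policy(doc, expected_principal, expected_external_id):
    """Return a list of problems; an empty list means the trust policy is safe."""
    problems = []
    allows = [s for s in doc.get("Statement", []) if s.get("Effect") == "Allow"]
    if len(allows) != 1:
        problems.append("expected exactly one Allow statement")
    for stmt in allows:
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if "*" in principals:
            problems.append("wildcard principal: anyone with the external ID could assume the role")
        elif principals != [expected_principal]:
            problems.append(f"principal must be exactly {expected_principal}, got {principals}")
        if _as_list(stmt.get("Action", [])) != ["sts:AssumeRole"]:
            problems.append("Action must be sts:AssumeRole only")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext != expected_external_id:
            problems.append("sts:ExternalId condition missing or does not match the wizard")
    return problems


def check_permissions_policy(doc, required_actions=REQUIRED_ACTIONS):
    """Return (missing, write_actions): required calls no allowed pattern
    covers, and allowed actions outside the read-only set (iam:* lands here)."""
    allowed = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            allowed.extend(_as_list(stmt.get("Action", [])))
    missing = [a for a in required_actions
               if not any(_matches(a, pat) for pat in allowed)]
    write = [a for a in allowed
             if not any(_matches(a, pat) for pat in READ_ONLY_PATTERNS)]
    return missing, write


if __name__ == "__main__":
    # "YOUR_EXTERNAL_ID" stands in for the value your wizard shows.
    print(check_trust_policy(TRUST_POLICY, IRU_PRINCIPAL, "YOUR_EXTERNAL_ID"))
    print(check_permissions_policy(PERMISSIONS_POLICY))
```

Both checks return empty results for the documents on this page. If you script the role instead of using the console, the same two documents are what you pass to aws iam create-role --assume-role-policy-document file://trust.json and aws iam put-role-policy --policy-document file://permissions.json; run the checks on the files first.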

Submit the role ARN in Iru

1. Paste the IAM Role ARN

Return to the Iru wizard tab. Paste the Role ARN into the field the wizard provides.
2. Confirm the source is Active

Submit the form, then confirm the AWS IAM card shows Active. If it does not, recheck the trust policy and external ID before retrying.

Troubleshooting

  • The wizard does not open, or the ARN form does not submit: check pop-up blocker settings for the Iru site and try again.
  • Credential report errors or an empty report on the first scan: GenerateCredentialReport is asynchronous, and the first call only starts generation. Prime it once manually from the console (IAM > Credential report) or the CLI (aws iam generate-credential-report), wait until the returned State is COMPLETE, then rerun the scan.
  • AccessDenied on particular calls: if you wrote your own policy instead of the one above, its wildcards must cover iam:Get* and iam:List* for every resource type the connector reads (users, roles, groups, policies, access keys, MFA devices), not only a subset.
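The second troubleshooting item is easy to get wrong in a script: GenerateCredentialReport returns STARTED or INPROGRESS until the report exists, and only then does GetCredentialReport return content. The following is an added example, not Iru's code, showing a client priming the report the same way you would manually, polling until COMPLETE, and then turning the CSV into the kind of access-review finding this connector exists to produce. The client argument is anything with boto3's generate_credential_report() and get_credential_report() methods; FakeIamClient and SAMPLE_REPORT are constructed here so the example runs offline (in real use pass boto3.client("iam")).

```python
"""Prime, fetch and parse the IAM credential report.

Added example, not Iru's code. FakeIamClient and SAMPLE_REPORT are
constructed stand-ins for boto3.client("iam") and a real report.
"""
import csv
import io
import time


def fetch_credential_report(client, attempts=10, delay=2.0, sleep=time.sleep):
    """Call GenerateCredentialReport until State is COMPLETE, then download
    the CSV. boto3 returns {"State": "STARTED"|"INPROGRESS"|"COMPLETE"} from
    generate_credential_report() and {"Content": bytes, ...} from
    get_credential_report()."""
    for _ in range(attempts):
        if client.generate_credential_report()["State"] == "COMPLETE":
            return client.get_credential_report()["Content"].decode("utf-8")
        sleep(delay)
    raise TimeoutError(f"credential report not ready after {attempts} attempts")


def findings(report_csv):
    """Return (user, issue) tuples worth raising in an access review: console
    passwords without MFA, and active access keys that have never been used.
    The root row reports password_enabled as not_supported, so it is skipped."""
    out = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row["password_enabled"] == "true" and row["mfa_active"] == "false":
            out.append((user, "console password without MFA"))
        for n in ("1", "2"):
            if (row[f"access_key_{n}_active"] == "true"
                    and row[f"access_key_{n}_last_used_date"] == "N/A"):
                out.append((user, f"access key {n} active but never used"))
    return out


# Constructed sample with the real report's column layout (account and users
# are fictitious). alice has a password without MFA and an unused key.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,no_information,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-03-04T10:00:00+00:00,true,2024-05-01T09:00:00+00:00,2024-01-10T09:00:00+00:00,N/A,false,true,2024-01-10T09:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2021-03-04T10:00:00+00:00,true,2024-05-01T09:00:00+00:00,2024-01-10T09:00:00+00:00,N/A,true,true,2024-01-10T09:00:00+00:00,2024-05-02T09:00:00+00:00,us-east-1,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


class FakeIamClient:
    """Constructed stand-in for boto3.client("iam"): the first
    generate_credential_report() call answers STARTED, later ones COMPLETE."""

    def __init__(self, report_csv):
        self._calls = 0
        self._csv = report_csv

    def generate_credential_report(self):
        self._calls += 1
        return {"State": "STARTED" if self._calls == 1 else "COMPLETE"}

    def get_credential_report(self):
        return {"Content": self._csv.encode("utf-8"), "ReportFormat": "text/csv"}


def demo():
    """Prime and parse the sample report without sleeping between polls."""
    client = FakeIamClient(SAMPLE_REPORT)
    return findings(fetch_credential_report(client, sleep=lambda _: None))


if __name__ == "__main__":
    for user, issue in demo():
        print(f"{user}: {issue}")
```

The attempts and delay arguments bound the wait; a report for a large account can take a while to generate, and giving up with a clear error is better than a scan that silently records no credential data.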

Considerations

IAM is a global service within an account, so a single scan covers the whole account's IAM data; there is no per-Region scope to configure.
