Skip to main content

About AWS Identity and Access Management (IAM)

The IAM connector inventories users, roles, groups, policies, access keys, MFA devices, and credential reports. High sensitivity data used for access-review evidence. The integration uses sts:AssumeRole. IAMReadOnlyAccess is simplest; the inline JSON below narrows to Get* / List* plus GenerateCredentialReport / GenerateServiceLastAccessedDetails. Treat the cross-account role ARN like infrastructure secrets - limit who edits trust relationships.

How It Works

Iru runs in its own AWS account. To read IAM data in your account, you create an IAM role with a trust policy that allows Iru’s principal to call sts:AssumeRole, gated by the External ID from the wizard, and a permissions policy that grants read-only access to IAM resources (for example IAMReadOnlyAccess or the tighter inline JSON on the AWS tab). You then paste the role’s ARN back into Iru. IAMReadOnlyAccess exposes identities, policy documents, and access-key metadata by design, so treat the role and its ARN as sensitive.
DetailValue
CategoryIdentity
AuthenticationCross-account IAM role

Prerequisites

  • IAM admin rights in the same account whose IAM plane you want evidence for.

Connect AWS IAM to Iru

Start here: open the source wizard and copy the trust policy (and note the external ID). When you are ready to create the role in AWS, switch to the AWS tab and follow Create the IAM role in AWS. After you have the Role ARN, return to the Iru Compliance tab and complete Submit the role ARN in Iru below.

Get the trust policy from Iru

1

Open Sources

In Iru Compliance, on the left navigation bar, expand Compliance and select Sources.
Left navigation: Compliance expanded, Sources selected
2

Turn on AWS IAM

Find AWS IAM (use Category or Search by name or description). On that card, turn on the toggle. Leave the Iru is requesting access to external services wizard tab open.
3

Copy the trust policy JSON

The wizard shows the trust policy JSON your IAM role must use (Principal and sts:ExternalId). Below is an example of the structure; copy the live JSON from your wizard so the account, principal ARN, and external ID match exactly.
copy=false
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::753695775620:role/IruConnect"
      },
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_EXTERNAL_ID"
        }
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
4

Switch to AWS to create the role

Keep the Iru wizard tab open for reference, then switch to the AWS tab and follow Create the IAM role in AWS.

Submit the role ARN in Iru

Finish the AWS tab first (through Create the IAM role in AWS) so you have the Role ARN from the new role.
1

Paste the IAM Role ARN

Return to the Iru wizard tab. Paste the Role ARN into the field the wizard provides.
2

Finish the connection

Click Submit Role. When the connection succeeds, the wizard shows Connection Configured.
3

Confirm the source is Active

Close the Iru is requesting access to external services browser tab, then return to ComplianceSources and confirm the AWS IAM card is Active.

Troubleshooting

Check pop-up blocker settings for the Iru site and try again.
Prime GenerateCredentialReport manually once via console/CLI.
Wildcards must cover Get* / List* for each resource type you expect.

Considerations

IAM is global within an account: single scan covers…

IAM is global within an account - single scan covers all Regions’ IAM APIs.

Sources Management

Browse and manage every Compliance source.

Getting Started With Compliance

Frameworks, actions, and Artifacts.

Iru Overview

How Endpoint, Compliance, and Identity fit together.

Artifacts Management

Upload, review, and organize evidence from sources and actions.