← Back to DevBytes

Monitoring IAM: Metrics, Alarms, and Dashboards

What Is IAM Monitoring?

IAM (Identity and Access Management) monitoring is the practice of continuously observing the activities, permissions, and authentication patterns within your cloud or on‑premises identity fabric. In AWS, this translates to tracking API calls that modify users, roles, policies, and access keys, as well as monitoring authentication events and privilege escalations. Monitoring IAM means collecting, visualizing, and alerting on metrics derived from IAM‑related log data — primarily AWS CloudTrail logs and CloudWatch metrics — so that you know exactly who did what, when, and under what circumstances.

Why Monitoring IAM Matters

IAM is the security foundation of any cloud workload. A single overly permissive policy, an inactive access key left behind, or an anomalous burst of failed authentication attempts can expose your entire environment. Monitoring IAM gives you:

Without monitoring, IAM becomes a silent threat vector that you only discover after an incident.

Core IAM Metrics and Data Sources

AWS provides several native metrics and log sources that you should integrate into your monitoring stack. The primary sources are CloudTrail logs and CloudWatch metrics published by AWS services. You can also create custom metrics from log data using metric filters.

CloudTrail Events

Every IAM‑related API call (e.g., CreateUser, PutRolePolicy, DeleteAccessKey) is captured in CloudTrail. By creating metric filters on the associated log group, you transform raw events into countable metrics like “Number of DeleteRole calls in 5 minutes”. CloudTrail also captures authentication events (ConsoleLogin, AssumeRole) and errors.

Built‑in CloudWatch Metrics for IAM

AWS publishes a set of free, built‑in metrics under the AWS/IAM namespace that require no log filtering:

These built‑in metrics are immediately available and don't require log groups, making them perfect as a first‑line dashboard and alarm source.

IAM Access Analyzer Findings

IAM Access Analyzer generates findings when a resource policy grants public or cross‑account access that wasn't intended. While findings are not traditional time‑series metrics, you can monitor them via AWS Config rules and CloudWatch Events, or by polling the API and pushing custom metrics to CloudWatch.

Creating Alarms for IAM Anomalies

Alarms translate metrics into actionable notifications. The general workflow is: define a metric (built‑in or from a metric filter), create a CloudWatch alarm on that metric, and trigger an SNS topic for email, Slack, or pager notifications. Below are practical examples using the AWS CLI.

Example 1: Alarm on Root User Activity

Root account usage should be rare and tightly controlled. This alarm fires immediately whenever root credentials are used.

aws cloudwatch put-metric-alarm \
  --alarm-name RootCredentialUsageAlarm \
  --alarm-description "Alert whenever root credentials are used" \
  --namespace AWS/IAM \
  --metric-name RootCredentialUsage \
  --statistic Sum \
  --period 86400 \
  --evaluation-periods 1 \
  --threshold 1 \
  --comparison-operator GreaterThanOrEqualToThreshold \
  --alarm-actions arn:aws:sns:us-east-1:123456789012:iam-alerts \
  --treat-missing-data notBreaching

Note the --period 86400 (24 hours) and --evaluation-periods 1 so that a single daily sample triggers the alarm.

Example 2: Alarm on IAM Policy Changes

This alarm uses the built‑in PolicyChanges metric to alert on any spike in policy modifications, which could indicate an attacker altering permissions.

aws cloudwatch put-metric-alarm \
  --alarm-name HighPolicyChanges \
  --alarm-description "Alert when IAM policy changes exceed 5 in a 1-hour window" \
  --namespace AWS/IAM \
  --metric-name PolicyChanges \
  --statistic Sum \
  --period 3600 \
  --evaluation-periods 1 \
  --threshold 5 \
  --comparison-operator GreaterThanThreshold \
  --alarm-actions arn:aws:sns:us-east-1:123456789012:iam-alerts

Example 3: Alarm on Suspicious API Calls via Metric Filter

For events not covered by built‑in metrics — like DeleteRole or PutUserPolicy on privileged users — you create a metric filter on the CloudTrail log group and then an alarm. First, create the metric filter:

aws logs put-metric-filter \
  --log-group-name MyCloudTrailLogGroup \
  --filter-name DeleteRoleFilter \
  --filter-pattern '{ $.eventName = "DeleteRole" }' \
  --metric-transformations \
    metricName=DeleteRoleCount,metricNamespace=IAMCustom,metricValue=1,unit=Count

Then create the alarm on the custom metric:

aws cloudwatch put-metric-alarm \
  --alarm-name DeleteRoleAlarm \
  --metric-name DeleteRoleCount \
  --namespace IAMCustom \
  --statistic Sum \
  --period 300 \
  --evaluation-periods 1 \
  --threshold 1 \
  --comparison-operator GreaterThanOrEqualToThreshold \
  --alarm-actions arn:aws:sns:us-east-1:123456789012:iam-alerts

Building Dashboards for IAM

A CloudWatch dashboard consolidates metrics, alarms, and log queries into a single operational pane. You define the dashboard as a JSON body with widgets. Below is a complete dashboard example that includes:

{
  "widgets": [
    {
      "type": "metric",
      "x": 0,
      "y": 0,
      "width": 12,
      "height": 6,
      "properties": {
        "view": "timeSeries",
        "stacked": false,
        "metrics": [
          [ "AWS/IAM", "PolicyChanges", { "stat": "Sum" } ]
        ],
        "region": "us-east-1",
        "title": "IAM Policy Changes (1h)",
        "period": 3600
      }
    },
    {
      "type": "metric",
      "x": 12,
      "y": 0,
      "width": 6,
      "height": 6,
      "properties": {
        "view": "singleValue",
        "metrics": [
          [ "AWS/IAM", "RootCredentialUsage", { "stat": "Sum", "period": 86400 } ]
        ],
        "region": "us-east-1",
        "title": "Root Usage Today",
        "period": 86400
      }
    },
    {
      "type": "alarm",
      "x": 18,
      "y": 0,
      "width": 6,
      "height": 3,
      "properties": {
        "title": "Alarm Status: Root Usage",
        "alarms": [
          "arn:aws:cloudwatch:us-east-1:123456789012:alarm:RootCredentialUsageAlarm"
        ]
      }
    },
    {
      "type": "log",
      "x": 0,
      "y": 6,
      "width": 24,
      "height": 6,
      "properties": {
        "query": "fields @timestamp, userIdentity.userName, requestParameters.roleName, sourceIPAddress | filter eventName = 'DeleteRole' | sort @timestamp desc | limit 20",
        "region": "us-east-1",
        "title": "Recent DeleteRole Events (CloudTrail)",
        "view": "table"
      }
    }
  ]
}

To create the dashboard via CLI:

aws cloudwatch put-dashboard \
  --dashboard-name IAM-Monitoring \
  --dashboard-body file://iam-dashboard.json

Widget Types for IAM

Automating IAM Monitoring with Infrastructure as Code

You can embed the entire monitoring setup — metric filters, alarms, and dashboards — into CloudFormation or Terraform. Below is a CloudFormation snippet that creates a metric filter, alarm, and SNS topic for DeleteRole events.

Resources:
  IAMAlarmTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: iam-alerts

  DeleteRoleMetricFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref MyCloudTrailLogGroup
      FilterPattern: '{ $.eventName = "DeleteRole" }'
      MetricTransformations:
        - MetricName: DeleteRoleCount
          MetricNamespace: IAMCustom
          MetricValue: "1"

  DeleteRoleAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: DeleteRoleAlarm
      Namespace: IAMCustom
      MetricName: DeleteRoleCount
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      Threshold: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      AlarmActions:
        - !Ref IAMAlarmTopic

Best Practices

Conclusion

Monitoring IAM is not optional — it's the first line of defense against identity‑based attacks and the backbone of audit readiness. By combining built‑in CloudWatch metrics, custom metric filters on CloudTrail logs, and well‑tuned alarms, you transform raw API activity into a clear, actionable signal. Dashboards tie it all together, giving security and operations teams a single pane of glass over IAM health. Start with root credential and policy change alerts, then expand to cover your critical IAM operations. Instrument your setup with Infrastructure as Code so that monitoring is deployed consistently across environments. With these practices, you'll know the instant your identity boundary is challenged — and be ready to respond.

🚀 Need a reliable AI agent for your project?

Deploy Hermes Agent in 10 minutes. Managed hosting, zero DevOps.

Get Started — $23.99/mo
← Back to all articles