Level 200: Automated IAM User Cleanup


  • Pierre Liddle, Principal Security Architect
  • Byron Pogson, Solutions Architect


This hands-on lab will guide you through the steps to deploy a AWS Lambda function with AWS Serverless Application Model (SAM) to provide regular insights on IAM User/s and AWS Access Key usage within your account. You will use the AWS SAM CLI to package your deployment. Skills learned will help you secure your AWS account in alignment with the AWS Well-Architected Framework.

The AWS Lambda function is triggered by a regular scheduled event in Amazon CloudWatch Events. Once the Lambda function runs to check the status of the AWS IAM Users and associated IAM Access Keys the results are sent the designated email contact via Amazon SNS. A check is also performed for unused roles and unused permissions identifed by IAM Access Analyzer. The logs from the AWS Lambda function are captured in Amazon CloudWatch Logs for review and trouble shooting purposes.



  • Identify orphaned IAM Users and AWS Access Keys
  • Take action to automatically remove IAM Users and AWS Access Keys no longer needed
  • Reduce identity sprawl


  • An AWS account that you are able to use for testing, that is not used for production or other purposes. NOTE: You will be billed for any applicable AWS resources used if you complete this lab.
  • Select region with support for AWS Lambda from the list: AWS Regions and Endpoints.
  • AWS Serverless Application Model (SAM) installed and configured. The AWS Serverless Application Model (SAM) is an open-source framework for building serverless applications. It provides shorthand syntax to express functions, APIs, databases, and event source mappings. With just a few lines per resource, you can define the application you want and model it using YAML. During deployment, SAM transforms and expands the SAM syntax into AWS CloudFormation syntax, enabling you to build serverless applications faster.


References & useful resources