AWS Security Hub adds org-wide unused IAM detection
- AWS documentation shows that Security Hub CSPM ingests IAM Access Analyzer unused-access findings across AWS organizations and individual accounts, surfacing them in the console, the API and the CLI.
- IAM Access Analyzer generates a finding for each instance of unused access it detects on an IAM user or role: unused roles, unused access keys, unused passwords, and unused services and actions on active principals.
- Customers can review those findings in Security Hub CSPM today and route them to EventBridge custom actions to drive remediation workflows.
AWS has folded unused IAM access signals into Security Hub CSPM, giving security teams a single place to review stale credentials and overbroad permissions across linked accounts. AWS documentation says IAM Access Analyzer sends unused-access findings to Security Hub CSPM, where they appear alongside other security findings as standard AWS Security Finding Format (ASFF) records. The integration covers unused access granted to IAM users or roles across an AWS organization or in individual accounts. AWS says customers can review those findings in the Security Hub console or programmatically through the API and CLI.

### So what exactly is new in practice?

Security Hub CSPM already acted as an aggregation layer for findings from AWS services; the practical change for many teams is that unused IAM access can now be handled inside the same workflow as other posture findings. AWS documentation says IAM Access Analyzer detects unused access for IAM users and roles, generates a finding for each case, and sends those findings to Security Hub CSPM. A central security team can therefore track identity hygiene without pivoting between separate consoles for every account. (docs.aws.amazon.com)

A December 4, 2023 AWS Security Blog post described the underlying organization-level model: IAM Access Analyzer continuously analyzes the accounts in an AWS organization, provides a centralized dashboard, and highlights unused roles, unused access keys for IAM users, unused passwords for IAM users, and unused services and actions for active principals. AWS tied that workflow to EventBridge and Security Hub for automated rightsizing and notification flows. (docs.aws.amazon.com)

### What counts as “unused IAM access” here?

IAM Access Analyzer documentation says unused-access findings cover more than dormant accounts. For an organization or account, the service continuously monitors IAM roles and users and generates findings for unused access. Those findings include unused roles, unused access keys, unused passwords, and, for active users and roles, unused services and actions that can point to over-privileged policies. (aws.amazon.com)

AWS has framed those findings as a least-privilege tool rather than a breach alert. In its September 18, 2024 blog post, AWS said the recommendations are meant to help developers refine unused permissions quickly, with suggested policies that preserve the existing resource and condition context. For unused roles, keys and passwords, AWS said the console includes quick links to delete them. (docs.aws.amazon.com)

### Where do teams actually see the findings?

Security Hub CSPM documentation says each finding includes severity, affected resources, status history and other metadata, and can be reviewed in the console, through the Security Hub CSPM API, or with the AWS CLI. The console exposes a finding panel with overview, history and resource details, while the API returns full finding records for downstream processing. (aws.amazon.com)

AWS says all findings use the AWS Security Finding Format, which matters for teams that normalize data across services or third-party tools. That common format makes it easier to feed IAM unused-access findings into the dashboards, triage queues and automation pipelines already built around Security Hub data.

### How does this connect to automated cleanup?

AWS documentation says Security Hub findings can be sent to a custom action in Amazon EventBridge, and AWS blog posts say IAM Access Analyzer can be paired with event-driven workflows to notify account owners and rightsize permissions at scale. (docs.aws.amazon.com) In practice, that gives platform and security teams a path to trigger tickets, approval flows or scripted remediation when stale keys, passwords or unused permissions appear. (docs.aws.amazon.com)

AWS has not described this as automatic permission removal by default. The company’s guidance centers on review, recommendations and optional workflow automation, with remediation handled by the customer through console actions, exported findings or downstream tooling. A practical consequence: a custom action should start with a reversible step (deactivate a key, open a ticket, attach a proposed policy for review) rather than deleting a principal, since a role that looks unused in the analyzer’s window may still be needed by an infrequent job.

### What should a reader watch next?

AWS documentation says customers who already use IAM Access Analyzer and Security Hub CSPM can review unused-access findings immediately once the integration is enabled. (docs.aws.amazon.com) AWS also documents finding retrieval through the Security Hub CSPM API and CLI, and EventBridge custom actions remain the named handoff point for teams building remediation workflows around those findings. (docs.aws.amazon.com) (aws.amazon.com)
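The two handoff points the article names, retrieving findings through the Security Hub CSPM API and receiving them from an EventBridge custom action, as an added example (not AWS’s code, and not from the documentation the article cites). It builds a `GetFindings` filter for open Access Analyzer findings and then parses the event Security Hub emits for a custom action, classifying each ASFF finding into the categories the article lists and proposing a reversible first step instead of deleting anything. Assumptions are marked in the code: the `ProductName` value Security Hub records for Access Analyzer findings, the ASFF resource types and title wording used for classification, and the sample event itself, which is constructed rather than captured from an account.

```python
"""Added example: triage IAM Access Analyzer unused-access findings that
Security Hub CSPM has ingested. Not AWS's code; see assumptions below."""
import json

# Assumption: the ProductName Security Hub CSPM records on Access Analyzer findings.
ACCESS_ANALYZER_PRODUCT_NAME = "IAM Access Analyzer"
# detail-type Security Hub uses for custom-action events (documented by AWS).
CUSTOM_ACTION_DETAIL_TYPE = "Security Hub Findings - Custom Action"


def unused_access_filter() -> dict:
    """Filters for securityhub:GetFindings selecting open Access Analyzer findings.

    RecordState/WorkflowStatus keep archived and resolved findings out of the queue.
    """
    return {
        "ProductName": [{"Value": ACCESS_ANALYZER_PRODUCT_NAME, "Comparison": "EQUALS"}],
        "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
        "WorkflowStatus": [
            {"Value": "NEW", "Comparison": "EQUALS"},
            {"Value": "NOTIFIED", "Comparison": "EQUALS"},
        ],
    }


def fetch_findings(securityhub_client) -> list:
    """Page through GetFindings with the filter above (needs boto3 and credentials)."""
    paginator = securityhub_client.get_paginator("get_findings")
    findings = []
    for page in paginator.paginate(Filters=unused_access_filter()):
        findings.extend(page["Findings"])
    return findings


def classify(finding: dict) -> str:
    """Map an ASFF finding to one of the unused-access categories the article lists.

    Assumption: the first ASFF resource is the IAM principal or key, and the Title
    names the kind of unused access when the resource type alone is ambiguous
    (a user may be flagged for a password, a role for an unused permission).
    """
    resource_type = finding["Resources"][0]["Type"]
    title = finding.get("Title", "").lower()
    if resource_type == "AwsIamAccessKey":
        return "unused_access_key"
    if resource_type == "AwsIamRole" and "permission" not in title:
        return "unused_role"
    if "password" in title:
        return "unused_password"
    return "unused_permission"


# Reversible first steps; deletion stays a human decision, as the article notes.
FIRST_STEP = {
    "unused_access_key": "deactivate_access_key",
    "unused_role": "open_review_ticket",
    "unused_password": "disable_console_password",
    "unused_permission": "attach_recommended_policy_for_review",
}

SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "INFORMATIONAL": 4}


def handle_custom_action(event: dict) -> list:
    """Turn a Security Hub custom-action event into an ordered remediation plan.

    A real Lambda would hand the plan to a ticketing system or IAM automation
    with its own approval gate; nothing here calls IAM.
    """
    if event.get("detail-type") != CUSTOM_ACTION_DETAIL_TYPE:
        raise ValueError("not a Security Hub custom-action event")
    plan = []
    for finding in event["detail"]["findings"]:
        category = classify(finding)
        plan.append({
            "finding_id": finding["Id"],
            "account": finding["AwsAccountId"],
            "resource": finding["Resources"][0]["Id"],
            "severity": finding["Severity"]["Label"],
            "category": category,
            "first_step": FIRST_STEP[category],
        })
    plan.sort(key=lambda p: SEVERITY_ORDER.get(p["severity"], 5))  # stable: ties keep input order
    return plan


# Constructed sample event (account id, ARNs, titles and severities are made up).
SAMPLE_EVENT = {
    "version": "0",
    "detail-type": CUSTOM_ACTION_DETAIL_TYPE,
    "source": "aws.securityhub",
    "account": "111122223333",
    "region": "us-east-1",
    "resources": ["arn:aws:securityhub:us-east-1:111122223333:action/custom/RemediateUnusedAccess"],
    "detail": {
        "actionName": "RemediateUnusedAccess",
        "actionDescription": "Route unused-access findings to the IAM hygiene workflow",
        "findings": [
            {"Id": "constructed-finding-1", "AwsAccountId": "111122223333",
             "ProductName": ACCESS_ANALYZER_PRODUCT_NAME, "Title": "Unused access key",
             "Severity": {"Label": "MEDIUM"},
             "Resources": [{"Type": "AwsIamAccessKey", "Id": "AKIAIOSFODNN7EXAMPLE"}]},
            {"Id": "constructed-finding-2", "AwsAccountId": "111122223333",
             "ProductName": ACCESS_ANALYZER_PRODUCT_NAME, "Title": "Unused IAM role",
             "Severity": {"Label": "LOW"},
             "Resources": [{"Type": "AwsIamRole", "Id": "arn:aws:iam::111122223333:role/legacy-batch"}]},
            {"Id": "constructed-finding-3", "AwsAccountId": "111122223333",
             "ProductName": ACCESS_ANALYZER_PRODUCT_NAME, "Title": "Unused password",
             "Severity": {"Label": "MEDIUM"},
             "Resources": [{"Type": "AwsIamUser", "Id": "arn:aws:iam::111122223333:user/contractor"}]},
            {"Id": "constructed-finding-4", "AwsAccountId": "111122223333",
             "ProductName": ACCESS_ANALYZER_PRODUCT_NAME, "Title": "Unused permission on role",
             "Severity": {"Label": "HIGH"},
             "Resources": [{"Type": "AwsIamRole", "Id": "arn:aws:iam::111122223333:role/app-server"}]},
        ],
    },
}

if __name__ == "__main__":
    print(json.dumps(handle_custom_action(SAMPLE_EVENT), indent=2))
```

The filter keeps the queue to findings nobody has resolved or suppressed yet; in production you would also scope it by `AwsAccountId` or `ResourceTags` per owning team. The plan never deletes: an unused key is deactivated (a one-line reversal if something breaks), and roles, passwords and permissions go to a review step, matching the article’s point that AWS leaves removal to the customer.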