Detection: IAM Identity Created Without CloudFormation
Overview
Detect when IAM entity (users, roles, or groups) was created outside of AWS CloudFormation. Manually created entities bypass centralized governance, auditing, and compliance controls, increasing the risk of over-permissioning and misconfigurations. Identifying such entities helps maintain secure resource management and ensures adherence to infrastructure-as-code (IaC) best practices.
References:
Usage
Run the detection in your terminal:
powerpipe detection run aws_cloudtrail_log_detections.detection.iam_identity_created_without_cloudformationSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe detection run aws_cloudtrail_log_detections.detection.iam_identity_created_without_cloudformation --shareSQL
This detection uses a named query:
select tp_timestamp as timestamp,string_split(event_source, '.')[1] || ':' || event_name as operation,coalesce(request_parameters ->> 'userName', request_parameters ->> 'roleName', request_parameters ->> 'groupName') as resource,user_identity.arn as actor,tp_source_ip as source_ip,tp_index as account_id,aws_region as region,tp_id as source_id,*
from aws_cloudtrail_logwhere event_source = 'iam.amazonaws.com' and event_name in ( 'CreateGroup', 'CreateRole', 'CreateUser' ) and ( user_identity.invoked_by is null or user_identity.invoked_by != 'cloudformation.amazonaws.com' ) and error_code is null
order by event_time desc;