Most Cloud Security Posture Management (CSPM) tools rely on iam:GenerateCredentialReport to fetch IAM user details. However, this API fails in AWS accounts with large IAM user bases (e.g., 20,000+ users), causing:
- Missed IAM misconfigurations 🚨
- Blind spots in security audits 🕵️
- Unmonitored access risks 🔓
AWS's current hard limit allows a maximum of 5000 IAM users per account—but what happens when an enterprise has 25,000+ users?
👉 Kloudle solved this.
We bypassed AWS’s API limitations to provide IAM misconfiguration detection at any scale.
Instead of relying on iam:GenerateCredentialReport, we dynamically query AWS APIs to fetch IAM data without limits.
This uncovered critical IAM risks that CSPM tools miss in large accounts.
Our method identified high-impact security flaws, such as:
1️⃣ Users with multiple active access keys
- Attackers can maintain access even after a breach.
- APIs used:
aws iam list-users,aws iam list-access-keys
2️⃣ Stale IAM keys (not rotated in 90+ days)
- Prolonged attack surface, compliance failures.
- APIs used:
aws iam list-users,aws iam list-access-keys
3️⃣ Unused IAM keys (last used >90 days ago)
- Forgotten keys pose high-risk entry points.
- APIs used:
aws iam get-access-key-last-used
4️⃣ Users with password login but NO MFA
- One stolen password = full account compromise.
- APIs used:
aws iam list-users,aws iam list-mfa-devices
AWS IAM security is not one-size-fits-all.
Enterprise-scale AWS accounts break traditional security tools.
By dynamically querying AWS APIs without relying on credential reports, we offer:
✅ Security for AWS accounts with 20,000+ IAM users
✅ Deep visibility beyond CSPM limitations
✅ Real-time IAM risk detection without API failures
- Read more: Kloudle’s Blog on IAM Security
- Join the Discussion: Open an issue if you've faced similar IAM challenges!
🚀 Securing AWS at Scale. One IAM risk at a time.