Most Cloud Security Posture Management (CSPM) tools rely on iam:GenerateCredentialReport to fetch IAM user details. However, this API fails in AWS accounts with large IAM user bases (e.g., 20,000+ users), causing:
- Missed IAM misconfigurations
- Blind spots in security audits
- Unmonitored access risks
AWS's current hard limit allows a maximum of 5000 IAM users per account, but what happens when an enterprise has 25,000+ users?
Kloudle solved this.
We bypassed AWS's API limitations to provide IAM misconfiguration detection at any scale.
Instead of relying on iam:GenerateCredentialReport, we dynamically query AWS APIs to fetch IAM data without limits.
This uncovered critical IAM risks that CSPM tools miss in large accounts.
Our method identified high-impact security flaws, such as:
1. Users with multiple active access keys
- Attackers can maintain access even after a breach.
- APIs used: aws iam list-users, aws iam list-access-keys
2. Stale IAM keys (not rotated in 90+ days)
- Prolonged attack surface, compliance failures.
- APIs used: aws iam list-users, aws iam list-access-keys
3. Unused IAM keys (last used >90 days ago)
- Forgotten keys pose high-risk entry points.
- APIs used: aws iam get-access-key-last-used
4. Users with password login but NO MFA
- One stolen password = full account compromise.
- APIs used: aws iam list-users, aws iam list-mfa-devices
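The four checks above, applied to the shapes those APIs return, as an added example that is not Kloudle's own code. It runs offline on constructed sample data shaped like the list-users, list-access-keys, get-access-key-last-used and list-mfa-devices responses; in a real account you would fill the same structures from boto3 paginators (page by page, so the 5000-user report limit never applies). The use of PasswordLastUsed as the "has a console password" signal is an assumption of this example.

```python
from datetime import datetime, timedelta, timezone

STALE_DAYS = 90
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed reference time

# Constructed sample responses (not real accounts or keys), shaped like the AWS API output.
USERS = [  # iam list-users: PasswordLastUsed only present for users who logged in with a password
    {"UserName": "alice", "PasswordLastUsed": NOW - timedelta(days=2)},
    {"UserName": "bob"},
]
ACCESS_KEYS = {  # iam list-access-keys, keyed by UserName
    "alice": [
        {"AccessKeyId": "AKIAEXAMPLE0000001", "Status": "Active", "CreateDate": NOW - timedelta(days=400)},
        {"AccessKeyId": "AKIAEXAMPLE0000002", "Status": "Active", "CreateDate": NOW - timedelta(days=10)},
    ],
    "bob": [{"AccessKeyId": "AKIAEXAMPLE0000003", "Status": "Active", "CreateDate": NOW - timedelta(days=30)}],
}
KEY_LAST_USED = {  # iam get-access-key-last-used, keyed by AccessKeyId; no LastUsedDate means never used
    "AKIAEXAMPLE0000001": {"LastUsedDate": NOW - timedelta(days=120)},
    "AKIAEXAMPLE0000002": {"LastUsedDate": NOW - timedelta(days=1)},
    "AKIAEXAMPLE0000003": {},
}
MFA_DEVICES = {"alice": [], "bob": [{"SerialNumber": "arn:aws:iam::123456789012:mfa/bob"}]}  # iam list-mfa-devices


def audit(users, access_keys, key_last_used, mfa_devices, now=NOW):
    """Return (UserName, finding) pairs for the four IAM risks, one user at a time."""
    findings = []
    for user in users:
        name = user["UserName"]
        active = [k for k in access_keys.get(name, []) if k["Status"] == "Active"]
        if len(active) > 1:  # check 1: more than one active key
            findings.append((name, "multiple_active_keys"))
        for key in active:
            age = (now - key["CreateDate"]).days
            if age > STALE_DAYS:  # check 2: key not rotated within STALE_DAYS
                findings.append((name, "stale_key:" + key["AccessKeyId"]))
            # check 3: a never-used key is judged by its creation date instead of a last-used date
            last = key_last_used.get(key["AccessKeyId"], {}).get("LastUsedDate") or key["CreateDate"]
            if (now - last).days > STALE_DAYS:
                findings.append((name, "unused_key:" + key["AccessKeyId"]))
        # check 4 (assumption): PasswordLastUsed present => console password login; no MFA device => finding
        if "PasswordLastUsed" in user and not mfa_devices.get(name):
            findings.append((name, "password_without_mfa"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(USERS, ACCESS_KEYS, KEY_LAST_USED, MFA_DEVICES):
        print(f"{user}: {finding}")
```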
AWS IAM security is not one-size-fits-all.
Enterprise-scale AWS accounts break traditional security tools.
By dynamically querying AWS APIs without relying on credential reports, we offer:
- Security for AWS accounts with 20,000+ IAM users
- Deep visibility beyond CSPM limitations
- Real-time IAM risk detection without API failures
- Read more: Kloudle's Blog on IAM Security
- Join the Discussion: Open an issue if you've faced similar IAM challenges!
Securing AWS at Scale. One IAM risk at a time.