Get Started
Back to Templates

Monitor & Alert on Inactive AWS IAM Users with Slack Notifications

Created by

Created by: Trung Tran || trungtran

Trung Tran

Last update

Last update 2 months ago

Categories

Share

AWS IAM Inactive User Automation Alert Workflow

Weekly job that finds IAM users with no activity for > 90 days and notifies a Slack channel.
⚠️ Important: AWS SigV4 for IAM must be scoped to us-east-1. Create the AWS credential in n8n with region us-east-1 (even if your other services run elsewhere).

Who’s it for

  • SRE/DevOps teams that want automated IAM hygiene checks.
  • Security/compliance owners who need regular inactivity reports.
  • MSPs managing multiple AWS accounts who need lightweight alerting.

How it works / What it does

  1. Weekly scheduler – kicks off the workflow (e.g., every Monday 09:00).
  2. Get many users – lists IAM users.
  3. Get user – enriches each user with details (password status, MFA, etc.).
  4. Filter bad data – drops service-linked users or items without usable dates.
  5. IAM user inactive for more than 90 days? – keeps users whose last activity is older than 90 days.
    • Last activity is derived from any of:
      • PasswordLastUsed (console sign-in)
      • AccessKeyLastUsed.LastUsedDate (from GetAccessKeyLastUsed if you add it)
      • Fallback to CreateDate if no usage data exists (optional)
  6. Send a message (Slack) – posts an alert for each inactive user.
  7. No operation – path for users that don’t match (do nothing).

How to set up

  1. Credentials
    • AWS (Predefined → AWS)
      • Service: iam
      • Region: us-east-1required for IAM
      • Access/Secret (or Assume Role) with read-only IAM perms (see below).
    • Slack OAuth (bot in your target channel).

Requirements

  • n8n (current version).
  • AWS IAM permissions (minimum):
    • iam:ListUsers, iam:GetUser
    • (Optional for higher fidelity) iam:ListAccessKeys, iam:GetAccessKeyLastUsed
  • Slack bot with permission to post in the target channel.
  • Network egress to iam.amazonaws.com.

How to customize the workflow

  • Change window: set 60/120/180 days by adjusting minus(N, 'days').
  • Audit log: append results to Google Sheets/DB with UserName, Arn, LastActivity, CheckedAt.
  • Escalation: if a user remains inactive for another cycle, mention @security or open a ticket.
  • Auto-remediation (advanced): on a separate approval path, disable access keys or detach policies.
  • Multi-account / multi-region: iterate a list of AWS credentials (one per account; IAM stays us-east-1).
  • Exclude list: add a static list or tag-based filter to skip known service users.

Notes & gotchas

  • Many users never sign in; if you don’t pull GetAccessKeyLastUsed, they may look “inactive”. Add that call for accuracy.
  • PasswordLastUsed is null if console login never happened.
  • IAM returns timestamps in ISO or epoch—use toDate/toDateTime before comparisons.