Skip to main content
← back to extensions

Aws Iam Role Audit

@jentz/aws-iam-role-auditv2026.06.13.0· 2d agoMODELS
01README

Read-only fleet IAM lens for an integration's roles across many accounts. A single audit method fans out in one locked execution: for each configured role it reads the role directly in each account, determines the management mechanism authoritatively from CloudFormation ownership, validates the role against its expectations (attached policies, trust principals, external ids), and writes one role resource per (account, role) plus one scan_error per account/phase that cannot be assessed.

The role resource carries existence, ARN, path, create date, tags, attached managed-policy ARNs, inline policy names, trust principals and external ids, the four-value management mechanism (cfn-stackset/cfn-standalone-stack/manual/missing), a required flag, and a compliant flag with human-readable findings. A per-account credential failure or per-role read failure produces a scan_error and never aborts the sweep.

Configuration is multi-role only (roles: [...]), and stackLookupRegions is required with no default — both surfaces fail closed before any AWS call.

Read-only: only iam:Get*/iam:List*, cloudformation:DescribeStackResources, and sts:GetCallerIdentity are ever called, so the audit runs under a *-readonly profile. Companion to @jentz/aws-stackset-audit; both feed an integration-coverage coalescer.

02Models1
@jentz/aws-iam-role-auditv2026.06.13.0aws_iam_role_audit.ts

Global Arguments

ArgumentTypeDescription
rolesarrayThe integration's roles, each with its own expectations and required
profilesarrayNamed AWS profiles to sweep, one account each. Empty uses the ambient
stackLookupRegions?arrayREQUIRED. Regions searched (in order) for the CloudFormation stack that
requiredProfileSuffixstringIf set, every profile must end with this suffix or it is refused before
regionstringRegion for the IAM/STS client endpoint. IAM is global; us-east-1 is safe.
fn audit()
Read-only fan-out: for each configured role, sweep every profile

Resources

role(infinite)— One integration role observed (or absent) in one account, with its
scan_error(infinite)— A profile (or profile × role) that could not be assessed — expired
03Stats
A
100 / 100
Downloads
0
Archive size
304.3 KB
  • Has README or module doc2/2earned
  • README has a code example1/1earned
  • README is substantive1/1earned
  • Most symbols documented1/1earned
  • No slow types (deprecated)1/1earned
  • Dependencies pass trust audit2/2earned
  • Has description1/1earned
  • Platform support declared (or universal)2/2earned
  • License declared1/1earned
  • Verified public repository2/2earned
Repository
https://github.com/jentz/swamp-extensions
04Platforms
05Labels
#aws#iam#audit#cloud