The Problem<\/h2>\n
Every AWS project we manage runs an IAM compliance script that generates a daily report. The report tells us who hasn’t rotated their access keys, who hasn’t changed their password in months, who doesn’t have MFA enabled, and who hasn’t logged in for over 75 days. Detection was never the issue.<\/p>\n
The issue was everything that came after. There was no automated follow-up, no enforcement, and no guarantee that a non-compliant access key would ever get rotated. Keys could stay active for months if no one followed up aggressively enough. Our team was spending 1\u20133 hours every week<\/strong> on repetitive manual work with inconsistent results.<\/p>\n We needed a system that could handle the entire lifecycle automatically \u2014 from the first notification all the way to disabling old keys.<\/p>\n We designed a Python-based automation that runs daily via a Jenkins pipeline or cron job. It scans all IAM users, compares them against compliance thresholds, and escalates through five stages over 14 days before automatically disabling non-compliant access keys.<\/p>\n 5-Stage Escalation Flow<\/p><\/div>\n Each user’s escalation state is stored in an S3 JSON file (encrypted) so the automation remembers exactly where it left off between daily runs. If a user resolves their violation at any point, the state is cleared automatically.<\/p>\n A core design goal was to avoid inbox clutter. Instead of sending separate emails for each violation type, the system sends one consolidated email per user<\/strong> listing all their issues with a per-violation stage badge. All follow-ups are threaded in the same Gmail conversation using SES threading headers ( The email uses a navy banner header with color-coded stage badges (green for notification, amber for warning, red for enforcement) so the user can immediately understand the urgency at a glance.<\/p>\n Email Routing Rules<\/p><\/div>\n Credentials are never written in the email body<\/strong>. They are always sent as a CSV attachment in a separate private email with no CC. Every generated credential is also backed up to S3 under We made sure the automation is completely project-agnostic. Every hardcoded project reference was removed from the codebase. The entire project identity flows from a single line in This one setting drives:<\/p>\n We provide two deployment options:<\/p>\n Deploying to a new project takes approximately 30 minutes including S3 bucket setup, IAM policy creation, SES verification, and user email tagging.<\/p>\n IAM compliance is a critical part of any AWS security posture, but enforcing it manually doesn’t scale. By building a 5-stage escalation automation with consolidated emails, auto-credential generation, threaded follow-ups, and guaranteed enforcement, our team went from spending hours every week on compliance chasing to spending zero.<\/p>\n The system is fully open for adoption across any AWS project in the competency. All you need is an AWS account with SES configured, an S3 bucket, and about 30 minutes. Full documentation, setup guide, and deployment packages are available \u2014 reach out to the MSP team and we’ll get you set up.<\/p>\n","protected":false},"excerpt":{"rendered":" Introduction Managing IAM (Identity and Access Management) compliance manually is one of those tasks that sounds simple but quietly consumes hours every week. Someone has to read the daily report, identify non-compliant users, send individual emails, track who responded, follow up again, and eventually rotate keys manually for users who never got around to it. […]<\/p>\n","protected":false},"author":2266,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":2},"categories":[5877],"tags":[248,1916,8571,1499,8572],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/80112"}],"collection":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/users\/2266"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/comments?post=80112"}],"version-history":[{"count":2,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/80112\/revisions"}],"predecessor-version":[{"id":80165,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/80112\/revisions\/80165"}],"wp:attachment":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/media?parent=80112"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/categories?post=80112"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/tags?post=80112"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}The Solution: 5-Stage Escalation Automation<\/h2>\n
Compliance Checks<\/h3>\n
\n
The 5-Stage Escalation Flow<\/h3>\n
![\"5-Stage](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2026\/06\/IAM_Escalation_Flow1.png\")
\n
One Email Per User. One Thread.<\/h2>\n
In-Reply-To<\/code> and References<\/code>).<\/p>\nEmail Routing Rules<\/h3>\n
![\"Email](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2026\/06\/IAM_Email_Routing.png\")
iam-compliance\/{project}\/credentials\/<\/code> with AES-256 encryption as a fallback.<\/p>\nBuilt to Be Reused Across Projects<\/h2>\n
config.yaml<\/code>:<\/p>\nproject_name: \"ETV\"<\/code><\/p>\n\n
[ETV] IAM Compliance: john.doe@company.com<\/code><\/li>\niam-compliance\/etv\/state.json<\/code><\/li>\niam-compliance\/etv\/credentials\/access-keys\/<\/code><\/li>\n<\/ul>\n\n
run.sh<\/code> wrapper for projects without Jenkins<\/li>\n<\/ul>\nKey Technical Decisions<\/h2>\n
\n
PasswordResetRequired: true<\/code> is set so users must immediately change their auto-generated password<\/li>\n<\/ul>\nResults<\/h2>\n
\n
Conclusion<\/h2>\n