Releases: TocConsulting/iam-activity-tracker

v1.2.0 - Multi-Region Support & Instant Setup

17 Sep 06:51

🚀 Major Improvements

Multi-Region Deployment Support

  • Fixed critical bug: Hardcoded AWS SDK Pandas layer ARN for eu-west-1 only
  • Added support for all 28 regions: Dynamic layer selection based on deployment region
  • Proper account ID mapping: Different regions use different AWS account IDs for layers

Instant Setup Experience

  • New post-deployment initialization: No more waiting 25+ hours for analytics
  • Immediate data collection: Collects up to 90 days of historical events in 1-5 minutes
  • Automatic Athena setup: Tables ready immediately after deployment
  • Interactive deployment: Choose to initialize during deployment or skip for later

Enhanced Developer Experience

  • New command: make init - Initialize system anytime after deployment
  • Better error handling: Improved environment variable management
  • Updated documentation: Clear deployment options and improved Quick Start

🔧 Technical Changes

  • Added region mapping for AWS SDK Pandas Python 3.13 layer (all 28 regions)
  • Created scripts/post-deploy-init.sh for immediate system initialization
  • Enhanced scripts/deploy.sh with interactive initialization prompt
  • Updated Makefile with new init command
  • Fixed environment variable passing between scripts

🌍 Supported Regions

Now works in all AWS regions with Python 3.13 Lambda layer support:
us-east-1, us-east-2, us-west-1, us-west-2, ca-central-1, eu-central-1, eu-central-2, eu-west-1, eu-west-2, eu-west-3,
eu-north-1, eu-south-1, eu-south-2, af-south-1, ap-northeast-1, ap-northeast-2, ap-northeast-3, ap-south-1, ap-south-2,
ap-southeast-1, ap-southeast-2, ap-southeast-3, ap-southeast-4, ap-east-1, me-central-1, me-south-1, il-central-1, sa-east-1

📦 Migration

For existing deployments:

# Update your deployment
git pull
make update

# Initialize if you want immediate analytics
make init

For new deployments:

export AWS_REGION=your-region
export AWS_PROFILE=your-profile
make deploy
# Choose 'Y' when prompted for initialization

v1.0.0

07 Sep 23:33

v1.0.0 - Initial Release

🎉 First Production Release

Features

🔍 Comprehensive Event Tracking

  • IAM Events: Track all IAM activities (user/role/policy management) from us-east-1
  • STS Events: Monitor AssumeRole operations across all active AWS regions
  • Console Signin Events: Capture AWS Console authentication attempts
  • SSO/Identity Center Events: Track SSO permission sets, account assignments, and application management

💾 Multi-Tier Storage Architecture

  • DynamoDB Tables: Real-time event storage with Global Secondary Indexes for fast queries
  • S3 + Parquet Export: Automated daily export to S3 in optimized Parquet format
  • Athena Integration: SQL analytics with 15 pre-built security queries
  • 90-Day CloudTrail History: Initial backfill of historical events

🚨 Real-Time Security Alerts

  • Root account activity monitoring
  • IAM user creation tracking
  • Administrative policy attachments (AdministratorAccess, IAMFullAccess, PowerUserAccess)
  • Dangerous inline policies (*, iam:*, sts:*)
  • Access key lifecycle management
  • External account trust relationships
  • MFA device deletion detection
  • SSO permission set modifications
  • SSO account assignment tracking
  • SSO application management monitoring
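
How a few of the alert rules listed above can be expressed over CloudTrail records, as an added example that is not iam-activity-tracker's own code. The function names, alert labels and sample records are hypothetical, and it assumes requestParameters.policyDocument arrives as a JSON string.

```python
import json

# Policy names and action patterns come from the release notes; event sets are CloudTrail eventName values.
ADMIN_POLICIES = {"AdministratorAccess", "IAMFullAccess", "PowerUserAccess"}
DANGEROUS_ACTIONS = {"*", "iam:*", "sts:*"}
ATTACH_EVENTS = {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy"}
INLINE_EVENTS = {"PutUserPolicy", "PutRolePolicy", "PutGroupPolicy"}
MFA_EVENTS = {"DeactivateMFADevice", "DeleteVirtualMFADevice"}

def as_list(value):  # policy fields may hold a single item or a list
    return value if isinstance(value, list) else [] if value is None else [value]

def dangerous_actions(policy_document):
    """Return Allow-ed actions in a policy JSON string that match DANGEROUS_ACTIONS."""
    hits = set()
    for stmt in as_list(json.loads(policy_document).get("Statement")):
        if stmt.get("Effect") == "Allow":  # Deny statements grant nothing
            actions = (a.lower() for a in as_list(stmt.get("Action")))
            hits.update(a for a in actions if a in DANGEROUS_ACTIONS)
    return sorted(hits)

def classify(event):
    """Map one CloudTrail record (a dict) to a list of alert labels (hypothetical names)."""
    alerts = []
    name = event.get("eventName", "")
    params = event.get("requestParameters") or {}  # null for some calls
    if event.get("userIdentity", {}).get("type") == "Root":
        alerts.append("root_activity")
    if name in ATTACH_EVENTS:
        policy = params.get("policyArn", "").rsplit("/", 1)[-1]
        if policy in ADMIN_POLICIES:
            alerts.append(f"admin_policy_attached:{policy}")
    if name in INLINE_EVENTS:
        found = dangerous_actions(params.get("policyDocument", "{}"))
        alerts += [f"dangerous_inline_action:{a}" for a in found]
    if name in MFA_EVENTS:
        alerts.append("mfa_device_removed")
    return alerts

# Constructed sample records (not real CloudTrail output), reduced to the fields used.
INLINE_DOC = json.dumps({"Statement": [
    {"Effect": "Allow", "Action": ["iam:*", "s3:GetObject"], "Resource": "*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*"}]})
SAMPLE_EVENTS = [
    {"eventName": "AttachRolePolicy",
     "requestParameters": {"policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventName": "PutUserPolicy", "userIdentity": {"type": "Root"},
     "requestParameters": {"policyDocument": INLINE_DOC}},
    {"eventName": "DeactivateMFADevice", "requestParameters": None}]
```

Matching on exact action strings misses narrower wildcards such as iam:Put*, so a rule set built this way is a floor, not a complete check.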

📊 Analytics Queries (15 Pre-built)

  • User activity patterns and identification
  • Failed authentication detection
  • Root account usage alerts
  • Off-hours access monitoring (outside 6 AM - 10 PM)
  • Permission change tracking
  • Role assumption patterns
  • Daily/hourly activity summaries
  • SSO administrative user identification
  • SSO permission set and policy analysis

⚡ Performance & Scalability

  • Multi-threaded region processing
  • Batch DynamoDB writes
  • Incremental processing with checkpoint management
  • Configurable schedules (hourly/6h/12h/daily)
  • AWS Free Tier optimized (typically $0/month for most organizations)

🛠️ Operational Tools

  • Automated deployment with SAM CLI
  • AWS CLI/SAM CLI auto-installation support
  • Colored terminal output for better readability
  • Rich terminal formatting for query results
  • Comprehensive logging and error handling

Infrastructure Components

  • 2 Lambda Functions: Tracker (1GB RAM, 5min timeout) and Exporter (2GB RAM, 15min timeout)
  • 3 DynamoDB Tables: Events, Control, and Alerts (with TTL)
  • 2 S3 Buckets: Analytics data and Athena query results
  • 1 SNS Topic: Security alert notifications
  • CloudWatch Alarms: Function errors and duration monitoring
  • Glue Crawler: Automated partition discovery
  • Athena WorkGroup: Dedicated query execution environment

Deployment

# Simple one-command deployment
./scripts/deploy.sh

# Or with make
make deploy

Requirements

- AWS Account with appropriate IAM permissions
- Python 3.13 runtime support
- AWS CLI configured with credentials
- SAM CLI for deployment

Security & Compliance

- All data encrypted at rest (AWS managed keys)
- TLS 1.2+ for data in transit
- Fine-grained IAM policies
- Configurable data retention policies

Cost Optimization

- DynamoDB on-demand pricing
- S3 lifecycle policies (Standard → IA → Glacier → Deep Archive)
- Parquet compression (75% storage reduction)
- Query result caching in Athena
- Typically operates within AWS Free Tier limits