AWS IAM
Identity & SecurityConnect AI agents to AWS Identity and Access Management. Agents provision users and access keys, attach and detach managed policies, manage group membership, rotate credentials, and audit account posture.
What This Integration Enables
Agents provision new IAM users and programmatic access keys as part of an onboarding automation, attach or detach managed policies on users and roles to grant or revoke permissions on demand, manage group membership to apply permission sets consistently across teams, rotate access keys by creating a new key and then deactivating and deleting the old one, and audit account posture by listing users, groups, roles, and pulling an IAM account summary. IAM is a global service, so requests go to the single global endpoint and are always signed for us-east-1; the region setting only matters when authenticating through an assumed role. The connector respects IAM's guardrails: the access key secret is returned only once, destructive deletes are irreversible, and IAM blocks deleting an entity that still has dependents. The connector covers the IAM surface; the surrounding flow decides which permission grants run automatically and which ones wait for a security owner's sign-off.
Without FlowRunner
With FlowRunner
Use Case Scenarios
Onboard a service account with least privilege
An onboarding event starts the flow. The agent calls Create User for the new account, then Create Access Key for programmatic access, capturing the secret that IAM returns exactly once. It attaches only the baseline policy the role calls for and, when a privileged policy is also requested, routes that grant to security for approval before calling Attach User Policy. The credentials and setup instructions are delivered securely with [Amazon SES](/integrations/ses-service). The account starts with the access it needs and nothing more.
Safe access-key rotation
On a rotation schedule, the agent calls Create Access Key to mint a new key, waits for the downstream systems to adopt it, then calls Update Access Key to deactivate the old key and Delete Access Key to remove it. The ordering matters: the new key is active before the old one is retired, so nothing breaks mid-rotation. The completion is announced to a security topic with [Amazon SNS](/integrations/sns-service).
Scheduled account-posture audit
On a routine, the agent calls Get Account Summary and lists users, groups, and roles to build a posture snapshot, then enqueues it for a downstream compliance workflow with [Amazon SQS](/integrations/sqs-service). Drift, like an unexpected admin user or a policy attached outside the baseline, surfaces as an exception instead of surviving until the next external audit.
Human-in-Loop Highlight
Attaching a privileged policy is the moment the agent should stop and ask, because a privilege escalation is a decision with real blast radius. The agent does the safe work on its own: it creates the user, mints the access key, and attaches the baseline policy the role clearly needs. When the request includes a policy that grants elevated or account-wide permissions, it pauses before Attach User Policy and asks the security owner through their channel: "Onboarding [user] requests policy [policy name], which grants [scope]. Approve the attachment, downgrade to [baseline], or deny?" The owner decides. The agent handles provisioning; the person owns the escalation.
Agent Capabilities
19 actionsUsers and Access Keys
6- Create User Provisions a new IAM user as part of an onboarding automation.
- List Users Lists IAM users for an account posture audit.
- Create Access Key Creates a programmatic access key. The secret is returned only once, so the flow must store it immediately.
- Update Access Key Activates or deactivates an access key during rotation.
- Delete Access Key Permanently deletes an access key, the final step of a rotation.
- Delete User Permanently removes an IAM user. IAM blocks the delete until dependents are removed.
Groups
4- Create Group Creates an IAM group to apply a permission set consistently across a team.
- Add User To Group Adds a user to a group to apply its permissions.
- Remove User From Group Removes a user from a group.
- List Groups For User Lists the groups a user belongs to.
Policies
5- Attach User Policy Attaches a managed policy to a user to grant permissions on demand. The typical human-gated step.
- Detach User Policy Detaches a managed policy from a user to revoke permissions.
- Attach Role Policy Attaches a managed policy to a role.
- Detach Role Policy Detaches a managed policy from a role.
- Create Policy Creates a customer-managed policy. AWS-managed policies cannot be created or deleted.
Roles and Account
4- Create Role Creates an IAM role.
- List Attached Role Policies Lists the managed policies attached to a role for an access review.
- Get Account Summary Pulls an IAM account summary for posture reporting.
- List Account Aliases Lists the account's aliases.
Start building with AWS IAM
$100 in credits. No card required. Connect in minutes.