🛡️ iam-orgsync

IAM Org Sync

What if your IAM permissions updated themselves — but an AI reviewed every change before it applied?

IAM Org Sync is an intelligent Identity and Access Management automation tool that continuously synchronizes employee permissions with their current role using a least-privilege model. Every permission change is analyzed by AWS Bedrock AI before being applied, ensuring security while dramatically reducing manual IAM administration overhead.

---

🚀 Why I Built This

I built IAM Org Sync after witnessing the same problem repeat across multiple organizations during SOC 2 audits: access creep.

When an employee transfers from DevOps to Sales, their EC2 and S3 access often stays forever — this is called access creep, and it's one of the top findings in SOC 2 and ISO 27001 audits. During my last compliance review, I watched security teams spend 15+ hours manually reconciling who had access to what, only to find three former contractors still with admin privileges from two years prior.

The manual process doesn't scale. When you have 500 employees, 50 role changes per month, and quarterly audit cycles, IAM management becomes a bottleneck. Security teams spend more time closing tickets than actually securing systems.

I chose Go for this project because goroutine concurrency lets me process hundreds of users in parallel — something Python's threading model struggles with due to the GIL. A Python script processing 100 users sequentially might take 30 seconds; Go spins up a worker pool and completes the same work in 3 seconds, utilizing all CPU cores. For organizations with thousands of users, this difference is transformative.

---

🎯 The Problem It Solves

Scenario	Without iam-orgsync	With iam-orgsync
Employee transfers	Permissions from old role persist indefinitely; security tickets pile up	Old policies automatically detached, new role policies attached within minutes
Employee terminated	Manual revocation takes hours to days; former employees retain access	All permissions revoked immediately upon HR status change
New hire	Manual IAM ticket creation delays productivity by days	Role-based permissions provisioned automatically on day one
Quarterly access review	15+ hours of manual reconciliation per audit cycle	Real-time audit trail with SOC 2 evidence generated automatically
Suspicious permission escalation	No automated detection; relies on periodic reviews	AI layer flags anomalous permissions before application

📢 Callout: Manual IAM reviews consume 15+ hours per audit cycle — IAM Org Sync eliminates this entirely with continuous enforcement.

---

🏗️ Architecture Overview

IAM Org Sync uses a five-component pipeline architecture: HR roster ingestion, parallel sync engine processing, AI anomaly detection via AWS Bedrock, decision gating, and AWS IAM execution with audit logging.

flowchart LR
    A[HR Roster<br/>JSON] --> B[Sync Engine<br/>Go Goroutines]
    B --> C[AI Anomaly Layer<br/>Bedrock Claude]
    C --> D{Decision}
    D -->|Apply| E[AWS IAM<br/>Apply Changes]
    D -->|Hold| F[Alert Security Team]
    B --> G[Audit Reports<br/>JSON + CSV]
    E --> G

Loading

Component	Technology	Purpose	SOC 2 Control
HR Data Source	JSON (hr_roster.json)	Employee roster with role/department/status	CC6.2
Sync Engine	Go 1.22 + Goroutines	Parallel user processing with WaitGroup	CC6.1
AI Anomaly Layer	AWS Bedrock (Claude Haiku)	Risk assessment before permission changes	CC7.2
IAM Executor	aws-sdk-go-v2	Attach/detach policies, least-privilege enforcement	CC6.3
Audit Reporter	JSON + CSV export	SOC 2 compliance evidence generation	CC9.1

---

💻 Tech Stack

Layer	Technology	Why This Choice
Runtime	Go 1.22	Goroutine-based concurrency; superior parallel processing vs Python
AWS SDK	aws-sdk-go-v2	Official AWS SDK; comprehensive IAM coverage
AI Layer	AWS Bedrock (Claude Haiku)	Low-latency inference; cost-effective for high-volume analysis
Config	gopkg.in/yaml.v3	Human-readable policy map definitions
IAM	AWS IAM Policies	Native least-privilege enforcement
Storage	DynamoDB (optional)	Event store for large-scale audit logs
Export	CSV/JSON	SOC 2 evidence format compatibility

Why Go Over Python

Aspect	Python	Go	Winner
Concurrency	Threading (GIL-limited)	Goroutines (true parallelism)	Go
Memory per task	~1MB (threads)	~2KB (goroutines)	Go
Cold start	100-500ms	Instant (compiled)	Go
AWS SDK	boto3 (mature)	aws-sdk-go-v2 (excellent)	Tie
Deployment	Virtual env / Docker	Single binary	Go

Go's goroutines let us process 100+ users concurrently — the same workload in Python would require multiprocessing with significantly higher memory overhead and complexity.

---

✨ Key Features

Feature	Description	Value
🔄 Auto Org-Sync	Automatically syncs IAM permissions with HR role changes	Eliminates manual IAM tickets
🤖 AI Anomaly Detection	AWS Bedrock analyzes every permission change for risk	Catches suspicious grants before application
🧹 Access Creep Removal	Identifies and removes permissions not matching current role	Continuous least-privilege enforcement
⚡ Concurrent Processing	Go goroutine worker pool processes users in parallel	100 users in ~3 seconds
📋 SOC 2 Evidence Export	Auto-generates CSV audit trails mapped to CC6.x controls	Compliance evidence ready for auditors
🔒 Least Privilege Enforcement	Policy map defines exact permissions per role	No over-provisioned access
🚪 Terminated User Revocation	Instantly revokes all permissions when HR marks user terminated	Zero lingering access
📝 Audit Trail Logging	JSON logs with full change history, timestamps, AI analysis	Forensic evidence for investigations
🔍 Dry-Run Mode	Preview all changes without applying them	Safe testing before production

Report

Report in CSV

Report in Json

---

🔄 How It Works

1. Load HR Roster: Parse hr_roster.json to get current employee list with roles and status
2. Load Policy Map: Read policy_map.yaml to determine expected permissions per role
3. Parallel Processing: Goroutine worker pool queries IAM for each user's current policies
4. Calculate Diff: Compare current policies against expected; identify attach/detach actions
5. AI Review: Send each change to AWS Bedrock for risk analysis; get apply/hold/escalate recommendation
6. Execute & Audit: Apply approved changes to AWS IAM; export audit logs and SOC 2 evidence

sequenceDiagram
    participant HR as HR System (JSON)
    participant Engine as Sync Engine
    participant IAM as AWS IAM
    participant AI as AWS Bedrock
    participant Report as Audit Reports
    
    HR->>Engine: Employee roster
    Engine->>Engine: Load policy map
    loop For each user
        Engine->>IAM: List current policies
        IAM-->>Engine: Current policy list
        Engine->>Engine: Calculate diff
        Engine->>AI: Analyze change
        AI-->>Engine: Risk score + recommendation
        alt Recommendation = apply
            Engine->>IAM: Attach/Detach policies
            IAM-->>Engine: Confirmation
        else Recommendation = hold
            Engine->>Report: Log for review
        end
        Engine->>Report: Export audit entry
    end
    Report->>Report: Generate SOC 2 CSV

Loading

---

🔐 Security First

Security Control	Implementation	Why It Matters
Dry-run mode	--dry-run flag previews changes without applying	Safe testing in production environments
No hardcoded credentials	Uses AWS credentials chain (env vars, profile, EC2 role)	Prevents credential leakage
Least privilege IAM	Tool requires limited IAM permissions to function	Minimizes blast radius if compromised
AI gate	All permission changes require AI approval (configurable)	Catches anomalous requests before application
Audit logging	JSON + CSV export of every change with timestamp	Forensic evidence for SOC 2 auditors
Terminated user revocation	Automatic policy detachment on HR status = terminated	Eliminates lingering access

Minimum Required IAM Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "IAMOrgSyncMinimalPermissions",
            "Effect": "Allow",
            "Action": [
                "iam:ListUsers",
                "iam:GetUser",
                "iam:ListAttachedUserPolicies",
                "iam:ListUserPolicies",
                "iam:AttachUserPolicy",
                "iam:DetachUserPolicy",
                "iam:GetUserPolicy",
                "iam:ListGroupsForUser",
                "iam:ListRoles"
            ],
            "Resource": "*"
        }
    ]
}

⚠️ Production Recommendation: Restrict Resource to specific user ARNs rather than * for production deployments.

---

📊 Sample Output

JSON Audit Log Entry

{
  "timestamp": "2026-03-05T14:30:00Z",
  "user_id": "EMP004",
  "full_name": "Emily Thompson",
  "email": "emily.thompson@company.com",
  "department": "Engineering",
  "old_role": "backend_engineer",
  "new_role": "devops_engineer",
  "trigger": "role_transfer",
  "old_permissions": [
    "arn:aws:iam::123456789012:policy/backend_engineer-base"
  ],
  "new_permissions": [
    "arn:aws:iam::123456789012:policy/devops_engineer-base"
  ],
  "permissions_added": [
    "arn:aws:iam::123456789012:policy/devops_engineer-ec2",
    "arn:aws:iam::123456789012:policy/devops_engineer-ecs"
  ],
  "permissions_removed": [
    "arn:aws:iam::123456789012:policy/backend_engineer-dynamodb"
  ],
  "access_creep_detected": true,
  "access_creep_count": 1,
  "ai_risk_level": "low",
  "ai_recommendation": "apply",
  "ai_reasoning": "Role transfer from backend to devops is legitimate. New permissions align with stated role. One orphaned DynamoDB permission was properly removed.",
  "action_taken": "applied",
  "sync_duration_ms": 2450,
  "soc2_controls_affected": ["CC6.1", "CC6.2", "CC6.3"]
}

SOC 2 Evidence (CSV)

Control	User	Change Type	Old Permissions	New Permissions	AI Risk	AI Recommendation	Status	Timestamp
CC6.1	EMP001	role_change	2 policies	4 policies	low	apply	applied	2026-03-05T14:25:00Z
CC6.2	EMP001	role_change	2 policies	4 policies	low	apply	applied	2026-03-05T14:25:00Z
CC6.3	EMP003	termination	3 policies	0 policies	low	apply	applied	2026-03-05T14:26:00Z
CC6.1	EMP007	access_creep	6 policies	3 policies	medium	hold	held	2026-03-05T14:27:00Z
CC7.2	EMP007	access_creep	6 policies	3 policies	medium	hold	held	2026-03-05T14:27:00Z

---

🚦 Getting Started

Prerequisites

• Go 1.21+ — Download from golang.org
• AWS Account — With IAM and Bedrock access
• AWS CLI — Configured with credentials (aws configure)

Installation

# Clone the repository
git clone https://github.com/yourusername/iam-orgsync.git
cd iam-orgsync

# Install dependencies
go mod tidy

# Build the binary
go build -o iam-orgsync ./cmd/main.go

Configuration

Create a .env file (see .env.example):

AWS_REGION=us-east-1
AWS_PROFILE=default
AWS_ACCOUNT_ID=123456789012
HR_ROSTER_PATH=data/hr_roster.json
POLICY_MAP_PATH=config/policy_map.yaml
OUTPUT_DIR=reports
AWS_BEDROCK_ENABLED=true

Usage Examples

# 1. Dry-run mode (safe for testing - no actual IAM changes)
go run ./cmd/main.go --dry-run

# 2. Full sync with actual IAM changes
go run ./cmd/main.go

# 3. Sync a single user (useful for targeted testing)
go run ./cmd/main.go --user EMP001

# 4. Skip AI analysis (mock mode for offline demos)
go run ./cmd/main.go --skip-ai

# 5. Show help
go run ./cmd/main.go --help

---

📋 SOC 2 Control Mapping

SOC 2 Control	Trust Service Criterion	How iam-orgsync Addresses It
CC6.1	Logical Access Security	Every permission change is logged with full audit trail. Changes are compared against least-privilege policy map before application.
CC6.2	New User Registration	When HR marks a user as active, sync engine automatically provisions appropriate role-based permissions. All new permissions go through AI review.
CC6.3	Access Removal	Terminated users automatically have all policies detached within minutes. Transferred users have old-role policies removed and new-role policies attached.
CC7.2	Anomaly Detection	AI layer analyzes every permission change via AWS Bedrock, scoring risk and recommending hold/escalate for suspicious requests.
CC9.1	Monitoring	Real-time audit logs and SOC 2 evidence CSV export provide continuous evidence of access management activities.

---

📂 Project Structure

iam-orgsync/
├── cmd/
│   └── main.go                 # Application entry point
├── config/
│   └── policy_map.yaml         # Role → permissions mapping
├── data/
│   └── hr_roster.json          # Employee roster (HR export)
├── internal/
│   ├── ai/
│   │   └── anomaly.go          # AWS Bedrock integration
│   ├── iam/
│   │   └── client.go           # AWS IAM SDK wrapper
│   ├── report/
│   │   └── exporter.go         # JSON/CSV audit export
│   └── sync/
│       └── engine.go           # Core sync logic + goroutines
├── reports/
│   ├── audit_log.json          # Generated audit trail
│   └── soc2_evidence.csv       # Generated SOC 2 evidence
├── go.mod                      # Go module definition
└── README.md                   # This file

File/Folder	Purpose
cmd/main.go	CLI argument parsing, configuration loading, main execution loop
config/policy_map.yaml	YAML definitions of least-privilege permissions per role
data/hr_roster.json	Employee data: user_id, name, email, role, department, status
internal/sync/engine.go	Worker pool, goroutine management, user processing orchestration
internal/iam/client.go	AWS SDK wrappers for ListUsers, AttachPolicy, DetachPolicy
internal/ai/anomaly.go	Bedrock API client, prompt engineering, risk scoring
internal/report/exporter.go	JSON audit log writer, CSV SOC 2 evidence generator
reports/	Output directory for generated audit files

---

🗺️ Roadmap

Feature	Status	Business Value
Role-based sync	✅ Complete	Core functionality
AI anomaly detection (Bedrock)	✅ Complete	Risk-aware permission changes
Access creep detection	✅ Complete	Continuous least-privilege
Dry-run mode	✅ Complete	Safe testing
SOC 2 evidence export	✅ Complete	Audit readiness
Terminated user revocation	✅ Complete	Instant access removal
Parallel processing (goroutines)	✅ Complete	High throughput
JSON audit logging	✅ Complete	Forensic evidence
CLI flags & config	✅ Complete	Operational flexibility
DynamoDB event store	🔄 Planned	Scalable audit storage
Slack/Teams notifications	🔄 Planned	Alert security teams
SAML/SSO integration	🔄 Planned	Enterprise identity sync
Multi-account support	🔄 Planned	AWS Organizations support
Policy simulation mode	🔄 Planned	"What-if" analysis

---

👤 About the Author

I'm a senior fullstack engineer with 8+ years of experience building cloud-native systems on AWS. This project represents my approach to solving real-world IAM automation challenges while maintaining SOC 2 compliance. I specialize in Go, GRC engineering, and security engineering.

Open to senior fullstack engineer, Agentic AI Engineer, and GRC engineering roles. Let's connect.

---