Monitor & Alert on Inactive AWS IAM Users with Slack Notifications

Description

AWS IAM Inactive User Automation Alert Workflow

> Weekly job that finds IAM users with no activity for > 90 days and notifies a Slack channel.
> ⚠️ Important: AWS SigV4 for IAM must be scoped to us-east-1. Create the AWS credential in n8n with region us-east-1 (even if your other services run elsewhere).

Who’s it for
SRE/DevOps teams that want automated IAM hygiene checks.
Security/compliance owners who need regular inactivity reports.
MSPs managing multiple AWS accounts who need lightweight alerting.

How it works / What it does
Weekly scheduler – kicks off the workflow (e.g., every Monday 09:00).
Get many users – lists IAM users.
Get user – enriches each user with details (password status, MFA, etc.).
Filter bad data – drops service-linked users or items without usable dates.
IAM user inactive for more than 90 days? – keeps users whose last activity is older than 90 days.
Last activity is derived from any of:
PasswordLastUsed (console sign-in)
AccessKeyLastUsed.LastUsedDate (from GetAccessKeyLastUsed if you add it)
Fallback to CreateDate if no usage data exists (optional)
Send a message (Slack) – posts an alert for each inactive user.
No operation – path for users that don’t match (do nothing).

How to set up
Credentials
AWS (Predefined → AWS)
Service: iam
Region: us-east-1 ← required for IAM
Access/Secret (or Assume Role) with read-only IAM perms (see below).
Slack OAuth (bot in your target channel).

Requirements
n8n (current version).
AWS IAM permissions** (minimum):
iam:ListUsers, iam:GetUser
(Optional for higher fidelity) iam:ListAccessKeys, iam:GetAccessKeyLastUsed
Slack bot with permission to post in the target channel.
Network egress to iam.amazonaws.com.

How to customize the workflow
Change window:** set 60/120/180 days by adjusting minus(N, 'days').
Audit log:** append results to Google Sheets/DB with UserName, Arn, LastActivity, CheckedAt.
Escalation:** if a user remains inactive for another cycle, mention @security or open a ticket.
Auto-remediation (advanced):** on a separate approval path, disable access keys or detach policies.
Multi-account / multi-region:** iterate a list of AWS credentials (one per account; IAM stays us-east-1).
Exclude list:** add a static list or tag-based filter to skip known service users.

Notes & gotchas
Many users never sign in; if you don’t pull GetAccessKeyLastUsed, they may look “inactive”. Add that call for accuracy.
PasswordLastUsed is null if console login never happened.
IAM returns timestamps in ISO or epoch—use toDate/toDateTime before comparisons.