Is there any way I can get a list of removed or deleted users in AWS? All I am getting is a list of users who are active, but I need a list of removed users.
I have tried to get logs out of CloudTrail but could not find the relevant event.
I am not very familiar with AWS; maybe because of this I could not find any module for this.
Thank you
Question posted in Amazon Web Services
2 Answers
You can find the deleted users with the following eventName in AWS CloudTrail:
"eventName:DeleteUser"
However, by default, AWS CloudTrail only keeps the past 90 days of activity.
To search for deleted IAM users, visit CloudTrail Events and filter the results with the eventName:DeleteUser and/or eventName:AdminDeleteUser filters.
To search for users deleted more than 90 days ago, you have to create a CloudTrail trail (enabling CloudWatch Logs is recommended).
Tip: Because IAM is a global resource, you have to set your region to us-east-1 (North Virginia), or your queries do not return any results for those events.
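The CloudTrail lookup described in both answers, as an added example that is not part of either answer: it queries the us-east-1 event history for DeleteUser events with boto3 and parses each record to show which IAM user was deleted, by whom, from where and when. The `lookup_delete_user_events` call assumes boto3 is installed and that the credentials in use allow cloudtrail:LookupEvents; `SAMPLE_EVENTS` is a constructed sample of the LookupEvents response shape, used so the parser can be run offline.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of what CloudTrail LookupEvents returns: each event's
# CloudTrailEvent field holds the full CloudTrail record as a JSON string.
SAMPLE_EVENTS = [
    {"EventName": "DeleteUser", "CloudTrailEvent": json.dumps({
        "eventTime": "2023-05-01T10:15:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "DeleteUser", "awsRegion": "us-east-1",
        "userIdentity": {"type": "IAMUser", "userName": "admin-alice"},
        "sourceIPAddress": "198.51.100.10",
        "requestParameters": {"userName": "bob"}})},
    {"EventName": "CreateUser", "CloudTrailEvent": json.dumps({
        "eventTime": "2023-05-02T08:00:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser", "userIdentity": {"userName": "admin-alice"},
        "requestParameters": {"userName": "carol"}})},
]


def parse_deleted_users(events):
    """Return one dict per IAM DeleteUser event: who was deleted, by whom, when."""
    deleted = []
    for event in events:
        if event.get("EventName") != "DeleteUser":
            continue
        record = json.loads(event["CloudTrailEvent"])
        # Event history is filtered by eventName only, so keep IAM calls and
        # drop any other service that also emits an event named DeleteUser.
        if record.get("eventSource") != "iam.amazonaws.com":
            continue
        identity = record.get("userIdentity", {})
        deleted.append({
            "deleted_user": record.get("requestParameters", {}).get("userName"),
            "deleted_by": identity.get("arn") or identity.get("userName"),
            "when": record.get("eventTime"),
            "source_ip": record.get("sourceIPAddress"),
        })
    return deleted


def lookup_delete_user_events(days=90):
    """Fetch DeleteUser events from the us-east-1 event history, where IAM's
    global events land (assumes boto3 and credentials with LookupEvents)."""
    import boto3  # imported here so the parser above runs without boto3
    client = boto3.client("cloudtrail", region_name="us-east-1")
    end = datetime.now(timezone.utc)
    pages = client.get_paginator("lookup_events").paginate(
        LookupAttributes=[{"AttributeKey": "EventName",
                           "AttributeValue": "DeleteUser"}],
        StartTime=end - timedelta(days=days), EndTime=end)
    return [event for page in pages for event in page["Events"]]
```

Run `parse_deleted_users(lookup_delete_user_events())` against a live account; for deletions older than the 90-day history, feed the same parser the records exported by a trail instead.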