Audit and reconcile auto-provisioned resources
SCIM enables you to automatically provision users, groups, and group memberships from your identity source to IAM Identity Center. This guide helps you verify and reconcile these resources to maintain accurate synchronization.
Why audit your resources?
Regular auditing helps ensure your access controls remain accurate and your identity provider (IdP) stays properly synchronized with IAM Identity Center. This is particularly important for security compliance and access management.
Resources you can audit:
Users
Groups
Group memberships
You can use Amazon Identity Store APIs or CLI commands to conduct the audit and reconciliation. The following examples use Amazon CLI commands. For API alternatives, refer to the corresponding operations in the Identity Store API reference.
How to audit resources
The following examples show how to audit these resources using Amazon CLI commands.
Before you begin, ensure you have:
Administrator access to IAM Identity Center.
Amazon CLI installed and configured. For information, see the Amazon Command Line Interface User Guide.
Required IAM permissions for Identity Store commands.
Step 1: List current resources
You can view your current resources using the Amazon CLI.
Note
When using the Amazon CLI, pagination is handled automatically unless you specify --no-paginate. If you're calling the API directly (for example, with an SDK or a custom script), handle the NextToken in the response so that you retrieve all results across multiple pages.
Example for users
aws identitystore list-users \
    --region REGION \
    --identity-store-id IDENTITY_STORE_ID
Example for groups
aws identitystore list-groups \
    --region REGION \
    --identity-store-id IDENTITY_STORE_ID
Example for group memberships
aws identitystore list-group-memberships \
    --region REGION \
    --identity-store-id IDENTITY_STORE_ID \
    --group-id GROUP_ID
Step 2: Compare with your identity source
Compare the listed resources with your identity source to identify any discrepancies, such as:
- Missing resources that should be provisioned in IAM Identity Center.
- Extra resources that should be removed from IAM Identity Center.
Example for users
# Create missing users
aws identitystore create-user \
    --identity-store-id IDENTITY_STORE_ID \
    --user-name USERNAME \
    --display-name DISPLAY_NAME \
    --name GivenName=FIRST_NAME,FamilyName=LAST_NAME \
    --emails Value=EMAIL_ADDRESS,Type=work,Primary=true

# Delete extra users
aws identitystore delete-user \
    --identity-store-id IDENTITY_STORE_ID \
    --user-id USER_ID
Example for groups
# Create missing groups
aws identitystore create-group \
    --identity-store-id IDENTITY_STORE_ID \
    [group attributes]

# Delete extra groups
aws identitystore delete-group \
    --identity-store-id IDENTITY_STORE_ID \
    --group-id GROUP_ID
Example for group memberships
# Add missing members
aws identitystore create-group-membership \
    --identity-store-id IDENTITY_STORE_ID \
    --group-id GROUP_ID \
    --member-id '{"UserId": "USER_ID"}'

# Remove extra members
aws identitystore delete-group-membership \
    --identity-store-id IDENTITY_STORE_ID \
    --membership-id MEMBERSHIP_ID
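The two steps above (list everything, including every NextToken page, then diff against the identity source) fit naturally into one script. The following is an added example written for this guide, not AWS documentation or service code: it consumes the same JSON shapes that `aws identitystore list-users` and `list-group-memberships` return, compares them with a constructed SCIM-style export, and renders the remediation as CLI commands for review rather than executing them, which keeps the "small, gradual changes" guidance enforceable. The identity store id, group id, user names and ids are constructed placeholders; `live_list_users` assumes boto3 is installed and is the only part that touches a real account.

```python
"""Audit and reconcile Identity Center users and memberships against an IdP export.

Added example, not AWS code. All sample data below is constructed; the real
API is only reached through live_list_users(), which is never called by default.
"""
import json


def paginate(call, result_key, **kwargs):
    """Collect every item from a NextToken-paginated call.

    `call` is any function that takes keyword arguments and returns a dict with
    `result_key` and an optional NextToken, like the raw Identity Store API.
    """
    items, token = [], None
    while True:
        page = call(**kwargs, NextToken=token) if token else call(**kwargs)
        items.extend(page.get(result_key, []))
        token = page.get("NextToken")
        if not token:
            return items


def diff_users(store_users, idp_users):
    """Compare by user name. Returns (user names missing from Identity Center,
    UserIds present in Identity Center but absent from the identity source)."""
    store_by_name = {u["UserName"]: u["UserId"] for u in store_users}
    idp_names = {u["userName"] for u in idp_users}
    missing = sorted(idp_names - set(store_by_name))
    extra = sorted(uid for name, uid in store_by_name.items() if name not in idp_names)
    return missing, extra


def diff_memberships(memberships, idp_member_ids):
    """Compare one group's memberships with the UserIds the IdP says belong.
    Returns (UserIds to add, MembershipIds to remove)."""
    current = {m["MemberId"]["UserId"]: m["MembershipId"] for m in memberships}
    missing = sorted(set(idp_member_ids) - set(current))
    extra = sorted(mid for uid, mid in current.items() if uid not in idp_member_ids)
    return missing, extra


def render_plan(store_id, group_id, missing_users, extra_users, add_members, remove_members):
    """Render the reconciliation as CLI commands for human review; nothing is executed."""
    base = f"aws identitystore {{}} --identity-store-id {store_id}"
    cmds = [f"# create-user for {name}: copy name and email from the IdP record" for name in missing_users]
    cmds += [base.format("delete-user") + f" --user-id {uid}" for uid in extra_users]
    for uid in add_members:
        member = json.dumps({"UserId": uid})
        cmds.append(base.format("create-group-membership") + f" --group-id {group_id} --member-id '{member}'")
    cmds += [base.format("delete-group-membership") + f" --membership-id {mid}" for mid in remove_members]
    return cmds


# Constructed sample: two pages shaped like `aws identitystore list-users` output.
SAMPLE_PAGES = [
    {"Users": [{"UserName": "alice", "UserId": "u-alice"}], "NextToken": "page-2"},
    {"Users": [{"UserName": "bob", "UserId": "u-bob"},
               {"UserName": "carol", "UserId": "u-carol"}]},
]
# Constructed SCIM-style export from the identity source: bob was removed, dave added.
SAMPLE_IDP_USERS = [{"userName": "alice"}, {"userName": "carol"}, {"userName": "dave"}]
# Constructed `list-group-memberships` output for one group, and the IdP's view of it.
SAMPLE_MEMBERSHIPS = [
    {"MembershipId": "m-1", "MemberId": {"UserId": "u-alice"}},
    {"MembershipId": "m-2", "MemberId": {"UserId": "u-bob"}},
]
SAMPLE_IDP_MEMBERS = {"u-alice", "u-carol"}


def fake_list_users(IdentityStoreId, NextToken=None):
    """Stand-in for identitystore.list_users that serves SAMPLE_PAGES (constructed)."""
    return SAMPLE_PAGES[0 if NextToken is None else int(NextToken.split("-")[1]) - 1]


def live_list_users(IdentityStoreId, NextToken=None):
    """Same signature as the fake, backed by the real API (assumes boto3 is installed)."""
    import boto3  # imported here so the dry-run path needs no AWS dependencies
    kwargs = {"IdentityStoreId": IdentityStoreId}
    if NextToken:
        kwargs["NextToken"] = NextToken
    return boto3.client("identitystore").list_users(**kwargs)


def reconcile(list_users_call=fake_list_users, memberships=SAMPLE_MEMBERSHIPS,
              store_id="d-EXAMPLE", group_id="g-EXAMPLE"):
    """Run the audit end to end and return the remediation plan as command strings."""
    users = paginate(list_users_call, "Users", IdentityStoreId=store_id)
    missing_users, extra_users = diff_users(users, SAMPLE_IDP_USERS)
    add_members, remove_members = diff_memberships(memberships, SAMPLE_IDP_MEMBERS)
    return render_plan(store_id, group_id, missing_users, extra_users, add_members, remove_members)


if __name__ == "__main__":
    for cmd in reconcile():
        print(cmd)
```

Run it as-is to see the plan built from the constructed data; against a real account, pass `live_list_users` and the output of `list-group-memberships` into `reconcile()`, review the printed commands, and apply them in small batches. Deleting a user removes its group memberships and permission set assignments with it, so the generated delete-user lines deserve a second look before they run.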
Considerations
- Commands are subject to service quotas and API throttling.
- When you find many differences during reconciliation, make small, gradual changes to Amazon Identity Store. This helps you avoid mistakes that affect multiple users.
- SCIM synchronization can override your manual changes. Check your IdP settings to understand this behavior.