Identity governance used to be a manual spreadsheet activity that most teams dreaded. Cloud environments changed those expectations. Administrators can now automate access reviews, privilege lifecycle checks, credential audits, and policy evaluations with native tools or simple scripts.
This article focuses on building automation for AWS, Azure, and GCP, and ends with a cross-platform workflow any team can adopt.
Why automate identity governance
Manual access reviews are slow and error-prone. Automation reduces risk by:
- Detecting roles or users with unused permissions
- Revoking stale or inactive accounts
- Validating that least privilege has not drifted
- Replacing manual approval flows with time-bound elevation
- Ensuring auditors can rely on consistent historical logs
AWS: Automated access evaluation
Key services:
- IAM Access Analyzer
- IAM service last accessed data
- EventBridge and Lambda
Automating access review
```shell
# list-findings takes the analyzer ARN (the region is a placeholder) and a JSON
# criterion filter; the query pulls the finding id, the resource and the action
aws accessanalyzer list-findings \
  --analyzer-arn arn:aws:access-analyzer:<region>:111122223333:analyzer/org-analyzer \
  --filter '{"status":{"eq":["ACTIVE"]}}' \
  --query "findings[*].{id:id, resource:resource, action:action}"
```
Combine this with a scheduled Lambda to create weekly reports.
Detecting unused IAM permissions
```shell
# Last-accessed data is generated asynchronously: start a job, then fetch its result by JobId (poll until JobStatus is COMPLETED)
JOB_ID=$(aws iam generate-service-last-accessed-details --arn arn:aws:iam::111122223333:user/someuser --query JobId --output text)
aws iam get-service-last-accessed-details --job-id "$JOB_ID" \
  --query 'ServicesLastAccessed[?LastAuthenticated==`null`].ServiceNamespace'
```
Inactive permissions are your first candidates for removal.
Automated key rotation
Use EventBridge and Lambda to flag keys older than your policy threshold.
```shell
aws iam list-access-keys \
  --user-name someuser \
  --query 'AccessKeyMetadata[?CreateDate<`2024-01-01`]'
```
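To turn the two IAM calls above into a scheduled check (for example inside the Lambda mentioned earlier), here is an added Python example; it is my code, not from the original article or from AWS. It runs offline on two response dictionaries constructed to match the shapes boto3 returns from `get_service_last_accessed_details` and `list_access_keys`. The idle and rotation thresholds and the fixed "now" are assumptions; replace them with your policy values and the current time.

```python
"""Added example: evaluate IAM last-accessed data and access-key age offline."""
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like iam.get_service_last_accessed_details() once the
# generate_service_last_accessed_details job has completed.
LAST_ACCESSED_RESPONSE = {
    "JobStatus": "COMPLETED",
    "ServicesLastAccessed": [
        {"ServiceName": "Amazon S3", "ServiceNamespace": "s3",
         "LastAuthenticated": datetime(2024, 5, 20, tzinfo=timezone.utc),
         "TotalAuthenticatedEntities": 1},
        {"ServiceName": "Amazon EC2", "ServiceNamespace": "ec2",
         "LastAuthenticated": datetime(2023, 1, 4, tzinfo=timezone.utc),
         "TotalAuthenticatedEntities": 1},
        # Never used in the tracking window: boto3 omits LastAuthenticated entirely.
        {"ServiceName": "AWS Lambda", "ServiceNamespace": "lambda",
         "TotalAuthenticatedEntities": 0},
    ],
}

# Constructed sample shaped like iam.list_access_keys(); key ids are made up.
ACCESS_KEYS_RESPONSE = {
    "AccessKeyMetadata": [
        {"UserName": "someuser", "AccessKeyId": "AKIAEXAMPLEKEY000001", "Status": "Active",
         "CreateDate": datetime(2023, 11, 1, tzinfo=timezone.utc)},
        {"UserName": "someuser", "AccessKeyId": "AKIAEXAMPLEKEY000002", "Status": "Active",
         "CreateDate": datetime(2024, 5, 15, tzinfo=timezone.utc)},
    ],
}

# Fixed reference time so the example is reproducible (assumption: use datetime.now(timezone.utc) in production).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def unused_services(response, now=NOW, max_idle_days=90):
    """Return service namespaces the principal has not used within max_idle_days.

    A missing LastAuthenticated means the service was never used in the tracking
    window, which makes it the strongest removal candidate.
    """
    if response["JobStatus"] != "COMPLETED":
        raise RuntimeError("last-accessed job not finished: %s" % response["JobStatus"])
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for svc in response["ServicesLastAccessed"]:
        last = svc.get("LastAuthenticated")
        if last is None or last < cutoff:
            stale.append(svc["ServiceNamespace"])
    return sorted(stale)


def keys_past_rotation(response, now=NOW, max_age_days=180):
    """Return (AccessKeyId, age_in_days) for active keys older than max_age_days."""
    findings = []
    for key in response["AccessKeyMetadata"]:
        if key["Status"] != "Active":
            continue  # inactive keys are already out of use; deletion is a separate cleanup
        age = (now - key["CreateDate"]).days
        if age > max_age_days:
            findings.append((key["AccessKeyId"], age))
    return findings


if __name__ == "__main__":
    print("unused services:", unused_services(LAST_ACCESSED_RESPONSE))
    print("keys past rotation:", keys_past_rotation(ACCESS_KEYS_RESPONSE))
```

In a real run, the two dictionaries come straight from boto3, so the only change is swapping the constructed data for the client calls; the evaluation functions stay the same.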
Azure: PIM, Graph API, and Role audit automation
Key services:
- Azure AD Privileged Identity Management (PIM)
- Microsoft Graph API
- Azure Monitor Activity Logs
Automating PIM reviews
Azure provides an API endpoint to retrieve who has eligible or active privileged roles.
Example Graph API call:
```http
GET https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments
```
Detecting orphaned accounts
Use PowerShell automation:
```powershell
# Microsoft Graph PowerShell: the legacy AzureAD module's Get-AzureADUser does not return SignInActivity
Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All"
Get-MgUser -All -Property Id,UserPrincipalName,AccountEnabled,SignInActivity |
Where-Object { -not $_.AccountEnabled -or -not $_.SignInActivity.LastSignInDateTime -or $_.SignInActivity.LastSignInDateTime -lt (Get-Date).AddDays(-90) }
```
Rotating Built-in Admin Roles
Use PIM to enforce just-in-time access where privileged roles automatically expire. Configure a Logic App to notify or remove standing privileges that do not have an expiry set.
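The Logic App described above needs a rule for "standing privilege without an expiry". Here is that rule as an added Python example; it is my code, not from the original article or from Microsoft. It runs offline on a constructed list shaped like the `value` array of Microsoft Graph's `roleManagement/directory/roleAssignmentScheduleInstances` collection with `roleDefinition` expanded (the field names are my reading of that API and are an assumption). The set of roles treated as privileged and the fixed "now" are also assumptions.

```python
"""Added example: flag permanent active assignments of privileged directory roles."""
from datetime import datetime, timezone

# Active assignments come from roleAssignmentScheduleInstances; eligible-only
# assignments (the PIM-compliant state) live in roleEligibilityScheduleInstances.
GRAPH_ACTIVE_URL = ("https://graph.microsoft.com/v1.0/roleManagement/directory/"
                    "roleAssignmentScheduleInstances?$expand=roleDefinition")

# Assumption: roles your tenant treats as privileged; adjust to your own tiering.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "User Administrator", "Security Administrator"}

# Constructed sample shaped like the Graph response; principal ids are made up.
SCHEDULE_INSTANCES = [
    {"id": "inst-1", "principalId": "user-alice", "assignmentType": "Assigned",
     "startDateTime": "2023-02-01T00:00:00Z", "endDateTime": None,
     "roleDefinition": {"displayName": "Global Administrator"}},
    {"id": "inst-2", "principalId": "user-bob", "assignmentType": "Activated",
     "startDateTime": "2024-06-01T08:00:00Z", "endDateTime": "2024-06-01T16:00:00Z",
     "roleDefinition": {"displayName": "Global Administrator"}},
    {"id": "inst-3", "principalId": "user-carol", "assignmentType": "Assigned",
     "startDateTime": "2024-01-01T00:00:00Z", "endDateTime": "2024-12-31T00:00:00Z",
     "roleDefinition": {"displayName": "User Administrator"}},
    {"id": "inst-4", "principalId": "user-dave", "assignmentType": "Assigned",
     "startDateTime": "2023-01-01T00:00:00Z", "endDateTime": None,
     "roleDefinition": {"displayName": "Directory Readers"}},
]

# Fixed reference time for reproducibility (assumption: use datetime.now(timezone.utc) in production).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_graph_time(value):
    """Graph timestamps end in 'Z'; fromisoformat needs '+00:00' on Python < 3.11."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def standing_privileged_assignments(instances, now=NOW, privileged_roles=PRIVILEGED_ROLES):
    """Return permanent ("Assigned" with no endDateTime) assignments of privileged roles.

    PIM activations ("Activated" with an endDateTime) and assignments that carry
    an expiry already satisfy the just-in-time policy and are skipped.
    """
    findings = []
    for inst in instances:
        role = inst["roleDefinition"]["displayName"]
        if role not in privileged_roles:
            continue
        if inst["assignmentType"] != "Assigned" or inst["endDateTime"] is not None:
            continue
        days = (now - parse_graph_time(inst["startDateTime"])).days
        findings.append({"principalId": inst["principalId"], "role": role, "days_standing": days})
    return findings


if __name__ == "__main__":
    for f in standing_privileged_assignments(SCHEDULE_INSTANCES):
        print("standing %(role)s for %(principalId)s (%(days_standing)d days)" % f)
```

A scheduled job would page through `GRAPH_ACTIVE_URL` with an app registration holding `RoleManagement.Read.Directory`, feed the `value` array to `standing_privileged_assignments`, and hand the findings to the notification or removal step.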
GCP: permissions usage analysis and IAM recommender
Key services:
- IAM Recommender
- Cloud Logging
- Cloud Functions
Automating permission pruning
GCP’s recommender can be queried programmatically.
```shell
# The IAM recommender is a global recommender, so --location global is required
gcloud recommender recommendations list \
  --project my-project \
  --location global \
  --recommender google.iam.policy.Recommender
```
You can trigger this process on a schedule and export the recommendations for review.
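The export step benefits from turning raw recommendations into a plan a reviewer can approve line by line. Here is that step as an added Python example; it is my code, not from the original article or from Google. The input list is constructed to match the layout of `gcloud recommender recommendations list --format=json` as I understand it (`content.operationGroups[].operations[]` with `pathFilters`), which is an assumption; the project number and principals are made up.

```python
"""Added example: build a reviewable prune plan from IAM Recommender output."""

# Assumed recommendation name layout; the project number is a placeholder.
NAME_PREFIX = ("projects/000000000000/locations/global/recommenders/"
               "google.iam.policy.Recommender/recommendations/")
PROJECT_RESOURCE = "//cloudresourcemanager.googleapis.com/projects/my-project"

# Constructed sample: a REMOVE_ROLE, a REPLACE_ROLE (remove + add), and a
# DISMISSED recommendation that must be ignored.
RECOMMENDATIONS = [
    {"name": NAME_PREFIX + "rec-1", "recommenderSubtype": "REMOVE_ROLE",
     "stateInfo": {"state": "ACTIVE"},
     "content": {"operationGroups": [{"operations": [
         {"action": "remove", "resource": PROJECT_RESOURCE,
          "path": "/iamPolicy/binding/members/*",
          "pathFilters": {"/iamPolicy/binding/role": "roles/editor",
                          "/iamPolicy/binding/members/*": "user:alice@example.com"}}]}]}},
    {"name": NAME_PREFIX + "rec-2", "recommenderSubtype": "REPLACE_ROLE",
     "stateInfo": {"state": "ACTIVE"},
     "content": {"operationGroups": [{"operations": [
         {"action": "remove", "resource": PROJECT_RESOURCE,
          "path": "/iamPolicy/binding/members/*",
          "pathFilters": {"/iamPolicy/binding/role": "roles/owner",
                          "/iamPolicy/binding/members/*": "user:bob@example.com"}},
         {"action": "add", "resource": PROJECT_RESOURCE,
          "path": "/iamPolicy/binding/members/-", "value": "user:bob@example.com",
          "pathFilters": {"/iamPolicy/binding/role": "roles/viewer"}}]}]}},
    {"name": NAME_PREFIX + "rec-3", "recommenderSubtype": "REMOVE_ROLE",
     "stateInfo": {"state": "DISMISSED"},
     "content": {"operationGroups": [{"operations": [
         {"action": "remove", "resource": PROJECT_RESOURCE,
          "path": "/iamPolicy/binding/members/*",
          "pathFilters": {"/iamPolicy/binding/role": "roles/viewer",
                          "/iamPolicy/binding/members/*": "user:carol@example.com"}}]}]}},
]


def plan_from_recommendations(recs):
    """Flatten ACTIVE recommendations into (subtype, action, project, member, role) rows."""
    plan = []
    for rec in recs:
        if rec.get("stateInfo", {}).get("state") != "ACTIVE":
            continue  # dismissed/claimed/succeeded items are not pending work
        for group in rec["content"]["operationGroups"]:
            for op in group["operations"]:
                project = op["resource"].rsplit("/", 1)[-1]
                role = op["pathFilters"]["/iamPolicy/binding/role"]
                if op["action"] == "remove":
                    member = op["pathFilters"]["/iamPolicy/binding/members/*"]
                elif op["action"] == "add":
                    member = op["value"]
                else:
                    continue  # unknown operation kinds are left for a human to read
                plan.append((rec["recommenderSubtype"], op["action"], project, member, role))
    return plan


def to_gcloud_commands(plan):
    """Render the plan as the equivalent gcloud binding commands for the review ticket."""
    verbs = {"remove": "remove-iam-policy-binding", "add": "add-iam-policy-binding"}
    return ["gcloud projects %s %s --member=%s --role=%s" % (verbs[action], project, member, role)
            for _, action, project, member, role in plan]


if __name__ == "__main__":
    for cmd in to_gcloud_commands(plan_from_recommendations(RECOMMENDATIONS)):
        print(cmd)
```

Rendering commands rather than running them keeps the approval in human hands; the removal of an owner binding in the REPLACE_ROLE case is only applied after the viewer binding has been added, which the ordering inside the recommendation preserves.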
Finding inactive accounts
```shell
# --freshness bounds the lookback window (default is one day); widen it to your inactivity period
gcloud logging read "protoPayload.methodName:google.iam.admin.v1" \
  --freshness=90d \
  --limit 1000
```
Filter for accounts without activity over a defined period.
Cross-cloud governance with Policy-As-Code
For multi-cloud environments, consistency is the challenge. The best approach is policy-as-code. Here is a Terraform example that defines a baseline identity policy for all three clouds:
```hcl
variable "allowed_actions" {
  type    = list(string)
  default = ["read", "list"]
}

locals {
  iam_baseline = {
    aws = {
      actions = ["ec2:Describe*", "s3:Get*", "s3:List*"]
    }
    azure = {
      actions = ["Microsoft.Storage/storageAccounts/read"]
    }
    gcp = {
      permissions = ["storage.objects.get", "storage.objects.list"]
    }
  }
}
```
Centralising baseline roles reduces drift.
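The baseline only prevents drift if something compares it against what is actually granted. Here is that comparison as an added Python example; it is my code, not from the original article. It mirrors the `iam_baseline` locals above as a Python dictionary and checks a constructed export of roles and their actions (the role names and grants are made up). Wildcard handling uses `fnmatch`, which covers the `ec2:Describe*` style; treating AWS and Azure action names as case-insensitive is an assumption that matches how those platforms evaluate them.

```python
"""Added example: report grants that fall outside the Terraform identity baseline."""
from fnmatch import fnmatchcase

# Mirrors locals.iam_baseline from the Terraform block (actions/permissions flattened).
IAM_BASELINE = {
    "aws": ["ec2:Describe*", "s3:Get*", "s3:List*"],
    "azure": ["Microsoft.Storage/storageAccounts/read"],
    "gcp": ["storage.objects.get", "storage.objects.list"],
}

# Constructed sample of what the weekly export step might produce: cloud -> role -> granted actions.
EXPORTED_GRANTS = {
    "aws": {"ReadOnlyAnalyst": ["ec2:DescribeInstances", "s3:GetObject", "s3:PutObject"]},
    "azure": {"Storage Reader (custom)": ["Microsoft.Storage/storageAccounts/read",
                                          "Microsoft.Storage/storageAccounts/write"]},
    "gcp": {"roles/custom.bucketReader": ["storage.objects.get", "storage.objects.delete"]},
}


def allowed(action, patterns):
    """True if the action matches any baseline pattern (case-insensitive, glob-style)."""
    return any(fnmatchcase(action.lower(), pattern.lower()) for pattern in patterns)


def baseline_drift(grants, baseline=IAM_BASELINE):
    """Return {(cloud, role): [actions not covered by the baseline]} for every drifting role."""
    drift = {}
    for cloud, roles in grants.items():
        patterns = baseline.get(cloud, [])  # a cloud with no baseline makes every grant drift
        for role, actions in roles.items():
            extra = sorted(a for a in actions if not allowed(a, patterns))
            if extra:
                drift[(cloud, role)] = extra
    return drift


if __name__ == "__main__":
    for (cloud, role), extra in baseline_drift(EXPORTED_GRANTS).items():
        print("%s/%s grants beyond baseline: %s" % (cloud, role, ", ".join(extra)))
```

The same function serves the "validate policies against your Terraform baseline" step of a weekly cycle: load the locals with `terraform show -json` or keep the dictionary in sync by hand, and file one ticket per drifting role.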
Automated identity review dashboards
A simple governance dashboard can aggregate:
- Users per cloud
- Accounts with admin privileges
- Inactive accounts
- Stale access keys
- Unused permissions
- PIM activation events
- SSO assignment summaries
```r
library(jsonlite)
library(dplyr)

# iam_access.json is the exported last-accessed data; one row per principal/service pair
data <- fromJSON("iam_access.json")

# Keep only permissions that have never been exercised, listed by principal and service
unused <- data %>%
  filter(lastAccessed == "N/A") %>%
  select(principal, service)

unused
```
Scheduled scripts can publish updated dashboards to a Quarto page or an internal SharePoint site.
A practical weekly automation cycle
You can implement the following with scheduled functions or cron jobs:
- Export IAM roles, users, and permissions from AWS, Azure, GCP
- Flag inactive, orphaned, or disabled accounts
- Run cloud-specific “unused permission” checks
- Enforce key rotation rules
- Validate policies against your Terraform baseline
- Send findings to a shared inbox or ticketing system
- Update dashboards for review meetings
This removes the manual burden from administrators and keeps the environment aligned with security policy.
Identity governance improves once you bring structure, schedules, and automation. Every cloud platform provides the tools. Administrators only need consistent workflows to unify the process.