How-To: Creating a Security Auditor Role in AWS
Last updated: May 29, 2026
Introduction
This article walks through setting up the permissions for a security auditor in your AWS environment. The auditor role is built by attaching two AWS managed policies to an IAM user, which allows thorough but non-intrusive (read-only) security assessments.
Prerequisites
Administrative access to your AWS Management Console.
Permissions to create IAM users and manage policy attachments.
Instructions
1. Access the IAM Console
Sign in to the AWS Management Console.
Navigate to the IAM console by searching for "IAM" in the console search bar.
2. Start the User Creation Process
In the left-hand navigation pane, click on Users.
Click the Add Users button.
Enter your desired name in the User name field.
Optional: If the user requires access to the console, check the box Provide user access to the AWS Management Console and select I want to create an IAM user.
Click Next.
3. Attach Permissions Policies
In the Set Permissions tab, click the Attach policies directly button.
In the policy search box, type SecurityAudit and check the box next to that policy to select it.
Next, use the Filter By Type dropdown, select AWS managed - Job Function, and then search for ReadOnlyAccess.
Check the box to select the ReadOnlyAccess policy as well.
Click the Next: Review button.
4. Complete the Setup
Review your configuration to ensure both policies are listed.
Click the Create User button.
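The four steps above carried out with boto3 instead of the console, as an added example that is not part of the original article. It assumes boto3 is installed and administrator credentials are configured locally; the user name "security-auditor" and the bucket name "payroll-data" are placeholders, and the drift check it ends with (policy_drift) is this example's own helper, not an AWS API.

```python
"""Provision the security auditor IAM user with boto3 (added example, not from the article)."""
from __future__ import annotations

import json

# The two AWS managed policies the article attaches in step 3.
SECURITY_AUDIT_ARN = "arn:aws:iam::aws:policy/SecurityAudit"
READ_ONLY_ACCESS_ARN = "arn:aws:iam::aws:policy/ReadOnlyAccess"
AUDITOR_POLICY_ARNS = (SECURITY_AUDIT_ARN, READ_ONLY_ACCESS_ARN)


def sensitive_bucket_deny_policy(bucket: str) -> dict:
    """Build the optional explicit-Deny policy that hides one S3 bucket from the auditor.

    Both the bucket ARN and its object ARNs are listed, because bucket-level actions
    (ListBucket) and object-level actions (GetObject) are evaluated against different resources.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "HideSensitiveBucket",
                "Effect": "Deny",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            }
        ],
    }


def policy_drift(attached_arns, required_arns=AUDITOR_POLICY_ARNS) -> dict:
    """Compare attached managed policies against the auditor baseline.

    Returns the ARNs still missing and any extra attachments that would widen the role.
    """
    attached = set(attached_arns)
    required = set(required_arns)
    return {"missing": sorted(required - attached), "extra": sorted(attached - required)}


def verify_auditor(iam, user_name: str) -> dict:
    """Step 4 as code: confirm exactly the expected managed policies are attached."""
    paginator = iam.get_paginator("list_attached_user_policies")
    attached = [
        p["PolicyArn"]
        for page in paginator.paginate(UserName=user_name)
        for p in page["AttachedPolicies"]
    ]
    return policy_drift(attached)


def create_auditor(iam, user_name: str, deny_bucket: str | None = None) -> dict:
    """Steps 2 and 3: create the user, attach both policies, optionally add the Deny policy."""
    iam.create_user(UserName=user_name)
    for arn in AUDITOR_POLICY_ARNS:
        iam.attach_user_policy(UserName=user_name, PolicyArn=arn)
    if deny_bucket:
        # Inline policy so the Deny lives and dies with this user.
        iam.put_user_policy(
            UserName=user_name,
            PolicyName="DenySensitiveBucket",
            PolicyDocument=json.dumps(sensitive_bucket_deny_policy(deny_bucket)),
        )
    return verify_auditor(iam, user_name)


if __name__ == "__main__":
    import boto3  # assumes boto3 is installed and admin credentials are configured

    client = boto3.client("iam")
    # "security-auditor" and "payroll-data" are placeholders, not values from the article.
    print(create_auditor(client, "security-auditor", deny_bucket="payroll-data"))
```

Running verify_auditor periodically against existing auditor users catches the common drift case where someone later attaches an extra policy "just for one assessment" and never removes it.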
Expected Outcome
You have now created a user with a security auditor role. This user is equipped with the necessary permissions to view configuration details and security settings without the ability to modify your resources.
Troubleshooting & Best Practices
Programmatic Access: If your assessment requires programmatic access, you will need to generate Access Keys (Access Key ID and Secret Access Key) from the user's "Security credentials" tab. Always download and store these securely, as the secret key is only shown once.
Protecting Sensitive Data: If you want to exclude specific sensitive resources (such as a particular S3 bucket) from this auditor's view, attach an additional custom Deny policy. This matters because ReadOnlyAccess grants read access to stored data (for example s3:GetObject), not just to configuration metadata. AWS always prioritizes an explicit Deny over any Allow, so the Deny takes effect regardless of what the managed policies grant.
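The evaluation rule that paragraph relies on, shown as a small evaluator over constructed policy statements. This is an added example, not code from the article or from AWS: it models only Effect/Action/Resource with IAM's "*" and "?" wildcards (no Condition, NotAction, NotResource, or resource-based policies), the Allow statement is a hand-picked slice of what ReadOnlyAccess grants, and "payroll-data" is a placeholder bucket name.

```python
"""Toy IAM decision logic (added example): explicit Deny beats any Allow,
and a request that matches no Allow is an implicit Deny."""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_sensitive):
    """IAM-style wildcard match. Action names compare case-insensitively, ARNs exactly."""
    for pattern in _as_list(patterns):
        if case_sensitive:
            if fnmatchcase(value, pattern):
                return True
        elif fnmatchcase(value.lower(), pattern.lower()):
            return True
    return False


def evaluate(statements, action, resource):
    """Return ('Deny' | 'Allow', reason) for one request against identity-policy statements."""
    allowed = False
    for stmt in statements:
        if "Action" not in stmt or "Resource" not in stmt:
            continue  # NotAction / NotResource are not modelled here
        if not _matches(stmt["Action"], action, case_sensitive=False):
            continue
        if not _matches(stmt["Resource"], resource, case_sensitive=True):
            continue
        if stmt["Effect"] == "Deny":
            # An explicit Deny ends evaluation no matter what else matched.
            return "Deny", f"explicit deny by {stmt.get('Sid', '<no Sid>')}"
        if stmt["Effect"] == "Allow":
            allowed = True  # keep scanning: a later Deny can still override
    return ("Allow", "matched an Allow") if allowed else ("Deny", "implicit deny")


# Constructed statements: a slice of the ReadOnlyAccess grants plus the custom Deny.
AUDITOR_STATEMENTS = [
    {
        "Sid": "ReadOnlySlice",
        "Effect": "Allow",
        "Action": ["s3:Get*", "s3:List*", "iam:Get*", "iam:List*"],
        "Resource": "*",
    },
    {
        "Sid": "HideSensitiveBucket",
        "Effect": "Deny",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::payroll-data", "arn:aws:s3:::payroll-data/*"],
    },
]


def auditor_decision(action, resource):
    """Decision for the auditor user described in the article, using the statements above."""
    return evaluate(AUDITOR_STATEMENTS, action, resource)


if __name__ == "__main__":
    for action, resource in [
        ("s3:GetObject", "arn:aws:s3:::payroll-data/2024/q1.csv"),
        ("s3:GetObject", "arn:aws:s3:::public-logs/access.log"),
        ("s3:PutObject", "arn:aws:s3:::public-logs/access.log"),
        ("iam:GetAccountSummary", "*"),
    ]:
        print(action, resource, "->", auditor_decision(action, resource))
```

Before relying on a Deny in a real account, confirm it with the IAM policy simulator (the SimulatePrincipalPolicy API) rather than with a model like this one, since conditions and resource-based policies also take part in the real decision.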
Enable MFA: For added security, we highly recommend enabling a virtual MFA device for the IAM user via the "Security credentials" tab in the IAM console.
AWS doc for reference: https://docs.aws.amazon.com/signin/latest/userguide/user-types-list.html