How-To: Creating a Security Auditor Role in AWS

Last updated: June 18, 2026

Introduction

This article walks through setting up the permissions an auditor needs in your AWS account. The "security auditor role" here is an IAM user with two AWS managed policies attached, SecurityAudit and ReadOnlyAccess, which together allow a thorough but non-intrusive assessment: the auditor can read configuration and security settings but has no write permissions.

Prerequisites

  • Administrative access to your AWS Management Console.

  • Permissions to create IAM users and manage policy attachments.

Instructions

1. Access the IAM Console
  1. Sign in to the AWS Management Console.

  2. Navigate to the IAM console by searching for "IAM" in the console search bar or by opening https://console.aws.amazon.com/iam/ directly.

2. Start the User Creation Process
  1. In the left-hand navigation pane, click on Users.

  2. Click the Add Users button.

  3. Enter your desired name in the User name field.

  4. Optional: If the user requires access to the console, check the box Provide user access to the AWS Management Console and select I want to create an IAM user.

  5. Click Next.

3. Attach Permissions Policies
  1. In the Set Permissions tab, click the Attach policies directly button.

  2. Use the Filter by Type dropdown to select AWS managed - job function, then type SecurityAudit (one word) in the policy search box and check the box next to the SecurityAudit policy.

  3. Clear the search box, search for ReadOnlyAccess, and check the box to select that policy as well.

  4. Make sure both policies are still selected before you continue; searching only filters the list and does not clear an earlier selection.

  5. Click Next.

4. Complete the Setup
  1. Review your configuration to ensure both policies are listed.

  2. Click the Create User button.
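The same procedure as an added example in boto3, for accounts where you would rather script it than click through the console. This is not code from the original article; it assumes boto3 is installed, that the caller already holds administrative credentials (environment variables, a profile or an instance role), and it uses the user name "security-auditor" and an in-memory FakeIam stand-in (constructed here so the script runs offline), neither of which comes from AWS or the article.

```python
"""Create the auditor IAM user and attach SecurityAudit and ReadOnlyAccess.

Added example, not from the original article. Run with --live to act on the
real account; without it the script exercises the constructed FakeIam below.
"""
import sys

# The two AWS managed job-function policies the article attaches.
SECURITY_AUDIT_ARN = "arn:aws:iam::aws:policy/SecurityAudit"
READ_ONLY_ARN = "arn:aws:iam::aws:policy/ReadOnlyAccess"
AUDITOR_POLICY_ARNS = (SECURITY_AUDIT_ARN, READ_ONLY_ARN)


def create_auditor_user(iam, user_name):
    """Create `user_name` and attach both auditor policies.

    `iam` is anything exposing the boto3 IAM client methods used here, so the
    function can run offline against FakeIam. create_user fails if the user
    already exists, which is the behaviour you want for a one-shot setup.
    Returns the set of managed policy ARNs now attached to the user.
    """
    iam.create_user(UserName=user_name)
    for arn in AUDITOR_POLICY_ARNS:
        iam.attach_user_policy(UserName=user_name, PolicyArn=arn)
    return attached_policy_arns(iam, user_name)


def attached_policy_arns(iam, user_name):
    """Return the set of managed policy ARNs attached directly to the user,
    following the Marker pagination the real API uses."""
    arns = set()
    kwargs = {"UserName": user_name}
    while True:
        page = iam.list_attached_user_policies(**kwargs)
        arns.update(p["PolicyArn"] for p in page["AttachedPolicies"])
        if not page.get("IsTruncated"):
            return arns
        kwargs["Marker"] = page["Marker"]


def verify_auditor(attached, expected=AUDITOR_POLICY_ARNS):
    """Return (missing, extra): expected policies that are not attached, and
    attached policies beyond the two the article calls for. Anything in
    `extra` deserves a look, since it may grant write access."""
    expected = set(expected)
    return sorted(expected - attached), sorted(attached - expected)


class FakeIam:
    """Constructed in-memory stand-in for the boto3 IAM client (not boto3)."""

    def __init__(self):
        self.users = {}

    def create_user(self, UserName):
        if UserName in self.users:
            raise ValueError("EntityAlreadyExists: %s" % UserName)
        self.users[UserName] = []
        return {"User": {"UserName": UserName}}

    def attach_user_policy(self, UserName, PolicyArn):
        if PolicyArn not in self.users[UserName]:
            self.users[UserName].append(PolicyArn)
        return {}

    def list_attached_user_policies(self, UserName, Marker=None):
        policies = [{"PolicyArn": a, "PolicyName": a.rsplit("/", 1)[1]}
                    for a in self.users[UserName]]
        return {"AttachedPolicies": policies, "IsTruncated": False}


if __name__ == "__main__":
    if "--live" in sys.argv:
        import boto3  # imported lazily so the offline path needs no boto3
        client = boto3.client("iam")
    else:
        client = FakeIam()
    attached = create_auditor_user(client, "security-auditor")
    missing, extra = verify_auditor(attached)
    print("attached:", sorted(attached))
    print("missing:", missing, "extra:", extra)
```

The verify step is the part worth keeping around: run attached_policy_arns and verify_auditor again later in the engagement to confirm nobody has quietly added a policy to the auditor user.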

Expected Outcome

You have now created a user that acts as a security auditor. SecurityAudit grants the metadata reads an assessment needs (IAM, CloudTrail, Config and the like), and ReadOnlyAccess fills in read access to the rest of the account. Neither policy grants create, update or delete actions, so the auditor cannot modify your resources. Note, however, that ReadOnlyAccess includes data-plane reads such as s3:GetObject and dynamodb:GetItem, so this user can read the contents of objects and tables, not only their configuration. If the auditor should see metadata only, attach ViewOnlyAccess instead of ReadOnlyAccess, or add an explicit Deny for the sensitive resources as described below.

Troubleshooting & Best Practices

  • Programmatic Access: If the assessment needs the CLI or SDKs, generate an access key pair (Access Key ID and Secret Access Key) from the user's "Security credentials" tab. The secret is shown only once, so download it immediately and store it in a secrets manager rather than a shared document. Access keys are long-lived credentials: create them only for the duration of the assessment and delete them when it ends. If the auditor already has an identity elsewhere, letting them assume an IAM role for temporary credentials avoids a long-lived key altogether.

  • Protecting Sensitive Data: To keep specific resources (for example, a particular S3 bucket) out of the auditor's view, attach an additional inline or customer-managed policy containing an explicit Deny for those resources. Policy evaluation always gives an explicit Deny precedence over any Allow, regardless of which policy grants the Allow, so the Deny takes effect even though ReadOnlyAccess allows s3:Get* on every bucket.

  • Enable MFA: For added security, we highly recommend enabling a virtual MFA device for the IAM user via the "Security credentials" tab in the IAM console. Keep in mind that MFA protects console sign-in; API calls made with the user's access keys are not challenged for MFA unless a policy requires it through the aws:MultiFactorAuthPresent condition key, which is the pattern the AWS example policy referenced in the note below relies on.

    Note: A virtual MFA device is an authenticator app (such as Google Authenticator or Authy) installed on a physical device like a smartphone or tablet. Physical access to that device is required to complete setup: the enrollment wizard asks you to enter two consecutive one-time codes generated live by the app, so enrollment cannot be finished without the device in hand. Because of this, AWS recommends letting each user configure their own MFA device rather than having an admin do it on their behalf. For that, the user must be granted the necessary IAM permissions; see the AWS example policy "AWS: Allows MFA-authenticated IAM users to manage their own MFA device on the Security credentials page".

    Steps to enable:

    1. Open the user's Security credentials tab in the IAM console.

    2. Under Multi-factor authentication (MFA), click Assign MFA device.

    3. Enter a Device name, select Authenticator app, and click Next.

    4. Open the authenticator app and scan the QR code or enter the secret key manually.

    5. Enter the current code in MFA code 1. Wait up to 30 seconds for a new code, then enter it in MFA code 2.

    6. Click Add MFA.

    Important: Submit both codes immediately after generating them. Waiting too long will cause the device to be added but fall out of sync. If this happens, the device will need to be resynced.

  • AWS documentation for reference: https://docs.aws.amazon.com/signin/latest/userguide/user-types-list.html
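The explicit Deny from the Protecting Sensitive Data bullet, as an added example that is not part of the original article. The deny_bucket_policy function builds the policy document for any bucket name (the article's case is one bucket; "payroll-exports" and the "security-auditor" user name are assumptions), and is_allowed is a deliberately simplified model of IAM evaluation, covering only Effect, Action and Resource with wildcards (no Condition, NotAction, NotResource, resource policies, permissions boundaries or SCPs). READ_ONLY_S3_SUBSET is a constructed two-action stand-in for the S3 part of ReadOnlyAccess, not the real policy. Use the evaluator to reason about policy shape, not as an authority on real access.

```python
"""Explicit Deny for a sensitive bucket, plus a minimal evaluator showing that
the Deny overrides the auditor's Allow. Added example, not from the article."""
import fnmatch
import json

# Constructed stand-in for the S3 part of ReadOnlyAccess (the real policy
# lists many more actions; these two are among them).
READ_ONLY_S3_SUBSET = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:Get*", "s3:List*"],
                   "Resource": "*"}],
}


def deny_bucket_policy(bucket_name, sid="DenyAuditorSensitiveBucket"):
    """Explicit Deny of every S3 action on the bucket and on its objects.
    Both ARN forms are needed: ListBucket is evaluated against the bucket
    ARN, GetObject against the object ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": sid,
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::%s" % bucket_name,
                         "arn:aws:s3:::%s/*" % bucket_name],
        }],
    }


def policy_document_json(policy):
    """Serialise for `aws iam put-user-policy --policy-document file://...`."""
    return json.dumps(policy, indent=2)


def _as_list(value):
    # IAM accepts a single string or a list for Statement, Action, Resource.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards: '*' matches any run of characters (including '/'),
    # '?' matches one. fnmatchcase keeps the comparison case-sensitive.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def is_allowed(policies, action, resource):
    """Simplified identity-based evaluation: implicit deny by default, any
    matching explicit Deny wins immediately, otherwise allowed only if some
    Allow statement matches. Policy order does not matter."""
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc["Statement"]):
            # Action names are case-insensitive; resource ARNs are not.
            actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
            if not _matches(actions, action.lower()):
                continue
            if not _matches(stmt.get("Resource", []), resource):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    deny = deny_bucket_policy("payroll-exports")
    print(policy_document_json(deny))
    obj = "arn:aws:s3:::payroll-exports/2024/q1.csv"
    print("ReadOnly alone     ->", is_allowed([READ_ONLY_S3_SUBSET], "s3:GetObject", obj))
    print("ReadOnly plus Deny ->", is_allowed([READ_ONLY_S3_SUBSET, deny], "s3:GetObject", obj))
```

Save the printed document as deny.json and attach it with `aws iam put-user-policy --user-name security-auditor --policy-name DenyPayrollBucket --policy-document file://deny.json`. Denying s3:* rather than only s3:GetObject also blocks ListBucket and GetBucketPolicy, so the auditor cannot even confirm the bucket exists or read its configuration; narrow the Action list if the configuration itself is in scope.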
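What the two enrollment codes in the Enable MFA note actually are, as an added example that is not part of the original article or of any AWS code. A virtual MFA device implements RFC 6238 TOTP: each code is HOTP over a counter equal to the current Unix time divided by 30, so "two consecutive codes" means counters n and n+1, the second of which only exists once the 30-second boundary has passed, and submitting them late means the verifier's clock has already moved on to a later counter, which is the out-of-sync state the note describes. The secret used is the RFC 6238 reference secret, not an AWS-issued one; that AWS presents the seed as a base32 "secret key" when you choose not to scan the QR code is an assumption of decode_secret_key.

```python
"""RFC 6238 TOTP as used by virtual MFA devices, to show why the AWS
enrollment wizard asks for two consecutive codes. Added example."""
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # time step used by virtual MFA devices
DIGITS = 6

# RFC 6238 reference secret (Appendix B), used here as constructed test input.
RFC_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a 31-bit integer, reduced to `digits` digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, unix_time):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / 30)."""
    return hotp(secret, unix_time // STEP_SECONDS)


def seconds_until_next_code(unix_time):
    """How long the code shown at `unix_time` stays current."""
    return STEP_SECONDS - unix_time % STEP_SECONDS


def enrollment_codes(secret, unix_time):
    """The pair the wizard asks for: the code valid now (counter n) and the
    one the app will show after the next 30-second boundary (counter n+1).
    Type them as soon as the second appears; if the verifier's clock has
    moved to counter n+2 or beyond by then, the device enrols out of sync."""
    n = unix_time // STEP_SECONDS
    return hotp(secret, n), hotp(secret, n + 1)


def decode_secret_key(shown_key):
    """Turn a base32 secret key (as shown in place of the QR code; assumption)
    into the raw seed. Spaces and case are ignored and padding restored."""
    cleaned = shown_key.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


if __name__ == "__main__":
    import time
    now = int(time.time())
    first, second = enrollment_codes(RFC_SECRET, now)
    print("MFA code 1:", first)
    print("MFA code 2:", second, "(appears in %d s)" % seconds_until_next_code(now))
```

Because the code depends only on the seed and the clock, any device whose clock is wrong produces codes for the wrong counter; that is why a device "falls out of sync" and why resyncing (which again takes two consecutive codes) fixes it.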