On Dec 16, 2021

Get Email Notification On AWS IAM User Creation

Vinayak Pandey

Example CloudWatch rule and Lambda function to send an email via SES whenever an IAM user is created

In an enterprise environment, keeping track of IAM users can be a tedious task. The recommended best practice is to integrate your company's identity provider, such as Okta, with AWS SSO so that users and groups stay in sync and nobody needs a long-lived IAM user at all. To avoid mishaps, I also recommend restricting access so that only a small set of admins can create IAM users, never general users. Even for those admins, write explicit policies so that ad-hoc IAM user creation isn't allowed; use roles wherever possible.

In this post, I'll walk through a method to get notified by email whenever an IAM user is created, so you can respond accordingly.

Prerequisite: CloudTrail (logging management events) and SES must already be configured in your AWS account.

Step 1: Create a role for Lambda with the following policy, which grants only the one SES action the function needs:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ses:SendEmail",
                "Resource": "*"
            }
        ]
    }

Also attach the AWSLambdaBasicExecutionRole managed policy to this role so the function can write its logs to CloudWatch Logs.

Step 2: Create a Lambda function with a Python 3.7 runtime and a 2-minute timeout. Set two environment variables for this function:

Source: the email address the notification is sent from; it must be a verified SES identity. Recipient: the receiver's email address; while the account is still in the SES sandbox, this address must be verified in SES as well.

Use the code provided at https://raw.githubusercontent.com/vinycoolguy2015/awslambda/master/iam_notification.py for this Lambda function.

import boto3
import os
import re

ses_client = boto3.client('ses')


def lambda_handler(event, context):
    detail = event['detail']
    # CloudTrail also records failed CreateUser calls (for example AccessDenied);
    # those carry errorCode and a null responseElements, so bail out before indexing.
    if not detail.get('responseElements'):
        return
    CreatedDate = detail['responseElements']['user']['createDate']
    Username = detail['responseElements']['user']['userName']
    identity = detail['userIdentity']
    # The bodies of these two branches were lost in extraction; they are
    # reconstructed from the standard CloudTrail userIdentity fields.
    if identity['type'] == 'IAMUser':
        CreatedBy = identity['userName']
    elif identity['type'] == 'AssumedRole':
        # arn:aws:sts::<account>:assumed-role/<role>/<session name>
        CreatedBy = identity['arn']
    else:
        CreatedBy = ''
    # Usernames matching this pattern are skipped; see the note below.
    pattern = '^d'
    result = re.match(pattern, Username.lower().strip())
    if not result:
        if CreatedBy == '':
            Data = ' User ' + Username + ' got created on ' + CreatedDate
        else:
            Data = ' User ' + Username + ' got created on ' + CreatedDate + ' by ' + CreatedBy
        send_email("IAM Notification", Data)


def send_email(subject, body):
    ses_client.send_email(
        Source=os.environ['Source'],
        Destination={'ToAddresses': [os.environ['Recipient']]},
        Message={
            'Subject': {'Data': subject},
            'Body': {'Text': {'Data': body}}
        })

Note that if you have users that get created automatically by applications such as HashiCorp Vault, you can exclude them so that you don't get unnecessary notifications. To do that, modify the pattern variable in the code. Be aware of the blind spot this creates: whoever calls CreateUser chooses the username, so anyone who learns the excluded prefix can create a user that never triggers an email. Filtering on the creating principal (the userIdentity block, which CloudTrail fills in and the caller cannot choose) is the safer way to exempt automation.

Step 3: Next, create a CloudWatch Events (EventBridge) rule which will trigger this Lambda. Use the event pattern below to create the rule, then add your Lambda as a target for this rule, and you're all set. Two things to check: IAM is a global service and its CloudTrail events are delivered only in us-east-1, so the rule must be created in that region; and the rule matches every CreateUser call CloudTrail records, including denied ones, which carry an errorCode and no responseElements.

{
  "source": [
    "aws.iam"
  ],
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": [
      "iam.amazonaws.com"
    ],
    "eventName": [
      "CreateUser"
    ]
  }
}
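The three steps above are worth seeing end to end against real-shaped events. The following is an added example, not code from the original post or from the linked repository: it applies the same filter as the rule, derives the creator for every CloudTrail userIdentity type (IAM user, assumed role with its session name, root), reports denied CreateUser attempts instead of crashing on their missing responseElements, and exempts automation by the role that made the call rather than by a username prefix. The role name vault-aws-secrets-engine and the sample events are constructed for the example.

```python
"""Added example, not code from the original post: the same CreateUser
handling as the Lambda above, but with the creator derived for every
CloudTrail userIdentity type, denied calls reported instead of crashing
the handler, and automation exempted by the role that made the call
rather than by a username prefix."""

# Assumption: Vault's AWS secrets engine creates its dynamic users by
# assuming this role.  The name is hypothetical.
AUTOMATION_ROLES = {"vault-aws-secrets-engine"}


def matches_rule(event):
    """Apply the same filter as the EventBridge rule, so a batch of raw
    events can be replayed through the handler locally."""
    d = event.get("detail", {})
    return (event.get("source") == "aws.iam"
            and event.get("detail-type") == "AWS API Call via CloudTrail"
            and d.get("eventSource") == "iam.amazonaws.com"
            and d.get("eventName") == "CreateUser")


def caller_role(identity):
    """Role name behind an AssumedRole identity, else None."""
    if identity.get("type") != "AssumedRole":
        return None
    return identity["sessionContext"]["sessionIssuer"]["userName"]


def describe_caller(identity):
    """Human-readable creator built from CloudTrail's userIdentity block."""
    kind = identity.get("type")
    if kind == "IAMUser":
        return "IAM user " + identity["userName"]
    if kind == "AssumedRole":
        # The STS ARN ends in <role>/<session name>; the session name is what
        # tells you which human or workload sat behind a shared admin role.
        session = identity["arn"].rsplit("/", 1)[-1]
        return "role %s (session %s)" % (caller_role(identity), session)
    if kind == "Root":
        return "the root user"
    return identity.get("arn", "unknown principal")


def notification_for(event):
    """Return the email body for a CreateUser event, or None to stay silent."""
    if not matches_rule(event):
        return None
    d = event["detail"]
    who = describe_caller(d["userIdentity"])
    if d.get("errorCode"):
        # Denied attempts have no responseElements.  Indexing into them is
        # what would crash a handler; here they become an alert instead.
        return "CreateUser attempt by %s was denied: %s" % (who, d["errorCode"])
    if caller_role(d["userIdentity"]) in AUTOMATION_ROLES:
        # Expected automation.  The creator comes from CloudTrail, so the
        # caller cannot pick it the way they can pick a username.
        return None
    user = d["responseElements"]["user"]
    return "User %s got created on %s by %s" % (
        user["userName"], user["createDate"], who)


# Constructed sample events shaped like CloudTrail-via-EventBridge delivery
# (not captured from a real account).
def sample_event(identity, username="alice", error_code=None):
    detail = {
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser",
        "awsRegion": "us-east-1",
        "userIdentity": identity,
        "requestParameters": {"userName": username},
        "responseElements": None,
    }
    if error_code:
        detail["errorCode"] = error_code
    else:
        detail["responseElements"] = {"user": {
            "userName": username,
            "arn": "arn:aws:iam::123456789012:user/" + username,
            "createDate": "Dec 16, 2021 9:00:00 AM"}}
    return {"source": "aws.iam", "detail-type": "AWS API Call via CloudTrail",
            "detail": detail}


IAM_USER = {"type": "IAMUser", "userName": "bob",
            "arn": "arn:aws:iam::123456789012:user/bob"}
ADMIN_ROLE = {"type": "AssumedRole",
              "arn": "arn:aws:sts::123456789012:assumed-role/AdminRole/jane",
              "sessionContext": {"sessionIssuer": {"userName": "AdminRole"}}}
VAULT_ROLE = {"type": "AssumedRole",
              "arn": "arn:aws:sts::123456789012:assumed-role/vault-aws-secrets-engine/vault-token-42",
              "sessionContext": {"sessionIssuer": {"userName": "vault-aws-secrets-engine"}}}

if __name__ == "__main__":
    for ev in (sample_event(IAM_USER), sample_event(ADMIN_ROLE),
               sample_event(VAULT_ROLE, username="vault-token-42-alice"),
               sample_event(IAM_USER, error_code="AccessDenied")):
        print(notification_for(ev))
```

Run it as a script to see one line per sample event; in a Lambda you would call notification_for(event) and pass any non-None result to the send_email function from the post. Note that the denied-call check runs before the automation exemption on purpose: a CreateUser attempt that Vault's own role is not allowed to make is exactly the kind of thing you want to hear about.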

Now, any time someone creates an IAM user, you will get an email notification like this:

(Screenshot: the "IAM User Creation Notification" email)

Photo by Volodymyr Hryshchenko on Unsplash
