iamspectre — Cross-cloud IAM auditor for AWS, GCP, and Azure AD. Part of SpectreHub.
- Scans IAM resources across AWS, GCP, and Azure AD
- Detects stale users, unused roles, wildcard policies, missing MFA, and expired secrets
- Checks credential reports, key ages, service account bindings, and directory roles
- Each finding includes severity and actionable recommendation
- Outputs text, JSON, SARIF, and SpectreHub formats
- Not a remediation tool — reports only, never modifies IAM resources
- Not a real-time monitor — point-in-time scanner
- Not a cost estimator — IAM findings are security risks, not dollar waste
- Not a CSPM replacement — focuses on identity and access only
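
The credential-report checks listed above (missing MFA, stale users, key age) can be illustrated on AWS with a short script over the IAM credential report CSV. This is an added example, not iamspectre's code: the 90-day threshold, check names, severities and sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timezone

MAX_AGE_DAYS = 90  # assumed threshold, not iamspectre's default

# Constructed sample: a subset of the AWS credential report columns.
SAMPLE_REPORT = """\
user,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
alice,true,2025-05-30T09:00:00+00:00,true,false,N/A,N/A
bob,true,2024-01-10T12:00:00+00:00,false,true,2023-02-01T00:00:00+00:00,2024-01-09T00:00:00+00:00
ci-deploy,false,N/A,false,true,2025-04-01T00:00:00+00:00,2025-05-31T00:00:00+00:00
"""


def age_days(value, now):
    """Days since an ISO 8601 timestamp; None for N/A, no_information, or empty."""
    try:
        return (now - datetime.fromisoformat(value)).days
    except (TypeError, ValueError):
        return None


def audit(report_csv, now):
    """Return (user, check, severity) tuples for one credential report."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row.get("password_enabled") == "true":
            if row.get("mfa_active") != "true":
                findings.append((user, "missing_mfa", "high"))
            idle = age_days(row.get("password_last_used"), now)
            if idle is None or idle > MAX_AGE_DAYS:
                findings.append((user, "stale_console_user", "medium"))
        for n in ("1", "2"):  # a user can hold up to two access keys
            if row.get(f"access_key_{n}_active") != "true":
                continue
            rotated = age_days(row.get(f"access_key_{n}_last_rotated"), now)
            if rotated is not None and rotated > MAX_AGE_DAYS:
                findings.append((user, f"access_key_{n}_not_rotated", "medium"))
            used = age_days(row.get(f"access_key_{n}_last_used_date"), now)
            if used is None or used > MAX_AGE_DAYS:
                findings.append((user, f"access_key_{n}_unused", "medium"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REPORT, datetime(2025, 6, 1, tzinfo=timezone.utc)):
        print(*finding)
```

A console user whose `password_last_used` is `N/A` or `no_information` is treated as stale here, since the report gives no evidence of a login.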

```bash
brew tap ppiankov/tap
brew install iamspectre
```

```bash
git clone https://github.com/ppiankov/iamspectre.git
cd iamspectre
make build
```

```bash
iamspectre scan --provider aws --format json
```

| Command | Description |
|---|---|
| `iamspectre scan` | Scan IAM resources across cloud providers |
| `iamspectre init` | Generate config file and IAM permissions |
| `iamspectre version` | Print version |

iamspectre feeds IAM hygiene findings into SpectreHub for unified visibility across your infrastructure.

```bash
spectrehub collect --tool iamspectre
```

iamspectre operates in read-only mode. It inspects and reports — never modifies, deletes, or alters your IAM resources.

| Document | Contents |
|---|---|
| CLI Reference | Full command reference, flags, and configuration |
MIT — see LICENSE.
Built by Obsta Labs