There are two interesting tools for checking your IAM usage:
Repokid. Repokid uses Access Advisor provided by Aardvark to remove permissions granting access to unused services from the inline policies of IAM roles in an AWS account. https://github.com/Netflix/repokid
CloudTracker. CloudTracker helps you find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies. https://github.com/duo-labs/cloudtracker
Repokid needs a database in AWS, and CloudTracker works with information that you download.
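The kind of comparison described for CloudTracker, CloudTrail calls against granted IAM actions, can be sketched as follows. This is an added example, not code from CloudTracker or Repokid; the ARNs, events and policy are constructed, and the function names are hypothetical.

```python
import fnmatch

ALICE = "arn:aws:iam::111122223333:user/alice"  # placeholder principal
BOB = "arn:aws:iam::111122223333:user/bob"      # placeholder principal

def _ev(source, name, arn, **extra):  # constructed CloudTrail record, only the fields used here
    return {"eventSource": source, "eventName": name, "userIdentity": {"arn": arn}, **extra}

# Constructed sample data, not output from a real account.
EVENTS = [
    _ev("ec2.amazonaws.com", "DescribeInstances", ALICE),
    _ev("s3.amazonaws.com", "CreateBucket", ALICE),
    _ev("ec2.amazonaws.com", "RunInstances", ALICE, errorCode="Client.UnauthorizedOperation"),
    _ev("iam.amazonaws.com", "ListUsers", BOB),
]
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "s3:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*"},
]}

def observed_actions(events, principal_arn):
    """Successful calls by one principal, as lower-cased 'service:action'."""
    seen = set()
    for ev in events:
        if ev.get("userIdentity", {}).get("arn") != principal_arn:
            continue
        if "errorCode" in ev:  # a failed or denied call does not show a grant in use
            continue
        # Simplification: eventSource prefix and eventName do not match IAM names for every API.
        service = ev["eventSource"].split(".")[0]
        seen.add(f"{service}:{ev['eventName']}".lower())
    return seen

def granted_patterns(policy):
    """Action patterns from Allow statements (Action may be a string or a list)."""
    stmts = policy["Statement"]
    patterns = []
    for s in [stmts] if isinstance(stmts, dict) else stmts:
        if s.get("Effect") == "Allow" and "Action" in s:
            acts = s["Action"]
            patterns += [acts] if isinstance(acts, str) else list(acts)
    return patterns

def unused_grants(policy, events, principal_arn):
    """Allow patterns that match none of the principal's observed calls."""
    seen = observed_actions(events, principal_arn)
    return [p for p in granted_patterns(policy)
            if not any(fnmatch.fnmatchcase(a, p.lower()) for a in seen)]
```

Calls that CloudTrail does not record by default, such as S3 object-level data events, will show up as unused here, so treat the result as a list of candidates to review before removing anything.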