
In the AWS console, I can assign an IAM user to a group whose permissions are defined by associated policies.

The credential report in IAM seems to only report some basic attributes of each IAM user and its last login time (inferred from various fields such as password_last_used and access_key_1_last_used_date). But it does not tell me the group- or role-level information.

Is there any way I can monitor any attempt, successful or otherwise, to change these permissions?

Anthony Kong

1 Answer


CloudTrail lets you monitor all API calls to AWS. This will do what I think you want. In their words:

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain events related to API calls across your AWS infrastructure. CloudTrail provides a history of AWS API calls for your account, including API calls made through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This history simplifies security analysis, resource change tracking, and troubleshooting.

AWS Config is similar, in that it lets you monitor and version control configurations of AWS resources. In their words:

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. With Config, you can review changes in configurations and relationships between AWS resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. This enables you to simplify compliance auditing, security analysis, change management, and operational troubleshooting.

There are also third party tools, paid and open source, that provide similar services with better user interfaces, or user interfaces to these services.

Tim
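To make the CloudTrail suggestion concrete, here is an added example (not part of the answer above, and not an AWS-provided tool) that reads CloudTrail records in the JSON shape CloudTrail writes to S3 and pulls out the IAM calls that change group membership or attached policies, including attempts that failed with an errorCode. The log records embedded below are constructed for the example; the account id, user names and IP addresses are made up, and the set of event names to watch is my own selection of IAM APIs, not an official list.

```python
import json
from typing import Dict, Iterable, List

# IAM API calls that change who holds which permissions. This is an assumed
# selection chosen for the asker's case (group membership and policy attachment);
# extend it as needed. Read-only calls such as GetUser are deliberately absent.
PERMISSION_CHANGE_EVENTS = {
    "AddUserToGroup", "RemoveUserFromGroup",
    "AttachUserPolicy", "DetachUserPolicy", "PutUserPolicy", "DeleteUserPolicy",
    "AttachGroupPolicy", "DetachGroupPolicy", "PutGroupPolicy", "DeleteGroupPolicy",
    "AttachRolePolicy", "DetachRolePolicy", "PutRolePolicy", "DeleteRolePolicy",
    "UpdateAssumeRolePolicy", "CreatePolicyVersion", "SetDefaultPolicyVersion",
}

# Constructed sample log in the {"Records": [...]} layout of a CloudTrail S3 object.
# Record 2 is a denied attempt (errorCode present); records 3 and 4 are noise.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2016-01-05T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AddUserToGroup", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"groupName": "Admins", "userName": "bob"}},
    {"eventTime": "2016-01-05T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
     "errorCode": "AccessDenied",
     "errorMessage": "User: arn:aws:iam::123456789012:user/bob is not authorized "
                     "to perform: iam:AttachUserPolicy"},
    {"eventTime": "2016-01-05T10:06:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "GetUser", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"userName": "bob"}},
    {"eventTime": "2016-01-05T10:10:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": None},
    {"eventTime": "2016-01-05T10:20:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "PutUserPolicy", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"userName": "bob", "policyName": "S3FullAccess",
                           "policyDocument": "{\"Version\": \"2012-10-17\", \"Statement\": []}"}},
]})


def load_records(cloudtrail_json: str) -> List[Dict]:
    """Parse the JSON body of one CloudTrail log file into its list of records."""
    return json.loads(cloudtrail_json)["Records"]


def describe_target(params: Dict) -> str:
    """Summarise which principal/policy a request touched, in a fixed key order."""
    keys = ("userName", "groupName", "roleName", "policyName", "policyArn")
    return ", ".join(f"{k}={params[k]}" for k in keys if k in params)


def extract_permission_changes(records: Iterable[Dict]) -> List[Dict]:
    """Return one finding per IAM permission-changing call, successful or denied."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue  # not an IAM call at all
        if rec.get("eventName") not in PERMISSION_CHANGE_EVENTS:
            continue  # IAM call that does not alter permissions (e.g. GetUser)
        error = rec.get("errorCode")  # present only when the call was rejected
        findings.append({
            "eventTime": rec.get("eventTime"),
            "eventName": rec["eventName"],
            "actor": rec.get("userIdentity", {}).get("arn", "<unknown>"),
            "sourceIP": rec.get("sourceIPAddress"),
            # requestParameters can be null in CloudTrail, hence the "or {}"
            "target": describe_target(rec.get("requestParameters") or {}),
            "outcome": "success" if error is None else f"failed ({error})",
        })
    return findings


if __name__ == "__main__":
    for f in extract_permission_changes(load_records(SAMPLE_LOG)):
        print(f"{f['eventTime']} {f['outcome']:22} {f['eventName']:18} "
              f"by {f['actor']} from {f['sourceIP']} -> {f['target']}")
```

Run against the sample it reports the successful AddUserToGroup, the denied AttachUserPolicy and the PutUserPolicy, and drops GetUser and the EC2 call. The same function works on records pulled from the CloudTrail S3 bucket; for ongoing monitoring rather than after-the-fact review, the usual pattern is to wire the CloudTrail log group into CloudWatch metric filters or alarms on these event names, which is what the "continuously monitor" phrase in the answer refers to.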