So I found out what the issue was: the patterns I was attempting to use were scoped either too broadly or too narrowly. Monitoring IAM in this way requires following this guide, and when it tells you the event pattern to input as a CloudWatch Event pattern, you need to specify EXACTLY the event names that you require.
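It's fairly long, but it demonstrates how thorough you need to be and that no globbing is supported. Because matching is exact, any IAM call that is not listed (for example DeleteUser, DeleteRole or DeleteAccessKey, none of which appear below) will not trigger the rule, so extend the list to cover everything you need to monitor. Here is the pattern I ended up with: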
{
"source": [
"aws.iam"
],
"detail-type": [
"AWS API Call via CloudTrail"
],
"detail": {
"eventSource": [
"iam.amazonaws.com"
],
"eventName": [
"AddClientIDToOpenIDConnectProvider",
"AddRoleToInstanceProfile",
"AddUserToGroup",
"ChangePassword",
"CreateAccessKey",
"CreateAccountAlias",
"CreateInstanceProfile",
"CreateLoginProfile",
"CreateOpenIDConnectProvider",
"CreateRole",
"CreateSAMLProvider",
"CreateServiceLinkedRole",
"CreateServiceSpecificCredential",
"CreateUser",
"CreateVirtualMFADevice",
"DeactivateMFADevice",
"DeleteVirtualMFADevice",
"EnableMFADevice",
"ResyncMFADevice",
"UpdateAccessKey",
"UpdateAccountPasswordPolicy",
"UpdateGroup",
"UpdateLoginProfile",
"UpdateOpenIDConnectProviderThumbprint",
"UpdateRoleDescription",
"UpdateSAMLProvider",
"UpdateServerCertificate",
"UpdateServiceSpecificCredential",
"UpdateSigningCertificate",
"UpdateSSHPublicKey",
"UpdateUser",
"UploadServerCertificate",
"UploadSigningCertificate",
"UploadSSHPublicKey",
"AttachGroupPolicy",
"AttachRolePolicy",
"AttachUserPolicy",
"CreatePolicy",
"CreatePolicyVersion",
"DeleteAccountPasswordPolicy",
"DeleteGroupPolicy",
"DeletePolicy",
"DeletePolicyVersion",
"DeleteRolePolicy",
"DeleteUserPolicy",
"DetachGroupPolicy",
"DetachRolePolicy",
"DetachUserPolicy",
"PutGroupPolicy",
"PutRolePolicy",
"PutUserPolicy",
"SetDefaultPolicyVersion",
"UpdateAssumeRolePolicy"
]
}
}