About AWS Key disabler
AWS Key disabler is a tool that protects AWS IAM user access keys: it disables any IAM user access key that is older than a configured number of days, reducing the risk that stale access keys pose.
Tool workflow
AWS Key disabler is essentially a Lambda function, and its functionality is implemented through the following workflow:
Requirements
The current version of the AWS Key disabler script requires the following components:
1. Node.js and NPM;
2. Grunt.js;
3. The AWS CLI command-line tool;
4. An AWS account with SES enabled, a verified domain, and sandbox mode removed;
Developer toolchain
Installation
Note that the installation commands below apply only to macOS; the commands for Windows and *nix may differ somewhat.
First, clone the project source code to your machine with the following command:
git clone https://github.com/te-papa/aws-key-disabler.git
Change into the /grunt directory, set up the Grunt task runner, and install the dependencies:
cd grunt/
npm install
Then add the following settings to the /grunt/package.json file:
1. Set aws_account_number to your AWS account number;
2. Set first_warning and last_warning, the key ages in days at which alert emails (sent to report_to) are triggered;
3. Set expiry, the key age in days after which a key expires; when a key expires, the user is notified by email;
4. Set serviceaccount, the user names of accounts the script should ignore;
5. Set exclusiongroup, the name of a group whose member users the script should ignore;
6. Set send_completion_report to True to send notification emails through SES;
7. Set report_to, the email address that receives alerts and reports;
8. Set report_from, the email address used to send warning emails and reports;
9. Set deployment_region, a region in which Lambda is supported;
Next, make sure the command-line interface is connected to AWS; the following command verifies that the connection works:
aws iam get-user
In the command-line interface, change into the /grunt directory and run the following command to deploy the tool:
grunt bumpup && grunt deployLambda
Usage
Invoking the Lambda function manually from the AWS CLI
The Lambda function can be invoked directly by name, with the scan output written to the file scan.report.log:
aws lambda invoke --function-name AccessKeyRotation scan.report.log --region us-east-1
{
"StatusCode": 200
}
Use jq to view the contents of scan.report.log in the terminal:
jq '.' scan.report.log
{
"reportdate": "2016-06-26 10:37:24.071091",
"users": [
{
"username": "TestS3User",
"userid": "1",
"keys": [
{
"age": 72,
"changed": false,
"state": "key is already in an INACTIVE state",
"accesskeyid": "**************Q3GA1"
},
{
"age": 12,
"changed": false,
"state": "key is still young",
"accesskeyid": "**************F3AA2"
}
]
},
{
"username": "BlahUser22",
"userid": "2",
"keys": []
},
{
"username": "LambdaFake1",
"userid": "3",
"keys": [
{
"age": 23,
"changed": false,
"state": "key is due to expire in 1 week (7 days)",
"accesskeyid": "**************DFG12"
},
{
"age": 296,
"changed": false,
"state": "key is already in an INACTIVE state",
"accesskeyid": "**************4ZASD"
}
]
},
{
"username": "apiuser49",
"userid": "4",
"keys": [
{
"age": 30,
"changed": true,
"state": "key is now EXPIRED! Changing key to INACTIVE state",
"accesskeyid": "**************ER2E2"
},
{
"age": 107,
"changed": false,
"state": "key is already in an INACTIVE state",
"accesskeyid": "**************AWQ4K"
}
]
},
{
"username": "UserEMRKinesis",
"userid": "5",
"keys": [
{
"age": 30,
"changed": false,
"state": "key is now EXPIRED! Changing key to INACTIVE state",
"accesskeyid": "**************MGB41A"
}
]
},
{
"username": "CDN-Drupal",
"userid": "6",
"keys": [
{
"age": 10,
"changed": false,
"state": "key is still young",
"accesskeyid": "**************ZDSQ5A"
},
{
"age": 5,
"changed": false,
"state": "key is still young",
"accesskeyid": "**************E3ODA"
}
]
},
{
"username": "ChocDonutUser1",
"userid": "7",
"keys": [
{
"age": 59,
"changed": false,
"state": "key is already in an INACTIVE state",
"accesskeyid": "**************CSA123"
}
]
},
{
"username": "ChocDonut2",
"userid": "8",
"keys": [
{
"age": 60,
"changed": false,
"state": "key is already in an INACTIVE state",
"accesskeyid": "**************FDGD2"
}
]
},
{
"username": "[email protected]",
"userid": "9",
"keys": [
{
"age": 45,
"changed": false,
"state": "key is already in an INACTIVE state",
"accesskeyid": "**************BLQ5GJ"
},
{
"age": 71,
"changed": false,
"state": "key is already in an INACTIVE state",
"accesskeyid": "**************GJFF53"
}
]
}
]
}
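As an added example (not the project's own code), the following Python models the age policy that the package.json settings above drive and the report format shown: each key's age is compared against first_warning and expiry, users on the serviceaccount list are skipped, and the caller receives both the report and the keys a real run would set to Inactive. The thresholds, the in-memory IAM data and the key ids are constructed assumptions.

```python
# Added example, not the project's code: a stand-alone model of the key-age
# policy behind a scan.report.log, run against constructed IAM data.
from datetime import datetime

# Assumed package.json values (days); serviceaccount lists excluded user names.
CONFIG = {"first_warning": 23, "expiry": 30,
          "serviceaccount": ["CDN-Drupal"]}
TODAY = datetime(2016, 6, 26)  # constructed scan date matching the sample

# Constructed stand-in for IAM list-access-keys output: (id, status, created).
IAM_KEYS = {
    "TestS3User": [("AKIAEXAMPLEQ3GA1", "Inactive", "2016-04-15"),
                   ("AKIAEXAMPLEF3AA2", "Active", "2016-06-14")],
    "LambdaFake1": [("AKIAEXAMPLEDFG12", "Active", "2016-06-03")],
    "apiuser49": [("AKIAEXAMPLEER2E2", "Active", "2016-05-27")],
    "CDN-Drupal": [("AKIAEXAMPLEZDSQ5A", "Active", "2016-06-16")],
}

def mask(key_id):
    """Redact all but the last five characters, as the report does."""
    return "*" * (len(key_id) - 5) + key_id[-5:]

def classify(age, status, cfg):
    """Return (state, changed); changed is True only for Active -> Inactive."""
    if status == "Inactive":
        return "key is already in an INACTIVE state", False
    if age >= cfg["expiry"]:
        return "key is now EXPIRED! Changing key to INACTIVE state", True
    if age >= cfg["first_warning"]:
        days = cfg["expiry"] - cfg["first_warning"]
        return f"key is due to expire in 1 week ({days} days)", False
    return "key is still young", False

def scan(iam_keys, cfg, today):
    """Build the report and list the keys a real run would deactivate."""
    report = {"reportdate": str(today), "users": []}
    to_deactivate = []
    for n, (user, keys) in enumerate(iam_keys.items(), 1):
        if user in cfg["serviceaccount"]:
            continue  # excluded service account: never aged or disabled
        entry = {"username": user, "userid": str(n), "keys": []}
        for key_id, status, created in keys:
            age = (today - datetime.strptime(created, "%Y-%m-%d")).days
            state, changed = classify(age, status, cfg)
            if changed:
                to_deactivate.append((user, key_id))
            entry["keys"].append({"age": age, "changed": changed,
                                  "state": state, "accesskeyid": mask(key_id)})
        report["users"].append(entry)
    return report, to_deactivate
```

With the constructed data, scan(IAM_KEYS, CONFIG, TODAY) reproduces the ages 72, 12, 23 and 30 seen in the sample report and flags only the apiuser49 key for deactivation.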
Usage example 1
aws lambda list-functions
openssl dgst -binary -sha256 ..\Releases\AccessKeyRotationPackage.1.0.18.zip | openssl base64
aws lambda invoke --function-name AccessKeyRotation report.log --region us-east-1
jq '.' report.log
jq '.users[] | select(.username=="johndoe")' report.log
jq '.' report.log | grep age | cut -d':' -f2 | sort -n
Usage example 2
jq 'def maximal_by(f): (map(f) | max) as $mx | .[] | select(f == $mx); .users | maximal_by(.keys[].age)' report.log
jq 'def minimal_by(f): (map(f) | min) as $mn | .[] | select(f == $mn); .users | minimal_by(.keys[].age)' report.log
End-user output
License
This project is developed and released under an open-source license.
Project address
AWS Key disabler: https://github.com/te-papa/aws-key-disabler
References
https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/