About AWS Key Disabler
AWS Key Disabler is an AWS IAM access-key protection tool: it disables IAM user access keys once they pass a configured age, reducing the risk posed by long-lived keys.
How the tool works
AWS Key Disabler is essentially a scheduled Lambda function; its workflow is illustrated in the following diagram:
Tool requirements:
The current version of the AWS Key Disabler script requires the following components:
1. Node.js and NPM;
2. Grunt.js;
3. the AWS CLI command-line tool;
4. SES enabled, the sending domain verified, and the AWS account moved out of SES sandbox mode.
Developer toolchain
Tool installation
The installation commands below apply to macOS, Windows and *nix, with minor differences between platforms.
First, clone the project's source code locally:
git clone https://github.com/te-papa/aws-key-disabler.git
Switch to the /grunt directory, where the Grunt task runner is set up, and install the dependencies:
cd grunt/
npm install
Then set the following values in the /grunt/package.json file:
1. aws_account_number: the number of your AWS account;
2. first_warning and last_warning: the key ages, in days, at which warning emails are triggered (sent to report_to);
3. expiry: the key age, in days, after which a key is treated as expired; when a key expires, the user is reminded by email;
4. serviceaccount: the account usernames the script should ignore;
5. exclusiongroup: the name of a group whose members the script should ignore;
6. send_completion_report: set to True to send notification emails via SES;
7. report_to: the email address that receives alerts and reports;
8. report_from: the email address from which warning emails and reports are sent;
9. deployment_region: a region that supports Lambda.
Next, make sure the AWS CLI is authenticated against your account; the following command verifies the connection:
aws iam get-user
Still in the /grunt directory, run the following command to build and deploy the Lambda function:
grunt bumpup && grunt deployLambda
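As an added illustration of what the settings above control (example code written for this page, not the project's own Lambda), the following Python models how a key-age scan classifies each access key and decides which ones to set INACTIVE. The boto3 calls of a real deployment are replaced by constructed sample users, the setting names follow the package.json keys listed above, the state strings follow the format of the scan report shown later on this page, and the rule that serviceaccount and exclusiongroup users are reported but never modified is a design choice of this example.

```python
"""Added example (not the project's code): an offline model of the key-age scan.
boto3 calls are replaced by constructed sample data; the setting names follow
the package.json keys described above and the state strings follow the report
format of the real tool."""
from datetime import datetime, timedelta, timezone

# Constructed settings mirroring the package.json values described above.
SETTINGS = {
    "first_warning": 23,                    # days: first warning e-mail
    "last_warning": 29,                     # days: last warning e-mail
    "expiry": 30,                           # days: key is disabled at this age
    "serviceaccount": ["UserEMRKinesis"],   # usernames the scan never modifies
    "exclusiongroup": "KeyRotationExempt",  # members of this group are exempt
}


def mask_key_id(key_id):
    """Show only the tail of an access key id, as the scan report does."""
    return "*" * 14 + key_id[-5:]


def classify_key(age, status, settings):
    """Map a key's age (days) and IAM status to (state, changed).

    `changed` is True only when the scan would call update-access-key to set
    the key INACTIVE; warnings and already-inactive keys leave it untouched.
    """
    if status == "Inactive":
        return "key is already in an INACTIVE state", False
    if age >= settings["expiry"]:
        return "key is now EXPIRED! Changing key to INACTIVE state", True
    if age >= settings["first_warning"]:
        days_left = settings["expiry"] - age
        stage = "last" if age >= settings["last_warning"] else "first"
        return f"key is due to expire in {days_left} day(s) ({stage} warning)", False
    return "key is still young", False


def is_exempt(user, settings):
    """serviceaccount and exclusiongroup users are reported but never changed."""
    return (user["username"] in settings["serviceaccount"]
            or settings["exclusiongroup"] in user.get("groups", []))


def scan(users, now, settings=SETTINGS):
    """Return (report, to_disable): the JSON-style report and the list of
    (username, access key id) pairs the scan would set INACTIVE."""
    report = {"reportdate": now.strftime("%Y-%m-%d %H:%M:%S.%f"), "users": []}
    to_disable = []
    for idx, user in enumerate(users, start=1):
        exempt = is_exempt(user, settings)
        keys = []
        for key in user["keys"]:
            age = (now - key["CreateDate"]).days
            state, changed = classify_key(age, key["Status"], settings)
            if exempt:
                changed = False   # design choice of this example: report only
            if changed:
                to_disable.append((user["username"], key["AccessKeyId"]))
            keys.append({"age": age, "changed": changed, "state": state,
                         "accesskeyid": mask_key_id(key["AccessKeyId"])})
        report["users"].append({"username": user["username"],
                                "userid": str(idx), "keys": keys})
    return report, to_disable


# Constructed sample input in the shape of IAM list-access-keys metadata.
NOW = datetime(2016, 6, 26, 10, 37, 24, tzinfo=timezone.utc)


def days_ago(n):
    return NOW - timedelta(days=n)


SAMPLE_USERS = [
    {"username": "TestS3User", "groups": [], "keys": [
        {"AccessKeyId": "AKIAEXAMPLE0000Q3GA1", "CreateDate": days_ago(72), "Status": "Inactive"},
        {"AccessKeyId": "AKIAEXAMPLE0000F3AA2", "CreateDate": days_ago(12), "Status": "Active"}]},
    {"username": "BlahUser22", "groups": [], "keys": []},
    {"username": "apiuser49", "groups": [], "keys": [
        {"AccessKeyId": "AKIAEXAMPLE0000ER2E2", "CreateDate": days_ago(30), "Status": "Active"}]},
    {"username": "UserEMRKinesis", "groups": [], "keys": [
        {"AccessKeyId": "AKIAEXAMPLE000MGB41A", "CreateDate": days_ago(30), "Status": "Active"}]},
    {"username": "LambdaFake1", "groups": ["KeyRotationExempt"], "keys": [
        {"AccessKeyId": "AKIAEXAMPLE0000DFG12", "CreateDate": days_ago(23), "Status": "Active"}]},
]

if __name__ == "__main__":
    import json
    rep, actions = scan(SAMPLE_USERS, NOW)
    print(json.dumps(rep, indent=2))
    print("would disable:", actions)
```

In a real deployment the `to_disable` list is where the call to `update-access-key --status Inactive` would go, and the report is what gets written to the output file and mailed to report_to. Keeping the classification separate from the IAM call makes a dry run trivial: run the scan and inspect the list before letting it modify anything.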
Using the tool
Invoking the Lambda function manually with the AWS CLI
We can invoke the function by name and store the scan output in the scan.report.log file:
aws lambda invoke --function-name AccessKeyRotation scan.report.log --region us-east-1
{
"StatusCode": 200
}
Use jq to view the contents of scan.report.log in the terminal:
jq '.' scan.report.log
{
"reportdate": "2016-06-26 10:37:24.071091",
"users": [
{
"username": "TestS3User",
"userid": "1",
"keys": [
{
"age": 72,
"changed": false,
"state": "key is already in an INACTIVE state",
"accesskeyid": "**************Q3GA1"
},
{
"age": 12,
"changed": false,
"state": "key is still young",
"accesskeyid": "**************F3AA2"
}
]
},
{
"username": "BlahUser22",
"userid": "2",
"keys": []
},
{
"username": "LambdaFake1",
"userid": "3",
"keys": [
{
"age": 23,
"changed": false,
"state": "key is due to expire in 1 week (7 days)",
"accesskeyid": "**************DFG12"
},
{
"age": 296,
"changed": false,
"state": "key is already in an INACTIVE state",
"accesskeyid": "**************4ZASD"
}
]
},
{
"username": "apiuser49",
"userid": "4",
"keys": [
{
"age": 30,
"changed": true,
"state": "key is now EXPIRED! Changing key to INACTIVE state",
"accesskeyid": "**************ER2E2"
},
{
"age": 107,
"changed": false,
"state": "key is already in an INACTIVE state",
"accesskeyid": "**************AWQ4K"
}
]
},
{
"username": "UserEMRKinesis",
"userid": "5",
"keys": [
{
"age": 30,
"changed": false,
"state": "key is now EXPIRED! Changing key to INACTIVE state",
"accesskeyid": "**************MGB41A"
}
]
},
{
"username": "CDN-Drupal",
"userid": "6",
"keys": [
{
"age": 10,
"changed": false,
"state": "key is still young",
"accesskeyid": "**************ZDSQ5A"
},
{
"age": 5,
"changed": false,
"state": "key is still young",
"accesskeyid": "**************E3ODA"
}
]
},
{
"username": "ChocDonutUser1",
"userid": "7",
"keys": [
{
"age": 59,
"changed": false,
"state": "key is already in an INACTIVE state",
"accesskeyid": "**************CSA123"
}
]
},
{
"username": "ChocDonut2",
"userid": "8",
"keys": [
{
"age": 60,
"changed": false,
"state": "key is already in an INACTIVE state",
"accesskeyid": "**************FDGD2"
}
]
},
{
"username": "[email protected]",
"userid": "9",
"keys": [
{
"age": 45,
"changed": false,
"state": "key is already in an INACTIVE state",
"accesskeyid": "**************BLQ5GJ"
},
{
"age": 71,
"changed": false,
"state": "key is already in an INACTIVE state",
"accesskeyid": "**************GJFF53"
}
]
}
]
}
Usage example 1
aws lambda list-functions
openssl dgst -binary -sha256 ..\Releases\AccessKeyRotationPackage.1.0.18.zip | openssl base64
aws lambda invoke --function-name AccessKeyRotation report.log --region us-east-1
jq '.' report.log
jq '.users[] | select(.username=="johndoe")' report.log
jq '.' report.log | grep age | cut -d':' -f2 | sort -n
Usage example 2
jq 'def maximal_by(f): (map(f) | max) as $mx | .[] | select(f == $mx); .users | maximal_by(.keys[].age)' report.log
jq 'def minimal_by(f): (map(f) | min) as $mn | .[] | select(f == $mn); .users | minimal_by(.keys[].age)' report.log
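The jq queries in the two usage examples above can also be answered from a script, which is handier when the report feeds a ticketing or alerting step. The following Python (added here as an example, not part of the project) loads a constructed excerpt of a scan report in the format shown on this page and reproduces each query: the sorted list of key ages, the users holding the oldest and youngest keys, one user's entry, and the keys the run actually disabled.

```python
import json

# Constructed excerpt of a scan report in the format shown above (sample data).
REPORT_JSON = """
{
  "reportdate": "2016-06-26 10:37:24.071091",
  "users": [
    {"username": "TestS3User", "userid": "1", "keys": [
      {"age": 72, "changed": false, "state": "key is already in an INACTIVE state", "accesskeyid": "**************Q3GA1"},
      {"age": 12, "changed": false, "state": "key is still young", "accesskeyid": "**************F3AA2"}]},
    {"username": "BlahUser22", "userid": "2", "keys": []},
    {"username": "LambdaFake1", "userid": "3", "keys": [
      {"age": 23, "changed": false, "state": "key is due to expire in 1 week (7 days)", "accesskeyid": "**************DFG12"},
      {"age": 296, "changed": false, "state": "key is already in an INACTIVE state", "accesskeyid": "**************4ZASD"}]},
    {"username": "apiuser49", "userid": "4", "keys": [
      {"age": 30, "changed": true, "state": "key is now EXPIRED! Changing key to INACTIVE state", "accesskeyid": "**************ER2E2"}]}
  ]
}
"""


def load_report(text=REPORT_JSON):
    """Parse a scan report (the file written by `aws lambda invoke`)."""
    return json.loads(text)


def sorted_ages(report):
    """Equivalent of: jq '.' report.log | grep age | cut -d':' -f2 | sort -n"""
    return sorted(k["age"] for u in report["users"] for k in u["keys"])


def users_by_key_age(report, pick=max):
    """Equivalent of the jq maximal_by / minimal_by definitions: the users that
    hold a key whose age equals the overall maximum (or minimum) over all keys."""
    ages = [k["age"] for u in report["users"] for k in u["keys"]]
    if not ages:
        return []
    target = pick(ages)
    return [u["username"] for u in report["users"]
            if any(k["age"] == target for k in u["keys"])]


def user_report(report, username):
    """Equivalent of: jq '.users[] | select(.username=="johndoe")' report.log"""
    return [u for u in report["users"] if u["username"] == username]


def keys_changed(report):
    """Keys this run actually set INACTIVE (changed == true): the entries an
    operator should follow up on, since some workload just lost its credentials."""
    return [(u["username"], k["accesskeyid"]) for u in report["users"]
            for k in u["keys"] if k["changed"]]


if __name__ == "__main__":
    rep = load_report()
    print("ages:", sorted_ages(rep))
    print("oldest key held by:", users_by_key_age(rep))
    print("youngest key held by:", users_by_key_age(rep, pick=min))
    print("disabled this run:", keys_changed(rep))
```

Note that `grep age | cut -d':' -f2` in the first usage example relies on no other field containing the substring "age"; the Python version walks the parsed structure instead, so it is not affected by report formatting.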
End-user output
License
This project is developed and released under an open-source license.
Project address
AWS Key Disabler: https://github.com/te-papa/aws-key-disabler
Resources
https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/