The AWS Key disabler is a Lambda Function that disables AWS IAM User Access Keys after a set amount of time in order to reduce the risk associated with old access keys.
Also ReadHow Safe is to Use the Internet From Public WiFi?
report_to
attribute in the /grunt/package.json
build configuration file.This script requires the following components to run.
It also assumes that you have an AWS account with SES enabled, ie domain verified and sandbox mode removed.
These instructions are for OSX. Your mileage may vary on Windows and other *nix.
/grunt
foldernpm install
/grunt/package.json
aws_account_number
value to your AWS account id found on https://portal.aws.amazon.com/gp/aws/manageYourAccountfirst_warning
and last_warning
to the age that the key has to be in days to trigger a warning. These limits trigger an email send to report_to
expiry
to the age in days when the key expires. At this age the key is disabled and an email is triggered to report_to
notifying this changeserviceaccount
to the account username you want the script to ignoreexclusiongroup
to the name of a group assigned to users you want the script to ignore.send_completion_report
value to True
to enable email delivery via SESreport_to
value to the email address you’d like to receive deletion reports toreport_from
value to the email address you’d like to use as the sender address for deletion reports. Note that the domain for this needs to be verified in AWS SES.deployment_region
to a region that supports Lambda. 10 Set the email_region
to the region that supports SES. Also ensure that the region has SES sandbox mode disabled. aws iam get-user
to verify successful connection/grunt
directory run grunt bumpup && grunt deployLambda
to bump your version number and perform a build/deploy of the Lambda function to the selected regionExecute the lambda function by name, AccessKeyRotation
, logging the output of the scan to a file called scan.report.log
:
aws lambda invoke --function-name AccessKeyRotation scan.report.log --region us-east-1
{
"StatusCode": 200
}
Use jq
to render the contents of the scan.report.log
to the console:
jq '.' scan.report.log
{
"reportdate": "2016-06-26 10:37:24.071091",
"users": [
{
"username": "TestS3User",
"userid": "1",
"keys": [
{
"age": 72,
"changed": false,
"state": "key is already in an INACTIVE state",
"accesskeyid": "**************Q3GA1"
},
{
"age": 12,
"changed": false,
"state": "key is still young",
"accesskeyid": "**************F3AA2"
}
]
},
{
"username": "BlahUser22",
"userid": "2",
"keys": []
},
{
"username": "LambdaFake1",
"userid": "3",
"keys": [
{
"age": 23,
"changed": false,
"state": "key is due to expire in 1 week (7 days)",
"accesskeyid": "**************DFG12"
},
{
"age": 296,
"changed": false,
"state": "key is already in an INACTIVE state",
"accesskeyid": "**************4ZASD"
}
]
},
{
"username": "apiuser49",
"userid": "4",
"keys": [
{
"age": 30,
"changed": true,
"state": "key is now EXPIRED! Changing key to INACTIVE state",
"accesskeyid": "**************ER2E2"
},
{
"age": 107,
"changed": false,
"state": "key is already in an INACTIVE state",
"accesskeyid": "**************AWQ4K"
}
]
},
{
"username": "UserEMRKinesis",
"userid": "5",
"keys": [
{
"age": 30,
"changed": false,
"state": "key is now EXPIRED! Changing key to INACTIVE state",
"accesskeyid": "**************MGB41A"
}
]
},
{
"username": "CDN-Drupal",
"userid": "6",
"keys": [
{
"age": 10,
"changed": false,
"state": "key is still young",
"accesskeyid": "**************ZDSQ5A"
},
{
"age": 5,
"changed": false,
"state": "key is still young",
"accesskeyid": "**************E3ODA"
}
]
},
{
"username": "ChocDonutUser1",
"userid": "7",
"keys": [
{
"age": 59,
"changed": false,
"state": "key is already in an INACTIVE state",
"accesskeyid": "**************CSA123"
}
]
},
{
"username": "ChocDonut2",
"userid": "8",
"keys": [
{
"age": 60,
"changed": false,
"state": "key is already in an INACTIVE state",
"accesskeyid": "**************FDGD2"
}
]
},
{
"username": "admin.skynet@cyberdyne.systems.com",
"userid": "9",
"keys": [
{
"age": 45,
"changed": false,
"state": "key is already in an INACTIVE state",
"accesskeyid": "**************BLQ5GJ"
},
{
"age": 71,
"changed": false,
"state": "key is already in an INACTIVE state",
"accesskeyid": "**************GJFF53"
}
]
}
]
}
key_disabler.keystates.<state>.message
key_disabler.mask_accesskey_length
. The access keys are 20 characters in length.This script is provided as is. We are happy to answer questions as time allows but can’t give any promises.
If things don’t work ensure that:
Once the Lambda Function has been successfully deployed – the following commands can be performed:
aws lambda list-functions
openssl dgst -binary -sha256 ..\Releases\AccessKeyRotationPackage.1.0.18.zip | openssl base64
aws lambda invoke --function-name AccessKeyRotation report.log --region us-east-1
jq '.' report.log
jq '.users[] | select(.username=="johndoe")' report.log
jq '.' report.log | grep age | cut -d':' -f2 | sort -n
jq 'def maximal_by(f): (map(f) | max) as $mx | .[] | select(f == $mx); .users | maximal_by(.keys[].age)' report.log
jq 'def minimal_by(f): (map(f) | min) as $mn | .[] | select(f == $mn); .users | minimal_by(.keys[].age)' report.log
Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…
This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…
GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…
Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…
The free and open-source security platform SecHub, provides a central API to test software with…
Don't worry if there are any bugs in the tool, we will try to fix…