Access Key Groupings #842
I'm also having these issues. |
The issue still persists. I had an IAM account with two access keys. I have a specific policy to disable keys after 60 days if never used. However, when two access keys are active and one was recently created/has never been used and the other has been active for more than 60 days, both keys have an action executed, not just the key with the violation.

```json
"access_keys": [
  {
    "active": true,
    "last_rotated": "2017-10-03T22:19:40+00:00",
    "last_used_date": null,
    "last_used_service": null,
    "last_used_region": null
  },
  {
    "active": true,
    "last_rotated": "2017-07-11T19:23:21+00:00",
    "last_used_region": "us-east-1",
    "last_used_date": "2017-10-03T22:19:00+00:00",
    "last_used_service": "iam"
  }
]
```

policy:

```yaml
- name: iam_accounts-action-disable-never_used
  description: |
    Disabling IAM accounts that have not been used
  resource: iam-user
  filters:
    - type: credential
      key: user
      value: *whitelisted_users   # YAML alias; the anchor is defined elsewhere in the policy file (not shown)
      op: not-in
    - type: credential
      key: access_keys.active
      value: true
    - type: credential
      key: access_keys.last_used_date
      value: absent
    - type: credential
      key: access_keys.last_rotated
      value_type: age
      value: 60
      op: gte
    - and:
      - type: credential
        key: access_keys.last_rotated
        value_type: age
        value: 90
        op: lt
  actions:
    - type: remove-keys
      disable: true
```
|
@dykemasarah @kapilt I can confirm that as of 2018-04-30 this is still an issue - when you make a user's keys inactive it impacts both keys, not just the ones that matched the policy criteria. I also opened #2302 because c7n_mailer outputs a list of users who have keys that matched the criteria - accesskeyid isn't passed in the resources so you can't be specific about which keys were impacted (assuming that the first issue was fixed). |
Same here - makes it hard to validate/act on AWS CIS Foundations Benchmark 1.3 and 1.4 if you don't want to mess with people's other access keys, or want to exclude "Disabled" keys from the policy. Amazon provides
This would work because you can't have more than 2 access keys per account. |
+1 on this issue. We had several production keys get deleted when the second (old) key was caught in the filter. The issue has been out for some time, is this on the roadmap for a fix? |
bump, as a high priority, we should have a look at this for the next release. just had a conversation at reinvent booth with a user about it. |
@kapilt Thanks for raising the priority! I would definitely have mentioned this at the booth today had I known you were there :) As it stands I'm using this in a PCI enforcement process and have to make it a semi-manual process due to this issue. |
I had a chance to deep dive on this. There are a couple of different issues for contextual awareness.
Okay, that's some context on the current state. Wrt what it looks like people are trying to do: filter access keys on a number of attributes (creation date, last use, active), then delete those matched keys. Wrt what works today
For additional capabilities (multi-filter use cases) we'll need to extend the existing semantics, and there are some caveats.
|
Added a PR that extends the existing filters and actions, which should line up better with the usage and expectation here. Nutshell for usage: |
As @mateusz described, I am trying to create a policy for CIS benchmark 1.3 and I am not able to access the 2 access keys. The below error says that I cannot access key1 and key2 separately, as we get them in the credential report:

```
['user', 'arn', 'user_creation_time', 'password_enabled', 'password_last_used', 'password_last_changed', 'password_next_rotation', 'mfa_active', 'access_keys', 'access_keys.active', 'access_keys.last_used_date', 'access_keys.last_used_region', 'access_keys.last_used_service', 'access_keys.last_rotated', 'certs', 'certs.active', 'certs.last_rotated']
```
|
If an IAM account has never been used the "access_keys.last_used_date" will be absent. I want to disable access keys that have never been used AND the last rotated key is greater than 60 days. Neither one of the access keys of the IAM account "read-s3" (see below) should violate this policy. This seems to only happen when two access keys are active.
Policy should match an access key with the following:
The incorrect access keys that match from the following policy:
"read-s3" Access Key 1:
"read-s3" Access Key 2:
I am wondering if it is grouping the access keys (similar to the old bug in the security groups) and pulling and evaluating dates/null values from multiple access keys.
Policy:
Resources File:
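As an added example (not cloud-custodian's own code), the following Python models the credential-report fields quoted in the "The issue still persists" comment above and the failure described in this issue body: when each `access_keys.*` condition is checked against any key of the user, the never-used condition can be satisfied by one key and the age condition by the other, so a user with no violating key still matches. The "read-s3" sample is constructed from the two keys quoted in the thread; the evaluation time `NOW` and the second "stale-user" entry are assumptions added for illustration.

```python
"""Per-key versus per-user evaluation of access-key conditions.

Added example, not cloud-custodian code. Models the credential-report
fields quoted in the issue and shows why a user-level match disables keys
that do not individually violate the policy.
"""
from datetime import datetime, timezone

# Assumed evaluation time: the day after the newer "read-s3" key was created.
NOW = datetime(2017, 10, 4, tzinfo=timezone.utc)

# Constructed sample: the two "read-s3" keys quoted in the issue.
READ_S3_KEYS = [
    {
        "active": True,
        "last_rotated": "2017-10-03T22:19:40+00:00",
        "last_used_date": None,
        "last_used_service": None,
        "last_used_region": None,
    },
    {
        "active": True,
        "last_rotated": "2017-07-11T19:23:21+00:00",
        "last_used_region": "us-east-1",
        "last_used_date": "2017-10-03T22:19:00+00:00",
        "last_used_service": "iam",
    },
]

# Constructed sample (assumption): a user whose first key really is stale
# and never used, and whose second key is already disabled.
STALE_USER_KEYS = [
    {
        "active": True,
        "last_rotated": "2017-07-20T00:00:00+00:00",
        "last_used_date": None,
        "last_used_service": None,
        "last_used_region": None,
    },
    {
        "active": False,
        "last_rotated": "2017-01-01T00:00:00+00:00",
        "last_used_date": "2017-06-01T00:00:00+00:00",
        "last_used_service": "s3",
        "last_used_region": "us-east-1",
    },
]


def age_days(key, now=NOW):
    """Whole days since the key was last rotated (i.e. created)."""
    rotated = datetime.fromisoformat(key["last_rotated"])
    return (now - rotated).days


def conditions(now=NOW, min_age=60, max_age=90):
    """The policy's four access_keys.* conditions as predicates on ONE key."""
    return [
        lambda k: k["active"] is True,            # access_keys.active: true
        lambda k: k["last_used_date"] is None,    # access_keys.last_used_date: absent
        lambda k: age_days(k, now) >= min_age,    # last_rotated age >= 60 (gte)
        lambda k: age_days(k, now) < max_age,     # last_rotated age < 90 (lt)
    ]


def user_matches_any_key(keys, now=NOW):
    """Per-user evaluation as reported in the issue: a condition is satisfied
    if ANY key satisfies it, so different keys can satisfy different conditions."""
    return all(any(cond(k) for k in keys) for cond in conditions(now))


def keys_to_disable(keys, now=NOW):
    """Per-key evaluation: indices of the keys that satisfy ALL conditions.
    Only these keys should receive the remove-keys action."""
    return [i for i, k in enumerate(keys)
            if all(cond(k) for cond in conditions(now))]


if __name__ == "__main__":
    for name, keys in (("read-s3", READ_S3_KEYS), ("stale-user", STALE_USER_KEYS)):
        print(name, "user-level match:", user_matches_any_key(keys),
              "keys to disable:", keys_to_disable(keys))
```

For "read-s3" the user-level evaluation matches (key 1 is never used, key 2 is 84 days old) while the per-key evaluation selects nothing, which is the false positive the thread describes; for the constructed "stale-user" both evaluations agree, and only the first key is selected for disabling.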