Access Key Groupings

[dykemasarah]

If an IAM account has never been used the "access_keys.last_used_date" will be absent. I want to disable access keys that have never been used AND the last rotated key is greater than 60 days. Neither one of the access keys of the IAM account "read-s3" (see below) should violate this policy. This seems to only happen when two access keys are active.

Policy should match an access key with the following:

• Key Active: YES
• Never Been Used: YES
• Access Key Rotated Greater Than 60 Days: YES

The incorrect access keys that match from the following policy:
"read-s3" Access Key 1:

• Key Active: YES
• Never Been Used: YES
• Access Key Rotated Greater Than 60 Days: NO

"read-s3" Access Key 2:

• Key Active: YES
• Never Been Used: NO
• Access Key Rotated Greater Than 60 Days: YES

I am wondering if it is grouping the access keys (similar to the old bug in the security groups) and pulling and evaluating dates/null values from multiple access keys.

Policy:

    name: iam_accounts-disable-never_used
    description: |
       Disable IAM accounts that have never been used in the last 60 days
    resource: iam-user
    filters:
      - type: credential
        key: access_keys.active
        value: true
      - type: credential
        key: access_keys.last_used_date
        value: absent
      - type: credential
        key: access_keys.last_rotated
        value_type: age
        value: 60
        op: gte
    actions:
      - type: remove-keys
        age: 60
        disable: true

Resources File:

[
  {
    "UserName": "read-s3",
    "c7n:credential-report": {
      "password_next_rotation": null,
      "password_enabled": false,
      "access_keys": [
        {
          "active": true,
          "last_rotated": "2016-12-23T15:55:44+00:00",
          "last_used_date": null,
          "last_used_service": null,
          "last_used_region": null
        },
        {
          "active": true,
          "last_rotated": "2016-09-26T18:39:07+00:00",
          "last_used_region": null,
          "last_used_date": "2017-01-09T23:21:00+00:00",
          "last_used_service": "s3"
        }
      ],
      "user_creation_time": "2016-09-26T18:39:07+00:00",
      "mfa_active": false,
      "arn": "arn:aws:iam::xxxxxxx:user/read-s3",
      "password_last_used": null,
      "password_last_changed": null,
      "user": "security-read-s3"
    },
    "CreateDate": "2016-09-26T18:39:07+00:00",
    "UserId": "xxxxx",
    "Path": "/",
    "Arn": "arn:aws:iam::xxxxxxxx:user/read-s3"
  }
]

[jdubs]

I'm also having these issues.

[dykemasarah]

The issue still persists. I had an IAM account with two access keys. I have a specific policy to disable keys after 60 days if never used. However, when two access keys are active and one gets recently created/never been used and the other has been active for more than 60 days, both keys have an action executed - not just the key with the violation.

"access_keys": [
{
"active": true, 
**"last_rotated": "2017-10-03T22:19:40+00:00",** 
"last_used_date": null, 
"last_used_service": null, 
"last_used_region": null
}, 
{
"active": true, 
**"last_rotated": "2017-07-11T19:23:21+00:00",** 
"last_used_region": "us-east-1", 
"last_used_date": "2017-10-03T22:19:00+00:00", 
"last_used_service": "iam"
}

policy:
  - name: iam_accounts-action-disable-never_used
    description: |
       Disabling IAM accounts that have has not been used
    resource: iam-user
    filters:
      - type: credential
        key: user
        value: *whitelisted_users
        op: not-in
      - type: credential
        key: access_keys.active
        value: true
      - type: credential
        key: access_keys.last_used_date
        value: absent
      - type: credential
        key: access_keys.last_rotated
        value_type: age
        value: 60
        op: gte
      - and:
        - type: credential
          key: access_keys.last_rotated
          value_type: age
          value: 90
          op: lt
    actions:
      - type: remove-keys
        disable: true

[zfLQ2qx2]

@dykemasarah @kapilt I can confirm that as of 2018-04-30 this is still an issue - when you make a user's keys inactive it impacts both keys, not just the ones that matched the policy criteria. I also opened #2302 because c7n_mailer outputs a list of users who have keys that matched the criteria - accesskeyid isn't passed in the resources so you can't be specific about which keys were impacted (assuming that the first issue was fixed).

[mateusz]

Same here - makes it hard to validate/act on AWS CIS Foundations Benchmark 1.3 an 1.4 if you don't want to mess people's other access keys, or want to exclude "Disabled" keys from the policy.

Amazon provides access_key_1_last_rotated and access_key_2_last_rotated as part of the credentials report. Would be nice if these were exposed as indexed fields next to the existing "access_keys", so I could get around that problem:

    filters:
      - type: credential
        key: access_key1.last_rotated
        value_type: age
        value: 90
        op: greater-than
      - type: credential
        key: access_key1.active
        value: true

# and then second policy covering access_key2.

This would work because you can't have more than 2 access keys per account.

[coachin2au]

+1 on this issue. We had several production keys get deleted when the second (old) key was caught in the filter. The issue has been out for some time, is this on the roadmap for a fix?

[kapilt]

bump, as a high priority, we should have a look at this for the next release. just had a conversation at reinvent booth with a user about it.

[Ashex]

@kapilt Thanks for raising the priority! I would definitely have mentioned this at the booth today had I known you were there :)

As it stands I'm using this in a PCI enforcement process and have to make it a semi-manual process due to this issue.

[kapilt]

i had a chance to deep dive on this. there's a couple of different issues for contextual awareness.

• the credential report from aws never references a key id, any key identity has to be inferred from the actual key by comparing last_rotated to CreateDate.

• the remove-keys action is pretty simplistic, it doesn't use the output of existing filters when selecting keys. There was a workaround added to address this issue by supporting an age attribute, but thats not great since its effectively fetching and filtering independently with a single criteria on age.

• access-keys does support filtering individual keys with identity but doesn't annotate the matched keys and has to do an api call per user (vs cred report which is effectively just one call).

Okay thats some context on current state, wrt to what it looks like people are trying to do, filter access keys on a number of attributes (creation date, last use, active), then delete those matched keys.

Wrt to what works today

• for folks simply wishing to remove access keys based on a single date criteria, using the remove-keys action with the age parameter should suffice.

For additional capabilities (multi-filter use cases) we'll need to extend the existing semantics, and there are some caveats.

• update credential filter to annotate the actual key matched
• update access-keys filter to annotate the actual key matched
• multiple uses of credential or access-key should be supported to further filter keys.
• update remove-keys to add a matched: boolean parameter, which will have it only remove the keys matched by filters, this will be exclusive of the existing age parameter.

[kapilt]

added a pr, that extends the existing filters and actions that should line up better to the usage and expectation here. nutshell for usage, type: remove-keys with parameter matched: true along with multiple credential filters should work out of the box with the new pr, properly respecting individual key matches.

[harshamaduri]

as @mateusz described, I am trying to create a policy for CIS benchmark 1.3 and I am not able to access 2 access keys. The below error says that I cannot access key1 and key2 separately as we get them in the credential report access_key_1_last_used_date and access_key_2_last_used_date. I wanted to delete they key2 if present. !!

` ['user', 'arn', 'user_creation_time', 'password_enabled', 'password_last_used', 'password_last_changed', 'password_next_rotation', 'mfa_active', 'access_keys', 'access_keys.active', 'access_keys.last_used_date', 'access_keys.last_used_region', 'access_keys.last_used_service', 'access_keys.last_rotated', 'certs', 'certs.active', 'certs.last_rotated']