AWS Access Key Report
This Lambda queries an AWS account for a listing of all AWS IAM User access keys, their ages, and information on their last usage.
What problem does this solve?
AWS IAM User access keys (an access key ID plus a secret access key) are used to give third parties access to AWS resources when AWS IAM Roles are not an option. Managing the lifecycle of these keys can be difficult and often leads to stale keys that are never rotated or disabled, which creates a security risk. While the IAM Credential Report provides some of this information, it is user-centric rather than key-centric. It also does not include the access key IDs, which means extra work to determine which of a user's keys needs to be rotated.
The script queries the AWS IAM API to pull a listing of the AWS IAM Users in an account, queries for a listing of the access keys each user has provisioned, and then pulls metadata about each key, including its creation date, the date it was last used, and similar metadata returned by the API. The data is assembled in CSV format in a variable and written to an S3 bucket.
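The flow described above, as an added example that is not the project's own Lambda code: list users, list each user's access keys, fetch each key's last-use record, compute the age, and render a key-centric CSV. The report logic is kept separate from boto3 so it can run offline against a constructed fake IAM client (the users, dates and key IDs below are made up and are not real credentials). The 90-day rotation threshold and the `REPORT_BUCKET`/`REPORT_KEY` environment variables are assumptions of this example, not settings from the project.

```python
"""Key-centric IAM access-key report: list users, list each user's keys, fetch last-use data."""
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # rotation threshold; an assumption for this example, not a project setting
REPORT_FIELDS = ["user", "access_key_id", "status", "created", "age_days",
                 "last_used", "last_used_service", "last_used_region", "needs_rotation"]


def _iter_pages(call, key, **kwargs):
    """Walk an IAM list call page by page (IsTruncated/Marker) and yield its items."""
    marker = None
    while True:
        resp = call(Marker=marker, **kwargs) if marker else call(**kwargs)
        yield from resp[key]
        if not resp.get("IsTruncated"):
            return
        marker = resp["Marker"]


def build_report(iam, now=None, max_age_days=MAX_KEY_AGE_DAYS):
    """Return one dict per access key in the account: owner, age, last use, rotation flag."""
    now = now or datetime.now(timezone.utc)
    rows = []
    for user in _iter_pages(iam.list_users, "Users"):
        name = user["UserName"]
        for key in _iter_pages(iam.list_access_keys, "AccessKeyMetadata", UserName=name):
            age = (now - key["CreateDate"]).days
            # GetAccessKeyLastUsed has no LastUsedDate for never-used keys (ServiceName/Region are "N/A").
            last = iam.get_access_key_last_used(AccessKeyId=key["AccessKeyId"])["AccessKeyLastUsed"]
            last_used = last.get("LastUsedDate")
            rows.append({
                "user": name,
                "access_key_id": key["AccessKeyId"],
                "status": key["Status"],
                "created": key["CreateDate"].isoformat(),
                "age_days": age,
                "last_used": last_used.isoformat() if last_used else "",
                "last_used_service": last.get("ServiceName", "N/A"),
                "last_used_region": last.get("Region", "N/A"),
                # only active keys are rotation candidates; stale inactive keys should simply be deleted
                "needs_rotation": key["Status"] == "Active" and age > max_age_days,
            })
    return rows


def to_csv(rows):
    """Render the report rows as CSV text, header first."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=REPORT_FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def lambda_handler(event, context):
    """Real entry point. Needs iam:ListUsers, iam:ListAccessKeys, iam:GetAccessKeyLastUsed
    and s3:PutObject; REPORT_BUCKET and REPORT_KEY are assumed environment variables."""
    import os
    import boto3  # imported here so the report logic above runs (and is testable) without boto3
    rows = build_report(boto3.client("iam"))
    boto3.client("s3").put_object(
        Bucket=os.environ["REPORT_BUCKET"],
        Key=os.environ.get("REPORT_KEY", "access-key-report.csv"),
        Body=to_csv(rows).encode("utf-8"),
        ServerSideEncryption="AES256",  # the report lists key IDs; keep it encrypted at rest
    )
    return {"keys": len(rows), "needs_rotation": sum(r["needs_rotation"] for r in rows)}


# Constructed stand-in for the IAM API so the example runs offline. Users, dates and key IDs
# are made up (the key IDs are not real credentials); list_users is split over two pages.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
_D = lambda y, m, d: datetime(y, m, d, tzinfo=timezone.utc)


class FakeIAM:
    _keys = {
        "alice": [("AKIAEXAMPLEALICE0001", "Active", _D(2024, 5, 15)),
                  ("AKIAEXAMPLEALICE0002", "Inactive", _D(2023, 12, 1))],
        "bob": [("AKIAEXAMPLEBOB000001", "Active", _D(2024, 1, 1))],
        "carol": [],
    }
    _last_used = {
        "AKIAEXAMPLEALICE0001": {"LastUsedDate": _D(2024, 5, 30), "ServiceName": "s3", "Region": "us-east-1"},
        "AKIAEXAMPLEALICE0002": {"ServiceName": "N/A", "Region": "N/A"},  # never used
        "AKIAEXAMPLEBOB000001": {"LastUsedDate": _D(2024, 5, 31), "ServiceName": "ec2", "Region": "eu-west-1"},
    }

    def list_users(self, Marker=None):
        if Marker is None:
            return {"Users": [{"UserName": "alice"}, {"UserName": "bob"}], "IsTruncated": True, "Marker": "p2"}
        return {"Users": [{"UserName": "carol"}], "IsTruncated": False}

    def list_access_keys(self, UserName, Marker=None):
        meta = [{"UserName": UserName, "AccessKeyId": k, "Status": s, "CreateDate": d} for k, s, d in self._keys[UserName]]
        return {"AccessKeyMetadata": meta, "IsTruncated": False}

    def get_access_key_last_used(self, AccessKeyId):
        return {"AccessKeyLastUsed": self._last_used[AccessKeyId]}


if __name__ == "__main__":
    print(to_csv(build_report(FakeIAM(), now=NOW)))
```

Running the file directly prints the CSV for the fake account: alice's active key is 17 days old and fine, her inactive key is 183 days old and never used (no rotation flag, but a candidate for deletion), and bob's active key is 152 days old and flagged. Manual Marker handling is used instead of a boto3 paginator so the same code path works against the fake client; note that the IAM list calls page by default, so code that ignores `IsTruncated` silently drops keys in larger accounts.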
Python Runtime and Modules
AWS Permissions Requirements
The Lambda's execution role needs the IAM read permissions for the calls described above, plus write access to the report bucket:
- iam:ListUsers
- iam:ListAccessKeys
- iam:GetAccessKeyLastUsed
- s3:PutObject (scoped to the bucket and prefix the report is written to)
The Lambda can be deployed using the provided CloudFormation template. The code must be packaged into a ZIP file and uploaded to an S3 bucket owned by the user creating the CloudFormation stack.