Access Key Groupings
If an IAM account has never been used, the “access_keys.last_used_date” will be absent. I want to disable access keys that have never been used AND the last rotated key is greater than 60 days. Neither one of the access keys of the IAM account “read-s3” (see below) should violate this policy. This seems to only happen when two access keys are active.
Policy should match an access key with the following:
- Key Active: YES
- Never Been Used: YES
- Access Key Rotated Greater Than 60 Days: YES
The incorrect access keys that match from the following policy:
“read-s3” Access Key 1:
- Key Active: YES
- Never Been Used: YES
- Access Key Rotated Greater Than 60 Days: NO
“read-s3” Access Key 2:
- Key Active: YES
- Never Been Used: NO
- Access Key Rotated Greater Than 60 Days: YES
I am wondering if it is grouping the access keys (similar to the old bug in the security groups) and pulling and evaluating dates/null values from multiple access keys.
Policy:
name: iam_accounts-disable-never_used
description: |
  Disable IAM accounts that have never been used in the last 60 days
resource: iam-user
filters:
  - type: credential
    key: access_keys.active
    value: true
  - type: credential
    key: access_keys.last_used_date
    value: absent
  - type: credential
    key: access_keys.last_rotated
    value_type: age
    value: 60
    op: gte
actions:
  - type: remove-keys
    age: 60
    disable: true
Resources File:
[
  {
    "UserName": "read-s3",
    "c7n:credential-report": {
      "password_next_rotation": null,
      "password_enabled": false,
      "access_keys": [
        {
          "active": true,
          "last_rotated": "2016-12-23T15:55:44+00:00",
          "last_used_date": null,
          "last_used_service": null,
          "last_used_region": null
        },
        {
          "active": true,
          "last_rotated": "2016-09-26T18:39:07+00:00",
          "last_used_region": null,
          "last_used_date": "2017-01-09T23:21:00+00:00",
          "last_used_service": "s3"
        }
      ],
      "user_creation_time": "2016-09-26T18:39:07+00:00",
      "mfa_active": false,
      "arn": "arn:aws:iam::xxxxxxx:user/read-s3",
      "password_last_used": null,
      "password_last_changed": null,
      "user": "security-read-s3"
    },
    "CreateDate": "2016-09-26T18:39:07+00:00",
    "UserId": "xxxxx",
    "Path": "/",
    "Arn": "arn:aws:iam::xxxxxxxx:user/read-s3"
  }
]
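As an added illustration (not Cloud Custodian's own code), the following Python evaluates the three policy conditions above per access key against the “read-s3” resource file, and contrasts that with a pooled evaluation that takes each condition from whichever key satisfies it, which is the grouping the report suspects. A fixed "now" of 2017-01-15 is assumed so the ages are reproducible.

```python
from datetime import datetime, timezone

# Assumed evaluation time, chosen close to the dates in the issue.
NOW = datetime(2017, 1, 15, tzinfo=timezone.utc)
MAX_AGE_DAYS = 60

# Constructed from the "access_keys" entries of the read-s3 resource above.
READ_S3_KEYS = [
    {"active": True, "last_rotated": "2016-12-23T15:55:44+00:00",
     "last_used_date": None},
    {"active": True, "last_rotated": "2016-09-26T18:39:07+00:00",
     "last_used_date": "2017-01-09T23:21:00+00:00"},
]


def age_days(timestamp, now=NOW):
    """Whole days since an ISO-8601 credential-report timestamp."""
    return (now - datetime.fromisoformat(timestamp)).days


def key_matches(key, now=NOW):
    """Per-key evaluation: all three conditions must hold for the SAME key,
    which is what the policy intends (active, never used, rotated >= 60d)."""
    return (
        key["active"] is True
        and key.get("last_used_date") is None
        and age_days(key["last_rotated"], now) >= MAX_AGE_DAYS
    )


def per_key_matches(keys, now=NOW):
    """1-based positions of the keys that should be disabled."""
    return [i for i, k in enumerate(keys, 1) if key_matches(k, now)]


def grouped_matches(keys, now=NOW):
    """Pooled evaluation: each condition is satisfied if ANY key satisfies it.
    This reproduces the false positive described in the issue: key 1 is
    never used, key 2 is stale, and the user is wrongly flagged."""
    any_active = any(k["active"] is True for k in keys)
    any_never_used = any(k.get("last_used_date") is None for k in keys)
    any_stale = any(age_days(k["last_rotated"], now) >= MAX_AGE_DAYS
                    for k in keys)
    return any_active and any_never_used and any_stale


if __name__ == "__main__":
    print("per-key matches:", per_key_matches(READ_S3_KEYS))  # []
    print("grouped match:  ", grouped_matches(READ_S3_KEYS))  # True
```

The per-key result is empty, as the reporter expects, while the pooled result flags the user.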
Top GitHub Comments
added a pr, that extends the existing filters and actions that should line up better to the usage and expectation here. nutshell for usage, “type: remove-keys” with parameter “matched: true” along with multiple “credential” filters should work out of the box with the new pr, properly respecting individual key matches.

as @mateusz described, I am trying to create a policy for CIS benchmark 1.3 and I am not able to access 2 access keys. The below error says that I cannot access key1 and key2 separately as we get them in the credential report “access_key_1_last_used_date” and “access_key_2_last_used_date”. I wanted to delete the key2 if present.
[‘user’, ‘arn’, ‘user_creation_time’, ‘password_enabled’, ‘password_last_used’, ‘password_last_changed’, ‘password_next_rotation’, ‘mfa_active’, ‘access_keys’, ‘access_keys.active’, ‘access_keys.last_used_date’, ‘access_keys.last_used_region’, ‘access_keys.last_used_service’, ‘access_keys.last_rotated’, ‘certs’, ‘certs.active’, ‘certs.last_rotated’]