Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Access Key Groupings
See original GitHub issueIf an IAM account has never been used the “access_keys.last_used_date” will be absent. I want to disable access keys that have never been used AND the last rotated key is greater than 60 days. Neither one of the access keys of the IAM account “read-s3” (see below) should violate this policy. This seems to only happen when two access keys are active.
Policy should match an access key with the following:
- Key Active: YES
- Never Been Used: YES
- Access Key Rotated Greater Than 60 Days: YES
The incorrect access keys that match from the following policy: “read-s3” Access Key 1:
- Key Active: YES
- Never Been Used: YES
- Access Key Rotated Greater Than 60 Days: NO
“read-s3” Access Key 2:
- Key Active: YES
- Never Been Used: NO
- Access Key Rotated Greater Than 60 Days: YES
I am wondering if it is grouping the access keys (similar to the old bug in the security groups) and pulling and evaluating dates/null values from multiple access keys.
Policy:
name: iam_accounts-disable-never_used
description: |
Disable IAM accounts that have never been used in the last 60 days
resource: iam-user
filters:
- type: credential
key: access_keys.active
value: true
- type: credential
key: access_keys.last_used_date
value: absent
- type: credential
key: access_keys.last_rotated
value_type: age
value: 60
op: gte
actions:
- type: remove-keys
age: 60
disable: true
Resources File:
[
{
"UserName": "read-s3",
"c7n:credential-report": {
"password_next_rotation": null,
"password_enabled": false,
"access_keys": [
{
"active": true,
"last_rotated": "2016-12-23T15:55:44+00:00",
"last_used_date": null,
"last_used_service": null,
"last_used_region": null
},
{
"active": true,
"last_rotated": "2016-09-26T18:39:07+00:00",
"last_used_region": null,
"last_used_date": "2017-01-09T23:21:00+00:00",
"last_used_service": "s3"
}
],
"user_creation_time": "2016-09-26T18:39:07+00:00",
"mfa_active": false,
"arn": "arn:aws:iam::xxxxxxx:user/read-s3",
"password_last_used": null,
"password_last_changed": null,
"user": "security-read-s3"
},
"CreateDate": "2016-09-26T18:39:07+00:00",
"UserId": "xxxxx",
"Path": "/",
"Arn": "arn:aws:iam::xxxxxxxx:user/read-s3"
}
]
Issue Analytics
- State:
- Created 7 years ago
- Reactions:5
- Comments:10 (3 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
added a pr, that extends the existing filters and actions that should line up better to the usage and expectation here. nutshell for usage,
type: remove-keyswith parametermatched: truealong with multiplecredentialfilters should work out of the box with the new pr, properly respecting individual key matches.as @mateusz described, I am trying to create a policy for CIS benchmark 1.3 and I am not able to access 2 access keys. The below error says that I cannot access key1 and key2 separately as we get them in the credential report
access_key_1_last_used_dateandaccess_key_2_last_used_date. I wanted to delete they key2 if present. !!` [‘user’, ‘arn’, ‘user_creation_time’, ‘password_enabled’, ‘password_last_used’, ‘password_last_changed’, ‘password_next_rotation’, ‘mfa_active’, ‘access_keys’, ‘access_keys.active’, ‘access_keys.last_used_date’, ‘access_keys.last_used_region’, ‘access_keys.last_used_service’, ‘access_keys.last_rotated’, ‘certs’, ‘certs.active’, ‘certs.last_rotated’]