Stay compliant with AWS Step Functions — IAM Users’ Access Key Age Notification

Tags: AWS, Serverless, IAM, Security, Step Functions, EventBridge Scheduler

Author: Pubudu Jayawardana, Cloud Engineer, AWS Community Builder

It is a best practice, and also one of the AWS Security Hub IAM controls, to rotate every IAM user access key at least every 90 days.

Checking each and every user access key by hand to see whether it passes this validation is not an easy task.

Lambda is a great tool not only as part of a Serverless system but also for small housekeeping tasks like this. In this blog post, I am going to discuss how we can use a simple AWS Step Functions state machine to go through all the user access keys in the AWS account and send a notification if there are keys that were created more than 90 days ago.

Architecture

[Figure: Architecture diagram]

State machine

[Figure: State machine diagram]

As you see, this is a very simple system with very few components.

  1. There is an EventBridge Schedule that runs periodically and starts a Step Functions execution.

  2. Within the Step Functions execution, there is first an SDK integration to IAM to get all the users in the AWS account.

  3. Then, the result is sent to a Distributed Map state to iterate through each and every user.

  4. Within the Distributed Map state, there is another SDK integration to IAM to get all the access keys for a particular user.

  5. ListAccessKeys of IAM provides the access key details in the structure below:

    {
      "AccessKeyId": "AKIXXXXXXXXX",
      "CreateDate": "2021-11-27T20:15:43Z",
      "Status": "Active",
      "UserName": "pubudu"
    }
    
  6. Once all the Distributed Map iterations are completed, all the results are sent to the KeyValidationLambda function as input.

  7. Within the KeyValidationLambda function, all the key data are iterated and, using the CreateDate, it checks whether the particular access key was created more than 90 days ago.

  8. If there are older access keys, they are returned to the Step Functions execution.

  9. In the next step, there is a Choice state that checks whether the Lambda returned any results. If so, it publishes this data to an SNS topic via the SDK integration and then ends the execution.

  10. If the Lambda returns no result, the Step Functions execution ends successfully.

  11. You can subscribe to the SNS topic in many ways (e.g. email, Slack, etc.) so you get notified whenever a message is published to the topic.
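
To make steps 5 to 8 concrete, here is an added example (my own code, not the code from the aws-iam-key-checker repository) of what the KeyValidationLambda logic can look like. It assumes the Distributed Map hands the Lambda a list of ListAccessKeys responses, one per user, under an event key named MapResults; that key name and the sample data are constructed for this example.

```python
"""KeyValidationLambda-style check: flag IAM access keys older than 90 days.

Added example. Assumes the Distributed Map output reaches the Lambda as a list
of ListAccessKeys responses (one per user) under the event key "MapResults".
"""
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # Security Hub IAM access key rotation threshold


def parse_create_date(value: str) -> datetime:
    """Parse the ISO 8601 CreateDate ListAccessKeys returns, e.g. 2021-11-27T20:15:43Z."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"  # older Pythons reject a bare "Z" in fromisoformat
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def key_age_days(create_date: str, now: datetime) -> int:
    """Whole days elapsed since the key was created."""
    return (now - parse_create_date(create_date)).days


def find_old_keys(map_results, now=None, max_age_days=MAX_KEY_AGE_DAYS):
    """Return every key whose age exceeds max_age_days, with the age attached.

    A key that is exactly max_age_days old is not flagged; only strictly older keys are.
    """
    now = now or datetime.now(timezone.utc)
    old_keys = []
    for result in map_results:
        # Each Distributed Map iteration result is one ListAccessKeys response (assumed shape).
        for key in result.get("AccessKeyMetadata", []):
            age = key_age_days(key["CreateDate"], now)
            if age > max_age_days:
                old_keys.append({
                    "UserName": key["UserName"],
                    "AccessKeyId": key["AccessKeyId"],
                    "Status": key["Status"],
                    "CreateDate": key["CreateDate"],
                    "AgeDays": age,
                })
    return old_keys


def lambda_handler(event, context):
    """Lambda entry point. The Choice state can test $.Count > 0 before publishing to SNS."""
    old_keys = find_old_keys(event.get("MapResults", []))
    return {"Count": len(old_keys), "OldKeys": old_keys}


# Constructed sample input mimicking three Distributed Map iterations (not real keys).
SAMPLE_MAP_RESULTS = [
    {"AccessKeyMetadata": [
        {"AccessKeyId": "AKIAEXAMPLE0000001", "CreateDate": "2021-11-27T20:15:43Z",
         "Status": "Active", "UserName": "pubudu"},
        {"AccessKeyId": "AKIAEXAMPLE0000002", "CreateDate": "2022-01-15T08:00:00Z",
         "Status": "Inactive", "UserName": "pubudu"},
    ]},
    {"AccessKeyMetadata": []},  # a user with no access keys
    {"AccessKeyMetadata": [
        {"AccessKeyId": "AKIAEXAMPLE0000003", "CreateDate": "2021-12-01T00:00:00Z",
         "Status": "Active", "UserName": "deploy-bot"},
    ]},
]

if __name__ == "__main__":
    import json
    print(json.dumps(lambda_handler({"MapResults": SAMPLE_MAP_RESULTS}, None), indent=2))
```

The handler returns both the list and a Count so the Choice state can branch on a simple numeric comparison rather than on list length. Status is carried through so a subscriber can distinguish stale Active keys (the Security Hub finding) from Inactive ones that only need deleting.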

Try this yourself

You can test this solution in your AWS account using AWS SAM with Python. The source code for this project is available at https://github.com/pubudusj/aws-iam-key-checker

Summary

AWS Step Functions SDK integration is very powerful for building not only full-scale Serverless functionality but also this kind of automation around security best practices.

At the moment, AWS Step Functions doesn’t support date/time-related intrinsic functions. When those become available, the access key validation check can be done within the execution itself, which will further reduce the custom code in the Lambda function.

Useful Links

  1. Step Functions SDK integrations — https://docs.aws.amazon.com/step-functions/latest/dg/supported-services-awssdk.html

  2. AWS Security Hub IAM controls — https://docs.aws.amazon.com/securityhub/latest/userguide/iam-controls.html
