Anil KUMAR

AWS Lambda: Deactivate Inactive IAM Keys

This is the first post of my AWS Lambda series. I will be building automations on AWS with Lambda and posting each one here with a write-up. In this post we use Lambda and an event-driven trigger to deactivate (disable) access keys that are older than 3 months, to keep our AWS account safe and secure.

Imagine you work in a large team with many people working across various environments. Over time a lot of security credentials end up lying around with no use. For those cases, consider this automation: it removes the access keys and secret access keys of users in lower environments that are older than a month.

Consider this automation in 2 phases:

PHASE-1 Notification & Test Setup:

  1. Create an SNS topic and add your email address as a subscription to that topic. Whenever a key is disabled you will then be informed by email.

Once the SNS is created and your email has been added to the subscription, then go to the email and confirm the subscription.

  2. Now create a dummy IAM user for practice purposes and create an access key and secret access key for it.

PHASE-2 Lambda & Event Configuration:

  1. Create an IAM execution role for Lambda so that the function has all the permissions it needs to run.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:ListUsers",
                "iam:ListAccessKeys",
                "iam:UpdateAccessKey",
                "sns:Publish",
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        }
    ]
}
```

You can see that the above role has access to list users and their keys, update (deactivate) keys, publish to SNS, and create CloudWatch logs for the same.

  2. Develop the Lambda function logic with all the code and prerequisites.
    Set the runtime to Python 3.12 and extend the timeout to 1 minute, because the default timeout of 3 seconds will not be sufficient.
    Copy the code from this repo and save it in the Lambda function.

  3. Now create the EventBridge rule that triggers the Lambda in the relevant events. While creating it, select a target of type AWS service (Lambda) and create a role for it. Select a rate of 1 minute so that it executes every minute.
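The function body the author keeps in the linked repo is not reproduced on this page, so the following is an added example (my own code, not the author's) of the Lambda logic described in step 2: list every IAM user, find Active keys older than the threshold, set them Inactive, and publish a notification to the SNS topic from Phase 1. The 90-day threshold and the SNS topic ARN are placeholders you must set yourself; the `iam` and `sns` parameters are assumed to be boto3 clients (or fakes with the same methods), which keeps the core logic testable without AWS access.

```python
from datetime import datetime, timedelta, timezone

# Placeholder threshold: the post deactivates keys older than 3 months.
MAX_KEY_AGE = timedelta(days=90)
# Placeholder ARN: replace with the SNS topic created in Phase 1.
SNS_TOPIC_ARN = "arn:aws:sns:REGION:ACCOUNT_ID:TOPIC_NAME"


def stale_keys(key_metadata, now, max_age=MAX_KEY_AGE):
    """Return the Active entries of list_access_keys output older than max_age."""
    return [
        k for k in key_metadata
        if k["Status"] == "Active" and now - k["CreateDate"] > max_age
    ]


def deactivate_stale_keys(iam, sns, now=None, max_age=MAX_KEY_AGE, topic_arn=SNS_TOPIC_ARN):
    """Walk every IAM user, set stale keys to Inactive and report each one via SNS.

    Returns the (user, key id) pairs that were deactivated so the result can be checked.
    """
    now = now or datetime.now(timezone.utc)
    disabled = []
    # list_users is paginated; a paginator avoids missing users past the first page.
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            name = user["UserName"]
            keys = iam.list_access_keys(UserName=name)["AccessKeyMetadata"]
            for key in stale_keys(keys, now, max_age):
                # Deactivate rather than delete: reversible if the key is still needed.
                iam.update_access_key(UserName=name, AccessKeyId=key["AccessKeyId"],
                                      Status="Inactive")
                sns.publish(
                    TopicArn=topic_arn,
                    Subject="IAM access key deactivated",
                    Message=(f"Deactivated key {key['AccessKeyId']} for user {name} "
                             f"(created {key['CreateDate'].isoformat()})"),
                )
                disabled.append((name, key["AccessKeyId"]))
    return disabled


def lambda_handler(event, context):
    # boto3 is imported here so the module also loads locally without it.
    import boto3
    disabled = deactivate_stale_keys(boto3.client("iam"), boto3.client("sns"))
    return {"deactivated": [f"{user}:{key_id}" for user, key_id in disabled]}
```

Because the real function mutates every user's keys, run it once against a fake client (as in a unit test) before attaching the 1-minute schedule.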

PHASE-3 Automated Remediation:

To test the function, go to the Lambda function and click Deploy and then Test. You will see that the security keys are disabled; you can confirm the same in the Monitoring tab of the Lambda function.

Now we add the trigger created above to the Lambda function, so that everything runs automatically instead of us going to the Lambda function and deploying it by hand.

Go to Lambda -> select the function -> click Add trigger and select the EventBridge rule created earlier.

I created sample security keys for a user.
As the two screenshots above show, the keys were disabled automatically after one minute.

Conclusion:

Exposed IAM access keys are one of the most common causes of AWS account compromise. Manual monitoring does not scale, and delayed response often leads to serious incidents.

The automation above addresses these problems and helps us to:

  1. React automatically
  2. Notify the right people
  3. Remove the risk without human intervention

Thanks to Sai Kiran Pinapathruni for the YouTube videos; if you have any doubts, refer to the YouTube video below:
