DEV Community

Luthfi Anandra for AWS Community Builders

Originally published at aws.plainenglish.io

What’s an Alternative Way to Find AWS IAM Keys That Have Not Been Rotated for Ages? Let’s Check Out This Tool


An AWS IAM access key is one of the credentials used to call the AWS API. In AWS it is common for an IAM user, whether it is used for human-to-machine or machine-to-machine interaction, to have an access key, which consists of an access key ID and a secret access key.

For security reasons, IAM access keys should be rotated regularly, for example every 90 days. The goal is to limit the damage from a leak, for example when we accidentally expose a key in a repository, a log or a chat message. Anyone who holds the key can call the AWS API with whatever privileges are attached to its IAM user, and we don't want a bad actor to have that access to our AWS environment. Rotation does not prevent the leak itself, but it caps how long a leaked key remains usable.

In this blog post, I want to introduce a tool that checks for, and can notify you about, any IAM access keys in your account that have exceeded that age threshold. The tool is named kuncen-aws-iam.

Prerequisites

To run kuncen-aws-iam, you need the following:

  • Docker Engine installed and running on your machine
  • The lanandra/steampipe-container-agent container image pulled. This container runs Steampipe, which kuncen-aws-iam uses to query the AWS IAM API
  • AWS API credentials (an access key ID and secret access key) with permission to read the IAM service. Listing users and their access keys only needs read-only IAM permissions, so do not run the check with an administrator key

How to Use

  1. Clone the kuncen-aws-iam source code
  2. From your terminal, export your AWS credentials (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY). Note that the values you type here are recorded in your shell history, so prefer short-lived credentials over long-lived user keys where you can

    export AWS_ACCESS_KEY_ID="AWS_ACCESS_KEY_ID"
    export AWS_SECRET_ACCESS_KEY="AWS_SECRET_ACCESS_KEY"
    
  3. Go to the directory where kuncen-aws-iam resides, then run the script

    cd path/to/kuncen-aws-iam/
    
    ./kuncen-aws-iam.sh
    
  4. Or, if you want to run kuncen-aws-iam from anywhere in your terminal, create a symlink to the script (use an absolute path for the target, otherwise the link will dangle). Example:

    sudo ln -s path/to/kuncen-aws-iam/kuncen-aws-iam.sh /usr/local/bin/kuncen-aws-iam
    
  5. Example output of kuncen-aws-iam

[Image: example kuncen-aws-iam output in table format]

Notes

  • As mentioned above, kuncen-aws-iam checks for and reports IAM access keys whose age exceeds 90 days. If you need a different threshold, set the number of days with the environment variable below:

    export KUNCEN_AWS_IAM_INTERVAL=int
    
    example:
    export KUNCEN_AWS_IAM_INTERVAL=180
    
  • As mentioned above, kuncen-aws-iam uses Steampipe to query the AWS IAM API. By default Steampipe prints query results as a table, but it also offers other output formats: line, csv, json or table. If you need kuncen-aws-iam to emit something other than a table (for example json, so the result can be fed into a notification or ticketing pipeline), set this environment variable:

    export KUNCEN_AWS_IAM_OUTPUT=string
    
    example:
    export KUNCEN_AWS_IAM_OUTPUT=json
    

    example output:

[Image: example kuncen-aws-iam output in json format]
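To make the age check concrete, here is an added example that is not kuncen-aws-iam's or Steampipe's own code: it does the same job in Python against the IAM API directly via boto3 instead of through a Steampipe SQL query. It reads the post's KUNCEN_AWS_IAM_INTERVAL variable for the threshold (default 90 days), flags every key older than that, and renders the result in the table, csv, json and line formats the post mentions. The sample key metadata is constructed inline so the demo runs offline; the list_all_access_keys(), mask() and render() helpers are assumptions of this example, not features of the tool.

```python
"""Find IAM access keys older than a threshold. Added example; not kuncen-aws-iam's code."""
import csv
import io
import json
import os
from datetime import datetime, timedelta, timezone

DEFAULT_INTERVAL_DAYS = 90  # the 90-day default the post describes
COLUMNS = ["user_name", "access_key_id", "status", "age_days"]


def threshold_days(env=None):
    """Threshold in days from KUNCEN_AWS_IAM_INTERVAL (the post's variable), default 90."""
    env = os.environ if env is None else env
    raw = env.get("KUNCEN_AWS_IAM_INTERVAL")
    if raw is None:
        return DEFAULT_INTERVAL_DAYS
    days = int(raw)
    if days <= 0:
        raise ValueError("KUNCEN_AWS_IAM_INTERVAL must be a positive number of days")
    return days


def mask(key_id):
    """Hide the middle of an access key ID so reports are safe to paste into tickets."""
    if len(key_id) <= 8:
        return "*" * len(key_id)
    return key_id[:4] + "*" * (len(key_id) - 8) + key_id[-4:]


def stale_keys(key_metadata, max_age_days, now=None):
    """Return keys older than max_age_days, oldest first. key_metadata is shaped like
    boto3's iam.list_access_keys()["AccessKeyMetadata"]; a key created exactly
    max_age_days ago is not yet stale."""
    now = now or datetime.now(timezone.utc)
    rows = []
    for key in key_metadata:
        created = key["CreateDate"]
        if created.tzinfo is None:  # treat naive timestamps as UTC
            created = created.replace(tzinfo=timezone.utc)
        age = (now - created).days
        if age > max_age_days:
            rows.append({
                "user_name": key["UserName"],
                "access_key_id": mask(key["AccessKeyId"]),
                "status": key["Status"],
                "age_days": age,
            })
    return sorted(rows, key=lambda r: r["age_days"], reverse=True)


def render(rows, fmt="table"):
    """Render rows in one of the output formats the post lists: table, csv, json, line."""
    if fmt == "json":
        return json.dumps(rows, indent=2)
    if fmt == "csv":
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=COLUMNS)
        writer.writeheader()
        writer.writerows(rows)
        return buf.getvalue()
    if fmt == "line":
        return "\n\n".join("\n".join(f"{c}: {r[c]}" for c in COLUMNS) for r in rows)
    if fmt == "table":
        widths = {c: max([len(c)] + [len(str(r[c])) for r in rows]) for c in COLUMNS}
        header = " | ".join(c.ljust(widths[c]) for c in COLUMNS)
        sep = "-+-".join("-" * widths[c] for c in COLUMNS)
        body = [" | ".join(str(r[c]).ljust(widths[c]) for c in COLUMNS) for r in rows]
        return "\n".join([header, sep, *body])
    raise ValueError(f"unsupported output format: {fmt}")


def list_all_access_keys():
    """Live collection via boto3 (needs iam:ListUsers and iam:ListAccessKeys only)."""
    import boto3  # imported lazily so the offline demo below does not need the SDK
    iam = boto3.client("iam")
    keys = []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            paginator = iam.get_paginator("list_access_keys")
            for key_page in paginator.paginate(UserName=user["UserName"]):
                keys.extend(key_page["AccessKeyMetadata"])
    return keys


# Constructed sample data standing in for the IAM API response (not real keys).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"UserName": "ci-deployer", "AccessKeyId": "AKIAEXAMPLE000000001",
     "Status": "Active", "CreateDate": NOW - timedelta(days=400)},
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000002",
     "Status": "Active", "CreateDate": NOW - timedelta(days=30)},
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE000000003",
     "Status": "Inactive", "CreateDate": NOW - timedelta(days=120)},
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000004",
     "Status": "Active", "CreateDate": NOW - timedelta(days=90)},  # boundary: not stale
]

if __name__ == "__main__":
    fmt = os.environ.get("KUNCEN_AWS_IAM_OUTPUT", "table")
    print(render(stale_keys(SAMPLE_KEYS, threshold_days(), NOW), fmt))
```

Run it as-is to see the report on the constructed sample; with KUNCEN_AWS_IAM_INTERVAL=180 only the 400-day-old ci-deployer key is reported, and an Inactive key that is past the threshold is still listed because it should be deleted rather than left around. Swap SAMPLE_KEYS for list_all_access_keys() to run it against a real account.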

Please comment if you have any suggestions, critiques, or thoughts.

I hope this article benefits you. Thank you.
