This document describes an automated process for deactivating IAM access keys that have reached 30 days of age. A Lambda function, triggered by a CloudWatch scheduled event, queries IAM for old access keys and deactivates them. Notifications are sent via SES when keys are deactivated, with the key ID masked in the email. The source code for the Lambda function is available on GitHub.
#4: Thanks Curdin
Intro – Jeremy Cook, Principal Solutions Architect
Work for Fronde
For the last 8 years Fronde has been helping our NZ and Australian customers migrate onto the AWS cloud
AWS is an awesome platform – and the Lambda Service further enhances it
Solution – Lambda is at the core – we deploy a Lambda Function written in Python
It solves the business problem that Te Papa had: static IAM access keys that outlive their intended age
#5: The end result from a SysOps perspective: as a SysAdmin I am alerted that an IAM static access key (or set of keys) has breached the 30-day age threshold, and the email notification tells me that the key in question has been deactivated.
Care has been taken so that information about the IAM static access keys in transit (in this case, email) does not leak: any reference to the access key ID is MASKED, so the key is never fully revealed.
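The logic described in #5, as an added example written for this page; it is not the Te Papa/Fronde code from GitHub. The 30-day threshold follows the talk; the masking rule (keep the first and last 4 characters of the key ID), the hypothetical NOTIFY_FROM / NOTIFY_TO environment variables for SES, and the sample key records are my assumptions. It is written for Python 3 rather than the Python 2.7 the original used, and the pure helpers run without boto3 installed.

```python
"""Added example of the key-ageing logic; not the Te Papa/Fronde code from GitHub.

Assumptions that are mine, not the original's: a 30-day threshold, a mask that keeps the
first and last 4 characters of the key ID, and hypothetical NOTIFY_FROM / NOTIFY_TO
environment variables for SES. Written for Python 3 (the original targeted Python 2.7).
"""
import os
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 30


def mask_key_id(key_id, keep=4):
    """Replace all but the first/last `keep` characters with '*' (AKIA...MPLE stays recognisable)."""
    if len(key_id) <= 2 * keep:
        return "*" * len(key_id)
    return key_id[:keep] + "*" * (len(key_id) - 2 * keep) + key_id[-keep:]


def key_age_days(create_date, now):
    """Whole days since the key was created; IAM returns CreateDate as a tz-aware datetime."""
    return (now - create_date).days


def select_stale_keys(keys, now, max_age_days=MAX_AGE_DAYS):
    """Return the Active keys whose age has reached the threshold.

    `keys` has the shape of boto3 iam.list_access_keys()['AccessKeyMetadata'].
    Inactive keys are skipped so a key is not re-reported on every daily run.
    """
    return [k for k in keys
            if k["Status"] == "Active" and key_age_days(k["CreateDate"], now) >= max_age_days]


def build_notification(user_name, key_id, age_days, max_age_days=MAX_AGE_DAYS):
    """Subject/body for the email; the body carries only the masked key ID, never the full one."""
    masked = mask_key_id(key_id)
    subject = "IAM access key deactivated for user %s" % user_name
    body = ("Access key %s belonging to IAM user %s is %d days old (threshold %d days) "
            "and has been set to Inactive.\nRotate the key rather than reactivating it."
            % (masked, user_name, age_days, max_age_days))
    if key_id in body:  # defensive check: the full ID must never leave the account by email
        raise ValueError("notification would leak the full access key ID")
    return subject, body


def deactivate_stale_keys(now=None, dry_run=False):
    """Walk every IAM user, set stale keys Inactive and send one masked notice per key.

    Returns (user, masked_key_id) pairs; the masked form is also what ends up in CloudWatch Logs.
    """
    import boto3  # imported here so the pure helpers above run without the SDK installed
    now = now or datetime.now(timezone.utc)
    iam, ses = boto3.client("iam"), boto3.client("ses")
    sender, recipient = os.environ["NOTIFY_FROM"], os.environ["NOTIFY_TO"]  # hypothetical config
    done = []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            name = user["UserName"]
            keys = iam.list_access_keys(UserName=name)["AccessKeyMetadata"]  # at most 2 keys per user
            for k in select_stale_keys(keys, now):
                subject, body = build_notification(name, k["AccessKeyId"], key_age_days(k["CreateDate"], now))
                if not dry_run:
                    iam.update_access_key(UserName=name, AccessKeyId=k["AccessKeyId"], Status="Inactive")
                    ses.send_email(Source=sender, Destination={"ToAddresses": [recipient]},
                                   Message={"Subject": {"Data": subject}, "Body": {"Text": {"Data": body}}})
                done.append((name, mask_key_id(k["AccessKeyId"])))
    return done


def lambda_handler(event, context):
    """Entry point the CloudWatch scheduled event invokes once a day."""
    return {"deactivated": deactivate_stale_keys()}


def constructed_sample():
    """Constructed sample input (not real keys): AWS's documented example key IDs plus a made-up one, with made-up dates."""
    now = datetime(2016, 3, 1, tzinfo=timezone.utc)
    keys = [
        {"AccessKeyId": "AKIAIOSFODNN7EXAMPLE", "Status": "Active", "CreateDate": now - timedelta(days=45)},
        {"AccessKeyId": "AKIAI44QH8DHBEXAMPLE", "Status": "Active", "CreateDate": now - timedelta(days=10)},
        {"AccessKeyId": "AKIAZZZZZZZZZZEXAMPL", "Status": "Inactive", "CreateDate": now - timedelta(days=400)},
    ]
    return keys, now


if __name__ == "__main__":
    keys, now = constructed_sample()
    for k in select_stale_keys(keys, now):
        print(build_notification("alice", k["AccessKeyId"], key_age_days(k["CreateDate"], now))[1])
```

Run stand-alone it only exercises the pure helpers on the constructed sample; `deactivate_stale_keys(dry_run=True)` against a real account lists what would be deactivated without changing anything or sending mail. Deactivating (rather than deleting) keeps the key recoverable while the owner rotates, which is the behaviour the talk describes.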
#6: Some insights into the developer toolchain
Lambda Function – implemented in Python (2.7), the preferred language
Grunt is used to automate the build and deploy process
#7: OK, let's put the toolchain into action
3 main stages (Build, Deploy, Run) – approx 5 mins in total
Build phase – packages the code in a ZIP archive
Deploy phase
Sets up IAM
Sets up Lambda Function
Sets up a CloudWatch Scheduled Event
Run phase
#8: The deployment scripts have built and deployed all assets
Everything has been wired together
The semantic build version flowed all the way through into the AWS Console – this allows reconciliation of the deployed runtime back to the tagged codebase
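The Build and Deploy stages of #7, and the version traceability of #8, as an added example in boto3; this is not Fronde's Grunt toolchain. The function, role and rule names, the `rate(1 day)` schedule, the Sydney region and the python3.12 runtime are my assumptions. The IAM policy is the part worth copying: it grants only the actions the function needs and no wildcards.

```python
"""Added example of the Build/Deploy wiring with boto3; not Fronde's Grunt toolchain.

Names (iam-key-ager and the role/rule names), the daily rate schedule, the Sydney region
and the python3.12 runtime are my assumptions, not the original's. `version` is the build
version string, recorded in the function Description so the console reconciles to the tag.
"""
import io
import json
import zipfile

FUNCTION_NAME = "iam-key-ager"
ROLE_NAME = "iam-key-ager-role"
RULE_NAME = "iam-key-ager-daily"
SCHEDULE = "rate(1 day)"  # once per day, as in the original


def build_zip(handler_source):
    """Build phase: package the handler as lambda_function.py in an in-memory ZIP archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("lambda_function.py", handler_source)
    return buf.getvalue()


def package_contents(zipped):
    """File names inside a built package, for checking the artefact before upload."""
    return zipfile.ZipFile(io.BytesIO(zipped)).namelist()


def trust_policy():
    """Who may assume the execution role: only the Lambda service."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]}


def execution_policy(ses_identity_arn):
    """What the function may do and nothing more: read users/keys, flip key status, send mail
    from one verified SES identity, and write its own logs. No wildcard actions."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["iam:ListUsers", "iam:ListAccessKeys", "iam:UpdateAccessKey"],
         "Resource": "*"},  # ListUsers has no resource-level scope, and keys live under every user
        {"Effect": "Allow", "Action": ["ses:SendEmail"], "Resource": ses_identity_arn},
        {"Effect": "Allow", "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:*:*:*"},
    ]}


def policy_actions(policy):
    """Flat, sorted list of the actions a policy grants; handy for asserting least privilege."""
    actions = []
    for stmt in policy["Statement"]:
        a = stmt["Action"]
        actions.extend([a] if isinstance(a, str) else a)
    return sorted(actions)


def deploy(handler_source, version, ses_identity_arn, region="ap-southeast-2"):
    """Deploy phase: IAM role, Lambda function, scheduled rule, invoke permission, rule target."""
    import time
    import boto3  # imported here so the pure helpers above run without the SDK installed
    iam = boto3.client("iam")
    lam = boto3.client("lambda", region_name=region)
    events = boto3.client("events", region_name=region)

    role = iam.create_role(RoleName=ROLE_NAME, AssumeRolePolicyDocument=json.dumps(trust_policy()))["Role"]
    iam.put_role_policy(RoleName=ROLE_NAME, PolicyName="key-ager",
                        PolicyDocument=json.dumps(execution_policy(ses_identity_arn)))

    # A new role takes a few seconds to become assumable; Lambda rejects it until then, so retry.
    for _ in range(10):
        try:
            fn = lam.create_function(FunctionName=FUNCTION_NAME, Runtime="python3.12", Role=role["Arn"],
                                     Handler="lambda_function.lambda_handler",
                                     Code={"ZipFile": build_zip(handler_source)},
                                     Description="iam-key-ager %s" % version, Timeout=60)
            break
        except lam.exceptions.InvalidParameterValueException:
            time.sleep(3)
    else:
        raise RuntimeError("execution role never became assumable by Lambda")

    rule = events.put_rule(Name=RULE_NAME, ScheduleExpression=SCHEDULE, State="ENABLED")
    # Without this resource policy the rule fires but the invocation is denied.
    lam.add_permission(FunctionName=FUNCTION_NAME, StatementId="allow-scheduled-event",
                       Action="lambda:InvokeFunction", Principal="events.amazonaws.com",
                       SourceArn=rule["RuleArn"])
    events.put_targets(Rule=RULE_NAME, Targets=[{"Id": "key-ager", "Arn": fn["FunctionArn"]}])
    return {"role": role["Arn"], "function": fn["FunctionArn"], "rule": rule["RuleArn"]}
```

Note that `iam:UpdateAccessKey` is the same action whether a key is set Inactive or Active, so the role can in principle reactivate keys too; the policy cannot narrow that further, which is one reason to keep the function's own code and deployment under version control as the talk recommends.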
#9: Lambda now in Sydney!
Automation
Ensures that the code does what it was expected to do
Build Versioning
Provides traceability of codebase deployed – back to source control
Time to market - super quick project – how long did this take – 2 days (not weeks, not months)
In the context of this project – cheap as chips – well, it's free – we run this process once per day, and the first 1 million requests per month are free
#10: Finally
For those interested in this and serverless lambda functions in general
Te Papa have kindly open sourced the code for this project – its located on GitHub
Thanks for your time – shoulder tap the team down at the Fronde booth
We'd love to chat about the awesomeness of Lambda