Triage and Remediation
How to Prevent
Using Console
To prevent inactive roles in IAM using the AWS Management Console, follow these steps:
- Regularly Review IAM Roles:
  - Navigate to the IAM dashboard in the AWS Management Console.
  - Click on “Roles” to view the list of all IAM roles.
  - Regularly review the list of roles to identify any that have not been used for a significant period.
- Enable CloudTrail Logging:
  - Go to the CloudTrail service in the AWS Management Console.
  - Ensure that CloudTrail is enabled to log all API activity.
  - Use CloudTrail logs to monitor the usage of IAM roles and identify inactive ones.
- Set Up Automated Alerts:
  - Use AWS Config to create a rule that checks for IAM roles that have not been used within a specified period.
  - Set up Amazon SNS (Simple Notification Service) to send alerts when the rule is triggered, indicating an inactive role.
- Implement Lifecycle Policies:
  - Establish and document a policy for the lifecycle of IAM roles within your organization.
  - Ensure that roles are reviewed periodically (e.g., quarterly) and that any roles identified as inactive are flagged for removal according to the policy.
Using CLI
To prevent inactive roles in IAM using AWS CLI, you can follow these steps:
- List All IAM Roles:
  Use the following command to list all IAM roles in your AWS account. This will help you identify roles that are potentially inactive.
- Get Role Last Used Information:
  For each role, retrieve the last used information to determine if the role has been inactive for a certain period. Replace ROLE_NAME with the actual role name.
- Automate Inactivity Check:
  Create a script to automate the process of checking the last used date for each role. If a role has not been used for a specified period (e.g., 90 days), mark it for review or deletion. Here is a basic example in Python:
- Implement Role Deletion Policy:
  Establish a policy for deleting or deactivating roles that have been inactive for a specified period. Use the following command to delete an inactive role. Replace ROLE_NAME with the actual role name.
Using Python
To prevent inactive roles in IAM using Python scripts, you can follow these steps:
- Set Up AWS SDK (Boto3) for Python:
  - Ensure you have the AWS SDK for Python (Boto3) installed. You can install it using pip if you haven’t already:
- Identify Inactive Roles:
  - Write a Python script to identify roles that have not been used for a specified period. You can use the get_role and list_roles methods from Boto3 to fetch role details and their last used information.
- Automate Role Monitoring:
  - Create a script that runs periodically (e.g., using a cron job or AWS Lambda) to check for inactive roles and log or notify about them.
- Implement Preventive Measures:
  - Use the script to enforce policies or alerts that notify administrators about inactive roles, so they can take action to remove or review them.
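The identification script the steps above describe (and the basic Python example the CLI section refers to), written here as an added example that is not part of the original page. It assumes Boto3 credentials are already configured and a 90-day threshold, and keeps the inactivity decision in a pure function so it can be checked without calling AWS; the fetch path uses the real list_roles and get_role calls, since only get_role returns the RoleLastUsed block.

```python
from datetime import datetime, timedelta, timezone

INACTIVITY_DAYS = 90  # assumed threshold; align with your lifecycle policy


def is_inactive(role, now, threshold_days=INACTIVITY_DAYS):
    """Return True if the role should be flagged as inactive.

    `role` is a dict shaped like the Role object boto3's get_role returns.
    RoleLastUsed is empty for roles that were never used (AWS only tracks
    roughly the last 400 days); a never-used role is flagged only once it is
    older than the threshold, so freshly created roles are not reported.
    """
    cutoff = now - timedelta(days=threshold_days)
    last_used = role.get("RoleLastUsed", {}).get("LastUsedDate")
    if last_used is None:
        return role["CreateDate"] < cutoff
    return last_used < cutoff


def find_inactive_roles(iam, now=None, threshold_days=INACTIVITY_DAYS):
    """Walk every role via the list_roles paginator, then call get_role for
    each one to obtain RoleLastUsed (list_roles does not include it)."""
    now = now or datetime.now(timezone.utc)
    inactive = []
    for page in iam.get_paginator("list_roles").paginate():
        for summary in page["Roles"]:
            role = iam.get_role(RoleName=summary["RoleName"])["Role"]
            if is_inactive(role, now, threshold_days):
                inactive.append({
                    "RoleName": role["RoleName"],
                    "LastUsedDate": role.get("RoleLastUsed", {}).get("LastUsedDate"),
                    # Service-linked roles cannot be deleted directly: report them
                    # for review, but exclude them from any deletion step.
                    "ServiceLinked": role["Path"].startswith("/aws-service-role/"),
                })
    return inactive


if __name__ == "__main__":
    import boto3  # imported here so the decision logic above runs without the SDK

    for r in find_inactive_roles(boto3.client("iam")):
        print(f"{r['RoleName']}: last used {r['LastUsedDate']} "
              f"service-linked={r['ServiceLinked']}")
```

Feed the returned list to your notification or review step (SNS, ticketing, cron-driven report) rather than deleting roles automatically; the page's own policy step calls for review first.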
Key Points:
- Set Up AWS SDK (Boto3):
  - Ensure Boto3 is installed and configured with the necessary AWS credentials.
- Identify Inactive Roles:
  - Use the list_roles and get_role methods to fetch role details and their last used information.
- Automate Role Monitoring:
  - Schedule the script to run periodically to monitor inactive roles.
- Implement Preventive Measures:
  - Log or notify administrators about inactive roles for further action.