AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
Role Service Inactivity
More Info:
Roles which have access to services but have not used in past several days should be looked into and cleaned up.
Risk Level
Medium
Address
Security
Compliance Standards
CISAWS
Triage and Remediation
How to Prevent
To prevent Role Service Inactivity in IAM using the AWS Management Console, follow these steps:
-
Enable Access Advisor:
- Navigate to the IAM dashboard in the AWS Management Console.
- Select the “Roles” tab.
- Choose the specific role you want to monitor.
- Go to the “Access Advisor” tab to review the services that the role has accessed and the last accessed time.
- Regularly review this information to identify and take action on inactive roles.
-
Set Up CloudWatch Alarms:
- Go to the CloudWatch dashboard.
- Create a new alarm based on IAM metrics.
- Set the alarm to trigger if a role has not been used for a specified period.
- Configure notifications to alert administrators when the alarm is triggered.
-
Enable AWS Config Rules:
- Navigate to the AWS Config dashboard.
- Ensure that AWS Config is enabled in your account.
- Add a managed rule such as
iam-role-last-usedto monitor the last time an IAM role was used. - Set up notifications for compliance changes to be alerted when a role becomes inactive.
-
Implement IAM Role Policies:
- Go to the IAM dashboard and select the “Roles” tab.
- Choose the role you want to configure.
- Attach a policy that includes conditions to limit the role’s permissions based on time or usage.
- Use the
aws:RequestTagoraws:PrincipalTagconditions to enforce policies that disable or restrict roles after a period of inactivity.
By following these steps, you can proactively monitor and manage IAM role activity to prevent role service inactivity in AWS.
To prevent Role Service Inactivity in IAM using AWS CLI, you can follow these steps:
-
Create a Role with Specific Permissions: Ensure that the role you create has the necessary permissions and is not overly permissive. Use the
create-rolecommand to create a role with a specific policy.aws iam create-role --role-name MyRole --assume-role-policy-document file://trust-policy.json -
Attach a Policy to the Role: Attach a policy to the role that grants only the necessary permissions. Use the
attach-role-policycommand to attach a managed policy orput-role-policyto attach an inline policy.aws iam attach-role-policy --role-name MyRole --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess -
Enable CloudTrail to Monitor Role Activity: Enable AWS CloudTrail to monitor and log all activities associated with the role. This helps in identifying any inactivity or misuse.
aws cloudtrail create-trail --name MyTrail --s3-bucket-name my-bucket aws cloudtrail start-logging --name MyTrail -
Set Up CloudWatch Alarms for Inactivity: Create CloudWatch Alarms to monitor the role’s activity and trigger alerts if the role is inactive for a specified period.
aws cloudwatch put-metric-alarm --alarm-name RoleInactivityAlarm --metric-name Invocations --namespace AWS/Lambda --statistic Sum --period 86400 --threshold 1 --comparison-operator LessThanThreshold --dimensions Name=FunctionName,Value=MyLambdaFunction --evaluation-periods 1 --alarm-actions arn:aws:sns:us-east-1:123456789012:MyTopic
By following these steps, you can ensure that roles are properly configured, monitored, and any inactivity is promptly addressed.
To prevent Role Service Inactivity in IAM using Python scripts, you can follow these steps:
1. Set Up AWS SDK (Boto3)
First, ensure you have the AWS SDK for Python (Boto3) installed. You can install it using pip if you haven’t already:
pip install boto3
2. Create a Python Script to List Roles
Create a Python script to list all IAM roles and their last used timestamps. This will help you identify inactive roles.
import boto3
from datetime import datetime, timedelta
# Initialize a session using Amazon IAM
session = boto3.Session(profile_name='your_profile_name')
iam_client = session.client('iam')
# Get the current date
current_date = datetime.utcnow()
# Define the inactivity threshold (e.g., 90 days)
inactivity_threshold = timedelta(days=90)
# List all IAM roles
roles = iam_client.list_roles()
for role in roles['Roles']:
role_name = role['RoleName']
role_last_used = iam_client.get_role(RoleName=role_name)['Role']['RoleLastUsed']
if 'LastUsedDate' in role_last_used:
last_used_date = role_last_used['LastUsedDate']
if current_date - last_used_date > inactivity_threshold:
print(f"Role {role_name} has been inactive since {last_used_date}")
else:
print(f"Role {role_name} has never been used")
3. Automate Role Deactivation or Notification
You can extend the script to either deactivate the inactive roles or send notifications to the administrators.
Deactivate Inactive Roles
for role in roles['Roles']:
role_name = role['RoleName']
role_last_used = iam_client.get_role(RoleName=role_name)['Role']['RoleLastUsed']
if 'LastUsedDate' in role_last_used:
last_used_date = role_last_used['LastUsedDate']
if current_date - last_used_date > inactivity_threshold:
# Deactivate the role
iam_client.update_role(RoleName=role_name, MaxSessionDuration=3600) # Example action
print(f"Role {role_name} has been deactivated due to inactivity")
else:
print(f"Role {role_name} has never been used")
Send Notifications
import smtplib
from email.mime.text import MIMEText
def send_notification(role_name, last_used_date):
msg = MIMEText(f"Role {role_name} has been inactive since {last_used_date}")
msg['Subject'] = 'Inactive IAM Role Notification'
msg['From'] = '[email protected]'
msg['To'] = '[email protected]'
with smtplib.SMTP('smtp.example.com') as server:
server.sendmail(msg['From'], [msg['To']], msg.as_string())
for role in roles['Roles']:
role_name = role['RoleName']
role_last_used = iam_client.get_role(RoleName=role_name)['Role']['RoleLastUsed']
if 'LastUsedDate' in role_last_used:
last_used_date = role_last_used['LastUsedDate']
if current_date - last_used_date > inactivity_threshold:
send_notification(role_name, last_used_date)
print(f"Notification sent for role {role_name} due to inactivity")
else:
print(f"Role {role_name} has never been used")
4. Schedule the Script
Use a task scheduler like cron (Linux) or Task Scheduler (Windows) to run the script periodically to ensure continuous monitoring and prevention of role service inactivity.
Example (Linux Cron Job)
# Open the crontab file
crontab -e
# Add the following line to run the script daily at midnight
0 0 * * * /usr/bin/python3 /path/to/your_script.py
By following these steps, you can effectively prevent role service inactivity in IAM using Python scripts.