Monitor unused IAM roles with AWS Config Custom Rules

Identify IAM roles that have not been used for a given period (for example, the last 30 days). The rule reads the IAM role-last-used data (the RoleLastUsed field returned by GetRole) and uses AWS Config to evaluate role activity continuously. You can extend the solution to publish NON_COMPLIANT findings to SNS and get the owning teams involved in the clean-up.

Follow this article on YouTube

  1. Prerequisites

This demo (instructions, scripts and CloudFormation template) is written for us-east-1. With a few modifications it can be run in other regions as well (not covered here).

  2. SetUp Dev Environment

Make sure you have an AWS CLI profile configured. Your principal needs at least the permissions RDK requires (to set up AWS Config, create the rule's Lambda and its IAM role, and deploy the CloudFormation stack) before you run the commands below.

    # Clone the repo
    git clone https://github.com/miztiik/serverless-monitor-for-unused-iam-roles.git
    cd serverless-monitor-for-unused-iam-roles
    
    # Set up some global variables
    dir_name="mystique-infosec"
    custom_rule_name="monitor_unused_iam_roles"
    
    # If you don't have venv installed already
    # pip install virtualenv
    
    python3 -m venv ${dir_name}
    cd ${dir_name}
    source bin/activate
    pip3 install rdk
    
    # Set up AWS Config in the account (recorder, delivery channel, S3 bucket)
    # using your AWS CLI profile
    rdk init
    
    # Create a LOCAL rule that is evaluated whenever an IAM role changes.
    # RoleLastUsed is not part of the role's configuration item, so a role that
    # simply goes idle never triggers a change evaluation; add a periodic trigger
    # (for example --maximum-frequency TwentyFour_Hours) for continuous monitoring.
    # python3.7 is the runtime this repo targets; Lambda no longer accepts new
    # functions on it, so pass a currently supported Python runtime instead.
    rdk create ${custom_rule_name} --runtime python3.7 --resource-types AWS::IAM::Role
  3. Copy the Config Rule code

    Copy the file under lambda_src into the ${custom_rule_name} directory that rdk create just made, replacing the generated ${custom_rule_name}.py. RDK expects the handler file to have the SAME name as the rule.
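    For reference, here is the evaluation logic such a rule needs, written against the RoleLastUsed field that iam:GetRole returns. This is an added example for this README and not the repo's lambda_src file; the MAX_UNUSED_DAYS constant, the handler layout and the injectable boto3 clients are assumptions made for the example. It handles both the configuration-change trigger (one role) and the periodic trigger (every role), skips service-linked roles, and reports the RoleId as the Config resource id.

```python
"""Evaluation logic for the Config custom rule, written against the
RoleLastUsed field that iam:GetRole returns.

Added example for this README; it is not the repo's lambda_src file.
MAX_UNUSED_DAYS, the handler layout and the injectable clients are assumptions.
"""
import json
from datetime import datetime, timezone

MAX_UNUSED_DAYS = 30  # the README's threshold; make it a rule parameter to tune it
RESOURCE_TYPE = "AWS::IAM::Role"


def evaluate_role(role, now, max_unused_days=MAX_UNUSED_DAYS):
    """Return (ComplianceType, Annotation) for one role.

    `role` is the 'Role' element that iam:GetRole returns. 'RoleLastUsed' has
    no 'LastUsedDate' when the role was not used inside IAM's tracking period
    (at most 400 days), which this rule treats the same as never used.
    ListRoles omits RoleLastUsed entirely, so the handler calls GetRole per role.
    """
    if role.get("Path", "/").startswith("/aws-service-role/"):
        # Service-linked roles belong to AWS services; keep them out of the clean-up list.
        return "NOT_APPLICABLE", "service-linked role"
    last_used = role.get("RoleLastUsed", {}).get("LastUsedDate")
    if last_used is None:
        # The README's test step expects a freshly created role to show as
        # Noncompliant, so an unused role gets no grace period here.
        age = (now - role["CreateDate"]).days
        return "NON_COMPLIANT", f"no recorded use; role created {age} days ago"
    idle = (now - last_used).days
    if idle > max_unused_days:
        region = role["RoleLastUsed"].get("Region", "unknown")
        return "NON_COMPLIANT", f"last used {idle} days ago in {region}"
    return "COMPLIANT", f"last used {idle} days ago"


def _record(resource_id, compliance, annotation, ordering_timestamp):
    """One entry in the shape config:PutEvaluations expects."""
    return {
        "ComplianceResourceType": RESOURCE_TYPE,
        "ComplianceResourceId": resource_id,
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # PutEvaluations caps annotations at 256 chars
        "OrderingTimestamp": ordering_timestamp,
    }


def evaluate_roles(roles, now, ordering_timestamp, max_unused_days=MAX_UNUSED_DAYS):
    """Evaluate GetRole results. ComplianceResourceId must be the RoleId
    (AROA...), which is the resourceId Config records for a role, not the name."""
    return [_record(role["RoleId"], *evaluate_role(role, now, max_unused_days), ordering_timestamp)
            for role in roles]


def lambda_handler(event, context, iam=None, config=None):
    """Entry point Config invokes. Handles the configuration-change trigger
    (one role) and the periodic trigger (every role). boto3 is imported lazily
    so the functions above run offline; the client arguments only exist so
    test doubles can be injected."""
    if iam is None or config is None:
        import boto3  # present in the Lambda runtime
        iam = iam or boto3.client("iam")
        config = config or boto3.client("config")
    invoking = json.loads(event["invokingEvent"])
    now = datetime.now(timezone.utc)
    if invoking["messageType"] == "ConfigurationItemChangeNotification":
        item = invoking["configurationItem"]
        ordering = item["configurationItemCaptureTime"]
        if item["resourceType"] != RESOURCE_TYPE:
            return []
        if item["configurationItemStatus"].startswith("ResourceDeleted"):
            # A deleted role cannot be fetched; clear any earlier finding for it.
            evaluations = [_record(item["resourceId"], "NOT_APPLICABLE", "role deleted", ordering)]
        else:
            roles = [iam.get_role(RoleName=item["resourceName"])["Role"]]
            evaluations = evaluate_roles(roles, now, ordering)
    else:  # ScheduledNotification: the periodic trigger that catches roles going idle
        ordering = invoking["notificationCreationTime"]
        names = [r["RoleName"] for page in iam.get_paginator("list_roles").paginate()
                 for r in page["Roles"]]
        roles = [iam.get_role(RoleName=name)["Role"] for name in names]
        evaluations = evaluate_roles(roles, now, ordering)
    for i in range(0, len(evaluations), 100):  # PutEvaluations takes at most 100 per call
        config.put_evaluations(Evaluations=evaluations[i:i + 100],
                               ResultToken=event["resultToken"])
    return evaluations
```

    The pure functions (evaluate_role, evaluate_roles) carry all the policy, so they can be unit-tested with constructed role dicts without any AWS access; only lambda_handler touches boto3. The exception list suggested under Next Steps slots naturally into evaluate_role next to the service-linked-role check.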

  4. Deploy the custom rule

    rdk deploy ${custom_rule_name}
  5. Test the rule

    1. Create a new role (or, better, pick any pre-existing role that has not been used for some time)
    2. Wait for AWS Config to evaluate the role and flag it ❌ Noncompliant
  6. Next Steps: Do Try This

    • Update MAX_UNUSED_DAYS = 30 in the Lambda to a different period, or make it a configurable rule parameter
    • Integrate SNS notification
    • Quarantine old roles
    • Create exception list
  7. Resource Cleanup

    1. Delete the Lambda's CloudWatch Logs log group
    2. Delete the stack(s). To destroy all the resources created by the stack, run the command below, or delete the stack from the console.
    rdk undeploy ${custom_rule_name}

Buy me a coffee

Buy me a coffee ☕ through PayPal, or you can reach out to get more details here.

Metadata

Level: 200