someengineering/fixinventory

AWS user missing mtime

lloesche opened this issue · 6 comments

Description

A user's atime should be the time the account was last used, a user's mtime should be the time the password was last updated. The new AWS collector is missing this info.

Version

main

Environment

No response

Steps to Reproduce

No response

Logs

No response

Additional Context

No response

ctime is mapped from CreateDate
atime is mapped from PasswordLastUsed
mtime is not mapped - the same as the old collector.

For PasswordLastUsed AWS writes this:

If the value is missing, then the user either has no password or the password has not been used since IAM began tracking password age on October 20, 2014.

So we could use either PasswordLastUsed and/or the last used AccessKey for atime. If nothing is present we could fallback to October 2014. wdyt?

Not sure if there is a meaningful property for mtime?

Let's not mix IAM User objects with their AccessKey. Let's stick to PasswordLastUsed and let's also not fall back to 2014. Chances are users simply haven't used the account using password login when PasswordLastUsed is not set.

Trying to poke my nose in here, can someone explain to me more about how I can check atime/mtime for a user & help fix this bug?

Then I think the handling of atime is correct, but mtime is missing.
Will adjust the title.

@lloesche @aquamatthias
I've been looking into this and am not convinced that this information is available at all.
I found this AWS Security Blogpost where they mention the property password_last_rotated as part of a credentials report. That would map nicely to our mtime. And supposedly all these entries are available via API as well. But the blog post is from 2014 and in no IAM documentation have I found any reference to this property whatsoever. So I'm not convinced it's in use any longer 🤷🏻‍♀️
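As an added example (not code from this thread or from the fixinventory collector), the mapping discussed above put together: ctime from CreateDate, atime from PasswordLastUsed with no 2014 fallback and no access-key mixing, and mtime taken from the credential report, whose column names (`password_last_used`, `password_last_changed`) are assumed from the current report format; the thread itself never confirmed that column. The report rows and user records are constructed.

```python
import csv
import io
from datetime import datetime
from typing import Optional, Union

# Placeholder values the credential report uses instead of a timestamp
# (assumption: taken from the current report format, not from this thread).
_NO_TIMESTAMP = {"", "N/A", "no_information", "not_supported"}


def parse_ts(value: Union[str, datetime, None]) -> Optional[datetime]:
    """Return a datetime for an ISO-8601 string like '2022-03-01T10:00:00Z',
    pass boto3 datetimes through, and return None for absent/placeholder values."""
    if isinstance(value, datetime):
        return value
    if value is None or value in _NO_TIMESTAMP:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def user_times(user: dict, report_row: Optional[dict] = None) -> dict:
    """Derive ctime/atime/mtime for one IAM user.

    user:       entry shaped like boto3 iam.list_users()/get_user() output
                (CreateDate, optional PasswordLastUsed).
    report_row: the user's row of the credential report, the only place a
                password-change timestamp is exposed (assumed column name).
    """
    ctime = parse_ts(user.get("CreateDate"))
    # No fallback to October 2014: a missing PasswordLastUsed most likely means
    # the user never logged in with a password; access keys are not mixed in.
    atime = parse_ts(user.get("PasswordLastUsed"))
    mtime = parse_ts(report_row.get("password_last_changed")) if report_row else None
    return {"ctime": ctime, "atime": atime, "mtime": mtime}


def report_by_user(csv_text: str) -> dict:
    """Index credential-report CSV rows by user name."""
    return {row["user"]: row for row in csv.DictReader(io.StringIO(csv_text))}


# Constructed credential-report excerpt (column subset), not real account data.
REPORT_CSV = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed
alice,arn:aws:iam::123456789012:user/alice,2021-05-04T09:12:00+00:00,true,2023-01-15T08:30:00+00:00,2022-11-02T12:00:00+00:00
bob,arn:aws:iam::123456789012:user/bob,2020-02-29T00:00:00+00:00,false,no_information,N/A
"""

if __name__ == "__main__":
    rows = report_by_user(REPORT_CSV)
    print(user_times({"CreateDate": "2021-05-04T09:12:00Z",
                      "PasswordLastUsed": "2023-01-15T08:30:00Z"}, rows["alice"]))
    print(user_times({"CreateDate": "2020-02-29T00:00:00Z"}, rows["bob"]))
```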

Closing this issue for now. Would reopen it once we have specific requests to pull such data.