This tool generates a new IAM access key pair every X days, notifies the user through one of the supported mailers listed below, and deletes the existing key pair once it reaches end of life.
AWS services used:
- Lambda
- DynamoDB
- SES
- CloudWatch Event
- IAM

Supported mailers:
- AWS SES
- Mailgun
- SMTP
How it works:
- A CloudWatch Event triggers the Lambda function, which checks the age of the access key of every IAM user that has the `IKR:EMAIL` tag (case-insensitive) attached.
- If the existing access key is older than the `ACCESS_KEY_AGE` environment variable or the `IKR:ROTATE_AFTER_DAYS` tag associated with the IAM user, and the user has ONLY a single key pair, a new key pair is generated. If the `ENCRYPT_KEY_PAIR` environment variable is set to `true`, the new key pair is encrypted with a symmetric key stored in the SSM parameter `/ikr/secret/iam/IAM_USERNAME` before it is mailed to the user via the selected mail service.
- The existing access key is then stored in a DynamoDB table together with the user details and an expiration timestamp.
- The DynamoDB stream triggers the destructor Lambda function, which deletes the old access key associated with the IAM user and, if the `ENCRYPT_KEY_PAIR` environment variable is set to `true`, the SSM parameter that stores the symmetric encryption key. The destruction is carried out only if the DynamoDB stream event is of type `delete`.
- If the destructor function fails to delete the existing key pair, the entry is added back to the DynamoDB table for retry.
Setup:
- Use the Terraform module included in this repo to create all the AWS resources required to automate IAM key rotation.
- Add the following tags to the IAM user whose access key pair generation needs to be automated. All tags are case-insensitive:
  - Required:
    - `IKR:EMAIL`: email address of the IAM user to which alerts related to access keys will be sent.
  - Optional:
    - `IKR:ROTATE_AFTER_DAYS`: after how many days a new access key should be generated. Note: add this tag if you want to control the key generation period per user; otherwise the `ROTATE_AFTER_DAYS` environment variable is used.
    - `IKR:DELETE_AFTER_DAYS`: after how many days the existing access key should be deleted. Note: add this tag if you want to control the key deletion period per user; otherwise the `DELETE_AFTER_DAYS` environment variable is used.
    - `IKR:INSTRUCTION_0`: help instructions for updating the access key. They are sent to the IAM user whenever a new key pair is generated. Note: as AWS limits a tag value to 256 characters, you can use multiple instruction tags by increasing the number (`IKR:INSTRUCTION_0`, `IKR:INSTRUCTION_1`, `IKR:INSTRUCTION_2` and so on). The values of all instruction tags are combined and sent to the user as a single string.
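The rotation rules and the tag-over-environment-variable precedence described above, as an added Python example that is not the project's own code. It assumes tags and key metadata are passed in as the plain lists IAM returns for `list_user_tags` and `list_access_keys`, uses `ROTATE_AFTER_DAYS` as the environment fallback, and the default day counts are assumptions.

```python
import os
from datetime import datetime, timedelta, timezone

DEFAULT_ROTATE_AFTER_DAYS = 90  # assumed default when neither tag nor env var is set
DEFAULT_DELETE_AFTER_DAYS = 7   # assumed default when neither tag nor env var is set

def tag_lookup(tags, name):
    """Case-insensitive lookup; tags is a list of {"Key": ..., "Value": ...} as IAM returns them."""
    for tag in tags:
        if tag["Key"].upper() == name.upper():
            return tag["Value"]
    return None

def days_setting(tags, tag_name, env_name, default, env=None):
    """Per-user IKR:* tag wins, then the Lambda environment variable, then the assumed default."""
    env = os.environ if env is None else env
    value = tag_lookup(tags, tag_name) or env.get(env_name)
    return int(value) if value else default

def should_rotate(tags, access_keys, now, env=None):
    """Rotation needs IKR:EMAIL, exactly one key pair, and a key older than the rotation limit."""
    if tag_lookup(tags, "IKR:EMAIL") is None:
        return False, "user not opted in (no IKR:EMAIL tag)"
    if len(access_keys) != 1:
        return False, "user must have exactly one access key, found %d" % len(access_keys)
    limit = days_setting(tags, "IKR:ROTATE_AFTER_DAYS", "ROTATE_AFTER_DAYS", DEFAULT_ROTATE_AFTER_DAYS, env)
    age = (now - access_keys[0]["CreateDate"]).days
    if age <= limit:  # the page rotates only when the age is greater than the limit
        return False, "key is %d days old, limit is %d" % (age, limit)
    return True, "key is %d days old, older than %d" % (age, limit)

def expiry_timestamp(tags, now, env=None):
    """Epoch seconds at which the destructor removes the old key (DynamoDB TTL attribute)."""
    days = days_setting(tags, "IKR:DELETE_AFTER_DAYS", "DELETE_AFTER_DAYS", DEFAULT_DELETE_AFTER_DAYS, env)
    return int((now + timedelta(days=days)).timestamp())

def combined_instructions(tags):
    """Join IKR:INSTRUCTION_0, _1, _2 ... in order into the single string sent to the user."""
    parts = []
    while (value := tag_lookup(tags, "IKR:INSTRUCTION_%d" % len(parts))) is not None:
        parts.append(value)
    return " ".join(parts)

# Constructed sample input: one opted-in user with a 45-day-old key and a 30-day rotation tag.
NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)
SAMPLE_TAGS = [{"Key": "ikr:email", "Value": "alice@example.com"},
               {"Key": "IKR:ROTATE_AFTER_DAYS", "Value": "30"},
               {"Key": "IKR:INSTRUCTION_0", "Value": "Update ~/.aws/credentials,"},
               {"Key": "IKR:INSTRUCTION_1", "Value": "then restart the agent."}]
SAMPLE_KEYS = [{"AccessKeyId": "AKIA-EXAMPLE", "CreateDate": NOW - timedelta(days=45)}]
```

Passing `env={}` isolates the functions from the real process environment, which is what the constructed sample relies on.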
Scripts:
- `tag-iam-users.py`: tags IAM users by reading the `iam-user-tags.json` file.
- `decryption.py`: decrypts cipher text using the encryption key stored in the SSM Parameter Store.