How to create CloudWatch events to monitor IAM keys for expiration

0

Hello,

I am trying to create a CloudWatch event that monitors the IAM keys for when they expire. My end goal is to have an email sent via SNS whenever an IAM access key has expired. I am limited with my options. I cannot use AWS Config and I am not allowed to create a Lambda function using Python.

Any help would be appreciated.

1 Answer
0
Accepted Answer

To create a CloudWatch event given your constraints, here's a workaround you could consider:

  1. Enable AWS CloudTrail: Ensure that CloudTrail is enabled in your AWS account to track all API calls, including those related to IAM.

  2. Create a CloudWatch Metric Filter:

    • CloudTrail logs every API call to IAM, including UpdateAccessKey and DeleteAccessKey events.
    • You can create a CloudWatch Logs metric filter that matches events where the access key's status changes to 'Inactive' or is deleted.
  3. Create a CloudWatch Alarm:

    • Set up an alarm based on the metric filter.
    • Configure the alarm to trigger when there is a change in the metric (e.g., when the count of the filtered events is greater than zero).
  4. Set Up an Amazon SNS Topic:

    • Create an SNS topic.
    • Subscribe your email address to the SNS topic to receive notifications.
  5. Configure the Alarm Action:

    • Assign the SNS topic to the CloudWatch alarm as the action to be taken when the alarm's conditions are met.

However, it's important to note that this solution would only inform you when an access key status is changed or deleted, not when it actually expires. AWS doesn't emit an explicit event when an access key expires because keys do not expire automatically unless you set an expiration date manually or use a custom script/tool that enforces such a policy.

For a more proactive approach, you might consider the following:

  • Regularly Scheduled Event: Create a scheduled CloudWatch Event (like a cron job) that triggers at regular intervals.

  • AWS Systems Manager Automation Document:

    • Use Systems Manager to run an automation document at the intervals specified by the scheduled event.
    • The document can run a script that uses AWS CLI commands to check the age of IAM access keys.
    • If it finds keys that are expired or about to expire, it can publish a message to an SNS topic.
  • Email Notifications: As with the previous method, have the SNS topic configured to send emails to the necessary recipients.

Remember to ensure that the role or user executing the Systems Manager Automation document has the necessary permissions to list IAM access keys and send messages to an SNS topic.

AWS
Drew D
Answered 6 months ago
AWS Expert
Reviewed 6 months ago
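The age check from the proactive approach above, as an added example that is not part of the original answer: a POSIX sh script a scheduled Systems Manager step could run with plain AWS CLI commands, flagging Active keys older than a threshold and publishing them to SNS. The user names, key IDs and topic ARN are constructed placeholders, and the date arithmetic is done in shell so it does not depend on GNU date.

```shell
#!/bin/sh
# Added example (not the original answer's code). MAX_AGE_DAYS and the
# SNS topic ARN passed to report_expired_keys are placeholders.
MAX_AGE_DAYS="${MAX_AGE_DAYS:-90}"

# Days since 1970-01-01 for a calendar date (days_from_civil algorithm), so
# no GNU date is needed. Leading zeros are stripped to avoid octal arithmetic.
days_since_epoch() {
    y=$1; m=${2#0}; d=${3#0}
    [ "$m" -le 2 ] && y=$((y - 1))
    era=$(( y / 400 )); yoe=$(( y - era * 400 ))
    doy=$(( (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( era * 146097 + doe - 719468 ))
}

# Stdin: tab-separated "UserName AccessKeyId Status CreateDate" lines, the
# shape produced by the --query below. Prints "UserName AccessKeyId AgeDays"
# for every Active key at least $2 days old on day $1 (days since epoch).
expired_keys() {
    now_days=$1; max_days=$2
    while IFS="$(printf '\t')" read -r user key_id status created; do
        if [ "$status" = "Active" ]; then          # Inactive keys cannot be used
            y=${created%%-*}; rest=${created#*-}
            m=${rest%%-*}; rest=${rest#*-}; d=${rest%%[!0-9]*}
            age=$(( now_days - $(days_since_epoch "$y" "$m" "$d") ))
            if [ "$age" -ge "$max_days" ]; then
                printf '%s %s %s\n' "$user" "$key_id" "$age"
            fi
        fi
    done
}

# Constructed sample in the CLI's text-output shape, for an offline dry run.
sample_keys() {
    printf 'alice\tAKIA0000EXAMPLE0001\tActive\t2024-01-01T00:00:00+00:00\n'
    printf 'alice\tAKIA0000EXAMPLE0002\tActive\t2024-07-01T00:00:00+00:00\n'
    printf 'bob\tAKIA0000EXAMPLE0003\tInactive\t2023-01-01T00:00:00+00:00\n'
}

# Live run: enumerate every user's keys and publish findings to the topic in $1.
report_expired_keys() {
    findings=$(
        for user in $(aws iam list-users --query 'Users[].UserName' --output text); do
            aws iam list-access-keys --user-name "$user" --output text \
                --query 'AccessKeyMetadata[].[UserName,AccessKeyId,Status,CreateDate]'
        done | expired_keys "$(( $(date -u +%s) / 86400 ))" "$MAX_AGE_DAYS"
    )
    [ -n "$findings" ] && aws sns publish --topic-arn "$1" \
        --subject "IAM access keys older than $MAX_AGE_DAYS days" --message "$findings"
}
```

The role running the script needs iam:ListUsers, iam:ListAccessKeys and sns:Publish, as the answer notes; `sample_keys | expired_keys "$(( $(date -u +%s) / 86400 ))" 90` exercises the logic without credentials.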
