How to create CloudWatch events to monitor IAM keys for expiration


Hello,

I am trying to create a CloudWatch event that monitors the IAM keys for when they expire. My end goal is to have an email sent via SNS whenever an IAM access key has expired. I am limited with my options. I cannot use AWS Config and I am not allowed to create a Lambda function using Python.

Any help would be appreciated.

1 Answer
Accepted Answer

To create a CloudWatch event given your constraints, here's a workaround you could consider:

  1. Enable AWS CloudTrail: Ensure that CloudTrail is enabled in your AWS account to track all API calls, including those related to IAM.

  2. Create a CloudWatch Metric Filter:

    • CloudTrail logs every API call to IAM, including UpdateAccessKey and DeleteAccessKey events.
    • You can create a CloudWatch Logs metric filter that matches events where the access key's status changes to 'Inactive' or is deleted.
  3. Create a CloudWatch Alarm:

    • Set up an alarm based on the metric filter.
    • Configure the alarm to trigger when there is a change in the metric (e.g., when the count of the filtered events is greater than zero).
  4. Set Up an Amazon SNS Topic:

    • Create an SNS topic.
    • Subscribe your email address to the SNS topic to receive notifications.
  5. Configure the Alarm Action:

    • Assign the SNS topic to the CloudWatch alarm as the action to be taken when the alarm's conditions are met.

However, it's important to note that this solution would only inform you when an access key status is changed or deleted, not when it actually expires. AWS doesn't emit an explicit event when an access key expires because keys do not expire automatically unless you set an expiration date manually or use a custom script/tool that enforces such a policy.

For a more proactive approach, you might consider the following:

  • Regularly Scheduled Event: Create a scheduled CloudWatch Event (like a cron job) that triggers at regular intervals.

  • AWS Systems Manager Automation Document:

    • Use Systems Manager to run an automation document at the intervals specified by the scheduled event.
    • The document can run a script that uses AWS CLI commands to check the age of IAM access keys.
    • If it finds keys that are expired or about to expire, it can publish a message to an SNS topic.
  • Email Notifications: As with the previous method, have the SNS topic configured to send emails to the necessary recipients.

Remember to ensure that the role or user executing the Systems Manager Automation document has the necessary permissions to list IAM access keys and send messages to an SNS topic.

Drew D (AWS), answered 6 months ago
Reviewed by an AWS expert 6 months ago
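The proactive check described in the accepted answer (a scheduled run that uses only AWS CLI commands to find over-age access keys and publishes them to SNS), as an added example that is not part of the answer or of any AWS tool. It assumes GNU date, a MAX_AGE_DAYS threshold and SNS_TOPIC_ARN supplied through the environment, and a caller allowed iam:ListUsers, iam:ListAccessKeys and sns:Publish.

```shell
#!/usr/bin/env bash
# Added example, not code from the answer: scheduled IAM access-key age check
# using only the AWS CLI (no Python), as the answer's automation step would run.
# Assumed: GNU date; MAX_AGE_DAYS and SNS_TOPIC_ARN come from the environment;
# the caller holds iam:ListUsers, iam:ListAccessKeys and sns:Publish.
set -euo pipefail

MAX_AGE_DAYS="${MAX_AGE_DAYS:-90}"
SNS_TOPIC_ARN="${SNS_TOPIC_ARN:-arn:aws:sns:REGION:ACCOUNT_ID:TOPIC_NAME_PLACEHOLDER}"

# key_age_days CREATE_DATE [NOW_EPOCH]: whole days since CREATE_DATE, the ISO 8601
# timestamp printed by `aws iam list-access-keys` (e.g. 2024-01-01T00:00:00+00:00).
key_age_days() {
  local created_epoch now_epoch
  created_epoch=$(date -u -d "$1" +%s)
  now_epoch="${2:-$(date -u +%s)}"
  echo $(( (now_epoch - created_epoch) / 86400 ))
}

# is_expired CREATE_DATE [NOW_EPOCH]: true when the key is older than MAX_AGE_DAYS.
is_expired() {
  [ "$(key_age_days "$1" "${2:-}")" -gt "$MAX_AGE_DAYS" ]
}

# find_expired_keys: prints one "USER KEY_ID AGE_DAYS" line per active key over
# the threshold. Calls the real AWS API, so it is not exercised by the test.
find_expired_keys() {
  local now_epoch user
  now_epoch=$(date -u +%s)
  for user in $(aws iam list-users --query 'Users[].UserName' --output text); do
    aws iam list-access-keys --user-name "$user" --output text \
      --query 'AccessKeyMetadata[?Status==`Active`].[AccessKeyId,CreateDate]' |
    while read -r key_id created; do
      [ -n "$key_id" ] || continue
      if is_expired "$created" "$now_epoch"; then
        echo "$user $key_id $(key_age_days "$created" "$now_epoch")"
      fi
    done
  done
}

# notify: publish the findings to SNS only when there is something to report.
notify() {
  local expired
  expired=$(find_expired_keys)
  [ -n "$expired" ] || { echo "no keys older than ${MAX_AGE_DAYS} days"; return 0; }
  aws sns publish --topic-arn "$SNS_TOPIC_ARN" \
    --subject "IAM access keys older than ${MAX_AGE_DAYS} days" \
    --message "$(printf 'USER KEY_ID AGE_DAYS\n%s\n' "$expired")"
}

if [ "${1:-}" = "--run" ]; then notify; fi
```

Run it as `./check-keys.sh --run` from the scheduled job; the key-age helpers can be sourced and tested on their own without AWS credentials.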
