Auditing IAM

During a recent audit we did for a customer's AWS environment, I was looking for an efficient way to analyse the security profile for each IAM user, without too many clicks and navigating back and forth on the IAM console. You know, checking if MFA is enabled, when last security keys were rotated, that kind of stuff.

I found a very quick and easy way to do this via the AWS CLI. It's dead-simple, and reports on everything I needed.

First off, here's how to install the CLI application; for the respective operating systems: AWS CLI installation guide.

As for a user account, I opted to create a new user that is only allowed programmatic access (API, CLI, etc). So from the AWS console, navigate to the IAM console, and select the ‘Users’ menu item. Select the user you'd like to use for CLI access or create a new user for this purpose. Also, add a permission policy to allow the user to have at least read access to the IAM users. For my CLI user, I added the ‘IAMReadOnlyAccess’ policy. While on the user's profile, select the ‘Security Credentials’ tab, and in the Access keys section, create an access key. On the window that pops up, ensure you show the secret access key and store it in a temporary text file for now. Or keep the window open, until we've configured the CLI application. This is the last time you'll be able to view the key details.

With the AWS CLI application, installed, run the ‘aws configure’ command to configure the security keys we've generated in the previous step.

$ aws configure
AWS Access Key ID [****************TMLG]: (paste your access key id here)
AWS Secret Access Key [****************bnm1]: (paste your secret access key here)
Default region name [eu-west-1]:
Default output format [json]:

With that configured, you'll be able to perform queries to your AWS environment from the command line. Just as a quick test, run the following command and see if you're getting a positive response:

$ aws iam get-account-summary
{
    "SummaryMap": {
        "GroupPolicySizeQuota": 5120,
        "InstanceProfilesQuota": 1000,
        (... output suppressed ...)
        "GroupsQuota": 300
    }
}

If you don't get an output similar to the above, go back and check if you've configured the CLI application correctly, with the keys generated for the IAM user, and that the IAM user has the correct IAM policies associated with the account.

Cool, from here we can generate our report. The command is simple, yet so very helpful. Generate the IAM credentials report with the following command:

$ aws iam generate-credential-report
{
    "State": "STARTED",
    "Description": "No report exists. Starting a new report generation task"
}

If this is the first time you're generating this report, the above message will be displayed. Give it a second or two, and run the command again, until you see "State: Complete" .

$ aws iam generate-credential-report
{
    "State": "COMPLETE"
}

To download the report, perform the get-credentials-report command with a few extra flags (like below), and redirect the output to a local file.

$ aws iam get-credential-report --output text --query Content | base64 -D >> my_aws_iam_credentials_report.txt

And that's it… The output is in csv format, which can easily be opened in Excel, with each value in the file representing a column, of course, separated by a comma. A brief example of the report is shown below.

I found the most helpful columns are the ‘password last changed’, and ‘password next rotation’ (and the same for each security key) columns.

Here's a list all all the values you can expect in this report:

  • user
  • arn
  • user_creation_time
  • password_enabled
  • password_last_used
  • password_last_changed
  • password_next_rotation
  • mfa_active
  • access_key_1_active
  • access_key_1_last_rotated
  • access_key_1_last_used_date
  • access_key_1_last_used_region
  • access_key_1_last_used_service
  • access_key_2_active
  • access_key_2_last_rotated
  • access_key_2_last_used_date
  • access_key_2_last_used_region
  • access_key_2_last_used_service
  • cert_1_active
  • cert_1_last_rotated
  • cert_2_active
  • cert_2_last_rotated

This definitely sped things up for the analysis of the customer's IAM profiles. Hope it helps…