AWS IAM Access Key Manager

Purpose

The purpose of AWS Access Key Analyzer (The Key Cop) is to enhance security and maintain least-privilege access across AWS environments by continuously monitoring and analyzing IAM access keys. Unmanaged or forgotten access keys pose a significant security risk, so organizations need a reliable way to identify, track, and remediate unused or over-age IAM access keys. This solution provides access key management and security analysis across multiple AWS accounts and regions through automated monitoring and policy validation. When scheduled, it automatically sends rotation reminder emails, deletes access keys that have reached the age limit, and sends a deletion notification email for each deleted key.

Example Policy #1: All IAM Access Keys should be rotated every 89 days.

Example Policy #2: All IAM Access Keys should be deleted once they are 89 days old.

Both policies can be automated with this out-of-the-box solution.

Requirements

  • Onboard AWS accounts into a regional target group
  • E1 Permissions: the IAM read, delete and disable actions the commands use (iam:describe-style read actions such as iam:ListUsers, iam:ListAccessKeys and iam:ListUserTags, plus iam:DeleteAccessKey and iam:UpdateAccessKey), as applicable

Supported Resources

  • AWS IAM Access Keys

Commands

  • Access Key Collector: Run this command with a target group of AWS accounts to populate the system with all supported resource types.
  • Key Rotation Reminder: Select resource(s) from the system data table and run this command to send a Key Rotation Reminder email.
  • Key Deletion Reminder: Select resource(s) from the system data table and run this command to send a Key Deletion Reminder email.
  • Delete IAM Access Key: Select resource(s) from the system data table and run this command to delete the IAM Access Key.

How-to use

  1. Execute the "Access Key Collector" command with your target group of AWS accounts to populate the resource data. Each resource will have a "DaysUntilDeletion" and an "IsExempt" field.
  2. Select all IAM access keys whose "DaysUntilDeletion" value is between 75 and 88, then choose "Key Rotation Reminder". This sends an email to the owners of every key that is between 75 and 88 days old.
  3. Select all IAM access keys whose "DaysUntilDeletion" value is 89, then choose "Key Deletion Reminder". This sends an email to the owners of every key that is 89 days old.
  4. Select all IAM access keys whose "DaysUntilDeletion" value is 89, then choose "Delete IAM Access Key". This deletes every key that is 89 days old. Keys listed in "exempt_keys" (IsExempt = true) should be left out of this selection.
  5. The recommendation is to schedule the "Access Key Collector" command so that the emails and deletions happen automatically. The values 75, 88 and 89 above correspond to the default limit of 89 days; adjust them if you change "iam_key_rotation_limit".
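The steps above, as an added example in plain Python (this is not The Key Cop's own code). Pure functions do the age arithmetic, the exemption check and the Owner-tag parsing; the two helpers at the bottom show the boto3 IAM calls a collector and a deleter would make, and take the client as a parameter so the file runs offline. Names such as `KeyRecord`, `decide_actions` and the sample key IDs are assumptions; the rotation-reminder window is derived from the limit (limit - 14 to limit - 1, which is 75 to 88 for the default 89) so it follows `iam_key_rotation_limit` instead of being hard-coded. Unlike the README's "DaysUntilDeletion" filters, which are written as key ages, the example keeps age and days-until-deletion as separate fields.

```python
"""Added example, not the project's code: the README's key-age policy as plain Python."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

IAM_KEY_ROTATION_LIMIT = 89              # days; mirrors the README's iam_key_rotation_limit
EXEMPT_KEYS = {"AKIAEXEMPTKEY0000001"}   # constructed stand-in for the README's exempt_keys


@dataclass(frozen=True)
class KeyRecord:           # assumed name; one row of the "system data table"
    user_name: str
    access_key_id: str
    owners: tuple[str, ...]   # parsed from the Owner tag "a@x.com:b@x.com"
    age_days: int
    days_until_deletion: int  # limit minus age, floored at 0
    is_exempt: bool


def parse_owner_tag(value: str | None) -> tuple[str, ...]:
    """Split the colon-separated Owner tag into addresses; empty tuple if the tag is absent."""
    if not value:
        return ()
    return tuple(part.strip() for part in value.split(":") if part.strip())


def reminder_window(limit: int = IAM_KEY_ROTATION_LIMIT) -> tuple[int, int]:
    """Inclusive age window for the rotation reminder (75..88 for the default limit of 89)."""
    return (limit - 14, limit - 1)


def build_record(user_name, key_meta, tags, now, limit=IAM_KEY_ROTATION_LIMIT, exempt=EXEMPT_KEYS):
    """key_meta and tags have the shape of iam.list_access_keys / iam.list_user_tags output."""
    owner = next((t["Value"] for t in tags if t["Key"] == "Owner"), None)
    age = (now - key_meta["CreateDate"]).days
    return KeyRecord(
        user_name=user_name,
        access_key_id=key_meta["AccessKeyId"],
        owners=parse_owner_tag(owner),
        age_days=age,
        days_until_deletion=max(limit - age, 0),
        is_exempt=key_meta["AccessKeyId"] in exempt,
    )


def decide_actions(rec: KeyRecord, limit: int = IAM_KEY_ROTATION_LIMIT) -> tuple[str, ...]:
    """Map a record to the README commands that apply to it, in the order they run."""
    if rec.is_exempt:
        return ()
    if rec.age_days >= limit:
        return ("Key Deletion Reminder", "Delete IAM Access Key")
    lo, hi = reminder_window(limit)
    if lo <= rec.age_days <= hi:
        return ("Key Rotation Reminder",)
    return ()


def reminder_message(rec: KeyRecord, action: str) -> dict:
    """Recipients, subject and body a notifier would send (constructed wording)."""
    subject = f"[{action}] {rec.access_key_id} for IAM user {rec.user_name}"
    body = (f"Access key {rec.access_key_id} is {rec.age_days} days old; "
            f"{rec.days_until_deletion} day(s) until deletion at {IAM_KEY_ROTATION_LIMIT} days.")
    return {"to": list(rec.owners), "subject": subject, "body": body}


def collect_records(iam, now=None, **kw) -> list[KeyRecord]:
    """Collector: enumerate every user's keys and Owner tag with boto3 IAM calls."""
    now = now or datetime.now(timezone.utc)
    records = []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            name = user["UserName"]
            tags = iam.list_user_tags(UserName=name)["Tags"]
            for meta in iam.list_access_keys(UserName=name)["AccessKeyMetadata"]:
                records.append(build_record(name, meta, tags, now, **kw))
    return records


def delete_due_keys(iam, records) -> list[str]:
    """Deleter: remove keys whose actions include deletion; returns the deleted key IDs."""
    deleted = []
    for rec in records:
        if "Delete IAM Access Key" in decide_actions(rec):
            iam.delete_access_key(UserName=rec.user_name, AccessKeyId=rec.access_key_id)
            deleted.append(rec.access_key_id)
    return deleted


# Constructed sample shaped like the boto3 responses, so the module runs offline.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_TAGS = [{"Key": "Owner", "Value": "alice@company.com:bob@company.com"}]
SAMPLE_KEYS = [
    {"AccessKeyId": "AKIASAMPLEKEY0000001", "Status": "Active", "CreateDate": NOW - timedelta(days=80)},
    {"AccessKeyId": "AKIASAMPLEKEY0000002", "Status": "Active", "CreateDate": NOW - timedelta(days=89)},
    {"AccessKeyId": "AKIAEXEMPTKEY0000001", "Status": "Active", "CreateDate": NOW - timedelta(days=120)},
]
SAMPLE_RECORDS = [build_record("svc-user", k, SAMPLE_TAGS, NOW) for k in SAMPLE_KEYS]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.access_key_id, rec.age_days, rec.days_until_deletion, decide_actions(rec))
```

Run against a real account by passing `boto3.client("iam")` to `collect_records` and `delete_due_keys`; the sample records at the bottom show an 80-day key getting only the rotation reminder, an 89-day key getting the deletion reminder and the delete, and a 120-day exempt key getting nothing.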

Notes

  • Each IAM user should be tagged with an "Owner" tag whose value is one or more email addresses separated by ":" (email1@company.com:email2@company.com). Reminder and deletion emails go to these addresses.
  • To exempt a key, add its IAM Access Key ID to the variable named "exempt_keys"
  • To change the maximum key age, set the variable named "iam_key_rotation_limit" to the desired number of days (the how-to values above are written for the default of 89 days)