aws.iam-user

Filters

access-key

Filter IAM users based on access-key values

By default multiple uses of this filter will match on any user key satisfying either filter. To find specific keys that match multiple access-key filters, use match-operator: and

example:

policies:
  - name: iam-users-with-active-keys
    resource: iam-user
    filters:
      - type: access-key
        key: Status
        value: Active
      - type: access-key
        match-operator: and
        key: CreateDate
        value_type: age
        value: 90
properties:
  default:
    type: object
  key:
    type: string
  match-operator:
    enum:
    - and
    - or
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - access-key
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - iam:ListAccessKeys

credential

Use IAM Credential report to filter users.

The IAM Credential report aggregates multiple pieces of information on iam users. This makes it highly efficient for querying multiple aspects of a user that would otherwise require per user api calls.

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html

For example if we wanted to retrieve all users with mfa who have never used their password but have active access keys from the last month

- name: iam-mfa-active-keys-no-login
  resource: iam-user
  filters:
    - type: credential
      key: mfa_active
      value: true
    - type: credential
      key: password_last_used
      value: absent
    - type: credential
      key: access_keys.last_used_date
      value_type: age
      value: 30
      op: less-than

Credential Report Transforms

We perform some default transformations from the raw credential report. Sub-objects (access_key_1, cert_2) are turned into array of dictionaries for matching purposes with their common prefixes stripped. N/A values are turned into None, TRUE/FALSE are turned into boolean values.

properties:
  key:
    enum:
    - user
    - arn
    - user_creation_time
    - password_enabled
    - password_last_used
    - password_last_changed
    - password_next_rotation
    - mfa_active
    - access_keys
    - access_keys.active
    - access_keys.last_used_date
    - access_keys.last_used_region
    - access_keys.last_used_service
    - access_keys.last_rotated
    - certs
    - certs.active
    - certs.last_rotated
    title: report key to search
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  report_delay:
    default: 10
    title: Number of seconds to wait for report generation.
    type: number
  report_generate:
    default: true
    title: Generate a report if none is present.
    type: boolean
  report_max_age:
    default: 86400
    title: Number of seconds to consider a report valid.
    type: number
  type:
    enum:
    - credential
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - iam:GenerateCredentialReport, iam:GetCredentialReport

group

Filter IAM users based on attached group values

example:

policies:
  - name: iam-users-in-admin-group
    resource: iam-user
    filters:
      - type: group
        key: GroupName
        value: Admins
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - group
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - iam:ListGroupsForUser

has-inline-policy

Filter IAM users that have an inline-policy attached

True: Filter users that have an inline-policy False: Filter users that do not have an inline-policy

properties:
  type:
    enum:
    - has-inline-policy
  value:
    type: boolean
required:
- type

Permissions - iam:ListUserPolicies

json-diff

Compute the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Utilizes config as a resource revision database.

Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).

properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type

Permissions - config:GetResourceConfigHistory

mfa-device

Filter iam-users based on mfa-device status

example:

policies:
  - name: mfa-enabled-users
    resource: iam-user
    filters:
      - type: mfa-device
        key: UserName
        value: not-null
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - mfa-device
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - iam:ListMFADevices

policy

Filter IAM users based on attached policy values

example:

policies:
  - name: iam-users-with-admin-access
    resource: iam-user
    filters:
      - type: policy
        key: PolicyName
        value: AdministratorAccess
        include-via: true
properties:
  default:
    type: object
  include-via:
    type: boolean
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - policy
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - iam:ListAttachedUserPolicies, iam:ListGroupsForUser, iam:ListAttachedGroupPolicies

ssh-key

Filter IAM users based on uploaded SSH public keys

example:

policies:
  - name: iam-users-with-old-ssh-keys
    resource: iam-user
    filters:
      - type: ssh-key
        key: Status
        value: Active
      - type: ssh-key
        key: UploadDate
        value_type: age
        value: 90
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - ssh-key
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - iam:ListSSHPublicKeys

Actions

delete

Delete a user or properties of a user.

For example if you want to have a whitelist of valid (machine-)users and want to ensure that no users have been clicked without documentation.

You can use both the ‘credential’ or the ‘username’ filter. ‘credential’ will have an SLA of 4h, (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html), but the added benefit of performing less API calls, whereas ‘username’ will make more API calls, but have a SLA of your cache.

example:
# using a 'credential' filter'
- name: iam-only-whitelisted-users-credential
  resource: iam-user
  filters:
    - type: credential
      key: user
      op: not-in
      value:
        - valid-user-1
        - valid-user-2
  actions:
    - delete

# using a 'username' filter with 'UserName'
- name: iam-only-whitelisted-users-username
  resource: iam-user
  filters:
    - type: value
      key: UserName
      op: not-in
      value:
        - valid-user-1
        - valid-user-2
  actions:
    - delete

 # using a 'username' filter with 'Arn'
- name: iam-only-whitelisted-users-arn
  resource: iam-user
  filters:
    - type: value
      key: Arn
      op: not-in
      value:
        - arn:aws:iam:123456789012:user/valid-user-1
        - arn:aws:iam:123456789012:user/valid-user-2
  actions:
    - delete

Additionally, you can specify the options to delete properties of an iam-user, including console-access, access-keys, attached-user-policies, inline-user-policies, mfa-devices, groups, ssh-keys, signing-certificates, and service-specific-credentials.

Note: using options will _not_ delete the user itself, only the items specified by options that are attached to the respective iam-user. To delete a user completely, use the delete action without specifying options.

example:
- name: delete-console-access-unless-valid
  comment: |
    finds iam-users with console access and deletes console access unless
    the username is included in whitelist
  resource: iam-user
  filters:
    - type: value
      key: UserName
      op: not-in
      value:
        - valid-user-1
        - valid-user-2
    - type: credential
      key: password_enabled
      value: true
  actions:
    - type: delete
      options:
        - console-access

- name: delete-misc-access-for-iam-user
  comment: |
    deletes multiple options from test_user
  resource: iam-user
  filters:
    - UserName: test_user
  actions:
    - type: delete
      options:
        - mfa-devices
        - access-keys
        - ssh-keys
properties:
  options:
    items:
      enum:
      - console-access
      - access-keys
      - attached-user-policies
      - inline-user-policies
      - mfa-devices
      - groups
      - ssh-keys
      - signing-certificates
      - service-specific-credentials
      - user-policies
      type: string
    type: array
  type:
    enum:
    - delete
required:
- type

Permissions - iam:ListAttachedUserPolicies, iam:ListAccessKeys, iam:ListGroupsForUser, iam:ListMFADevices, iam:ListServiceSpecificCredentials, iam:ListSigningCertificates, iam:ListSSHPublicKeys, iam:DeactivateMFADevice, iam:DeleteAccessKey, iam:DeleteLoginProfile, iam:DeleteSigningCertificate, iam:DeleteSSHPublicKey, iam:DeleteUser, iam:DeleteUserPolicy, iam:DetachUserPolicy, iam:RemoveUserFromGroup

delete-ssh-keys

Delete or disable a user’s SSH keys.

For example to delete keys after 90 days:

example:
- name: iam-user-delete-ssh-keys
  resource: iam-user
  actions:
    - type: delete-ssh-keys
properties:
  disable:
    type: boolean
  matched:
    type: boolean
  type:
    enum:
    - delete-ssh-keys
required:
- type

Permissions - iam:ListSSHPublicKeys, iam:UpdateSSHPublicKey, iam:DeleteSSHPublicKey

remove-keys

Delete or disable user’s access keys.

For example if we wanted to disable keys after 90 days of non-use and delete them after 180 days of nonuse:

example:
- name: iam-mfa-active-key-no-login
  resource: iam-user
  actions:
    - type: remove-keys
      disable: true
      age: 90
    - type: remove-keys
      age: 180
properties:
  age:
    type: number
  disable:
    type: boolean
  matched:
    type: boolean
  type:
    enum:
    - remove-keys
required:
- type

Permissions - iam:ListAccessKeys, iam:UpdateAccessKey, iam:DeleteAccessKey

set-boundary

Set IAM Permission boundary on an IAM Role or User.

A role or user can only have a single permission boundary set.

properties:
  policy:
    type: string
  state:
    enum:
    - present
    - absent
  type:
    enum:
    - set-boundary
required:
- type

Permissions - iam:PutUserPermissionsBoundary

set-groups

Set a specific IAM user as added/removed from a group

example:
- name: iam-user-add-remove
  resource: iam-user
  filters:
    - type: value
      key: UserName
      value: Bob
  actions:
    - type: set-groups
      state: remove
      group: Admin
properties:
  group:
    type: string
  state:
    enum:
    - add
    - remove
  type:
    enum:
    - set-groups
required:
- state
- group
- type

Permissions - iam:AddUserToGroup, iam:RemoveUserFromGroup

set-policy

Set a specific IAM policy as attached or detached on a user.

You will identify the policy by its arn.

Returns a list of roles modified by the action.

For example, if you want to automatically attach a single policy while detaching all exisitng policies:

example:
- name: iam-attach-user-policy
  resource: iam-user
  filters:
    - type: value
      key: UserName
      op: not-in
      value:
        - AdminUser1
        - AdminUser2
  actions:
    - type: set-policy
      state: detached
      arn: arn:aws:iam::aws:policy/AdministratorAccess
properties:
  arn:
    type: string
  state:
    enum:
    - attached
    - detached
  type:
    enum:
    - set-policy
required:
- state
- arn
- type

Permissions - iam:AttachUserPolicy, iam:DetachUserPolicy, iam:ListAttachedUserPolicies