Saturday, 13 November 2021

Lock the user AWS access keys if the access key is inactive for certain days

 About the problem: 


 I got a specific requirement from my client compliance team that they want to disable the AWS access keys automatically if the user key is inactive for certain days . By default AWS IAM didn't provide that option so we have to find another way to meet that compliance .

Solution :


AWS "AccessKeyLastUsed" api helps to check the users last time used the access key. By using that I have build the below script which will disable the user if its disable for 90 days .


Lambda Script:

import json

import boto3

import os

from datetime import datetime, timedelta


def lambda_handler(event, context):

    #Variable declaration section

    iamClient = boto3.client('iam')

    UserMetaDataList = []

    DictionaryOfFate = {}


############################################# Conditional User Keys Activate/Inactivate #########################################


    # To list and append user meta data

    response = iamClient.list_users(MaxItems=150)

    UserMetaDataList.extend(response['Users'])

    while response['IsTruncated'] :

        response = iamClient.list_users(MaxItems=150, Marker = response['Marker'])

        UserMetaDataList.extend(response['Users'])


   

    # Collecting the usernames and creation dates

    for userMeta in UserMetaDataList :

        DictionaryOfFate[userMeta['UserName']] = userMeta['CreateDate'].date()


   

    #DictionaryOfFate = {'testUser':2010}


    # User Modification


    for UserNameAskey in DictionaryOfFate.keys() :

        AccessKeyList = []

        lastActivityDateList = []

        LastActivity = None


        # Collect Access keys

        response = iamClient.list_access_keys(UserName=UserNameAskey,MaxItems=150)

        AccessKeyList.extend(response['AccessKeyMetadata'])

        while response['IsTruncated'] :

            response = iamClient.list_access_keys(UserName=UserNameAskey,MaxItems=150,Marker = response['Marker'])

            AccessKeyList.extend(response['AccessKeyMetadata'])

        #print(AccessKeyList)

   

        # Finding Last Activity Date

        if(len(AccessKeyList)!=0) :

            flagForUnusedUser = 0           # this flag is for user having access keys but never logged in

            for accessKey in AccessKeyList :

                try :

                    response = iamClient.get_access_key_last_used(AccessKeyId=accessKey['AccessKeyId'])

                    LastActivity = response['AccessKeyLastUsed']['LastUsedDate'].date()

                    if(LastActivity != datetime.now().date()) :

                        LastActivity = str(datetime.now().date() - LastActivity)

                        temp = LastActivity.find('day')

                        LastActivity = int(LastActivity[:(temp-1)])

                        # If the User remains inactive for more than 90 days, then initiate deletion

                        if( LastActivity > 90 ) :

                            print("Defaulter : " + UserNameAskey)

                            print("\n")

                            # Access keys

                            if(accessKey['Status']=='Active'):

                                response = iamClient.update_access_key(UserName=UserNameAskey,AccessKeyId=accessKey['AccessKeyId'],Status='Inactive')

                        # print(LastActivity)

                    else :

                        #print("Recently accessed : " + UserNameAskey + "\n")

                        LastActivity = 0


                except Exception as e :

                    #print("Access not Found")

                    continue

                

        else:

            pass


Lock the user AWS account if the account is inactive for certain days

About the problem: 

 I got a specific requirement from my client compliance team that they want to disable the AWS account automatically if the user is inactive for certain days . By default AWS IAM didn't provide that option so we have to find another way to meet that compliance .

Solution :

AWS "PasswordLastUsed" api helps to check the users last time used the password . By using that I have build the below script which will disable the user if its disable for 90 days .


Lambda Script :

import datetime

import dateutil

import boto3

from dateutil import parser



UserMetaDataList = []

IAM = boto3.client('iam')

todaysDate = datetime.date.today() - datetime.timedelta(days=90) [Please change the date as per your requirement]

response=IAM.list_users(MaxItems=200)

#UserMetaDataList.extend(response['Users'])

print (response)

#print UserMetaDataList

userlen = len(response['Users'])

print (userlen)

#timeLimit=datetime.datetime.now() - datetime.timedelta(days=90)


print ("-------------------------------------------------------------")

print ("Login access Created Date" + "\t\t" + "Username")

print ("-------------------------------------------------------------")


#try:

for i in range(userlen):

    #print i

    try:

        Passwordlastused=response['Users'][i]['PasswordLastUsed']

        print (Passwordlastused)

        username=response['Users'][i]['UserName']

        print (username)

        Passwordlastused=response['Users'][i]['PasswordLastUsed']

        try:

            if(str(todaysDate)>=str(Passwordlastused)): 

                #print ( "Disableing user %s" % username")

                IAM.delete_login_profile(UserName=username)

        

        

        except Exception as e:

            print("Some error occured in lambda_handler" + '\n' + str(e))

            pass

        

    except Exception as e:

        print("Some error occured in lambda_handler" + '\n' + str(e))

        pass

        

#except Exception as e:

 #   print(e)



def lambda_handler(event, context):     

    filepath ='/tmp/volume_report.csv'

    filename ='report_Ireland' 

AWS EBS Volume report using python script

 It is very import me to track all the resources created for my client is always compliance with the IT security policy . Most of my clients are prefer to have AWS volume encryption as mandatory but to track it in large environment is an challenge. Also aws volume api support 100 volumes in describe instance api . So its difficult for a system admin to track the AWS volume resource in a larger environment . So i deicide to create an python lambda script which will check the existing volumes attach with the instacnes and send an automated email of the volumes attached with the instacnes .

Lambda Script:


import os

import json

import boto3

import datetime

import sys

import time

from time import gmtime, strftime

import csv

from email import encoders

from email.mime.multipart import MIMEMultipart

from email.mime.text import MIMEText

from email.mime.application import MIMEApplication

from email.mime.base import MIMEBase

from botocore.exceptions import ClientError



ses = boto3.client('ses',region_name=regionName) [Your AWS region name]


regionFromCopy='ap-south-1' [Your AWS region Name]

s3 = boto3.resource('s3',region_name='ap-south-1') [Your AWS region Name]

#create object for ami.

clientEc2 = boto3.client('ec2',region_name=regionFromCopy)


csvfile= open('/tmp/volume_report.csv', 'w')

writer = csv.writer(csvfile)

inst_name=[]

writer.writerow([

        'Instance ID',

        'Private IP Address',

        'Instance Type',

        'Instance State',

        'Instance SG',

            'Volume ID',

            'Availability Zone',

            'Device mount Point',

            'Encryption State',

            'Volumetype',

            'Createtime',

            'size',

            'Instance Name'])


try:


regionFromCopy='ap-south-1' [Your AWS region Name]

#create object for ami.

clientEc2 = boto3.client('ec2',region_name=regionFromCopy)

          # use below If you need for specific environment based on tagging 

#reservations = clientEc2.describe_instances(Filters = [{'Name': 'tag:Environment' ,'Values': ["Devolopment"]}])

reservations = clientEc2.describe_instances()

#print reservations

instances = [i for r in reservations['Reservations'] for i in r['Instances']]

#generate date for the ami name.

todaysDate = datetime.date.today()

InstanceName=''

for instance in instances:

InstanceID = instance['InstanceId']

print (InstanceID)

PriveIP = instance['PrivateIpAddress']

print (PriveIP)

instancetype = instance['InstanceType']

print (instancetype)

launchtime = instance['LaunchTime']

print (launchtime)

instancestate = instance['State']['Name']

print (instancestate)

instanceSG = instance['SecurityGroups']

print (instanceSG)

instacneSubnet = instance['SubnetId']

print (instacneSubnet)

blockdevice = instance['BlockDeviceMappings']

#print blockdevice

for tag in  instance['Tags']:

if tag['Key'] == "Name":

instanceName = tag['Value']

print (instanceName)

#for tag in  instance['Tags']:

# if tag['Key'] == "Application":

# applicationName = tag['Value']

#    print applicationName

    

for block in blockdevice:

    ebsdrive = block['Ebs']

    print (ebsdrive['VolumeId'])

    vol = ebsdrive['VolumeId']

    volumedit =  clientEc2.describe_volumes(VolumeIds= [str(vol)])

   

    #print volumedit

    

    Availabilityzone= ''

    Availabilityzone=volumedit['Volumes'][0]['AvailabilityZone']

    print (Availabilityzone)

    attachments= ''

    attachments=volumedit['Volumes'][0]['Attachments']

    print (attachments)

    for item in attachments:

        deviceID = (item["Device"] )

        print (deviceID)

                

                

    encrypted= ''

    encrypted=volumedit['Volumes'][0]['Encrypted']

    print (encrypted)

    Volumetype=''

    Volumetype=volumedit['Volumes'][0]['VolumeType']

    print (Volumetype)

    Volumeid= ''

    Volumeid=volumedit['Volumes'][0]['VolumeType']

    print (Volumeid)

    Createtime= '' 

    Createtime=volumedit['Volumes'][0]['CreateTime']

    print (Createtime)

    size= ''

    size=volumedit['Volumes'][0]['Size']

    print (size)

    writer.writerow([InstanceID,PriveIP,instancetype,instancestate,instacneSubnet,vol,Availabilityzone,deviceID,encrypted,Volumetype,Createtime,size,instanceName])

    

except Exception as e:

print("Some error occured in lambda_handler" + '\n' + str(e))



csvfile.close()

print (len(inst_name))

def lambda_handler(event, context): 


    date_fmt = strftime("%Y_%m_%d", gmtime())

    #Give your file path

    filepath ='/tmp/volume_report.csv'

    #filename ='report_Ireland'

    #Give your filename

    mail("Source mail ID","Recipient mail ID","Volume Notification","PFA The Volume resource on AWS Region.",filepath)

    #s3.Object('client-ami-report', filename+'_'+str(date_fmt)+'.csv').put(Body=open(filepath, 'rb'))

def mail(fromAddress,toAddress, subject, text, attach):

    

    #Multiple recipients could be there

    ###################################################################

    if(toAddress.find(',') > 1) :

        toAddress = toAddress.split(',')

    else :

        toAddress = list(toAddress.split())

    ###################################################################

    

    CHARSET = "UTF-8"

    msg = MIMEMultipart('alternative')

    msg['From'] = fromAddress

    msg['To'] = ','.join(toAddress)

    msg['Subject'] = subject

    text = MIMEText(text.encode(CHARSET), 'html', CHARSET)

    msg.attach(text)

    if(attach != None) :

        part = MIMEBase('application', 'octet-stream')

        part.set_payload(open(attach, 'rb').read())

        encoders.encode_base64(part)

        part.add_header('Content-Disposition','attachment; filename="%s"' % os.path.basename(attach))

        msg.attach(part)

    try:

        response = ses.send_raw_email(

            Source=fromAddress,

            Destinations=toAddress,

            RawMessage={

                'Data':msg.as_string(),

            },

        )   

    except Exception as e:

        print("Some Error has occured stating " + str(e))

    else:

        print("Email sent! Message ID: %s" % response['MessageId'])

    


AWS Volume encryption automatically for all instances for your AWS environment automatically using Shell Script :


About EBS volume Encryption:

EBS encryption as an encryption solution for your EBS resources associated with your aws EC2 instances. With Amazon EBS encryption, you aren't required to build, maintain, and secure your own key management infrastructure. Amazon EBS encryption uses AWS KMS keys when creating encrypted volumes for the ec2 servers.

Encryption operations occur on the servers that host EC2 instances, ensuring the security of both data-at-rest and data-in-transit between an instance and its attached EBS storage volume .

Problem Statement : 

Encrypt Volume encryption is an challenging task in an existing production environment which was  not build with encryption during the environment build . If its an 200 + instance then manually creating the AMI and attaching and detaching the volume manually will take lots of time and its an error prone . 

Solution :

So I decide to automate that task for my client which will detach the unencrypted volume and create an snapshot of the unencrypted volume , create an AWS volume by tracking the availability zone of the previous instance and attach the volume with the instance .   

Script :

Note : Server need to be ins stop state to detach the volume . Also you can add one more liner check in the below script to check if instance is online or in stop state . if you  need help please write back i will update the script

#!/bin/bash

#Script to update unencrypted volume on the account

# Place the input of volume Id to be delete in /tmp/volid.txt


us_region_name='your volume region name'

describe_vol="/usr/bin/aws ec2 describe-volumes"

describe_instance="/usr/bin/aws ec2 describe-instances"

create_snapshot="/usr/bin/aws ec2 create-snapshot"

describe_snapshots="/usr/bin/aws ec2 describe-snapshots"

create_volume="/usr/bin/aws ec2 create-volume"

attach_volume="/usr/bin/aws ec2 attach-volume"

detach_volume="/usr/bin/aws ec2 detach-volume"

create_tags="/usr/bin/aws ec2 create-tags"

kms_key="your KMS key"

for SNAP in `cat /tmp/volid.txt`

do

echo $SNAP


instance_id=`$describe_vol  --volume-ids $SNAP  --query Volumes[*].Attachments[*].InstanceId  --region $us_region_name  --output text`

Availabilityzone=`$describe_vol  --volume-ids $SNAP  --query Volumes[*].AvailabilityZone  --region $us_region_name  --output text`

attachment=`$describe_vol  --volume-ids $SNAP  --query Volumes[*].Attachments[*].Device  --region $us_region_name  --output text`

#instance-name=`$describe_instance --instnce-id $instance_id --query 'Reservations[].Instances[].[Tags[?Key==`Name`]| [0].Value]' --output table`

#instance-name=`\$describe_instance --instance-ids $instance_id --query 'Reservations[].Instances[].[Tags[?Key==`Name`]| [0].Value]' --region $us_region_name  --output text\`

$describe_instance --instance-ids $instance_id --query 'Reservations[].Instances[].[Tags[?Key==`Name`]| [0].Value]' --region $us_region_name  --output text > /tmp/instance-name

ins_name=$(cat /tmp/instance-name)

echo $instance_id

echo $attachment

echo $Availabilityzone

echo $ins_name


vol_name=$ins_name-$attachment:$instance_id


echo $vol_name


SNAP_vol=`$create_snapshot --volume-id $SNAP  --region $us_region_name --output text | awk '{print $3}'`


#SNAP=`$create-snapshot --volume-id $SNAP  --query SnapshotId --region $us_region_name --output text`


aws ec2 create-tags --resources $SNAP_vol --tags Key=Name,Value=$vol_name   --region $us_region_name

aws ec2 create-tags --resources $SNAP_vol --tags Key=Availabilityzone,Value=$Availabilityzone   --region $us_region_name

aws ec2 create-tags --resources $SNAP_vol --tags Key=InstanceID,Value=$instance_id  --region $us_region_name

aws ec2 create-tags --resources $SNAP_vol --tags Key=VolumeID,Value=$SNAP  --region $us_region_name

aws ec2 create-tags --resources $SNAP_vol --tags Key=attachment,Value=$attachment  --region $us_region_name


if [ $? -eq 0 ];

  then

  snap_list+=" $SNAP_vol"


else

  echo "SNAP creation is failed"

fi


done


#Snapshot availability check

for snap in $snap_list;

do

echo $snap

snap_status=`$describe_snapshots --snapshot-ids $snap --query  Snapshots[*].State --region $us_region_name --output text`

while [ "$snap_status" != "completed" ];

  do

    sleep 5

    echo "Test successful"

    snap_status=`$describe_snapshots --snapshot-ids $snap --query  Snapshots[*].State --region $us_region_name --output text`

  done

  $describe_snapshots --snapshot-ids $snap  --query 'Snapshots[*].{Name:Tags[?Key==`Availabilityzone`]|[0].Value}' --region $us_region_name --output text > /tmp/zone

  $describe_snapshots --snapshot-ids $snap  --query 'Snapshots[*].{Name:Tags[?Key==`Name`]|[0].Value}' --region $us_region_name --output text > /tmp/snp_name

  $describe_snapshots --snapshot-ids $snap  --query 'Snapshots[*].{Name:Tags[?Key==`InstanceID`]|[0].Value}' --region $us_region_name --output text > /tmp/InstanceID

  $describe_snapshots --snapshot-ids $snap  --query 'Snapshots[*].{Name:Tags[?Key==`VolumeID`]|[0].Value}' --region $us_region_name --output text > /tmp/VolumeID

  $describe_snapshots --snapshot-ids $snap  --query 'Snapshots[*].{Name:Tags[?Key==`attachment`]|[0].Value}' --region $us_region_name --output text > /tmp/attach

  zone=$(cat /tmp/zone)

  snap_name=$(cat /tmp/snp_name)

  InstanceID=$(cat /tmp/InstanceID)

  VolumeID=$(cat /tmp/VolumeID)

  attachment_deive=$(cat /tmp/attach)


  vol=`$create_volume --volume-type gp3 --snapshot-id $snap --availability-zone $zone  --encrypted --kms-key-id $kms_key --region $us_region_name --output text| awk '{print $10}'`

  aws ec2 create-tags --resources $vol --tags Key=Name,Value=$snap_name  --region $us_region_name

  sleep 5

  $detach_volume --volume-id $VolumeID --region $us_region_name --output text

  sleep 30

  $attach_volume --volume-id $vol --instance-id $InstanceID --device $attachment_deive --region $us_region_name --output text


  if [ $? -eq 0 ];

  then

    echo "snap is available. Replacing the encrypted volume of the instances"


  else

    echo "snap is not available"


fi


done

Note : Server need to be ins stop state to detach the volume . Also you can add one more liner check in the below script to check if instance is online or in stop state . if you  need help please write back i will update the script

 If you need to check the volume which is not encrypted in your account .Please check my other blog.