Merge pull request openedx-unsupported#300
* stv/aws/audit: Create script to audit AWS user accounts
Showing
1 changed file
with
163 additions
and
0 deletions.
@@ -0,0 +1,163 @@ | ||
#!/usr/bin/env python | ||
# pylint: disable=invalid-name | ||
# pylint: disable=missing-docstring | ||
from __future__ import print_function | ||
|
||
import csv | ||
import time | ||
|
||
import boto3 | ||
|
||
|
||
def are_keys_active(row): | ||
is_active = any([ | ||
row['access_key_1_active'] == 'true', | ||
row['access_key_2_active'] == 'true', | ||
]) | ||
return is_active | ||
|
||
|
||
def audit_unused_keys(all_users): | ||
print('## unused keys') | ||
print('### TODO: deactivate key') | ||
users = get_users_with_unused_keys(all_users) | ||
print_items(users) | ||
print('') | ||
|
||
|
||
def audit_unused_passwords(all_users): | ||
print('## unused passwords') | ||
print('### TODO: delete password') | ||
users = get_users_with_unused_passwords(all_users) | ||
print_items(users) | ||
print('') | ||
|
||
|
||
def audit_users_cant_log_in(all_users): | ||
print('## inaccessible users') | ||
print('### TODO: delete user') | ||
users = get_users_cant_log_in(all_users) | ||
print_items(users) | ||
print('') | ||
|
||
|
||
def audit_users_never_logged_in(all_users): | ||
print('## unused users') | ||
print('### TODO: delete password and deactivate key') | ||
users = get_users_never_logged_in(all_users) | ||
print_items(users) | ||
print('') | ||
|
||
|
||
def get_user_data(): | ||
client = boto3.client('iam') | ||
response = client.generate_credential_report() | ||
if response.get('State') != 'COMPLETE': | ||
print('response.State', response.get('State')) | ||
time.sleep(60) | ||
time.sleep(5) | ||
response = client.get_credential_report() | ||
content = response['Content'] | ||
lines = content.splitlines() | ||
data = csv.DictReader(lines) | ||
return data | ||
|
||
|
||
def get_users_cant_log_in(data): | ||
for user in data: | ||
if is_password_enabled(user): | ||
continue | ||
if are_keys_active(user): | ||
continue | ||
yield user | ||
|
||
|
||
def get_users_never_logged_in(users): | ||
for user in users: | ||
if has_used_password(user): | ||
continue | ||
if has_used_key(user): | ||
continue | ||
yield user | ||
|
||
|
||
def get_users_with_unused_keys(users): | ||
for user in users: | ||
if has_unused_key(user): | ||
yield user | ||
|
||
|
||
def get_users_with_unused_passwords(all_users): | ||
for user in all_users: | ||
if has_unused_password(user): | ||
yield user | ||
|
||
|
||
def has_active_key(user): | ||
if user['access_key_1_active']: | ||
return True | ||
if user['access_key_2_active']: | ||
return True | ||
return False | ||
|
||
|
||
def has_unused_key(user): | ||
if user['access_key_1_active'] == 'true': | ||
if user['access_key_1_last_used_date'] == 'N/A': | ||
return True | ||
if user['access_key_2_active'] == 'true': | ||
if user['access_key_2_last_used_date'] == 'N/A': | ||
return True | ||
return False | ||
|
||
|
||
def has_unused_password(user): | ||
if user['password_enabled'] == 'true': | ||
if user['password_last_used'] == 'no_information': | ||
return True | ||
return False | ||
|
||
|
||
def has_used_key(user): | ||
if user['access_key_1_last_used_date'] != 'N/A': | ||
return True | ||
if user['access_key_2_last_used_date'] != 'N/A': | ||
return True | ||
return False | ||
|
||
|
||
def has_used_password(user): | ||
if user['password_enabled'] == 'true': | ||
if user['password_last_used'] == 'no_information': | ||
return False | ||
return True | ||
return False | ||
|
||
|
||
def is_password_enabled(user): | ||
is_enabled = user['password_enabled'] == 'true' | ||
return is_enabled | ||
|
||
|
||
def print_items(users): | ||
for user in users: | ||
print('- ' + user['user']) | ||
|
||
|
||
def main(): | ||
print('# User credential report') | ||
print('') | ||
data = get_user_data() | ||
users = [ | ||
row | ||
for row in data | ||
if row['user'] != '<root_account>' | ||
] | ||
audit_unused_passwords(users) | ||
audit_unused_keys(users) | ||
audit_users_never_logged_in(users) | ||
audit_users_cant_log_in(users) | ||
|
||
|
||
if __name__ == '__main__': | ||
main() |
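Review bot: get_user_data calls get_credential_report after at most one fixed 60-second sleep without re-checking State, so if report generation is still in progress the call raises client.exceptions.CredentialReportNotReadyException and the whole audit aborts; poll generate_credential_report until State is 'COMPLETE' with a bounded number of retries instead (rewritten below). The report Content is a binary blob, so under Python 3 it needs decoding before splitlines(); the `from __future__ import print_function` suggests Python 2 was the target, so confirm which interpreter runs this. has_active_key (the function after get_users_with_unused_passwords) is never called and would return True for every row because the non-empty string 'false' is truthy; either delete it or make it `return are_keys_active(user)`. Note also that main drops '<root_account>' before any audit runs, so active or never-used root access keys, the highest-risk finding in this report, are never listed; consider reporting the root row separately rather than discarding it.

```python
def get_user_data():
    client = boto3.client('iam')
    # Report generation is asynchronous: poll until it is COMPLETE instead of
    # sleeping a fixed interval once, since get_credential_report raises
    # CredentialReportNotReadyException when called too early.
    for _ in range(12):
        response = client.generate_credential_report()
        state = response.get('State')
        if state == 'COMPLETE':
            break
        print('response.State', state)
        time.sleep(5)
    else:
        raise RuntimeError('credential report not ready after 60 seconds')
    response = client.get_credential_report()
    content = response['Content']
    if isinstance(content, bytes):
        content = content.decode('utf-8')
    # … unchanged: csv.DictReader over content.splitlines() …
```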