#!/usr/bin/env python3
# vim:ts=4:sts=4:sw=4:et
#
# Author: Hari Sekhon
# Date: 2019-12-19 11:43:25 +0000 (Thu, 19 Dec 2019)
#
# https://github.com/HariSekhon/DevOps-Python-tools
#
# License: see accompanying Hari Sekhon LICENSE file
#
# If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback
# to help improve or steer this or other code I publish
#
# https://www.linkedin.com/in/HariSekhon
#
"""
Lists all AWS IAM users with the date their password was last used and the number of days since, optionally filtering
for users whose passwords haven't been used in > N days
Output format is:
<user> <pw_last_used_date> <days_since_use>
Uses Boto, read here for the list of ways to configure your AWS credentials:
https://boto3.amazonaws.com/v1/documentation/api/latest/guide/configuration.html
This version adds date parsing for finding keys older than a given time for enforcing periodic key rotation policies
See also the DevOps Bash Tools repo and The Advanced Nagios Plugins Collection for similar tools
https://github.com/HariSekhon/DevOps-Bash-tools
https://github.com/HariSekhon/Nagios-Plugins
"""
from __future__ import absolute_import
from __future__ import division
from __future__ import print_function
from __future__ import unicode_literals
import datetime
import os
import sys
from math import floor
import boto3
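# Make the bundled 'pylib' submodule importable no matter which directory the script is run from.
libdir = os.path.abspath(os.path.join(os.path.dirname(__file__), 'pylib'))
sys.path.append(libdir)
try:
    # pylint: disable=wrong-import-position
    from harisekhon.utils import log, validate_float
    from harisekhon import CLI
except ImportError as _:
    # All diagnostics go to stderr so that a failed import never ends up in stdout,
    # which is reserved for the user listing (keeps piped/parsed output clean).
    print('module import failed: %s' % _, file=sys.stderr)
    print("Did you remember to build the project by running 'make'?", file=sys.stderr)
    print("Alternatively perhaps you tried to copy this program out without it's adjacent libraries?", file=sys.stderr)
    sys.exit(4)

__author__ = 'Hari Sekhon'
__version__ = '0.1.0'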
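class AWSUsersPasswordLastUsed(CLI):
    """
    CLI tool that lists every IAM user together with the date its console password
    was last used and the number of whole days since then.

    Options are registered in add_options() and validated in process_args(); run()
    pages through the IAM ListUsers API and prints one line per user through
    process_password_last_used(). Users whose record carries no PasswordLastUsed
    attribute (no recorded console sign-in) are always printed with 'N/A' so they
    are never hidden by the --age filter - useful when auditing for dormant users.

    Only the ListUsers API action is called, so the calling identity needs no
    IAM permission beyond iam:ListUsers.
    """

    def __init__(self):
        super(AWSUsersPasswordLastUsed, self).__init__()
        # --age threshold in days (float), or None when no filtering was requested
        self.age = None
        # reference instant captured once in run() so every user is measured against
        # the same point in time
        self.now = None
        self.timeout_default = 300

    def add_options(self):
        self.add_opt('-a', '--age', help='Return users with passwords last used more than N days ago')

    def process_args(self):
        """Validate the optional --age option and convert it to a float."""
        self.age = self.get_opt('age')
        if self.age:
            validate_float(self.age, 'age')
            self.age = float(self.age)

    def run(self):
        """Page through all IAM users and print a line for each one."""
        # credentials come from the standard boto3 credential chain (see module docstring)
        iam = boto3.client('iam')
        user_paginator = iam.get_paginator('list_users')
        # naive UTC on purpose: process_password_last_used() strips tzinfo from the
        # (UTC, tz-aware) PasswordLastUsed value before subtracting
        self.now = datetime.datetime.utcnow()
        for users_response in user_paginator.paginate():
            for user_item in users_response['Users']:
                log.debug(user_item)
                self.process_password_last_used(user_item)
        log.info('Completed')

    def _days_since(self, password_last_used):
        """
        Return the number of whole days between self.now and password_last_used.

        password_last_used is the tz-aware datetime.datetime boto3 returns; its tzinfo is
        dropped so it can be subtracted from the naive self.now (both are UTC) without
        "TypeError: can't subtract offset-naive and offset-aware datetimes".
        """
        datetime_delta = self.now - password_last_used.replace(tzinfo=None)
        return int(floor(datetime_delta.total_seconds() / 86400))

    def process_password_last_used(self, user_item):
        """
        Print one output line for a single ListUsers record.

        user_item: one dict from the 'Users' list of a ListUsers response.
        When --age was given, users whose password was used within the last N days are
        skipped; users with no PasswordLastUsed attribute are always printed as 'N/A'.
        """
        user = user_item['UserName']
        if 'PasswordLastUsed' in user_item:
            password_last_used = user_item['PasswordLastUsed']
            days = self._days_since(password_last_used)
            # compare against None rather than truthiness: --age 0 yields 0.0, which is
            # falsy, and must still filter out users whose password was used today
            if self.age is not None and days <= self.age:
                return
        else:
            password_last_used = 'N/A'
            days = 'N/A'
        print('{user:20s}\t{password_last_used:25s}\t({days:>3} days)'.format(
            user=user,
            password_last_used=str(password_last_used),  # without str() format string breaks with :25
            days=days))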
def main():
    """Script entry point: build the tool and hand control to its inherited main()."""
    AWSUsersPasswordLastUsed().main()


if __name__ == '__main__':
    main()