This repo contains the Python-based Lambda function that will audit IAM Access keys for an account and will enforce key rotation as well as notify users.
The Lambda function is triggered for each account by an Event notification that is configured to run on a schedule. The function audits each user in an account for access keys and determines how long before they expire, it will then notify users that their key expires in X days and that automatic key enforcement is forthcoming.
| Name | Version |
|---|---|
| terraform | >= 1.1 |
| aws | >= 3.0 |
| Name | Version |
|---|---|
| aws | >= 3.0 |
| Name | Type |
|---|---|
| aws_caller_identity.current | data source |
| aws_iam_policy_document.lambda | data source |
| aws_partition.current | data source |
| aws_region.current | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| admin_email | Admin Email that will receive all emails and reports about actions taken if email is enabled | string |
n/a | yes |
| assume_role_name | Name of the IAM role that the lambda will assume in the target account | string |
n/a | yes |
| email_source | Email that will be used to send messages | string |
n/a | yes |
| key_age_delete | Age at which a key should be deleted (e.g. 120) | number |
n/a | yes |
| key_age_inactive | Age at which a key should be inactive (e.g. 90) | number |
n/a | yes |
| key_age_warning | Age at which to warn (e.g. 75) | number |
n/a | yes |
| key_use_threshold | Age at which unused keys should be deleted (e.g.30) | number |
n/a | yes |
| accounts | List of account objects to create events for | list(object({ |
[] |
no |
| email_admin_report_enabled | Used to enable or disable the SES emailed report | bool |
false |
no |
| email_admin_report_subject | Subject of the report email that is sent | string |
null |
no |
| email_banner_message | Messages that will be at the top of all emails sent to notify recipients of important information | string |
"" |
no |
| email_banner_message_color | Color of email banner message, must be valid html color | string |
"red" |
no |
| email_tag | Tag to be placed on the IAM user that we can use to notify when their key is going to be disabled/deleted | string |
"keyenforcer:email" |
no |
| email_templates | Email templates to use for Admin and User emails | object({ |
{} |
no |
| lambda | Map of any additional arguments for the upstream lambda module. See https://github.com/terraform-aws-modules/terraform-aws-lambda | object({ |
{} |
no |
| log_level | Log level for lambda | string |
"INFO" |
no |
| project_name | Project name to prefix resources with | string |
"iam-key-enforcer" |
no |
| s3_bucket | Bucket name to write the audit report to if s3_enabled is set to 'true' | string |
null |
no |
| s3_enabled | Set to 'true' and provide s3_bucket if the audit report should be written to S3 | bool |
false |
no |
| schedule_expression | (DEPRECATED) Schedule Expressions for Rules | string |
null |
no |
| tags | Tags for resource | map(string) |
{} |
no |
| Name | Description |
|---|---|
| lambda | The lambda module object |
| queue | The SQS Queue resource object |