3 easy steps to find all inactive users in your AWS account for access management and security improvements

Problem description

Unauthorized access to internal IT environments violates company security standards. Terminating access for inactive users reduces the risk of uncontrolled access to your resources and helps establish and control the process of access management for internal and production environments.

Disabling access is necessary, for instance, when users leave the organization or when an IT environment is no longer required. Team leads need to be sure that former users no longer have access.


Our recommendations enable your engineering team to increase the security of AWS accounts by identifying inactive users and removing their IAM user credentials. In this article we recommend terminating IAM user accounts that have been inactive for 90 days or more; you can adjust the period based on your own requirements.

Recommendations

Step 1

List all users who were created more than 90 days ago and whose last AWS console login was more than 90 days ago, or who have never logged in to the console at all.
AWS CLI command:

aws iam list-users --query 'Users[?CreateDate <= `2021-12-26` && (PasswordLastUsed <= `2021-12-26` || !not_null(PasswordLastUsed))].UserName' --output text

The parentheses matter: in JMESPath `&&` binds tighter than `||`, so without them a user created within the last 90 days who has never logged in would also be listed.

Step 2

For every user in this list, check all of the user's access keys.
AWS CLI command:

aws iam list-access-keys --user-name "$user" --query 'AccessKeyMetadata[].AccessKeyId' --output text

Step 3

For every access key, check LastUsedDate. If all of a user's access keys were last used more than 90 days ago (or never), the user can be marked as a candidate for deactivation.
AWS CLI command:

aws iam get-access-key-last-used --access-key-id "$access_key" --query 'AccessKeyLastUsed.LastUsedDate >= `2021-12-26`' --output text


Note 1

In the commands we used the date 2021-12-26; it is the relative date equal to (now – 90 days) at the time of writing. Substitute your own relative date.

Note 2

The AWS CLI has a pagination mechanism for large amounts of output. If you have many users in an account, the provided script will process only the first page. Consider using something more powerful than the AWS CLI.

Combined into a one-line command:

for user in $(aws iam list-users --query 'Users[?CreateDate <= `2021-12-26` && (PasswordLastUsed <= `2021-12-26` || !not_null(PasswordLastUsed))].UserName' --output text); do for access_key in $(aws iam list-access-keys --user-name "$user" --query 'AccessKeyMetadata[].AccessKeyId' --output text); do if [[ "$(aws iam get-access-key-last-used --access-key-id "$access_key" --query 'AccessKeyLastUsed.LastUsedDate >= `2021-12-26`' --output text)" == True ]]; then continue 2; fi; done; echo "$user"; done

This command prints the list of inactive user names, one per line.
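The same three steps in Python, as an added example that is not part of the original article: the decision logic is a pure function run here on constructed sample records, and a separate boto3 fetch (assumed read-only IAM credentials in the default profile) uses paginators so every page is covered (Note 2). It goes beyond the CLI version in one respect: an access key created inside the 90-day window is treated as new rather than idle, so a freshly issued, not-yet-used key does not get its owner flagged.

```python
from datetime import datetime, timedelta, timezone

def is_inactive_user(user, keys, now, idle_days=90):
    """True when the account, its console password and all of its access keys have been
    idle for idle_days. Records mirror boto3 ListUsers/ListAccessKeys output; each key dict
    adds LastUsedDate from GetAccessKeyLastUsed (None = never). A key created inside the
    window counts as new, not idle."""
    cutoff = now - timedelta(days=idle_days)
    if user["CreateDate"] > cutoff:            # too new to have idle_days of inactivity
        return False
    last_pw = user.get("PasswordLastUsed")      # absent when the console was never used
    if last_pw and last_pw > cutoff:
        return False
    return all(k["CreateDate"] <= cutoff and not (k["LastUsedDate"] and k["LastUsedDate"] > cutoff)
               for k in keys)

def find_inactive_users(users, keys_by_user, now, idle_days=90):
    return sorted(u["UserName"] for u in users
                  if is_inactive_user(u, keys_by_user.get(u["UserName"], []), now, idle_days))

def fetch_from_aws():
    """Live data: boto3 paginators walk every page (Note 2). Assumes read-only IAM credentials."""
    import boto3
    iam = boto3.client("iam")
    users, keys_by_user = [], {}
    for page in iam.get_paginator("list_users").paginate():
        for u in page["Users"]:
            users.append(u)
            keys_by_user[u["UserName"]] = [
                {"CreateDate": k["CreateDate"],
                 "LastUsedDate": iam.get_access_key_last_used(AccessKeyId=k["AccessKeyId"])
                                    ["AccessKeyLastUsed"].get("LastUsedDate")}
                for kp in iam.get_paginator("list_access_keys").paginate(UserName=u["UserName"])
                for k in kp["AccessKeyMetadata"]]
    return users, keys_by_user

# Constructed sample data, not real accounts. NOW - 90 days = 2021-12-26, as in the article.
_d = lambda y, m, d: datetime(y, m, d, tzinfo=timezone.utc)
NOW = _d(2022, 3, 26)
SAMPLE_USERS = [
    {"UserName": "alice", "CreateDate": _d(2021, 1, 10), "PasswordLastUsed": _d(2022, 3, 20)},
    {"UserName": "bob", "CreateDate": _d(2021, 1, 10)},    # never logged in to the console
    {"UserName": "carol", "CreateDate": _d(2022, 3, 20)},  # created last week
    {"UserName": "dave", "CreateDate": _d(2021, 1, 10)},
    {"UserName": "erin", "CreateDate": _d(2021, 1, 10), "PasswordLastUsed": _d(2021, 10, 1)},
]
SAMPLE_KEYS = {
    "bob": [{"CreateDate": _d(2021, 2, 1), "LastUsedDate": _d(2021, 11, 1)}],
    "dave": [{"CreateDate": _d(2021, 2, 1), "LastUsedDate": _d(2021, 6, 1)},
             {"CreateDate": _d(2022, 3, 15), "LastUsedDate": None}],  # new, unused key: not idle
}
```

On the sample data only bob and erin are reported; carol is too new and dave holds a freshly created key, two cases the single-page CLI query would have flagged.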
