Whitepaper 'FinOps and cost management for Kubernetes'
Please consider giving OptScale a Star on GitHub, it is 100% open source. It would increase its visibility to others and expedite product development. Thank you!
Webinar 'FinOps and cloud cost optimization for ML/AI workloads.' Register here →
Ebook 'From FinOps to proven cloud cost management & optimization strategies'
OptScale — FinOps
FinOps overview
Cost optimization:
AWS
MS Azure
Google Cloud
Alibaba Cloud
Kubernetes
OptScale — MLOps
ML/AI Profiling
ML/AI Optimization
Big Data Profiling
OPTSCALE PRICING
Acura — Cloud migration
Overview
Database replatforming
Migration to:
AWS
MS Azure
Google Cloud
Alibaba Cloud
VMWare
OpenStack
KVM
Public Cloud
Migration from:
On-premise
Acura — DR & cloud backup
Overview
Migration to:
AWS
MS Azure
Google Cloud
Alibaba Cloud
VMWare
OpenStack
KVM

The best way to find inactive IAM users with AWS management console access to avoid security issues

Problem description

AWS resources are available for users, who sign in to your company AWS account through the AWS Management Console. Therefore unauthorized activity within your AWS account, for instance, can damage your R&D process or cause unpredictable cloud bills.

The security best practice is to remove passwords to the AWS Management Console when users leave your organization, no longer need them or just use access keys (a combination of an access key ID and a secret access key) to access to AWS account.

Terminating user access to the AWS Management Console by removing their password doesn’t affect the opportunity to access the console using an assumed role or permissions. If the user has active access keys, they continue to function and allow access to AWS resources.

The best way to find inactive IAM users with AWS management console

Our recommendations will help you increase the security of AWS accounts by identifying inactive users with console passwords. In our article we recommend to disable console passwords that are not active for 90 days or more, however, you can adjust a specified period of time based on your requirements.

Please, find the recommendations regarding terminating inactive IAM user accounts in our previous article

Recommendations

Find all users having console access turned on, but have not been using it for more than 90 days.

Remainder

If the user has console access and has not been using it for more than 90 days and has active access keys and has not been using it for more than 90 days too, it’s another category of users. See blog post about inactive users.

Step 1

List all the users who were created more than 90 days ago and the last time login into the AWS console was more than 90 days ago, or it wasn’t used at all.
AWS cli command:

aws iam list-users --query 'Users[?(CreateDate <= `2021-12-26` && (PasswordLastUsed <= `2021-12-26`) || !not_null(PasswordLastUsed))].UserName' --output text

Step 2

Filter the users without console access

aws iam get-login-profile --user-name "$user" 2>/dev/null

Please note, in case the user doesn’t have console access, this command will raise an exception.

2>/dev/null

 is needed for skipping such a user and doesn’t show error messages.

Step 3

For every user in this list we should check all access keys.
AWS cli command:

aws iam list-access-keys --user-name "$user" --query 'AccessKeyMetadata[].AccessKeyId' --output text

Step 4

For every access key we should check LastUsedDate. In case one access key at least was used less than 45 days ago, such a user should be skipped, otherwise the user could be marked as the target user.
AWS cli command:

aws iam get-access-key-last-used --access-key-id "$access_key" --query 'AccessKeyLastUsed.LastUsedDate >= `2022-02-09`' --output text

Free cloud cost optimization. Lifetime

Note 1

In commands we use dates 2021-12-26 and 2022-02-09 which are relative dates equal (now – 90 days) and (now – 45 days). You should use your own relative date.

Note 2

AWS cli has a pagination mechanism for large amounts of data in output. If you have many users in an account, the provided script will process only the first page. Consider using something more powerful than AWS cli.

As a result one line command:

for user in $(aws iam list-users --query 'Users[?(CreateDate <= `2021-12-26` && (PasswordLastUsed <= `2021-12-26`) || !not_null(PasswordLastUsed))].UserName' --output text); do for access_key in $(aws iam list-access-keys --user-name "$user" --query 'AccessKeyMetadata[].AccessKeyId' --output text); do if [[ "$(aws iam get-access-key-last-used --access-key-id "$access_key" --query 'AccessKeyLastUsed.LastUsedDate >= `2022-02-09`' --output text)" == True ]]; then continue 2; fi; done; echo "$user"; done

As a result this command will provide a list of user names.

👆🏻 Unauthorized access to internal IT environments doesn’t meet company security standards. Terminating access for inactive users is aimed to reduce the risk of uncontrolled access to your resources.

💡 Discover 3 easy steps to find all inactive users in your AWS account for access management and security improvements → https://hystax.com/3-easy-steps-to-find-all-inactive-users-in-your-aws-account-for-access-management-and-security-improvements

Enter your email to be notified about new and relevant content.

Thank you for joining us!

We hope you'll find it usefull

You can unsubscribe from these communications at any time. Privacy Policy

News & Reports

FinOps and MLOps

A full description of OptScale as a FinOps and MLOps open source platform to optimize cloud workload performance and infrastructure cost. Cloud cost optimization, VM rightsizing, PaaS instrumentation, S3 duplicate finder, RI/SP usage, anomaly detection, + AI developer tools for optimal cloud utilization.

FinOps, cloud cost optimization and security

Discover our best practices: 

  • How to release Elastic IPs on Amazon EC2
  • Detect incorrectly stopped MS Azure VMs
  • Reduce your AWS bill by eliminating orphaned and unused disk snapshots
  • And much more deep insights

FinOps and cloud cost optimization for ML/AI workloads

Join our live demo on 21th 
February and discover how OptScale allows running ML/AI or any type of workload with optimal performance and infrastructure cost.