In a cloud context, managing IAM users is critical. Having a periodic report on the number of existing IAM users, as well as information on the date the user was formed and the privileges allocated to the user, will help you keep track of who is using the cloud infrastructure. If you are auditing the cloud infrastructure, this article is to offer valuable insights.
You may get a list of current users by downloading IAM's Credential Report with a single cloud account. Even with that approach, you still will not be able to know what rights IAM users have been given. What is more, downloading the Credential Report for each account and then aggregating the information is not practicable if you work on an AWS Organization with hundreds of Cloud member accounts. This post will suggest a method for gathering data about IAM users at the organizational level (and of course, can be applied at the single account level).
The idea of this solution is that we will use the following services: AWS Config, AWS Lambda, S3 bucket, and Amazon EventBridge:
- Create Config aggregator (at organization scope) to aggregate resources from all cloud accounts in the company.
- Build a Lambda function to receive local user information from the Config aggregator, push data into a CSV file, and save the CSV file to an S3 bucket.
- Config an event to execute a Lambda function weekly to export reports automatically.
Create Config aggregator
When you activate AWS Control Tower in your organization, the Audit account is automatically generated when you create a landing zone. The Audit account is a restricted account that's designed to give your security and compliance teams read and write access to all accounts in your landing zone. In your Audit account, you can create a Config Aggregator to collect information about all of your organization's resources.
In addition, you can also set up the Config Aggregator quickly using the CloudFormation template:
Create an S3 bucket
We need to create an S3 bucket to store reports.
Create an S3 bucket named "user-report" to store the user report file. Modify the bucket permission to allow the Lambda function to put objects in this bucket:
Build a Lambda function
Create a role assigned to the Lambda function, grant the following permissions to this function so that it can get data from Config, and write the data to the S3 bucket:
To query IAM user information (accountID - Cloud account ID, resourceName - username, resourceId - userID,... ) from AWS Config via Lambda function, we use boto3 library and following syntax
The returned data will look like this:
All the content we need to get is in the "Result" section. Config limits the number of records in the response, we need to use a “for” loop and “NextToken” param to get the entire records:
The result after querying to Config will be in the form of JSON. To easily read and edit the file content, we can convert the data to CSV format. We'll process the data a little before converting it to CSV and saving it to an S3 bucket:
Config an Event
Create an EventBridge event to trigger the Lambda function. Depending on your needs, you can use EventBridge events to schedule Lambda functions to run weekly, monthly, or any other time.
Click on Add trigger in the Function overview panel:
Fill in the required information:
In this example, I put the information as cron(0 9 ? * 2#1 *). That means this Lambda function will run every month on the first Monday at 9:00 a.m.
Before running the Lambda function to generate the report, you can use the following code to create new users. This code will create 100 new users with randomly generated usernames.
After deploying the code, we can test the Lambda function and check if there are enough created users in the report. The report will look like this:
As a result, a monthly report will be generated that aggregates information from all existing IAM users in your AWS Organization.
Then it will be easy to keep track of and manage local users.
Based on your purposes and needs, you may also modify the Lambda function to collect information about various resources inside your organization.
About FPT Software
FPT Software is a global technology and IT services provider headquartered in Vietnam, with more than USD 600 million in revenue and 22,000 employees in 26 countries. As a pioneer in digital transformation, the company delivers world-class services in the Smart factory, Digital platforms, RPA, AI, IoT, Cloud, AR/VR, BPO, and more. It has served 1000+ customers worldwide, a hundred of which are Fortune Global 500 companies in the industries of Automotive, Banking and Finance, Logistics & Transportation, Utilities, and more. For more information, please visit https://www.fpt-software.com.