This project is part of a wider IAM governance strategy designed to reduce the attack surface of an AWS ecosystem by identifying and removing unnecessary human identities, machine identities and access keys. It also helps to identify IAM users who do not have MFA enabled.
The main prerequisite is to have populated the AWS config file locally with the organisation's AWS accounts. Its content should look like this:
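The config file that this prerequisite refers to is not reproduced on this page. The script below is an added example and not part of the identity-hygiene-program repository: it writes a constructed config in the standard AWS CLI layout (one assumed-role profile and one IAM Identity Center profile, with made-up account IDs and start URL), lists every profile together with the account it maps to, and, when the aws CLI is installed, repeats the identity check from step 4 against each profile so that an expired SSO session or a broken role chain is caught before the reports are generated.

```sh
#!/bin/sh
# Added example (not part of the identity-hygiene-program repository): enumerate the
# profiles of an AWS CLI config file and check that each one can authenticate.
# The profile names, account IDs and SSO start URL below are constructed.

# Print "<profile>\t<account-id>" for every profile in the config file given as $1.
# [default] and [profile <name>] sections count as profiles; [sso-session ...]
# sections do not. The account id is taken from sso_account_id or from role_arn,
# and is "-" when the profile carries neither (e.g. a plain static-key profile).
profile_accounts() {
  awk '
    function flush() { if (name != "") printf "%s\t%s\n", name, (acct == "" ? "-" : acct) }
    /^\[/ {
      flush(); name = ""; acct = ""
      if ($0 ~ /^\[default\][ \t]*$/) name = "default"
      else if ($0 ~ /^\[profile[ \t]+.+][ \t]*$/) {
        name = $0; sub(/^\[profile[ \t]+/, "", name); sub(/][ \t]*$/, "", name)
      }
      next
    }
    name != "" && /^[ \t]*sso_account_id[ \t]*=/ {
      acct = $0; sub(/^[^=]*=[ \t]*/, "", acct); sub(/[ \t]+$/, "", acct)
    }
    name != "" && acct == "" && /^[ \t]*role_arn[ \t]*=/ {
      split($0, a, ":"); acct = a[5]      # arn:aws:iam::<account>:role/<name>
    }
    END { flush() }
  ' "$1"
}

# For every profile, run the step-4 identity check non-interactively and report the
# profiles that cannot obtain credentials (expired SSO login, missing source profile,
# deleted role). Requires the aws CLI.
check_profiles() {
  profile_accounts "$1" | while IFS="$(printf '\t')" read -r profile acct; do
    if ident="$(aws sts get-caller-identity --profile "$profile" --output text --query Arn 2>/dev/null)"; then
      printf 'ok    %s (%s): %s\n' "$profile" "$acct" "$ident"
    else
      printf 'FAIL  %s (%s): cannot authenticate\n' "$profile" "$acct"
    fi
  done
}

# Constructed config in the layout the AWS CLI reads from ~/.aws/config.
CONFIG="$(mktemp)"
cat >"$CONFIG" <<'EOF'
[default]
region = eu-west-1

[profile security-audit]
region = eu-west-1
role_arn = arn:aws:iam::111111111111:role/SecurityAudit
source_profile = default

[profile workloads-prod]
sso_session = org-sso
sso_account_id = 222222222222
sso_role_name = SecurityAudit
region = eu-west-1

[sso-session org-sso]
sso_start_url = https://example.awsapps.com/start
sso_region = eu-west-1
EOF

profile_accounts "$CONFIG"
# The parsing above needs no AWS access; only attempt the live check when the CLI exists.
if command -v aws >/dev/null 2>&1; then check_profiles "$CONFIG"; fi
rm -f "$CONFIG"
```

Point `profile_accounts` and `check_profiles` at `~/.aws/config` to use them against a real setup; a `FAIL` line for a profile means `./main.sh` will not be able to report on that account until the session is refreshed.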
To use this solution, please follow the instructions below.
1) Clone the repository locally:
git clone https://github.com/nick22d/identity-hygiene-program.git
2) Navigate into the repository:
cd identity-hygiene-program/
3) Set up the dependencies:
./setup.sh
4) Ensure that you have authenticated with an AWS identity:
aws sts get-caller-identity
5) Run the main script to generate the reports:
./main.sh
6) Analyse each report with the identities parser tool:
./identities_parser.sh reports/<filename>
Not every parser option applies to every report: for a file ending in "_roles_activity.csv" only options 1 and 2 are useful, and for a file ending in "_users_activity.csv" only options 3 to 6 are relevant.
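Step 6 hands each report to the parser's menu, and the notes below state that the root user is the one identity the parser's SQL queries never flag. The script below is an added example and not the repository's identities_parser.sh: it performs the equivalent checks (console users without MFA, and active access keys that were never used or have not been used since a cutoff date) with awk over a constructed IAM credential report. The columns are those of the standard AWS credential report, which this page does not show to be the layout of the tool's own *_users_activity.csv files, and the <root_account> row is skipped the same way the tool skips root.

```sh
#!/bin/sh
# Added example (not the identities_parser.sh shipped with the repository): find IAM
# users without MFA and unused access keys in an IAM credential report, excluding root.
# Column names are those of the standard AWS credential report; the rows are constructed.

# Write a constructed credential report to the file given as $1.
write_sample_report() {
  cat >"$1" <<'EOF'
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111111111111:root,2020-01-01T00:00:00+00:00,not_supported,2024-03-01T09:00:00+00:00,not_supported,not_supported,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111111111111:user/alice,2021-05-04T00:00:00+00:00,true,2024-05-20T08:00:00+00:00,2024-01-10T00:00:00+00:00,2024-04-09T00:00:00+00:00,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111111111111:user/bob,2019-08-12T00:00:00+00:00,true,2024-05-18T07:30:00+00:00,2023-11-02T00:00:00+00:00,2024-01-31T00:00:00+00:00,false,true,2023-02-01T00:00:00+00:00,2023-03-15T00:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111111111111:user/ci-deploy,2022-01-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-04-01T00:00:00+00:00,2024-05-21T00:00:00+00:00,eu-west-1,sts,true,2022-01-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
EOF
}

# Print "<finding>\t<user>\t<detail>" for every IAM user (root excluded) that has a
# console password without MFA, or an active access key that was never used or was
# last used before the cutoff date given as $2 (YYYY-MM-DD). Columns are located by
# header name, so extra or reordered columns do not break the checks. ISO-8601
# timestamps compare correctly as strings, which is why no date arithmetic is needed.
stale_identities() {
  awk -v cutoff="$2" '
    BEGIN { FS = "," }
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
    $col["user"] == "<root_account>" { next }       # root is never a removal candidate
    $col["password_enabled"] == "true" && $col["mfa_active"] != "true" {
      printf "no-mfa\t%s\tconsole password without MFA\n", $col["user"]
    }
    {
      for (k = 1; k <= 2; k++) {
        if ($col["access_key_" k "_active"] != "true") continue
        last = $col["access_key_" k "_last_used_date"]
        if (last == "N/A")
          printf "unused-key\t%s\tkey %d active but never used\n", $col["user"], k
        else if (substr(last, 1, 10) < cutoff)
          printf "unused-key\t%s\tkey %d last used %s\n", $col["user"], k, substr(last, 1, 10)
      }
    }
  ' "$1"
}

REPORT="$(mktemp)"
write_sample_report "$REPORT"
stale_identities "$REPORT" 2024-02-20
rm -f "$REPORT"
# Against a real account, run the same function over the report IAM generates:
#   aws iam generate-credential-report
#   aws iam get-credential-report --query Content --output text | base64 --decode > report.csv
#   stale_identities report.csv 2024-02-20   # cutoff = 90 days before the audit date
```

With the constructed rows and a cutoff of 2024-02-20 the script reports bob twice (no MFA, and a key last used in March 2023) and ci-deploy once (a second key that was never used); alice is clean, and the root row never appears even though it has no MFA.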
- The solution works with MFA enforced: there is no need to disable MFA on the identity you use with the AWS CLI.
- Each report is a plain CSV file and can be examined with any CSV viewer (e.g. Microsoft Excel).
- Root users are excluded from the tool's SQL queries to avoid accidental removal.
- No AWS charges are incurred by the use of this solution.



