Conversation
| CLOUDWATCH_METRICS_AVAILABLE_DAYS = 14 | ||
| AWS_DEFAULT_GLOBAL_REGION = 'us-east-1' | ||
| UNUSED_ACCESS_KEY_DAYS = 90 | ||
| UNUSED_ACCESS_KEY_DAYS = 180 |
There was a problem hiding this comment.
UNUSED_ACCESS_KEY_DAYS = 90
DELETE_ACCESS_KEY_DAYS = 180
There was a problem hiding this comment.
changed to 90, For delete access key policy, will raise a separate PR
|
@inntran, any comment ? |
|
I wish we could move configurations from Python files to YAML. Other than that, we can not fix all code smells at this time, so let it be. |
|
Changes:
|
| raise err | ||
|
|
||
| def untag_user(self, user_name: str, tag_keys: list): | ||
| """ |
There was a problem hiding this comment.
After we delete the access keys, we will remove the tags 'UnusedAccessKey1InactiveDate', etc which we added to send email reminders.
| self.tag_user(username, [{'Key': inactive_tag_key, 'Value': inactive_date}]) | ||
| except Exception as e: | ||
| logger.error(f"Failed to deactivate access key '{access_key_id}' for user '{username}': {e}") | ||
| else: |
| if should_delete: | ||
| if self._dry_run == 'no': | ||
| try: | ||
| self._delete_inactive_access_key(user_name, access_key_label) |
There was a problem hiding this comment.
We should send email alert before deleting the access key
There was a problem hiding this comment.
Added the part about deletion for keys aged > 120 days in the email alert reminder before deactivation.
| tag_key = f"UnusedAccessKey{access_key_label.split()[-1]}ReminderCount" | ||
| to_user = self.get_tag_name_from_tags(tags=tags, tag_name='User') or user_name | ||
| display_name = self._mail_message.get_user_ldap_details(user_name=to_user) or to_user | ||
| subject, body = self._mail_message.unused_access_key_reminder( |
There was a problem hiding this comment.
Maybe we should mention that we will delete the access key after 120 days, if no key rotation is done.
| if reminder_val in ('1', '2'): | ||
| reminder_count = int(reminder_val) | ||
| if reminder_count < 2 and self._dry_run == 'no': | ||
| self._send_reminder_and_update_tag( |
There was a problem hiding this comment.
Unused Access Key Already Participates in Alerts in send_aggregated_alerts.py, why we need to send it separately ?
There was a problem hiding this comment.
send_aggregated_alerts.py sends alerts post deactivation (>90 days) based on Cleanup Days. Hence added a separate email alert to alert the user twice before UNUSED_ACCESS_KEY_REMINDER_DAYS.
3 participants
Type of change
Note: Fill x in []
Description
For security reasons, all pull requests need to be approved first before running any automated CI