Role Service Inactivity

More Info:

Roles which have access to services but have not used in past several days should be looked into and cleaned up.

Risk Level

Medium

Address

Security

Compliance Standards

CISAWS

Triage and Remediation

How to Prevent

Using Console

Using CLI

To prevent Role Service Inactivity in IAM using AWS CLI, you can follow these steps:

Create a Role with Specific Permissions: Ensure that the role you create has the necessary permissions and is not overly permissive. Use the create-role command to create a role with a specific policy.
```
aws iam create-role --role-name MyRole --assume-role-policy-document file://trust-policy.json
```
Attach a Policy to the Role: Attach a policy to the role that grants only the necessary permissions. Use the attach-role-policy command to attach a managed policy or put-role-policy to attach an inline policy.
```
aws iam attach-role-policy --role-name MyRole --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess
```
Enable CloudTrail to Monitor Role Activity: Enable AWS CloudTrail to monitor and log all activities associated with the role. This helps in identifying any inactivity or misuse.
```
aws cloudtrail create-trail --name MyTrail --s3-bucket-name my-bucket
aws cloudtrail start-logging --name MyTrail
```

Set Up CloudWatch Alarms for Inactivity: Create CloudWatch Alarms to monitor the role’s activity and trigger alerts if the role is inactive for a specified period.

aws cloudwatch put-metric-alarm --alarm-name RoleInactivityAlarm --metric-name Invocations --namespace AWS/Lambda --statistic Sum --period 86400 --threshold 1 --comparison-operator LessThanThreshold --dimensions Name=FunctionName,Value=MyLambdaFunction --evaluation-periods 1 --alarm-actions arn:aws:sns:us-east-1:123456789012:MyTopic

By following these steps, you can ensure that roles are properly configured, monitored, and any inactivity is promptly addressed.

Using Python

To prevent Role Service Inactivity in IAM using Python scripts, you can follow these steps:

1. Set Up AWS SDK (Boto3)

First, ensure you have the AWS SDK for Python (Boto3) installed. You can install it using pip if you haven’t already:

pip install boto3

2. Create a Python Script to List Roles

Create a Python script to list all IAM roles and their last used timestamps. This will help you identify inactive roles.

import boto3
from datetime import datetime, timedelta

# Initialize a session using Amazon IAM
session = boto3.Session(profile_name='your_profile_name')
iam_client = session.client('iam')

# Get the current date
current_date = datetime.utcnow()

# Define the inactivity threshold (e.g., 90 days)
inactivity_threshold = timedelta(days=90)

# List all IAM roles
roles = iam_client.list_roles()

for role in roles['Roles']:
    role_name = role['RoleName']
    role_last_used = iam_client.get_role(RoleName=role_name)['Role']['RoleLastUsed']
    
    if 'LastUsedDate' in role_last_used:
        last_used_date = role_last_used['LastUsedDate']
        if current_date - last_used_date > inactivity_threshold:
            print(f"Role {role_name} has been inactive since {last_used_date}")
    else:
        print(f"Role {role_name} has never been used")

3. Automate Role Deactivation or Notification

You can extend the script to either deactivate the inactive roles or send notifications to the administrators.

Deactivate Inactive Roles

for role in roles['Roles']:
    role_name = role['RoleName']
    role_last_used = iam_client.get_role(RoleName=role_name)['Role']['RoleLastUsed']
    
    if 'LastUsedDate' in role_last_used:
        last_used_date = role_last_used['LastUsedDate']
        if current_date - last_used_date > inactivity_threshold:
            # Deactivate the role
            iam_client.update_role(RoleName=role_name, MaxSessionDuration=3600)  # Example action
            print(f"Role {role_name} has been deactivated due to inactivity")
    else:
        print(f"Role {role_name} has never been used")

Send Notifications

import smtplib
from email.mime.text import MIMEText

def send_notification(role_name, last_used_date):
    msg = MIMEText(f"Role {role_name} has been inactive since {last_used_date}")
    msg['Subject'] = 'Inactive IAM Role Notification'
    msg['From'] = '[email protected]'
    msg['To'] = '[email protected]'

    with smtplib.SMTP('smtp.example.com') as server:
        server.sendmail(msg['From'], [msg['To']], msg.as_string())

for role in roles['Roles']:
    role_name = role['RoleName']
    role_last_used = iam_client.get_role(RoleName=role_name)['Role']['RoleLastUsed']
    
    if 'LastUsedDate' in role_last_used:
        last_used_date = role_last_used['LastUsedDate']
        if current_date - last_used_date > inactivity_threshold:
            send_notification(role_name, last_used_date)
            print(f"Notification sent for role {role_name} due to inactivity")
    else:
        print(f"Role {role_name} has never been used")

4. Schedule the Script

Use a task scheduler like cron (Linux) or Task Scheduler (Windows) to run the script periodically to ensure continuous monitoring and prevention of role service inactivity.

Example (Linux Cron Job)

# Open the crontab file
crontab -e

# Add the following line to run the script daily at midnight
0 0 * * * /usr/bin/python3 /path/to/your_script.py

By following these steps, you can effectively prevent role service inactivity in IAM using Python scripts.

Additional Reading:

https://aws.amazon.com/blogs/security/continuously-monitor-unused-iam-roles-aws-config/

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Role Service Inactivity

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

How to Prevent

1. Set Up AWS SDK (Boto3)

2. Create a Python Script to List Roles

3. Automate Role Deactivation or Notification

Deactivate Inactive Roles

Send Notifications

4. Schedule the Script

Example (Linux Cron Job)

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​How to Prevent

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

How to Prevent

Additional Reading: