feat: added iam analyzer

Signed-off-by: Alex Jones <[email protected]>
isotope-rs · Dec 21, 2023 · 8489fe5 · 8489fe5
1 parent 07654d3
commit 8489fe5
Show file tree

Hide file tree

Showing 5 changed files with 183 additions and 0 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -43,6 +43,7 @@ simple-home-dir = "0.2.0"
 tokio = { version = "1", features = ["full"] }
 unescape = "0.1.0"
 v = "0.1.0"
+chrono = "0.4.31"
 
 # Config for 'cargo dist'
 [workspace.metadata.dist]

diff --git a/README.md b/README.md
@@ -106,6 +106,8 @@ isotope analyze -a S3
 - EC2
   - Orphaned Elastic IP address
   - Public snapshot detection
+- IAM
+  - Orphaned/unused key detection
 
 ### Community
 

diff --git a/src/analyzer/iam_analyzer.rs b/src/analyzer/iam_analyzer.rs
@@ -0,0 +1,45 @@
+use async_trait::async_trait;
+use aws_sdk_iam::Client;
+use aws_types::sdk_config::SdkConfig;
+use crate::analyzer::analyzer_trait::Analyzer;
+use crate::analyzer::types::AnalysisResults;
+use chrono::{TimeZone, Utc};
+use chrono::Duration;
+pub struct IamAnalyzer {
+	pub config: SdkConfig
+}
+
+#[async_trait]
+impl Analyzer for IamAnalyzer {
+
+	async fn run(&self) -> Option<Vec<AnalysisResults>> {
+		let mut results = Vec::new();
+		let iam = Client::new(&self.config);
+
+		// Check for unused access keys
+		if let Ok(keys) = iam.list_access_keys().send().await {
+			for key in keys.access_key_metadata {
+				if let Some(create_date) = key.create_date {
+					if !key.access_key_id.as_ref().unwrap().is_empty(){
+						if let Some(aws_create_date) = key.create_date {
+							let create_date = Utc.timestamp(aws_create_date.secs(), 0);
+							if create_date < Utc::now() - Duration::days(90) {
+								results.push(AnalysisResults {
+									message: format!("Unused access key: {}", key.access_key_id.as_ref().unwrap()),
+									advice: "Consider deleting unused access keys".to_string(),
+									analyzer_name: self.get_name(),
+								});
+							}
+						}
+					}
+				}
+			}
+		}
+
+		Some(results)
+	}
+
+	fn get_name(&self) -> String {
+		"iam".to_string()
+	}
+}
diff --git a/src/analyzer/mod.rs b/src/analyzer/mod.rs
@@ -10,6 +10,7 @@ mod s3_analyzer;
 mod sg_analyzer;
 mod sts_analyzer;
 pub(crate) mod types;
+mod iam_analyzer;
 
 pub fn generate_analyzers(config: &SdkConfig) -> Vec<Box<dyn Analyzer>> {
     let analyzers: Vec<Box<dyn Analyzer>> = vec![
@@ -34,6 +35,9 @@ pub fn generate_analyzers(config: &SdkConfig) -> Vec<Box<dyn Analyzer>> {
         Box::new(ec2_snapshot_analyzer::EC2SnapshotAnalyzer {
             config: config.clone(),
         }),
+        Box::new(iam_analyzer::IamAnalyzer {
+            config: config.clone(),
+        })
     ];
     analyzers
 }