Skip to content

plus3it/terraform-aws-tardigrade-iam-key-enforcer

Repository files navigation

Tardigrade IAM Key Enforcer

This repo contains the Python-based Lambda function that will audit IAM Access keys for an account and will enforce key rotation as well as notify users.

Basic Function

The Lambda function is triggered for each account by an Event notification that is configured to run on a schedule. The function audits each user in an account for access keys and determines how long before they expire, it will then notify users that their key expires in X days and that automatic key enforcement is forthcoming.

Requirements

Name Version
terraform >= 1.1
aws >= 3.0

Providers

Name Version
aws >= 3.0

Resources

Name Type
aws_caller_identity.current data source
aws_iam_policy_document.lambda data source
aws_partition.current data source
aws_region.current data source

Inputs

Name Description Type Default Required
admin_email Admin Email that will receive all emails and reports about actions taken if email is enabled string n/a yes
assume_role_name Name of the IAM role that the lambda will assume in the target account string n/a yes
email_source Email that will be used to send messages string n/a yes
key_age_delete Age at which a key should be deleted (e.g. 120) number n/a yes
key_age_inactive Age at which a key should be inactive (e.g. 90) number n/a yes
key_age_warning Age at which to warn (e.g. 75) number n/a yes
key_use_threshold Age at which unused keys should be deleted (e.g.30) number n/a yes
accounts List of account objects to create events for
list(object({
account_name = string
account_number = string
role_name = optional(string) # deprecated
armed = bool
debug = optional(bool, false)
email_user_enabled = bool
email_targets = list(string)
exempt_groups = list(string)
schedule_expression = optional(string, "cron(0 1 ? * SUN *)")

}))
[] no
email_admin_report_enabled Used to enable or disable the SES emailed report bool false no
email_admin_report_subject Subject of the report email that is sent string null no
email_banner_message Messages that will be at the top of all emails sent to notify recipients of important information string "" no
email_banner_message_color Color of email banner message, must be valid html color string "red" no
email_tag Tag to be placed on the IAM user that we can use to notify when their key is going to be disabled/deleted string "keyenforcer:email" no
email_templates Email templates to use for Admin and User emails
object({
admin = optional(object({
subject = optional(string, null),
html = optional(string, null),
text = optional(string, null),
}), {}),
user = optional(object({
subject = optional(string, null),
html = optional(string, null),
text = optional(string, null),
}), {})
})
{} no
lambda Map of any additional arguments for the upstream lambda module. See https://github.com/terraform-aws-modules/terraform-aws-lambda
object({
artifacts_dir = optional(string, "builds")
build_in_docker = optional(bool, false)
create_package = optional(bool, true)
ephemeral_storage_size = optional(number)
ignore_source_code_hash = optional(bool, true)
local_existing_package = optional(string)
recreate_missing_package = optional(bool, false)
runtime = optional(string, "python3.11")
s3_bucket = optional(string)
s3_existing_package = optional(map(string))
s3_prefix = optional(string)
store_on_s3 = optional(bool, false)
timeout = optional(number, 300)
source_path = optional(object({
patterns = optional(list(string), ["!\.terragrunt-source-manifest"])
}), {})
})
{} no
log_level Log level for lambda string "INFO" no
project_name Project name to prefix resources with string "iam-key-enforcer" no
s3_bucket Bucket name to write the audit report to if s3_enabled is set to 'true' string null no
s3_enabled Set to 'true' and provide s3_bucket if the audit report should be written to S3 bool false no
schedule_expression (DEPRECATED) Schedule Expressions for Rules string null no
tags Tags for resource map(string) {} no

Outputs

Name Description
lambda The lambda module object
queue The SQS Queue resource object