Skip to content

Automatic rotation of AWS user access keys after a period of 90 days. Secrets stored in Secrets Manager with appropriate IAM permissions and resource policies to grant only the appropriate user access.

Notifications You must be signed in to change notification settings

Nimzyow/aws-serverless-access-keys-rotation

Repository files navigation

README

What is this repository for?

It is security best practice to rotate aws access keys and to get used to rotating aws access keys.

This shortens the period the access keys are active and will reduce business impact if the access keys ever become compromised.

I created another AWS account using organisations which acts as my Sandbox/testing account. The purpose was to deploy a test or staging version of this task to my Sandbox/testing account and deploy the production version to my main account. Really, I just wanted to experiment and play around with using multiple AWS accounts as I've often read it is good practice to have a aws account purely for production purposes and another for testing, through use of aws organisations. So, perfect reason to experiment and see for myself!

How do I get set up?

  • Install SAM CLI
  • Once you have run the sam pipeline init --bootstrap command, set your github secrets with:
    • AWS_ACCESS_KEY_ID
    • AWS_SECRET_ACCESS_KEY
      • Note: The above access keys are the sam user that SAM creates for you when you run the above command and answer all the questions. The sam user will already have access keys but you'll need to generate new access keys for this user as there is no way for you to retrieve the secret after access keys are created. So make sure you have sufficient permissions to change an IAM user access keys, such as by giving yourself admin access or by logging in as root user.

How to start a SAM project

  1. sam init
  2. choose AWS Quick start templates
  3. choose hello world example
  4. select n for popular runtime package (python and zip)
  5. choose node 16
  6. choose zip
  7. choose hello world example typescript
  8. choose n for xray tracing
  9. name the app

FAQ

  1. How do I validate my SAM template?

    sam validate

  2. How do I generate an eventbridge scheduled test event to simulate lambda invocation?

sam local generate-event cloudwatch scheduled-event

Note: The CloudWatch Events service has been re-launched as Amazon EventBridge with full backwards compatibility.

The CLI will generate a scheduled event which you can copy paste into events/event.json

  1. How do I test the lambda function locally?

from the same directory as template.yml

sam local invoke "NameOfYourFunctionInTemplateFile" -e events/event.json

Note: You will need to run sam build to test the lambda function with the most up to date code.
Note: use the -e with the path to the event file if you need it.

  1. How do I sync my resources to the cloud for testing?

Ensure you have set the correct profile first with export AWS_PROFILE=<name>

sam sync --stack-name serverless-access-keys-rotation --watch

  1. How do I see the logs from the terminal

Creating the pipeline

You can use SAM to create a guided pipeline file for you to use as a base. Simply run:

sam pipeline init --bootstrap

You'll be asked a series of questions such as which CI/CD system you use, what profiles to use to create the SAM user with appropriate permissions etc...

task

  1. Cloudwatch event triggers lambda every day - DONE
  2. lambda function checks users and decides if their access keys are too old

-- Below automatically created by SAM

serverless-access-keys-rotation

This project contains source code and supporting files for a serverless application that you can deploy with the SAM CLI. It includes the following files and folders.

  • hello-world - Code for the application's Lambda function written in TypeScript.
  • events - Invocation events that you can use to invoke the function.
  • hello-world/tests - Unit tests for the application code.
  • template.yaml - A template that defines the application's AWS resources.

The application uses several AWS resources, including Lambda functions and an API Gateway API. These resources are defined in the template.yaml file in this project. You can update the template to add AWS resources through the same deployment process that updates your application code.

If you prefer to use an integrated development environment (IDE) to build and test your application, you can use the AWS Toolkit.
The AWS Toolkit is an open source plug-in for popular IDEs that uses the SAM CLI to build and deploy serverless applications on AWS. The AWS Toolkit also adds a simplified step-through debugging experience for Lambda function code. See the following links to get started.

Deploy the sample application

The Serverless Application Model Command Line Interface (SAM CLI) is an extension of the AWS CLI that adds functionality for building and testing Lambda applications. It uses Docker to run your functions in an Amazon Linux environment that matches Lambda. It can also emulate your application's build environment and API.

To use the SAM CLI, you need the following tools.

To build and deploy your application for the first time, run the following in your shell:

sam build
sam deploy --guided

The first command will build the source of your application. The second command will package and deploy your application to AWS, with a series of prompts:

  • Stack Name: The name of the stack to deploy to CloudFormation. This should be unique to your account and region, and a good starting point would be something matching your project name.
  • AWS Region: The AWS region you want to deploy your app to.
  • Confirm changes before deploy: If set to yes, any change sets will be shown to you before execution for manual review. If set to no, the AWS SAM CLI will automatically deploy application changes.
  • Allow SAM CLI IAM role creation: Many AWS SAM templates, including this example, create AWS IAM roles required for the AWS Lambda function(s) included to access AWS services. By default, these are scoped down to minimum required permissions. To deploy an AWS CloudFormation stack which creates or modifies IAM roles, the CAPABILITY_IAM value for capabilities must be provided. If permission isn't provided through this prompt, to deploy this example you must explicitly pass --capabilities CAPABILITY_IAM to the sam deploy command.
  • Save arguments to samconfig.toml: If set to yes, your choices will be saved to a configuration file inside the project, so that in the future you can just re-run sam deploy without parameters to deploy changes to your application.

You can find your API Gateway Endpoint URL in the output values displayed after deployment.

Use the SAM CLI to build and test locally

Build your application with the sam build command.

serverless-access-keys-rotation$ sam build

The SAM CLI installs dependencies defined in hello-world/package.json, compiles TypeScript with esbuild, creates a deployment package, and saves it in the .aws-sam/build folder.

Test a single function by invoking it directly with a test event. An event is a JSON document that represents the input that the function receives from the event source. Test events are included in the events folder in this project.

Run functions locally and invoke them with the sam local invoke command.

serverless-access-keys-rotation$ sam local invoke HelloWorldFunction --event events/event.json

The SAM CLI can also emulate your application's API. Use the sam local start-api to run the API locally on port 3000.

serverless-access-keys-rotation$ sam local start-api
serverless-access-keys-rotation$ curl http://localhost:3000/

The SAM CLI reads the application template to determine the API's routes and the functions that they invoke. The Events property on each function's definition includes the route and method for each path.

Events:
  HelloWorld:
    Type: Api
    Properties:
      Path: /hello
      Method: get

Add a resource to your application

The application template uses AWS Serverless Application Model (AWS SAM) to define application resources. AWS SAM is an extension of AWS CloudFormation with a simpler syntax for configuring common serverless application resources such as functions, triggers, and APIs. For resources not included in the SAM specification, you can use standard AWS CloudFormation resource types.

Fetch, tail, and filter Lambda function logs

To simplify troubleshooting, SAM CLI has a command called sam logs. sam logs lets you fetch logs generated by your deployed Lambda function from the command line. In addition to printing the logs on the terminal, this command has several nifty features to help you quickly find the bug.

NOTE: This command works for all AWS Lambda functions; not just the ones you deploy using SAM.

serverless-access-keys-rotation$ sam logs -n HelloWorldFunction --stack-name serverless-access-keys-rotation --tail

You can find more information and examples about filtering Lambda function logs in the SAM CLI Documentation.

Unit tests

Tests are defined in the hello-world/tests folder in this project. Use NPM to install the Jest test framework and run unit tests.

serverless-access-keys-rotation$ cd hello-world
hello-world$ npm install
hello-world$ npm run test

Cleanup

To delete the sample application that you created, use the AWS CLI. Assuming you used your project name for the stack name, you can run the following:

aws cloudformation delete-stack --stack-name serverless-access-keys-rotation

Resources

See the AWS SAM developer guide for an introduction to SAM specification, the SAM CLI, and serverless application concepts.

Next, you can use AWS Serverless Application Repository to deploy ready to use Apps that go beyond hello world samples and learn how authors developed their applications: AWS Serverless Application Repository main page

About

Automatic rotation of AWS user access keys after a period of 90 days. Secrets stored in Secrets Manager with appropriate IAM permissions and resource policies to grant only the appropriate user access.

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published