As often happens, users have to reset their password for different systems. Sending these passwords over email is not secure. I wrote this small utility which resets a user password and saves it in the AWS Parameter store and also emails a dynamically generated link to user to extract the password. As soon as the user extracts this password - it is no longer possible to retreive it again. The link stops working. Once setup and running, it does not need any manual intervention from admin teams.
An example use case is to allow IAM users to reset their passwords if they forget it rather than requesting someone else (admin team, maybe?) to do it.
Needless to say, this is NOT a full blown solution as you will need to take care of authentication and authorization of the api (currently it is public). Treat this more as a proof of concept to use/implement using native AWS services without adopting any additional tools.
This is a simplified view of the components being used. It is fairly lightweight and as part of a bigger setup, it probably wouldn't even be noticed w.r.t cost.
Install serverless, follow this guide
Setup aws cli with profiles matching environments/stages. A sample ~/.aws/credentials file -
[dev]
aws_access_key_id = DEV_ACCESS_KEY
aws_secret_access_key = DEV_SECRET_KEY
You can obviously tweak the solution to work for you, but for it to work right out of the box, following should be available
- IAM user should exist.
- IAM username should be the user's email.
- You should be out of SES sandbox mode, otherwise users will not receive email with the link.
Deploy the service. Use --stage=qa|prod to deploy the service in stages other than dev.
sls deploy -v
Hit the apigateway endpoint url https://apiendpoint.execute-api.region.amazonaws.com/dev/generate?user=username with the query string user=username to generate the password. This will give you an output like this -
Your request has been submitted
Please check your email for further details
A sample email
From: no-reply@example.com
Sent: Monday, April 01, 2000 1:00 PM
To: username@example.com
Subject: CONFIDENTIAL: Account information
You can retrieve your password from the link below.
https://apiendpoint.execute-api.region.amazonaws.com/dev/extract?ph=2000040113001245&rs=i093tN.3UOIW1YZsMi
NOTE: This link is valid for a single use only.
Using the link mentioned in the email https://apiendpoint.execute-api.region.amazonaws.com/dev/extract?ph=2000040113001245&rs=i093tN.3UOIW1YZsMi , you can extract the password. This will give you an output like -
Your temporary password
Please use this to login and change your password
ABCD_&abcd99
If you hit the same url again, it should now give you an error -
Invalid!
This link is expired or has been already used once
🚀 Nuke the setup after you are done testing/looking.
sls remove -v
Since this is a mere proof-of-concept solution, before deploying it to a live environment, you should consider implementing security measures like (listing a few, there may be more) -
- Authentication and authorization of the api, maybe using AWS Cognito.
- Restricting the api to within your corporate network using WAF IP based rules.
- Restricting lambda role IAM permissions to least possible, removing any * in the policy.
- Using a custom KMS key for encryption and tightly controlling access to this key using IAM policies.
Drop me a note or open an issue if something doesn't work out.
Cheers! 👍