All,

I want a policy that only retrieves ACTIVE access keys that are older than 90 days and notifies them periodically.

policies:
  - name: iam-user-access-keys-older-than-90days
    description: |
      Retrieve all IAM users who have active access keys that are older than 90 days
    resource: iam-user
    filters:
      - type: access-key
        key: Status
        value: Active
      - type: access-key
        key: CreateDate
        value: 90
        op: greater-than
        value_type: age

The first notification should be sent before 15 days, the second notification before 7 days, and after that every day until the expiration date.

cloudbud

1 Answer

policies:
  - name: iam-user-access-keys-older-than-90days
    description: |
      Retrieve all IAM users who have active access keys that are older than 90 days
    resource: iam-user
    filters:
      # Keys whose Status is Active ...
      - type: access-key
        key: Status
        value: Active
      # ... and (match-operator: and keeps the same keys) created more than 90 days ago.
      # value_type: age needs an explicit op; without one the filter falls back to equality
      # and would never match.
      - type: access-key
        match-operator: and
        key: CreateDate
        value: 90
        op: greater-than
        value_type: age
      # Credential-report based checks on the key rotation date
      - type: credential
        match-operator: and
        key: access_keys.last_rotated
        value_type: age
        value: 15
        op: equal
      - type: credential
        match-operator: or
        key: access_keys.last_rotated
        value_type: age
        value: 7
        op: lte
    actions:
      - type: notify
        template: default
        subject: Hello World
        to:
          - event-user   # resolved from the triggering CloudTrail event in event-mode policies
          - someone@somewhere.com
        transport:
          # iam-user is an AWS resource, so c7n-mailer needs the sqs (or sns) transport;
          # asq is the Azure queue transport. The queue URL below is a placeholder.
          type: sqs
          queue: https://sqs.REGION.amazonaws.com/ACCOUNT-ID/QUEUE-NAME

You can write something like this and add an action to send mail via c7n mailer. For more information you can visit: https://cloudcustodian.io/docs/aws/resources/iam.html#aws-iam-user

Harsh Manvar
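As an added example that is not part of the question or the answer above: a small offline Python model of the reminder schedule the question asks for (first reminder 15 days before a key reaches 90 days, second at 7 days, then daily until expiry), next to the Active-plus-older-than-90-days selection that the policy's two access-key filters express. The `MAX_AGE_DAYS` and `WARN_DAYS` constants, the helper names and the sample keys are assumptions constructed for this demo, not Cloud Custodian code.

```python
from datetime import datetime, timedelta, timezone

# Assumptions for this demo (not from the policy above): a key "expires" when it
# reaches MAX_AGE_DAYS, reminders go out at each day count in WARN_DAYS before
# expiry, and then every day inside the last min(WARN_DAYS) days.
MAX_AGE_DAYS = 90
WARN_DAYS = (15, 7)


def make_key(key_id, status, age_days, now):
    """Build a constructed access-key record shaped like c7n's access-key annotation."""
    return {"AccessKeyId": key_id, "Status": status,
            "CreateDate": now - timedelta(days=age_days)}


def key_age_days(key, now):
    """Whole-day age of the key, the quantity that value_type: age compares."""
    return (now - key["CreateDate"]).days


def is_active_and_old(key, now, max_age=MAX_AGE_DAYS):
    """What the Status: Active filter ANDed with CreateDate age greater-than 90 selects."""
    return key["Status"] == "Active" and key_age_days(key, now) > max_age


def notification_due(key, now):
    """True on the days a reminder is owed for an active key: at 15 and 7 days
    before expiry, then every day until the key reaches MAX_AGE_DAYS. Inactive
    and already-expired keys are left to the rotation policy itself."""
    if key["Status"] != "Active":
        return False
    remaining = MAX_AGE_DAYS - key_age_days(key, now)
    return remaining in WARN_DAYS or 0 <= remaining < min(WARN_DAYS)


def keys_to_notify(keys, now):
    """AccessKeyIds that should be notified on the given day, in input order."""
    return [k["AccessKeyId"] for k in keys if notification_due(k, now)]


# Constructed sample data around a fixed "today".
NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    make_key("CONSTRUCTED-KEY-1", "Active", 75, NOW),    # 15 days left: first reminder
    make_key("CONSTRUCTED-KEY-2", "Active", 86, NOW),    # 4 days left: daily reminders
    make_key("CONSTRUCTED-KEY-3", "Inactive", 88, NOW),  # inactive: ignored
    make_key("CONSTRUCTED-KEY-4", "Active", 100, NOW),   # past 90 days: caught by the policy
    make_key("CONSTRUCTED-KEY-5", "Active", 30, NOW),    # too young to warn
]
```

Running `keys_to_notify(SAMPLE_KEYS, NOW)` returns the two keys that are due a reminder on that day, while `is_active_and_old` picks out only the key that is already past 90 days.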