
How to notify IAM Users when Password/Access Keys expire?

I am trying to find a solution to notify all AWS IAM Users if their Password and Access Keys expire. Is there a way to do it via console or with some Python script?

The IAM User should get a mail at least a week before their IAM Password and access keys expire.

Write a script that runs on a regular schedule (you can do this with a scheduled Lambda, for example).

Call get_credential_report to see how long until IAM passwords will expire, and call list_access_keys to see when access keys were created (and hence calculate when they need to be rotated).

Note: the AWS Management Console warns IAM users when they are within 15 days of password expiration.

For the passwords, you could use the GetCredentialReport API call. In there you will find the password_next_rotation:

When the account has a password policy that requires password rotation, this field contains the date and time, in ISO 8601 date-time format, when the user is required to set a new password. The value for the AWS account (root) is always not_supported.

Using this information, you could write a script to send those emails (assuming you have tagged your users with their email addresses in IAM).

It's available in boto3: get_credential_report().

Note that access keys do not expire.
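The following script is an added example, not code from this thread or from AWS. It applies the two answers above in one pass: it parses the CSV that GetCredentialReport returns, flags passwords whose password_next_rotation falls within a week, and flags active access keys that are older than an assumed 90-day rotation policy (IAM itself never expires keys, so the age limit is a local choice). It reads key ages from the report's access_key_N_last_rotated columns rather than calling list_access_keys, so a single API call covers both credential types. SAMPLE_REPORT is a constructed report with a subset of the real columns; fetch_credential_report and email_for_user show the boto3 calls for a live account, and the "email" tag key is an assumption.

```python
"""Find IAM passwords and access keys that need rotation within a week.

Added example. Input is the CSV body returned by GetCredentialReport.
"""
import csv
import io
import time
from datetime import datetime, timezone
from typing import List, NamedTuple, Optional

WARN_DAYS = 7            # notify at least a week ahead (from the question)
MAX_KEY_AGE_DAYS = 90    # assumed local access-key rotation policy

# Constructed sample report using a subset of the real credential-report
# columns. IAM fills empty cells with N/A, not_supported or no_information.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2019-01-01T00:00:00+00:00,not_supported,2024-03-01T09:00:00+00:00,not_supported,not_supported,true,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-01-10T00:00:00+00:00,true,2024-03-01T09:00:00+00:00,2023-12-20T00:00:00+00:00,2024-03-05T00:00:00+00:00,true,true,2023-11-01T00:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2023-06-01T00:00:00+00:00,true,no_information,2024-02-01T00:00:00+00:00,2024-05-01T00:00:00+00:00,false,true,2024-02-15T00:00:00+00:00,true,2023-01-01T00:00:00+00:00
ci-bot,arn:aws:iam::123456789012:user/ci-bot,2022-01-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-02-20T00:00:00+00:00,false,N/A
"""
# Fixed "now" so the sample run is reproducible.
SAMPLE_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)


class Finding(NamedTuple):
    user: str
    credential: str   # "password", "access_key_1" or "access_key_2"
    days_left: int    # negative means rotation is already overdue


def parse_timestamp(value: str) -> Optional[datetime]:
    """Return an aware datetime, or None for IAM's placeholder values."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_expiring_credentials(report_csv: str, now: datetime,
                              warn_days: int = WARN_DAYS,
                              max_key_age_days: int = MAX_KEY_AGE_DAYS) -> List[Finding]:
    """Return every password or active key that needs action within warn_days."""
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # password_next_rotation is only set when the password policy
        # requires rotation; the root row is always not_supported.
        if row["password_enabled"] == "true":
            next_rotation = parse_timestamp(row["password_next_rotation"])
            if next_rotation is not None:
                days_left = (next_rotation - now).days
                if days_left <= warn_days:
                    findings.append(Finding(user, "password", days_left))
        # Keys never expire on their own; age them against the local policy.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = parse_timestamp(row[f"access_key_{n}_last_rotated"])
            if rotated is None:
                continue
            days_left = max_key_age_days - (now - rotated).days
            if days_left <= warn_days:
                findings.append(Finding(user, f"access_key_{n}", days_left))
    return findings


def fetch_credential_report(iam) -> str:
    """Generate (if needed) and download the report via a boto3 IAM client."""
    # GenerateCredentialReport is asynchronous: poll until State is COMPLETE.
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam.get_credential_report()["Content"].decode("utf-8")


def email_for_user(iam, user_name: str, tag_key: str = "email") -> Optional[str]:
    """Look up the address from an IAM user tag (the tag key is an assumption)."""
    for tag in iam.list_user_tags(UserName=user_name)["Tags"]:
        if tag["Key"] == tag_key:
            return tag["Value"]
    return None


if __name__ == "__main__":
    # Offline run on the constructed report. For a real account, replace
    # SAMPLE_REPORT with fetch_credential_report(boto3.client("iam")) and
    # SAMPLE_NOW with datetime.now(timezone.utc).
    for f in find_expiring_credentials(SAMPLE_REPORT, now=SAMPLE_NOW):
        print(f"{f.user}: {f.credential} needs rotation in {f.days_left} days")
```

On the sample data this reports alice's password (4 days left) and two overdue keys (alice's key 1 and bob's key 2); ci-bot and the root row produce nothing because their passwords are disabled or not_supported and their keys are inside the age limit. In a scheduled Lambda, feed each Finding and the address from email_for_user to your mail sender (SES, for example) and skip users who have no email tag rather than failing the whole run.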

This is my contribution: a simple bash script that can help achieve that more easily.

https://gist.github.com/andresjz/048891dc6e92c19bc3346c00513232f3#file-get_accounts_expirations-sh-L5

Notice: the technical posts on this site are licensed under CC BY-SA 4.0; if you republish, please credit this site or the original source. Questions: yoyou2525@163.com.

粤ICP备18138465号 © 2020-2024 STACKOOM.COM