AWS SAR: Automatically Disable Inactive Console Users

Ajaya Loya
LeanTaaS Engineering
3 min read, Jan 13, 2020

One of the cool things about serverless “stacks” such as AWS Lambda and API Gateway is that they let you quickly wire things up and automate tasks without much hassle.

AWS Serverless Application Repository (SAR) takes the convenience to a whole new level. It allows developers to easily share and reuse serverless applications with the push of a button.

At LeanTaaS, we’re big fans of serverless. We’ve been leveraging serverless stacks for a long time, and since SAR came out we’ve been tinkering with it as well. Today, we’re publishing our first open-source SAR application to the AWS Serverless Application Repository for everyone to use. It’s a simple application that automatically disables console access for an AWS IAM user who has been inactive for more than 90 days. That’s a nifty little security feature that we think everyone could benefit from. And if you care about the CIS AWS Foundations Benchmark, which expects credentials unused for 90 days or more to be disabled, it will help improve your CIS score!

When deployed on your account, this application will:

  • Find all your IAM console users that have been inactive for X (configurable) days
  • Disable their console access
  • Notify a Slack channel via a webhook URL you provide

That’s it!

It needs two inputs from you when you deploy it:

  1. Number of inactive days (default is 90)
  2. Slack webhook URL

Architecture

Note: This deployment creates an IAM role for the Lambda function with access to the following actions:

  • iam:ListUsers
  • iam:DeleteLoginProfile
  • logs:CreateLogGroup
  • logs:CreateLogStream
  • logs:PutLogEvents

The role is deliberately narrow. iam:DeleteLoginProfile removes only the user’s console password; it does not touch access keys, MFA devices or group memberships, so a user who also holds access keys keeps programmatic access after this application runs. Stale access keys need a separate check.
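To make the moving parts concrete, here is an added example of what such a Lambda function looks like. It is not the source of the LeanTaaS application; it only uses the IAM actions listed above. It assumes that inactivity is judged from the PasswordLastUsed field that iam:ListUsers returns (falling back to CreateDate for users who have never signed in), and the environment variable names, the Slack message text and the sample users are made up for the example.

```python
"""
Added example (not the LeanTaaS SAR's own source): the core of a Lambda that
deletes the console password of IAM users inactive for more than N days.
Assumptions: inactivity is judged from the PasswordLastUsed field that
iam:ListUsers returns (falling back to CreateDate for users who have never
signed in); the env var names and the Slack message text are invented here.
"""
import json
import os
import urllib.request
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed sample in the shape of iam.list_users()["Users"]; fictitious users.
SAMPLE_USERS = [
    {"UserName": "alice", "CreateDate": datetime(2019, 1, 1, tzinfo=UTC),
     "PasswordLastUsed": datetime(2019, 12, 20, tzinfo=UTC)},   # signed in recently
    {"UserName": "bob", "CreateDate": datetime(2019, 1, 1, tzinfo=UTC),
     "PasswordLastUsed": datetime(2019, 9, 1, tzinfo=UTC)},     # idle for more than 90 days
    {"UserName": "carol", "CreateDate": datetime(2019, 6, 1, tzinfo=UTC)},  # never signed in, old
    {"UserName": "dave", "CreateDate": datetime(2020, 1, 10, tzinfo=UTC)},  # never signed in, new
]
SAMPLE_NOW = datetime(2020, 1, 13, tzinfo=UTC)


def find_inactive_console_users(users, max_inactive_days, now):
    """Return the names of users whose last console sign-in (or, if they never
    signed in, whose creation date) is older than max_inactive_days."""
    cutoff = now - timedelta(days=max_inactive_days)
    inactive = []
    for user in users:
        last_activity = user.get("PasswordLastUsed") or user["CreateDate"]
        if last_activity < cutoff:
            inactive.append(user["UserName"])
    return inactive


def disable_console_access(iam, user_names):
    """Delete each user's login profile (console password). Access keys and MFA
    devices are not touched, so any API access the user has survives this call."""
    disabled = []
    for name in user_names:
        try:
            iam.delete_login_profile(UserName=name)
            disabled.append(name)
        except iam.exceptions.NoSuchEntityException:
            # API-only user, or console access already removed: nothing to do.
            continue
    return disabled


def build_slack_message(disabled, max_inactive_days):
    """Slack incoming-webhook payload; None when there is nothing to report."""
    if not disabled:
        return None
    text = "Disabled console access for IAM users inactive > %d days: %s" % (
        max_inactive_days, ", ".join(sorted(disabled)))
    return {"text": text}


def notify_slack(webhook_url, payload):
    req = urllib.request.Request(
        webhook_url, data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def lambda_handler(event, context):
    """Entry point for the daily CloudWatch Events schedule (runs only in Lambda)."""
    import boto3  # imported here so the pure functions above run without it
    max_days = int(os.environ.get("MAX_INACTIVE_DAYS", "90"))   # assumed env var name
    webhook = os.environ["SLACK_WEBHOOK_URL"]                   # assumed env var name
    iam = boto3.client("iam")
    # list_users is paginated; the paginator walks every page for us.
    users = [u for page in iam.get_paginator("list_users").paginate()
             for u in page["Users"]]
    candidates = find_inactive_console_users(users, max_days, datetime.now(UTC))
    disabled = disable_console_access(iam, candidates)
    payload = build_slack_message(disabled, max_days)
    if payload:
        notify_slack(webhook, payload)
    return {"candidates": candidates, "disabled": disabled}


if __name__ == "__main__":
    print(find_inactive_console_users(SAMPLE_USERS, 90, SAMPLE_NOW))  # ['bob', 'carol']
```

Two details are worth noting. ListUsers does not say whether a user actually has a login profile, so a never-used API-only user looks the same as a never-used console user; the handler therefore calls DeleteLoginProfile on every candidate and treats NoSuchEntity as “nothing to disable” rather than as an error. And because the check rests on PasswordLastUsed alone, a user who stopped using the console but keeps calling the API with access keys will still be disabled here, while their keys continue to work.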

Deployment

Click on the URL below and “deploy” it!

https://serverlessrepo.aws.amazon.com/applications/arn:aws:serverlessrepo:us-east-1:062052777684:applications~disabling-access-for-inactive-IAM-users

Once you click the deploy button, you’ll see the following:

If you are logged in to your AWS account, it will land you on a page where you can configure the number of days and the Slack webhook URL and acknowledge that it will create an IAM role to disable users.

It will then start creating resources and provide you a link to view the stack that this application has created.

Once the resources are created, a CloudWatch Events schedule invokes the Lambda function once a day. It checks for users who have been inactive for X days, removes their console access, and sends a Slack notification similar to the one below.


Engineering Manager, Cloud Infrastructure & Security @leantaas | AWS 3x Certified