Skip to main content

More Info:

Roles which have access to services but have not used in past several days should be looked into and cleaned up.

Risk Level

Medium

Address

Security

Compliance Standards

CISAWS

Triage and Remediation

  • Prevention
  • Cause
  • Remediation

How to Prevent

Using Console

To prevent Role Service Inactivity in IAM using the AWS Management Console, follow these steps:
  1. Enable Access Advisor:
    • Navigate to the IAM dashboard in the AWS Management Console.
    • Select the “Roles” tab.
    • Choose the specific role you want to monitor.
    • Go to the “Access Advisor” tab to review the services that the role has accessed and the last accessed time.
    • Regularly review this information to identify and take action on inactive roles.
  2. Set Up CloudWatch Alarms:
    • Go to the CloudWatch dashboard.
    • Create a new alarm based on IAM metrics.
    • Set the alarm to trigger if a role has not been used for a specified period.
    • Configure notifications to alert administrators when the alarm is triggered.
  3. Enable AWS Config Rules:
    • Navigate to the AWS Config dashboard.
    • Ensure that AWS Config is enabled in your account.
    • Add a managed rule such as iam-role-last-used to monitor the last time an IAM role was used.
    • Set up notifications for compliance changes to be alerted when a role becomes inactive.
  4. Implement IAM Role Policies:
    • Go to the IAM dashboard and select the “Roles” tab.
    • Choose the role you want to configure.
    • Attach a policy that includes conditions to limit the role’s permissions based on time or usage.
    • Use the aws:RequestTag or aws:PrincipalTag conditions to enforce policies that disable or restrict roles after a period of inactivity.
By following these steps, you can proactively monitor and manage IAM role activity to prevent role service inactivity in AWS.
To prevent Role Service Inactivity in IAM using AWS CLI, you can follow these steps:
  1. Create a Role with Specific Permissions: Ensure that the role you create has the necessary permissions and is not overly permissive. Use the create-role command to create a role with a specific policy. 
    aws iam create-role --role-name MyRole --assume-role-policy-document file://trust-policy.json
  2. Attach a Policy to the Role: Attach a policy to the role that grants only the necessary permissions. Use the attach-role-policy command to attach a managed policy or put-role-policy to attach an inline policy. 
    aws iam attach-role-policy --role-name MyRole --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess
  3. Enable CloudTrail to Monitor Role Activity: Enable AWS CloudTrail to monitor and log all activities associated with the role. This helps in identifying any inactivity or misuse. 
    aws cloudtrail create-trail --name MyTrail --s3-bucket-name my-bucket
aws cloudtrail start-logging --name MyTrail
  4. Set Up CloudWatch Alarms for Inactivity: Create CloudWatch Alarms to monitor the role’s activity and trigger alerts if the role is inactive for a specified period. 
    aws cloudwatch put-metric-alarm --alarm-name RoleInactivityAlarm --metric-name Invocations --namespace AWS/Lambda --statistic Sum --period 86400 --threshold 1 --comparison-operator LessThanThreshold --dimensions Name=FunctionName,Value=MyLambdaFunction --evaluation-periods 1 --alarm-actions arn:aws:sns:us-east-1:123456789012:MyTopic
By following these steps, you can ensure that roles are properly configured, monitored, and any inactivity is promptly addressed.
To prevent Role Service Inactivity in IAM using Python scripts, you can follow these steps:

1. Set Up AWS SDK (Boto3)

First, ensure you have the AWS SDK for Python (Boto3) installed. You can install it using pip if you haven’t already:
pip install boto3

2. Create a Python Script to List Roles

Create a Python script to list all IAM roles and their last used timestamps. This will help you identify inactive roles.
import boto3
from datetime import datetime, timedelta

# Initialize a session using Amazon IAM
session = boto3.Session(profile_name='your_profile_name')
iam_client = session.client('iam')

# Get the current date
current_date = datetime.utcnow()

# Define the inactivity threshold (e.g., 90 days)
inactivity_threshold = timedelta(days=90)

# List all IAM roles
roles = iam_client.list_roles()

for role in roles['Roles']:
    role_name = role['RoleName']
    role_last_used = iam_client.get_role(RoleName=role_name)['Role']['RoleLastUsed']
    
    if 'LastUsedDate' in role_last_used:
        last_used_date = role_last_used['LastUsedDate']
        if current_date - last_used_date > inactivity_threshold:
            print(f"Role {role_name} has been inactive since {last_used_date}")
    else:
        print(f"Role {role_name} has never been used")

3. Automate Role Deactivation or Notification

You can extend the script to either deactivate the inactive roles or send notifications to the administrators.

Deactivate Inactive Roles

for role in roles['Roles']:
    role_name = role['RoleName']
    role_last_used = iam_client.get_role(RoleName=role_name)['Role']['RoleLastUsed']
    
    if 'LastUsedDate' in role_last_used:
        last_used_date = role_last_used['LastUsedDate']
        if current_date - last_used_date > inactivity_threshold:
            # Deactivate the role
            iam_client.update_role(RoleName=role_name, MaxSessionDuration=3600)  # Example action
            print(f"Role {role_name} has been deactivated due to inactivity")
    else:
        print(f"Role {role_name} has never been used")

Send Notifications

import smtplib
from email.mime.text import MIMEText

def send_notification(role_name, last_used_date):
    msg = MIMEText(f"Role {role_name} has been inactive since {last_used_date}")
    msg['Subject'] = 'Inactive IAM Role Notification'
    msg['From'] = 'admin@example.com'
    msg['To'] = 'admin@example.com'

    with smtplib.SMTP('smtp.example.com') as server:
        server.sendmail(msg['From'], [msg['To']], msg.as_string())

for role in roles['Roles']:
    role_name = role['RoleName']
    role_last_used = iam_client.get_role(RoleName=role_name)['Role']['RoleLastUsed']
    
    if 'LastUsedDate' in role_last_used:
        last_used_date = role_last_used['LastUsedDate']
        if current_date - last_used_date > inactivity_threshold:
            send_notification(role_name, last_used_date)
            print(f"Notification sent for role {role_name} due to inactivity")
    else:
        print(f"Role {role_name} has never been used")

4. Schedule the Script

Use a task scheduler like cron (Linux) or Task Scheduler (Windows) to run the script periodically to ensure continuous monitoring and prevention of role service inactivity.

Example (Linux Cron Job)

# Open the crontab file
crontab -e

# Add the following line to run the script daily at midnight
0 0 * * * /usr/bin/python3 /path/to/your_script.py
By following these steps, you can effectively prevent role service inactivity in IAM using Python scripts.

Additional Reading:

I