Key Report

Overview of keyup’s Key Report and the Identity and Access Management (IAM) permissions it requires.


Report Overview

keyup provides a parameter that produces a report for all IAM users referenced in the local awscli configuration file. The report shows the expiration status of every access key belonging to these users. This shows which IAM users need renewed access keys without running keyup for each IAM user account individually.

Execute the following command to run the key report for all IAM users in the local awscli configuration file:

$ keyup --key-report
'sample key report'



Required User Permissions

Minimal Identity and Access Management (IAM) permissions are required to return valid results for each IAM user. If an IAM user referenced in the local awscli configuration file does not have adequate permissions to return results for the key report, keyup skips that user and omits it from the key report.

The following IAM policy must be assigned to each IAM user either via group policy assignment or directly attached to the IAM user identity in the AWS Account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:ListAccountAliases"
      ],
      "Resource": [
        "arn:aws:iam::000000000000:user/*"
      ],
      "Effect": "Allow",
      "Sid": "iamAccountInfo"
    },
    {
      "Action": [
        "iam:CreateAccessKey",
        "iam:DeleteAccessKey",
        "iam:ListAccessKeys",
        "iam:GetAccessKeyLastUsed"
      ],
      "Resource": [
        "arn:aws:iam::742134111111:user/${aws:username}"
      ],
      "Effect": "Allow",
      "Sid": "iamUserChangeOwnAccessKeys"
    }
  ]
}
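
A static check for the policy above, as an added example (not part of keyup or its documentation): it confirms that a policy document allows the five actions and that the access key actions are scoped to `${aws:username}`. The function names are hypothetical, `BROAD_POLICY` is a constructed sample, and only Allow statements with Action and Resource are read; Deny, NotAction and Condition are not evaluated.

```python
import fnmatch
import json

ACCOUNT_ACTIONS = ["iam:ListAccountAliases"]
SELF_KEY_ACTIONS = ["iam:CreateAccessKey", "iam:DeleteAccessKey",
                    "iam:ListAccessKeys", "iam:GetAccessKeyLastUsed"]
SELF_SUFFIX = ":user/${aws:username}"  # the scoping used in the page's policy


def _as_list(value):
    """IAM accepts a bare string or object where a list is expected."""
    return list(value) if isinstance(value, list) else [value]


def allow_statements(policy, action):
    """Allow statements whose Action patterns (case-insensitive, * and ?) match."""
    return [s for s in _as_list(policy["Statement"])
            if s.get("Effect") == "Allow"
            and any(fnmatch.fnmatchcase(action.lower(), p.lower())
                    for p in _as_list(s.get("Action", [])))]


def audit_policy(policy):
    """Return findings; an empty list means every action is granted and scoped."""
    findings = []
    for action in ACCOUNT_ACTIONS + SELF_KEY_ACTIONS:
        stmts = allow_statements(policy, action)
        if not stmts:
            findings.append(f"missing: {action}")
        elif action in SELF_KEY_ACTIONS:
            findings += [f"not self-scoped: {action} on {res}"
                         for s in stmts for res in _as_list(s.get("Resource", []))
                         if not res.endswith(SELF_SUFFIX)]
    return findings


# The two statements from the page's policy, with its account ids unchanged.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "iamAccountInfo", "Effect": "Allow",
     "Action": ["iam:ListAccountAliases"],
     "Resource": ["arn:aws:iam::000000000000:user/*"]},
    {"Sid": "iamUserChangeOwnAccessKeys", "Effect": "Allow",
     "Action": SELF_KEY_ACTIONS,
     "Resource": ["arn:aws:iam::742134111111:user/${aws:username}"]}]}

# Constructed sample: the key statement widened to a wildcard on every resource.
BROAD_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": {"Effect": "Allow", "Action": "iam:*AccessKey*", "Resource": "*"}}
""")

if __name__ == "__main__":
    for name, doc in (("page", PAGE_POLICY), ("broad", BROAD_POLICY)):
        print(name, audit_policy(doc) or "ok")
```

A finding of `not self-scoped` means the user could create or delete access keys for other IAM users, which is more than the key report and self-service rotation need.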



Policies Explained

See the IAM Policy Details section for an explanation of each IAM policy provision and the permissions it grants to a user.



Screenshots

Sample key report screenshots.

  • Key report showing all users with valid access keys (none expired):
'Valid access keys'
  • Key report showing keys within 48 hours of expiration:
'Warning near expiration'
  • Key report showing expired keys:
'Expired Keys'
