Enterprise-grade AWS IAM security tools for automated access key rotation, password management, and compliance monitoring
Features • Quick Start • Architecture • Documentation • Contributing
- 90-day compliance policy with automated monitoring
- Lambda-powered enforcement with daily compliance checks
- Smart notifications at 75, 85, and 90+ day thresholds
- Automatic key disabling for expired credentials (configurable)
- User exemption system via AWS tags
- Interactive key rotation with guided workflows
- Secure password reset with policy validation
- Rich console interfaces with color-coded status indicators
- Comprehensive error handling and audit logging
- Backup and rollback capabilities
- Real-time compliance reports with export capabilities
- CloudWatch metrics and alarms for proactive monitoring
- Detailed audit trails for security compliance
- Executive dashboards with compliance statistics
- Multi-format exports (JSON, CSV, HTML)
- Terraform modules for complete deployment
- Least-privilege IAM policies for security
- Environment-specific configurations for dev/staging/prod
- Automated testing pipeline with GitHub Actions
- AWS CLI configured with appropriate credentials
- Python 3.9+ with pip
- Terraform 1.5+ (for infrastructure deployment)
- IAM permissions for user management and Lambda deployment
```bash
# Clone the repository
git clone <repository-url>
cd iam-key-rotation

# Create and activate virtual environment
python3 -m venv venv
source venv/bin/activate

# Install dependencies
cd scripts
pip install -r requirements.txt
```

```bash
# List access keys with ages and compliance status
python3 scripts/aws_iam_self_service_key_rotation.py -l

# Generate compliance report
python3 scripts/aws_iam_compliance_report.py

# Reset your password securely
python3 scripts/aws_iam_self_service_password_reset.py
```

```bash
# Deploy enforcement infrastructure
cd terraform/iam
terraform init && terraform apply
```
```mermaid
graph TB
    subgraph "AWS Cloud"
        subgraph "Monitoring & Enforcement"
            Lambda[Lambda Function<br/>Key Enforcement]
            CW[CloudWatch<br/>Metrics & Alarms]
            SES[SES<br/>Notifications]
            EventBridge[EventBridge<br/>Daily Trigger]
        end
        subgraph "IAM Resources"
            Users[IAM Users]
            Keys[Access Keys]
            Policies[Policies]
        end
        subgraph "Data & Reports"
            CredReport[Credential Report]
            S3[S3 Bucket<br/>Audit Logs]
        end
    end
    subgraph "User Tools"
        KeyRotation[Key Rotation Script]
        PasswordReset[Password Reset Tool]
        ComplianceReport[Compliance Reports]
    end

    EventBridge --> Lambda
    Lambda --> CredReport
    Lambda --> CW
    Lambda --> SES
    Lambda --> Keys
    KeyRotation --> Keys
    PasswordReset --> Users
    ComplianceReport --> CredReport
    CW --> S3
```
| Component | Purpose | Technology |
|---|---|---|
| Lambda Enforcement | Automated key monitoring and enforcement | Python 3.11, Boto3 |
| Self-Service Scripts | User-friendly key and password management | Python, Rich UI |
| Compliance Engine | Real-time compliance monitoring and reporting | Python, AWS APIs |
| Infrastructure | Automated deployment and configuration | Terraform, CloudFormation |
| Monitoring | Metrics, alarms, and observability | CloudWatch, SNS |
Rotate your AWS access keys safely with guided workflows:
```bash
# View current keys with age indicators
python3 scripts/aws_iam_self_service_key_rotation.py -l
```

Rich Console Output:

```
AWS Access Keys
┏━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━┓
┃ Key ID              ┃ Status   ┃ Created             ┃ Age (days) ┃
┡━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━┩
│ AKIAEXAMPLE123456   │ Active   │ 2024-01-15 09:30:00 │ 🔴 95      │
│ AKIAEXAMPLE789012   │ Inactive │ 2024-06-20 14:15:00 │ 🟢 5       │
└─────────────────────┴──────────┴─────────────────────┴────────────┘

⚠️ Key AKIAEXAMPLE123456 is 95 days old and should be rotated immediately!
```

Advanced Usage:

```bash
# Create new key with automatic backup
python3 scripts/aws_iam_self_service_key_rotation.py -c --backup

# Export key information as JSON
python3 scripts/aws_iam_self_service_key_rotation.py -l --json

# Update key status
python3 scripts/aws_iam_self_service_key_rotation.py -u AKIAEXAMPLE inactive
```
Reset your IAM password with enhanced security:
```bash
python3 scripts/aws_iam_self_service_password_reset.py
```

✨ Features:

- Secure password input (hidden from terminal)
- AWS password policy validation
- Cryptographically secure password generation
- Comprehensive audit logging
- Error handling for all AWS scenarios
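The two password features above (policy validation and cryptographically secure generation), and the "PasswordPolicyViolation" troubleshooting entry further down, come together in the following added example. It is not the project's own code: it uses the key names that boto3's `get_account_password_policy()` returns under `PasswordPolicy`, a constructed sample policy (`SAMPLE_POLICY`), and the symbol set that IAM accepts in passwords; the function names `validate_password` and `generate_password` are this example's own.

```python
import secrets
import string

# Symbols IAM accepts in passwords (from the IAM password-policy documentation).
AWS_SYMBOLS = "!@#$%^&*()_+-=[]{}|'"
AWS_MAX_LENGTH = 128

# Same key names as boto3's get_account_password_policy()["PasswordPolicy"];
# the values are a constructed example, not a real account's policy.
SAMPLE_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
}

# Policy flag -> the character class it requires.
REQUIRED_CLASSES = {
    "RequireLowercaseCharacters": string.ascii_lowercase,
    "RequireUppercaseCharacters": string.ascii_uppercase,
    "RequireNumbers": string.digits,
    "RequireSymbols": AWS_SYMBOLS,
}


def validate_password(password, policy):
    """Return the list of policy violations; an empty list means the password complies."""
    violations = []
    min_len = policy.get("MinimumPasswordLength", 8)
    if len(password) < min_len:
        violations.append(f"shorter than MinimumPasswordLength={min_len}")
    if len(password) > AWS_MAX_LENGTH:
        violations.append(f"longer than the IAM maximum of {AWS_MAX_LENGTH}")
    allowed = set(string.ascii_letters + string.digits + AWS_SYMBOLS)
    if any(ch not in allowed for ch in password):
        violations.append("contains characters IAM does not accept")
    for flag, charset in REQUIRED_CLASSES.items():
        if policy.get(flag) and not any(ch in charset for ch in password):
            violations.append(f"missing a character required by {flag}")
    return violations


def generate_password(policy, length=None):
    """Generate a password from the `secrets` CSPRNG that satisfies `policy`.

    Default length is the policy minimum or 16, whichever is larger.
    """
    min_len = policy.get("MinimumPasswordLength", 8)
    length = length or max(min_len, 16)
    if not min_len <= length <= AWS_MAX_LENGTH:
        raise ValueError(f"length must lie between {min_len} and {AWS_MAX_LENGTH}")
    required = [cs for flag, cs in REQUIRED_CLASSES.items() if policy.get(flag)]
    if len(required) > length:
        raise ValueError("length too short for the required character classes")
    alphabet = "".join(required) or string.ascii_letters + string.digits
    # One character from every required class guarantees compliance; the rest is
    # drawn from the union, then shuffled with a CSPRNG-backed shuffle so the
    # position of the "guaranteed" characters reveals nothing.
    chars = [secrets.choice(cs) for cs in required]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    password = "".join(chars)
    if validate_password(password, policy):  # defensive self-check
        raise RuntimeError("generated password does not satisfy the policy")
    return password


if __name__ == "__main__":
    pw = generate_password(SAMPLE_POLICY)
    print(f"generated a {len(pw)}-character password; violations: {validate_password(pw, SAMPLE_POLICY)}")
    print("violations for 'password':", validate_password("password", SAMPLE_POLICY))
```

In a real reset flow the policy dict would come from `iam.get_account_password_policy()["PasswordPolicy"]` (an account with no custom policy raises `NoSuchEntityException`, in which case IAM's defaults apply); running the validator before calling `update_login_profile` turns a server-side PasswordPolicyViolation into a local, explainable error.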
Generate comprehensive compliance reports:
```bash
# Interactive compliance dashboard
python3 scripts/aws_iam_compliance_report.py

# Export to CSV for analysis
python3 scripts/aws_iam_compliance_report.py --csv compliance_report.csv

# JSON export for automation
python3 scripts/aws_iam_compliance_report.py --json compliance_data.json

# Summary only for quick checks
python3 scripts/aws_iam_compliance_report.py --summary-only
```

Sample Report:

```
Compliance Overview
┏━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━┳━━━━━━━━━━━━┓
┃ Metric                   ┃ Count ┃ Percentage ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━╇━━━━━━━━━━━━┩
│ Total Users              │ 150   │ 100%       │
│ Users with Access Keys   │ 120   │ 80.0%      │
│ Users with MFA           │ 145   │ 96.7%      │
│ Compliant Users          │ 135   │ 90.0%      │
│ Users with Expired Keys  │ 5     │ 3.3%       │
└──────────────────────────┴───────┴────────────┘
```
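The compliance report above is derived from the IAM credential report, which the architecture diagram shows feeding both the Lambda and the reporting script. The following added example (not the project's code) computes the same five rows from a constructed report. It uses a subset of the real column names returned by `aws iam get-credential-report`; the account ID, user names and timestamps are made up, and the "compliant user" rule (MFA enabled whenever a console password is enabled, and no active key at or past the 90-day disable threshold) is this example's own assumption, since the README does not define it.

```python
import csv
import io
from datetime import datetime, timezone

DISABLE_THRESHOLD_DAYS = 90  # README default for disable_threshold

# Fixed evaluation time so the numbers below are reproducible (constructed).
NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)

# Constructed credential report. Column names are a subset of the real report's;
# the root row really does carry "not_supported" for password_enabled.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,true,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-01-01T00:00:00+00:00,true,true,true,2024-06-20T14:15:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2023-01-01T00:00:00+00:00,true,true,true,2024-01-15T09:30:00+00:00,false,N/A
carol,arn:aws:iam::123456789012:user/carol,2023-01-01T00:00:00+00:00,true,false,false,N/A,false,N/A
dave,arn:aws:iam::123456789012:user/dave,2023-01-01T00:00:00+00:00,true,true,true,2024-05-01T00:00:00+00:00,true,2024-06-01T00:00:00+00:00
erin,arn:aws:iam::123456789012:user/erin,2023-01-01T00:00:00+00:00,false,false,true,2024-04-10T00:00:00+00:00,false,N/A
"""


def active_key_ages(row, now):
    """Ages (days) of the user's active keys, measured from the last-rotated timestamps."""
    ages = []
    for slot in ("access_key_1", "access_key_2"):
        if row[f"{slot}_active"] == "true":
            rotated = datetime.fromisoformat(row[f"{slot}_last_rotated"])
            ages.append((now - rotated).days)
    return ages


def is_compliant(row, now, threshold):
    """Assumed rule: MFA required when a console password exists; no active key >= threshold days."""
    if row["password_enabled"] == "true" and row["mfa_active"] != "true":
        return False
    return all(age < threshold for age in active_key_ages(row, now))


def compliance_overview(report_csv, now=NOW, threshold=DISABLE_THRESHOLD_DAYS):
    """Return {row label: (count, percentage)} for the README's Compliance Overview table."""
    # The root account is reported but is not a managed IAM user, so it is excluded.
    rows = [r for r in csv.DictReader(io.StringIO(report_csv)) if r["user"] != "<root_account>"]
    total = len(rows)

    def pct(n):
        return round(100.0 * n / total, 1) if total else 0.0

    with_keys = sum(1 for r in rows if active_key_ages(r, now))
    with_mfa = sum(1 for r in rows if r["mfa_active"] == "true")
    expired = sum(1 for r in rows if any(a >= threshold for a in active_key_ages(r, now)))
    compliant = sum(1 for r in rows if is_compliant(r, now, threshold))
    return {
        "Total Users": (total, pct(total)),
        "Users with Access Keys": (with_keys, pct(with_keys)),
        "Users with MFA": (with_mfa, pct(with_mfa)),
        "Compliant Users": (compliant, pct(compliant)),
        "Users with Expired Keys": (expired, pct(expired)),
    }


if __name__ == "__main__":
    for label, (count, percentage) in compliance_overview(SAMPLE_REPORT).items():
        print(f"{label:<24} {count:>5} {percentage:>6.1f}%")
```

Against a live account the CSV body comes from `iam.get_credential_report()["Content"]` (base64-free bytes, so `.decode()` before parsing); `generate_credential_report` must have been called first and may need to be polled until the report is ready.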
Deploy the complete enforcement infrastructure:
```bash
cd terraform/iam

# Configure variables (optional)
cp terraform.tfvars.example terraform.tfvars
# Edit terraform.tfvars with your settings

# Deploy infrastructure
terraform init
terraform plan
terraform apply
```

Configuration Options:

```hcl
# terraform.tfvars
warning_threshold = 75   # Days before warning
urgent_threshold  = 85   # Days before urgent notice
disable_threshold = 90   # Days before auto-disable
auto_disable      = true # Enable automatic disabling
sender_email      = "security@yourcompany.com"
```
Edit config/settings.yaml to customize policies:

```yaml
# Access Key Rotation Policy
access_key_policy:
  warning_threshold: 75
  urgent_threshold: 85
  disable_threshold: 90
  auto_disable: false
  exemption_tag: "key-rotation-exempt"

# Notification Settings
notifications:
  sender_email: "cloud-admins@yourcompany.com"
  daily_digest: true
  immediate_alerts: true

# Environment Overrides
environments:
  production:
    access_key_policy:
      auto_disable: true
      disable_threshold: 90
```

Exempt specific users from key rotation:

```bash
# Tag a user for exemption
aws iam tag-user \
  --user-name service-account-user \
  --tags Key=key-rotation-exempt,Value=true
```
```bash
# Run comprehensive test suite
pytest

# Run with coverage analysis
coverage run -m pytest
coverage report
coverage html # Generate HTML report

# Run security scans
bandit -r scripts/ lambda/

# Check for hardcoded secrets
pytest -m integration --collect-only # Lists integration tests without executing them or their fixtures
```
The project includes a complete GitHub Actions workflow:
- ✅ Multi-Python version testing (3.9, 3.11, 3.12)
- Security scanning with Bandit
- Terraform validation and linting
- Unit and integration testing
- Lambda package validation
The Lambda function publishes metrics to the IAM/KeyRotation namespace:

| Metric | Description |
|---|---|
| total_keys | Total number of active access keys |
| warning_keys | Keys approaching expiration (75+ days) |
| urgent_keys | Keys requiring immediate attention (85+ days) |
| expired_keys | Keys past expiration threshold (90+ days) |
| disabled_keys | Keys automatically disabled |
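The policy thresholds, the `auto_disable` switch, the tag-based exemption described in the configuration section, and the five metrics in the table above are all decisions the daily Lambda has to make from the same key inventory. The following added example (not the project's Lambda code) walks through them offline: it classifies a constructed set of keys against the README's default thresholds, honours the `key-rotation-exempt` tag, counts the cumulative "75+ / 85+ / 90+ days" buckets exactly as the table describes them, and shapes the result as the `MetricData` list that boto3's `put_metric_data` accepts. The record field names (`UserName`, `AccessKeyId`, `Status`, `CreateDate`) match what `list_access_keys` returns; the key IDs, user names and tag map are made up, and no AWS call is made.

```python
from datetime import datetime, timedelta, timezone

# Defaults from the README's terraform.tfvars / settings.yaml.
POLICY = {
    "warning_threshold": 75,
    "urgent_threshold": 85,
    "disable_threshold": 90,
    "auto_disable": True,
    "exemption_tag": "key-rotation-exempt",
}

# Fixed evaluation time so results are reproducible (constructed).
NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)


def _key(user, key_id, status, age_days):
    return {"UserName": user, "AccessKeyId": key_id, "Status": status,
            "CreateDate": NOW - timedelta(days=age_days)}


# Constructed inventory, shaped like list_access_keys() entries flattened across users.
SAMPLE_KEYS = [
    _key("alice", "AKIAEXAMPLE000001", "Active", 95),
    _key("bob", "AKIAEXAMPLE000002", "Active", 80),
    _key("service-account-user", "AKIAEXAMPLE000003", "Active", 120),
    _key("carol", "AKIAEXAMPLE000004", "Inactive", 200),
    _key("dave", "AKIAEXAMPLE000005", "Active", 10),
    _key("erin", "AKIAEXAMPLE000006", "Active", 86),
]
# Constructed list_user_tags() results, keyed by user name.
SAMPLE_TAGS = {"service-account-user": {"key-rotation-exempt": "true"}}


def classify_age(age_days, policy):
    """Map a key age onto the README's notification levels."""
    if age_days >= policy["disable_threshold"]:
        return "expired"
    if age_days >= policy["urgent_threshold"]:
        return "urgent"
    if age_days >= policy["warning_threshold"]:
        return "warning"
    return "ok"


def is_exempt(user, tags, policy):
    """A user is exempt when the configured tag is present with value "true"."""
    return tags.get(user, {}).get(policy["exemption_tag"], "").lower() == "true"


def evaluate_keys(keys, tags, policy, now=NOW):
    """One decision record per active key; inactive keys are already out of scope."""
    decisions = []
    for key in keys:
        if key["Status"] != "Active":
            continue
        age = (now - key["CreateDate"]).days
        level = classify_age(age, policy)
        exempt = is_exempt(key["UserName"], tags, policy)
        # Only expired, non-exempt keys are disabled, and only when auto_disable is on.
        disable = level == "expired" and policy["auto_disable"] and not exempt
        decisions.append({"user": key["UserName"], "key_id": key["AccessKeyId"],
                          "age_days": age, "level": level, "exempt": exempt, "disable": disable})
    return decisions


def metric_counts(decisions, policy):
    """Counts for the IAM/KeyRotation namespace; the age buckets are cumulative (75+, 85+, 90+)."""
    ages = [d["age_days"] for d in decisions]
    return {
        "total_keys": len(decisions),
        "warning_keys": sum(1 for a in ages if a >= policy["warning_threshold"]),
        "urgent_keys": sum(1 for a in ages if a >= policy["urgent_threshold"]),
        "expired_keys": sum(1 for a in ages if a >= policy["disable_threshold"]),
        "disabled_keys": sum(1 for d in decisions if d["disable"]),
    }


def to_metric_data(counts, now=NOW):
    """Shape counts as the MetricData list cloudwatch.put_metric_data(Namespace=..., MetricData=...) expects."""
    return [{"MetricName": name, "Value": float(value), "Unit": "Count", "Timestamp": now}
            for name, value in counts.items()]


if __name__ == "__main__":
    decisions = evaluate_keys(SAMPLE_KEYS, SAMPLE_TAGS, POLICY)
    for d in decisions:
        print(f"{d['user']:<22} {d['key_id']} {d['age_days']:>4}d {d['level']:<8} "
              f"exempt={d['exempt']} disable={d['disable']}")
    print(metric_counts(decisions, POLICY))
```

Note that an exempt user's expired key still appears in `expired_keys`, so the metric keeps reporting the risk even though enforcement skips it; if that is not the intent, filter exempt records before counting.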
Configure CloudWatch alarms for proactive monitoring:
```bash
# High-priority alert for expired keys
aws cloudwatch put-metric-alarm \
  --alarm-name "IAM-Expired-Keys-Critical" \
  --alarm-description "Alert when any access keys are expired" \
  --metric-name expired_keys \
  --namespace IAM/KeyRotation \
  --statistic Maximum \
  --period 86400 \
  --threshold 0 \
  --comparison-operator GreaterThanThreshold
```
🔴 "NoCredentialsError" when running scripts

Solution:

```bash
# Configure AWS credentials
aws configure

# Or set environment variables
export AWS_ACCESS_KEY_ID="your-key-id"
export AWS_SECRET_ACCESS_KEY="your-secret-key"
export AWS_DEFAULT_REGION="us-east-1"
```

🟡 "PasswordPolicyViolation" during password reset

Solution: The generated password doesn't meet your AWS password policy. Check your account's password policy:

```bash
aws iam get-account-password-policy
```

🔵 Lambda function timeout errors

Solution: Increase the Lambda timeout in terraform/iam/lambda.tf:

```hcl
resource "aws_lambda_function" "access_key_enforcement" {
  timeout = 600 # Increase from 300 to 600 seconds
  # ...
}
```

Enable debug logging:

```bash
export LOG_LEVEL=DEBUG
python3 scripts/aws_iam_compliance_report.py
```
We welcome contributions! Please see our Contributing Guidelines for details.
```bash
# Fork and clone the repository
git clone https://github.com/yourusername/iam-key-rotation.git

# Create development branch
git checkout -b feature/amazing-feature

# Set up development environment
python3 -m venv venv
source venv/bin/activate
pip install -r scripts/requirements.txt

# Run tests before submitting
pytest
```

- Ensure tests pass and security scans are clean
- Update documentation for any new features
- 🏷️ Add appropriate labels to your PR
- 👥 Request review from maintainers
This project is licensed under the MIT License - see the LICENSE file for details.
- AWS Security Best Practices for compliance guidelines
- Boto3 Community for excellent AWS SDK support
- Rich Library for beautiful console interfaces
- Terraform Community for infrastructure as code patterns
Secure by Design • Enterprise Ready • Compliance Focused

Forked from AWS IAM Key Rotation. Refactored with ❤️ with Claude and Anthony M.