aws-samples / aws-iam-access-key-auto-rotation

This set of CloudFormation templates and Python scripts will set up an auto-rotation function that will automatically rotate your AWS IAM User Access Keys every 90 days.
MIT No Attribution

unable to trigger notification after run the IAM-Access-Key-Rotation-LambdaFunctionName #2

Closed Kin6HA closed 3 years ago

Kin6HA commented 3 years ago

Hi, thanks for your input. Tried to create the stack. It works fine to scan and create the IAM access key after 90 days. However, no SNS message was received. Cross-checked the CloudWatch Event rules history in RotationCloudWatchEventSNS; it never ran.

Any idea? Is any coding change required in "IAM-Access-Key-Rotation-LambdaFunctionName"?

Thanks.

marcelgolus commented 3 years ago

Have the same issue as above; it does not send any notification. Anyhow, can you suggest something @TPierce-2014?

Thanks

TPierce-2014 commented 3 years ago

Hello,

Did you follow the full setup process?

* Create bucket in us-east-1

I did modify the code to allow testing and add two test files for you. Make sure to modify TestIAMRotationFunction.json to include the IAM user you are using for testing. And modify TestRotationMessageFunction.json to replace ACCOUNT_ID with your actual account ID for testing purposes. You also must upload the filled out CSV file after the stack has completed its launch. This is what triggers the DDB table to populate.

Let me know if you still have issues with this. I've tested the same code in multiple accounts and it works each time.

marcelgolus commented 3 years ago

Hello Tracy,

I’ve put all the files in the bucket iam-key-rotation, and with the stack I’ve put the name for the new bucket iam-key-rotation-csv, where I have to upload the csv file in order to get it imported to the DDB; that works. However, I don’t fully know what the purpose of that CSV file is. Is it only for assigning an IAM user to the email?

I’m testing this only on one account, so I don’t use AWS Organizations. Also please take a look if I properly filled the columns:

| accountid | accountname | accountemail | accountowner |
| --- | --- | --- | --- |
| 6377xxxxx1038 | test@test.com | test@test.com | testaccount (what to fill there?) |

If I have plenty of users, do I have to prepare a full CSV with account name + account email? So when I have a new joiner I have to add them to the CSV here as well?

Why does it have to be launched in us-east-1? Can it be in a different region as well, like Frankfurt?

TPierce-2014 commented 3 years ago

Ok. Your files should all be in iam-key-rotation/iam-rotation/ALL_FILES_HERE. The .csv file is uploaded to the iam-key-rotation-csv bucket, so that part is correct. The purpose of the .csv file is to upload to the DDB table, the account IDs, owner email addresses, and account owners.

The account email must be a valid email address to send emails to. The account owner can be a person responsible for the account. When SNS is sending the message, it checks the DDB table to retrieve the email address for the account that owns the key rotation. That is how it knows which email address to send which notification to.

The reason this has to be launched in us-east-1 is that that is where all IAM CloudTrail logs are stored, as us-east-1 is the IAM default location for logging purposes. Even if you run all other resources of your environment in another region, IAM API calls will always log in us-east-1.

marcelgolus commented 3 years ago

OK thanks, so the CSV seems to be correct? So does it mean that if I have a new joiner, besides the account creation in IAM I have to upload an updated CSV file?

TPierce-2014 commented 3 years ago

As long as those are valid email addresses, yes, it appears to be correct. If you open a new account, you will have to update the .csv file with that account information, yes. That way it knows who to send the email notifications to.

marcelgolus commented 3 years ago

Hello TPierce-2014,

One more question: do you know why it's importing only one user into DDB? I have the entries in the CSV like this:

| accountid | accountname | accountemail | accountowner |
| --- | --- | --- | --- |
| 6377433438 | test@test.com | test@test.com | testaccount |
| 6377433438 | test1@test.com | test1@test.com | test1account |
| 6377433438 | test2@test.com | test2@test.com | test2account |

etc

So it imports only the last row from the CSV... accountid is the AWS account id where the user is created, right?

TPierce-2014 commented 3 years ago

Hi there. It's only sending to the first person on the list, because you have the same account id listed for each. It will only send to one person. The best option to send to a list of people is to list the account once and place a distro for the email that reaches all of them. The code could be modified, but the distro would be the best option.

marcelgolus commented 3 years ago

Hi,

Distro is not a solution, because for some users the access key is at 90 days and for some it is still at, for example, 60 days or less. If I put all of them into one distribution list then it will send the email to all, but the keys will be rotated only for some. I would like to have functionality so that the email is sent only to the person whose key has expired. Thanks for the hints; I will try to rebuild the lambda functions a bit.

TPierce-2014 commented 3 years ago

Good luck :)

skaminskitx commented 3 years ago

I know this is closed, but I was able to modify the notifier.py to allow for multiple IAM users in a single AWS account and send notifications via email to the separate IAM users.


| accountname | accountid | accountemail | accountowner |
| --- | --- | --- | --- |
| testuser1 | 123456789012 | testuser1email@email.com | testuser1email@email.com |
| testuser2 | 123456789012 | testuser2email@email.com | testuser2email@email.com |
| testuser4 | 123456789012 | testuser4email@email.com | testuser4email@email.com |
| testuser3 | 123456789012 | testuser3email@email.com | testuser3email@email.com |

This is more suitable for multi-use AWS accounts which may have multiple IAM users with different IAM account owners. Modifying the CSV import lambda is next, to ease that piece of creating/updating/managing the DynamoDB table.
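As an added example (not code from this repository, and not skaminskitx's modified notifier.py), the following Python simulates the two pieces of the flow discussed in this thread: the CSV import that TPierce-2014 describes as populating the DDB table, and the notifier's lookup of the owner email for an expired key. An in-memory dict stands in for the DynamoDB table. It shows why a table keyed on accountid alone keeps only one item when several rows share an account id (the symptom marcelgolus reported), and how a composite key of (accountid, accountname) lets a rotation event for one IAM user resolve to that user's address. The column names are the ones used in the CSVs above; the table shapes, function names and sample rows are assumptions.

```python
import csv
import io
from typing import Dict, List, Tuple

# Constructed sample CSV using the column layout from this thread.
SAMPLE_CSV = """accountid,accountname,accountemail,accountowner
123456789012,testuser1,testuser1email@email.com,testuser1email@email.com
123456789012,testuser2,testuser2email@email.com,testuser2email@email.com
123456789012,testuser3,testuser3email@email.com,testuser3email@email.com
"""

Row = Dict[str, str]


def parse_csv(text: str) -> List[Row]:
    """Read the CSV as an import lambda would: header row, then one record per line."""
    reader = csv.DictReader(io.StringIO(text))
    rows: List[Row] = []
    for row in reader:
        # Trim whitespace and skip incomplete lines so a hand-edited file
        # does not produce items without an id or an address.
        cleaned = {k.strip(): (v or "").strip() for k, v in row.items()}
        if cleaned.get("accountid") and cleaned.get("accountemail"):
            rows.append(cleaned)
    return rows


def import_keyed_by_account(rows: List[Row]) -> Dict[str, Row]:
    """Assumed original behaviour: the partition key is accountid alone.

    Writing an item under an existing key overwrites it, so rows that share
    one account id collapse to a single item (the last one written here).
    """
    table: Dict[str, Row] = {}
    for row in rows:
        table[row["accountid"]] = row
    return table


def import_keyed_by_account_and_user(rows: List[Row]) -> Dict[Tuple[str, str], Row]:
    """Assumed fix: composite key (accountid, accountname) keeps one item per IAM user."""
    table: Dict[Tuple[str, str], Row] = {}
    for row in rows:
        table[(row["accountid"], row["accountname"])] = row
    return table


def recipient_for_rotation(table, account_id: str, user_name: str) -> str:
    """Resolve the address to notify for an expired key in account_id/user_name.

    Tries the composite key first; for an account-only table this misses, and
    the single per-account item is returned regardless of which user's key
    expired, which is the wrong-recipient problem described in the thread.
    """
    item = table.get((account_id, user_name)) or table.get(account_id)
    if item is None:
        raise KeyError(f"no owner record for {account_id}/{user_name}")
    return item["accountemail"]


def main() -> None:
    rows = parse_csv(SAMPLE_CSV)
    by_account = import_keyed_by_account(rows)
    by_user = import_keyed_by_account_and_user(rows)
    # Constructed rotation event: testuser2's key has passed the 90-day mark.
    account_id, user_name = "123456789012", "testuser2"
    print("items keyed by account:      ", len(by_account))
    print("items keyed by account+user: ", len(by_user))
    print("account-only lookup notifies:", recipient_for_rotation(by_account, account_id, user_name))
    print("per-user lookup notifies:    ", recipient_for_rotation(by_user, account_id, user_name))


if __name__ == "__main__":
    main()
```

Running it shows one item in the account-keyed table versus three in the composite-keyed one, and the account-only lookup emailing testuser3's address for testuser2's expired key. In a real DynamoDB table the equivalent change is adding accountname as a sort key so that put_item no longer overwrites items that share an accountid.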

bumblebee939 commented 3 years ago

@skaminskitx , would you please share the modified notifier.py