This set of CloudFormation templates and Python scripts will set up an auto-rotation function that will automatically rotate your AWS IAM User Access Keys every 90 days.
From force_rotation_handler.py in access_key_auto_rotation.zip
    def check_forced_rotate_flag(event, noUsers, log):
        # Initialize Values
        force_rotate = None
        force_rotate_user_name = None
        log.info('Checking if ForceRotate flag exists.')
        # Check if the message sent to the Lambda contained the value 'ForceRotate'
        # Note: This currently only supports one username at a time for testing
        if "ForceRotate" in event and not noUsers:
            force_rotate_user_name = event['ForceRotate']
            force_rotate = True
            log.info(f'ForceRotate flag exists for [{force_rotate_user_name}].')
        elif "ForceRotate" not in event and not noUsers:  # Same expression as below elif
            force_rotate = False
            log.info(
                'ForceRotate flag does not exist and '
                'there are users in this account.')
        elif "ForceRotate" not in event and not noUsers:  # Same expression as above elif
            log.info(
                f'ForceRotate flag exists for [{force_rotate_user_name}]'
                f' but there are no users in this account.')
            force_rotate = True
        else:
            log.error('Undetected type. Listing noUsers(boolean) and users(array)')
            force_rotate = False
        return force_rotate, force_rotate_user_name
From the log messages, it is my assumption the second elif should instead be:
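The following is an added illustration, not code from the issue or from the project: it drives the quoted branch structure over all four (flag present or absent, users present or absent) combinations and shows that the third branch is unreachable as written. The corrected condition in the second function is an assumption read from the log messages, not the reporter's own proposed fix.

```python
import logging

log = logging.getLogger("access_key_auto_rotation")


def check_forced_rotate_flag_original(event, noUsers):
    """Branch structure as quoted in the issue. Returns (branch, force_rotate, user).
    The third elif repeats the second condition, so it can never be taken."""
    if "ForceRotate" in event and not noUsers:
        return "rotate_named_user", True, event["ForceRotate"]
    elif "ForceRotate" not in event and not noUsers:
        return "scheduled_rotation", False, None
    elif "ForceRotate" not in event and not noUsers:  # dead code: same test as above
        return "flag_but_no_users", True, None
    else:
        log.error("Undetected type")
        return "undetected", False, None


def check_forced_rotate_flag_fixed(event, noUsers):
    """Assumed intent: the third branch covers 'flag present, but no users'."""
    if "ForceRotate" in event and not noUsers:
        return "rotate_named_user", True, event["ForceRotate"]
    elif "ForceRotate" not in event and not noUsers:
        return "scheduled_rotation", False, None
    elif "ForceRotate" in event and noUsers:  # assumed corrected condition
        return "flag_but_no_users", True, event["ForceRotate"]
    else:
        # Only (no flag, no users) reaches here now, so the error log is meaningful.
        log.error("Undetected type")
        return "undetected", False, None


def compare_branches():
    """Constructed inputs covering every combination; returns the branch taken
    by each version so the unreachable case is visible side by side."""
    cases = [
        ({"ForceRotate": "alice"}, False),  # flag, users present
        ({}, False),                        # no flag, users present
        ({"ForceRotate": "alice"}, True),   # flag, no users -> differs
        ({}, True),                         # no flag, no users
    ]
    return [(check_forced_rotate_flag_original(e, n)[0],
             check_forced_rotate_flag_fixed(e, n)[0]) for e, n in cases]
```

The third tuple returned by `compare_branches()` is where the two versions diverge: the original logs "Undetected type" for a valid forced-rotation request against an empty account.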