September 9, 2019

AWS Security Automation - Access Key Rotation Compliance Management using AWS Lambda

by 4hathacker  |  in AWS SecOps at  10:14 PM

Hi folks!!!

In the previous post, we discussed control and enforcement of public ingress rules in EC2 Security Groups. Feel free to have a look at it here.

Now we will proceed with maintaining IAM user access key hygiene. But first, let's understand what that involves.

AWS access keys are the credentials used by an IAM user or the AWS account root user. They are used to sign programmatic requests to the AWS CLI or AWS API (directly or via the AWS SDK). An access key consists of two parts: an access key ID and a secret access key. Like a username and password, both must be provided together to authenticate a request. The security recommendation is to use IAM roles instead of access keys wherever possible, but in some cases we still need to have access keys handy. These access keys give a user complete access to the set of resources defined by the IAM user policy. So, if the access keys are lost or fall into the wrong hands, your resources are at risk.

There is a set of IAM best practices defined by AWS to help secure your AWS resources. Those related to access keys include:

1. Do Not Share Access Keys

Access keys must never be shared publicly and should be kept in a secure place.

2. Rotate Credentials Regularly

Rotate your credentials, whether passwords or access keys, regularly, so that if a password or access key is compromised without your knowledge, you limit how long it can be used to access your resources.

3. Remove Unnecessary Credentials, etc.

It is important to remove unused passwords and access keys that no longer serve a current business requirement. For this, look for users who have not used their passwords or access keys since a pre-decided point in time.

If you have plenty of users in your AWS account, keeping an eye on every user to meet the access key compliance requirements is a tedious task, and manual management can result in severe consequences.


According to CIS Amazon Web Services Foundations v1.2.0 (05-23-2018), the compliance benchmark says:

- Ensure credentials unused for 90 days or greater are disabled.
- Ensure access keys are rotated every 90 days or less.

To meet these compliance requirements, we will implement a Lambda function that takes care of the following:

- Sanitation: if an "Active" access key has not been used in the last 45 days, disable it and publish a message to the Security/SecOps team.
- Rotation: if an access key is more than 85 days old, generate a new access key for the user and publish a message to the Security/SecOps team, who will inform the user to update all their apps with the new access key. Delete the older access key automatically after 90 days.
- Audit: check compliance every day and generate a compliance list for all users with the relevant information, scope of action required and recommended action.


1. Go to the AWS Lambda console using the "Services" drop-down and search for "Lambda". Inside the Lambda console, go to "Functions" and hit "Create Function". Fill in the basic information required for the Lambda function and move forward.

2. After the Lambda function is created, click on Amazon CloudWatch Logs and scroll down to hit "Manage These Permissions".

3. Now we will attach an inline policy for the IAM access key management permissions. Use "Edit JSON" to write the policy, review it, give it a name and hit the "Create Policy" button.

4. I have one more inline policy for SNS publish. I am going to attach that now.

5. To add a trigger, go to our Lambda function, hit "Add Trigger" and fill in the details as given below. Please note that we are setting up a "Schedule expression" that triggers the Lambda check every day at 10 am UTC. Do not check "Enable trigger" for now.

"Lambda Core Logic"

There are three parts to this Lambda function:

1. lambda_handler - the controller of the function, which passes the usernames to check for access key compliance.

2. sns_publish - sends the notification about the compliance status to the Security/SecOps team.

3. access_key_remediator - accepts the usernames and checks the compliance benchmark for every key attached to each username.
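The three parts listed above, implementing the sanitation (45 days), rotation (85 days) and deletion (90 days) thresholds from the requirements, as an added example that is not the post's own Lambda code (the original was shared as screenshots that are not on this page). It assumes boto3 for the IAM and SNS clients and an SNS topic ARN in a TOPIC_ARN environment variable; the decision logic is kept apart from the AWS calls so it can be exercised without an account.

```python
# Added example; not the post's own function. Thresholds are the post's.
import os
from datetime import datetime, timezone

UNUSED_DAYS, ROTATE_DAYS, DELETE_DAYS = 45, 85, 90  # day thresholds from the post

def evaluate_key(status, created, last_used, now):
    """Decide one key's fate: 'delete', 'rotate', 'disable' or 'ok'. last_used is None
    for a never-used key; this example treats it as idle since creation (an assumption)."""
    age = (now - created).days
    if age >= DELETE_DAYS:
        return "delete"
    if age >= ROTATE_DAYS:
        return "rotate"
    if status == "Active" and (now - (last_used or created)).days >= UNUSED_DAYS:
        return "disable"
    return "ok"

def access_key_remediator(iam, usernames, now=None):
    """Part 3: check every key of every user, act on it and build the audit list."""
    now, report = now or datetime.now(timezone.utc), []
    for user in usernames:
        keys = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
        # Delete only when the user already holds a replacement inside the rotation window.
        has_fresh = any((now - k["CreateDate"]).days < ROTATE_DAYS for k in keys)
        for key in keys:
            kid = key["AccessKeyId"]
            last = iam.get_access_key_last_used(AccessKeyId=kid)["AccessKeyLastUsed"].get("LastUsedDate")
            action, done = evaluate_key(key["Status"], key["CreateDate"], last, now), True
            if action == "disable":
                iam.update_access_key(UserName=user, AccessKeyId=kid, Status="Inactive")
            elif action == "rotate" and len(keys) < 2:  # IAM quota: at most two keys per user
                new = iam.create_access_key(UserName=user)["AccessKey"]
                # new["SecretAccessKey"] exists only in this response: deliver it to the user
                # through a secrets store or other private channel, never in the SNS message.
                kid = f"{kid} -> {new['AccessKeyId']}"
            elif action == "delete" and has_fresh:
                iam.delete_access_key(UserName=user, AccessKeyId=kid)
            else:
                done = action == "ok"  # a rotate/delete that could not be applied safely
            report.append({"user": user, "key": kid, "action": action, "performed": done})
    return report

def sns_publish(sns, topic_arn, report):
    """Part 2: one message to the SecOps topic listing every key that needed action."""
    lines = [f"{r['user']} {r['key']}: {r['action']}" + ("" if r["performed"] else " (manual follow-up)")
             for r in report if r["action"] != "ok"]
    if lines:
        sns.publish(TopicArn=topic_arn, Subject="IAM access key compliance", Message="\n".join(lines))
    return lines

def lambda_handler(event, context):
    """Part 1: the controller. boto3 is imported here so the logic above runs offline."""
    import boto3
    iam, sns = boto3.client("iam"), boto3.client("sns")
    users = [u["UserName"] for p in iam.get_paginator("list_users").paginate() for u in p["Users"]]
    report = access_key_remediator(iam, users)
    sns_publish(sns, os.environ["TOPIC_ARN"], report)  # assumed: topic ARN in an env var
    return report
```

The inline policy from steps 3 and 4 needs only iam:ListUsers, iam:ListAccessKeys, iam:GetAccessKeyLastUsed, iam:UpdateAccessKey, iam:CreateAccessKey and iam:DeleteAccessKey plus sns:Publish on the one topic; nothing broader.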

Compliance Check:

To check the compliance, I have created a set of users in this AWS account.

When we ran the Lambda, we got a result in return as well as some log information. Reading the log information along with the result, we can conclude:

- There are 5 users.
- User "4hathacker" has two access keys and both are disabled.
- User "LegitUser3" has one access key and it is disabled.
- User "LegitUser4" has one access key and it has not been used in any API call yet.
- User "LegitUser4" has one access key which is disabled.

If you are wondering about "LegitUser1" and "LegitUser2", I have not created any access keys for them. Hence, they appear neither in the logs nor in the compliance report result.


1. Automatic and timely creation and deletion of keys.
2. Notification of disabled keys to the SecOps/Security team.
3. Daily audit for compliance.
4. No manual overhead and zero maintenance.

Scope Of Improvement:

1. The SecOps/Security team needs to convey the creation of new access keys to the user with complete details.
2. More SNS topics can be subscribed, with an arrangement to reach the end user with the appropriate notification.

This is how we have automated one more compliance check. Stay tuned for more posts like this...!!!
PS: I have cleared all the users and keys shared here... ;)


Please help me get the missing code in lines 94-172 of the Lambda code (3rd screenshot, the def access_key_remediator(usernames) function). Please help me get the remaining code.