Custom AWS Config rule with Guard policy for checking User access key


I have read this article that shows how to write a custom AWS Config rule with Guard policy: https://aws.amazon.com/blogs/mt/announcing-aws-config-custom-rules-using-guard-custom-policy/

I want to write a similar custom AWS Config rule that checks access key age. If the key age is over 60 days, I want to make it non-compliant.

My first starting point was to find the Config rule schemas for IAM Users. I found this one: https://github.com/awslabs/aws-config-resource-schema/blob/master/config/properties/resource-types/AWS%3A%3AIAM%3A%3AUser.properties.json

But this schema does not include any details for access keys. I was hoping it would include a property such as maxAccessKeyAge.

I was hoping I could write a rule like this:

let maxKeyAge = 60
rule compliancecheck when 
        resourceType == "AWS::IAM::USER" {
            configuration.maxAccessKeyAge == %maxKeyAge
        }

But this code does not work.

How can I write a custom Config rule to check key age? Thanks.


There is 1 answer

Qadri

There are 2 issues with the code. resourceType should be AWS::IAM::User (not uppercase USER).

The property that tells us about key age is configuration.createDate.

So the final code should be:

rule compliancecheck {
    when resourceType == "AWS::IAM::User" {
        configuration.createDate == "2014-01-12T16:13:20.00Z"
    }
}
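Two things worth knowing beyond the answer: AWS Config ships a managed rule, access-keys-rotated, whose maxAccessKeyAge parameter does exactly what the question asks, and a Guard policy compares the recorded configuration item as-is, with no date arithmetic, so a threshold like "older than 60 days" cannot be expressed in Guard. When a custom rule is still wanted, the usual pattern is a Lambda-backed rule. The following is an added example written for this page, not code from the question, the answer, or AWS: the age check lives in a pure function tested against constructed access-key metadata, and the handler around it uses the documented Config event fields and the boto3 iam.list_access_keys / config.put_evaluations calls. The key IDs and dates are constructed samples.

```python
"""
Added example (not from the question, the answer, or AWS): a Lambda-backed
AWS Config custom rule that marks an IAM user NON_COMPLIANT when any of its
active access keys is older than a threshold (60 days, per the question).
"""
from datetime import datetime, timedelta, timezone
import json

MAX_KEY_AGE_DAYS = 60  # default; overridable through the rule parameter maxAccessKeyAge


def key_age_days(create_date, now):
    """Whole days elapsed between an access key's CreateDate and now."""
    return (now - create_date).days


def evaluate_user_keys(access_keys, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Decide compliance for one IAM user.

    access_keys: list of dicts shaped like the AccessKeyMetadata entries returned by
    iam.list_access_keys (AccessKeyId, Status, CreateDate as tz-aware datetime).
    Inactive keys are ignored: they cannot sign requests until re-activated.
    Returns (compliance_type, annotation).
    """
    stale = []
    for key in access_keys:
        if key["Status"] != "Active":
            continue
        age = key_age_days(key["CreateDate"], now)
        if age > max_age_days:
            stale.append(f'{key["AccessKeyId"]} ({age} days)')
    if stale:
        return ("NON_COMPLIANT",
                f"Active access key(s) older than {max_age_days} days: " + ", ".join(stale))
    return "COMPLIANT", f"No active access key older than {max_age_days} days"


def lambda_handler(event, context):
    """Config custom rule entry point (configuration-change trigger on AWS::IAM::User)."""
    import boto3  # imported here so evaluate_user_keys stays testable without AWS access

    invoking_event = json.loads(event["invokingEvent"])
    item = invoking_event["configurationItem"]
    rule_params = json.loads(event.get("ruleParameters") or "{}")
    max_age = int(rule_params.get("maxAccessKeyAge", MAX_KEY_AGE_DAYS))

    if item["configurationItemStatus"] in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        # The user is gone; list_access_keys would fail with NoSuchEntity.
        compliance, annotation = "NOT_APPLICABLE", "IAM user deleted"
    else:
        iam = boto3.client("iam")
        keys = iam.list_access_keys(UserName=item["resourceName"])["AccessKeyMetadata"]
        compliance, annotation = evaluate_user_keys(keys, datetime.now(timezone.utc), max_age)

    boto3.client("config").put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": annotation[:256],  # Config caps annotations at 256 characters
            "OrderingTimestamp": item["configurationItemCaptureTime"],
        }],
        ResultToken=event["resultToken"],
    )
    return {"compliance": compliance, "annotation": annotation}


# Constructed sample data so the evaluation logic can be run offline.
SAMPLE_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active",
     "CreateDate": SAMPLE_NOW - timedelta(days=10)},
    {"AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Active",
     "CreateDate": SAMPLE_NOW - timedelta(days=90)},
    {"AccessKeyId": "AKIAEXAMPLE000000003", "Status": "Inactive",
     "CreateDate": SAMPLE_NOW - timedelta(days=400)},
]

if __name__ == "__main__":
    print(evaluate_user_keys(SAMPLE_KEYS, SAMPLE_NOW))
```

Deployed as a custom Lambda rule scoped to AWS::IAM::User, this reports the user as NON_COMPLIANT while any active key exceeds the threshold and returns to COMPLIANT once the key is deactivated or deleted, which is the signal a rotation process needs; a periodic trigger can be added for users whose configuration item never changes.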