Detect when Temporary Credentials Present in Local awscli Config

Issue #1 duplicate
blakeca00 repo owner created an issue

Detect when Temporary Credentials Present in Local awscli Config. When temp credentials exist, keyup should be prohibited from rotating keys if and only if a token is active.

If the token used to generate the temp credentials is expired, keyup should rotate credentials.

Rationale:

* If access keyset credentials are rotated with an ACTIVE token, any active temp credentials will immediately become invalid because the token used to generate them is no longer valid. (?)

Comments (5)

  1. blakeca00 reporter

    Logic used to detect ACTIVE token:

    • keyup runs through the list of all IAM users in the awscli config
    • each user will be checked for the presence of a token generated by the corresponding IAM user
    • any tokens found will have their expiration datetime compared with now
    • if a token is not expired: prohibit access key rotation
    • log status, exit.
  2. blakeca00 reporter

    Logic:

    1. Detect any awscli profiles which have an 'aws_security_token' entry (IAM users will not have one)
    2. Try to auth using these profiles to see if any are active, using the keys with the authenticated() function. If it returns True >> active
    3. If some are active, exit. Don't rotate creds
    4. If all are inactive >> rotate credentials
  3. blakeca00 reporter

    Correct Logic:

    1. Map profile names to temporary profile names in order to discover which represent IAM users.
    2. For the temporary credentials which represent real IAM users, try to authenticate using the access key and secret key.
    3. If any authenticate, exit without rotating keys.
    4. If all authentication attempts fail, trigger rotation (temporary credentials are expired).

    Authentication using all temp credentials cannot be tried; it will set off CloudWatch filter metric alarms for auth failure.
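
The gating logic sketched across the three comments above (detect profiles carrying `aws_security_token`, map each one back to the IAM user profile it belongs to, authenticate only that one temporary credential set, and block rotation while the token is still accepted), written out as an added example. This is not keyup's own code. It assumes a hypothetical `<user>-sts` naming convention to pair a temporary profile with its IAM user profile, uses a constructed credentials file rather than a real `~/.aws/credentials`, and takes the STS check as a pluggable function so the decision logic runs offline; the optional live check calls `sts:GetCallerIdentity` through boto3 and treats `ExpiredToken`/`InvalidClientTokenId` as "not active". Because only the temporary profile paired with the user being rotated is probed, at most one authentication attempt is made per user, which is the point of the caveat about CloudWatch auth-failure alarms.

```python
"""Gate key rotation on whether an IAM user's temporary credentials are still active.

Added example, not keyup's own code. Hypothetical assumptions:
  * temporary profiles are named "<user>-sts" after the IAM user profile
    they were generated from (TEMP_SUFFIX);
  * SAMPLE_CREDENTIALS is a constructed credentials file, not real data;
  * the live STS check uses boto3 (imported lazily, only when called).
"""
import configparser
from typing import Callable, Dict, List, Optional, Tuple

Profile = Dict[str, str]
# check(access_key, secret_key, session_token) -> True if STS accepts them.
AuthCheck = Callable[[str, str, str], bool]

TEMP_SUFFIX = "-sts"  # hypothetical pairing convention

# Constructed sample ~/.aws/credentials content (fake keys and tokens).
SAMPLE_CREDENTIALS = """\
[alice]
aws_access_key_id = AKIAEXAMPLEALICE0001
aws_secret_access_key = alice-long-term-secret

[alice-sts]
aws_access_key_id = ASIAEXAMPLEALICE0001
aws_secret_access_key = alice-temp-secret
aws_security_token = alice-temp-token

[bob]
aws_access_key_id = AKIAEXAMPLEBOB00001
aws_secret_access_key = bob-long-term-secret

[bob-sts]
aws_access_key_id = ASIAEXAMPLEBOB00001
aws_secret_access_key = bob-temp-secret
aws_security_token = bob-temp-token

[carol]
aws_access_key_id = AKIAEXAMPLECAROL001
aws_secret_access_key = carol-long-term-secret
"""


def load_profiles(text: str) -> Dict[str, Profile]:
    """Parse awscli credentials-file text into {profile_name: {key: value}}."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def temporary_profiles(profiles: Dict[str, Profile]) -> List[str]:
    """Profiles carrying aws_security_token are temporary (STS) credentials."""
    return [n for n, p in profiles.items() if "aws_security_token" in p]


def iam_user_profiles(profiles: Dict[str, Profile]) -> List[str]:
    """Profiles without aws_security_token are taken to be IAM user keysets."""
    return [n for n, p in profiles.items() if "aws_security_token" not in p]


def temp_profile_for(iam_user: str, profiles: Dict[str, Profile]) -> Optional[str]:
    """Map an IAM user profile to its paired temporary profile, if present."""
    candidate = iam_user + TEMP_SUFFIX
    if candidate in profiles and "aws_security_token" in profiles[candidate]:
        return candidate
    return None


def rotation_allowed(iam_user: str, profiles: Dict[str, Profile],
                     check: AuthCheck) -> Tuple[bool, str]:
    """Return (allowed, reason). Probes only the user's own temp profile."""
    if iam_user not in profiles or "aws_security_token" in profiles[iam_user]:
        raise ValueError(f"{iam_user!r} is not an IAM user profile")
    temp = temp_profile_for(iam_user, profiles)
    if temp is None:
        return True, f"no temporary credentials found for {iam_user}"
    p = profiles[temp]
    active = check(p["aws_access_key_id"], p["aws_secret_access_key"],
                   p["aws_security_token"])
    if active:
        return False, f"{temp} holds an active token; rotating {iam_user} would invalidate it"
    return True, f"{temp} token is expired; safe to rotate {iam_user}"


def sts_check_live(key: str, secret: str, token: str) -> bool:
    """Live check via sts:GetCallerIdentity (assumed error codes for expiry)."""
    import boto3
    from botocore.exceptions import ClientError
    sts = boto3.Session(aws_access_key_id=key, aws_secret_access_key=secret,
                        aws_session_token=token).client("sts")
    try:
        sts.get_caller_identity()
        return True
    except ClientError as exc:
        code = exc.response.get("Error", {}).get("Code", "")
        if code in ("ExpiredToken", "ExpiredTokenException", "InvalidClientTokenId"):
            return False
        raise  # anything else (throttling, network) is not evidence of expiry


def fake_sts_check(active_tokens: set) -> AuthCheck:
    """Constructed offline stand-in for STS: a token is active if in the set."""
    def check(key: str, secret: str, token: str) -> bool:
        return token in active_tokens
    return check


if __name__ == "__main__":
    profiles = load_profiles(SAMPLE_CREDENTIALS)
    check = fake_sts_check({"alice-temp-token"})  # pretend only alice's token is live
    for user in iam_user_profiles(profiles):
        allowed, reason = rotation_allowed(user, profiles, check)
        print(f"{user}: {'ROTATE' if allowed else 'SKIP'} - {reason}")
```

Swap `fake_sts_check(...)` for `sts_check_live` to run it against real profiles; `rotation_allowed` raises rather than guesses if asked about a profile that is itself temporary, so the caller cannot accidentally rotate the wrong keyset.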
