|
5 | 5 | from cloud_governance.common.clouds.aws.utils.common_methods import get_boto3_client |
6 | 6 | from cloud_governance.common.clouds.aws.utils.utils import Utils |
7 | 7 | from cloud_governance.common.logger.init_logger import logger |
| 8 | +from datetime import datetime, timezone |
8 | 9 |
|
9 | 10 |
|
10 | 11 | class IAMOperations: |
11 | 12 |
|
| 13 | + ACCESS_KEY_LABEL_MAP = {"access key 1": 0, "access key 2": 1} |
| 14 | + |
12 | 15 | def __init__(self, iam_client=None): |
13 | 16 | self.iam_client = iam_client if iam_client else get_boto3_client('iam') |
14 | 17 | self.utils = Utils() |
@@ -158,3 +161,157 @@ def untag_role(self, role_name: str, tags: list): |
158 | 161 | return True |
159 | 162 | except Exception as err: |
160 | 163 | raise err |
| 164 | + |
| 165 | + def tag_user(self, user_name: str, tags: list): |
| 166 | + """ |
| 167 | + This method tags the IAM user. |
| 168 | + :param user_name: The name of the IAM user to tag. |
| 169 | + :param tags: A list of tags to associate with the user. |
| 170 | + :return: True if tagging is successful, otherwise raises an exception. |
| 171 | + """ |
| 172 | + try: |
| 173 | + self.iam_client.tag_user(UserName=user_name, Tags=tags) |
| 174 | + return True |
| 175 | + except Exception as err: |
| 176 | + raise err |
| 177 | + |
| 178 | + def get_iam_users_access_keys(self): |
| 179 | + """ |
| 180 | + Retrieves IAM users and summarizes: |
| 181 | + - Access key status (active/inactive) |
| 182 | + - Access key age in days |
| 183 | + - Access key last used in days (or "N/A" if never used) |
| 184 | + - Tags (as a list of dictionaries) |
| 185 | + - Most recent key usage: last_activity_days |
| 186 | + - IAM client region (global context, since IAM is non-regional) |
| 187 | + - IAM user unique ID: ResourceId |
| 188 | +
|
| 189 | + Returns: |
| 190 | + dict: { |
| 191 | + "username": { |
| 192 | + "Access key 1": [status, age_days, last_used_days], |
| 193 | + "Access key 2": [...], |
| 194 | + "last_activity_days": int or "N/A", |
| 195 | + "tags": [{"Key": "tag_key", "Value": "tag_value"}, ...], |
| 196 | + "region": "us-east-1", |
| 197 | + "ResourceId": "AIDAEXAMPLEUSERID" |
| 198 | + }, |
| 199 | + ... |
| 200 | + } |
| 201 | + """ |
| 202 | + result = {} |
| 203 | + now = datetime.now(timezone.utc) |
| 204 | + region_name = self.iam_client.meta.region_name or "global" |
| 205 | + |
| 206 | + paginator = self.iam_client.get_paginator('list_users') |
| 207 | + for page in paginator.paginate(): |
| 208 | + for user in page['Users']: |
| 209 | + username = user['UserName'] |
| 210 | + result[username] = {} |
| 211 | + # Access keys |
| 212 | + access_keys = self.iam_client.list_access_keys(UserName=username)['AccessKeyMetadata'] |
| 213 | + for idx, key in enumerate(access_keys, start=1): |
| 214 | + label = f"Access key {idx}" |
| 215 | + status = key['Status'].lower() |
| 216 | + age_days = (now - key['CreateDate']).days |
| 217 | + |
| 218 | + # Get access key last used |
| 219 | + try: |
| 220 | + response = self.iam_client.get_access_key_last_used(AccessKeyId=key['AccessKeyId']) |
| 221 | + last_used_date = response.get('AccessKeyLastUsed', {}).get('LastUsedDate') |
| 222 | + if last_used_date: |
| 223 | + last_used_days = (now - last_used_date).days |
| 224 | + else: |
| 225 | + last_used_days = "N/A" |
| 226 | + except Exception: |
| 227 | + last_used_days = "N/A" |
| 228 | + |
| 229 | + result[username][label] = {'label': label, 'status': status, 'age_days': age_days, 'last_activity_days': last_used_days if last_used_days is not None else "N/A"} |
| 230 | + |
| 231 | + # Tags as list of dicts |
| 232 | + try: |
| 233 | + tag_response = self.iam_client.list_user_tags(UserName=username) |
| 234 | + tags = tag_response.get('Tags', []) |
| 235 | + except Exception: |
| 236 | + tags = [] |
| 237 | + |
| 238 | + result[username]["tags"] = tags |
| 239 | + result[username]["region"] = region_name |
| 240 | + result[username]["ResourceId"] = user.get('UserId') # <-- Unique ID |
| 241 | + |
| 242 | + return result |
| 243 | + |
| 244 | + def has_active_access_keys(self, username: str, access_key_label: str = None) -> bool: |
| 245 | + """ |
| 246 | + Checks if the given IAM user has any active access keys. |
| 247 | + Optionally filters by access key label ("Access Key 1" or "Access Key 2"). |
| 248 | +
|
| 249 | + Args: |
| 250 | + username (str): IAM user name |
| 251 | + access_key_label (str): Label to filter access keys ("Access Key 1"/"Access Key 2") |
| 252 | +
|
| 253 | + Returns: |
| 254 | + bool: True if any access key is active (and matches the label if provided), False otherwise |
| 255 | + """ |
| 256 | + try: |
| 257 | + keys = self.iam_client.list_access_keys(UserName=username)['AccessKeyMetadata'] |
| 258 | + except Exception as e: |
| 259 | + logger.error(f"Failed to list access keys for user '{username}': {e}") |
| 260 | + return False |
| 261 | + |
| 262 | + # Sort keys by CreateDate ascending (oldest first) |
| 263 | + keys.sort(key=lambda k: k['CreateDate']) |
| 264 | + |
| 265 | + if access_key_label: |
| 266 | + idx = self.ACCESS_KEY_LABEL_MAP.get(access_key_label.lower()) |
| 267 | + if idx is None or idx >= len(keys): |
| 268 | + return False |
| 269 | + return keys[idx].get('Status') == 'Active' |
| 270 | + |
| 271 | + return any(k.get('Status') == 'Active' for k in keys) |
| 272 | + |
| 273 | + def deactivate_user_access_key(self, username: str, **kwargs): |
| 274 | + """ |
| 275 | + Deactivates the specified access key for the given IAM user. |
| 276 | +
|
| 277 | + Args: |
| 278 | + username (str): IAM user name |
| 279 | + access_key_label (str): Access Key 1 or Access Key 2 (case-insensitive) |
| 280 | + """ |
| 281 | + access_key_label = kwargs.get('access_key_label', '').lower() |
| 282 | + if not access_key_label: |
| 283 | + logger.warning("No access key label provided for deactivation.") |
| 284 | + return |
| 285 | + |
| 286 | + try: |
| 287 | + access_keys = self.iam_client.list_access_keys(UserName=username)['AccessKeyMetadata'] |
| 288 | + except Exception as e: |
| 289 | + logger.error(f"Failed to list access keys for user '{username}': {e}") |
| 290 | + return |
| 291 | + |
| 292 | + # Sort keys by CreateDate ascending (oldest first) for consistent indexing |
| 293 | + access_keys.sort(key=lambda k: k['CreateDate']) |
| 294 | + |
| 295 | + idx = self.ACCESS_KEY_LABEL_MAP.get(access_key_label) |
| 296 | + if idx is None or idx >= len(access_keys): |
| 297 | + logger.warning(f"Access key label '{access_key_label}' not found for user '{username}'") |
| 298 | + return |
| 299 | + |
| 300 | + key_to_deactivate = access_keys[idx] |
| 301 | + access_key_id = key_to_deactivate['AccessKeyId'] |
| 302 | + current_status = key_to_deactivate['Status'].lower() |
| 303 | + |
| 304 | + if current_status == 'active': |
| 305 | + try: |
| 306 | + self.iam_client.update_access_key( |
| 307 | + UserName=username, |
| 308 | + AccessKeyId=access_key_id, |
| 309 | + Status='Inactive' |
| 310 | + ) |
| 311 | + logger.info(f"Access key '{access_key_id}' deactivated for user '{username}'") |
| 312 | + except Exception as e: |
| 313 | + logger.error(f"Failed to deactivate access key '{access_key_id}' for user '{username}': {e}") |
| 314 | + else: |
| 315 | + logger.info(f"Access key '{access_key_id}' is already inactive for user '{username}'") |
| 316 | + |
| 317 | + logger.info(f"Access key deactivation processed for user '{username}'.") |
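Review bot: The per-key labels in get_iam_users_access_keys are assigned by enumerating the raw list_access_keys response in the order the API returns it, while has_active_access_keys and deactivate_user_access_key resolve the same "access key 1"/"access key 2" labels only after sorting by CreateDate, so a key reported as "Access key 1" and the key deactivated under that label can be different objects whenever the response order differs from creation order, and a governance action driven by the report could disable the wrong key. Sorting before enumerating keeps all three methods consistent: `access_keys = sorted(self.iam_client.list_access_keys(UserName=username)['AccessKeyMetadata'], key=lambda k: k['CreateDate'])`. The docstring of get_iam_users_access_keys also no longer matches the result: each label maps to a dict with label/status/age_days/last_activity_days rather than a list, and the user-level `"last_activity_days"` it promises is never written. The bare `except Exception` around get_access_key_last_used folds a permission or throttling failure into the same "N/A" that marks a never-used key; logging the error there, as the later handlers in this hunk do, would keep that distinction visible to whoever consumes the report.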