|
5 | 5 | from cloud_governance.common.clouds.aws.utils.common_methods import get_boto3_client |
6 | 6 | from cloud_governance.common.clouds.aws.utils.utils import Utils |
7 | 7 | from cloud_governance.common.logger.init_logger import logger |
| 8 | +from datetime import datetime, timezone |
8 | 9 |
|
9 | 10 |
|
10 | 11 | class IAMOperations: |
@@ -158,3 +159,141 @@ def untag_role(self, role_name: str, tags: list): |
158 | 159 | return True |
159 | 160 | except Exception as err: |
160 | 161 | raise err |
| 162 | + |
| 163 | + def tag_user(self, user_name: str, tags: list): |
| 164 | + """ |
| 165 | + This method tags the IAM user. |
| 166 | + :param user_name: The name of the IAM user to tag. |
| 167 | + :param tags: A list of tags to associate with the user. |
| 168 | + :return: True if tagging is successful, otherwise raises an exception. |
| 169 | + """ |
| 170 | + try: |
| 171 | + self.iam_client.tag_user(UserName=user_name, Tags=tags) |
| 172 | + return True |
| 173 | + except Exception as err: |
| 174 | + raise err |
| 175 | + |
| 176 | + def get_iam_users_access_keys(self): |
| 177 | + """ |
| 178 | + Retrieves IAM users and summarizes: |
| 179 | + - Access key status (active/inactive) |
| 180 | + - Access key age in days |
| 181 | + - Access key last used in days (or "N/A" if never used) |
| 182 | + - Tags (as a list of dictionaries) |
| 183 | + - Most recent key usage: last_activity_days |
| 184 | + - IAM client region (global context, since IAM is non-regional) |
| 185 | + - IAM user unique ID: ResourceId |
| 186 | +
|
| 187 | + Returns: |
| 188 | + dict: { |
| 189 | + "username": { |
| 190 | + "Access key 1": [status, age_days, last_used_days], |
| 191 | + "Access key 2": [...], |
| 192 | + "last_activity_days": int or "N/A", |
| 193 | + "tags": [{"Key": "tag_key", "Value": "tag_value"}, ...], |
| 194 | + "region": "us-east-1", |
| 195 | + "ResourceId": "AIDAEXAMPLEUSERID" |
| 196 | + }, |
| 197 | + ... |
| 198 | + } |
| 199 | + """ |
| 200 | + result = {} |
| 201 | + now = datetime.now(timezone.utc) |
| 202 | + region_name = self.iam_client.meta.region_name or "global" |
| 203 | + |
| 204 | + paginator = self.iam_client.get_paginator('list_users') |
| 205 | + for page in paginator.paginate(): |
| 206 | + for user in page['Users']: |
| 207 | + username = user['UserName'] |
| 208 | + result[username] = {} |
| 209 | + last_used_days_list = [] |
| 210 | + |
| 211 | + # Access keys |
| 212 | + access_keys = self.iam_client.list_access_keys(UserName=username)['AccessKeyMetadata'] |
| 213 | + for idx, key in enumerate(access_keys, start=1): |
| 214 | + label = f"Access key {idx}" |
| 215 | + status = key['Status'].lower() |
| 216 | + age_days = (now - key['CreateDate']).days |
| 217 | + |
| 218 | + # Get access key last used |
| 219 | + try: |
| 220 | + response = self.iam_client.get_access_key_last_used(AccessKeyId=key['AccessKeyId']) |
| 221 | + last_used_date = response.get('AccessKeyLastUsed', {}).get('LastUsedDate') |
| 222 | + if last_used_date: |
| 223 | + last_used_days = (now - last_used_date).days |
| 224 | + last_used_days_list.append(last_used_days) |
| 225 | + else: |
| 226 | + last_used_days = "N/A" |
| 227 | + except Exception: |
| 228 | + last_used_days = "N/A" |
| 229 | + |
| 230 | + result[username][label] = [status, age_days, last_used_days] |
| 231 | + |
| 232 | + # Most recent access key activity |
| 233 | + result[username]["last_activity_days"] = min(last_used_days_list) if last_used_days_list else "N/A" |
| 234 | + |
| 235 | + # Tags as list of dicts |
| 236 | + try: |
| 237 | + tag_response = self.iam_client.list_user_tags(UserName=username) |
| 238 | + tags = tag_response.get('Tags', []) |
| 239 | + except Exception: |
| 240 | + tags = [] |
| 241 | + |
| 242 | + result[username]["tags"] = tags |
| 243 | + result[username]["region"] = region_name |
| 244 | + result[username]["ResourceId"] = user.get('UserId') # <-- Unique ID |
| 245 | + return result |
| 246 | + |
| 247 | + def has_active_access_keys(self, username): |
| 248 | + """ |
| 249 | + Checks if the given IAM user has any active access keys. |
| 250 | + When no user access key return False |
| 251 | + Args: |
| 252 | + username (str): IAM user name |
| 253 | +
|
| 254 | + Returns: |
| 255 | + bool: True if any access key is active, False otherwise |
| 256 | + """ |
| 257 | + try: |
| 258 | + access_keys = self.iam_client.list_access_keys(UserName=username)['AccessKeyMetadata'] |
| 259 | + except Exception as e: |
| 260 | + logger.error(f"Failed to list access keys for user '{username}': {e}") |
| 261 | + return False |
| 262 | + |
| 263 | + for key in access_keys: |
| 264 | + if key.get('Status') == 'Active': |
| 265 | + return True |
| 266 | + return False |
| 267 | + |
| 268 | + def deactivate_user_access_keys(self, username): |
| 269 | + """ |
| 270 | + Deactivates all active access keys for the given IAM user. |
| 271 | +
|
| 272 | + Args: |
| 273 | + username (str): IAM user name |
| 274 | + """ |
| 275 | + try: |
| 276 | + access_keys = self.iam_client.list_access_keys(UserName=username)['AccessKeyMetadata'] |
| 277 | + except Exception as e: |
| 278 | + logger.error(f"Failed to list access keys for user '{username}': {e}") |
| 279 | + return |
| 280 | + |
| 281 | + for idx, key in enumerate(access_keys, start=1): |
| 282 | + label = f"Access key {idx}" |
| 283 | + current_status = key['Status'].lower() |
| 284 | + access_key_id = key['AccessKeyId'] |
| 285 | + |
| 286 | + if current_status == 'active': |
| 287 | + try: |
| 288 | + self.iam_client.update_access_key( |
| 289 | + UserName=username, |
| 290 | + AccessKeyId=access_key_id, |
| 291 | + Status='Inactive' |
| 292 | + ) |
| 293 | + logger.info(f"{label} deactivated for user '{username}'") |
| 294 | + except Exception as e: |
| 295 | + logger.error(f"Failed to deactivate {label} for user '{username}': {e}") |
| 296 | + else: |
| 297 | + logger.info(f"{label} is already inactive for user '{username}'") |
| 298 | + |
| 299 | + logger.info(f"Deactivate access keys for user '{username}' have been processed.") |
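Review bot: The bare `except Exception:` around the `get_access_key_last_used` call in get_iam_users_access_keys maps an API failure (access denied, throttling) to the same `"N/A"` that means "never used", so a failed lookup is indistinguishable from an idle key and is also left out of `last_activity_days`; if, as the pairing with deactivate_user_access_keys in this hunk suggests, that report feeds deactivation decisions, a transient error could make an in-use key look idle. At minimum make the failure visible, e.g. `except Exception as err:` / `logger.error(f"Failed to get last used date for an access key of user '{username}': {err}")` / `last_used_days = "N/A"`, and the `list_user_tags` handler just below has the same silent fallback to `[]`. has_active_access_keys has the same shape: a listing failure returns False, which a caller that skips users without active keys cannot tell apart from a genuine absence, so returning None on error or letting the exception propagate would keep that distinction. The `try`/`except Exception as err: raise err` in tag_user adds nothing over calling `tag_user` directly and can be dropped. The enclosing class IAMOperations starts outside this hunk.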