Add delete_access_key policy, enhance unused_access_key policy#974

Merged
pragya811 merged 18 commits into main from unused-key-changes on Mar 31, 2026

Conversation

pragya811 (Member) commented Feb 25, 2026

Type of change

Note: Fill x in []

  • bug
  • enhancement
  • documentation
  • dependencies

Description

  1. Enable unused_access_key policy in action, set dry_run to 'no'.
  2. Change days to take action from 90 to 180

For security reasons, all pull requests need to be approved first before running any automated CI

@pragya811 pragya811 self-assigned this Feb 25, 2026
@pragya811 pragya811 requested review from ebattat and inntran February 25, 2026 10:16
Comment thread cloud_governance/common/utils/configs.py Outdated
ebattat (Member) commented Feb 25, 2026

@inntran, any comment ?

inntran (Collaborator) commented Feb 25, 2026

I wish we could move configurations from Python files to YAML. Other than that, we cannot fix all code smells at this time, so let it be.

@pragya811 pragya811 marked this pull request as draft March 2, 2026 08:04
pragya811 (Member, Author) commented Mar 4, 2026

Changes:

1. Added code changes for sending email reminders to users with inactive access keys. Between 80 and 90 days, the user will get 2 reminders to take action on the unused key. Keys > 120 days of age and inactive will be eligible for deletion as mentioned above.

  1. Keys older than 90 days are deactivated (after any grace period) and tagged with UnusedAccessKeyNInactiveDate.

  2. Deletion:
    Default: delete only inactive keys that have this policy's tag and have been inactive for more than 120 days.
    With DELETE_INACTIVE_KEYS_WITHOUT_TAG=true: delete any inactive key older than 120 days, even without the tag.


@pragya811 pragya811 requested a review from ebattat March 4, 2026 09:23

ebattat (Member) left a comment

ADD .DS_Store to git ignore

Comment thread cloud_governance/common/clouds/aws/iam/iam_operations.py
Comment thread cloud_governance/common/clouds/aws/iam/iam_operations.py
Comment thread cloud_governance/policy/aws/unused_access_key.py Outdated
Comment thread cloud_governance/policy/aws/unused_access_key.py Outdated
Comment thread cloud_governance/policy/aws/unused_access_key.py Outdated
pragya811 (Member, Author) commented Mar 9, 2026

[UPDATE 9 March 2026]:

  1. Created a new policy, delete_access_key, thereby separating the functionality from the unused_access_key policy. Keys > 120 days of age will be eligible for deletion.
  2. With DELETE_INACTIVE_KEYS_WITHOUT_TAG=true: delete any inactive key older than 120 days, even without the tag. Default set to False.
  3. Added an internal grace period calculator instead of using the CleanupDays tag, since one single IAM user can have up to 2 keys eligible for deletion/deactivation. The grace period begins post 90 days for deactivation and post 120 days for deletion, up to DAYS_TO_TAKE_ACTION. The user will get email alerts during this time informing them of the necessary action and steps.
  4. Included custom email alert for unused_access_key and delete_access_key policy.

TBD:
Enable configs for unused_access_key and delete_access_key
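The decision rules described in the two update comments above (reminders between 80 and 90 days idle, deactivation and tagging after 90 days, deletion of tagged inactive keys after 120 days, or of any inactive key when DELETE_INACTIVE_KEYS_WITHOUT_TAG is set) can be modelled as a pure function over key metadata. The following is an added illustration, not code from the cloud-governance project: the constant names, the AccessKey record, and the sample inventory are constructed, the idle period is assumed to count from the key's last use (or creation, if never used) for both thresholds, and the project's real grace-period calculator and email alerts are not reproduced.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

# Thresholds taken from the PR discussion. The constant names are hypothetical;
# the project's own configuration keys may differ.
REMINDER_START_DAYS = 80     # reminder window opens (two reminders between 80 and 90 days)
DEACTIVATE_AFTER_DAYS = 90   # active keys idle longer than this are deactivated and tagged
DELETE_AFTER_DAYS = 120      # inactive keys idle longer than this become deletable
INACTIVE_TAG = "UnusedAccessKeyNInactiveDate"


@dataclass
class AccessKey:
    """Constructed stand-in for the IAM access-key metadata the policy inspects."""
    user: str
    key_id: str
    status: str                  # "Active" or "Inactive", as IAM reports it
    created: date
    last_used: Optional[date]    # None when IAM reports the key as never used
    tags: Dict[str, str] = field(default_factory=dict)


def days_idle(key: AccessKey, today: date) -> int:
    """Days since the key was last used; a never-used key is measured from creation.
    Assumption: both thresholds count from last use, not from the deactivation date."""
    return (today - (key.last_used or key.created)).days


def decide_action(key: AccessKey, today: date, delete_without_tag: bool = False) -> str:
    """Return 'none', 'remind', 'deactivate' or 'delete' for one key."""
    idle = days_idle(key, today)
    if key.status == "Inactive":
        # Only keys this policy tagged are deleted, unless the operator opts in
        # to the DELETE_INACTIVE_KEYS_WITHOUT_TAG behaviour.
        eligible = delete_without_tag or INACTIVE_TAG in key.tags
        return "delete" if idle > DELETE_AFTER_DAYS and eligible else "none"
    if idle > DEACTIVATE_AFTER_DAYS:
        return "deactivate"
    if idle >= REMINDER_START_DAYS:
        return "remind"
    return "none"


def run_policy(keys: List[AccessKey], today: date, dry_run: bool = True,
               delete_without_tag: bool = False) -> List[Tuple[str, str]]:
    """Evaluate every key and, unless dry_run, apply deactivate/delete in place.

    Returns (key_id, action) pairs so the caller can log or email them; with
    dry_run=True nothing is mutated, which is the mode the PR started in.
    """
    decisions = []
    for key in list(keys):
        action = decide_action(key, today, delete_without_tag)
        decisions.append((key.key_id, action))
        if dry_run:
            continue
        if action == "deactivate":
            key.status = "Inactive"
            key.tags[INACTIVE_TAG] = today.isoformat()   # records when the policy acted
        elif action == "delete":
            keys.remove(key)
    return decisions


def sample_keys() -> List[AccessKey]:
    """Constructed sample inventory covering each branch of the policy."""
    return [
        AccessKey("alice", "AKIA-RECENT", "Active", date(2025, 6, 1), date(2026, 1, 15)),
        AccessKey("bob", "AKIA-REMIND", "Active", date(2025, 6, 1), date(2026, 1, 5)),
        AccessKey("carol", "AKIA-STALE", "Active", date(2025, 6, 1), date(2025, 12, 1)),
        AccessKey("dave", "AKIA-TAGGED", "Inactive", date(2025, 6, 1), date(2025, 11, 1),
                  {INACTIVE_TAG: "2026-01-30"}),
        AccessKey("erin", "AKIA-UNTAGGED", "Inactive", date(2025, 6, 1), date(2025, 11, 1)),
        AccessKey("frank", "AKIA-NEVERUSED", "Inactive", date(2026, 2, 1), None,
                  {INACTIVE_TAG: "2026-02-10"}),
    ]


if __name__ == "__main__":
    today = date(2026, 3, 31)
    for key_id, action in run_policy(sample_keys(), today, dry_run=True):
        print(f"{key_id:15} -> {action}")
```

Running it in dry-run mode lists one decision per key without touching anything; the untagged inactive key is only reported for deletion when delete_without_tag is passed, which is the safety property the default-False setting in the PR preserves.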

@pragya811 pragya811 marked this pull request as ready for review March 10, 2026 07:09
@pragya811 pragya811 changed the title Enable unused_access_key policy in action Add delete_access_key policy, enhance unused_access_key policy Mar 10, 2026
Comment thread cloud_governance/main/environment_variables.py

ebattat (Member) left a comment

/LGTM

@pragya811 pragya811 merged commit 027904c into main Mar 31, 2026
5 checks passed
@github-project-automation github-project-automation Bot moved this from In progress to Done in Cloud-Governance project Mar 31, 2026
3 participants