Is there any way to set an alarm for AWS users that have been inactive for e.g. 60 days? I mean I need an alarm to be created which will send a notification if an AWS user account has been inactive for a period of time.

Joe
  • How would you classify a user as "inactive"? Do you mean the IAM User that did not make any API calls to AWS services? (Note that this would not include logging into EC2 instances since this is not done via AWS.) – John Rotenstein Jul 30 '20 at 07:58
  • Yes Sir, I mean if user does not perform 'any' actions during given time – Joe Jul 30 '20 at 08:28

2 Answers

From GenerateServiceLastAccessedDetails - AWS Identity and Access Management:

GenerateServiceLastAccessedDetails: Generates a report that includes details about when an IAM resource (user, group, role, or policy) was last used in an attempt to access AWS services. Recent activity usually appears within four hours.

From GetServiceLastAccessedDetails - AWS Identity and Access Management:

GetServiceLastAccessedDetails: Retrieves a service last accessed report that was created using the GenerateServiceLastAccessedDetails operation. You can use the JobId parameter in GetServiceLastAccessedDetails to retrieve the status of your report job. When the report is complete, you can retrieve the generated report. The report includes a list of AWS services that the resource (user, group, role, or managed policy) can access.

So, take a look at those commands (available via AWS CLI or AWS SDK) and find the latest date of all the services that the user has accessed.

See also: Identify unused IAM roles and remove them confidently with the last used timestamp | AWS Security Blog

John Rotenstein

Yes and no. There is no plain Alarm that can do that. AWS CloudWatch Alarms can only alarm based on CloudWatch Metrics, and IAM Users do not send any metrics there.

You could write a Lambda, have it iterate through IAM Users and get their last active date. Then add an EventRule which will run this Lambda regularly, such as once per day. If Users are inactive, you could send a message to an SNS Topic, or if you wanted more adjustable alarms, send some metrics to CloudWatch Metrics in a custom namespace, then create a CloudWatch Alarm to alert on those metrics.

Wheat
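Putting the two answers together, here is an added example (not code from either answer) of the Lambda logic: `collect_from_iam()` gathers each user's password, access-key and service last-used dates with the IAM calls named above, and `inactive_users()` applies the 60-day cutoff. The function and field names are the real boto3/IAM ones; `SAMPLE_USERS`, `NOW` and the user names are constructed so the cutoff logic runs offline.

```python
"""Lambda-style check for IAM users idle for 60+ days (added example, not from the answers)."""
import time
from datetime import datetime, timedelta, timezone

INACTIVE_DAYS = 60

def last_activity(user):
    """Latest of console password use, access-key use and service access (None if never)."""
    stamps = [user.get("PasswordLastUsed")]
    stamps += [k.get("LastUsedDate") for k in user.get("AccessKeys", [])]
    stamps += [s.get("LastAuthenticated") for s in user.get("ServicesLastAccessed", [])]
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else None

def inactive_users(users, now, days=INACTIVE_DAYS):
    """[(UserName, last_activity)] for users idle longer than `days`; never-used users count too."""
    cutoff = now - timedelta(days=days)
    return [(u["UserName"], last) for u in users
            if (last := last_activity(u)) is None or last < cutoff]

def collect_from_iam(iam):
    """Build inactive_users() input from live IAM calls (boto3 client); Lambda only, not run offline."""
    users = []
    for page in iam.get_paginator("list_users").paginate():
        for u in page["Users"]:
            keys = iam.list_access_keys(UserName=u["UserName"])["AccessKeyMetadata"]
            key_use = [iam.get_access_key_last_used(AccessKeyId=k["AccessKeyId"])["AccessKeyLastUsed"]
                       for k in keys]
            job = iam.generate_service_last_accessed_details(Arn=u["Arn"])["JobId"]
            report = iam.get_service_last_accessed_details(JobId=job)
            while report["JobStatus"] == "IN_PROGRESS":   # report is generated asynchronously
                time.sleep(1)
                report = iam.get_service_last_accessed_details(JobId=job)
            users.append({"UserName": u["UserName"], "PasswordLastUsed": u.get("PasswordLastUsed"),
                          "AccessKeys": key_use,
                          "ServicesLastAccessed": report.get("ServicesLastAccessed", [])})
    return users

# Constructed sample in the shape collect_from_iam() returns, so the logic runs offline.
NOW = datetime(2020, 7, 30, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"UserName": "alice", "PasswordLastUsed": NOW - timedelta(days=3)},
    {"UserName": "bob", "PasswordLastUsed": NOW - timedelta(days=90),
     "AccessKeys": [{"LastUsedDate": NOW - timedelta(days=10)}]},      # key use keeps bob active
    {"UserName": "carol", "AccessKeys": [{}],                          # key never used
     "ServicesLastAccessed": [{"LastAuthenticated": NOW - timedelta(days=75)}]},
    {"UserName": "dave"},                                              # never did anything
]
```

Inside the Lambda, feed `collect_from_iam(boto3.client("iam"))` into `inactive_users()` and hand the result to `sns.publish()` or `cloudwatch.put_metric_data()` as the second answer suggests; a user with no recorded activity at all is reported with `None` as the last-used date.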