README.md

Tardigrade IAM Key Enforcer

This repo contains the Python-based Lambda function that will audit IAM Access keys for an account and will enforce key rotation as well as notify users.

Basic Function

The Lambda function is triggered for each account by an Event notification that is configured to run on a schedule. The function audits each user in an account for access keys and determines how long before they expire, it will then notify users that their key expires in X days and that automatic key enforcement is forthcoming.

Requirements

Name	Version
terraform	>= 1.1
aws	>= 3.0

Providers

Name	Version
aws	>= 3.0

Resources

Name	Type
aws_caller_identity.current	data source
aws_iam_policy_document.lambda	data source
aws_partition.current	data source
aws_region.current	data source

Inputs

Name	Description	Type	Default	Required
admin_email	Admin Email that will receive all emails and reports about actions taken if email is enabled	string	n/a	yes
assume_role_name	Name of the IAM role that the lambda will assume in the target account	string	n/a	yes
email_source	Email that will be used to send messages	string	n/a	yes
key_age_delete	Age at which a key should be deleted (e.g. 120)	number	n/a	yes
key_age_inactive	Age at which a key should be inactive (e.g. 90)	number	n/a	yes
key_age_warning	Age at which to warn (e.g. 75)	number	n/a	yes
key_use_threshold	Age at which unused keys should be deleted (e.g.30)	number	n/a	yes
accounts	List of account objects to create events for	list(object({ account_name = string account_number = string role_name = optional(string) # deprecated armed = bool debug = optional(bool, false) email_user_enabled = bool email_targets = list(string) exempt_groups = list(string) schedule_expression = optional(string, "cron(0 1 ? * SUN *)") }))	[]	no
email_admin_report_enabled	Used to enable or disable the SES emailed report	bool	false	no
email_admin_report_subject	Subject of the report email that is sent	string	null	no
email_banner_message	Messages that will be at the top of all emails sent to notify recipients of important information	string	""	no
email_banner_message_color	Color of email banner message, must be valid html color	string	"red"	no
email_tag	Tag to be placed on the IAM user that we can use to notify when their key is going to be disabled/deleted	string	"keyenforcer:email"	no
email_templates	Email templates to use for Admin and User emails	object({ admin = optional(object({ subject = optional(string, null), html = optional(string, null), text = optional(string, null), }), {}), user = optional(object({ subject = optional(string, null), html = optional(string, null), text = optional(string, null), }), {}) })	{}	no
lambda	Map of any additional arguments for the upstream lambda module. See https://github.com/terraform-aws-modules/terraform-aws-lambda	object({ artifacts_dir = optional(string, "builds") build_in_docker = optional(bool, false) create_package = optional(bool, true) ephemeral_storage_size = optional(number) ignore_source_code_hash = optional(bool, true) local_existing_package = optional(string) recreate_missing_package = optional(bool, false) runtime = optional(string, "python3.12") s3_bucket = optional(string) s3_existing_package = optional(map(string)) s3_prefix = optional(string) store_on_s3 = optional(bool, false) timeout = optional(number, 300) source_path = optional(object({ patterns = optional(list(string), ["!\.terragrunt-source-manifest"]) }), {}) })	{}	no
log_level	Log level for lambda	string	"INFO"	no
project_name	Project name to prefix resources with	string	"iam-key-enforcer"	no
s3_bucket	Bucket name to write the audit report to if s3_enabled is set to 'true'	string	null	no
s3_enabled	Set to 'true' and provide s3_bucket if the audit report should be written to S3	bool	false	no
schedule_expression	(DEPRECATED) Schedule Expressions for Rules	string	null	no
tags	Tags for resource	map(string)	{}	no

Outputs

Name	Description
lambda	The lambda module object
queue	The SQS Queue resource object