A serverless AWS CDK stack that enforces IAM access key rotation using an AWS Config Rule and automates credential revocation via AWS Systems Manager (SSM) Automation.
This AWS CDK stack sets up an AWS Config Rule to monitor and enforce the rotation of IAM access keys, ensuring they are rotated within a specified timeframe (default: 60 days). It also configures an SSM Automation document to revoke unused IAM user credentials, triggered by Config Rule violations. The solution enhances security by automating key management and revocation processes.
- Access Key Rotation: Enforces rotation of IAM access keys using an AWS Config managed rule.
- Automated Revocation: Uses SSM Automation to revoke unused credentials based on Config Rule violations.
- Customizable Rules: Allows modification of the rotation interval (e.g., `maxAccessKeyAge`) and SSM permissions.
- CDK-Based: Infrastructure defined and deployed using AWS Cloud Development Kit (CDK).
- Security Focused: Improves account security by monitoring and managing IAM credentials.
- AWS CLI: Installed and configured with appropriate credentials.
- Node.js: Required for AWS CDK (version 14 or higher recommended).
- AWS Account: With permissions to create Config Rules, SSM Automation documents, and IAM roles.
- Creates an AWS Config managed rule to check if IAM access keys have been rotated within a specified timeframe.
- Default rotation period is 60 days; modify `maxAccessKeyAge` in the `AccessKeysRotationStack` constructor to adjust this interval.
- Sets up an SSM Automation document to revoke IAM user credentials unused for a specified period.
- Triggered by AWS Config Rule violations.
- IAM Role: Creates `SsmAutomationRole` for the `ssm.amazonaws.com` service principal, with an inline policy granting IAM actions and `config:ListDiscoveredResources` permissions. Customize `ssmAutomationPolicy` in the constructor for specific permissions.
- Remediation Configuration: Defined by `MyCfnRemediationConfiguration`, linking the Config Rule (`managedRule.configRuleName`) and the SSM document as the target type. The `parameters` object includes the IAM user ARN and the maximum credential age.
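As an added example (not the project's own code), the following Python models the two decisions the stack automates: the rotation check the Config managed rule makes against `maxAccessKeyAge`, and a dry-run revocation plan for one user built from the same two inputs the remediation passes to the SSM document (IAM user ARN, maximum credential age). The key records, dates, placeholder key IDs and the exact compliance boundary are constructed assumptions, not AWS's published semantics.

```python
from datetime import datetime, timedelta, timezone

MAX_ACCESS_KEY_AGE = 60  # days; the stack's default maxAccessKeyAge

# Constructed sample shaped like `aws iam list-access-keys` output plus the
# LastUsedDate from `aws iam get-access-key-last-used`. Key IDs are placeholders.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
KEYS = [
    {"UserName": "alice", "AccessKeyId": "AKIA-EXAMPLE-1", "Status": "Active",
     "CreateDate": NOW - timedelta(days=10), "LastUsedDate": NOW - timedelta(days=1)},
    {"UserName": "alice", "AccessKeyId": "AKIA-EXAMPLE-2", "Status": "Active",
     "CreateDate": NOW - timedelta(days=90), "LastUsedDate": NOW - timedelta(days=75)},
    {"UserName": "bob", "AccessKeyId": "AKIA-EXAMPLE-3", "Status": "Inactive",
     "CreateDate": NOW - timedelta(days=400), "LastUsedDate": None},
    {"UserName": "carol", "AccessKeyId": "AKIA-EXAMPLE-4", "Status": "Active",
     "CreateDate": NOW - timedelta(days=60), "LastUsedDate": NOW - timedelta(days=59)},
    {"UserName": "dave", "AccessKeyId": "AKIA-EXAMPLE-5", "Status": "Active",
     "CreateDate": NOW - timedelta(days=100), "LastUsedDate": NOW - timedelta(days=2)},
]

def days_since(when, now=NOW):
    """Whole days since `when`; a key that was never used counts as infinitely old."""
    return float("inf") if when is None else (now - when).days

def evaluate_rotation(keys, max_age=MAX_ACCESS_KEY_AGE, now=NOW):
    """Per-user verdict in the style of the access-key rotation managed rule:
    NON_COMPLIANT when any Active key was created more than max_age days ago.
    Inactive keys are ignored. Assumption: a key exactly max_age days old is
    still compliant; the real rule's boundary handling is not modelled here."""
    verdict = {}
    for k in keys:
        verdict.setdefault(k["UserName"], "COMPLIANT")
        if k["Status"] == "Active" and days_since(k["CreateDate"], now) > max_age:
            verdict[k["UserName"]] = "NON_COMPLIANT"
    return verdict

def plan_revocation(keys, iam_user_arn, max_age=MAX_ACCESS_KEY_AGE, now=NOW):
    """Dry run of the remediation for one user. Returns the update-access-key calls
    it would make: every Active key of that user older than max_age that has also
    gone unused for more than max_age days. A stale key still in use is listed for
    manual rotation instead, so remediation does not break a live workload."""
    user = iam_user_arn.rsplit("/", 1)[-1]  # arn:aws:iam::123456789012:user/alice -> alice
    revoke, rotate = [], []
    for k in keys:
        if k["UserName"] != user or k["Status"] != "Active":
            continue
        if days_since(k["CreateDate"], now) > max_age:
            if days_since(k["LastUsedDate"], now) > max_age:
                revoke.append(["aws", "iam", "update-access-key", "--access-key-id",
                               k["AccessKeyId"], "--status", "Inactive", "--user-name", user])
            else:
                rotate.append(k["AccessKeyId"])
    return {"revoke": revoke, "rotate_manually": rotate}
```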
- Clone the repository and navigate to the project directory:

```sh
git clone https://github.com/username/repo.git
cd aws-cdk-access-keys-rotation-stack
```

- Install dependencies:

```sh
npm install
```

- Deploy the stack:

```sh
cdk deploy
```
- Test access key revocation (optional):

```sh
aws iam update-access-key --access-key-id <Access key ID> --status Inactive --user-name <IAM user name>
```

- Replace `<Access key ID>` and `<IAM user name>` with valid values.
To remove the stack and its resources from your AWS account:

```sh
cdk destroy
```