Skip to main content
Splunk Lantern

Users who haven't accessed AWS for an extended time

You might want to know which users are not actively using your AWS cloud infrastructure when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

To better control access to your cloud infrastructure, you want to review who has access and how frequently or infrequently they have accessed the system. You also want to see accounts created for employees who are no longer with the company or no longer in the organization where cloud access is needed. 

To optimize the search shown below, you should specify an index and a time range.

  1. Run the following search: 
sourcetype="aws:description" source="*:iam_users" 
|dedup Arn sortby -_time 
|spath output=AccessKeys path=AccessKeys{} 
|eval AccessKeys=mvfilter(match(AccessKeys,".*\"Status\": \"Active\",*")) 
|fields account_id UserName AccessKeys PasswordLastUsed 
|mvexpand AccessKeys 
|rex field=AccessKeys ".*LastUsedDate\": \"(?<LastUsedDate>[^\"]*)" 
|eval ak_used_day=strptime(LastUsedDate,"%FT%T"), ps_used_day=strptime(PasswordLastUsed,"%FT%T"), recent_used_day=max(ak_used_day,ps_used_day), diff_days=((now() - recent_used_day) / 86400) 
|stats min(diff_days) AS no_used_days BY UserName, account_id 
|eval no_used_days=round(no_used_days) 
|where (no_used_days > 30) 
|eval insight="User unused for extended period of time. (".no_used_days." days since last access)"
|sort - no_used_days
|table account_id UserName insight

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

sourcetype="aws:description"
source="*:iam_users" 

Search only your iam users and filter by description data.

|dedup Arn sortby -_time

Remove duplicate instances by Amazon resource name (Arn) and sort the remaining results with the most recent instances first. 

|spath output=AccessKeys path=AccessKeys{} 

Parse the JSON data and obtain the list of access keys configured for each user. 

|eval AccessKeys=mvfilter(match(AccessKeys,".*\"Status\": \"Active\",*"))

Filter the list to return only active access keys by matching on “Status: Active” in the AccessKeys JSON text.  

|fields account_id UserName AccessKeys PasswordLastUsed

Show only the fields listed.

|mvexpand AccessKeys

Create a row for each access key record for each user.

|rex field=AccessKeys ".*LastUsedDate\": \"(?<LastUsedDate>[^\"]*)"

Extract and parse the timestamp for the last time the access key was used. 

|eval ak_used_day=strptime(LastUsedDate,"%FT%T"), ps_used_day=strptime(PasswordLastUsed,"%FT%T"), recent_used_day=max(ak_used_day,ps_used_day), diff_days=((now() - recent_used_day) / 86400) 

Determine the most recent access time for each user and filter the results to only users who have not accessed AWS in 30 or more days. 

|stats min(diff_days) AS no_used_days BY UserName, account_id

Run the min aggregate function on diff_days to return the lowest value for each user.

|eval no_used_days=round(no_used_days) 

Round the results to whole days and store in the no_used_days field. 

|where (no_used_days > 30)

Filter results to return only those where the number of unused days is greater than 30.

|eval insight="User unused for extended period of time. (".no_used_days." days since last access)"

Create the insight field for the result and concatenate the calculated days into the string.

|sort - no_used_days

Sort the list by users who have accessed AWS least recently first. 

|table account_id UserName insight

Display the results in a table with columns in the order shown.

Result

Sample results for this search are shown in the table below. The user name and the amount of time since last seen is displayed. To prevent accidental misconfigurations or security concerns, a good practice is to revoke access for users who access cloud infrastructure on an infrequent basis. 

account_id UserName insight

63605715280

yzhu

User unused for extended period of time. (1684 days since last access)

63605715280

zhouz

User unused for extended period of time. (1486 days since last access)

63605715280

yang_cao

User unused for extended period of time. (1451 days since last access)

63605715280

yfu

User unused for extended period of time. (1383 days since last access)

The AWS app does a similar search for lack of use by users and provides additional insight for lack of password policy, IAM access key rotation, and password reuse not prevented. These can be found by navigating to Insights > IAM Insights  > Insights Filter.

  • Was this article helpful?