Users who haven't accessed AWS for an extended time
To better control access to your cloud infrastructure, you want to review who has access and how frequently or infrequently they have accessed the system. You also want to see accounts created for employees who are no longer with the company or no longer in the organization where cloud access is needed.
Data required
AWS: Description data
Procedure
- Configure the Splunk Add-on for Amazon Web Services.
- Ensure that your deployment is ingesting AWS data through one of the following methods:
- Pulling the data from Splunk via AWS APIs. At small scale, pull via the AWS APIs will work.
- Pushing the data from AWS into Splunk via Lambda/Firehose to Splunk HTTP event collector. As the size and scale of either your AWS accounts or the amount of data to be collected grows, pushing data from AWS into the Splunk platform is the easier and more scalable method.
- Run the following search:
sourcetype="aws:description" source="*:iam_users" |dedup Arn sortby -_time |spath output=AccessKeys path=AccessKeys{} |eval AccessKeys=mvfilter(match(AccessKeys,".*\"Status\": \"Active\",*")) |fields account_id UserName AccessKeys PasswordLastUsed |mvexpand AccessKeys |rex field=AccessKeys ".*LastUsedDate\": \"(?<LastUsedDate>[^\"]*)" |eval ak_used_day=strptime(LastUsedDate,"%FT%T"), ps_used_day=strptime(PasswordLastUsed,"%FT%T"), recent_used_day=max(ak_used_day,ps_used_day), diff_days=((now() - recent_used_day) / 86400) |stats min(diff_days) AS no_used_days BY UserName, account_id |eval no_used_days=round(no_used_days) |where (no_used_days > 30) |eval insight="User unused for extended period of time. (".no_used_days." days since last access)" |sort - no_used_days |table account_id UserName insight
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
|
|
Search only your iam users and filter by description data. |
|
|
Remove duplicate instances by Amazon resource name (Arn) and sort the remaining results with the most recent instances first. |
|
|
Parse the JSON data and obtain the list of access keys configured for each user. |
|
|
Filter the list to return only active access keys by matching on |
|
|
Show only the fields listed. |
|
|
Create a row for each access key record for each user. |
|
|
Extract and parse the timestamp for the last time the access key was used. |
|
|
Determine the most recent access time for each user and filter the results to only users who have not accessed AWS in 30 or more days. |
|
|
Run the min aggregate function on |
|
|
Round the results to whole days and store in the |
|
|
Filter results to return only those where the number of unused days is greater than 30. |
|
|
Create the insight field for the result and concatenate the calculated days into the string. |
|
|
Sort the list by users who have accessed AWS least recently first. |
|
|
Display the results in a table with columns in the order shown. |
Next steps
Sample results for this search are shown in the table below. The user name and the amount of time since last seen is displayed. To prevent accidental misconfigurations or security concerns, a good practice is to revoke access for users who access cloud infrastructure on an infrequent basis.
account_id |
UserName |
insight |
|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The AWS app does a similar search for lack of use by users and provides additional insight for lack of password policy, IAM access key rotation, and password reuse not prevented. These can be found by navigating to Insights > IAM Insights > Insights Filter.
You might also be interested in other processes associated with the Managing an Amazon Web Services environment use case.