-
Riccardo, this is exactly what I was looking for! I don't have python skills (maybe in the near future), but how would I modify this for filtering by tags for users? My users aren't created with valid email addresses so changing the client's process is not likely.
-
Hi @joeyancheta, I'm glad you find this useful :-)
You probably want to change the line
filtered_users = list(filter(lambda u: u.get('PasswordLastUsed'), users))
If you have a complex policy to check, let's create a dedicated function we invoke (I haven't tested this):
def is_user_interesting(user):
    tags = user.get('Tags', [])  # default to an empty list: a user without tags may have no 'Tags' key at all
    for tag in tags:
        if tag['Key'] == 'Foo' and tag['Value'] == "Buzz":
            return True  # We found the tag we are interested in!
    return False  # If we are here, it means no tag matched, or there isn't any tag associated to the user
Then, we provide this new function to the filter invocation:
filtered_users = list(filter(is_user_interesting, users))
-
Thanks for the reply @rpadovani
Unfortunately, I am still getting an error when using your new function.
I am getting closer though. I worked with a friend and we were able to build this new function. We are getting the tags, but aren't able to get the send notifications to go out.
for keys_for_user in interesting_keys_grouped_by_user.values():
    user_name = keys_for_user[0]['UserName']
    print(user_name)
    user_details = iam_client.get_user(UserName=user_name)
    email = None
    print(user_details)
    for tag in user_details.get('Tags', []):
        if tag['Key'] == 'Email':
            email = tag['Value']
    if email is None:
        # error, the user has no email tag
        continue
    send_notification(email, keys_for_user, context.invoked_function_arn.split(":")[4])
-
@rpadovani I just wanted to give you an update on my project. We actually need to use
user_details = iam_client.list_user_tags(UserName=user_name)
to get the tags. This is the final snippet that was added to your script.
for keys_for_user in interesting_keys_grouped_by_user.values():
    user_name = keys_for_user[0]['UserName']
    print(user_name)
    user_details = iam_client.list_user_tags(UserName=user_name)
    email = None
    print(user_details)
    for tag in user_details.get('Tags', []):
        if tag['Key'] == 'CheckAccessKeyAge':
            email = tag['Value']
    if email is None:
        # error, the user has no email tag
        continue
    send_notification(email, keys_for_user, context.invoked_function_arn.split(":")[4])
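An added example (my own code, not from the thread or from Riccardo's script) that does the same tag lookup as the snippet above, but also follows list_user_tags pagination (IsTruncated/Marker) and skips users whose tag is missing or does not hold a full address, so the SES call never sees the "Missing final '@domain'" case. FakeIam and the keys_by_user shape (user name -> list of keys) are constructed assumptions for running it offline.

```python
# Added example, not code from the thread or the blog post. Assumptions: iam_client
# exposes list_user_tags(UserName=..., Marker=...) with the boto3 response shape;
# keys_by_user maps user name -> list of that user's keys to report on.
# FakeIam below is a constructed stand-in so the example runs offline.

EMAIL_TAG = "CheckAccessKeyAge"  # tag key used in the thread; change to your own

def tags_for_user(iam_client, user_name):
    """Return every tag for the user, following IsTruncated/Marker pagination."""
    tags, kwargs = [], {"UserName": user_name}
    while True:
        page = iam_client.list_user_tags(**kwargs)
        tags.extend(page.get("Tags", []))
        if not page.get("IsTruncated"):
            return tags
        kwargs["Marker"] = page["Marker"]

def valid_address(value):
    """True only for a non-empty local part plus a dotted domain (what SES requires)."""
    local, sep, domain = value.strip().partition("@")
    return bool(local) and sep == "@" and "." in domain

def notification_email(iam_client, user_name, tag_key=EMAIL_TAG):
    """Address stored in tag_key, or None if the tag is absent or not a full address."""
    for tag in tags_for_user(iam_client, user_name):
        if tag["Key"] == tag_key:
            return tag["Value"].strip() if valid_address(tag["Value"]) else None
    return None

def group_by_email(iam_client, keys_by_user):
    """Map address -> keys to notify about; users without a usable address are skipped."""
    grouped, skipped = {}, []
    for user_name, keys in keys_by_user.items():
        addr = notification_email(iam_client, user_name)
        if addr is None:
            skipped.append(user_name)  # report these separately instead of calling SES
            continue
        grouped.setdefault(addr, []).extend(keys)
    return grouped, skipped

class FakeIam:  # constructed stand-in for boto3's IAM client; 'alice' spans two pages
    PAGES = {
        ("alice", None): {"Tags": [{"Key": "Team", "Value": "sec"}], "IsTruncated": True, "Marker": "m1"},
        ("alice", "m1"): {"Tags": [{"Key": EMAIL_TAG, "Value": "alice@example.com"}], "IsTruncated": False},
        ("bob", None): {"Tags": [{"Key": EMAIL_TAG, "Value": "bob"}], "IsTruncated": False},
        ("carol", None): {"Tags": [], "IsTruncated": False},
    }

    def list_user_tags(self, UserName, Marker=None):
        return self.PAGES[(UserName, Marker)]
```

The skipped list is what you would log or report to an administrator; with a real boto3 client, replace FakeIam() with boto3.client("iam").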
-
Thanks for the update @joeyancheta, I am happy you were able to make it work for your use case :-)
-
Hi @rpadovani,
I got an error when trying to run the script in my Lambda environment. Could you please tell me if it makes sense?
Function logs:
START RequestId: 1b0e3a07-06e9-40e9-9612-6557829f41a4 Version: $LATEST
[ERROR] 2021-01-19T20:57:54.492Z 1b0e3a07-06e9-40e9-9612-6557829f41a4 Missing final '@domain'
[ERROR] 2021-01-19T20:57:54.578Z 1b0e3a07-06e9-40e9-9612-6557829f41a4 Missing final '@domain'
[ERROR] 2021-01-19T20:57:54.593Z 1b0e3a07-06e9-40e9-9612-6557829f41a4 Missing final '@domain'
Systems setup (based off your blog post): IAM, SES
-
Hi @scott178, the error seems to indicate that the usernames of your users aren't actual emails, thus the Missing final '@domain'. You can save your users' email in a tag, or if the domain is always the same, you can change line 59 from
Destination={'ToAddresses': [email]},
to
Destination={'ToAddresses': [email + "@example.com"]},
Let me know if this helps!