• Riccardo, this is exactly what I was looking for! I don't have Python skills (maybe in the near future), but how would I modify this for filtering by tags for users? My users aren't created with valid email addresses, so changing the client's process is not likely.

  • Hi @joeyancheta, I'm glad you find this useful :-)

    You probably want to change the line filtered_users = list(filter(lambda u: u.get('PasswordLastUsed'), users))

    If you have a complex policy to check, let's create a dedicated function we invoke (I haven't tested this):

        def is_user_interesting(user):
            # Tags may be absent from the user record, so default to an empty list
            # instead of iterating over None
            tags = user.get('Tags', [])

            for tag in tags:
                if tag['Key'] == 'Foo' and tag['Value'] == "Buzz":
                    return True  # We found the tag we are interested in!

            return False  # If we are here, no tag matched, or there isn't any tag associated to the user

    Then, we provide this new function to the filter invocation:

    filtered_users = list(filter(is_user_interesting, users))
  • Thanks for the reply @rpadovani

    Unfortunately, I am still getting an error when using your new function.

    I am getting closer though. I worked with a friend and we were able to build this new function. We are getting the tags, but aren't able to get the notifications to go out.

        for keys_for_user in interesting_keys_grouped_by_user.values():
          user_name = keys_for_user[0]['UserName']
          print(user_name)
          # get_user() nests the user record under 'User'; the top-level response
          # has no 'Tags' key, so the loop below never finds the tag
          user_details = iam_client.get_user(UserName=user_name)
          email = None
          print(user_details)
          for tag in user_details.get('Tags', []):
            if tag['Key'] == 'Email':
              email = tag['Value']
          if email is None:
            # error, the user has no email tag
            continue
          # the fifth ARN field of the invoking Lambda is the account ID
          send_notification(email, keys_for_user, context.invoked_function_arn.split(":")[4])
    Edited by joeyancheta
  • @rpadovani I just wanted to give you an update on my project. We actually need to use user_details = iam_client.list_user_tags(UserName=user_name) to get the tags.

    This is the final snippet that was added to your script.

        for keys_for_user in interesting_keys_grouped_by_user.values():
          user_name = keys_for_user[0]['UserName']
          print(user_name)
          # list_user_tags() returns the tags at the top level of the response
          # (paginated via IsTruncated/Marker when a user has many tags)
          user_details = iam_client.list_user_tags(UserName=user_name)
          email = None
          print(user_details)
          for tag in user_details.get('Tags', []):
            if tag['Key'] == 'CheckAccessKeyAge':
              email = tag['Value']
          if email is None:
            # error, the user has no email tag
            continue
          # the fifth ARN field of the invoking Lambda is the account ID
          send_notification(email, keys_for_user, context.invoked_function_arn.split(":")[4])
    Edited by joeyancheta
  • Thanks for the update @joeyancheta, I am happy you were able to make it work for your use case :-)

  • Hi @rpadovani,

    I got an error when trying to run the script in my Lambda environment. Could you please tell me if it makes sense?

    Function logs:
    START RequestId: 1b0e3a07-06e9-40e9-9612-6557829f41a4 Version: $LATEST
    [ERROR]	2021-01-19T20:57:54.492Z	1b0e3a07-06e9-40e9-9612-6557829f41a4	Missing final '@domain'
    [ERROR]	2021-01-19T20:57:54.578Z	1b0e3a07-06e9-40e9-9612-6557829f41a4	Missing final '@domain'
    [ERROR]	2021-01-19T20:57:54.593Z	1b0e3a07-06e9-40e9-9612-6557829f41a4	Missing final '@domain'

    Systems setup (based on your blog post): IAM, SES

  • Hi @scott178, the error seems to indicate that the usernames of your users aren't actual email addresses - thus the Missing final '@domain'. You can save your users' email in a tag, or, if the domain is always the same, you can change line 59 from Destination={'ToAddresses': [email]}, to Destination={'ToAddresses': [email + "@example.com"]},.

    Let me know if this helps!
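The two fixes discussed in this thread (reading the address from a tag via list_user_tags, and not handing SES a bare username that triggers Missing final '@domain') combined into one helper, as an added example that is not part of the original script or of any reply above. It assumes a boto3-style IAM client whose list_user_tags() returns the documented {'Tags', 'IsTruncated', 'Marker'} shape, a tag key named Email (the thread used CheckAccessKeyAge; pass your own), and an optional default domain to append to bare usernames. The FakeIamClient and SAMPLE_TAGS are constructed here so the module runs offline; the fake serves one tag per page only to exercise the pagination path.

```python
"""Resolve a notification address for an IAM user from its tags.

Added example for this discussion, not code from the original script. It
assumes a boto3-style IAM client exposing list_user_tags() with the documented
response shape ({'Tags': [...], 'IsTruncated': bool, 'Marker': str}).
"""
from typing import Iterable, Optional

EMAIL_TAG_KEY = "Email"  # assumed tag key; the thread above used 'CheckAccessKeyAge'


def iter_user_tags(iam_client, user_name: str) -> Iterable[dict]:
    """Yield every tag on a user, following IsTruncated/Marker pagination.

    A single .get('Tags', []) on the first page silently drops any tags
    that the API returned on later pages.
    """
    kwargs = {"UserName": user_name}
    while True:
        page = iam_client.list_user_tags(**kwargs)
        yield from page.get("Tags", [])
        if not page.get("IsTruncated"):
            return
        kwargs["Marker"] = page["Marker"]


def tag_value(tags: Iterable[dict], key: str) -> Optional[str]:
    """Return the value of the first tag whose Key matches, else None."""
    for tag in tags:
        if tag.get("Key") == key:
            return tag.get("Value")
    return None


def looks_like_address(value: Optional[str]) -> bool:
    """Cheap sanity check for the shape SES rejected in the thread:
    exactly one '@' with a non-empty local part and a non-empty domain."""
    if not value or value.count("@") != 1:
        return False
    local, domain = value.split("@")
    return bool(local) and bool(domain)


def resolve_notification_address(iam_client, user_name: str,
                                 tag_key: str = EMAIL_TAG_KEY,
                                 default_domain: Optional[str] = None) -> Optional[str]:
    """Pick the address to notify for user_name, in order of preference:

    1. the value of the tag named tag_key, if it is a usable address;
    2. the user name itself, if it already is an address;
    3. user_name + '@' + default_domain, if a default domain was given.

    Returns None when none of these yields a usable address, so the caller
    can skip the user instead of sending SES an address it will reject.
    """
    tagged = tag_value(iter_user_tags(iam_client, user_name), tag_key)
    if looks_like_address(tagged):
        return tagged
    if looks_like_address(user_name):
        return user_name
    if default_domain:
        candidate = f"{user_name}@{default_domain}"
        if looks_like_address(candidate):
            return candidate
    return None


class FakeIamClient:
    """Constructed stand-in for boto3's IAM client: serves list_user_tags
    from a dict, one tag per page, to exercise the pagination path."""

    def __init__(self, tags_by_user: dict):
        self._tags = tags_by_user

    def list_user_tags(self, UserName: str, Marker: str = "0", MaxItems: int = 1):
        tags = self._tags.get(UserName, [])
        start = int(Marker)
        end = start + MaxItems
        page = {"Tags": tags[start:end], "IsTruncated": end < len(tags)}
        if page["IsTruncated"]:
            page["Marker"] = str(end)
        return page


# Constructed sample data: one user whose address sits on the second page of
# tags, one service user with a bare name, one whose user name is an address.
SAMPLE_TAGS = {
    "alice": [{"Key": "Team", "Value": "platform"},
              {"Key": "Email", "Value": "alice@example.com"}],
    "svc-backup": [{"Key": "Team", "Value": "ops"}],
    "bob@example.com": [],
}
fake_iam = FakeIamClient(SAMPLE_TAGS)


if __name__ == "__main__":
    for name in SAMPLE_TAGS:
        print(name, "->", resolve_notification_address(fake_iam, name, default_domain="example.com"))
```

In the Lambda, replace fake_iam with the real boto3 IAM client and call resolve_notification_address() where the snippets above build the email variable; a None return is the signal to skip the user, which keeps the SES call from failing on every user that has neither a tag nor an address-shaped name.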
