Testing your AWS IAM Users for Activity using Lambda

Recently we’ve been going through our AWS account security for compliance reasons. We needed a process that deactivates accounts that are not active for a certain amount of time. I knew I wanted to use something on Lambda to have it run on a schedule for me automatically, but I wasn’t impressed with what I could find online (most only worked on password date).

Here’s what I came up with.

This Python script will go through your IAM users that have passwords and check the last time they used their password. After that it will check the last time they used their access keys. We have developers that don't often log in to the AWS console, but use their access keys every day. We don't want to deactivate actively used keys.
Feel free to change this as you see fit. The item you should pay the most attention to is notOkayDays. That variable is the inactivity threshold, in days: a user whose password and keys have all gone unused for longer than that is deactivated.
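The script itself is not reproduced on this page, so here is an added example (my code, not the author's) of the logic the post describes: a pure decision function that takes the most recent of password and access-key use and compares it to notOkayDays, plus a Lambda handler that gathers the data with boto3. It assumes "deactivate" means deleting the console login profile and setting the user's access keys to Inactive, and treats a user who has never used anything as active since creation; the record shape and sample values are constructed.

```python
from datetime import datetime, timedelta, timezone

NOT_OKAY_DAYS = 90  # inactivity threshold, the post's notOkayDays (value assumed)


def last_activity(user):
    """Most recent password or access-key use for one user record.

    `user` is a plain dict in a constructed shape (not boto3's):
      {"name": str, "created": datetime, "password_last_used": datetime | None,
       "keys": [(access_key_id, last_used_datetime_or_None), ...]}
    A user who has never used anything counts as active since creation,
    so a brand-new account is not deactivated on its first day.
    """
    stamps = [user.get("password_last_used")] + [t for _, t in user.get("keys", [])]
    stamps = [t for t in stamps if t is not None]
    return max(stamps) if stamps else user["created"]


def inactive_users(users, now, not_okay_days=NOT_OKAY_DAYS):
    """Names of users whose last activity is older than the threshold (order preserved)."""
    cutoff = now - timedelta(days=not_okay_days)
    return [u["name"] for u in users if last_activity(u) < cutoff]


def fetch_password_users(iam):
    """Build records for every IAM user that has a console password (iam: boto3 client)."""
    users = []
    for u in iam.get_paginator("list_users").paginate().build_full_result()["Users"]:
        try:
            iam.get_login_profile(UserName=u["UserName"])  # no login profile == no password
        except iam.exceptions.NoSuchEntityException:
            continue
        keys = []
        for k in iam.list_access_keys(UserName=u["UserName"])["AccessKeyMetadata"]:
            used = iam.get_access_key_last_used(AccessKeyId=k["AccessKeyId"])["AccessKeyLastUsed"]
            keys.append((k["AccessKeyId"], used.get("LastUsedDate")))  # LastUsedDate absent if never used
        users.append({"name": u["UserName"], "created": u["CreateDate"],
                      "password_last_used": u.get("PasswordLastUsed"), "keys": keys})
    return users


def lambda_handler(event, context):
    import boto3  # imported here so the decision logic above runs without boto3 installed
    iam = boto3.client("iam")
    stale = inactive_users(fetch_password_users(iam), datetime.now(timezone.utc))
    for name in stale:
        iam.delete_login_profile(UserName=name)  # removes the console password
        for k in iam.list_access_keys(UserName=name)["AccessKeyMetadata"]:
            iam.update_access_key(UserName=name, AccessKeyId=k["AccessKeyId"], Status="Inactive")
    return {"deactivated": stale}
```

The Lambda's execution role needs iam:ListUsers, iam:GetLoginProfile, iam:ListAccessKeys, iam:GetAccessKeyLastUsed, iam:DeleteLoginProfile and iam:UpdateAccessKey; run it once with the deactivation calls commented out to review what it would touch before scheduling it.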
