Terraform module which creates all necessary resources to rotate the access keys of all IAM users in a single AWS account. This module is derived from the official AWS documentation for automatically rotating IAM user access keys at scale with AWS Organizations, but modified specifically for single-account use. The module can also exempt IAM users whose keys should not be rotated (via an IAM exemption group) as well as force rotation of specific users' keys.
Prerequisites:

- Email template bucket: the bucket whose name you pass as the s3_bucket_name input must already exist, and the HTML email templates must be uploaded under the s3_bucket_prefix/Template/ path in that bucket (see the email_template_audit and email_template_enforce inputs).
- Amazon Simple Email Service (Amazon SES) moved out of the sandbox. While SES is in the sandbox it can only deliver to verified addresses, so the notifier cannot reach arbitrary IAM users.
  - First create a verified email identity:
    - Open the AWS Management Console and go to SES (Simple Email Service).
    - Click Verified identities in the left tab, then Create identity.
    - Select Email address and enter the address you want to verify. This address is used as the From address of the notification emails (the admin_email_address input), so you need access to its mailbox to complete verification. Click Create identity.
    - Verify the address: open the email you receive from AWS and click the verification link. Once clicked, the identity is shown as verified in the console.
  - Now that one identity is verified, request that SES be moved out of the sandbox. Until it is, you cannot send email to addresses that are not themselves verified.
    - Go to Account dashboard in the left tab.
    - Click View Get set up page, then Request production access.
    - Fill in the form with the relevant details:
      - Mail type: transactional
      - Website URL: https://www.yourwebsite.com/
      - Use case description: IAM auto rotation emails
      - Add an additional contact if necessary.
      - Acknowledge the terms and click Submit request.
  - SES is moved out of the sandbox as soon as AWS approves the request. Once out of the sandbox, you can send email from Amazon SES to any recipient address.
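The console steps above can be checked programmatically before running terraform apply. The following is an added example, not part of this module: it encodes the prerequisites (bucket and template objects present, From address verified in SES, and SES out of the sandbox or every recipient verified) as a pure check over data shaped like the boto3 sesv2 GetEmailIdentity / GetAccount responses, plus an optional live gatherer. The field names VerifiedForSendingStatus and ProductionAccessEnabled are the ones those APIs return; the bucket, prefix, template and address values in the sample are constructed placeholders.

```python
"""Preflight for the module's prerequisites.
Added example, not part of the module; boto3 is assumed for the live checks only."""
from typing import Dict, List


def template_key(prefix: str, template_name: str) -> str:
    """Object key the Notifier expects: '<s3_bucket_prefix>/Template/<template_name>'."""
    return f"{prefix.strip('/')}/Template/{template_name}"


def check_prerequisites(bucket_exists: bool,
                        templates_present: Dict[str, bool],
                        identity: dict,
                        account: dict,
                        recipients_verified: Dict[str, bool]) -> List[str]:
    """Return a list of problems; an empty list means the prerequisites are met.

    identity / account are dicts shaped like the sesv2 GetEmailIdentity / GetAccount
    responses (only VerifiedForSendingStatus and ProductionAccessEnabled are read).
    recipients_verified maps each recipient_emails entry to its verification state.
    """
    problems = []
    if not bucket_exists:
        problems.append("s3_bucket_name bucket does not exist")
    for key, present in templates_present.items():
        if not present:
            problems.append(f"email template missing at {key}")
    if not identity.get("VerifiedForSendingStatus", False):
        problems.append("admin_email_address is not a verified SES identity")
    if not account.get("ProductionAccessEnabled", False):
        # Sandbox rule: SES only delivers to verified addresses until production access is granted.
        unverified = sorted(r for r, ok in recipients_verified.items() if not ok)
        if unverified:
            problems.append("SES is in the sandbox; unverified recipients: " + ", ".join(unverified))
    return problems


def run_live_checks(region, bucket, prefix, template_names, admin_email, recipients):
    """Gather the inputs for check_prerequisites from AWS (needs credentials and boto3)."""
    import boto3
    from botocore.exceptions import ClientError

    s3 = boto3.client("s3", region_name=region)
    ses = boto3.client("sesv2", region_name=region)

    def exists(**kwargs):
        try:
            s3.head_object(**kwargs) if "Key" in kwargs else s3.head_bucket(**kwargs)
            return True
        except ClientError:
            return False

    def verified(address):
        try:
            return bool(ses.get_email_identity(EmailIdentity=address)["VerifiedForSendingStatus"])
        except ClientError:  # identity was never created
            return False

    bucket_ok = exists(Bucket=bucket)
    templates = {template_key(prefix, t): bucket_ok and exists(Bucket=bucket, Key=template_key(prefix, t))
                 for t in template_names}
    identity = {"VerifiedForSendingStatus": verified(admin_email)}
    account = ses.get_account()
    recipients_verified = {r: verified(r) for r in recipients}
    return check_prerequisites(bucket_ok, templates, identity, account, recipients_verified)


# Constructed sample (no AWS calls): a sandboxed account with one unverified recipient.
SAMPLE_PROBLEMS = check_prerequisites(
    bucket_exists=True,
    templates_present={template_key("asa-iam-rotation", "iam-auto-key-rotation-enforcement.html"): True},
    identity={"VerifiedForSendingStatus": True},
    account={"ProductionAccessEnabled": False},
    recipients_verified={"alice@example.com": True, "bob@example.com": False},
)

if __name__ == "__main__":
    for p in SAMPLE_PROBLEMS:
        print("NOT READY:", p)
```

Run it with your own values through run_live_checks (for example region, bucket, prefix, the two template file names, admin_email_address and recipient_emails) and refuse to apply while the returned list is non-empty.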
Usage:

```hcl
terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

module "iam-auto-rotation" {
  # SSH source; for HTTPS use "github.com/pyradd/iam-auto-rotation.git?ref=v1.0.0"
  source = "git@github.com:pyradd/iam-auto-rotation.git?ref=v1.0.0"

  s3_bucket_name      = "<S3-BUCKET-NAME>"   # must already exist (see prerequisites)
  admin_email_address = "<ADMIN-EMAIL>"      # verified SES identity, used as the From address
  recipient_emails    = ["<RECIPIENT-EMAIL-1>", "<RECIPIENT-EMAIL-2>"] # list(string)
  resource_owner_tag  = "<OWNER-TAG-KEY>"    # listed as required in the inputs table

  ### for a full list of variables, have a look at variables.tf file ###
}
```
Requirements:

Name | Version |
---|---|
terraform | >= 1.0 |
aws | >= 5.0 |
Providers:

Name | Version |
---|---|
archive | 2.4.0 |
aws | 5.24.0 |
No modules.
Inputs:

Name | Description | Type | Default | Required |
---|---|---|---|---|
admin_email_address | Email address used in the From ('sent from') field of the notification emails. Must be a verified email identity in Simple Email Service. | string | n/a | yes |
credential_replication_regions | Comma-separated list of regions to which the credentials (Secrets Manager secrets) are replicated, e.g. us-east-2,us-west-1,us-west-2. Omit the region where you are deploying the module. | string | "" | no |
dry_run_flag | Enables/disables key rotation. "True" only sends notifications to end users (Audit Mode). "False" performs key rotation and sends notifications to end users (Remediation Mode). | string | "False" | no |
email_template_audit | File name of the HTML email template sent by the Notifier module in Audit Mode. Must be located at '<s3_bucket_prefix>/Template/<template_name>.html' in the bucket. | string | "iam-auto-key-rotation-enforcement.html" | no |
email_template_enforce | File name of the HTML email template sent by the Notifier module in Enforce Mode. Must be located at '<s3_bucket_prefix>/Template/<template_name>.html' in the bucket. | string | "iam-auto-key-rotation-enforcement.html" | no |
execution_role_name | Name of the IAM execution role that assumes the sub-account role for Lambda execution. | string | "asa-iam-key-rotation-lambda-execution-role" | no |
iam_exemption_group | Manage key rotation exemptions via an IAM group: name of the group whose member users are excluded from automatic key rotation. | string | "IAMKeyRotationExemptionGroup" | no |
iam_role_name | Name of the IAM role assumed by the main ASA-iam-key-auto-rotation-and-notifier-solution.yaml CloudFormation template. | string | "asa-iam-key-rotation-lambda-execution-role" | no |
inactive_buffer | Grace period (in days) between rotation and deactivation of a key. | string | 10 | no |
inactive_period | Number of days after which keys that have been rotated are deactivated (must be greater than rotation_period). | string | 100 | no |
recipient_emails | List of recipient email addresses. | list(string) | n/a | yes |
recovery_grace_period | Grace period (in days) between deactivation and deletion of a key. | string | 10 | no |
resource_owner_tag | (Optional) Tag key used to indicate the owner of an IAM user resource. | string | n/a | yes |
rotation_period | Number of days after which a key should be rotated (the old key moves from active towards inactive). | string | 90 | no |
s3_bucket_name | Name of the S3 bucket where the code is located; see the bucket naming rules at https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html | string | n/a | yes |
s3_bucket_prefix | Prefix (directory) under which resources are stored in the bucket. | string | "asa-iam-rotation" | no |
No outputs.