@ljmocic
Created October 10, 2020 13:23
import datetime
import csv
import boto3
from boto3.session import Session
# Age threshold in days: an *active* access key created at least this many
# days ago is reported by access_key_older_than / main.
MAX_DAYS_OLD: int = 15
def access_key_older_than(iam, user, days_old_access_key):
    """Report whether *user* holds an active access key at least *days_old_access_key* days old.

    Args:
        iam: boto3 IAM client used for ``list_access_keys``.
        user: IAM user name to inspect.
        days_old_access_key: age threshold in days (inclusive).

    Returns:
        True as soon as one active key meets the threshold; that key's user
        name, key id and age in days are printed as one comma-separated line.
        False when no active key is that old (inactive keys are ignored
        regardless of age).
    """
    listing = iam.list_access_keys(UserName=user)
    # A user may hold several keys; the first stale active one decides.
    for meta in listing['AccessKeyMetadata']:
        if meta['Status'] != 'Active':
            continue
        age_days = time_diff(meta['CreateDate'])
        if age_days < days_old_access_key:
            continue
        print(meta['UserName'], meta['AccessKeyId'], age_days, sep=',')
        return True
    return False
def time_diff(key_created_time):
    """Return the whole number of days elapsed since *key_created_time*.

    Args:
        key_created_time: timezone-aware datetime (boto3 returns aware
            ``CreateDate`` values); a naive datetime makes the subtraction
            raise TypeError.

    Returns:
        ``(now_utc - key_created_time).days``; negative for timestamps in the
        future, 0 for anything less than a full day old.
    """
    utc_now = datetime.datetime.now(datetime.timezone.utc)
    return (utc_now - key_created_time).days
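def assume_role(arn, session_name):
    """Assume the IAM role *arn* and return a Session holding its temporary credentials.

    The original version built the session and then dropped it, so a caller
    could never actually act as the assumed role; the session is now returned
    (callers that ignored the previous ``None`` result are unaffected).

    Args:
        arn: ARN of the role to assume.
        session_name: RoleSessionName recorded for the assumed-role session.

    Returns:
        boto3.session.Session built from the AssumeRole credentials (access
        key id, secret key and session token).

    Raises:
        Whatever botocore raises when the call is refused (typically
        ``ClientError``); nothing is caught here.
    """
    sts = boto3.client('sts')
    # Identity of the caller before the role switch.
    print(sts.get_caller_identity()["Account"])
    response = sts.assume_role(RoleArn=arn, RoleSessionName=session_name)
    creds = response['Credentials']
    session = Session(aws_access_key_id=creds['AccessKeyId'],
                      aws_secret_access_key=creds['SecretAccessKey'],
                      aws_session_token=creds['SessionToken'])
    # Identity after the switch, showing the temporary credentials resolve
    # to the target account.
    print(session.client('sts').get_caller_identity()["Account"])
    return session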
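def main(aws_account, max_days_old=None):
    """Write a CSV of IAM users that hold an active access key older than the threshold.

    Args:
        aws_account: mapping with ``ACCESS_KEY`` and ``SECRET_KEY`` used to
            build the IAM client (long-lived credentials).
        max_days_old: age threshold in days; ``None`` selects ``MAX_DAYS_OLD``.

    Side effects:
        Calls ``assume_role`` for every entry of ``roles`` (its result is
        discarded here), prints one line per stale key, and writes
        ``report-<ACCESS_KEY>.csv`` with one ``UserName,Arn`` row per user.
    """
    if max_days_old is None:
        max_days_old = MAX_DAYS_OLD
    # Placeholder entries: assume_role will fail until real ARNs are filled in.
    roles = [
        {
            "arn": "replace_this",
            "session_name": "replace_this"
        },
        {
            "arn": "replace_this",
            "session_name": "replace_this"
        },
    ]
    for role in roles:
        assume_role(role['arn'], role['session_name'])
    iam = boto3.client(
        'iam',
        aws_access_key_id=aws_account['ACCESS_KEY'],
        aws_secret_access_key=aws_account['SECRET_KEY'],
    )
    # list_users is paginated: the previous single MaxItems=300 call silently
    # skipped every user beyond the first page, so their stale keys were
    # never reported. The paginator walks all pages.
    user_pages = iam.get_paginator('list_users').paginate()
    # NOTE: the file name embeds the access key id that produced the report;
    # prefer a name derived from the account id or a timestamp if the file
    # leaves this host.
    report_path = 'report-' + aws_account['ACCESS_KEY'] + '.csv'
    with open(report_path, 'w', encoding='utf-8', newline='') as f:
        writer = csv.writer(f, delimiter=',', quoting=csv.QUOTE_ALL)
        for page in user_pages:
            for user in page['Users']:
                if access_key_older_than(iam, user['UserName'], max_days_old):
                    writer.writerow([user['UserName'], user['Arn']])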