Nagios plugin for checking that all AWS IAM login users have MFA
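#!/bin/bash
# Nagios plugin: CRITICAL when any IAM user with a console password (or the
# root account, shown as ROOT) has no MFA device, or when the credential
# report AWS hands back is older than max_rep_age.
#
# Exit codes follow the Nagios convention: 0 OK, 2 CRITICAL, 3 UNKNOWN.
# Needs the aws CLI (iam:GenerateCredentialReport, iam:GetCredentialReport)
# and GNU date (`date -d`).
#
# for debugging:
# aws iam generate-credential-report
# NOTE: generate will work only once every 4 hours - http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html
# aws iam get-credential-report --output text | awk '{print $1}' | base64 -d | head -1 | sed 's#,#\n#g' | cat -n
# aws iam get-credential-report --output text | awk '{print $1}' | base64 -d | awk -F, '{print $1, $4, $5, $8, $9, $14, $19, $21}' | column -t

# No -e: every step that matters is checked explicitly below so that a plugin
# failure always ends in UNKNOWN rather than in a silent OK or a bare bash error.
set -uo pipefail

# Reports older than this (seconds) are reported as CRITICAL; AWS regenerates
# at most once every 4 hours, so 5 hours leaves one hour of slack.
readonly max_rep_age=$((5*60*60))

#######################################
# Print a Nagios UNKNOWN line and exit 3.
# Arguments: $* - reason
# Outputs:   one line on stdout
#######################################
unknown() {
  printf 'UNKNOWN - %s\n' "$*"
  exit 3
}

# A stray PYTHONPATH can break the (Python-based) aws CLI.
unset PYTHONPATH

# Ask for a fresh report. Failure is expected when AWS throttles generation
# (once per 4h), so the status is ignored and the latest report is used.
aws iam generate-credential-report &>/dev/null || true
#sleep 10

# Text output is "<base64 csv> <generated time> <mime type>" on one line.
raw=$(aws iam get-credential-report --output text) \
  || unknown "aws iam get-credential-report failed (report may still be generating)"
read -r report rep_time _ <<< "$raw"
# An empty report must not fall through to "Scanned 0 users ... OK".
[ -n "$report" ] && [ -n "$rep_time" ] \
  || unknown "empty credential report returned"

now=$(date +%s)
rep_epoch=$(date -d "$rep_time" +%s) \
  || unknown "cannot parse report time '$rep_time'"
rep_age=$((now - rep_epoch))

# Keep user, password_last_used and mfa_active (columns 1, 5, 8 per the
# header printed by the debugging command above) for rows whose column 5
# is not "N/A" — presumably the accounts that have a console password;
# confirm against the report header. The root account row becomes ROOT.
table=$(printf '%s\n' "$report" | base64 -d | sed 's#<root_account>#ROOT#' \
  | awk -F, '$5!="N/A"{print $1, $5, $8}') \
  || unknown "cannot decode credential report"

cnt=0
bad=0
no_mfa=""   # comma-separated list of users without MFA, built as found
# The first row of $table is the CSV header, hence `sed 1d`.
while read -r user _ mfa; do
  cnt=$((cnt + 1))
  if [ "$mfa" != true ]; then
    no_mfa="${no_mfa:+$no_mfa, }$user"
    bad=$((bad + 1))
  fi
done < <(printf '%s\n' "$table" | sed 1d)
# At least the root row is expected; zero rows means the report was unusable.
[ "$cnt" -gt 0 ] || unknown "no login users found in credential report"

# Long output: the aligned table, wrapped in <pre> for HTML-rendering UIs.
table="<pre>$(printf '%s\n' "$table" | column -t)</pre>"
rep_age_min=$((rep_age / 60))
max_rep_age_min=$((max_rep_age / 60))
perf_data="| no_mfa=$bad;1;1; login_user=$cnt; report_age_minutes=$rep_age_min;$max_rep_age_min;$max_rep_age_min;"

# Missing MFA wins over report age: a stale report still proves a gap existed.
if [ "$bad" -ne 0 ]; then
  echo "CRITICAL - Scanned $cnt login users, found $bad without MFA: $no_mfa (report age is $rep_age_min minutes) $perf_data"
  echo "$table"
  exit 2
elif [ "$rep_age" -lt "$max_rep_age" ]; then
  echo "OK - Scanned $cnt login users, all have MFA (report age is $rep_age_min minutes) $perf_data"
  echo "$table"
  exit 0
else
  echo "Critical - Scanned $cnt login users, all have MFA (report age is older than ${max_rep_age_min}m - $rep_age_min minutes) $perf_data"
  echo "$table"
  exit 2
fi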