Automating the AWS Identity Lifecycle with unSkript (Part 3)

This week, AWS is celebrating all that is AWS at their re:Invent conference in Las Vegas. Here at unSkript, we are celebrating all that is AWS by highlighting how to automate common AWS tasks with our xRunBooks. In our first two posts in this series (Part 1 and Part 2), we built an xRunBook that creates an IAM user and applies a managed access policy to the user. In this post, we are going to do the opposite: remove a user from the AWS environment.

There comes a time when access for a certain identity or user must be removed from your AWS environment. In this post, we’ll create an automated workflow that does just that.

When this article was written, there was no pre-built workflow to delete an IAM user in the open source unSkript xRunBook Library, so we will modify an existing workflow to delete the user. (Once this post is completed, the xRunBook will be added to our open source library of RunBooks.)

In this case, we’ll use the “Create IAM User” workflow from our last post in this series. By changing the order of the Actions in the workflow and making a few small code edits, we’ll turn this workflow from one that creates new users into one that deletes existing users.

Setup

If you have not yet created AWS Credentials, here are the instructions.

The existing order of the Actions in the xRunBook we created in Part 2 is:

  1. unSkript Internal
  2. Create IAM user: Create the user
  3. Create logon profile: add a password
  4. Add policies: Assign a permission policy
  5. Get STS identity: get Assigner’s name
  6. Send Slack message: Posts results in Slack

Changes Required

Clearly, steps 2–4 are creation steps and they will all be changed to deletion/removal steps. They also must be reordered, as permission policies and passwords must be removed from an identity before it can be deleted.

Luckily, reordering Actions in unSkript is a drag-and-drop affair. Click and drag Actions 2–4 (and the corresponding notes) to reorder the Actions as follows:

  1. unSkript Internal
  2. Create logon profile: add a password
  3. Add policies: Assign a permission policy
  4. Create IAM user: Create the user
  5. Get STS identity: get Assigner’s name
  6. Send Slack message: Posts results in Slack

Editing the Actions

Now we can begin the process of editing the Actions from creation steps to deletion steps.

Create Login Profile -> Delete Login Profile

In order to delete an IAM user, the user cannot have a console password (a login profile). Luckily, with just a few small changes, we can update this Action to delete the Login Profile.

Here are lines 34–37:

response = ec2Client.create_login_profile(
    UserName=UserName,
    Password=Password,
    PasswordResetRequired=True)

Change ec2Client.create_login_profile to ec2Client.delete_login_profile, and remove the two password parameters:

response = ec2Client.delete_login_profile(
    UserName=UserName)

Remove lines 58–62 (the line numbers may differ depending on your previous edit):

task.configure(conditionsJson='''{
    "condition_enabled": true,
    "condition_cfg": "'User' in UserInfo",
    "condition_result": true
}''')

The next step in cleaning up this Action is to update the classes and naming to remove evidence of creation, and leave only mentions of deletion.

Add policies to IAM user -> Remove policies from IAM user

This is the most complicated step. In order to remove the Policies for the IAM user, we must first identify what policies have been applied. There is an Action called “AWS List Attached User Policies” that we can add to the xRunBook. Search for this Action in the Action search, and drag the Action above the Add Policies to IAM User Action.

  • AWS List Attached User Policies

To configure this new Action to return the existing policies for the given user, add your AWS Credentials and set User Name to user_name. Under Output, name the output policies. This will output an array of the policies attached to the user.

Screenshot of a successful Action run. The two policies are noted in the results window.
This user is an Admin!

Now, back to the Add Policies to user Action. It is built to handle just one policy at a time, so we must extend it to handle an array of policies, and remove them.

Change the definition aws_attach_iam_policy to

from typing import Dict, List
from botocore.exceptions import ClientError


def aws_detach_iam_policy(handle, user_name: str, policy_name: List[str]) -> Dict:
    """aws_detach_iam_policy removes managed policies from an IAM user.

    :type handle: object
    :param handle: Object returned from task.validate(...).

    :type user_name: string
    :param user_name: Name of the IAM user to detach the policies from.

    :type policy_name: list
    :param policy_name: List of AWS managed policy names to detach from the user.

    :rtype: Dict keyed by policy name, holding the detach response (or the error
            response) for each policy.
    """
    result = {}
    iamResource = handle.resource('iam')
    user = iamResource.User(user_name)
    for policy in policy_name:
        try:
            # AWS managed policies live under arn:aws:iam::aws:policy/
            response = user.detach_policy(
                PolicyArn='arn:aws:iam::aws:policy/' + policy
            )
            result[policy] = response
        except ClientError as error:
            # Keep the error for this policy and carry on with the rest
            result[policy] = error.response
    return result

And the last line change to:

task.execute(aws_detach_iam_policy, lego_printer=unskript_default_printer, hdl=hdl, args=args)

What we have done is extend the function to handle a list of policies (rather than a string containing a single policy) and add a loop that iterates through the policies and removes each one with detach_policy.

Finally, change the configuration of this Action so that Policy_Name is set to policies (the output list from the Action we just added).

successful removal of all policies

For testing purposes, if you rerun the List attached Policies Action, the result should be an empty array: [].

Create IAM user -> Delete IAM user

Lines 36–42:

response = ec2Client.create_user(
    UserName=user_name,
    Tags=[
        {
            'Key': tag_key,
            'Value': tag_value
        }])

Change create_user to delete_user, and remove the Tags.

response = ec2Client.delete_user(
    UserName=user_name)
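As an added example (not code from this post or from unSkript), here is the whole cleanup-then-delete sequence built above, from the login profile through the policies to delete_user, written as plain boto3-style calls. It goes beyond the post in two ways: it takes each policy’s ARN from the listing instead of assuming the arn:aws:iam::aws:policy/ prefix, so customer managed policies are covered too, and it also clears inline policies, group memberships and access keys, which make DeleteUser fail with a DeleteConflict just as a login profile or attached policy does. The two functions take the IAM client as a parameter; FakeIamClient, the user alice and its sample policies, group and access key are constructed for the example so it runs offline, and with boto3.client('iam') in their place the functions are unchanged.

```python
# Added example (not unSkript's or AWS's code): the post's cleanup-then-delete
# sequence as plain boto3-style calls. DeleteUser fails with DeleteConflict while
# the user still has a login profile, attached or inline policies, group
# memberships or access keys, so these are enumerated and removed first. The IAM
# client is injected; FakeIamClient is a constructed offline stand-in.
from typing import Dict, List


def list_blockers(iam, user_name: str) -> Dict[str, List[str]]:
    """Resources that would make DeleteUser fail (keys omitted when empty).
    `iam` is a boto3 IAM client or the fake below."""
    blockers: Dict[str, List[str]] = {}
    try:
        iam.get_login_profile(UserName=user_name)
        blockers["login_profile"] = [user_name]
    except iam.exceptions.NoSuchEntityException:
        pass  # no console password set
    attached = iam.list_attached_user_policies(UserName=user_name)["AttachedPolicies"]
    if attached:
        # Take the ARN from the listing: customer managed policies do not live under
        # arn:aws:iam::aws:policy/, so building the ARN from the name would miss them.
        blockers["attached_policies"] = [p["PolicyArn"] for p in attached]
    inline = iam.list_user_policies(UserName=user_name)["PolicyNames"]
    if inline:
        blockers["inline_policies"] = list(inline)
    groups = iam.list_groups_for_user(UserName=user_name)["Groups"]
    if groups:
        blockers["groups"] = [g["GroupName"] for g in groups]
    keys = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    if keys:
        blockers["access_keys"] = [k["AccessKeyId"] for k in keys]
    return blockers


def delete_iam_user(iam, user_name: str) -> Dict[str, List[str]]:
    """Remove every blocker, then delete the user. Returns what was removed so
    the caller (for example the Slack step) can report it."""
    removed = list_blockers(iam, user_name)
    if "login_profile" in removed:
        iam.delete_login_profile(UserName=user_name)
    for arn in removed.get("attached_policies", []):
        iam.detach_user_policy(UserName=user_name, PolicyArn=arn)
    for name in removed.get("inline_policies", []):
        iam.delete_user_policy(UserName=user_name, PolicyName=name)
    for group in removed.get("groups", []):
        iam.remove_user_from_group(GroupName=group, UserName=user_name)
    for key_id in removed.get("access_keys", []):
        iam.delete_access_key(UserName=user_name, AccessKeyId=key_id)
    iam.delete_user(UserName=user_name)
    return removed


class FakeIamClient:
    """Constructed stand-in for boto3's IAM client holding one sample user. Call
    names, keyword arguments and response shapes match boto3's; the account id and
    access key id are AWS documentation examples, not real values."""

    class exceptions:  # boto3 exposes client.exceptions.NoSuchEntityException
        class NoSuchEntityException(Exception):
            pass

    def __init__(self):
        self.deleted = False
        self.u = {
            "login_profile": True,
            "attached": [{"PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
                         {"PolicyArn": "arn:aws:iam::123456789012:policy/deploy-ro"}],
            "inline": ["s3-scratch"],
            "groups": [{"GroupName": "developers"}],
            "keys": [{"AccessKeyId": "AKIAIOSFODNN7EXAMPLE"}]}

    def get_login_profile(self, UserName):
        if not self.u["login_profile"]:
            raise self.exceptions.NoSuchEntityException(UserName)
        return {"LoginProfile": {"UserName": UserName}}

    def delete_login_profile(self, UserName): self.u["login_profile"] = False
    def list_attached_user_policies(self, UserName): return {"AttachedPolicies": list(self.u["attached"])}
    def detach_user_policy(self, UserName, PolicyArn):
        self.u["attached"] = [p for p in self.u["attached"] if p["PolicyArn"] != PolicyArn]
    def list_user_policies(self, UserName): return {"PolicyNames": list(self.u["inline"])}
    def delete_user_policy(self, UserName, PolicyName): self.u["inline"].remove(PolicyName)
    def list_groups_for_user(self, UserName): return {"Groups": list(self.u["groups"])}
    def remove_user_from_group(self, GroupName, UserName):
        self.u["groups"] = [g for g in self.u["groups"] if g["GroupName"] != GroupName]
    def list_access_keys(self, UserName): return {"AccessKeyMetadata": list(self.u["keys"])}
    def delete_access_key(self, UserName, AccessKeyId):
        self.u["keys"] = [k for k in self.u["keys"] if k["AccessKeyId"] != AccessKeyId]

    def delete_user(self, UserName):
        # Mirrors the real service: DeleteUser refuses while anything is still attached.
        if any(self.u[k] for k in ("login_profile", "attached", "inline", "groups", "keys")):
            raise RuntimeError("DeleteConflict: user still has attached resources")
        self.deleted = True


if __name__ == "__main__":
    print(delete_iam_user(FakeIamClient(), "alice"))
```

Running list_blockers on its own is the equivalent of re-running the List Attached User Policies Action as a check: an empty dict means delete_user will succeed. MFA devices, signing certificates, SSH public keys and service-specific credentials also block deletion and are not handled here; a real deployment would enumerate and remove those the same way.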

Slack Message

Finally, we need to change the Slack message:

f'IAM user {user_name} deleted by {caller["Arn"]}'

Slack message indicating deletion of a user.

Final xRunBook Cleanup

With the changes above, your xRunBook will now delete the supplied user from the AWS environment. But we can clean it up a little: remove the remaining references to creation, and also remove a few superfluous variables that are still hanging around.

Parameters

We should delete the tag_key and tag_value input parameters, as they are no longer referenced in the xRunBook. You can do this by clicking “Parameters” in the top navigation bar, and clicking the trash bin next to these two items.

Some Actions still have input parameters that are no longer used: tag_key, tag_value and password. You can delete unused Action parameters by clicking the 3 dot menu in the Action and editing the Inputs.

Fast Iteration: Easy Automations

In this post, we took an existing xRunBook that creates IAM users and quickly iterated on a few of the Actions to invert the xRunBook so that it deletes IAM users instead. Since RunBooks are based on Jupyter Notebooks, reordering Actions is easy (drag and drop), and by simply calling different functions in the Python libraries we were able to design an entire workflow quickly.

Conclusion

In this series of posts, we have created a simple AWS IAM lifecycle toolchain. If your IAM is more complicated, you can use these xRunBooks as a stepping stone — adding additional Actions or xRunBooks to completely automate your AWS IAM lifecycle.

unSkript can help you automate many of your internal tools and processes. Interested in learning more? Check out our Docs and GitHub, or reach out in our Slack Community!
