Removing last-used checks on credentials

tstibbs · Nov 18, 2024 · 2bd20b8 · 2bd20b8
1 parent 434a536
commit 2bd20b8
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 15 deletions.
diff --git a/aws/environment-setup/lib/deploy-parent-tooling.js b/aws/environment-setup/lib/deploy-parent-tooling.js
@@ -6,13 +6,7 @@ import events from 'aws-cdk-lib/aws-events'
 import eventsTargets from 'aws-cdk-lib/aws-events-targets'
 import dynamodb from 'aws-cdk-lib/aws-dynamodb'
 
-import {
-	CHILD_ACCOUNTS,
-	RAW_CHILD_ACCOUNTS,
-	MAX_CREDENTIAL_AGE,
-	MAX_UNUSED_CREDENTIAL_DAYS,
-	DEV_SUFFIX
-} from './deploy-envs.js'
+import {CHILD_ACCOUNTS, RAW_CHILD_ACCOUNTS, MAX_CREDENTIAL_AGE, DEV_SUFFIX} from './deploy-envs.js'
 import {PARENT_ACCNT_CLI_ROLE_NAME} from './deploy-utils.js'
 import {MONITOR_STORE_SCHEMA} from '../src/constants.js'
 import {createParentUsageMonitorResources} from './deploy-shared-usage.js'
@@ -72,7 +66,6 @@ function createLambda(stack, notificationTopic) {
 			ALERTS_TOPIC: notificationTopic.topicArn,
 			CHILD_ACCOUNTS: RAW_CHILD_ACCOUNTS,
 			MAX_CREDENTIAL_AGE,
-			MAX_UNUSED_CREDENTIAL_DAYS,
 			MONITOR_TABLE_NAME: monitorStoreTable.tableName
 		},
 		memorySize: 128,

diff --git a/aws/environment-setup/src/iam-checker.js b/aws/environment-setup/src/iam-checker.js
@@ -3,7 +3,7 @@
 import {parse as csvParse} from 'csv-parse/sync'
 import backOff from 'exponential-backoff'
 
-import {MAX_CREDENTIAL_AGE, MAX_UNUSED_CREDENTIAL_DAYS} from './runtime-envs.js'
+import {MAX_CREDENTIAL_AGE} from './runtime-envs.js'
 import {buildApiForAccount, buildMultiAccountLambdaHandler} from './utils.js'
 import {MonitorStore} from './monitor-store.js'
 
@@ -16,7 +16,6 @@ async function checkOneAccount(accountId) {
 	const issues = []
 	const now = Date.now()
 	const maxCredentialAge = MAX_CREDENTIAL_AGE //in days
-	const maxUnusedCredentialDays = MAX_UNUSED_CREDENTIAL_DAYS //in days
 	const iam = await buildApiForAccount(accountId, 'ParentAccountCliRole', 'IAM')
 
 	async function runChecks() {
@@ -42,7 +41,7 @@ async function checkOneAccount(accountId) {
 		rootMfaEnabled(rootUsers)
 		// check MFA enabled for all users with console access
 		consoleUsersMfaEnabled(nonRootUsers)
-		// Check no access keys older than x days and no credentials that have been unused for x days
+		// Check no access keys older than x days
 		checkCredentials(nonRootUsers)
 	}
 
@@ -72,15 +71,12 @@ async function checkOneAccount(accountId) {
 	function checkCredentials(nonRootUsers) {
 		nonRootUsers.forEach(user => {
 			if (user.password_enabled === 'true') {
-				dateMoreRecentThan(user, 'password_last_used', maxUnusedCredentialDays)
 				dateMoreRecentThan(user, 'password_last_changed', maxCredentialAge)
 			}
 			if (user.access_key_1_active === 'true') {
-				dateMoreRecentThan(user, 'access_key_1_last_used_date', maxUnusedCredentialDays)
 				dateMoreRecentThan(user, 'access_key_1_last_rotated', maxCredentialAge)
 			}
 			if (user.access_key_2_active === 'true') {
-				dateMoreRecentThan(user, 'access_key_2_last_used_date', maxUnusedCredentialDays)
 				dateMoreRecentThan(user, 'access_key_2_last_rotated', maxCredentialAge)
 			}
 		})

diff --git a/aws/environment-setup/src/runtime-envs.js b/aws/environment-setup/src/runtime-envs.js
@@ -6,7 +6,6 @@ export const {
 	WARNING_BUDGET,
 	MAX_BUDGET,
 	MAX_CREDENTIAL_AGE,
-	MAX_UNUSED_CREDENTIAL_DAYS,
 	NOTIFICATION_EMAIL,
 	ORG_ID,
 	PARENT_ACCOUNT_ID,