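/**
 * Lists the access keys of one IAM user and prints each access key id, following the
 * service's pagination marker until no further page is reported.
 *
 * <p>Only key metadata (id, status, creation date) is printed; ListAccessKeys never returns
 * secret key material. Credentials and region come from the SDK default client.
 *
 * @param args exactly one element: the IAM user name; otherwise usage is printed and the
 *             process exits with status 1
 */
public static void main(String[] args) {
    final String USAGE = "To run this example, supply an IAM username\n"
            + "Ex: ListAccessKeys <username>\n";
    if (args.length != 1) {
        System.out.println(USAGE);
        System.exit(1);
    }
    final String username = args[0];
    final AmazonIdentityManagement iam = AmazonIdentityManagementClientBuilder.defaultClient();
    final ListAccessKeysRequest request = new ListAccessKeysRequest().withUserName(username);
    ListAccessKeysResult response;
    do {
        response = iam.listAccessKeys(request);
        for (AccessKeyMetadata metadata : response.getAccessKeyMetadata()) {
            // %n: without a line terminator consecutive key ids ran together on one line
            System.out.format("Retrieved access key %s%n", metadata.getAccessKeyId());
        }
        // The marker of this page selects the next page on the following call.
        request.setMarker(response.getMarker());
        // getIsTruncated() is a boxed Boolean; treat null as "no more pages" rather than NPE.
    } while (Boolean.TRUE.equals(response.getIsTruncated()));
}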
/**
 * Logs an expired-but-active access key and records it as an {@code ACTIVE_KEY_TOO_OLD}
 * violation in the violation sink.
 *
 * <p>Only the key id, user name and creation date are logged and stored (see
 * {@code metaMap}); the access key id is an identifier, not the secret.
 *
 * @param accountId the AWS account the key was found in
 * @param accessKey metadata of the offending key
 */
void writeViolation(final String accountId, final AccessKeyMetadata accessKey) {
    final String keyId = accessKey.getAccessKeyId();
    final String userName = accessKey.getUserName();
    log.info("Found user {} with expired access key {} in account {}", userName, keyId, accountId);
    // Event id is derived from the key id so repeated runs map to the same violation.
    final String eventId = "check-access-key_" + keyId;
    violationSink.put(
            new ViolationBuilder()
                    .withAccountId(accountId)
                    .withRegion(NoPasswordViolationWriter.NO_REGION)
                    .withEventId(eventId)
                    .withType(ACTIVE_KEY_TOO_OLD)
                    .withPluginFullyQualifiedClassName(KeyRotationJob.class)
                    .withMetaInfo(metaMap(accessKey))
                    .build());
}
/**
 * Builds the violation meta-info for an access key: its id, owning user name and creation
 * date. No secret material is included.
 *
 * @param accessKey key metadata to describe
 * @return an immutable, insertion-ordered map with keys {@code access_key_id},
 *         {@code user_name} and {@code access_key_created}
 * @throws NullPointerException if any of the three values is {@code null} (Guava immutable
 *         maps reject null values)
 */
private Map<?, ?> metaMap(final AccessKeyMetadata accessKey) {
    return ImmutableMap.of(
            "access_key_id", accessKey.getAccessKeyId(),
            "user_name", accessKey.getUserName(),
            "access_key_created", accessKey.getCreateDate());
}
/**
 * Wires mock collaborators for the key-rotation job: two accounts, each with a fixed set of
 * users and access keys mixing fresh/expired and active/inactive states, so the job's
 * key filter can be exercised against every combination.
 */
@Before
public void setUp() {
    mockAccountIdSupplier = mock(AccountIdSupplier.class);
    mockViolationWriter = mock(KeyRotationViolationWriter.class);
    mockIAMDataSource = mock(IdentityManagementDataSource.class);

    when(mockAccountIdSupplier.get()).thenReturn(newHashSet("account01", "account02"));

    // account01: one user; keys cover fresh+active, expired+active and expired+inactive
    when(mockIAMDataSource.getUsers(eq("account01")))
            .thenReturn(singletonList(new User()));
    when(mockIAMDataSource.getAccessKeys(eq("account01"), any()))
            .thenReturn(asList(
                    active(upToDate(new AccessKeyMetadata())),
                    active(expired(new AccessKeyMetadata())),
                    inactive(expired(new AccessKeyMetadata()))));

    // account02: two users; a single fresh+inactive key
    when(mockIAMDataSource.getUsers(eq("account02")))
            .thenReturn(asList(new User(), new User()));
    when(mockIAMDataSource.getAccessKeys(eq("account02"), any()))
            .thenReturn(singletonList(inactive(upToDate(new AccessKeyMetadata()))));
}
/**
 * Predicate matching keys whose status string equals {@code value} exactly
 * (case-sensitive, as returned by the IAM API).
 *
 * @param value expected status string, e.g. {@code "Active"}; must not be {@code null}
 *              or the predicate throws on evaluation
 * @return predicate over access key metadata
 */
private static Predicate<AccessKeyMetadata> activity(final String value) {
    return key -> {
        final String status = key.getStatus();
        return value.equals(status);
    };
}
/**
 * Predicate matching keys created before the cutoff {@code days} days ago.
 *
 * <p>{@code LocalDate} here is Joda-Time's (it has {@code toDate()}), so the cutoff is
 * day-granular: local midnight of the day {@code days} days ago, in the default time zone.
 * The cutoff is recomputed on every evaluation, not when the predicate is built.
 *
 * @param days age threshold in days
 * @return predicate over access key metadata; throws {@link NullPointerException} on
 *         evaluation if the key has no creation date
 */
private static Predicate<AccessKeyMetadata> withDaysOlderThan(final int days) {
    return key -> {
        final long createdMillis = key.getCreateDate().getTime();
        final long cutoffMillis = LocalDate.now().minusDays(days).toDate().getTime();
        return createdMillis < cutoffMillis;
    };
}
/**
 * Predicate selecting keys that are both active and older than {@code days} days — the
 * keys the rotation job reports.
 *
 * <p>The active check runs first; the age check (which dereferences the creation date) is
 * only evaluated for active keys.
 *
 * @param days age threshold in days
 * @return combined predicate
 */
static Predicate<AccessKeyMetadata> isActiveAndOlderThanDays(final int days) {
    final Predicate<AccessKeyMetadata> oldEnough = withDaysOlderThan(days);
    return IS_ACTIVE.and(oldEnough);
}
/**
 * Test helper: stamps the key with a creation date 31 days ago (past the expiry threshold
 * the fixtures assume) and returns the same instance.
 *
 * @param accessKeyMetadata key to mutate
 * @return the same instance, for chaining
 */
private AccessKeyMetadata expired(final AccessKeyMetadata accessKeyMetadata) {
    return accessKeyMetadata.withCreateDate(now().minusDays(31).toDate());
}
/**
 * Test helper: stamps the key with the current time as creation date and returns the same
 * instance.
 *
 * @param accessKeyMetadata key to mutate
 * @return the same instance, for chaining
 */
private AccessKeyMetadata upToDate(final AccessKeyMetadata accessKeyMetadata) {
    final Date justNow = new Date();
    return accessKeyMetadata.withCreateDate(justNow);
}
/**
 * Test helper: marks the key {@code "Inactive"} (the IAM status string) and returns the
 * same instance.
 *
 * @param accessKeyMetadata key to mutate
 * @return the same instance, for chaining
 */
private AccessKeyMetadata inactive(final AccessKeyMetadata accessKeyMetadata) {
    return accessKeyMetadata.withStatus("Inactive");
}
/**
 * Test helper: marks the key {@code "Active"} (the IAM status string) and returns the same
 * instance.
 *
 * @param accessKeyMetadata key to mutate
 * @return the same instance, for chaining
 */
private AccessKeyMetadata active(final AccessKeyMetadata accessKeyMetadata) {
    return accessKeyMetadata.withStatus("Active");
}
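/**
 * Serves the inventory endpoints from the current snapshot of the AWS database.
 *
 * <p>Every response carries an {@code Age} header (seconds since the snapshot was taken)
 * and a {@code Cache-Control} max-age derived from the holder's cache time. Unknown
 * targets answer 404. The request is always marked handled so Jetty does not pass it on.
 *
 * <p>NOTE(review): no authentication or authorization is visible in this handler, and
 * {@code /iam} and {@code /iam/users} expose IAM user and access-key metadata — confirm
 * access to these endpoints is restricted upstream.
 *
 * @param target      request path, matched exactly against the known endpoints
 * @param baseRequest Jetty request, marked handled in all cases
 * @param request     servlet request; its parameter map is passed to the complex handlers
 * @param response    servlet response to write to
 */
@Override
public void handle(String target, Request baseRequest, HttpServletRequest request, HttpServletResponse response) {
    try {
        final Map<String, String[]> paramMap = request.getParameterMap();
        final AWSDatabase current = dbHolder.getCurrent();
        // RFC 7234 defines Age as delta-seconds (a non-negative integer); the previous
        // "%.3f" rendering produced a fractional value clients may reject.
        final long ageInSeconds = current.getAgeInMs() / 1000;
        response.setHeader("Age", Long.toString(ageInSeconds));
        response.setHeader("Cache-Control", String.format("public, max-age=%d", dbHolder.getCacheTimeInMs() / 1000));
        switch (target) {
            case "/ec2":
                handleComplexEC2(response, paramMap, current);
                break;
            case "/ec2/all":
                handleSimpleRequest(response, current.getEc2Instances());
                break;
            case "/rds/all":
                handleSimpleRequest(response, current.getRdsInstances());
                break;
            case "/ec2/sg":
                handleSimpleRequest(response, current.getEc2SGs());
                break;
            case "/iam": {
                // Backwards compatibility with the documented feature: a flat list of all
                // users' keys rather than the per-user structure served by /iam/users.
                final ArrayList<AccessKeyMetadata> justKeys = new ArrayList<>();
                for (IAMUserWithKeys userWithKeys : current.getIamUsers()) {
                    justKeys.addAll(userWithKeys.getKeys());
                }
                handleSimpleRequest(response, justKeys);
                break;
            }
            case "/iam/users":
                handleSimpleRequest(response, current.getIamUsers());
                break;
            case "/dynamo":
                handleComplexDynamo(response, paramMap, current);
                break;
            case "/sqs":
                handleComplexSQS(response, paramMap, current);
                break;
            case "/elasticache/cluster":
                handleComplexElasticacheCluster(response, paramMap, current);
                break;
            default:
                response.setStatus(HttpServletResponse.SC_NOT_FOUND);
                break;
        }
    } finally {
        // Mark handled even when a handler throws, so the request is not re-dispatched.
        baseRequest.setHandled(true);
    }
}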