is there a way to set alarm for inactive aws user - amazon-iam

Is there any way to set an alarm for AWS users that been inactive for e.g. 60 days? I mean I need an alarm to be created which will send notification if an AWS user account have been inactive for a period of time

From GenerateServiceLastAccessedDetails - AWS Identity and Access Management:
GenerateServiceLastAccessedDetails() Generates a report that includes details about when an IAM resource (user, group, role, or policy) was last used in an attempt to access AWS services. Recent activity usually appears within four hours.
From GetServiceLastAccessedDetails - AWS Identity and Access Management:
GetServiceLastAccessedDetails() Retrieves a service last accessed report that was created using the GenerateServiceLastAccessedDetails operation. You can use the JobId parameter in GetServiceLastAccessedDetails to retrieve the status of your report job. When the report is complete, you can retrieve the generated report. The report includes a list of AWS services that the resource (user, group, role, or managed policy) can access.
So, take a look at those commands (available via AWS CLI or AWS SDK) and find the latest date of all the services that the user has accessed.
See also: Identify unused IAM roles and remove them confidently with the last used timestamp | AWS Security Blog

Yes and no. There is no plain Alarm that can do that. AWS CloudWatch Alarms can only alarm based on CloudWatch Metrics and IAM Users do not send any metrics to here.
You could write a Lambda, have it iterate through IAM Users and get their last active date. Then add an EventRule which will run this Lambda regularly, such as once per day. If Users are inactive, you could send a message to an SNS Topic, or if you wanted more adjustable alarms, send some metrics to CloudWatch Metrics in a custom namespace, then create a CloudWatch Alarm to alert on those metrics.

Related

AWS: how to see the services a particular user account has been using

I'm the administrator of an AWS account that has 4 users. One of the users is racking up higher-than-expected costs.
I checked the Cost Explorer, but could not seem to configure it to view individual users.
As an administrator in AWS, how do I see all of the services this particular user has been using during a given period of time (e.g. the last 12 months)?
Thanks!
AWS resources are associated with an AWS Account, not a specific user.
If a user has the necessary permissions to create resources (eg an Amazon EC2 instance), then the instance is launched in the AWS Account, but there is no link back to the user that requested the resource.
You can, however, use AWS CloudTrail:
AWS CloudTrail is an AWS service that helps you enable operational and risk auditing, governance, and compliance of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.
It will show all API calls made by the user, including the Action ('launch an EC2 instance'), their IP address, timestamp, etc. Operations in the AWS management console will also be shown, since it makes API calls on behalf of the user.
CloudTrail keeps a history of the past 90 days, but you can create specific 'Trails' that retain data permanently. If you have not done this, then it will not be possible to see what they did prior to 90 days ago.

How many accounts could send cloudwatch events to AWS logs destination?

Trying to have a central account processing cloudwatch logs. (Cross account logs forwarding)
Following https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CreateDestination.html
After step 7a is complete, in the log data recipient account,
associate an access policy with the destination. This policy enables
the log data sender account (111111111111) to access the destination
in the log data recipient account (999999999999).
There is a limitation * is not possible to be defined in Priciple AWS accounts.
If multiple accounts are sending logs to this destination, each sender
account must be listed separately in the policy. This policy does not
support specifying * as the Principal or the use of the
aws:PrincipalOrgId global key.
Is there any limitation of how many accounts could be granted/attached using access policy ?
With resource policies for cloudwatch logs your only limit is a max policy document length of 5120 characters. Depending on the number of accounts and the size/maturity of your organization I would recommend configuring aws organizations. With aws organizations you can use the principleOrgID condition key in the resource policy to grant any account in your organization permissions to write logs. More information on that strategy can be found here.

AWS CloudWatch Billing metrics Account

I am attempting to use CloudWatch AWS/Billing metrics to consolidate cost information in a central aggregator.
All the guides I can find seem to just point to setting "Receive Billing Alerts" on the master payer account. After doing that the metrics appear on that 'root' account. But none of the other accounts or users can see them.
UPDATE: I can get the data if I make a new IAM user in the Root Account, but i felt that since my user could see the Billing dashboard, it should also be able to see the CloudWatch metrics

"Logs can only be viewed for the account logged in" in AWS CloudWatch Logs console

After enabling cross-account, cross-region access (in AWS CloudWatch Settings) in both the monitoring account and the sharing account, I receive an error in the CloudWatch Logs console upon selecting the sharing account from the drop-down at the top of the page:
"Logs can only be viewed for the account logged in - XXX. You are viewing data for YYY.Go back to XXX in us-east-1"
Viewing cross-account metrics and dashboards are working well, but logs are most useful to my use case. What could cause this error on the console?
I have the monitoring and sharing roles set up per the instructions here: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Cross-Account-Cross-Region.html#enable-cross-account-cross-Region
Unfortunately, as at time of writing (2021-12-22), cross-account CloudWatch only supports dashboards, alarms, metrics and automatic dashboards. Logs are not yet visible across accounts.
From the documentation, my emphasis:
This functionality provides you with cross-account visibility to your dashboards, alarms, metrics, and automatic dashboards without having to log in and log out of different accounts.

How to Track AWS Resource created by an IAM user and store record in database?

I have created some IAM users to my AWS account with permission to launch instances.
Now I want to track and store their instance launch activity like time and instance ID in my MySQL or any other database.
Is there any way to achieve this, any suggestion will be appreciated.
All activities of an IAM user can be monitored using aws cloudtrail. Cloudtrail logs all the events.
The cloudtrail log is stored to a S3 bucket. You can use the storage trigger option in aws lambda functions to watch for a particular log .
In this case the log for new EC2 instance creation.
In the lambda function you need to add the code that takes that log information and stores into a Mysql database that you have setup.
Refer this post https://docs.aws.amazon.com/lambda/latest/dg/with-cloudtrail.html
Also you can try creating a cloudwatch for EC2 instance creation and it can trigger an aws lambda function which will do the data insert to the db.
Here is a sample of cloudwatch based scheduler. You have to setup a specific trigger as per your need though.
https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/RunLambdaSchedule.html
You should use AWS CloudTrail:
CloudTrail is enabled on your AWS account when you create it. When activity occurs in your AWS account, that activity is recorded in a CloudTrail event. You can easily view recent events in the CloudTrail console by going to Event history. For an ongoing record of activity and events in your AWS account, create a trail.