Initial public release v1.0

.github/workflows/release.yml

@@ -0,0 +1,46 @@
+name: Release binaries
+
+on:
+  release:
+    types: [created]
+
+jobs:
+  amd64-releases-matrix:
+    name: Release Go Binary (amd64)
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        goos: [linux, windows, darwin]
+        goarch: [amd64]
+    steps:
+      - uses: actions/checkout@v2
+      - uses: wangyoucao577/[email protected]
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          goversion: "https://dl.google.com/go/go1.17.5.linux-amd64.tar.gz"
+          goos: ${{ matrix.goos }}
+          goarch: ${{ matrix.goarch }}
+          project_path: "."
+          binary_name: "cleanup-aws-access-keys"
+          ldflags: "-s -w"
+          extra_files: LICENSE README.md
+
+  arm64-releases-matrix:
+    name: Release Go Binary (arm64)
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        goos: [linux, darwin]
+        goarch: [arm64]
+    steps:
+      - uses: actions/checkout@v2
+      - uses: wangyoucao577/[email protected]
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          goversion: "https://dl.google.com/go/go1.17.5.linux-amd64.tar.gz"
+          goos: ${{ matrix.goos }}
+          goarch: ${{ matrix.goarch }}
+          project_path: "."
+          binary_name: "cleanup-aws-access-keys"
+          ldflags: "-s -w"
+          extra_files: LICENSE README.md

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2022 Puru
+Copyright (c) 2022 Puru Tuladhar ([email protected])
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -1,2 +1,111 @@
 # cleanup-aws-access-keys
-A cloud security tool to clean up AWS access keys.
+A cloud security tool to search and clean up unused AWS access keys, written in Go.
+
+## Features:
+* Find unused access keys (e.g: access keys unused for more than 90 days, access keys created both never used)
+* Deactivate/activate access keys easily based on search criteria.
+* Delete access keys based on search criteria.
+* Auto-approve flag to run non-interactively (e.g: a cron job to deactivate access keys unused for more 90 days)
+
+## What is an AWS access keys?
+* Access keys are long-term credentials for an IAM user or the AWS account root user.
+* You can use access keys to make programmatic calls to AWS via AWS CLI, AWS SDKs, or direct AWS API calls.
+* An IAM user is only allowed to have maximum of two access keys (active or inactive) at a time.
+* Access keys consist of two parts: an access key ID (e.g: `AKIAIOSFODNN7EXAMPLE`) and a secret access key (e.g: `wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`). Like a user name and password, you must use both the access key ID and secret access key together to authenticate your requests. Manage your access keys as securely as you do your user name and password.
+* If you lose or forget your secret key, you cannot retrieve it. Instead, create a new access key and make the old key inactive and delete it.
+
+
+> **Warning:** Never post your secret access key on public platforms, such as GitHub. This can compromise your account security. As a best practice, it's recommended to rotate your keys frequently.
+
+> __Best Practices:__ Use temporary security credentials (IAM roles) instead of access keys, and disable any AWS account root user access keys. For more information, see [Best Practices for Managing AWS Access Keys](https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html) in the Amazon Web Services General Reference.
+
+[Learn more about AWS access keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html?icmpid=docs_iam_console)
+
+## Usage:
+```
+$ ./cleanup-aws-access-keys 
+A cloud security tool to search and clean up unused AWS access keys (https://github.com/tuladhar/cleanup-aws-access-keys)
+
+Usage:
+  cleanup-aws-access-keys [command]
+
+Available Commands:
+  activate    Activate access key(s)
+  completion  Generate the autocompletion script for the specified shell
+  deactivate  Deactivate access key(s)
+  delete      Delete access key(s)
+  help        Help about any command
+  search      Search for access key(s)
+
+Flags:
+  -h, --help      help for cleanup-aws-access-keys
+  -v, --version   version for cleanup-aws-access-keys
+
+Use "cleanup-aws-access-keys [command] --help" for more information about a command.
+```
+
+## Examples:
+
+Search for active access keys unused for more than 90 days.
+```
+./cleanup-aws-access-keys search --last-used 90 --status active
+```
+
+Search for access keys created but never used.
+```
+./cleanup-aws-access-keys search --last-used -1
+```
+
+Search for inactive access keys.
+```
+./cleanup-aws-access-keys search --status inactive
+```
+
+Deactivate access keys unused for more than 90 days.
+```
+./cleanup-aws-access-keys deactivate --last-used 90
+```
+> Hint: Use `--auto-approve` flag to skip interactive prompt.
+
+Deactivate access keys of specific username.
+```
+./cleanup-aws-access-keys deactivate --username jeff.bezos
+```
+
+Delete access keys unused for more than 180 days.
+```
+./cleanup-aws-access-keys delete --last-used 180
+```
+
+Delete inactive access keys of specific username.
+```
+./cleanup-aws-access-keys delete --status inactive --username jeff.bezos
+```
+
+## Installation
+Binary is available for Linux, Windows and Mac OS (amd64 and arm64). Download the binary for your respective platform from the [releases page](https://github.com/tuladhar/cleanup-aws-access-keys/releases).
+
+### Linux:
+```
+```
+
+## Development
+If you wish to contribute or compile from source code, you'll first need Go installed on your machine. Go version [Go v.1.9](https://go.dev/dl/)+ is required.
+
+- Clone the repository
+```
+git clone https://github.com/tuladhar/cleanup-aws-access-keys
+```
+- Add missing modules
+```
+go mod tidy
+```
+- Modify the code, and build the binary or run directly
+```
+go run main.go
+// or
+go build
+```
+
+## Author
+* Puru Tuladhar (https://github.com/tuladhar)

cmd/activate.go

@@ -0,0 +1,81 @@
+/*
+MIT License
+
+Copyright (c) 2022 Puru Tuladhar ([email protected])
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+*/
+package cmd
+
+import (
+	"fmt"
+	"context"
+
+	"github.com/aws/aws-sdk-go-v2/service/iam"
+	"github.com/aws/aws-sdk-go-v2/service/iam/types"
+
+	"github.com/spf13/cobra"
+)
+
+func activateKeys() {
+	var n int
+	for _, d := range state.TableData {
+		_, err := client.UpdateAccessKey(context.TODO(), &iam.UpdateAccessKeyInput{
+			UserName: &d[0],
+			AccessKeyId: &d[1],
+			Status: types.StatusTypeInactive,
+		})
+		if err != nil {
+			fmt.Printf("Unable to activate access key %s for username %s: %s\n", d[1], d[0], err)
+			continue
+		}
+		n += 1
+	}
+	fmt.Printf("\nSuccessfully activated %d access key(s).\n", n)
+}
+
+// activateCmd represents the activate command
+var activateCmd = &cobra.Command{
+	Use:   "activate",
+	Short: "Activate access key(s)",
+	Long: ``,
+	Run: func(cmd *cobra.Command, args []string) {
+		flags.Status = "inactive"
+		SearchKeys()
+
+		if !flags.AutoApprove {
+			fmt.Println()
+			fmt.Printf("Are you sure you want to ACTIVATE %d access key(s)?\n", len(state.TableData))
+			if AskApproval() {
+				activateKeys()
+			}
+		} else {
+			activateKeys()
+		}
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(activateCmd)
+
+	activateCmd.Flags().IntVarP(&flags.LastUsed, "last-used", "", 0, "access key was last used n days.")
+	activateCmd.Flags().StringVarP(&flags.Username, "username", "", "", "access key owned by username")
+	activateCmd.Flags().StringVarP(&flags.Status, "status", "", "", "access key status: active or inactive")	
+	activateCmd.Flags().BoolVarP(&flags.AutoApprove, "auto-approve", "", false, "automatic yes to prompts and run non-interactively.")
+}

cmd/deactivate.go

@@ -0,0 +1,82 @@
+/*
+MIT License
+
+Copyright (c) 2022 Puru Tuladhar ([email protected])
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+*/
+package cmd
+
+import (
+	"fmt"
+	"context"
+
+	"github.com/aws/aws-sdk-go-v2/service/iam"
+	"github.com/aws/aws-sdk-go-v2/service/iam/types"
+
+	"github.com/spf13/cobra"
+)
+
+func deactivateKeys() {
+	var n int
+	for _, d := range state.TableData {
+		_, err := client.UpdateAccessKey(context.TODO(), &iam.UpdateAccessKeyInput{
+			UserName: &d[0],
+			AccessKeyId: &d[1],
+			Status: types.StatusTypeInactive,
+		})
+		if err != nil {
+			fmt.Printf("Unable to deactivate access key %s for username %s: %s\n", d[1], d[0], err)
+			continue
+		}
+		n += 1
+	}
+	fmt.Printf("\nSuccessfully deactivated %d access key(s).\n", n)
+}
+
+// deactivateCmd represents the deactivate command
+var deactivateCmd = &cobra.Command{
+	Use:   "deactivate",
+	Short: "Deactivate access key(s)",
+	Long: ``,
+	Run: func(cmd *cobra.Command, args []string) {
+		flags.Status = "active"
+		SearchKeys()
+
+		if !flags.AutoApprove {
+			fmt.Println()
+			fmt.Printf("Are you sure you want to DEACTIVATE %d access key(s)?\n", len(state.TableData))
+			fmt.Printf("WARNING: You can't use a disabled key to make AWS API calls but you can activate it again later.\n")
+			if AskApproval() {
+				deactivateKeys()
+			}
+		} else {
+			deactivateKeys()
+		}
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(deactivateCmd)
+
+	deactivateCmd.Flags().IntVarP(&flags.LastUsed, "last-used", "", 0, "access key was last used n days.")
+	deactivateCmd.Flags().StringVarP(&flags.Username, "username", "", "", "access key owned by username")
+	deactivateCmd.Flags().StringVarP(&flags.Status, "status", "", "", "access key status: active or inactive")	
+	deactivateCmd.Flags().BoolVarP(&flags.AutoApprove, "auto-approve", "", false, "automatic yes to prompts and run non-interactively.")
+}