Created
April 19, 2015 11:36
-
-
Save Sam-Martin/1eab296f82f06ccee49a to your computer and use it in GitHub Desktop.
PRTG check AWS users without MFA
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [CmdletBinding()] | |
| Param( | |
| [parameter(Mandatory=$true)] | |
| [string]$accessKey, | |
| [parameter(Mandatory=$true)] | |
| [string]$secretKey | |
| ) | |
| # Grab the current working directory of the script for the purposes of loading the DLL | |
| $scriptWorkingDirectory = Split-Path -Path $MyInvocation.MyCommand.Definition -Parent | |
| # Ensure you use the .NET 4.5 DLL not the .NET 3.5 DLL from the AWS .NET SDK | |
| # Load AWS API DLL | |
| $AWSAPIFiles = @( | |
| "$scriptWorkingDirectory\AWSSDK.dll" | |
| ) | |
| foreach($apiFile in $AWSAPIFiles){ | |
| # Try loading the DLL | |
| Write-Verbose "Loading $apiFile"; | |
| try{ | |
| $fileStream = ([System.IO.FileInfo] (Get-Item $apiFile)).OpenRead(); | |
| }catch{ | |
| Write-Error $_.exception.message; | |
| Exit 1; | |
| } | |
| # Read the contents of the DLL | |
| $assemblyBytes = New-Object byte[] $fileStream.Length | |
| $fileStream.Read($assemblyBytes, 0, $fileStream.Length) | out-null; | |
| $var= $fileStream.Close() | |
| # Load the library | |
| [System.Reflection.Assembly]::Load($assemblyBytes) | out-null; | |
| } | |
| # Set the AWS Access Key and Secret Key for authentication using the .NET SDK | |
| [System.Configuration.ConfigurationManager]::AppSettings["AWSAccessKey"] = $accessKey | |
| [System.Configuration.ConfigurationManager]::AppSettings["AWSSecretKey"] = $secretKey | |
| # Connect to the AWS API | |
| Write-Verbose "Connecting to AWS API"; | |
| $client= New-Object -TypeName Amazon.IdentityManagement.AmazonIdentityManagementServiceClient; | |
| # Fetch the list of users that have passwords but not MFA | |
| Write-Verbose "Fetch users that have passwords, but no MFA"; | |
| $mfadevices = @() | |
| $usersWithoutMFA = $client.listUsers().ListUsersResult.Users | ?{ | |
| # Ensure the user has a password (if they only have a secret key, they don't need MFA) | |
| try{ | |
| $client.GetLoginProfile($_.username) | Out-Null; | |
| }catch{ | |
| return $false; | |
| } | |
| # Return false if they don't have MFA (otherwise we don't care about them as they're doing the right thing!) | |
| return !$client.ListMFADevices($_.username).MFADevices; | |
| } | |
| # Output to PRTG | |
| Write-Verbose "Output in a PRTG friendly format (XML)"; | |
| Write-Host " | |
| <prtg> | |
| <result> | |
| <channel>Number of users without MFA devices registered</channel> | |
| <value>$(($usersWithoutMFA | Measure-Object).count)</value> | |
| </result> | |
| <Text>$(($usersWithoutMFA | select -expandProperty "Username") -join "; ")</Text> | |
| </prtg>"; | |
| # Return success exit code | |
| exit 0; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment