@andymotta
Created October 30, 2017 23:36
Delete ALL inactive IAM keys for each profile on server
import boto3
from botocore.exceptions import ClientError
import datetime
from datetime import date
import os
from ConfigParser import SafeConfigParser
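# Read the same credentials file the SDK itself will use: boto3 honours
# AWS_SHARED_CREDENTIALS_FILE, so ignoring it here would make the profile list
# disagree with the sessions created later.  expanduser() also copes with an
# unset HOME instead of raising KeyError.
access_file = os.environ.get('AWS_SHARED_CREDENTIALS_FILE') or os.path.join(
    os.path.expanduser('~'), '.aws', 'credentials')
access_list = SafeConfigParser()
access_list.read(access_file)
# Only delete inactive keys if they haven't been used in 40 days or more.
# Module-level constant; a `global` statement at module scope is a no-op and
# has been dropped.
DEFAULT_AGE_THRESHOLD_IN_DAYS = 40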
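def main():
    """Sweep every configured (non-default) AWS profile for stale inactive IAM keys.

    For each profile listed in the shared credentials file a dedicated boto3
    session is created, the module-level ``iam`` client is pointed at it, and
    ``get_inactive_access_keys_last_used()`` deletes any ``Inactive`` key whose
    last use is at least ``DEFAULT_AGE_THRESHOLD_IN_DAYS`` days old.

    A profile whose IAM calls fail with a ``ClientError`` (expired or
    unauthorised credentials, for example) is reported and skipped so the
    remaining profiles are still processed; any other exception propagates.

    Returns:
        list: the per-profile result dicts, in credentials-file order.
    """
    global iam
    all_results = []
    for profile in generate_access_list():  # Use sts_assume instead
        if profile == 'default':
            print("Skipping 'default' access profile")
            continue
        print("Checking " + profile + "...")
        # A per-profile session switches credentials without mutating the
        # process environment (AWS_PROFILE).
        session = boto3.session.Session(profile_name=profile)
        iam = session.client('iam')
        try:
            all_results.append(get_inactive_access_keys_last_used())
        except ClientError as err:
            # Report and move on: one bad profile must not abort the sweep
            # of the others, but the failure stays visible in the output.
            print("Skipping " + profile + ": " + str(err))
            continue
    return all_results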
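def generate_access_list(config=None):
    """Return the profile names (section names) of the credentials file.

    Args:
        config: Any object exposing ``sections()`` such as a ``ConfigParser``.
            Defaults to the module-level ``access_list`` parsed at import time.

    Returns:
        list[str]: the section names in file order, as a fresh list.
    """
    if config is None:
        config = access_list
    return list(config.sections())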
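def get_inactive_access_keys_last_used(client=None, age_threshold=None):
    """Delete every ``Inactive`` IAM access key whose last use is stale.

    A key is deleted when its ``Status`` is ``Inactive`` *and* the
    ``LastUsedDate`` reported by ``get_access_key_last_used`` is at least
    ``age_threshold`` days old.  Inactive keys that have never been used (no
    ``LastUsedDate`` in the response) are left in place, as in the original
    script; ``Active`` keys are never touched.  Deletion is irreversible.

    Args:
        client: A boto3 IAM client.  Defaults to the module-level ``iam``
            client that ``main()`` installs for the current profile.
        age_threshold: Minimum age in days of the last use before a key is
            deleted.  Defaults to ``DEFAULT_AGE_THRESHOLD_IN_DAYS``.

    Returns:
        dict: ``{'DeletedAccessKeys': [{'AccessKeyId': str,
        'LastUsedDate': 'YYYY-MM-DD'}, ...]}``.

    Raises:
        ClientError: re-raised after printing a hint when the credentials are
            rejected (``InvalidClientTokenId``); the caller decides whether to
            skip the profile.
    """
    if client is None:
        client = iam
    if age_threshold is None:
        age_threshold = DEFAULT_AGE_THRESHOLD_IN_DAYS
    deleted = []
    today = date.today()
    try:
        # Paginate: a bare list_users() returns only the first page, so users
        # beyond it would silently keep their stale keys.
        for page in client.get_paginator('list_users').paginate():
            for user in page['Users']:
                user_name = user['UserName']
                metadata = client.list_access_keys(UserName=user_name)['AccessKeyMetadata']
                for key in metadata:
                    if key['Status'] != 'Inactive':
                        continue
                    key_id = key['AccessKeyId']
                    last_used = client.get_access_key_last_used(AccessKeyId=key_id)['AccessKeyLastUsed']
                    if 'LastUsedDate' not in last_used:
                        # Never used: there is no age to judge, leave it alone.
                        continue
                    stamp = last_used['LastUsedDate']
                    last_used_date = date(stamp.year, stamp.month, stamp.day)
                    age = (today - last_used_date).days
                    if age < age_threshold:
                        continue
                    print('The inactive access key {0}, user {1}, has not been used in {2} days.'.format(key_id, user_name, age))
                    print('Deleting access key {0}.'.format(key_id))
                    # Delete (not merely disable) the key; Status is already Inactive.
                    client.delete_access_key(
                        UserName=user_name,
                        AccessKeyId=key_id
                    )
                    deleted.append({'AccessKeyId': key_id, 'LastUsedDate': str(last_used_date)})
    except ClientError as e:
        if e.response['Error']['Code'] == 'InvalidClientTokenId':
            print("Not authorized to perform iam maintainence")
        raise
    return {'DeletedAccessKeys': deleted}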
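# Guard the entry point: importing this module (e.g. from a test or another
# tool) must not start deleting IAM keys.
if __name__ == "__main__":
    main()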