iam-credentials-disabler

#!/bin/sh

set -euo pipefail

# the generate-credential-report command returns before the actual report is
# available for download
while aws iam generate-credential-report | jq -e -r '.State != "COMPLETE"' >/dev/null; do
    echo ">>> waiting for new report..."
    sleep 5
done

aws iam get-credential-report | jq -r '.Content' | base64 -d > aws-report.csv

expiry="$(date --date='90 days ago' --iso-8601)"

echo '>>> deleting login profiles for users who have not logged in in the past 90 days'
awk -F ',' -v date="${expiry}" '$4 == "true" && $5 < date {print $1}' aws-report.csv | \
    xargs -t -I {} aws iam delete-login-profile --user-name "{}"

echo '>>> deleting user iam keys that have not been used in the past 90 days'
# find all users who have at least one expired key associated with them
#   ($9 == "true" && $11 < date) translates to:
#   access_key_1_active == "true" && access_key_1_last_used_date < date
# similarly, the second part of the expression checks access_key_2
awk -F ',' -v date="${expiry}" '($9 == "true" && $11 < date) || ($14 == "true" && $16 < date) {print $1}' aws-report.csv | \
while IFS= read -r u; do
   # loop through the access keys of the user and find which ones have expired
   aws iam list-access-keys --user-name "${u}" | jq -r '.AccessKeyMetadata[] | select(.Status == "Active") | .AccessKeyId' | \
   while IFS= read -r ak; do
       if aws iam get-access-key-last-used --access-key-id "${ak}" | \
           jq -e --arg date "${expiry}" '.AccessKeyLastUsed.LastUsedDate < $date' >/dev/null; then
           (
               set -x
               aws iam delete-access-key --user-name "${u}" --access-key-id "${ak}"
           )
       fi
   done
done

echo '>>> deleting user iam keys that have never been used and were created more than 90 days ago'
# find all users who have at least one expired key associated with them
#   ($9 == "true" && $11 == "N/A" && $10 < date) translates to:
#   access_key_1_active == "true" && access_key_1_last_used_date == "N/A" && access_key_1_last_rotated < date
# where `access_key_1_last_rotated` is essentially the date it was created
# similarly, the second part of the expression checks access_key_2
awk -F ',' -v date="${expiry}" '($9 == "true" && $11 == "N/A" && $10 < date) || ($14 == "true" && $16 == "N/A" && $15 < date) {print $1}' aws-report.csv | \
while IFS= read -r u; do
   # loop through the access keys of the user and find which ones were created more than 90d ago
   aws iam list-access-keys --user-name "${u}" | \
       jq -r --arg date "${expiry}" '.AccessKeyMetadata[] | select(.Status == "Active" and .CreateDate < $date) | .AccessKeyId' | \
   while IFS= read -r ak; do
       if aws iam get-access-key-last-used --access-key-id "${ak}" | \
           jq -e -r '.AccessKeyLastUsed.LastUsedDate == null' >/dev/null; then
           (
               set -x
               aws iam delete-access-key --user-name "${u}" --access-key-id "${ak}"
           )
       fi
   done
done