Let Oomnitza be your single source of truth!
You'll get visibility of your users as data from AWS IAM is automatically transformed into consumable information and actionable insights.
Connect Oomnitza and AWS IAM in minutes
Get the information and insights that you need by creating configurable workflows for:
- Managing groups, including creating and deleting groups.
- Getting, creating, and deleting AWS IAM roles.
- Onboarding and offboarding users
- Managing policies, including user policies, managed policies, group policies, and role policies
- Fetching user information, including the user MFA status, user groups, password age, and access keys.
Before you start
Before you can create the integration with Oomnitza, you need to have added your credentials to Oomnitza. For further information, refer to Adding your AWS credentials to Oomnitza.
We recommend that you also create an extended integration for AWS IAM users. You can use the information retrieved in these integrations to trigger workflows.
Adding global variables
To save time entering information when you create the integration, you can add your AWS API version as a global variable in Oomnitza.
Procedure
- Click Configuration>General>Global Settings.
- Click Add new variable(+).
- Add the following variable as the key AWS.Version
- Enter your AWS API Version as the value. For example, the current API version for AWS IAM is 2010-05-08. See AWS Documentation: API Versions.
- Save your changes.
Creating workflows
To create a user workflow, you must complete these steps:
- Click Configuration > Workflows
- Click Add (+) and select People from the list.
- Edit the Begin Block and add rules to trigger the workflow. For example, if you set Actions to Schedule and add the rule Email Equals <EmployeeEmail>, the workflow runs on the scheduled date for the user with that email address. Refer to Using the Begin block.
- Drag and drop the API block onto the Sandbox.
- Click Edit on the API block and enter AWS IAM in the search field.
- Select a preset from the list below. To choose a preset, click the forward arrow (>).
- Amazon AWS IAM Detach user policy
- Amazon AWS IAM Add User to Group
- Amazon AWS IAM Attach role policy
- Amazon AWS IAM Attach user policy
- Amazon AWS IAM Create Group
- Amazon AWS IAM Create Managed Policy
- Amazon AWS IAM Create Role
- Amazon AWS IAM Create user
- Amazon AWS IAM Delete Group
- Amazon AWS IAM Delete policy
- Amazon AWS IAM Delete role
- Amazon AWS IAM Detach role policy
- Amazon AWS IAM Get role
- Amazon AWS IAM List attached group policies
- Amazon AWS IAM List attached role policies
- Amazon AWS IAM List attached user policies
- Amazon AWS IAM Remove user from group
- Amazon AWS IAM Attach group policy
- Amazon AWS IAM Detach group policy
- Amazon AWS IAM Delete access key
- Amazon AWS IAM Delete user
- Amazon AWS IAM Disable user
- Amazon AWS IAM Get password age for user
- Amazon AWS IAM Get MFA status for user
- Amazon AWS IAM Get list of user groups for a user
- Amazon AWS IAM Get list of access keys for a user
- Select the credentials that you created in Adding your AWS credentials to Oomnitza.
- Enter any mandatory information when prompted.
- Select Advanced Mode.
- Select the Params tab. Review and ensure that the properties referenced in this location, such as {{alternate_username}}, exist in Oomnitza and are populated with information before you run this workflow. You can create a user integration to retrieve this information before you run this workflow.
- Select the Response tab. You can access the complete response by inserting {{response}} in the Response field, and then selecting the Oomnitza field or variable that you want to map to. See Mapping positive and negative responses.
- Connect the Blocks.
- Save, validate, and activate your workflow.
Using the Detach user policy preset
The AWS IAM Detach user policy preset removes the specified managed policy from the specified user. You need to supply the Amazon Resource Name (ARN) of the IAM policy you want to detach, such as arn:aws:iam::aws:policy/AdministratorAccess. See Amazon General Reference Documentation: Resource Names (ARNs).
The user associated with the action is referenced in the Advanced Mode > Params tab in the property {{alternate_username}} (max. length 64).
See AWS IAM Docs: DetachUserPolicy.
Using the Add User to Group preset
The IAM Add User to Group preset adds the specified user to the specified group. You need to supply the name of the group to update, such as Managers.
The user associated with the action is referenced in the Advanced Mode > Params tab in the property {{alternate_username}} (max. length 64).
See AWS IAM Docs: Add user to group.
Using the Attach role policy preset
The AWS IAM Attach role policy preset attaches the specified managed policy to the specified IAM role. When you attach a managed policy to a role, the managed policy becomes part of the role's permission (access) policy. You need to supply the following for this preset:
- The Amazon Resource Name (ARN) of the IAM policy you want to attach, such as arn:aws:iam::aws:policy/ReadOnlyAccess. See Amazon General Reference Documentation: Resource Names (ARNs).
- The name (friendly name, not ARN) of the role to attach the policy to, such as ReadOnlyRole.
See AWS IAM Docs: Attach role policy.
Using the Attach user policy preset
The AWS IAM Attach user policy preset attaches the specified managed policy to the specified user. You need to supply the Amazon Resource Name (ARN) of the IAM policy you want to attach, such as arn:aws:iam::aws:policy/AdministratorAccess. See Amazon General Reference Documentation: Resource Names (ARNs).
The user associated with the action is referenced in the Advanced Mode > Params tab in the property {{alternate_username}} (max. length 64).
See AWS IAM Docs: Attach user policy.
Using the Create Group preset
The AWS IAM Create Group preset creates a new group. You need to supply the name of the group to create, such as Admins.
See AWS IAM Docs: Create group.
Using the Create Managed Policy preset
The AWS IAM Create Managed Policy preset creates a new managed policy for your AWS account. You need to supply the following for this preset:
- The friendly name of the policy, such as S3-read-only-example-bucket. The name must be unique within your account, and IAM does not distinguish case: "MyResource" and "myresource" are treated as the same name.
- The description of the policy (max. length 1000). AWS documentation recommends that you use this field to detail the permissions defined in the policy, such as "Grants access to production DynamoDB tables."
- The policy in JSON format (max. length 131072), such as {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:ListAllMyBuckets", "Resource":"arn:aws:s3:::*"},{"Effect":"Allow","Action":["s3:Get*","s3:List*"],"Resource": ["arn:aws:s3:::EXAMPLE-BUCKET","arn:aws:s3:::EXAMPLE-BUCKET/*"]}]}.
See AWS IAM Docs: Create policy.
Using the Create Role preset
The AWS IAM Create Role preset creates a new role for your AWS account. You need to supply the following for this preset:
- The name of the role, such as S3Access
- The description of the role (max. length 1000).
- The trust policy in JSON format (max. length 131072) that defines which principals may assume the role, such as {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":["ec2.amazonaws.com"]},"Action":["sts:AssumeRole"]}]}.
- The maximum session duration (in seconds) for the role. If you do not specify a value, the default of one hour (3600) applies. The value can range from 1 hour (3600) to 12 hours (43200).
See AWS IAM Docs: Create role.
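Both the Create Managed Policy and the Create Role presets hand a JSON document straight to IAM, which will accept an over-broad grant as readily as a tight one. The following is an added example, not Oomnitza's or AWS's code, of an offline pre-flight check you can run on a document before a workflow submits it. It uses the size and session limits quoted on this page and the two example documents above; the finding levels (fatal, high, warn) and the wildcard heuristics are this example's own convention, not an IAM rule.

```python
"""Offline checks for the JSON documents the Create Managed Policy and Create
Role presets send to IAM. Added example, not Oomnitza or AWS code. The size
and session limits are the ones quoted on this page; the finding levels
(fatal / high / warn) are this example's own convention."""
import json

MAX_POLICY_DOCUMENT_LEN = 131072                          # CreatePolicy / CreateRole limit
MIN_SESSION_SECONDS, MAX_SESSION_SECONDS = 3600, 43200    # 1 h .. 12 h

# The two example documents from the page, verbatim
EXAMPLE_PERMISSIONS_POLICY = ('{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
    '"Action":"s3:ListAllMyBuckets","Resource":"arn:aws:s3:::*"},{"Effect":"Allow",'
    '"Action":["s3:Get*","s3:List*"],"Resource":["arn:aws:s3:::EXAMPLE-BUCKET",'
    '"arn:aws:s3:::EXAMPLE-BUCKET/*"]}]}')
EXAMPLE_TRUST_POLICY = ('{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
    '"Principal":{"Service":["ec2.amazonaws.com"]},"Action":["sts:AssumeRole"]}]}')


def _as_list(value):
    """IAM accepts a single string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def check_policy_document(document, kind="permissions"):
    """Return [(level, message), ...] for a policy JSON string.

    kind="permissions": identity-based policy for Create Managed Policy.
    kind="trust": role trust policy for Create Role.
    'fatal' means IAM would reject the document; 'high' and 'warn' flag
    over-broad grants that the API would happily accept.
    """
    findings = []
    if len(document) > MAX_POLICY_DOCUMENT_LEN:
        findings.append(("fatal", f"document exceeds {MAX_POLICY_DOCUMENT_LEN} characters"))
    try:
        policy = json.loads(document)
    except json.JSONDecodeError as exc:
        return findings + [("fatal", f"invalid JSON: {exc.msg}")]
    if not isinstance(policy, dict):
        return findings + [("fatal", "policy must be a JSON object")]
    if policy.get("Version") != "2012-10-17":
        findings.append(("warn", "Version should be 2012-10-17"))
    statements = [s for s in _as_list(policy.get("Statement", [])) if isinstance(s, dict)]
    if not statements:
        findings.append(("fatal", "policy has no Statement"))
    for idx, stmt in enumerate(statements):
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            findings.append(("fatal", f"statement {idx}: Effect must be Allow or Deny"))
        actions = [str(a).lower() for a in _as_list(stmt.get("Action", []))]
        if kind == "trust":
            principal = stmt.get("Principal")
            if principal is None:
                findings.append(("fatal", f"statement {idx}: trust statement has no Principal"))
            elif principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
                findings.append(("high", f"statement {idx}: any AWS principal may assume this role"))
            if effect == "Allow" and any(not a.startswith("sts:") for a in actions):
                findings.append(("warn", f"statement {idx}: trust policy allows non-STS actions"))
        else:
            if "Principal" in stmt:
                findings.append(("fatal", f"statement {idx}: identity policies cannot carry Principal"))
            resources = _as_list(stmt.get("Resource", []))
            if effect == "Allow" and "*" in actions and "*" in resources:
                findings.append(("high", f"statement {idx}: Allow * on * equals AdministratorAccess"))
            elif effect == "Allow" and any(a == "*" or a.endswith(":*") for a in actions):
                findings.append(("warn", f"statement {idx}: service-wide wildcard action"))
    return findings


def check_session_duration(seconds):
    """True when a Create Role MaxSessionDuration lies within 1 to 12 hours."""
    return MIN_SESSION_SECONDS <= int(seconds) <= MAX_SESSION_SECONDS


if __name__ == "__main__":
    for label, doc, kind in (("managed policy", EXAMPLE_PERMISSIONS_POLICY, "permissions"),
                             ("trust policy", EXAMPLE_TRUST_POLICY, "trust")):
        print(label, check_policy_document(doc, kind) or "OK")
```

Run it against the document you intend to paste into the preset; both examples from this page come back clean, while a statement such as {"Effect":"Allow","Action":"*","Resource":"*"} or a trust policy with "Principal":"*" is flagged before it ever reaches IAM.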
Using the Create user preset
The AWS IAM Create user preset creates a new IAM user for your AWS account.
The user to be created is referenced in the Advanced Mode > Params tab in the property {{alternate_username}} (max. length 64).
See AWS IAM Docs: Create user.
Using the Delete Group preset
The AWS IAM Delete group preset deletes the specified IAM group.
You need to supply the name of the group to delete, such as Admins. The group must not contain any users or have any attached policies. See AWS IAM Docs: Delete group.
Using the Delete Managed Policy preset
The AWS IAM Delete policy preset deletes the specified managed policy. You need to supply the Amazon Resource Name (ARN) of the IAM policy you want to delete, such as arn:aws:iam::123456789012:policy/S3-read-only-example-bucket. See Amazon General Reference Documentation: Resource Names (ARNs).
Important
Before you can delete a managed policy, you must first detach the policy from all users, groups, and roles that it is attached to. In addition, you must delete all of the policy's versions other than the default version (DeletePolicy removes the default version itself). Refer to the steps in AWS IAM Docs: Delete policy.
Using the Delete role preset
The AWS IAM Delete role preset deletes the specified role. You need to supply the role name to delete, such as S3Access. Unlike the AWS Management Console, when you delete a role programmatically, you must delete the items attached to the role manually, or the deletion fails. See AWS IAM Docs: Delete role.
Using the Detach role policy preset
The AWS IAM Detach role policy preset removes the specified managed policy from the specified role.
You need to supply the following for this preset:
- The name of the role, such as ReadOnlyRole
- The Amazon Resource Name (ARN) of the IAM policy you want to detach, such as
arn:aws:iam::aws:policy/ReadOnlyAccess. See Amazon General Reference Documentation: Resource Names (ARNs).
See AWS IAM Docs: Detach role policy.
Using the Get role preset
The AWS IAM Get role preset retrieves information about the specified role, including the role's path, GUID, ARN, and the role's trust policy that grants permission to assume the role. You need to supply the name of the role that you want to fetch, such as S3Access. See AWS IAM Docs: Get role.
Using the List attached group policies preset
The AWS IAM List attached group policies preset lists all managed policies that are attached to the specified IAM group. You need to supply the name of the group, such as ReadOnlyUsers. See AWS IAM Docs: List attached group policies.
Using the List attached role policies preset
The AWS IAM List attached role policies preset lists all managed policies that are attached to the specified IAM role. You need to supply the name of the role, such as ReadOnlyRole. See AWS IAM Docs: List attached role policies.
Using the Remove user from group preset
The AWS IAM Remove user from group preset removes the specified user from the specified group. You need to supply the name of the group, such as Managers. The user to be removed is referenced in the Advanced Mode > Params tab in the property {{alternate_username}} (max. length 64). See AWS IAM Docs: Remove user from group.
Using the Attach group policy preset
The AWS IAM Attach group policy preset attaches the specified managed policy to the specified IAM group.
You need to supply the following for this preset:
- The name of the group, such as Finance
- The Amazon Resource Name (ARN) of the IAM policy you want to attach, such as
arn:aws:iam::aws:policy/ReadOnlyAccess. See Amazon General Reference Documentation: Resource Names (ARNs).
See AWS IAM Docs: Attach group policy.
Using the Detach group policy preset
The AWS IAM Detach group policy preset removes the specified managed policy from the specified IAM group.
You need to supply the following for this preset:
- The name of the group, such as Finance
- The Amazon Resource Name (ARN) of the IAM policy you want to detach, such as arn:aws:iam::aws:policy/ReadOnlyAccess. See Amazon General Reference Documentation: Resource Names (ARNs).
See AWS IAM Docs: Detach group policy.
Using the Delete Access key preset
The AWS IAM Delete Access key preset deletes the access key pair associated with the specified IAM user.
You need to supply the following for this preset in the Advanced Mode > Params tab:
- The name of the user whose access key pair you want to delete (referenced in the property {{alternate_username}})
- The access key ID of the access key pair you want to delete (referenced in the property {{accesskeyid}})
Important
Before you delete the access key, it is recommended that you check that it is not used in any active integrations as these will start to fail once the access key has been deleted. Since a user can have multiple access keys, you may have to run this preset more than once to delete all access keys for a single user.
See AWS API Documentation: Delete Access Key.
Using the Delete User preset
The AWS IAM Delete User preset deletes a user from AWS IAM. Once a user is deleted, it cannot be restored. Unlike the AWS Management Console, the API does not clean up for you: you must first remove everything attached to the user (password, access keys, signing certificates, SSH public keys, MFA devices, inline and attached policies, and group memberships), or the deletion fails. Before deleting the user, follow the procedure in AWS API Documentation: Delete User.
The user to be deleted is referenced in the Advanced Mode > Params tab in the property {{alternate_username}} (max. length 64).
Using the Disable User preset
The AWS IAM Disable User preset deletes the password for a specified IAM user, which terminates the user's ability to access AWS services through the AWS Management Console.
The user to be disabled is referenced in the Advanced Mode > Params tab in the property {{alternate_username}} (max. length 64).
Important
This action does not prevent a user from accessing AWS through the command line interface or the API. To prevent all user access, you must also either make any access keys inactive or delete them. See UpdateAccessKey and DeleteAccessKey.
See AWS API Documentation: Delete Login Profile.
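The Important note above is the reason an offboarding workflow should not stop at the Disable User preset. The following is an added example, not Oomnitza's or AWS's code, of the complete sequence: delete the console password, then page through every access key and set it Inactive. disable_iam_user is written against the boto3 IAM client method names (delete_login_profile, list_access_keys, update_access_key and client.exceptions.NoSuchEntityException); the FakeIAM class and the users in it are constructed here so the sequence runs offline, and a real boto3.client('iam') can be passed in its place.

```python
"""Lock an IAM user out of both console and API. Added example, not Oomnitza
or AWS code. disable_iam_user is written against the boto3 IAM client method
names (delete_login_profile, list_access_keys, update_access_key and
client.exceptions.NoSuchEntityException); FakeIAM and its users are
constructed here so the sequence runs offline."""


class NoSuchEntityException(Exception):
    """Mirrors the IAM error boto3 exposes as client.exceptions.NoSuchEntityException."""


class _Exceptions:
    NoSuchEntityException = NoSuchEntityException


class FakeIAM:
    """In-memory stand-in for boto3.client('iam'); one key per page to exercise pagination."""
    exceptions = _Exceptions

    def __init__(self, users):
        # {user: {"login_profile": bool, "keys": {access_key_id: "Active" | "Inactive"}}}
        self.users = users

    def delete_login_profile(self, UserName):
        if not self.users[UserName]["login_profile"]:
            raise NoSuchEntityException(f"Login Profile for User {UserName} cannot be found.")
        self.users[UserName]["login_profile"] = False

    def list_access_keys(self, UserName, Marker=None, MaxItems=100):
        keys = sorted(self.users[UserName]["keys"].items())
        start = 0 if Marker is None else int(Marker)
        page = keys[start:start + 1]
        response = {
            "AccessKeyMetadata": [{"UserName": UserName, "AccessKeyId": k, "Status": s} for k, s in page],
            "IsTruncated": start + 1 < len(keys),
        }
        if response["IsTruncated"]:
            response["Marker"] = str(start + 1)
        return response

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.users[UserName]["keys"][AccessKeyId] = Status


def disable_iam_user(iam, user_name):
    """Delete the console password, then set every access key Inactive.

    Keys are deactivated rather than deleted so a mistaken lockout is
    reversible with UpdateAccessKey; delete them once offboarding is final.
    Returns what changed, suitable for mapping into an Oomnitza field.
    """
    result = {"login_profile_deleted": False, "keys_deactivated": []}
    try:
        iam.delete_login_profile(UserName=user_name)
        result["login_profile_deleted"] = True
    except iam.exceptions.NoSuchEntityException:
        pass  # no console password, but access keys may still exist
    marker = None
    while True:  # ListAccessKeys is paginated; a single page is not the whole answer
        kwargs = {"UserName": user_name}
        if marker:
            kwargs["Marker"] = marker
        page = iam.list_access_keys(**kwargs)
        for key in page["AccessKeyMetadata"]:
            if key["Status"] == "Active":
                iam.update_access_key(UserName=user_name, AccessKeyId=key["AccessKeyId"], Status="Inactive")
                result["keys_deactivated"].append(key["AccessKeyId"])
        if not page.get("IsTruncated"):
            return result
        marker = page["Marker"]


def demo():
    """Constructed account: alice has a password and three keys, one already inactive."""
    iam = FakeIAM({"alice": {"login_profile": True,
                             "keys": {"AKIAEXAMPLE000001": "Active",
                                      "AKIAEXAMPLE000002": "Inactive",
                                      "AKIAEXAMPLE000003": "Active"}}})
    return disable_iam_user(iam, "alice"), iam.users["alice"]


if __name__ == "__main__":
    print(demo())
```

The order matters: the password goes first because it is the single credential, and the key loop then runs to the end of the paginated list rather than stopping at the first page. A user who never had a console password raises NoSuchEntity on DeleteLoginProfile, which the function treats as "nothing to do" and carries on to the keys.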
Using the Get password age for a user preset
The AWS IAM Get password age for a user preset gets the user name and password create date. This preset can help you calculate the age of the password to determine if that password is within your company's password age policy.
The user to be retrieved is referenced in the Advanced Mode > Params tab in the property {{alternate_username}} (max. length 64).
See AWS API Documentation: Get Login Profile.
Using the Get MFA status for a user preset
The AWS Get MFA Status for a user preset lists the MFA (Multi-Factor Authentication) devices for an IAM user. This preset can help you monitor MFA in your organization. Once the users are imported successfully, you can trigger workflows that allow you to notify users to switch it on or even disable users who have not enabled it.
The user to be retrieved is referenced in the Advanced Mode > Params tab in the property {{alternate_username}} (max. length 64).
See AWS API Documentation: List MFA devices.
Using the Get List of Groups for a user preset
The AWS Get List of Groups for a user preset lists the IAM groups that the specified AWS IAM user belongs to.
The user to be retrieved is referenced in the Advanced Mode > Params tab in the property {{alternate_username}} (max. length 64).
See AWS API Documentation: List Groups for User.
Using the Get List of Access keys for a user preset
The AWS Get List of Access keys for a user preset lists the access keys associated with a specified AWS IAM user and the age of the access key. This will enable you to identify and deactivate any unnecessary IAM access keys as a security best practice.
The user to be retrieved is referenced in the Advanced Mode > Params tab in the property {{alternate_username}} (max. length 64).
You may want to enter one of the following statements in the Response field:
{% set temp = response['ListAccessKeysResponse']['ListAccessKeysResult']['AccessKeyMetadata']['member']%}{%if (temp is defined) and temp%}{%if temp['AccessKeyId']%}{%set temp = [temp]%}{%endif%}{{ temp | rejectattr('Status', 'eq', 'Inactive') | map(attribute='AccessKeyId') | join(', ') }}{%else%}NONE{%endif%}
This statement outputs the IDs of the access keys that are currently active for the user, separated by commas, or the literal string NONE (upper case) if there are none. The inner test on temp['AccessKeyId'] handles the single-key case, where the response contains one member rather than a list of members.
{% set temp = response['ListAccessKeysResponse']['ListAccessKeysResult']['AccessKeyMetadata']['member']%}{%if (temp is defined) and temp%}{%if temp['AccessKeyId']%}{%set temp = [temp]%}{%endif%}{% set dates = temp | rejectattr('Status', 'eq', 'Inactive') | map(attribute='CreateDate') | sort | list %}{%if (dates is defined) and dates%}{{dates[0]}}{%endif%}{%endif%}
This statement gets the creation date of the oldest active access key. The dates are sorted first (ISO 8601 timestamps sort correctly as strings) so that the result does not depend on the order in which the keys are listed; without the sort, dates[0] is only the first key returned.
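To see what the two statements do with a real response shape, here is the same logic in plain Python, as an added example that is not Oomnitza's or AWS's code. SAMPLE_XML and ONE_KEY_XML are constructed in the shape of the IAM Query API ListAccessKeys response (the key IDs and dates are made up); xml_to_dict reproduces the one-member-becomes-a-dict quirk that the statements guard against with the temp['AccessKeyId'] test, and key_age_days is the same date arithmetic the Get password age preset leaves to you.

```python
"""Plain-Python equivalent of the two Jinja statements above, plus key age.
Added example, not Oomnitza or AWS code. SAMPLE_XML and ONE_KEY_XML are
constructed in the shape of the IAM Query API ListAccessKeys response; the
key IDs and dates are made up."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = "{https://iam.amazonaws.com/doc/2010-05-08/}"   # IAM response namespace

SAMPLE_XML = """<ListAccessKeysResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
<ListAccessKeysResult><AccessKeyMetadata>
<member><UserName>alice</UserName><AccessKeyId>AKIAEXAMPLE000002</AccessKeyId>
<Status>Active</Status><CreateDate>2023-11-05T09:12:00Z</CreateDate></member>
<member><UserName>alice</UserName><AccessKeyId>AKIAEXAMPLE000001</AccessKeyId>
<Status>Active</Status><CreateDate>2021-02-14T18:39:23Z</CreateDate></member>
<member><UserName>alice</UserName><AccessKeyId>AKIAEXAMPLE000003</AccessKeyId>
<Status>Inactive</Status><CreateDate>2019-07-01T00:00:00Z</CreateDate></member>
</AccessKeyMetadata><IsTruncated>false</IsTruncated>
</ListAccessKeysResult></ListAccessKeysResponse>"""

ONE_KEY_XML = """<ListAccessKeysResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
<ListAccessKeysResult><AccessKeyMetadata>
<member><UserName>bob</UserName><AccessKeyId>AKIAEXAMPLE000009</AccessKeyId>
<Status>Active</Status><CreateDate>2024-01-01T00:00:00Z</CreateDate></member>
</AccessKeyMetadata><IsTruncated>false</IsTruncated>
</ListAccessKeysResult></ListAccessKeysResponse>"""

NO_KEY_XML = (ONE_KEY_XML.split("<AccessKeyMetadata>")[0] + "<AccessKeyMetadata/>"
              + ONE_KEY_XML.split("</AccessKeyMetadata>")[1])


def xml_to_dict(xml_text):
    """Nest the response into dicts. A repeated tag becomes a list, but a tag
    that occurs once stays a plain value: one <member> is a dict, not a
    one-element list, which is the quirk the Jinja statements handle."""
    def convert(elem):
        if len(elem) == 0:
            return elem.text or ""
        out = {}
        for child in elem:
            tag = child.tag.replace(NS, "")
            value = convert(child)
            if tag in out:
                out[tag] = out[tag] if isinstance(out[tag], list) else [out[tag]]
                out[tag].append(value)
            else:
                out[tag] = value
        return out
    root = ET.fromstring(xml_text)
    return {root.tag.replace(NS, ""): convert(root)}


def active_keys(response):
    """AccessKeyMetadata members whose Status is not Inactive, always as a list."""
    metadata = response["ListAccessKeysResponse"]["ListAccessKeysResult"]["AccessKeyMetadata"]
    if not isinstance(metadata, dict):       # empty element: the user has no keys
        return []
    members = metadata["member"]
    if isinstance(members, dict):            # exactly one key: not wrapped in a list
        members = [members]
    return [m for m in members if m["Status"] != "Inactive"]


def active_key_ids(response):
    """Same output as the first statement: comma-separated ids, or NONE."""
    ids = [m["AccessKeyId"] for m in active_keys(response)]
    return ", ".join(ids) if ids else "NONE"


def oldest_active_create_date(response):
    """UTC ISO 8601 timestamps sort as strings, so min() picks the oldest
    key regardless of the order in which IAM listed them."""
    dates = [m["CreateDate"] for m in active_keys(response)]
    return min(dates) if dates else None


def key_age_days(create_date, now=None):
    """Whole days since a CreateDate (works equally for the GetLoginProfile
    CreateDate behind the Get password age preset). now: ISO string or None."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    created = datetime.strptime(create_date, fmt).replace(tzinfo=timezone.utc)
    current = (datetime.strptime(now, fmt).replace(tzinfo=timezone.utc)
               if now else datetime.now(timezone.utc))
    return (current - created).days


if __name__ == "__main__":
    resp = xml_to_dict(SAMPLE_XML)
    print(active_key_ids(resp), oldest_active_create_date(resp))
    print({m["AccessKeyId"]: key_age_days(m["CreateDate"]) for m in active_keys(resp)})
```

Note that in SAMPLE_XML the newer key is listed first, so taking the first date without sorting would report 2023 rather than the real oldest key from 2021; the single-member and empty-element cases are what the temp['AccessKeyId'] and (temp is defined) and temp tests in the Jinja statements exist for.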
See AWS API Documentation: List Access Keys.