TeraSky-OSS/aws-organizational-iam-users-report
AWS Organizational IAM Users Report

The AWS Organizational IAM Users Report tool will help you generate a report of all IAM users in your AWS organization, including their last activity, password age, and more.

This tool is based on the AWS IAM Credentials Report native tool, and extends it to generate a report for the entire AWS organization.

Although the tool is deployed with Terraform, the Terraform module also deploys a set of resources through CloudFormation StackSets, because of a Terraform limitation (there are no "dynamic providers", so one provider per member account cannot be generated).

The following resources are being created as part of this module:

  • Lambda function in the management account
  • EventBridge event rule in the management account
  • CloudFormation StackSet that deploys an IAM role in each chosen member account
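As an added example (not code from the TeraSky-OSS project), the Python below shows the kind of per-account processing a report Lambda has to do once it has a member account's IAM credential report in hand: it parses the report CSV and flags users with a stale password, a stale access key, a console login without MFA, or no recent activity. The sample report, the reference time and the 90-day thresholds are constructed for the example; in the real tool the CSV would come from the `GenerateCredentialReport`/`GetCredentialReport` IAM API calls made with the role assumed in the member account.

```python
"""Flag risky IAM users from a credential report CSV (added example, not project code)."""
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the column layout of the IAM credential report
# (a subset of its columns). Account ID and users are made up.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_1_last_rotated
<root_account>,arn:aws:iam::111111111111:root,2020-01-01T00:00:00+00:00,not_supported,2023-01-10T09:00:00+00:00,not_supported,false,false,N/A,N/A
alice,arn:aws:iam::111111111111:user/alice,2021-03-05T12:00:00+00:00,true,2023-04-01T08:00:00+00:00,2022-01-15T00:00:00+00:00,true,true,2023-04-01T08:00:00+00:00,2023-03-01T00:00:00+00:00
bob,arn:aws:iam::111111111111:user/bob,2021-06-20T12:00:00+00:00,true,no_information,2021-06-20T12:00:00+00:00,false,true,N/A,2021-06-20T12:00:00+00:00
svc-deploy,arn:aws:iam::111111111111:user/svc-deploy,2022-02-02T00:00:00+00:00,false,N/A,N/A,false,true,2023-04-02T00:00:00+00:00,2022-02-02T00:00:00+00:00
"""

# Constructed reference time so the example is deterministic.
SAMPLE_NOW = datetime(2023, 4, 3, tzinfo=timezone.utc)


def parse_timestamp(value):
    """Return an aware datetime, or None for the report's non-date markers."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def age_days(value, now):
    """Whole days between a report timestamp and `now`, or None if unknown."""
    stamp = parse_timestamp(value)
    return None if stamp is None else (now - stamp).days


def analyze_report(csv_text, now, max_age_days=90, inactive_days=90):
    """Map each user in the report to a list of issue tags (empty list = clean)."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        issues = []
        is_root = user == "<root_account>"
        # The root row reports password_enabled as not_supported; treat it as console-capable.
        console = is_root or row["password_enabled"] == "true"
        mfa = row["mfa_active"] == "true"

        if is_root and not mfa:
            issues.append("root_no_mfa")
        elif console and not mfa:
            issues.append("console_no_mfa")

        pw_age = age_days(row["password_last_changed"], now)
        if console and pw_age is not None and pw_age > max_age_days:
            issues.append("stale_password")

        key_age = age_days(row["access_key_1_last_rotated"], now)
        if row["access_key_1_active"] == "true" and key_age is not None and key_age > max_age_days:
            issues.append("stale_access_key")

        # Last activity is the most recent of console login and key use; none means never used.
        seen = [t for t in (parse_timestamp(row["password_last_used"]),
                            parse_timestamp(row["access_key_1_last_used_date"])) if t]
        if not seen or (now - max(seen)).days > inactive_days:
            issues.append("inactive_user")

        findings[user] = issues
    return findings


def count_by_issue(findings):
    """Aggregate per-user findings into a count per issue tag, for the report summary."""
    counts = {}
    for issues in findings.values():
        for tag in issues:
            counts[tag] = counts.get(tag, 0) + 1
    return counts


if __name__ == "__main__":
    result = analyze_report(SAMPLE_REPORT, SAMPLE_NOW)
    for name, issues in result.items():
        print(f"{name}: {', '.join(issues) or 'ok'}")
    print(count_by_issue(result))
```

Run as a script it prints one line per user; in an organization-wide report the same function would be applied to each member account's CSV and the aggregated counts would go into the emailed summary. Note that the credential report is generated asynchronously, so a real fetch has to poll until the report is ready before parsing it.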

Example Usage

Run the following command to generate the basic terraform.tfvars file:

cat <<EOF > terraform.tfvars
deploy_to_organization = false
include_organizational_units = ["ou-s8qf-092b7iur"]
EOF

Then, to deploy the resources, simply run terraform apply.

The above example will deploy the automation to all accounts under the ou-s8qf-092b7iur organizational unit (OU).

You can modify the above command (or the generated terraform.tfvars file) to deploy to your specified OUs.

You can also deploy the automation to the entire organization (all accounts) by specifying deploy_to_organization = true.

Note: the credentials you run Terraform with must have the proper permissions on the management account of your AWS organization.

Known Issues

In some cases, running terraform destroy might fail (for example, if there is a suspended account in the organization). If this happens, you'll need to delete all Stack Instances from the CloudFormation StackSet manually through the AWS console. Perform the following:

  1. Login to the management account of your AWS organization
  2. Go to CloudFormation service
  3. Go to StackSets
  4. Click on the stuck StackSet (starting with organizational-events-notifier)
  5. Click on Actions and choose Delete stacks from StackSet
  6. For AWS OU ID provide one of the following:
    • If you deployed the automation to the entire organization, provide the ID of your organization (for example: r-s8qf)
    • If you deployed the automation to specific organizational units (OUs), provide the IDs of all those OUs
  7. For Specify regions click on Add all regions
  8. Under Deployment options, use the following values:
    • Maximum concurrent accounts: Percentage - 100
    • Failure tolerance: Percentage - 100
    • Region Concurrency: Parallel
  9. Keep all other default values
  10. Proceed to delete the StackSet Instances
  11. In the StackSet page, go to Stack Instances tab and make sure that it's empty
  12. Run terraform destroy again to delete all other resources

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0 |
| aws | ~> 4.59 |

Providers

| Name | Version |
|------|---------|
| archive | 2.3.0 |
| aws | 4.62.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| lambda_function | terraform-aws-modules/lambda/aws | ~> 4.13 |

Resources

| Name | Type |
|------|------|
| aws_cloudformation_stack_set.iam_role | resource |
| aws_cloudformation_stack_set_instance.iam_role | resource |
| aws_cloudwatch_event_rule.weekly | resource |
| aws_cloudwatch_event_target.lambda_function | resource |
| aws_ses_email_identity.recipients | resource |
| archive_file.lambda_function | data source |
| aws_caller_identity.current | data source |
| aws_organizations_organization.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| assume_role_arn | ARN of the IAM Role to assume in the member account | string | null | no |
| aws_region | AWS Region to deploy all resources | string | "us-east-1" | no |
| default_tags | Tags to apply across all resources handled by this provider | map(string) | {"Terraform": "True"} | no |
| deploy_to_organization | Whether to deploy the automation to the main OU of the organization (all AWS accounts in the organization) | bool | true | no |
| email_recipients | Email addresses of recipients (comma separated) | string | n/a | yes |
| email_sender | Email address from which the emails will be received (the format is: email@example.com email@example.com) | string | n/a | yes |
| event_cron | Cron value for the EventBridge rule | string | "cron(0 0 ? * SUN *)" | no |
| function_assume_role_name | Name of the IAM role that will be created in all member accounts and assumed by the Lambda function | string | "OrganizationIAMUsersReportLambda" | no |
| function_description | Description of the Lambda function | string | "Lambda function to send a report of all IAM users in the organization" | no |
| function_timeout | The amount of time your Lambda function has to run, in seconds | number | 60 | no |
| include_organizational_units | List of AWS organizational unit IDs to include and deploy the automation to (used if deploy_to_organization is set to false) | list(string) | [] | no |
| project_name | Name of the tool/project | string | "organizational-iam-users-report" | no |

Outputs

No outputs.
