

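def lambda_handler(event, context):
    """Attach CloudKnox-remediated IAM policies to one IAM user and drop the unused ones.

    Flow, as visible here: resolve the IAM user name from the resource id in
    ``event['parameterValue']``, fetch the CloudKnox config and a temporary
    access token, ask CloudKnox for remediation policies for the user's ARN,
    then attach the remediated policies and clean up the now-unused ones.

    Args:
        event: Invocation payload; must carry a non-empty ``'parameterValue'``
            holding the IAM user resource id.
        context: Lambda context object (unused).

    Returns:
        None. Returns early, without touching IAM, when CloudKnox yields no
        remediation policies.

    Raises:
        ValueError: if ``parameterValue`` is missing/empty, or the resource id
            does not resolve to a user name.
    """
    # Explicit checks instead of ``assert``: asserts are stripped under ``-O``
    # and would let an empty id flow into the IAM lookups below.
    iam_user_id = event.get('parameterValue')
    if not iam_user_id:
        raise ValueError('iam user resource id cannot be empty')
    logger.info(f'iam user resource id {iam_user_id}')

    iam_user = get_iam_user_name(iam_user_id)
    if not iam_user:
        raise ValueError('iam user name cannot be empty')
    logger.info(f'iam user name {iam_user} for resource id {iam_user_id}')

    ck_config = get_cloudknox_config()
    logger.info('cloudknox config successfully retrieved from secrets')
    access_token = get_access_token(ck_config)
    logger.info('cloudknox temporary access token successfully retrieved')

    # The ARN is built from the account id in the CloudKnox config and the
    # name resolved above, so it is scoped to the user being remediated.
    user_arn = 'arn:aws:iam::' + ck_config['accountId'] + ':user/' + iam_user
    ck_remediated_policies = get_cloudknox_remediation_policies(access_token, user_arn, ck_config)

    if not ck_remediated_policies:
        logger.info('received empty list of iam_policies, aborting remediation')
        return

    iam_policies = get_remediated_policy_list(iam_user, ck_remediated_policies)
    # NOTE(review): this logs the full policy mapping — confirm it carries
    # nothing that should stay out of CloudWatch logs.
    logger.info(f'received iam_policies dict {iam_policies}')
    iam_client = session.client(service_name='iam')
    attach_remediated_iam_policies(iam_client, iam_user, iam_policies)
    clean_unused_iam_policies(iam_client, iam_user, iam_policies.keys())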