# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
---
schemaVersion: "0.3"
description: |
  ### Document Name - ASR-RevokeUnrotatedKeys

  ## What does this document do?
  This document disables active keys that have not been rotated for more than 90 days. Note that this remediation is **DISRUPTIVE**. It will disabled keys that have been used within the previous 90 days by have not been rotated by using the [UpdateAccessKey API](https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateAccessKey.html). Please note, this automation document requires AWS Config to be enabled.

  ## Input Parameters
  * Finding: (Required) Security Hub finding details JSON
  * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
  * MaxCredentialUsageAge: (Optional) Maximum number of days a key is allowed to be unrotated before revoking it. DEFAULT: 90

  ## Output Parameters
  * RevokeUnrotatedKeys.Output

assumeRole: "{{ AutomationAssumeRole }}"
parameters:
  AutomationAssumeRole:
    type: String
    description: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
    allowedPattern: '^arn:(?:aws|aws-us-gov|aws-cn):iam::\d{12}:role/[\w+=,.@-]+$'
  IAMResourceId:
    type: String
    description: (Required) IAM resource unique identifier.
    allowedPattern: ^[\w+=,.@_-]{1,128}$
  MaxCredentialUsageAge:
    type: String
    description: (Required) Maximum number of days within which a credential must be used. The default value is 90 days.
    allowedPattern: ^(?:[1-9]\d{0,3}|10000)$
    default: "90"
outputs:
  - RevokeUnrotatedKeys.Output
mainSteps:
  - name: RevokeUnrotatedKeys
    action: aws:executeScript
    timeoutSeconds: 600
    isEnd: true
    description: |
      ## RevokeUnrotatedKeys

      This step deactivates IAM user access keys that have not been rotated in more than MaxCredentialUsageAge days
      ## Outputs
      * Output: Success message or failure Exception.
    inputs:
      Runtime: python3.8
      Handler: unrotated_key_handler
      InputPayload:
        IAMResourceId: "{{ IAMResourceId }}"
        MaxCredentialUsageAge: "{{ MaxCredentialUsageAge }}"
      Script: |-
        %%SCRIPT=RevokeUnrotatedKeys.py%%

    outputs:
      - Name: Output
        Selector: $.Payload
        Type: StringMap