
AWS Stale Non-Human Resources Lambda - Deployment Guide

Overview

This Lambda function identifies stale non-human identities and resources in AWS (IAM users and access keys, KMS keys, Secrets Manager secrets) and sends the findings to Coralogix as structured logs. Unused identities and credentials are standing access that nobody is watching; tracking them across an AWS estate helps organizations maintain security hygiene.

Prerequisites

Before deploying this Lambda function, ensure you have:

  • An AWS account with permissions to create Lambda functions and layers, IAM roles and inline policies, and EventBridge rules
  • A Coralogix account and API key
  • The deployment files: code.zip and layer.zip (located in the deploy directory)

Deployment Steps

Step 1: Create the Lambda Function

  1. Navigate to the AWS Lambda Console
    • Go to the AWS Lambda service in your AWS console
    • Click "Create function"
  2. Configure Basic Settings
    • Select "Author from scratch"
    • Function name: aws-stale-resources-detector (or your preferred name)
    • Runtime: Python 3.13
    • Architecture: Choose your preferred architecture (x86_64 or arm64)

Step 2: Upload Function Code

  1. Upload Source Code
    • In the function's Code tab
    • Click "Upload from" → ".zip file"
    • Upload the code.zip file from the deploy directory

Step 3: Create and Attach Lambda Layer

  1. Create Lambda Layer
    • Navigate to Lambda → Layers → Create layer
    • Name: stale-resources-dependencies (or your preferred name)
    • Upload the layer.zip file
    • Compatible runtimes: Python 3.13
    • Architecture: Match your function's architecture
  2. Attach Layer to Function
    • Return to your Lambda function
    • In the function designer, click "Layers"
    • Click "Add a layer"
    • Select "Custom layers" → Choose your created layer

Step 4: Configure Function Settings

4.1 General Configuration

Navigate to Configuration → General configuration:

Setting   Value       Reason
Timeout   5 minutes   Allows sufficient time for API calls across multiple regions
Memory    256 MB      Ensures adequate resources for processing multiple AWS services

4.2 Environment Variables

Navigate to Configuration → Environment variables:

Variable                 Description                                  Example values
CX_API_KEY               Your Coralogix API key                       xxx-xxx-xxx-xxx
CX_ENDPOINT              Coralogix region endpoint                    EU1, EU2, US1, US2, AP1, AP2, AP3
AWS_REGIONS (optional)   Specific regions to scan (comma separated)   us-east-1, ap-south-1, eu-north-1

When AWS_REGIONS is unset, the function discovers the regions to scan itself (this is what the ec2:DescribeRegions permission in Step 4.3 is for).

Warning

Store the API key securely. Lambda environment variables are readable by any principal allowed lambda:GetFunctionConfiguration on the function, so treat them as visible to everyone who can administer the Lambda. Consider using AWS Secrets Manager for production deployments.

4.3 IAM Permissions

  1. Navigate to Permissions
    • Go to Configuration → Permissions
    • Click on the execution role name
  2. Add Required Policy
    • Click "Add permissions" → "Create inline policy"
    • Switch to the JSON tab and paste:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "StaleResourcesDetection",
            "Effect": "Allow",
            "Action": [
                "kms:ListKeys",
                "kms:DescribeKey",
                "ec2:DescribeRegions",
                "iam:GetAccessKeyLastUsed",
                "iam:ListUsers",
                "iam:GetLoginProfile", 
                "iam:ListAccessKeys",
                "secretsmanager:ListSecrets"
            ],
            "Resource": "*"
        }
    ]
}
  3. Save Policy
    • Name: StaleResourcesDetectionPolicy (or your preferred name)
    • Click "Create policy"

Step 5: Configure Automated Execution

  1. Add EventBridge Trigger
    • In your Lambda function, click "Add trigger"
    • Source: EventBridge (CloudWatch Events)
  2. Create Schedule Rule
    • Select "Create a new rule"
    • Rule name: daily-stale-resources-scan
    • Rule type: Schedule expression
    • Schedule expression: rate(1 day)

Info: Schedule options
  • Daily: rate(1 day)
  • Weekly: rate(7 days)
  • Custom: cron(0 9 * * ? *) (09:00 UTC daily; EventBridge cron expressions are evaluated in UTC)
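The same Steps 1 to 5 as a boto3 script, for teams that deploy from a pipeline rather than the console. This is an added example, not the project's own deployment tooling. It assumes deploy/code.zip and deploy/layer.zip sit next to the script, that the handler inside code.zip is the Lambda Python default (lambda_function.lambda_handler; check the Runtime settings of a console deployment if yours differs), and x86_64; the role, rule and statement names are also assumptions. Before creating the role it refuses any execution policy that contains a wildcard or a non-read-only verb, since the scanner only needs to enumerate and inspect. Resource "*" is expected here: the List/Describe calls are account-wide and the function must see every user, key and secret.

```python
"""Deploy the stale-resources Lambda from the CLI (added example; see lead-in for assumptions)."""
import json
import os
import time

# Execution-role policy exactly as in Step 4.3.
EXECUTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "StaleResourcesDetection",
        "Effect": "Allow",
        "Action": ["kms:ListKeys", "kms:DescribeKey", "ec2:DescribeRegions",
                   "iam:GetAccessKeyLastUsed", "iam:ListUsers", "iam:GetLoginProfile",
                   "iam:ListAccessKeys", "secretsmanager:ListSecrets"],
        "Resource": "*",
    }],
}
LAMBDA_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}
READ_ONLY_VERBS = ("List", "Describe", "Get")


def policy_violations(policy):
    """Return actions that are not read-only (List/Describe/Get) or contain a wildcard.

    The scanner only enumerates and inspects; anything broader in the execution
    role is capability an attacker who compromises the function could abuse.
    """
    bad = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        for action in [actions] if isinstance(actions, str) else actions:
            verb = action.partition(":")[2]
            if "*" in action or not verb.startswith(READ_ONLY_VERBS):
                bad.append(action)
    return bad


def function_config(role_arn, layer_arn, cx_api_key, cx_endpoint, regions=None):
    """create_function kwargs matching Step 4: 5-minute timeout, 256 MB, env vars."""
    env = {"CX_API_KEY": cx_api_key, "CX_ENDPOINT": cx_endpoint}
    if regions:  # AWS_REGIONS is optional; omit it to let the function discover regions
        env["AWS_REGIONS"] = ",".join(regions)
    return {"FunctionName": "aws-stale-resources-detector", "Runtime": "python3.13",
            "Role": role_arn, "Handler": "lambda_function.lambda_handler",  # assumed default
            "Timeout": 300, "MemorySize": 256, "Architectures": ["x86_64"],
            "Layers": [layer_arn], "Environment": {"Variables": env}}


def deploy(cx_api_key, cx_endpoint, regions=None, deploy_dir="deploy"):
    """Create the role, layer, function and daily EventBridge rule; return the function ARN."""
    import boto3  # imported here so the pure helpers above run without AWS access

    violations = policy_violations(EXECUTION_POLICY)
    if violations:
        raise SystemExit(f"refusing to deploy over-broad policy: {violations}")
    iam, lam, events = boto3.client("iam"), boto3.client("lambda"), boto3.client("events")

    role = iam.create_role(RoleName="aws-stale-resources-detector-role",
                           AssumeRolePolicyDocument=json.dumps(LAMBDA_TRUST))["Role"]
    # CloudWatch Logs write access comes from the AWS managed basic execution policy.
    iam.attach_role_policy(RoleName=role["RoleName"],
                           PolicyArn="arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole")
    iam.put_role_policy(RoleName=role["RoleName"], PolicyName="StaleResourcesDetectionPolicy",
                        PolicyDocument=json.dumps(EXECUTION_POLICY))
    time.sleep(10)  # a new role takes a few seconds before Lambda can assume it

    with open(os.path.join(deploy_dir, "layer.zip"), "rb") as f:
        layer = lam.publish_layer_version(LayerName="stale-resources-dependencies",
                                          Content={"ZipFile": f.read()},
                                          CompatibleRuntimes=["python3.13"])
    with open(os.path.join(deploy_dir, "code.zip"), "rb") as f:
        fn = lam.create_function(Code={"ZipFile": f.read()},
                                 **function_config(role["Arn"], layer["LayerVersionArn"],
                                                   cx_api_key, cx_endpoint, regions))

    rule = events.put_rule(Name="daily-stale-resources-scan", ScheduleExpression="rate(1 day)")
    lam.add_permission(FunctionName=fn["FunctionName"], StatementId="eventbridge-daily-scan",
                       Action="lambda:InvokeFunction", Principal="events.amazonaws.com",
                       SourceArn=rule["RuleArn"])
    events.put_targets(Rule="daily-stale-resources-scan",
                       Targets=[{"Id": "stale-resources-detector", "Arn": fn["FunctionArn"]}])
    return fn["FunctionArn"]


if __name__ == "__main__":
    print(deploy(os.environ["CX_API_KEY"], os.environ.get("CX_ENDPOINT", "EU1")))
```

Run it with CX_API_KEY (and optionally CX_ENDPOINT) in the environment and AWS credentials that can create IAM roles. The policy guard only inspects verbs; it will not catch a Resource narrowing that is too broad for a policy that does support resource-level permissions, so keep it as a pre-flight check, not a substitute for review.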

Verification and Testing

Test the Function

  1. Manual Test
    • Click "Test" in the Lambda console
    • Create a test event (can be empty {})
    • Execute and verify logs in CloudWatch
  2. Expected Behavior
    • The function should complete without errors
    • CloudWatch logs should show scanning progress
    • Coralogix should receive structured log data

Monitor Execution

  • CloudWatch Logs: Check the /aws/lambda/[function-name] log group
  • Coralogix Dashboard: Import aws_nhi_resources.json for visualization

Output Examples

The Lambda function sends structured JSON logs to Coralogix. Here are sample outputs:

IAM User Detection

{
    "additional_data": {
        "Path": "/",
        "UserName": "inactive-user",
        "UserId": "AIDA3LV44N67TAQFJ35WZ",
        "Arn": "arn:aws:iam::123456789012:user/inactive-user",
        "CreateDate": "2025-03-23T15:07:14+00:00",
        "PasswordLastUsed": "2025-03-23T15:18:01+00:00",
        "console_access": true,
        "user_has_access_keys": false,
        "user_age": 142
    },
    "account_id": "123456789012",
    "service": "IAM",
    "region": "global",
    "test_name": "users"
}

KMS Key Detection

{
    "additional_data": {
        "AWSAccountId": "123456789012",
        "KeyId": "66ae1211-d20f-4cdf-a74a-...",
        "Arn": "arn:aws:kms:us-east-1:123456789012:key/66ae3211-d20f-4cdf-a74a-123456789012",
        "CreationDate": "2022-06-16T14:11:10.900000+00:00",
        "Enabled": true,
        "Description": "Default key that protects my SQS messages",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled"
    },
    "account_id": "123456789012", 
    "service": "KMS",
    "region": "us-east-1",
    "test_name": "kms keys"
}

Secrets Manager Detection

{
    "additional_data": {
        "ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:unused-secret",
        "Name": "unused-secret",
        "LastChangedDate": "2025-04-09T14:54:00.103000+00:00",
        "LastAccessedDate": "2025-04-29T00:00:00+00:00",
        "CreatedDate": "2025-04-09T14:17:14.287000+00:00",
        "secret_age": 25,
        "last_retrieval": 6
    },
    "account_id": "123456789012",
    "service": "Secret Manager", 
    "region": "us-east-1",
    "test_name": "secrets"
}
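To make the record schema above concrete, here is the IAM-user and Secrets Manager branch of such a scan run over constructed inputs that mirror the three samples (already converted to aware datetimes, as boto3 returns them). This is an added example, not the Lambda's own code. The page does not document how the function decides what is stale, so the 90-day threshold, the rule that an identity never used is aged from its creation date, and last_retrieval = None for a secret that was never read are all assumptions. KMS keys are left out because the record above carries no usage data to judge them by. One caveat worth knowing: Secrets Manager's LastAccessedDate is rounded down to the day, so last_retrieval can read up to a day higher than the true idle time.

```python
"""Staleness triage producing the record schema shown above (added example)."""
from datetime import datetime, timezone

ACCOUNT_ID = "123456789012"  # constructed
STALE_AFTER_DAYS = 90        # assumed threshold; not documented on the page


def ts(s):
    """ISO-8601 string with offset -> aware datetime."""
    return datetime.fromisoformat(s)


def days_since(when, now):
    return (now - when).days


def isoformat_values(fields):
    """Serialise datetimes the way the sample records show them (isoformat, +00:00)."""
    return {k: v.isoformat() if isinstance(v, datetime) else v for k, v in fields.items()}


def record(service, region, test_name, data):
    return {"additional_data": isoformat_values(data), "account_id": ACCOUNT_ID,
            "service": service, "region": region, "test_name": test_name}


def user_record(user, access_keys, has_login_profile, now):
    """'users' record: raw IAM user fields plus the derived flags in the sample output."""
    data = dict(user)
    data["console_access"] = has_login_profile          # from iam:GetLoginProfile
    data["user_has_access_keys"] = bool(access_keys)     # from iam:ListAccessKeys
    data["user_age"] = days_since(user["CreateDate"], now)
    return record("IAM", "global", "users", data)


def user_days_inactive(user, access_keys, now):
    """Days since the newest of: password use, any key's LastUsedDate; never used -> creation."""
    used = [user.get("PasswordLastUsed")] + [k.get("LastUsedDate") for k in access_keys]
    used = [d for d in used if d is not None]
    return days_since(max(used) if used else user["CreateDate"], now)


def secret_record(secret, region, now):
    """'secrets' record with the secret_age / last_retrieval day counts."""
    data = dict(secret)
    data["secret_age"] = days_since(secret["CreatedDate"], now)
    last = secret.get("LastAccessedDate")               # absent if never retrieved
    data["last_retrieval"] = days_since(last, now) if last else None
    return record("Secret Manager", region, "secrets", data)


def stale_users(users, keys_by_user, login_users, now, threshold=STALE_AFTER_DAYS):
    out = []
    for u in users:
        keys = keys_by_user.get(u["UserName"], [])
        if user_days_inactive(u, keys, now) >= threshold:
            out.append(user_record(u, keys, u["UserName"] in login_users, now))
    return out


def stale_secrets(secrets, region, now, threshold=STALE_AFTER_DAYS):
    out = []
    for s in secrets:
        rec = secret_record(s, region, now)
        idle = rec["additional_data"]["last_retrieval"]
        if idle is None:                                  # never read: age it from creation
            idle = rec["additional_data"]["secret_age"]
        if idle >= threshold:
            out.append(rec)
    return out


# Constructed inputs mirroring the sample outputs above (plus one active user, one never-read secret).
USERS = [{"Path": "/", "UserName": "inactive-user", "UserId": "AIDA3LV44N67TAQFJ35WZ",
          "Arn": "arn:aws:iam::123456789012:user/inactive-user",
          "CreateDate": ts("2025-03-23T15:07:14+00:00"),
          "PasswordLastUsed": ts("2025-03-23T15:18:01+00:00")},
         {"Path": "/", "UserName": "ci-bot", "UserId": "AIDAEXAMPLECIBOT00000",
          "Arn": "arn:aws:iam::123456789012:user/ci-bot",
          "CreateDate": ts("2025-08-01T00:00:00+00:00")}]
KEYS = {"ci-bot": [{"AccessKeyId": "AKIAEXAMPLE", "LastUsedDate": ts("2025-08-11T09:00:00+00:00")}]}
LOGIN_USERS = {"inactive-user"}
SECRETS = [{"ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:unused-secret",
            "Name": "unused-secret",
            "LastChangedDate": ts("2025-04-09T14:54:00.103000+00:00"),
            "LastAccessedDate": ts("2025-04-29T00:00:00+00:00"),
            "CreatedDate": ts("2025-04-09T14:17:14.287000+00:00")},
           {"ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:never-read",
            "Name": "never-read", "CreatedDate": ts("2025-01-05T00:00:00+00:00")}]

if __name__ == "__main__":
    import json
    now = datetime(2025, 8, 12, 20, 0, tzinfo=timezone.utc)
    for r in stale_users(USERS, KEYS, LOGIN_USERS, now) + stale_secrets(SECRETS, "us-east-1", now):
        print(json.dumps(r, indent=2))
```

Note that the emitted record for a user does not carry the access keys' LastUsedDate, only the user_has_access_keys flag, so the inactivity decision has to be made inside the scanner; a consumer of the logs cannot recompute it from the record alone.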

Troubleshooting

Common Issues

Issue                   Possible cause                                   Solution
Timeout error           Function exceeds the 3-second default timeout    Increase the timeout to 5 minutes in General configuration
Permission denied       Missing IAM permissions                          Verify all required permissions are attached to the execution role
No logs in Coralogix    Incorrect API key or endpoint                    Verify the CX_API_KEY and CX_ENDPOINT environment variables
Import error            Missing dependencies                             Ensure the Lambda layer is properly attached

Debug Steps

  1. Check CloudWatch logs for detailed error messages
  2. Verify that environment variables are set correctly
  3. Test IAM permissions using the AWS CLI or CloudShell (for example, aws iam simulate-principal-policy with the execution role's ARN and the actions from Step 4.3)
  4. Confirm network connectivity to the Coralogix endpoint

Coralogix Extension Setup

After successfully deploying your Lambda function, you need to set up the Coralogix extension to visualize and monitor your data.

Step 1: Install the Extension

  1. Access Coralogix Dashboard
    • Log in to your Coralogix account
    • Navigate to Data Flow → Extensions in the left sidebar
  2. Find and Install the Extension
    • Search for "AWS Non Human Identities" in the extensions catalog
    • Click "Install" on the extension card
    • The extension includes pre-built dashboards, alerts, and parsing rules specifically designed for this Lambda's output
  3. Verify Installation
    • Once installed, you should see the extension appear in your Extensions list
    • The status should show as "Active"

Step 2: Configure Data Monitoring

  1. Verify Data Flow
    • Go to LiveTail in Coralogix
    • Filter by application name (should match your Lambda function name)
    • You should see JSON logs arriving after your Lambda executes

Support

Need help?

Our world-class customer success team is available 24/7 to walk you through your setup and answer any questions that may come up.

Feel free to reach out to us via our in-app chat or by sending us an email to support@coralogix.com.