{"id":875,"date":"2025-06-17T11:37:17","date_gmt":"2025-06-17T10:37:17","guid":{"rendered":"https:\/\/livingdevops.com\/?p=875"},"modified":"2025-06-17T11:51:10","modified_gmt":"2025-06-17T10:51:10","slug":"aws-lambda-tutorial-python-terraform","status":"publish","type":"post","link":"https:\/\/livingdevops.com\/devops\/aws-lambda-tutorial-python-terraform\/","title":{"rendered":"AWS Lambda Tutorial: Build a real world devops project with Python & Terraform"},"content":{"rendered":"\n

Building a production Lambda function that monitors IAM access keys and sends automated email alerts using boto3 and AWS SES.<\/mark><\/strong><\/p>\n\n\n\n

Scenario<\/h3>\n\n\n\n

In my project, we have over 10+ users with access keys. Most of the access keys were 300\u2013400 days old.<\/p>\n\n\n\n

Having access keys lying around for a long period poses a security risk, which is unacceptable. They\u2019re not just a minor security issue\u200a\u2014\u200athey\u2019re multimillion-dollar liabilities.<\/p>\n\n\n\n

Learn AWS Lambda by Solving a $1M Security Problem<\/h3>\n\n\n\n

The issue I can see is that no one remembers to rotate the access keys, so I thought of building a Lambda function that could remind the team to rotate the keys after a certain number of days.<\/p>\n\n\n\n

Different organizations enforce varying rotation policies\u200a\u2014\u200asome require rotation every 30 days, others allow 60 or 90 days before access keys must be refreshed.<\/p>\n\n\n\n

My solution needed to accommodate these different requirements while being easy to deploy and maintain.<\/p>\n\n\n\n

\ud83d\udc49 If you are new to Lambda functions, then read this blog post.<\/a><\/strong><\/p>\n\n\n\n

What to expect in this blog post<\/h3>\n\n\n\n

In this blog post, I\u2019ll walk you through the complete implementation of an automated access key rotation reminder system. You\u2019ll learn how to build a Lambda function that monitors key ages, sends targeted notifications, and helps your team maintain robust security hygiene without the overhead of manual tracking.<\/p>\n\n\n\n

\u2705 You can find the entire code for this blog post on my public GitHub repo<\/strong><\/a>.<\/p>\n\n\n\n

Writing the Python code<\/h3>\n\n\n\n

I used AWS Python SDK, boto3, for the automation. Here is the approach I took.<\/p>\n\n\n\n

    \n
  • List the users and access keys<\/li>\n\n\n\n
  • Calculate the age<\/li>\n\n\n\n
  • Compare it with age standards, and determine if this key should be rotated.<\/li>\n\n\n\n
  • If the key should be rotated, build the email body that includes the link to the user<\/li>\n\n\n\n
  • Send the email using AWS SES(Simple Email Service)<\/li>\n<\/ul>\n\n\n\n

    Building the code<\/h3>\n\n\n\n

    Before we deploy a fully functioning Lambda, I will build and test the code locally.<\/p>\n\n\n\n

    Note: Also, configure the AWS credentials -> aws configure<\/code> locally<\/p>\n\n\n\n

    I will use boto3, datetime, and email Python modules. datetime and email are Python built-in modules, but we need to install boto3, which is the AWS-managed library.<\/p>\n\n\n\n