Automated GitHub Scanner for Exposed AWS IAM Keys

Description

Automated GitHub Scanner for Exposed AWS IAM Keys

Overview

This n8n workflow automatically scans GitHub for exposed AWS IAM access keys associated with your AWS account, helping security teams quickly identify and respond to potential security breaches. When compromised keys are found, the workflow generates detailed security reports and sends Slack notifications with actionable remediation steps.

🔑 Key Features

Automated AWS IAM Key Scanning**: Regularly checks for exposed AWS access keys on GitHub
Real-time Security Alerts**: Sends immediate Slack notifications when compromised keys are detected
Comprehensive Security Reports**: Generates detailed reports with exposure information and risk assessment
Actionable Remediation Steps**: Provides clear instructions for securing compromised credentials
Continuous Monitoring**: Maintains ongoing surveillance of your AWS environment

📋 Workflow Steps

List AWS Users: Retrieves all users from your AWS account
Split Users for Processing: Processes each user individually
Get User Access Keys: Retrieves access keys for each user
Filter Active Keys Only: Focuses only on currently active access keys
Search GitHub for Exposed Keys: Scans GitHub repositories for exposed access keys
Aggregate Search Results: Consolidates and deduplicates search findings
Check For Compromised Keys: Determines if any keys have been exposed
Generate Security Report: Creates detailed security reports for compromised keys
Extract AWS Usernames: Extracts usernames from AWS response for notification
Format Slack Alert: Prepares comprehensive Slack notifications
Send Slack Notification: Delivers alerts with actionable information
Continue Scanning: Maintains continuous monitoring cycle

🛠️ Setup Requirements

Prerequisites

Active n8n instance
AWS account with IAM permissions
GitHub account/token for searching repositories
Slack workspace for notifications

Required Credentials

AWS Credentials:
IAM user with permissions to list users and access keys
Access Key ID and Secret Access Key

GitHub Credentials:
Personal Access Token with search permissions

Slack Credentials:
Webhook URL for your notification channel

⚙️ Configuration

AWS Configuration:
Configure the "List AWS Users" node with your AWS credentials
Ensure proper IAM permissions for listing users and access keys

GitHub Configuration:
Set up the "Search GitHub for Exposed Keys" node with your GitHub token
Adjust search parameters if needed

Slack Configuration:
Configure the Slack node with your webhook URL
Customize notification format if desired

🚀 Usage

Running the Workflow

Manual Execution: Click "Execute Workflow" to run an immediate scan
Scheduled Execution: Set up a schedule to run periodic scans (recommended daily or weekly)

Repository Compatibility

This workflow is compatible with both public and private GitHub repositories to which you have access. It will scan all repositories you have permission to view based on your GitHub credentials.

Handling Alerts

When a compromised key is detected:

Review the Slack notification for details about the exposure
Follow the recommended remediation steps:
Deactivate the compromised key immediately
Create a new key if needed
Investigate the exposure source
Update any services using the compromised key

⚠️ Disclaimer

This workflow template is provided for reference purposes only to demonstrate how to automate AWS IAM key exposure scanning. Please note:

The scanning process may produce false positives as it only matches potential AWS access key patterns
Always verify any reported exposures manually before taking action
Disabling or deleting access keys without proper verification could have significant negative impacts on your environment
Understand which systems and applications rely on identified access keys before deactivating them
This template should be customized to fit your specific environment and security policies

IMPORTANT: Use this workflow with caution and only after thoroughly understanding your AWS environment. The authors of this template are not responsible for any disruptions or damages resulting from its use.

🔒 Security Considerations

This workflow requires access to sensitive AWS credentials
Store all credentials securely within n8n
Review and rotate access keys regularly

📝 Customization Options

Adjust GitHub search parameters for more targeted scanning
Customize Slack notification format and content
Modify security report generation for your specific needs
Integrate with additional notification channels (email, MS Teams, etc.)

Optional: Enabling Interactive Slack Buttons

The Slack Block Kit notification format supports interactive buttons that can be implemented if you want to perform actions directly from Slack:

Disable Key: This button can be configured to automatically disable the compromised AWS IAM access key
View Details: This button can be set up to show additional information about the exposure
Acknowledge: This button can be used to mark the alert as acknowledged

To make these buttons functional:

Set up a Slack Socket Mode App:
Create a Slack app in the Slack API Console
Enable Socket Mode and Interactive Components
Subscribe to the block_actions event to capture button clicks

Create an n8n Webhook Endpoint:
Add a new webhook node to receive Slack button click events
Create separate workflows for each button action

Implement AWS Key Disabling:
For the "Disable Key" button, create a workflow that uses the n8n HTTP Request node to call the AWS IAM UpdateAccessKey API
Example HTTP request that can be implemented in n8n:
Method: POST
URL: https://iam.amazonaws.com/
Query Parameters:
Action: UpdateAccessKey
AccessKeyId: AKIAIOSFODNN7EXAMPLE
Status: Inactive
UserName: {{$json.username}}
Version: 2010-05-08

Update the Slack Message Format:
Modify the Format Slack Alert node to include your webhook URL in the button action values
Add callback_id and action_id values to identify which button was clicked

This implementation allows for immediate response to security incidents directly from the Slack interface, reducing response time and improving security posture.