4. Certification Automation

Objective

Automate access certification processes to ensure access rights are reviewed periodically and comply with security requirements.

Step 1: Verify DynamoDB Table

1.1 Check Existing Table

  1. Open Amazon DynamoDB in the console
  2. Verify that the AccessCertifications table was created in chapter 2
  3. This table will be used to store certification data

Step 2: Create Lambda Function

2.1 Create Lambda Function

  1. Open AWS Lambda in the console
  2. Click Create function
  3. Choose Author from scratch
  4. Enter function details:
    • Function name: AccessCertificationTrigger
    • Runtime: Python 3.9
    • Architecture: x86_64

  5. Click Create function

2.2 Configure Lambda Function Code

  1. In the Code tab, replace the default code with the following:
import json
from datetime import datetime, timezone

import boto3

# Table created in chapter 2. Each run writes a new item, so the table's key
# schema decides whether runs accumulate (UserId + CertificationDate key) or
# overwrite one another (UserId-only key).
TABLE_NAME = 'AccessCertifications'


def lambda_handler(event, context):
    print("Access Certification Trigger Started")

    # Initialize the DynamoDB client (the function's execution role must
    # allow dynamodb:PutItem on this table)
    dynamodb = boto3.resource('dynamodb')
    table = dynamodb.Table(TABLE_NAME)

    # Create the certification record with an explicit UTC timestamp so the
    # audit trail does not depend on the runtime's local timezone
    table.put_item(
        Item={
            'UserId': 'system',
            'CertificationDate': datetime.now(timezone.utc).isoformat(),
            'Status': 'Triggered',
            'Type': 'Quarterly Review'
        }
    )

    return {
        'statusCode': 200,
        'body': json.dumps('Certification process triggered successfully')
    }
  2. Click Deploy to save changes

2.3 Configure IAM Role for Lambda

  1. Go to the Configuration tab
  2. Click Permissions
  3. Click on the role name to open the IAM console
  4. Click Add permissions > Attach policies
  5. Search for and attach the policy AmazonDynamoDBFullAccess
  6. Select Add permissions

AmazonDynamoDBFullAccess grants every DynamoDB action on every table in the account, far more than this function uses. For anything beyond the workshop, replace it with an inline policy on the execution role that allows only dynamodb:PutItem on the AccessCertifications table ARN, which is the single action the function code performs.

Step 3: Setup EventBridge Scheduler

3.1 Create Scheduled Rule

  1. Open Amazon EventBridge in AWS Console
  2. Click Rules in the sidebar
  3. Click Create rule

Step 1: Define rule detail

  1. Enter rule information:

    • Name: AccessCertificationSchedule
    • Description: Quarterly access certification review
    • Event bus: default
    • Enable the rule on the selected event bus
  2. In Rule type, select Schedule

  3. Click Next

Selecting the Schedule rule type hands the wizard over to EventBridge Scheduler. That is why the remaining pages ask for an occurrence, a flexible time window and a target API rather than an event pattern, and why the finished schedule is listed under Schedules, not Rules, when you verify it in Step 4.
Step 2: Define schedule

  1. In Occurrence, select Recurring schedule
  2. In Schedule pattern, select Rate-based schedule
  3. Enter 90 and select Days
  4. In Flexible time window, enter 15 minutes
  5. Click Next

A rate of 90 days fires every 90 days from the schedule's start, so the run dates drift away from calendar quarters over time. If the requirement is a review at the start of every quarter, choose Cron-based schedule instead and enter cron(0 9 1 1,4,7,10 ? *) (09:00 on 1 January, 1 April, 1 July and 1 October; set the time zone field to match your review policy). The flexible time window lets Scheduler start the function at any point within 15 minutes of the scheduled time, so nothing downstream should assume an exact start time.

Step 3: Select target

  1. In Target API, select AWS Lambda Invoke
  2. In Lambda function, select AccessCertificationTrigger
  3. Click Next

Step 4: Configure tags (Optional)

  1. Skip the tags section, click Next

Step 5: Review and create

  1. Review configuration and click Create rule
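As an added illustration, not from the workshop, of why a 90-day rate is not a quarterly schedule: the functions below list the dates a rate(90 days) schedule fires next to the first day of each quarter and report the gap between them. The model makes one simplifying assumption that is labelled in the code: the first run falls one period after the start date and each later run one period after the previous one. Dates are passed and returned as ISO strings so the output is easy to read and compare.

```python
"""Rate-based versus quarter-aligned schedule dates (added example, not part
of the workshop). Assumption: a rate-based schedule fires `days` after its
start date and then `days` after each previous fire."""
from datetime import date, timedelta


def rate_fire_dates(start, days, count):
    """ISO fire dates for a rate-based schedule of `days` days from `start`."""
    fires, current = [], date.fromisoformat(start)
    for _ in range(count):
        current = current + timedelta(days=days)  # assumed rate semantics
        fires.append(current.isoformat())
    return fires


def quarter_fire_dates(start, count):
    """ISO dates for cron(0 9 1 1,4,7,10 ? *): first day of each quarter
    strictly after `start`."""
    begin = date.fromisoformat(start)
    fires, year, month = [], begin.year, 1
    while len(fires) < count:
        candidate = date(year, month, 1)
        if candidate > begin:
            fires.append(candidate.isoformat())
        month += 3
        if month > 12:
            month, year = 1, year + 1
    return fires


def drift_days(start, days, count):
    """Days between each rate fire and the quarter start it was meant to hit
    (negative means the rate schedule fires early)."""
    rate = rate_fire_dates(start, days, count)
    quarters = quarter_fire_dates(start, count)
    return [
        (date.fromisoformat(r) - date.fromisoformat(q)).days
        for r, q in zip(rate, quarters)
    ]


if __name__ == "__main__":
    # Constructed start date: a schedule created on New Year's Day 2025
    for r, q, d in zip(rate_fire_dates("2025-01-01", 90, 8),
                       quarter_fire_dates("2025-01-01", 8),
                       drift_days("2025-01-01", 90, 8)):
        print(f"rate fires {r}, quarter starts {q}, drift {d:+d} days")
```

Because the only three-month spans that are exactly 90 days long are January to April in a common year, every later rate fire lands earlier in its quarter than the one before, and an auditor checking for a review "each calendar quarter" will eventually find a quarter with two runs and a neighbour with none.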

Step 4: Test the Automation

4.1 Verify EventBridge Schedule

  1. In Amazon EventBridge console
  2. Click Schedules in the sidebar (not Rules)
  3. Verify that schedule AccessCertificationSchedule is created and Enabled

4.2 Test Lambda Function Manually

  1. Go to AWS Lambda console
  2. Select function AccessCertificationTrigger
  3. Click Test to create a test event
  4. Use default test event and click Test
  5. Check execution results

4.3 Verify DynamoDB Record

  1. Go to Amazon DynamoDB console
  2. Select table AccessCertifications
  3. Click Explore table items
  4. Verify that a new record was created by the Lambda function

Expected Results

After completion:

  • ✅ DynamoDB table for certification data storage
  • ✅ Lambda function processing certification logic
  • ✅ EventBridge scheduled triggers quarterly
  • ✅ Automated quarterly access reviews
  • ✅ Audit trail: one record per trigger in DynamoDB, plus the function's log output in CloudWatch Logs

Next Steps

Continue to 5. Privilege Analytics to set up privilege analysis.