fix(iam credentials checks): unify logic (#2883)
n4ch04 authored Oct 2, 2023
1 parent f4ed014 commit 2d89f57
Showing 4 changed files with 114 additions and 122 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -42,12 +42,16 @@ def execute(self) -> Check_Report_AWS:
user["access_key_1_active"] != "true"
and user["access_key_2_active"] != "true"
):
self.add_finding(
user=user,
status="PASS",
status_extended=f"User {user['user']} does not have access keys.",
findings=findings,
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
report.status = "PASS"
report.status_extended = (
f"User {user['user']} does not have access keys."
)
findings.append(report)

else:
old_access_keys = False
if user["access_key_1_active"] == "true":
Expand All @@ -61,12 +65,13 @@ def execute(self) -> Check_Report_AWS:
)
if access_key_1_last_used_date.days > maximum_expiration_days:
old_access_keys = True
self.add_finding(
user=user,
status="FAIL",
status_extended=f"User {user['user']} has not used access key 1 in the last {maximum_expiration_days} days ({access_key_1_last_used_date.days} days).",
findings=findings,
)
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
report.status = "FAIL"
report.status_extended = f"User {user['user']} has not used access key 1 in the last {maximum_expiration_days} days ({access_key_1_last_used_date.days} days)."
findings.append(report)

if user["access_key_2_active"] == "true":
if user["access_key_2_last_used_date"] != "N/A":
Expand All @@ -79,28 +84,21 @@ def execute(self) -> Check_Report_AWS:
)
if access_key_2_last_used_date.days > maximum_expiration_days:
old_access_keys = True
self.add_finding(
user=user,
status="FAIL",
status_extended=f"User {user['user']} has not used access key 2 in the last {maximum_expiration_days} days ({access_key_2_last_used_date.days} days).",
findings=findings,
)
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
report.status = "FAIL"
report.status_extended = f"User {user['user']} has not used access key 2 in the last {maximum_expiration_days} days ({access_key_2_last_used_date.days} days)."
findings.append(report)

if not old_access_keys:
self.add_finding(
user=user,
status="PASS",
status_extended=f"User {user['user']} does not have unused access keys for {maximum_expiration_days} days.",
findings=findings,
)
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
report.status = "PASS"
report.status_extended = f"User {user['user']} does not have unused access keys for {maximum_expiration_days} days."
findings.append(report)

return findings

def add_finding(self, user, status, status_extended, findings):
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
report.status = status
report.status_extended = status_extended
findings.append(report)
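Review bot: An active key whose last-used date is "N/A" never sets old_access_keys, so the `if not old_access_keys:` branch at the end of the last hunk emits a PASS saying the user "does not have unused access keys" even when an active key has never been used at all; the key-2 guard `if user["access_key_2_last_used_date"] != "N/A":` shows the N/A case is simply skipped, and unless an else branch outside the visible hunks handles it, a never-used active credential is scored as compliant. If that is intended, a comment on the guard would save the next reader the same question, e.g. `# "N/A" means the key has never been used; not counted as stale here`; otherwise the N/A case deserves its own FAIL finding. The `execute` method starts above the first hunk. The second file section on this page shows the same code and the same point applies there.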
Original file line number Diff line number Diff line change
Expand Up @@ -42,12 +42,16 @@ def execute(self) -> Check_Report_AWS:
user["access_key_1_active"] != "true"
and user["access_key_2_active"] != "true"
):
self.add_finding(
user=user,
status="PASS",
status_extended=f"User {user['user']} does not have access keys.",
findings=findings,
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
report.status = "PASS"
report.status_extended = (
f"User {user['user']} does not have access keys."
)
findings.append(report)

else:
old_access_keys = False
if user["access_key_1_active"] == "true":
Expand All @@ -61,12 +65,13 @@ def execute(self) -> Check_Report_AWS:
)
if access_key_1_last_used_date.days > maximum_expiration_days:
old_access_keys = True
self.add_finding(
user=user,
status="FAIL",
status_extended=f"User {user['user']} has not used access key 1 in the last {maximum_expiration_days} days ({access_key_1_last_used_date.days} days).",
findings=findings,
)
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
report.status = "FAIL"
report.status_extended = f"User {user['user']} has not used access key 1 in the last {maximum_expiration_days} days ({access_key_1_last_used_date.days} days)."
findings.append(report)

if user["access_key_2_active"] == "true":
if user["access_key_2_last_used_date"] != "N/A":
Expand All @@ -79,28 +84,21 @@ def execute(self) -> Check_Report_AWS:
)
if access_key_2_last_used_date.days > maximum_expiration_days:
old_access_keys = True
self.add_finding(
user=user,
status="FAIL",
status_extended=f"User {user['user']} has not used access key 2 in the last {maximum_expiration_days} days ({access_key_2_last_used_date.days} days).",
findings=findings,
)
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
report.status = "FAIL"
report.status_extended = f"User {user['user']} has not used access key 2 in the last {maximum_expiration_days} days ({access_key_2_last_used_date.days} days)."
findings.append(report)

if not old_access_keys:
self.add_finding(
user=user,
status="PASS",
status_extended=f"User {user['user']} does not have unused access keys for {maximum_expiration_days} days.",
findings=findings,
)
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
report.status = "PASS"
report.status_extended = f"User {user['user']} does not have unused access keys for {maximum_expiration_days} days."
findings.append(report)

return findings

def add_finding(self, user, status, status_extended, findings):
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
report.status = status
report.status_extended = status_extended
findings.append(report)
Original file line number Diff line number Diff line change
Expand Up @@ -42,12 +42,16 @@ def execute(self) -> Check_Report_AWS:
user["access_key_1_active"] != "true"
and user["access_key_2_active"] != "true"
):
self.add_finding(
user=user,
status="PASS",
status_extended=f"User {user['user']} does not have access keys.",
findings=findings,
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
report.status = "PASS"
report.status_extended = (
f"User {user['user']} does not have access keys."
)
findings.append(report)

else:
old_access_keys = False
if user["access_key_1_active"] == "true":
Expand All @@ -61,12 +65,13 @@ def execute(self) -> Check_Report_AWS:
)
if access_key_1_last_used_date.days > maximum_expiration_days:
old_access_keys = True
self.add_finding(
user=user,
status="FAIL",
status_extended=f"User {user['user']} has not used access key 1 in the last {maximum_expiration_days} days ({access_key_1_last_used_date.days} days).",
findings=findings,
)
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
report.status = "FAIL"
report.status_extended = f"User {user['user']} has not used access key 1 in the last {maximum_expiration_days} days ({access_key_1_last_used_date.days} days)."
findings.append(report)

if user["access_key_2_active"] == "true":
if user["access_key_2_last_used_date"] != "N/A":
Expand All @@ -79,12 +84,13 @@ def execute(self) -> Check_Report_AWS:
)
if access_key_2_last_used_date.days > maximum_expiration_days:
old_access_keys = True
self.add_finding(
user=user,
status="FAIL",
status_extended=f"User {user['user']} has not used access key 2 in the last {maximum_expiration_days} days ({access_key_2_last_used_date.days} days).",
findings=findings,
)
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
report.status = "FAIL"
report.status_extended = f"User {user['user']} has not used access key 2 in the last {maximum_expiration_days} days ({access_key_2_last_used_date.days} days)."
findings.append(report)

if not old_access_keys:
self.add_finding(
Expand All @@ -95,12 +101,3 @@ def execute(self) -> Check_Report_AWS:
)

return findings

def add_finding(self, user, status, status_extended, findings):
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
report.status = status
report.status_extended = status_extended
findings.append(report)
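Review bot: The `if not old_access_keys:` branch at the end of the `@@ -79,12 +84,13 @@` hunk still calls `self.add_finding(` (it is a context line, so it survives on the new side), while the following hunk deletes the `add_finding` method from this class; unless a base class provides `add_finding`, which this page does not show, every user whose active keys are all within the threshold now raises AttributeError instead of producing the PASS finding. The other three file sections replace this call with the inline report construction, so this branch looks like the one the refactor missed. The `execute` method starts above the first hunk, and the original status_extended argument of that call is outside the visible lines.
```python
if not old_access_keys:
    report = Check_Report_AWS(self.metadata())
    report.region = iam_client.region
    report.resource_id = user["user"]
    report.resource_arn = user["arn"]
    report.status = "PASS"
    report.status_extended = ...  # keep the message from the removed add_finding call (not visible in this hunk)
    findings.append(report)
# … unchanged: return findings …
```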
Original file line number Diff line number Diff line change
Expand Up @@ -16,12 +16,16 @@ def execute(self) -> Check_Report_AWS:
user["access_key_1_last_rotated"] == "N/A"
and user["access_key_2_last_rotated"] == "N/A"
):
self.add_finding(
user=user,
status="PASS",
status_extended=f"User {user['user']} does not have access keys.",
findings=findings,
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
report.status = "PASS"
report.status_extended = (
f"User {user['user']} does not have access keys."
)
findings.append(report)

else:
old_access_keys = False
if (
Expand All @@ -37,12 +41,13 @@ def execute(self) -> Check_Report_AWS:
)
if access_key_1_last_rotated.days > maximum_expiration_days:
old_access_keys = True
self.add_finding(
user=user,
status="FAIL",
status_extended=f"User {user['user']} has not rotated access key 1 in over 90 days ({access_key_1_last_rotated.days} days).",
findings=findings,
)
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
report.status = "FAIL"
report.status_extended = f"User {user['user']} has not rotated access key 1 in over 90 days ({access_key_1_last_rotated.days} days)."
findings.append(report)
if (
user["access_key_2_last_rotated"] != "N/A"
and user["access_key_2_active"] == "true"
Expand All @@ -56,27 +61,21 @@ def execute(self) -> Check_Report_AWS:
)
if access_key_2_last_rotated.days > maximum_expiration_days:
old_access_keys = True
self.add_finding(
user=user,
status="FAIL",
status_extended=f"User {user['user']} has not rotated access key 2 in over 90 days ({access_key_2_last_rotated.days} days).",
findings=findings,
)
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
report.status = "FAIL"
report.status_extended = f"User {user['user']} has not rotated access key 2 in over 90 days ({access_key_2_last_rotated.days} days)."
findings.append(report)

if not old_access_keys:
self.add_finding(
user=user,
status="PASS",
status_extended=f"User {user['user']} does not have access keys older than 90 days.",
findings=findings,
)
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
report.status = "PASS"
report.status_extended = f"User {user['user']} does not have access keys older than 90 days."
findings.append(report)

return findings

def add_finding(self, user, status, status_extended, findings):
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
report.status = status
report.status_extended = status_extended
findings.append(report)
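Review bot: The status_extended strings at the key-1 FAIL, key-2 FAIL and final PASS findings hard-code "90 days" while the comparison just above each of them uses `maximum_expiration_days`; if that value is ever anything other than 90 the finding text will contradict the check, and the other checks on this page already interpolate the variable into their messages. Suggest `report.status_extended = f"User {user['user']} has not rotated access key 1 in over {maximum_expiration_days} days ({access_key_1_last_rotated.days} days)."` and the same substitution for the key-2 FAIL and the final PASS message. The `execute` method starts above the first hunk and `maximum_expiration_days` is assigned outside the visible lines.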
