Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(iam): improve disable credentials checks #2909

Merged
merged 7 commits into from
Oct 6, 2023
Merged

feat(iam): improve disable credentials checks #2909

merged 7 commits into from
Oct 6, 2023

Conversation

MrCloudSec
Copy link
Member

Description

Create two configurable checks for IAM credentials:

  • iam_user_accesskey_unused
  • iam_user_console_access_unused

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@MrCloudSec MrCloudSec requested a review from a team October 5, 2023 13:25
@MrCloudSec MrCloudSec linked an issue Oct 5, 2023 that may be closed by this pull request
Pull apart status_extended from iam_disable_30_days_credentials and make more check_ids #2377
Closed
jfagoagas
jfagoagas requested changes Oct 6, 2023
View reviewed changes
prowler/providers/aws/services/iam/iam_user_accesskey_unused/iam_user_accesskey_unused.py Outdated
@@ -3,40 +3,12 @@
from prowler.lib.check.models import Check, Check_Report_AWS
from prowler.providers.aws.services.iam.iam_client import iam_client

maximum_expiration_days = 45
maximum_expiration_days = iam_client.audit_config.get("max_unused_access_keys_days")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Putting this line there makes the tests to fail, you have to move it under line 10.

And set a default value with the same value in config.yaml.

https://docs.prowler.cloud/en/latest/developer-guide/checks/#using-the-audit-config

.../providers/aws/services/iam/iam_user_console_access_unused/iam_user_console_access_unused.py Outdated
from prowler.lib.check.models import Check, Check_Report_AWS
from prowler.providers.aws.services.iam.iam_client import iam_client

maximum_expiration_days = iam_client.audit_config.get("max_console_access_days")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Putting this line there makes the tests to fail, you have to move it under line 10.

And set a default value with the same value in config.yaml.

https://docs.prowler.cloud/en/latest/developer-guide/checks/#using-the-audit-config

@jfagoagas jfagoagas self-requested a review October 6, 2023 07:41
jfagoagas
jfagoagas previously approved these changes Oct 6, 2023
View reviewed changes
Copy link
Member

@jfagoagas jfagoagas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚀

@MrCloudSec MrCloudSec requested a review from jfagoagas October 6, 2023 08:16
jfagoagas
jfagoagas previously approved these changes Oct 6, 2023
View reviewed changes
@MrCloudSec MrCloudSec requested a review from jfagoagas October 6, 2023 08:41
@MrCloudSec MrCloudSec force-pushed the improve-iam-credentials-checks branch from 680d8d5 to 402ef76 Compare October 6, 2023 08:58
@codecov
Copy link

codecov bot commented Oct 6, 2023
edited
Loading

Codecov Report

Merging #2909 (402ef76) into master (49a437d) will decrease coverage by 0.06%.
Report is 1 commits behind head on master.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##           master    #2909      +/-   ##
==========================================
- Coverage   86.24%   86.18%   -0.06%     
==========================================
  Files         540      539       -1     
  Lines       17496    17374     -122     
==========================================
- Hits        15089    14974     -115     
+ Misses       2407     2400       -7
Files Coverage Δ
...user_accesskey_unused/iam_user_accesskey_unused.py 100.00% <100.00%> (ø)
...le_access_unused/iam_user_console_access_unused.py 100.00% <100.00%> (ø)

... and 2 files with indirect coverage changes

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

@jfagoagas jfagoagas merged commit e610c25 into master Oct 6, 2023
@jfagoagas jfagoagas deleted the improve-iam-credentials-checks branch October 6, 2023 09:41
jfagoagas pushed a commit to jit-contrib/prowler that referenced this pull request Oct 18, 2023
@MrCloudSec @jfagoagas
feat(iam): improve disable credentials checks (prowler-cloud#2909)
a56c355
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jfagoagas jfagoagas jfagoagas approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Pull apart status_extended from iam_disable_30_days_credentials and make more check_ids
2 participants
@MrCloudSec @jfagoagas