ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 06:45:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(iam credentials checks): unify logic (#2883)

Browse Source
This commit is contained in:
Nacho Rivera
2023-10-02 11:28:26 +02:00
committed by GitHub
parent f4ed01444a
commit 2d89f57644
4 changed files with 114 additions and 122 deletions
Download Patch File Download Diff File Expand all files Collapse all files

62
prowler/providers/aws/services/iam/iam_disable_30_days_credentials/iam_disable_30_days_credentials.py
View File

@@ -42,12 +42,16 @@ class iam_disable_30_days_credentials(Check):
user["access_key_1_active"] != "true"
and user["access_key_2_active"] != "true"
):
self.add_finding(
user=user,
status="PASS",
status_extended=f"User {user['user']} does not have access keys.",
findings=findings,
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
report.status = "PASS"
report.status_extended = (
f"User {user['user']} does not have access keys."
)
findings.append(report)
else:
old_access_keys = False
if user["access_key_1_active"] == "true":
@@ -61,12 +65,13 @@ class iam_disable_30_days_credentials(Check):
)
if access_key_1_last_used_date.days > maximum_expiration_days:
old_access_keys = True
self.add_finding(
user=user,
status="FAIL",
status_extended=f"User {user['user']} has not used access key 1 in the last {maximum_expiration_days} days ({access_key_1_last_used_date.days} days).",
findings=findings,
)
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
report.status = "FAIL"
report.status_extended = f"User {user['user']} has not used access key 1 in the last {maximum_expiration_days} days ({access_key_1_last_used_date.days} days)."
findings.append(report)
if user["access_key_2_active"] == "true":
if user["access_key_2_last_used_date"] != "N/A":
@@ -79,28 +84,21 @@ class iam_disable_30_days_credentials(Check):
)
if access_key_2_last_used_date.days > maximum_expiration_days:
old_access_keys = True
self.add_finding(
user=user,
status="FAIL",
status_extended=f"User {user['user']} has not used access key 2 in the last {maximum_expiration_days} days ({access_key_2_last_used_date.days} days).",
findings=findings,
)
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
report.status = "FAIL"
report.status_extended = f"User {user['user']} has not used access key 2 in the last {maximum_expiration_days} days ({access_key_2_last_used_date.days} days)."
findings.append(report)
if not old_access_keys:
self.add_finding(
user=user,
status="PASS",
status_extended=f"User {user['user']} does not have unused access keys for {maximum_expiration_days} days.",
findings=findings,
)
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
report.status = "PASS"
report.status_extended = f"User {user['user']} does not have unused access keys for {maximum_expiration_days} days."
findings.append(report)
return findings
def add_finding(self, user, status, status_extended, findings):
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
report.status = status
report.status_extended = status_extended
findings.append(report)

62
prowler/providers/aws/services/iam/iam_disable_45_days_credentials/iam_disable_45_days_credentials.py
View File

@@ -42,12 +42,16 @@ class iam_disable_45_days_credentials(Check):
user["access_key_1_active"] != "true"
and user["access_key_2_active"] != "true"
):
self.add_finding(
user=user,
status="PASS",
status_extended=f"User {user['user']} does not have access keys.",
findings=findings,
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
report.status = "PASS"
report.status_extended = (
f"User {user['user']} does not have access keys."
)
findings.append(report)
else:
old_access_keys = False
if user["access_key_1_active"] == "true":
@@ -61,12 +65,13 @@ class iam_disable_45_days_credentials(Check):
)
if access_key_1_last_used_date.days > maximum_expiration_days:
old_access_keys = True
self.add_finding(
user=user,
status="FAIL",
status_extended=f"User {user['user']} has not used access key 1 in the last {maximum_expiration_days} days ({access_key_1_last_used_date.days} days).",
findings=findings,
)
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
report.status = "FAIL"
report.status_extended = f"User {user['user']} has not used access key 1 in the last {maximum_expiration_days} days ({access_key_1_last_used_date.days} days)."
findings.append(report)
if user["access_key_2_active"] == "true":
if user["access_key_2_last_used_date"] != "N/A":
@@ -79,28 +84,21 @@ class iam_disable_45_days_credentials(Check):
)
if access_key_2_last_used_date.days > maximum_expiration_days:
old_access_keys = True
self.add_finding(
user=user,
status="FAIL",
status_extended=f"User {user['user']} has not used access key 2 in the last {maximum_expiration_days} days ({access_key_2_last_used_date.days} days).",
findings=findings,
)
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
report.status = "FAIL"
report.status_extended = f"User {user['user']} has not used access key 2 in the last {maximum_expiration_days} days ({access_key_2_last_used_date.days} days)."
findings.append(report)
if not old_access_keys:
self.add_finding(
user=user,
status="PASS",
status_extended=f"User {user['user']} does not have unused access keys for {maximum_expiration_days} days.",
findings=findings,
)
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
report.status = "PASS"
report.status_extended = f"User {user['user']} does not have unused access keys for {maximum_expiration_days} days."
findings.append(report)
return findings
def add_finding(self, user, status, status_extended, findings):
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
report.status = status
report.status_extended = status_extended
findings.append(report)

49
prowler/providers/aws/services/iam/iam_disable_90_days_credentials/iam_disable_90_days_credentials.py
View File

@@ -42,12 +42,16 @@ class iam_disable_90_days_credentials(Check):
user["access_key_1_active"] != "true"
and user["access_key_2_active"] != "true"
):
self.add_finding(
user=user,
status="PASS",
status_extended=f"User {user['user']} does not have access keys.",
findings=findings,
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
report.status = "PASS"
report.status_extended = (
f"User {user['user']} does not have access keys."
)
findings.append(report)
else:
old_access_keys = False
if user["access_key_1_active"] == "true":
@@ -61,12 +65,13 @@ class iam_disable_90_days_credentials(Check):
)
if access_key_1_last_used_date.days > maximum_expiration_days:
old_access_keys = True
self.add_finding(
user=user,
status="FAIL",
status_extended=f"User {user['user']} has not used access key 1 in the last {maximum_expiration_days} days ({access_key_1_last_used_date.days} days).",
findings=findings,
)
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
report.status = "FAIL"
report.status_extended = f"User {user['user']} has not used access key 1 in the last {maximum_expiration_days} days ({access_key_1_last_used_date.days} days)."
findings.append(report)
if user["access_key_2_active"] == "true":
if user["access_key_2_last_used_date"] != "N/A":
@@ -79,12 +84,13 @@ class iam_disable_90_days_credentials(Check):
)
if access_key_2_last_used_date.days > maximum_expiration_days:
old_access_keys = True
self.add_finding(
user=user,
status="FAIL",
status_extended=f"User {user['user']} has not used access key 2 in the last {maximum_expiration_days} days ({access_key_2_last_used_date.days} days).",
findings=findings,
)
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
report.status = "FAIL"
report.status_extended = f"User {user['user']} has not used access key 2 in the last {maximum_expiration_days} days ({access_key_2_last_used_date.days} days)."
findings.append(report)
if not old_access_keys:
self.add_finding(
@@ -95,12 +101,3 @@ class iam_disable_90_days_credentials(Check):
)
return findings
def add_finding(self, user, status, status_extended, findings):
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
report.status = status
report.status_extended = status_extended
findings.append(report)

63
prowler/providers/aws/services/iam/iam_rotate_access_key_90_days/iam_rotate_access_key_90_days.py
View File

@@ -16,12 +16,16 @@ class iam_rotate_access_key_90_days(Check):
user["access_key_1_last_rotated"] == "N/A"
and user["access_key_2_last_rotated"] == "N/A"
):
self.add_finding(
user=user,
status="PASS",
status_extended=f"User {user['user']} does not have access keys.",
findings=findings,
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
report.status = "PASS"
report.status_extended = (
f"User {user['user']} does not have access keys."
)
findings.append(report)
else:
old_access_keys = False
if (
@@ -37,12 +41,13 @@ class iam_rotate_access_key_90_days(Check):
)
if access_key_1_last_rotated.days > maximum_expiration_days:
old_access_keys = True
self.add_finding(
user=user,
status="FAIL",
status_extended=f"User {user['user']} has not rotated access key 1 in over 90 days ({access_key_1_last_rotated.days} days).",
findings=findings,
)
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
report.status = "FAIL"
report.status_extended = f"User {user['user']} has not rotated access key 1 in over 90 days ({access_key_1_last_rotated.days} days)."
findings.append(report)
if (
user["access_key_2_last_rotated"] != "N/A"
and user["access_key_2_active"] == "true"
@@ -56,27 +61,21 @@ class iam_rotate_access_key_90_days(Check):
)
if access_key_2_last_rotated.days > maximum_expiration_days:
old_access_keys = True
self.add_finding(
user=user,
status="FAIL",
status_extended=f"User {user['user']} has not rotated access key 2 in over 90 days ({access_key_2_last_rotated.days} days).",
findings=findings,
)
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
report.status = "FAIL"
report.status_extended = f"User {user['user']} has not rotated access key 2 in over 90 days ({access_key_2_last_rotated.days} days)."
findings.append(report)
if not old_access_keys:
self.add_finding(
user=user,
status="PASS",
status_extended=f"User {user['user']} does not have access keys older than 90 days.",
findings=findings,
)
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
report.status = "PASS"
report.status_extended = f"User {user['user']} does not have access keys older than 90 days."
findings.append(report)
return findings
def add_finding(self, user, status, status_extended, findings):
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
report.status = status
report.status_extended = status_extended
findings.append(report)