From 2d89f576447024e2bfc9b136233942a9b2e7901f Mon Sep 17 00:00:00 2001
From: Nacho Rivera
Date: Mon, 2 Oct 2023 11:28:26 +0200
Subject: [PATCH] fix(iam credentials checks): unify logic (#2883)
---
 .../iam_disable_30_days_credentials.py | 62 +++++++++---------
 .../iam_disable_45_days_credentials.py | 62 +++++++++---------
 .../iam_disable_90_days_credentials.py | 49 +++++++--------
 .../iam_rotate_access_key_90_days.py | 63 +++++++++----------
 4 files changed, 114 insertions(+), 122 deletions(-)
diff --git a/prowler/providers/aws/services/iam/iam_disable_30_days_credentials/iam_disable_30_days_credentials.py b/prowler/providers/aws/services/iam/iam_disable_30_days_credentials/iam_disable_30_days_credentials.py
index d14c6194..b6b42045 100644
--- a/prowler/providers/aws/services/iam/iam_disable_30_days_credentials/iam_disable_30_days_credentials.py
+++ b/prowler/providers/aws/services/iam/iam_disable_30_days_credentials/iam_disable_30_days_credentials.py
@@ -42,12 +42,16 @@ class iam_disable_30_days_credentials(Check):
 user["access_key_1_active"] != "true"
 and user["access_key_2_active"] != "true"
 ):
- self.add_finding(
- user=user,
- status="PASS",
- status_extended=f"User {user['user']} does not have access keys.",
- findings=findings,
+ report = Check_Report_AWS(self.metadata())
+ report.region = iam_client.region
+ report.resource_id = user["user"]
+ report.resource_arn = user["arn"]
+ report.status = "PASS"
+ report.status_extended = (
+ f"User {user['user']} does not have access keys."
 )
+ findings.append(report)
+
 else:
 old_access_keys = False
 if user["access_key_1_active"] == "true":
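Review bot: The seven-line report construction that replaces `self.add_finding(...)` in this hunk is pasted verbatim into every PASS/FAIL branch of this file (the -61 and -79 hunks below) and of the 45-day, 90-day and rotate checks, so any change to how a finding is populated now has to be made in each copy. If the per-check helper was removed on purpose to match how other checks build their reports, a short comment at the first inlined block, `# report built inline, matching the pattern used by the other IAM checks`, would keep the next reader from re-extracting it. The added blank line between `findings.append(report)` and `else:` splits an if-body from its else clause; dropping it keeps the two branches visually paired. The enclosing `execute` starts before this hunk.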
@@ -61,12 +65,13 @@ class iam_disable_30_days_credentials(Check):
 )
 if access_key_1_last_used_date.days > maximum_expiration_days:
 old_access_keys = True
- self.add_finding(
- user=user,
- status="FAIL",
- status_extended=f"User {user['user']} has not used access key 1 in the last {maximum_expiration_days} days ({access_key_1_last_used_date.days} days).",
- findings=findings,
- )
+ report = Check_Report_AWS(self.metadata())
+ report.region = iam_client.region
+ report.resource_id = user["user"]
+ report.resource_arn = user["arn"]
+ report.status = "FAIL"
+ report.status_extended = f"User {user['user']} has not used access key 1 in the last {maximum_expiration_days} days ({access_key_1_last_used_date.days} days)."
+ findings.append(report)
 if user["access_key_2_active"] == "true":
 if user["access_key_2_last_used_date"] != "N/A":
@@ -79,28 +84,21 @@ class iam_disable_30_days_credentials(Check):
 )
 if access_key_2_last_used_date.days > maximum_expiration_days:
 old_access_keys = True
- self.add_finding(
- user=user,
- status="FAIL",
- status_extended=f"User {user['user']} has not used access key 2 in the last {maximum_expiration_days} days ({access_key_2_last_used_date.days} days).",
- findings=findings,
- )
+ report = Check_Report_AWS(self.metadata())
+ report.region = iam_client.region
+ report.resource_id = user["user"]
+ report.resource_arn = user["arn"]
+ report.status = "FAIL"
+ report.status_extended = f"User {user['user']} has not used access key 2 in the last {maximum_expiration_days} days ({access_key_2_last_used_date.days} days)."
+ findings.append(report)
 if not old_access_keys:
- self.add_finding(
- user=user,
- status="PASS",
- status_extended=f"User {user['user']} does not have unused access keys for {maximum_expiration_days} days.",
- findings=findings,
- )
+ report = Check_Report_AWS(self.metadata())
+ report.region = iam_client.region
+ report.resource_id = user["user"]
+ report.resource_arn = user["arn"]
+ report.status = "PASS"
+ report.status_extended = f"User {user['user']} does not have unused access keys for {maximum_expiration_days} days."
+ findings.append(report)
 return findings
-
- def add_finding(self, user, status, status_extended, findings):
- report = Check_Report_AWS(self.metadata())
- report.region = iam_client.region
- report.resource_id = user["user"]
- report.resource_arn = user["arn"]
- report.status = status
- report.status_extended = status_extended
- findings.append(report)
diff --git a/prowler/providers/aws/services/iam/iam_disable_45_days_credentials/iam_disable_45_days_credentials.py b/prowler/providers/aws/services/iam/iam_disable_45_days_credentials/iam_disable_45_days_credentials.py
index a4c6b4c8..42cfcd0c 100644
--- a/prowler/providers/aws/services/iam/iam_disable_45_days_credentials/iam_disable_45_days_credentials.py
+++ b/prowler/providers/aws/services/iam/iam_disable_45_days_credentials/iam_disable_45_days_credentials.py
@@ -42,12 +42,16 @@ class iam_disable_45_days_credentials(Check):
 user["access_key_1_active"] != "true"
 and user["access_key_2_active"] != "true"
 ):
- self.add_finding(
- user=user,
- status="PASS",
- status_extended=f"User {user['user']} does not have access keys.",
- findings=findings,
+ report = Check_Report_AWS(self.metadata())
+ report.region = iam_client.region
+ report.resource_id = user["user"]
+ report.resource_arn = user["arn"]
+ report.status = "PASS"
+ report.status_extended = (
+ f"User {user['user']} does not have access keys."
 )
+ findings.append(report)
+
 else:
 old_access_keys = False
 if user["access_key_1_active"] == "true":
@@ -61,12 +65,13 @@ class iam_disable_45_days_credentials(Check):
 )
 if access_key_1_last_used_date.days > maximum_expiration_days:
 old_access_keys = True
- self.add_finding(
- user=user,
- status="FAIL",
- status_extended=f"User {user['user']} has not used access key 1 in the last {maximum_expiration_days} days ({access_key_1_last_used_date.days} days).",
- findings=findings,
- )
+ report = Check_Report_AWS(self.metadata())
+ report.region = iam_client.region
+ report.resource_id = user["user"]
+ report.resource_arn = user["arn"]
+ report.status = "FAIL"
+ report.status_extended = f"User {user['user']} has not used access key 1 in the last {maximum_expiration_days} days ({access_key_1_last_used_date.days} days)."
+ findings.append(report)
 if user["access_key_2_active"] == "true":
 if user["access_key_2_last_used_date"] != "N/A":
@@ -79,28 +84,21 @@ class iam_disable_45_days_credentials(Check):
 )
 if access_key_2_last_used_date.days > maximum_expiration_days:
 old_access_keys = True
- self.add_finding(
- user=user,
- status="FAIL",
- status_extended=f"User {user['user']} has not used access key 2 in the last {maximum_expiration_days} days ({access_key_2_last_used_date.days} days).",
- findings=findings,
- )
+ report = Check_Report_AWS(self.metadata())
+ report.region = iam_client.region
+ report.resource_id = user["user"]
+ report.resource_arn = user["arn"]
+ report.status = "FAIL"
+ report.status_extended = f"User {user['user']} has not used access key 2 in the last {maximum_expiration_days} days ({access_key_2_last_used_date.days} days)."
+ findings.append(report)
 if not old_access_keys:
- self.add_finding(
- user=user,
- status="PASS",
- status_extended=f"User {user['user']} does not have unused access keys for {maximum_expiration_days} days.",
- findings=findings,
- )
+ report = Check_Report_AWS(self.metadata())
+ report.region = iam_client.region
+ report.resource_id = user["user"]
+ report.resource_arn = user["arn"]
+ report.status = "PASS"
+ report.status_extended = f"User {user['user']} does not have unused access keys for {maximum_expiration_days} days."
+ findings.append(report)
 return findings
-
- def add_finding(self, user, status, status_extended, findings):
- report = Check_Report_AWS(self.metadata())
- report.region = iam_client.region
- report.resource_id = user["user"]
- report.resource_arn = user["arn"]
- report.status = status
- report.status_extended = status_extended
- findings.append(report)
diff --git a/prowler/providers/aws/services/iam/iam_disable_90_days_credentials/iam_disable_90_days_credentials.py b/prowler/providers/aws/services/iam/iam_disable_90_days_credentials/iam_disable_90_days_credentials.py
index 6b5ec594..5a045ebb 100644
--- a/prowler/providers/aws/services/iam/iam_disable_90_days_credentials/iam_disable_90_days_credentials.py
+++ b/prowler/providers/aws/services/iam/iam_disable_90_days_credentials/iam_disable_90_days_credentials.py
@@ -42,12 +42,16 @@ class iam_disable_90_days_credentials(Check):
 user["access_key_1_active"] != "true"
 and user["access_key_2_active"] != "true"
 ):
- self.add_finding(
- user=user,
- status="PASS",
- status_extended=f"User {user['user']} does not have access keys.",
- findings=findings,
+ report = Check_Report_AWS(self.metadata())
+ report.region = iam_client.region
+ report.resource_id = user["user"]
+ report.resource_arn = user["arn"]
+ report.status = "PASS"
+ report.status_extended = (
+ f"User {user['user']} does not have access keys."
 )
+ findings.append(report)
+
 else:
 old_access_keys = False
 if user["access_key_1_active"] == "true":
@@ -61,12 +65,13 @@ class iam_disable_90_days_credentials(Check):
 )
 if access_key_1_last_used_date.days > maximum_expiration_days:
 old_access_keys = True
- self.add_finding(
- user=user,
- status="FAIL",
- status_extended=f"User {user['user']} has not used access key 1 in the last {maximum_expiration_days} days ({access_key_1_last_used_date.days} days).",
- findings=findings,
- )
+ report = Check_Report_AWS(self.metadata())
+ report.region = iam_client.region
+ report.resource_id = user["user"]
+ report.resource_arn = user["arn"]
+ report.status = "FAIL"
+ report.status_extended = f"User {user['user']} has not used access key 1 in the last {maximum_expiration_days} days ({access_key_1_last_used_date.days} days)."
+ findings.append(report)
 if user["access_key_2_active"] == "true":
 if user["access_key_2_last_used_date"] != "N/A":
@@ -79,12 +84,13 @@ class iam_disable_90_days_credentials(Check):
 )
 if access_key_2_last_used_date.days > maximum_expiration_days:
 old_access_keys = True
- self.add_finding(
- user=user,
- status="FAIL",
- status_extended=f"User {user['user']} has not used access key 2 in the last {maximum_expiration_days} days ({access_key_2_last_used_date.days} days).",
- findings=findings,
- )
+ report = Check_Report_AWS(self.metadata())
+ report.region = iam_client.region
+ report.resource_id = user["user"]
+ report.resource_arn = user["arn"]
+ report.status = "FAIL"
+ report.status_extended = f"User {user['user']} has not used access key 2 in the last {maximum_expiration_days} days ({access_key_2_last_used_date.days} days)."
+ findings.append(report)
 if not old_access_keys:
 self.add_finding(
@@ -95,12 +101,3 @@ class iam_disable_90_days_credentials(Check):
 )
 return findings
-
- def add_finding(self, user, status, status_extended, findings):
- report = Check_Report_AWS(self.metadata())
- report.region = iam_client.region
- report.resource_id = user["user"]
- report.resource_arn = user["arn"]
- report.status = status
- report.status_extended = status_extended
- findings.append(report)
diff --git a/prowler/providers/aws/services/iam/iam_rotate_access_key_90_days/iam_rotate_access_key_90_days.py b/prowler/providers/aws/services/iam/iam_rotate_access_key_90_days/iam_rotate_access_key_90_days.py
index ca52b524..b23cd479 100644
--- a/prowler/providers/aws/services/iam/iam_rotate_access_key_90_days/iam_rotate_access_key_90_days.py
+++ b/prowler/providers/aws/services/iam/iam_rotate_access_key_90_days/iam_rotate_access_key_90_days.py
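Review bot: The PASS branch of iam_disable_90_days_credentials still calls `self.add_finding(` (the unchanged context lines `if not old_access_keys:` / `self.add_finding(` at the end of the -79 hunk, closed by the `)` that opens the -95 hunk), yet the -95 hunk deletes the `add_finding` method, so the first user whose active keys were all used within the threshold raises AttributeError instead of producing a PASS finding. Because the exception escapes `execute` before `return findings`, the FAIL findings already collected for other users in the same account are lost with it, which turns a single missed PASS into a missing stale-credential result for the whole account whenever at least one user is compliant. The 49-line diffstat for this file against 62 for the 30- and 45-day checks is consistent with this one block having been skipped. The fix is to inline the report here exactly as the sibling checks do; the call's arguments, including its status_extended string, sit between the two hunks and are not visible in the diff. `execute` begins before the first hunk.
```python
                if not old_access_keys:
                    report = Check_Report_AWS(self.metadata())
                    report.region = iam_client.region
                    report.resource_id = user["user"]
                    report.resource_arn = user["arn"]
                    report.status = "PASS"
                    # placeholder: reuse the status_extended string the existing self.add_finding(...) call passes
                    report.status_extended = PASS_STATUS_EXTENDED_PLACEHOLDER
                    findings.append(report)
        return findings
```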
@@ -16,12 +16,16 @@ class iam_rotate_access_key_90_days(Check):
 user["access_key_1_last_rotated"] == "N/A"
 and user["access_key_2_last_rotated"] == "N/A"
 ):
- self.add_finding(
- user=user,
- status="PASS",
- status_extended=f"User {user['user']} does not have access keys.",
- findings=findings,
+ report = Check_Report_AWS(self.metadata())
+ report.region = iam_client.region
+ report.resource_id = user["user"]
+ report.resource_arn = user["arn"]
+ report.status = "PASS"
+ report.status_extended = (
+ f"User {user['user']} does not have access keys."
 )
+ findings.append(report)
+
 else:
 old_access_keys = False
 if (
@@ -37,12 +41,13 @@ class iam_rotate_access_key_90_days(Check):
 )
 if access_key_1_last_rotated.days > maximum_expiration_days:
 old_access_keys = True
- self.add_finding(
- user=user,
- status="FAIL",
- status_extended=f"User {user['user']} has not rotated access key 1 in over 90 days ({access_key_1_last_rotated.days} days).",
- findings=findings,
- )
+ report = Check_Report_AWS(self.metadata())
+ report.region = iam_client.region
+ report.resource_id = user["user"]
+ report.resource_arn = user["arn"]
+ report.status = "FAIL"
+ report.status_extended = f"User {user['user']} has not rotated access key 1 in over 90 days ({access_key_1_last_rotated.days} days)."
+ findings.append(report)
 if (
 user["access_key_2_last_rotated"] != "N/A"
 and user["access_key_2_active"] == "true"
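Review bot: The FAIL message added in the -37 hunk hard-codes `90 days` while the comparison on the line above it uses `maximum_expiration_days`; the key-2 FAIL and the PASS message in the -56 hunk below do the same. If that variable is ever set to anything other than 90 (its assignment is outside the hunk, so I cannot tell whether it is configurable), the threshold the finding reports would no longer be the one that was applied, and an auditor reading the output would be told a different rotation window than the check enforced. The three unused-credential checks interpolate the variable into their messages, so for consistency this line should read `report.status_extended = f"User {user['user']} has not rotated access key 1 in over {maximum_expiration_days} days ({access_key_1_last_rotated.days} days)."`, with the same substitution in the two messages of the next hunk. The enclosing `execute` starts before the first hunk of this file.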
@@ -56,27 +61,21 @@ class iam_rotate_access_key_90_days(Check):
 )
 if access_key_2_last_rotated.days > maximum_expiration_days:
 old_access_keys = True
- self.add_finding(
- user=user,
- status="FAIL",
- status_extended=f"User {user['user']} has not rotated access key 2 in over 90 days ({access_key_2_last_rotated.days} days).",
- findings=findings,
- )
+ report = Check_Report_AWS(self.metadata())
+ report.region = iam_client.region
+ report.resource_id = user["user"]
+ report.resource_arn = user["arn"]
+ report.status = "FAIL"
+ report.status_extended = f"User {user['user']} has not rotated access key 2 in over 90 days ({access_key_2_last_rotated.days} days)."
+ findings.append(report)
+
 if not old_access_keys:
- self.add_finding(
- user=user,
- status="PASS",
- status_extended=f"User {user['user']} does not have access keys older than 90 days.",
- findings=findings,
- )
+ report = Check_Report_AWS(self.metadata())
+ report.region = iam_client.region
+ report.resource_id = user["user"]
+ report.resource_arn = user["arn"]
+ report.status = "PASS"
+ report.status_extended = f"User {user['user']} does not have access keys older than 90 days."
+ findings.append(report)
 return findings
-
- def add_finding(self, user, status, status_extended, findings):
- report = Check_Report_AWS(self.metadata())
- report.region = iam_client.region
- report.resource_id = user["user"]
- report.resource_arn = user["arn"]
- report.status = status
- report.status_extended = status_extended
- findings.append(report)