ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 14:55:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(iam credentials checks): unify logic (#2883)

Browse Source
This commit is contained in:
Nacho Rivera
2023-10-02 11:28:26 +02:00
committed by GitHub
parent f4ed01444a
commit 2d89f57644
4 changed files with 114 additions and 122 deletions
Download Patch File Download Diff File Expand all files Collapse all files

62
prowler/providers/aws/services/iam/iam_disable_30_days_credentials/iam_disable_30_days_credentials.py
View File

@@ -42,12 +42,16 @@ class iam_disable_30_days_credentials(Check):
user["access_key_1_active"] != "true" user["access_key_1_active"] != "true"
and user["access_key_2_active"] != "true" and user["access_key_2_active"] != "true"
): ):
self.add_finding( report = Check_Report_AWS(self.metadata())
user=user, report.region = iam_client.region
status="PASS", report.resource_id = user["user"]
status_extended=f"User {user['user']} does not have access keys.", report.resource_arn = user["arn"]
findings=findings, report.status = "PASS"
report.status_extended = (
f"User {user['user']} does not have access keys."
) )
findings.append(report)
else: else:
old_access_keys = False old_access_keys = False
if user["access_key_1_active"] == "true": if user["access_key_1_active"] == "true":
@@ -61,12 +65,13 @@ class iam_disable_30_days_credentials(Check):
) )
if access_key_1_last_used_date.days > maximum_expiration_days: if access_key_1_last_used_date.days > maximum_expiration_days:
old_access_keys = True old_access_keys = True
self.add_finding( report = Check_Report_AWS(self.metadata())
user=user, report.region = iam_client.region
status="FAIL", report.resource_id = user["user"]
status_extended=f"User {user['user']} has not used access key 1 in the last {maximum_expiration_days} days ({access_key_1_last_used_date.days} days).", report.resource_arn = user["arn"]
findings=findings, report.status = "FAIL"
) report.status_extended = f"User {user['user']} has not used access key 1 in the last {maximum_expiration_days} days ({access_key_1_last_used_date.days} days)."
findings.append(report)
if user["access_key_2_active"] == "true": if user["access_key_2_active"] == "true":
if user["access_key_2_last_used_date"] != "N/A": if user["access_key_2_last_used_date"] != "N/A":
@@ -79,28 +84,21 @@ class iam_disable_30_days_credentials(Check):
) )
if access_key_2_last_used_date.days > maximum_expiration_days: if access_key_2_last_used_date.days > maximum_expiration_days:
old_access_keys = True old_access_keys = True
self.add_finding( report = Check_Report_AWS(self.metadata())
user=user, report.region = iam_client.region
status="FAIL", report.resource_id = user["user"]
status_extended=f"User {user['user']} has not used access key 2 in the last {maximum_expiration_days} days ({access_key_2_last_used_date.days} days).", report.resource_arn = user["arn"]
findings=findings, report.status = "FAIL"
) report.status_extended = f"User {user['user']} has not used access key 2 in the last {maximum_expiration_days} days ({access_key_2_last_used_date.days} days)."
findings.append(report)
if not old_access_keys: if not old_access_keys:
self.add_finding( report = Check_Report_AWS(self.metadata())
user=user, report.region = iam_client.region
status="PASS", report.resource_id = user["user"]
status_extended=f"User {user['user']} does not have unused access keys for {maximum_expiration_days} days.", report.resource_arn = user["arn"]
findings=findings, report.status = "PASS"
) report.status_extended = f"User {user['user']} does not have unused access keys for {maximum_expiration_days} days."
findings.append(report)
return findings return findings
def add_finding(self, user, status, status_extended, findings):
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
report.status = status
report.status_extended = status_extended
findings.append(report)

62
prowler/providers/aws/services/iam/iam_disable_45_days_credentials/iam_disable_45_days_credentials.py
View File

@@ -42,12 +42,16 @@ class iam_disable_45_days_credentials(Check):
user["access_key_1_active"] != "true" user["access_key_1_active"] != "true"
and user["access_key_2_active"] != "true" and user["access_key_2_active"] != "true"
): ):
self.add_finding( report = Check_Report_AWS(self.metadata())
user=user, report.region = iam_client.region
status="PASS", report.resource_id = user["user"]
status_extended=f"User {user['user']} does not have access keys.", report.resource_arn = user["arn"]
findings=findings, report.status = "PASS"
report.status_extended = (
f"User {user['user']} does not have access keys."
) )
findings.append(report)
else: else:
old_access_keys = False old_access_keys = False
if user["access_key_1_active"] == "true": if user["access_key_1_active"] == "true":
@@ -61,12 +65,13 @@ class iam_disable_45_days_credentials(Check):
) )
if access_key_1_last_used_date.days > maximum_expiration_days: if access_key_1_last_used_date.days > maximum_expiration_days:
old_access_keys = True old_access_keys = True
self.add_finding( report = Check_Report_AWS(self.metadata())
user=user, report.region = iam_client.region
status="FAIL", report.resource_id = user["user"]
status_extended=f"User {user['user']} has not used access key 1 in the last {maximum_expiration_days} days ({access_key_1_last_used_date.days} days).", report.resource_arn = user["arn"]
findings=findings, report.status = "FAIL"
) report.status_extended = f"User {user['user']} has not used access key 1 in the last {maximum_expiration_days} days ({access_key_1_last_used_date.days} days)."
findings.append(report)
if user["access_key_2_active"] == "true": if user["access_key_2_active"] == "true":
if user["access_key_2_last_used_date"] != "N/A": if user["access_key_2_last_used_date"] != "N/A":
@@ -79,28 +84,21 @@ class iam_disable_45_days_credentials(Check):
) )
if access_key_2_last_used_date.days > maximum_expiration_days: if access_key_2_last_used_date.days > maximum_expiration_days:
old_access_keys = True old_access_keys = True
self.add_finding( report = Check_Report_AWS(self.metadata())
user=user, report.region = iam_client.region
status="FAIL", report.resource_id = user["user"]
status_extended=f"User {user['user']} has not used access key 2 in the last {maximum_expiration_days} days ({access_key_2_last_used_date.days} days).", report.resource_arn = user["arn"]
findings=findings, report.status = "FAIL"
) report.status_extended = f"User {user['user']} has not used access key 2 in the last {maximum_expiration_days} days ({access_key_2_last_used_date.days} days)."
findings.append(report)
if not old_access_keys: if not old_access_keys:
self.add_finding( report = Check_Report_AWS(self.metadata())
user=user, report.region = iam_client.region
status="PASS", report.resource_id = user["user"]
status_extended=f"User {user['user']} does not have unused access keys for {maximum_expiration_days} days.", report.resource_arn = user["arn"]
findings=findings, report.status = "PASS"
) report.status_extended = f"User {user['user']} does not have unused access keys for {maximum_expiration_days} days."
findings.append(report)
return findings return findings
def add_finding(self, user, status, status_extended, findings):
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
report.status = status
report.status_extended = status_extended
findings.append(report)

49
prowler/providers/aws/services/iam/iam_disable_90_days_credentials/iam_disable_90_days_credentials.py
View File

@@ -42,12 +42,16 @@ class iam_disable_90_days_credentials(Check):
user["access_key_1_active"] != "true" user["access_key_1_active"] != "true"
and user["access_key_2_active"] != "true" and user["access_key_2_active"] != "true"
): ):
self.add_finding( report = Check_Report_AWS(self.metadata())
user=user, report.region = iam_client.region
status="PASS", report.resource_id = user["user"]
status_extended=f"User {user['user']} does not have access keys.", report.resource_arn = user["arn"]
findings=findings, report.status = "PASS"
report.status_extended = (
f"User {user['user']} does not have access keys."
) )
findings.append(report)
else: else:
old_access_keys = False old_access_keys = False
if user["access_key_1_active"] == "true": if user["access_key_1_active"] == "true":
@@ -61,12 +65,13 @@ class iam_disable_90_days_credentials(Check):
) )
if access_key_1_last_used_date.days > maximum_expiration_days: if access_key_1_last_used_date.days > maximum_expiration_days:
old_access_keys = True old_access_keys = True
self.add_finding( report = Check_Report_AWS(self.metadata())
user=user, report.region = iam_client.region
status="FAIL", report.resource_id = user["user"]
status_extended=f"User {user['user']} has not used access key 1 in the last {maximum_expiration_days} days ({access_key_1_last_used_date.days} days).", report.resource_arn = user["arn"]
findings=findings, report.status = "FAIL"
) report.status_extended = f"User {user['user']} has not used access key 1 in the last {maximum_expiration_days} days ({access_key_1_last_used_date.days} days)."
findings.append(report)
if user["access_key_2_active"] == "true": if user["access_key_2_active"] == "true":
if user["access_key_2_last_used_date"] != "N/A": if user["access_key_2_last_used_date"] != "N/A":
@@ -79,12 +84,13 @@ class iam_disable_90_days_credentials(Check):
) )
if access_key_2_last_used_date.days > maximum_expiration_days: if access_key_2_last_used_date.days > maximum_expiration_days:
old_access_keys = True old_access_keys = True
self.add_finding( report = Check_Report_AWS(self.metadata())
user=user, report.region = iam_client.region
status="FAIL", report.resource_id = user["user"]
status_extended=f"User {user['user']} has not used access key 2 in the last {maximum_expiration_days} days ({access_key_2_last_used_date.days} days).", report.resource_arn = user["arn"]
findings=findings, report.status = "FAIL"
) report.status_extended = f"User {user['user']} has not used access key 2 in the last {maximum_expiration_days} days ({access_key_2_last_used_date.days} days)."
findings.append(report)
if not old_access_keys: if not old_access_keys:
self.add_finding( self.add_finding(
@@ -95,12 +101,3 @@ class iam_disable_90_days_credentials(Check):
) )
return findings return findings
def add_finding(self, user, status, status_extended, findings):
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
report.status = status
report.status_extended = status_extended
findings.append(report)

63
prowler/providers/aws/services/iam/iam_rotate_access_key_90_days/iam_rotate_access_key_90_days.py
View File

@@ -16,12 +16,16 @@ class iam_rotate_access_key_90_days(Check):
user["access_key_1_last_rotated"] == "N/A" user["access_key_1_last_rotated"] == "N/A"
and user["access_key_2_last_rotated"] == "N/A" and user["access_key_2_last_rotated"] == "N/A"
): ):
self.add_finding( report = Check_Report_AWS(self.metadata())
user=user, report.region = iam_client.region
status="PASS", report.resource_id = user["user"]
status_extended=f"User {user['user']} does not have access keys.", report.resource_arn = user["arn"]
findings=findings, report.status = "PASS"
report.status_extended = (
f"User {user['user']} does not have access keys."
) )
findings.append(report)
else: else:
old_access_keys = False old_access_keys = False
if ( if (
@@ -37,12 +41,13 @@ class iam_rotate_access_key_90_days(Check):
) )
if access_key_1_last_rotated.days > maximum_expiration_days: if access_key_1_last_rotated.days > maximum_expiration_days:
old_access_keys = True old_access_keys = True
self.add_finding( report = Check_Report_AWS(self.metadata())
user=user, report.region = iam_client.region
status="FAIL", report.resource_id = user["user"]
status_extended=f"User {user['user']} has not rotated access key 1 in over 90 days ({access_key_1_last_rotated.days} days).", report.resource_arn = user["arn"]
findings=findings, report.status = "FAIL"
) report.status_extended = f"User {user['user']} has not rotated access key 1 in over 90 days ({access_key_1_last_rotated.days} days)."
findings.append(report)
if ( if (
user["access_key_2_last_rotated"] != "N/A" user["access_key_2_last_rotated"] != "N/A"
and user["access_key_2_active"] == "true" and user["access_key_2_active"] == "true"
@@ -56,27 +61,21 @@ class iam_rotate_access_key_90_days(Check):
) )
if access_key_2_last_rotated.days > maximum_expiration_days: if access_key_2_last_rotated.days > maximum_expiration_days:
old_access_keys = True old_access_keys = True
self.add_finding( report = Check_Report_AWS(self.metadata())
user=user, report.region = iam_client.region
status="FAIL", report.resource_id = user["user"]
status_extended=f"User {user['user']} has not rotated access key 2 in over 90 days ({access_key_2_last_rotated.days} days).", report.resource_arn = user["arn"]
findings=findings, report.status = "FAIL"
) report.status_extended = f"User {user['user']} has not rotated access key 2 in over 90 days ({access_key_2_last_rotated.days} days)."
findings.append(report)
if not old_access_keys: if not old_access_keys:
self.add_finding( report = Check_Report_AWS(self.metadata())
user=user, report.region = iam_client.region
status="PASS", report.resource_id = user["user"]
status_extended=f"User {user['user']} does not have access keys older than 90 days.", report.resource_arn = user["arn"]
findings=findings, report.status = "PASS"
) report.status_extended = f"User {user['user']} does not have access keys older than 90 days."
findings.append(report)
return findings return findings
def add_finding(self, user, status, status_extended, findings):
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
report.status = status
report.status_extended = status_extended
findings.append(report)