diff --git a/prowler/providers/aws/services/iam/iam_disable_30_days_credentials/iam_disable_30_days_credentials.py b/prowler/providers/aws/services/iam/iam_disable_30_days_credentials/iam_disable_30_days_credentials.py index 846eae26..d14c6194 100644 --- a/prowler/providers/aws/services/iam/iam_disable_30_days_credentials/iam_disable_30_days_credentials.py +++ b/prowler/providers/aws/services/iam/iam_disable_30_days_credentials/iam_disable_30_days_credentials.py @@ -38,17 +38,15 @@ class iam_disable_30_days_credentials(Check): findings.append(report) for user in iam_client.credential_report: - report = Check_Report_AWS(self.metadata()) - report.region = iam_client.region - report.resource_id = user["user"] - report.resource_arn = user["arn"] if ( user["access_key_1_active"] != "true" and user["access_key_2_active"] != "true" ): - report.status = "PASS" - report.status_extended = ( - f"User {user['user']} does not have access keys." + self.add_finding( + user=user, + status="PASS", + status_extended=f"User {user['user']} does not have access keys.", + findings=findings, ) else: old_access_keys = False @@ -63,8 +61,12 @@ class iam_disable_30_days_credentials(Check): ) if access_key_1_last_used_date.days > maximum_expiration_days: old_access_keys = True - report.status = "FAIL" - report.status_extended = f"User {user['user']} has not used access key 1 in the last {maximum_expiration_days} days ({access_key_1_last_used_date.days} days)." + self.add_finding( + user=user, + status="FAIL", + status_extended=f"User {user['user']} has not used access key 1 in the last {maximum_expiration_days} days ({access_key_1_last_used_date.days} days).", + findings=findings, + ) if user["access_key_2_active"] == "true": if user["access_key_2_last_used_date"] != "N/A": 
@@ -77,12 +79,28 @@ class iam_disable_30_days_credentials(Check): ) if access_key_2_last_used_date.days > maximum_expiration_days: old_access_keys = True - report.status = "FAIL" - report.status_extended = f"User {user['user']} has not used access key 2 in the last {maximum_expiration_days} days ({access_key_2_last_used_date.days} days)." + self.add_finding( + user=user, + status="FAIL", + status_extended=f"User {user['user']} has not used access key 2 in the last {maximum_expiration_days} days ({access_key_2_last_used_date.days} days).", + findings=findings, + ) if not old_access_keys: - report.status = "PASS" - report.status_extended = f"User {user['user']} does not have unused access keys for {maximum_expiration_days} days." - findings.append(report) + self.add_finding( + user=user, + status="PASS", + status_extended=f"User {user['user']} does not have unused access keys for {maximum_expiration_days} days.", + findings=findings, + ) return findings + + def add_finding(self, user, status, status_extended, findings): + report = Check_Report_AWS(self.metadata()) + report.region = iam_client.region + report.resource_id = user["user"] + report.resource_arn = user["arn"] + report.status = status + report.status_extended = status_extended + findings.append(report) diff --git a/prowler/providers/aws/services/iam/iam_disable_45_days_credentials/iam_disable_45_days_credentials.py b/prowler/providers/aws/services/iam/iam_disable_45_days_credentials/iam_disable_45_days_credentials.py index 0115e4b4..a4c6b4c8 100644 --- a/prowler/providers/aws/services/iam/iam_disable_45_days_credentials/iam_disable_45_days_credentials.py +++ b/prowler/providers/aws/services/iam/iam_disable_45_days_credentials/iam_disable_45_days_credentials.py 
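Review bot: The `add_finding` helper added at the end of this hunk is pasted verbatim into five check classes (this file, the 45- and 90-day variants, the rotation check and the initial-access-key check each get an identical copy), and none of the copies carries a docstring or type hints. Every copy needs only `self.metadata()`, the module-level `iam_client` and one credential-report row, so a single shared implementation (on the `Check` base class, or a function in the IAM service module that takes the client as an argument) would stop the resource fields and messages from drifting between the five checks. At minimum document the contract and the side effect, `"""Append a Check_Report_AWS for one credential-report row (mutates `findings` in place)."""`, and annotate the signature as `def add_finding(self, user: dict, status: str, status_extended: str, findings: list) -> None:`. Returning the report as well would let callers compose it rather than threading `findings` through every call.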
@@ -38,17 +38,15 @@ class iam_disable_45_days_credentials(Check): findings.append(report) for user in iam_client.credential_report: - report = Check_Report_AWS(self.metadata()) - report.region = iam_client.region - report.resource_id = user["user"] - report.resource_arn = user["arn"] if ( user["access_key_1_active"] != "true" and user["access_key_2_active"] != "true" ): - report.status = "PASS" - report.status_extended = ( - f"User {user['user']} does not have access keys." + self.add_finding( + user=user, + status="PASS", + status_extended=f"User {user['user']} does not have access keys.", + findings=findings, ) else: old_access_keys = False @@ -63,8 +61,12 @@ class iam_disable_45_days_credentials(Check): ) if access_key_1_last_used_date.days > maximum_expiration_days: old_access_keys = True - report.status = "FAIL" - report.status_extended = f"User {user['user']} has not used access key 1 in the last {maximum_expiration_days} days ({access_key_1_last_used_date.days} days)." + self.add_finding( + user=user, + status="FAIL", + status_extended=f"User {user['user']} has not used access key 1 in the last {maximum_expiration_days} days ({access_key_1_last_used_date.days} days).", + findings=findings, + ) if user["access_key_2_active"] == "true": if user["access_key_2_last_used_date"] != "N/A": 
@@ -77,12 +79,28 @@ class iam_disable_45_days_credentials(Check): ) if access_key_2_last_used_date.days > maximum_expiration_days: old_access_keys = True - report.status = "FAIL" - report.status_extended = f"User {user['user']} has not used access key 2 in the last {maximum_expiration_days} days ({access_key_2_last_used_date.days} days)." + self.add_finding( + user=user, + status="FAIL", + status_extended=f"User {user['user']} has not used access key 2 in the last {maximum_expiration_days} days ({access_key_2_last_used_date.days} days).", + findings=findings, + ) if not old_access_keys: - report.status = "PASS" - report.status_extended = f"User {user['user']} does not have unused access keys for {maximum_expiration_days} days." - findings.append(report) + self.add_finding( + user=user, + status="PASS", + status_extended=f"User {user['user']} does not have unused access keys for {maximum_expiration_days} days.", + findings=findings, + ) return findings + + def add_finding(self, user, status, status_extended, findings): + report = Check_Report_AWS(self.metadata()) + report.region = iam_client.region + report.resource_id = user["user"] + report.resource_arn = user["arn"] + report.status = status + report.status_extended = status_extended + findings.append(report) diff --git a/prowler/providers/aws/services/iam/iam_disable_90_days_credentials/iam_disable_90_days_credentials.py b/prowler/providers/aws/services/iam/iam_disable_90_days_credentials/iam_disable_90_days_credentials.py index 47350258..6b5ec594 100644 --- a/prowler/providers/aws/services/iam/iam_disable_90_days_credentials/iam_disable_90_days_credentials.py +++ b/prowler/providers/aws/services/iam/iam_disable_90_days_credentials/iam_disable_90_days_credentials.py 
@@ -38,17 +38,15 @@ class iam_disable_90_days_credentials(Check): findings.append(report) for user in iam_client.credential_report: - report = Check_Report_AWS(self.metadata()) - report.region = iam_client.region - report.resource_id = user["user"] - report.resource_arn = user["arn"] if ( user["access_key_1_active"] != "true" and user["access_key_2_active"] != "true" ): - report.status = "PASS" - report.status_extended = ( - f"User {user['user']} does not have access keys." + self.add_finding( + user=user, + status="PASS", + status_extended=f"User {user['user']} does not have access keys.", + findings=findings, ) else: old_access_keys = False @@ -63,8 +61,12 @@ class iam_disable_90_days_credentials(Check): ) if access_key_1_last_used_date.days > maximum_expiration_days: old_access_keys = True - report.status = "FAIL" - report.status_extended = f"User {user['user']} has not used access key 1 in the last {maximum_expiration_days} days ({access_key_1_last_used_date.days} days)." + self.add_finding( + user=user, + status="FAIL", + status_extended=f"User {user['user']} has not used access key 1 in the last {maximum_expiration_days} days ({access_key_1_last_used_date.days} days).", + findings=findings, + ) if user["access_key_2_active"] == "true": if user["access_key_2_last_used_date"] != "N/A": 
@@ -77,12 +79,28 @@ class iam_disable_90_days_credentials(Check): ) if access_key_2_last_used_date.days > maximum_expiration_days: old_access_keys = True - report.status = "FAIL" - report.status_extended = f"User {user['user']} has not used access key 2 in the last {maximum_expiration_days} days ({access_key_2_last_used_date.days} days)." + self.add_finding( + user=user, + status="FAIL", + status_extended=f"User {user['user']} has not used access key 2 in the last {maximum_expiration_days} days ({access_key_2_last_used_date.days} days).", + findings=findings, + ) if not old_access_keys: - report.status = "PASS" - report.status_extended = f"User {user['user']} does not have unused access keys for {maximum_expiration_days} days." - findings.append(report) + self.add_finding( + user=user, + status="PASS", + status_extended=f"User {user['user']} does not have unused access keys for {maximum_expiration_days} days.", + findings=findings, + ) return findings + + def add_finding(self, user, status, status_extended, findings): + report = Check_Report_AWS(self.metadata()) + report.region = iam_client.region + report.resource_id = user["user"] + report.resource_arn = user["arn"] + report.status = status + report.status_extended = status_extended + findings.append(report) diff --git a/prowler/providers/aws/services/iam/iam_rotate_access_key_90_days/iam_rotate_access_key_90_days.py b/prowler/providers/aws/services/iam/iam_rotate_access_key_90_days/iam_rotate_access_key_90_days.py index 45840a50..ca52b524 100644 --- a/prowler/providers/aws/services/iam/iam_rotate_access_key_90_days/iam_rotate_access_key_90_days.py +++ b/prowler/providers/aws/services/iam/iam_rotate_access_key_90_days/iam_rotate_access_key_90_days.py 
@@ -12,17 +12,15 @@ class iam_rotate_access_key_90_days(Check): response = iam_client.credential_report for user in response: - report = Check_Report_AWS(self.metadata()) - report.region = iam_client.region - report.resource_id = user["user"] - report.resource_arn = user["arn"] if ( user["access_key_1_last_rotated"] == "N/A" and user["access_key_2_last_rotated"] == "N/A" ): - report.status = "PASS" - report.status_extended = ( - f"User {user['user']} does not have access keys." + self.add_finding( + user=user, + status="PASS", + status_extended=f"User {user['user']} does not have access keys.", + findings=findings, ) else: old_access_keys = False @@ -39,8 +37,12 @@ class iam_rotate_access_key_90_days(Check): ) if access_key_1_last_rotated.days > maximum_expiration_days: old_access_keys = True - report.status = "FAIL" - report.status_extended = f"User {user['user']} has not rotated access key 1 in over 90 days ({access_key_1_last_rotated.days} days)." + self.add_finding( + user=user, + status="FAIL", + status_extended=f"User {user['user']} has not rotated access key 1 in over 90 days ({access_key_1_last_rotated.days} days).", + findings=findings, + ) if ( user["access_key_2_last_rotated"] != "N/A" and user["access_key_2_active"] == "true" 
@@ -54,11 +56,27 @@ class iam_rotate_access_key_90_days(Check): ) if access_key_2_last_rotated.days > maximum_expiration_days: old_access_keys = True - report.status = "FAIL" - report.status_extended = f"User {user['user']} has not rotated access key 2 in over 90 days ({access_key_2_last_rotated.days} days)." + self.add_finding( + user=user, + status="FAIL", + status_extended=f"User {user['user']} has not rotated access key 2 in over 90 days ({access_key_2_last_rotated.days} days).", + findings=findings, + ) if not old_access_keys: - report.status = "PASS" - report.status_extended = f"User {user['user']} does not have access keys older than 90 days." - findings.append(report) + self.add_finding( + user=user, + status="PASS", + status_extended=f"User {user['user']} does not have access keys older than 90 days.", + findings=findings, + ) return findings + + def add_finding(self, user, status, status_extended, findings): + report = Check_Report_AWS(self.metadata()) + report.region = iam_client.region + report.resource_id = user["user"] + report.resource_arn = user["arn"] + report.status = status + report.status_extended = status_extended + findings.append(report) diff --git a/prowler/providers/aws/services/iam/iam_user_no_setup_initial_access_key/iam_user_no_setup_initial_access_key.py b/prowler/providers/aws/services/iam/iam_user_no_setup_initial_access_key/iam_user_no_setup_initial_access_key.py index 522199bf..de506c16 100644 --- a/prowler/providers/aws/services/iam/iam_user_no_setup_initial_access_key/iam_user_no_setup_initial_access_key.py +++ b/prowler/providers/aws/services/iam/iam_user_no_setup_initial_access_key/iam_user_no_setup_initial_access_key.py 
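Review bot: The FAIL message in the new `add_finding` call for key 2 hard-codes `90 days` while the comparison that triggers it is `access_key_2_last_rotated.days > maximum_expiration_days`; the key-1 message in the preceding hunk and the PASS message (`does not have access keys older than 90 days.`) do the same, so the text goes stale as soon as that value is tuned, whereas the sibling disable-credentials checks already interpolate the threshold. Change the three messages to the form `status_extended=f"User {user['user']} has not rotated access key 2 in over {maximum_expiration_days} days ({access_key_2_last_rotated.days} days).",`. The new test `test_user_both_access_keys_not_rotated` asserts the literal `90`, which keeps passing as long as the default stays 90; where `maximum_expiration_days` is set is outside this hunk.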
@@ -20,36 +20,38 @@ class iam_user_no_setup_initial_access_key(Check): and user_record["access_key_1_last_used_date"] == "N/A" and user_record["password_enabled"] == "true" ): - report = Check_Report_AWS(self.metadata()) - report.region = iam_client.region - report.resource_id = user_record["user"] - report.resource_arn = user_record["arn"] - report.status = "FAIL" - report.status_extended = ( - f"User {user_record['user']} has never used access key 1." + self.add_finding( + user=user_record, + status="FAIL", + status_extended=f"User {user_record['user']} has never used access key 1.", + findings=findings, ) - findings.append(report) if ( user_record["access_key_2_active"] == "true" and user_record["access_key_2_last_used_date"] == "N/A" and user_record["password_enabled"] == "true" ): - report = Check_Report_AWS(self.metadata()) - report.region = iam_client.region - report.resource_id = user_record["user"] - report.resource_arn = user_record["arn"] - report.status = "FAIL" - report.status_extended = ( - f"User {user_record['user']} has never used access key 2." + self.add_finding( + user=user_record, + status="FAIL", + status_extended=f"User {user_record['user']} has never used access key 2.", + findings=findings, ) - findings.append(report) else: - report = Check_Report_AWS(self.metadata()) - report.region = iam_client.region - report.resource_id = user_record["user"] - report.resource_arn = user_record["arn"] - report.status = "PASS" - report.status_extended = f"User {user_record['user']} does not have access keys or uses the access keys configured." 
- findings.append(report) + self.add_finding( + user=user_record, + status="PASS", + status_extended=f"User {user_record['user']} does not have access keys or uses the access keys configured.", + findings=findings, + ) return findings + + def add_finding(self, user, status, status_extended, findings): + report = Check_Report_AWS(self.metadata()) + report.region = iam_client.region + report.resource_id = user["user"] + report.resource_arn = user["arn"] + report.status = status + report.status_extended = status_extended + findings.append(report) diff --git a/tests/providers/aws/services/iam/iam_disable_30_days_credentials/iam_disable_30_days_credentials_test.py b/tests/providers/aws/services/iam/iam_disable_30_days_credentials/iam_disable_30_days_credentials_test.py index b672b39a..c56d76ea 100644 --- a/tests/providers/aws/services/iam/iam_disable_30_days_credentials/iam_disable_30_days_credentials_test.py +++ b/tests/providers/aws/services/iam/iam_disable_30_days_credentials/iam_disable_30_days_credentials_test.py 
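Review bot: The `else:` that emits the PASS finding is attached only to the second `if` (the access-key-2 condition), so a user whose key 1 is active, never used and has a console password, but whose key 2 does not match that condition, receives both a FAIL (`has never used access key 1`) and a PASS (`does not have access keys or uses the access keys configured`) in the same run; the refactor to `add_finding` keeps this shape rather than fixing it. The loop header and the opening lines of the first condition are outside the hunk. Track whether either FAIL branch fired, mirroring the `old_access_keys` flag the sibling checks use, and emit PASS only when neither did:
```python
            unused_initial_key = False
            # … unchanged: access-key-1 condition …
                unused_initial_key = True
                self.add_finding(
                    user=user_record,
                    status="FAIL",
                    status_extended=f"User {user_record['user']} has never used access key 1.",
                    findings=findings,
                )
            # … unchanged: access-key-2 condition …
                unused_initial_key = True
                # … unchanged: key-2 FAIL add_finding …
            if not unused_initial_key:
                self.add_finding(
                    user=user_record,
                    status="PASS",
                    status_extended=f"User {user_record['user']} does not have access keys or uses the access keys configured.",
                    findings=findings,
                )
```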
@@ -269,3 +269,56 @@ class Test_iam_disable_30_days_credentials_test: ) assert result[-1].resource_id == user assert result[-1].resource_arn == arn + + @mock_iam + def test_user_both_access_keys_not_used(self): + credentials_last_rotated = ( + datetime.datetime.now() - datetime.timedelta(days=100) + ).strftime("%Y-%m-%dT%H:%M:%S+00:00") + iam_client = client("iam") + user = "test-user" + arn = iam_client.create_user(UserName=user)["User"]["Arn"] + + from prowler.providers.aws.services.iam.iam_service import IAM + + audit_info = self.set_mocked_audit_info() + + with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, + ): + with mock.patch( + "prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials.iam_client", + new=IAM(audit_info), + ) as service_client: + from prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials import ( + iam_disable_30_days_credentials, + ) + + service_client.credential_report[0]["access_key_1_active"] = "true" + service_client.credential_report[0][ + "access_key_1_last_used_date" + ] = credentials_last_rotated + + service_client.credential_report[0]["access_key_2_active"] = "true" + service_client.credential_report[0][ + "access_key_2_last_used_date" + ] = credentials_last_rotated + + check = iam_disable_30_days_credentials() + result = check.execute() + assert result[-1].status == "FAIL" + assert ( + result[-1].status_extended + == f"User {user} has not used access key 2 in the last 30 days (100 days)." + ) + assert result[-1].resource_id == user + assert result[-1].resource_arn == arn + + assert result[-2].status == "FAIL" + assert ( + result[-2].status_extended + == f"User {user} has not used access key 1 in the last 30 days (100 days)." + ) + assert result[-2].resource_id == user + assert result[-2].resource_arn == arn 
diff --git a/tests/providers/aws/services/iam/iam_disable_45_days_credentials/iam_disable_45_days_credentials_test.py b/tests/providers/aws/services/iam/iam_disable_45_days_credentials/iam_disable_45_days_credentials_test.py index d7aedf80..dbc892ba 100644 --- a/tests/providers/aws/services/iam/iam_disable_45_days_credentials/iam_disable_45_days_credentials_test.py +++ b/tests/providers/aws/services/iam/iam_disable_45_days_credentials/iam_disable_45_days_credentials_test.py 
@@ -269,3 +269,56 @@ class Test_iam_disable_45_days_credentials_test: ) assert result[-1].resource_id == user assert result[-1].resource_arn == arn + + @mock_iam + def test_user_both_access_keys_not_used(self): + credentials_last_rotated = ( + datetime.datetime.now() - datetime.timedelta(days=100) + ).strftime("%Y-%m-%dT%H:%M:%S+00:00") + iam_client = client("iam") + user = "test-user" + arn = iam_client.create_user(UserName=user)["User"]["Arn"] + + from prowler.providers.aws.services.iam.iam_service import IAM + + audit_info = self.set_mocked_audit_info() + + with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, + ): + with mock.patch( + "prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials.iam_client", + new=IAM(audit_info), + ) as service_client: + from prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials import ( + iam_disable_45_days_credentials, + ) + + service_client.credential_report[0]["access_key_1_active"] = "true" + service_client.credential_report[0][ + "access_key_1_last_used_date" + ] = credentials_last_rotated + + service_client.credential_report[0]["access_key_2_active"] = "true" + service_client.credential_report[0][ + "access_key_2_last_used_date" + ] = credentials_last_rotated + + check = iam_disable_45_days_credentials() + result = check.execute() + assert result[-1].status == "FAIL" + assert ( + result[-1].status_extended + == f"User {user} has not used access key 2 in the last 45 days (100 days)." + ) + assert result[-1].resource_id == user + assert result[-1].resource_arn == arn + + assert result[-2].status == "FAIL" + assert ( + result[-2].status_extended + == f"User {user} has not used access key 1 in the last 45 days (100 days)." + ) + assert result[-2].resource_id == user + assert result[-2].resource_arn == arn 
diff --git a/tests/providers/aws/services/iam/iam_disable_90_days_credentials/iam_disable_90_days_credentials_test.py b/tests/providers/aws/services/iam/iam_disable_90_days_credentials/iam_disable_90_days_credentials_test.py index ff7352c9..ff9bede7 100644 --- a/tests/providers/aws/services/iam/iam_disable_90_days_credentials/iam_disable_90_days_credentials_test.py +++ b/tests/providers/aws/services/iam/iam_disable_90_days_credentials/iam_disable_90_days_credentials_test.py 
@@ -268,3 +268,56 @@ class Test_iam_disable_90_days_credentials_test: ) assert result[-1].resource_id == user assert result[-1].resource_arn == arn + + @mock_iam + def test_user_both_access_keys_not_used(self): + credentials_last_rotated = ( + datetime.datetime.now() - datetime.timedelta(days=100) + ).strftime("%Y-%m-%dT%H:%M:%S+00:00") + iam_client = client("iam") + user = "test-user" + arn = iam_client.create_user(UserName=user)["User"]["Arn"] + + from prowler.providers.aws.services.iam.iam_service import IAM + + audit_info = self.set_mocked_audit_info() + + with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, + ): + with mock.patch( + "prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials.iam_client", + new=IAM(audit_info), + ) as service_client: + from prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials import ( + iam_disable_90_days_credentials, + ) + + service_client.credential_report[0]["access_key_1_active"] = "true" + service_client.credential_report[0][ + "access_key_1_last_used_date" + ] = credentials_last_rotated + + service_client.credential_report[0]["access_key_2_active"] = "true" + service_client.credential_report[0][ + "access_key_2_last_used_date" + ] = credentials_last_rotated + + check = iam_disable_90_days_credentials() + result = check.execute() + assert result[-1].status == "FAIL" + assert ( + result[-1].status_extended + == f"User {user} has not used access key 2 in the last 90 days (100 days)." + ) + assert result[-1].resource_id == user + assert result[-1].resource_arn == arn + + assert result[-2].status == "FAIL" + assert ( + result[-2].status_extended + == f"User {user} has not used access key 1 in the last 90 days (100 days)." + ) + assert result[-2].resource_id == user + assert result[-2].resource_arn == arn 
diff --git a/tests/providers/aws/services/iam/iam_rotate_access_key_90_days/iam_rotate_access_key_90_days_test.py b/tests/providers/aws/services/iam/iam_rotate_access_key_90_days/iam_rotate_access_key_90_days_test.py index bfd271e7..f93275ef 100644 --- a/tests/providers/aws/services/iam/iam_rotate_access_key_90_days/iam_rotate_access_key_90_days_test.py +++ b/tests/providers/aws/services/iam/iam_rotate_access_key_90_days/iam_rotate_access_key_90_days_test.py 
@@ -152,3 +152,55 @@ class Test_iam_rotate_access_key_90_days_test: ) assert result[0].resource_id == user assert result[0].resource_arn == arn + + @mock_iam + def test_user_both_access_keys_not_rotated(self): + credentials_last_rotated = ( + datetime.datetime.now() - datetime.timedelta(days=100) + ).strftime("%Y-%m-%dT%H:%M:%S+00:00") + iam_client = client("iam") + user = "test-user" + arn = iam_client.create_user(UserName=user)["User"]["Arn"] + + from prowler.providers.aws.services.iam.iam_service import IAM + + current_audit_info = self.set_mocked_audit_info() + + with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( + "prowler.providers.aws.services.iam.iam_rotate_access_key_90_days.iam_rotate_access_key_90_days.iam_client", + new=IAM(current_audit_info), + ) as service_client: + from prowler.providers.aws.services.iam.iam_rotate_access_key_90_days.iam_rotate_access_key_90_days import ( + iam_rotate_access_key_90_days, + ) + + service_client.credential_report[0]["access_key_1_active"] = "true" + service_client.credential_report[0][ + "access_key_1_last_rotated" + ] = credentials_last_rotated + + service_client.credential_report[0]["access_key_2_active"] = "true" + service_client.credential_report[0][ + "access_key_2_last_rotated" + ] = credentials_last_rotated + + check = iam_rotate_access_key_90_days() + result = check.execute() + assert result[0].status == "FAIL" + assert ( + result[0].status_extended + == f"User {user} has not rotated access key 1 in over 90 days (100 days)." + ) + assert result[0].resource_id == user + assert result[0].resource_arn == arn + + assert result[1].status == "FAIL" + assert ( + result[1].status_extended + == f"User {user} has not rotated access key 2 in over 90 days (100 days)." + ) + assert result[1].resource_id == user + assert result[1].resource_arn == arn 
diff --git a/tests/providers/aws/services/iam/iam_user_no_setup_initial_access_key/iam_user_no_setup_initial_access_key_test.py b/tests/providers/aws/services/iam/iam_user_no_setup_initial_access_key/iam_user_no_setup_initial_access_key_test.py index f8cd13a7..85dc01bc 100644 --- a/tests/providers/aws/services/iam/iam_user_no_setup_initial_access_key/iam_user_no_setup_initial_access_key_test.py +++ b/tests/providers/aws/services/iam/iam_user_no_setup_initial_access_key/iam_user_no_setup_initial_access_key_test.py 
@@ -101,6 +101,37 @@ test_false_access_key_2,arn:aws:iam::123456789012:test_false_access_key_2,2022-0 assert result[0].status == "FAIL" assert search("has never used access key 2", result[0].status_extended) + @mock_iam + def test_setup_both_access_keys_fail(self): + raw_credential_report = r"""user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated +test_false_both_access_keys,arn:aws:iam::123456789012:test_false_both_access_keys,2022-04-17T14:59:38+00:00,true,no_information,not_supported,not_supported,false,true,N/A,N/A,N/A,N/A,true,N/A,N/A,N/A,N/A,false,N/A,false,N/A""" + credential_lines = raw_credential_report.split("\n") + csv_reader = DictReader(credential_lines, delimiter=",") + credential_list = list(csv_reader) + + current_audit_info = self.set_mocked_audit_info() + from prowler.providers.aws.services.iam.iam_service import IAM + + with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( + "prowler.providers.aws.services.iam.iam_user_no_setup_initial_access_key.iam_user_no_setup_initial_access_key.iam_client", + new=IAM(current_audit_info), + ) as service_client: + from prowler.providers.aws.services.iam.iam_user_no_setup_initial_access_key.iam_user_no_setup_initial_access_key import ( + iam_user_no_setup_initial_access_key, + ) + + service_client.credential_report = credential_list + + check = iam_user_no_setup_initial_access_key() + result = check.execute() + assert result[0].status == "FAIL" + assert search("has never used access key 1", result[0].status_extended) + assert 
result[1].status == "FAIL" + assert search("has never used access key 2", result[1].status_extended) + @mock_iam def test_setup_access_key_pass(self): raw_credential_report = r"""user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
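Review bot: The new test only exercises the case where both keys are active and never used, which the check handles symmetrically; the case that matters for the `if`/`if`/`else` shape in the check — key 1 active and never used, key 2 inactive (a row with `true,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A` in the access-key columns) — is not covered, and it is the one where the check can emit a FAIL and a PASS for the same user. Add that row as a separate test and assert `assert len(result) == 1` alongside `assert search("has never used access key 1", result[0].status_extended)`. Also pin the count here with `assert len(result) == 2`, so an extra PASS finding cannot slip in unnoticed while the two indexed FAIL assertions still pass.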