mirror of
https://github.com/ghndrx/prowler.git
synced 2026-02-10 14:55:00 +00:00
fix(iam): findings of some checks may have been lost (#2847)
This commit is contained in:
Kay Agahd
@@ -269,3 +269,56 @@ class Test_iam_disable_30_days_credentials_test:
|
||||
)
|
||||
assert result[-1].resource_id == user
|
||||
assert result[-1].resource_arn == arn
|
||||
|
||||
@mock_iam
|
||||
def test_user_both_access_keys_not_used(self):
|
||||
credentials_last_rotated = (
|
||||
datetime.datetime.now() - datetime.timedelta(days=100)
|
||||
).strftime("%Y-%m-%dT%H:%M:%S+00:00")
|
||||
iam_client = client("iam")
|
||||
user = "test-user"
|
||||
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
|
||||
|
||||
from prowler.providers.aws.services.iam.iam_service import IAM
|
||||
|
||||
audit_info = self.set_mocked_audit_info()
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
|
||||
new=audit_info,
|
||||
):
|
||||
with mock.patch(
|
||||
"prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials.iam_client",
|
||||
new=IAM(audit_info),
|
||||
) as service_client:
|
||||
from prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials import (
|
||||
iam_disable_30_days_credentials,
|
||||
)
|
||||
|
||||
service_client.credential_report[0]["access_key_1_active"] = "true"
|
||||
service_client.credential_report[0][
|
||||
"access_key_1_last_used_date"
|
||||
] = credentials_last_rotated
|
||||
|
||||
service_client.credential_report[0]["access_key_2_active"] = "true"
|
||||
service_client.credential_report[0][
|
||||
"access_key_2_last_used_date"
|
||||
] = credentials_last_rotated
|
||||
|
||||
check = iam_disable_30_days_credentials()
|
||||
result = check.execute()
|
||||
assert result[-1].status == "FAIL"
|
||||
assert (
|
||||
result[-1].status_extended
|
||||
== f"User {user} has not used access key 2 in the last 30 days (100 days)."
|
||||
)
|
||||
assert result[-1].resource_id == user
|
||||
assert result[-1].resource_arn == arn
|
||||
|
||||
assert result[-2].status == "FAIL"
|
||||
assert (
|
||||
result[-2].status_extended
|
||||
== f"User {user} has not used access key 1 in the last 30 days (100 days)."
|
||||
)
|
||||
assert result[-2].resource_id == user
|
||||
assert result[-2].resource_arn == arn
|
||||
|
||||
@@ -269,3 +269,56 @@ class Test_iam_disable_45_days_credentials_test:
|
||||
)
|
||||
assert result[-1].resource_id == user
|
||||
assert result[-1].resource_arn == arn
|
||||
|
||||
@mock_iam
|
||||
def test_user_both_access_keys_not_used(self):
|
||||
credentials_last_rotated = (
|
||||
datetime.datetime.now() - datetime.timedelta(days=100)
|
||||
).strftime("%Y-%m-%dT%H:%M:%S+00:00")
|
||||
iam_client = client("iam")
|
||||
user = "test-user"
|
||||
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
|
||||
|
||||
from prowler.providers.aws.services.iam.iam_service import IAM
|
||||
|
||||
audit_info = self.set_mocked_audit_info()
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
|
||||
new=audit_info,
|
||||
):
|
||||
with mock.patch(
|
||||
"prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials.iam_client",
|
||||
new=IAM(audit_info),
|
||||
) as service_client:
|
||||
from prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials import (
|
||||
iam_disable_45_days_credentials,
|
||||
)
|
||||
|
||||
service_client.credential_report[0]["access_key_1_active"] = "true"
|
||||
service_client.credential_report[0][
|
||||
"access_key_1_last_used_date"
|
||||
] = credentials_last_rotated
|
||||
|
||||
service_client.credential_report[0]["access_key_2_active"] = "true"
|
||||
service_client.credential_report[0][
|
||||
"access_key_2_last_used_date"
|
||||
] = credentials_last_rotated
|
||||
|
||||
check = iam_disable_45_days_credentials()
|
||||
result = check.execute()
|
||||
assert result[-1].status == "FAIL"
|
||||
assert (
|
||||
result[-1].status_extended
|
||||
== f"User {user} has not used access key 2 in the last 45 days (100 days)."
|
||||
)
|
||||
assert result[-1].resource_id == user
|
||||
assert result[-1].resource_arn == arn
|
||||
|
||||
assert result[-2].status == "FAIL"
|
||||
assert (
|
||||
result[-2].status_extended
|
||||
== f"User {user} has not used access key 1 in the last 45 days (100 days)."
|
||||
)
|
||||
assert result[-2].resource_id == user
|
||||
assert result[-2].resource_arn == arn
|
||||
|
||||
@@ -268,3 +268,56 @@ class Test_iam_disable_90_days_credentials_test:
|
||||
)
|
||||
assert result[-1].resource_id == user
|
||||
assert result[-1].resource_arn == arn
|
||||
|
||||
@mock_iam
|
||||
def test_user_both_access_keys_not_used(self):
|
||||
credentials_last_rotated = (
|
||||
datetime.datetime.now() - datetime.timedelta(days=100)
|
||||
).strftime("%Y-%m-%dT%H:%M:%S+00:00")
|
||||
iam_client = client("iam")
|
||||
user = "test-user"
|
||||
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
|
||||
|
||||
from prowler.providers.aws.services.iam.iam_service import IAM
|
||||
|
||||
audit_info = self.set_mocked_audit_info()
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
|
||||
new=audit_info,
|
||||
):
|
||||
with mock.patch(
|
||||
"prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials.iam_client",
|
||||
new=IAM(audit_info),
|
||||
) as service_client:
|
||||
from prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials import (
|
||||
iam_disable_90_days_credentials,
|
||||
)
|
||||
|
||||
service_client.credential_report[0]["access_key_1_active"] = "true"
|
||||
service_client.credential_report[0][
|
||||
"access_key_1_last_used_date"
|
||||
] = credentials_last_rotated
|
||||
|
||||
service_client.credential_report[0]["access_key_2_active"] = "true"
|
||||
service_client.credential_report[0][
|
||||
"access_key_2_last_used_date"
|
||||
] = credentials_last_rotated
|
||||
|
||||
check = iam_disable_90_days_credentials()
|
||||
result = check.execute()
|
||||
assert result[-1].status == "FAIL"
|
||||
assert (
|
||||
result[-1].status_extended
|
||||
== f"User {user} has not used access key 2 in the last 90 days (100 days)."
|
||||
)
|
||||
assert result[-1].resource_id == user
|
||||
assert result[-1].resource_arn == arn
|
||||
|
||||
assert result[-2].status == "FAIL"
|
||||
assert (
|
||||
result[-2].status_extended
|
||||
== f"User {user} has not used access key 1 in the last 90 days (100 days)."
|
||||
)
|
||||
assert result[-2].resource_id == user
|
||||
assert result[-2].resource_arn == arn
|
||||
|
||||
@@ -152,3 +152,55 @@ class Test_iam_rotate_access_key_90_days_test:
|
||||
)
|
||||
assert result[0].resource_id == user
|
||||
assert result[0].resource_arn == arn
|
||||
|
||||
@mock_iam
|
||||
def test_user_both_access_keys_not_rotated(self):
|
||||
credentials_last_rotated = (
|
||||
datetime.datetime.now() - datetime.timedelta(days=100)
|
||||
).strftime("%Y-%m-%dT%H:%M:%S+00:00")
|
||||
iam_client = client("iam")
|
||||
user = "test-user"
|
||||
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
|
||||
|
||||
from prowler.providers.aws.services.iam.iam_service import IAM
|
||||
|
||||
current_audit_info = self.set_mocked_audit_info()
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
|
||||
new=current_audit_info,
|
||||
), mock.patch(
|
||||
"prowler.providers.aws.services.iam.iam_rotate_access_key_90_days.iam_rotate_access_key_90_days.iam_client",
|
||||
new=IAM(current_audit_info),
|
||||
) as service_client:
|
||||
from prowler.providers.aws.services.iam.iam_rotate_access_key_90_days.iam_rotate_access_key_90_days import (
|
||||
iam_rotate_access_key_90_days,
|
||||
)
|
||||
|
||||
service_client.credential_report[0]["access_key_1_active"] = "true"
|
||||
service_client.credential_report[0][
|
||||
"access_key_1_last_rotated"
|
||||
] = credentials_last_rotated
|
||||
|
||||
service_client.credential_report[0]["access_key_2_active"] = "true"
|
||||
service_client.credential_report[0][
|
||||
"access_key_2_last_rotated"
|
||||
] = credentials_last_rotated
|
||||
|
||||
check = iam_rotate_access_key_90_days()
|
||||
result = check.execute()
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"User {user} has not rotated access key 1 in over 90 days (100 days)."
|
||||
)
|
||||
assert result[0].resource_id == user
|
||||
assert result[0].resource_arn == arn
|
||||
|
||||
assert result[1].status == "FAIL"
|
||||
assert (
|
||||
result[1].status_extended
|
||||
== f"User {user} has not rotated access key 2 in over 90 days (100 days)."
|
||||
)
|
||||
assert result[1].resource_id == user
|
||||
assert result[1].resource_arn == arn
|
||||
|
||||
@@ -101,6 +101,37 @@ test_false_access_key_2,arn:aws:iam::123456789012:test_false_access_key_2,2022-0
|
||||
assert result[0].status == "FAIL"
|
||||
assert search("has never used access key 2", result[0].status_extended)
|
||||
|
||||
@mock_iam
|
||||
def test_setup_both_access_keys_fail(self):
|
||||
raw_credential_report = r"""user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
|
||||
test_false_both_access_keys,arn:aws:iam::123456789012:test_false_both_access_keys,2022-04-17T14:59:38+00:00,true,no_information,not_supported,not_supported,false,true,N/A,N/A,N/A,N/A,true,N/A,N/A,N/A,N/A,false,N/A,false,N/A"""
|
||||
credential_lines = raw_credential_report.split("\n")
|
||||
csv_reader = DictReader(credential_lines, delimiter=",")
|
||||
credential_list = list(csv_reader)
|
||||
|
||||
current_audit_info = self.set_mocked_audit_info()
|
||||
from prowler.providers.aws.services.iam.iam_service import IAM
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
|
||||
new=current_audit_info,
|
||||
), mock.patch(
|
||||
"prowler.providers.aws.services.iam.iam_user_no_setup_initial_access_key.iam_user_no_setup_initial_access_key.iam_client",
|
||||
new=IAM(current_audit_info),
|
||||
) as service_client:
|
||||
from prowler.providers.aws.services.iam.iam_user_no_setup_initial_access_key.iam_user_no_setup_initial_access_key import (
|
||||
iam_user_no_setup_initial_access_key,
|
||||
)
|
||||
|
||||
service_client.credential_report = credential_list
|
||||
|
||||
check = iam_user_no_setup_initial_access_key()
|
||||
result = check.execute()
|
||||
assert result[0].status == "FAIL"
|
||||
assert search("has never used access key 1", result[0].status_extended)
|
||||
assert result[1].status == "FAIL"
|
||||
assert search("has never used access key 2", result[1].status_extended)
|
||||
|
||||
@mock_iam
|
||||
def test_setup_access_key_pass(self):
|
||||
raw_credential_report = r"""user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
|
||||
|
||||
Reference in New Issue
Block a user