fix(iam): findings of some checks may have been lost (#2847)
@@ -38,17 +38,15 @@ class iam_disable_30_days_credentials(Check):
|
||||
findings.append(report)
|
||||
|
||||
for user in iam_client.credential_report:
|
||||
report = Check_Report_AWS(self.metadata())
|
||||
report.region = iam_client.region
|
||||
report.resource_id = user["user"]
|
||||
report.resource_arn = user["arn"]
|
||||
if (
|
||||
user["access_key_1_active"] != "true"
|
||||
and user["access_key_2_active"] != "true"
|
||||
):
|
||||
report.status = "PASS"
|
||||
report.status_extended = (
|
||||
f"User {user['user']} does not have access keys."
|
||||
self.add_finding(
|
||||
user=user,
|
||||
status="PASS",
|
||||
status_extended=f"User {user['user']} does not have access keys.",
|
||||
findings=findings,
|
||||
)
|
||||
else:
|
||||
old_access_keys = False
|
||||
@@ -63,8 +61,12 @@ class iam_disable_30_days_credentials(Check):
|
||||
)
|
||||
if access_key_1_last_used_date.days > maximum_expiration_days:
|
||||
old_access_keys = True
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"User {user['user']} has not used access key 1 in the last {maximum_expiration_days} days ({access_key_1_last_used_date.days} days)."
|
||||
self.add_finding(
|
||||
user=user,
|
||||
status="FAIL",
|
||||
status_extended=f"User {user['user']} has not used access key 1 in the last {maximum_expiration_days} days ({access_key_1_last_used_date.days} days).",
|
||||
findings=findings,
|
||||
)
|
||||
|
||||
if user["access_key_2_active"] == "true":
|
||||
if user["access_key_2_last_used_date"] != "N/A":
|
||||
@@ -77,12 +79,28 @@ class iam_disable_30_days_credentials(Check):
|
||||
)
|
||||
if access_key_2_last_used_date.days > maximum_expiration_days:
|
||||
old_access_keys = True
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"User {user['user']} has not used access key 2 in the last {maximum_expiration_days} days ({access_key_2_last_used_date.days} days)."
|
||||
self.add_finding(
|
||||
user=user,
|
||||
status="FAIL",
|
||||
status_extended=f"User {user['user']} has not used access key 2 in the last {maximum_expiration_days} days ({access_key_2_last_used_date.days} days).",
|
||||
findings=findings,
|
||||
)
|
||||
|
||||
if not old_access_keys:
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"User {user['user']} does not have unused access keys for {maximum_expiration_days} days."
|
||||
findings.append(report)
|
||||
self.add_finding(
|
||||
user=user,
|
||||
status="PASS",
|
||||
status_extended=f"User {user['user']} does not have unused access keys for {maximum_expiration_days} days.",
|
||||
findings=findings,
|
||||
)
|
||||
|
||||
return findings
|
||||
|
||||
def add_finding(self, user, status, status_extended, findings):
|
||||
report = Check_Report_AWS(self.metadata())
|
||||
report.region = iam_client.region
|
||||
report.resource_id = user["user"]
|
||||
report.resource_arn = user["arn"]
|
||||
report.status = status
|
||||
report.status_extended = status_extended
|
||||
findings.append(report)
|
||||
|
||||
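Review bot: `add_finding` (the new method after `return findings`) is a public, undocumented method that reads the module-global `iam_client`, and the same body is pasted verbatim into iam_disable_45_days_credentials, iam_disable_90_days_credentials, iam_rotate_access_key_90_days and iam_user_no_setup_initial_access_key. Rename it `_add_finding` (or hoist it into the shared check base / IAM service lib so the five copies cannot drift) and give it a docstring such as `"""Append one Check_Report_AWS for *user* with the given status and status_extended to *findings*."""`. Separately, the path under `if user["access_key_2_last_used_date"] != "N/A":` still emits no finding for an active key that has never been used, so such a user can still receive the PASS `does not have unused access keys` record; if that scenario is meant to be in this check's scope, falling back to the age of `access_key_2_last_rotated` when the last-used date is `N/A` would close the gap (the access-key-1 branch outside the hunk presumably has the same shape). The enclosing `execute` begins outside the hunk.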
@@ -38,17 +38,15 @@ class iam_disable_45_days_credentials(Check):
|
||||
findings.append(report)
|
||||
|
||||
for user in iam_client.credential_report:
|
||||
report = Check_Report_AWS(self.metadata())
|
||||
report.region = iam_client.region
|
||||
report.resource_id = user["user"]
|
||||
report.resource_arn = user["arn"]
|
||||
if (
|
||||
user["access_key_1_active"] != "true"
|
||||
and user["access_key_2_active"] != "true"
|
||||
):
|
||||
report.status = "PASS"
|
||||
report.status_extended = (
|
||||
f"User {user['user']} does not have access keys."
|
||||
self.add_finding(
|
||||
user=user,
|
||||
status="PASS",
|
||||
status_extended=f"User {user['user']} does not have access keys.",
|
||||
findings=findings,
|
||||
)
|
||||
else:
|
||||
old_access_keys = False
|
||||
@@ -63,8 +61,12 @@ class iam_disable_45_days_credentials(Check):
|
||||
)
|
||||
if access_key_1_last_used_date.days > maximum_expiration_days:
|
||||
old_access_keys = True
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"User {user['user']} has not used access key 1 in the last {maximum_expiration_days} days ({access_key_1_last_used_date.days} days)."
|
||||
self.add_finding(
|
||||
user=user,
|
||||
status="FAIL",
|
||||
status_extended=f"User {user['user']} has not used access key 1 in the last {maximum_expiration_days} days ({access_key_1_last_used_date.days} days).",
|
||||
findings=findings,
|
||||
)
|
||||
|
||||
if user["access_key_2_active"] == "true":
|
||||
if user["access_key_2_last_used_date"] != "N/A":
|
||||
@@ -77,12 +79,28 @@ class iam_disable_45_days_credentials(Check):
|
||||
)
|
||||
if access_key_2_last_used_date.days > maximum_expiration_days:
|
||||
old_access_keys = True
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"User {user['user']} has not used access key 2 in the last {maximum_expiration_days} days ({access_key_2_last_used_date.days} days)."
|
||||
self.add_finding(
|
||||
user=user,
|
||||
status="FAIL",
|
||||
status_extended=f"User {user['user']} has not used access key 2 in the last {maximum_expiration_days} days ({access_key_2_last_used_date.days} days).",
|
||||
findings=findings,
|
||||
)
|
||||
|
||||
if not old_access_keys:
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"User {user['user']} does not have unused access keys for {maximum_expiration_days} days."
|
||||
findings.append(report)
|
||||
self.add_finding(
|
||||
user=user,
|
||||
status="PASS",
|
||||
status_extended=f"User {user['user']} does not have unused access keys for {maximum_expiration_days} days.",
|
||||
findings=findings,
|
||||
)
|
||||
|
||||
return findings
|
||||
|
||||
def add_finding(self, user, status, status_extended, findings):
|
||||
report = Check_Report_AWS(self.metadata())
|
||||
report.region = iam_client.region
|
||||
report.resource_id = user["user"]
|
||||
report.resource_arn = user["arn"]
|
||||
report.status = status
|
||||
report.status_extended = status_extended
|
||||
findings.append(report)
|
||||
|
||||
@@ -38,17 +38,15 @@ class iam_disable_90_days_credentials(Check):
|
||||
findings.append(report)
|
||||
|
||||
for user in iam_client.credential_report:
|
||||
report = Check_Report_AWS(self.metadata())
|
||||
report.region = iam_client.region
|
||||
report.resource_id = user["user"]
|
||||
report.resource_arn = user["arn"]
|
||||
if (
|
||||
user["access_key_1_active"] != "true"
|
||||
and user["access_key_2_active"] != "true"
|
||||
):
|
||||
report.status = "PASS"
|
||||
report.status_extended = (
|
||||
f"User {user['user']} does not have access keys."
|
||||
self.add_finding(
|
||||
user=user,
|
||||
status="PASS",
|
||||
status_extended=f"User {user['user']} does not have access keys.",
|
||||
findings=findings,
|
||||
)
|
||||
else:
|
||||
old_access_keys = False
|
||||
@@ -63,8 +61,12 @@ class iam_disable_90_days_credentials(Check):
|
||||
)
|
||||
if access_key_1_last_used_date.days > maximum_expiration_days:
|
||||
old_access_keys = True
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"User {user['user']} has not used access key 1 in the last {maximum_expiration_days} days ({access_key_1_last_used_date.days} days)."
|
||||
self.add_finding(
|
||||
user=user,
|
||||
status="FAIL",
|
||||
status_extended=f"User {user['user']} has not used access key 1 in the last {maximum_expiration_days} days ({access_key_1_last_used_date.days} days).",
|
||||
findings=findings,
|
||||
)
|
||||
|
||||
if user["access_key_2_active"] == "true":
|
||||
if user["access_key_2_last_used_date"] != "N/A":
|
||||
@@ -77,12 +79,28 @@ class iam_disable_90_days_credentials(Check):
|
||||
)
|
||||
if access_key_2_last_used_date.days > maximum_expiration_days:
|
||||
old_access_keys = True
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"User {user['user']} has not used access key 2 in the last {maximum_expiration_days} days ({access_key_2_last_used_date.days} days)."
|
||||
self.add_finding(
|
||||
user=user,
|
||||
status="FAIL",
|
||||
status_extended=f"User {user['user']} has not used access key 2 in the last {maximum_expiration_days} days ({access_key_2_last_used_date.days} days).",
|
||||
findings=findings,
|
||||
)
|
||||
|
||||
if not old_access_keys:
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"User {user['user']} does not have unused access keys for {maximum_expiration_days} days."
|
||||
findings.append(report)
|
||||
self.add_finding(
|
||||
user=user,
|
||||
status="PASS",
|
||||
status_extended=f"User {user['user']} does not have unused access keys for {maximum_expiration_days} days.",
|
||||
findings=findings,
|
||||
)
|
||||
|
||||
return findings
|
||||
|
||||
def add_finding(self, user, status, status_extended, findings):
|
||||
report = Check_Report_AWS(self.metadata())
|
||||
report.region = iam_client.region
|
||||
report.resource_id = user["user"]
|
||||
report.resource_arn = user["arn"]
|
||||
report.status = status
|
||||
report.status_extended = status_extended
|
||||
findings.append(report)
|
||||
|
||||
@@ -12,17 +12,15 @@ class iam_rotate_access_key_90_days(Check):
|
||||
response = iam_client.credential_report
|
||||
|
||||
for user in response:
|
||||
report = Check_Report_AWS(self.metadata())
|
||||
report.region = iam_client.region
|
||||
report.resource_id = user["user"]
|
||||
report.resource_arn = user["arn"]
|
||||
if (
|
||||
user["access_key_1_last_rotated"] == "N/A"
|
||||
and user["access_key_2_last_rotated"] == "N/A"
|
||||
):
|
||||
report.status = "PASS"
|
||||
report.status_extended = (
|
||||
f"User {user['user']} does not have access keys."
|
||||
self.add_finding(
|
||||
user=user,
|
||||
status="PASS",
|
||||
status_extended=f"User {user['user']} does not have access keys.",
|
||||
findings=findings,
|
||||
)
|
||||
else:
|
||||
old_access_keys = False
|
||||
@@ -39,8 +37,12 @@ class iam_rotate_access_key_90_days(Check):
|
||||
)
|
||||
if access_key_1_last_rotated.days > maximum_expiration_days:
|
||||
old_access_keys = True
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"User {user['user']} has not rotated access key 1 in over 90 days ({access_key_1_last_rotated.days} days)."
|
||||
self.add_finding(
|
||||
user=user,
|
||||
status="FAIL",
|
||||
status_extended=f"User {user['user']} has not rotated access key 1 in over 90 days ({access_key_1_last_rotated.days} days).",
|
||||
findings=findings,
|
||||
)
|
||||
if (
|
||||
user["access_key_2_last_rotated"] != "N/A"
|
||||
and user["access_key_2_active"] == "true"
|
||||
@@ -54,11 +56,27 @@ class iam_rotate_access_key_90_days(Check):
|
||||
)
|
||||
if access_key_2_last_rotated.days > maximum_expiration_days:
|
||||
old_access_keys = True
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"User {user['user']} has not rotated access key 2 in over 90 days ({access_key_2_last_rotated.days} days)."
|
||||
self.add_finding(
|
||||
user=user,
|
||||
status="FAIL",
|
||||
status_extended=f"User {user['user']} has not rotated access key 2 in over 90 days ({access_key_2_last_rotated.days} days).",
|
||||
findings=findings,
|
||||
)
|
||||
if not old_access_keys:
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"User {user['user']} does not have access keys older than 90 days."
|
||||
findings.append(report)
|
||||
self.add_finding(
|
||||
user=user,
|
||||
status="PASS",
|
||||
status_extended=f"User {user['user']} does not have access keys older than 90 days.",
|
||||
findings=findings,
|
||||
)
|
||||
|
||||
return findings
|
||||
|
||||
def add_finding(self, user, status, status_extended, findings):
|
||||
report = Check_Report_AWS(self.metadata())
|
||||
report.region = iam_client.region
|
||||
report.resource_id = user["user"]
|
||||
report.resource_arn = user["arn"]
|
||||
report.status = status
|
||||
report.status_extended = status_extended
|
||||
findings.append(report)
|
||||
|
||||
@@ -20,36 +20,38 @@ class iam_user_no_setup_initial_access_key(Check):
|
||||
and user_record["access_key_1_last_used_date"] == "N/A"
|
||||
and user_record["password_enabled"] == "true"
|
||||
):
|
||||
report = Check_Report_AWS(self.metadata())
|
||||
report.region = iam_client.region
|
||||
report.resource_id = user_record["user"]
|
||||
report.resource_arn = user_record["arn"]
|
||||
report.status = "FAIL"
|
||||
report.status_extended = (
|
||||
f"User {user_record['user']} has never used access key 1."
|
||||
self.add_finding(
|
||||
user=user_record,
|
||||
status="FAIL",
|
||||
status_extended=f"User {user_record['user']} has never used access key 1.",
|
||||
findings=findings,
|
||||
)
|
||||
findings.append(report)
|
||||
if (
|
||||
user_record["access_key_2_active"] == "true"
|
||||
and user_record["access_key_2_last_used_date"] == "N/A"
|
||||
and user_record["password_enabled"] == "true"
|
||||
):
|
||||
report = Check_Report_AWS(self.metadata())
|
||||
report.region = iam_client.region
|
||||
report.resource_id = user_record["user"]
|
||||
report.resource_arn = user_record["arn"]
|
||||
report.status = "FAIL"
|
||||
report.status_extended = (
|
||||
f"User {user_record['user']} has never used access key 2."
|
||||
self.add_finding(
|
||||
user=user_record,
|
||||
status="FAIL",
|
||||
status_extended=f"User {user_record['user']} has never used access key 2.",
|
||||
findings=findings,
|
||||
)
|
||||
findings.append(report)
|
||||
else:
|
||||
report = Check_Report_AWS(self.metadata())
|
||||
report.region = iam_client.region
|
||||
report.resource_id = user_record["user"]
|
||||
report.resource_arn = user_record["arn"]
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"User {user_record['user']} does not have access keys or uses the access keys configured."
|
||||
findings.append(report)
|
||||
self.add_finding(
|
||||
user=user_record,
|
||||
status="PASS",
|
||||
status_extended=f"User {user_record['user']} does not have access keys or uses the access keys configured.",
|
||||
findings=findings,
|
||||
)
|
||||
|
||||
return findings
|
||||
|
||||
def add_finding(self, user, status, status_extended, findings):
|
||||
report = Check_Report_AWS(self.metadata())
|
||||
report.region = iam_client.region
|
||||
report.resource_id = user["user"]
|
||||
report.resource_arn = user["arn"]
|
||||
report.status = status
|
||||
report.status_extended = status_extended
|
||||
findings.append(report)
|
||||
|
||||
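Review bot: The PASS record is emitted from an `else:` that, as rendered, pairs only with the second `if (` on access key 2, so a user whose access key 1 has never been used but whose key 2 does not match gets both a FAIL for key 1 and the PASS `does not have access keys or uses the access keys configured` — two contradictory findings for one resource (the new `test_setup_both_access_keys_fail` only covers the case where both keys match). Track whether either branch fired and emit the PASS only when neither did; the flag must be reset per `user_record` before the first `if`, which starts outside the hunk. The enclosing `execute` begins and ends outside the hunk.
```python
# … unchanged: start of the access_key_1 condition (outside the hunk); set
#     never_used_key = False   once per user_record before it …
):
    never_used_key = True
    self.add_finding(
        user=user_record,
        status="FAIL",
        status_extended=f"User {user_record['user']} has never used access key 1.",
        findings=findings,
    )
if (
    user_record["access_key_2_active"] == "true"
    and user_record["access_key_2_last_used_date"] == "N/A"
    and user_record["password_enabled"] == "true"
):
    never_used_key = True
    # … unchanged: add_finding(..., status="FAIL", "... has never used access key 2.") …
if not never_used_key:
    # … unchanged: add_finding(..., status="PASS", ...) …
```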
@@ -269,3 +269,56 @@ class Test_iam_disable_30_days_credentials_test:
|
||||
)
|
||||
assert result[-1].resource_id == user
|
||||
assert result[-1].resource_arn == arn
|
||||
|
||||
@mock_iam
|
||||
def test_user_both_access_keys_not_used(self):
|
||||
credentials_last_rotated = (
|
||||
datetime.datetime.now() - datetime.timedelta(days=100)
|
||||
).strftime("%Y-%m-%dT%H:%M:%S+00:00")
|
||||
iam_client = client("iam")
|
||||
user = "test-user"
|
||||
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
|
||||
|
||||
from prowler.providers.aws.services.iam.iam_service import IAM
|
||||
|
||||
audit_info = self.set_mocked_audit_info()
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
|
||||
new=audit_info,
|
||||
):
|
||||
with mock.patch(
|
||||
"prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials.iam_client",
|
||||
new=IAM(audit_info),
|
||||
) as service_client:
|
||||
from prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials import (
|
||||
iam_disable_30_days_credentials,
|
||||
)
|
||||
|
||||
service_client.credential_report[0]["access_key_1_active"] = "true"
|
||||
service_client.credential_report[0][
|
||||
"access_key_1_last_used_date"
|
||||
] = credentials_last_rotated
|
||||
|
||||
service_client.credential_report[0]["access_key_2_active"] = "true"
|
||||
service_client.credential_report[0][
|
||||
"access_key_2_last_used_date"
|
||||
] = credentials_last_rotated
|
||||
|
||||
check = iam_disable_30_days_credentials()
|
||||
result = check.execute()
|
||||
assert result[-1].status == "FAIL"
|
||||
assert (
|
||||
result[-1].status_extended
|
||||
== f"User {user} has not used access key 2 in the last 30 days (100 days)."
|
||||
)
|
||||
assert result[-1].resource_id == user
|
||||
assert result[-1].resource_arn == arn
|
||||
|
||||
assert result[-2].status == "FAIL"
|
||||
assert (
|
||||
result[-2].status_extended
|
||||
== f"User {user} has not used access key 1 in the last 30 days (100 days)."
|
||||
)
|
||||
assert result[-2].resource_id == user
|
||||
assert result[-2].resource_arn == arn
|
||||
|
||||
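Review bot: `credentials_last_rotated` in `test_user_both_access_keys_not_used` is written into `access_key_1_last_used_date` and `access_key_2_last_used_date`, so the name describes the wrong field; `credentials_last_used` reads correctly (the 45- and 90-day test files repeat this). The assertions pin `result[-1]` and `result[-2]` but never state how many records the user produced, so a regression that re-emits the PASS record after the two FAILs is caught only indirectly through the index shift; `assert [f.status for f in result if f.resource_id == user] == ["FAIL", "FAIL"]` expresses the intent of this fix directly and does not depend on the row order of the mocked credential report. The test class begins outside the hunk.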
@@ -269,3 +269,56 @@ class Test_iam_disable_45_days_credentials_test:
|
||||
)
|
||||
assert result[-1].resource_id == user
|
||||
assert result[-1].resource_arn == arn
|
||||
|
||||
@mock_iam
|
||||
def test_user_both_access_keys_not_used(self):
|
||||
credentials_last_rotated = (
|
||||
datetime.datetime.now() - datetime.timedelta(days=100)
|
||||
).strftime("%Y-%m-%dT%H:%M:%S+00:00")
|
||||
iam_client = client("iam")
|
||||
user = "test-user"
|
||||
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
|
||||
|
||||
from prowler.providers.aws.services.iam.iam_service import IAM
|
||||
|
||||
audit_info = self.set_mocked_audit_info()
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
|
||||
new=audit_info,
|
||||
):
|
||||
with mock.patch(
|
||||
"prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials.iam_client",
|
||||
new=IAM(audit_info),
|
||||
) as service_client:
|
||||
from prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials import (
|
||||
iam_disable_45_days_credentials,
|
||||
)
|
||||
|
||||
service_client.credential_report[0]["access_key_1_active"] = "true"
|
||||
service_client.credential_report[0][
|
||||
"access_key_1_last_used_date"
|
||||
] = credentials_last_rotated
|
||||
|
||||
service_client.credential_report[0]["access_key_2_active"] = "true"
|
||||
service_client.credential_report[0][
|
||||
"access_key_2_last_used_date"
|
||||
] = credentials_last_rotated
|
||||
|
||||
check = iam_disable_45_days_credentials()
|
||||
result = check.execute()
|
||||
assert result[-1].status == "FAIL"
|
||||
assert (
|
||||
result[-1].status_extended
|
||||
== f"User {user} has not used access key 2 in the last 45 days (100 days)."
|
||||
)
|
||||
assert result[-1].resource_id == user
|
||||
assert result[-1].resource_arn == arn
|
||||
|
||||
assert result[-2].status == "FAIL"
|
||||
assert (
|
||||
result[-2].status_extended
|
||||
== f"User {user} has not used access key 1 in the last 45 days (100 days)."
|
||||
)
|
||||
assert result[-2].resource_id == user
|
||||
assert result[-2].resource_arn == arn
|
||||
|
||||
@@ -268,3 +268,56 @@ class Test_iam_disable_90_days_credentials_test:
|
||||
)
|
||||
assert result[-1].resource_id == user
|
||||
assert result[-1].resource_arn == arn
|
||||
|
||||
@mock_iam
|
||||
def test_user_both_access_keys_not_used(self):
|
||||
credentials_last_rotated = (
|
||||
datetime.datetime.now() - datetime.timedelta(days=100)
|
||||
).strftime("%Y-%m-%dT%H:%M:%S+00:00")
|
||||
iam_client = client("iam")
|
||||
user = "test-user"
|
||||
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
|
||||
|
||||
from prowler.providers.aws.services.iam.iam_service import IAM
|
||||
|
||||
audit_info = self.set_mocked_audit_info()
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
|
||||
new=audit_info,
|
||||
):
|
||||
with mock.patch(
|
||||
"prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials.iam_client",
|
||||
new=IAM(audit_info),
|
||||
) as service_client:
|
||||
from prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials import (
|
||||
iam_disable_90_days_credentials,
|
||||
)
|
||||
|
||||
service_client.credential_report[0]["access_key_1_active"] = "true"
|
||||
service_client.credential_report[0][
|
||||
"access_key_1_last_used_date"
|
||||
] = credentials_last_rotated
|
||||
|
||||
service_client.credential_report[0]["access_key_2_active"] = "true"
|
||||
service_client.credential_report[0][
|
||||
"access_key_2_last_used_date"
|
||||
] = credentials_last_rotated
|
||||
|
||||
check = iam_disable_90_days_credentials()
|
||||
result = check.execute()
|
||||
assert result[-1].status == "FAIL"
|
||||
assert (
|
||||
result[-1].status_extended
|
||||
== f"User {user} has not used access key 2 in the last 90 days (100 days)."
|
||||
)
|
||||
assert result[-1].resource_id == user
|
||||
assert result[-1].resource_arn == arn
|
||||
|
||||
assert result[-2].status == "FAIL"
|
||||
assert (
|
||||
result[-2].status_extended
|
||||
== f"User {user} has not used access key 1 in the last 90 days (100 days)."
|
||||
)
|
||||
assert result[-2].resource_id == user
|
||||
assert result[-2].resource_arn == arn
|
||||
|
||||
@@ -152,3 +152,55 @@ class Test_iam_rotate_access_key_90_days_test:
|
||||
)
|
||||
assert result[0].resource_id == user
|
||||
assert result[0].resource_arn == arn
|
||||
|
||||
@mock_iam
|
||||
def test_user_both_access_keys_not_rotated(self):
|
||||
credentials_last_rotated = (
|
||||
datetime.datetime.now() - datetime.timedelta(days=100)
|
||||
).strftime("%Y-%m-%dT%H:%M:%S+00:00")
|
||||
iam_client = client("iam")
|
||||
user = "test-user"
|
||||
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
|
||||
|
||||
from prowler.providers.aws.services.iam.iam_service import IAM
|
||||
|
||||
current_audit_info = self.set_mocked_audit_info()
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
|
||||
new=current_audit_info,
|
||||
), mock.patch(
|
||||
"prowler.providers.aws.services.iam.iam_rotate_access_key_90_days.iam_rotate_access_key_90_days.iam_client",
|
||||
new=IAM(current_audit_info),
|
||||
) as service_client:
|
||||
from prowler.providers.aws.services.iam.iam_rotate_access_key_90_days.iam_rotate_access_key_90_days import (
|
||||
iam_rotate_access_key_90_days,
|
||||
)
|
||||
|
||||
service_client.credential_report[0]["access_key_1_active"] = "true"
|
||||
service_client.credential_report[0][
|
||||
"access_key_1_last_rotated"
|
||||
] = credentials_last_rotated
|
||||
|
||||
service_client.credential_report[0]["access_key_2_active"] = "true"
|
||||
service_client.credential_report[0][
|
||||
"access_key_2_last_rotated"
|
||||
] = credentials_last_rotated
|
||||
|
||||
check = iam_rotate_access_key_90_days()
|
||||
result = check.execute()
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"User {user} has not rotated access key 1 in over 90 days (100 days)."
|
||||
)
|
||||
assert result[0].resource_id == user
|
||||
assert result[0].resource_arn == arn
|
||||
|
||||
assert result[1].status == "FAIL"
|
||||
assert (
|
||||
result[1].status_extended
|
||||
== f"User {user} has not rotated access key 2 in over 90 days (100 days)."
|
||||
)
|
||||
assert result[1].resource_id == user
|
||||
assert result[1].resource_arn == arn
|
||||
|
||||
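Review bot: `test_user_both_access_keys_not_rotated` asserts `result[0]` and `result[1]` only, so an extra PASS record appended after the two FAILs — the regression this commit fixes — would still pass here. Add `assert [f.status for f in result if f.resource_id == user] == ["FAIL", "FAIL"]` so the count and order of the user's findings are pinned. The positional `[0]`/`[1]` indexes also differ from the `[-1]`/`[-2]` style of the 30/45/90-day tests, presumably because the mocked credential report yields a different row set; filtering by `resource_id` removes that dependency. The test class begins outside the hunk.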
@@ -101,6 +101,37 @@ test_false_access_key_2,arn:aws:iam::123456789012:test_false_access_key_2,2022-0
|
||||
assert result[0].status == "FAIL"
|
||||
assert search("has never used access key 2", result[0].status_extended)
|
||||
|
||||
@mock_iam
|
||||
def test_setup_both_access_keys_fail(self):
|
||||
raw_credential_report = r"""user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
|
||||
test_false_both_access_keys,arn:aws:iam::123456789012:test_false_both_access_keys,2022-04-17T14:59:38+00:00,true,no_information,not_supported,not_supported,false,true,N/A,N/A,N/A,N/A,true,N/A,N/A,N/A,N/A,false,N/A,false,N/A"""
|
||||
credential_lines = raw_credential_report.split("\n")
|
||||
csv_reader = DictReader(credential_lines, delimiter=",")
|
||||
credential_list = list(csv_reader)
|
||||
|
||||
current_audit_info = self.set_mocked_audit_info()
|
||||
from prowler.providers.aws.services.iam.iam_service import IAM
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
|
||||
new=current_audit_info,
|
||||
), mock.patch(
|
||||
"prowler.providers.aws.services.iam.iam_user_no_setup_initial_access_key.iam_user_no_setup_initial_access_key.iam_client",
|
||||
new=IAM(current_audit_info),
|
||||
) as service_client:
|
||||
from prowler.providers.aws.services.iam.iam_user_no_setup_initial_access_key.iam_user_no_setup_initial_access_key import (
|
||||
iam_user_no_setup_initial_access_key,
|
||||
)
|
||||
|
||||
service_client.credential_report = credential_list
|
||||
|
||||
check = iam_user_no_setup_initial_access_key()
|
||||
result = check.execute()
|
||||
assert result[0].status == "FAIL"
|
||||
assert search("has never used access key 1", result[0].status_extended)
|
||||
assert result[1].status == "FAIL"
|
||||
assert search("has never used access key 2", result[1].status_extended)
|
||||
|
||||
@mock_iam
|
||||
def test_setup_access_key_pass(self):
|
||||
raw_credential_report = r"""user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
|
||||
|
||||