ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-13 00:05:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(iam): improve disable credentials checks (#2909)

Browse Source
This commit is contained in:
Sergio Garcia
2023-10-06 11:41:04 +02:00
committed by GitHub
parent 3955450245
commit e610c2514d
43 changed files with 693 additions and 1741 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
tests/lib/check/check_test.py
View File

@@ -295,8 +295,8 @@ class Test_Check:
"metadata_path": f"{os.path.dirname(os.path.realpath(__file__))}/fixtures/metadata.json",
},
"expected": {
"CheckID": "iam_disable_30_days_credentials",
"CheckTitle": "Ensure credentials unused for 30 days or greater are disabled",
"CheckID": "iam_user_accesskey_unused",
"CheckTitle": "Ensure Access Keys unused are disabled",
"ServiceName": "iam",
"Severity": "low",
},
@@ -398,22 +398,22 @@ class Test_Check:
{
"input": {
"checks_to_run": {
"iam_disable_30_days_credentials",
"iam_disable_90_days_credentials",
"iam_user_console_access_unused",
"iam_user_accesskey_unused",
},
"excluded_services": {"ec2"},
"provider": "aws",
},
"expected": {
"iam_disable_30_days_credentials",
"iam_disable_90_days_credentials",
"iam_user_console_access_unused",
"iam_user_accesskey_unused",
},
},
{
"input": {
"checks_to_run": {
"iam_disable_30_days_credentials",
"iam_disable_90_days_credentials",
"iam_user_console_access_unused",
"iam_user_accesskey_unused",
},
"excluded_services": {"iam"},
"provider": "aws",

4
tests/lib/check/fixtures/groupsA.json
View File

@@ -9,8 +9,8 @@
},
"iam": {
"checks": [
"iam_disable_30_days_credentials",
"iam_disable_90_days_credentials"
"iam_user_accesskey_unused",
"iam_user_console_access_unused"
],
"description": "Identity and Access Management"
}

6
tests/lib/check/fixtures/metadata.json
View File

@@ -3,8 +3,8 @@
"cat1",
"cat2"
],
"CheckID": "iam_disable_30_days_credentials",
"CheckTitle": "Ensure credentials unused for 30 days or greater are disabled",
"CheckID": "iam_user_accesskey_unused",
"CheckTitle": "Ensure Access Keys unused are disabled",
"CheckType": [
"Software and Configuration Checks"
],
@@ -25,7 +25,7 @@
"othercheck1",
"othercheck2"
],
"Description": "Ensure credentials unused for 30 days or greater are disabled",
"Description": "Ensure Access Keys unused are disabled",
"Notes": "additional information",
"Provider": "aws",
"RelatedTo": [

6
tests/lib/outputs/fixtures/metadata.json
View File

@@ -3,8 +3,8 @@
"cat1",
"cat2"
],
"CheckID": "iam_disable_30_days_credentials",
"CheckTitle": "Ensure credentials unused for 30 days or greater are disabled",
"CheckID": "iam_user_accesskey_unused",
"CheckTitle": "Ensure Access Keys unused are disabled",
"CheckType": [
"Software and Configuration Checks"
],
@@ -25,7 +25,7 @@
"othercheck1",
"othercheck2"
],
"Description": "Ensure credentials unused for 30 days or greater are disabled",
"Description": "Ensure Access Keys unused are disabled",
"Notes": "additional information",
"Provider": "aws",
"RelatedTo": [

26
tests/lib/outputs/outputs_test.py
View File

@@ -27,8 +27,8 @@ from prowler.lib.outputs.file_descriptors import fill_file_descriptors
from prowler.lib.outputs.json import (
fill_json_asff,
fill_json_ocsf,
generate_json_asff_status,
generate_json_asff_resource_tags,
generate_json_asff_status,
generate_json_ocsf_severity_id,
generate_json_ocsf_status,
generate_json_ocsf_status_id,
@@ -989,8 +989,8 @@ class Test_Outputs:
expected = Check_Output_JSON_OCSF(
finding=Finding(
title="Ensure credentials unused for 30 days or greater are disabled",
desc="Ensure credentials unused for 30 days or greater are disabled",
title="Ensure Access Keys unused are disabled",
desc="Ensure Access Keys unused are disabled",
supporting_data={
"Risk": "Risk associated.",
"Notes": "additional information",
@@ -1007,7 +1007,7 @@ class Test_Outputs:
),
types=["Software and Configuration Checks"],
src_url="https://serviceofficialsiteorpageforthissubject",
uid="prowler-aws-iam_disable_30_days_credentials-123456789012-eu-west-1-test-resource",
uid="prowler-aws-iam_user_accesskey_unused-123456789012-eu-west-1-test-resource",
related_events=[
"othercheck1",
"othercheck2",
@@ -1050,8 +1050,8 @@ class Test_Outputs:
version=prowler_version,
vendor_name="Prowler/ProwlerPro",
feature=Feature(
name="iam_disable_30_days_credentials",
uid="iam_disable_30_days_credentials",
name="iam_user_accesskey_unused",
uid="iam_user_accesskey_unused",
version=prowler_version,
),
),
@@ -1117,8 +1117,8 @@ class Test_Outputs:
expected = Check_Output_JSON_OCSF(
finding=Finding(
title="Ensure credentials unused for 30 days or greater are disabled",
desc="Ensure credentials unused for 30 days or greater are disabled",
title="Ensure Access Keys unused are disabled",
desc="Ensure Access Keys unused are disabled",
supporting_data={
"Risk": "Risk associated.",
"Notes": "additional information",
@@ -1135,7 +1135,7 @@ class Test_Outputs:
),
types=["Software and Configuration Checks"],
src_url="https://serviceofficialsiteorpageforthissubject",
uid="prowler-aws-iam_disable_30_days_credentials-123456789012-eu-west-1-test-resource",
uid="prowler-aws-iam_user_accesskey_unused-123456789012-eu-west-1-test-resource",
related_events=[
"othercheck1",
"othercheck2",
@@ -1178,8 +1178,8 @@ class Test_Outputs:
version=prowler_version,
vendor_name="Prowler/ProwlerPro",
feature=Feature(
name="iam_disable_30_days_credentials",
uid="iam_disable_30_days_credentials",
name="iam_user_accesskey_unused",
uid="iam_user_accesskey_unused",
version=prowler_version,
),
),
@@ -1333,10 +1333,10 @@ class Test_Outputs:
output_options = mock.MagicMock()
output_options.bulk_checks_metadata = {}
output_options.bulk_checks_metadata[
"iam_disable_30_days_credentials"
"iam_user_accesskey_unused"
] = mock.MagicMock()
output_options.bulk_checks_metadata[
"iam_disable_30_days_credentials"
"iam_user_accesskey_unused"
].Compliance = bulk_check_metadata
assert get_check_compliance(finding, "aws", output_options) == {

6
tests/providers/aws/lib/security_hub/fixtures/metadata.json
View File

@@ -3,8 +3,8 @@
"cat1",
"cat2"
],
"CheckID": "iam_disable_30_days_credentials",
"CheckTitle": "Ensure credentials unused for 30 days or greater are disabled",
"CheckID": "iam_user_accesskey_unused",
"CheckTitle": "Ensure Access Keys unused are disabled",
"CheckType": [
"Software and Configuration Checks"
],
@@ -25,7 +25,7 @@
"othercheck1",
"othercheck2"
],
"Description": "Ensure credentials unused for 30 days or greater are disabled",
"Description": "Ensure Access Keys unused are disabled",
"Notes": "additional information",
"Provider": "aws",
"RelatedTo": [

6
tests/providers/aws/lib/security_hub/security_hub_test.py
View File

@@ -122,7 +122,7 @@ class Test_SecurityHub:
AWS_REGION_1: [
{
"SchemaVersion": "2018-10-08",
"Id": f"prowler-iam_disable_30_days_credentials-{AWS_ACCOUNT_ID}-{AWS_REGION_1}-ee26b0dd4",
"Id": f"prowler-iam_user_accesskey_unused-{AWS_ACCOUNT_ID}-{AWS_REGION_1}-ee26b0dd4",
"ProductArn": f"arn:aws:securityhub:{AWS_REGION_1}::product/prowler/prowler",
"RecordState": "ACTIVE",
"ProductFields": {
@@ -130,14 +130,14 @@ class Test_SecurityHub:
"ProviderVersion": "3.9.0",
"ProwlerResourceName": "test",
},
"GeneratorId": "prowler-iam_disable_30_days_credentials",
"GeneratorId": "prowler-iam_user_accesskey_unused",
"AwsAccountId": f"{AWS_ACCOUNT_ID}",
"Types": ["Software and Configuration Checks"],
"FirstObservedAt": timestamp_utc.strftime("%Y-%m-%dT%H:%M:%SZ"),
"UpdatedAt": timestamp_utc.strftime("%Y-%m-%dT%H:%M:%SZ"),
"CreatedAt": timestamp_utc.strftime("%Y-%m-%dT%H:%M:%SZ"),
"Severity": {"Label": "LOW"},
"Title": "Ensure credentials unused for 30 days or greater are disabled",
"Title": "Ensure Access Keys unused are disabled",
"Description": "test",
"Resources": [
{

449
tests/providers/aws/services/iam/iam_disable_30_days_credentials/iam_disable_30_days_credentials_test.py
View File

@@ -1,449 +0,0 @@
import datetime
from unittest import mock
from boto3 import client, session
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.common.models import Audit_Metadata
AWS_ACCOUNT_NUMBER = "123456789012"
AWS_REGION = "us-east-1"
class Test_iam_disable_30_days_credentials_test:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
region_name=AWS_REGION,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=AWS_REGION,
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
@mock_iam
def test_iam_user_logged_30_days(self):
password_last_used = (
datetime.datetime.now() - datetime.timedelta(days=2)
).strftime("%Y-%m-%d %H:%M:%S+00:00")
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials import (
iam_disable_30_days_credentials,
)
service_client.users[0].password_last_used = password_last_used
check = iam_disable_30_days_credentials()
result = check.execute()
assert len(result) == 2
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"User {user} has logged in to the console in the past 30 days."
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION
assert result[1].status == "PASS"
assert (
result[1].status_extended
== f"User {user} does not have access keys."
)
assert result[1].resource_id == user
assert result[1].resource_arn == arn
assert result[1].region == AWS_REGION
@mock_iam
def test_iam_user_not_logged_30_days(self):
password_last_used = (
datetime.datetime.now() - datetime.timedelta(days=60)
).strftime("%Y-%m-%d %H:%M:%S+00:00")
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials import (
iam_disable_30_days_credentials,
)
service_client.users[0].password_last_used = password_last_used
check = iam_disable_30_days_credentials()
result = check.execute()
assert len(result) == 2
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"User {user} has not logged in to the console in the past 30 days."
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION
assert result[1].status == "PASS"
assert (
result[1].status_extended
== f"User {user} does not have access keys."
)
assert result[1].resource_id == user
assert result[1].resource_arn == arn
assert result[1].region == AWS_REGION
@mock_iam
def test_iam_user_not_logged(self):
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials import (
iam_disable_30_days_credentials,
)
service_client.users[0].password_last_used = ""
# raise Exception
check = iam_disable_30_days_credentials()
result = check.execute()
assert len(result) == 2
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"User {user} does not have a console password or is unused."
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION
assert result[1].status == "PASS"
assert (
result[1].status_extended
== f"User {user} does not have access keys."
)
assert result[1].resource_id == user
assert result[1].resource_arn == arn
assert result[1].region == AWS_REGION
@mock_iam
def test_user_no_access_keys(self):
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials import (
iam_disable_30_days_credentials,
)
service_client.credential_report[0][
"access_key_1_last_rotated"
] == "N/A"
service_client.credential_report[0][
"access_key_2_last_rotated"
] == "N/A"
check = iam_disable_30_days_credentials()
result = check.execute()
assert len(result) == 2
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"User {user} does not have a console password or is unused."
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION
assert result[1].status == "PASS"
assert (
result[1].status_extended
== f"User {user} does not have access keys."
)
assert result[1].resource_id == user
assert result[1].resource_arn == arn
assert result[1].region == AWS_REGION
@mock_iam
def test_user_access_key_1_not_used(self):
credentials_last_rotated = (
datetime.datetime.now() - datetime.timedelta(days=100)
).strftime("%Y-%m-%dT%H:%M:%S+00:00")
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials import (
iam_disable_30_days_credentials,
)
service_client.credential_report[0]["access_key_1_active"] = "true"
service_client.credential_report[0][
"access_key_1_last_used_date"
] = credentials_last_rotated
check = iam_disable_30_days_credentials()
result = check.execute()
assert len(result) == 2
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"User {user} does not have a console password or is unused."
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION
assert result[1].status == "FAIL"
assert (
result[1].status_extended
== f"User {user} has not used access key 1 in the last 30 days (100 days)."
)
assert result[1].resource_id == user + "/AccessKey1"
assert result[1].resource_arn == arn
assert result[1].region == AWS_REGION
@mock_iam
def test_user_access_key_2_not_used(self):
credentials_last_rotated = (
datetime.datetime.now() - datetime.timedelta(days=100)
).strftime("%Y-%m-%dT%H:%M:%S+00:00")
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials import (
iam_disable_30_days_credentials,
)
service_client.credential_report[0]["access_key_2_active"] = "true"
service_client.credential_report[0][
"access_key_2_last_used_date"
] = credentials_last_rotated
check = iam_disable_30_days_credentials()
result = check.execute()
assert len(result) == 2
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"User {user} does not have a console password or is unused."
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION
assert result[1].status == "FAIL"
assert (
result[1].status_extended
== f"User {user} has not used access key 2 in the last 30 days (100 days)."
)
assert result[1].resource_id == user + "/AccessKey2"
assert result[1].resource_arn == arn
assert result[1].region == AWS_REGION
@mock_iam
def test_user_both_access_keys_not_used(self):
credentials_last_rotated = (
datetime.datetime.now() - datetime.timedelta(days=100)
).strftime("%Y-%m-%dT%H:%M:%S+00:00")
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials import (
iam_disable_30_days_credentials,
)
service_client.credential_report[0]["access_key_1_active"] = "true"
service_client.credential_report[0][
"access_key_1_last_used_date"
] = credentials_last_rotated
service_client.credential_report[0]["access_key_2_active"] = "true"
service_client.credential_report[0][
"access_key_2_last_used_date"
] = credentials_last_rotated
check = iam_disable_30_days_credentials()
result = check.execute()
assert len(result) == 3
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"User {user} does not have a console password or is unused."
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION
assert result[1].status == "FAIL"
assert (
result[1].status_extended
== f"User {user} has not used access key 1 in the last 30 days (100 days)."
)
assert result[1].resource_id == user + "/AccessKey1"
assert result[1].resource_arn == arn
assert result[1].region == AWS_REGION
assert result[2].status == "FAIL"
assert (
result[2].status_extended
== f"User {user} has not used access key 2 in the last 30 days (100 days)."
)
assert result[2].resource_id == user + "/AccessKey2"
assert result[2].resource_arn == arn
assert result[2].region == AWS_REGION
@mock_iam
def test_user_both_access_keys_used(self):
credentials_last_rotated = (
datetime.datetime.now() - datetime.timedelta(days=10)
).strftime("%Y-%m-%dT%H:%M:%S+00:00")
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials import (
iam_disable_30_days_credentials,
)
service_client.credential_report[0]["access_key_1_active"] = "true"
service_client.credential_report[0][
"access_key_1_last_used_date"
] = credentials_last_rotated
service_client.credential_report[0]["access_key_2_active"] = "true"
service_client.credential_report[0][
"access_key_2_last_used_date"
] = credentials_last_rotated
check = iam_disable_30_days_credentials()
result = check.execute()
assert len(result) == 2
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"User {user} does not have a console password or is unused."
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION
assert result[1].status == "PASS"
assert (
result[1].status_extended
== f"User {user} does not have unused access keys for 30 days."
)
assert result[1].resource_id == user
assert result[1].resource_arn == arn
assert result[1].region == AWS_REGION

448
tests/providers/aws/services/iam/iam_disable_45_days_credentials/iam_disable_45_days_credentials_test.py
View File

@@ -1,448 +0,0 @@
import datetime
from unittest import mock
from boto3 import client, session
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.common.models import Audit_Metadata
AWS_ACCOUNT_NUMBER = "123456789012"
AWS_REGION = "us-east-1"
class Test_iam_disable_45_days_credentials_test:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
region_name=AWS_REGION,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=AWS_REGION,
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
@mock_iam
def test_iam_user_logged_45_days(self):
password_last_used = (
datetime.datetime.now() - datetime.timedelta(days=2)
).strftime("%Y-%m-%d %H:%M:%S+00:00")
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials import (
iam_disable_45_days_credentials,
)
service_client.users[0].password_last_used = password_last_used
check = iam_disable_45_days_credentials()
result = check.execute()
assert len(result) == 2
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"User {user} has logged in to the console in the past 45 days."
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION
assert result[1].status == "PASS"
assert (
result[1].status_extended
== f"User {user} does not have access keys."
)
assert result[1].resource_id == user
assert result[1].resource_arn == arn
assert result[1].region == AWS_REGION
@mock_iam
def test_iam_user_not_logged_45_days(self):
password_last_used = (
datetime.datetime.now() - datetime.timedelta(days=60)
).strftime("%Y-%m-%d %H:%M:%S+00:00")
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials import (
iam_disable_45_days_credentials,
)
service_client.users[0].password_last_used = password_last_used
check = iam_disable_45_days_credentials()
result = check.execute()
assert len(result) == 2
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"User {user} has not logged in to the console in the past 45 days."
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION
assert result[1].status == "PASS"
assert (
result[1].status_extended
== f"User {user} does not have access keys."
)
assert result[1].resource_id == user
assert result[1].resource_arn == arn
assert result[1].region == AWS_REGION
@mock_iam
def test_iam_user_not_logged(self):
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials import (
iam_disable_45_days_credentials,
)
service_client.users[0].password_last_used = ""
# raise Exception
check = iam_disable_45_days_credentials()
result = check.execute()
assert len(result) == 2
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"User {user} does not have a console password or is unused."
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION
assert result[1].status == "PASS"
assert (
result[1].status_extended
== f"User {user} does not have access keys."
)
assert result[1].resource_id == user
assert result[1].resource_arn == arn
assert result[1].region == AWS_REGION
@mock_iam
def test_user_no_access_keys(self):
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials import (
iam_disable_45_days_credentials,
)
service_client.credential_report[0][
"access_key_1_last_rotated"
] == "N/A"
service_client.credential_report[0][
"access_key_2_last_rotated"
] == "N/A"
check = iam_disable_45_days_credentials()
result = check.execute()
assert len(result) == 2
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"User {user} does not have a console password or is unused."
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION
assert result[1].status == "PASS"
assert (
result[1].status_extended
== f"User {user} does not have access keys."
)
assert result[1].resource_id == user
assert result[1].resource_arn == arn
assert result[1].region == AWS_REGION
@mock_iam
def test_user_access_key_1_not_used(self):
credentials_last_rotated = (
datetime.datetime.now() - datetime.timedelta(days=100)
).strftime("%Y-%m-%dT%H:%M:%S+00:00")
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials import (
iam_disable_45_days_credentials,
)
service_client.credential_report[0]["access_key_1_active"] = "true"
service_client.credential_report[0][
"access_key_1_last_used_date"
] = credentials_last_rotated
check = iam_disable_45_days_credentials()
result = check.execute()
assert len(result) == 2
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"User {user} does not have a console password or is unused."
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION
assert result[1].status == "FAIL"
assert (
result[1].status_extended
== f"User {user} has not used access key 1 in the last 45 days (100 days)."
)
assert result[1].resource_id == user + "/AccessKey1"
assert result[1].resource_arn == arn
assert result[1].region == AWS_REGION
@mock_iam
def test_user_access_key_2_not_used(self):
credentials_last_rotated = (
datetime.datetime.now() - datetime.timedelta(days=100)
).strftime("%Y-%m-%dT%H:%M:%S+00:00")
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials import (
iam_disable_45_days_credentials,
)
service_client.credential_report[0]["access_key_2_active"] = "true"
service_client.credential_report[0][
"access_key_2_last_used_date"
] = credentials_last_rotated
check = iam_disable_45_days_credentials()
result = check.execute()
assert len(result) == 2
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"User {user} does not have a console password or is unused."
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION
assert result[1].status == "FAIL"
assert (
result[1].status_extended
== f"User {user} has not used access key 2 in the last 45 days (100 days)."
)
assert result[1].resource_id == user + "/AccessKey2"
assert result[1].resource_arn == arn
assert result[1].region == AWS_REGION
@mock_iam
def test_user_both_access_keys_not_used(self):
credentials_last_rotated = (
datetime.datetime.now() - datetime.timedelta(days=100)
).strftime("%Y-%m-%dT%H:%M:%S+00:00")
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials import (
iam_disable_45_days_credentials,
)
service_client.credential_report[0]["access_key_1_active"] = "true"
service_client.credential_report[0][
"access_key_1_last_used_date"
] = credentials_last_rotated
service_client.credential_report[0]["access_key_2_active"] = "true"
service_client.credential_report[0][
"access_key_2_last_used_date"
] = credentials_last_rotated
check = iam_disable_45_days_credentials()
result = check.execute()
assert len(result) == 3
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"User {user} does not have a console password or is unused."
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION
assert result[1].status == "FAIL"
assert (
result[1].status_extended
== f"User {user} has not used access key 1 in the last 45 days (100 days)."
)
assert result[1].resource_id == user + "/AccessKey1"
assert result[1].resource_arn == arn
assert result[1].region == AWS_REGION
assert result[2].status == "FAIL"
assert (
result[2].status_extended
== f"User {user} has not used access key 2 in the last 45 days (100 days)."
)
assert result[2].resource_id == user + "/AccessKey2"
assert result[2].resource_arn == arn
assert result[2].region == AWS_REGION
@mock_iam
def test_user_both_access_keys_used(self):
credentials_last_rotated = (
datetime.datetime.now() - datetime.timedelta(days=10)
).strftime("%Y-%m-%dT%H:%M:%S+00:00")
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials import (
iam_disable_45_days_credentials,
)
service_client.credential_report[0]["access_key_1_active"] = "true"
service_client.credential_report[0][
"access_key_1_last_used_date"
] = credentials_last_rotated
service_client.credential_report[0]["access_key_2_active"] = "true"
service_client.credential_report[0][
"access_key_2_last_used_date"
] = credentials_last_rotated
check = iam_disable_45_days_credentials()
result = check.execute()
assert len(result) == 2
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"User {user} does not have a console password or is unused."
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION
assert result[1].status == "PASS"
assert (
result[1].status_extended
== f"User {user} does not have unused access keys for 45 days."
)
assert result[1].resource_id == user
assert result[1].resource_arn == arn
assert result[1].region == AWS_REGION

446
tests/providers/aws/services/iam/iam_disable_90_days_credentials/iam_disable_90_days_credentials_test.py
View File

@@ -1,446 +0,0 @@
import datetime
from unittest import mock
from boto3 import client, session
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.common.models import Audit_Metadata
AWS_ACCOUNT_NUMBER = "123456789012"
AWS_REGION = "us-east-1"
class Test_iam_disable_90_days_credentials_test:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
region_name=AWS_REGION,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=AWS_REGION,
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
@mock_iam
def test_iam_user_logged_90_days(self):
password_last_used = (
datetime.datetime.now() - datetime.timedelta(days=2)
).strftime("%Y-%m-%d %H:%M:%S+00:00")
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials import (
iam_disable_90_days_credentials,
)
service_client.users[0].password_last_used = password_last_used
check = iam_disable_90_days_credentials()
result = check.execute()
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"User {user} has logged in to the console in the past 90 days."
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION
assert result[1].status == "PASS"
assert (
result[1].status_extended
== f"User {user} does not have access keys."
)
assert result[1].resource_id == user
assert result[1].resource_arn == arn
assert result[1].region == AWS_REGION
@mock_iam
def test_iam_user_not_logged_90_days(self):
password_last_used = (
datetime.datetime.now() - datetime.timedelta(days=100)
).strftime("%Y-%m-%d %H:%M:%S+00:00")
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials import (
iam_disable_90_days_credentials,
)
service_client.users[0].password_last_used = password_last_used
check = iam_disable_90_days_credentials()
result = check.execute()
assert len(result) == 2
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"User {user} has not logged in to the console in the past 90 days."
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION
assert result[1].status == "PASS"
assert (
result[1].status_extended
== f"User {user} does not have access keys."
)
assert result[1].resource_id == user
assert result[1].resource_arn == arn
assert result[1].region == AWS_REGION
@mock_iam
def test_iam_user_not_logged(self):
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials import (
iam_disable_90_days_credentials,
)
service_client.users[0].password_last_used = ""
# raise Exception
check = iam_disable_90_days_credentials()
result = check.execute()
assert len(result) == 2
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"User {user} does not have a console password or is unused."
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION
assert result[1].status == "PASS"
assert (
result[1].status_extended
== f"User {user} does not have access keys."
)
assert result[1].resource_id == user
assert result[1].resource_arn == arn
assert result[1].region == AWS_REGION
@mock_iam
def test_user_no_access_keys(self):
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials import (
iam_disable_90_days_credentials,
)
service_client.credential_report[0][
"access_key_1_last_rotated"
] == "N/A"
service_client.credential_report[0][
"access_key_2_last_rotated"
] == "N/A"
check = iam_disable_90_days_credentials()
result = check.execute()
assert len(result) == 2
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"User {user} does not have a console password or is unused."
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION
assert result[1].status == "PASS"
assert (
result[1].status_extended
== f"User {user} does not have access keys."
)
assert result[1].resource_id == user
assert result[1].resource_arn == arn
assert result[1].region == AWS_REGION
@mock_iam
def test_user_access_key_1_not_used(self):
credentials_last_rotated = (
datetime.datetime.now() - datetime.timedelta(days=100)
).strftime("%Y-%m-%dT%H:%M:%S+00:00")
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials import (
iam_disable_90_days_credentials,
)
service_client.credential_report[0]["access_key_1_active"] = "true"
service_client.credential_report[0][
"access_key_1_last_used_date"
] = credentials_last_rotated
check = iam_disable_90_days_credentials()
result = check.execute()
assert len(result) == 2
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"User {user} does not have a console password or is unused."
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION
assert result[1].status == "FAIL"
assert (
result[1].status_extended
== f"User {user} has not used access key 1 in the last 90 days (100 days)."
)
assert result[1].resource_id == user + "/AccessKey1"
assert result[1].resource_arn == arn
assert result[1].region == AWS_REGION
@mock_iam
def test_user_access_key_2_not_used(self):
credentials_last_rotated = (
datetime.datetime.now() - datetime.timedelta(days=100)
).strftime("%Y-%m-%dT%H:%M:%S+00:00")
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials import (
iam_disable_90_days_credentials,
)
service_client.credential_report[0]["access_key_2_active"] = "true"
service_client.credential_report[0][
"access_key_2_last_used_date"
] = credentials_last_rotated
check = iam_disable_90_days_credentials()
result = check.execute()
assert len(result) == 2
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"User {user} does not have a console password or is unused."
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION
assert result[1].status == "FAIL"
assert (
result[1].status_extended
== f"User {user} has not used access key 2 in the last 90 days (100 days)."
)
assert result[1].resource_id == user + "/AccessKey2"
assert result[1].resource_arn == arn
assert result[1].region == AWS_REGION
@mock_iam
def test_user_both_access_keys_not_used(self):
credentials_last_rotated = (
datetime.datetime.now() - datetime.timedelta(days=100)
).strftime("%Y-%m-%dT%H:%M:%S+00:00")
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials import (
iam_disable_90_days_credentials,
)
service_client.credential_report[0]["access_key_1_active"] = "true"
service_client.credential_report[0][
"access_key_1_last_used_date"
] = credentials_last_rotated
service_client.credential_report[0]["access_key_2_active"] = "true"
service_client.credential_report[0][
"access_key_2_last_used_date"
] = credentials_last_rotated
check = iam_disable_90_days_credentials()
result = check.execute()
assert len(result) == 3
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"User {user} does not have a console password or is unused."
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION
assert result[1].status == "FAIL"
assert (
result[1].status_extended
== f"User {user} has not used access key 1 in the last 90 days (100 days)."
)
assert result[1].resource_id == user + "/AccessKey1"
assert result[1].resource_arn == arn
assert result[1].region == AWS_REGION
assert result[2].status == "FAIL"
assert (
result[2].status_extended
== f"User {user} has not used access key 2 in the last 90 days (100 days)."
)
assert result[2].resource_id == user + "/AccessKey2"
assert result[2].resource_arn == arn
assert result[2].region == AWS_REGION
@mock_iam
def test_user_both_access_keys_used(self):
credentials_last_rotated = (
datetime.datetime.now() - datetime.timedelta(days=10)
).strftime("%Y-%m-%dT%H:%M:%S+00:00")
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials import (
iam_disable_45_days_credentials,
)
service_client.credential_report[0]["access_key_1_active"] = "true"
service_client.credential_report[0][
"access_key_1_last_used_date"
] = credentials_last_rotated
service_client.credential_report[0]["access_key_2_active"] = "true"
service_client.credential_report[0][
"access_key_2_last_used_date"
] = credentials_last_rotated
check = iam_disable_45_days_credentials()
result = check.execute()
assert len(result) == 2
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"User {user} does not have a console password or is unused."
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION
assert result[1].status == "PASS"
assert (
result[1].status_extended
== f"User {user} does not have unused access keys for 45 days."
)
assert result[1].resource_id == user
assert result[1].resource_arn == arn
assert result[1].region == AWS_REGION

274
tests/providers/aws/services/iam/iam_user_accesskey_unused/iam_user_accesskey_unused_test.py Normal file
View File

@@ -0,0 +1,274 @@
import datetime
from unittest import mock
from boto3 import client, session
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.common.models import Audit_Metadata
AWS_ACCOUNT_NUMBER = "123456789012"
AWS_REGION = "us-east-1"
class Test_iam_user_accesskey_unused_test:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
region_name=AWS_REGION,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=AWS_REGION,
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
audit_config={"max_unused_access_keys_days": 45},
)
return audit_info
@mock_iam
def test_user_no_access_keys(self):
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_user_accesskey_unused.iam_user_accesskey_unused.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_user_accesskey_unused.iam_user_accesskey_unused import (
iam_user_accesskey_unused,
)
service_client.credential_report[0][
"access_key_1_last_rotated"
] == "N/A"
service_client.credential_report[0][
"access_key_2_last_rotated"
] == "N/A"
check = iam_user_accesskey_unused()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"User {user} does not have access keys."
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION
@mock_iam
def test_user_access_key_1_not_used(self):
credentials_last_rotated = (
datetime.datetime.now() - datetime.timedelta(days=100)
).strftime("%Y-%m-%dT%H:%M:%S+00:00")
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_user_accesskey_unused.iam_user_accesskey_unused.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_user_accesskey_unused.iam_user_accesskey_unused import (
iam_user_accesskey_unused,
)
service_client.credential_report[0]["access_key_1_active"] = "true"
service_client.credential_report[0][
"access_key_1_last_used_date"
] = credentials_last_rotated
check = iam_user_accesskey_unused()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"User {user} has not used access key 1 in the last 45 days (100 days)."
)
assert result[0].resource_id == user + "/AccessKey1"
assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION
@mock_iam
def test_user_access_key_2_not_used(self):
credentials_last_rotated = (
datetime.datetime.now() - datetime.timedelta(days=100)
).strftime("%Y-%m-%dT%H:%M:%S+00:00")
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_user_accesskey_unused.iam_user_accesskey_unused.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_user_accesskey_unused.iam_user_accesskey_unused import (
iam_user_accesskey_unused,
)
service_client.credential_report[0]["access_key_2_active"] = "true"
service_client.credential_report[0][
"access_key_2_last_used_date"
] = credentials_last_rotated
check = iam_user_accesskey_unused()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"User {user} has not used access key 2 in the last 45 days (100 days)."
)
assert result[0].resource_id == user + "/AccessKey2"
assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION
@mock_iam
def test_user_both_access_keys_not_used(self):
credentials_last_rotated = (
datetime.datetime.now() - datetime.timedelta(days=100)
).strftime("%Y-%m-%dT%H:%M:%S+00:00")
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_user_accesskey_unused.iam_user_accesskey_unused.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_user_accesskey_unused.iam_user_accesskey_unused import (
iam_user_accesskey_unused,
)
service_client.credential_report[0]["access_key_1_active"] = "true"
service_client.credential_report[0][
"access_key_1_last_used_date"
] = credentials_last_rotated
service_client.credential_report[0]["access_key_2_active"] = "true"
service_client.credential_report[0][
"access_key_2_last_used_date"
] = credentials_last_rotated
check = iam_user_accesskey_unused()
result = check.execute()
assert len(result) == 2
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"User {user} has not used access key 1 in the last 45 days (100 days)."
)
assert result[0].resource_id == user + "/AccessKey1"
assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION
assert result[1].status == "FAIL"
assert (
result[1].status_extended
== f"User {user} has not used access key 2 in the last 45 days (100 days)."
)
assert result[1].resource_id == user + "/AccessKey2"
assert result[1].resource_arn == arn
assert result[1].region == AWS_REGION
@mock_iam
def test_user_both_access_keys_used(self):
credentials_last_rotated = (
datetime.datetime.now() - datetime.timedelta(days=10)
).strftime("%Y-%m-%dT%H:%M:%S+00:00")
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_user_accesskey_unused.iam_user_accesskey_unused.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_user_accesskey_unused.iam_user_accesskey_unused import (
iam_user_accesskey_unused,
)
service_client.credential_report[0]["access_key_1_active"] = "true"
service_client.credential_report[0][
"access_key_1_last_used_date"
] = credentials_last_rotated
service_client.credential_report[0]["access_key_2_active"] = "true"
service_client.credential_report[0][
"access_key_2_last_used_date"
] = credentials_last_rotated
check = iam_user_accesskey_unused()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"User {user} does not have unused access keys for 45 days."
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION

158
tests/providers/aws/services/iam/iam_user_console_access_unused/iam_user_console_access_unused_test.py Normal file
View File

@@ -0,0 +1,158 @@
import datetime
from unittest import mock
from boto3 import client, session
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.common.models import Audit_Metadata
AWS_ACCOUNT_NUMBER = "123456789012"
AWS_REGION = "us-east-1"
class Test_iam_user_console_access_unused_test:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
region_name=AWS_REGION,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=AWS_REGION,
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
audit_config={"max_console_access_days": 45},
)
return audit_info
@mock_iam
def test_iam_user_logged_45_days(self):
password_last_used = (
datetime.datetime.now() - datetime.timedelta(days=2)
).strftime("%Y-%m-%d %H:%M:%S+00:00")
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_user_console_access_unused.iam_user_console_access_unused.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_user_console_access_unused.iam_user_console_access_unused import (
iam_user_console_access_unused,
)
service_client.users[0].password_last_used = password_last_used
check = iam_user_console_access_unused()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"User {user} has logged in to the console in the past 45 days (2 days)."
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION
@mock_iam
def test_iam_user_not_logged_45_days(self):
password_last_used = (
datetime.datetime.now() - datetime.timedelta(days=60)
).strftime("%Y-%m-%d %H:%M:%S+00:00")
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_user_console_access_unused.iam_user_console_access_unused.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_user_console_access_unused.iam_user_console_access_unused import (
iam_user_console_access_unused,
)
service_client.users[0].password_last_used = password_last_used
check = iam_user_console_access_unused()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"User {user} has not logged in to the console in the past 45 days (60 days)."
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION
@mock_iam
def test_iam_user_not_logged(self):
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_user_console_access_unused.iam_user_console_access_unused.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_user_console_access_unused.iam_user_console_access_unused import (
iam_user_console_access_unused,
)
service_client.users[0].password_last_used = ""
# raise Exception
check = iam_user_console_access_unused()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"User {user} does not have a console password or is unused."
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION