fix(iam_rotate_access_key_90_days): check only active access keys (#1929)

Co-authored-by: Sergio Garcia <sergargar1@gmail.com>
2026-02-10 23:05:05 +00:00 · 2023-02-17 13:53:28 +02:00
parent 2f4d0af7d7
commit fa228c876c
2 changed files with 10 additions and 2 deletions
--- a/prowler/providers/aws/services/iam/iam_rotate_access_key_90_days/iam_rotate_access_key_90_days.py
+++ b/prowler/providers/aws/services/iam/iam_rotate_access_key_90_days/iam_rotate_access_key_90_days.py
@@ -26,7 +26,10 @@ class iam_rotate_access_key_90_days(Check):
                )
            else:
                old_access_keys = False
-                if user["access_key_1_last_rotated"] != "N/A":
+                if (
+                    user["access_key_1_last_rotated"] != "N/A"
+                    and user["access_key_1_active"] == "true"
+                ):
                    access_key_1_last_rotated = (
                        datetime.datetime.now()
                        - datetime.datetime.strptime(
@@ -38,7 +41,10 @@ class iam_rotate_access_key_90_days(Check):
                        old_access_keys = True
                        report.status = "FAIL"
                        report.status_extended = f"User {user['user']} has not rotated access key 1 in over 90 days ({access_key_1_last_rotated.days} days)."
-                if user["access_key_2_last_rotated"] != "N/A":
+                if (
+                    user["access_key_2_last_rotated"] != "N/A"
+                    and user["access_key_2_active"] == "true"
+                ):
                    access_key_2_last_rotated = (
                        datetime.datetime.now()
                        - datetime.datetime.strptime(
--- a/tests/providers/aws/services/iam/iam_rotate_access_key_90_days/iam_rotate_access_key_90_days_test.py
+++ b/tests/providers/aws/services/iam/iam_rotate_access_key_90_days/iam_rotate_access_key_90_days_test.py
@@ -59,6 +59,7 @@ class Test_iam_rotate_access_key_90_days_test:
                iam_rotate_access_key_90_days,
            )

+            service_client.credential_report[0]["access_key_1_active"] = "true"
            service_client.credential_report[0][
                "access_key_1_last_rotated"
            ] = credentials_last_rotated
@@ -95,6 +96,7 @@ class Test_iam_rotate_access_key_90_days_test:
                iam_rotate_access_key_90_days,
            )

+            service_client.credential_report[0]["access_key_2_active"] = "true"
            service_client.credential_report[0][
                "access_key_2_last_rotated"
            ] = credentials_last_rotated