From fa228c876c462755adc2a448a87cf29b26068363 Mon Sep 17 00:00:00 2001
From: Fennerr <41741346+Fennerr@users.noreply.github.com>
Date: Fri, 17 Feb 2023 13:53:28 +0200
Subject: [PATCH] fix(iam_rotate_access_key_90_days): check only active access keys (#1929)
Co-authored-by: Sergio Garcia
---
 .../iam_rotate_access_key_90_days.py | 10 ++++++++--
 .../iam_rotate_access_key_90_days_test.py | 2 ++
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/prowler/providers/aws/services/iam/iam_rotate_access_key_90_days/iam_rotate_access_key_90_days.py b/prowler/providers/aws/services/iam/iam_rotate_access_key_90_days/iam_rotate_access_key_90_days.py
index 420b38cc..45840a50 100644
--- a/prowler/providers/aws/services/iam/iam_rotate_access_key_90_days/iam_rotate_access_key_90_days.py
+++ b/prowler/providers/aws/services/iam/iam_rotate_access_key_90_days/iam_rotate_access_key_90_days.py
@@ -26,7 +26,10 @@ class iam_rotate_access_key_90_days(Check):
 )
 else:
 old_access_keys = False
- if user["access_key_1_last_rotated"] != "N/A":
+ if (
+ user["access_key_1_last_rotated"] != "N/A"
+ and user["access_key_1_active"] == "true"
+ ):
 access_key_1_last_rotated = (
 datetime.datetime.now()
 - datetime.datetime.strptime(
@@ -38,7 +41,10 @@ class iam_rotate_access_key_90_days(Check):
 old_access_keys = True
 report.status = "FAIL"
 report.status_extended = f"User {user['user']} has not rotated access key 1 in over 90 days ({access_key_1_last_rotated.days} days)."
- if user["access_key_2_last_rotated"] != "N/A":
+ if (
+ user["access_key_2_last_rotated"] != "N/A"
+ and user["access_key_2_active"] == "true"
+ ):
 access_key_2_last_rotated = (
 datetime.datetime.now()
 - datetime.datetime.strptime(
diff --git a/tests/providers/aws/services/iam/iam_rotate_access_key_90_days/iam_rotate_access_key_90_days_test.py b/tests/providers/aws/services/iam/iam_rotate_access_key_90_days/iam_rotate_access_key_90_days_test.py
index eededd61..c0d6ee8a 100644
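Review bot: The same four-line guard is written out twice, here for key 1 and again in the second hunk for key 2, with only the key index differing, so the two conditions can drift apart on the next edit; a small helper such as `def _is_active_rotated_key(user, idx): return user[f"access_key_{idx}_last_rotated"] != "N/A" and user[f"access_key_{idx}_active"] == "true"` called from both places would keep them in lockstep. The new condition also makes a deactivated key invisible to this check even when it has not been rotated in over 90 days; that matches the commit title, but since an inactive key still exists in the account and can be re-enabled, the choice deserves a comment on the new `if (` line, e.g. `# Only active keys are evaluated; inactive keys are out of scope for this check`. The `== "true"` comparison relies on the credential report emitting a lowercase string, which the visible lines do not establish, so confirm that the report parser normalises the value. The enclosing method of `iam_rotate_access_key_90_days` starts and ends outside both hunks.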
--- a/tests/providers/aws/services/iam/iam_rotate_access_key_90_days/iam_rotate_access_key_90_days_test.py
+++ b/tests/providers/aws/services/iam/iam_rotate_access_key_90_days/iam_rotate_access_key_90_days_test.py
@@ -59,6 +59,7 @@ class Test_iam_rotate_access_key_90_days_test:
 iam_rotate_access_key_90_days,
 )
+ service_client.credential_report[0]["access_key_1_active"] = "true"
 service_client.credential_report[0][
 "access_key_1_last_rotated"
 ] = credentials_last_rotated
@@ -95,6 +96,7 @@ class Test_iam_rotate_access_key_90_days_test:
 iam_rotate_access_key_90_days,
 )
+ service_client.credential_report[0]["access_key_2_active"] = "true"
 service_client.credential_report[0][
 "access_key_2_last_rotated"
 ] = credentials_last_rotated
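Review bot: Neither hunk adds a test for the branch the fix introduces; both only set the `_active` flag to `"true"` on the existing stale-key case, so a regression that drops the `access_key_N_active` condition would still pass. A companion case that sets `service_client.credential_report[0]["access_key_1_active"] = "false"` alongside the same old `access_key_1_last_rotated` value and asserts that key 1 is no longer reported as unrotated would pin the new behaviour (the same applies to key 2 in the second hunk). Both test methods start outside the hunks, and one context line appears to have been lost when the patch text was collapsed, so the exact surrounding lines are inferred.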