#!/usr/bin/env bash

# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.

CHECK_ID_check116="1.16"
CHECK_TITLE_check116="[check116] Ensure IAM policies are attached only to groups or roles"
CHECK_SCORED_check116="SCORED"
CHECK_TYPE_check116="LEVEL1"
CHECK_SEVERITY_check116="Low"
CHECK_ASFF_TYPE_check116="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check116="AwsIamUser"
CHECK_ALTERNATE_check116="check116"
CHECK_ASFF_COMPLIANCE_TYPE_check116="ens-op.acc.3.aws.iam.1"
CHECK_SERVICENAME_check116="iam"
CHECK_RISK_check116='By default IAM users; groups; and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users; groups; or roles. It is recommended that IAM policies be applied directly to groups and roles but not users. Assigning privileges at the group or role level reduces the complexity of access management as the number of users grow. Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.'
CHECK_REMEDIATION_check116='Remove any policy attached directly to the user. Use groups or roles instead.'
CHECK_DOC_check116='https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html'
CHECK_CAF_EPIC_check116='IAM'

check116(){
  # "Ensure IAM policies are attached only to groups or roles (Scored)"
  LIST_USERS=$($AWSCLI iam list-users --query 'Users[*].UserName' --output text $PROFILE_OPT --region $REGION)
  C116_NUM_USERS=0
  for user in $LIST_USERS;do
    USER_POLICY=$($AWSCLI iam list-attached-user-policies --output text $PROFILE_OPT --region $REGION --user-name $user)
    if [[ $USER_POLICY ]]; then
      textFail "$REGION: $user has managed policy directly attached" "$REGION" "$user"
      C116_NUM_USERS=$(expr $C116_NUM_USERS + 1)
    fi
    USER_POLICY=$($AWSCLI iam list-user-policies --output text $PROFILE_OPT --region $REGION --user-name $user)
    if [[ $USER_POLICY ]]; then
      textFail "$REGION: $user has inline policy directly attached" "$REGION" "$user"
      C116_NUM_USERS=$(expr $C116_NUM_USERS + 1)
    fi
  done
  if [[ $C116_NUM_USERS -eq 0 ]]; then
    textPass "$REGION: No policies attached to users" "$REGION" "$user"
  fi
}