
     1  package iam
     2  
     3  import (
     4  	"fmt"
     5  	"time"
     6  
     7  	"github.com/khulnasoft-lab/defsec/pkg/framework"
     8  
     9  	"github.com/khulnasoft-lab/defsec/pkg/severity"
    10  
    11  	"github.com/khulnasoft-lab/defsec/pkg/state"
    12  
    13  	"github.com/khulnasoft-lab/defsec/pkg/scan"
    14  
    15  	"github.com/khulnasoft-lab/defsec/internal/rules"
    16  
    17  	"github.com/khulnasoft-lab/defsec/pkg/providers"
    18  )
    19  
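// CheckUnusedCredentialsDisabled reports IAM users whose console login or active
// access keys have not been used within the last 90 days (CIS AWS 1.2, control 1.3).
// A user with a stale console login is failed once and not examined further;
// otherwise each active access key with a resolvable last-use time older than the
// threshold produces its own finding, and a user with no such key passes.
var CheckUnusedCredentialsDisabled = rules.Register(
	scan.Rule{
		AVDID:    "AVD-AWS-0144",
		Provider: providers.AWSProvider,
		Frameworks: map[framework.Framework][]string{
			framework.CIS_AWS_1_2: {"1.3"},
		},
		Service:    "iam",
		ShortCode:  "disable-unused-credentials",
		Summary:    "Credentials which are no longer used should be disabled.",
		Impact:     "Leaving unused credentials active widens the scope for compromise.",
		Resolution: "Disable credentials which are no longer used.",
		Explanation: `
CIS recommends that you remove or deactivate all credentials that have been unused in 90 days or more. Disabling or removing unnecessary credentials reduces the window of opportunity for credentials associated with a compromised or abandoned account to be used.
			`,
		Links: []string{
			"https://console.aws.amazon.com/iam/",
		},
		Severity: severity.Medium,
	},
	func(s *state.State) (results scan.Results) {
		// Resolve the threshold once so every user and key in this scan is
		// compared against the same instant instead of a fresh time.Now() per check.
		const unusedFor = 90 * 24 * time.Hour
		cutoff := time.Now().Add(-unusedFor)

		for _, user := range s.AWS.IAM.Users {
			// Pin a per-iteration copy: &user is handed to the results below, and
			// under pre-1.22 loop semantics the range variable is shared across
			// iterations, so every finding would otherwise point at the last user.
			user := user

			if user.HasLoggedIn() && user.LastAccess.Before(cutoff) {
				results.Add("User has not logged in for >90 days", &user)
				continue
			}

			var staleKey bool
			for _, key := range user.AccessKeys {
				// Inactive keys and keys whose last-use time cannot be resolved are
				// skipped rather than reported; only a known use before the cutoff
				// counts as unused.
				if key.Active.IsFalse() || !key.LastAccess.GetMetadata().IsResolvable() ||
					key.LastAccess.After(cutoff) {
					continue
				}
				results.Add(fmt.Sprintf("User access key '%s' has not been used in >90 days", key.AccessKeyId.Value()), &user)
				staleKey = true
			}
			if !staleKey {
				results.AddPassed(&user)
			}
		}

		return
	},
)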