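package iam

import (
	"fmt"
	"time"

	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/framework"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// unusedCredentialDays is the inactivity threshold, in days, after which a
// console password or an active access key is reported as unused
// (CIS AWS Foundations Benchmark 1.4, control 1.12).
const unusedCredentialDays = 45

// CheckUnusedCredentialsDisabled45Days reports IAM users whose console login
// or active access keys have not been used within unusedCredentialDays.
//
// A user is reported once when the console login is stale; otherwise each
// stale active access key is reported individually. Users with no finding
// are recorded as passed.
var CheckUnusedCredentialsDisabled45Days = rules.Register(
	scan.Rule{
		AVDID:    "AVD-AWS-0166",
		Provider: providers.AWSProvider,
		Frameworks: map[framework.Framework][]string{
			framework.CIS_AWS_1_4: {"1.12"},
		},
		Service:    "iam",
		ShortCode:  "disable-unused-credentials-45-days",
		Summary:    "AWS IAM users can access AWS resources using different types of credentials, such as\npasswords or access keys. It is recommended that all credentials that have been unused in\n45 or greater days be deactivated or removed.",
		Impact:     "Leaving unused credentials active widens the scope for compromise.",
		Resolution: "Disable credentials which are no longer used.",
		Explanation: `
Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.
`,
		Links: []string{
			"https://console.aws.amazon.com/iam/",
		},
		Severity: severity.Low,
	},
	func(s *state.State) (results scan.Results) {
		// Compute the cutoff once so every user and key is judged against the
		// same instant instead of a fresh time.Now() per comparison.
		cutoff := time.Now().Add(-unusedCredentialDays * 24 * time.Hour)

		for _, user := range s.AWS.IAM.Users {
			// Results hold a pointer to the user; copy the loop variable so each
			// result refers to its own user regardless of the module's Go
			// version loop-variable semantics.
			user := user

			// A stale console login is reported once for the user and the keys
			// are not examined further (preserves the original short-circuit).
			if user.HasLoggedIn() && user.LastAccess.Before(cutoff) {
				results.Add(fmt.Sprintf("User has not logged in for >%d days", unusedCredentialDays), &user)
				continue
			}

			var flaggedKey bool
			for _, key := range user.AccessKeys {
				// Already-inactive keys need no action. Keys whose last-use
				// timestamp is not resolvable (presumably never used) are
				// skipped too, so a key created but never used is not reported
				// by this check.
				if key.Active.IsFalse() || !key.LastAccess.GetMetadata().IsResolvable() {
					continue
				}
				if key.LastAccess.After(cutoff) {
					continue
				}
				results.Add(fmt.Sprintf("User access key '%s' has not been used in >%d days", key.AccessKeyId.Value(), unusedCredentialDays), &user)
				flaggedKey = true
			}
			if !flaggedKey {
				results.AddPassed(&user)
			}
		}

		return
	},
)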