github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/iam/no_root_access_keys.go (about)

     1  package iam
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/pkg/framework"
     5  
     6  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     7  
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  
    10  	"github.com/khulnasoft-lab/defsec/pkg/scan"
    11  
    12  	"github.com/khulnasoft-lab/defsec/internal/rules"
    13  
    14  	"github.com/khulnasoft-lab/defsec/pkg/providers"
    15  )
    16  
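// checkNoRootAccessKeys reports active access keys attached to the IAM user
// named "root". It is registered for CIS AWS 1.2 (control 1.12) and
// CIS AWS 1.4 (control 1.4) as well as the default framework.
//
// NOTE(review): only keys whose Active flag is true are reported; a key that
// has been deactivated but not deleted still passes. Confirm that matches the
// intended reading of the CIS control before relying on a pass here.
var checkNoRootAccessKeys = rules.Register(
	scan.Rule{
		AVDID:     "AVD-AWS-0141",
		Provider:  providers.AWSProvider,
		Service:   "iam",
		ShortCode: "no-root-access-keys",
		Frameworks: map[framework.Framework][]string{
			framework.Default:     nil,
			framework.CIS_AWS_1_2: {"1.12"},
			framework.CIS_AWS_1_4: {"1.4"},
		},
		Summary:    "The root user has complete access to all services and resources in an AWS account. AWS Access Keys provide programmatic access to a given account.",
		Impact:     "Compromise of the root account compromises the entire AWS account and all resources within it.",
		Resolution: "Use lower privileged accounts instead, so only required privileges are available.",
		Explanation: `
CIS recommends that all access keys be associated with the root user be removed. Removing access keys associated with the root user limits vectors that the account can be compromised by. Removing the root user access keys also encourages the creation and use of role-based accounts that are least privileged.
			`,
		Links: []string{
			"https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoRootAccessKeysGoodExamples,
			BadExamples:         terraformNoRootAccessKeysBadExamples,
			Links:               terraformNoRootAccessKeysLinks,
			RemediationMarkdown: terraformNoRootAccessKeysRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	// Evaluates the rule against the scanned state: one failing result per
	// active key on the root user, or a single passing result for a root user
	// that has no active key. Users with any other name are ignored.
	func(s *state.State) (results scan.Results) {
		users := s.AWS.IAM.Users
		for i := range users {
			// Address the slice element, not the range variable: &loopVar is
			// the same address on every iteration before Go 1.22, so pointers
			// handed to Add/AddPassed would otherwise alias (gosec G601).
			user := &users[i]
			if !user.Name.EqualTo("root") {
				continue
			}

			hasActiveKey := false
			for j := range user.AccessKeys {
				key := &user.AccessKeys[j]
				if key.Active.IsTrue() {
					results.Add("Access key exists for root user", key)
					hasActiveKey = true
				}
			}
			if !hasActiveKey {
				results.AddPassed(user)
			}
		}
		return results
	},
)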