
     1  package iam
     2  
     3  import (
     4  	"fmt"
     5  	"time"
     6  
     7  	"github.com/khulnasoft-lab/defsec/pkg/framework"
     8  
     9  	"github.com/khulnasoft-lab/defsec/pkg/severity"
    10  
    11  	"github.com/khulnasoft-lab/defsec/pkg/state"
    12  
    13  	"github.com/khulnasoft-lab/defsec/pkg/scan"
    14  
    15  	"github.com/khulnasoft-lab/defsec/internal/rules"
    16  
    17  	"github.com/khulnasoft-lab/defsec/pkg/providers"
    18  )
    19  
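// CheckAccessKeysRotated flags IAM users that still hold an active access key
// older than 90 days (CIS AWS 1.2 control 1.4 / CIS AWS 1.4 control 1.14).
// A user passes only when none of their active keys is past the rotation
// window; inactive keys are ignored because they cannot be used to
// authenticate.
var CheckAccessKeysRotated = rules.Register(
	scan.Rule{
		AVDID:    "AVD-AWS-0146",
		Provider: providers.AWSProvider,
		Frameworks: map[framework.Framework][]string{
			framework.CIS_AWS_1_2: {"1.4"},
			framework.CIS_AWS_1_4: {"1.14"},
		},
		Service:    "iam",
		ShortCode:  "rotate-access-keys",
		Summary:    "Access keys should be rotated at least every 90 days",
		Impact:     "Compromised keys are more likely to be used to compromise the account",
		Resolution: "Rotate keys every 90 days or less",
		Explanation: `
Regularly rotating your IAM credentials helps prevent a compromised set of IAM access keys from accessing components in your AWS account.
			`,
		Links: []string{
			"https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automatically-rotate-iam-user-access-keys-at-scale-with-aws-organizations-and-aws-secrets-manager.html",
		},
		Severity: severity.Low,
	},
	func(s *state.State) (results scan.Results) {
		// Maximum age an active key may reach before it must be rotated.
		const maxAge = 90 * 24 * time.Hour

		// Sample the clock once so every key is judged against the same instant
		// and the "days overdue" figure agrees with the Before() comparison.
		now := time.Now()
		cutoff := now.Add(-maxAge)

		for i := range s.AWS.IAM.Users {
			// Point results at the slice element itself rather than at a loop
			// variable, which older Go versions share across iterations.
			user := &s.AWS.IAM.Users[i]

			var hasStaleKey bool
			for _, key := range user.AccessKeys {
				// An inactive key cannot be used to authenticate; its age is irrelevant.
				if key.Active.IsFalse() {
					continue
				}
				if !key.CreationDate.Before(cutoff) {
					continue
				}

				// Overdue time is measured from the rotation deadline, i.e. the
				// creation date plus the rotation window. (Subtracting the window
				// from the creation date instead overstated the figure by 180 days.)
				deadline := key.CreationDate.Value().Add(maxAge)
				days := int(now.Sub(deadline).Hours() / 24)
				if days == 0 {
					// A key that crossed the deadline less than a full day ago is
					// still reported as at least one day overdue.
					days = 1
				}

				results.Add(fmt.Sprintf("User access key '%s' should have been rotated %d day(s) ago", key.AccessKeyId.Value(), days), user)
				hasStaleKey = true
			}

			if !hasStaleKey {
				results.AddPassed(user)
			}
		}

		return results
	},
)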