def aged_out(timestamp):
    """Return True when ``timestamp`` is older than ``TIMEOUT_DAYS``.

    Args:
        timestamp: Timestamp string as stored on the resource. Falsy values
            are treated as "not aged out".

    Returns:
        True only when the value parses and its age, measured against the
        local ``datetime.now()`` clock, exceeds ``TIMEOUT_DAYS``. False in
        every other case, including a missing or unparseable value.
    """
    # A missing or malformed timestamp is never reported as aged out
    # (fail-open): a garbled value silently disables this check.
    parsed = resolve_timestamp_string(timestamp) if timestamp else None
    if not parsed:
        return False

    # NOTE(review): now() is local and naive. If resolve_timestamp_string
    # ever returns a tz-aware datetime this subtraction raises TypeError,
    # and TIMEOUT_DAYS must be a timedelta for the comparison to work —
    # confirm both against the helper and the constant.
    age = datetime.datetime.now() - parsed
    return age > TIMEOUT_DAYS
def policy(resource):
    """Pass unless the user's first access key was created too soon after
    the user itself (a sign of an auto-generated key).

    Args:
        resource: IAM user resource dict. Reads ``CredentialReport``,
            ``CredentialReport.AccessKey1LastRotated`` and ``TimeCreated``.

    Returns:
        True (compliant) when the key rotation is at least
        ``MAX_SECONDS_TO_AUTOGEN_KEY`` after user creation, or whenever the
        check cannot be evaluated yet; False otherwise.
    """
    # Users younger than ~4 hours may not have a credential report yet. They
    # are re-scanned until one appears, so pass rather than fail them now.
    if not resource.get("CredentialReport"):
        return True

    rotated = deep_get(resource, "CredentialReport", "AccessKey1LastRotated")
    # DEFAULT_TIME stands for "never rotated": there is no key to evaluate.
    if rotated == DEFAULT_TIME:
        return True

    created = resource.get("TimeCreated", "")
    rotated_at = resolve_timestamp_string(rotated)
    created_at = resolve_timestamp_string(created)

    # NOTE(review): an unparseable timestamp passes the policy (fail-open),
    # in line with the re-scan intent above. A malformed TimeCreated or
    # AccessKey1LastRotated therefore never yields a finding — confirm that
    # is acceptable for this control.
    if not rotated_at or not created_at:
        return True

    # NOTE(review): MAX_SECONDS_TO_AUTOGEN_KEY is compared against a
    # timedelta, so it must itself be a timedelta despite the name — verify.
    key_age_at_creation = rotated_at - created_at
    return key_age_at_creation >= MAX_SECONDS_TO_AUTOGEN_KEY
def policy(resource):
    """Pass when the resource's ``NotAfter`` expiry is at least
    ``EXPIRATION_BUFFER`` in the future.

    Args:
        resource: Resource dict carrying a ``NotAfter`` timestamp string.

    Returns:
        False when ``NotAfter`` is absent or empty; True when it is present
        but cannot be parsed; otherwise True iff the remaining lifetime,
        measured against the local ``datetime.now()`` clock, is at least
        ``EXPIRATION_BUFFER``.
    """
    raw_expiry = resource.get("NotAfter")
    if not raw_expiry:
        return False

    expires_at = resolve_timestamp_string(raw_expiry)

    # NOTE(review): a present-but-unparseable NotAfter passes (fail-open)
    # while a missing one fails. A malformed expiry string therefore never
    # produces a finding — confirm this asymmetry is intended.
    if not expires_at:
        return True

    # NOTE(review): now() is local/naive; if the helper returns a tz-aware
    # datetime this subtraction raises TypeError — confirm.
    remaining = expires_at - datetime.datetime.now()
    return remaining >= EXPIRATION_BUFFER
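def rule(event):
    """Alert on every new AWS account creation and remember it for
    follow-up correlation.

    Args:
        event: Panther event. Reads the UDM ``event_type`` plus the
            ``p_event_time`` and ``p_row_id`` fields.

    Returns:
        False for anything other than ``ACCOUNT_CREATED``. True otherwise,
        after caching ``new_account - <account_id>`` -> [this event's id]
        in the string-set store with an expiry of event time + ``TTL``
        (skipped when no account id can be parsed from the event).
    """
    if event.udm("event_type") != event_type.ACCOUNT_CREATED:
        return False

    account_id = parse_new_account_id(event)
    event_time = resolve_timestamp_string(event.get("p_event_time"))
    # NOTE(review): if resolve_timestamp_string returns None (sibling
    # policies guard for that), the addition raises TypeError and the rule
    # errors out loudly rather than caching. Left as-is on purpose: a silent
    # skip would drop the correlation key without any signal.
    expiry_time = event_time + TTL
    account_event_id = f"new_aws_account_{event.get('p_row_id')}"

    if account_id:
        # Expiry as epoch seconds. strftime("%s") was a glibc extension
        # (absent on Windows) that runs mktime() on the wall-clock fields and
        # so ignores any tzinfo on expiry_time; timestamp() is portable and
        # honours tzinfo, giving the same value for naive local datetimes.
        epoch_seconds = str(int(expiry_time.timestamp()))
        put_string_set("new_account - " + account_id, [account_event_id],
                       epoch_seconds)

    return True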
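def rule(event):
    """Alert on every new user account creation and remember it for
    follow-up correlation.

    Args:
        event: Panther event. Reads the UDM ``event_type``, ``user`` and
            ``user_account_id`` plus the ``p_event_time`` and ``p_row_id``
            fields.

    Returns:
        False for anything other than ``USER_ACCOUNT_CREATED``. True
        otherwise, after caching ``<user>-<account>`` -> [this event's id]
        in the string-set store with an expiry of event time + ``TTL``
        (skipped when the event carries no user name).
    """
    if event.udm("event_type") != event_type.USER_ACCOUNT_CREATED:
        return False

    user_event_id = f"new_user_{event.get('p_row_id')}"
    new_user = event.udm("user")
    # Missing account ids are still cached under a sentinel so the user key
    # remains unique and correlatable.
    new_account = event.udm("user_account_id") or "<UNKNOWN_ACCOUNT>"
    event_time = resolve_timestamp_string(event.get("p_event_time"))
    # NOTE(review): a None from resolve_timestamp_string raises TypeError
    # here and errors the rule loudly rather than caching silently; kept.
    expiry_time = event_time + TTL

    if new_user:
        # Expiry as epoch seconds. strftime("%s") was a glibc extension
        # (absent on Windows) that runs mktime() on the wall-clock fields and
        # so ignores any tzinfo on expiry_time; timestamp() is portable and
        # honours tzinfo, giving the same value for naive local datetimes.
        epoch_seconds = str(int(expiry_time.timestamp()))
        put_string_set(new_user + "-" + str(new_account), [user_event_id],
                       epoch_seconds)
    return True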
def policy(resource):
    """Pass when the trail delivers to CloudWatch Logs and did so recently.

    Args:
        resource: CloudTrail trail dict. Reads ``CloudWatchLogsLogGroupArn``
            and ``Status.LatestCloudWatchLogsDeliveryTime``.

    Returns:
        False when no log group is configured or no delivery has ever been
        recorded; True when the delivery time is present but unparseable;
        otherwise True iff the last delivery, measured against
        ``datetime.utcnow()``, is no older than ``MAX_TIME_BETWEEN_LOGS``.
    """
    log_group_arn = resource.get("CloudWatchLogsLogGroupArn")
    last_delivery = deep_get(resource, "Status", "LatestCloudWatchLogsDeliveryTime")

    # Both a configured log group and at least one delivery are required;
    # a trail that never delivered anything is a finding, not "unknown".
    if not log_group_arn or not last_delivery:
        return False

    delivered_at = resolve_timestamp_string(last_delivery)

    # NOTE(review): an unparseable delivery time passes (fail-open), so a
    # trail with a malformed timestamp is never flagged as stale — confirm.
    if not delivered_at:
        return True

    # utcnow() is deprecated since 3.12 but deliberately kept: it yields a
    # naive datetime, and switching to now(timezone.utc) would break this
    # subtraction if delivered_at is naive. Note the sibling checks in this
    # corpus use local now() instead — the two clocks are not interchangeable.
    silence = datetime.datetime.utcnow() - delivered_at
    return silence <= MAX_TIME_BETWEEN_LOGS