def run(self, api_data):
    """Report password-rotation findings for every non-root user.

    Args:
        api_data: Collector output; it is handed to
            ``self.collect_requirements`` unchanged and not read here.

    Returns:
        ``self.results``: a list of dicts with ``resource``, ``region``,
        ``severity`` and ``message`` keys, one per evaluated user, or a
        single severity-0 "No users found" entry when the user list is empty.
    """
    # Start from an empty list so findings from a previous run never leak
    # into this one.
    self.results = []

    requirements = self.collect_requirements(api_data)
    users = requirements['users']['aws-global']
    if not users:
        self.results.append({
            'resource': 'None',
            'region': 'aws-global',
            'severity': 0,
            'message': 'No users found',
        })

    threshold_key = 'password_rotation_severity_{}_threshold'
    message_key = 'password_rotation_severity_{}_message'

    def rotation_finding(username, last_changed):
        """Map one user's password age to a (severity, message) pair."""
        if last_changed == 'N/A':
            text = self.config['no_password_message'].format(username=username)
            return 0, text
        # NOTE(review): this negates utils.days_ago(). The days_ago tests on
        # this page expect a positive value for a date in the past; if that is
        # the same helper, days_elapsed is negative for every real rotation
        # date, never exceeds a positive threshold, and stale passwords would
        # always be reported at severity 0 -- confirm the sign.
        days_elapsed = -(utils.days_ago(last_changed))
        # Thresholds are checked from most severe to least; the first one
        # exceeded wins.
        if days_elapsed > self.config[threshold_key.format('2')]:
            level = '2'
        elif days_elapsed > self.config[threshold_key.format('1')]:
            level = '1'
        else:
            level = '0'
        text = self.config[message_key.format(level)].format(
            username=username,
            days=days_elapsed,
        )
        return int(level), text

    for user in users:
        # The root account is excluded from this check.
        if user['user'] == '<root_account>':
            continue
        resource_arn = user['arn']
        severity, message = rotation_finding(
            user['user'],
            user.get('password_last_changed', 'N/A'),
        )
        self.results.append({
            'resource': resource_arn,
            'region': 'aws-global',
            'severity': severity,
            'message': message,
        })

    return self.results
def test_can_find_difference_one_day_ago(self):
    """A timestamp one day in the past is reported as 1 day ago."""
    one_day_ago = arrow.utcnow().shift(days=-1).isoformat()
    self.assertEqual(days_ago(one_day_ago), 1)
def test_can_find_difference_60_days_in_the_future(self):
    """A timestamp 60 days ahead is reported as a negative age (-60)."""
    sixty_days_ahead = arrow.utcnow().shift(days=60).isoformat()
    self.assertEqual(days_ago(sixty_days_ahead), -60)
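def _check_last_used(self, user, key_1_or_2):
    """Build one finding for how recently one of a user's access keys was used.

    Args:
        user: One user record; reads ``arn``, ``user`` and
            ``access_key_<key_1_or_2>_last_used_date``.
        key_1_or_2: Which access-key slot to inspect (``1`` or ``2``); it is
            only used to build the record key and the message text.

    Returns:
        A dict with ``resource``, ``region``, ``severity`` and ``message``.
        Severity is 0 when the key was never used (``'N/A'``) or its age is
        within the severity-one threshold, 1 above that threshold, and 2
        above the severity-two threshold.
    """
    resource = user['arn']
    username = user['user']
    region = 'aws-global'
    # .get() returns None when a threshold is missing from the config, and
    # the comparisons below would then raise TypeError; both keys are
    # expected to be configured.
    sev_2_threshold = self.config.get(
        'access_key_last_used_severity_two_threshold')
    sev_1_threshold = self.config.get(
        'access_key_last_used_severity_one_threshold')

    def finding(severity, message):
        """Wrap a severity/message pair in the plugin's result shape."""
        return {
            'resource': resource,
            'region': region,
            'severity': severity,
            'message': message,
        }

    last_used_key = 'access_key_{}_last_used_date'.format(key_1_or_2)
    last_used = user.get(last_used_key, 'N/A')
    if last_used == 'N/A':
        return finding(
            0,
            'Access key {} has never been used for {}'.format(
                key_1_or_2, username),
        )

    # NOTE(review): this negates utils.days_ago(). The days_ago tests on this
    # page expect a positive value for a date in the past; if that is the same
    # helper, the age is negative for every real last-used date, never exceeds
    # a positive threshold, and unused keys would always score severity 0 --
    # confirm the sign. The local is named days_since_use so it does not
    # shadow a module-level days_ago.
    days_since_use = -(utils.days_ago(last_used))
    message = 'Access key {} last used {} days ago for {}'.format(
        key_1_or_2, days_since_use, username)
    # Most severe threshold first; the first one exceeded decides.
    if days_since_use > sev_2_threshold:
        return finding(2, message)
    if days_since_use > sev_1_threshold:
        return finding(1, message)
    return finding(0, message)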