2019-06-11 22:24:35 +00:00
require " resource_support/aws/aws_singular_resource_mixin "
require " resource_support/aws/aws_backend_base "
require " aws-sdk-iam "
2019-05-25 08:33:26 +00:00
2017-06-13 05:44:11 +00:00
class AwsIamRootUser < Inspec . resource ( 1 )
2019-06-11 22:24:35 +00:00
name " aws_iam_root_user "
desc " Verifies settings for AWS root account "
2019-03-19 14:17:32 +00:00
example << ~ EXAMPLE
2017-06-13 05:44:11 +00:00
describe aws_iam_root_user do
2018-01-23 16:01:51 +00:00
it { should have_access_key }
2017-06-13 05:44:11 +00:00
end
2019-03-19 14:17:32 +00:00
EXAMPLE
2019-06-11 22:24:35 +00:00
supports platform : " aws "
2017-06-13 05:44:11 +00:00
2018-02-08 04:26:37 +00:00
# TODO: rewrite to avoid direct injection, match other resources, use AwsSingularResourceMixin
def initialize ( conn = nil )
@client = conn ? conn . iam_client : inspec_runner . backend . aws_client ( Aws :: IAM :: Client )
end
2018-02-14 19:15:20 +00:00
# TODO: DRY up, see https://github.com/chef/inspec/issues/2633
# Copied from resource_support/aws/aws_resource_mixin.rb
def catch_aws_errors
yield
rescue Aws :: Errors :: MissingCredentialsError
# The AWS error here is unhelpful:
# "unable to sign request without credentials set"
2020-09-14 19:46:58 +00:00
Inspec :: Log . error " It appears that you have not set your AWS credentials. You may set them using environment variables, or using the 'aws://region/aws_credentials_profile' target. See https://docs.chef.io/inspec/platforms/ for details. "
2019-06-11 22:24:35 +00:00
fail_resource ( " No AWS credentials available " )
2018-02-14 19:15:20 +00:00
rescue Aws :: Errors :: ServiceError = > e
fail_resource e . message
end
# TODO: DRY up, see https://github.com/chef/inspec/issues/2633
# Copied from resource_support/aws/aws_singular_resource_mixin.rb
2018-02-08 04:26:37 +00:00
def inspec_runner
# When running under inspec-cli, we have an 'inspec' method that
# returns the runner. When running under unit tests, we don't
# have that, but we still have to call this to pass something
# (nil is OK) to the backend.
# TODO: remove with https://github.com/chef/inspec-aws/issues/216
# TODO: remove after rewrite to include AwsSingularResource
inspec if respond_to? ( :inspec )
2017-06-13 05:44:11 +00:00
end
2018-01-23 16:01:51 +00:00
def has_access_key?
2019-06-11 22:24:35 +00:00
summary_account [ " AccountAccessKeysPresent " ] == 1
2017-06-13 05:44:11 +00:00
end
2017-08-16 09:53:44 +00:00
def has_mfa_enabled?
2019-06-11 22:24:35 +00:00
summary_account [ " AccountMFAEnabled " ] == 1
2017-08-16 09:53:44 +00:00
end
2018-04-03 13:13:52 +00:00
# if the root account has a Virtual MFA device then it will have a special
# serial number ending in 'root-account-mfa-device'
def has_virtual_mfa_enabled?
mfa_device_pattern = %r{ arn:aws:iam:: \ d { 12 } :mfa \ /root-account-mfa-device }
2019-06-11 22:24:35 +00:00
virtual_mfa_devices . any? { | d | mfa_device_pattern =~ d [ " serial_number " ] }
2018-04-03 13:13:52 +00:00
end
def has_hardware_mfa_enabled?
has_mfa_enabled? && ! has_virtual_mfa_enabled?
end
2017-06-13 05:44:11 +00:00
def to_s
2019-06-11 22:24:35 +00:00
" AWS Root-User "
2017-06-13 05:44:11 +00:00
end
private
def summary_account
2018-02-14 19:15:20 +00:00
catch_aws_errors do
@summary_account || = @client . get_account_summary . summary_map
end
2017-06-13 05:44:11 +00:00
end
2018-04-03 13:13:52 +00:00
def virtual_mfa_devices
catch_aws_errors do
@__virtual_devices || = @client . list_virtual_mfa_devices . virtual_mfa_devices
end
end
2017-06-13 05:44:11 +00:00
end