# author: Chris Redekop
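class AwsIamAccessKey < Inspec.resource(1)
  name 'aws_iam_access_key'
  desc 'Verifies settings for AWS IAM access keys'
  example "
    describe aws_iam_access_key(username: 'username', id: 'access-key id') do
      it { should exist }
      it { should_not be_active }
      its('create_date') { should be > Time.now - 365 * 86400 }
      its('last_used_date') { should be > Time.now - 90 * 86400 }
    end
  "

  # @param opts [Hash] resource arguments; only :username and :id are read
  # @param decorator [#get_access_key, #get_access_key_last_used] wrapper
  #   around the IAM client; injectable so lookups can be stubbed in tests
  def initialize(opts, decorator = IamClientDecorator.new)
    @opts = opts
    @decorator = decorator
  end

  # True when the key is present on the named user.
  #
  # A missing key (AccessKeyNotFoundError) and a missing user
  # (Aws::IAM::Errors::NoSuchEntity) both map to false. Any other API error
  # (for example an authorization failure) is deliberately NOT rescued, so a
  # permissions problem is reported as an error rather than as "key does not
  # exist".
  def exists?
    !access_key.nil?
  rescue AccessKeyNotFoundError, Aws::IAM::Errors::NoSuchEntity
    false
  end

  # @return [String] the access key id as reported by IAM
  def id
    access_key.access_key_id
  end

  # Anything other than the literal status 'Active' counts as inactive.
  def active?
    'Active'.eql?(access_key.status)
  end

  # @return [Time] creation time of the key
  def create_date
    access_key.create_date
  end

  # @return [Time, nil] time of last use as reported by
  #   GetAccessKeyLastUsed. NOTE(review): this appears to be nil for a key
  #   that has never been used -- confirm; a control comparing it with a Time
  #   should treat the never-used case explicitly rather than rely on the
  #   comparison raising.
  def last_used_date
    access_key_last_used.last_used_date
  end

  def to_s
    "IAM Access-Key #{@opts[:id]}"
  end

  # Raised when the requested key id is not among the user's keys.
  class AccessKeyNotFoundError < StandardError
  end

  # Thin wrapper over the IAM client: validates resource arguments and
  # narrows the API responses down to the objects the resource needs.
  class IamClientDecorator
    # @param validator [#validate_username, #validate_id]
    # @param conn [#iam_client] connection factory
    def initialize(validator = ArgumentValidator.new,
                   conn = AWSConnection.new)
      @validator = validator
      @client = conn.iam_client
    end

    # Looks up one access key of a user by key id.
    #
    # Only the first page of ListAccessKeys is read; this relies on the
    # per-user access-key quota (two keys) keeping the listing on one page.
    #
    # @raise [ArgumentError] when username or id is nil
    # @raise [AccessKeyNotFoundError] when the user has no key with that id
    # @return [Aws::IAM::Types::AccessKeyMetadata]
    def get_access_key(username, id)
      @validator.validate_username(username)
      @validator.validate_id(id)

      access_key = @client.list_access_keys({ user_name: username })
                          .access_key_metadata
                          .find { |key| key.access_key_id.eql?(id) }

      if access_key.nil?
        raise AccessKeyNotFoundError,
              "access key not found [username = \"#{username}\", id = \"#{id}\"]"
      end

      access_key
    end

    # @raise [ArgumentError] when id is nil
    # @return [Aws::IAM::Types::AccessKeyLastUsed]
    def get_access_key_last_used(id)
      @validator.validate_id(id)

      @client.get_access_key_last_used({ access_key_id: id })
             .access_key_last_used
    end

    # Defines validate_username(value) and validate_id(value); each raises
    # ArgumentError when the value is nil and otherwise returns nil.
    class ArgumentValidator
      %i[username id].each do |argument|
        define_method "validate_#{argument}" do |value|
          return unless value.nil?

          raise ArgumentError,
                "missing required resource argument \"#{argument}\""
        end
      end
    end
  end

  private

  # Memoized so repeated matchers in one describe block issue one API call.
  def access_key
    @access_key ||= @decorator.get_access_key(@opts[:username], @opts[:id])
  end

  # Memoized for the same reason as access_key.
  def access_key_last_used
    @access_key_last_used ||= @decorator.get_access_key_last_used(@opts[:id])
  end
end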