Correct access_key detection on aws_iam_root_user (#198)

Signed-off-by: Rony Xavier <rx294@nyu.edu>

docs/resources/aws_iam_root_user.md

@@ -26,10 +26,10 @@ An `aws_iam_root_user` resource block requires no parameters but has several mat
 
 The following examples show how to use this InSpec audit resource.
 
-### Test that the AWS root account has only one access key
+### Test that the AWS root account has at-least one access key
 
     describe aws_iam_root_user do
-      its('access_key_count') { should eq 1 }
+      it { should have_access_key }
     end
 
 ### Test that the AWS root account has Multi-Factor Authentication enabled
@@ -49,3 +49,9 @@ This InSpec audit resource has the following special matchers. For a full list o
 The `have_mfa_enabled` matcher tests if the AWS root user has Multi-Factor Authentication enabled, requiring them to enter a secondary code when they login to the web console.
 
     it { should have_mfa_enabled }
+
+### have_access_key
+
+The `have_access_key` matcher tests if the AWS root user has at least one access key.
+
+    it { should have_access_key }

libraries/aws_iam_root_user.rb

@@ -6,7 +6,7 @@ class AwsIamRootUser < Inspec.resource(1)
   desc 'Verifies settings for AWS root account'
   example "
     describe aws_iam_root_user do
-      its('access_key_count') { should eq 0 }
+      it { should have_access_key }
     end
   "
 
@@ -14,8 +14,8 @@ class AwsIamRootUser < Inspec.resource(1)
     @client = conn.iam_client
   end
 
-  def access_key_count
-    summary_account['AccountAccessKeysPresent']
+  def has_access_key?
+    summary_account['AccountAccessKeysPresent'] == 1
   end
 
   def has_mfa_enabled?

test/integration/default/verify/controls/aws_iam_root_user.rb

@@ -18,10 +18,10 @@ control "aws_iam_root_user has_mfa_enabled property" do
   end
 end
 
-#------------- Property - access_key_count -------------#
-# test for = 1 in 'minimal' test set
-control "aws_iam_root_user access_key_count property" do
+#------------- Property - has_access_key -------------#
+# Positive test in 'minimal' test set
+control "aws_iam_root_user has_access_key property" do
   describe aws_iam_root_user do
-    its('access_key_count') { should be 0 }
+    it { should_not have_access_key }
   end
 end

test/integration/minimal/verify/controls/aws_iam_root_user.rb

@@ -18,10 +18,10 @@ control "aws_iam_root_user has_mfa_enabled property" do
   end
 end
 
-#------------- Property - access_key_count -------------#
-# test for = 0 in 'default' test set
-control "aws_iam_root_user access_key_count property" do
+#------------- Property - has_access_key -------------#
+# Negative test in 'default' test set
+control "aws_iam_root_user has_access_key property" do
   describe aws_iam_root_user do
-    its('access_key_count') { should be 1 }
+    it { should have_access_key }
   end
 end

test/unit/resources/aws_iam_root_user_test.rb

@@ -10,14 +10,22 @@ class AwsIamRootUserTest < Minitest::Test
     @mock_conn.expect :iam_client, @mock_client
   end
 
-  def test_access_key_count_returns_from_summary_account
-    expected_keys = 2
+  def test_has_access_key_returns_true_from_summary_account
     test_summary_map = OpenStruct.new(
-      summary_map: { 'AccountAccessKeysPresent' => expected_keys },
+      summary_map: { 'AccountAccessKeysPresent' => 1 },
     )
     @mock_client.expect :get_account_summary, test_summary_map
 
-    assert_equal expected_keys, AwsIamRootUser.new(@mock_conn).access_key_count
+    assert_equal true, AwsIamRootUser.new(@mock_conn).has_access_key?
+  end
+
+  def test_has_access_key_returns_false_from_summary_account
+    test_summary_map = OpenStruct.new(
+      summary_map: { 'AccountAccessKeysPresent' => 0 },
+    )
+    @mock_client.expect :get_account_summary, test_summary_map
+
+    assert_equal false, AwsIamRootUser.new(@mock_conn).has_access_key?
   end
 
   def test_has_mfa_enabled_returns_true_when_account_mfa_devices_is_one