fluidasserts.cloud.aws.iam module

AWS cloud checks (IAM).

fluidasserts.cloud.aws.iam.group_with_inline_policies(key_id, secret, retry=True)

Check if IAM groups have any inline policies attached.

Parameters
  • key_id (str) – AWS Key Id.

  • secret (str) – AWS Key Secret.

Returns

  • OPEN if there are groups with inline policies attached.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.cloud.aws.iam.has_mfa_disabled(key_id, secret, retry=True)

Search users with password enabled and without MFA.

Parameters
  • key_id (str) – AWS Key Id

  • secret (str) – AWS Key Secret

Return type

tuple

fluidasserts.cloud.aws.iam.has_not_support_role(key_id, secret, retry=True)

Check if the account has no support role (an IAM role for managing incidents with AWS Support).

Parameters
  • key_id (str) – AWS Key Id

  • secret (str) – AWS Key Secret

Return type

tuple

fluidasserts.cloud.aws.iam.has_old_ssh_public_keys(key_id, secret, retry=True)

Find IAM users that keep outdated (older than 90 days) SSH public keys.

Parameters
  • key_id (str) – AWS Key Id.

  • secret (str) – AWS Key Secret.

Returns

  • OPEN if there are users with outdated SSH public keys.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.cloud.aws.iam.has_permissive_role_policies(key_id, secret, retry=True)

Check if an IAM Role Policy grants wildcard privileges.

See https://cwe.mitre.org/data/definitions/250.html

See IAM Best Practices

Parameters
  • key_id (str) – AWS Key Id

  • secret (str) – AWS Key Secret

Return type

tuple

fluidasserts.cloud.aws.iam.has_privileges_over_iam(key_id, secret, retry=True)

Check if any policy document grants privileges over IAM.

Parameters
  • key_id (str) – AWS Key Id.

  • secret (str) – AWS Key Secret.

Returns

  • OPEN if any policy document grants privileges over IAM.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.cloud.aws.iam.has_root_active_signing_certificates(key_id, secret, retry=True)

Check if the root user has active signing certificates.

To comply with security best practices, make sure the root user is not using X.509 signing certificates to make requests to AWS through the SOAP protocol. Disable any X.509 certificate on the root user: the root account should not be used for daily tasks, so leaving such certificates active is not a recommended practice.

Parameters
  • key_id (str) – AWS Key Id

  • secret (str) – AWS Key Secret

Return type

tuple

fluidasserts.cloud.aws.iam.has_wildcard_resource_on_write_action(key_id, secret, retry=True)

Check if write actions are allowed on all resources.

Do not allow statements with "Resource": "*" to grant write actions.

Parameters
  • key_id (str) – AWS Key Id.

  • secret (str) – AWS Key Secret.

Returns

  • OPEN if there are IAM policies that allow write actions on a wildcard resource.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.cloud.aws.iam.have_full_access_policies(key_id, secret, retry=True)

Check if there are policies that allow full administrative privileges.

Parameters
  • key_id (str) – AWS Key Id

  • secret (str) – AWS Key Secret

Return type

tuple
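The four policy-document checks above (has_permissive_role_policies, has_privileges_over_iam, has_wildcard_resource_on_write_action and have_full_access_policies) all come down to inspecting the Allow statements of an IAM policy JSON. The following is an added, offline example written for this page, not fluidasserts' own implementation: nothing in it calls AWS, the sample policies are constructed, and the list of "write" verb prefixes is this example's own heuristic (the page does not say how fluidasserts classifies write actions).

```python
"""Offline IAM policy-document checks (added example, not fluidasserts code).

Mirrors the intent of has_permissive_role_policies, has_privileges_over_iam,
has_wildcard_resource_on_write_action and have_full_access_policies over a
policy JSON already in hand; nothing here calls AWS. Sample policies are
constructed, and WRITE_PREFIXES is this example's own heuristic.
"""
from typing import Dict, Iterable, List

# Assumption of this example: verbs with these prefixes are write actions.
WRITE_PREFIXES = ("Create", "Delete", "Put", "Update", "Attach", "Detach",
                  "Modify", "Set", "Add", "Remove", "Run", "Start", "Stop",
                  "Terminate", "Associate", "Disassociate", "Replace")


def _as_list(value) -> list:
    """Statement/Action/Resource may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def allow_statements(policy: Dict) -> Iterable[Dict]:
    """Yield the Allow statements; Deny statements cannot grant anything."""
    for stmt in _as_list(policy.get("Statement")):
        if isinstance(stmt, dict) and stmt.get("Effect") == "Allow":
            yield stmt


def _actions(stmt: Dict) -> List[str]:
    return _as_list(stmt.get("Action"))


def is_write_action(action: str) -> bool:
    """'s3:PutObject' -> True; 's3:GetObject' -> False; any wildcard -> True."""
    if "*" in action:            # '*', 's3:*', 's3:Put*' can all grant writes
        return True
    _, _, verb = action.partition(":")
    return verb.startswith(WRITE_PREFIXES)


def has_wildcard_privileges(policy: Dict) -> bool:
    """has_permissive_role_policies: Allow on '*' or on a whole service ('svc:*')."""
    return any(a == "*" or a.endswith(":*")
               for s in allow_statements(policy) for a in _actions(s))


def has_iam_privileges(policy: Dict) -> bool:
    """has_privileges_over_iam: any Allow that reaches an iam:* action."""
    return any(a == "*" or a.lower().startswith("iam:")
               for s in allow_statements(policy) for a in _actions(s))


def has_wildcard_resource_on_write(policy: Dict) -> bool:
    """has_wildcard_resource_on_write_action: a write action with Resource '*'."""
    return any("*" in _as_list(s.get("Resource"))
               and any(is_write_action(a) for a in _actions(s))
               for s in allow_statements(policy))


def is_full_access(policy: Dict) -> bool:
    """have_full_access_policies: Action '*' on Resource '*' in one statement."""
    return any("*" in _actions(s) and "*" in _as_list(s.get("Resource"))
               for s in allow_statements(policy))


def audit(policy: Dict) -> Dict[str, bool]:
    """True means the corresponding page check would report OPEN."""
    return {
        "wildcard_privileges": has_wildcard_privileges(policy),
        "iam_privileges": has_iam_privileges(policy),
        "wildcard_resource_on_write": has_wildcard_resource_on_write(policy),
        "full_access": is_full_access(policy),
    }


# Constructed sample policies (not taken from any real account).
ADMIN = {"Version": "2012-10-17",
         "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}
READ_ONLY_S3 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": "*"}]}
PASS_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/app"},
    {"Effect": "Deny", "Action": "*", "Resource": "*"}]}
S3_WRITE_ALL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "*"}]}

if __name__ == "__main__":
    for name, pol in (("ADMIN", ADMIN), ("READ_ONLY_S3", READ_ONLY_S3),
                      ("PASS_ROLE", PASS_ROLE), ("S3_WRITE_ALL", S3_WRITE_ALL)):
        print(name, audit(pol))
```

Condition, NotAction and NotResource are deliberately ignored here. A production check must account for them: an Allow with a Condition can be far narrower than its Action and Resource suggest, while an Allow written with NotAction can be broader than any action it lists.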

fluidasserts.cloud.aws.iam.have_old_access_keys(key_id, secret, retry=True)

Find access keys not rotated in the last 90 days.

Parameters
  • key_id (str) – AWS Key Id

  • secret (str) – AWS Key Secret

Return type

tuple

fluidasserts.cloud.aws.iam.have_old_creds_enabled(key_id, secret, retry=True)

Find passwords not used in the last 90 days.

Parameters
  • key_id (str) – AWS Key Id

  • secret (str) – AWS Key Secret

Return type

tuple

fluidasserts.cloud.aws.iam.mfa_disabled_for_users_with_console_password(key_id, secret, retry=True)

Check if IAM Users with console password are not protected by MFA.

Parameters
  • key_id (str) – AWS Key Id.

  • secret (str) – AWS Key Secret.

Returns

  • OPEN if there are IAM users with a console password and no MFA device.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.cloud.aws.iam.min_password_len_unsafe(key_id, secret, min_len=14, retry=True)

Check whether the password policy requires passwords of at least min_len characters (default 14).

Parameters
  • key_id (str) – AWS Key Id

  • secret (str) – AWS Key Secret

  • min_len – Minimum length required. Default 14

Return type

tuple

fluidasserts.cloud.aws.iam.not_requires_lowercase(key_id, secret, retry=True)

Check if the password policy does not require lowercase letters.

Parameters
  • key_id (str) – AWS Key Id

  • secret (str) – AWS Key Secret

Return type

tuple

fluidasserts.cloud.aws.iam.not_requires_numbers(key_id, secret, retry=True)

Check if the password policy does not require numbers.

Parameters
  • key_id (str) – AWS Key Id

  • secret (str) – AWS Key Secret

Return type

tuple

fluidasserts.cloud.aws.iam.not_requires_symbols(key_id, secret, retry=True)

Check if the password policy does not require symbols.

Parameters
  • key_id (str) – AWS Key Id

  • secret (str) – AWS Key Secret

Return type

tuple

fluidasserts.cloud.aws.iam.not_requires_uppercase(key_id, secret, retry=True)

Check if the password policy does not require uppercase letters.

Parameters
  • key_id (str) – AWS Key Id

  • secret (str) – AWS Key Secret

Return type

tuple

fluidasserts.cloud.aws.iam.password_expiration_unsafe(key_id, secret, max_days=90, retry=True)

Check whether the password policy expires passwords within max_days days (default 90) or less.

Parameters
  • key_id (str) – AWS Key Id

  • secret (str) – AWS Key Secret

  • max_days – Max expiration days. Default 90

Return type

tuple

fluidasserts.cloud.aws.iam.password_reuse_unsafe(key_id, secret, min_reuse=24, retry=True)

Check whether the password policy prevents reuse of the last min_reuse passwords (default 24).

Parameters
  • key_id (str) – AWS Key Id

  • secret (str) – AWS Key Secret

  • min_reuse – Number of previous passwords that must not be reused. Default 24

Return type

tuple
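The seven password-policy checks above (min_password_len_unsafe through password_reuse_unsafe) all evaluate the account password policy against the thresholds given in their signatures. The following is an added example written for this page, not fluidasserts code: it evaluates a dict shaped like the response of the IAM GetAccountPasswordPolicy API (an assumption; the page does not say how fluidasserts reads the policy), with None standing for an account that has no policy at all, which IAM reports as a NoSuchEntity error. The point it shows is the missing-key edge cases: MaxPasswordAge is absent whenever ExpirePasswords is false, and PasswordReusePrevention is absent when reuse prevention is off, so a naive "key > threshold" comparison silently passes a weak policy.

```python
"""Account password-policy checks (added example, not fluidasserts code).

`policy` is a dict shaped like the IAM GetAccountPasswordPolicy response
(MinimumPasswordLength, RequireSymbols, ExpirePasswords, MaxPasswordAge,
PasswordReusePrevention, ...), or None when the account has no policy.
A True result corresponds to the page's OPEN (unsafe) outcome.
"""
from typing import Callable, Dict, List, Optional, Tuple

Policy = Optional[Dict[str, object]]


def min_password_len_unsafe(policy: Policy, min_len: int = 14) -> bool:
    """Unsafe when no policy exists or the required length is below min_len."""
    return policy is None or int(policy.get("MinimumPasswordLength", 0)) < min_len


def _not_required(policy: Policy, key: str) -> bool:
    # Character-class flags default to false when never set.
    return policy is None or not bool(policy.get(key, False))


def not_requires_lowercase(policy: Policy) -> bool:
    return _not_required(policy, "RequireLowercaseCharacters")


def not_requires_uppercase(policy: Policy) -> bool:
    return _not_required(policy, "RequireUppercaseCharacters")


def not_requires_numbers(policy: Policy) -> bool:
    return _not_required(policy, "RequireNumbers")


def not_requires_symbols(policy: Policy) -> bool:
    return _not_required(policy, "RequireSymbols")


def password_expiration_unsafe(policy: Policy, max_days: int = 90) -> bool:
    """Unsafe unless passwords expire, and do so within max_days.

    MaxPasswordAge is only present when ExpirePasswords is true, so a
    missing value means 'never expires' and must be treated as unsafe.
    """
    if policy is None or not policy.get("ExpirePasswords", False):
        return True
    age = policy.get("MaxPasswordAge")
    return age is None or int(age) > max_days


def password_reuse_unsafe(policy: Policy, min_reuse: int = 24) -> bool:
    """Unsafe unless at least min_reuse previous passwords are remembered.

    PasswordReusePrevention is absent when reuse prevention is disabled.
    """
    return policy is None or int(policy.get("PasswordReusePrevention", 0)) < min_reuse


CHECKS: List[Tuple[str, Callable[[Policy], bool]]] = [
    ("min_password_len_unsafe", min_password_len_unsafe),
    ("not_requires_lowercase", not_requires_lowercase),
    ("not_requires_uppercase", not_requires_uppercase),
    ("not_requires_numbers", not_requires_numbers),
    ("not_requires_symbols", not_requires_symbols),
    ("password_expiration_unsafe", password_expiration_unsafe),
    ("password_reuse_unsafe", password_reuse_unsafe),
]


def failing_checks(policy: Policy) -> List[str]:
    """Names of the checks that would report OPEN for this policy."""
    return [name for name, check in CHECKS if check(policy)]


# Constructed sample policies (not read from any account).
HARDENED = {
    "MinimumPasswordLength": 14, "RequireSymbols": True, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "ExpirePasswords": True, "MaxPasswordAge": 90, "PasswordReusePrevention": 24,
    "AllowUsersToChangePassword": True, "HardExpiry": False,
}
# Typical weak policy: short, no expiry (so MaxPasswordAge is absent) and
# no reuse prevention (so PasswordReusePrevention is absent).
WEAK = {
    "MinimumPasswordLength": 8, "RequireSymbols": False, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "ExpirePasswords": False, "AllowUsersToChangePassword": True,
}

if __name__ == "__main__":
    for label, pol in (("hardened", HARDENED), ("weak", WEAK), ("none", None)):
        print(label, failing_checks(pol) or "all checks CLOSED")
```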

fluidasserts.cloud.aws.iam.policies_attached_to_users(key_id, secret, retry=True)

Check if there are policies attached to users.

Parameters
  • key_id (str) – AWS Key Id

  • secret (str) – AWS Key Secret

Return type

tuple

fluidasserts.cloud.aws.iam.root_has_access_keys(key_id, secret, retry=True)

Check if root account has access keys.

Parameters
  • key_id (str) – AWS Key Id

  • secret (str) – AWS Key Secret

Return type

tuple

fluidasserts.cloud.aws.iam.root_without_mfa(key_id, secret, retry=True)

Check if root account does not have MFA.

Parameters
  • key_id (str) – AWS Key Id

  • secret (str) – AWS Key Secret

Return type

tuple

fluidasserts.cloud.aws.iam.users_with_multiple_access_keys(key_id, secret, retry=True)

Check if there are users with multiple access keys.

Parameters
  • key_id (str) – AWS Key Id.

  • secret (str) – AWS Key Secret.

Returns

  • OPEN if there are users with multiple access keys.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.cloud.aws.iam.users_with_password_and_access_keys(key_id, secret, retry=True)

Check if there are users with both a password and access keys enabled.

Make sure your IAM users do not access both the API and the console with the same account, to reduce the risk of unauthorized access if their access keys or password are compromised.

See https://nvd.nist.gov/800-53/Rev4/control/AC-5

Parameters
  • key_id (str) – AWS Key Id

  • secret (str) – AWS Key Secret

Return type

tuple
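Most of the user- and root-credential checks on this page (has_mfa_disabled, mfa_disabled_for_users_with_console_password, have_old_creds_enabled, have_old_access_keys, users_with_multiple_access_keys, users_with_password_and_access_keys, root_has_access_keys, root_without_mfa and has_root_active_signing_certificates) can be answered from a single artifact, the IAM credential report. The following is an added example written for this page, not fluidasserts code, and it is an assumption that fluidasserts uses the report rather than per-user API calls. It reads a CSV shaped like the output of `aws iam get-credential-report` (a subset of its columns, with the real column names and value conventions: true/false, ISO-8601 timestamps, N/A, no_information and not_supported), against a frozen clock so the result is deterministic; the report itself is constructed and describes no real account.

```python
"""Credential-report checks (added example, not fluidasserts code).

Reads a CSV shaped like `aws iam get-credential-report` output (a subset of
its columns, same names and value conventions) and evaluates the user and
root credential checks documented on this page. REPORT and NOW are
constructed for the example; nothing here calls AWS.
"""
import csv
import io
from datetime import datetime, timedelta, timezone
from typing import Dict, List

NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)   # assumption: frozen clock
MAX_AGE = timedelta(days=90)                      # the page's 90-day threshold
ROOT = "<root_account>"                           # `user` value of the root row
Row = Dict[str, str]

# Constructed report. Root reports password_enabled as not_supported, which
# is why the user-level checks below skip it and root has its own checks.
REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated,cert_1_active,cert_2_active
<root_account>,arn:aws:iam::123456789012:root,2015-01-01T00:00:00+00:00,not_supported,2020-05-30T08:00:00+00:00,not_supported,false,true,2016-01-01T00:00:00+00:00,false,N/A,true,false
alice,arn:aws:iam::123456789012:user/alice,2018-03-01T00:00:00+00:00,true,2020-05-28T09:00:00+00:00,2020-03-01T00:00:00+00:00,true,true,2020-04-15T00:00:00+00:00,false,N/A,false,false
bob,arn:aws:iam::123456789012:user/bob,2017-06-01T00:00:00+00:00,true,2019-11-01T12:00:00+00:00,2019-10-01T00:00:00+00:00,false,true,2019-01-01T00:00:00+00:00,true,2020-05-01T00:00:00+00:00,false,false
deploy,arn:aws:iam::123456789012:user/deploy,2019-01-01T00:00:00+00:00,false,no_information,N/A,false,true,2020-05-20T00:00:00+00:00,false,N/A,false,false
"""


def _flag(value: str) -> bool:
    return value == "true"


def _older_than(stamp: str, limit: timedelta) -> bool:
    """Older than `limit`; non-dates (N/A, no_information) count as 'never'."""
    try:
        when = datetime.fromisoformat(stamp)
    except ValueError:
        return True
    return NOW - when > limit


def load_report(text: str) -> List[Row]:
    return list(csv.DictReader(io.StringIO(text)))


def _root(rows: List[Row]) -> Row:
    return next(r for r in rows if r["user"] == ROOT)


def _active_keys(r: Row) -> List[str]:
    """Suffixes ('1', '2') of the access keys that are active for this row."""
    return [n for n in ("1", "2") if _flag(r[f"access_key_{n}_active"])]


def users_without_mfa(rows: List[Row]) -> List[str]:
    """has_mfa_disabled / mfa_disabled_for_users_with_console_password."""
    return [r["user"] for r in rows
            if _flag(r["password_enabled"]) and not _flag(r["mfa_active"])]


def users_with_stale_passwords(rows: List[Row]) -> List[str]:
    """have_old_creds_enabled: password enabled but unused for 90 days."""
    return [r["user"] for r in rows
            if _flag(r["password_enabled"])
            and _older_than(r["password_last_used"], MAX_AGE)]


def users_with_old_access_keys(rows: List[Row]) -> List[str]:
    """have_old_access_keys: an active key not rotated in 90 days."""
    return [r["user"] for r in rows
            if any(_older_than(r[f"access_key_{n}_last_rotated"], MAX_AGE)
                   for n in _active_keys(r))]


def users_with_multiple_access_keys(rows: List[Row]) -> List[str]:
    return [r["user"] for r in rows if len(_active_keys(r)) > 1]


def users_with_password_and_access_keys(rows: List[Row]) -> List[str]:
    return [r["user"] for r in rows
            if _flag(r["password_enabled"]) and _active_keys(r)]


def root_has_access_keys(rows: List[Row]) -> bool:
    return bool(_active_keys(_root(rows)))


def root_without_mfa(rows: List[Row]) -> bool:
    return not _flag(_root(rows)["mfa_active"])


def root_has_active_signing_certificates(rows: List[Row]) -> bool:
    r = _root(rows)
    return _flag(r["cert_1_active"]) or _flag(r["cert_2_active"])


if __name__ == "__main__":
    rows = load_report(REPORT)
    print("console users without MFA:", users_without_mfa(rows))
    print("stale passwords:", users_with_stale_passwords(rows))
    print("old access keys:", users_with_old_access_keys(rows))
    print("multiple access keys:", users_with_multiple_access_keys(rows))
    print("password + access keys:", users_with_password_and_access_keys(rows))
    print("root has access keys:", root_has_access_keys(rows))
    print("root without MFA:", root_without_mfa(rows))
    print("root signing certs:", root_has_active_signing_certificates(rows))
```

Two details matter in practice: the report is generated asynchronously (GenerateCredentialReport must be called and polled before GetCredentialReport returns it), and a password_last_used of no_information means the user has never signed in since the password was set, which this example treats as stale rather than as fresh.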