This repository has been archived by the owner on Jul 22, 2021. It is now read-only.

CIS 1.4 checking for access key last used date along with access key last rotated date #88

Open
abhishekupadhyaya opened this issue May 20, 2019 · 0 comments

Comments

@abhishekupadhyaya

1.4 Ensure access keys are rotated every 90 days or less (Scored)

```python
import time
from datetime import datetime

# Module-level values the pasted excerpt relies on (defined elsewhere in the
# project's script): the credential-report timestamp format and the current time.
frm = "%Y-%m-%dT%H:%M:%SZ"
now = time.strftime(frm, time.gmtime(time.time()))


def control_1_4_rotated_keys(credreport):
    # Per-control state that the excerpt assumes is already initialised
    result = True
    failReason = ""
    offenders = []
    control = "1.4"
    description = "Ensure access keys are rotated every 90 days or less"
    scored = True
    # Look for unused credentials
    for i in range(len(credreport)):
        if credreport[i]['access_key_1_active'] == "true":
            try:
                delta = datetime.strptime(now, frm) - datetime.strptime(credreport[i]['access_key_1_last_rotated'], frm)
                # Verify keys have rotated in the last 90 days
                if delta.days > 90:
                    result = False
                    failReason = "Key rotation >90 days or not used since rotation"
                    offenders.append(str(credreport[i]['arn']) + ":unrotated key1")
            except:
                pass
            try:
                last_used_datetime = datetime.strptime(credreport[i]['access_key_1_last_used_date'], frm)
                last_rotated_datetime = datetime.strptime(credreport[i]['access_key_1_last_rotated'], frm)
                # Verify keys have been used since rotation.
                if last_used_datetime < last_rotated_datetime:
                    result = False
                    failReason = "Key rotation >90 days or not used since rotation"
                    offenders.append(str(credreport[i]['arn']) + ":unused key1")
            except:
                pass
        if credreport[i]['access_key_2_active'] == "true":
            try:
                delta = datetime.strptime(now, frm) - datetime.strptime(credreport[i]['access_key_2_last_rotated'], frm)
                # Verify keys have rotated in the last 90 days
                if delta.days > 90:
                    result = False
                    failReason = "Key rotation >90 days or not used since rotation"
                    offenders.append(str(credreport[i]['arn']) + ":unrotated key2")
            except:
                pass
            try:
                last_used_datetime = datetime.strptime(credreport[i]['access_key_2_last_used_date'], frm)
                last_rotated_datetime = datetime.strptime(credreport[i]['access_key_2_last_rotated'], frm)
                # Verify keys have been used since rotation.
                if last_used_datetime < last_rotated_datetime:
                    result = False
                    failReason = "Key rotation >90 days or not used since rotation"
                    offenders.append(str(credreport[i]['arn']) + ":unused key2")
            except:
                pass
    return {'Result': result, 'failReason': failReason, 'Offenders': offenders, 'ScoredControl': scored, 'Description': description, 'ControlId': control}
```


The CIS 1.4 control is "Ensure access keys are rotated every 90 days or less". I am wondering why we are comparing the last used date with the last rotated date.
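The two conditions the function above folds into one verdict are different signals: a key rotated more than 90 days ago is the CIS 1.4 failure, while a key that has not been used since it was last rotated is an unused-credential indicator. The following is an added example, not code from this issue or from the project, that reads a constructed IAM credential report and reports the two findings separately so a reviewer can see which keys fail the rotation requirement and which are merely idle. The sample rows, the fixed `NOW` value and the ISO-8601 `+00:00` timestamp format are assumptions made for the example; "N/A" is treated as "no date available".

```python
import csv
from datetime import datetime, timedelta, timezone
from io import StringIO

# Constructed sample credential report (not real account data). Only the
# columns this check needs are included; value conventions follow the report
# format ("N/A" for missing dates, ISO-8601 timestamps with a +00:00 offset).
SAMPLE_REPORT = """\
user,arn,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,true,2019-04-01T10:00:00+00:00,2019-05-19T08:30:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,true,2018-11-01T10:00:00+00:00,2019-05-18T12:00:00+00:00,true,2019-05-10T09:00:00+00:00,N/A
carol,arn:aws:iam::123456789012:user/carol,true,2019-02-01T10:00:00+00:00,N/A,false,N/A,N/A
"""

# Fixed "now" so the example is reproducible (assumption for the example).
NOW = datetime(2019, 5, 20, tzinfo=timezone.utc)
MAX_KEY_AGE = timedelta(days=90)  # CIS 1.4 threshold


def parse_ts(value):
    """Parse a credential-report timestamp; return None when no date is available."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S%z")


def check_access_keys(report_csv, now=NOW, max_age=MAX_KEY_AGE):
    """Return a list of (arn, key, finding) tuples for every active access key.

    finding is one of:
      "unrotated" - last rotated more than max_age ago (the CIS 1.4 condition)
      "unused"    - never used, or not used since its last rotation
    A single key can produce both findings.
    """
    findings = []
    for row in csv.DictReader(StringIO(report_csv)):
        for key in ("access_key_1", "access_key_2"):
            if row[f"{key}_active"] != "true":
                continue  # inactive keys are out of scope for rotation age
            rotated = parse_ts(row[f"{key}_last_rotated"])
            last_used = parse_ts(row[f"{key}_last_used_date"])
            if rotated is None:
                continue  # no rotation date to age against
            if now - rotated > max_age:
                findings.append((row["arn"], key, "unrotated"))
            if last_used is None or last_used < rotated:
                findings.append((row["arn"], key, "unused"))
    return findings


def cis_1_4_summary(findings):
    """Fold findings into a pass/fail verdict for CIS 1.4 based on rotation age
    only; keys unused since rotation are listed separately rather than counted
    as rotation failures."""
    unrotated = [f"{arn}:{key}" for arn, key, kind in findings if kind == "unrotated"]
    unused = [f"{arn}:{key}" for arn, key, kind in findings if kind == "unused"]
    return {
        "ControlId": "1.4",
        "Result": not unrotated,
        "Offenders": unrotated,
        "UnusedSinceRotation": unused,
    }


if __name__ == "__main__":
    for finding in check_access_keys(SAMPLE_REPORT):
        print(finding)
    print(cis_1_4_summary(check_access_keys(SAMPLE_REPORT)))
```

With the sample data, bob's first key fails the rotation check while his second key is merely unused, and carol's key trips both conditions; the summary reports a CIS 1.4 failure only for the two aged keys.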
