--- policy: /ce/ca/aws/iam/user-unused logic: /ce/ca/aws/iam/user-unused/prod.logic.yaml executionTime: 2026-02-10T22:33:00.895612431Z generationMs: 58 executionMs: 886 rows: - id: test1 match: true status: expected: DISAPPEARED actual: DISAPPEARED conditionIndex: expected: 99 actual: 99 conditionText: expected: isDisappeared(CA10__disappearanceTime__c) actual: isDisappeared(CA10__disappearanceTime__c) runtimeError: {} - id: test2 match: true status: expected: INAPPLICABLE actual: INAPPLICABLE conditionIndex: expected: 199 actual: 199 conditionText: expected: extract('CA10__createDate__c').withinLastDays(30) actual: extract('CA10__createDate__c').withinLastDays(30) runtimeError: {} - id: test3 match: true status: expected: UNDETERMINED actual: UNDETERMINED conditionIndex: expected: 201 actual: 201 conditionText: expected: CA10__credReportAttributesJson__c.isEmpty() actual: CA10__credReportAttributesJson__c.isEmpty() runtimeError: {} - id: test4 match: true status: expected: COMPLIANT actual: COMPLIANT conditionIndex: expected: 299 actual: 299 conditionText: expected: extract('CA10__credReportPasswordEnabled__c') == true || extract('CA10__credReportAccessKey1Active__c') == true || extract('CA10__credReportAccessKey2Active__c') == true actual: extract('CA10__credReportPasswordEnabled__c') == true || extract('CA10__credReportAccessKey1Active__c') == true || extract('CA10__credReportAccessKey2Active__c') == true runtimeError: {} - id: test5 match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 300 actual: 300 conditionText: expected: otherwise actual: otherwise runtimeError: {} usedFiles: - path: /ce/ca/aws/iam/user-unused/policy.yaml md5Hash: 647ED80FCAC7CD683DA709CFA32858A0 content: "---\nnames:\n full: \"AWS IAM User has no active credentials\"\n contextual:\ \ \"User has no active credentials\"\ndescription: >\n Identify IAM users that\ \ have no console password and no active access keys. 
\n These accounts are\ \ dormant and provide no utility, but still represent a management \n overhead\ \ and potential security risk if credentials are added later without review.\n\ type: \"BEST_PRACTICE\"\ncategories:\n - \"SECURITY\"\nframeworkMappings:\n\ \ - \"/frameworks/cloudaware/identity-and-access-governance/credential-lifecycle-management\"\ \n - \"/frameworks/aws-well-architected/sec/03/06\"\nsimilarPolicies:\n cloudConformity:\n\ \ - url: https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/unused-iam-user.html\n\ \ name: Unused IAM User\n" - path: /ce/ca/aws/iam/user-unused/prod.logic.yaml md5Hash: 221DECE1A05645BBBE3C7DDDEF3C4545 content: | --- inputType: CA10__CaAwsUser__c testData: - file: "test-data.json" importExtracts: - file: "/types/CA10__CaAwsUser__c/credReport.extracts.yaml" - file: "/types/CA10__CaAwsUser__c/object.extracts.yaml" conditions: - status: "INAPPLICABLE" currentStateMessage: "The user was created recently and may still be under configuration." check: IS_WITHIN_LAST_DAYS: offsetDays: 30 arg: EXTRACT: "CA10__createDate__c" - status: "COMPLIANT" currentStateMessage: "The user has at least one active authentication method." check: OR: args: - IS_EQUAL: left: EXTRACT: "CA10__credReportPasswordEnabled__c" right: BOOLEAN: true - IS_EQUAL: left: EXTRACT: "CA10__credReportAccessKey1Active__c" right: BOOLEAN: true - IS_EQUAL: left: EXTRACT: "CA10__credReportAccessKey2Active__c" right: BOOLEAN: true otherwise: status: "INCOMPLIANT" currentStateMessage: "The user has no console password and no active access keys." remediationMessage: "Delete this IAM user account if it is no longer needed." 
- path: /ce/ca/aws/iam/user-unused/test-data.json md5Hash: 392EAE0553C10B67AD6280D4BBD20FB8 content: |- [ { "CA10__credReportAttributesJson__c": "{\"password_last_used\":\"N/A\",\"access_key_1_last_used_region\":\"N/A\",\"password_enabled\":\"false\",\"access_key_1_last_used_date\":\"N/A\",\"access_key_1_last_used_service\":\"N/A\",\"mfa_active\":\"false\",\"access_key_2_last_used_date\":\"N/A\",\"user_creation_time\":\"2024-10-24T16:53:46Z\",\"cert_2_active\":\"false\",\"cert_1_active\":\"false\",\"cert_1_last_rotated\":\"N/A\",\"access_key_2_last_used_service\":\"N/A\",\"access_key_2_active\":\"false\",\"access_key_1_active\":\"true\",\"password_next_rotation\":\"N/A\",\"access_key_2_last_rotated\":\"N/A\",\"arn\":\"arn:aws-us-gov:iam::225574349834:user/Wayne.Campbell\",\"access_key_1_last_rotated\":\"2024-10-24T16:53:46Z\",\"access_key_2_last_used_region\":\"N/A\",\"user\":\"Wayne.Campbell\",\"password_last_changed\":\"N/A\",\"cert_2_last_rotated\":\"N/A\"}", "expectedResult": { "runtimeError": null, "conditionText": "isDisappeared(CA10__disappearanceTime__c)", "conditionIndex": 99, "status": "DISAPPEARED" }, "context": { "snapshotTime": "2025-12-19T02:21:26Z" }, "CA10__createDate__c": "2024-10-24T16:53:46Z", "Id": "test1", "CA10__disappearanceTime__c": "2025-08-17T06:55:49Z" }, { "CA10__credReportAttributesJson__c": 
"{\"password_last_used\":\"N/A\",\"access_key_1_last_used_region\":\"us-east-1\",\"password_enabled\":\"false\",\"access_key_1_last_used_date\":\"2025-12-05T03:52:00Z\",\"access_key_1_last_used_service\":\"s3\",\"mfa_active\":\"false\",\"access_key_2_last_used_date\":\"N/A\",\"user_creation_time\":\"2025-12-03T22:06:21Z\",\"cert_2_active\":\"false\",\"cert_1_active\":\"false\",\"cert_1_last_rotated\":\"N/A\",\"access_key_2_last_used_service\":\"N/A\",\"access_key_2_active\":\"false\",\"access_key_1_active\":\"true\",\"password_next_rotation\":\"N/A\",\"access_key_2_last_rotated\":\"N/A\",\"arn\":\"arn:aws:iam::343823317319:user/xfer-hfm\",\"access_key_1_last_rotated\":\"2025-12-03T22:27:25Z\",\"access_key_2_last_used_region\":\"N/A\",\"user\":\"xfer-hfm\",\"password_last_changed\":\"N/A\",\"cert_2_last_rotated\":\"N/A\"}", "expectedResult": { "runtimeError": null, "conditionText": "extract('CA10__createDate__c').withinLastDays(30)", "conditionIndex": 199, "status": "INAPPLICABLE" }, "context": { "snapshotTime": "2025-12-19T02:21:26Z" }, "CA10__createDate__c": "2025-12-03T22:06:21Z", "Id": "test2", "CA10__disappearanceTime__c": null }, { "CA10__credReportAttributesJson__c": "", "expectedResult": { "runtimeError": null, "conditionText": "CA10__credReportAttributesJson__c.isEmpty()", "conditionIndex": 201, "status": "UNDETERMINED" }, "context": { "snapshotTime": "2025-12-19T02:21:26Z" }, "CA10__createDate__c": null, "Id": "test3", "CA10__disappearanceTime__c": null }, { "CA10__credReportAttributesJson__c": 
"{\"password_last_used\":\"N/A\",\"access_key_1_last_used_region\":\"us-gov-west-1\",\"password_enabled\":\"false\",\"access_key_1_last_used_date\":\"2025-12-18T19:22:00Z\",\"access_key_1_last_used_service\":\"s3\",\"mfa_active\":\"false\",\"access_key_2_last_used_date\":\"N/A\",\"user_creation_time\":\"2025-05-07T20:32:58Z\",\"cert_2_active\":\"false\",\"cert_1_active\":\"false\",\"cert_1_last_rotated\":\"N/A\",\"access_key_2_last_used_service\":\"N/A\",\"access_key_2_active\":\"false\",\"access_key_1_active\":\"true\",\"password_next_rotation\":\"N/A\",\"access_key_2_last_rotated\":\"N/A\",\"arn\":\"arn:aws-us-gov:iam::659394873413:user/InsightIDR-LegacyGov\",\"access_key_1_last_rotated\":\"2025-05-07T20:33:32Z\",\"access_key_2_last_used_region\":\"N/A\",\"user\":\"InsightIDR-LegacyGov\",\"password_last_changed\":\"N/A\",\"cert_2_last_rotated\":\"N/A\"}", "expectedResult": { "runtimeError": null, "conditionText": "extract('CA10__credReportPasswordEnabled__c') == true || extract('CA10__credReportAccessKey1Active__c') == true || extract('CA10__credReportAccessKey2Active__c') == true", "conditionIndex": 299, "status": "COMPLIANT" }, "context": { "snapshotTime": "2025-12-19T02:21:26Z" }, "CA10__createDate__c": "2025-05-07T20:32:58Z", "Id": "test4", "CA10__disappearanceTime__c": null }, { "CA10__credReportAttributesJson__c": 
"{\"password_last_used\":\"no_information\",\"access_key_1_last_used_region\":\"N/A\",\"password_enabled\":\"not_supported\",\"access_key_1_last_used_date\":\"N/A\",\"access_key_1_last_used_service\":\"N/A\",\"mfa_active\":\"false\",\"access_key_2_last_used_date\":\"N/A\",\"user_creation_time\":\"2019-11-19T20:34:14Z\",\"cert_2_active\":\"false\",\"cert_1_active\":\"false\",\"cert_1_last_rotated\":\"N/A\",\"access_key_2_last_used_service\":\"N/A\",\"access_key_2_active\":\"false\",\"access_key_1_active\":\"false\",\"password_next_rotation\":\"not_supported\",\"access_key_2_last_rotated\":\"N/A\",\"arn\":\"arn:aws-us-gov:iam::659394873413:root\",\"access_key_1_last_rotated\":\"N/A\",\"access_key_2_last_used_region\":\"N/A\",\"user\":\"\\u003croot_account\\u003e\",\"password_last_changed\":\"not_supported\",\"cert_2_last_rotated\":\"N/A\"}", "expectedResult": { "runtimeError": null, "conditionText": "otherwise", "conditionIndex": 300, "status": "INCOMPLIANT" }, "context": { "snapshotTime": "2025-12-19T02:21:26Z" }, "CA10__createDate__c": null, "Id": "test5", "CA10__disappearanceTime__c": null } ] - path: /types/CA10__CaAwsUser__c/credReport.extracts.yaml md5Hash: F6D383D933A0B64268B39ADE7012508C content: "\n# password_last_used: 2021-10-15T16:30:24+00:00\n# access_key_1_last_used_region:\ \ us-east-1\n# password_enabled: not_supported\n# access_key_1_last_used_date:\ \ 2020-02-27T12:03:00+00:00\n# access_key_1_last_used_service: s3\n# mfa_active:\ \ false\n# access_key_2_last_used_date: N/A\n# user_creation_time: 2008-06-17T18:41:41+00:00\n\ # cert_2_active: false\n# cert_1_active: true\n# cert_1_last_rotated: 2011-04-27T13:23:57+00:00\n\ # access_key_2_last_used_service: N/A\n# access_key_2_active: false\n# access_key_1_active:\ \ false\n# password_next_rotation: not_supported\n# access_key_2_last_rotated:\ \ 2014-07-03T15:12:24+00:00\n# arn: arn:aws:iam::814021343637:root\n# access_key_1_last_rotated:\ \ 2011-04-27T13:20:07+00:00\n# access_key_2_last_used_region: 
N/A\n# user: \n\ # password_last_changed: not_supported\n# cert_2_last_rotated: N/A\n---\nextracts:\n\ \ - name: CA10__credReportAttributesJson__c\n value: \n JSON_FROM:\n\ \ arg:\n FIELD:\n path: CA10__credReportAttributesJson__c\n\ \ returnType: BYTES\n undeterminedIf:\n isEmpty:\ \ Credential report attributes are empty, this is either permission issue or\ \ the data haven't been populated yet\n undeterminedIf:\n isInvalid:\ \ \"Cred report attributes JSON is invalid\"\n - name: CA10__credReportAccessKey1Active__c\n\ \ value:\n BOOLEAN_FROM:\n arg:\n JSON_QUERY_TEXT:\n\ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n\ \ expression: \"to_string(access_key_1_active)\"\n undeterminedIf:\n\ \ evaluationError: \"The JSON query has failed.\"\n \ \ resultTypeMismatch: \"The JSON query did not return text type.\"\n \ \ undeterminedIf:\n isEmpty: Value of 'access_key_1_active' is empty,\ \ unexpected data\n - name: CA10__credReportAccessKey2Active__c\n value:\n\ \ BOOLEAN_FROM:\n arg:\n JSON_QUERY_TEXT:\n \ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n \ \ expression: \"to_string(access_key_2_active)\"\n undeterminedIf:\n\ \ evaluationError: \"The JSON query has failed.\"\n \ \ resultTypeMismatch: \"The JSON query did not return text type.\"\n \ \ undeterminedIf:\n isEmpty: Value of 'access_key_1_active' is empty,\ \ unexpected data\n - name: CA10__credReportPasswordLastUsed__c\n value:\n\ \ DATE_TIME_FROM:\n arg:\n JSON_QUERY_TEXT:\n \ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n \ \ expression: \"to_string(password_last_used)\"\n undeterminedIf:\n\ \ evaluationError: \"The JSON query has failed.\"\n \ \ resultTypeMismatch: \"The JSON query did not return text type.\"\n \ \ nullValues:\n - \"no_information\"\n - \"N/A\"\n \ \ format: ISO_8601\n undeterminedIf:\n # value CAN be empty,\ \ for example when password was never used.\n #isEmpty: Value of 'password_last_used'\ \ is empty, unexpected data\n invalidFormat: Value of 'password_last_used'\ \ 
does not match ISO-8601 format\n - name: CA10__credReportAccessKey1LastUsed__c\n\ \ value:\n DATE_TIME_FROM:\n arg:\n JSON_QUERY_TEXT:\n\ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n\ \ expression: \"to_string(access_key_1_last_used_date)\"\n \ \ undeterminedIf:\n evaluationError: \"The JSON query has\ \ failed.\"\n resultTypeMismatch: \"The JSON query did not return\ \ text type.\"\n nullValues:\n - \"N/A\"\n format: ISO_8601\n\ \ undeterminedIf:\n # value CAN be empty, for example when password\ \ was never used.\n #isEmpty: Value of 'access_key_1_last_used_date'\ \ is empty, unexpected data\n invalidFormat: Value of 'access_key_1_last_used_date'\ \ does not match ISO-8601 format\n - name: CA10__credReportAccessKey2LastUsed__c\n\ \ value:\n DATE_TIME_FROM:\n arg:\n JSON_QUERY_TEXT:\n\ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n\ \ expression: \"to_string(access_key_2_last_used_date)\"\n \ \ undeterminedIf:\n evaluationError: \"The JSON query has\ \ failed.\"\n resultTypeMismatch: \"The JSON query did not return\ \ text type.\"\n nullValues:\n - \"N/A\"\n format: ISO_8601\n\ \ undeterminedIf:\n # value CAN be empty, for example when password\ \ was never used.\n #isEmpty: Value of 'access_key_2_last_used_date'\ \ is empty, unexpected data\n invalidFormat: Value of 'access_key_2_last_used_date'\ \ does not match ISO-8601 format\n - name: CA10__credReportMfaActive__c\n \ \ value:\n BOOLEAN_FROM:\n arg:\n JSON_QUERY_TEXT:\n\ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n\ \ expression: \"to_string(mfa_active)\"\n undeterminedIf:\n\ \ evaluationError: \"The JSON query has failed.\"\n \ \ resultTypeMismatch: \"The JSON query did not return text type.\"\n \ \ undeterminedIf:\n isEmpty: Credential report 'mfa_active' key is\ \ empty, unexpected data\n - name: CA10__credReportPasswordEnabled__c\n \ \ value:\n BOOLEAN_FROM:\n arg:\n JSON_QUERY_TEXT:\n \ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n\ \ expression: 
\"to_string(password_enabled)\"\n undeterminedIf:\n\ \ evaluationError: \"The JSON query has failed.\"\n \ \ resultTypeMismatch: \"The JSON query did not return text type.\"\n \ \ undeterminedIf:\n isEmpty: Value of 'password_enabled' is empty,\ \ unexpected data\n - name: CA10__credReportPasswordLastChanged__c\n value:\n\ \ DATE_TIME_FROM:\n arg:\n JSON_QUERY_TEXT:\n \ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n \ \ expression: \"to_string(password_last_changed)\"\n undeterminedIf:\n\ \ evaluationError: \"The JSON query has failed.\"\n \ \ resultTypeMismatch: \"The JSON query did not return text type.\"\n \ \ nullValues:\n - \"N/A\"\n format: ISO_8601\n undeterminedIf:\n\ \ # value CAN be empty, for example when password was never changed.\n\ \ #isEmpty: Value of 'password_last_changed' is empty, unexpected data\n\ \ invalidFormat: Value of 'password_last_changed' does not match ISO-8601\ \ format\n - name: CA10__credReportAccessKey1LastRotated__c\n value:\n \ \ DATE_TIME_FROM:\n arg:\n JSON_QUERY_TEXT:\n \ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n \ \ expression: \"to_string(access_key_1_last_rotated)\"\n undeterminedIf:\n\ \ evaluationError: \"The JSON query has failed.\"\n \ \ resultTypeMismatch: \"The JSON query did not return text type.\"\n \ \ nullValues:\n - \"N/A\"\n format: ISO_8601\n undeterminedIf:\n\ \ # value CAN be empty, for example when key was never changed.\n \ \ #isEmpty: Value of 'access_key_1_last_rotated' is empty, unexpected\ \ data\n invalidFormat: Value of 'access_key_1_last_rotated' does not\ \ match ISO-8601 format\n - name: CA10__credReportAccessKey2LastRotated__c\n\ \ value:\n DATE_TIME_FROM:\n arg:\n JSON_QUERY_TEXT:\n\ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n\ \ expression: \"to_string(access_key_2_last_rotated)\"\n \ \ undeterminedIf:\n evaluationError: \"The JSON query has failed.\"\ \n resultTypeMismatch: \"The JSON query did not return text type.\"\ \n nullValues:\n - \"N/A\"\n format: 
ISO_8601\n \ \ undeterminedIf:\n # value CAN be empty, for example when key\ \ was never changed.\n #isEmpty: Value of 'access_key_2_last_rotated'\ \ is empty, unexpected data\n invalidFormat: Value of 'access_key_2_last_rotated'\ \ does not match ISO-8601 format\n - name: CA10__credReportCert1Active__c\n\ \ value:\n BOOLEAN_FROM:\n arg:\n JSON_QUERY_TEXT:\n\ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n\ \ expression: \"to_string(cert_1_active)\"\n undeterminedIf:\n\ \ evaluationError: \"The JSON query has failed.\"\n \ \ resultTypeMismatch: \"The JSON query did not return text type.\"\n \ \ undeterminedIf:\n isEmpty: Value of 'cert_1_active' is empty, unexpected\ \ data\n - name: CA10__credReportCert2Active__c\n value:\n BOOLEAN_FROM:\n\ \ arg:\n JSON_QUERY_TEXT:\n arg:\n EXTRACT:\ \ CA10__credReportAttributesJson__c\n expression: \"to_string(cert_2_active)\"\ \n undeterminedIf:\n evaluationError: \"The JSON query\ \ has failed.\"\n resultTypeMismatch: \"The JSON query did not\ \ return text type.\"\n undeterminedIf:\n isEmpty: Value of\ \ 'cert_1_active' is empty, unexpected data" - path: /types/CA10__CaAwsUser__c/object.extracts.yaml md5Hash: 131CCD980BE5290B2C296CE093A686DC content: "---\nextracts:\n - name: CA10__mfaDeviceType__c\n # Acceptable values\ \ are: null, \"Hardware\", \"Virtual\"\n value:\n FIELD: \n path:\ \ CA10__mfaDeviceType__c\n undeterminedIf:\n noAccessDelegate:\n\ \ path: CA10__virtualMfaState__c\n currentStateMessage:\ \ Possible access issue with iam:GetAccountSummary, iam:ListVirtualMFADevices\ \ or iam:ListMFADevices\n# Not Nullable. 
Can't have no access, retrieved via\ \ iam:ListUsers\n - name: \"CA10__userName__c\"\n value:\n FIELD:\n\ \ path: \"CA10__userName__c\"\n - name: \"CA10__accessKeysCount__c\"\ \n value:\n FIELD:\n path: \"CA10__accessKeysCount__c\"\n# Not\ \ nullable\n - name: \"CA10__createDate__c\"\n value:\n FIELD:\n \ \ path: \"CA10__createDate__c\"\n" script: |- CREATE TEMP FUNCTION mock_ExpectedResult() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "Id" : "test1", "expectedResult" : { "runtimeError" : null, "conditionText" : "isDisappeared(CA10__disappearanceTime__c)", "conditionIndex" : 99, "status" : "DISAPPEARED" } }, { "Id" : "test2", "expectedResult" : { "runtimeError" : null, "conditionText" : "extract('CA10__createDate__c').withinLastDays(30)", "conditionIndex" : 199, "status" : "INAPPLICABLE" } }, { "Id" : "test3", "expectedResult" : { "runtimeError" : null, "conditionText" : "CA10__credReportAttributesJson__c.isEmpty()", "conditionIndex" : 201, "status" : "UNDETERMINED" } }, { "Id" : "test4", "expectedResult" : { "runtimeError" : null, "conditionText" : "extract('CA10__credReportPasswordEnabled__c') == true || extract('CA10__credReportAccessKey1Active__c') == true || extract('CA10__credReportAccessKey2Active__c') == true", "conditionIndex" : 299, "status" : "COMPLIANT" } }, { "Id" : "test5", "expectedResult" : { "runtimeError" : null, "conditionText" : "otherwise", "conditionIndex" : 300, "status" : "INCOMPLIANT" } } ]; """; CREATE TEMP FUNCTION mock_CA10__CaAwsUser__c() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "context" : { "snapshotTime" : new Date("2025-12-19T02:21:26Z") }, "CA10__disappearanceTime__c" : new Date("2025-08-17T06:55:49Z"), "CA10__createDate__c" : new Date("2024-10-24T16:53:46Z"), "CA10__credReportAttributesJson__c" : 
"{\"password_last_used\":\"N/A\",\"access_key_1_last_used_region\":\"N/A\",\"password_enabled\":\"false\",\"access_key_1_last_used_date\":\"N/A\",\"access_key_1_last_used_service\":\"N/A\",\"mfa_active\":\"false\",\"access_key_2_last_used_date\":\"N/A\",\"user_creation_time\":\"2024-10-24T16:53:46Z\",\"cert_2_active\":\"false\",\"cert_1_active\":\"false\",\"cert_1_last_rotated\":\"N/A\",\"access_key_2_last_used_service\":\"N/A\",\"access_key_2_active\":\"false\",\"access_key_1_active\":\"true\",\"password_next_rotation\":\"N/A\",\"access_key_2_last_rotated\":\"N/A\",\"arn\":\"arn:aws-us-gov:iam::225574349834:user/Wayne.Campbell\",\"access_key_1_last_rotated\":\"2024-10-24T16:53:46Z\",\"access_key_2_last_used_region\":\"N/A\",\"user\":\"Wayne.Campbell\",\"password_last_changed\":\"N/A\",\"cert_2_last_rotated\":\"N/A\"}", "Id" : "test1" }, { "context" : { "snapshotTime" : new Date("2025-12-19T02:21:26Z") }, "CA10__createDate__c" : new Date("2025-12-03T22:06:21Z"), "CA10__credReportAttributesJson__c" : "{\"password_last_used\":\"N/A\",\"access_key_1_last_used_region\":\"us-east-1\",\"password_enabled\":\"false\",\"access_key_1_last_used_date\":\"2025-12-05T03:52:00Z\",\"access_key_1_last_used_service\":\"s3\",\"mfa_active\":\"false\",\"access_key_2_last_used_date\":\"N/A\",\"user_creation_time\":\"2025-12-03T22:06:21Z\",\"cert_2_active\":\"false\",\"cert_1_active\":\"false\",\"cert_1_last_rotated\":\"N/A\",\"access_key_2_last_used_service\":\"N/A\",\"access_key_2_active\":\"false\",\"access_key_1_active\":\"true\",\"password_next_rotation\":\"N/A\",\"access_key_2_last_rotated\":\"N/A\",\"arn\":\"arn:aws:iam::343823317319:user/xfer-hfm\",\"access_key_1_last_rotated\":\"2025-12-03T22:27:25Z\",\"access_key_2_last_used_region\":\"N/A\",\"user\":\"xfer-hfm\",\"password_last_changed\":\"N/A\",\"cert_2_last_rotated\":\"N/A\"}", "Id" : "test2" }, { "context" : { "snapshotTime" : new Date("2025-12-19T02:21:26Z") }, "CA10__credReportAttributesJson__c" : "", "Id" : "test3" }, { 
"context" : { "snapshotTime" : new Date("2025-12-19T02:21:26Z") }, "CA10__createDate__c" : new Date("2025-05-07T20:32:58Z"), "CA10__credReportAttributesJson__c" : "{\"password_last_used\":\"N/A\",\"access_key_1_last_used_region\":\"us-gov-west-1\",\"password_enabled\":\"false\",\"access_key_1_last_used_date\":\"2025-12-18T19:22:00Z\",\"access_key_1_last_used_service\":\"s3\",\"mfa_active\":\"false\",\"access_key_2_last_used_date\":\"N/A\",\"user_creation_time\":\"2025-05-07T20:32:58Z\",\"cert_2_active\":\"false\",\"cert_1_active\":\"false\",\"cert_1_last_rotated\":\"N/A\",\"access_key_2_last_used_service\":\"N/A\",\"access_key_2_active\":\"false\",\"access_key_1_active\":\"true\",\"password_next_rotation\":\"N/A\",\"access_key_2_last_rotated\":\"N/A\",\"arn\":\"arn:aws-us-gov:iam::659394873413:user/InsightIDR-LegacyGov\",\"access_key_1_last_rotated\":\"2025-05-07T20:33:32Z\",\"access_key_2_last_used_region\":\"N/A\",\"user\":\"InsightIDR-LegacyGov\",\"password_last_changed\":\"N/A\",\"cert_2_last_rotated\":\"N/A\"}", "Id" : "test4" }, { "context" : { "snapshotTime" : new Date("2025-12-19T02:21:26Z") }, "CA10__credReportAttributesJson__c" : 
"{\"password_last_used\":\"no_information\",\"access_key_1_last_used_region\":\"N/A\",\"password_enabled\":\"not_supported\",\"access_key_1_last_used_date\":\"N/A\",\"access_key_1_last_used_service\":\"N/A\",\"mfa_active\":\"false\",\"access_key_2_last_used_date\":\"N/A\",\"user_creation_time\":\"2019-11-19T20:34:14Z\",\"cert_2_active\":\"false\",\"cert_1_active\":\"false\",\"cert_1_last_rotated\":\"N/A\",\"access_key_2_last_used_service\":\"N/A\",\"access_key_2_active\":\"false\",\"access_key_1_active\":\"false\",\"password_next_rotation\":\"not_supported\",\"access_key_2_last_rotated\":\"N/A\",\"arn\":\"arn:aws-us-gov:iam::659394873413:root\",\"access_key_1_last_rotated\":\"N/A\",\"access_key_2_last_used_region\":\"N/A\",\"user\":\"\\u003croot_account\\u003e\",\"password_last_changed\":\"not_supported\",\"cert_2_last_rotated\":\"N/A\"}", "Id" : "test5" } ]; """; CREATE TEMP FUNCTION process_CA10__CaAwsUser__c( obj STRUCT< CA10__disappearanceTime__c TIMESTAMP, CA10__createDate__c TIMESTAMP, CA10__credReportAttributesJson__c STRING, Id STRING >, snapshotTime TIMESTAMP ) RETURNS STRUCT DETERMINISTIC LANGUAGE js OPTIONS (library=['gs://compliance-platform-public/jmespath.min.js']) AS r""" var BytesLib = new function () { this.normalize = function(arg) { return arg == null ? 
'' : arg; }; this.isEmpty = function(arg) { return this.normalize(arg) == ''; }; this.isNotEmpty = function(arg) { return this.normalize(arg) != ''; }; this.equal = function(left, right) { return this.normalize(left) == this.normalize(right); }; this.notEqual = function(left, right) { return this.normalize(left) != this.normalize(right); }; this.startsWith = function(arg, substring) { return this.normalize(arg).startsWith(this.normalize(substring)); }; this.endsWith = function(arg, substring) { return this.normalize(arg).endsWith(this.normalize(substring)); }; this.contains = function(arg, substring) { return this.normalize(arg).includes(this.normalize(substring)); }; this.containsAll = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.every(sub => normalizedArg.includes(this.normalize(sub))); }; this.containsAny = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.some(sub => normalizedArg.includes(this.normalize(sub))); }; }(); var TextLib = new function () { this.normalize = function(arg) { return arg == null ? 
'' : arg.replace(/\s+/g, ' ').trim().toLowerCase(); }; this.isEmpty = function(arg) { return this.normalize(arg) == ''; }; this.isNotEmpty = function(arg) { return this.normalize(arg) != ''; }; this.equal = function(left, right) { return this.normalize(left) == this.normalize(right); }; this.notEqual = function(left, right) { return this.normalize(left) != this.normalize(right); }; this.startsWith = function(arg, substring) { return this.normalize(arg).startsWith(this.normalize(substring)); }; this.endsWith = function(arg, substring) { return this.normalize(arg).endsWith(this.normalize(substring)); }; this.contains = function(arg, substring) { return this.normalize(arg).includes(this.normalize(substring)); }; this.containsAll = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.every(sub => normalizedArg.includes(this.normalize(sub))); }; this.containsAny = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.some(sub => normalizedArg.includes(this.normalize(sub))); }; }(); var todayMinus30Day = new Date(snapshotTime.toISOString().substr(0,10)+'T00:00:00.000Z').getTime() + (-30 * 86400000); var todayPlus1Day = new Date(snapshotTime.toISOString().substr(0,10)+'T00:00:00.000Z').getTime() + (1 * 86400000); var references1 = []; // condition[0], conditionIndex:[0..99] references1.push('Deleted From AWS [CA10__disappearanceTime__c]: ' + obj.CA10__disappearanceTime__c); if (obj.CA10__disappearanceTime__c != null) { return {status: 'DISAPPEARED', conditionIndex: 99, conditionText: "isDisappeared(CA10__disappearanceTime__c)", currentStateMessage: "Object is deleted in the source", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } // condition[1], conditionIndex:[100..199] function extract3() { if (!this.out) { this.out = 
obj.CA10__createDate__c; } return this.out; }; references1.push('Create Date [obj.CA10__createDate__c]: ' + obj.CA10__createDate__c); if (extract3.call(extract3) != null && extract3.call(extract3).getTime() >= todayMinus30Day && extract3.call(extract3).getTime() < todayPlus1Day) { return {status: 'INAPPLICABLE', conditionIndex: 199, conditionText: "extract('CA10__createDate__c').withinLastDays(30)", currentStateMessage: "The user was created recently and may still be under configuration.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } // condition[2], conditionIndex:[200..299] function boolChecked8() { var boolFrom14 = jsonQueryChecked9(); if (TextLib.isEmpty(boolFrom14)) { throw new Error("UNDETERMINED condition:205", {cause: {status: 'UNDETERMINED', conditionIndex: 205, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(password_enabled)').isEmpty()", currentStateMessage: "Value of 'password_enabled' is empty, unexpected data", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return TextLib.equal('true', boolFrom14); } function jsonQueryChecked9() { var input = extract11.call(extract11); var out; try { out = jmespath.search(input, 'to_string(password_enabled)'); if (out != null && typeof out != 'string') { throw new Error("UNDETERMINED condition:203", {cause: {status: 'UNDETERMINED', conditionIndex: 203, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(password_enabled)').isResultTypeMismatch()", currentStateMessage: "The JSON query did not return text type.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } } catch (e) { throw new Error("UNDETERMINED condition:204", {cause: {status: 'UNDETERMINED', conditionIndex: 204, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(password_enabled)').isEvaluationFailed()", 
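currentStateMessage: "The JSON query has failed.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}}); } return out; }

// Parses the credential-report attributes field as JSON. A blank input (as
// judged by TextLib.isEmpty) is normalised to null before parsing; an
// unparsable document is reported as UNDETERMINED condition 202.
function jsonChecked12() {
  var input = fieldChecked13();
  input = TextLib.isEmpty(input) ? null : input;
  var out;
  try {
    out = JSON.parse(input);
  } catch (e) {
    throw new Error("UNDETERMINED condition:202", {cause: {status: 'UNDETERMINED', conditionIndex: 202, conditionText: "CA10__credReportAttributesJson__c.asJson().isInvalid()", currentStateMessage: "Cred report attributes JSON is invalid", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}});
  }
  return out;
}

// Reads the raw credential-report attributes field. An empty field cannot be
// evaluated (collector permission problem, or data not populated yet) and is
// reported as UNDETERMINED condition 201 rather than as a compliance verdict.
function fieldChecked13() {
  if (BytesLib.isEmpty(obj.CA10__credReportAttributesJson__c)) {
    throw new Error("UNDETERMINED condition:201", {cause: {status: 'UNDETERMINED', conditionIndex: 201, conditionText: "CA10__credReportAttributesJson__c.isEmpty()", currentStateMessage: "Credential report attributes are empty, this is either permission issue or the data haven't been populated yet", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}});
  }
  return obj.CA10__credReportAttributesJson__c;
}

// Memoised accessors. Callers invoke them as `extractN.call(extractN)`, so the
// function object itself is the cache slot (`this.out`). Note that a falsy
// value (false/null) is not treated as cached and is recomputed on the next
// call; that is harmless here because each underlying check is a pure read of
// `obj`, but it does mean a failing check is re-run rather than replayed.
function extract11() {
  if (!this.out) { this.out = jsonChecked12(); }
  return this.out;
}

// boolChecked8 (console-password check) is defined earlier in this UDF body.
function extract7() {
  if (!this.out) { this.out = boolChecked8(); }
  return this.out;
}

// access_key_1_active: the credential report value is rendered as text by the
// JMESPath `to_string(...)` query; an empty result is UNDETERMINED 208, and
// only the exact text 'true' (per TextLib.equal) counts as an active key.
function boolChecked17() {
  var boolFrom20 = jsonQueryChecked18();
  if (TextLib.isEmpty(boolFrom20)) {
    throw new Error("UNDETERMINED condition:208", {cause: {status: 'UNDETERMINED', conditionIndex: 208, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_1_active)').isEmpty()", currentStateMessage: "Value of 'access_key_1_active' is empty, unexpected data", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}});
  }
  return TextLib.equal('true', boolFrom20);
}

// Runs the access_key_1_active query. The result-type check is deliberately
// placed AFTER the try/catch: inside it, the 206 error would be swallowed by
// the catch and re-reported as 207 ("query has failed"), which made
// isResultTypeMismatch() unreachable as a reported condition.
function jsonQueryChecked18() {
  var input = extract11.call(extract11);
  var out;
  try {
    out = jmespath.search(input, 'to_string(access_key_1_active)');
  } catch (e) {
    throw new Error("UNDETERMINED condition:207", {cause: {status: 'UNDETERMINED', conditionIndex: 207, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_1_active)').isEvaluationFailed()", currentStateMessage: "The JSON query has failed.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}});
  }
  if (out != null && typeof out != 'string') {
    throw new Error("UNDETERMINED condition:206", {cause: {status: 'UNDETERMINED', conditionIndex: 206, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_1_active)').isResultTypeMismatch()", currentStateMessage: "The JSON query did not return text type.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}});
  }
  return out;
}

function extract16() {
  if (!this.out) { this.out = boolChecked17(); }
  return this.out;
}

// access_key_2_active: same contract as boolChecked17. The "empty value"
// message previously named access_key_1_active (copy-paste slip); it now
// names the key that was actually inspected.
function boolChecked23() {
  var boolFrom26 = jsonQueryChecked24();
  if (TextLib.isEmpty(boolFrom26)) {
    throw new Error("UNDETERMINED condition:211", {cause: {status: 'UNDETERMINED', conditionIndex: 211, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_2_active)').isEmpty()", currentStateMessage: "Value of 'access_key_2_active' is empty, unexpected data", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}});
  }
  return TextLib.equal('true', boolFrom26);
}

// Runs the access_key_2_active query; see jsonQueryChecked18 for why the
// type check sits outside the try/catch (keeps 209 distinguishable from 210).
function jsonQueryChecked24() {
  var input = extract11.call(extract11);
  var out;
  try {
    out = jmespath.search(input, 'to_string(access_key_2_active)');
  } catch (e) {
    throw new Error("UNDETERMINED condition:210", {cause: {status: 'UNDETERMINED', conditionIndex: 210, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_2_active)').isEvaluationFailed()", currentStateMessage: "The JSON query has failed.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}});
  }
  if (out != null && typeof out != 'string') {
    throw new Error("UNDETERMINED condition:209", {cause: {status: 'UNDETERMINED', conditionIndex: 209, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_2_active)').isResultTypeMismatch()", currentStateMessage: "The JSON query did not return text type.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}});
  }
  return out;
}

function extract22() {
  if (!this.out) { this.out = boolChecked23(); }
  return this.out;
}

// The raw attributes JSON is echoed verbatim into currentStateReferences of
// every outcome below, i.e. it becomes part of the policy output. It is
// presumably derived from the AWS credential report (flags and timestamps);
// confirm it carries no secret material before widening who can read results.
references1.push('Cred Report: Attributes JSON [obj.CA10__credReportAttributesJson__c]: ' + obj.CA10__credReportAttributesJson__c);

// Verdict: COMPLIANT when at least one credential is active (console password
// enabled, or either access key active). Only the "active" flags are
// consulted, not last-used timestamps, so a user whose keys are active but
// have never been used is still COMPLIANT here; the INCOMPLIANT branch
// captures accounts with no usable credential at all.
try {
  if (extract7.call(extract7) == true || extract16.call(extract16) == true || extract22.call(extract22) == true) {
    return {status: 'COMPLIANT', conditionIndex: 299, conditionText: "extract('CA10__credReportPasswordEnabled__c') == true || extract('CA10__credReportAccessKey1Active__c') == true || extract('CA10__credReportAccessKey2Active__c') == true", currentStateMessage: "The user has at least one active authentication method.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null};
  }
} catch (err) {
  // The checks above signal UNDETERMINED (or other non-verdict states) by
  // throwing an Error whose `cause` is the ready-made result object; any
  // error without such a cause is a genuine runtime failure and propagates.
  if (err.cause && err.cause.status) {
    return err.cause;
  } else {
    throw err;
  }
}
return {status: 'INCOMPLIANT', conditionIndex: 300, conditionText: "otherwise", currentStateMessage: "The user has no console password and no active access keys.", currentStateReferences: references1.join('\n'), remediation: "Delete this IAM user account if it is no longer needed.", runtimeError: null};
""";

-- Test harness: evaluate the policy over the mocked records and compare each
-- outcome with its expected result, joined on Id. NULL and '' (NULL and -1
-- for conditionIndex) are deliberately treated as equal so that an absent
-- field and an empty one compare the same. Because of the LEFT JOIN, an
-- expected Id with no mocked record yields all-NULL actuals and therefore
-- a FAIL unless the expectation is itself empty.
SELECT
  expectedResult.Id AS Id,
  IF(
    IFNULL(expectedResult.expectedResult.status, '') = IFNULL(sObject.result.status, '')
    AND IFNULL(expectedResult.expectedResult.conditionIndex, -1) = IFNULL(sObject.result.conditionIndex, -1)
    AND IFNULL(expectedResult.expectedResult.conditionText, '') = IFNULL(sObject.result.conditionText, '')
    AND IFNULL(expectedResult.expectedResult.runtimeError, '') = IFNULL(sObject.result.runtimeError, ''),
    "MATCH",
    "FAIL"
  ) AS match,
  expectedResult.expectedResult.status AS expectedStatus,
  sObject.result.status AS actualStatus,
  expectedResult.expectedResult.conditionIndex AS expectedConditionIndex,
  sObject.result.conditionIndex AS actualConditionIndex,
  expectedResult.expectedResult.conditionText AS expectedConditionText,
  sObject.result.conditionText AS actualConditionText,
  expectedResult.expectedResult.runtimeError AS expectedRuntimeError,
  sObject.result.runtimeError AS actualRuntimeError
FROM UNNEST(mock_ExpectedResult()) expectedResult
LEFT JOIN (
  -- One row per mocked user, carrying the policy verdict computed from the
  -- same fields that were passed in and the snapshot time of the record.
  SELECT
    sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c,
    sObject.CA10__createDate__c AS CA10__createDate__c,
    sObject.CA10__credReportAttributesJson__c AS CA10__credReportAttributesJson__c,
    sObject.Id AS Id,
    process_CA10__CaAwsUser__c(
      STRUCT(
        sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c,
        sObject.CA10__createDate__c AS CA10__createDate__c,
        sObject.CA10__credReportAttributesJson__c AS CA10__credReportAttributesJson__c,
        sObject.Id AS Id
      ),
      sObject.context.snapshotTime
    ) AS result
  FROM UNNEST(mock_CA10__CaAwsUser__c()) AS sObject
) sObject
  ON sObject.Id = expectedResult.Id;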
