--- policy: /ce/ca/aws/iam/user-has-more-than-one-active-access-key logic: /ce/ca/aws/iam/user-has-more-than-one-active-access-key/prod.logic.yaml executionTime: 2026-05-09T12:03:18.029570175Z generationMs: 78 executionMs: 1921 rows: - id: a01 match: true status: expected: INAPPLICABLE actual: INAPPLICABLE conditionIndex: expected: 199 actual: 199 conditionText: expected: extract('CA10__credReportAccessKey1Active__c') == false && extract('CA10__credReportAccessKey2Active__c') == false actual: extract('CA10__credReportAccessKey1Active__c') == false && extract('CA10__credReportAccessKey2Active__c') == false runtimeError: {} - id: a02 match: true status: expected: COMPLIANT actual: COMPLIANT conditionIndex: expected: 300 actual: 300 conditionText: expected: otherwise actual: otherwise runtimeError: {} - id: a03 match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 299 actual: 299 conditionText: expected: extract('CA10__credReportAccessKey1Active__c') == true && extract('CA10__credReportAccessKey2Active__c') == true actual: extract('CA10__credReportAccessKey1Active__c') == true && extract('CA10__credReportAccessKey2Active__c') == true runtimeError: {} usedFiles: - path: /ce/ca/aws/iam/user-has-more-than-one-active-access-key/policy.yaml md5Hash: B3157D337FEEAD62F52A30793033C6B9 content: | --- names: full: AWS IAM User has more than one active access key contextual: User has more than one active access key description: Access keys are long-term credentials for an IAM user or the AWS account 'root' user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK) type: COMPLIANCE_POLICY categories: - SECURITY frameworkMappings: - "/frameworks/cis-aws-v6.0.0/02/12" - "/frameworks/cloudaware/identity-and-access-governance/credential-lifecycle-management" similarPolicies: internal: - dec-x-30795016 cloudConformity: - url: https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/IAM/unnecessary-access-keys.html name: Unnecessary Access Keys - path: /ce/ca/aws/iam/user-has-more-than-one-active-access-key/prod.logic.yaml md5Hash: 43414594DDD90589FC77B1E895139FE3 content: | --- inputType: "CA10__CaAwsUser__c" testData: - file: test-data.json importExtracts: - file: /types/CA10__CaAwsUser__c/credReport.extracts.yaml conditions: - status: "INAPPLICABLE" currentStateMessage: "The user does not have active access keys." check: AND: args: - IS_EQUAL: left: EXTRACT: CA10__credReportAccessKey1Active__c right: BOOLEAN: false - IS_EQUAL: left: EXTRACT: CA10__credReportAccessKey2Active__c right: BOOLEAN: false - status: "INCOMPLIANT" currentStateMessage: "More than one active access key is available for the IAM user." remediationMessage: "Remove one of the access keys." check: AND: args: - IS_EQUAL: left: EXTRACT: CA10__credReportAccessKey1Active__c right: BOOLEAN: true - IS_EQUAL: left: EXTRACT: CA10__credReportAccessKey2Active__c right: BOOLEAN: true otherwise: status: "COMPLIANT" currentStateMessage: "This IAM user has only one active access key." - path: /ce/ca/aws/iam/user-has-more-than-one-active-access-key/test-data.json md5Hash: C9D1F08BED12F98A84A2BEE7B1ED7D18 content: | [ { "expectedResult": { "status": "INAPPLICABLE", "conditionIndex": "199", "conditionText": "extract('CA10__credReportAccessKey1Active__c') == false && extract('CA10__credReportAccessKey2Active__c') == false", "runtimeError": null }, "context": { "snapshotTime": "2024-05-30T18:23:28Z" }, "Id": "a01", "CA10__disappearanceTime__c": null, "CA10__credReportAttributesJson__c": "{\"password_last_used\":\"2024-07-17T17:37:46Z\",\"access_key_1_last_used_region\":\"N/A\",\"password_enabled\":\"true\",\"access_key_1_last_used_date\":\"N/A\",\"access_key_1_last_used_service\":\"N/A\",\"mfa_active\":\"true\",\"access_key_2_last_used_date\":\"N/A\",\"user_creation_time\":\"2017-09-27T19:51:41Z\",\"cert_2_active\":\"false\",\"cert_1_active\":\"false\",\"cert_1_last_rotated\":\"N/A\",\"access_key_2_last_used_service\":\"N/A\",\"access_key_2_active\":\"false\",\"access_key_1_active\":\"false\",\"password_next_rotation\":\"2024-10-15T17:38:45Z\",\"access_key_2_last_rotated\":\"N/A\",\"arn\":\"arn:aws:iam::526216611803:user/srichter\",\"access_key_1_last_rotated\":\"N/A\",\"access_key_2_last_used_region\":\"N/A\",\"user\":\"srichter\",\"password_last_changed\":\"2024-07-17T17:38:45Z\",\"cert_2_last_rotated\":\"N/A\"}" }, { "expectedResult": { "status": "COMPLIANT", "conditionIndex": "300", "conditionText": "otherwise", "runtimeError": null }, "context": { "snapshotTime": "2024-05-30T18:23:28Z" }, "Id": "a02", "CA10__disappearanceTime__c": null, "CA10__credReportAttributesJson__c": "{\"password_last_used\":\"2024-07-17T17:37:46Z\",\"access_key_1_last_used_region\":\"N/A\",\"password_enabled\":\"true\",\"access_key_1_last_used_date\":\"N/A\",\"access_key_1_last_used_service\":\"N/A\",\"mfa_active\":\"true\",\"access_key_2_last_used_date\":\"N/A\",\"user_creation_time\":\"2017-09-27T19:51:41Z\",\"cert_2_active\":\"false\",\"cert_1_active\":\"false\",\"cert_1_last_rotated\":\"N/A\",\"access_key_2_last_used_service\":\"N/A\",\"access_key_2_active\":\"false\",\"access_key_1_active\":\"true\",\"password_next_rotation\":\"2024-10-15T17:38:45Z\",\"access_key_2_last_rotated\":\"N/A\",\"arn\":\"arn:aws:iam::526216611803:user/srichter\",\"access_key_1_last_rotated\":\"N/A\",\"access_key_2_last_used_region\":\"N/A\",\"user\":\"srichter\",\"password_last_changed\":\"2024-07-17T17:38:45Z\",\"cert_2_last_rotated\":\"N/A\"}" }, { "expectedResult": { "status": "INCOMPLIANT", "conditionIndex": "299", "conditionText": "extract('CA10__credReportAccessKey1Active__c') == true && extract('CA10__credReportAccessKey2Active__c') == true", "runtimeError": null }, "context": { "snapshotTime": "2024-05-30T18:23:28Z" }, "Id": "a03", "CA10__disappearanceTime__c": null, "CA10__credReportAttributesJson__c": "{\"password_last_used\":\"2024-07-17T17:37:46Z\",\"access_key_1_last_used_region\":\"N/A\",\"password_enabled\":\"true\",\"access_key_1_last_used_date\":\"N/A\",\"access_key_1_last_used_service\":\"N/A\",\"mfa_active\":\"true\",\"access_key_2_last_used_date\":\"N/A\",\"user_creation_time\":\"2017-09-27T19:51:41Z\",\"cert_2_active\":\"false\",\"cert_1_active\":\"false\",\"cert_1_last_rotated\":\"N/A\",\"access_key_2_last_used_service\":\"N/A\",\"access_key_2_active\":\"true\",\"access_key_1_active\":\"true\",\"password_next_rotation\":\"2024-10-15T17:38:45Z\",\"access_key_2_last_rotated\":\"N/A\",\"arn\":\"arn:aws:iam::526216611803:user/srichter\",\"access_key_1_last_rotated\":\"N/A\",\"access_key_2_last_used_region\":\"N/A\",\"user\":\"srichter\",\"password_last_changed\":\"2024-07-17T17:38:45Z\",\"cert_2_last_rotated\":\"N/A\"}" } ] - path: /types/CA10__CaAwsUser__c/credReport.extracts.yaml md5Hash: F6D383D933A0B64268B39ADE7012508C content: "\n# password_last_used: 2021-10-15T16:30:24+00:00\n# access_key_1_last_used_region:\ \ us-east-1\n# password_enabled: not_supported\n# access_key_1_last_used_date:\ \ 2020-02-27T12:03:00+00:00\n# access_key_1_last_used_service: s3\n# mfa_active:\ \ false\n# access_key_2_last_used_date: N/A\n# user_creation_time: 2008-06-17T18:41:41+00:00\n\ # cert_2_active: false\n# cert_1_active: true\n# cert_1_last_rotated: 2011-04-27T13:23:57+00:00\n\ # access_key_2_last_used_service: N/A\n# access_key_2_active: false\n# access_key_1_active:\ \ false\n# password_next_rotation: not_supported\n# access_key_2_last_rotated:\ \ 2014-07-03T15:12:24+00:00\n# arn: arn:aws:iam::814021343637:root\n# access_key_1_last_rotated:\ \ 2011-04-27T13:20:07+00:00\n# access_key_2_last_used_region: N/A\n# user: \n\ # password_last_changed: not_supported\n# cert_2_last_rotated: N/A\n---\nextracts:\n\ \ - name: CA10__credReportAttributesJson__c\n value: \n JSON_FROM:\n\ \ arg:\n FIELD:\n path: CA10__credReportAttributesJson__c\n\ \ returnType: BYTES\n undeterminedIf:\n isEmpty:\ \ Credential report attributes are empty, this is either permission issue or\ \ the data haven't been populated yet\n undeterminedIf:\n isInvalid:\ \ \"Cred report attributes JSON is invalid\"\n - name: CA10__credReportAccessKey1Active__c\n\ \ value:\n BOOLEAN_FROM:\n arg:\n JSON_QUERY_TEXT:\n\ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n\ \ expression: \"to_string(access_key_1_active)\"\n undeterminedIf:\n\ \ evaluationError: \"The JSON query has failed.\"\n \ \ resultTypeMismatch: \"The JSON query did not return text type.\"\n \ \ undeterminedIf:\n isEmpty: Value of 'access_key_1_active' is empty,\ \ unexpected data\n - name: CA10__credReportAccessKey2Active__c\n value:\n\ \ BOOLEAN_FROM:\n arg:\n JSON_QUERY_TEXT:\n \ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n \ \ expression: \"to_string(access_key_2_active)\"\n undeterminedIf:\n\ \ evaluationError: \"The JSON query has failed.\"\n \ \ resultTypeMismatch: \"The JSON query did not return text type.\"\n \ \ undeterminedIf:\n isEmpty: Value of 'access_key_1_active' is empty,\ \ unexpected data\n - name: CA10__credReportPasswordLastUsed__c\n value:\n\ \ DATE_TIME_FROM:\n arg:\n JSON_QUERY_TEXT:\n \ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n \ \ expression: \"to_string(password_last_used)\"\n undeterminedIf:\n\ \ evaluationError: \"The JSON query has failed.\"\n \ \ resultTypeMismatch: \"The JSON query did not return text type.\"\n \ \ nullValues:\n - \"no_information\"\n - \"N/A\"\n \ \ format: ISO_8601\n undeterminedIf:\n # value CAN be empty,\ \ for example when password was never used.\n #isEmpty: Value of 'password_last_used'\ \ is empty, unexpected data\n invalidFormat: Value of 'password_last_used'\ \ does not match ISO-8601 format\n - name: CA10__credReportAccessKey1LastUsed__c\n\ \ value:\n DATE_TIME_FROM:\n arg:\n JSON_QUERY_TEXT:\n\ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n\ \ expression: \"to_string(access_key_1_last_used_date)\"\n \ \ undeterminedIf:\n evaluationError: \"The JSON query has\ \ failed.\"\n resultTypeMismatch: \"The JSON query did not return\ \ text type.\"\n nullValues:\n - \"N/A\"\n format: ISO_8601\n\ \ undeterminedIf:\n # value CAN be empty, for example when password\ \ was never used.\n #isEmpty: Value of 'access_key_1_last_used_date'\ \ is empty, unexpected data\n invalidFormat: Value of 'access_key_1_last_used_date'\ \ does not match ISO-8601 format\n - name: CA10__credReportAccessKey2LastUsed__c\n\ \ value:\n DATE_TIME_FROM:\n arg:\n JSON_QUERY_TEXT:\n\ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n\ \ expression: \"to_string(access_key_2_last_used_date)\"\n \ \ undeterminedIf:\n evaluationError: \"The JSON query has\ \ failed.\"\n resultTypeMismatch: \"The JSON query did not return\ \ text type.\"\n nullValues:\n - \"N/A\"\n format: ISO_8601\n\ \ undeterminedIf:\n # value CAN be empty, for example when password\ \ was never used.\n #isEmpty: Value of 'access_key_2_last_used_date'\ \ is empty, unexpected data\n invalidFormat: Value of 'access_key_2_last_used_date'\ \ does not match ISO-8601 format\n - name: CA10__credReportMfaActive__c\n \ \ value:\n BOOLEAN_FROM:\n arg:\n JSON_QUERY_TEXT:\n\ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n\ \ expression: \"to_string(mfa_active)\"\n undeterminedIf:\n\ \ evaluationError: \"The JSON query has failed.\"\n \ \ resultTypeMismatch: \"The JSON query did not return text type.\"\n \ \ undeterminedIf:\n isEmpty: Credential report 'mfa_active' key is\ \ empty, unexpected data\n - name: CA10__credReportPasswordEnabled__c\n \ \ value:\n BOOLEAN_FROM:\n arg:\n JSON_QUERY_TEXT:\n \ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n\ \ expression: \"to_string(password_enabled)\"\n undeterminedIf:\n\ \ evaluationError: \"The JSON query has failed.\"\n \ \ resultTypeMismatch: \"The JSON query did not return text type.\"\n \ \ undeterminedIf:\n isEmpty: Value of 'password_enabled' is empty,\ \ unexpected data\n - name: CA10__credReportPasswordLastChanged__c\n value:\n\ \ DATE_TIME_FROM:\n arg:\n JSON_QUERY_TEXT:\n \ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n \ \ expression: \"to_string(password_last_changed)\"\n undeterminedIf:\n\ \ evaluationError: \"The JSON query has failed.\"\n \ \ resultTypeMismatch: \"The JSON query did not return text type.\"\n \ \ nullValues:\n - \"N/A\"\n format: ISO_8601\n undeterminedIf:\n\ \ # value CAN be empty, for example when password was never changed.\n\ \ #isEmpty: Value of 'password_last_changed' is empty, unexpected data\n\ \ invalidFormat: Value of 'password_last_changed' does not match ISO-8601\ \ format\n - name: CA10__credReportAccessKey1LastRotated__c\n value:\n \ \ DATE_TIME_FROM:\n arg:\n JSON_QUERY_TEXT:\n \ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n \ \ expression: \"to_string(access_key_1_last_rotated)\"\n undeterminedIf:\n\ \ evaluationError: \"The JSON query has failed.\"\n \ \ resultTypeMismatch: \"The JSON query did not return text type.\"\n \ \ nullValues:\n - \"N/A\"\n format: ISO_8601\n undeterminedIf:\n\ \ # value CAN be empty, for example when key was never changed.\n \ \ #isEmpty: Value of 'access_key_1_last_rotated' is empty, unexpected\ \ data\n invalidFormat: Value of 'access_key_1_last_rotated' does not\ \ match ISO-8601 format\n - name: CA10__credReportAccessKey2LastRotated__c\n\ \ value:\n DATE_TIME_FROM:\n arg:\n JSON_QUERY_TEXT:\n\ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n\ \ expression: \"to_string(access_key_2_last_rotated)\"\n \ \ undeterminedIf:\n evaluationError: \"The JSON query has failed.\"\ \n resultTypeMismatch: \"The JSON query did not return text type.\"\ \n nullValues:\n - \"N/A\"\n format: ISO_8601\n \ \ undeterminedIf:\n # value CAN be empty, for example when key\ \ was never changed.\n #isEmpty: Value of 'access_key_2_last_rotated'\ \ is empty, unexpected data\n invalidFormat: Value of 'access_key_2_last_rotated'\ \ does not match ISO-8601 format\n - name: CA10__credReportCert1Active__c\n\ \ value:\n BOOLEAN_FROM:\n arg:\n JSON_QUERY_TEXT:\n\ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n\ \ expression: \"to_string(cert_1_active)\"\n undeterminedIf:\n\ \ evaluationError: \"The JSON query has failed.\"\n \ \ resultTypeMismatch: \"The JSON query did not return text type.\"\n \ \ undeterminedIf:\n isEmpty: Value of 'cert_1_active' is empty, unexpected\ \ data\n - name: CA10__credReportCert2Active__c\n value:\n BOOLEAN_FROM:\n\ \ arg:\n JSON_QUERY_TEXT:\n arg:\n EXTRACT:\ \ CA10__credReportAttributesJson__c\n expression: \"to_string(cert_2_active)\"\ \n undeterminedIf:\n evaluationError: \"The JSON query\ \ has failed.\"\n resultTypeMismatch: \"The JSON query did not\ \ return text type.\"\n undeterminedIf:\n isEmpty: Value of\ \ 'cert_1_active' is empty, unexpected data" script: |- CREATE TEMP FUNCTION mock_ExpectedResult() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "Id" : "a01", "expectedResult" : { "status" : "INAPPLICABLE", "conditionIndex" : "199", "conditionText" : "extract('CA10__credReportAccessKey1Active__c') == false && extract('CA10__credReportAccessKey2Active__c') == false", "runtimeError" : null } }, { "Id" : "a02", "expectedResult" : { "status" : "COMPLIANT", "conditionIndex" : "300", "conditionText" : "otherwise", "runtimeError" : null } }, { "Id" : "a03", "expectedResult" : { "status" : "INCOMPLIANT", "conditionIndex" : "299", "conditionText" : "extract('CA10__credReportAccessKey1Active__c') == true && extract('CA10__credReportAccessKey2Active__c') == true", "runtimeError" : null } } ]; """; CREATE TEMP FUNCTION mock_CA10__CaAwsUser__c() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "context" : { "snapshotTime" : new Date("2024-05-30T18:23:28Z") }, "CA10__credReportAttributesJson__c" : "{\"password_last_used\":\"2024-07-17T17:37:46Z\",\"access_key_1_last_used_region\":\"N/A\",\"password_enabled\":\"true\",\"access_key_1_last_used_date\":\"N/A\",\"access_key_1_last_used_service\":\"N/A\",\"mfa_active\":\"true\",\"access_key_2_last_used_date\":\"N/A\",\"user_creation_time\":\"2017-09-27T19:51:41Z\",\"cert_2_active\":\"false\",\"cert_1_active\":\"false\",\"cert_1_last_rotated\":\"N/A\",\"access_key_2_last_used_service\":\"N/A\",\"access_key_2_active\":\"false\",\"access_key_1_active\":\"false\",\"password_next_rotation\":\"2024-10-15T17:38:45Z\",\"access_key_2_last_rotated\":\"N/A\",\"arn\":\"arn:aws:iam::526216611803:user/srichter\",\"access_key_1_last_rotated\":\"N/A\",\"access_key_2_last_used_region\":\"N/A\",\"user\":\"srichter\",\"password_last_changed\":\"2024-07-17T17:38:45Z\",\"cert_2_last_rotated\":\"N/A\"}", "Id" : "a01" }, { "context" : { "snapshotTime" : new Date("2024-05-30T18:23:28Z") }, "CA10__credReportAttributesJson__c" : "{\"password_last_used\":\"2024-07-17T17:37:46Z\",\"access_key_1_last_used_region\":\"N/A\",\"password_enabled\":\"true\",\"access_key_1_last_used_date\":\"N/A\",\"access_key_1_last_used_service\":\"N/A\",\"mfa_active\":\"true\",\"access_key_2_last_used_date\":\"N/A\",\"user_creation_time\":\"2017-09-27T19:51:41Z\",\"cert_2_active\":\"false\",\"cert_1_active\":\"false\",\"cert_1_last_rotated\":\"N/A\",\"access_key_2_last_used_service\":\"N/A\",\"access_key_2_active\":\"false\",\"access_key_1_active\":\"true\",\"password_next_rotation\":\"2024-10-15T17:38:45Z\",\"access_key_2_last_rotated\":\"N/A\",\"arn\":\"arn:aws:iam::526216611803:user/srichter\",\"access_key_1_last_rotated\":\"N/A\",\"access_key_2_last_used_region\":\"N/A\",\"user\":\"srichter\",\"password_last_changed\":\"2024-07-17T17:38:45Z\",\"cert_2_last_rotated\":\"N/A\"}", "Id" : "a02" }, { "context" : { "snapshotTime" : new Date("2024-05-30T18:23:28Z") }, "CA10__credReportAttributesJson__c" : "{\"password_last_used\":\"2024-07-17T17:37:46Z\",\"access_key_1_last_used_region\":\"N/A\",\"password_enabled\":\"true\",\"access_key_1_last_used_date\":\"N/A\",\"access_key_1_last_used_service\":\"N/A\",\"mfa_active\":\"true\",\"access_key_2_last_used_date\":\"N/A\",\"user_creation_time\":\"2017-09-27T19:51:41Z\",\"cert_2_active\":\"false\",\"cert_1_active\":\"false\",\"cert_1_last_rotated\":\"N/A\",\"access_key_2_last_used_service\":\"N/A\",\"access_key_2_active\":\"true\",\"access_key_1_active\":\"true\",\"password_next_rotation\":\"2024-10-15T17:38:45Z\",\"access_key_2_last_rotated\":\"N/A\",\"arn\":\"arn:aws:iam::526216611803:user/srichter\",\"access_key_1_last_rotated\":\"N/A\",\"access_key_2_last_used_region\":\"N/A\",\"user\":\"srichter\",\"password_last_changed\":\"2024-07-17T17:38:45Z\",\"cert_2_last_rotated\":\"N/A\"}", "Id" : "a03" } ]; """; CREATE TEMP FUNCTION process_CA10__CaAwsUser__c( obj STRUCT< CA10__disappearanceTime__c TIMESTAMP, CA10__credReportAttributesJson__c STRING, Id STRING >, snapshotTime TIMESTAMP ) RETURNS STRUCT DETERMINISTIC LANGUAGE js OPTIONS (library=['gs://compliance-platform-public/jmespath.min.js']) AS r""" var TextLib = new function () { this.normalize = function(arg) { return arg == null ? '' : arg.replace(/\s+/g, ' ').trim().toLowerCase(); }; this.isEmpty = function(arg) { return this.normalize(arg) == ''; }; this.isNotEmpty = function(arg) { return this.normalize(arg) != ''; }; this.equal = function(left, right) { return this.normalize(left) == this.normalize(right); }; this.notEqual = function(left, right) { return this.normalize(left) != this.normalize(right); }; this.startsWith = function(arg, substring) { return this.normalize(arg).startsWith(this.normalize(substring)); }; this.endsWith = function(arg, substring) { return this.normalize(arg).endsWith(this.normalize(substring)); }; this.contains = function(arg, substring) { return this.normalize(arg).includes(this.normalize(substring)); }; this.containsAll = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.every(sub => normalizedArg.includes(this.normalize(sub))); }; this.containsAny = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.some(sub => normalizedArg.includes(this.normalize(sub))); }; }(); var BytesLib = new function () { this.normalize = function(arg) { return arg == null ? '' : arg; }; this.isEmpty = function(arg) { return this.normalize(arg) == ''; }; this.isNotEmpty = function(arg) { return this.normalize(arg) != ''; }; this.equal = function(left, right) { return this.normalize(left) == this.normalize(right); }; this.notEqual = function(left, right) { return this.normalize(left) != this.normalize(right); }; this.startsWith = function(arg, substring) { return this.normalize(arg).startsWith(this.normalize(substring)); }; this.endsWith = function(arg, substring) { return this.normalize(arg).endsWith(this.normalize(substring)); }; this.contains = function(arg, substring) { return this.normalize(arg).includes(this.normalize(substring)); }; this.containsAll = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.every(sub => normalizedArg.includes(this.normalize(sub))); }; this.containsAny = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.some(sub => normalizedArg.includes(this.normalize(sub))); }; }(); var references1 = []; // condition[0], conditionIndex:[0..99] references1.push('Deleted From AWS [CA10__disappearanceTime__c]: ' + obj.CA10__disappearanceTime__c); if (obj.CA10__disappearanceTime__c != null) { return {status: 'DISAPPEARED', conditionIndex: 99, conditionText: "isDisappeared(CA10__disappearanceTime__c)", currentStateMessage: "Object is deleted in the source", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } // condition[1], conditionIndex:[100..199] function boolChecked4() { var boolFrom10 = jsonQueryChecked5(); if (TextLib.isEmpty(boolFrom10)) { throw new Error("UNDETERMINED condition:105", {cause: {status: 'UNDETERMINED', conditionIndex: 105, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_1_active)').isEmpty()", currentStateMessage: "Value of 'access_key_1_active' is empty, unexpected data", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return TextLib.equal('true', boolFrom10); } function jsonQueryChecked5() { var input = extract7.call(extract7); var out; try { out = jmespath.search(input, 'to_string(access_key_1_active)'); if (out != null && typeof out != 'string') { throw new Error("UNDETERMINED condition:103", {cause: {status: 'UNDETERMINED', conditionIndex: 103, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_1_active)').isResultTypeMismatch()", currentStateMessage: "The JSON query did not return text type.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } } catch (e) { throw new Error("UNDETERMINED condition:104", {cause: {status: 'UNDETERMINED', conditionIndex: 104, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_1_active)').isEvaluationFailed()", currentStateMessage: "The JSON query has failed.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}}); } return out; } function jsonChecked8() { var input = fieldChecked9(); input = TextLib.isEmpty(input) ? null : input; var out; try { out = JSON.parse(input); } catch (e) { throw new Error("UNDETERMINED condition:102", {cause: {status: 'UNDETERMINED', conditionIndex: 102, conditionText: "CA10__credReportAttributesJson__c.asJson().isInvalid()", currentStateMessage: "Cred report attributes JSON is invalid", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}}); } return out; } function fieldChecked9() { if (BytesLib.isEmpty(obj.CA10__credReportAttributesJson__c)) { throw new Error("UNDETERMINED condition:101", {cause: {status: 'UNDETERMINED', conditionIndex: 101, conditionText: "CA10__credReportAttributesJson__c.isEmpty()", currentStateMessage: "Credential report attributes are empty, this is either permission issue or the data haven't been populated yet", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return obj.CA10__credReportAttributesJson__c; } function extract7() { if (!this.out) { this.out = jsonChecked8(); } return this.out; }; function extract3() { if (!this.out) { this.out = boolChecked4(); } return this.out; }; function boolChecked13() { var boolFrom16 = jsonQueryChecked14(); if (TextLib.isEmpty(boolFrom16)) { throw new Error("UNDETERMINED condition:108", {cause: {status: 'UNDETERMINED', conditionIndex: 108, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_2_active)').isEmpty()", currentStateMessage: "Value of 'access_key_1_active' is empty, unexpected data", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return TextLib.equal('true', boolFrom16); } function jsonQueryChecked14() { var input = extract7.call(extract7); var out; try { out = jmespath.search(input, 'to_string(access_key_2_active)'); if (out != null && typeof out != 'string') { throw new Error("UNDETERMINED condition:106", {cause: {status: 'UNDETERMINED', conditionIndex: 106, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_2_active)').isResultTypeMismatch()", currentStateMessage: "The JSON query did not return text type.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } } catch (e) { throw new Error("UNDETERMINED condition:107", {cause: {status: 'UNDETERMINED', conditionIndex: 107, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_2_active)').isEvaluationFailed()", currentStateMessage: "The JSON query has failed.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}}); } return out; } function extract12() { if (!this.out) { this.out = boolChecked13(); } return this.out; }; references1.push('Cred Report: Attributes JSON [obj.CA10__credReportAttributesJson__c]: ' + obj.CA10__credReportAttributesJson__c); try { if (extract3.call(extract3) == false && extract12.call(extract12) == false) { return {status: 'INAPPLICABLE', conditionIndex: 199, conditionText: "extract('CA10__credReportAccessKey1Active__c') == false && extract('CA10__credReportAccessKey2Active__c') == false", currentStateMessage: "The user does not have active access keys.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } } catch (err) { if (err.cause && err.cause.status) { return err.cause; } else { throw err; } } // condition[2], conditionIndex:[200..299] function boolChecked19() { var boolFrom25 = jsonQueryChecked20(); if (TextLib.isEmpty(boolFrom25)) { throw new Error("UNDETERMINED condition:205", {cause: {status: 'UNDETERMINED', conditionIndex: 205, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_1_active)').isEmpty()", currentStateMessage: "Value of 'access_key_1_active' is empty, unexpected data", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return TextLib.equal('true', boolFrom25); } function jsonQueryChecked20() { var input = extract22.call(extract22); var out; try { out = jmespath.search(input, 'to_string(access_key_1_active)'); if (out != null && typeof out != 'string') { throw new Error("UNDETERMINED condition:203", {cause: {status: 'UNDETERMINED', conditionIndex: 203, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_1_active)').isResultTypeMismatch()", currentStateMessage: "The JSON query did not return text type.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } } catch (e) { throw new Error("UNDETERMINED condition:204", {cause: {status: 'UNDETERMINED', conditionIndex: 204, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_1_active)').isEvaluationFailed()", currentStateMessage: "The JSON query has failed.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}}); } return out; } function jsonChecked23() { var input = fieldChecked24(); input = TextLib.isEmpty(input) ? null : input; var out; try { out = JSON.parse(input); } catch (e) { throw new Error("UNDETERMINED condition:202", {cause: {status: 'UNDETERMINED', conditionIndex: 202, conditionText: "CA10__credReportAttributesJson__c.asJson().isInvalid()", currentStateMessage: "Cred report attributes JSON is invalid", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}}); } return out; } function fieldChecked24() { if (BytesLib.isEmpty(obj.CA10__credReportAttributesJson__c)) { throw new Error("UNDETERMINED condition:201", {cause: {status: 'UNDETERMINED', conditionIndex: 201, conditionText: "CA10__credReportAttributesJson__c.isEmpty()", currentStateMessage: "Credential report attributes are empty, this is either permission issue or the data haven't been populated yet", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return obj.CA10__credReportAttributesJson__c; } function extract22() { if (!this.out) { this.out = jsonChecked23(); } return this.out; }; function extract18() { if (!this.out) { this.out = boolChecked19(); } return this.out; }; function boolChecked28() { var boolFrom31 = jsonQueryChecked29(); if (TextLib.isEmpty(boolFrom31)) { throw new Error("UNDETERMINED condition:208", {cause: {status: 'UNDETERMINED', conditionIndex: 208, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_2_active)').isEmpty()", currentStateMessage: "Value of 'access_key_1_active' is empty, unexpected data", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return TextLib.equal('true', boolFrom31); } function jsonQueryChecked29() { var input = extract22.call(extract22); var out; try { out = jmespath.search(input, 'to_string(access_key_2_active)'); if (out != null && typeof out != 'string') { throw new Error("UNDETERMINED condition:206", {cause: {status: 'UNDETERMINED', conditionIndex: 206, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_2_active)').isResultTypeMismatch()", currentStateMessage: "The JSON query did not return text type.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } } catch (e) { throw new Error("UNDETERMINED condition:207", {cause: {status: 'UNDETERMINED', conditionIndex: 207, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_2_active)').isEvaluationFailed()", currentStateMessage: "The JSON query has failed.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}}); } return out; } function extract27() { if (!this.out) { this.out = boolChecked28(); } return this.out; }; try { if (extract18.call(extract18) == true && extract27.call(extract27) == true) { return {status: 'INCOMPLIANT', conditionIndex: 299, conditionText: "extract('CA10__credReportAccessKey1Active__c') == true && extract('CA10__credReportAccessKey2Active__c') == true", currentStateMessage: "More than one active access key is available for the IAM user.", currentStateReferences: references1.join('\n'), remediation: "Remove one of the access keys.", runtimeError: null}; } } catch (err) { if (err.cause && err.cause.status) { return err.cause; } else { throw err; } } return {status: 'COMPLIANT', conditionIndex: 300, conditionText: "otherwise", currentStateMessage: "This IAM user has only one active access key.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; """; SELECT expectedResult.Id as Id, IF ( IFNULL(expectedResult.expectedResult.status, '') = IFNULL(sObject.result.status, '') AND IFNULL(expectedResult.expectedResult.conditionIndex, -1) = IFNULL(sObject.result.conditionIndex, -1) AND IFNULL(expectedResult.expectedResult.conditionText, '') = IFNULL(sObject.result.conditionText, '') AND IFNULL(expectedResult.expectedResult.runtimeError, '') = IFNULL(sObject.result.runtimeError, ''), "MATCH", "FAIL" ) as match, expectedResult.expectedResult.status as expectedStatus, sObject.result.status as actualStatus, expectedResult.expectedResult.conditionIndex as expectedConditionIndex, sObject.result.conditionIndex as actualConditionIndex, expectedResult.expectedResult.conditionText as expectedConditionText, sObject.result.conditionText as actualConditionText, expectedResult.expectedResult.runtimeError as expectedRuntimeError, sObject.result.runtimeError as actualRuntimeError FROM UNNEST(mock_ExpectedResult()) expectedResult LEFT JOIN ( SELECT sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.CA10__credReportAttributesJson__c AS CA10__credReportAttributesJson__c, sObject.Id AS Id, process_CA10__CaAwsUser__c( STRUCT( sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.CA10__credReportAttributesJson__c AS CA10__credReportAttributesJson__c, sObject.Id AS Id ), sObject.context.snapshotTime ) as result FROM UNNEST(mock_CA10__CaAwsUser__c()) AS sObject ) sObject ON sObject.Id = expectedResult.Id;