--- policy: /ce/ca/aws/iam/root-user-mfa logic: /ce/ca/aws/iam/root-user-mfa/prod.logic.yaml executionTime: 2026-02-10T22:32:59.914010614Z generationMs: 87 executionMs: 889 rows: - id: a0 match: true status: expected: DISAPPEARED actual: DISAPPEARED conditionIndex: expected: 99 actual: 99 conditionText: expected: isDisappeared(CA10__disappearanceTime__c) actual: isDisappeared(CA10__disappearanceTime__c) runtimeError: {} - id: a01 match: true status: expected: INAPPLICABLE actual: INAPPLICABLE conditionIndex: expected: 199 actual: 199 conditionText: expected: extract('CA10__userName__c') != 'root' actual: extract('CA10__userName__c') != 'root' runtimeError: {} - id: a02 match: true status: expected: COMPLIANT actual: COMPLIANT conditionIndex: expected: 299 actual: 299 conditionText: expected: extract('CA10__credReportMfaActive__c') == true actual: extract('CA10__credReportMfaActive__c') == true runtimeError: {} - id: a03 match: true status: expected: COMPLIANT actual: COMPLIANT conditionIndex: expected: 399 actual: 399 conditionText: expected: extract('CA10__credReportPasswordEnabled__c') != true actual: extract('CA10__credReportPasswordEnabled__c') != true runtimeError: {} - id: a04 match: true status: expected: COMPLIANT actual: COMPLIANT conditionIndex: expected: 399 actual: 399 conditionText: expected: extract('CA10__credReportPasswordEnabled__c') != true actual: extract('CA10__credReportPasswordEnabled__c') != true runtimeError: {} - id: a05 match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 400 actual: 400 conditionText: expected: otherwise actual: otherwise runtimeError: {} usedFiles: - path: /ce/ca/aws/iam/root-user-mfa/policy.yaml md5Hash: C378BD03CEE084DF40AFB9DCDF2A9C93 content: | --- names: full: AWS Account Root User MFA is not enabled. contextual: Account Root User MFA is not enabled. description: "The 'root' user account is the most privileged user in an AWS account.\ \ Multi-factor Authentication (MFA) adds an extra layer of protection on top of\ \ a username and password. With MFA enabled, when a user signs in to an AWS website,\ \ they will be prompted for their username and password as well as for an authentication\ \ code from their AWS MFA device." type: COMPLIANCE_POLICY categories: - SECURITY frameworkMappings: - "/frameworks/cis-aws-v6.0.0/02/04" - "/frameworks/cloudaware/identity-and-access-governance/mfa-implementation" - "/frameworks/aws-well-architected/sec/02/01" - "/frameworks/pci-dss-v3.2.1/08/03/01" - "/frameworks/pci-dss-v4.0.1/08/04/02" - "/frameworks/nist-sp-800-53-r5/ac/02/01" - "/frameworks/nist-sp-800-53-r5/ac/03/15" - "/frameworks/nist-sp-800-53-r5/ia/02/01" - "/frameworks/nist-sp-800-53-r5/ia/02/02" - "/frameworks/nist-sp-800-53-r5/ia/02/06" - "/frameworks/nist-sp-800-53-r5/ia/02/08" similarPolicies: cloudConformity: - url: https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/IAM/root-mfa-enabled.html name: Root MFA Enabled - path: /ce/ca/aws/iam/root-user-mfa/prod.logic.yaml md5Hash: A9C93C1E1FDD8AB3C301A075FF169910 content: | --- inputType: "CA10__CaAwsUser__c" testData: - file: test-data.json importExtracts: - file: /types/CA10__CaAwsUser__c/credReport.extracts.yaml - file: /types/CA10__CaAwsUser__c/object.extracts.yaml conditions: - status: "INAPPLICABLE" currentStateMessage: "This policy applies only to root users." check: NOT_EQUAL: left: EXTRACT: CA10__userName__c right: TEXT: "root" - status: "COMPLIANT" currentStateMessage: "The root user has MFA enabled." check: IS_EQUAL: left: EXTRACT: CA10__credReportMfaActive__c right: BOOLEAN: true - status: "COMPLIANT" currentStateMessage: "The root user does not have console credentials." check: NOT_EQUAL: left: EXTRACT: CA10__credReportPasswordEnabled__c right: BOOLEAN: true otherwise: status: "INCOMPLIANT" currentStateMessage: "The root user does not have MFA enabled." remediationMessage: "Enable MFA for the root user." - path: /ce/ca/aws/iam/root-user-mfa/test-data.json md5Hash: FB9550FA93296F834FD234D624FF47E6 content: |- [ { "expectedResult": { "status": "DISAPPEARED", "conditionIndex": "99", "conditionText": "isDisappeared(CA10__disappearanceTime__c)", "runtimeError": null }, "context": { "snapshotTime": "2024-06-18T05:52:54Z" }, "Id": "a0", "CA10__disappearanceTime__c": "2024-05-20T12:40:12Z", "CA10__credReportAttributesJson__c": "{\"password_last_used\":\"2024-07-17T17:37:46Z\",\"access_key_1_last_used_region\":\"N/A\",\"password_enabled\":\"true\",\"access_key_1_last_used_date\":\"N/A\",\"access_key_1_last_used_service\":\"N/A\",\"mfa_active\":\"true\",\"access_key_2_last_used_date\":\"N/A\",\"user_creation_time\":\"2017-09-27T19:51:41Z\",\"cert_2_active\":\"false\",\"cert_1_active\":\"false\",\"cert_1_last_rotated\":\"N/A\",\"access_key_2_last_used_service\":\"N/A\",\"access_key_2_active\":\"false\",\"access_key_1_active\":\"false\",\"password_next_rotation\":\"2024-10-15T17:38:45Z\",\"access_key_2_last_rotated\":\"N/A\",\"arn\":\"arn:aws:iam::526216611803:user/srichter\",\"access_key_1_last_rotated\":\"N/A\",\"access_key_2_last_used_region\":\"N/A\",\"user\":\"root\",\"password_last_changed\":\"2024-07-17T17:38:45Z\",\"cert_2_last_rotated\":\"N/A\"}" }, { "expectedResult": { "status": "INAPPLICABLE", "conditionIndex": "199", "conditionText": "extract('CA10__userName__c') != 'root'", "runtimeError": null }, "context": { "snapshotTime": "2024-06-18T05:52:54Z" }, "Id": "a01", "CA10__disappearanceTime__c": null, "CA10__credReportAttributesJson__c": "{\"password_last_used\":\"2024-07-17T17:37:46Z\",\"access_key_1_last_used_region\":\"N/A\",\"password_enabled\":\"true\",\"access_key_1_last_used_date\":\"N/A\",\"access_key_1_last_used_service\":\"N/A\",\"mfa_active\":\"true\",\"access_key_2_last_used_date\":\"N/A\",\"user_creation_time\":\"2017-09-27T19:51:41Z\",\"cert_2_active\":\"false\",\"cert_1_active\":\"false\",\"cert_1_last_rotated\":\"N/A\",\"access_key_2_last_used_service\":\"N/A\",\"access_key_2_active\":\"false\",\"access_key_1_active\":\"false\",\"password_next_rotation\":\"2024-10-15T17:38:45Z\",\"access_key_2_last_rotated\":\"N/A\",\"arn\":\"arn:aws:iam::526216611803:user/srichter\",\"access_key_1_last_rotated\":\"N/A\",\"access_key_2_last_used_region\":\"N/A\",\"user\":\"\",\"password_last_changed\":\"2024-07-17T17:38:45Z\",\"cert_2_last_rotated\":\"N/A\"}", "CA10__userName__c": "userName" }, { "expectedResult": { "status": "COMPLIANT", "conditionIndex": "299", "conditionText": "extract('CA10__credReportMfaActive__c') == true", "runtimeError": null }, "context": { "snapshotTime": "2024-06-18T05:52:54Z" }, "Id": "a02", "CA10__disappearanceTime__c": null, "CA10__credReportAttributesJson__c": "{\"password_last_used\":\"2024-07-17T17:37:46Z\",\"access_key_1_last_used_region\":\"N/A\",\"password_enabled\":\"true\",\"access_key_1_last_used_date\":\"N/A\",\"access_key_1_last_used_service\":\"N/A\",\"mfa_active\":\"true\",\"access_key_2_last_used_date\":\"N/A\",\"user_creation_time\":\"2017-09-27T19:51:41Z\",\"cert_2_active\":\"false\",\"cert_1_active\":\"false\",\"cert_1_last_rotated\":\"N/A\",\"access_key_2_last_used_service\":\"N/A\",\"access_key_2_active\":\"false\",\"access_key_1_active\":\"false\",\"password_next_rotation\":\"2024-10-15T17:38:45Z\",\"access_key_2_last_rotated\":\"N/A\",\"arn\":\"arn:aws:iam::526216611803:user/srichter\",\"access_key_1_last_rotated\":\"N/A\",\"access_key_2_last_used_region\":\"N/A\",\"user\":\"root\",\"password_last_changed\":\"2024-07-17T17:38:45Z\",\"cert_2_last_rotated\":\"N/A\"}", "CA10__userName__c": "root" }, { "expectedResult": { "status": "COMPLIANT", "conditionIndex": "399", "conditionText": "extract('CA10__credReportPasswordEnabled__c') != true", "runtimeError": null }, "context": { "snapshotTime": "2024-06-18T05:52:54Z" }, "Id": "a03", "CA10__disappearanceTime__c": null, "CA10__credReportAttributesJson__c": "{\"password_last_used\":\"2024-07-17T17:37:46Z\",\"access_key_1_last_used_region\":\"N/A\",\"password_enabled\":\"false\",\"access_key_1_last_used_date\":\"N/A\",\"access_key_1_last_used_service\":\"N/A\",\"mfa_active\":\"false\",\"access_key_2_last_used_date\":\"N/A\",\"user_creation_time\":\"2017-09-27T19:51:41Z\",\"cert_2_active\":\"false\",\"cert_1_active\":\"false\",\"cert_1_last_rotated\":\"N/A\",\"access_key_2_last_used_service\":\"N/A\",\"access_key_2_active\":\"false\",\"access_key_1_active\":\"false\",\"password_next_rotation\":\"2024-10-15T17:38:45Z\",\"access_key_2_last_rotated\":\"N/A\",\"arn\":\"arn:aws:iam::526216611803:user/srichter\",\"access_key_1_last_rotated\":\"N/A\",\"access_key_2_last_used_region\":\"N/A\",\"user\":\"root\",\"password_last_changed\":\"2024-07-17T17:38:45Z\",\"cert_2_last_rotated\":\"N/A\"}", "CA10__userName__c": "root" }, { "expectedResult": { "status": "COMPLIANT", "conditionIndex": "399", "conditionText": "extract('CA10__credReportPasswordEnabled__c') != true", "runtimeError": null }, "context": { "snapshotTime": "2024-06-18T05:52:54Z" }, "Id": "a04", "CA10__disappearanceTime__c": null, "CA10__credReportAttributesJson__c": "{\"password_last_used\":\"2024-07-17T17:37:46Z\",\"access_key_1_last_used_region\":\"N/A\",\"password_enabled\":\"not_supported\",\"access_key_1_last_used_date\":\"N/A\",\"access_key_1_last_used_service\":\"N/A\",\"mfa_active\":\"false\",\"access_key_2_last_used_date\":\"N/A\",\"user_creation_time\":\"2017-09-27T19:51:41Z\",\"cert_2_active\":\"false\",\"cert_1_active\":\"false\",\"cert_1_last_rotated\":\"N/A\",\"access_key_2_last_used_service\":\"N/A\",\"access_key_2_active\":\"false\",\"access_key_1_active\":\"false\",\"password_next_rotation\":\"2024-10-15T17:38:45Z\",\"access_key_2_last_rotated\":\"N/A\",\"arn\":\"arn:aws:iam::526216611803:user/srichter\",\"access_key_1_last_rotated\":\"N/A\",\"access_key_2_last_used_region\":\"N/A\",\"user\":\"root\",\"password_last_changed\":\"2024-07-17T17:38:45Z\",\"cert_2_last_rotated\":\"N/A\"}", "CA10__userName__c": "root" }, { "expectedResult": { "status": "INCOMPLIANT", "conditionIndex": "400", "conditionText": "otherwise", "runtimeError": null }, "context": { "snapshotTime": "2024-06-18T05:52:54Z" }, "Id": "a05", "CA10__disappearanceTime__c": null, "CA10__credReportAttributesJson__c": "{\"password_last_used\":\"2024-07-17T17:37:46Z\",\"access_key_1_last_used_region\":\"N/A\",\"password_enabled\":\"true\",\"access_key_1_last_used_date\":\"N/A\",\"access_key_1_last_used_service\":\"N/A\",\"mfa_active\":\"false\",\"access_key_2_last_used_date\":\"N/A\",\"user_creation_time\":\"2017-09-27T19:51:41Z\",\"cert_2_active\":\"false\",\"cert_1_active\":\"false\",\"cert_1_last_rotated\":\"N/A\",\"access_key_2_last_used_service\":\"N/A\",\"access_key_2_active\":\"false\",\"access_key_1_active\":\"false\",\"password_next_rotation\":\"2024-10-15T17:38:45Z\",\"access_key_2_last_rotated\":\"N/A\",\"arn\":\"arn:aws:iam::526216611803:user/srichter\",\"access_key_1_last_rotated\":\"N/A\",\"access_key_2_last_used_region\":\"N/A\",\"user\":\"root\",\"password_last_changed\":\"2024-07-17T17:38:45Z\",\"cert_2_last_rotated\":\"N/A\"}", "CA10__userName__c": "root" } ] - path: /types/CA10__CaAwsUser__c/credReport.extracts.yaml md5Hash: F6D383D933A0B64268B39ADE7012508C content: "\n# password_last_used: 2021-10-15T16:30:24+00:00\n# access_key_1_last_used_region:\ \ us-east-1\n# password_enabled: not_supported\n# access_key_1_last_used_date:\ \ 2020-02-27T12:03:00+00:00\n# access_key_1_last_used_service: s3\n# mfa_active:\ \ false\n# access_key_2_last_used_date: N/A\n# user_creation_time: 2008-06-17T18:41:41+00:00\n\ # cert_2_active: false\n# cert_1_active: true\n# cert_1_last_rotated: 2011-04-27T13:23:57+00:00\n\ # access_key_2_last_used_service: N/A\n# access_key_2_active: false\n# access_key_1_active:\ \ false\n# password_next_rotation: not_supported\n# access_key_2_last_rotated:\ \ 2014-07-03T15:12:24+00:00\n# arn: arn:aws:iam::814021343637:root\n# access_key_1_last_rotated:\ \ 2011-04-27T13:20:07+00:00\n# access_key_2_last_used_region: N/A\n# user: \n\ # password_last_changed: not_supported\n# cert_2_last_rotated: N/A\n---\nextracts:\n\ \ - name: CA10__credReportAttributesJson__c\n value: \n JSON_FROM:\n\ \ arg:\n FIELD:\n path: CA10__credReportAttributesJson__c\n\ \ returnType: BYTES\n undeterminedIf:\n isEmpty:\ \ Credential report attributes are empty, this is either permission issue or\ \ the data haven't been populated yet\n undeterminedIf:\n isInvalid:\ \ \"Cred report attributes JSON is invalid\"\n - name: CA10__credReportAccessKey1Active__c\n\ \ value:\n BOOLEAN_FROM:\n arg:\n JSON_QUERY_TEXT:\n\ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n\ \ expression: \"to_string(access_key_1_active)\"\n undeterminedIf:\n\ \ evaluationError: \"The JSON query has failed.\"\n \ \ resultTypeMismatch: \"The JSON query did not return text type.\"\n \ \ undeterminedIf:\n isEmpty: Value of 'access_key_1_active' is empty,\ \ unexpected data\n - name: CA10__credReportAccessKey2Active__c\n value:\n\ \ BOOLEAN_FROM:\n arg:\n JSON_QUERY_TEXT:\n \ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n \ \ expression: \"to_string(access_key_2_active)\"\n undeterminedIf:\n\ \ evaluationError: \"The JSON query has failed.\"\n \ \ resultTypeMismatch: \"The JSON query did not return text type.\"\n \ \ undeterminedIf:\n isEmpty: Value of 'access_key_1_active' is empty,\ \ unexpected data\n - name: CA10__credReportPasswordLastUsed__c\n value:\n\ \ DATE_TIME_FROM:\n arg:\n JSON_QUERY_TEXT:\n \ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n \ \ expression: \"to_string(password_last_used)\"\n undeterminedIf:\n\ \ evaluationError: \"The JSON query has failed.\"\n \ \ resultTypeMismatch: \"The JSON query did not return text type.\"\n \ \ nullValues:\n - \"no_information\"\n - \"N/A\"\n \ \ format: ISO_8601\n undeterminedIf:\n # value CAN be empty,\ \ for example when password was never used.\n #isEmpty: Value of 'password_last_used'\ \ is empty, unexpected data\n invalidFormat: Value of 'password_last_used'\ \ does not match ISO-8601 format\n - name: CA10__credReportAccessKey1LastUsed__c\n\ \ value:\n DATE_TIME_FROM:\n arg:\n JSON_QUERY_TEXT:\n\ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n\ \ expression: \"to_string(access_key_1_last_used_date)\"\n \ \ undeterminedIf:\n evaluationError: \"The JSON query has\ \ failed.\"\n resultTypeMismatch: \"The JSON query did not return\ \ text type.\"\n nullValues:\n - \"N/A\"\n format: ISO_8601\n\ \ undeterminedIf:\n # value CAN be empty, for example when password\ \ was never used.\n #isEmpty: Value of 'access_key_1_last_used_date'\ \ is empty, unexpected data\n invalidFormat: Value of 'access_key_1_last_used_date'\ \ does not match ISO-8601 format\n - name: CA10__credReportAccessKey2LastUsed__c\n\ \ value:\n DATE_TIME_FROM:\n arg:\n JSON_QUERY_TEXT:\n\ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n\ \ expression: \"to_string(access_key_2_last_used_date)\"\n \ \ undeterminedIf:\n evaluationError: \"The JSON query has\ \ failed.\"\n resultTypeMismatch: \"The JSON query did not return\ \ text type.\"\n nullValues:\n - \"N/A\"\n format: ISO_8601\n\ \ undeterminedIf:\n # value CAN be empty, for example when password\ \ was never used.\n #isEmpty: Value of 'access_key_2_last_used_date'\ \ is empty, unexpected data\n invalidFormat: Value of 'access_key_2_last_used_date'\ \ does not match ISO-8601 format\n - name: CA10__credReportMfaActive__c\n \ \ value:\n BOOLEAN_FROM:\n arg:\n JSON_QUERY_TEXT:\n\ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n\ \ expression: \"to_string(mfa_active)\"\n undeterminedIf:\n\ \ evaluationError: \"The JSON query has failed.\"\n \ \ resultTypeMismatch: \"The JSON query did not return text type.\"\n \ \ undeterminedIf:\n isEmpty: Credential report 'mfa_active' key is\ \ empty, unexpected data\n - name: CA10__credReportPasswordEnabled__c\n \ \ value:\n BOOLEAN_FROM:\n arg:\n JSON_QUERY_TEXT:\n \ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n\ \ expression: \"to_string(password_enabled)\"\n undeterminedIf:\n\ \ evaluationError: \"The JSON query has failed.\"\n \ \ resultTypeMismatch: \"The JSON query did not return text type.\"\n \ \ undeterminedIf:\n isEmpty: Value of 'password_enabled' is empty,\ \ unexpected data\n - name: CA10__credReportPasswordLastChanged__c\n value:\n\ \ DATE_TIME_FROM:\n arg:\n JSON_QUERY_TEXT:\n \ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n \ \ expression: \"to_string(password_last_changed)\"\n undeterminedIf:\n\ \ evaluationError: \"The JSON query has failed.\"\n \ \ resultTypeMismatch: \"The JSON query did not return text type.\"\n \ \ nullValues:\n - \"N/A\"\n format: ISO_8601\n undeterminedIf:\n\ \ # value CAN be empty, for example when password was never changed.\n\ \ #isEmpty: Value of 'password_last_changed' is empty, unexpected data\n\ \ invalidFormat: Value of 'password_last_changed' does not match ISO-8601\ \ format\n - name: CA10__credReportAccessKey1LastRotated__c\n value:\n \ \ DATE_TIME_FROM:\n arg:\n JSON_QUERY_TEXT:\n \ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n \ \ expression: \"to_string(access_key_1_last_rotated)\"\n undeterminedIf:\n\ \ evaluationError: \"The JSON query has failed.\"\n \ \ resultTypeMismatch: \"The JSON query did not return text type.\"\n \ \ nullValues:\n - \"N/A\"\n format: ISO_8601\n undeterminedIf:\n\ \ # value CAN be empty, for example when key was never changed.\n \ \ #isEmpty: Value of 'access_key_1_last_rotated' is empty, unexpected\ \ data\n invalidFormat: Value of 'access_key_1_last_rotated' does not\ \ match ISO-8601 format\n - name: CA10__credReportAccessKey2LastRotated__c\n\ \ value:\n DATE_TIME_FROM:\n arg:\n JSON_QUERY_TEXT:\n\ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n\ \ expression: \"to_string(access_key_2_last_rotated)\"\n \ \ undeterminedIf:\n evaluationError: \"The JSON query has failed.\"\ \n resultTypeMismatch: \"The JSON query did not return text type.\"\ \n nullValues:\n - \"N/A\"\n format: ISO_8601\n \ \ undeterminedIf:\n # value CAN be empty, for example when key\ \ was never changed.\n #isEmpty: Value of 'access_key_2_last_rotated'\ \ is empty, unexpected data\n invalidFormat: Value of 'access_key_2_last_rotated'\ \ does not match ISO-8601 format\n - name: CA10__credReportCert1Active__c\n\ \ value:\n BOOLEAN_FROM:\n arg:\n JSON_QUERY_TEXT:\n\ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n\ \ expression: \"to_string(cert_1_active)\"\n undeterminedIf:\n\ \ evaluationError: \"The JSON query has failed.\"\n \ \ resultTypeMismatch: \"The JSON query did not return text type.\"\n \ \ undeterminedIf:\n isEmpty: Value of 'cert_1_active' is empty, unexpected\ \ data\n - name: CA10__credReportCert2Active__c\n value:\n BOOLEAN_FROM:\n\ \ arg:\n JSON_QUERY_TEXT:\n arg:\n EXTRACT:\ \ CA10__credReportAttributesJson__c\n expression: \"to_string(cert_2_active)\"\ \n undeterminedIf:\n evaluationError: \"The JSON query\ \ has failed.\"\n resultTypeMismatch: \"The JSON query did not\ \ return text type.\"\n undeterminedIf:\n isEmpty: Value of\ \ 'cert_1_active' is empty, unexpected data" - path: /types/CA10__CaAwsUser__c/object.extracts.yaml md5Hash: 131CCD980BE5290B2C296CE093A686DC content: "---\nextracts:\n - name: CA10__mfaDeviceType__c\n # Acceptable values\ \ are: null, \"Hardware\", \"Virtual\"\n value:\n FIELD: \n path:\ \ CA10__mfaDeviceType__c\n undeterminedIf:\n noAccessDelegate:\n\ \ path: CA10__virtualMfaState__c\n currentStateMessage:\ \ Possible access issue with iam:GetAccountSummary, iam:ListVirtualMFADevices\ \ or iam:ListMFADevices\n# Not Nullable. Can't have no access, retrieved via\ \ iam:ListUsers\n - name: \"CA10__userName__c\"\n value:\n FIELD:\n\ \ path: \"CA10__userName__c\"\n - name: \"CA10__accessKeysCount__c\"\ \n value:\n FIELD:\n path: \"CA10__accessKeysCount__c\"\n# Not\ \ nullable\n - name: \"CA10__createDate__c\"\n value:\n FIELD:\n \ \ path: \"CA10__createDate__c\"\n" script: |- CREATE TEMP FUNCTION mock_ExpectedResult() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "Id" : "a0", "expectedResult" : { "status" : "DISAPPEARED", "conditionIndex" : "99", "conditionText" : "isDisappeared(CA10__disappearanceTime__c)", "runtimeError" : null } }, { "Id" : "a01", "expectedResult" : { "status" : "INAPPLICABLE", "conditionIndex" : "199", "conditionText" : "extract('CA10__userName__c') != 'root'", "runtimeError" : null } }, { "Id" : "a02", "expectedResult" : { "status" : "COMPLIANT", "conditionIndex" : "299", "conditionText" : "extract('CA10__credReportMfaActive__c') == true", "runtimeError" : null } }, { "Id" : "a03", "expectedResult" : { "status" : "COMPLIANT", "conditionIndex" : "399", "conditionText" : "extract('CA10__credReportPasswordEnabled__c') != true", "runtimeError" : null } }, { "Id" : "a04", "expectedResult" : { "status" : "COMPLIANT", "conditionIndex" : "399", "conditionText" : "extract('CA10__credReportPasswordEnabled__c') != true", "runtimeError" : null } }, { "Id" : "a05", "expectedResult" : { "status" : "INCOMPLIANT", "conditionIndex" : "400", "conditionText" : "otherwise", "runtimeError" : null } } ]; """; CREATE TEMP FUNCTION mock_CA10__CaAwsUser__c() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "context" : { "snapshotTime" : new Date("2024-06-18T05:52:54Z") }, "CA10__disappearanceTime__c" : new Date("2024-05-20T12:40:12Z"), "CA10__userName__c" : null, "CA10__credReportAttributesJson__c" : "{\"password_last_used\":\"2024-07-17T17:37:46Z\",\"access_key_1_last_used_region\":\"N/A\",\"password_enabled\":\"true\",\"access_key_1_last_used_date\":\"N/A\",\"access_key_1_last_used_service\":\"N/A\",\"mfa_active\":\"true\",\"access_key_2_last_used_date\":\"N/A\",\"user_creation_time\":\"2017-09-27T19:51:41Z\",\"cert_2_active\":\"false\",\"cert_1_active\":\"false\",\"cert_1_last_rotated\":\"N/A\",\"access_key_2_last_used_service\":\"N/A\",\"access_key_2_active\":\"false\",\"access_key_1_active\":\"false\",\"password_next_rotation\":\"2024-10-15T17:38:45Z\",\"access_key_2_last_rotated\":\"N/A\",\"arn\":\"arn:aws:iam::526216611803:user/srichter\",\"access_key_1_last_rotated\":\"N/A\",\"access_key_2_last_used_region\":\"N/A\",\"user\":\"root\",\"password_last_changed\":\"2024-07-17T17:38:45Z\",\"cert_2_last_rotated\":\"N/A\"}", "Id" : "a0" }, { "context" : { "snapshotTime" : new Date("2024-06-18T05:52:54Z") }, "CA10__userName__c" : "userName", "CA10__credReportAttributesJson__c" : "{\"password_last_used\":\"2024-07-17T17:37:46Z\",\"access_key_1_last_used_region\":\"N/A\",\"password_enabled\":\"true\",\"access_key_1_last_used_date\":\"N/A\",\"access_key_1_last_used_service\":\"N/A\",\"mfa_active\":\"true\",\"access_key_2_last_used_date\":\"N/A\",\"user_creation_time\":\"2017-09-27T19:51:41Z\",\"cert_2_active\":\"false\",\"cert_1_active\":\"false\",\"cert_1_last_rotated\":\"N/A\",\"access_key_2_last_used_service\":\"N/A\",\"access_key_2_active\":\"false\",\"access_key_1_active\":\"false\",\"password_next_rotation\":\"2024-10-15T17:38:45Z\",\"access_key_2_last_rotated\":\"N/A\",\"arn\":\"arn:aws:iam::526216611803:user/srichter\",\"access_key_1_last_rotated\":\"N/A\",\"access_key_2_last_used_region\":\"N/A\",\"user\":\"\",\"password_last_changed\":\"2024-07-17T17:38:45Z\",\"cert_2_last_rotated\":\"N/A\"}", "Id" : "a01" }, { "context" : { "snapshotTime" : new Date("2024-06-18T05:52:54Z") }, "CA10__userName__c" : "root", "CA10__credReportAttributesJson__c" : "{\"password_last_used\":\"2024-07-17T17:37:46Z\",\"access_key_1_last_used_region\":\"N/A\",\"password_enabled\":\"true\",\"access_key_1_last_used_date\":\"N/A\",\"access_key_1_last_used_service\":\"N/A\",\"mfa_active\":\"true\",\"access_key_2_last_used_date\":\"N/A\",\"user_creation_time\":\"2017-09-27T19:51:41Z\",\"cert_2_active\":\"false\",\"cert_1_active\":\"false\",\"cert_1_last_rotated\":\"N/A\",\"access_key_2_last_used_service\":\"N/A\",\"access_key_2_active\":\"false\",\"access_key_1_active\":\"false\",\"password_next_rotation\":\"2024-10-15T17:38:45Z\",\"access_key_2_last_rotated\":\"N/A\",\"arn\":\"arn:aws:iam::526216611803:user/srichter\",\"access_key_1_last_rotated\":\"N/A\",\"access_key_2_last_used_region\":\"N/A\",\"user\":\"root\",\"password_last_changed\":\"2024-07-17T17:38:45Z\",\"cert_2_last_rotated\":\"N/A\"}", "Id" : "a02" }, { "context" : { "snapshotTime" : new Date("2024-06-18T05:52:54Z") }, "CA10__userName__c" : "root", "CA10__credReportAttributesJson__c" : "{\"password_last_used\":\"2024-07-17T17:37:46Z\",\"access_key_1_last_used_region\":\"N/A\",\"password_enabled\":\"false\",\"access_key_1_last_used_date\":\"N/A\",\"access_key_1_last_used_service\":\"N/A\",\"mfa_active\":\"false\",\"access_key_2_last_used_date\":\"N/A\",\"user_creation_time\":\"2017-09-27T19:51:41Z\",\"cert_2_active\":\"false\",\"cert_1_active\":\"false\",\"cert_1_last_rotated\":\"N/A\",\"access_key_2_last_used_service\":\"N/A\",\"access_key_2_active\":\"false\",\"access_key_1_active\":\"false\",\"password_next_rotation\":\"2024-10-15T17:38:45Z\",\"access_key_2_last_rotated\":\"N/A\",\"arn\":\"arn:aws:iam::526216611803:user/srichter\",\"access_key_1_last_rotated\":\"N/A\",\"access_key_2_last_used_region\":\"N/A\",\"user\":\"root\",\"password_last_changed\":\"2024-07-17T17:38:45Z\",\"cert_2_last_rotated\":\"N/A\"}", "Id" : "a03" }, { "context" : { "snapshotTime" : new Date("2024-06-18T05:52:54Z") }, "CA10__userName__c" : "root", "CA10__credReportAttributesJson__c" : "{\"password_last_used\":\"2024-07-17T17:37:46Z\",\"access_key_1_last_used_region\":\"N/A\",\"password_enabled\":\"not_supported\",\"access_key_1_last_used_date\":\"N/A\",\"access_key_1_last_used_service\":\"N/A\",\"mfa_active\":\"false\",\"access_key_2_last_used_date\":\"N/A\",\"user_creation_time\":\"2017-09-27T19:51:41Z\",\"cert_2_active\":\"false\",\"cert_1_active\":\"false\",\"cert_1_last_rotated\":\"N/A\",\"access_key_2_last_used_service\":\"N/A\",\"access_key_2_active\":\"false\",\"access_key_1_active\":\"false\",\"password_next_rotation\":\"2024-10-15T17:38:45Z\",\"access_key_2_last_rotated\":\"N/A\",\"arn\":\"arn:aws:iam::526216611803:user/srichter\",\"access_key_1_last_rotated\":\"N/A\",\"access_key_2_last_used_region\":\"N/A\",\"user\":\"root\",\"password_last_changed\":\"2024-07-17T17:38:45Z\",\"cert_2_last_rotated\":\"N/A\"}", "Id" : "a04" }, { "context" : { "snapshotTime" : new Date("2024-06-18T05:52:54Z") }, "CA10__userName__c" : "root", "CA10__credReportAttributesJson__c" : "{\"password_last_used\":\"2024-07-17T17:37:46Z\",\"access_key_1_last_used_region\":\"N/A\",\"password_enabled\":\"true\",\"access_key_1_last_used_date\":\"N/A\",\"access_key_1_last_used_service\":\"N/A\",\"mfa_active\":\"false\",\"access_key_2_last_used_date\":\"N/A\",\"user_creation_time\":\"2017-09-27T19:51:41Z\",\"cert_2_active\":\"false\",\"cert_1_active\":\"false\",\"cert_1_last_rotated\":\"N/A\",\"access_key_2_last_used_service\":\"N/A\",\"access_key_2_active\":\"false\",\"access_key_1_active\":\"false\",\"password_next_rotation\":\"2024-10-15T17:38:45Z\",\"access_key_2_last_rotated\":\"N/A\",\"arn\":\"arn:aws:iam::526216611803:user/srichter\",\"access_key_1_last_rotated\":\"N/A\",\"access_key_2_last_used_region\":\"N/A\",\"user\":\"root\",\"password_last_changed\":\"2024-07-17T17:38:45Z\",\"cert_2_last_rotated\":\"N/A\"}", "Id" : "a05" } ]; """; CREATE TEMP FUNCTION process_CA10__CaAwsUser__c( obj STRUCT< CA10__disappearanceTime__c TIMESTAMP, CA10__userName__c STRING, CA10__credReportAttributesJson__c STRING, Id STRING >, snapshotTime TIMESTAMP ) RETURNS STRUCT DETERMINISTIC LANGUAGE js OPTIONS (library=['gs://compliance-platform-public/jmespath.min.js']) AS r""" var BytesLib = new function () { this.normalize = function(arg) { return arg == null ? '' : arg; }; this.isEmpty = function(arg) { return this.normalize(arg) == ''; }; this.isNotEmpty = function(arg) { return this.normalize(arg) != ''; }; this.equal = function(left, right) { return this.normalize(left) == this.normalize(right); }; this.notEqual = function(left, right) { return this.normalize(left) != this.normalize(right); }; this.startsWith = function(arg, substring) { return this.normalize(arg).startsWith(this.normalize(substring)); }; this.endsWith = function(arg, substring) { return this.normalize(arg).endsWith(this.normalize(substring)); }; this.contains = function(arg, substring) { return this.normalize(arg).includes(this.normalize(substring)); }; this.containsAll = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.every(sub => normalizedArg.includes(this.normalize(sub))); }; this.containsAny = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.some(sub => normalizedArg.includes(this.normalize(sub))); }; }(); var TextLib = new function () { this.normalize = function(arg) { return arg == null ? '' : arg.replace(/\s+/g, ' ').trim().toLowerCase(); }; this.isEmpty = function(arg) { return this.normalize(arg) == ''; }; this.isNotEmpty = function(arg) { return this.normalize(arg) != ''; }; this.equal = function(left, right) { return this.normalize(left) == this.normalize(right); }; this.notEqual = function(left, right) { return this.normalize(left) != this.normalize(right); }; this.startsWith = function(arg, substring) { return this.normalize(arg).startsWith(this.normalize(substring)); }; this.endsWith = function(arg, substring) { return this.normalize(arg).endsWith(this.normalize(substring)); }; this.contains = function(arg, substring) { return this.normalize(arg).includes(this.normalize(substring)); }; this.containsAll = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.every(sub => normalizedArg.includes(this.normalize(sub))); }; this.containsAny = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.some(sub => normalizedArg.includes(this.normalize(sub))); }; }(); var references1 = []; // condition[0], conditionIndex:[0..99] references1.push('Deleted From AWS [CA10__disappearanceTime__c]: ' + obj.CA10__disappearanceTime__c); if (obj.CA10__disappearanceTime__c != null) { return {status: 'DISAPPEARED', conditionIndex: 99, conditionText: "isDisappeared(CA10__disappearanceTime__c)", currentStateMessage: "Object is deleted in the source", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } // condition[1], conditionIndex:[100..199] function extract3() { if (!this.out) { this.out = obj.CA10__userName__c; } return this.out; }; references1.push('User Name [obj.CA10__userName__c]: ' + obj.CA10__userName__c); if (TextLib.notEqual(extract3.call(extract3), 'root')) { return {status: 'INAPPLICABLE', conditionIndex: 199, conditionText: "extract('CA10__userName__c') != 'root'", currentStateMessage: "This policy applies only to root users.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } // condition[2], conditionIndex:[200..299] function boolChecked7() { var boolFrom13 = jsonQueryChecked8(); if (TextLib.isEmpty(boolFrom13)) { throw new Error("UNDETERMINED condition:205", {cause: {status: 'UNDETERMINED', conditionIndex: 205, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(mfa_active)').isEmpty()", currentStateMessage: "Credential report 'mfa_active' key is empty, unexpected data", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return TextLib.equal('true', boolFrom13); } function jsonQueryChecked8() { var input = extract10.call(extract10); var out; try { out = jmespath.search(input, 'to_string(mfa_active)'); if (out != null && typeof out != 'string') { throw new Error("UNDETERMINED condition:203", {cause: {status: 'UNDETERMINED', conditionIndex: 203, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(mfa_active)').isResultTypeMismatch()", currentStateMessage: "The JSON query did not return text type.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } } catch (e) { throw new Error("UNDETERMINED condition:204", {cause: {status: 'UNDETERMINED', conditionIndex: 204, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(mfa_active)').isEvaluationFailed()", currentStateMessage: "The JSON query has failed.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}}); } return out; } function jsonChecked11() { var input = fieldChecked12(); input = TextLib.isEmpty(input) ? null : input; var out; try { out = JSON.parse(input); } catch (e) { throw new Error("UNDETERMINED condition:202", {cause: {status: 'UNDETERMINED', conditionIndex: 202, conditionText: "CA10__credReportAttributesJson__c.asJson().isInvalid()", currentStateMessage: "Cred report attributes JSON is invalid", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}}); } return out; } function fieldChecked12() { if (BytesLib.isEmpty(obj.CA10__credReportAttributesJson__c)) { throw new Error("UNDETERMINED condition:201", {cause: {status: 'UNDETERMINED', conditionIndex: 201, conditionText: "CA10__credReportAttributesJson__c.isEmpty()", currentStateMessage: "Credential report attributes are empty, this is either permission issue or the data haven't been populated yet", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return obj.CA10__credReportAttributesJson__c; } function extract10() { if (!this.out) { this.out = jsonChecked11(); } return this.out; }; function extract6() { if (!this.out) { this.out = boolChecked7(); } return this.out; }; references1.push('Cred Report: Attributes JSON [obj.CA10__credReportAttributesJson__c]: ' + obj.CA10__credReportAttributesJson__c); try { if (extract6.call(extract6) == true) { return {status: 'COMPLIANT', conditionIndex: 299, conditionText: "extract('CA10__credReportMfaActive__c') == true", currentStateMessage: "The root user has MFA enabled.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } } catch (err) { if (err.cause && err.cause.status) { return err.cause; } else { throw err; } } // condition[3], conditionIndex:[300..399] function boolChecked16() { var boolFrom22 = jsonQueryChecked17(); if (TextLib.isEmpty(boolFrom22)) { throw new Error("UNDETERMINED condition:305", {cause: {status: 'UNDETERMINED', conditionIndex: 305, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(password_enabled)').isEmpty()", currentStateMessage: "Value of 'password_enabled' is empty, unexpected data", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return TextLib.equal('true', boolFrom22); } function jsonQueryChecked17() { var input = extract19.call(extract19); var out; try { out = jmespath.search(input, 'to_string(password_enabled)'); if (out != null && typeof out != 'string') { throw new Error("UNDETERMINED condition:303", {cause: {status: 'UNDETERMINED', conditionIndex: 303, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(password_enabled)').isResultTypeMismatch()", currentStateMessage: "The JSON query did not return text type.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } } catch (e) { throw new Error("UNDETERMINED condition:304", {cause: {status: 'UNDETERMINED', conditionIndex: 304, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(password_enabled)').isEvaluationFailed()", currentStateMessage: "The JSON query has failed.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}}); } return out; } function jsonChecked20() { var input = fieldChecked21(); input = TextLib.isEmpty(input) ? null : input; var out; try { out = JSON.parse(input); } catch (e) { throw new Error("UNDETERMINED condition:302", {cause: {status: 'UNDETERMINED', conditionIndex: 302, conditionText: "CA10__credReportAttributesJson__c.asJson().isInvalid()", currentStateMessage: "Cred report attributes JSON is invalid", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}}); } return out; } function fieldChecked21() { if (BytesLib.isEmpty(obj.CA10__credReportAttributesJson__c)) { throw new Error("UNDETERMINED condition:301", {cause: {status: 'UNDETERMINED', conditionIndex: 301, conditionText: "CA10__credReportAttributesJson__c.isEmpty()", currentStateMessage: "Credential report attributes are empty, this is either permission issue or the data haven't been populated yet", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return obj.CA10__credReportAttributesJson__c; } function extract19() { if (!this.out) { this.out = jsonChecked20(); } return this.out; }; function extract15() { if (!this.out) { this.out = boolChecked16(); } return this.out; }; try { if (extract15.call(extract15) != true) { return {status: 'COMPLIANT', conditionIndex: 399, conditionText: "extract('CA10__credReportPasswordEnabled__c') != true", currentStateMessage: "The root user does not have console credentials.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } } catch (err) { if (err.cause && err.cause.status) { return err.cause; } else { throw err; } } return {status: 'INCOMPLIANT', conditionIndex: 400, conditionText: "otherwise", currentStateMessage: "The root user does not have MFA enabled.", currentStateReferences: references1.join('\n'), remediation: "Enable MFA for the root user.", runtimeError: null}; """; SELECT expectedResult.Id as Id, IF ( IFNULL(expectedResult.expectedResult.status, '') = IFNULL(sObject.result.status, '') AND IFNULL(expectedResult.expectedResult.conditionIndex, -1) = IFNULL(sObject.result.conditionIndex, -1) AND IFNULL(expectedResult.expectedResult.conditionText, '') = IFNULL(sObject.result.conditionText, '') AND IFNULL(expectedResult.expectedResult.runtimeError, '') = IFNULL(sObject.result.runtimeError, ''), "MATCH", "FAIL" ) as match, expectedResult.expectedResult.status as expectedStatus, sObject.result.status as actualStatus, expectedResult.expectedResult.conditionIndex as expectedConditionIndex, sObject.result.conditionIndex as actualConditionIndex, expectedResult.expectedResult.conditionText as expectedConditionText, sObject.result.conditionText as actualConditionText, expectedResult.expectedResult.runtimeError as expectedRuntimeError, sObject.result.runtimeError as actualRuntimeError FROM UNNEST(mock_ExpectedResult()) expectedResult LEFT JOIN ( SELECT sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.CA10__userName__c AS CA10__userName__c, sObject.CA10__credReportAttributesJson__c AS CA10__credReportAttributesJson__c, sObject.Id AS Id, process_CA10__CaAwsUser__c( STRUCT( sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.CA10__userName__c AS CA10__userName__c, sObject.CA10__credReportAttributesJson__c AS CA10__credReportAttributesJson__c, sObject.Id AS Id ), sObject.context.snapshotTime ) as result FROM UNNEST(mock_CA10__CaAwsUser__c()) AS sObject ) sObject ON sObject.Id = expectedResult.Id;