--- policy: /ce/ca/aws/iam/password-policy logic: /ce/ca/aws/iam/password-policy/prod.logic.yaml executionTime: 2026-05-09T12:03:14.983910576Z generationMs: 63 executionMs: 2196 rows: - id: '001' match: true status: expected: COMPLIANT actual: COMPLIANT conditionIndex: expected: 199 actual: 199 conditionText: expected: CA10__AWS_IAM_Password_Policies__r.has(COMPLIANT) actual: CA10__AWS_IAM_Password_Policies__r.has(COMPLIANT) runtimeError: {} - id: '002' match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 200 actual: 200 conditionText: expected: otherwise actual: otherwise runtimeError: {} usedFiles: - path: /ce/ca/aws/iam/password-policy/policy.yaml md5Hash: D7BFFBB77E1FE4D8FFE4067C5C19A065 content: | --- names: full: "AWS Account does not have an IAM Password Policy" contextual: "Account does not have an IAM Password Policy" description: "Ensure that an IAM Password Policy is configured for the AWS Account.\ \ Password policies allow you to enforce password complexity requirements and rotation\ \ schedules for IAM users, securing access to the AWS environment." type: "COMPLIANCE_POLICY" categories: - "SECURITY" frameworkMappings: - "/frameworks/cloudaware/identity-and-access-governance/credential-lifecycle-management" - "/frameworks/aws-fsbp-v1.0.0/iam/07" - "/frameworks/aws-well-architected/sec/02/01" similarPolicies: cloudConformity: - url: "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/password-policy.html" name: "IAM Password Policy" - path: /ce/ca/aws/iam/password-policy/prod.logic.yaml md5Hash: FAB152975E47327EB6F5876E0041BD6F content: | --- inputType: "CA10__CaAwsAccount__c" testData: - file: test-data.json conditions: - status: "COMPLIANT" currentStateMessage: "The account has a password policy." check: RELATED_LIST_HAS: relationshipName: "CA10__AWS_IAM_Password_Policies__r" status: "COMPLIANT" otherwise: status: "INCOMPLIANT" currentStateMessage: "The account does not have a password policy." remediationMessage: "Create an IAM password policy." relatedLists: - relationshipName: "CA10__AWS_IAM_Password_Policies__r" importExtracts: - file: /types/CA10__CaAwsPasswordPolicy__c/object.extracts.yaml conditions: [] otherwise: status: "COMPLIANT" currentStateMessage: "This is a password policy." - path: /ce/ca/aws/iam/password-policy/test-data.json md5Hash: 3EE40F2BF50726AA3647B3305E96EDBD content: | [ { "expectedResult": { "status": "COMPLIANT", "conditionIndex": "199", "conditionText": "CA10__AWS_IAM_Password_Policies__r.has(COMPLIANT)", "runtimeError": null }, "context": { "snapshotTime": "2025-11-27T06:42:48Z" }, "Id": "001", "CA10__AWS_IAM_Password_Policies__r": [ { "CA10__disappearanceTime__c": null, "CA10__account__c": "001", "Id": "pp001" } ] }, { "expectedResult": { "status": "INCOMPLIANT", "conditionIndex": "200", "conditionText": "otherwise", "runtimeError": null }, "context": { "snapshotTime": "2025-11-27T06:42:48Z" }, "Id": "002", "CA10__AWS_IAM_Password_Policies__r": [] } ] - path: /types/CA10__CaAwsPasswordPolicy__c/object.extracts.yaml md5Hash: 2C1D97EF4F574F9BE1A9C1EB7CAE6A9C content: "---\nextracts:\n - name: CA10__minimumPasswordLength__c\n # Should\ \ not be null if the policy itself exists? Needs additional research\n #TODO:\ \ research if CA10__minimumPasswordLength__c can be null\n value:\n \ \ FIELD: \n path: CA10__minimumPasswordLength__c\n undeterminedIf:\n\ \ isEmpty: Possibly corrupted data. Minimum password length should\ \ not be empty\n - name: CA10__passwordReusePrevention__c\n value: \n \ \ FIELD:\n path: CA10__passwordReusePrevention__c\n undeterminedIf:\n\ \ isEmpty: Possibly corrupted data. Number of passwords to remember\ \ should not be empty" script: |- CREATE TEMP FUNCTION mock_ExpectedResult() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "Id" : "001", "expectedResult" : { "status" : "COMPLIANT", "conditionIndex" : "199", "conditionText" : "CA10__AWS_IAM_Password_Policies__r.has(COMPLIANT)", "runtimeError" : null } }, { "Id" : "002", "expectedResult" : { "status" : "INCOMPLIANT", "conditionIndex" : "200", "conditionText" : "otherwise", "runtimeError" : null } } ]; """; CREATE TEMP FUNCTION mock_CA10__CaAwsAccount__c() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "context" : { "snapshotTime" : new Date("2025-11-27T06:42:48Z") }, "Id" : "001" }, { "context" : { "snapshotTime" : new Date("2025-11-27T06:42:48Z") }, "Id" : "002" } ]; """; CREATE TEMP FUNCTION mock_CA10__CaAwsPasswordPolicy__c() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "context" : { "snapshotTime" : new Date("2025-11-27T06:42:48Z") }, "CA10__account__c" : "001", "Id" : "pp001" } ]; """; CREATE TEMP FUNCTION process_CA10__CaAwsAccount__c( obj STRUCT< Id STRING, CA10__AWS_IAM_Password_Policies__r ARRAY >> >, snapshotTime TIMESTAMP ) RETURNS STRUCT DETERMINISTIC LANGUAGE js AS r""" var references1 = []; // condition[0], conditionIndex:[0..99] if (false) { return {status: 'DISAPPEARED', conditionIndex: 99, conditionText: "isDisappeared()", currentStateMessage: "Object is deleted in the source", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } var count_CA10__AWS_IAM_Password_Policies__r_COMPLIANT2 = 0; if (obj.CA10__AWS_IAM_Password_Policies__r != null) { for (var i3 = 0; i3 < obj.CA10__AWS_IAM_Password_Policies__r.length; i3++) { if (typeof(obj.CA10__AWS_IAM_Password_Policies__r[i3].status) !== 'undefined') { if (obj.CA10__AWS_IAM_Password_Policies__r[i3].status == 'COMPLIANT') { count_CA10__AWS_IAM_Password_Policies__r_COMPLIANT2 += obj.CA10__AWS_IAM_Password_Policies__r[i3].count; } } else { if (obj.CA10__AWS_IAM_Password_Policies__r[i3].result.status == 'COMPLIANT') { count_CA10__AWS_IAM_Password_Policies__r_COMPLIANT2 += 1; } } } } // condition[1], conditionIndex:[100..199] references1.push('Related list [CA10__AWS_IAM_Password_Policies__r] ' + (count_CA10__AWS_IAM_Password_Policies__r_COMPLIANT2 > 0 ? 'has' : 'does not have') + ' objects in COMPLIANT status'); if (count_CA10__AWS_IAM_Password_Policies__r_COMPLIANT2 > 0) { return {status: 'COMPLIANT', conditionIndex: 199, conditionText: "CA10__AWS_IAM_Password_Policies__r.has(COMPLIANT)", currentStateMessage: "The account has a password policy.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } return {status: 'INCOMPLIANT', conditionIndex: 200, conditionText: "otherwise", currentStateMessage: "The account does not have a password policy.", currentStateReferences: references1.join('\n'), remediation: "Create an IAM password policy.", runtimeError: null}; """; CREATE TEMP FUNCTION process_CA10__AWS_IAM_Password_Policies__r( obj STRUCT< CA10__disappearanceTime__c TIMESTAMP, CA10__account__c STRING, Id STRING >, snapshotTime TIMESTAMP ) RETURNS STRUCT DETERMINISTIC LANGUAGE js AS r""" var references1 = []; // condition[0], conditionIndex:[0..99] references1.push('Deleted From AWS [CA10__disappearanceTime__c]: ' + obj.CA10__disappearanceTime__c); if (obj.CA10__disappearanceTime__c != null) { return {status: 'DISAPPEARED', conditionIndex: 99, conditionText: "isDisappeared(CA10__disappearanceTime__c)", currentStateMessage: "Object is deleted in the source", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } return {status: 'COMPLIANT', conditionIndex: 100, conditionText: "otherwise", currentStateMessage: "This is a password policy.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; """; SELECT expectedResult.Id as Id, IF ( IFNULL(expectedResult.expectedResult.status, '') = IFNULL(sObject.result.status, '') AND IFNULL(expectedResult.expectedResult.conditionIndex, -1) = IFNULL(sObject.result.conditionIndex, -1) AND IFNULL(expectedResult.expectedResult.conditionText, '') = IFNULL(sObject.result.conditionText, '') AND IFNULL(expectedResult.expectedResult.runtimeError, '') = IFNULL(sObject.result.runtimeError, ''), "MATCH", "FAIL" ) as match, expectedResult.expectedResult.status as expectedStatus, sObject.result.status as actualStatus, expectedResult.expectedResult.conditionIndex as expectedConditionIndex, sObject.result.conditionIndex as actualConditionIndex, expectedResult.expectedResult.conditionText as expectedConditionText, sObject.result.conditionText as actualConditionText, expectedResult.expectedResult.runtimeError as expectedRuntimeError, sObject.result.runtimeError as actualRuntimeError FROM UNNEST(mock_ExpectedResult()) expectedResult LEFT JOIN ( SELECT sObject.Id AS Id, `CA10__AWS_IAM_Password_Policies__r`.arr AS CA10__AWS_IAM_Password_Policies__r, process_CA10__CaAwsAccount__c( STRUCT( sObject.Id AS Id, `CA10__AWS_IAM_Password_Policies__r`.arr AS CA10__AWS_IAM_Password_Policies__r ), sObject.context.snapshotTime ) as result FROM UNNEST(mock_CA10__CaAwsAccount__c()) AS sObject LEFT JOIN ( SELECT sObject.CA10__account__c, ARRAY_AGG( STRUCT( sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.CA10__account__c AS CA10__account__c, sObject.Id AS Id, process_CA10__AWS_IAM_Password_Policies__r( STRUCT( sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.CA10__account__c AS CA10__account__c, sObject.Id AS Id ), sObject.context.snapshotTime ) as result ) ) AS arr FROM UNNEST(mock_CA10__CaAwsPasswordPolicy__c()) AS sObject GROUP BY sObject.CA10__account__c ) AS `CA10__AWS_IAM_Password_Policies__r` ON sObject.Id = `CA10__AWS_IAM_Password_Policies__r`.CA10__account__c ) sObject ON sObject.Id = expectedResult.Id;