--- policy: /ce/ca/aws/iam/delete-root-user-signing-certificates logic: /ce/ca/aws/iam/delete-root-user-signing-certificates/prod.logic.yaml executionTime: 2026-02-10T22:32:57.472335905Z generationMs: 76 executionMs: 849 rows: - id: a01 match: true status: expected: DISAPPEARED actual: DISAPPEARED conditionIndex: expected: 99 actual: 99 conditionText: expected: isDisappeared(CA10__disappearanceTime__c) actual: isDisappeared(CA10__disappearanceTime__c) runtimeError: {} - id: a02 match: true status: expected: INAPPLICABLE actual: INAPPLICABLE conditionIndex: expected: 199 actual: 199 conditionText: expected: extract('CA10__userName__c') != 'root' actual: extract('CA10__userName__c') != 'root' runtimeError: {} - id: a03I match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 299 actual: 299 conditionText: expected: extract('CA10__credReportCert1Active__c') == true || extract('CA10__credReportCert2Active__c') == true actual: extract('CA10__credReportCert1Active__c') == true || extract('CA10__credReportCert2Active__c') == true runtimeError: {} - id: a03 match: true status: expected: COMPLIANT actual: COMPLIANT conditionIndex: expected: 300 actual: 300 conditionText: expected: otherwise actual: otherwise runtimeError: {} usedFiles: - path: /ce/ca/aws/iam/delete-root-user-signing-certificates/policy.yaml md5Hash: 807FA53A5E58D1D3B225E1354800E466 content: "---\nnames:\n full: AWS Account Root User signing certificates are\ \ active\n contextual: Root User signing certificates are active\ndescription:\ \ >\n Ensure that no signing certificates exist for the AWS root account. \n\ \ The root user is the most privileged user in an AWS account, and minimizing\ \ \n its credentials reduces the risk of account compromise.\ntype: \"COMPLIANCE_POLICY\"\ \ncategories:\n - \"SECURITY\"\nframeworkMappings:\n - \"/frameworks/cloudaware/identity-and-access-governance/credential-lifecycle-management\"\ \n - \"/frameworks/aws-well-architected/sec/01/02\"\nsimilarPolicies:\n cloudConformity:\n\ \ - url: https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/root-active-certificates.html\n\ \ name: Root Account Active Signing Certificates\n" - path: /ce/ca/aws/iam/delete-root-user-signing-certificates/prod.logic.yaml md5Hash: BA8C28E4D4ECA47CA111E17B50439A0D content: | --- inputType: "CA10__CaAwsUser__c" testData: - file: test-data.json importExtracts: - file: /types/CA10__CaAwsUser__c/credReport.extracts.yaml - file: /types/CA10__CaAwsUser__c/object.extracts.yaml conditions: - status: "INAPPLICABLE" currentStateMessage: "This policy applies only to the root user." check: NOT_EQUAL: left: EXTRACT: CA10__userName__c right: TEXT: "root" - status: "INCOMPLIANT" currentStateMessage: "The root user has one or more active signing certificates." remediationMessage: "Delete all active signing certificates for the root user." check: OR: args: - IS_EQUAL: left: EXTRACT: CA10__credReportCert1Active__c right: BOOLEAN: true - IS_EQUAL: left: EXTRACT: CA10__credReportCert2Active__c right: BOOLEAN: true otherwise: status: "COMPLIANT" currentStateMessage: "The root user does not have any active signing certificates." - path: /ce/ca/aws/iam/delete-root-user-signing-certificates/test-data.json md5Hash: 6243DEAC4B4AFEA58C135F6D812848EA content: |- [ { "expectedResult": { "status": "DISAPPEARED", "conditionIndex": "99", "conditionText": "isDisappeared(CA10__disappearanceTime__c)", "runtimeError": null }, "context": { "snapshotTime": "2024-06-19T07:55:48Z" }, "Id": "a01", "CA10__disappearanceTime__c": "2024-05-20T12:40:12Z", "CA10__credReportAttributesJson__c": "{\"password_last_used\":\"2024-07-17T17:37:46Z\",\"access_key_1_last_used_region\":\"N/A\",\"password_enabled\":\"true\",\"access_key_1_last_used_date\":\"N/A\",\"access_key_1_last_used_service\":\"N/A\",\"mfa_active\":\"true\",\"access_key_2_last_used_date\":\"N/A\",\"user_creation_time\":\"2017-09-27T19:51:41Z\",\"cert_2_active\":\"false\",\"cert_1_active\":\"false\",\"cert_1_last_rotated\":\"N/A\",\"access_key_2_last_used_service\":\"N/A\",\"access_key_2_active\":\"false\",\"access_key_1_active\":\"false\",\"password_next_rotation\":\"2024-10-15T17:38:45Z\",\"access_key_2_last_rotated\":\"N/A\",\"arn\":\"userArn\",\"access_key_1_last_rotated\":\"N/A\",\"access_key_2_last_used_region\":\"N/A\",\"user\":\"user\",\"password_last_changed\":\"2024-07-17T17:38:45Z\",\"cert_2_last_rotated\":\"N/A\"}" }, { "expectedResult": { "status": "INAPPLICABLE", "conditionIndex": "199", "conditionText": "extract('CA10__userName__c') != 'root'", "runtimeError": null }, "context": { "snapshotTime": "2024-06-19T07:55:48Z" }, "Id": "a02", "CA10__disappearanceTime__c": null, "CA10__credReportAttributesJson__c": "{\"password_last_used\":\"2024-07-17T17:37:46Z\",\"access_key_1_last_used_region\":\"N/A\",\"password_enabled\":\"true\",\"access_key_1_last_used_date\":\"N/A\",\"access_key_1_last_used_service\":\"N/A\",\"mfa_active\":\"true\",\"access_key_2_last_used_date\":\"N/A\",\"user_creation_time\":\"2017-09-27T19:51:41Z\",\"cert_2_active\":\"false\",\"cert_1_active\":\"false\",\"cert_1_last_rotated\":\"N/A\",\"access_key_2_last_used_service\":\"N/A\",\"access_key_2_active\":\"false\",\"access_key_1_active\":\"false\",\"password_next_rotation\":\"2024-10-15T17:38:45Z\",\"access_key_2_last_rotated\":\"N/A\",\"arn\":\"userArn\",\"access_key_1_last_rotated\":\"N/A\",\"access_key_2_last_used_region\":\"N/A\",\"user\":\"user\",\"password_last_changed\":\"2024-07-17T17:38:45Z\",\"cert_2_last_rotated\":\"N/A\"}", "CA10__userName__c": "userName" }, { "expectedResult": { "status": "INCOMPLIANT", "conditionIndex": "299", "conditionText": "extract('CA10__credReportCert1Active__c') == true || extract('CA10__credReportCert2Active__c') == true", "runtimeError": null }, "context": { "snapshotTime": "2024-06-19T07:55:48Z" }, "Id": "a03I", "CA10__disappearanceTime__c": null, "CA10__credReportAttributesJson__c": "{\"password_last_used\":\"2024-07-17T17:37:46Z\",\"access_key_1_last_used_region\":\"N/A\",\"password_enabled\":\"true\",\"access_key_1_last_used_date\":\"N/A\",\"access_key_1_last_used_service\":\"N/A\",\"mfa_active\":\"true\",\"access_key_2_last_used_date\":\"N/A\",\"user_creation_time\":\"2017-09-27T19:51:41Z\",\"cert_2_active\":\"false\",\"cert_1_active\":\"true\",\"cert_1_last_rotated\":\"N/A\",\"access_key_2_last_used_service\":\"N/A\",\"access_key_2_active\":\"true\",\"access_key_1_active\":\"false\",\"password_next_rotation\":\"2024-10-15T17:38:45Z\",\"access_key_2_last_rotated\":\"N/A\",\"arn\":\"userArn\",\"access_key_1_last_rotated\":\"N/A\",\"access_key_2_last_used_region\":\"N/A\",\"user\":\"\",\"password_last_changed\":\"2024-07-17T17:38:45Z\",\"cert_2_last_rotated\":\"N/A\"}", "CA10__userName__c": "root" }, { "expectedResult": { "status": "COMPLIANT", "conditionIndex": "300", "conditionText": "otherwise", "runtimeError": null }, "context": { "snapshotTime": "2024-06-19T07:55:48Z" }, "Id": "a03", "CA10__disappearanceTime__c": null, "CA10__credReportAttributesJson__c": "{\"password_last_used\":\"2024-07-17T17:37:46Z\",\"access_key_1_last_used_region\":\"N/A\",\"password_enabled\":\"true\",\"access_key_1_last_used_date\":\"N/A\",\"access_key_1_last_used_service\":\"N/A\",\"mfa_active\":\"true\",\"access_key_2_last_used_date\":\"N/A\",\"user_creation_time\":\"2017-09-27T19:51:41Z\",\"cert_2_active\":\"false\",\"cert_1_active\":\"false\",\"cert_1_last_rotated\":\"N/A\",\"access_key_2_last_used_service\":\"N/A\",\"access_key_2_active\":\"false\",\"access_key_1_active\":\"false\",\"password_next_rotation\":\"2024-10-15T17:38:45Z\",\"access_key_2_last_rotated\":\"N/A\",\"arn\":\"userArn\",\"access_key_1_last_rotated\":\"N/A\",\"access_key_2_last_used_region\":\"N/A\",\"user\":\"\",\"password_last_changed\":\"2024-07-17T17:38:45Z\",\"cert_2_last_rotated\":\"N/A\"}", "CA10__userName__c": "root" } ] - path: /types/CA10__CaAwsUser__c/credReport.extracts.yaml md5Hash: F6D383D933A0B64268B39ADE7012508C content: "\n# password_last_used: 2021-10-15T16:30:24+00:00\n# access_key_1_last_used_region:\ \ us-east-1\n# password_enabled: not_supported\n# access_key_1_last_used_date:\ \ 2020-02-27T12:03:00+00:00\n# access_key_1_last_used_service: s3\n# mfa_active:\ \ false\n# access_key_2_last_used_date: N/A\n# user_creation_time: 2008-06-17T18:41:41+00:00\n\ # cert_2_active: false\n# cert_1_active: true\n# cert_1_last_rotated: 2011-04-27T13:23:57+00:00\n\ # access_key_2_last_used_service: N/A\n# access_key_2_active: false\n# access_key_1_active:\ \ false\n# password_next_rotation: not_supported\n# access_key_2_last_rotated:\ \ 2014-07-03T15:12:24+00:00\n# arn: arn:aws:iam::814021343637:root\n# access_key_1_last_rotated:\ \ 2011-04-27T13:20:07+00:00\n# access_key_2_last_used_region: N/A\n# user: \n\ # password_last_changed: not_supported\n# cert_2_last_rotated: N/A\n---\nextracts:\n\ \ - name: CA10__credReportAttributesJson__c\n value: \n JSON_FROM:\n\ \ arg:\n FIELD:\n path: CA10__credReportAttributesJson__c\n\ \ returnType: BYTES\n undeterminedIf:\n isEmpty:\ \ Credential report attributes are empty, this is either permission issue or\ \ the data haven't been populated yet\n undeterminedIf:\n isInvalid:\ \ \"Cred report attributes JSON is invalid\"\n - name: CA10__credReportAccessKey1Active__c\n\ \ value:\n BOOLEAN_FROM:\n arg:\n JSON_QUERY_TEXT:\n\ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n\ \ expression: \"to_string(access_key_1_active)\"\n undeterminedIf:\n\ \ evaluationError: \"The JSON query has failed.\"\n \ \ resultTypeMismatch: \"The JSON query did not return text type.\"\n \ \ undeterminedIf:\n isEmpty: Value of 'access_key_1_active' is empty,\ \ unexpected data\n - name: CA10__credReportAccessKey2Active__c\n value:\n\ \ BOOLEAN_FROM:\n arg:\n JSON_QUERY_TEXT:\n \ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n \ \ expression: \"to_string(access_key_2_active)\"\n undeterminedIf:\n\ \ evaluationError: \"The JSON query has failed.\"\n \ \ resultTypeMismatch: \"The JSON query did not return text type.\"\n \ \ undeterminedIf:\n isEmpty: Value of 'access_key_1_active' is empty,\ \ unexpected data\n - name: CA10__credReportPasswordLastUsed__c\n value:\n\ \ DATE_TIME_FROM:\n arg:\n JSON_QUERY_TEXT:\n \ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n \ \ expression: \"to_string(password_last_used)\"\n undeterminedIf:\n\ \ evaluationError: \"The JSON query has failed.\"\n \ \ resultTypeMismatch: \"The JSON query did not return text type.\"\n \ \ nullValues:\n - \"no_information\"\n - \"N/A\"\n \ \ format: ISO_8601\n undeterminedIf:\n # value CAN be empty,\ \ for example when password was never used.\n #isEmpty: Value of 'password_last_used'\ \ is empty, unexpected data\n invalidFormat: Value of 'password_last_used'\ \ does not match ISO-8601 format\n - name: CA10__credReportAccessKey1LastUsed__c\n\ \ value:\n DATE_TIME_FROM:\n arg:\n JSON_QUERY_TEXT:\n\ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n\ \ expression: \"to_string(access_key_1_last_used_date)\"\n \ \ undeterminedIf:\n evaluationError: \"The JSON query has\ \ failed.\"\n resultTypeMismatch: \"The JSON query did not return\ \ text type.\"\n nullValues:\n - \"N/A\"\n format: ISO_8601\n\ \ undeterminedIf:\n # value CAN be empty, for example when password\ \ was never used.\n #isEmpty: Value of 'access_key_1_last_used_date'\ \ is empty, unexpected data\n invalidFormat: Value of 'access_key_1_last_used_date'\ \ does not match ISO-8601 format\n - name: CA10__credReportAccessKey2LastUsed__c\n\ \ value:\n DATE_TIME_FROM:\n arg:\n JSON_QUERY_TEXT:\n\ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n\ \ expression: \"to_string(access_key_2_last_used_date)\"\n \ \ undeterminedIf:\n evaluationError: \"The JSON query has\ \ failed.\"\n resultTypeMismatch: \"The JSON query did not return\ \ text type.\"\n nullValues:\n - \"N/A\"\n format: ISO_8601\n\ \ undeterminedIf:\n # value CAN be empty, for example when password\ \ was never used.\n #isEmpty: Value of 'access_key_2_last_used_date'\ \ is empty, unexpected data\n invalidFormat: Value of 'access_key_2_last_used_date'\ \ does not match ISO-8601 format\n - name: CA10__credReportMfaActive__c\n \ \ value:\n BOOLEAN_FROM:\n arg:\n JSON_QUERY_TEXT:\n\ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n\ \ expression: \"to_string(mfa_active)\"\n undeterminedIf:\n\ \ evaluationError: \"The JSON query has failed.\"\n \ \ resultTypeMismatch: \"The JSON query did not return text type.\"\n \ \ undeterminedIf:\n isEmpty: Credential report 'mfa_active' key is\ \ empty, unexpected data\n - name: CA10__credReportPasswordEnabled__c\n \ \ value:\n BOOLEAN_FROM:\n arg:\n JSON_QUERY_TEXT:\n \ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n\ \ expression: \"to_string(password_enabled)\"\n undeterminedIf:\n\ \ evaluationError: \"The JSON query has failed.\"\n \ \ resultTypeMismatch: \"The JSON query did not return text type.\"\n \ \ undeterminedIf:\n isEmpty: Value of 'password_enabled' is empty,\ \ unexpected data\n - name: CA10__credReportPasswordLastChanged__c\n value:\n\ \ DATE_TIME_FROM:\n arg:\n JSON_QUERY_TEXT:\n \ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n \ \ expression: \"to_string(password_last_changed)\"\n undeterminedIf:\n\ \ evaluationError: \"The JSON query has failed.\"\n \ \ resultTypeMismatch: \"The JSON query did not return text type.\"\n \ \ nullValues:\n - \"N/A\"\n format: ISO_8601\n undeterminedIf:\n\ \ # value CAN be empty, for example when password was never changed.\n\ \ #isEmpty: Value of 'password_last_changed' is empty, unexpected data\n\ \ invalidFormat: Value of 'password_last_changed' does not match ISO-8601\ \ format\n - name: CA10__credReportAccessKey1LastRotated__c\n value:\n \ \ DATE_TIME_FROM:\n arg:\n JSON_QUERY_TEXT:\n \ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n \ \ expression: \"to_string(access_key_1_last_rotated)\"\n undeterminedIf:\n\ \ evaluationError: \"The JSON query has failed.\"\n \ \ resultTypeMismatch: \"The JSON query did not return text type.\"\n \ \ nullValues:\n - \"N/A\"\n format: ISO_8601\n undeterminedIf:\n\ \ # value CAN be empty, for example when key was never changed.\n \ \ #isEmpty: Value of 'access_key_1_last_rotated' is empty, unexpected\ \ data\n invalidFormat: Value of 'access_key_1_last_rotated' does not\ \ match ISO-8601 format\n - name: CA10__credReportAccessKey2LastRotated__c\n\ \ value:\n DATE_TIME_FROM:\n arg:\n JSON_QUERY_TEXT:\n\ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n\ \ expression: \"to_string(access_key_2_last_rotated)\"\n \ \ undeterminedIf:\n evaluationError: \"The JSON query has failed.\"\ \n resultTypeMismatch: \"The JSON query did not return text type.\"\ \n nullValues:\n - \"N/A\"\n format: ISO_8601\n \ \ undeterminedIf:\n # value CAN be empty, for example when key\ \ was never changed.\n #isEmpty: Value of 'access_key_2_last_rotated'\ \ is empty, unexpected data\n invalidFormat: Value of 'access_key_2_last_rotated'\ \ does not match ISO-8601 format\n - name: CA10__credReportCert1Active__c\n\ \ value:\n BOOLEAN_FROM:\n arg:\n JSON_QUERY_TEXT:\n\ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n\ \ expression: \"to_string(cert_1_active)\"\n undeterminedIf:\n\ \ evaluationError: \"The JSON query has failed.\"\n \ \ resultTypeMismatch: \"The JSON query did not return text type.\"\n \ \ undeterminedIf:\n isEmpty: Value of 'cert_1_active' is empty, unexpected\ \ data\n - name: CA10__credReportCert2Active__c\n value:\n BOOLEAN_FROM:\n\ \ arg:\n JSON_QUERY_TEXT:\n arg:\n EXTRACT:\ \ CA10__credReportAttributesJson__c\n expression: \"to_string(cert_2_active)\"\ \n undeterminedIf:\n evaluationError: \"The JSON query\ \ has failed.\"\n resultTypeMismatch: \"The JSON query did not\ \ return text type.\"\n undeterminedIf:\n isEmpty: Value of\ \ 'cert_1_active' is empty, unexpected data" - path: /types/CA10__CaAwsUser__c/object.extracts.yaml md5Hash: 131CCD980BE5290B2C296CE093A686DC content: "---\nextracts:\n - name: CA10__mfaDeviceType__c\n # Acceptable values\ \ are: null, \"Hardware\", \"Virtual\"\n value:\n FIELD: \n path:\ \ CA10__mfaDeviceType__c\n undeterminedIf:\n noAccessDelegate:\n\ \ path: CA10__virtualMfaState__c\n currentStateMessage:\ \ Possible access issue with iam:GetAccountSummary, iam:ListVirtualMFADevices\ \ or iam:ListMFADevices\n# Not Nullable. Can't have no access, retrieved via\ \ iam:ListUsers\n - name: \"CA10__userName__c\"\n value:\n FIELD:\n\ \ path: \"CA10__userName__c\"\n - name: \"CA10__accessKeysCount__c\"\ \n value:\n FIELD:\n path: \"CA10__accessKeysCount__c\"\n# Not\ \ nullable\n - name: \"CA10__createDate__c\"\n value:\n FIELD:\n \ \ path: \"CA10__createDate__c\"\n" script: |- CREATE TEMP FUNCTION mock_ExpectedResult() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "Id" : "a01", "expectedResult" : { "status" : "DISAPPEARED", "conditionIndex" : "99", "conditionText" : "isDisappeared(CA10__disappearanceTime__c)", "runtimeError" : null } }, { "Id" : "a02", "expectedResult" : { "status" : "INAPPLICABLE", "conditionIndex" : "199", "conditionText" : "extract('CA10__userName__c') != 'root'", "runtimeError" : null } }, { "Id" : "a03I", "expectedResult" : { "status" : "INCOMPLIANT", "conditionIndex" : "299", "conditionText" : "extract('CA10__credReportCert1Active__c') == true || extract('CA10__credReportCert2Active__c') == true", "runtimeError" : null } }, { "Id" : "a03", "expectedResult" : { "status" : "COMPLIANT", "conditionIndex" : "300", "conditionText" : "otherwise", "runtimeError" : null } } ]; """; CREATE TEMP FUNCTION mock_CA10__CaAwsUser__c() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "context" : { "snapshotTime" : new Date("2024-06-19T07:55:48Z") }, "CA10__disappearanceTime__c" : new Date("2024-05-20T12:40:12Z"), "CA10__userName__c" : null, "CA10__credReportAttributesJson__c" : "{\"password_last_used\":\"2024-07-17T17:37:46Z\",\"access_key_1_last_used_region\":\"N/A\",\"password_enabled\":\"true\",\"access_key_1_last_used_date\":\"N/A\",\"access_key_1_last_used_service\":\"N/A\",\"mfa_active\":\"true\",\"access_key_2_last_used_date\":\"N/A\",\"user_creation_time\":\"2017-09-27T19:51:41Z\",\"cert_2_active\":\"false\",\"cert_1_active\":\"false\",\"cert_1_last_rotated\":\"N/A\",\"access_key_2_last_used_service\":\"N/A\",\"access_key_2_active\":\"false\",\"access_key_1_active\":\"false\",\"password_next_rotation\":\"2024-10-15T17:38:45Z\",\"access_key_2_last_rotated\":\"N/A\",\"arn\":\"userArn\",\"access_key_1_last_rotated\":\"N/A\",\"access_key_2_last_used_region\":\"N/A\",\"user\":\"user\",\"password_last_changed\":\"2024-07-17T17:38:45Z\",\"cert_2_last_rotated\":\"N/A\"}", "Id" : "a01" }, { "context" : { "snapshotTime" : new Date("2024-06-19T07:55:48Z") }, "CA10__userName__c" : "userName", "CA10__credReportAttributesJson__c" : "{\"password_last_used\":\"2024-07-17T17:37:46Z\",\"access_key_1_last_used_region\":\"N/A\",\"password_enabled\":\"true\",\"access_key_1_last_used_date\":\"N/A\",\"access_key_1_last_used_service\":\"N/A\",\"mfa_active\":\"true\",\"access_key_2_last_used_date\":\"N/A\",\"user_creation_time\":\"2017-09-27T19:51:41Z\",\"cert_2_active\":\"false\",\"cert_1_active\":\"false\",\"cert_1_last_rotated\":\"N/A\",\"access_key_2_last_used_service\":\"N/A\",\"access_key_2_active\":\"false\",\"access_key_1_active\":\"false\",\"password_next_rotation\":\"2024-10-15T17:38:45Z\",\"access_key_2_last_rotated\":\"N/A\",\"arn\":\"userArn\",\"access_key_1_last_rotated\":\"N/A\",\"access_key_2_last_used_region\":\"N/A\",\"user\":\"user\",\"password_last_changed\":\"2024-07-17T17:38:45Z\",\"cert_2_last_rotated\":\"N/A\"}", "Id" : "a02" }, { "context" : { "snapshotTime" : new Date("2024-06-19T07:55:48Z") }, "CA10__userName__c" : "root", "CA10__credReportAttributesJson__c" : "{\"password_last_used\":\"2024-07-17T17:37:46Z\",\"access_key_1_last_used_region\":\"N/A\",\"password_enabled\":\"true\",\"access_key_1_last_used_date\":\"N/A\",\"access_key_1_last_used_service\":\"N/A\",\"mfa_active\":\"true\",\"access_key_2_last_used_date\":\"N/A\",\"user_creation_time\":\"2017-09-27T19:51:41Z\",\"cert_2_active\":\"false\",\"cert_1_active\":\"true\",\"cert_1_last_rotated\":\"N/A\",\"access_key_2_last_used_service\":\"N/A\",\"access_key_2_active\":\"true\",\"access_key_1_active\":\"false\",\"password_next_rotation\":\"2024-10-15T17:38:45Z\",\"access_key_2_last_rotated\":\"N/A\",\"arn\":\"userArn\",\"access_key_1_last_rotated\":\"N/A\",\"access_key_2_last_used_region\":\"N/A\",\"user\":\"\",\"password_last_changed\":\"2024-07-17T17:38:45Z\",\"cert_2_last_rotated\":\"N/A\"}", "Id" : "a03I" }, { "context" : { "snapshotTime" : new Date("2024-06-19T07:55:48Z") }, "CA10__userName__c" : "root", "CA10__credReportAttributesJson__c" : "{\"password_last_used\":\"2024-07-17T17:37:46Z\",\"access_key_1_last_used_region\":\"N/A\",\"password_enabled\":\"true\",\"access_key_1_last_used_date\":\"N/A\",\"access_key_1_last_used_service\":\"N/A\",\"mfa_active\":\"true\",\"access_key_2_last_used_date\":\"N/A\",\"user_creation_time\":\"2017-09-27T19:51:41Z\",\"cert_2_active\":\"false\",\"cert_1_active\":\"false\",\"cert_1_last_rotated\":\"N/A\",\"access_key_2_last_used_service\":\"N/A\",\"access_key_2_active\":\"false\",\"access_key_1_active\":\"false\",\"password_next_rotation\":\"2024-10-15T17:38:45Z\",\"access_key_2_last_rotated\":\"N/A\",\"arn\":\"userArn\",\"access_key_1_last_rotated\":\"N/A\",\"access_key_2_last_used_region\":\"N/A\",\"user\":\"\",\"password_last_changed\":\"2024-07-17T17:38:45Z\",\"cert_2_last_rotated\":\"N/A\"}", "Id" : "a03" } ]; """; CREATE TEMP FUNCTION process_CA10__CaAwsUser__c( obj STRUCT< CA10__disappearanceTime__c TIMESTAMP, CA10__userName__c STRING, CA10__credReportAttributesJson__c STRING, Id STRING >, snapshotTime TIMESTAMP ) RETURNS STRUCT DETERMINISTIC LANGUAGE js OPTIONS (library=['gs://compliance-platform-public/jmespath.min.js']) AS r""" var BytesLib = new function () { this.normalize = function(arg) { return arg == null ? '' : arg; }; this.isEmpty = function(arg) { return this.normalize(arg) == ''; }; this.isNotEmpty = function(arg) { return this.normalize(arg) != ''; }; this.equal = function(left, right) { return this.normalize(left) == this.normalize(right); }; this.notEqual = function(left, right) { return this.normalize(left) != this.normalize(right); }; this.startsWith = function(arg, substring) { return this.normalize(arg).startsWith(this.normalize(substring)); }; this.endsWith = function(arg, substring) { return this.normalize(arg).endsWith(this.normalize(substring)); }; this.contains = function(arg, substring) { return this.normalize(arg).includes(this.normalize(substring)); }; this.containsAll = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.every(sub => normalizedArg.includes(this.normalize(sub))); }; this.containsAny = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.some(sub => normalizedArg.includes(this.normalize(sub))); }; }(); var TextLib = new function () { this.normalize = function(arg) { return arg == null ? '' : arg.replace(/\s+/g, ' ').trim().toLowerCase(); }; this.isEmpty = function(arg) { return this.normalize(arg) == ''; }; this.isNotEmpty = function(arg) { return this.normalize(arg) != ''; }; this.equal = function(left, right) { return this.normalize(left) == this.normalize(right); }; this.notEqual = function(left, right) { return this.normalize(left) != this.normalize(right); }; this.startsWith = function(arg, substring) { return this.normalize(arg).startsWith(this.normalize(substring)); }; this.endsWith = function(arg, substring) { return this.normalize(arg).endsWith(this.normalize(substring)); }; this.contains = function(arg, substring) { return this.normalize(arg).includes(this.normalize(substring)); }; this.containsAll = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.every(sub => normalizedArg.includes(this.normalize(sub))); }; this.containsAny = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.some(sub => normalizedArg.includes(this.normalize(sub))); }; }(); var references1 = []; // condition[0], conditionIndex:[0..99] references1.push('Deleted From AWS [CA10__disappearanceTime__c]: ' + obj.CA10__disappearanceTime__c); if (obj.CA10__disappearanceTime__c != null) { return {status: 'DISAPPEARED', conditionIndex: 99, conditionText: "isDisappeared(CA10__disappearanceTime__c)", currentStateMessage: "Object is deleted in the source", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } // condition[1], conditionIndex:[100..199] function extract3() { if (!this.out) { this.out = obj.CA10__userName__c; } return this.out; }; references1.push('User Name [obj.CA10__userName__c]: ' + obj.CA10__userName__c); if (TextLib.notEqual(extract3.call(extract3), 'root')) { return {status: 'INAPPLICABLE', conditionIndex: 199, conditionText: "extract('CA10__userName__c') != 'root'", currentStateMessage: "This policy applies only to the root user.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } // condition[2], conditionIndex:[200..299] function boolChecked7() { var boolFrom13 = jsonQueryChecked8(); if (TextLib.isEmpty(boolFrom13)) { throw new Error("UNDETERMINED condition:205", {cause: {status: 'UNDETERMINED', conditionIndex: 205, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(cert_1_active)').isEmpty()", currentStateMessage: "Value of 'cert_1_active' is empty, unexpected data", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return TextLib.equal('true', boolFrom13); } function jsonQueryChecked8() { var input = extract10.call(extract10); var out; try { out = jmespath.search(input, 'to_string(cert_1_active)'); if (out != null && typeof out != 'string') { throw new Error("UNDETERMINED condition:203", {cause: {status: 'UNDETERMINED', conditionIndex: 203, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(cert_1_active)').isResultTypeMismatch()", currentStateMessage: "The JSON query did not return text type.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } } catch (e) { throw new Error("UNDETERMINED condition:204", {cause: {status: 'UNDETERMINED', conditionIndex: 204, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(cert_1_active)').isEvaluationFailed()", currentStateMessage: "The JSON query has failed.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}}); } return out; } function jsonChecked11() { var input = fieldChecked12(); input = TextLib.isEmpty(input) ? null : input; var out; try { out = JSON.parse(input); } catch (e) { throw new Error("UNDETERMINED condition:202", {cause: {status: 'UNDETERMINED', conditionIndex: 202, conditionText: "CA10__credReportAttributesJson__c.asJson().isInvalid()", currentStateMessage: "Cred report attributes JSON is invalid", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}}); } return out; } function fieldChecked12() { if (BytesLib.isEmpty(obj.CA10__credReportAttributesJson__c)) { throw new Error("UNDETERMINED condition:201", {cause: {status: 'UNDETERMINED', conditionIndex: 201, conditionText: "CA10__credReportAttributesJson__c.isEmpty()", currentStateMessage: "Credential report attributes are empty, this is either permission issue or the data haven't been populated yet", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return obj.CA10__credReportAttributesJson__c; } function extract10() { if (!this.out) { this.out = jsonChecked11(); } return this.out; }; function extract6() { if (!this.out) { this.out = boolChecked7(); } return this.out; }; function boolChecked16() { var boolFrom19 = jsonQueryChecked17(); if (TextLib.isEmpty(boolFrom19)) { throw new Error("UNDETERMINED condition:208", {cause: {status: 'UNDETERMINED', conditionIndex: 208, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(cert_2_active)').isEmpty()", currentStateMessage: "Value of 'cert_1_active' is empty, unexpected data", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return TextLib.equal('true', boolFrom19); } function jsonQueryChecked17() { var input = extract10.call(extract10); var out; try { out = jmespath.search(input, 'to_string(cert_2_active)'); if (out != null && typeof out != 'string') { throw new Error("UNDETERMINED condition:206", {cause: {status: 'UNDETERMINED', conditionIndex: 206, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(cert_2_active)').isResultTypeMismatch()", currentStateMessage: "The JSON query did not return text type.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } } catch (e) { throw new Error("UNDETERMINED condition:207", {cause: {status: 'UNDETERMINED', conditionIndex: 207, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(cert_2_active)').isEvaluationFailed()", currentStateMessage: "The JSON query has failed.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}}); } return out; } function extract15() { if (!this.out) { this.out = boolChecked16(); } return this.out; }; references1.push('Cred Report: Attributes JSON [obj.CA10__credReportAttributesJson__c]: ' + obj.CA10__credReportAttributesJson__c); try { if (extract6.call(extract6) == true || extract15.call(extract15) == true) { return {status: 'INCOMPLIANT', conditionIndex: 299, conditionText: "extract('CA10__credReportCert1Active__c') == true || extract('CA10__credReportCert2Active__c') == true", currentStateMessage: "The root user has one or more active signing certificates.", currentStateReferences: references1.join('\n'), remediation: "Delete all active signing certificates for the root user.", runtimeError: null}; } } catch (err) { if (err.cause && err.cause.status) { return err.cause; } else { throw err; } } return {status: 'COMPLIANT', conditionIndex: 300, conditionText: "otherwise", currentStateMessage: "The root user does not have any active signing certificates.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; """; SELECT expectedResult.Id as Id, IF ( IFNULL(expectedResult.expectedResult.status, '') = IFNULL(sObject.result.status, '') AND IFNULL(expectedResult.expectedResult.conditionIndex, -1) = IFNULL(sObject.result.conditionIndex, -1) AND IFNULL(expectedResult.expectedResult.conditionText, '') = IFNULL(sObject.result.conditionText, '') AND IFNULL(expectedResult.expectedResult.runtimeError, '') = IFNULL(sObject.result.runtimeError, ''), "MATCH", "FAIL" ) as match, expectedResult.expectedResult.status as expectedStatus, sObject.result.status as actualStatus, expectedResult.expectedResult.conditionIndex as expectedConditionIndex, sObject.result.conditionIndex as actualConditionIndex, expectedResult.expectedResult.conditionText as expectedConditionText, sObject.result.conditionText as actualConditionText, expectedResult.expectedResult.runtimeError as expectedRuntimeError, sObject.result.runtimeError as actualRuntimeError FROM UNNEST(mock_ExpectedResult()) expectedResult LEFT JOIN ( SELECT sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.CA10__userName__c AS CA10__userName__c, sObject.CA10__credReportAttributesJson__c AS CA10__credReportAttributesJson__c, sObject.Id AS Id, process_CA10__CaAwsUser__c( STRUCT( sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.CA10__userName__c AS CA10__userName__c, sObject.CA10__credReportAttributesJson__c AS CA10__credReportAttributesJson__c, sObject.Id AS Id ), sObject.context.snapshotTime ) as result FROM UNNEST(mock_CA10__CaAwsUser__c()) AS sObject ) sObject ON sObject.Id = expectedResult.Id;