Skip to main content

🧠 AWS Account Root User has active access keys - prod.logic.yaml 🟒

Flags​

Input Type​

TypeAPI NameExtractsExtract FilesLogic Files
πŸ”’πŸ“• AWS IAM UserCA10__CaAwsUser__c1328

Uses​

Test Results πŸŸ’β€‹

Generated at: 2025-04-24T23:44:50.973301869Z Open

ResultIdCondition IndexCondition TextRuntime Error
🟒a01βœ”οΈ 99βœ”οΈ isDisappeared(CA10__disappearanceTime__c)βœ”οΈ null
🟒a02βœ”οΈ 199βœ”οΈ extract('CA10__userName__c') != 'root'βœ”οΈ null
🟒a03Iβœ”οΈ 299βœ”οΈ extract('CA10__credReportAccessKey1Active__c') == true || extract('CA10__credReportAccessKey2Active__c') == trueβœ”οΈ null
🟒a03βœ”οΈ 300βœ”οΈ otherwiseβœ”οΈ null

Generation​

FileMD5
Open/ce/ca/aws/iam/delete-root-user-access-keys/policy.yamlBF6C5BE98D1D586E808EDBBE3B1AB9D3
Open/ce/ca/aws/iam/delete-root-user-access-keys/prod.logic.yaml0FCAB6E94F942B20EF932AECFDC139E3
Open/ce/ca/aws/iam/delete-root-user-access-keys/test-data.json28ACF37626AC89A1F2A44EBD680FA511
Open/types/CA10__CaAwsUser__c/object.extracts.yaml2D04C00E6C59E96198CA5A6E62D0A180
Open/types/CA10__CaAwsUser__c/credReport.extracts.yaml8152C61E7FBD5E63E054E986AF83B52F

Generate FULL script​

java -jar repo-manager.jar policies generate FULL /ce/ca/aws/iam/delete-root-user-access-keys/prod.logic.yaml

Generate DEBUG script​

java -jar repo-manager.jar policies generate DEBUG /ce/ca/aws/iam/delete-root-user-access-keys/prod.logic.yaml

Generate CAPTURE_TEST_DATA script​

java -jar repo-manager.jar policies generate CAPTURE_TEST_DATA /ce/ca/aws/iam/delete-root-user-access-keys/prod.logic.yaml

Generate TESTS script​

java -jar repo-manager.jar policies generate TESTS /ce/ca/aws/iam/delete-root-user-access-keys/prod.logic.yaml

Execute tests​

java -jar repo-manager.jar policies test /ce/ca/aws/iam/delete-root-user-access-keys/prod.logic.yaml

Content​

Open File

---
inputType: "CA10__CaAwsUser__c"
testData:
  - file: test-data.json
importExtracts:
  - file: /types/CA10__CaAwsUser__c/credReport.extracts.yaml
  - file: /types/CA10__CaAwsUser__c/object.extracts.yaml
conditions:
  - status: "INAPPLICABLE"
    currentStateMessage: "Requirements of this policy are applicable only to the root user"
    check:
      NOT_EQUAL:
        left:
          EXTRACT: CA10__userName__c
        right:
          TEXT: "root"
  - status: "INCOMPLIANT"
    currentStateMessage: "Either one or both access keys are active for the root user."
    remediationMessage: "Disable all active access keys for the root user."
    check:
      OR:
        args:
          - IS_EQUAL:
              left:
                EXTRACT: CA10__credReportAccessKey1Active__c
              right:
                BOOLEAN: true
          - IS_EQUAL:
              left:
                EXTRACT: CA10__credReportAccessKey2Active__c
              right:
                BOOLEAN: true
otherwise:
  status: "COMPLIANT"
  currentStateMessage: "The root user does not have any active access keys."