🧠 AWS IAM User with credentials unused for 45 days or more is not disabled - prod.logic.yaml 🟢

• Contextual name: 🧠 prod.logic.yaml 🟢
• ID: /ce/ca/aws/iam/disable-user-with-unused-credentials-45-days-and-more/prod.logic.yaml
• Located in: 📝 AWS IAM User with credentials unused for 45 days or more is not disabled 🟢

Flags

• 🟢 Logic test success
• 🟢 Logic with extracts
• 🟢 Logic with test data

Input Type

	Type	API Name	Extracts	Extract Files	Logic Files
🔒	📕 AWS IAM User	CA10__CaAwsUser__c	13	2	8

Uses

• 🔌 AWS IAM User - credReport.extracts.yaml
• 🧪 test-data.json

Test Results 🟢

Generated at: 2025-04-24T23:44:53.826507690Z Open

Result	Id	Condition Index	Condition Text	Runtime Error
🟢	a01	✔️ 199	✔️ extract('CA10__credReportPasswordEnabled__c') == false && extract('CA10__credReportAccessKey1Active__c') == false && extract('CA10__credReportAccessKey2Active__c') == false	✔️ null
🟢	a02	✔️ 299	✔️ extract('CA10__credReportPasswordEnabled__c') == true && extract('CA10__credReportPasswordLastUsed__c').isNotEmpty() && extract('CA10__credReportPasswordLastUsed__c').beyondLastDays(45)	✔️ null
🟢	a03	✔️ 499	✔️ extract('CA10__credReportAccessKey1Active__c') == true && extract('CA10__credReportAccessKey1LastUsed__c').isNotEmpty() && extract('CA10__credReportAccessKey1LastUsed__c').beyondLastDays(45)	✔️ null
🟢	a04	✔️ 699	✔️ extract('CA10__credReportAccessKey2Active__c') == true && extract('CA10__credReportAccessKey2LastUsed__c').isNotEmpty() && extract('CA10__credReportAccessKey2LastUsed__c').beyondLastDays(45)	✔️ null
🟢	a05	✔️ 800	✔️ otherwise	✔️ null

Generation

	File	MD5
Open	/ce/ca/aws/iam/disable-user-with-unused-credentials-45-days-and-more/policy.yaml	69CACB97F1B070462B064151FC1F738F
Open	/ce/ca/aws/iam/disable-user-with-unused-credentials-45-days-and-more/prod.logic.yaml	7BDD3AF74014CFD3333888C0026ECDC5
Open	/ce/ca/aws/iam/disable-user-with-unused-credentials-45-days-and-more/test-data.json	17D5E80C6F1E05BE85336BC1B63CD61A
Open	/types/CA10__CaAwsUser__c/credReport.extracts.yaml	8152C61E7FBD5E63E054E986AF83B52F

Generate FULL script

java -jar repo-manager.jar policies generate FULL /ce/ca/aws/iam/disable-user-with-unused-credentials-45-days-and-more/prod.logic.yaml

Generate DEBUG script

java -jar repo-manager.jar policies generate DEBUG /ce/ca/aws/iam/disable-user-with-unused-credentials-45-days-and-more/prod.logic.yaml

Generate CAPTURE_TEST_DATA script

java -jar repo-manager.jar policies generate CAPTURE_TEST_DATA /ce/ca/aws/iam/disable-user-with-unused-credentials-45-days-and-more/prod.logic.yaml

Generate TESTS script

java -jar repo-manager.jar policies generate TESTS /ce/ca/aws/iam/disable-user-with-unused-credentials-45-days-and-more/prod.logic.yaml

Execute tests

java -jar repo-manager.jar policies test /ce/ca/aws/iam/disable-user-with-unused-credentials-45-days-and-more/prod.logic.yaml

Content

Open File

---
inputType: "CA10__CaAwsUser__c"
testData:
  - file: test-data.json
importExtracts:
  - file: /types/CA10__CaAwsUser__c/credReport.extracts.yaml
conditions:
  - status: "INAPPLICABLE"
    currentStateMessage: "Requirements of this policy are applicable only to users with enabled console password or access keys."
    check:
      AND:
        args:
          - IS_EQUAL:
              left:
                EXTRACT: CA10__credReportPasswordEnabled__c
              right:
                BOOLEAN: false
          - IS_EQUAL:
              left:
                EXTRACT: CA10__credReportAccessKey1Active__c
              right:
                BOOLEAN: false
          - IS_EQUAL:
              left:
                EXTRACT: CA10__credReportAccessKey2Active__c
              right:
                BOOLEAN: false
  - status: "INCOMPLIANT"
    currentStateMessage: "Password hasn't been used for over 45 days."
    remediationMessage: "Consider disabling the Console Access for the user."
    check:
      AND:
        args:
          - IS_EQUAL:
              left:
                EXTRACT: CA10__credReportPasswordEnabled__c
              right:
                BOOLEAN: true
          - NOT_EMPTY:
              arg:
                EXTRACT: CA10__credReportPasswordLastUsed__c
          - IS_BEYOND_LAST_DAYS:
              offsetDays: 45
              arg:
                EXTRACT: CA10__credReportPasswordLastUsed__c
  - status: "INCOMPLIANT"
    currentStateMessage: "Password hasn't been changed over 45 days."
    remediationMessage: "Consider disabling the Console Access for the user."
    check:
      AND:
        args:
          - IS_EQUAL:
              left:
                EXTRACT: CA10__credReportPasswordEnabled__c
              right:
                BOOLEAN: true
          - IS_EMPTY:
              arg:
                EXTRACT: CA10__credReportPasswordLastUsed__c
          - NOT_EMPTY:
              arg: 
                EXTRACT: CA10__credReportPasswordLastChanged__c
          - IS_BEYOND_LAST_DAYS:
              offsetDays: 45
              arg:
                EXTRACT: CA10__credReportPasswordLastChanged__c
  - status: "INCOMPLIANT"
    currentStateMessage: "Access Key 1 hasn't been used for over 45 days."
    remediationMessage: "Consider deactivating the Access Key 1."
    check:
      AND:
        args:
          - IS_EQUAL:
              left:
                EXTRACT: CA10__credReportAccessKey1Active__c
              right:
                BOOLEAN: true
          - NOT_EMPTY:
              arg:
                EXTRACT: CA10__credReportAccessKey1LastUsed__c
          - IS_BEYOND_LAST_DAYS:
              offsetDays: 45
              arg:
                EXTRACT: CA10__credReportAccessKey1LastUsed__c
  - status: "INCOMPLIANT"
    currentStateMessage: "Access key 1 hasn't been rotated for over 45 days."
    remediationMessage: "Consider deleting the Access Key 1."
    check:
      AND:
        args:
          - IS_EQUAL:
              left:
                EXTRACT: CA10__credReportAccessKey1Active__c
              right:
                BOOLEAN: true
          - IS_EMPTY:
              arg:
                EXTRACT: CA10__credReportAccessKey1LastUsed__c
          - IS_BEYOND_LAST_DAYS:
              offsetDays: 45
              arg:
                EXTRACT: CA10__credReportAccessKey1LastRotated__c
  - status: "INCOMPLIANT"
    currentStateMessage: "Access Key 2 hasn't been used for over 45 days."
    remediationMessage: "Consider deactivating the Access Key 2."
    check:
      AND:
        args:
          - IS_EQUAL:
              left:
                EXTRACT: CA10__credReportAccessKey2Active__c
              right:
                BOOLEAN: true
          - NOT_EMPTY:
              arg:
                EXTRACT: CA10__credReportAccessKey2LastUsed__c
          - IS_BEYOND_LAST_DAYS:
              offsetDays: 45
              arg:
                EXTRACT: CA10__credReportAccessKey2LastUsed__c
  - status: "INCOMPLIANT"
    currentStateMessage: "Access key 2 hasn't been rotated for over 45 days."
    remediationMessage: "Consider deleting the Access Key 2."
    check:
      AND:
        args:
          - IS_EQUAL:
              left:
                EXTRACT: CA10__credReportAccessKey2Active__c
              right:
                BOOLEAN: true
          - IS_EMPTY:
              arg:
                EXTRACT: CA10__credReportAccessKey2LastUsed__c
          - IS_BEYOND_LAST_DAYS:
              offsetDays: 45
              arg:
                EXTRACT: CA10__credReportAccessKey2LastRotated__c
otherwise:
  status: "COMPLIANT"
  currentStateMessage: "All credentials unused for 45 days or longer were removed or deactivated"