๐ง AWS IAM User with credentials unused for 45 days or more is not disabled - prod.logic.yaml๐ข
- Contextual name: ๐ง prod.logic.yaml๐ข
- ID:
/ce/ca/aws/iam/disable-user-with-unused-credentials-45-days-and-more/prod.logic.yaml - Tags:
- ๐ข Logic test success
- ๐ข Logic with extracts
- ๐ข Logic with test data
Usesโ
- ๐ AWS IAM User
- ๐ AWS IAM User - credReport.extracts.yaml
- ๐งช test-data.json
Test Results ๐ขโ
Generated at: 2026-02-10T22:32:58.667659565Z Open
| Result | Id | Condition Index | Condition Text | Runtime Error |
|---|---|---|---|---|
| ๐ข | a01 | โ๏ธ 199 | โ๏ธ extract('CA10__credReportPasswordEnabled__c') == false && extract('CA10__credReportAccessKey1Active__c') == false && extract('CA10__credReportAccessKey2Active__c') == false | โ๏ธ null |
| ๐ข | a02 | โ๏ธ 299 | โ๏ธ extract('CA10__credReportPasswordEnabled__c') == true && extract('CA10__credReportPasswordLastUsed__c').isNotEmpty() && extract('CA10__credReportPasswordLastUsed__c').beyondLastDays(45) | โ๏ธ null |
| ๐ข | a03 | โ๏ธ 499 | โ๏ธ extract('CA10__credReportAccessKey1Active__c') == true && extract('CA10__credReportAccessKey1LastUsed__c').isNotEmpty() && extract('CA10__credReportAccessKey1LastUsed__c').beyondLastDays(45) | โ๏ธ null |
| ๐ข | a04 | โ๏ธ 699 | โ๏ธ extract('CA10__credReportAccessKey2Active__c') == true && extract('CA10__credReportAccessKey2LastUsed__c').isNotEmpty() && extract('CA10__credReportAccessKey2LastUsed__c').beyondLastDays(45) | โ๏ธ null |
| ๐ข | a05 | โ๏ธ 800 | โ๏ธ otherwise | โ๏ธ null |
Generation Bundleโ
| File | MD5 | |
|---|---|---|
| Open | /ce/ca/aws/iam/disable-user-with-unused-credentials-45-days-and-more/policy.yaml | 2008A10A45DB76F56E4423D9DB73803B |
| Open | /ce/ca/aws/iam/disable-user-with-unused-credentials-45-days-and-more/prod.logic.yaml | DD40FB5F8B767D069800107E72E772C4 |
| Open | /ce/ca/aws/iam/disable-user-with-unused-credentials-45-days-and-more/test-data.json | 17D5E80C6F1E05BE85336BC1B63CD61A |
| Open | /types/CA10__CaAwsUser__c/credReport.extracts.yaml | F6D383D933A0B64268B39ADE7012508C |
Available Commandsโ
repo-manager policies generate FULL /ce/ca/aws/iam/disable-user-with-unused-credentials-45-days-and-more/prod.logic.yaml
repo-manager policies generate DEBUG /ce/ca/aws/iam/disable-user-with-unused-credentials-45-days-and-more/prod.logic.yaml
repo-manager policies generate CAPTURE_TEST_DATA /ce/ca/aws/iam/disable-user-with-unused-credentials-45-days-and-more/prod.logic.yaml
repo-manager policies generate TESTS /ce/ca/aws/iam/disable-user-with-unused-credentials-45-days-and-more/prod.logic.yaml
# Execute tests
repo-manager policies test /ce/ca/aws/iam/disable-user-with-unused-credentials-45-days-and-more/prod.logic.yaml
Contentโ
---
inputType: "CA10__CaAwsUser__c"
testData:
- file: test-data.json
importExtracts:
- file: /types/CA10__CaAwsUser__c/credReport.extracts.yaml
conditions:
- status: "INAPPLICABLE"
currentStateMessage: "This policy applies only to users with an enabled console password or active access keys."
check:
AND:
args:
- IS_EQUAL:
left:
EXTRACT: CA10__credReportPasswordEnabled__c
right:
BOOLEAN: false
- IS_EQUAL:
left:
EXTRACT: CA10__credReportAccessKey1Active__c
right:
BOOLEAN: false
- IS_EQUAL:
left:
EXTRACT: CA10__credReportAccessKey2Active__c
right:
BOOLEAN: false
- status: "INCOMPLIANT"
currentStateMessage: "The password has not been used for over 45 days."
remediationMessage: "Disable console access for the user."
check:
AND:
args:
- IS_EQUAL:
left:
EXTRACT: CA10__credReportPasswordEnabled__c
right:
BOOLEAN: true
- NOT_EMPTY:
arg:
EXTRACT: CA10__credReportPasswordLastUsed__c
- IS_BEYOND_LAST_DAYS:
offsetDays: 45
arg:
EXTRACT: CA10__credReportPasswordLastUsed__c
- status: "INCOMPLIANT"
currentStateMessage: "The password has not been changed for over 45 days."
remediationMessage: "Disable console access for the user."
check:
AND:
args:
- IS_EQUAL:
left:
EXTRACT: CA10__credReportPasswordEnabled__c
right:
BOOLEAN: true
- IS_EMPTY:
arg:
EXTRACT: CA10__credReportPasswordLastUsed__c
- NOT_EMPTY:
arg:
EXTRACT: CA10__credReportPasswordLastChanged__c
- IS_BEYOND_LAST_DAYS:
offsetDays: 45
arg:
EXTRACT: CA10__credReportPasswordLastChanged__c
- status: "INCOMPLIANT"
currentStateMessage: "Access key 1 has not been used for over 45 days."
remediationMessage: "Deactivate access key 1."
check:
AND:
args:
- IS_EQUAL:
left:
EXTRACT: CA10__credReportAccessKey1Active__c
right:
BOOLEAN: true
- NOT_EMPTY:
arg:
EXTRACT: CA10__credReportAccessKey1LastUsed__c
- IS_BEYOND_LAST_DAYS:
offsetDays: 45
arg:
EXTRACT: CA10__credReportAccessKey1LastUsed__c
- status: "INCOMPLIANT"
currentStateMessage: "Access key 1 has not been rotated for over 45 days."
remediationMessage: "Delete access key 1."
check:
AND:
args:
- IS_EQUAL:
left:
EXTRACT: CA10__credReportAccessKey1Active__c
right:
BOOLEAN: true
- IS_EMPTY:
arg:
EXTRACT: CA10__credReportAccessKey1LastUsed__c
- IS_BEYOND_LAST_DAYS:
offsetDays: 45
arg:
EXTRACT: CA10__credReportAccessKey1LastRotated__c
- status: "INCOMPLIANT"
currentStateMessage: "Access key 2 has not been used for over 45 days."
remediationMessage: "Deactivate access key 2."
check:
AND:
args:
- IS_EQUAL:
left:
EXTRACT: CA10__credReportAccessKey2Active__c
right:
BOOLEAN: true
- NOT_EMPTY:
arg:
EXTRACT: CA10__credReportAccessKey2LastUsed__c
- IS_BEYOND_LAST_DAYS:
offsetDays: 45
arg:
EXTRACT: CA10__credReportAccessKey2LastUsed__c
- status: "INCOMPLIANT"
currentStateMessage: "Access key 2 has not been rotated for over 45 days."
remediationMessage: "Delete access key 2."
check:
AND:
args:
- IS_EQUAL:
left:
EXTRACT: CA10__credReportAccessKey2Active__c
right:
BOOLEAN: true
- IS_EMPTY:
arg:
EXTRACT: CA10__credReportAccessKey2LastUsed__c
- IS_BEYOND_LAST_DAYS:
offsetDays: 45
arg:
EXTRACT: CA10__credReportAccessKey2LastRotated__c
otherwise:
status: "COMPLIANT"
currentStateMessage: "All credentials unused for 45 days or longer have been removed or deactivated."