package iam
import (
	"errors"

	"github.com/aquasecurity/trivy-aws/internal/adapters/cloud/aws"
	"github.com/aquasecurity/trivy/pkg/iac/providers/aws/iam"
	"github.com/aquasecurity/trivy/pkg/iac/state"
	"github.com/aquasecurity/trivy/pkg/iac/types"
	"github.com/aquasecurity/trivy/pkg/log"
	iamapi "github.com/aws/aws-sdk-go-v2/service/iam"
)
// adapter adapts AWS IAM resources into the trivy IaC state. It is registered
// with the cloud adapter registry from init() and is bound to a concrete scan
// by Adapt, which fills in the embedded RootAdapter and the IAM client.
type adapter struct {
	*aws.RootAdapter
	// api is the IAM client built from the root adapter's session config in Adapt.
	api *iamapi.Client
}
// init registers a zero-value IAM adapter with the cloud adapter registry.
// The adapter is not usable until Adapt has been called on it with a root
// adapter; registration only makes the "aws"/"iam" service discoverable.
func init() {
	var iamAdapter adapter
	aws.RegisterServiceAdapter(&iamAdapter)
}
// Provider reports the cloud provider this adapter handles; it is always "aws".
func (a *adapter) Provider() string {
	const providerName = "aws"
	return providerName
}
// Name reports the service this adapter handles within the provider; it is
// always "iam".
func (a *adapter) Name() string {
	const serviceName = "iam"
	return serviceName
}
// Adapt binds this adapter to the root adapter of the current scan, builds an
// IAM client from its session config and populates state.AWS.IAM step by step:
// password policy, policies, roles, users, groups, server certificates.
//
// The steps run strictly in that order and the first non-nil error stops the
// remaining ones; groups are adapted only after users because the group
// adaptation depends on the users already being present. Note that each step
// decides for itself which API failures are fatal — adaptPasswordPolicy, for
// instance, logs and swallows its own API error — so a nil return here does
// not guarantee that every IAM call succeeded.
func (a *adapter) Adapt(root *aws.RootAdapter, state *state.State) error {
	a.RootAdapter = root
	a.api = iamapi.NewFromConfig(root.SessionConfig())

	err := a.adaptPasswordPolicy(state)
	if err == nil {
		err = a.adaptPolicies(state)
	}
	if err == nil {
		err = a.adaptRoles(state)
	}
	if err == nil {
		err = a.adaptUsers(state)
	}
	if err == nil {
		// Must follow adaptUsers: group adaptation depends on the users.
		err = a.adaptGroups(state)
	}
	if err == nil {
		err = a.adaptServerCertificates(state)
	}
	return err
}
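// adaptPasswordPolicy reads the account password policy and records it in
// state.AWS.IAM.PasswordPolicy.
//
// Outcomes:
//   - the call succeeds: the reuse-prevention count, max age, minimum length
//     and the four character-class requirements are copied; optional numeric
//     fields AWS leaves nil are recorded as 0;
//   - AWS answers NoSuchEntity: the account has no password policy at all. An
//     all-zero policy is recorded under managed metadata so the absence is
//     something downstream checks can evaluate. Leaving the state untouched
//     here (the previous behaviour) made "no policy configured" look exactly
//     like "not scanned", and nothing was reported for it;
//   - any other failure (auth, throttling, network, or a success response with
//     no policy object): the error is logged and swallowed — nil is returned
//     so one failing call does not abort the whole IAM adaptation — and the
//     state is left untouched. Be aware that an AccessDenied on this call
//     therefore silently omits the password policy from the results.
func (a *adapter) adaptPasswordPolicy(state *state.State) error {
	a.Tracker().SetServiceLabel("Checking password policy...")
	output, err := a.api.GetAccountPasswordPolicy(a.Context(), &iamapi.GetAccountPasswordPolicyInput{})
	if err != nil && !isMissingPasswordPolicy(err) {
		a.Logger().Error("Failed to adapt account password policy", log.Err(err))
		return nil
	}

	// The zero values describe an account with no policy configured; they are
	// only overwritten when AWS actually returned a policy object.
	var (
		reusePrevention, maxAge, minimumLength                 int
		requireLower, requireUpper, requireNumbers, requireSymbols bool
	)
	switch {
	case err != nil:
		// NoSuchEntity: fall through with the all-zero policy.
		a.Logger().Warn("No account password policy is configured", log.Err(err))
	case output == nil || output.PasswordPolicy == nil:
		// The SDK documents PasswordPolicy as required on success; guard
		// anyway rather than dereference a nil pointer below.
		a.Logger().Error("Account password policy response carried no policy")
		return nil
	default:
		policy := output.PasswordPolicy
		reusePrevention = int32OrZero(policy.PasswordReusePrevention)
		maxAge = int32OrZero(policy.MaxPasswordAge)
		minimumLength = int32OrZero(policy.MinimumPasswordLength)
		requireLower = policy.RequireLowercaseCharacters
		requireUpper = policy.RequireUppercaseCharacters
		requireNumbers = policy.RequireNumbers
		requireSymbols = policy.RequireSymbols
	}

	a.Tracker().SetTotalResources(1)
	metadata := a.CreateMetadata("passwordpolicy")
	state.AWS.IAM.PasswordPolicy = iam.PasswordPolicy{
		Metadata:             metadata,
		ReusePreventionCount: types.Int(reusePrevention, metadata),
		RequireLowercase:     types.Bool(requireLower, metadata),
		RequireUppercase:     types.Bool(requireUpper, metadata),
		RequireNumbers:       types.Bool(requireNumbers, metadata),
		RequireSymbols:       types.Bool(requireSymbols, metadata),
		MaxAgeDays:           types.Int(maxAge, metadata),
		MinimumLength:        types.Int(minimumLength, metadata),
	}
	return nil
}

// isMissingPasswordPolicy reports whether err is the IAM "NoSuchEntity" error
// that GetAccountPasswordPolicy returns when the account has no password
// policy configured. It matches on the service error code exposed by the SDK's
// error types rather than on a concrete type, so no extra SDK package is
// needed here. NOTE(review): "NoSuchEntity" is the documented IAM code for this
// condition — confirm against the SDK's types.NoSuchEntityException if it is
// ever changed.
func isMissingPasswordPolicy(err error) bool {
	var apiErr interface{ ErrorCode() string }
	return errors.As(err, &apiErr) && apiErr.ErrorCode() == "NoSuchEntity"
}

// int32OrZero converts an optional SDK int32 to int, treating nil as 0.
func int32OrZero(v *int32) int {
	if v == nil {
		return 0
	}
	return int(*v)
}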