CIS 1.4 checking for access key last used date along with access key last rotated date
abhishekupadhyaya opened this issue · 0 comments
1.4 Ensure access keys are rotated every 90 days or less (Scored)
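def control_1_4_rotated_keys(credreport):
    """Evaluate CIS 1.4: ensure access keys are rotated every 90 days or less.

    ``credreport`` is iterated as a list of per-user dicts (the IAM
    credential report).  For each row both access-key slots are checked,
    and an *active* key becomes an offender when either

    * ``access_key_N_last_rotated`` is more than 90 days before ``now``
      (the rotation requirement stated by the control title), or
    * ``access_key_N_last_used_date`` is earlier than
      ``access_key_N_last_rotated``, i.e. the key has not been used since
      it was last rotated.  This second test goes beyond the control
      title: an active key that has sat idle since its rotation is still a
      live credential, and it is the "not used since rotation" half of the
      ``failReason`` text.

    Timestamps are parsed with the module-level format ``frm``; ``now`` is
    the module-level current time in the same format.  A row whose
    timestamp field is missing or does not parse (the report appears to use
    placeholder strings for keys that were never used or rotated -- TODO
    confirm against the report schema) is skipped for that check only, so
    a key that has never been used at all is *not* flagged by the second
    test.

    Args:
        credreport: parsed credential report, one dict per row.

    Returns:
        dict with ``Result``, ``failReason``, ``Offenders``,
        ``ScoredControl``, ``Description`` and ``ControlId``.  The
        ``result``/``failReason``/``offenders``/``scored``/``description``/
        ``control`` values are not initialised in this excerpt; they must
        be set before the loop (presumably at the top of the full function
        -- confirm against the complete source).

    Raises:
        ValueError: if ``now`` itself does not match ``frm``.  Previously a
        bare ``except`` inside the loop swallowed this, which made every
        key silently pass the control.
    """
    # Parse the reference time once; a malformed ``now`` is a configuration
    # error and must not silently disable the whole control.
    now_dt = datetime.strptime(now, frm)

    for row in credreport:
        # Both key slots share the same column layout and the same checks,
        # so one loop replaces the duplicated key1/key2 branches.
        for slot in ("1", "2"):
            if row["access_key_{0}_active".format(slot)] != "true":
                continue
            arn = str(row["arn"])
            rotated_col = "access_key_{0}_last_rotated".format(slot)
            used_col = "access_key_{0}_last_used_date".format(slot)

            # Check 1: the key was rotated within the last 90 days.
            try:
                last_rotated = datetime.strptime(row[rotated_col], frm)
            except (KeyError, ValueError):
                # Missing column or unparsable placeholder: there is no
                # rotation timestamp to compare against, so neither check
                # can run for this key (best effort, as before, but only
                # these two exception types are tolerated now).
                continue
            if (now_dt - last_rotated).days > 90:
                result = False
                failReason = "Key rotation >90 days or not used since rotation"
                offenders.append(arn + ":unrotated key" + slot)

            # Check 2: the key has been used at least once since rotation.
            try:
                last_used = datetime.strptime(row[used_col], frm)
            except (KeyError, ValueError):
                # No usable last-used timestamp: skipped, matching the
                # previous best-effort behaviour.
                continue
            if last_used < last_rotated:
                result = False
                failReason = "Key rotation >90 days or not used since rotation"
                offenders.append(arn + ":unused key" + slot)

    return {'Result': result, 'failReason': failReason, 'Offenders': offenders, 'ScoredControl': scored, 'Description': description, 'ControlId': control}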
CIS 1.4 control is "Ensure access keys are rotated every 90 days or less". I am wondering why we are comparing the last used date with the last rotated date.