AWS CIS v3.0.0 - Section 1 - Identity and Access Management

Policy Setting: AWS > IAM > User > Login Profile

Policies

This policy setting is dependent on the following policy types:

  • AWS > IAM > User > Login Profile

Source

resource "turbot_policy_setting" "aws_iam_user_login_profile" {
  resource = turbot_policy_pack.main.id
  type     = "tmod:@turbot/aws-iam#/policy/types/userLoginProfile"
  note     = "AWS CIS v3.0.0 - Controls: 1.10 & 1.11"
  template_input = <<-EOT
    {
      value: constant(value: "Check: Login profile enabled")
      # value: constant(value: "Enforce: Delete login profile")
      user {
        children(filter:[
          "resourceTypeId:'tmod:@turbot/aws-iam#/resource/types/accessKey'",
          "level:self"
        ]){
          items {
            status: get(path:"Status")
          }
        }
        UserName
        parent {
          children(filter:[
            "resourceTypeId:'tmod:@turbot/aws-iam#/resource/types/mfaVirtual'",
            "level:self",
            "limit:2000"
          ]) {
            items {
              mfa_user: get(path:"User.UserName")
            }
          }
        }
      }
    }
  EOT
  template = <<-EOT
    {%- set has_mfa = false -%}
    {%- set has_key = false -%}
    {# Check for MFA - AWS CIS 3.0.0 - 1.10 #}
    {%- for mfa in $.user.parent.children.items -%}
      {%- if mfa.mfa_user == $.user.UserName -%}
        {%- set has_mfa = true -%}
      {%- endif -%}
    {%- endfor -%}
    {# Check for Access Keys - AWS CIS 3.0.0 - 1.11 #}
    {%- for key in $.user.children.items -%}
      {%- if key.status == "Active" -%}
        {%- set has_key = true -%}
      {%- endif -%}
    {%- endfor -%}
    {# Result #}
    {%- if (not has_mfa) or has_key -%}
      {{ $.value | json }}
    {%- else -%}
      Skip
    {%- endif -%}
  EOT
}
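The template above returns the configured value for any user that has no virtual MFA device registered to their user name (CIS 1.10) or that holds at least one active access key (CIS 1.11), and Skip otherwise. The following is an added example, not Turbot's code: the same decision re-implemented in Python and run over constructed data shaped like the template_input query result; the user names, key statuses and the helper names are made up for the illustration.

```python
# Added example (not Turbot's code): re-implements the decision the Nunjucks
# template makes for one IAM user, over constructed data shaped like the
# template_input result ($.user.children.items, $.user.parent.children.items).

PASS_THROUGH_VALUE = "Check: Login profile enabled"  # the constant in the source


def evaluate_login_profile(user: dict, value: str = PASS_THROUGH_VALUE) -> str:
    """Return `value` when the user lacks a virtual MFA device (CIS 1.10) or has
    any active access key (CIS 1.11); otherwise 'Skip', as the template does."""
    user_name = user["UserName"]
    # $.user.parent.children.items: the account's virtual MFA devices, each with
    # the owning user's name (get(path:"User.UserName")). Note the source query
    # filters on mfaVirtual only, so hardware devices never satisfy has_mfa.
    has_mfa = any(mfa.get("mfa_user") == user_name
                  for mfa in user["parent"]["children"]["items"])
    # $.user.children.items: the user's own access keys with their Status.
    has_key = any(key.get("status") == "Active"
                  for key in user["children"]["items"])
    return value if (not has_mfa) or has_key else "Skip"


# Constructed sample account: three users share one parent (the account),
# whose virtual MFA devices are listed once. Names are made up.
ACCOUNT_MFA = {"children": {"items": [{"mfa_user": "alice"}, {"mfa_user": "carol"}]}}

SAMPLE_USERS = {
    # MFA registered, only an inactive key -> compliant, template emits Skip
    "alice": {"UserName": "alice", "parent": ACCOUNT_MFA,
              "children": {"items": [{"status": "Inactive"}]}},
    # no MFA device at all -> fails 1.10
    "bob": {"UserName": "bob", "parent": ACCOUNT_MFA,
            "children": {"items": []}},
    # MFA registered but one active access key -> fails 1.11
    "carol": {"UserName": "carol", "parent": ACCOUNT_MFA,
              "children": {"items": [{"status": "Active"}, {"status": "Inactive"}]}},
}


def evaluate_all(users: dict = SAMPLE_USERS) -> dict:
    """Evaluate every sample user; returns {user_name: template result}."""
    return {name: evaluate_login_profile(u) for name, u in users.items()}


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name}: {result}")
```

The real template emits the value through `| json` (so it is quoted); the Python returns the bare string.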