Merge pull request #135 from cloudgraphdev/fix/CG-1335-aws-pci-iam-1

fix(CG-1335): AWS PCI IAM 1 rule fix

Author: tyler-dunkel

src/aws/pci-dss-3.2.1/rules/pci-dss-3.2.1-iam-check-1.ts

@@ -34,18 +34,19 @@ export default {
     'https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-pci-controls.html',
   ],
   gql: `{
-    queryawsIamUser {
+    queryawsIamUser(filter: { name: { eq: "root" } }) {
       id
       arn
       accountId
-      __typename
-      name
+       __typename
+      accessKeysActive
     }
   }`,
+  exclude: { not: { path: '@.name', equal: 'root' } },
   resource: 'queryawsIamUser[*]',
   severity: 'high',
   conditions: {
-    path: '@.name',
-    notEqual: 'root',
+    path: '@.accessKeysActive',
+    equal: false,
   },
 }

src/aws/pci-dss-3.2.1/tests/pci-dss-3.2.1-iam-checks.test.ts

@@ -18,12 +18,13 @@ describe('PCI Data Security Standard: 3.2.1', () => {
   })
 
   describe('IAM Check 1: IAM root user access key should not exist', () => {
-    test('Should fail when it finds a user called root', async () => {
+    test('Should fail when root account has at least one access key active', async () => {
       const data = {
         queryawsIamUser: [
           {
             id: cuid(),
             name: 'root',
+            accessKeysActive: true,
           },
         ],
       }
@@ -36,12 +37,13 @@ describe('PCI Data Security Standard: 3.2.1', () => {
       expect(processedRule.result).toBe(Result.FAIL)
     })
 
-    test('Should pass when it does not find a user called root', async () => {
+    test('Should pass when a root account does not have any access key active', async () => {
       const data = {
         queryawsIamUser: [
           {
             id: cuid(),
-            name: 'user',
+            name: 'root',
+            accessKeysActive: false,
           },
         ],
       }