Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time
#cis bench marking module
import boto3
def check_iam_password_policy(iam_client):
try:
password_policy = iam_client.get_account_password_policy()
print("IAM Password Policy:")
print(password_policy['PasswordPolicy'])
except iam_client.exceptions.NoSuchEntityException:
print("No IAM Password Policy found.")
def check_root_account_mfa(iam_client):
root_account = iam_client.get_account_summary()
if root_account['SummaryMap']['AccountMFAEnabled'] > 0:
print("MFA is enabled on the root account.")
else:
print("MFA is NOT enabled on the root account.")
def check_root_account_access_keys(iam_client):
root_account = iam_client.get_account_summary()
if root_account['SummaryMap']['AccountAccessKeysPresent'] == 0:
print("No access keys exist for the root account.")
else:
print("Access keys exist for the root account.")
def check_iam_user_mfa(iam_client):
users = iam_client.list_users()
for user in users['Users']:
mfa_devices = iam_client.list_mfa_devices(UserName=user['UserName'])
if not mfa_devices['MFADevices']:
print(f"User {user['UserName']} does NOT have MFA enabled.")
else:
print(f"User {user['UserName']} has MFA enabled.")
def check_unused_iam_access_keys(iam_client):
users = iam_client.list_users()
for user in users['Users']:
access_keys = iam_client.list_access_keys(UserName=user['UserName'])
for key in access_keys['AccessKeyMetadata']:
last_used = iam_client.get_access_key_last_used(AccessKeyId=key['AccessKeyId'])
if 'LastUsedDate' in last_used['AccessKeyLastUsed']:
print(f"Access Key {key['AccessKeyId']} for user {user['UserName']} was last used on {last_used['AccessKeyLastUsed']['LastUsedDate']}.")
else:
print(f"Access Key {key['AccessKeyId']} for user {user['UserName']} has NEVER been used.")
def perform_cis_benchmark():
# Initialize a boto3 session
session = boto3.Session(profile_name='cloudgoat')
# Initialize IAM client
iam_client = session.client('iam')
# Perform CIS benchmark checks
print("Performing CIS Benchmark Checks:\n")
print("1. Ensure IAM password policy is configured")
check_iam_password_policy(iam_client)
print("-" * 60)
print("2. Ensure root account has MFA enabled")
check_root_account_mfa(iam_client)
print("-" * 60)
print("3. Ensure no root account access keys exist")
check_root_account_access_keys(iam_client)
print("-" * 60)
print("4. Ensure all IAM users have MFA enabled")
check_iam_user_mfa(iam_client)
print("-" * 60)
print("5. Ensure no unused IAM access keys exist")
check_unused_iam_access_keys(iam_client)
print("-" * 60)
if __name__ == "__main__":
perform_cis_benchmark()