Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(aws): add new check iam_root_credentials_management_enabled #5801

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

feat(aws): add new check iam_root_credentials_management_enabled #5801

wants to merge 2 commits into from
+541 −308

Conversation

MrCloudSec
Copy link
Member

Context

Centralized root credentials management in AWS Organizations is critical for securing root access across member accounts. When this new feature is enabled, member accounts no longer have direct control over their root credentials, mitigating risks associated with root misuse or compromise. See more info about this new feature in https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user-access-management.

Description

This PR introduces a new check, iam_root_credentials_management_enabled, to verify if centralized root credentials management is enabled. Additionally:

  • The checks iam_root_hardware_mfa_enabled, iam_no_root_access_key, and iam_root_mfa_enabled have been updated to skip findings if centralized root credentials management is active, as root credentials are no longer directly managed by member accounts.

  • The organizations attribute was converted to a single organization attribute since there is only a single organization per AWS account.

Checklist

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@MrCloudSec MrCloudSec requested review from a team as code owners November 15, 2024 23:04
@github-actions github-actions bot added the provider/aws Issues/PRs related with the AWS provider label Nov 15, 2024
@codecov Codecov
Copy link

codecov bot commented Nov 16, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 95.27027% with 7 lines in your changes missing coverage. Please review.

Project coverage is 89.90%. Comparing base (78b518e) to head (1d5bb2f).

Files with missing lines Patch % Lines
...dware_mfa_enabled/iam_root_hardware_mfa_enabled.py 89.47% 2 Missing ⚠️
prowler/providers/aws/services/iam/iam_service.py 86.66% 2 Missing ⚠️
...ny_regions/organizations_scp_check_deny_regions.py 83.33% 2 Missing ⚠️
...ws/services/organizations/organizations_service.py 75.00% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #5801      +/-   ##
==========================================
+ Coverage   89.88%   89.90%   +0.02%     
==========================================
  Files        1132     1133       +1     
  Lines       35275    35308      +33     
==========================================
+ Hits        31707    31744      +37     
+ Misses       3568     3564       -4

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
provider/aws Issues/PRs related with the AWS provider
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@MrCloudSec