Class: AwsIamRootUser

Inherits:
Object
  • Object
Defined in:
lib/resources/aws/aws_iam_root_user.rb

Instance Method Summary collapse

Constructor Details

#initialize(conn = nil) ⇒ AwsIamRootUser

TODO: rewrite to avoid direct injection, match other resources, use AwsSingularResourceMixin



# File 'lib/resources/aws/aws_iam_root_user.rb', line 16

# Builds the resource around an IAM client.
#
# TODO: rewrite to avoid direct injection, match other resources, use AwsSingularResourceMixin
#
# @param conn [#iam_client, nil] optional injected connection; when given,
#   its +iam_client+ is used as-is, so the caller decides which client the
#   root-user checks run against.
def initialize(conn = nil)
  @client =
    if conn
      conn.iam_client
    else
      # No injected connection: ask the InSpec backend for an IAM client.
      inspec_runner.backend.aws_client(Aws::IAM::Client)
    end
end

Instance Method Details

#catch_aws_errors ⇒ Object

TODO: DRY up, see github.com/chef/inspec/issues/2633. Copied from resource_support/aws/aws_resource_mixin.rb.



# File 'lib/resources/aws/aws_iam_root_user.rb', line 22

# Runs the given block and routes AWS SDK errors to fail_resource instead
# of letting them propagate.
#
# A missing-credentials error is logged with setup guidance before the
# resource is failed; any other service error is failed with the SDK's own
# message.
#
# @yield the AWS call(s) to guard
# @return [Object] the block's value, or whatever fail_resource returns
def catch_aws_errors
  begin
    yield
  rescue Aws::Errors::MissingCredentialsError
    # The SDK's own text ("unable to sign request without credentials set")
    # does not tell the operator what to do, so log something actionable.
    Inspec::Log.error("It appears that you have not set your AWS credentials.  You may set them using environment variables, or using the 'aws://region/aws_credentials_profile' target.  See https://docs.chef.io/inspec/platforms/ for details.")
    fail_resource "No AWS credentials available"
  rescue Aws::Errors::ServiceError => service_error
    fail_resource(service_error.message)
  end
end

#has_access_key? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/resources/aws/aws_iam_root_user.rb', line 45

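# Reports whether the account summary shows access keys on the root user.
#
# NOTE(review): the rendered listing shows this lookup without a receiver
# (`["AccountAccessKeysPresent"] == 1`). That compares an Array literal with
# 1 and is always false, so a control asserting that the root user has no
# access key would pass without checking anything. The receiver is restored
# here as summary_account, this resource's account-summary helper, which is
# not part of this listing -- confirm against
# lib/resources/aws/aws_iam_root_user.rb.
#
# @return [Boolean] true when "AccountAccessKeysPresent" equals 1
def has_access_key?
  summary_account["AccountAccessKeysPresent"] == 1
end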

#has_hardware_mfa_enabled? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/resources/aws/aws_iam_root_user.rb', line 61

# Reports whether the root user's MFA is treated as a hardware device.
#
# The answer is reached by elimination: MFA is enabled and no virtual root
# MFA device was found. No hardware device is positively identified, so a
# virtual device that has_virtual_mfa_enabled? fails to recognise is
# reported here as hardware MFA.
#
# @return [Boolean]
def has_hardware_mfa_enabled?
  mfa_on = has_mfa_enabled?
  # Without MFA there is nothing to classify; hand back the falsy value as-is.
  return mfa_on unless mfa_on

  !has_virtual_mfa_enabled?
end

#has_mfa_enabled? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/resources/aws/aws_iam_root_user.rb', line 49

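# Reports whether the account summary shows MFA enabled on the root user.
#
# NOTE(review): the rendered listing shows this lookup without a receiver
# (`["AccountMFAEnabled"] == 1`). That compares an Array literal with 1 and
# is always false, so the resource would report MFA as disabled whatever the
# account's real state. The receiver is restored here as summary_account,
# this resource's account-summary helper, which is not part of this
# listing -- confirm against lib/resources/aws/aws_iam_root_user.rb.
#
# @return [Boolean] true when "AccountMFAEnabled" equals 1
def has_mfa_enabled?
  summary_account["AccountMFAEnabled"] == 1
end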

#has_virtual_mfa_enabled? ⇒ Boolean

If the root account has a virtual MFA device, the device has a special serial number ending in ‘root-account-mfa-device’.

Returns:

  • (Boolean)


# File 'lib/resources/aws/aws_iam_root_user.rb', line 55

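# Reports whether a virtual MFA device is registered for the root user.
#
# If the root account has a virtual MFA device, the device has a special
# serial number ending in 'root-account-mfa-device'. The pattern is anchored
# at both ends so that a serial number which merely contains that text (for
# example a device name with extra characters after it) is not counted as
# the root device.
#
# NOTE(review): only the "arn:aws:" prefix is matched. A serial number with
# a different prefix would not be recognised, and has_hardware_mfa_enabled?
# would then classify the MFA as hardware -- confirm which ARN prefixes are
# in scope.
#
# @return [Boolean] true when any listed device has the root serial number
def has_virtual_mfa_enabled?
  root_device_arn = %r{\Aarn:aws:iam::\d{12}:mfa/root-account-mfa-device\z}

  virtual_mfa_devices.any? { |device| root_device_arn.match?(device["serial_number"]) }
end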

#inspec_runner ⇒ Object

TODO: DRY up, see github.com/chef/inspec/issues/2633. Copied from resource_support/aws/aws_singular_resource_mixin.rb.



# File 'lib/resources/aws/aws_iam_root_user.rb', line 35

# Returns the InSpec runner when one is reachable, otherwise nil.
#
# Under inspec-cli the resource has an 'inspec' method that returns the
# runner. Unit tests do not have it, but something still has to be passed
# to the backend, and nil is OK there.
#
# TODO: remove with https://github.com/chef/inspec-aws/issues/216
# TODO: remove after rewrite to include AwsSingularResource
#
# @return [Object, nil] the value of +inspec+, or nil when it is unavailable
def inspec_runner
  return nil unless respond_to?(:inspec)

  inspec
end

#to_s ⇒ Object



# File 'lib/resources/aws/aws_iam_root_user.rb', line 65

def to_s
  "AWS Root-User"
end