Class: AwsIamRootUser

Inherits:

Object

• Object
• AwsIamRootUser

Defined in:

lib/resources/aws/aws_iam_root_user.rb

Instance Method Summary

• #catch_aws_errors ⇒ Object

  TODO: DRY up, see github.com/chef/inspec/issues/2633 Copied from resource_support/aws/aws_resource_mixin.rb.

• #has_access_key? ⇒ Boolean
• #has_hardware_mfa_enabled? ⇒ Boolean
• #has_mfa_enabled? ⇒ Boolean
• #has_virtual_mfa_enabled? ⇒ Boolean

  if the root account has a Virtual MFA device then it will have a special serial number ending in ‘root-account-mfa-device’.

• #initialize(conn = nil) ⇒ AwsIamRootUser constructor

  TODO: rewrite to avoid direct injection, match other resources, use AwsSingularResourceMixin.

• #inspec_runner ⇒ Object

  TODO: DRY up, see github.com/chef/inspec/issues/2633 Copied from resource_support/aws/aws_singular_resource_mixin.rb.

• #to_s ⇒ Object

Constructor Details

#initialize(conn = nil) ⇒ AwsIamRootUser

TODO: rewrite to avoid direct injection, match other resources, use AwsSingularResourceMixin

# File 'lib/resources/aws/aws_iam_root_user.rb', line 16

def initialize(conn = nil)
  @client = conn ? conn.iam_client : inspec_runner.backend.aws_client(Aws::IAM::Client)
end

Instance Method Details

#catch_aws_errors ⇒ Object

TODO: DRY up, see github.com/chef/inspec/issues/2633 Copied from resource_support/aws/aws_resource_mixin.rb

# File 'lib/resources/aws/aws_iam_root_user.rb', line 22

def catch_aws_errors
  yield
rescue Aws::Errors::MissingCredentialsError
  # The AWS error here is unhelpful:
  # "unable to sign request without credentials set"
  Inspec::Log.error "It appears that you have not set your AWS credentials.  You may set them using environment variables, or using the 'aws://region/aws_credentials_profile' target.  See https://www.inspec.io/docs/reference/platforms for details."
  fail_resource("No AWS credentials available")
rescue Aws::Errors::ServiceError => e
  fail_resource e.message
end

#has_access_key? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/resources/aws/aws_iam_root_user.rb', line 45

def has_access_key?
  summary_account["AccountAccessKeysPresent"] == 1
end

#has_hardware_mfa_enabled? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/resources/aws/aws_iam_root_user.rb', line 61

def has_hardware_mfa_enabled?
  has_mfa_enabled? && !has_virtual_mfa_enabled?
end

#has_mfa_enabled? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/resources/aws/aws_iam_root_user.rb', line 49

def has_mfa_enabled?
  summary_account["AccountMFAEnabled"] == 1
end

#has_virtual_mfa_enabled? ⇒ Boolean

if the root account has a Virtual MFA device then it will have a special serial number ending in ‘root-account-mfa-device’

Returns:

• (Boolean)

# File 'lib/resources/aws/aws_iam_root_user.rb', line 55

def has_virtual_mfa_enabled?
  mfa_device_pattern = %r{arn:aws:iam::\d{12}:mfa\/root-account-mfa-device}

  virtual_mfa_devices.any? { |d| mfa_device_pattern =~ d["serial_number"] }
end

#inspec_runner ⇒ Object

TODO: DRY up, see github.com/chef/inspec/issues/2633 Copied from resource_support/aws/aws_singular_resource_mixin.rb

# File 'lib/resources/aws/aws_iam_root_user.rb', line 35

def inspec_runner
  # When running under inspec-cli, we have an 'inspec' method that
  # returns the runner. When running under unit tests, we don't
  # have that, but we still have to call this to pass something
  # (nil is OK) to the backend.
  # TODO: remove with https://github.com/chef/inspec-aws/issues/216
  # TODO: remove after rewrite to include AwsSingularResource
  inspec if respond_to?(:inspec)
end

#to_s ⇒ Object

# File 'lib/resources/aws/aws_iam_root_user.rb', line 65

def to_s
  "AWS Root-User"
end