# Step 1: Evidence Details

|System|Source of data|Frameworks|Purpose|
|---|---|---|---|
|aws|compliancecow||Ensure that every active IAM user access key has been rotated within the given time period (MaxAccessKeyAge, in days)|

```
Purpose: The AWS Access Key Rotation rule enhances security by regularly replacing the long-lived access keys used for programmatic access to AWS resources. Rotating keys limits the window in which a compromised or leaked key remains usable and ensures that access keys are refreshed on a defined schedule rather than living indefinitely.
```
```
Input: MaxAccessKeyAge - 90 ( sample input, in days )
RecommendedEvidenceName: AccessKeyRotationReport
```

# Step 2: Define the System Specific Data (a.k.a Extended Data Schema)

In [None]:
# AWS Example (one IAM user as reported by the AWS credential report; "N/A" means the credential does not exist)
[
      {
        "User": "johndoe",
        "ARN": "arn:aws:iam::022654265366:user/johndoe",
        "UserCreationTime": "2023-03-17T07:04:00+00:00",
        "PasswordEnabled": true,
        "PasswordLastUsed": "2024-03-08T05:47:36+00:00",
        "PasswordLastChanged": "2023-03-17T07:04:00+00:00",
        "PasswordNextRotation": "N/A",
        "MFAActive": false,
        "AccessKey1Active": true,
        "AccessKey1LastRotated": "2023-03-17T07:04:00+00:00",
        "AccessKey1LastUsedDate": "2024-03-13T06:47:00+00:00",
        "AccessKey1LastUsedRegion": "us-west-2",
        "AccessKey1LastUsedService": "securityhub",
        "AccessKey2Active": false,
        "AccessKey2LastRotated": "N/A",
        "AccessKey2LastUsedDate": "N/A",
        "AccessKey2LastUsedRegion": "N/A",
        "AccessKey2LastUsedService": "N/A",
        "Cert1Active": false,
        "Cert1LastRotated": "N/A",
        "Cert2Active": false,
        "Cert2LastRotated": "N/A",
        "MFADevices": ""
      }
  ]

# Step 3: Define the Standard Schema
  


In [None]:
{
    # Meta
    "System":"aws",
    "Source":"compliancecow",

    # Resource info
    "ResourceID":"arn:aws:iam::022654265366:user/test-user-one",
    "ResourceName":"test-user-one",
    "ResourceType":"AwsIamUser",
    "ResourceLocation":"global",
    "ResourceTags": null,
    "ResourceURL": "https://us-east-1.console.aws.amazon.com/iamv2/home?region=us-east-1#/users/details/test-user-one",

    # Data (AccessKeyNAge is the number of days between AccessKeyNLastRotated and EvaluatedTime; "N/A" when the key slot is inactive)
    "AccessKey1Active": true,
    "AccessKey1LastRotated": "2023-08-22T13:11:23+00:00",
    "AccessKey1Age": 122,
    "AccessKey1LastUsedDate": "2023-12-20T13:34:00+00:00",
    "AccessKey2Active": true,
    "AccessKey2LastRotated": "2023-09-23T13:11:23+00:00",
    "AccessKey2Age": 90,
    "AccessKey2LastUsedDate": "2023-12-20T13:34:00+00:00",

    # Compliance details (with MaxAccessKeyAge = 90: key 1 at 122 days is overdue, key 2 at exactly 90 days is still within the limit)
    "ValidationStatusCode":"ACC_KY2_RTD_ACC_KY1_NT_RTD",
    "ValidationStatusNotes":"AccessKey2 was rotated properly and accessKey1 was not rotated properly",
    "ComplianceStatus":"NON_COMPLIANT",
    "ComplianceStatusReason":"Record is non compliant as accessKey1 was not rotated properly",
    "EvaluatedTime":"2023-12-22T07:03:37.417Z",

    # User editable data
    "UserAction":"",

    # Action editable data
    "ActionStatus":"",
    "ActionResponseURL":""
}

# Step 3.a: Sample Data

|System|Source|ResourceID|ResourceName|ResourceType|ResourceLocation|ResourceTags|ResourceURL|AccessKey1Active|AccessKey1LastRotated|AccessKey1Age|AccessKey1LastUsedDate|AccessKey2Active|AccessKey2LastRotated|AccessKey2Age|AccessKey2LastUsedDate|ValidationStatusCode|ValidationStatusNotes|ComplianceStatus|ComplianceStatusReason|EvaluatedTime|UserAction|ActionStatus|ActionResponseURL|
|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|
|aws|compliancecow|arn:aws:iam::022654265366:user/test-user-one|test-user-one|AwsIamUser|global||https://us-east-1.console.aws.amazon.com/iamv2/home?region=us-east-1#/users/details/test-user-one|true|2023-03-24T13:11:23+00:00|273|2023-12-20T13:34:00+00:00|true|2023-11-16T05:00:21+00:00|36|2023-12-20T13:34:00+00:00|ACC_KY2_RTD_ACC_KY1_NT_RTD|AccessKey2 was rotated properly and accessKey1 was not rotated properly|NON_COMPLIANT|Record is non compliant as accessKey1 was not rotated properly|2023-12-22T07:03:37.417Z||||
|aws|compliancecow|arn:aws:iam::022654265366:user/test-user-two|test-user-two|AwsIamUser|global||https://us-east-1.console.aws.amazon.com/iamv2/home?region=us-east-1#/users/details/test-user-two|true|2023-03-24T13:11:23+00:00|273|2023-12-20T13:34:00+00:00|true|2023-07-24T09:12:00+00:00|151|2023-12-21T10:05:00+00:00|BTH_ACC_KEY_NT_RTD|Both access keys have not been rotated|NON_COMPLIANT|The record is not compliant as both access keys were not rotated properly|2023-12-22T07:03:37.417Z||||
|aws|compliancecow|arn:aws:iam::022654265366:user/test-user-three|test-user-three|AwsIamUser|global||https://us-east-1.console.aws.amazon.com/iamv2/home?region=us-east-1#/users/details/test-user-three|true|2023-11-28T08:00:12+00:00|24|N/A|false|N/A|N/A|N/A|ACC_KEY_RTD|AccessKey1 has been rotated|COMPLIANT|Record is compliant as accessKey1 was rotated properly|2023-12-22T07:03:37.417Z||||

# Step 4: Describe the Compliance Taxonomy

AccessKeyNAge is the number of calendar days between AccessKeyNLastRotated and EvaluatedTime; it is N/A when that key slot is inactive. A key counts as rotated when its age is less than or equal to MaxAccessKeyAge, so a key that is exactly MaxAccessKeyAge days old is still compliant.

|AccessKey1Age|AccessKey2Age|ValidationStatusCode|ValidationStatusNotes|ComplianceStatus|ComplianceStatusReason|
|---|---|---|---|---|---|
| > MaxAccessKeyAge| > MaxAccessKeyAge|BTH_ACC_KEY_NT_RTD|Both access keys have not been rotated|NON_COMPLIANT|The record is not compliant as both access keys were not rotated properly|
| <= MaxAccessKeyAge| <= MaxAccessKeyAge|BTH_ACC_KEY_RTD|Both access keys have been rotated|COMPLIANT|Record is compliant as both access keys were rotated properly|
| > MaxAccessKeyAge| <= MaxAccessKeyAge|ACC_KY2_RTD_ACC_KY1_NT_RTD|AccessKey2 was rotated properly and accessKey1 was not rotated properly|NON_COMPLIANT|Record is non compliant as accessKey1 was not rotated properly|
| <= MaxAccessKeyAge| > MaxAccessKeyAge|ACC_KY1_RTD_ACC_KY2_NT_RTD|AccessKey1 was rotated properly and accessKey2 was not rotated properly|NON_COMPLIANT|Record is non compliant as accessKey2 was not rotated properly|
| <= MaxAccessKeyAge| N/A |ACC_KEY_RTD|AccessKey1 has been rotated|COMPLIANT|Record is compliant as accessKey1 was rotated properly|
| > MaxAccessKeyAge| N/A |ACC_KEY_NT_RTD|AccessKey1 has not been rotated|NON_COMPLIANT|Record is not compliant as accessKey1 was not rotated properly|
|N/A| <= MaxAccessKeyAge |ACC_KEY_RTD|AccessKey2 has been rotated|COMPLIANT|Record is compliant as accessKey2 was rotated properly|
|N/A| > MaxAccessKeyAge|ACC_KEY_NT_RTD|AccessKey2 has not been rotated|NON_COMPLIANT|Record is not compliant as accessKey2 was not rotated properly|

# Step 5: Calculation for Compliance Percentage and Status


In [None]:
# Calculation of Compliance Percentage

TotalRecordCount = Count of 'COMPLIANT' and 'NON_COMPLIANT' records
FailedRecordCount = Count of 'NON_COMPLIANT' records

CompliancePCT = int(100 - ((FailedRecordCount * 100) / TotalRecordCount))

Compliance Status
COMPLIANT - 100%
NON_COMPLIANT - 0% to less than 100%
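The following is an added worked example, not code from the ComplianceCow rule itself: it computes the key ages from AccessKeyNLastRotated and EvaluatedTime, classifies each record with the Step 4 taxonomy and then applies the Step 5 percentage formula. The field names are those of the standard schema; the helper names, the constructed sample records and the decision to leave a user with no active key out of the count (Step 4 has no row for that case) are this example's own assumptions.

```python
from datetime import datetime

MAX_ACCESS_KEY_AGE = 90  # days; the sample MaxAccessKeyAge input from Step 1

# Step 4 taxonomy keyed by (key1 rotated?, key2 rotated?), where each slot is
# True (age <= MaxAccessKeyAge), False (age > MaxAccessKeyAge) or None (key
# inactive, age N/A). Values are ValidationStatusCode, ValidationStatusNotes,
# ComplianceStatus and ComplianceStatusReason.
TAXONOMY = {
    (False, False): ("BTH_ACC_KEY_NT_RTD", "Both access keys have not been rotated",
                     "NON_COMPLIANT", "The record is not compliant as both access keys were not rotated properly"),
    (True, True): ("BTH_ACC_KEY_RTD", "Both access keys have been rotated",
                   "COMPLIANT", "Record is compliant as both access keys were rotated properly"),
    (False, True): ("ACC_KY2_RTD_ACC_KY1_NT_RTD", "AccessKey2 was rotated properly and accessKey1 was not rotated properly",
                    "NON_COMPLIANT", "Record is non compliant as accessKey1 was not rotated properly"),
    (True, False): ("ACC_KY1_RTD_ACC_KY2_NT_RTD", "AccessKey1 was rotated properly and accessKey2 was not rotated properly",
                    "NON_COMPLIANT", "Record is non compliant as accessKey2 was not rotated properly"),
    (True, None): ("ACC_KEY_RTD", "AccessKey1 has been rotated",
                   "COMPLIANT", "Record is compliant as accessKey1 was rotated properly"),
    (False, None): ("ACC_KEY_NT_RTD", "AccessKey1 has not been rotated",
                    "NON_COMPLIANT", "Record is not compliant as accessKey1 was not rotated properly"),
    (None, True): ("ACC_KEY_RTD", "AccessKey2 has been rotated",
                   "COMPLIANT", "Record is compliant as accessKey2 was rotated properly"),
    (None, False): ("ACC_KEY_NT_RTD", "AccessKey2 has not been rotated",
                    "NON_COMPLIANT", "Record is not compliant as accessKey2 was not rotated properly"),
}


def parse_ts(value):
    """Parse a credential-report timestamp; 'N/A' or empty means no value."""
    if value in (None, "", "N/A"):
        return None
    return datetime.fromisoformat(str(value).replace("Z", "+00:00"))


def is_true(value):
    """The page shows Active flags both as booleans and as the string 'true'."""
    return value is True or str(value).lower() == "true"


def key_age_days(record, slot, evaluated):
    """Calendar days from AccessKey<slot>LastRotated to EvaluatedTime, or None
    (shown as 'N/A' in the report) when the key slot is inactive."""
    if not is_true(record.get(f"AccessKey{slot}Active")):
        return None
    rotated = parse_ts(record.get(f"AccessKey{slot}LastRotated"))
    if rotated is None:
        return None
    return (evaluated.date() - rotated.date()).days


def evaluate_record(record, evaluated_time, max_age=MAX_ACCESS_KEY_AGE):
    """Return the compliance fields of the standard schema for one record, or
    None for a user with no active key, which Step 4 does not classify
    (treating that case as out of scope is this example's assumption)."""
    evaluated = parse_ts(evaluated_time)
    ages = [key_age_days(record, slot, evaluated) for slot in (1, 2)]
    verdict = tuple(None if age is None else age <= max_age for age in ages)
    if verdict == (None, None):
        return None
    code, notes, status, reason = TAXONOMY[verdict]
    return {
        "AccessKey1Age": "N/A" if ages[0] is None else ages[0],
        "AccessKey2Age": "N/A" if ages[1] is None else ages[1],
        "ValidationStatusCode": code,
        "ValidationStatusNotes": notes,
        "ComplianceStatus": status,
        "ComplianceStatusReason": reason,
        "EvaluatedTime": evaluated_time,
    }


def compliance_pct(results):
    """Step 5: percentage over COMPLIANT/NON_COMPLIANT records only."""
    counted = [r for r in results if r and r["ComplianceStatus"] in ("COMPLIANT", "NON_COMPLIANT")]
    if not counted:  # Step 5 defines no result for zero records, so refuse rather than guess
        raise ValueError("no COMPLIANT/NON_COMPLIANT records to score")
    failed = sum(r["ComplianceStatus"] == "NON_COMPLIANT" for r in counted)
    pct = int(100 - (failed * 100) / len(counted))
    return pct, "COMPLIANT" if pct == 100 else "NON_COMPLIANT"


# Constructed sample records mirroring the Step 3.a rows (not real accounts).
EVALUATED_TIME = "2023-12-22T07:03:37.417Z"
SAMPLE_RECORDS = [
    {"ResourceName": "test-user-one", "AccessKey1Active": True, "AccessKey1LastRotated": "2023-03-24T13:11:23+00:00",
     "AccessKey2Active": True, "AccessKey2LastRotated": "2023-11-16T05:00:21+00:00"},
    {"ResourceName": "test-user-two", "AccessKey1Active": True, "AccessKey1LastRotated": "2023-03-24T13:11:23+00:00",
     "AccessKey2Active": "true", "AccessKey2LastRotated": "2023-07-24T09:12:00+00:00"},
    {"ResourceName": "test-user-three", "AccessKey1Active": True, "AccessKey1LastRotated": "2023-11-28T08:00:12+00:00",
     "AccessKey2Active": False, "AccessKey2LastRotated": "N/A"},
]


def run_sample():
    """Evaluate the constructed records and return (per-record results, (pct, status))."""
    results = [evaluate_record(r, EVALUATED_TIME) for r in SAMPLE_RECORDS]
    return results, compliance_pct(results)


if __name__ == "__main__":
    results, (pct, status) = run_sample()
    for rec, res in zip(SAMPLE_RECORDS, results):
        print(rec["ResourceName"], res["AccessKey1Age"], res["AccessKey2Age"], res["ValidationStatusCode"])
    print(f"CompliancePCT={pct} ComplianceStatus={status}")
```

Ages are taken as calendar-day differences so that a key rotated on 2023-03-24 is 273 days old at the 2023-12-22 evaluation regardless of the time of day; two of the three sample users fail, giving int(100 - 200/3) = 33 and an overall NON_COMPLIANT status.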

# Step 6: Describe (in words) the Remediation Steps for Non-Compliance

Remediation notes:
Address non-compliance with the AWS Access Key Rotation Policy by rotating the identified access key << KeyName >> of the affected IAM user. Rotate rather than simply delete: create the replacement first so the workload keeps working, and deactivate before deleting so the change can be reverted if something still depends on the old key.

Steps:

1. Log in to the AWS Management Console.
2. Navigate to IAM, open the user associated with the identified access key and go to the Security credentials tab. An IAM user can hold at most two access keys, so if both slots are in use, delete the stale inactive key before creating a new one.
3. Create a new access key and update every application, script and CI configuration that uses the old key.
4. Deactivate (do not yet delete) the old key and confirm that nothing breaks; once deactivated, the key's last-used date and service should stop advancing.
5. Delete the deactivated key. The next credential report carries the new key's creation time as AccessKeyNLastRotated, so the record's age resets.

Refer to the AWS documentation for more information: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html

# Step 7: Control Setup Details

| Control Details            |                               |
|----------------------------|-------------------------------|
| **RuleName**               | AWSAccessKeyRotationReport    |
| **PreRequisiteRuleNames**  | AWSCredentialReport           |
| **ApplicationClassName**   | AWSAppConnector               |