From 3570ad55b09ab6ca70f4eae846670ba5af42f677 Mon Sep 17 00:00:00 2001
From: Matthias Veit
Date: Fri, 16 Feb 2024 11:11:33 +0100
Subject: [PATCH] [aws][fix] Make cognito group unique (#1924)
---
 plugins/aws/resoto_plugin_aws/resource/cognito.py | 4 ++--
 resotocore/resotocore/static/report/checks/aws/aws_iam.json | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/plugins/aws/resoto_plugin_aws/resource/cognito.py b/plugins/aws/resoto_plugin_aws/resource/cognito.py
index c5550c4eb..0a6c28141 100644
--- a/plugins/aws/resoto_plugin_aws/resource/cognito.py
+++ b/plugins/aws/resoto_plugin_aws/resource/cognito.py
@@ -7,7 +7,7 @@ from resoto_plugin_aws.resource.lambda_ import AwsLambdaFunction
 from resotolib.baseresources import BaseUser, EdgeType, ModelReference
 from resotolib.graph import Graph
-from resotolib.json_bender import S, Bend, Bender, ForallBend
+from resotolib.json_bender import S, Bend, Bender, ForallBend, K
 from resotolib.types import Json
 service_name = "cognito-idp"
@@ -28,7 +28,7 @@ class AwsCognitoGroup(AwsResource):
 "predecessors": {"default": ["aws_iam_role"], "delete": ["aws_iam_role"]}
 }
 mapping: ClassVar[Dict[str, Bender]] = {
- "id": S("GroupName"),
+ "id": S("UserPoolId") + K(":") + S("GroupName"),
 "name": S("GroupName"),
 "ctime": S("CreationDate"),
 "mtime": S("LastModifiedDate"),
diff --git a/resotocore/resotocore/static/report/checks/aws/aws_iam.json b/resotocore/resotocore/static/report/checks/aws/aws_iam.json
index 198d7d22e..9811d76f4 100644
--- a/resotocore/resotocore/static/report/checks/aws/aws_iam.json
+++ b/resotocore/resotocore/static/report/checks/aws/aws_iam.json
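Review bot: The composed `"id"` in the second hunk of cognito.py changes what `id` means for every AwsCognitoGroup, and nothing at the mapping says why. Add a comment on that line, e.g. `# GroupName is only unique within one user pool; prefix the pool id so groups from different pools stay distinct nodes`. The class body continues outside the hunk: any code there that passes `self.id` as `GroupName` to the Cognito API would now send the prefixed value and should use `self.name` instead. Because these groups are linked to `aws_iam_role`, a collision or mismatched id can attach a role to the wrong pool's group in the graph, so a collector test with two pools sharing a group name is worth adding. If the user resource in this file also derives its id from the username alone, it probably needs the same pool prefix.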
@@ -687,7 +687,7 @@
 "risk": "Unused access keys pose a security risk and should be removed to prevent unauthorized access.",
 "severity": "medium",
 "detect": {
- "resoto": "is(aws_iam_access_key) and age>{{access_key_too_old_age}} and (last_used==null or last_used<{{access_key_too_old_age.from_now}})"
+ "resoto": "is(aws_iam_access_key) and age>{{access_key_too_old_age}} and (last_used==null or last_used<{{access_key_too_old_age.ago}})"
 },
 "default_values": {
 "access_key_too_old_age": "90d"
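Review bot: The corrected `detect` query still uses the single `access_key_too_old_age` value for both the `age>` clause and the `last_used<` cutoff, so the maximum key age and the inactivity window cannot be tuned separately. If the intent is to flag keys that have been idle for a shorter period than the rotation age, a second entry in `default_values` is needed; otherwise the check's descriptive text should state that one threshold drives both conditions. Other checks in this file that compare a past timestamp against a `.from_now` value may carry the same inverted cutoff and are worth searching for; they are outside this hunk.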