mitre / aws-foundations-cis-baseline

InSpec profile to validate your VPC to the standards of the CIS Amazon Web Services Foundations Benchmark

IAM Password Policy Not Found - 1.8 #120

Open aaronlippold opened 11 months ago

aaronlippold commented 11 months ago

The error collection is skipping the resource when a configured password policy cannot be found; this should fail the resource and not skip it.

Related #125

wdower commented 11 months ago

So the problem here is that apparently the AWS API throws a "NoSuchEntity" error even when the password policy is set to the defaults. Any customizing of the password policy makes the password policy suddenly detectable by the API.

That means we can't necessarily autofail the resource; in most cases, there is actually a password policy set, it's just the default.

wdower commented 11 months ago

Ref: https://github.com/aws/aws-cli/issues/7265

This is a bug in the API.

aaronlippold commented 11 months ago

OK, let's raise an issue on the SDK board; they seem to be very responsive. The other thing you could do in the resources is just do some sort of no-op on the backend or in the resource to work around the bug. A.k.a. have the client do a query or something that doesn't change any data, but just works around the bug.
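One way a check can handle the behaviour wdower describes (NoSuchEntity returned when the account is still on the AWS default policy) without either skipping or blindly failing, written as an added example in plain Ruby rather than code from the profile: the error is mapped to the documented default values and those are evaluated against the control's threshold. The default values, the 14-character threshold and the `NoSuchEntityError` stand-in class are assumptions for this example; with the real SDK the rescued class would be `Aws::IAM::Errors::NoSuchEntity`.

```ruby
# Local stand-in for the SDK error so the example runs offline (assumption).
class NoSuchEntityError < StandardError; end

# Values AWS applies when no custom policy exists (assumed for this example;
# check the IAM documentation for the current defaults).
AWS_DEFAULT_POLICY = {
  'MinimumPasswordLength' => 8,
  'RequireUppercaseCharacters' => false,
  'RequireNumbers' => false
}.freeze

# fetch is a callable that returns the GetAccountPasswordPolicy hash or raises.
# NoSuchEntity is treated as "account uses the AWS defaults", not "no policy";
# any other error (e.g. a permissions problem) is left to propagate so the
# caller can decide whether that should be a skip or an error.
def load_password_policy(fetch)
  { policy: fetch.call, source: :customized }
rescue NoSuchEntityError
  { policy: AWS_DEFAULT_POLICY, source: :aws_default }
end

# Evaluate the minimum-length requirement. Default threshold of 14 is an
# assumption standing in for whatever the control under discussion requires.
def evaluate_min_length(fetch, min_length: 14)
  loaded = load_password_policy(fetch)
  length = loaded[:policy].fetch('MinimumPasswordLength')
  {
    status: length >= min_length ? :passed : :failed,
    source: loaded[:source],
    minimum_password_length: length
  }
end

# Constructed sample callers: one account on defaults, one with a custom policy.
DEFAULT_ACCOUNT = -> { raise NoSuchEntityError, 'The Password Policy cannot be found.' }
CUSTOM_ACCOUNT  = -> { { 'MinimumPasswordLength' => 14, 'RequireNumbers' => true } }

if __FILE__ == $PROGRAM_NAME
  p evaluate_min_length(DEFAULT_ACCOUNT)
  p evaluate_min_length(CUSTOM_ACCOUNT)
end
```

A permissions error from the API is deliberately not rescued here, so a check can still distinguish "could not read the policy" from "policy is at the defaults".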