…heck (#2846)

The check previously called GetAccountSummary and read AccountAccessKeysPresent, which returns 1 when the root account has *any* access keys, active or inactive. That produced a critical false positive for accounts that only had a disabled root key sitting on them: AWS Console correctly said "Root user has no active access keys" while our scan reported "Root account has active access keys" at critical severity.

Switch to GenerateCredentialReport + GetCredentialReport (same source AWS Console's IAM Dashboard recommendation panel uses). Parse the <root_account> row's access_key_1_active / access_key_2_active columns directly so we report exactly what AWS Console reports.

- Extract the check into apps/api/src/cloud-security/providers/aws/iam-root-access-keys.ts so it can be unit-tested in isolation.
- Drop the old in-adapter implementation and the now-unused GetAccountSummary import. iam.adapter.ts shrinks from 308 → 266 lines.
- Add 16 unit tests covering: customer's exact scenario (inactive-only key passes), each active-key column, both active, no root row (safe skip), permission errors (safe skip), and the polling/retry path on CredentialReportNotReadyException.

Co-authored-by: Tofik Hasanov <annexcies@gmail.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: Tofik Hasanov <72318342+tofikwest@users.noreply.github.com>
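As an added example (not the project's code), a dependency-free TypeScript version of the check the commit describes: read only the `<root_account>` row's `access_key_1_active` / `access_key_2_active` columns, skip safely when the row is missing or the API call fails, and retry while the report is still being generated. The `ReportClient` interface, the result type and the function names are assumptions; a real caller would back `generate()`/`get()` with the `GenerateCredentialReport` and `GetCredentialReport` calls from `@aws-sdk/client-iam`.

```typescript
// Added example, not the project's code: a dependency-free version of the
// root-access-key check described in the commit above.
export type RootKeyResult =
  | { status: "fail"; activeKeys: string[] }
  | { status: "pass" }
  | { status: "skip"; reason: string };

// Evaluate the decoded credential-report CSV. Only the <root_account> row and
// its access_key_N_active columns matter; AccountAccessKeysPresent would also
// count a disabled key, which is the false positive the commit fixes.
export function evaluateCredentialReport(csv: string): RootKeyResult {
  const rows = csv.trim().split(/\r?\n/).map((l) => l.split(","));
  const header = rows.shift() ?? [];
  const idx = (name: string) => header.indexOf(name);
  const user = idx("user"), k1 = idx("access_key_1_active"), k2 = idx("access_key_2_active");
  if (user < 0 || k1 < 0 || k2 < 0) return { status: "skip", reason: "unexpected report columns" };
  const root = rows.find((r) => r[user] === "<root_account>");
  if (!root) return { status: "skip", reason: "no <root_account> row" }; // safe skip, not a finding
  const active = [k1, k2].flatMap((c, i) =>
    root[c]?.toLowerCase() === "true" ? [`access_key_${i + 1}`] : []);
  return active.length ? { status: "fail", activeKeys: active } : { status: "pass" };
}

// Hypothetical client shape: generate() maps to GenerateCredentialReport, get()
// to GetCredentialReport and rejects with an error named
// CredentialReportNotReadyException while AWS is still building the report.
export interface ReportClient {
  generate(): Promise<void>;
  get(): Promise<string>;
}

export async function checkRootAccessKeys(
  client: ReportClient, maxAttempts = 5, delayMs = 1000,
): Promise<RootKeyResult> {
  try {
    await client.generate();
    for (let attempt = 1; attempt <= maxAttempts; attempt++) {
      try {
        return evaluateCredentialReport(await client.get());
      } catch (err) {
        const name = (err as { name?: string }).name ?? "UnknownError";
        if (name !== "CredentialReportNotReadyException") throw err;
        await new Promise((r) => setTimeout(r, delayMs)); // polling/retry path
      }
    }
    return { status: "skip", reason: "credential report not ready after retries" };
  } catch (err) {
    // Permission errors and other API failures are a skip, never a false critical.
    return { status: "skip", reason: (err as { name?: string }).name ?? "UnknownError" };
  }
}
```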
🎉 This PR is included in version 3.55.1 🎉 The release is available on GitHub release.

Your semantic-release bot 📦🚀
This is an automated pull request to release the candidate branch into production, which will trigger a deployment.
It was created by the [Production PR] action.
Summary by cubic

Use the IAM Credential Report to check for root access keys, fixing false positives where inactive keys were flagged as critical. The check is now a dedicated module with polling and safe-skip behavior, and the IAM adapter calls it.

Bug Fixes
- Switched from GetAccountSummary to GenerateCredentialReport + GetCredentialReport from @aws-sdk/client-iam.
- Parse the <root_account> row to detect access_key_1_active / access_key_2_active; only fail when any is true.

Refactors
- Extracted the check into iam-root-access-keys.ts and updated the adapter to use checkRootAccessKeys.

Written for commit 2e58e26.