Nagios plugin for checking that all AWS IAM login users (console-password users and the root account) have MFA enabled
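#!/bin/bash
# Nagios plugin: verify that every IAM user with console (password) access,
# plus the root account, has MFA enabled, based on the IAM credential report.
#
# Exit codes (Nagios convention):
#   0 OK        every login user has MFA and the report is fresh
#   2 CRITICAL  at least one login user has no MFA, or the report is stale
#   3 UNKNOWN   the report could not be fetched, decoded or dated -- the
#               check itself is broken and must not be read as "all good"
#
# Needs the AWS CLI (iam:GenerateCredentialReport, iam:GetCredentialReport)
# and GNU coreutils (date -d, base64 -d, column).
#
# for debugging:
# aws iam generate-credential-report
# NOTE: generate will work only once every 4 hours - http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html
# aws iam get-credential-report --output text | awk '{print $1}' | base64 -d | head -1 | sed 's#,#\n#g' | cat -n
# aws iam get-credential-report --output text | awk '{print $1}' | base64 -d | awk -F, '{print $1, $4, $5, $8, $9, $14, $19, $21}' | column -t

# Make pipeline failures (e.g. base64 -d rejecting garbage) visible; the
# script deliberately does not use 'set -e' so that every failure path can
# emit a proper UNKNOWN line instead of dying silently.
set -o pipefail

# A stray PYTHONPATH can make the Python-based AWS CLI import the wrong modules.
unset PYTHONPATH

# Request a fresh report. Best-effort on purpose: IAM refuses a new report
# while one is generating or when the last one is under 4 hours old, and the
# previous report is still served by get-credential-report in that case.
# Staleness is caught by the age check below rather than here.
aws iam generate-credential-report &>/dev/null
#sleep 10

# Text output is one line of three whitespace-separated fields:
#   <base64 CSV> <generated_time ISO-8601> <report_format>
# A failed call (missing permission, report still generating, CLI absent)
# yields nothing. The original script fell through here and, with an empty
# report, counted 0 users and returned OK -- a monitoring check that reports
# OK when it cannot see the data is worse than no check, so bail out UNKNOWN.
raw=$(aws iam get-credential-report --output text 2>/dev/null)
rc=$?
if [ "$rc" -ne 0 ] || [ -z "$raw" ]; then
  echo "UNKNOWN - aws iam get-credential-report failed (exit $rc); report may still be generating or iam:GetCredentialReport is not permitted"
  exit 3
fi
# -r: the base64 payload never contains backslashes, but never let read mangle input.
read -r report rep_time mime <<< "$raw"
if [ -z "$report" ] || [ -z "$rep_time" ]; then
  echo "UNKNOWN - aws iam get-credential-report returned no report content or timestamp"
  exit 3
fi

# Age of the report in seconds. Past max_rep_age the data is considered too
# old to trust and the check goes CRITICAL even if everyone has MFA.
# NOTE: 'date -d' is GNU-specific; an unparsable timestamp would otherwise
# silently become "today 00:00" and produce a bogus age.
now=$(date +%s)
if ! rep_epoch=$(date -d "$rep_time" +%s 2>/dev/null); then
  echo "UNKNOWN - cannot parse credential report timestamp '$rep_time'"
  exit 3
fi
rep_age=$((now-rep_epoch))
max_rep_age=$((5*60*60))

# Credential report CSV columns used below:
#   $1 user   $5 password_last_used   $8 mfa_active
# password_last_used is "N/A" for users without a console password, so the
# filter keeps only login users; the root row is relabelled ROOT. The header
# row also survives the filter and is dropped with 'sed 1d' before counting.
if ! table=$(echo "$report" | base64 -d | sed 's#<root_account>#ROOT#' | awk -F, '$5!="N/A"{print $1, $5, $8}'); then
  echo "UNKNOWN - cannot decode credential report"
  exit 3
fi

cnt=0; bad=0; no_mfa=""
# mfa_active is the literal "true"/"false". Anything else (empty, garbled)
# is counted as missing MFA so a malformed row can never hide a user.
while read -r user last_login mfa; do
  cnt=$((cnt+1))
  if [ "$mfa" != true ]; then
    no_mfa+=" $user"
    bad=$((bad+1))
  fi
done < <(echo "$table" | sed 1d)
no_mfa=${no_mfa/ /}   # drop the leading separator

# The report always carries the root account row, so a scan of zero login
# users almost certainly means the report was not parsed as expected; refuse
# to report OK on it. (Edge case; confirm against a real report if it fires.)
if [ "$cnt" -eq 0 ]; then
  echo "UNKNOWN - credential report decoded but contained no login users (not even the root account)"
  exit 3
fi

table="<pre>$(echo "$table" | column -t)</pre>"
perf_data="| no_mfa=$bad;1;1; login_user=$cnt; report_age_minutes=$(($rep_age/60));$(($max_rep_age/60));$(($max_rep_age/60));"

# A missing MFA is reported first; report staleness only matters once the
# data itself is clean.
if [ "$bad" -ne 0 ]; then
  echo "CRITICAL - Scanned $cnt login users, found $bad without MFA: ${no_mfa// /, } (report age is $(($rep_age/60)) minutes) $perf_data"
  echo "$table"
  exit 2
fi
if [ "$rep_age" -lt "$max_rep_age" ]; then
  echo "OK - Scanned $cnt login users, all have MFA (report age is $(($rep_age/60)) minutes) $perf_data"
  echo "$table"
  exit 0
fi
echo "Critical - Scanned $cnt login users, all have MFA (report age is older than $(($max_rep_age/60))m - $(($rep_age/60)) minutes) $perf_data"
echo "$table"
exit 2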