add default (#537)

* add default values and logic fix

rules/aws_cloudtrail_rules/aws_iam_user_key_created.py

@@ -6,8 +6,9 @@ def rule(event):
         event.get("eventSource") == "iam.amazonaws.com"
         and event.get("eventName") == "CreateAccessKey"
         and (
-            deep_get(event, "responseElements", "accessKey", "userName")
-            not in deep_get(event, "userIdentity", "arn")
+            not deep_get(event, "userIdentity", "arn", default="").endswith(
+                f"user/{deep_get(event, 'responseElements', 'accessKey', 'userName', default='')}"
+            )
         )
     )
 
@@ -16,7 +17,7 @@ def title(event):
     return (
         f"[{deep_get(event,'userIdentity','arn')}]"
         " created API keys for "
-        f"[{deep_get(event,'responseElements','accessKey','userName')}]"
+        f"[{deep_get(event,'responseElements','accessKey','userName', default = '')}]"
     )
 
 

rules/aws_cloudtrail_rules/aws_iam_user_key_created.yml

@@ -84,6 +84,83 @@ Tests:
             type: IAMUser
             userName: user1
       Name: user1 create keys for user2
+    - ExpectedResult: true
+      Log:
+        awsRegion: us-east-1
+        eventCategory: Management
+        eventID: "12345"
+        eventName: CreateAccessKey
+        eventSource: iam.amazonaws.com
+        eventTime: "2022-09-27 17:09:18"
+        eventType: AwsApiCall
+        eventVersion: "1.08"
+        managementEvent: true
+        readOnly: false
+        recipientAccountId: "123456789"
+        requestParameters:
+            userName: jack
+        responseElements:
+            accessKey:
+                accessKeyId: ABCDEFG
+                createDate: Sep 27, 2022 5:09:18 PM
+                status: Active
+                userName: jack
+        sourceIPAddress: cloudformation.amazonaws.com
+        userAgent: cloudformation.amazonaws.com
+        userIdentity:
+            accessKeyId: ABCDEFGH
+            accountId: "123456789"
+            arn: arn:aws:iam::123456789:user/jackson
+            invokedBy: cloudformation.amazonaws.com
+            principalId: ABCDEFGH
+            sessionContext:
+                attributes:
+                    creationDate: "2022-09-27T17:08:35Z"
+                    mfaAuthenticated: "false"
+                sessionIssuer: {}
+                webIdFederationData: {}
+            type: IAMUser
+            userName: user1
+      Name: jackson create keys for jack
+    - ExpectedResult: true
+      Log:
+        awsRegion: us-east-1
+        eventCategory: Management
+        eventID: "12345"
+        eventName: CreateAccessKey
+        eventSource: iam.amazonaws.com
+        eventTime: "2022-09-27 17:09:18"
+        eventType: AwsApiCall
+        eventVersion: "1.08"
+        managementEvent: true
+        readOnly: false
+        recipientAccountId: "123456789"
+        requestParameters:
+            userName: jackson
+        responseElements:
+            accessKey:
+                accessKeyId: ABCDEFG
+                createDate: Sep 27, 2022 5:09:18 PM
+                status: Active
+                userName: jackson
+        sourceIPAddress: cloudformation.amazonaws.com
+        userAgent: cloudformation.amazonaws.com
+        userIdentity:
+            accessKeyId: ABCDEFGH
+            accountId: "123456789"
+            arn: arn:aws:iam::123456789:user/jack
+            invokedBy: cloudformation.amazonaws.com
+            principalId: ABCDEFGH
+            sessionContext:
+                attributes:
+                    creationDate: "2022-09-27T17:08:35Z"
+                    mfaAuthenticated: "false"
+                sessionIssuer: {}
+                webIdFederationData: {}
+            type: IAMUser
+            userName: user1
+      Name: jack create keys for jackson
+
 DedupPeriodMinutes: 60
 LogTypes:
     - AWS.CloudTrail