From cdfe64d73a9ab4e1a3abd4f2b42035772ea80b38 Mon Sep 17 00:00:00 2001
From: Jaffer Li
Date: Fri, 3 Mar 2017 19:48:24 +0800
Subject: [PATCH] Fix bug of ControlId: 1.23, for non password user

Fix bug of Control ID: 1.23. Definition of Control ID: 1.23 is "Do not setup access keys during initial user setup for all IAM users that have a console password"
Add new conditional to exclude the IAM users which don't have console password.
---
 .../aws-cis-foundation-benchmark-checklist.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/aws_cis_foundation_framework/aws-cis-foundation-benchmark-checklist.py b/aws_cis_foundation_framework/aws-cis-foundation-benchmark-checklist.py
index 6072304..0c716ab 100644
--- a/aws_cis_foundation_framework/aws-cis-foundation-benchmark-checklist.py
+++ b/aws_cis_foundation_framework/aws-cis-foundation-benchmark-checklist.py
@@ -727,7 +727,7 @@ def control_1_23_no_active_initial_access_keys_with_iam_user(credreport):
 scored = False
 offenders = []
 for n, _ in enumerate(credreport):
- if (credreport[n]['access_key_1_active'] or credreport[n]['access_key_2_active'] == 'true') and n > 0:
+ if (credreport[n]['access_key_1_active'] or credreport[n]['access_key_2_active'] == 'true') and n > 0 and credreport[n]['password_enabled'] == 'true':
 response = IAM_CLIENT.list_access_keys(
 UserName=str(credreport[n]['user'])
 )
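Review bot: The added `+` line keeps the precedence defect of the line it replaces: `credreport[n]['access_key_1_active'] or credreport[n]['access_key_2_active'] == 'true'` parses as `access_key_1_active or (access_key_2_active == 'true')`, and if that field arrives as a string such as `'false'` (the neighbouring `== 'true'` comparisons on `access_key_2_active` and `password_enabled` suggest the report fields are strings), the first operand is always truthy, so every user with a console password enters the branch regardless of whether any key is active. Compare both flags explicitly: `if (credreport[n]['access_key_1_active'] == 'true' or credreport[n]['access_key_2_active'] == 'true') and n > 0 and credreport[n]['password_enabled'] == 'true':`. The new `password_enabled == 'true'` clause itself is the right narrowing for CIS 1.23, which is scoped to users that have a console password; the over-broad key test is what remains. With the current condition the `IAM_CLIENT.list_access_keys` call below runs for password users that have no active key at all, which is wasted API traffic and, depending on what the rest of the loop does with `response`, may produce false positives in `offenders`. `control_1_23_no_active_initial_access_keys_with_iam_user` begins before this hunk (only its signature is visible in the hunk header) and its body continues past the last context line.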