From bce18d807fb1b1983cd28ca8081f532b2c7ff321 Mon Sep 17 00:00:00 2001
From: Jim Razmus II
Date: Fri, 29 Sep 2017 17:50:36 -0500
Subject: [PATCH 1/2] We are compliant if we 'do' have a serial number.

---
 architecture/create-benchmark-rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/architecture/create-benchmark-rules.yaml b/architecture/create-benchmark-rules.yaml
index 3eb434e..62abdb9 100644
--- a/architecture/create-benchmark-rules.yaml
+++ b/architecture/create-benchmark-rules.yaml
@@ -265,7 +265,7 @@
 # Determine whether the root account uses hardware-based MFA.
 mfa_devices = client.list_virtual_mfa_devices()['VirtualMFADevices']
 for mfa_device in mfa_devices:
- if not 'SerialNumber' in mfa_device:
+ if 'SerialNumber' in mfa_device:
 is_compliant = is_compliant and True
 else:
 is_compliant = is_compliant and False

From 23001c27586d08235e31b32e29ef3adc73ea6933 Mon Sep 17 00:00:00 2001
From: Jim Razmus II
Date: Fri, 29 Sep 2017 17:51:40 -0500
Subject: [PATCH 2/2] Fix failures resulting from an empty annotation when we are compliant.

---
 architecture/create-benchmark-rules.yaml | 27 ++++++++++++------------
 1 file changed, 14 insertions(+), 13 deletions(-)

diff --git a/architecture/create-benchmark-rules.yaml b/architecture/create-benchmark-rules.yaml
index 62abdb9..1526197 100644
--- a/architecture/create-benchmark-rules.yaml
+++ b/architecture/create-benchmark-rules.yaml
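Review bot: The new condition on the `+` line still does not test for hardware MFA: as far as I know every entry that ListVirtualMFADevices returns carries a SerialNumber (it is the virtual device's ARN), so `'SerialNumber' in mfa_device` is always true and this check can no longer mark the account non-compliant, while the inverted original flagged every account that had any virtual device. A virtual device in this list is the opposite of hardware MFA; the CIS root hardware-MFA procedure lists assigned virtual devices and fails when one belongs to root, e.g. `for mfa_device in client.list_virtual_mfa_devices(AssignmentStatus='Assigned')['VirtualMFADevices']:` / `if mfa_device['SerialNumber'].endswith(':mfa/root-account-mfa-device'):` / `is_compliant = False`, paired with the `AccountMFAEnabled` flag from get_account_summary so an account with no MFA at all is also non-compliant (pagination of the device list is also not handled here). Independently of that, `is_compliant = is_compliant and True` is a no-op and the else branch reduces to `is_compliant = False`. The enclosing handler starts and ends outside the hunk.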
@@ -288,19 +288,20 @@
 annotation = annotation + ' The root account has active access keys associated with it.'
 break
 
- config = boto3.client('config')
- config.put_evaluations(
- Evaluations=[
- {
- 'ComplianceResourceType': 'AWS::::Account',
- 'ComplianceResourceId': 'Root',
- 'ComplianceType': 'COMPLIANT' if is_compliant else 'NON_COMPLIANT',
- 'Annotation': annotation,
- 'OrderingTimestamp': datetime.datetime.now(),
- },
- ],
- ResultToken=result_token
- )
+ evaluations = [
+ {
+ 'ComplianceResourceType': 'AWS::::Account',
+ 'ComplianceResourceId': 'Root',
+ 'ComplianceType': 'COMPLIANT' if is_compliant else 'NON_COMPLIANT',
+ 'OrderingTimestamp': datetime.datetime.now(),
+ }
+ ]
+
+ if annotation: evaluations[0]['Annotation'] = annotation
+
+ response = boto3.client('config').put_evaluations(
+ Evaluations = evaluations,
+ ResultToken = result_token)
 
 Description: Evaluates the security properties of the root account
 Handler: index.lambda_handler
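Review bot: The result of `put_evaluations` is bound to `response` on the last `+` lines but its `FailedEvaluations` list is never inspected, so an evaluation the service rejects (for example an annotation that grows past the API's length limit as more findings are concatenated — as I recall the same validation class this commit works around for the empty case) is dropped silently and the root-account result never reaches Config. Add `if response.get('FailedEvaluations'): raise RuntimeError('put_evaluations rejected: %s' % response['FailedEvaluations'])` after the call so the invocation fails visibly and a missing evaluation can be alerted on. `datetime.datetime.now()` in `OrderingTimestamp` is a naive local timestamp; Config documents this field as the time of the triggering event, so the timestamp carried in the invoking event (or at least `datetime.datetime.now(datetime.timezone.utc)`) would avoid ordering results by the Lambda host's clock. On style, `if annotation: evaluations[0]['Annotation'] = annotation` puts the body on the condition line and `Evaluations = evaluations` spaces a keyword `=`, both against PEP 8. The enclosing handler starts outside the hunk.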