def control_3_7_log_metric_alarm_for_disable_deletion_CMK():
cont = Control(
'3.7',
'Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs',
True)
res = monitoring_common_function([
"\$\.eventSource\s*=\s*\"?kms\.amazonaws\.com(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?DisableKey(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?ScheduleKeyDeletion(\"|\)|\s)"
], cloudtrials)
if res == 0:
cont.fail_reason = 'No trail found'
elif res == 1:
cont.fail_reason = 'No metric filter found from Log group'
elif res == 2:
cont.fail_reason = 'Pattern not found in the metric filter'
cont.offenders = 'No alarm exist for disabling or scheduled deletion of Customer Managed keys'
elif res == 3:
cont.fail_reason = 'No alarm is found for the metric filter'
else:
cont.result = True
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_3_9_log_metric_alarm_for_awsconfig_config_changes():
cont = Control(
'3.9',
'Ensure a log metric filter and alarm exist for AWS Config configuration changes',
True)
res = monitoring_common_function([
"\$\.eventSource\s*=\s*\"?config\.amazonaws\.com(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?StopConfigurationRecorder(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?DeleteDeliveryChannel(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?PutDeliveryChannel(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?PutConfigurationRecorder(\"|\)|\s)"
], cloudtrials)
if res == 0:
cont.fail_reason = 'No trail found'
elif res == 1:
cont.fail_reason = 'No metric filter found from Log group'
elif res == 2:
cont.fail_reason = 'Pattern not found in the metric filter'
cont.offenders = 'No alarm exist for AWSConfig configuration changes'
elif res == 3:
cont.fail_reason = 'No alarm is found for the metric filter'
else:
cont.result = True
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_3_6_log_metric_alarm_for_aws_console_auth_failures():
cont = Control(
'3.6',
'Ensure a log metric filter and alarm exist for AWS Management Console authentication failures',
True)
res = monitoring_common_function([
"\$\.eventName\s*=\s*\"?ConsoleLogin(\"|\)|\s)",
"\$\.errorMessage\s*=\s*\"?Failed authentication(\"|\)|\s)"
], cloudtrials)
if res == 0:
cont.fail_reason = 'No trail found'
elif res == 1:
cont.fail_reason = 'No metric filter found from Log group'
elif res == 2:
cont.fail_reason = 'Pattern not found in the metric filter'
cont.offenders = 'No alarm exist for AWS Console authentication failures'
elif res == 3:
cont.fail_reason = 'No alarm is found for the metric filter'
else:
cont.result = True
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_3_5_log_metric_alarm_for_cloudtrail_config_changes():
cont = Control(
'3.5',
'Ensure a log metric filter and alarm exist for CloudTrail configuration changes',
True)
res = monitoring_common_function([
"\$\.eventName\s*=\s*\"?CreateTrail(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?UpdateTrail(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?DeleteTrail(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?StartLogging(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?StopLogging(\"|\)|\s)"
], cloudtrials)
if res == 0:
cont.fail_reason = 'No trail found'
elif res == 1:
cont.fail_reason = 'No metric filter found from Log group'
elif res == 2:
cont.fail_reason = 'Pattern not found in the metric filter'
cont.offenders = 'No alarm exist for Cloudtrail configuration changes'
elif res == 3:
cont.fail_reason = 'No alarm is found for the metric filter'
else:
cont.result = True
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_1_16_policy_attached_grp_roles():
cont = Control('1.16',
'Ensure IAM policies are attached only to groups or roles',
True)
all_users_paginator = IAM_CLIENT.get_paginator('list_users')
for users in all_users_paginator.paginate():
for user in users['Users']:
if user is None:
continue
if IAM_CLIENT.list_attached_user_policies(
UserName=user['UserName'])['AttachedPolicies']:
if 'Managed Policies attached directly to user.' not in cont.fail_reason:
cont.fail_reason = "Managed Policies attached directly to user."
cont.offenders = user['Arn'] + ":=> Managed policy"
if IAM_CLIENT.list_user_policies(
UserName=user['UserName'])['PolicyNames']:
if 'Inline Policies are attached directly to user.' not in cont.fail_reason:
cont.fail_reason = "Inline Policies are attached directly to user."
cont.offenders = user['Arn'] + ":=> Inline policy"
if not cont.offenders:
cont.result = True
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_3_10_log_metric_alarm_for_security_group_changes():
cont = Control(
'3.10',
'Ensure a log metric filter and alarm exist for security group changes',
True)
res = monitoring_common_function([
"\$\.eventName\s*=\s*\"?AuthorizeSecurityGroupIngress(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?AuthorizeSecurityGroupEgress(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?RevokeSecurityGroupIngress(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?RevokeSecurityGroupEgress(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?CreateSecurityGroup(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?DeleteSecurityGroup(\"|\)|\s)"
], cloudtrials)
if res == 0:
cont.fail_reason = 'No trail found'
elif res == 1:
cont.fail_reason = 'No metric filter found from Log group'
elif res == 2:
cont.fail_reason = 'Pattern not found in the metric filter'
cont.offenders = 'No alarm exist for Security group changes'
elif res == 3:
cont.fail_reason = 'No alarm is found for the metric filter'
else:
cont.result = True
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_3_11_log_metric_alarm_for_NACL_changes():
cont = Control(
'3.11',
'Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)',
True)
res = monitoring_common_function([
"\$\.eventName\s*=\s*\"?CreateNetworkAcl(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?CreateNetworkAclEntry(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?DeleteNetworkAcl(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?DeleteNetworkAclEntry(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?ReplaceNetworkAclEntry(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?ReplaceNetworkAclAssociation(\"|\)|\s)"
], cloudtrials)
if res == 0:
cont.fail_reason = 'No trail found'
elif res == 1:
cont.fail_reason = 'No metric filter found from Log group'
elif res == 2:
cont.fail_reason = 'Pattern not found in the metric filter'
cont.offenders = 'No alarm exist for Network Access Control Lists (NACL) changes'
elif res == 3:
cont.fail_reason = 'No alarm is found for the metric filter'
else:
cont.result = True
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_3_2_log_metric_alarm_for_signin_without_MFA():
cont = Control(
'3.2',
'Ensure a log metric filter and alarm exist for Management Console sign-in without MFA',
True)
res = monitoring_common_function([
"\$\.eventName\s*=\s*\"?ConsoleLogin(\"|\)|\s)",
"\$\.additionalEventData\.MFAUsed\s*\!=\s*\"?Yes"
], cloudtrials)
if res == 0:
cont.fail_reason = 'No trail found'
elif res == 1:
cont.fail_reason = 'No metric filter found from Log group'
elif res == 2:
cont.fail_reason = 'Pattern not found in the metric filter'
cont.offenders = 'No alarm exist for Sign-in without MFA'
elif res == 3:
cont.fail_reason = 'No alarm is found for the metric filter'
else:
cont.result = True
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_3_3_log_metric_alarm_for_usage_root_account():
cont = Control(
'3.3',
'Ensure a log metric filter and alarm exist for usage of "root" account',
True)
res = monitoring_common_function([
"\$\.userIdentity\.type\s*=\s*\"?Root",
"\$\.userIdentity\.invokedBy\s*NOT\s*EXISTS",
"\$\.eventType\s*\!=\s*\"?AwsServiceEvent(\"|\)|\s)"
], cloudtrials)
if res == 0:
cont.fail_reason = 'No trail found'
elif res == 1:
cont.fail_reason = 'No metric filter found from Log group'
elif res == 2:
cont.fail_reason = 'Pattern not found in the metric filter'
cont.offenders = 'No alarm exist for usage of root account'
elif res == 3:
cont.fail_reason = 'No alarm is found for the metric filter'
else:
cont.result = True
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_1_14_hardware_mfa_enabled_root():
cont = Control('1.14',
'Ensure hardware MFA is enabled for the "root" account',
True)
root_account_MFA = IAM_CLIENT.get_account_summary(
)['SummaryMap']['AccountMFAEnabled']
if root_account_MFA == 1:
hardware_MFA_paginator = IAM_CLIENT.get_paginator(
'list_virtual_mfa_devices')
for resp in hardware_MFA_paginator.paginate(AssignmentStatus='Any'):
for hardware_MFA in resp['VirtualMFADevices']:
if "mfa/root-account-mfa-device" in hardware_MFA[
'SerialNumber']:
cont.result = True
break
if cont.result is False:
cont.fail_reason = 'The root account does not have Hardware MFA'
else:
cont.fail_reason = 'The root account does not have MFA enabled'
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_3_1_log_metric_alarm_for_unauthorized_API():
cont = Control(
'3.1',
'Ensure a log metric filter and alarm exist for unauthorized API calls',
True)
res = monitoring_common_function([
"\$\.errorCode\s*=\s*\"?\*UnauthorizedOperation(\"|\)|\s)",
"\$\.errorCode\s*=\s*\"?AccessDenied\*(\"|\)|\s)"
], cloudtrials)
if res == 0:
cont.fail_reason = 'No trail found'
elif res == 1:
cont.fail_reason = 'No metric filter found from Log group'
elif res == 2:
cont.fail_reason = 'Pattern not found in the metric filter'
elif res == 3:
cont.fail_reason = 'No alarm is found for the metric filter'
else:
cont.result = True
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_3_13_log_metric_alarm_for_route_table_changes():
cont = Control(
'3.13',
'Ensure a log metric filter and alarm exist for route table changes',
True)
res = monitoring_common_function([
"\$\.eventName\s*=\s*\"?CreateRoute(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?CreateRouteTable(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?ReplaceRoute(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?ReplaceRouteTableAssociation(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?DeleteRouteTable(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?DeleteRoute(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?DisassociateRouteTable(\"|\)|\s)"
], cloudtrials)
if res == 0:
cont.fail_reason = 'No trail found'
elif res == 1:
cont.fail_reason = 'No metric filter found from Log group'
elif res == 2:
cont.fail_reason = 'Pattern not found in the metric filter'
cont.offenders = 'No alarm exist for Route table changes'
elif res == 3:
cont.fail_reason = 'No alarm is found for the metric filter'
else:
cont.result = True
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_3_12_log_metric_alarm_for_network_gateway_changes():
cont = Control(
'3.12',
'Ensure a log metric filter and alarm exist for changes to network gateways',
True)
res = monitoring_common_function([
"\$\.eventName\s*=\s*\"?CreateCustomerGateway(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?DeleteCustomerGateway(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?AttachInternetGateway(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?CreateInternetGateway(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?DeleteInternetGateway(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?DetachInternetGateway(\"|\)|\s)"
], cloudtrials)
if res == 0:
cont.fail_reason = 'No trail found'
elif res == 1:
cont.fail_reason = 'No metric filter found from Log group'
elif res == 2:
cont.fail_reason = 'Pattern not found in the metric filter'
cont.offenders = 'No alarm exist for Network Gateway changes'
elif res == 3:
cont.fail_reason = 'No alarm is found for the metric filter'
else:
cont.result = True
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_1_3_creds_unused_90_days():
cont = Control(
"1.3", 'Ensure credentials unused for 90 days or greater are disabled',
True)
report = CRED_REPORT
for each_report in report:
try:
if each_report['password_enabled'] == 'true':
passd_date = (
datetime.strptime(now, fmt) -
datetime.strptime(each_report['password_last_used'], fmt))
if passd_date.days > 90:
if 'Password unused more than 90 days.' not in cont.fail_reason:
cont.fail_reason = 'Password unused more than 90 days.'
cont.offenders = each_report['arn'] + "=>:password"
except:
pass
try:
if each_report['access_key_1_active'] == 'true':
access_key_1_date = (
datetime.strptime(now, fmt) - datetime.strptime(
each_report['access_key_1_last_used_date'], fmt))
if access_key_1_date.days > 90:
if 'Access key unused more than 90 days.' not in cont.fail_reason:
cont.fail_reason = 'Access key unused more than 90 days.'
cont.offenders = each_report['arn'] + "=>:access_key_1"
except:
pass
try:
if each_report['access_key_2_active'] == 'true':
access_key_1_date = (
datetime.strptime(now, fmt) - datetime.strptime(
each_report['access_key_2_last_used_date'], fmt))
if access_key_1_date.days > 90:
if 'Access key unused more than 90 days.' not in cont.fail_reason:
cont.fail_reason = 'Access key unused more than 90 days.'
cont.offenders = each_report['arn'] + "=>:access_key_2"
except:
pass
if not cont.offenders:
cont.result = True
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_4_4_vpc_peering_least_access():
cont = Control('4.4',
'Ensure routing tables for VPC peering are "least access',
False)
vpc_paginator = EC2_CLIENT.get_paginator('describe_route_tables')
for route_tables in vpc_paginator.paginate():
for routes in route_tables['RouteTables']:
for route in routes['Routes']:
if 'VpcPeeringConnectionId' in route:
if int(
str(route['DestinationCidrBlock']).split(
'/', 1)[1]) < 24:
if not cont.fail_reason:
cont.fail_reason = 'Large CIDR block routed to peer discovered'
cont.offenders = routes['RouteTableId']
if not cont.offenders:
cont.result = True
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_2_6_s3_logging_enabled_cts3_bucket():
cont = Control(
'2.6',
'Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket',
True)
for each_trail in cloudtrial_describe_trails:
if 'LoggingEnabled' in S3_CLIENT.get_bucket_logging(
Bucket=each_trail['S3BucketName']):
continue
else:
if 'CloudTrail Bucket logging is not enabled' not in cont.fail_reason:
cont.fail_reason = 'CloudTrail Bucket logging is not enabled'
cont.offenders = each_trail['Name'] + \
' => ' + each_trail['S3BucketName']
if not cont.offenders:
cont.result = True
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_4_3_security_group_vpc_restricts():
cont = Control(
'4.3',
'Ensure the default security group of every VPC restricts all traffic',
True)
security_groups_iterator = EC2_CLIENT.get_paginator(
'describe_security_groups')
for groups in security_groups_iterator.paginate(Filters=[
{
'Name': 'group-name',
'Values': [
'default',
]
},
]):
for group in groups['SecurityGroups']:
if not (len(group['IpPermissions']) +
len(group['IpPermissionsEgress'])) == 0:
if not cont.fail_reason:
cont.fail_reason = 'Default security groups with ingress or egress rules discovered'
cont.offenders = group['GroupId']
if not cont.offenders:
cont.result = True
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_1_21_intial_access_keys_setup():
cont = Control(
'1.21',
'Do not setup access keys during initial user setup for all IAM users that have a console password',
False)
users_paginate = IAM_CLIENT.get_paginator('list_users')
for users in users_paginate.paginate():
for user in users['Users']:
for access_time in IAM_CLIENT.list_access_keys(
UserName=user['UserName'])['AccessKeyMetadata']:
if access_time['CreateDate'] == access_time['CreateDate']:
if 'Keys that were created at the same time as the user profile' not in cont.fail_reason:
cont.fail_reason = 'Keys that were created at the same time as the user profile'
cont.offenders = user['UserName']
if not cont.offenders:
cont.result = True
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_3_4_log_metric_alarm_for_IAM_policy_changes():
cont = Control(
'3.4',
'Ensure a log metric filter and alarm exist for IAM policy changes',
True)
res = monitoring_common_function([
"\$\.eventName\s*=\s*\"?DeleteGroupPolicy(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?DeleteRolePolicy(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?DeleteUserPolicy(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?PutGroupPolicy(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?PutRolePolicy(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?PutUserPolicy(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?CreatePolicy(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?DeletePolicy(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?CreatePolicyVersion(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?DeletePolicyVersion(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?AttachRolePolicy(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?DetachRolePolicy(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?AttachUserPolicy(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?DetachUserPolicy(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?AttachGroupPolicy(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?DetachGroupPolicy(\"|\)|\s)"
], cloudtrials)
if res == 0:
cont.fail_reason = 'No trail found'
elif res == 1:
cont.fail_reason = 'No metric filter found from Log group'
elif res == 2:
cont.fail_reason = 'Pattern not found in the metric filter'
cont.offenders = 'No alarm exist for usage of root account'
elif res == 3:
cont.fail_reason = 'No alarm is found for the metric filter'
else:
cont.result = True
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_2_5_aws_config_enabled_all_regions():
cont = Control('2.5', 'Ensure AWS Config is enabled in all regions', True)
flag = False
configuration_recorders = CONFIG_SERVICE_CLIENT.describe_configuration_recorders(
)['ConfigurationRecorders']
recorders = list()
for each_recorder in configuration_recorders:
if each_recorder['recordingGroup'][
'allSupported'] is True and each_recorder['recordingGroup'][
'includeGlobalResourceTypes'] is True:
flag = True
recorders.append(each_recorder['name'])
if not recorders:
cont.fail_reason = 'No Configservice recorders found'
cont.offenders = 'No recoders found!.'
else:
flg = False
for recoder_status in CONFIG_SERVICE_CLIENT.describe_configuration_recorder_status(
ConfigurationRecorderNames=recorders
)['ConfigurationRecordersStatus']:
if recoder_status['recording'] is True and recoder_status[
'lastStatus'] == 'Success':
flg = True
break
if flg is False:
cont.fail_reason = 'No recorders is recording or and State is not success'
if flag is True:
cont.result = True
else:
cont.fail_reason = 'The Recording group does not suport all regions and resources'
cont.offenders = 'Configuration Recorders'
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_1_4_access_key_rotated():
cont = Control('1.4',
'Ensure access keys are rotated every 90 days or less',
True)
report = CRED_REPORT
for each_report in report:
if each_report['access_key_1_active'] == 'true':
if each_report['access_key_1_last_used_date'] == 'N/A':
cont.fail_reason = 'Access key unused more than 90 days.'
cont.offenders = each_report['arn'] + "=>:access_key_1"
else:
access_key_1_date = (
datetime.strptime(now, fmt) - datetime.strptime(
each_report['access_key_1_last_used_date'], fmt))
if access_key_1_date.days > 90:
if 'Access key unused more than 90 days.' not in cont.fail_reason:
cont.fail_reason = 'Access key unused more than 90 days.'
cont.offenders = each_report['arn'] + "=>:access_key_1"
if each_report['access_key_2_active'] == 'true':
if each_report['access_key_1_last_used_date'] == 'N/A':
cont.fail_reason = 'Access key unused more than 90 days.'
cont.offenders = each_report['arn'] + "=>:access_key_1"
else:
access_key_1_date = (
datetime.strptime(now, fmt) - datetime.strptime(
each_report['access_key_2_last_used_date'], fmt))
if access_key_1_date.days > 90:
if 'Access key unused more than 90 days.' not in cont.fail_reason:
cont.fail_reason = 'Access key unused more than 90 days.'
cont.offenders = each_report['arn'] + "=>:access_key_2"
if not cont.offenders:
cont.result = True
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_1_8_passwd_policy_one_number():
cont = Control('1.8',
'Ensure IAM password policy require at least one number',
True)
if ACCOUNT_PASSWORD_POLICY is False:
cont.fail_reason = "Account does not have a IAM password policy"
else:
if ACCOUNT_PASSWORD_POLICY['RequireNumbers'] is True:
cont.result = True
else:
cont.fail_reason = 'Require atleast one number is not set.'
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_1_10_passwd_policy_passd_reuse():
cont = Control('1.10',
'Ensure IAM password policy prevents password reuse', True)
if ACCOUNT_PASSWORD_POLICY is False:
cont.fail_reason = "Account does not have a IAM password policy"
else:
if ACCOUNT_PASSWORD_POLICY['PasswordReusePrevention'] == 24:
cont.result = True
else:
cont.fail_reason = 'Requires minimum password reuse is 24.'
cont.offenders = 'The current password resuse policy is {0}'.format(
ACCOUNT_PASSWORD_POLICY['PasswordReusePrevention'])
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_1_6_passwd_policy_lowercase():
cont = Control(
'1.6',
'Ensure IAM password policy require at least one lowercase letter',
True)
if ACCOUNT_PASSWORD_POLICY is False:
cont.fail_reason = "Account does not have a IAM password policy"
else:
if ACCOUNT_PASSWORD_POLICY['RequireLowercaseCharacters'] is True:
cont.result = True
else:
cont.fail_reason = 'Require lowercase characters is not set.'
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_2_3_cloudtrail_s3_not_public_accessable():
cont = Control(
'2.3',
'Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible',
True)
for each_trail_bucket in cloudtrial_describe_trails:
s3_grants = S3_CLIENT.get_bucket_acl(
Bucket=each_trail_bucket['S3BucketName'])['Grants']
for grant in s3_grants:
if 'URI' in grant:
if grant['URI'] == 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers' or grant[
'URI'] == 'http://acs.amazonaws.com/groups/global/AllUsers':
fail_res = 'All Users or Authenticated Users are granted privelge to the bucket'
if fail_res not in cont.fail_reason:
cont.fail_reason = fail_res
cont.offenders = each_trail_bucket['S3BucketName']
bucket_policy = loads(
S3_CLIENT.get_bucket_policy(
Bucket=each_trail_bucket['S3BucketName'])
['Policy'])['Statement']
for policy in bucket_policy:
if policy['Effect'] == 'Allow' and ('*' in policy['Principal'] or
'AWS' in policy['Principal']):
fail_res = 'Bucket policy is set for Public access'
if fail_res not in cont.fail_reason:
cont.fail_reason = fail_res
cont.offenders = each_trail_bucket['S3BucketName']
if not cont.offenders:
cont.result = True
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_1_17_current_contact_details():
cont = Control('1.17', 'Maintain current contact details', False)
cont.offenders = 'Check manually in AWS console'
cont.fail_reason = 'No API available to perform this action'
cont.result = None
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_1_11_passwd_policy_passd_expiry_age():
cont = Control(
'1.11',
'Ensure IAM password policy expires passwords within 90 days or less',
True)
if ACCOUNT_PASSWORD_POLICY is False:
cont.fail_reason = "Account does not have a IAM password policy"
else:
if ACCOUNT_PASSWORD_POLICY['MaxPasswordAge'] <= 90:
cont.result = True
else:
cont.fail_reason = 'Requires minimum password expires less or equal to 90.'
cont.offenders = 'The current password expiry policy is {0}'.format(
ACCOUNT_PASSWORD_POLICY['PasswordReusePrevention'])
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_1_9_passwd_policy_passd_length():
cont = Control(
'1.9',
'Ensure IAM password policy requires minimum length of 14 or greater',
True)
if ACCOUNT_PASSWORD_POLICY is False:
cont.fail_reason = "Account does not have a IAM password policy"
else:
if ACCOUNT_PASSWORD_POLICY['MinimumPasswordLength'] >= 14:
cont.result = True
else:
cont.fail_reason = 'Requires minimum password length is 14.'
cont.offenders = 'The current password length policy is {0}'.format(
ACCOUNT_PASSWORD_POLICY['MinimumPasswordLength'])
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_2_2_cloudtrail_log_file_validation():
cont = Control('2.2', 'Ensure CloudTrail log file validation is enabled',
True)
if not cloudtrial_describe_trails:
cont.fail_reason = 'CloudTrail is not created'
cont.offenders = 'CloudTrail is not created'
else:
for each_trail in cloudtrial_describe_trails:
if each_trail['LogFileValidationEnabled'] is False:
if 'Logfile Validation is not enabled' not in cont.fail_reason:
cont.fail_reason = 'Logfile Validation is not enabled'
cont.offenders = each_trail['TrailARN']
if not cont.offenders:
cont.result = True
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_1_1_no_root_account_use():
cont = Control("1.1", 'Avoid the use of the "root" account', True)
report = CRED_REPORT[0]
if report['user'] == '<root_account>' and report[
'access_key_1_last_used_date'] == 'N/A' and report[
'access_key_2_last_used_date'] == 'N/A':
try:
pwd_used_time = (
datetime.strptime(now, fmt) -
datetime.strptime(report['password_last_used'], fmt))
if pwd_used_time.days == 0:
cont.fail_reason("Password has been used within last 24 hours")
else:
cont.result = True
except Exception:
pass
else:
try:
access_key_1_time = (
datetime.strptime(now, fmt) -
datetime.strptime(report['access_key_1_last_used_date'], fmt))
access_key_2_time = (
datetime.strptime(now, fmt) -
datetime.strptime(report['access_key_2_last_used_date'], fmt))
if access_key_1_time.days == 0 or access_key_2_time.days == 0:
cont.fail_reason(
"Access keys have been used within last 24 hours.")
except Exception:
pass
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont._fail_reason,
'offenders': []
}