def unprotect_iam_safe_with_elevation(
        self,
        aws_cloud_account_id: str,
        entity_name: str,
        entity_type: str) -> None:
    """Unprotect an iam safe entity that is protected with elevation

    The entity is first restricted through ``protect_iam_safe`` and then
    released through ``unprotect_iam_safe``.

    :link https://api-v2-docs.dome9.com/index.html?python#user_deleteiamsafeentitiesforuser
    :param aws_cloud_account_id: Id of the aws cloud account, forwarded to both calls.
    :type aws_cloud_account_id: str
    :param entity_name: Aws iam user name or aws role
    :type entity_name: str
    :param entity_type: Entity type, must be one of the following Role or User
    :type entity_type: str
    :return None

    """
    # Validate the entity type before any request is sent.
    APIUtils.check_is_valid_entity_type(entity_type=entity_type)

    # Step 1: restrict the entity.
    restriction_request = RestrictedIamEntitiesRequest(entity_type=entity_type, entity_name=entity_name)
    self.protect_iam_safe(aws_cloud_account_id=aws_cloud_account_id, body=restriction_request)

    # Step 2: remove the protection.
    # NOTE(review): the two calls are not atomic. If this second call fails,
    # the entity is left in whatever state protect_iam_safe produced, so the
    # caller should re-check the entity's protection state on error.
    self.unprotect_iam_safe(
        aws_cloud_account_id=aws_cloud_account_id,
        entity_type=entity_type,
        entity_name=entity_name)
def __post_init__(self):
    """Validate ``region`` and ``new_group_behavior`` after initialisation

    :raises UnsupportedCloudAccountGroupBehaviors: when ``new_group_behavior``
        is not the value of one of the ``NewGroupBehaviors`` members.

    """
    APIUtils.check_is_valid_aws_region_id(self.region)

    # Allow-list built from the enum, so only known behaviors are accepted.
    allowed_behaviors = [member.value for member in NewGroupBehaviors]
    if self.new_group_behavior in allowed_behaviors:
        return

    raise UnsupportedCloudAccountGroupBehaviors(
        f'new group behaviors must be one of the following {allowed_behaviors}')
def update_iam_safe_with_elevation(
        self,
        aws_cloud_account_id: str,
        entity_name: str,
        entity_type: str,
        users_ids_to_protect: List[str]) -> None:
    """Update which users are protected with elevation for one iam entity

    The entity details are fetched, the currently attached users are resolved
    from ``attachedDome9Users`` and one PUT is issued per user id in the
    protected/unprotected map: the entity arn to protect, an empty list to
    unprotect.

    :link https://api-v2-docs.dome9.com/index.html?python#user_putiamsafeaccountiamentities
    :param aws_cloud_account_id: Id of the aws cloud account, used in the request route.
    :type aws_cloud_account_id: str
    :param entity_name: Aws iam user name or aws role
    :type entity_name: str
    :param entity_type: Entity type, must be one of the following Role or User
    :type entity_type: str
    :param users_ids_to_protect: List of users ids to protect
    :type users_ids_to_protect: List[str]
    :return None. Users whose request reported ``failedIamEntities`` are only written to the warning log.

    """
    APIUtils.check_is_valid_entity_type(entity_type=entity_type)

    failed_user_ids = set()
    details = self._get_iam_entity_details(
        aws_cloud_account_id=aws_cloud_account_id,
        entity_name=entity_name,
        entity_type=entity_type)
    attached_user_ids = AwsIamSafe._get_users_ids_according_to_emails(
        emails=details['attachedDome9Users'])
    # Maps user id -> True (protect) / False (unprotect).
    protection_plan = AwsIamSafe._generate_protected_unprotected_map(
        curr_protected_users_ids=attached_user_ids,
        users_ids_to_protect=users_ids_to_protect)

    # An empty entity list is the unprotect payload.
    unprotect_body = ProtectIamSafeWithElevation(iam_entities=[])
    protect_body = ProtectIamSafeWithElevation(iam_entities=[details['arn']])

    for user_id, to_protect in protection_plan.items():
        # NOTE(review): user_id and aws_cloud_account_id are interpolated into
        # the route as-is. Confirm callers pass trusted, well-formed ids.
        route = (
            f'{UserConsts.USER.value}/{user_id}/'
            f'{AwsIamSafeConsts.IAM_SAFE.value}/{AwsIamSafeConsts.ACCOUNTS.value}/'
            f'{aws_cloud_account_id}/{AwsIamSafeConsts.IAM_ENTITIES.value}'
        )
        payload = protect_body if to_protect else unprotect_body
        resp = self._put(route=route, body=payload)

        if len(resp['failedIamEntities']) > 0:
            failed_user_ids.add(user_id)

    # NOTE(review): a failed protect or unprotect is only logged, both under
    # the same "failed to protect" wording. The method still returns None, so
    # a caller cannot tell from the return value that a protection was not
    # applied.
    if failed_user_ids:
        logger.warning(
            f'failed to protect the following users with ids \n{failed_user_ids}')
def unprotect_iam_safe(
        self,
        aws_cloud_account_id: str,
        entity_type: str,
        entity_name: str) -> None:
    """Unprotect specific iam safe entity

    Sends a DELETE to the restricted iam entities route of the cloud account;
    the entity name travels as a query parameter.

    :param aws_cloud_account_id: Id of the aws cloud account, used in the request route.
    :type aws_cloud_account_id: str
    :param entity_type: entity type, must be User or Role
    :type entity_type: str
    :param entity_name: Entity name
    :type entity_name: str
    :return The result of ``self._delete`` is passed through, although the signature is annotated ``None``.

    """
    # entity_type becomes a path segment, so it is validated first.
    # aws_cloud_account_id is placed in the path without a check here.
    APIUtils.check_is_valid_entity_type(entity_type=entity_type)

    route = (
        f'{AwsCloudAccountConsts.CLOUD_ACCOUNTS.value}/{aws_cloud_account_id}/'
        f'{AwsIamSafeConsts.RESTRICTED_IAM_ENTITIES.value}/{entity_type}'
    )
    query = {AwsIamSafeConsts.ENTITY_NAME.value: entity_name}
    return self._delete(route=route, params=query)
def __post_init__(self):
    """Check ``protocolType`` with ``APIUtils.check_is_valid_protocol`` after initialisation"""
    # presumably raises on an unsupported protocol; confirm in APIUtils
    protocol_type = self.protocolType
    APIUtils.check_is_valid_protocol(protocol=protocol_type)
def __post_init__(self):
    """Check ``regionId`` with ``APIUtils.check_is_valid_aws_region_id`` after initialisation"""
    # presumably raises on an unknown region id; confirm in APIUtils
    region_id = self.regionId
    APIUtils.check_is_valid_aws_region_id(region=region_id)
def __post_init__(self):
    """Check ``ip`` with ``APIUtils.check_is_ip`` after initialisation"""
    # presumably raises when the value is not an IP address; confirm in APIUtils
    ip_value = self.ip
    APIUtils.check_is_ip(ip_value)
def __post_init__(self):
    """Validate ``region`` and then ``protocol`` after initialisation"""
    # Same order as the checks are declared: the region is checked first,
    # and the protocol is only read once the region check has returned.
    for validate, field_name in (
            (APIUtils.check_is_valid_aws_region_id, 'region'),
            (APIUtils.check_is_valid_protocol, 'protocol'),
    ):
        validate(getattr(self, field_name))
def __post_init__(self):
    """Validate ``priority``, ``protocol``, ``access`` and ``direction`` after initialisation"""
    # NOTE(review): these checks run only from __post_init__. Assuming the
    # class is a non-frozen dataclass, a field assigned later is not
    # re-validated.
    checks = (
        (APIUtils.check_is_valid_priority, 'priority'),
        (APIUtils.check_is_valid_protocol, 'protocol'),
        (APIUtils.check_is_valid_access, 'access'),
        (APIUtils.check_is_valid_direction, 'direction'),
    )
    for validate, field_name in checks:
        validate(getattr(self, field_name))
def __post_init__(self):
    """Check ``region`` with ``APIUtils.check_is_valid_azure_region`` after initialisation"""
    # presumably raises on an unknown azure region; confirm in APIUtils
    azure_region = self.region
    APIUtils.check_is_valid_azure_region(region=azure_region)
def __post_init__(self):
    """Check ``email_sending_state`` with ``APIUtils.check_is_valid_state`` after initialisation"""
    # presumably raises on an unsupported state; confirm in APIUtils
    sending_state = self.email_sending_state
    APIUtils.check_is_valid_state(state=sending_state)
def __post_init__(self):
    """Check ``state`` with ``APIUtils.check_is_valid_state`` after initialisation"""
    # presumably raises on an unsupported state; confirm in APIUtils
    current_state = self.state
    APIUtils.check_is_valid_state(state=current_state)
def __post_init__(self):
    """Validate every notification state field after initialisation

    Each field is passed to ``APIUtils.check_is_valid_state`` in turn, in the
    order listed below.

    """
    # NOTE(review): validation happens only here. Assuming the class is a
    # non-frozen dataclass, a state changed after construction is not
    # re-checked.
    state_fields = (
        'email_sending_state',
        'email_per_finding_sending_state',
        'sns_sending_state',
        'external_ticket_creating_state',
        'aws_security_hub_integration_state',
        'webhook_integration_state',
    )
    for field_name in state_fields:
        APIUtils.check_is_valid_state(state=getattr(self, field_name))
def __post_init__(self):
    """Check ``sns_output_format`` with ``APIUtils.check_is_valid_notification_output_format`` after initialisation"""
    # presumably raises on an unsupported output format; confirm in APIUtils
    output_format = self.sns_output_format
    APIUtils.check_is_valid_notification_output_format(notification_output_format=output_format)
def __post_init__(self):
    """Check ``entity_type`` with ``APIUtils.check_is_valid_entity_type`` after initialisation"""
    # presumably raises on an unsupported entity type; confirm in APIUtils
    requested_type = self.entity_type
    APIUtils.check_is_valid_entity_type(entity_type=requested_type)