def get_evaluation_elements(b3_iam, invoking_event):
"""Returns evaluation results for every invoking event.
Args:
b3_iam: boto3 iam client
invoking_event: invoking lambda event
Returns:
List of evaluation elements
"""
eval_elements = []
root_mfa_status = b3_iam.get_account_summary()['SummaryMap']
if root_mfa_status['AccountMFAEnabled']:
eval_elements.append(
evaluation.EvaluationElement(
invoking_event["awsAccountId"], "AWS::::Account", "COMPLIANT",
"MFA is enabled for Root account",
invoking_event["notificationCreationTime"]))
else:
eval_elements.append(
evaluation.EvaluationElement(
invoking_event["awsAccountId"], "AWS::::Account",
"NON_COMPLIANT", "MFA is Not enabled for Root account",
invoking_event["notificationCreationTime"]))
return eval_elements
def lambda_handler(event, context):
"""
Handler for executing lambda. Setup AWS Config Evaluation for each S3 Bucket.
Args:
event: Lambda Event
context: Lambda Context
Returns:
None
"""
citizen_exec_role_arn = event["citizen_exec_role_arn"]
event = event["config_event"]
logger.log_event(event, context, None, None)
invoking_event = json.loads(event["invokingEvent"])
rule_parameters = rule_parameter.RuleParameter(event)
is_test_mode = rule_parameters.get("testMode", False)
assumed_creds = credential.get_assumed_creds(boto3.client("sts"),
citizen_exec_role_arn)
config = boto3.client("config", **assumed_creds)
s3_b3_client = boto3.client("s3", **assumed_creds)
buckets = s3_b3_client.list_buckets()["Buckets"]
encrypted_buckets = S3Encryption(
s3_b3_client).get_encryp_comp_s3_bucket_list()
evaluation.delete_evaluation_results(config, is_test_mode,
event["configRuleName"])
if buckets == []:
eval_element = evaluation.EvaluationElement(
event["accountId"], "AWS::::Account", "COMPLIANT",
"No S3 Buckets detected",
invoking_event["notificationCreationTime"])
evaluation.put_log_evaluation(config, eval_element,
event["resultToken"], is_test_mode,
logger, event, context)
else:
for bucket in buckets:
compliance_type = "NON_COMPLIANT"
if "Name" in bucket:
if bucket["Name"] in encrypted_buckets:
annotation = "S3 Bucket has Encryption"
compliance_type = "COMPLIANT"
else:
annotation = "S3 Bucket has No Encryption"
else:
annotation = "Invalid S3 bucket"
eval_element = evaluation.EvaluationElement(
bucket["Name"], "AWS::S3::Bucket", compliance_type, annotation,
invoking_event["notificationCreationTime"])
evaluation.put_log_evaluation(config, eval_element,
event["resultToken"], is_test_mode,
logger, event, context)
def lambda_handler(event, context):
"""Entrypoint for lambda function.
Args:
event: lambda event
context: lambda context
Returns:
aws config put_evaluations object
"""
logger.log_event(event, context, None, None)
invoking_event = json.loads(event["invokingEvent"])
rule_parameters = json.loads(event["ruleParameters"])
is_test_mode = rule_parameters[
"testMode"] if "testMode" in rule_parameters else False
arn = rule_parameters[
"executionRoleArn"] if "executionRoleArn" in rule_parameters else None
assumed_creds = credential.get_assumed_creds(boto3.client("sts"), arn)
config = boto3.client("config", **assumed_creds)
compliance_type = get_compliance_type(
boto3.client("cloudtrail", **assumed_creds))
eval_element = evaluation.EvaluationElement(
event["accountId"], "AWS::::Account", compliance_type, "",
invoking_event["notificationCreationTime"])
evaluation.put_log_evaluation(config, eval_element, event["resultToken"],
is_test_mode, logger, event, context)
def lambda_handler(event, context):
"""Entrypoint for lambda function.
Args:
event: lambda event
context: lambda context
"""
citizen_exec_role_arn = event["citizen_exec_role_arn"]
event = event["config_event"]
logger.log_event(event, context, None, None)
invoking_event = json.loads(event["invokingEvent"])
parameter = rule_parameter.RuleParameter(event)
is_test_mode = parameter.get("testMode", False)
assumed_creds = credential.get_assumed_creds(boto3.client("sts"),
citizen_exec_role_arn)
config = boto3.client("config", **assumed_creds)
compliance_type = get_compliance_type(
boto3.client("cloudtrail", **assumed_creds))
eval_element = evaluation.EvaluationElement(
event["accountId"], "AWS::::Account", compliance_type, "",
invoking_event["notificationCreationTime"])
evaluation.put_log_evaluation(config, eval_element, event["resultToken"],
is_test_mode, logger, event, context)
def lambda_handler(event, context):
"""Main function.
Args:
event: lambda event
context: lambda context
"""
citizen_exec_role_arn = event["citizen_exec_role_arn"]
event = event["config_event"]
logger.log_event(event, context, None, None)
invoking_event = json.loads(event["invokingEvent"])
parameter = rule_parameter.RuleParameter(event)
is_test_mode = parameter.get("testMode", False)
credentials = credential.get_assumed_creds(boto3.client("sts"), citizen_exec_role_arn)
b3_config = boto3.client('config', **credentials)
b3_s3 = boto3.client('s3', **credentials)
b3_cloudformation = boto3.client('cloudformation', **credentials)
evaluation.delete_evaluation_results(
b3_config,
is_test_mode,
event.get("configRuleName")
)
prod_citizen_version = get_prod_citizen_version(
b3_s3,
os.environ.get("BUCKET_NAME_DISTRIBUTION", "")
)
stacks = describe_active_stacks(b3_cloudformation)
citizen_stacks = get_citizen_stacks(stacks)
if prod_citizen_version is None: # we couldn't fetch the version from the s3 bucket
message = "Unable to fetch the latest production version of the Citizen Template"
logger.log_event(event, context, None, message)
elif citizen_stacks == []: # if we can't find any citizen stacks the account in non-compliant
eval_element = evaluation.EvaluationElement(
event["accountId"],
"AWS::::Account",
"NON_COMPLIANT",
"No Citizen stack found in account",
invoking_event["notificationCreationTime"]
)
evaluation.put_log_evaluation(
b3_config,
eval_element,
event["resultToken"],
is_test_mode,
logger,
event,
context
)
else:
for citizen_stack in citizen_stacks:
if citizen_stack["Version"] == prod_citizen_version:
compliance_type = "COMPLIANT"
annotation = "Citizen Stack version " + \
citizen_stack["Version"] + \
" is up to date"
else:
compliance_type = "NON_COMPLIANT"
annotation = "Citizen Stack is out of date, found version " + \
citizen_stack["Version"] + \
", the latest available version is " + \
prod_citizen_version + \
". Please update this Citizen Stack."
eval_element = evaluation.EvaluationElement(
citizen_stack["StackId"],
"AWS::CloudFormation::Stack",
compliance_type,
annotation,
invoking_event["notificationCreationTime"]
)
evaluation.put_log_evaluation(
b3_config,
eval_element,
event["resultToken"],
is_test_mode,
logger,
event,
context
)
def lambda_handler(event, context):
# #print(context)
"""
Handler for executing lambda. Setup AWS Config Evaluation for each S3 Bucket.
Args:
event: Lambda Event
context: Lambda Context
Returns:
None
"""
citizen_exec_role_arn = event["citizen_exec_role_arn"]
event = event["config_event"]
logger.log_event(event, context, None, None)
invoking_event = json.loads(event["invokingEvent"])
rule_parameters = rule_parameter.RuleParameter(event)
is_test_mode = rule_parameters.get("testMode", False)
assumed_creds = credential.get_assumed_creds(boto3.client("sts"), citizen_exec_role_arn)
config = boto3.client("config", **assumed_creds)
s3_b3_client = boto3.client("s3", **assumed_creds)
# print('s3_b3_client {}'.format(s3_b3_client))
buckets = s3_b3_client.list_buckets()["Buckets"]
# print('buckets {}'.format(buckets))
# for bucketz in buckets["Buckets"]:
# bname = bucketz['Name']
# print('bname {}'.format(bname))
logging_buckets = S3Logging(s3_b3_client).get_logging_comp_s3_bucket_list()
# print('logging_buckets {}'.format(logging_buckets))
# evaluation.delete_evaluation_results(config, is_test_mode, event["configRuleName"])
if buckets == []:
# print('a')
eval_element = evaluation.EvaluationElement(
event["accountId"],
"AWS::::Account",
"COMPLIANT",
"No S3 Buckets detected",
invoking_event["notificationCreationTime"]
)
evaluation.put_log_evaluation(
config,
eval_element,
event["resultToken"],
is_test_mode,
logger,
event,
context
)
else:
# print('b')
for bucket in buckets:
# print('buckets {}'.format(buckets))
# print('bucket {}'.format(bucket))
# print('fuck1')
compliance_type = "NON_COMPLIANT"
if "Name" in bucket:
# print('bucketa {}'.format(bucket))
# print('bucketaa {}'.format(bucket["Name"]))
# print('logging_buckets {}'.format(logging_buckets))
if bucket["Name"] in logging_buckets:
# print('bucketb {}'.format(bucket))
annotation = "S3 Bucket has logging"
compliance_type = "COMPLIANT"
else:
# #print('bucketc {}'.format(bucket["Name"]))
annotation = "S3 Bucket has No logging"
else:
annotation = "Invalid S3 bucket"
eval_element = evaluation.EvaluationElement(
bucket["Name"],
"AWS::S3::Bucket",
compliance_type,
annotation,
invoking_event["notificationCreationTime"]
)
# #print(eval_element)
# #print(evaluation)
evaluation.put_log_evaluation(
config,
eval_element,
event["resultToken"],
is_test_mode,
logger,
event,
context
)