def configure_member_account(account_id: str, configuration_role_name: str, regions: list, standards_user_input: dict, aws_partition: str) -> None:
    """Configure Member Account.

    Args:
        account_id: Account ID
        configuration_role_name: Configuration Role Name
        regions: AWS Region List
        standards_user_input: Standards user input dictionary
        aws_partition: AWS Partition
    """
    LOGGER.info(f"Configuring account {account_id}")

    account_session = common.assume_role(configuration_role_name, "sra-configure-security-hub", account_id)

    for region in regions:
        securityhub_client: SecurityHubClient = account_session.client("securityhub", region)
        standard_dict: dict = get_standard_dictionary(
            account_id,
            region,
            aws_partition,
            standards_user_input["SecurityBestPracticesVersion"],
            standards_user_input["CISVersion"],
            standards_user_input["PCIVersion"],
        )
        process_standards(securityhub_client, standard_dict, standards_user_input["StandardsToEnable"])
def process_create_update_event(params: dict, regions: list) -> None:
    """Process create update events.

    Args:
        params: input parameters
        regions: AWS regions
    """
    if (params.get(
            "DISABLE_MACIE",
            "false")).lower() in "true" and params["action"] == "Update":
        account_ids = common.get_account_ids(
            [], params["DELEGATED_ADMIN_ACCOUNT_ID"])
        macie.process_delete_event(params, regions, account_ids, True)
    else:
        common.create_service_linked_role(
            "AWSServiceRoleForAmazonMacie",
            "macie.amazonaws.com",
            "A service-linked role required for Amazon Macie to access your resources.",
        )
        macie.process_organization_admin_account(
            params.get("DELEGATED_ADMIN_ACCOUNT_ID", ""), regions)
        delegated_admin_session = common.assume_role(
            params.get("CONFIGURATION_ROLE_NAME", ""), "sra-macie-org",
            params.get("DELEGATED_ADMIN_ACCOUNT_ID", ""))

        macie.configure_macie(
            delegated_admin_session,
            params["DELEGATED_ADMIN_ACCOUNT_ID"],
            regions,
            params["PUBLISHING_DESTINATION_BUCKET_NAME"],
            params["KMS_KEY_ARN"],
            params["FINDING_PUBLISHING_FREQUENCY"],
        )
def configure_delegated_admin_securityhub(
    accounts: list, regions: list, delegated_admin_account_id: str, configuration_role_name: str, region_linking_mode: str, home_region: str
) -> None:
    """Configure delegated admin security hub.

    Args:
        accounts: list of account details [{"AccountId": "", "Email": ""}]
        regions: AWS Region List
        delegated_admin_account_id: Delegated Admin Account ID
        configuration_role_name: Configuration Role Name
        region_linking_mode: Region Linking Mode
        home_region: Home Region
    """
    process_organization_admin_account(delegated_admin_account_id, regions)
    delegated_admin_session = common.assume_role(configuration_role_name, "sra-enable-security-hub", delegated_admin_account_id)

    for region in regions:
        securityhub_delegated_admin_region_client: SecurityHubClient = delegated_admin_session.client("securityhub", region)
        update_organization_configuration_response = securityhub_delegated_admin_region_client.update_organization_configuration(AutoEnable=True)
        api_call_details = {"API_Call": "securityhub:UpdateOrganizationConfiguration", "API_Response": update_organization_configuration_response}
        LOGGER.info(api_call_details)
        LOGGER.info(f"SecurityHub organization configuration updated in {region}")

        update_security_hub_configuration_response = securityhub_delegated_admin_region_client.update_security_hub_configuration(
            AutoEnableControls=True
        )
        api_call_details = {"API_Call": "securityhub:UpdateSecurityHubConfiguration", "API_Response": update_security_hub_configuration_response}
        LOGGER.info(api_call_details)
        LOGGER.info(f"SecurityHub configuration updated in {region}")

        create_members(securityhub_delegated_admin_region_client, accounts)

    securityhub_delegated_admin_client: SecurityHubClient = delegated_admin_session.client("securityhub")
    create_finding_aggregator(securityhub_delegated_admin_client, region_linking_mode, regions, home_region)
def disable_securityhub(account_id: str, configuration_role_name: str, regions: list) -> None:  # noqa: CCR001
    """Disable Security Hub.

    Args:
        account_id: Account ID
        configuration_role_name: Configuration Role Name
        regions: AWS Region List
    """
    account_session = common.assume_role(configuration_role_name, "sra-disable-security-hub", account_id)

    for region in regions:
        securityhub_client: SecurityHubClient = account_session.client("securityhub", region)
        member_account_ids: list = get_associated_members(securityhub_client)

        if member_account_ids:
            disassociate_members_response = securityhub_client.disassociate_members(AccountIds=member_account_ids)
            api_call_details = {"API_Call": "securityhub:DisassociateMembers", "API_Response": disassociate_members_response}
            LOGGER.info(api_call_details)
            LOGGER.info(f"Member accounts disassociated in {region}")

            delete_members_response: DeleteMembersResponseTypeDef = securityhub_client.delete_members(AccountIds=member_account_ids)
            api_call_details = {"API_Call": "securityhub:DeleteMembers", "API_Response": delete_members_response}
            LOGGER.info(api_call_details)
            LOGGER.info(f"Member accounts deleted in {region}")

        try:
            disable_security_hub_response = securityhub_client.disable_security_hub()
            api_call_details = {"API_Call": "securityhub:DisableSecurityHub", "API_Response": disable_security_hub_response}
            LOGGER.info(api_call_details)
            LOGGER.info(f"SecurityHub disabled in {region}")
        except securityhub_client.exceptions.ResourceNotFoundException:
            LOGGER.info(f"SecurityHub is not enabled in {region}")
def process_delete_event(params: dict, regions: list, account_ids: list, include_members: bool = False) -> None:
    """Delete Macie solution resources.

    Args:
        params: parameters
        regions: AWS regions
        account_ids: AWS account IDs
        include_members: True or False
    """
    delegated_admin_session = common.assume_role(params["CONFIGURATION_ROLE_NAME"], "sra-macie-org", params["DELEGATED_ADMIN_ACCOUNT_ID"])
    # Loop through the regions and disable Macie in the delegated admin account
    for region in regions:
        management_macie2_client: Macie2Client = MANAGEMENT_ACCOUNT_SESSION.client("macie2", region_name=region)
        disable_organization_admin_account(management_macie2_client, region)

        # Disable Macie in the Delegated Admin Account
        delegated_admin_macie2_client: Macie2Client = delegated_admin_session.client("macie2", region_name=region)
        disable_macie(delegated_admin_macie2_client, params["DELEGATED_ADMIN_ACCOUNT_ID"], region, True)

    deregister_delegated_administrator(params["DELEGATED_ADMIN_ACCOUNT_ID"], SERVICE_NAME)

    if include_members:
        management_sns_client: SNSClient = MANAGEMENT_ACCOUNT_SESSION.client("sns")
        for account_id in account_ids:
            sns_message = {
                "AccountId": account_id,
                "Regions": regions,
                "DisableMacieRoleName": params["DISABLE_MACIE_ROLE_NAME"],
                "Action": "disable",
            }
            LOGGER.info(f"Publishing message to disable Macie in {account_id}")
            LOGGER.info(f"{json.dumps(sns_message)}")
            management_sns_client.publish(TopicArn=params["SNS_TOPIC_ARN"], Message=json.dumps(sns_message))
def process_create_update_event(params: dict, regions: list) -> None:
    """Process create update events.

    Args:
        params: input parameters
        regions: AWS regions

    Raises:
        ValueError: GuardDuty detectors didn't get created in the allowed time
    """
    if (params.get(
            "DISABLE_GUARD_DUTY",
            "false")).lower() in "true" and params["action"] == "Update":
        account_ids = common.get_account_ids(
            [], params["DELEGATED_ADMIN_ACCOUNT_ID"])
        guardduty.process_delete_event(params, regions, account_ids, True)
    else:
        common.create_service_linked_role(
            "AWSServiceRoleForAmazonGuardDuty",
            "guardduty.amazonaws.com",
            "A service-linked role required for Amazon GuardDuty to access your resources.",
        )
        guardduty.process_organization_admin_account(
            params.get("DELEGATED_ADMIN_ACCOUNT_ID", ""), regions)
        sleep(60)
        session = common.assume_role(
            params.get("CONFIGURATION_ROLE_NAME", ""), "CreateGuardDuty",
            params.get("DELEGATED_ADMIN_ACCOUNT_ID", ""))
        detectors_exist = False
        run_count = 0

        while not detectors_exist and run_count < MAX_RUN_COUNT:
            run_count += 1
            detectors_exist = guardduty.check_for_detectors(session, regions)
            LOGGER.info(
                f"All Detectors Exist?: {detectors_exist} Count: {run_count}")
            if not detectors_exist:
                sleep(SLEEP_SECONDS)

        if not detectors_exist:
            raise ValueError(
                "GuardDuty Detectors did not get created in the allowed time. Check the Org Management delegated admin setup."
            )
        else:
            auto_enable_s3_logs = (params.get("AUTO_ENABLE_S3_LOGS",
                                              "false")).lower() in "true"

            guardduty.configure_guardduty(
                session,
                params["DELEGATED_ADMIN_ACCOUNT_ID"],
                auto_enable_s3_logs,
                regions,
                params.get("FINDING_PUBLISHING_FREQUENCY", "FIFTEEN_MINUTES"),
                params["KMS_KEY_ARN"],
                params["PUBLISHING_DESTINATION_BUCKET_ARN"],
            )
def enable_account_securityhub(
    account_id: str,
    regions: list,
    configuration_role_name: str,
    aws_partition: str,
    standards_user_input: dict,
    account_session: boto3.Session = None,
) -> None:
    """Enable account SecurityHub.

    Args:
        account_id: Account ID
        regions: AWS Region List
        configuration_role_name: Configuration Role Name
        aws_partition: AWS Partition
        standards_user_input: Dictionary of standards
        account_session: Boto3 session. Defaults to None.
    """
    if not account_session:
        account_session = common.assume_role(configuration_role_name, "sra-configure-security-hub", account_id)
    iam_client: IAMClient = account_session.client("iam")
    common.create_service_linked_role(
        "AWSServiceRoleForSecurityHub",
        "securityhub.amazonaws.com",
        "A service-linked role required for AWS Security Hub to access your resources.",
        iam_client,
    )

    for region in regions:
        standard_dict: dict = get_standard_dictionary(
            account_id,
            region,
            aws_partition,
            standards_user_input["SecurityBestPracticesVersion"],
            standards_user_input["CISVersion"],
            standards_user_input["PCIVersion"],
        )
        securityhub_client: SecurityHubClient = account_session.client("securityhub", region)

        try:
            enable_security_hub_response: Any = securityhub_client.enable_security_hub(EnableDefaultStandards=False)
            api_call_details = {"API_Call": "securityhub:EnableSecurityHub", "API_Response": enable_security_hub_response}
            LOGGER.info(api_call_details)
            LOGGER.info(f"SecurityHub enabled in {account_id} {region}")
        except securityhub_client.exceptions.ResourceConflictException:
            LOGGER.info(f"SecurityHub already enabled in {account_id} {region}")

        process_standards(securityhub_client, standard_dict, standards_user_input["StandardsToEnable"])
def process_delete_event(params: dict,
                         regions: list,
                         account_ids: list,
                         include_members: bool = False) -> None:
    """Delete GuardDuty solution resources.

    Args:
        params: parameters
        regions: AWS regions
        account_ids: AWS account IDs
        include_members: Include Members
    """
    delegated_admin_session = common.assume_role(
        params["CONFIGURATION_ROLE_NAME"], "DeleteGuardDuty",
        params["DELEGATED_ADMIN_ACCOUNT_ID"])
    # Loop through the regions and disable GuardDuty in the delegated admin account
    for region in regions:
        management_guardduty_client: GuardDutyClient = MANAGEMENT_ACCOUNT_SESSION.client(
            "guardduty", region_name=region)
        disable_organization_admin_account(management_guardduty_client, region)

        # Delete Detectors in the Delegated Admin Account
        delegated_admin_guardduty_client: GuardDutyClient = delegated_admin_session.client(
            "guardduty", region_name=region)
        delete_detectors(delegated_admin_guardduty_client, region, True)

    deregister_delegated_administrator(params["DELEGATED_ADMIN_ACCOUNT_ID"],
                                       SERVICE_NAME)

    if include_members:
        management_sns_client: SNSClient = MANAGEMENT_ACCOUNT_SESSION.client(
            "sns")
        for account_id in account_ids:
            sns_message = {
                "AccountId": account_id,
                "Regions": regions,
                "DeleteDetectorRoleName": params["DELETE_DETECTOR_ROLE_NAME"],
                "Action": "delete-member",
            }
            LOGGER.info(
                f"Publishing message to cleanup GuardDuty in {account_id}")
            LOGGER.info(f"{json.dumps(sns_message)}")
            management_sns_client.publish(TopicArn=params["SNS_TOPIC_ARN"],
                                          Message=json.dumps(sns_message))
def disable_member_account(account_id: str, disable_macie_role_name: str, regions: list) -> dict:
    """Disable member account.

    Args:
        account_id: Account ID
        disable_macie_role_name: Disable Macie Role Name
        regions: AWS Regions

    Returns:
        Account ID
    """
    session = common.assume_role(disable_macie_role_name, "sra-macie-org-disable", account_id)

    for region in regions:
        LOGGER.info(f"Disabling Macie in {account_id} {region}")
        macie2_client: Macie2Client = session.client("macie2", region_name=region)
        disable_macie(macie2_client, account_id, region, False)

    return {"AccountId": account_id}
def cleanup_member_account(account_id: str, delete_detector_role_name: str,
                           regions: list) -> dict:
    """Cleanup member account.

    Args:
        account_id: Account ID
        delete_detector_role_name: Delete Detector Role Name
        regions: AWS Regions

    Returns:
        Account ID
    """
    session = common.assume_role(delete_detector_role_name,
                                 "sra-delete-guardduty", account_id)

    for region in regions:
        LOGGER.info(f"Deleting GuardDuty detector in {account_id} {region}")
        guardduty_client: GuardDutyClient = session.client("guardduty",
                                                           region_name=region)
        delete_detectors(guardduty_client, region, False)

    return {"AccountId": account_id}
Exemple #11
0
def process_lifecycle_event(event: Dict[str, Any]) -> str:
    """Process Lifecycle Event.

    Args:
        event: event data

    Returns:
        string with account ID
    """
    params = get_configuration_ssm_parameters()
    LOGGER.info(f"Parameters: {params}")

    enable_block_public_acls = (params.get("ENABLE_BLOCK_PUBLIC_ACLS",
                                           "true")).lower() in "true"
    enable_ignore_public_acls = (params.get("ENABLE_IGNORE_PUBLIC_ACLS",
                                            "true")).lower() in "true"
    enable_block_public_policy = (params.get("ENABLE_BLOCK_PUBLIC_POLICY",
                                             "true")).lower() in "true"
    enable_restrict_public_buckets = (params.get(
        "ENABLE_RESTRICT_PUBLIC_BUCKETS", "true")).lower() in "true"

    account_id = event["detail"]["serviceEventDetails"][
        "createManagedAccountStatus"]["account"]["accountId"]

    account_session = common.assume_role(params["ROLE_TO_ASSUME"],
                                         params["ROLE_SESSION_NAME"],
                                         account_id)
    s3_client: S3ControlClient = account_session.client("s3control")
    put_account_public_access_block(
        s3_client,
        account_id,
        enable_block_public_acls,
        enable_ignore_public_acls,
        enable_block_public_policy,
        enable_restrict_public_buckets,
    )

    return f"lifecycle-event-processed-for-{account_id}"
Exemple #12
0
def process_put_account_public_access_block(
    role_to_assume: str,
    role_session_name: str,
    account_id: str,
    enable_block_public_acls: bool,
    enable_ignore_public_acls: bool,
    enable_block_public_policy: bool,
    enable_restrict_public_buckets: bool,
) -> None:
    """Process put account public access block.

    Args:
        role_to_assume: Role to assume
        role_session_name: Role session name
        account_id: account to assume role in
        enable_block_public_acls: true or false
        enable_ignore_public_acls: true or false
        enable_block_public_policy: true or false
        enable_restrict_public_buckets: true or false
    """
    account_session = common.assume_role(role_to_assume, role_session_name,
                                         account_id,
                                         MANAGEMENT_ACCOUNT_SESSION)
    s3_client: S3ControlClient = account_session.client("s3control")

    if settings_changed(s3_client, account_id, enable_block_public_acls,
                        enable_ignore_public_acls, enable_block_public_policy,
                        enable_restrict_public_buckets):
        put_account_public_access_block(
            s3_client,
            account_id,
            enable_block_public_acls,
            enable_ignore_public_acls,
            enable_block_public_policy,
            enable_restrict_public_buckets,
        )
        LOGGER.info(f"Enabled account S3 Block Public Access in {account_id}")