def list_user_pools(cache):
    """Return every Cognito user pool in the account, memoised in ``cache``.

    The first call pages through ``cognitoidp.list_user_pools`` and stores the
    accumulated result under the ``"list_user_pools"`` key; later calls hand
    back that stored value without touching the API again.
    """
    cached = cache.get("list_user_pools")
    if cached:
        return cached
    pages = cognitoidp.get_paginator("list_user_pools").paginate(
        PaginationConfig={"PageSize": 60}
    )
    cache["list_user_pools"] = accumulate_paged_results(
        page_iterator=pages, key="UserPools"
    )
    return cache["list_user_pools"]
def get_resource_shares(cache):
    """Return the RAM resource shares owned by this account, memoised in ``cache``.

    Only shares with ``resourceOwner="SELF"`` are fetched here; the accumulated
    pages are stored under the ``"get_resource_shares"`` key so repeated calls
    in the same run do not hit the API again.
    """
    cached = cache.get("get_resource_shares")
    if cached:
        return cached
    pages = ram.get_paginator("get_resource_shares").paginate(
        resourceOwner="SELF"
    )
    cache["get_resource_shares"] = accumulate_paged_results(
        page_iterator=pages, key="resourceShares"
    )
    return cache["get_resource_shares"]
 def get_regions(self, service):
     """Return the names of the regions in which ``service`` is available.

     Reads the public ``/aws/service/global-infrastructure/services/<service>/regions``
     parameter tree from SSM and collects each parameter's ``Value``.
     """
     pages = ssm.get_paginator("get_parameters_by_path").paginate(
         Path=f"/aws/service/global-infrastructure/services/{service}/regions",
         PaginationConfig={"MaxItems": 1000, "PageSize": 10},
     )
     parameters = accumulate_paged_results(page_iterator=pages, key="Parameters")
     return [parameter["Value"] for parameter in parameters["Parameters"]]
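 def get_regions(self, service):
     """Return the names of the regions in which ``service`` is available.

     Reads the public ``/aws/service/global-infrastructure/services/<service>/regions``
     parameter tree from SSM and collects each parameter's ``Value``.
     """
     # The global-infrastructure tree lists a few "v2" services under their
     # original name, so translate those before building the path; any other
     # service name is used as-is (the original if/elif chain ended in a no-op
     # ``service = service`` branch).
     v2_aliases = {
         "kinesisanalyticsv2": "kinesisanalytics",
         "macie2": "macie",
         "elbv2": "elb",
         "wafv2": "waf",
     }
     service = v2_aliases.get(service, service)
     pages = ssm.get_paginator("get_parameters_by_path").paginate(
         Path=f"/aws/service/global-infrastructure/services/{service}/regions",
         PaginationConfig={"MaxItems": 1000, "PageSize": 10},
     )
     parameters = accumulate_paged_results(page_iterator=pages, key="Parameters")
     return [parameter["Value"] for parameter in parameters["Parameters"]]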
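def unhealthy_endpoint_group_check(cache: dict, awsAccountId: str,
                                   awsRegion: str, awsPartition: str) -> dict:
    """[GlobalAccelerator.1] Endpoint should not be unhealthy

    Generator that yields one ASFF finding per endpoint of every endpoint
    group behind every listener of every accelerator in the account. An
    endpoint whose ``HealthState`` is ``"UNHEALTHY"`` produces a FAILED /
    MEDIUM finding; any other state produces a PASSED / INFORMATIONAL one.

    Args:
        cache: per-run cache shared by the checks (unused here).
        awsAccountId: account the findings are reported for.
        awsRegion: region the check is running in.
        awsPartition: partition used to build the Security Hub product ARN.

    Yields:
        dict: a Security Hub finding (schema 2018-10-08).
    """
    # The original only ran the check in us-west-2 and fell through an empty
    # branch elsewhere -- presumably because the Global Accelerator API is
    # reached through that region; confirm before changing the gate.
    if awsRegion != "us-west-2":
        return
    accelerators = accumulate_paged_results(
        page_iterator=globalaccelerator.get_paginator(
            "list_accelerators").paginate(),
        key="Accelerators")
    # One timestamp per run so every finding shares the same observed/created/
    # updated time.
    iso8601Time = datetime.datetime.now(datetime.timezone.utc).isoformat()
    for accelerator in accelerators["Accelerators"]:
        listeners = accumulate_paged_results(
            page_iterator=globalaccelerator.get_paginator(
                "list_listeners").paginate(
                    AcceleratorArn=accelerator["AcceleratorArn"]),
            key="Listeners")
        for listener in listeners["Listeners"]:
            endpointGroups = accumulate_paged_results(
                page_iterator=globalaccelerator.get_paginator(
                    "list_endpoint_groups").paginate(
                        ListenerArn=listener["ListenerArn"]),
                key="EndpointGroups")
            for endpointGroup in endpointGroups["EndpointGroups"]:
                endpointGroupArn = endpointGroup["EndpointGroupArn"]
                for description in endpointGroup["EndpointDescriptions"]:
                    yield _unhealthy_endpoint_finding(
                        endpointGroupArn=endpointGroupArn,
                        endpointId=description["EndpointId"],
                        unhealthy=description["HealthState"] == "UNHEALTHY",
                        iso8601Time=iso8601Time,
                        awsAccountId=awsAccountId,
                        awsRegion=awsRegion,
                        awsPartition=awsPartition,
                    )


def _unhealthy_endpoint_finding(*, endpointGroupArn: str, endpointId: str,
                                unhealthy: bool, iso8601Time: str,
                                awsAccountId: str, awsRegion: str,
                                awsPartition: str) -> dict:
    """Build the ASFF finding for one endpoint of an endpoint group.

    Only severity, compliance status, workflow status, record state and the
    description text differ between the healthy and unhealthy variants; the
    rest of the document is shared. The finding ``Id`` is derived from the
    endpoint group ARN so it is stable across runs, while ``GeneratorId`` is a
    fresh uuid4 for every finding.
    """
    if unhealthy:
        severity, complianceStatus = "MEDIUM", "FAILED"
        workflowStatus, recordState = "NEW", "ACTIVE"
        descriptionText = "Endpoint id " + endpointId + " is unhealthy."
    else:
        severity, complianceStatus = "INFORMATIONAL", "PASSED"
        workflowStatus, recordState = "RESOLVED", "ARCHIVED"
        descriptionText = "Endpoint id " + endpointId + " is not unhealthy."
    return {
        "SchemaVersion": "2018-10-08",
        "Id": endpointGroupArn + "/unhealthy-endpoint-group-check",
        "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default",
        "GeneratorId": str(uuid.uuid4()),
        "AwsAccountId": awsAccountId,
        "Types": [
            "Software and Configuration Checks/AWS Security Best Practices"
        ],
        "FirstObservedAt": iso8601Time,
        "CreatedAt": iso8601Time,
        "UpdatedAt": iso8601Time,
        "Severity": {"Label": severity},
        "Confidence": 99,
        "Title": "[GlobalAccelerator.1] Endpoint should not be unhealthy",
        "Description": descriptionText,
        "Remediation": {
            "Recommendation": {
                "Text": "For more information on the health of endpoints refer to the Endpoints in AWS Global Accelerator section of the AWS Global Accelerator Developer Guide",
                "Url": "https://docs.aws.amazon.com/global-accelerator/latest/dg/about-endpoints.html",
            }
        },
        "ProductFields": {"Product Name": "ElectricEye"},
        "Resources": [
            {
                "Type": "AwsGlobalAcceleratorEndpoint",
                "Id": endpointGroupArn,
                "Partition": awsPartition,
                "Region": awsRegion,
            }
        ],
        "Compliance": {
            "Status": complianceStatus,
            "RelatedRequirements": [
                "NIST CSF ID.AM-2",
                "NIST SP 800-53 CM-8",
                "NIST SP 800-53 PM-5",
                "AICPA TSC CC3.2",
                "AICPA TSC CC6.1",
                "ISO 27001:2013 A.8.1.1",
                "ISO 27001:2013 A.8.1.2",
                "ISO 27001:2013 A.12.5.1",
            ],
        },
        "Workflow": {"Status": workflowStatus},
        "RecordState": recordState,
    }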
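def flow_logs_enabled_check(cache: dict, awsAccountId: str, awsRegion: str,
                            awsPartition: str) -> dict:
    """[GlobalAccelerator.2] Accelerator should have flow logs enabled

    Generator that yields one ASFF finding per accelerator. An accelerator
    whose ``FlowLogsEnabled`` attribute is truthy produces a PASSED /
    INFORMATIONAL finding; otherwise a FAILED / MEDIUM one.

    Args:
        cache: per-run cache shared by the checks (unused here).
        awsAccountId: account the findings are reported for.
        awsRegion: region the check is running in.
        awsPartition: partition used to build the Security Hub product ARN.

    Yields:
        dict: a Security Hub finding (schema 2018-10-08).
    """
    # The original only ran the check in us-west-2 and fell through an empty
    # branch elsewhere -- presumably because the Global Accelerator API is
    # reached through that region; confirm before changing the gate.
    if awsRegion != "us-west-2":
        return
    accelerators = accumulate_paged_results(
        page_iterator=globalaccelerator.get_paginator(
            "list_accelerators").paginate(),
        key="Accelerators")
    # One timestamp per run so every finding shares the same observed/created/
    # updated time.
    iso8601Time = datetime.datetime.now(datetime.timezone.utc).isoformat()
    for accelerator in accelerators["Accelerators"]:
        acceleratorArn = accelerator["AcceleratorArn"]
        attributes = globalaccelerator.describe_accelerator_attributes(
            AcceleratorArn=acceleratorArn)
        yield _flow_logs_finding(
            acceleratorArn=acceleratorArn,
            acceleratorName=accelerator["Name"],
            loggingEnabled=bool(
                attributes["AcceleratorAttributes"]["FlowLogsEnabled"]),
            iso8601Time=iso8601Time,
            awsAccountId=awsAccountId,
            awsRegion=awsRegion,
            awsPartition=awsPartition,
        )


def _flow_logs_finding(*, acceleratorArn: str, acceleratorName: str,
                       loggingEnabled: bool, iso8601Time: str,
                       awsAccountId: str, awsRegion: str,
                       awsPartition: str) -> dict:
    """Build the ASFF finding for one accelerator's flow-log setting.

    Only severity, compliance status, workflow status, record state and the
    description text differ between the enabled and disabled variants. The
    ``Id`` suffix ``/access-logging-enabled-check`` does not match the check
    name; it is kept verbatim because changing it would change the finding's
    identity in Security Hub.
    """
    if loggingEnabled:
        severity, complianceStatus = "INFORMATIONAL", "PASSED"
        workflowStatus, recordState = "RESOLVED", "ARCHIVED"
        descriptionText = ("Accelerator " + acceleratorName +
                           " has flow logs enabled.")
    else:
        severity, complianceStatus = "MEDIUM", "FAILED"
        workflowStatus, recordState = "NEW", "ACTIVE"
        descriptionText = ("Accelerator " + acceleratorName +
                           " does not have flow logs enabled.")
    return {
        "SchemaVersion": "2018-10-08",
        "Id": acceleratorArn + "/access-logging-enabled-check",
        "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default",
        "GeneratorId": str(uuid.uuid4()),
        "AwsAccountId": awsAccountId,
        "Types": [
            "Software and Configuration Checks/AWS Security Best Practices"
        ],
        "FirstObservedAt": iso8601Time,
        "CreatedAt": iso8601Time,
        "UpdatedAt": iso8601Time,
        "Severity": {"Label": severity},
        "Confidence": 99,
        "Title": "[GlobalAccelerator.2] Accelerator should have flow logs enabled",
        "Description": descriptionText,
        "Remediation": {
            "Recommendation": {
                "Text": "For more information on accelerator flow logs refer to the Flow logs in AWS Global Accelerator section of the AWS Global Accelerator Developer Guide",
                "Url": "https://docs.aws.amazon.com/global-accelerator/latest/dg/monitoring-global-accelerator.flow-logs.html",
            }
        },
        "ProductFields": {"Product Name": "ElectricEye"},
        "Resources": [
            {
                "Type": "AwsGlobalAcceleratorAccelerator",
                "Id": acceleratorArn,
                "Partition": awsPartition,
                "Region": awsRegion,
            }
        ],
        "Compliance": {
            "Status": complianceStatus,
            "RelatedRequirements": [
                "NIST CSF DE.AE-3",
                "NIST SP 800-53 AU-6",
                "NIST SP 800-53 CA-7",
                "NIST SP 800-53 IR-4",
                "NIST SP 800-53 IR-5",
                "NIST SP 800-53 IR-8",
                "NIST SP 800-53 SI-4",
                "AICPA TSC CC7.2",
                "ISO 27001:2013 A.12.4.1",
                "ISO 27001:2013 A.16.1.7",
            ],
        },
        "Workflow": {"Status": workflowStatus},
        "RecordState": recordState,
    }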
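def kda_log_to_cloudwatch_check(cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str) -> dict:
    """[KinesisAnalytics.1] Applications should log to CloudWatch

    Generator that yields one ASFF finding per Kinesis Data Analytics
    application. An application with no CloudWatch logging option produces a
    FAILED / LOW finding; one with at least one option produces a PASSED /
    INFORMATIONAL finding.

    Args:
        cache: per-run cache shared by the checks (unused here).
        awsAccountId: account the findings are reported for.
        awsRegion: region the check is running in.
        awsPartition: partition used to build the Security Hub product ARN.

    Yields:
        dict: a Security Hub finding (schema 2018-10-08).
    """
    responses = accumulate_paged_results(
        page_iterator=kinesisanalyticsv2.get_paginator(
            "list_applications").paginate(),
        key="ApplicationSummaries",
    )
    # Same wall-clock value the original produced via utcnow().replace(...),
    # written the way the other checks in this file do it.
    iso8601Time = datetime.datetime.now(datetime.timezone.utc).isoformat()
    for application in responses["ApplicationSummaries"]:
        applicationName = application["ApplicationName"]
        detail = kinesisanalyticsv2.describe_application(
            ApplicationName=applicationName
        )["ApplicationDetail"]
        # NOTE(review): the original indexed the key directly; .get() treats a
        # response that omits the list the same as an empty one (no logging
        # configured) instead of raising KeyError -- confirm against the API.
        cwDescription = detail.get("CloudWatchLoggingOptionDescriptions")
        yield _kda_cloudwatch_finding(
            applicationArn=detail["ApplicationARN"],
            applicationName=applicationName,
            logsToCloudWatch=bool(cwDescription),
            iso8601Time=iso8601Time,
            awsAccountId=awsAccountId,
            awsRegion=awsRegion,
            awsPartition=awsPartition,
        )


def _kda_cloudwatch_finding(*, applicationArn: str, applicationName: str,
                            logsToCloudWatch: bool, iso8601Time: str,
                            awsAccountId: str, awsRegion: str,
                            awsPartition: str) -> dict:
    """Build the ASFF finding for one application's CloudWatch logging state.

    The passing variant previously reused the failing description ("does not
    log to CloudWatch"), contradicting its PASSED status; it now says the
    application logs to CloudWatch.
    """
    if logsToCloudWatch:
        severity, complianceStatus = "INFORMATIONAL", "PASSED"
        workflowStatus, recordState = "RESOLVED", "ARCHIVED"
        descriptionText = "Application " + applicationName + " logs to CloudWatch."
    else:
        severity, complianceStatus = "LOW", "FAILED"
        workflowStatus, recordState = "NEW", "ACTIVE"
        descriptionText = (
            "Application " + applicationName + " does not log to CloudWatch."
        )
    return {
        "SchemaVersion": "2018-10-08",
        "Id": applicationArn + "/kda-log-to-cloudwatch-check",
        "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default",
        "GeneratorId": str(uuid.uuid4()),
        "AwsAccountId": awsAccountId,
        "Types": [
            "Software and Configuration Checks/AWS Security Best Practices"
        ],
        "FirstObservedAt": iso8601Time,
        "CreatedAt": iso8601Time,
        "UpdatedAt": iso8601Time,
        "Severity": {"Label": severity},
        "Confidence": 99,
        "Title": "[KinesisAnalytics.1] Applications should log to CloudWatch",
        "Description": descriptionText,
        "Remediation": {
            "Recommendation": {
                "Text": "For more information on monitoring applications using CloudWatch Logs refer to the Best Practices for Kinesis Data Analytics for Apache Flink section of the Amazon Kinesis Data Analytics Developer Guide",
                "Url": "https://docs.aws.amazon.com/kinesisanalytics/latest/java/best-practices.html#how-dev-bp-logging",
            }
        },
        "ProductFields": {"Product Name": "ElectricEye"},
        "Resources": [
            {
                "Type": "AwsKinesisDataAnalyticsApplication",
                "Id": applicationArn,
                "Partition": awsPartition,
                "Region": awsRegion,
            }
        ],
        "Compliance": {
            "Status": complianceStatus,
            "RelatedRequirements": [
                "NIST CSF DE.AE-3",
                "NIST SP 800-53 AU-6",
                "NIST SP 800-53 CA-7",
                "NIST SP 800-53 IR-4",
                "NIST SP 800-53 IR-5",
                "NIST SP 800-53 IR-8",
                "NIST SP 800-53 SI-4",
                "AICPA TSC CC7.2",
                "ISO 27001:2013 A.12.4.1",
                "ISO 27001:2013 A.16.1.7",
            ],
        },
        "Workflow": {"Status": workflowStatus},
        "RecordState": recordState,
    }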
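def ram_resource_shares_status_check(cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str) -> dict:
    """[RAM.1] Resource share should not have a failed status

    Generator that yields one ASFF finding per RAM resource share, covering
    both the shares this account owns (via the cached
    ``get_resource_shares``) and those shared with it by other accounts. A
    share whose ``status`` is ``"FAILED"`` produces a FAILED / MEDIUM
    finding; any other status produces a PASSED / INFORMATIONAL one.

    Args:
        cache: per-run cache; used to memoise the account's own shares.
        awsAccountId: account the findings are reported for.
        awsRegion: region the check is running in.
        awsPartition: partition used to build the Security Hub product ARN.

    Yields:
        dict: a Security Hub finding (schema 2018-10-08).
    """
    responses = [
        get_resource_shares(cache),
        accumulate_paged_results(
            page_iterator=ram.get_paginator("get_resource_shares").paginate(
                resourceOwner="OTHER-ACCOUNTS"),
            key="resourceShares",
        ),
    ]
    # One timestamp per run (the original re-read the clock per response).
    iso8601Time = datetime.datetime.now(datetime.timezone.utc).isoformat()
    for response in responses:
        for resourceShare in response["resourceShares"]:
            yield _resource_share_finding(
                resourceShareArn=resourceShare["resourceShareArn"],
                shareName=resourceShare["name"],
                failed=resourceShare["status"] == "FAILED",
                iso8601Time=iso8601Time,
                awsAccountId=awsAccountId,
                awsRegion=awsRegion,
                awsPartition=awsPartition,
            )


def _resource_share_finding(*, resourceShareArn: str, shareName: str,
                            failed: bool, iso8601Time: str,
                            awsAccountId: str, awsRegion: str,
                            awsPartition: str) -> dict:
    """Build the ASFF finding for one RAM resource share.

    Only severity, compliance status, workflow status, record state and the
    description text differ between the failed and healthy variants; the
    ``Id`` is derived from the share ARN so it stays stable across runs.
    """
    if failed:
        severity, complianceStatus = "MEDIUM", "FAILED"
        workflowStatus, recordState = "NEW", "ACTIVE"
        descriptionText = "Resource share " + shareName + " has a failed status."
    else:
        severity, complianceStatus = "INFORMATIONAL", "PASSED"
        workflowStatus, recordState = "RESOLVED", "ARCHIVED"
        descriptionText = (
            "Resource share " + shareName + " does not have a failed status."
        )
    return {
        "SchemaVersion": "2018-10-08",
        "Id": resourceShareArn + "/ram-resource-shares-status-check",
        "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default",
        "GeneratorId": str(uuid.uuid4()),
        "AwsAccountId": awsAccountId,
        "Types": [
            "Software and Configuration Checks/AWS Security Best Practices"
        ],
        "FirstObservedAt": iso8601Time,
        "CreatedAt": iso8601Time,
        "UpdatedAt": iso8601Time,
        "Severity": {"Label": severity},
        "Confidence": 99,
        "Title": "[RAM.1] Resource share should not have a failed status",
        "Description": descriptionText,
        "Remediation": {
            "Recommendation": {
                "Text": "For more information on resource share statuses refer to the Viewing Resource Shares section of the AWS Resource Access Manager User Guide",
                "Url": "https://docs.aws.amazon.com/ram/latest/userguide/working-with-shared.html#working-with-shared-view-rs",
            }
        },
        "ProductFields": {"Product Name": "ElectricEye"},
        "Resources": [
            {
                "Type": "AwsResourceAccessManagerShare",
                "Id": resourceShareArn,
                "Partition": awsPartition,
                "Region": awsRegion,
            }
        ],
        "Compliance": {
            "Status": complianceStatus,
            "RelatedRequirements": [
                "NIST CSF ID.AM-2",
                "NIST SP 800-53 CM-8",
                "NIST SP 800-53 PM-5",
                "AICPA TSC CC3.2",
                "AICPA TSC CC6.1",
                "ISO 27001:2013 A.8.1.1",
                "ISO 27001:2013 A.8.1.2",
                "ISO 27001:2013 A.12.5.1",
            ],
        },
        "Workflow": {"Status": workflowStatus},
        "RecordState": recordState,
    }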