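def get_cred_report():
    """Generate and fetch the IAM credential report as a list of row dicts.

    Polls ``IAM_CLIENT.generate_credential_report()`` until its ``State`` is
    ``"COMPLETE"``, sleeping two seconds between polls and giving up after
    five polls, then downloads the report with ``get_credential_report``.

    Returns:
        A ``list`` of ``dict`` rows parsed from the CSV report on success;
        the string ``"Failure"`` when the report did not complete in time
        (callers test for that literal); ``None`` when the API call limit
        was exceeded (a message is printed in that case).

    Raises:
        ClientError: any AWS error other than ``LimitExceededException``.
            These used to be swallowed, which made callers fail later on an
            unexpected ``None``.
    """
    max_polls = 5
    poll_interval = 2  # seconds between generate_credential_report calls

    try:
        polls = 0
        while IAM_CLIENT.generate_credential_report()['State'] != "COMPLETE":
            time.sleep(poll_interval)
            polls += 1
            if polls == max_polls:
                return "Failure"

        cred_response = IAM_CLIENT.get_credential_report()
        # Content is the CSV body of the report as bytes.
        reader = DictReader(
            cred_response['Content'].decode('utf-8').splitlines(),
            delimiter=',')
        return list(reader)
    except ClientError as ce:
        if ce.response['Error']['Code'] == 'LimitExceededException':
            print('API call limit exceeded')
            return None
        # Anything else is unexpected here; surface it rather than
        # returning None silently.
        raise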
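def control_1_21_intial_access_keys_setup():
    """CIS 1.21: flag IAM users whose access keys were created with the user.

    Walks every IAM user and its access keys and records the user as an
    offender when a key's ``CreateDate`` equals the user's ``CreateDate``,
    i.e. the key was provisioned during initial user setup. The
    "console password" precondition in the control description is not
    checked here.

    Returns:
        dict with ``control_id``, ``scored``, ``desc``, ``result``,
        ``fail_reason`` and ``offenders`` taken from the ``Control`` object.
    """
    cont = Control(
        '1.21',
        'Do not setup access keys during initial user setup for all IAM users that have a console password',
        False)
    fail_reason = 'Keys that were created at the same time as the user profile'

    users_paginate = IAM_CLIENT.get_paginator('list_users')
    for users in users_paginate.paginate():
        for user in users['Users']:
            key_metadata = IAM_CLIENT.list_access_keys(
                UserName=user['UserName'])['AccessKeyMetadata']
            for key_meta in key_metadata:
                # The previous version compared the key's CreateDate with
                # itself (always true); compare it with the user's instead.
                if key_meta['CreateDate'] == user['CreateDate']:
                    if fail_reason not in cont.fail_reason:
                        cont.fail_reason = fail_reason
                    # NOTE(review): this keeps only the last offender;
                    # confirm whether Control.offenders should accumulate.
                    cont.offenders = user['UserName']
    if not cont.offenders:
        cont.result = True
    return {
        'control_id': cont.id,
        'scored': cont.scored,
        'desc': cont.desc,
        'result': cont.result,
        'fail_reason': cont.fail_reason,
        'offenders': cont.offenders
    }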
def control_1_16_policy_attached_grp_roles():
    """CIS 1.16: report IAM users that have policies attached directly.

    Each user is checked for managed policies
    (``list_attached_user_policies``) and inline policies
    (``list_user_policies``); a hit records the user ARN, tagged with the
    policy kind, as the offender.

    Returns:
        dict with ``control_id``, ``scored``, ``desc``, ``result``,
        ``fail_reason`` and ``offenders`` taken from the ``Control`` object.
    """
    cont = Control('1.16', 'Ensure IAM policies are attached only to groups or roles', True)
    managed_reason = "Managed Policies attached directly to user."
    inline_reason = "Inline Policies are attached directly to user."

    def record(reason, arn, tag):
        # The reason is set once; the offender string is replaced per hit.
        if reason not in cont.fail_reason:
            cont.fail_reason = reason
        cont.offenders = arn + tag

    paginator = IAM_CLIENT.get_paginator('list_users')
    for page in paginator.paginate():
        for user in page['Users']:
            if user is None:
                continue
            name = user['UserName']
            managed = IAM_CLIENT.list_attached_user_policies(UserName=name)
            if managed['AttachedPolicies']:
                record(managed_reason, user['Arn'], ":=> Managed policy")
            inline = IAM_CLIENT.list_user_policies(UserName=name)
            if inline['PolicyNames']:
                record(inline_reason, user['Arn'], ":=> Inline policy")

    if not cont.offenders:
        cont.result = True
    return {
        'control_id': cont.id,
        'scored': cont.scored,
        'desc': cont.desc,
        'result': cont.result,
        'fail_reason': cont.fail_reason,
        'offenders': cont.offenders,
    }
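def control_1_14_hardware_mfa_enabled_root():
    """CIS 1.14: check that the root account uses a hardware MFA device.

    ``AccountMFAEnabled`` from the account summary says whether root has any
    MFA at all. ``list_virtual_mfa_devices`` returns only *virtual* devices,
    so a virtual device whose serial contains ``mfa/root-account-mfa-device``
    means root MFA is software-based and the control fails. Root MFA enabled
    with no such virtual device is treated as hardware MFA and passes. The
    previous version had this inverted (it passed when the virtual device
    was found).

    Returns:
        dict with ``control_id``, ``scored``, ``desc``, ``result``,
        ``fail_reason`` and ``offenders`` taken from the ``Control`` object.
    """
    cont = Control('1.14', 'Ensure hardware MFA is enabled for the "root" account', True)
    root_mfa_enabled = IAM_CLIENT.get_account_summary()['SummaryMap']['AccountMFAEnabled']

    if root_mfa_enabled == 1:
        root_uses_virtual_mfa = False
        paginator = IAM_CLIENT.get_paginator('list_virtual_mfa_devices')
        for resp in paginator.paginate(AssignmentStatus='Any'):
            for device in resp['VirtualMFADevices']:
                if "mfa/root-account-mfa-device" in device['SerialNumber']:
                    root_uses_virtual_mfa = True
                    break
            if root_uses_virtual_mfa:
                break  # no need to fetch further pages
        if root_uses_virtual_mfa:
            cont.fail_reason = 'The root account does not have Hardware MFA'
        else:
            cont.result = True
    else:
        cont.fail_reason = 'The root account does not have MFA enabled'

    return {
        'control_id': cont.id,
        'scored': cont.scored,
        'desc': cont.desc,
        'result': cont.result,
        'fail_reason': cont.fail_reason,
        'offenders': cont.offenders
    }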
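def _grants_full_admin(statement):
    """Return True if an IAM statement allows Action ``*`` on Resource ``*``.

    ``Action`` and ``Resource`` may each be a string or a list of strings in
    policy JSON; both forms are normalised before the check. Statements
    whose ``Effect`` is not ``Allow``, or that lack an ``Action`` or
    ``Resource`` key (e.g. ``NotAction``/``NotResource`` forms), are never
    reported.
    """
    if statement.get('Effect') != 'Allow':
        return False
    if 'Action' not in statement or 'Resource' not in statement:
        return False
    actions = statement['Action']
    resources = statement['Resource']
    if isinstance(actions, str):
        actions = [actions]
    if isinstance(resources, str):
        resources = [resources]
    return '*' in actions and '*' in resources


def control_1_22_iam_full_admin_privileges():
    """CIS 1.22: flag customer-managed policies granting full ``*:*`` access.

    Reads the default version of every local (customer-managed) policy and
    records the policy ARN as an offender when any statement allows
    ``Action: "*"`` on ``Resource: "*"``. The previous version only handled
    ``Statement`` given as a list and ``Action``/``Resource`` given as
    strings; list forms (``["*"]``) and a single statement object were
    missed.

    Returns:
        dict with ``control_id``, ``scored``, ``desc``, ``result``,
        ``fail_reason`` and ``offenders`` taken from the ``Control`` object.
    """
    cont = Control(
        '1.22',
        'Ensure IAM policies that allow full "*:*" administrative privileges are not created',
        True)
    fail_reason = 'IAM policies has full "*:*" administrative privilege'

    paginator = IAM_CLIENT.get_paginator('list_policies')
    # Scope='Local' restricts the scan to customer-managed policies.
    for page in paginator.paginate(Scope='Local', OnlyAttached=False):
        for policy in page['Policies']:
            document = IAM_CLIENT.get_policy_version(
                PolicyArn=policy['Arn'],
                VersionId=policy['DefaultVersionId'])['PolicyVersion']['Document']
            statements = document['Statement']
            # A policy document may carry one statement object instead of a list.
            if isinstance(statements, dict):
                statements = [statements]
            elif not isinstance(statements, list):
                continue
            if any(_grants_full_admin(s) for s in statements):
                if fail_reason not in cont.fail_reason:
                    cont.fail_reason = fail_reason
                # NOTE(review): this keeps only the last offender;
                # confirm whether Control.offenders should accumulate.
                cont.offenders = policy['Arn']

    if not cont.offenders:
        cont.result = True
    return {
        'control_id': cont.id,
        'scored': cont.scored,
        'desc': cont.desc,
        'result': cont.result,
        'fail_reason': cont.fail_reason,
        'offenders': cont.offenders
    }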
def control_1_13_mfa_enabled_root():
    """CIS 1.13: check that MFA is enabled for the root account.

    Reads ``AccountMFAEnabled`` from the account summary; a value of ``1``
    passes the control, anything else fails it.

    Returns:
        dict with ``control_id``, ``scored``, ``desc``, ``result``,
        ``fail_reason`` and ``offenders`` taken from the ``Control`` object.
    """
    cont = Control('1.13', 'Ensure MFA is enabled for the "root" account', True)
    summary = IAM_CLIENT.get_account_summary()['SummaryMap']
    mfa_enabled = summary['AccountMFAEnabled'] == 1
    if not mfa_enabled:
        cont.fail_reason = 'The root account does not have MFA enabled'
    else:
        cont.result = True
    return dict(
        control_id=cont.id,
        scored=cont.scored,
        desc=cont.desc,
        result=cont.result,
        fail_reason=cont.fail_reason,
        offenders=cont.offenders,
    )
def control_1_20_support_role_manage_incident():
    """CIS 1.20: check that ``AWSSupportAccess`` is attached to a principal.

    Lists the entities attached to the AWS-managed ``AWSSupportAccess``
    policy; any attached group, user or role satisfies the control.

    Returns:
        dict with ``control_id``, ``scored``, ``desc``, ``result``,
        ``fail_reason`` and ``offenders`` taken from the ``Control`` object.
    """
    cont = Control(
        '1.20',
        'Ensure a support role has been created to manage incidents with AWS Support',
        True)
    support_policy_arn = 'arn:aws:iam::aws:policy/AWSSupportAccess'
    entities = IAM_CLIENT.list_entities_for_policy(PolicyArn=support_policy_arn)
    attached = any(
        entities[kind] for kind in ('PolicyGroups', 'PolicyUsers', 'PolicyRoles'))
    if attached:
        cont.result = True
    else:
        cont.fail_reason = 'AWSSupportAccess is not attached to any IAM user,group or role'
        cont.offenders = 'AWSSupportAccess should be attached to IAM user,group or role in order to manage incidents'
    return dict(
        control_id=cont.id,
        scored=cont.scored,
        desc=cont.desc,
        result=cont.result,
        fail_reason=cont.fail_reason,
        offenders=cont.offenders,
    )
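def get_password_policy():
    """Return the account password policy mapping from ``IAM_CLIENT``.

    Calls ``get_account_password_policy`` once per attempt and returns its
    ``PasswordPolicy`` when the response status is 200. The previous
    version made a second, redundant API call on success and busy-looped
    forever on any other status; this one retries a bounded number of
    times with a pause and then raises.

    Returns:
        The ``PasswordPolicy`` mapping from the API response.

    Raises:
        RuntimeError: if no 200 response is received within ``max_attempts``.
        Errors raised by the client itself (for example when the account
        has no password policy configured) propagate unchanged.
    """
    max_attempts = 5
    retry_interval = 2  # seconds between attempts

    for attempt in range(max_attempts):
        response = IAM_CLIENT.get_account_password_policy()
        if response['ResponseMetadata']['HTTPStatusCode'] == 200:
            return response['PasswordPolicy']
        if attempt < max_attempts - 1:
            time.sleep(retry_interval)
    raise RuntimeError(
        'get_account_password_policy did not return HTTP 200 after '
        f'{max_attempts} attempts')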