def control_2_6_s3_logging_enabled_cts3_bucket():
cont = Control(
'2.6',
'Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket',
True)
for each_trail in cloudtrial_describe_trails:
if 'LoggingEnabled' in S3_CLIENT.get_bucket_logging(
Bucket=each_trail['S3BucketName']):
continue
else:
if 'CloudTrail Bucket logging is not enabled' not in cont.fail_reason:
cont.fail_reason = 'CloudTrail Bucket logging is not enabled'
cont.offenders = each_trail['Name'] + \
' => ' + each_trail['S3BucketName']
if not cont.offenders:
cont.result = True
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_1_14_hardware_mfa_enabled_root():
cont = Control('1.14',
'Ensure hardware MFA is enabled for the "root" account',
True)
root_account_MFA = IAM_CLIENT.get_account_summary(
)['SummaryMap']['AccountMFAEnabled']
if root_account_MFA == 1:
hardware_MFA_paginator = IAM_CLIENT.get_paginator(
'list_virtual_mfa_devices')
for resp in hardware_MFA_paginator.paginate(AssignmentStatus='Any'):
for hardware_MFA in resp['VirtualMFADevices']:
if "mfa/root-account-mfa-device" in hardware_MFA[
'SerialNumber']:
cont.result = True
break
if cont.result is False:
cont.fail_reason = 'The root account does not have Hardware MFA'
else:
cont.fail_reason = 'The root account does not have MFA enabled'
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_4_4_vpc_peering_least_access():
cont = Control('4.4',
'Ensure routing tables for VPC peering are "least access',
False)
vpc_paginator = EC2_CLIENT.get_paginator('describe_route_tables')
for route_tables in vpc_paginator.paginate():
for routes in route_tables['RouteTables']:
for route in routes['Routes']:
if 'VpcPeeringConnectionId' in route:
if int(
str(route['DestinationCidrBlock']).split(
'/', 1)[1]) < 24:
if not cont.fail_reason:
cont.fail_reason = 'Large CIDR block routed to peer discovered'
cont.offenders = routes['RouteTableId']
if not cont.offenders:
cont.result = True
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_1_21_intial_access_keys_setup():
cont = Control(
'1.21',
'Do not setup access keys during initial user setup for all IAM users that have a console password',
False)
users_paginate = IAM_CLIENT.get_paginator('list_users')
for users in users_paginate.paginate():
for user in users['Users']:
for access_time in IAM_CLIENT.list_access_keys(
UserName=user['UserName'])['AccessKeyMetadata']:
if access_time['CreateDate'] == access_time['CreateDate']:
if 'Keys that were created at the same time as the user profile' not in cont.fail_reason:
cont.fail_reason = 'Keys that were created at the same time as the user profile'
cont.offenders = user['UserName']
if not cont.offenders:
cont.result = True
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_4_3_security_group_vpc_restricts():
cont = Control(
'4.3',
'Ensure the default security group of every VPC restricts all traffic',
True)
security_groups_iterator = EC2_CLIENT.get_paginator(
'describe_security_groups')
for groups in security_groups_iterator.paginate(Filters=[
{
'Name': 'group-name',
'Values': [
'default',
]
},
]):
for group in groups['SecurityGroups']:
if not (len(group['IpPermissions']) +
len(group['IpPermissionsEgress'])) == 0:
if not cont.fail_reason:
cont.fail_reason = 'Default security groups with ingress or egress rules discovered'
cont.offenders = group['GroupId']
if not cont.offenders:
cont.result = True
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_3_13_log_metric_alarm_for_route_table_changes():
cont = Control(
'3.13',
'Ensure a log metric filter and alarm exist for route table changes',
True)
res = monitoring_common_function([
"\$\.eventName\s*=\s*\"?CreateRoute(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?CreateRouteTable(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?ReplaceRoute(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?ReplaceRouteTableAssociation(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?DeleteRouteTable(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?DeleteRoute(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?DisassociateRouteTable(\"|\)|\s)"
], cloudtrials)
if res == 0:
cont.fail_reason = 'No trail found'
elif res == 1:
cont.fail_reason = 'No metric filter found from Log group'
elif res == 2:
cont.fail_reason = 'Pattern not found in the metric filter'
cont.offenders = 'No alarm exist for Route table changes'
elif res == 3:
cont.fail_reason = 'No alarm is found for the metric filter'
else:
cont.result = True
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_3_12_log_metric_alarm_for_network_gateway_changes():
cont = Control(
'3.12',
'Ensure a log metric filter and alarm exist for changes to network gateways',
True)
res = monitoring_common_function([
"\$\.eventName\s*=\s*\"?CreateCustomerGateway(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?DeleteCustomerGateway(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?AttachInternetGateway(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?CreateInternetGateway(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?DeleteInternetGateway(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?DetachInternetGateway(\"|\)|\s)"
], cloudtrials)
if res == 0:
cont.fail_reason = 'No trail found'
elif res == 1:
cont.fail_reason = 'No metric filter found from Log group'
elif res == 2:
cont.fail_reason = 'Pattern not found in the metric filter'
cont.offenders = 'No alarm exist for Network Gateway changes'
elif res == 3:
cont.fail_reason = 'No alarm is found for the metric filter'
else:
cont.result = True
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_3_11_log_metric_alarm_for_NACL_changes():
cont = Control(
'3.11',
'Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)',
True)
res = monitoring_common_function([
"\$\.eventName\s*=\s*\"?CreateNetworkAcl(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?CreateNetworkAclEntry(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?DeleteNetworkAcl(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?DeleteNetworkAclEntry(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?ReplaceNetworkAclEntry(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?ReplaceNetworkAclAssociation(\"|\)|\s)"
], cloudtrials)
if res == 0:
cont.fail_reason = 'No trail found'
elif res == 1:
cont.fail_reason = 'No metric filter found from Log group'
elif res == 2:
cont.fail_reason = 'Pattern not found in the metric filter'
cont.offenders = 'No alarm exist for Network Access Control Lists (NACL) changes'
elif res == 3:
cont.fail_reason = 'No alarm is found for the metric filter'
else:
cont.result = True
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_3_10_log_metric_alarm_for_security_group_changes():
cont = Control(
'3.10',
'Ensure a log metric filter and alarm exist for security group changes',
True)
res = monitoring_common_function([
"\$\.eventName\s*=\s*\"?AuthorizeSecurityGroupIngress(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?AuthorizeSecurityGroupEgress(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?RevokeSecurityGroupIngress(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?RevokeSecurityGroupEgress(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?CreateSecurityGroup(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?DeleteSecurityGroup(\"|\)|\s)"
], cloudtrials)
if res == 0:
cont.fail_reason = 'No trail found'
elif res == 1:
cont.fail_reason = 'No metric filter found from Log group'
elif res == 2:
cont.fail_reason = 'Pattern not found in the metric filter'
cont.offenders = 'No alarm exist for Security group changes'
elif res == 3:
cont.fail_reason = 'No alarm is found for the metric filter'
else:
cont.result = True
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_3_9_log_metric_alarm_for_awsconfig_config_changes():
cont = Control(
'3.9',
'Ensure a log metric filter and alarm exist for AWS Config configuration changes',
True)
res = monitoring_common_function([
"\$\.eventSource\s*=\s*\"?config\.amazonaws\.com(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?StopConfigurationRecorder(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?DeleteDeliveryChannel(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?PutDeliveryChannel(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?PutConfigurationRecorder(\"|\)|\s)"
], cloudtrials)
if res == 0:
cont.fail_reason = 'No trail found'
elif res == 1:
cont.fail_reason = 'No metric filter found from Log group'
elif res == 2:
cont.fail_reason = 'Pattern not found in the metric filter'
cont.offenders = 'No alarm exist for AWSConfig configuration changes'
elif res == 3:
cont.fail_reason = 'No alarm is found for the metric filter'
else:
cont.result = True
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_3_7_log_metric_alarm_for_disable_deletion_CMK():
cont = Control(
'3.7',
'Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs',
True)
res = monitoring_common_function([
"\$\.eventSource\s*=\s*\"?kms\.amazonaws\.com(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?DisableKey(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?ScheduleKeyDeletion(\"|\)|\s)"
], cloudtrials)
if res == 0:
cont.fail_reason = 'No trail found'
elif res == 1:
cont.fail_reason = 'No metric filter found from Log group'
elif res == 2:
cont.fail_reason = 'Pattern not found in the metric filter'
cont.offenders = 'No alarm exist for disabling or scheduled deletion of Customer Managed keys'
elif res == 3:
cont.fail_reason = 'No alarm is found for the metric filter'
else:
cont.result = True
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_3_6_log_metric_alarm_for_aws_console_auth_failures():
cont = Control(
'3.6',
'Ensure a log metric filter and alarm exist for AWS Management Console authentication failures',
True)
res = monitoring_common_function([
"\$\.eventName\s*=\s*\"?ConsoleLogin(\"|\)|\s)",
"\$\.errorMessage\s*=\s*\"?Failed authentication(\"|\)|\s)"
], cloudtrials)
if res == 0:
cont.fail_reason = 'No trail found'
elif res == 1:
cont.fail_reason = 'No metric filter found from Log group'
elif res == 2:
cont.fail_reason = 'Pattern not found in the metric filter'
cont.offenders = 'No alarm exist for AWS Console authentication failures'
elif res == 3:
cont.fail_reason = 'No alarm is found for the metric filter'
else:
cont.result = True
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_3_5_log_metric_alarm_for_cloudtrail_config_changes():
cont = Control(
'3.5',
'Ensure a log metric filter and alarm exist for CloudTrail configuration changes',
True)
res = monitoring_common_function([
"\$\.eventName\s*=\s*\"?CreateTrail(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?UpdateTrail(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?DeleteTrail(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?StartLogging(\"|\)|\s)",
"\$\.eventName\s*=\s*\"?StopLogging(\"|\)|\s)"
], cloudtrials)
if res == 0:
cont.fail_reason = 'No trail found'
elif res == 1:
cont.fail_reason = 'No metric filter found from Log group'
elif res == 2:
cont.fail_reason = 'Pattern not found in the metric filter'
cont.offenders = 'No alarm exist for Cloudtrail configuration changes'
elif res == 3:
cont.fail_reason = 'No alarm is found for the metric filter'
else:
cont.result = True
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_3_2_log_metric_alarm_for_signin_without_MFA():
cont = Control(
'3.2',
'Ensure a log metric filter and alarm exist for Management Console sign-in without MFA',
True)
res = monitoring_common_function([
"\$\.eventName\s*=\s*\"?ConsoleLogin(\"|\)|\s)",
"\$\.additionalEventData\.MFAUsed\s*\!=\s*\"?Yes"
], cloudtrials)
if res == 0:
cont.fail_reason = 'No trail found'
elif res == 1:
cont.fail_reason = 'No metric filter found from Log group'
elif res == 2:
cont.fail_reason = 'Pattern not found in the metric filter'
cont.offenders = 'No alarm exist for Sign-in without MFA'
elif res == 3:
cont.fail_reason = 'No alarm is found for the metric filter'
else:
cont.result = True
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_3_3_log_metric_alarm_for_usage_root_account():
cont = Control(
'3.3',
'Ensure a log metric filter and alarm exist for usage of "root" account',
True)
res = monitoring_common_function([
"\$\.userIdentity\.type\s*=\s*\"?Root",
"\$\.userIdentity\.invokedBy\s*NOT\s*EXISTS",
"\$\.eventType\s*\!=\s*\"?AwsServiceEvent(\"|\)|\s)"
], cloudtrials)
if res == 0:
cont.fail_reason = 'No trail found'
elif res == 1:
cont.fail_reason = 'No metric filter found from Log group'
elif res == 2:
cont.fail_reason = 'Pattern not found in the metric filter'
cont.offenders = 'No alarm exist for usage of root account'
elif res == 3:
cont.fail_reason = 'No alarm is found for the metric filter'
else:
cont.result = True
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_1_17_current_contact_details():
cont = Control('1.17', 'Maintain current contact details', False)
cont.offenders = 'Check manually in AWS console'
cont.fail_reason = 'No API available to perform this action'
cont.result = None
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_1_18_security_contact_info():
cont = Control('1.18', 'Ensure security contact information is registered',
False)
cont.fail_reason = 'Check manually in AWS console'
cont.fail_reason = 'No API available to perform this action'
cont.result = None
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_2_9_vpc_logging_enabled():
cont = Control('2.9', 'Ensure VPC flow logging is enabled in all VPCs',
True)
cont.fail_reason = 'API is not available to perform this action'
cont.offenders = 'Cannot perform this action'
cont.result = None
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_1_3_creds_unused_90_days():
cont = Control(
"1.3", 'Ensure credentials unused for 90 days or greater are disabled',
True)
report = CRED_REPORT
for each_report in report:
try:
if each_report['password_enabled'] == 'true':
passd_date = (
datetime.strptime(now, fmt) -
datetime.strptime(each_report['password_last_used'], fmt))
if passd_date.days > 90:
if 'Password unused more than 90 days.' not in cont.fail_reason:
cont.fail_reason = 'Password unused more than 90 days.'
cont.offenders = each_report['arn'] + "=>:password"
except:
pass
try:
if each_report['access_key_1_active'] == 'true':
access_key_1_date = (
datetime.strptime(now, fmt) - datetime.strptime(
each_report['access_key_1_last_used_date'], fmt))
if access_key_1_date.days > 90:
if 'Access key unused more than 90 days.' not in cont.fail_reason:
cont.fail_reason = 'Access key unused more than 90 days.'
cont.offenders = each_report['arn'] + "=>:access_key_1"
except:
pass
try:
if each_report['access_key_2_active'] == 'true':
access_key_1_date = (
datetime.strptime(now, fmt) - datetime.strptime(
each_report['access_key_2_last_used_date'], fmt))
if access_key_1_date.days > 90:
if 'Access key unused more than 90 days.' not in cont.fail_reason:
cont.fail_reason = 'Access key unused more than 90 days.'
cont.offenders = each_report['arn'] + "=>:access_key_2"
except:
pass
if not cont.offenders:
cont.result = True
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_1_15_security_question():
cont = Control(
'1.15', 'Ensure security questions are registered in the AWS account',
False)
cont.fail_reason = 'No API available to perform this action'
cont.offenders = 'Check it manually using the AWS console'
cont.result = None
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_1_19_iam_instance_roles():
cont = Control(
'1.19',
'Ensure IAM instance roles are used for AWS resource access from instances',
False)
cont.fail_reason = 'Check manually in AWS console'
cont.fail_reason = 'No API available to perform this action'
cont.result = None
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_3_1_log_metric_alarm_for_unauthorized_API():
cont = Control(
'3.1',
'Ensure a log metric filter and alarm exist for unauthorized API calls',
True)
res = monitoring_common_function([
"\$\.errorCode\s*=\s*\"?\*UnauthorizedOperation(\"|\)|\s)",
"\$\.errorCode\s*=\s*\"?AccessDenied\*(\"|\)|\s)"
], cloudtrials)
if res == 0:
cont.fail_reason = 'No trail found'
elif res == 1:
cont.fail_reason = 'No metric filter found from Log group'
elif res == 2:
cont.fail_reason = 'Pattern not found in the metric filter'
elif res == 3:
cont.fail_reason = 'No alarm is found for the metric filter'
else:
cont.result = True
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_1_16_policy_attached_grp_roles():
cont = Control('1.16',
'Ensure IAM policies are attached only to groups or roles',
True)
all_users_paginator = IAM_CLIENT.get_paginator('list_users')
for users in all_users_paginator.paginate():
for user in users['Users']:
if user is None:
continue
if IAM_CLIENT.list_attached_user_policies(
UserName=user['UserName'])['AttachedPolicies']:
if 'Managed Policies attached directly to user.' not in cont.fail_reason:
cont.fail_reason = "Managed Policies attached directly to user."
cont.offenders = user['Arn'] + ":=> Managed policy"
if IAM_CLIENT.list_user_policies(
UserName=user['UserName'])['PolicyNames']:
if 'Inline Policies are attached directly to user.' not in cont.fail_reason:
cont.fail_reason = "Inline Policies are attached directly to user."
cont.offenders = user['Arn'] + ":=> Inline policy"
if not cont.offenders:
cont.result = True
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_1_13_mfa_enabled_root():
cont = Control('1.13', 'Ensure MFA is enabled for the "root" account',
True)
root_account_MFA = IAM_CLIENT.get_account_summary(
)['SummaryMap']['AccountMFAEnabled']
if root_account_MFA == 1:
cont.result = True
else:
cont.fail_reason = 'The root account does not have MFA enabled'
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_2_7_cloudtrail_logs_encrypted_kms():
cont = Control(
'2.7', 'Ensure CloudTrail logs are encrypted at rest using KMS CMKs',
True)
for each_trail in cloudtrial_describe_trails:
if not 'KmsKeyId' in each_trail:
if not cont.fail_reason:
cont.fail_reason = 'CloudTrail Logs are not encrypted at rest using CMK'
cont.offenders = each_trail['TrailARN']
if not cont.offenders:
cont.result = True
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_1_8_passwd_policy_one_number():
cont = Control('1.8',
'Ensure IAM password policy require at least one number',
True)
if ACCOUNT_PASSWORD_POLICY is False:
cont.fail_reason = "Account does not have a IAM password policy"
else:
if ACCOUNT_PASSWORD_POLICY['RequireNumbers'] is True:
cont.result = True
else:
cont.fail_reason = 'Require atleast one number is not set.'
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_1_6_passwd_policy_lowercase():
cont = Control(
'1.6',
'Ensure IAM password policy require at least one lowercase letter',
True)
if ACCOUNT_PASSWORD_POLICY is False:
cont.fail_reason = "Account does not have a IAM password policy"
else:
if ACCOUNT_PASSWORD_POLICY['RequireLowercaseCharacters'] is True:
cont.result = True
else:
cont.fail_reason = 'Require lowercase characters is not set.'
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_1_20_support_role_manage_incident():
cont = Control(
'1.20',
'Ensure a support role has been created to manage incidents with AWS Support',
True)
entities = IAM_CLIENT.list_entities_for_policy(
PolicyArn='arn:aws:iam::aws:policy/AWSSupportAccess')
if entities['PolicyGroups'] or entities['PolicyUsers'] or entities[
'PolicyRoles']:
cont.result = True
else:
cont.fail_reason = 'AWSSupportAccess is not attached to any IAM user,group or role'
cont.offenders = 'AWSSupportAccess should be attached to IAM user,group or role in order to manage incidents'
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_1_12_no_root_account_key():
cont = Control('1.12', 'Ensure no root account access key exists', True)
root_access_key = CRED_REPORT[0]
try:
if root_access_key['user'] == '<root_account>':
if root_access_key[
'access_key_1_active'] == 'false' and root_access_key[
'access_key_2_active'] == 'false':
cont.result = True
else:
cont.fail_reason = 'The root account access key exists'
except:
pass
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
def control_1_22_iam_full_admin_privileges():
cont = Control(
'1.22',
'Ensure IAM policies that allow full "*:*" administrative privileges are not created',
True)
policies_paginator = IAM_CLIENT.get_paginator('list_policies')
for policies in policies_paginator.paginate(Scope='Local',
OnlyAttached=False):
for each_policy in policies['Policies']:
statements = IAM_CLIENT.get_policy_version(
PolicyArn=each_policy['Arn'],
VersionId=each_policy['DefaultVersionId']
)['PolicyVersion']['Document']['Statement']
if isinstance(statements, list):
for each_statement in statements:
if 'Action' in each_statement.keys(
) and each_statement['Effect'] == 'Allow':
if isinstance(each_statement['Action'],
str) or isinstance(
each_statement['Resource'], str):
if each_statement[
'Action'] == '*' and each_statement[
'Resource'] == '*':
if 'IAM policies has full "*:*" administrative privilege' not in cont.fail_reason:
cont.fail_reason = 'IAM policies has full "*:*" administrative privilege'
cont.offenders = each_policy['Arn']
if not cont.offenders:
cont.result = True
return {
'control_id': cont.id,
'scored': cont.scored,
'desc': cont.desc,
'result': cont.result,
'fail_reason': cont.fail_reason,
'offenders': cont.offenders
}
