def get_bucket_encryption(trace_id, s3_client, bucket, aws_account, region_name, is_cw_logger=False): if (is_cw_logger): logger = common_utils.begin_cw_logger(trace_id, __name__, inspect.currentframe()) else: logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) bucket_encryption = [] try: result = s3_client.get_bucket_encryption(Bucket=bucket) except ClientError as e: if e.response["Error"]["Code"] == CommonConst.SERVER_SIDE_ENCRYPTION_CONFIGURATION_NOT_FOUND_ERROR: logger.info("[%s]S3バケット暗号化情報がありません。(%s/%s)", aws_account, region_name, bucket) raise PmError(cause_error=e) elif e.response['Error']['Code'] in CommonConst.S3_SKIP_EXCEPTION: logger.warning("[%s] 権限エラーによりS3バケットリージョン情報の取得に失敗しました。(%s/%s)", aws_account, region_name, bucket) raise common_utils.write_log_warning(e, logger) else: logger.error("[%s]S3バケット暗号化情報の取得に失敗しました。(%s/%s)", aws_account, region_name, bucket) raise common_utils.write_log_exception(e, logger) if common_utils.check_key("ServerSideEncryptionConfiguration", result): if common_utils.check_key("Rules", result["ServerSideEncryptionConfiguration"]): bucket_encryption = result["ServerSideEncryptionConfiguration"]["Rules"] return bucket_encryption
def get_credential_report(trace_id, session, awsaccount): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) # 対象AWSアカウントに対する接続を作成します。 try: client = session.client(service_name="iam") except ClientError as e: pm_logger.error("[%s] IAMクライアント作成に失敗しました。", awsaccount) raise common_utils.write_log_exception(e, pm_logger) # IAMユーザーのCredentialReportを取得します。 try: result = client.generate_credential_report() while (result['State'] != 'COMPLETE'): time.sleep(2) result = client.generate_credential_report() credential_report = client.get_credential_report() except ClientError as e: pm_logger.error("[%s] CredentialReportの取得に失敗しました。", awsaccount) raise common_utils.write_log_exception(e, pm_logger) # return data if common_utils.check_key("Content", credential_report): return str(credential_report['Content'].decode()) return []
def get_list_policies(trace_id, session, awsaccount): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) # 対象AWSアカウントに対する接続を作成します。 try: client = session.client(service_name="iam") except ClientError as e: pm_logger.error("[%s] IAMクライアント作成に失敗しました。", awsaccount) raise common_utils.write_log_exception(e, pm_logger) # IAMのアカウントパスワードポリシー情報を取得します。 policies = [] try: response = client.list_policies() if common_utils.check_key("Policies", response): policies = response["Policies"] # AWS SDKを用いて複数件のリソース情報取得を行う際の注意事項 is_truncated = response['IsTruncated'] while (is_truncated is True): marker = response['Marker'] response = client.list_policies(Marker=marker) policies.extend(response['Policies']) is_truncated = response['IsTruncated'] except ClientError as e: pm_logger.error("[%s] ポリシー一覧情報の取得に失敗しました。", awsaccount) raise common_utils.write_log_exception(e, pm_logger) # return data return policies
def describe_security_groups(trace_id, awsaccount, ec2_client, region_name): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) security_groups = [] try: response = ec2_client.describe_security_groups() if common_utils.check_key("SecurityGroups", response): security_groups = response["SecurityGroups"] next_token = None if 'NextToken' in response: next_token = response['NextToken'] while (next_token is not None): response = ec2_client.describe_security_groups( NextToken=next_token) security_groups.extend(response['SecurityGroups']) if 'NextToken' in response: next_token = response['NextToken'] else: next_token = None except ClientError as e: pm_logger.error("[%s/%s] セキュリティグループ情報の取得に失敗しました。", awsaccount, region_name) raise common_utils.write_log_exception(e, pm_logger) return security_groups
def describe_metric_filters(trace_id, logs_client, aws_account, region_name, cloud_trail_log_group_name): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) metric_filters = [] try: response = logs_client.describe_metric_filters( logGroupName=cloud_trail_log_group_name) if common_utils.check_key("metricFilters", response): metric_filters = response["metricFilters"] next_token = None if 'NextToken' in response: next_token = response['NextToken'] while(next_token is not None): response = logs_client.describe_metric_filters( logGroupName=cloud_trail_log_group_name, NextToken=next_token) metric_filters.extend(response['metricFilters']) if 'NextToken' in response: next_token = response['NextToken'] else: next_token = None except ClientError as e: pm_logger.error("[%s/%s] メトリクスフィルタ情報の取得に失敗しました。:LogGroupName=%s", aws_account, region_name, cloud_trail_log_group_name) raise common_utils.write_log_warning(e, pm_logger) return metric_filters
def describe_volumes(trace_id, awsaccount, ec2_client, region_name, is_cw_logger=False): if (is_cw_logger): logger = common_utils.begin_cw_logger(trace_id, __name__, inspect.currentframe()) else: logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) ebs_volumes = [] try: response = ec2_client.describe_volumes() if common_utils.check_key("Volumes", response): ebs_volumes = response["Volumes"] next_token = None if 'NextToken' in response: next_token = response['NextToken'] while (next_token is not None): response = ec2_client.describe_volumes(NextToken=next_token) ebs_volumes.extend(response['Volumes']) if 'NextToken' in response: next_token = response['NextToken'] else: next_token = None except ClientError as e: logger.error("[%s/%s] EBSボリューム情報の取得に失敗しました。", awsaccount, region_name) raise common_utils.write_log_exception(e, logger) return ebs_volumes
def describe_alarms(trace_id, aws_account, cloudwatch_client, region_name): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) metric_alarms = [] try: response = cloudwatch_client.describe_alarms() if common_utils.check_key("MetricAlarms", response): metric_alarms = response["MetricAlarms"] next_token = None if 'NextToken' in response: next_token = response['NextToken'] while (next_token is not None): response = cloudwatch_client.describe_alarms(NextToken=next_token) metric_alarms.extend(response['MetricAlarms']) if 'NextToken' in response: next_token = response['NextToken'] else: next_token = None except ClientError as e: pm_logger.error("[%s/%s] CloudWatchAlarm情報の取得に失敗しました。", aws_account, region_name) raise common_utils.write_log_warning(e, pm_logger) return metric_alarms
def query_key(trace_id, table_name, key, is_cw_logger=False): if (is_cw_logger): logger = common_utils.begin_cw_logger(trace_id, __name__, inspect.currentframe()) else: logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) try: table = connect_dynamodb(table_name) result = table.get_item(Key=key) result_item = None if (common_utils.check_key('Item', result)): result_item = result['Item'] return common_utils.response(result_item, logger) except ClientError as e: if retrycheck.check_retryable(e.response): retry_exception = RetryException(cause_error=e) logger.error(retry_exception) logger.exception("error_id: %s", retry_exception.error_id) raise retry_exception else: no_retry_exception = NoRetryException( cause_error=e, message=e.response['Error']['Message']) logger.error(no_retry_exception) raise no_retry_exception
def query_index(trace_id, table_name, index_name, key_conditions, filter_expression, scan_index_forward=True, is_cw_logger=False): if (is_cw_logger): logger = common_utils.begin_cw_logger(trace_id, __name__, inspect.currentframe()) else: logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) exclusiveStartKey = None list_data = [] while True: try: result = query_index_db(trace_id, table_name, index_name, key_conditions, filter_expression, scan_index_forward, exclusiveStartKey, is_cw_logger=is_cw_logger) list_data.extend(result['Items']) if common_utils.check_key('LastEvaluatedKey', result) is False: break exclusiveStartKey = result['LastEvaluatedKey'] except Exception as e: logger.error(e) break return common_utils.response(list_data, logger)
def list_subscriptions_by_topic(trace_id, sns_client, aws_account, region_name, topic_arn): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) subscriptions = [] try: response = sns_client.list_subscriptions_by_topic(TopicArn=topic_arn) if common_utils.check_key("Subscriptions", response): subscriptions = response["Subscriptions"] next_token = None if 'NextToken' in response: next_token = response['NextToken'] while (next_token is not None): response = sns_client.list_subscriptions_by_topic( TopicArn=topic_arn, NextToken=next_token) subscriptions.extend(response['Subscriptions']) if 'NextToken' in response: next_token = response['NextToken'] else: next_token = None except ClientError as e: pm_logger.error("[%s/%s] SNS Topicサブスクリプション情報の取得に失敗しました。: TopicArn=%s", aws_account, region_name, topic_arn) raise common_utils.write_log_warning(e, pm_logger) return subscriptions
def get_data_json_by_key(key, json): result = None if common_utils.check_key( key, json) and common_utils.is_null(json[key]) is False: if (common_utils.is_number(json[key])): result = str(json[key]) else: result = json[key] return result
def get_check_cis_item_4_03_result(check1, check2, region_name): result = { 'Region': region_name, 'Level': CommonConst.LEVEL_CODE_11, 'DetectionItem': {} } if len(check1) > 0: result['DetectionItem']['AbnormalitySecurityGroups'] = check1 if len(check2) > 0: result_check2 = [] for item in check2: sub_result_check2 = {} if common_utils.check_key('InstanceId', item) is True: sub_result_check2['InstanceId'] = item['InstanceId'] if common_utils.check_key('InstanceName', item) is True: sub_result_check2['InstanceName'] = item['InstanceName'] result_check2.append(sub_result_check2) result['DetectionItem']['AbnormalityEc2Instances'] = result_check2 return result
def query_key(table_name, key): try: table = resource_connect().Table(table_name.value) result = table.get_item(Key=key) result_item = None if (common_utils.check_key('Item', result)): result_item = result['Item'] return result_item except Exception as e: raise e
def describe_vpcs(trace_id, aws_account, ec2_client, region_name): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) try: vpc_info = ec2_client.describe_vpcs() except ClientError as e: pm_logger.error("[%s/%s] VPC情報の取得に失敗しました。", aws_account, region_name) raise common_utils.write_log_exception(e, pm_logger) if common_utils.check_key("Vpcs", vpc_info): return vpc_info['Vpcs'] return []
def get_list_distributions(trace_id, cloud_front_client, aws_account): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) distribution_list = [] try: response = cloud_front_client.list_distributions() if common_utils.check_key('DistributionList', response): if common_utils.check_key('Items', response['DistributionList']): distribution_list = response['DistributionList']['Items'] is_truncated = response['DistributionList']['IsTruncated'] while (is_truncated is True): next_marker = response['DistributionList']['NextMarker'] response = cloud_front_client.list_distributions( Marker=next_marker) distribution_list.extend( response['DistributionList']['Items']) is_truncated = response['DistributionList']['IsTruncated'] except ClientError as e: pm_logger.error("[%s] ディストリビューション一覧情報取得に失敗しました。", aws_account) raise common_utils.write_log_exception(e, pm_logger) return distribution_list
def get_policy_version(trace_id, client, aws_account, policy_arn, version_id): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) try: response = client.get_policy_version(PolicyArn=policy_arn, VersionId=version_id) except ClientError as e: pm_logger.error("[%s]ポリシー情報の取得に失敗しました。(%s)", aws_account, policy_arn) raise common_utils.write_log_exception(e, pm_logger) if common_utils.check_key("PolicyVersion", response): return response['PolicyVersion'] return []
def describe_cloud_trails(trace_id, awsaccount, trail_client, region_name): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) trail_lists = [] try: result = trail_client.describe_trails(includeShadowTrails=False) except ClientError as e: pm_logger.error("[%s/%s] CloudTrail情報の取得に失敗しました。", awsaccount, region_name) raise common_utils.write_log_exception(e, pm_logger) if common_utils.check_key("trailList", result): trail_lists = result["trailList"] return trail_lists
def query(table_name, key_conditions, filter_expression): exclusiveStartKey = None list_data = [] while True: try: result = query_db(table_name, key_conditions, filter_expression, exclusiveStartKey) list_data.extend(result['Items']) if common_utils.check_key('LastEvaluatedKey', result) is False: break exclusiveStartKey = result['LastEvaluatedKey'] except Exception as e: raise e break return list_data
def describe_delivery_channels(trace_id, awsaccount, config_client, region_name): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) delivery_channels = [] try: response = config_client.describe_delivery_channels() if common_utils.check_key("DeliveryChannels", response): delivery_channels = response["DeliveryChannels"] except ClientError as e: pm_logger.error("[%s/%s] Configデリバリーチャネル情報の取得に失敗しました。", awsaccount, region_name) raise common_utils.write_log_exception(e, pm_logger) return delivery_channels
def describe_configuration_recorders(trace_id, awsaccount, config_client, region_name): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) configuration_recorders = [] try: response = config_client.describe_configuration_recorders() if common_utils.check_key("ConfigurationRecorders", response): configuration_recorders = response["ConfigurationRecorders"] except ClientError as e: pm_logger.error("[%s/%s] Configレコーダー情報の取得に失敗しました。", awsaccount, region_name) raise common_utils.write_log_exception(e, pm_logger) return configuration_recorders
def sqs_receive_message(trace_id): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) queue_url = os.environ.get("SQS_ORGANIZATION_QUEUE") try: client = boto3.client("sqs") response = client.receive_message( QueueUrl=queue_url, MaxNumberOfMessages=10 ) messages = None if (common_utils.check_key('Messages', response)): messages = common_utils.response(response['Messages'], pm_logger) return common_utils.response(messages, pm_logger) except ClientError as e: common_utils.write_log_exception(e, pm_logger, True)
def create_notifyslack(trace_id, organization_id, data_body): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) # リクエストボディのJSONでパースエラーが発生した場合は、ログを出力してエラーレスポンスを返します。 try: body_object = json.loads(data_body) notify_code = body_object['notifyCode'] webhook_url = body_object['webhookUrl'] except Exception as e: return common_utils.error_exception(MsgConst.ERR_REQUEST_202, HTTPStatus.BAD_REQUEST, e, pm_logger, True) mentions = None if common_utils.check_key('mentions', body_object): mentions = body_object['mentions'] # バリデーションチェックを行います。 list_error = validate_notifyslack(notify_code, webhook_url) if list_error: return common_utils.error_validate(MsgConst.ERR_REQUEST_201, HTTPStatus.UNPROCESSABLE_ENTITY, list_error, pm_logger) # Slack通知設定情報を作成します。 try: pm_orgNotifySlack.create(trace_id, organization_id, notify_code, webhook_url, mentions) except PmError as e: return common_utils.error_exception(MsgConst.ERR_DB_403, HTTPStatus.INTERNAL_SERVER_ERROR, e, pm_logger, True) # get record created try: org_notify_slack_created = pm_orgNotifySlack.query_key( trace_id, organization_id, notify_code, True) except PmError as e: return common_utils.error_exception(MsgConst.ERR_402, HTTPStatus.INTERNAL_SERVER_ERROR, e, pm_logger, True) # return data response = common_utils.get_response_by_response_body( HTTPStatus.CREATED, org_notify_slack_created) return common_utils.response(response, pm_logger)
def get_account_summary(trace_id, session, aws_account): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) # 対象AWSアカウントに対する接続を作成します。 try: client = session.client(service_name="iam") except ClientError as e: pm_logger.error("[%s] IAMクライアント作成に失敗しました。", aws_account) raise common_utils.write_log_exception(e, pm_logger) try: response = client.get_account_summary() except ClientError as e: pm_logger.error("[%s] アカウントサマリーの取得に失敗しました。", aws_account) raise common_utils.write_log_exception(e, pm_logger) if common_utils.check_key("SummaryMap", response): return response['SummaryMap'] return []
def get_event_selectors(trace_id, awsaccount, trail_client, region_name, trail_arn): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) event_selectors = [] try: result = trail_client.get_event_selectors(TrailName=trail_arn) except ClientError as e: pm_logger.error("[%s/%s] CloudTrailのイベントセレクタ情報の取得に失敗しました。", awsaccount, region_name) data_body = {'TrailARN': trail_arn} pm_error = common_utils.write_log_exception(e, pm_logger) pm_error.pm_notification_error = PmNotificationError( code_error=CommonConst.KEY_CODE_ERROR_GET_EVENT_SELECTORS, data_body=data_body) raise common_utils.write_log_pm_error(pm_error, pm_logger) if common_utils.check_key("EventSelectors", result): event_selectors = result["EventSelectors"] return event_selectors
def check_ibp_item_07_08(trace_id, check_history_id, organization_id, project_id, aws_account, session, result_json_path): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) check_results = [] # チェック結果 try: account_password_policy = ibp_item_common_logic.get_account_password_policy( trace_id, check_history_id, organization_id, project_id, aws_account, session, result_json_path) if (common_utils.check_key("AllowUsersToChangePassword", account_password_policy) is False or account_password_policy['AllowUsersToChangePassword'] is False): check_results.append(get_check_ibp_item_07_08_result()) except PmError as e: if e.cause_error.response['Error'][ 'Code'] == CommonConst.NO_SUCH_ENTITY: check_results.append(get_check_ibp_item_07_08_result()) else: pm_logger.error("[%s] チェック処理中にエラーが発生しました。", aws_account) return CheckResult.Error # Export File CHECK_IBP_ITEM_07_08.json try: current_date = date_utils.get_current_date_by_format( date_utils.PATTERN_YYYYMMDDHHMMSS) check_password_policy = { 'AWSAccount': aws_account, 'CheckResults': check_results, 'DateTime': current_date } FileUtils.upload_s3(trace_id, check_password_policy, result_json_path, True) except Exception as e: pm_logger.error("[%s] チェック結果JSONファイルの保存に失敗しました。", aws_account) return CheckResult.Error # チェック結果 if len(check_results) == 0: return CheckResult.Normal return CheckResult.CriticalDefect
def get_all_organizationTask(trace_id): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) exclusiveStartKey = None organizationTasks = [] limit = 10 while True: try: result = DB_utils.scan(trace_id, Tables.PM_ORGANIZATION_TASKS, limit, exclusiveStartKey) organizationTasks.extend(result['Items']) if (common_utils.check_key('LastEvaluatedKey', result)): exclusiveStartKey = result['LastEvaluatedKey'] else: break time.sleep(1) except PmError as e: break return common_utils.response(organizationTasks, pm_logger)
def get_bucket_location(trace_id, s3_client, bucket, aws_account, is_cw_logger=False): if (is_cw_logger): logger = common_utils.begin_cw_logger(trace_id, __name__, inspect.currentframe()) else: logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) try: result = s3_client.get_bucket_location(Bucket=bucket) except ClientError as e: if e.response['Error']['Code'] in CommonConst.S3_SKIP_EXCEPTION: logger.warning("[%s] 権限エラーによりS3バケットリージョン情報の取得に失敗しました。(%s)", aws_account, bucket) raise common_utils.write_log_warning(e, logger) else: logger.error("[%s]S3バケットリージョン情報の取得に失敗しました。(%s)", aws_account, bucket) raise common_utils.write_log_exception(e, logger) if common_utils.check_key("LocationConstraint", result): return result["LocationConstraint"] return None
def describe_instances(trace_id, awsaccount, ec2_client, region_name): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) reservation_instances = [] try: response = ec2_client.describe_instances() if common_utils.check_key("Reservations", response): reservation_instances = response["Reservations"] next_token = None if 'NextToken' in response: next_token = response['NextToken'] while (next_token is not None): response = ec2_client.describe_instances(NextToken=next_token) reservation_instances.extend(response['Reservations']) if 'NextToken' in response: next_token = response['NextToken'] else: next_token = None except ClientError as e: pm_logger.error("[%s/%s] EC2インスタンス情報の取得に失敗しました。", awsaccount, region_name) raise common_utils.write_log_exception(e, pm_logger) return reservation_instances
def get_all_projects(trace_id): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) exclusiveStartKey = None projects = [] limit = int(common_utils.get_environ("NUM_OF_PROJECT_ITEMS_PER_1TIME")) segment = 0 while True: try: result = DB_utils.scan(trace_id, Tables.PM_PROJECTS, limit, exclusiveStartKey) projects.extend(result['Items']) if (common_utils.check_key('LastEvaluatedKey', result)): exclusiveStartKey = result['LastEvaluatedKey'] else: break segment += 1 time.sleep(1) except PmError as e: pm_logger.warning("プロジェクト情報取得に失敗しました。: 取得回数=%s、一度に取得する件数=%s", segment, limit) break return common_utils.response(projects, pm_logger), segment
def describe_flow_logs(trace_id, aws_account, ec2_client, region_name): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) flow_logs = [] try: response = ec2_client.describe_flow_logs() if common_utils.check_key("FlowLogs", response): flow_logs = response["FlowLogs"] next_token = None if 'NextToken' in response: next_token = response['NextToken'] while (next_token is not None): response = ec2_client.describe_flow_logs(NextToken=next_token) flow_logs.extend(response['FlowLogs']) if 'NextToken' in response: next_token = response['NextToken'] else: next_token = None except ClientError as e: pm_logger.error("[%s/%s] VPCフローログ情報の取得に失敗しました。", aws_account, region_name) raise common_utils.write_log_exception(e, pm_logger) return flow_logs