def test_crossaccount_snstopicpolicy_method_1(self):
au = SNSAuditor(debug=True)
data = {
'policy': {
'Statement': [
{
'Principal': {
'AWS': '*'
},
'Condition': {
'StringEquals': {
'AWS:SourceOwner': '000000000000'
}
}
}
]
}
}
obj = SNSItem(region='test-region', account='test-account', name='test-name', config=data)
au.check_snstopicpolicy_crossaccount(obj)
self.assertEquals(len(obj.audit_issues), 1)
if len(obj.audit_issues) == 1:
for issue in obj.audit_issues:
self.assertEquals(issue.score, 10)
self.assertRegexpMatches(issue.issue, "Unknown Cross Account Access from .*")
self.assertIsNone(issue.notes)
def test_check_snstopicpolicy_empty(self):
auditor = SNSAuditor(accounts=['TEST_ACCOUNT'])
item = SNSItem(config=dict())
auditor.check_snstopicpolicy_empty(item)
self.assertEqual(len(item.audit_issues), 1)
self.assertEqual(item.audit_issues[0].score, 1)
def test_crossaccount_snstopicpolicy_method_1(self):
au = SNSAuditor(debug=True)
data = {
'SNSPolicy': {
'Statement': [
{
'Principal': {
'AWS': '*'
},
'Condition': {
'StringEquals': {
'AWS:SourceOwner': '000000000000'
}
}
}
]
}
}
obj = SNSItem(region='test-region', account='test-account', name='test-name', config=data)
au.check_snstopicpolicy_crossaccount(obj)
self.assertEquals(len(obj.audit_issues), 1)
if len(obj.audit_issues) == 1:
for issue in obj.audit_issues:
self.assertEquals(issue.score, 10)
self.assertRegexpMatches(issue.issue, "Unknown Cross Account Access from .*")
self.assertIsNone(issue.notes)
def test_check_snstopicpolicy_empty(self):
auditor = SNSAuditor(accounts=['TEST_ACCOUNT'])
item = SNSItem(config=dict())
auditor.check_snstopicpolicy_empty(item)
self.assertEquals(len(item.audit_issues), 1)
self.assertEquals(item.audit_issues[0].score, 1)
def test_crossaccount_snstopicpolicy_method_5(self):
au = SNSAuditor(debug=True)
data = {
'policy': {
'Statement': [{
'Principal': {
'AWS': '*'
},
'Condition': {
'StringEquals': {
# Missing SourceOwner
}
}
}]
}
}
obj = SNSItem(region='test-region',
account='test-account',
name='test-name',
config=data)
au.check_snstopicpolicy_crossaccount(obj)
self.assertEquals(len(obj.audit_issues), 1)
issue = obj.audit_issues[0]
self.assertEqual(issue.score, 10)
self.assertEqual(issue.issue, "SNS Topic open to everyone")
def check_arn(self, arn):
au = SNSAuditor(debug=True)
data = {'policy': {'Statement': [{'Principal': {'AWS': arn}}]}}
obj = SNSItem(region='test-region',
account='test-account',
name='test-name',
config=data)
au.check_snstopicpolicy_crossaccount(obj)
return obj
def test_empty_snstopicpolicy(self):
au = SNSAuditor(debug=True)
obj = SNSItem(region='test-region', account='test-account', name='test-name', config={'policy': {}})
au.check_snstopicpolicy_empty(obj)
self.assertEquals(len(obj.audit_issues), 1)
if len(obj.audit_issues) == 1:
for issue in obj.audit_issues:
self.assertEquals(issue.score, 1)
self.assertEquals(issue.issue, "SNS Topic Policy is empty")
self.assertIsNone(issue.notes)
def test_empty_snstopicpolicy(self):
au = SNSAuditor(debug=True)
obj = SNSItem(region='test-region', account='test-account', name='test-name', config={'SNSPolicy': {}})
au.check_snstopicpolicy_empty(obj)
self.assertEquals(len(obj.audit_issues), 1)
if len(obj.audit_issues) == 1:
for issue in obj.audit_issues:
self.assertEquals(issue.score, 1)
self.assertEquals(issue.issue, "SNS Topic Policy is empty")
self.assertIsNone(issue.notes)
def audit_sns(accounts, send_report):
""" Runs auditors/sns """
accounts = __prep_accounts__(accounts)
au = SNSAuditor(accounts=accounts, debug=True)
au.audit_all_objects()
if send_report:
report = au.create_report()
au.email_report(report)
au.save_issues()
db.session.close()
def __init__(self, accounts=None, alert_accounts=None, debug=False):
self.account_watchers = {}
self.account_alerters = {}
if not alert_accounts:
alert_accounts = accounts
for account in accounts:
self.account_watchers[account] = [
(SQS(accounts=[account], debug=debug), None),
(ELB(accounts=[account], debug=debug), None),
(IAMSSL(accounts=[account], debug=debug), None),
(RDSSecurityGroup(accounts=[account], debug=debug),
RDSSecurityGroupAuditor(accounts=[account], debug=debug)),
(SecurityGroup(accounts=[account], debug=debug),
SecurityGroupAuditor(accounts=[account], debug=debug)),
(S3(accounts=[account],
debug=debug), S3Auditor(accounts=[account], debug=debug)),
(IAMUser(accounts=[account], debug=debug),
IAMUserAuditor(accounts=[account], debug=debug)),
(IAMGroup(accounts=[account], debug=debug), None),
(IAMRole(accounts=[account], debug=debug), None),
(Keypair(accounts=[account], debug=debug), None),
(SNS(accounts=[account],
debug=debug), SNSAuditor(accounts=[account], debug=debug))
]
if account in alert_accounts:
self.account_alerters[account] = Alerter(
watchers_auditors=self.account_watchers[account],
account=account)
def check_arn(self, arn):
au = SNSAuditor(debug=True)
data = {
'policy': {
'Statement': [
{
'Principal': {
'AWS': arn
}
}
]
}
}
obj = SNSItem(region='test-region', account='test-account', name='test-name', config=data)
au.check_snstopicpolicy_crossaccount(obj)
return obj
def audit_sns(accounts, send_report):
""" Runs auditors/sns """
accounts = __prep_accounts__(accounts)
au = SNSAuditor(accounts=accounts, debug=True)
au.audit_all_objects()
if send_report.lower() == 'true' or send_report == True:
report = au.create_report()
au.email_report(report)
au.save_issues()
db.session.close()
def find_sns_changes(accounts):
""" Runs watchers/sns """
accounts = __prep_accounts__(accounts)
cw = SNS(accounts=accounts, debug=True)
(items, exception_map) = cw.slurp()
cw.find_changes(current=items, exception_map=exception_map)
# Audit these changed items
items_to_audit = []
for item in cw.created_items + cw.changed_items:
snsitem = SNSItem(region=item.region, account=item.account, name=item.name, config=item.new_config)
items_to_audit.append(snsitem)
au = SNSAuditor(debug=True)
au.audit_these_objects(items_to_audit)
au.save_issues()
cw.save()
db.session.close()
def test_check_subscriptions_crossaccount(self):
auditor = SNSAuditor(accounts=['TEST_ACCOUNT'])
auditor.prep_for_audit()
# Unknown account ID
item = SNSItem(config=dict(
subscriptions=[{
"Owner": "020202020202",
"Endpoint": "*****@*****.**",
"Protocol": "email",
"TopicArn": "arn:aws:sns:us-east-1:020202020202:somesnstopic",
"SubscriptionArn": "arn:aws:sns:us-east-1:020202020202:somesnstopic:..."
}]))
auditor.check_subscriptions_crossaccount(item)
self.assertEqual(len(item.audit_issues), 1)
self.assertEqual(item.audit_issues[0].score, 10)
# Friendly account ID
item = SNSItem(config=dict(
subscriptions=[{
"Owner": "222222222222",
"Endpoint": "*****@*****.**",
"Protocol": "email",
"TopicArn": "arn:aws:sns:us-east-1:012345678910:somesnstopic",
"SubscriptionArn": "arn:aws:sns:us-east-1:012345678910:somesnstopic:..."
}]))
auditor.check_subscriptions_crossaccount(item)
self.assertEqual(len(item.audit_issues), 1)
self.assertEqual(item.audit_issues[0].score, 0)
# ThirdParty account ID
item = SNSItem(config=dict(
subscriptions=[{
"Owner": "333333333333",
"Endpoint": "*****@*****.**",
"Protocol": "email",
"TopicArn": "arn:aws:sns:us-east-1:012345678910:somesnstopic",
"SubscriptionArn": "arn:aws:sns:us-east-1:012345678910:somesnstopic:..."
}]))
auditor.check_subscriptions_crossaccount(item)
self.assertEqual(len(item.audit_issues), 1)
self.assertEqual(item.audit_issues[0].score, 0)
def test_crossaccount_snstopicpolicy_method_6(self):
au = SNSAuditor(debug=True)
data = {
'SNSPolicy': {
'Statement': [
{
'Principal': {
'AWS': '*'
},
'Condition': {
'StringEquals': {
'AWS:SourceOwner': 'BADDEADBEEF'
}
}
}
]
}
}
obj = SNSItem(region='test-region', account='test-account', name='test-name', config=data)
with self.assertRaises(InvalidSourceOwner):
au.check_snstopicpolicy_crossaccount(obj)
def test_crossaccount_snstopicpolicy_method_6(self):
au = SNSAuditor(debug=True)
data = {
'policy': {
'Statement': [
{
'Principal': {
'AWS': '*'
},
'Condition': {
'StringEquals': {
'AWS:SourceOwner': 'BADDEADBEEF'
}
}
}
]
}
}
obj = SNSItem(region='test-region', account='test-account', name='test-name', config=data)
with self.assertRaises(InvalidSourceOwner):
au.check_snstopicpolicy_crossaccount(obj)
def test_check_subscriptions_crossaccount(self):
auditor = SNSAuditor(accounts=['TEST_ACCOUNT'])
auditor.prep_for_audit()
# Unknown account ID
item = SNSItem(config=dict(
subscriptions=[{
"Owner": "020202020202",
"Endpoint": "*****@*****.**",
"Protocol": "email",
"TopicArn": "arn:aws:sns:us-east-1:020202020202:somesnstopic",
"SubscriptionArn": "arn:aws:sns:us-east-1:020202020202:somesnstopic:..."
}]))
auditor.check_subscriptions_crossaccount(item)
self.assertEquals(len(item.audit_issues), 1)
self.assertEquals(item.audit_issues[0].score, 10)
# Friendly account ID
item = SNSItem(config=dict(
subscriptions=[{
"Owner": "222222222222",
"Endpoint": "*****@*****.**",
"Protocol": "email",
"TopicArn": "arn:aws:sns:us-east-1:012345678910:somesnstopic",
"SubscriptionArn": "arn:aws:sns:us-east-1:012345678910:somesnstopic:..."
}]))
auditor.check_subscriptions_crossaccount(item)
self.assertEquals(len(item.audit_issues), 1)
self.assertEquals(item.audit_issues[0].score, 0)
# ThirdParty account ID
item = SNSItem(config=dict(
subscriptions=[{
"Owner": "333333333333",
"Endpoint": "*****@*****.**",
"Protocol": "email",
"TopicArn": "arn:aws:sns:us-east-1:012345678910:somesnstopic",
"SubscriptionArn": "arn:aws:sns:us-east-1:012345678910:somesnstopic:..."
}]))
auditor.check_subscriptions_crossaccount(item)
self.assertEquals(len(item.audit_issues), 1)
self.assertEquals(item.audit_issues[0].score, 0)
def test_crossaccount_snstopicpolicy_method_5(self):
au = SNSAuditor(debug=True)
data = {
'policy': {
'Statement': [
{
'Principal': {
'AWS': '*'
},
'Condition': {
'StringEquals': {
# Missing SourceOwner
}
}
}
]
}
}
obj = SNSItem(region='test-region', account='test-account', name='test-name', config=data)
au.check_snstopicpolicy_crossaccount(obj)
self.assertEquals(len(obj.audit_issues), 1)
issue = obj.audit_issues[0]
self.assertEqual(issue.score, 10)
self.assertEqual(issue.issue, "SNS Topic open to everyone")
def pre_test_setup(self):
SNSAuditor(accounts=['TEST_ACCOUNT']).OBJECT_STORE.clear()
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
# main
account = Account(identifier="123456789123", name="TEST_ACCOUNT",
account_type_id=account_type_result.id, notes="TEST_ACCOUNT",
third_party=False, active=True)
# friendly
account2 = Account(identifier="222222222222", name="TEST_ACCOUNT_TWO",
account_type_id=account_type_result.id, notes="TEST_ACCOUNT_TWO",
third_party=False, active=True)
# third party
account3 = Account(identifier="333333333333", name="TEST_ACCOUNT_THREE",
account_type_id=account_type_result.id, notes="TEST_ACCOUNT_THREE",
third_party=True, active=True)
db.session.add(account)
db.session.add(account2)
db.session.add(account3)
db.session.commit()
def find_sns_changes(accounts):
""" Runs watchers/sns """
accounts = __prep_accounts__(accounts)
cw = SNS(accounts=accounts, debug=True)
(items, exception_map) = cw.slurp()
cw.find_changes(current=items, exception_map=exception_map)
# Audit these changed items
items_to_audit = []
for item in cw.created_items + cw.changed_items:
snsitem = SNSItem(region=item.region, account=item.account, name=item.name, config=item.new_config)
items_to_audit.append(snsitem)
au = SNSAuditor(accounts=accounts, debug=True)
au.audit_these_objects(items_to_audit)
au.save_issues()
cw.save()
db.session.close()
