Exemplo n.º 1
0
 def __init__(self, session, account_id):
     self.session = session
     self.account_id = account_id
     self.iam = BotoFactory().get_capability(boto3.client,
                                             session,
                                             'iam',
                                             account_id=account_id)
Exemplo n.º 2
0
    def get_all_cloudtrails_list(self, session, account_id):
        cloudtrail = BotoFactory().get_capability(boto3.client, session,
                                                  'cloudtrail', account_id)
        trails = cloudtrail.describe_trails(
            includeShadowTrails=True).get('trailList')

        return trails
Exemplo n.º 3
0
    def get_all_email_validated_certs(self):
        """returns an ARN list of all ACM certificates with email validation"""
        certificates = list()
        for r in self.regions:
            logging.info(f"Processing {self.account_id}:{r}")
            try:
                acm = BotoFactory().get_capability(
                    boto3.client, self.session, 'acm',
                    account_id=self.account_id, region=r, rolename='AxisCloudAdmin'
                )

                pngt = acm.get_paginator('list_certificates')
                itr = pngt.paginate(
                    CertificateStatuses=self.certificate_status
                )
                for i in itr:
                    for c in i.get('CertificateSummaryList'):
                        result = (
                            acm.describe_certificate(
                                CertificateArn=c.get('CertificateArn')
                            )
                        )
                        validations_opts = result.get(
                            'Certificate').get(
                                'DomainValidationOptions')
                        for v in validations_opts:
                            if v.get('ValidationMethod') == 'EMAIL':
                                certificates.append(c.get('CertificateArn'))
            except Exception as e:
                logging.error(f"{e} for {r}")
        logging.info(certificates)
        return certificates
Exemplo n.º 4
0
    def all_stacks_all_regions(self):
        regions = [
            "eu-north-1", "ap-south-1", "eu-west-3", "eu-west-2", "eu-west-1",
            "ap-northeast-2", "ap-northeast-1", "sa-east-1", "ca-central-1",
            "ap-southeast-1", "ap-southeast-2", "eu-central-1", "us-east-1",
            "us-east-2", "us-west-1", "us-west-2"
        ]

        stacks_inventory = list()
        for r in regions:
            regional_cfn = BotoFactory().get_capability(
                boto3.client,
                self.session,
                'cloudformation',
                account_id=self.account_id,
                region=r)
            pgnt = regional_cfn.get_paginator('list_stacks')
            itr = pgnt.paginate()
            for i in itr:
                for stack in i['StackSummaries']:
                    log.info(f"{stack['StackId']}:{stack['StackStatus']}")
                    stacks_inventory.append(
                        f"{stack['StackId']}:{stack['StackStatus']}")

        log.info(stacks_inventory)
        return stacks_inventory
Exemplo n.º 5
0
 def __get_vpn_connections(self, region):
     ec2 = BotoFactory().get_capability(boto3.client,
                                        self.session,
                                        'ec2',
                                        account_id=self.account_id,
                                        region=region)
     result = ec2.describe_vpn_connections().get('VpnConnections')
     return result
Exemplo n.º 6
0
    def delete_cloudtrail_name(self, session, account_id, region, ct_name):
        cloudtrail = BotoFactory().get_capability(boto3.client, session,
                                                  'cloudtrail', account_id)

        arn = f"arn:aws:cloudtrail:{region}:{account_id}:trail/{ct_name}"
        try:
            print(cloudtrail.delete_trail(Name=arn))
        except Exception as e:
            logging.warning(e)
Exemplo n.º 7
0
    def __init__(self, session):
        if os.environ.get('OU_BLOCKLIST'):
            self.blocklist = os.environ.get('OU_BLOCKLIST').split(',')
            log.info(f"OU blocklist: {self.blocklist}")
        else:
            log.warn(
                "No OU_BLOCKLIST present in ENV, all OUs can be traversed")
            self.blocklist = set()

        self.org = BotoFactory().get_capability(boto3.client, session,
                                                'organizations')
Exemplo n.º 8
0
def fetch_role_arn(session, account_id, rolename):
    global arn_list
    iam = BotoFactory().get_capability(
        boto3.resource, session, 'iam', account_id=account_id
    )
    try:
        role = iam.Role(rolename)
        print(role.arn)
        arn_list.append(role.arn)
    except iam.meta.client.exceptions.NoSuchEntityException as e:
        log.warn(f"not found in {account_id}, {e}")
Exemplo n.º 9
0
 def __get_subnets(self, region):
     ec2 = BotoFactory().get_capability(boto3.client,
                                        self.session,
                                        'ec2',
                                        account_id=self.account_id,
                                        region=region)
     pgnt = ec2.get_paginator('describe_subnets')
     itr = pgnt.paginate()
     for i in itr:
         result = i.get('Subnets')
         logging.info(f"{self.account_id}:{region}:{result}")
     return result
Exemplo n.º 10
0
def add_console_users_to_group(session, account_id, group_name):
    """
    adds all users with password (login profile) active to a specified group
    """
    users_w_pw = IAMOps().get_all_iam_users_with_pw(session, account_id)
    iam = BotoFactory().get_capability(
        boto3.client, session, 'iam', account_id=account_id
    )
    for user in users_w_pw:
        iam.add_user_to_group(
            GroupName='RequireMFA',
            UserName=user
        )
        log.info(f"Added {account_id}:{user} to {group_name}")
        print(f"Added {account_id}:{user} to {group_name}")
Exemplo n.º 11
0
def get_active_accounts(session):
    """
    Fetches all active account IDs from an Organization. To get accounts from
    an OU structure, refer to OrganizationsOps class instead, app/org_ops.py
    """
    org = BotoFactory().get_capability(
        boto3.client, session, 'organizations', os.getenv('ORG_ACCOUNT'),
        os.getenv('DEFAULT_ROLE')
    )
    accounts = dict()
    paginator = org.get_paginator('list_accounts')
    itr = paginator.paginate()
    for i in itr:
        for account in i['Accounts']:
            if account['Status'] == 'ACTIVE':
                accounts[account['Id']] = account
    return accounts
Exemplo n.º 12
0
class OrganizationsOps():
    def __init__(self, session):
        if os.environ.get('OU_BLOCKLIST'):
            self.blocklist = os.environ.get('OU_BLOCKLIST').split(',')
            log.info(f"OU blocklist: {self.blocklist}")
        else:
            log.warn(
                "No OU_BLOCKLIST present in ENV, all OUs can be traversed")
            self.blocklist = set()

        self.org = BotoFactory().get_capability(boto3.client, session,
                                                'organizations')

    def get_all_children_ou(self, parent_ou):
        ous = set()
        log.info(f"Getting children OU for {parent_ou}")
        pgnt = self.org.get_paginator('list_organizational_units_for_parent')
        itr = pgnt.paginate(ParentId=parent_ou)

        for i in itr:
            for ou in i['OrganizationalUnits']:
                if ou['Id'] not in self.blocklist:
                    ous.add(ou['Id'])

        if ous:
            for ou in ous.copy():
                ous.update(self.get_all_children_ou(ou))

        return ous

    def get_active_accounts_from_ous(self, ous):
        pngt = self.org.get_paginator('list_accounts_for_parent')
        accounts = list()
        for ou in ous:
            log.info(f"Getting accounts from {ou}")
            accounts.extend([
                account['Id'] for account in pngt.paginate(
                    ParentId=ou).build_full_result()['Accounts']
                if account['Status'] == 'ACTIVE'
            ])
        return accounts

    def get_accounts_from_root(self):
        root_ou = self.org.list_roots()['Roots'][0]['Id']
        return self.get_active_accounts_from_ous(
            self.get_all_children_ou(root_ou))
Exemplo n.º 13
0
    def get_all_iam_users_with_pw(self):
        iam_resource = BotoFactory().get_capability(boto3.resource,
                                                    self.session,
                                                    'iam',
                                                    account_id=self.account_id)

        users = self.get_all_iam_users()

        iam_users_with_passwords = set()
        for user in users:
            lp = iam_resource.LoginProfile(user)
            try:
                lp.create_date
                iam_users_with_passwords.add(
                    self.iam.get_user(UserName=user)['User']['UserName'])
            except self.iam.exceptions.NoSuchEntityException:
                pass

        return iam_users_with_passwords
Exemplo n.º 14
0
    def delete_role(self, rolename):
        try:
            # get all policies
            iam_r = BotoFactory().get_capability(boto3.resource, self.session,
                                                 'iam', self.account_id,
                                                 os.getenv('DEFAULT_ROLE'))
            role = iam_r.Role(rolename)

            itr = role.policies.all()
            for i in itr:
                i.delete()

            # delete role
            response = role.delete()
            logging.info(json.dumps(response, indent=4, default=str))

        except iam_r.meta.client.exceptions.NoSuchEntityException as e:
            logging.info(e)
            logging.info(f"{self.account_id}: role {rolename} doesn't exist")
Exemplo n.º 15
0
def get_all_hosted_zones(session, account_id):
    """
    get all HZ from a given account
    """
    global hosted_zone_dict
    r53_client = BotoFactory().get_capability(
        boto3.client, session, 'route53', account_id=account_id
    )
    hz = Route53Ops(client=r53_client).get_all_hosted_zones()
    log.info(f"{account_id}: {hz}")
    print(f"{account_id}: {hz}")
    if len(hz) > 0:
        hosted_zone_dict[account_id] = hz
Exemplo n.º 16
0
class CFNOps():
    def __init__(self, account_id):
        self.session = boto3.Session()
        self.account_id = account_id
        self.cfn = BotoFactory().get_capability(boto3.client, self.session,
                                                'cloudformation', account_id)

    def check_if_stackset_present(self, account_id, stackname):
        paginator = self.cfn.get_paginator('list_stacks')
        itr = paginator.paginate()
        for i in itr:
            for stack in i['StackSummaries']:
                if stackname in stack['StackName'] \
                        and stack['StackStatus'] == 'CREATE_COMPLETE':
                    return True
        return False

    def all_stacks_all_regions(self):
        regions = [
            "eu-north-1", "ap-south-1", "eu-west-3", "eu-west-2", "eu-west-1",
            "ap-northeast-2", "ap-northeast-1", "sa-east-1", "ca-central-1",
            "ap-southeast-1", "ap-southeast-2", "eu-central-1", "us-east-1",
            "us-east-2", "us-west-1", "us-west-2"
        ]

        stacks_inventory = list()
        for r in regions:
            regional_cfn = BotoFactory().get_capability(
                boto3.client,
                self.session,
                'cloudformation',
                account_id=self.account_id,
                region=r)
            pgnt = regional_cfn.get_paginator('list_stacks')
            itr = pgnt.paginate()
            for i in itr:
                for stack in i['StackSummaries']:
                    log.info(f"{stack['StackId']}:{stack['StackStatus']}")
                    stacks_inventory.append(
                        f"{stack['StackId']}:{stack['StackStatus']}")

        log.info(stacks_inventory)
        return stacks_inventory
Exemplo n.º 17
0
class IAMOps():
    def __init__(self, session, account_id):
        self.session = session
        self.account_id = account_id
        self.iam = BotoFactory().get_capability(boto3.client,
                                                session,
                                                'iam',
                                                account_id=account_id)

    def delete_role(self, rolename):
        try:
            # get all policies
            iam_r = BotoFactory().get_capability(boto3.resource, self.session,
                                                 'iam', self.account_id,
                                                 os.getenv('DEFAULT_ROLE'))
            role = iam_r.Role(rolename)

            itr = role.policies.all()
            for i in itr:
                i.delete()

            # delete role
            response = role.delete()
            logging.info(json.dumps(response, indent=4, default=str))

        except iam_r.meta.client.exceptions.NoSuchEntityException as e:
            logging.info(e)
            logging.info(f"{self.account_id}: role {rolename} doesn't exist")

    def remove_idp(self, idp_name):
        saml_arn = f"arn:aws:iam::{self.account_id}:saml-provider/{idp_name}"
        try:
            response = self.iam.delete_saml_provider(SAMLProviderArn=saml_arn)
            logging.info(json.dumps(response, indent=4, default=str))
        except self.iam.exceptions.NoSuchEntityException:
            logging.info(f"{self.account_id}: IdP {idp_name} doesn't exist")

    def update_assume_role_policy(self, rolename, policy):
        """policy should be in dict-format to be translated to json"""
        try:
            return self.iam.update_assume_role_policy(
                RoleName=rolename, PolicyDocument=json.dumps(policy))
        except Exception as e:
            logging.warning(e)

    def list_roles_with_trust(self, trusted_account):
        roles = list()
        pgn = self.iam.get_paginator('list_roles')
        itr = pgn.paginate()
        for i in itr:
            for r in i['Roles']:
                policy_doc = r['AssumeRolePolicyDocument']
                if trusted_account in json.dumps(policy_doc):
                    roles.append((r['Arn']))
        print(roles)
        return roles

    def get_all_iam_users(self):
        users = set()
        pgnt = self.iam.get_paginator('list_users')
        itr = pgnt.paginate()
        for i in itr:
            for user in i['Users']:
                users.add(user['UserName'])
        return users

    def get_all_iam_users_with_pw(self):
        iam_resource = BotoFactory().get_capability(boto3.resource,
                                                    self.session,
                                                    'iam',
                                                    account_id=self.account_id)

        users = self.get_all_iam_users()

        iam_users_with_passwords = set()
        for user in users:
            lp = iam_resource.LoginProfile(user)
            try:
                lp.create_date
                iam_users_with_passwords.add(
                    self.iam.get_user(UserName=user)['User']['UserName'])
            except self.iam.exceptions.NoSuchEntityException:
                pass

        return iam_users_with_passwords

    def compare_pw_policy(self, desired_pw_policy):
        """
        Takes IAM current password policy and compares to the desired, return
        map with each discrepancy. desired_pw_policy is in DICT format, see
        boto3 documentation for all options.

        Example desired_pw_policy:

        {
            "MinimumPasswordLength": 16,
            "RequireSymbols": True,
            "RequireNumbers": True,
            "RequireUppercaseCharacters": True,
            "RequireLowercaseCharacters": True,
            "AllowUsersToChangePassword": True,
            "ExpirePasswords": True,
            "MaxPasswordAge": 90,
            "PasswordReusePrevention": 10,
            "HardExpiry": False
        }

        """
        try:
            account_policy = self.iam.get_account_password_policy().get(
                'PasswordPolicy')
            diff_items = {
                k: account_policy[k]
                for k in account_policy if k in desired_pw_policy
                and account_policy[k] != desired_pw_policy[k]
            }
            return diff_items
        except self.iam.exceptions.NoSuchEntityException as e:
            logging.warn(f"No password policy exists. {e}")
            return False

    def set_minimum_pw_policy(self, desired_pw_policy):
        """
        Sets the minimum password policy in the IAM client's AWS account
        If there are stronger password requirements than those in the minimum
        one, the stronger requirement stays
        """
        try:
            account_policy = self.iam.get_account_password_policy().get(
                'PasswordPolicy')
        except self.iam.exceptions.NoSuchEntityException as e:
            logging.warn(
                f"{e}: No password policy exists, setting the desired policy")
            self.iam.update_account_password_policy(**desired_pw_policy)
            return self.iam.get_account_password_policy().get('PasswordPolicy')

        check_if_better = ['MinimumPasswordLength', 'PasswordReusePrevention']

        for check in check_if_better:
            try:
                if account_policy[check] > desired_pw_policy[check]:
                    desired_pw_policy[check] = account_policy[check]
            except KeyError:
                pass
        self.iam.update_account_password_policy(**desired_pw_policy)
        return (account_policy)

    def add_pw_parameter(self, key, value):
        """
        pushes a specific password policy parameter to the IAM password policy,
        e.g. HardExpiry, MinimumPasswordLength...
        """
        pw_pol = self.iam.get_account_password_policy()['PasswordPolicy']

        try:
            pw_pol[key]
        except KeyError:
            pw_pol[key] = None

        if not pw_pol[key] == value:
            pw_pol[key] = value
            pw_pol.pop('ExpirePasswords')
            self.iam.update_account_password_policy(**pw_pol)
            return f"success"
        else:
            return f"already compliant"
Exemplo n.º 18
0
 def __init__(self, account_id):
     self.session = boto3.Session()
     self.account_id = account_id
     self.cfn = BotoFactory().get_capability(boto3.client, self.session,
                                             'cloudformation', account_id)