def remediate(finding, metrics_data):

    message = {
        'Note': '',
        'State': 'INFO',
        'Account': finding.account_id,
        'Remediation': REMEDIATION,
        'metrics_data': metrics_data
    }

    def failed():
        """
        Send Failed status message
        """
        message['State'] = 'FAILED'
        message['Note'] = ''
        notify(finding, message, LOGGER, cwlogs=APPLOGGER)

    # Make sure it matches - custom action can be initiated for any finding.
    # Ignore if the finding selected and the playbook do not match
    cis_data = finding.is_cis_ruleset()
    if not cis_data:
        # Not an applicable finding - does not match ruleset
        # send an error and exit
        LOGGER.debug('CIS 1.3 - 1.4: incorrect custom action selection')
        APPLOGGER.add_message(
            'CIS 1.3 - 1.4: incorrect custom action selection')
        return

    if (cis_data['ruleid'] not in ['1.3', '1.4']):
        # Not an applicable finding - does not match rule
        # send an error and exit
        LOGGER.debug('CIS 1.3 - 1.4: incorrect custom action selection')
        APPLOGGER.add_message(
            'CIS 1.3 - 1.4: incorrect custom action selection')
        return

    resource_type = str(finding.details['Resources'][0]['Type'])

    if resource_type == 'AwsAccount':
        # This code snippet is invoked when the user selects a finding with type as AwsAccount
        # this finding in security hub is more referring to the account in general and doesn't provide
        # information of the specific remediation, once the specific Resource Type errors are resolved
        # this finding will be resolved as well, therefore there is no specific remediation for this finding.
        LOGGER.debug('for finding type AwsAccount, there is no resolution.')
        APPLOGGER.add_message(
            'AwsAccount is a general finding for the entire account. Once the specific findings are resolved for resource type(s) other than AwsAccount, \
         this will be marked as resolved.')
        message['State'] = 'INITIAL'
        message['Note'] = 'The finding is related to the AWS account.'
        notify(finding, message, LOGGER, cwlogs=APPLOGGER)

        return

    #==========================================================================
    # Import boto3 clients
    try:
        sess = BotoSession(finding.account_id, LAMBDA_ROLE)
        iam = sess.client('iam')
        iam_resource = sess.resource('iam')
    except Exception as e:
        LOGGER.error(e)
        failed()
        return

    try:
        non_rotated_key_user = str(finding.details['Resources'][0]['Id'])[31:]
    except KeyError as key:
        LOGGER.error('Could not find ' + str(key) +
                     ' in Resources data for the finding')
        failed()
        return
    except Exception as e:
        LOGGER.error(e)
        return

    # Mark the finding NOTIFIED while we remediate
    message['State'] = 'INITIAL'
    notify(finding, message, LOGGER, cwlogs=APPLOGGER)

    try:
        todays_date_time = datetime.datetime.now(datetime.timezone.utc)

        paginator = iam.get_paginator('list_access_keys')

        for response in paginator.paginate(UserName=non_rotated_key_user):

            for key_metadata in response['AccessKeyMetadata']:
                access_key_id = str(key_metadata['AccessKeyId'])
                key_age_finder = todays_date_time - datetime.datetime.fromisoformat(
                    str(key_metadata['CreateDate']))

                if key_age_finder <= datetime.timedelta(days=90):
                    LOGGER.debug("Access key: " + access_key_id +
                                 "is compliant.")
                    # APPLOGGER.add_message("Access key: " + access_key_id + "is compliant.")

                else:
                    message[
                        'Note'] = "Access key over 90 days old found: " + access_key_id
                    message['State'] = 'INFO'
                    message[
                        'AffectedObject'] = AFFECTED_OBJECT + ': ' + access_key_id
                    notify(finding,
                           message,
                           LOGGER,
                           cwlogs=APPLOGGER,
                           sechub=False)

                    access_key = iam_resource.AccessKey(
                        non_rotated_key_user, access_key_id)
                    # deactivate the key
                    access_key.deactivate()
                    get_key_status = iam.list_access_keys(
                        UserName=non_rotated_key_user, MaxItems=20)
                    for keys in get_key_status['AccessKeyMetadata']:
                        this_access_key_id = str(keys['AccessKeyId'])
                        this_key_status = str(keys['Status'])
                        # find the key Id that matches the exposed key
                        if this_access_key_id == access_key_id and this_key_status == 'Inactive':
                            message['State'] = 'RESOLVED'
                            message[
                                'Note'] = 'Remediation completed successfully, create new access keys using IAM console.'
                            notify(finding,
                                   message,
                                   LOGGER,
                                   cwlogs=APPLOGGER,
                                   sechub=True,
                                   sns=AWS)

    except Exception as e:
        LOGGER.error(e)
        failed()
        return
def remediate(finding, metrics_data):

    message = {
        'Note': '',
        'State': 'INFO',
        'Account': finding.account_id,
        'Remediation': REMEDIATION,
        'metrics_data': metrics_data
    }

    def failed():
        """
        Send Failed status message
        """
        message['State'] = 'FAILED'
        message['Note'] = ''
        notify(finding, message, LOGGER, cwlogs=APPLOGGER)

    # Make sure it matches - custom action can be initiated for any finding.
    # Ignore if the finding selected and the playbook do not match
    cis_data = finding.is_cis_ruleset()
    if not cis_data:
        # Not an applicable finding - does not match ruleset
        # send an error and exit
        LOGGER.debug('CIS 4.3: incorrect custom action selection')
        APPLOGGER.add_message('CIS 4.3: incorrect custom action selection')
        return

    if cis_data['ruleid'] not in ['4.3']:
        # Not an applicable finding - does not match rule
        # send an error and exit
        LOGGER.debug('CIS 4.3: incorrect custom action selection')
        APPLOGGER.add_message('CIS 4.3: incorrect custom action selection')
        return

    sg_type = str(finding.details['Resources'][0]['Type'])
    if sg_type == 'AwsAccount':
        # This code snippet is invoked when the user selects a finding with type as AwsAccount
        # this finding in security hub is more referring to the account in general and doesn't provide
        # information of the specific security group, once the specific security group errors are resolved
        # this finding will be resolved as well, therefore there is no specific remediation for this finding.
        LOGGER.debug(
            'for security group finding type AwsAccount, there is no resolution.'
        )
        APPLOGGER.add_message(
            'AwsAccount is a general finding for the entire account. Once the specific findings are resolved for resource type(s) other than AwsAccount, \
         this will be marked as resolved.')
        message['State'] = 'INITIAL'
        message['Note'] = 'The finding is related to the AWS account.'
        notify(finding, message, LOGGER, cwlogs=APPLOGGER)
        return

    #==========================================================================
    try:
        myDefaultSecGroupId = str(
            finding.details['Resources'][0]['Details'][sg_type]['GroupId'])
    except KeyError as key:
        LOGGER.error('Could not find ' + str(key) +
                     ' in Resources data for the finding')
        failed()
        return
    except Exception as e:
        LOGGER.error('Unexpected error: ' + str(sys.exc_info()))
        LOGGER.error(e)
        return

    message['AffectedObject'] = AFFECTED_OBJECT + ': ' + myDefaultSecGroupId

    try:
        sess = BotoSession(finding.account_id, LAMBDA_ROLE)
        ec2 = sess.resource('ec2')
    except Exception as e:
        LOGGER.error('Unexpected error: ' + str(sys.exc_info()))
        LOGGER.error(e)
        failed()
        return

    # Mark the finding NOTIFIED while we remediate
    message['State'] = 'INITIAL'
    notify(finding, message, LOGGER, cwlogs=APPLOGGER)

    try:
        # sg ec2 resource object
        defaultSG = ec2.SecurityGroup(myDefaultSecGroupId)
        # find ingress + egress rules
        defaultIngress = defaultSG.ip_permissions
        defaultEgress = defaultSG.ip_permissions_egress
        revokeIngress = defaultSG.revoke_ingress(IpPermissions=defaultIngress)
        revokeEgress = defaultSG.revoke_egress(IpPermissions=defaultEgress)
        LOGGER.info(revokeIngress)
        LOGGER.info(revokeEgress)
        message['State'] = 'RESOLVED'
        message['Note'] = ''  # Reset the value
        notify(finding, message, LOGGER, cwlogs=APPLOGGER, sns=AWS)
    except Exception as e:
        LOGGER.error('Unexpected error: ' + str(sys.exc_info()))
        LOGGER.error(e)
        failed()
        return