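def describe_metric_filters(trace_id, logs_client, aws_account, region_name,
                            cloud_trail_log_group_name):
    """Return every CloudWatch Logs metric filter attached to one log group.

    All pages of ``describe_metric_filters`` are fetched and concatenated.
    Every page is guarded with ``common_utils.check_key`` before its
    ``metricFilters`` list is read; previously only the first page was
    guarded, so a later page without that key would have raised ``KeyError``
    instead of being tolerated.

    Args:
        trace_id: Correlation id handed to ``common_utils.begin_logger``.
        logs_client: boto3-style CloudWatch Logs client, already bound to
            ``region_name``.
        aws_account: Account id; used only in the error log message.
        region_name: Region name; used only in the error log message.
        cloud_trail_log_group_name: Log group whose metric filters are listed.

    Returns:
        list: The ``metricFilters`` entries of every page, possibly empty.

    Raises:
        Whatever ``common_utils.write_log_warning`` returns (presumably a
        PmError wrapping the ``ClientError`` -- confirm in common_utils) when
        any page request fails. NOTE(review): a permission error therefore
        aborts the audit of this log group rather than yielding "no filters";
        callers must record it as "not evaluated", never as a finding or a
        pass.
    """
    pm_logger = common_utils.begin_logger(trace_id, __name__,
                                          inspect.currentframe())
    metric_filters = []
    # Request parameters for the next call; NextToken is added once a page
    # reports that more pages follow.
    request = {"logGroupName": cloud_trail_log_group_name}

    try:
        while True:
            response = logs_client.describe_metric_filters(**request)
            if common_utils.check_key("metricFilters", response):
                metric_filters.extend(response["metricFilters"])
            # A missing NextToken (or one set to None) marks the last page.
            next_token = response.get("NextToken")
            if next_token is None:
                break
            request["NextToken"] = next_token
    except ClientError as e:
        pm_logger.error("[%s/%s] メトリクスフィルタ情報の取得に失敗しました。:LogGroupName=%s",
                        aws_account, region_name, cloud_trail_log_group_name)
        raise common_utils.write_log_warning(e, pm_logger)
    return metric_filters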
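def list_subscriptions_by_topic(trace_id, sns_client, aws_account, region_name,
                                topic_arn):
    """Return every subscription of one SNS topic, across all result pages.

    Every page is guarded with ``common_utils.check_key`` before its
    ``Subscriptions`` list is read; previously only the first page was
    guarded, so a later page without that key would have raised ``KeyError``
    instead of being tolerated.

    Args:
        trace_id: Correlation id handed to ``common_utils.begin_logger``.
        sns_client: boto3-style SNS client, already bound to ``region_name``.
        aws_account: Account id; used only in the error log message.
        region_name: Region name; used only in the error log message.
        topic_arn: ARN of the topic whose subscriptions are listed.

    Returns:
        list: The ``Subscriptions`` entries of every page, possibly empty.

    Raises:
        Whatever ``common_utils.write_log_warning`` returns (presumably a
        PmError wrapping the ``ClientError`` -- confirm in common_utils) when
        any page request fails. NOTE(review): a permission error aborts the
        check for this topic; an empty list is only returned when SNS itself
        reports no subscriptions, so callers should not confuse the two.
    """
    pm_logger = common_utils.begin_logger(trace_id, __name__,
                                          inspect.currentframe())
    subscriptions = []
    # Request parameters for the next call; NextToken is added once a page
    # reports that more pages follow.
    request = {"TopicArn": topic_arn}

    try:
        while True:
            response = sns_client.list_subscriptions_by_topic(**request)
            if common_utils.check_key("Subscriptions", response):
                subscriptions.extend(response["Subscriptions"])
            # A missing NextToken (or one set to None) marks the last page.
            next_token = response.get("NextToken")
            if next_token is None:
                break
            request["NextToken"] = next_token
    except ClientError as e:
        pm_logger.error("[%s/%s] SNS Topicサブスクリプション情報の取得に失敗しました。: TopicArn=%s",
                        aws_account, region_name, topic_arn)
        raise common_utils.write_log_warning(e, pm_logger)

    return subscriptions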
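def describe_alarms(trace_id, aws_account, cloudwatch_client, region_name):
    """Return every CloudWatch metric alarm in the client's region.

    ``describe_alarms`` is called without filters and every page is
    concatenated. Only the ``MetricAlarms`` key is collected; any other alarm
    kind the API may return alongside it (e.g. composite alarms -- confirm
    against the boto3 response shape) is ignored. Every page is guarded with
    ``common_utils.check_key`` before ``MetricAlarms`` is read; previously only
    the first page was guarded, so a later page without that key would have
    raised ``KeyError`` instead of being tolerated.

    Args:
        trace_id: Correlation id handed to ``common_utils.begin_logger``.
        aws_account: Account id; used only in the error log message.
        cloudwatch_client: boto3-style CloudWatch client, already bound to
            ``region_name``.
        region_name: Region name; used only in the error log message.

    Returns:
        list: The ``MetricAlarms`` entries of every page, possibly empty.

    Raises:
        Whatever ``common_utils.write_log_warning`` returns (presumably a
        PmError wrapping the ``ClientError`` -- confirm in common_utils) when
        any page request fails. NOTE(review): a permission error aborts the
        alarm check for this region; callers must treat it as "not
        evaluated", not as "no alarms configured".
    """
    pm_logger = common_utils.begin_logger(trace_id, __name__,
                                          inspect.currentframe())
    metric_alarms = []
    # Request parameters for the next call; NextToken is added once a page
    # reports that more pages follow.
    request = {}

    try:
        while True:
            response = cloudwatch_client.describe_alarms(**request)
            if common_utils.check_key("MetricAlarms", response):
                metric_alarms.extend(response["MetricAlarms"])
            # A missing NextToken (or one set to None) marks the last page.
            next_token = response.get("NextToken")
            if next_token is None:
                break
            request["NextToken"] = next_token
    except ClientError as e:
        pm_logger.error("[%s/%s] CloudWatchAlarm情報の取得に失敗しました。", aws_account,
                        region_name)
        raise common_utils.write_log_warning(e, pm_logger)

    return metric_alarms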
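def get_bucket_encryption(trace_id, s3_client, bucket, aws_account,
                          region_name, is_cw_logger=False):
    """Return the default-encryption rules configured on one S3 bucket.

    Fix: the permission-error branch previously logged the message of the
    bucket *region* getter (copy-paste); it now reports that the
    *encryption* lookup was skipped, so the audit log names the right check.

    Args:
        trace_id: Correlation id handed to the logger factory.
        s3_client: boto3-style S3 client.
        bucket: Bucket name.
        aws_account: Account id; used only in log messages.
        region_name: Region name; used only in log messages.
        is_cw_logger: Select ``common_utils.begin_cw_logger`` instead of
            ``common_utils.begin_logger``.

    Returns:
        list: ``ServerSideEncryptionConfiguration.Rules`` from the response,
        or ``[]`` when either key is absent.

    Raises:
        PmError: wrapping the ``ClientError`` when the error code equals
            ``CommonConst.SERVER_SIDE_ENCRYPTION_CONFIGURATION_NOT_FOUND_ERROR``,
            i.e. the bucket has no default encryption; callers that treat
            this as the "unencrypted" finding catch it.
        Whatever ``common_utils.write_log_warning`` returns for codes in
            ``CommonConst.S3_SKIP_EXCEPTION`` (permission errors). NOTE(review):
            this path means the bucket was *not evaluated*; callers must not
            report it as encrypted.
        Whatever ``common_utils.write_log_exception`` returns for any other
            ``ClientError``.
    """
    if (is_cw_logger):
        logger = common_utils.begin_cw_logger(trace_id, __name__,
                                              inspect.currentframe())
    else:
        logger = common_utils.begin_logger(trace_id, __name__,
                                           inspect.currentframe())
    bucket_encryption = []
    try:
        result = s3_client.get_bucket_encryption(Bucket=bucket)
    except ClientError as e:
        error_code = e.response["Error"]["Code"]
        if error_code == CommonConst.SERVER_SIDE_ENCRYPTION_CONFIGURATION_NOT_FOUND_ERROR:
            # "No configuration" is an expected, reportable state, not a
            # failure: log at info and hand the caller a PmError to act on.
            logger.info("[%s]S3バケット暗号化情報がありません。(%s/%s)", aws_account,
                        region_name, bucket)
            raise PmError(cause_error=e)
        elif error_code in CommonConst.S3_SKIP_EXCEPTION:
            logger.warning("[%s] 権限エラーによりS3バケット暗号化情報の取得に失敗しました。(%s/%s)",
                           aws_account, region_name, bucket)
            raise common_utils.write_log_warning(e, logger)
        else:
            logger.error("[%s]S3バケット暗号化情報の取得に失敗しました。(%s/%s)", aws_account,
                         region_name, bucket)
            raise common_utils.write_log_exception(e, logger)
    if common_utils.check_key("ServerSideEncryptionConfiguration", result):
        if common_utils.check_key("Rules", result["ServerSideEncryptionConfiguration"]):
            bucket_encryption = result["ServerSideEncryptionConfiguration"]["Rules"]
    return bucket_encryption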
def get_role(trace_id, iam_client, role_name, is_cw_logger=False):
    """Fetch one IAM role and return the raw ``get_role`` response.

    Args:
        trace_id: Correlation id handed to the logger factory.
        iam_client: boto3-style IAM client.
        role_name: Name of the role to look up.
        is_cw_logger: Select ``common_utils.begin_cw_logger`` instead of
            ``common_utils.begin_logger``.

    Returns:
        The unmodified ``get_role`` response (presumably a dict with a
        ``Role`` key -- confirm against boto3).

    Raises:
        Whatever ``common_utils.write_log_warning`` returns when the call
        fails with ``ClientError``. Unlike the S3 getters in this module, no
        message naming the role is logged here and access-denied is not
        distinguished from other errors; callers that need that detail must
        inspect the wrapped error themselves.
    """
    begin = (common_utils.begin_cw_logger if is_cw_logger
             else common_utils.begin_logger)
    log = begin(trace_id, __name__, inspect.currentframe())
    try:
        return iam_client.get_role(RoleName=role_name)
    except ClientError as err:
        raise common_utils.write_log_warning(err, log)
def get_key_rotation_status(trace_id, awsaccount, kms_client, region_name,
                            key_id):
    """Return the raw ``get_key_rotation_status`` response for one KMS key.

    Args:
        trace_id: Correlation id handed to ``common_utils.begin_logger``.
        awsaccount: Account id; used only in the error log message.
        kms_client: boto3-style KMS client, already bound to ``region_name``.
        region_name: Region name; used only in the error log message.
        key_id: Key id or ARN passed as ``KeyId``.

    Returns:
        The unmodified response (presumably a dict carrying
        ``KeyRotationEnabled`` -- confirm against boto3). The function never
        returns anything else: every ``ClientError`` is re-raised.

    Raises:
        Whatever ``common_utils.write_log_warning`` returns when the error
            code is in ``CommonConst.KMS_SKIP_EXCEPTION`` (no message naming
            the key is logged on this path). NOTE(review): this means the key
            was *not evaluated*; callers must not score it as rotated.
        Whatever ``common_utils.write_log_exception`` returns for any other
            ``ClientError``, after logging which key failed.
    """
    log = common_utils.begin_logger(trace_id, __name__,
                                    inspect.currentframe())
    try:
        return kms_client.get_key_rotation_status(KeyId=key_id)
    except ClientError as err:
        code = err.response['Error']['Code']
        if code not in CommonConst.KMS_SKIP_EXCEPTION:
            log.error("[%s/%s] マスターキー(%s)のローテーションステータス情報取得に失敗しました。",
                      awsaccount, region_name, key_id)
            raise common_utils.write_log_exception(err, log)
        raise common_utils.write_log_warning(err, log)
def get_bucket_acl(trace_id, s3_client, bucket, awsaccount, region_name,
                   is_cw_logger=False):
    """Return the raw ``get_bucket_acl`` response for one S3 bucket.

    Args:
        trace_id: Correlation id handed to the logger factory.
        s3_client: boto3-style S3 client.
        bucket: Bucket name.
        awsaccount: Account id; used only in log messages.
        region_name: Region name; used only in log messages.
        is_cw_logger: Select ``common_utils.begin_cw_logger`` instead of
            ``common_utils.begin_logger``.

    Returns:
        The unmodified response (presumably ``Owner`` plus a ``Grants`` list
        -- confirm against boto3); the caller inspects the grants.

    Raises:
        Whatever ``common_utils.write_log_warning`` returns when the error
            code is in ``CommonConst.S3_SKIP_EXCEPTION`` (permission errors).
            NOTE(review): the ACL was *not evaluated* on this path; callers
            must not report the bucket as non-public.
        Whatever ``common_utils.write_log_exception`` returns for any other
            ``ClientError``.
    """
    begin = (common_utils.begin_cw_logger if is_cw_logger
             else common_utils.begin_logger)
    log = begin(trace_id, __name__, inspect.currentframe())
    try:
        return s3_client.get_bucket_acl(Bucket=bucket)
    except ClientError as err:
        if err.response['Error']['Code'] not in CommonConst.S3_SKIP_EXCEPTION:
            log.error("[%s/%s]S3バケットACL情報の取得に失敗しました。(%s)", awsaccount,
                      region_name, bucket)
            raise common_utils.write_log_exception(err, log)
        log.warning("[%s/%s] 権限エラーによりS3バケットACL情報の取得に失敗しました。(%s)",
                    awsaccount, region_name, bucket)
        raise common_utils.write_log_warning(err, log)
def get_bucket_location(trace_id, s3_client, bucket, aws_account,
                        is_cw_logger=False):
    """Return the ``LocationConstraint`` of one S3 bucket, or ``None``.

    Args:
        trace_id: Correlation id handed to the logger factory.
        s3_client: boto3-style S3 client.
        bucket: Bucket name.
        aws_account: Account id; used only in log messages.
        is_cw_logger: Select ``common_utils.begin_cw_logger`` instead of
            ``common_utils.begin_logger``.

    Returns:
        ``result["LocationConstraint"]`` when ``common_utils.check_key``
        accepts that key, else ``None``. NOTE(review): the value itself may
        also be ``None`` for buckets in the default region (boto3 reports
        us-east-1 that way -- confirm), so ``None`` does not by itself mean
        "key absent".

    Raises:
        Whatever ``common_utils.write_log_warning`` returns when the error
            code is in ``CommonConst.S3_SKIP_EXCEPTION`` (permission errors).
        Whatever ``common_utils.write_log_exception`` returns for any other
            ``ClientError``.
    """
    begin = (common_utils.begin_cw_logger if is_cw_logger
             else common_utils.begin_logger)
    log = begin(trace_id, __name__, inspect.currentframe())
    try:
        location = s3_client.get_bucket_location(Bucket=bucket)
    except ClientError as err:
        if err.response['Error']['Code'] not in CommonConst.S3_SKIP_EXCEPTION:
            log.error("[%s]S3バケットリージョン情報の取得に失敗しました。(%s)", aws_account,
                      bucket)
            raise common_utils.write_log_exception(err, log)
        log.warning("[%s] 権限エラーによりS3バケットリージョン情報の取得に失敗しました。(%s)",
                    aws_account, bucket)
        raise common_utils.write_log_warning(err, log)
    if not common_utils.check_key("LocationConstraint", location):
        return None
    return location["LocationConstraint"]
def get_bucket_logging(trace_id, aws_account, s3_client, bucketName,
                       region_name, is_cw_logger=False):
    """Return the server-access-logging configuration of one S3 bucket.

    Args:
        trace_id: Correlation id handed to the logger factory.
        aws_account: Account id; used only in log messages.
        s3_client: boto3-style S3 client.
        bucketName: Bucket name.
        region_name: Region name; used only in log messages.
        is_cw_logger: Select ``common_utils.begin_cw_logger`` instead of
            ``common_utils.begin_logger``.

    Returns:
        ``result["LoggingEnabled"]`` when ``common_utils.check_key`` accepts
        that key (presumably a dict with ``TargetBucket``/``TargetPrefix`` --
        confirm against boto3), otherwise ``[]``. The empty list therefore
        means "access logging is off", not "could not be determined"; the
        latter is signalled by an exception.

    Raises:
        Whatever ``common_utils.write_log_warning`` returns when the error
            code is in ``CommonConst.S3_SKIP_EXCEPTION`` (permission errors).
        Whatever ``common_utils.write_log_exception`` returns for any other
            ``ClientError``.
    """
    begin = (common_utils.begin_cw_logger if is_cw_logger
             else common_utils.begin_logger)
    log = begin(trace_id, __name__, inspect.currentframe())
    try:
        logging_conf = s3_client.get_bucket_logging(Bucket=bucketName)
    except ClientError as err:
        if err.response['Error']['Code'] not in CommonConst.S3_SKIP_EXCEPTION:
            log.error("[%s/%s] S3バケットロギング情報の取得に失敗しました。%s", aws_account,
                      region_name, bucketName)
            raise common_utils.write_log_exception(err, log)
        log.warning("[%s/%s] 権限エラーによりS3バケットロギング情報の取得に失敗しました。(%s)",
                    aws_account, region_name, bucketName)
        raise common_utils.write_log_warning(err, log)
    if not common_utils.check_key("LoggingEnabled", logging_conf):
        return []
    return logging_conf["LoggingEnabled"]
def get_bucket_policy(trace_id, s3_client, bucket, awsaccount, region_name,
                      is_cw_logger=False):
    """Return the raw ``get_bucket_policy`` response, or ``None`` if unset.

    Args:
        trace_id: Correlation id handed to the logger factory.
        s3_client: boto3-style S3 client.
        bucket: Bucket name.
        awsaccount: Account id; used only in log messages.
        region_name: Region name; used only in log messages.
        is_cw_logger: Select ``common_utils.begin_cw_logger`` instead of
            ``common_utils.begin_logger``.

    Returns:
        ``None`` when the error code equals ``CommonConst.NO_SUCH_BUCKET_POLICY``
        (logged at info: the bucket simply has no policy); otherwise the
        unmodified response. The ``Policy`` field is presumably a JSON
        document string that the caller still has to parse -- confirm
        against boto3.

    Raises:
        Whatever ``common_utils.write_log_warning`` returns when the error
            code is in ``CommonConst.S3_SKIP_EXCEPTION`` (permission errors).
            NOTE(review): only the "no policy" case is folded into ``None``;
            a permission error still raises, so callers cannot mistake an
            unreadable policy for a missing one.
        Whatever ``common_utils.write_log_exception`` returns for any other
            ``ClientError``.
    """
    begin = (common_utils.begin_cw_logger if is_cw_logger
             else common_utils.begin_logger)
    log = begin(trace_id, __name__, inspect.currentframe())
    try:
        return s3_client.get_bucket_policy(Bucket=bucket)
    except ClientError as err:
        code = err.response["Error"]["Code"]
        if code == CommonConst.NO_SUCH_BUCKET_POLICY:
            log.info("[%s/%s]S3バケットポリシーは未設定です。(%s)", awsaccount,
                     region_name, bucket)
            return None
        if code in CommonConst.S3_SKIP_EXCEPTION:
            log.warning("[%s/%s] 権限エラーによりS3バケットポリシー情報の取得に失敗しました。(%s)",
                        awsaccount, region_name, bucket)
            raise common_utils.write_log_warning(err, log)
        log.error("[%s/%s]S3バケットポリシー情報の取得に失敗しました。(%s)", awsaccount,
                  region_name, bucket)
        raise common_utils.write_log_exception(err, log)