def test_check_snstopicpolicy_empty(self): auditor = SNSAuditor(accounts=['TEST_ACCOUNT']) item = SNSItem(config=dict()) auditor.check_snstopicpolicy_empty(item) self.assertEqual(len(item.audit_issues), 1) self.assertEqual(item.audit_issues[0].score, 1)
def __init__(self, accounts=None, alert_accounts=None, debug=False): self.account_watchers = {} self.account_alerters = {} if not alert_accounts: alert_accounts = accounts for account in accounts: self.account_watchers[account] = [ (SQS(accounts=[account], debug=debug), None), (ELB(accounts=[account], debug=debug), None), (IAMSSL(accounts=[account], debug=debug), None), (RDSSecurityGroup(accounts=[account], debug=debug), RDSSecurityGroupAuditor(accounts=[account], debug=debug)), (SecurityGroup(accounts=[account], debug=debug), SecurityGroupAuditor(accounts=[account], debug=debug)), (S3(accounts=[account], debug=debug), S3Auditor(accounts=[account], debug=debug)), (IAMUser(accounts=[account], debug=debug), IAMUserAuditor(accounts=[account], debug=debug)), (IAMGroup(accounts=[account], debug=debug), None), (IAMRole(accounts=[account], debug=debug), None), (Keypair(accounts=[account], debug=debug), None), (SNS(accounts=[account], debug=debug), SNSAuditor(accounts=[account], debug=debug)) ] if account in alert_accounts: self.account_alerters[account] = Alerter( watchers_auditors=self.account_watchers[account], account=account)
def test_crossaccount_snstopicpolicy_method_1(self): au = SNSAuditor(debug=True) data = { 'SNSPolicy': { 'Statement': [ { 'Principal': { 'AWS': '*' }, 'Condition': { 'StringEquals': { 'AWS:SourceOwner': '000000000000' } } } ] } } obj = SNSItem(region='test-region', account='test-account', name='test-name', config=data) au.check_snstopicpolicy_crossaccount(obj) self.assertEquals(len(obj.audit_issues), 1) if len(obj.audit_issues) == 1: for issue in obj.audit_issues: self.assertEquals(issue.score, 10) self.assertRegexpMatches(issue.issue, "Unknown Cross Account Access from .*") self.assertIsNone(issue.notes)
def test_crossaccount_snstopicpolicy_method_5(self): au = SNSAuditor(debug=True) data = { 'policy': { 'Statement': [{ 'Principal': { 'AWS': '*' }, 'Condition': { 'StringEquals': { # Missing SourceOwner } } }] } } obj = SNSItem(region='test-region', account='test-account', name='test-name', config=data) au.check_snstopicpolicy_crossaccount(obj) self.assertEquals(len(obj.audit_issues), 1) issue = obj.audit_issues[0] self.assertEqual(issue.score, 10) self.assertEqual(issue.issue, "SNS Topic open to everyone")
def test_empty_snstopicpolicy(self): au = SNSAuditor(debug=True) obj = SNSItem(region='test-region', account='test-account', name='test-name', config={'SNSPolicy': {}}) au.check_snstopicpolicy_empty(obj) self.assertEquals(len(obj.audit_issues), 1) if len(obj.audit_issues) == 1: for issue in obj.audit_issues: self.assertEquals(issue.score, 1) self.assertEquals(issue.issue, "SNS Topic Policy is empty") self.assertIsNone(issue.notes)
def check_arn(self, arn): au = SNSAuditor(debug=True) data = {'policy': {'Statement': [{'Principal': {'AWS': arn}}]}} obj = SNSItem(region='test-region', account='test-account', name='test-name', config=data) au.check_snstopicpolicy_crossaccount(obj) return obj
def audit_sns(accounts, send_report): """ Runs auditors/sns """ accounts = __prep_accounts__(accounts) au = SNSAuditor(accounts=accounts, debug=True) au.audit_all_objects() if send_report: report = au.create_report() au.email_report(report) au.save_issues() db.session.close()
def find_sns_changes(accounts): """ Runs watchers/sns """ accounts = __prep_accounts__(accounts) cw = SNS(accounts=accounts, debug=True) (items, exception_map) = cw.slurp() cw.find_changes(current=items, exception_map=exception_map) # Audit these changed items items_to_audit = [] for item in cw.created_items + cw.changed_items: snsitem = SNSItem(region=item.region, account=item.account, name=item.name, config=item.new_config) items_to_audit.append(snsitem) au = SNSAuditor(accounts=accounts, debug=True) au.audit_these_objects(items_to_audit) au.save_issues() cw.save() db.session.close()
def test_check_subscriptions_crossaccount(self): auditor = SNSAuditor(accounts=['TEST_ACCOUNT']) auditor.prep_for_audit() # Unknown account ID item = SNSItem(config=dict( subscriptions=[{ "Owner": "020202020202", "Endpoint": "*****@*****.**", "Protocol": "email", "TopicArn": "arn:aws:sns:us-east-1:020202020202:somesnstopic", "SubscriptionArn": "arn:aws:sns:us-east-1:020202020202:somesnstopic:..." }])) auditor.check_subscriptions_crossaccount(item) self.assertEqual(len(item.audit_issues), 1) self.assertEqual(item.audit_issues[0].score, 10) # Friendly account ID item = SNSItem(config=dict( subscriptions=[{ "Owner": "222222222222", "Endpoint": "*****@*****.**", "Protocol": "email", "TopicArn": "arn:aws:sns:us-east-1:012345678910:somesnstopic", "SubscriptionArn": "arn:aws:sns:us-east-1:012345678910:somesnstopic:..." }])) auditor.check_subscriptions_crossaccount(item) self.assertEqual(len(item.audit_issues), 1) self.assertEqual(item.audit_issues[0].score, 0) # ThirdParty account ID item = SNSItem(config=dict( subscriptions=[{ "Owner": "333333333333", "Endpoint": "*****@*****.**", "Protocol": "email", "TopicArn": "arn:aws:sns:us-east-1:012345678910:somesnstopic", "SubscriptionArn": "arn:aws:sns:us-east-1:012345678910:somesnstopic:..." }])) auditor.check_subscriptions_crossaccount(item) self.assertEqual(len(item.audit_issues), 1) self.assertEqual(item.audit_issues[0].score, 0)
def test_crossaccount_snstopicpolicy_method_6(self): au = SNSAuditor(debug=True) data = { 'SNSPolicy': { 'Statement': [ { 'Principal': { 'AWS': '*' }, 'Condition': { 'StringEquals': { 'AWS:SourceOwner': 'BADDEADBEEF' } } } ] } } obj = SNSItem(region='test-region', account='test-account', name='test-name', config=data) with self.assertRaises(InvalidSourceOwner): au.check_snstopicpolicy_crossaccount(obj)
def pre_test_setup(self): SNSAuditor(accounts=['TEST_ACCOUNT']).OBJECT_STORE.clear() account_type_result = AccountType(name='AWS') db.session.add(account_type_result) db.session.commit() # main account = Account(identifier="123456789123", name="TEST_ACCOUNT", account_type_id=account_type_result.id, notes="TEST_ACCOUNT", third_party=False, active=True) # friendly account2 = Account(identifier="222222222222", name="TEST_ACCOUNT_TWO", account_type_id=account_type_result.id, notes="TEST_ACCOUNT_TWO", third_party=False, active=True) # third party account3 = Account(identifier="333333333333", name="TEST_ACCOUNT_THREE", account_type_id=account_type_result.id, notes="TEST_ACCOUNT_THREE", third_party=True, active=True) db.session.add(account) db.session.add(account2) db.session.add(account3) db.session.commit()