Пример #1
0
def get_cred_report():
    """[summary]
    """
    x = 0
    status = ''
    try:
        while IAM_CLIENT.generate_credential_report()['State'] != "COMPLETE":
            time.sleep(2)
            x = x + 1
            if x == 5:
                status = "Failure"
                break
        if "Fail" in status:
            return status
        cred_response = IAM_CLIENT.get_credential_report()
        reader = DictReader(
            cred_response['Content'].decode('utf-8').splitlines(),
            delimiter=',')
        report = list()
        for row in reader:
            report.append(row)
        return report
    except ClientError as ce:
        if ce.response['Error']['Code'] == 'LimitExceededException':
            print('API call limit exceeded')
Пример #2
0
def control_1_21_intial_access_keys_setup():
    cont = Control(
        '1.21',
        'Do not setup access keys during initial user setup for all IAM users that have a console password',
        False)
    users_paginate = IAM_CLIENT.get_paginator('list_users')
    for users in users_paginate.paginate():
        for user in users['Users']:
            for access_time in IAM_CLIENT.list_access_keys(
                    UserName=user['UserName'])['AccessKeyMetadata']:
                if access_time['CreateDate'] == access_time['CreateDate']:
                    if 'Keys that were created at the same time as the user profile' not in cont.fail_reason:
                        cont.fail_reason = 'Keys that were created at the same time as the user profile'
                    cont.offenders = user['UserName']
    if not cont.offenders:
        cont.result = True

    return {
        'control_id': cont.id,
        'scored': cont.scored,
        'desc': cont.desc,
        'result': cont.result,
        'fail_reason': cont.fail_reason,
        'offenders': cont.offenders
    }
Пример #3
0
def control_1_16_policy_attached_grp_roles():
    cont = Control('1.16',
                   'Ensure IAM policies are attached only to groups or roles',
                   True)
    all_users_paginator = IAM_CLIENT.get_paginator('list_users')
    for users in all_users_paginator.paginate():
        for user in users['Users']:
            if user is None:
                continue
            if IAM_CLIENT.list_attached_user_policies(
                    UserName=user['UserName'])['AttachedPolicies']:
                if 'Managed Policies attached directly to user.' not in cont.fail_reason:
                    cont.fail_reason = "Managed Policies attached directly to user."
                cont.offenders = user['Arn'] + ":=> Managed policy"
            if IAM_CLIENT.list_user_policies(
                    UserName=user['UserName'])['PolicyNames']:
                if 'Inline Policies are attached directly to user.' not in cont.fail_reason:
                    cont.fail_reason = "Inline Policies are attached directly to user."
                cont.offenders = user['Arn'] + ":=> Inline policy"
    if not cont.offenders:
        cont.result = True

    return {
        'control_id': cont.id,
        'scored': cont.scored,
        'desc': cont.desc,
        'result': cont.result,
        'fail_reason': cont.fail_reason,
        'offenders': cont.offenders
    }
Пример #4
0
def control_1_14_hardware_mfa_enabled_root():
    cont = Control('1.14',
                   'Ensure hardware MFA is enabled for the "root" account',
                   True)
    root_account_MFA = IAM_CLIENT.get_account_summary(
    )['SummaryMap']['AccountMFAEnabled']
    if root_account_MFA == 1:
        hardware_MFA_paginator = IAM_CLIENT.get_paginator(
            'list_virtual_mfa_devices')
        for resp in hardware_MFA_paginator.paginate(AssignmentStatus='Any'):
            for hardware_MFA in resp['VirtualMFADevices']:
                if "mfa/root-account-mfa-device" in hardware_MFA[
                        'SerialNumber']:
                    cont.result = True
                    break
        if cont.result is False:
            cont.fail_reason = 'The root account does not have Hardware MFA'
    else:
        cont.fail_reason = 'The root account does not have MFA enabled'

    return {
        'control_id': cont.id,
        'scored': cont.scored,
        'desc': cont.desc,
        'result': cont.result,
        'fail_reason': cont.fail_reason,
        'offenders': cont.offenders
    }
Пример #5
0
def control_1_22_iam_full_admin_privileges():
    cont = Control(
        '1.22',
        'Ensure IAM policies that allow full "*:*" administrative privileges are not created',
        True)
    policies_paginator = IAM_CLIENT.get_paginator('list_policies')
    for policies in policies_paginator.paginate(Scope='Local',
                                                OnlyAttached=False):
        for each_policy in policies['Policies']:
            statements = IAM_CLIENT.get_policy_version(
                PolicyArn=each_policy['Arn'],
                VersionId=each_policy['DefaultVersionId']
            )['PolicyVersion']['Document']['Statement']
            if isinstance(statements, list):
                for each_statement in statements:
                    if 'Action' in each_statement.keys(
                    ) and each_statement['Effect'] == 'Allow':
                        if isinstance(each_statement['Action'],
                                      str) or isinstance(
                                          each_statement['Resource'], str):
                            if each_statement[
                                    'Action'] == '*' and each_statement[
                                        'Resource'] == '*':
                                if 'IAM policies has full "*:*" administrative privilege' not in cont.fail_reason:
                                    cont.fail_reason = 'IAM policies has full "*:*" administrative privilege'
                                cont.offenders = each_policy['Arn']

    if not cont.offenders:
        cont.result = True

    return {
        'control_id': cont.id,
        'scored': cont.scored,
        'desc': cont.desc,
        'result': cont.result,
        'fail_reason': cont.fail_reason,
        'offenders': cont.offenders
    }
Пример #6
0
def control_1_13_mfa_enabled_root():
    cont = Control('1.13', 'Ensure MFA is enabled for the "root" account',
                   True)
    root_account_MFA = IAM_CLIENT.get_account_summary(
    )['SummaryMap']['AccountMFAEnabled']
    if root_account_MFA == 1:
        cont.result = True
    else:
        cont.fail_reason = 'The root account does not have MFA enabled'

    return {
        'control_id': cont.id,
        'scored': cont.scored,
        'desc': cont.desc,
        'result': cont.result,
        'fail_reason': cont.fail_reason,
        'offenders': cont.offenders
    }
Пример #7
0
def control_1_20_support_role_manage_incident():
    cont = Control(
        '1.20',
        'Ensure a support role has been created to manage incidents with AWS Support',
        True)
    entities = IAM_CLIENT.list_entities_for_policy(
        PolicyArn='arn:aws:iam::aws:policy/AWSSupportAccess')
    if entities['PolicyGroups'] or entities['PolicyUsers'] or entities[
            'PolicyRoles']:
        cont.result = True
    else:
        cont.fail_reason = 'AWSSupportAccess is not attached to any IAM user,group or role'
        cont.offenders = 'AWSSupportAccess should be attached to IAM user,group or role in order to manage incidents'

    return {
        'control_id': cont.id,
        'scored': cont.scored,
        'desc': cont.desc,
        'result': cont.result,
        'fail_reason': cont.fail_reason,
        'offenders': cont.offenders
    }
Пример #8
0
def get_password_policy():
    while True:
        if IAM_CLIENT.get_account_password_policy(
        )['ResponseMetadata']['HTTPStatusCode'] == 200:
            return IAM_CLIENT.get_account_password_policy()['PasswordPolicy']