def get_bucket_encryption(trace_id, s3_client, bucket, aws_account,
region_name, is_cw_logger=False):
if (is_cw_logger):
logger = common_utils.begin_cw_logger(trace_id, __name__,
inspect.currentframe())
else:
logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
bucket_encryption = []
try:
result = s3_client.get_bucket_encryption(Bucket=bucket)
except ClientError as e:
if e.response["Error"]["Code"] == CommonConst.SERVER_SIDE_ENCRYPTION_CONFIGURATION_NOT_FOUND_ERROR:
logger.info("[%s]S3バケット暗号化情報がありません。(%s/%s)", aws_account,
region_name, bucket)
raise PmError(cause_error=e)
elif e.response['Error']['Code'] in CommonConst.S3_SKIP_EXCEPTION:
logger.warning("[%s] 権限エラーによりS3バケットリージョン情報の取得に失敗しました。(%s/%s)",
aws_account, region_name, bucket)
raise common_utils.write_log_warning(e, logger)
else:
logger.error("[%s]S3バケット暗号化情報の取得に失敗しました。(%s/%s)", aws_account,
region_name, bucket)
raise common_utils.write_log_exception(e, logger)
if common_utils.check_key("ServerSideEncryptionConfiguration", result):
if common_utils.check_key("Rules", result["ServerSideEncryptionConfiguration"]):
bucket_encryption = result["ServerSideEncryptionConfiguration"]["Rules"]
return bucket_encryption
def get_credential_report(trace_id, session, awsaccount):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
# 対象AWSアカウントに対する接続を作成します。
try:
client = session.client(service_name="iam")
except ClientError as e:
pm_logger.error("[%s] IAMクライアント作成に失敗しました。", awsaccount)
raise common_utils.write_log_exception(e, pm_logger)
# IAMユーザーのCredentialReportを取得します。
try:
result = client.generate_credential_report()
while (result['State'] != 'COMPLETE'):
time.sleep(2)
result = client.generate_credential_report()
credential_report = client.get_credential_report()
except ClientError as e:
pm_logger.error("[%s] CredentialReportの取得に失敗しました。", awsaccount)
raise common_utils.write_log_exception(e, pm_logger)
# return data
if common_utils.check_key("Content", credential_report):
return str(credential_report['Content'].decode())
return []
def get_list_policies(trace_id, session, awsaccount):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
# 対象AWSアカウントに対する接続を作成します。
try:
client = session.client(service_name="iam")
except ClientError as e:
pm_logger.error("[%s] IAMクライアント作成に失敗しました。", awsaccount)
raise common_utils.write_log_exception(e, pm_logger)
# IAMのアカウントパスワードポリシー情報を取得します。
policies = []
try:
response = client.list_policies()
if common_utils.check_key("Policies", response):
policies = response["Policies"]
# AWS SDKを用いて複数件のリソース情報取得を行う際の注意事項
is_truncated = response['IsTruncated']
while (is_truncated is True):
marker = response['Marker']
response = client.list_policies(Marker=marker)
policies.extend(response['Policies'])
is_truncated = response['IsTruncated']
except ClientError as e:
pm_logger.error("[%s] ポリシー一覧情報の取得に失敗しました。", awsaccount)
raise common_utils.write_log_exception(e, pm_logger)
# return data
return policies
def describe_security_groups(trace_id, awsaccount, ec2_client, region_name):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
security_groups = []
try:
response = ec2_client.describe_security_groups()
if common_utils.check_key("SecurityGroups", response):
security_groups = response["SecurityGroups"]
next_token = None
if 'NextToken' in response:
next_token = response['NextToken']
while (next_token is not None):
response = ec2_client.describe_security_groups(
NextToken=next_token)
security_groups.extend(response['SecurityGroups'])
if 'NextToken' in response:
next_token = response['NextToken']
else:
next_token = None
except ClientError as e:
pm_logger.error("[%s/%s] セキュリティグループ情報の取得に失敗しました。", awsaccount,
region_name)
raise common_utils.write_log_exception(e, pm_logger)
return security_groups
def describe_metric_filters(trace_id, logs_client, aws_account, region_name,
cloud_trail_log_group_name):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
metric_filters = []
try:
response = logs_client.describe_metric_filters(
logGroupName=cloud_trail_log_group_name)
if common_utils.check_key("metricFilters", response):
metric_filters = response["metricFilters"]
next_token = None
if 'NextToken' in response:
next_token = response['NextToken']
while(next_token is not None):
response = logs_client.describe_metric_filters(
logGroupName=cloud_trail_log_group_name, NextToken=next_token)
metric_filters.extend(response['metricFilters'])
if 'NextToken' in response:
next_token = response['NextToken']
else:
next_token = None
except ClientError as e:
pm_logger.error("[%s/%s] メトリクスフィルタ情報の取得に失敗しました。:LogGroupName=%s",
aws_account, region_name, cloud_trail_log_group_name)
raise common_utils.write_log_warning(e, pm_logger)
return metric_filters
def describe_volumes(trace_id,
awsaccount,
ec2_client,
region_name,
is_cw_logger=False):
if (is_cw_logger):
logger = common_utils.begin_cw_logger(trace_id, __name__,
inspect.currentframe())
else:
logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
ebs_volumes = []
try:
response = ec2_client.describe_volumes()
if common_utils.check_key("Volumes", response):
ebs_volumes = response["Volumes"]
next_token = None
if 'NextToken' in response:
next_token = response['NextToken']
while (next_token is not None):
response = ec2_client.describe_volumes(NextToken=next_token)
ebs_volumes.extend(response['Volumes'])
if 'NextToken' in response:
next_token = response['NextToken']
else:
next_token = None
except ClientError as e:
logger.error("[%s/%s] EBSボリューム情報の取得に失敗しました。", awsaccount, region_name)
raise common_utils.write_log_exception(e, logger)
return ebs_volumes
def describe_alarms(trace_id, aws_account, cloudwatch_client, region_name):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
metric_alarms = []
try:
response = cloudwatch_client.describe_alarms()
if common_utils.check_key("MetricAlarms", response):
metric_alarms = response["MetricAlarms"]
next_token = None
if 'NextToken' in response:
next_token = response['NextToken']
while (next_token is not None):
response = cloudwatch_client.describe_alarms(NextToken=next_token)
metric_alarms.extend(response['MetricAlarms'])
if 'NextToken' in response:
next_token = response['NextToken']
else:
next_token = None
except ClientError as e:
pm_logger.error("[%s/%s] CloudWatchAlarm情報の取得に失敗しました。", aws_account,
region_name)
raise common_utils.write_log_warning(e, pm_logger)
return metric_alarms
def query_key(trace_id, table_name, key, is_cw_logger=False):
if (is_cw_logger):
logger = common_utils.begin_cw_logger(trace_id, __name__,
inspect.currentframe())
else:
logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
try:
table = connect_dynamodb(table_name)
result = table.get_item(Key=key)
result_item = None
if (common_utils.check_key('Item', result)):
result_item = result['Item']
return common_utils.response(result_item, logger)
except ClientError as e:
if retrycheck.check_retryable(e.response):
retry_exception = RetryException(cause_error=e)
logger.error(retry_exception)
logger.exception("error_id: %s", retry_exception.error_id)
raise retry_exception
else:
no_retry_exception = NoRetryException(
cause_error=e, message=e.response['Error']['Message'])
logger.error(no_retry_exception)
raise no_retry_exception
def query_index(trace_id,
table_name,
index_name,
key_conditions,
filter_expression,
scan_index_forward=True,
is_cw_logger=False):
if (is_cw_logger):
logger = common_utils.begin_cw_logger(trace_id, __name__,
inspect.currentframe())
else:
logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
exclusiveStartKey = None
list_data = []
while True:
try:
result = query_index_db(trace_id,
table_name,
index_name,
key_conditions,
filter_expression,
scan_index_forward,
exclusiveStartKey,
is_cw_logger=is_cw_logger)
list_data.extend(result['Items'])
if common_utils.check_key('LastEvaluatedKey', result) is False:
break
exclusiveStartKey = result['LastEvaluatedKey']
except Exception as e:
logger.error(e)
break
return common_utils.response(list_data, logger)
def list_subscriptions_by_topic(trace_id, sns_client, aws_account, region_name,
topic_arn):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
subscriptions = []
try:
response = sns_client.list_subscriptions_by_topic(TopicArn=topic_arn)
if common_utils.check_key("Subscriptions", response):
subscriptions = response["Subscriptions"]
next_token = None
if 'NextToken' in response:
next_token = response['NextToken']
while (next_token is not None):
response = sns_client.list_subscriptions_by_topic(
TopicArn=topic_arn, NextToken=next_token)
subscriptions.extend(response['Subscriptions'])
if 'NextToken' in response:
next_token = response['NextToken']
else:
next_token = None
except ClientError as e:
pm_logger.error("[%s/%s] SNS Topicサブスクリプション情報の取得に失敗しました。: TopicArn=%s",
aws_account, region_name, topic_arn)
raise common_utils.write_log_warning(e, pm_logger)
return subscriptions
def get_data_json_by_key(key, json):
result = None
if common_utils.check_key(
key, json) and common_utils.is_null(json[key]) is False:
if (common_utils.is_number(json[key])):
result = str(json[key])
else:
result = json[key]
return result
def get_check_cis_item_4_03_result(check1, check2, region_name):
result = {
'Region': region_name,
'Level': CommonConst.LEVEL_CODE_11,
'DetectionItem': {}
}
if len(check1) > 0:
result['DetectionItem']['AbnormalitySecurityGroups'] = check1
if len(check2) > 0:
result_check2 = []
for item in check2:
sub_result_check2 = {}
if common_utils.check_key('InstanceId', item) is True:
sub_result_check2['InstanceId'] = item['InstanceId']
if common_utils.check_key('InstanceName', item) is True:
sub_result_check2['InstanceName'] = item['InstanceName']
result_check2.append(sub_result_check2)
result['DetectionItem']['AbnormalityEc2Instances'] = result_check2
return result
def query_key(table_name, key):
try:
table = resource_connect().Table(table_name.value)
result = table.get_item(Key=key)
result_item = None
if (common_utils.check_key('Item', result)):
result_item = result['Item']
return result_item
except Exception as e:
raise e
def describe_vpcs(trace_id, aws_account, ec2_client, region_name):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
try:
vpc_info = ec2_client.describe_vpcs()
except ClientError as e:
pm_logger.error("[%s/%s] VPC情報の取得に失敗しました。", aws_account, region_name)
raise common_utils.write_log_exception(e, pm_logger)
if common_utils.check_key("Vpcs", vpc_info):
return vpc_info['Vpcs']
return []
def get_list_distributions(trace_id, cloud_front_client, aws_account):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
distribution_list = []
try:
response = cloud_front_client.list_distributions()
if common_utils.check_key('DistributionList', response):
if common_utils.check_key('Items', response['DistributionList']):
distribution_list = response['DistributionList']['Items']
is_truncated = response['DistributionList']['IsTruncated']
while (is_truncated is True):
next_marker = response['DistributionList']['NextMarker']
response = cloud_front_client.list_distributions(
Marker=next_marker)
distribution_list.extend(
response['DistributionList']['Items'])
is_truncated = response['DistributionList']['IsTruncated']
except ClientError as e:
pm_logger.error("[%s] ディストリビューション一覧情報取得に失敗しました。", aws_account)
raise common_utils.write_log_exception(e, pm_logger)
return distribution_list
def get_policy_version(trace_id, client, aws_account, policy_arn, version_id):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
try:
response = client.get_policy_version(PolicyArn=policy_arn,
VersionId=version_id)
except ClientError as e:
pm_logger.error("[%s]ポリシー情報の取得に失敗しました。(%s)", aws_account, policy_arn)
raise common_utils.write_log_exception(e, pm_logger)
if common_utils.check_key("PolicyVersion", response):
return response['PolicyVersion']
return []
def describe_cloud_trails(trace_id, awsaccount, trail_client, region_name):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
trail_lists = []
try:
result = trail_client.describe_trails(includeShadowTrails=False)
except ClientError as e:
pm_logger.error("[%s/%s] CloudTrail情報の取得に失敗しました。", awsaccount,
region_name)
raise common_utils.write_log_exception(e, pm_logger)
if common_utils.check_key("trailList", result):
trail_lists = result["trailList"]
return trail_lists
def query(table_name, key_conditions, filter_expression):
exclusiveStartKey = None
list_data = []
while True:
try:
result = query_db(table_name, key_conditions, filter_expression,
exclusiveStartKey)
list_data.extend(result['Items'])
if common_utils.check_key('LastEvaluatedKey', result) is False:
break
exclusiveStartKey = result['LastEvaluatedKey']
except Exception as e:
raise e
break
return list_data
def describe_delivery_channels(trace_id, awsaccount, config_client,
region_name):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
delivery_channels = []
try:
response = config_client.describe_delivery_channels()
if common_utils.check_key("DeliveryChannels", response):
delivery_channels = response["DeliveryChannels"]
except ClientError as e:
pm_logger.error("[%s/%s] Configデリバリーチャネル情報の取得に失敗しました。", awsaccount,
region_name)
raise common_utils.write_log_exception(e, pm_logger)
return delivery_channels
def describe_configuration_recorders(trace_id, awsaccount, config_client,
region_name):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
configuration_recorders = []
try:
response = config_client.describe_configuration_recorders()
if common_utils.check_key("ConfigurationRecorders", response):
configuration_recorders = response["ConfigurationRecorders"]
except ClientError as e:
pm_logger.error("[%s/%s] Configレコーダー情報の取得に失敗しました。", awsaccount,
region_name)
raise common_utils.write_log_exception(e, pm_logger)
return configuration_recorders
def sqs_receive_message(trace_id):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
queue_url = os.environ.get("SQS_ORGANIZATION_QUEUE")
try:
client = boto3.client("sqs")
response = client.receive_message(
QueueUrl=queue_url,
MaxNumberOfMessages=10
)
messages = None
if (common_utils.check_key('Messages', response)):
messages = common_utils.response(response['Messages'], pm_logger)
return common_utils.response(messages, pm_logger)
except ClientError as e:
common_utils.write_log_exception(e, pm_logger, True)
def create_notifyslack(trace_id, organization_id, data_body):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
# リクエストボディのJSONでパースエラーが発生した場合は、ログを出力してエラーレスポンスを返します。
try:
body_object = json.loads(data_body)
notify_code = body_object['notifyCode']
webhook_url = body_object['webhookUrl']
except Exception as e:
return common_utils.error_exception(MsgConst.ERR_REQUEST_202,
HTTPStatus.BAD_REQUEST, e,
pm_logger, True)
mentions = None
if common_utils.check_key('mentions', body_object):
mentions = body_object['mentions']
# バリデーションチェックを行います。
list_error = validate_notifyslack(notify_code, webhook_url)
if list_error:
return common_utils.error_validate(MsgConst.ERR_REQUEST_201,
HTTPStatus.UNPROCESSABLE_ENTITY,
list_error, pm_logger)
# Slack通知設定情報を作成します。
try:
pm_orgNotifySlack.create(trace_id, organization_id, notify_code,
webhook_url, mentions)
except PmError as e:
return common_utils.error_exception(MsgConst.ERR_DB_403,
HTTPStatus.INTERNAL_SERVER_ERROR,
e, pm_logger, True)
# get record created
try:
org_notify_slack_created = pm_orgNotifySlack.query_key(
trace_id, organization_id, notify_code, True)
except PmError as e:
return common_utils.error_exception(MsgConst.ERR_402,
HTTPStatus.INTERNAL_SERVER_ERROR,
e, pm_logger, True)
# return data
response = common_utils.get_response_by_response_body(
HTTPStatus.CREATED, org_notify_slack_created)
return common_utils.response(response, pm_logger)
def get_account_summary(trace_id, session, aws_account):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
# 対象AWSアカウントに対する接続を作成します。
try:
client = session.client(service_name="iam")
except ClientError as e:
pm_logger.error("[%s] IAMクライアント作成に失敗しました。", aws_account)
raise common_utils.write_log_exception(e, pm_logger)
try:
response = client.get_account_summary()
except ClientError as e:
pm_logger.error("[%s] アカウントサマリーの取得に失敗しました。", aws_account)
raise common_utils.write_log_exception(e, pm_logger)
if common_utils.check_key("SummaryMap", response):
return response['SummaryMap']
return []
def get_event_selectors(trace_id, awsaccount, trail_client, region_name,
trail_arn):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
event_selectors = []
try:
result = trail_client.get_event_selectors(TrailName=trail_arn)
except ClientError as e:
pm_logger.error("[%s/%s] CloudTrailのイベントセレクタ情報の取得に失敗しました。", awsaccount,
region_name)
data_body = {'TrailARN': trail_arn}
pm_error = common_utils.write_log_exception(e, pm_logger)
pm_error.pm_notification_error = PmNotificationError(
code_error=CommonConst.KEY_CODE_ERROR_GET_EVENT_SELECTORS,
data_body=data_body)
raise common_utils.write_log_pm_error(pm_error, pm_logger)
if common_utils.check_key("EventSelectors", result):
event_selectors = result["EventSelectors"]
return event_selectors
def check_ibp_item_07_08(trace_id, check_history_id, organization_id,
project_id, aws_account, session, result_json_path):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
check_results = []
# チェック結果
try:
account_password_policy = ibp_item_common_logic.get_account_password_policy(
trace_id, check_history_id, organization_id, project_id,
aws_account, session, result_json_path)
if (common_utils.check_key("AllowUsersToChangePassword",
account_password_policy) is False
or account_password_policy['AllowUsersToChangePassword'] is
False):
check_results.append(get_check_ibp_item_07_08_result())
except PmError as e:
if e.cause_error.response['Error'][
'Code'] == CommonConst.NO_SUCH_ENTITY:
check_results.append(get_check_ibp_item_07_08_result())
else:
pm_logger.error("[%s] チェック処理中にエラーが発生しました。", aws_account)
return CheckResult.Error
# Export File CHECK_IBP_ITEM_07_08.json
try:
current_date = date_utils.get_current_date_by_format(
date_utils.PATTERN_YYYYMMDDHHMMSS)
check_password_policy = {
'AWSAccount': aws_account,
'CheckResults': check_results,
'DateTime': current_date
}
FileUtils.upload_s3(trace_id, check_password_policy, result_json_path,
True)
except Exception as e:
pm_logger.error("[%s] チェック結果JSONファイルの保存に失敗しました。", aws_account)
return CheckResult.Error
# チェック結果
if len(check_results) == 0:
return CheckResult.Normal
return CheckResult.CriticalDefect
def get_all_organizationTask(trace_id):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
exclusiveStartKey = None
organizationTasks = []
limit = 10
while True:
try:
result = DB_utils.scan(trace_id, Tables.PM_ORGANIZATION_TASKS,
limit, exclusiveStartKey)
organizationTasks.extend(result['Items'])
if (common_utils.check_key('LastEvaluatedKey', result)):
exclusiveStartKey = result['LastEvaluatedKey']
else:
break
time.sleep(1)
except PmError as e:
break
return common_utils.response(organizationTasks, pm_logger)
def get_bucket_location(trace_id, s3_client, bucket, aws_account,
is_cw_logger=False):
if (is_cw_logger):
logger = common_utils.begin_cw_logger(trace_id, __name__,
inspect.currentframe())
else:
logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
try:
result = s3_client.get_bucket_location(Bucket=bucket)
except ClientError as e:
if e.response['Error']['Code'] in CommonConst.S3_SKIP_EXCEPTION:
logger.warning("[%s] 権限エラーによりS3バケットリージョン情報の取得に失敗しました。(%s)",
aws_account, bucket)
raise common_utils.write_log_warning(e, logger)
else:
logger.error("[%s]S3バケットリージョン情報の取得に失敗しました。(%s)", aws_account,
bucket)
raise common_utils.write_log_exception(e, logger)
if common_utils.check_key("LocationConstraint", result):
return result["LocationConstraint"]
return None
def describe_instances(trace_id, awsaccount, ec2_client, region_name):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
reservation_instances = []
try:
response = ec2_client.describe_instances()
if common_utils.check_key("Reservations", response):
reservation_instances = response["Reservations"]
next_token = None
if 'NextToken' in response:
next_token = response['NextToken']
while (next_token is not None):
response = ec2_client.describe_instances(NextToken=next_token)
reservation_instances.extend(response['Reservations'])
if 'NextToken' in response:
next_token = response['NextToken']
else:
next_token = None
except ClientError as e:
pm_logger.error("[%s/%s] EC2インスタンス情報の取得に失敗しました。", awsaccount,
region_name)
raise common_utils.write_log_exception(e, pm_logger)
return reservation_instances
def get_all_projects(trace_id):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
exclusiveStartKey = None
projects = []
limit = int(common_utils.get_environ("NUM_OF_PROJECT_ITEMS_PER_1TIME"))
segment = 0
while True:
try:
result = DB_utils.scan(trace_id, Tables.PM_PROJECTS, limit,
exclusiveStartKey)
projects.extend(result['Items'])
if (common_utils.check_key('LastEvaluatedKey', result)):
exclusiveStartKey = result['LastEvaluatedKey']
else:
break
segment += 1
time.sleep(1)
except PmError as e:
pm_logger.warning("プロジェクト情報取得に失敗しました。: 取得回数=%s、一度に取得する件数=%s",
segment, limit)
break
return common_utils.response(projects, pm_logger), segment
def describe_flow_logs(trace_id, aws_account, ec2_client, region_name):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
flow_logs = []
try:
response = ec2_client.describe_flow_logs()
if common_utils.check_key("FlowLogs", response):
flow_logs = response["FlowLogs"]
next_token = None
if 'NextToken' in response:
next_token = response['NextToken']
while (next_token is not None):
response = ec2_client.describe_flow_logs(NextToken=next_token)
flow_logs.extend(response['FlowLogs'])
if 'NextToken' in response:
next_token = response['NextToken']
else:
next_token = None
except ClientError as e:
pm_logger.error("[%s/%s] VPCフローログ情報の取得に失敗しました。", aws_account,
region_name)
raise common_utils.write_log_exception(e, pm_logger)
return flow_logs
