def lambda_handler(event, context): global aws_access_key_id, aws_secret_access_key, aws_session_token, CustAccID, Region try: PolicyId = json.loads(event["body"])["PolicyId"] except: PolicyId = '' pass if not PolicyId: print("Executing auto-remediation") try: # common code CustAccID, role_arn = common.getRoleArn_cwlogs(event) aws_access_key_id, aws_secret_access_key, aws_session_token = common.getCredentials( role_arn) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} try: Region = event["Region"] queue_url = event["QueueUrl"] records_json = json.loads(event["policies"]) records = records_json["RemediationPolicies"] except: Region = "" try: # Establish a session with the portal sqs = boto3.client('sqs', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key, aws_session_token=aws_session_token, region_name=Region) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} if "SQSSSEEnabled" in str(records): try: sqs_enable_sse.run_remediation(sqs, queue_url) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} print('remediated-' + queue_url) #returning the output Array in json format return { 'statusCode': 200, 'body': json.dumps('remediated-' + queue_url) } else: print("CN-portal triggered remediation") try: CustAccID, role_arn = common.getRoleArn(event) aws_access_key_id, aws_secret_access_key, aws_session_token = common.getCredentials( role_arn) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} try: Region_name = json.loads(event["body"])["Region"] Region = common.getRegionName(Region_name) queue_name = json.loads(event["body"])["ResourceName"] queue_url = "https://sqs." + Region_name + ".amazonaws.com/" + CustAccID + "/" + queue_name except: Region = "" try: # Establish a session with the portal sqs = boto3.client('sqs', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key, aws_session_token=aws_session_token, region_name=Region) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} try: # Create KMS client kms = boto3.client('kms', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key, aws_session_token=aws_session_token, region_name=Region) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} try: if PolicyId == "SQSSSEEnabled": responseCode, output = sqs_enable_sse.run_remediation( sqs, queue_url) except ClientError as e: responseCode = 400 output = "Unable to remediate sqs queue : " + str(e) except Exception as e: responseCode = 400 output = "Unable to remediate sqs queue : " + str(e) # returning the output Array in json format return {'statusCode': responseCode, 'body': output}
def lambda_handler(event, context): global aws_access_key_id, aws_secret_access_key, aws_session_token, CustAccID, Region snapshot_access = ["RDSSnapshotNoPublicAccess"] try: PolicyId = json.loads(event["body"])["PolicyId"] except: PolicyId = '' pass #region CW Call if not PolicyId: print("Executing auto-remediation") try: # common code CustAccID, role_arn = common.getRoleArn_cwlogs(event) aws_access_key_id, aws_secret_access_key, aws_session_token = common.getCredentials( role_arn) except ClientError as e: print("assume-role" + str(e)) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} try: Region = event["Region"] RDSSnapshotName = event["RDSSnapshotName"] records_json = json.loads(event["policies"]) records = records_json["RemediationPolicies"] except: Region = "" try: rds = boto3.client('rds', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key, aws_session_token=aws_session_token, region_name=Region) except ClientError as e: print("rds-client" + str(e)) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} if set(snapshot_access).intersection(set(records)): try: rdssnapshot_access.run_remediation(rds, RDSSnapshotName) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} print('remediated-' + RDSSnapshotName) #returning the output Array in json format return { 'statusCode': 200, 'body': json.dumps('remediated-' + RDSSnapshotName) } #endregion #region Portal Call else: print("CN-portal triggered remediation") try: CustAccID, role_arn = common.getRoleArn(event) aws_access_key_id, aws_secret_access_key, aws_session_token = common.getCredentials( role_arn) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} try: Region_name = json.loads(event["body"])["Region"] Region = common.getRegionName(Region_name) RDSSnapshotName = json.loads(event["body"])["ResourceName"] except: Region = "" try: rds = boto3.client('rds', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key, aws_session_token=aws_session_token, region_name=Region) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} try: if PolicyId in snapshot_access: responseCode, output = rdssnapshot_access.run_remediation( rds, RDSSnapshotName) except ClientError as e: responseCode = 400 output = "Unable to remediate RDS cluster: " + str(e) except Exception as e: responseCode = 400 output = "Unable to remediate RDS cluster: " + str(e) # returning the output Array in json format return {'statusCode': responseCode, 'body': output}
def lambda_handler(event, context): global aws_access_key_id, aws_secret_access_key, aws_session_token, CustAccID, Region try: PolicyId = json.loads(event["body"])["PolicyId"] except: PolicyId = '' pass if not PolicyId: print("Executing auto-remediation") try: # common code CustAccID, role_arn = common.getRoleArn_cwlogs(event) aws_access_key_id, aws_secret_access_key, aws_session_token = common.getCredentials( role_arn) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} try: Region = event["Region"] FileSystemId = event["FileSystemId"] records_json = json.loads(event["policies"]) records = records_json["RemediationPolicies"] except: Region = "" try: # Establish a session with the portal fsx = boto3.client('fsx', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key, aws_session_token=aws_session_token, region_name=Region) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} if "AWSFSxBackupRetentionPeriod7Days" in str( records) or "AWSFSxBackupRetentionPeriod" in str(records): try: fsx_windows_backup_retention.run_remediation(fsx, FileSystemId) print('remediated-' + FileSystemId) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} #returning the output Array in json format return { 'statusCode': 200, 'body': json.dumps('remediated-' + FileSystemId) } else: print("CN-portal triggered remediation") try: CustAccID, role_arn = common.getRoleArn(event) aws_access_key_id, aws_secret_access_key, aws_session_token = common.getCredentials( role_arn) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} try: Region_name = json.loads(event["body"])["Region"] Region = common.getRegionName(Region_name) FileSystemId = json.loads(event["body"])["ResourceName"] except: Region = "" try: # Establish a session with the portal fsx = boto3.client('fsx', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key, aws_session_token=aws_session_token, region_name=Region) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} try: if PolicyId in [ "AWSFSxBackupRetentionPeriod7Days", "AWSFSxBackupRetentionPeriod" ]: responseCode, output = fsx_windows_backup_retention.run_remediation( fsx, FileSystemId) except ClientError as e: responseCode = 400 output = "Unable to remediate fsx: " + str(e) except Exception as e: responseCode = 400 output = "Unable to remediate fsx: " + str(e) # returning the output Array in json format return {'statusCode': responseCode, 'body': output}
def lambda_handler(event, context): global aws_access_key_id, aws_secret_access_key, aws_session_token, CustAccID, Region try: PolicyId = json.loads(event["body"])["PolicyId"] except: PolicyId = '' pass if not PolicyId: print("Executing auto-remediation") try: # common code CustAccID, role_arn = common.getRoleArn_cwlogs(event) aws_access_key_id, aws_secret_access_key, aws_session_token = common.getCredentials(role_arn) except ClientError as e: print(e) return { 'statusCode': 400, 'body': str(e) } except Exception as e: print(e) return { 'statusCode': 400, 'body': str(e) } try: Region = event["Region"] docdb_clustername = event["DocdbClusterName"] records_json = json.loads(event["policies"]) records = records_json["RemediationPolicies"] except: Region = "" try: # Establish a session with the portal docdb = boto3.client('docdb', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key,aws_session_token=aws_session_token,region_name=Region) except ClientError as e: print(e) return { 'statusCode': 400, 'body': str(e) } except Exception as e: print(e) return { 'statusCode': 400, 'body': str(e) } if "DocDBDeletionProtection" in str(records): try: docdbcluster_deletion_protection.run_remediation(docdb,docdb_clustername) print('remediated-' + docdb_clustername) except ClientError as e: print(e) return { 'statusCode': 400, 'body': str(e) } except Exception as e: print(e) return { 'statusCode': 400, 'body': str(e) } if "DocDBBackupRetentionPeriod" in str(records): try: docdbcluster_backup_retention.run_remediation(docdb,docdb_clustername) print('remediated-' + docdb_clustername) except ClientError as e: print(e) return { 'statusCode': 400, 'body': str(e) } except Exception as e: print(e) return { 'statusCode': 400, 'body': str(e) } if "DocDBCloudWatchLogsEnabled" in str(records): try: docdbcluster_logexport.run_remediation(docdb,docdb_clustername) print('remediated-' + docdb_clustername) except ClientError as e: print(e) return { 'statusCode': 400, 'body': str(e) } except Exception as e: print(e) return { 'statusCode': 400, 'body': str(e) } #returning the output Array in json format return { 'statusCode': 200, 'body': json.dumps('remediated-' + docdb_clustername) } else: print("CN-portal triggered remediation") try: CustAccID, role_arn = common.getRoleArn(event) aws_access_key_id, aws_secret_access_key, aws_session_token = common.getCredentials(role_arn) except ClientError as e: print(e) return { 'statusCode': 400, 'body': str(e) } except Exception as e: print(e) return { 'statusCode': 400, 'body': str(e) } try: Region_name = json.loads(event["body"])["Region"] Region = common.getRegionName(Region_name) docdb_clustername = json.loads(event["body"])["ResourceName"] except: Region = "" try: # Establish a session with the portal docdb = boto3.client('docdb', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key,aws_session_token=aws_session_token,region_name=Region) except ClientError as e: print(e) return { 'statusCode': 400, 'body': str(e) } except Exception as e: print(e) return { 'statusCode': 400, 'body': str(e) } try: if PolicyId == "DocDBBackupRetentionPeriod": responseCode,output = docdbcluster_backup_retention.run_remediation(docdb,docdb_clustername) if PolicyId == "DocDBCloudWatchLogsEnabled": responseCode,output = docdbcluster_logexport.run_remediation(docdb,docdb_clustername) if PolicyId == "DocDBDeletionProtection": responseCode,output = docdbcluster_deletion_protection.run_remediation(docdb,docdb_clustername) except ClientError as e: responseCode = 400 output = "Unable to remediate docdb cluster: " + str(e) except Exception as e: responseCode = 400 output = "Unable to remediate docdb cluster: " + str(e) # returning the output Array in json format return { 'statusCode': responseCode, 'body': output }
def lambda_handler(event, context): global aws_access_key_id, aws_secret_access_key, aws_session_token, CustAccID, Region try: PolicyId = json.loads(event["body"])["PolicyId"] except: PolicyId = '' pass if not PolicyId: print("Executing auto-remediation") try: # common code CustAccID, role_arn = common.getRoleArn_cwlogs(event) aws_access_key_id, aws_secret_access_key, aws_session_token = common.getCredentials( role_arn) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} try: Region = event["Region"] Trail = event["Trail"] records_json = json.loads(event["policies"]) records = records_json["RemediationPolicies"] except: Region = "" try: # Establish a session with the portal cloudtrail_client = boto3.client( 'cloudtrail', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key, aws_session_token=aws_session_token, region_name=Region) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} if "CTMultiRegionTrail" in str(records): try: cloudtrail_enable_multi_region_trail.run_remediation( cloudtrail_client, Trail) print('remediated-' + Trail) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} if "CTLogFileValidation" in str(records): try: cloudtrail_enable_log_file_validation.run_remediation( cloudtrail_client, Trail) print('remediated-' + Trail) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} if "CTIsLogging" in str(records): try: cloudtrail_enable_trail_logging.run_remediation( cloudtrail_client, Trail) print('remediated-' + Trail) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} #returning the output Array in json format return {'statusCode': 200, 'body': json.dumps('remediated-' + Trail)} else: print("CN-portal triggered remediation") try: CustAccID, role_arn = common.getRoleArn(event) aws_access_key_id, aws_secret_access_key, aws_session_token = common.getCredentials( role_arn) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} try: Region_name = json.loads(event["body"])["Region"] Region = common.getRegionName(Region_name) Trail = json.loads(event["body"])["ResourceName"] except: Region = "" try: # Establish a session with the portal cloudtrail_client = boto3.client( 'cloudtrail', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key, aws_session_token=aws_session_token, region_name=Region) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} try: if PolicyId == "CTMultiRegionTrail": responseCode, output = cloudtrail_enable_multi_region_trail.run_remediation( cloudtrail_client, Trail) except ClientError as e: responseCode = 400 output = "Unable to remediate Cloudtrail: " + str(e) except Exception as e: responseCode = 400 output = "Unable to remediate Cloudtrail: " + str(e) try: if PolicyId == "CTLogFileValidation": responseCode, output = cloudtrail_enable_log_file_validation.run_remediation( cloudtrail_client, Trail) except ClientError as e: responseCode = 400 output = "Unable to remediate Cloudtrail: " + str(e) except Exception as e: responseCode = 400 output = "Unable to remediate Cloudtrail: " + str(e) try: if PolicyId == "CTIsLogging": responseCode, output = cloudtrail_enable_trail_logging.run_remediation( cloudtrail_client, Trail) except ClientError as e: responseCode = 400 output = "Unable to remediate Cloudtrail: " + str(e) except Exception as e: responseCode = 400 output = "Unable to remediate Cloudtrail: " + str(e) # returning the output Array in json format return {'statusCode': responseCode, 'body': output}
def lambda_handler(event, context): global aws_access_key_id, aws_secret_access_key, aws_session_token, CustAccID, Region try: PolicyId = json.loads(event["body"])["PolicyId"] except: PolicyId = '' pass if not PolicyId: try: # common code CustAccID, role_arn = common.getRoleArn_cwlogs(event) aws_access_key_id, aws_secret_access_key, aws_session_token = common.getCredentials(role_arn) except ClientError as e: print(e) return { 'statusCode': 400, 'body': str(e) } except Exception as e: print(e) return { 'statusCode': 400, 'body': str(e) } try: Region = event["Region"] redshift_name = event["redshift"] records_json = json.loads(event["policies"]) records = records_json["RemediationPolicies"] except: Region = "" try: # Establish a session with the portal redshift = boto3.client('redshift', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key,aws_session_token=aws_session_token,region_name=Region) except ClientError as e: print(e) return { 'statusCode': 400, 'body': str(e) } except Exception as e: print(e) return { 'statusCode': 400, 'body': str(e) } if "RedShiftNotPublic" in str(records): try: redshift_not_public.run_remediation(redshift,redshift_name) except ClientError as e: print(e) return { 'statusCode': 400, 'body': str(e) } except Exception as e: print(e) return { 'statusCode': 400, 'body': str(e) } if "RedShiftVersionUpgrade" in str(records): try: redshift_autoversionupgrade.run_remediation(redshift,redshift_name) except ClientError as e: print(e) return { 'statusCode': 400, 'body': str(e) } except Exception as e: print(e) return { 'statusCode': 400, 'body': str(e) } if "RedShiftAutomatedSnapshot" in str(records): try: redshift_automatic_retention.run_remediation(redshift,redshift_name) except ClientError as e: print(e) return { 'statusCode': 400, 'body': str(e) } except Exception as e: print(e) return { 'statusCode': 400, 'body': str(e) } print('remediated-' + redshift_name) #returning the output Array in json format return { 'statusCode': 200, 'body': json.dumps('remediated-' + redshift_name) } else: print("CN-portal triggered remediation") try: CustAccID, role_arn = common.getRoleArn(event) aws_access_key_id, aws_secret_access_key, aws_session_token = common.getCredentials(role_arn) except ClientError as e: print(e) return { 'statusCode': 400, 'body': str(e) } except Exception as e: print(e) return { 'statusCode': 400, 'body': str(e) } try: Region_name = json.loads(event["body"])["Region"] Region = common.getRegionName(Region_name) redshift_name = json.loads(event["body"])["ResourceName"] except: Region = "" try: # Establish a session with the portal redshift = boto3.client('redshift', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key,aws_session_token=aws_session_token,region_name=Region) except ClientError as e: print(e) return { 'statusCode': 400, 'body': str(e) } except Exception as e: print(e) return { 'statusCode': 400, 'body': str(e) } try: if PolicyId == "RedShiftNotPublic": responseCode,output = redshift_not_public.run_remediation(redshift,redshift_name) if PolicyId == "RedShiftVersionUpgrade": responseCode,output = redshift_autoversionupgrade.run_remediation(redshift,redshift_name) if PolicyId == "RedShiftAutomatedSnapshot": responseCode,output = redshift_automatic_retention.run_remediation(redshift,redshift_name) except ClientError as e: responseCode = 400 output = "Unable to remediate redshift: " + str(e) except Exception as e: responseCode = 400 output = "Unable to remediate redshift: " + str(e) # returning the output Array in json format return { 'statusCode': responseCode, 'body': output }
def lambda_handler(event, context): global aws_access_key_id, aws_secret_access_key, aws_session_token, CustAccID, Region common_policies = [ "S3bucketNoPublicAAUFull", "S3bucketNoPublicAAURead", "S3bucketNoPublicAAUReadACP", "S3bucketNoPublicAAUWrite", "S3bucketNoPublicAAUWriteACP", "S3notPublictoInternet", "S3notPublicRead", "S3notPublicReadACP", "S3notPublicWrite", "S3notPublicWriteACP" ] try: PolicyId = json.loads(event["body"])["PolicyId"] except: PolicyId = '' pass if not PolicyId: print("Executing auto-remediation") try: # common code CustAccID, role_arn = common.getRoleArn_cwlogs(event) aws_access_key_id, aws_secret_access_key, aws_session_token = common.getCredentials( role_arn) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} try: Region = event["Region"] bucket_name = event["bucket"] records_json = json.loads(event["policies"]) records = records_json["RemediationPolicies"] except: Region = "" try: # Establish a session with the portal s3_client = boto3.client( 's3', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key, aws_session_token=aws_session_token) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} if "S3EncryptionEnabled" in str(records): try: s3_put_bucket_encryption.run_remediation( s3_client, bucket_name) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} if "S3VersioningEnabled" in str(records): try: s3_put_bucket_versioning.run_remediation( s3_client, bucket_name) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} if set(common_policies).intersection(set(records)): try: s3_put_bucket_acl.run_remediation(s3_client, bucket_name) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} print('remediated-' + bucket_name) #returning the output Array in json format return { 'statusCode': 200, 'body': json.dumps('remediated-' + bucket_name) } else: print("CN-portal triggered remediation") try: CustAccID, role_arn = common.getRoleArn(event) aws_access_key_id, aws_secret_access_key, aws_session_token = common.getCredentials( role_arn) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} try: Region_name = json.loads(event["body"])["Region"] Region = common.getRegionName(Region_name) bucket_name = json.loads(event["body"])["ResourceName"] except: Region = "" try: # Establish a session with the portal s3_client = boto3.client( 's3', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key, aws_session_token=aws_session_token) except ClientError as e: print("Error:" + str(e)) return {'statusCode': 400, 'body': ("Error:" + str(e))} except Exception as e: print(e) return {'statusCode': 400, 'body': ("Error:" + str(e))} try: if PolicyId == "S3EncryptionEnabled": responseCode, output = s3_put_bucket_encryption.run_remediation( s3_client, bucket_name) if PolicyId == "S3VersioningEnabled": responseCode, output = s3_put_bucket_versioning.run_remediation( s3_client, bucket_name) if PolicyId in str(common_policies): responseCode, output = s3_put_bucket_acl.run_remediation( s3_client, bucket_name) except ClientError as e: responseCode = 400 output = "Unable to remediate bucket: " + str(e) except Exception as e: responseCode = 400 output = "Unable to remediate bucket: " + str(e) # returning the output Array in json format return {'statusCode': responseCode, 'body': output}
def lambda_handler(event, context): global aws_access_key_id, aws_secret_access_key, aws_session_token, CustAccID, Region try: PolicyId = json.loads(event["body"])["PolicyId"] except: PolicyId = '' pass if not PolicyId: print("Executing auto-remediation") try: # common code CustAccID, role_arn = common.getRoleArn_cwlogs(event) aws_access_key_id, aws_secret_access_key, aws_session_token = common.getCredentials( role_arn) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} try: Region = event["Region"] delivery_stream_name = event["StreamName"] records_json = json.loads(event["policies"]) records = records_json["RemediationPolicies"] except: Region = "" try: # Establish a session with the portal kinesis_firehose = boto3.client( 'firehose', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key, aws_session_token=aws_session_token, region_name=Region) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} if "KinesisFirehoseEncryption" in str(records): try: kinesis_firehose_default_encryption.run_remediation( kinesis_firehose, delivery_stream_name) print('remediated-' + delivery_stream_name) #returning the output Array in json format return { 'statusCode': 200, 'body': json.dumps('remediated-' + delivery_stream_name) } except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} else: print("CN-portal triggered remediation") try: CustAccID, role_arn = common.getRoleArn(event) aws_access_key_id, aws_secret_access_key, aws_session_token = common.getCredentials( role_arn) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} try: Region_name = json.loads(event["body"])["Region"] Region = common.getRegionName(Region_name) delivery_stream_name = json.loads(event["body"])["ResourceName"] except: Region = "" try: # Establish a session with the portal kinesis_firehose = boto3.client( 'firehose', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key, aws_session_token=aws_session_token, region_name=Region) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} try: if PolicyId == "KinesisFirehoseEncryption": responseCode, output = kinesis_firehose_default_encryption.run_remediation( kinesis_firehose, delivery_stream_name) except ClientError as e: responseCode = 400 output = "Unable to remediate kinesis firehose: " + str(e) except Exception as e: responseCode = 400 output = "Unable to remediate kinesis firehose: " + str(e) # returning the output Array in json format return {'statusCode': responseCode, 'body': output}
def lambda_handler(event, context): global aws_access_key_id, aws_secret_access_key, aws_session_token, CustAccID try: PolicyId = json.loads(event["body"])["PolicyId"] except: PolicyId = '' pass if not PolicyId: print("Executing auto-remediation") try: # common code CustAccID, role_arn = common.getRoleArn_cwlogs(event) aws_access_key_id, aws_secret_access_key, aws_session_token = common.getCredentials( role_arn) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} try: records_json = json.loads(event["policies"]) records = records_json["RemediationPolicies"] except: pass try: # Establish a session with the portal iam_client = boto3.client( 'iam', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key, aws_session_token=aws_session_token) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} if "IAMPasswordRequiredNumber" in str(records): try: iam_require_numbers.run_remediation(iam_client) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} if "IAMPasswordUpCaseLetter" in str(records): try: iam_require_uppercaseletters.run_remediation(iam_client) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} if "IAMPasswordRequiredSymbols" in str(records): try: iam_require_symbols.run_remediation(iam_client) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} if "IAMRequireLowercaseLetter" in str(records): try: iam_require_lowercaseletters.run_remediation(iam_client) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} if "IAMMinPasswordLength" in str(records): try: iam_minimum_passwordlength.run_remediation(iam_client) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} if "IAMExpirePasswords" in str(records): try: iam_password_expiration.run_remediation(iam_client) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} if "IAMPasswordReusePrevention" in str(records): try: iam_password_reuse.run_remediation(iam_client) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} print("Remediated IAM policies") #returning the output Array in json format return { 'statusCode': 200, 'body': json.dumps("Remediated IAM policies") } else: print("CN-portal triggered remediation") try: # common code CustAccID, role_arn = common.getRoleArn(event) aws_access_key_id, aws_secret_access_key, aws_session_token = common.getCredentials( role_arn) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} try: # Establish a session with the portal iam_client = boto3.client( 'iam', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key, aws_session_token=aws_session_token) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} try: responseCode = 400 output = "Policies not configured" if PolicyId == "IAMPasswordRequiredNumber": responseCode, output = iam_require_numbers.run_remediation( iam_client) if PolicyId == "IAMPasswordUpCaseLetter": responseCode, output = iam_require_uppercaseletters.run_remediation( iam_client) if PolicyId == "IAMPasswordRequiredSymbols": responseCode, output = iam_require_symbols.run_remediation( iam_client) if PolicyId == "IAMRequireLowercaseLetter": responseCode, output = iam_require_lowercaseletters.run_remediation( iam_client) if PolicyId == "IAMMinPasswordLength": responseCode, output = iam_minimum_passwordlength.run_remediation( iam_client) if PolicyId == "IAMExpirePasswords": responseCode, output = iam_password_expiration.run_remediation( iam_client) if PolicyId == "IAMPasswordReusePrevention": responseCode, output = iam_password_reuse.run_remediation( iam_client) except ClientError as e: responseCode = 400 output = "Unable to remediate IAM Policies: " + str(e) except Exception as e: responseCode = 400 output = "Unable to remediate IAM Policies: " + str(e) # returning the output Array in json format return {'statusCode': responseCode, 'body': output}
def lambda_handler(event, context): global aws_access_key_id, aws_secret_access_key, aws_session_token, CustAccID, Region backup_retention = [ "SQLBackup", "SQLBackupTerm", "MariadbBackup", "MariadbBackupTerm", "OracleBackup", "OracleBackupTerm", "SQLServerBackup", "SQLServerBackupTerm", "MySQLBackup", "MySQLBackupTerm" ] copytagstosnapshot = [ "SQLCopyTagsToSnapshot", "MariadbCopyTagsToSnapshot", "OracleCopyTagsToSnapshot", "SQLServerCopyTagsToSnapshot", "MySQLCopyTagsToSnapshot" ] deletion_protection = [ "SQLDeletionProtection", "MariadbDeletionProtection", "OracleDeletionProtection", "SQLServerDeletionProtection", "MySQLDeletionProtection" ] disable_public_access = [ "SQLPrivateInstance", "MariadbPrivateInstance", "OraclePrivateInstance", "SQLServerPrivateInstance", "AuroraInstancePrivateInstance", "MySQLPrivateInstance" ] minor_version = [ "SQLVersionUpgrade", "MariadbVersionUpgrade", "OracleVersionUpgrade", "SQLServerVersionUpgrade", "AuroraInstanceVersionUpgrade", "MySQLVersionUpgrade" ] multiaz = [ "SQLMultiAZEnabled", "MariadbMultiAZEnabled", "OracleMultiAZEnabled", "SQLServerMultiAZEnabled", "MySQLMultiAZEnabled" ] performance_insights = [ "SQLPerformanceInsights", "MariadbPerformanceInsights", "OraclePerformanceInsights", "SQLServerPerformanceInsights", "AuroraInstancePerformanceInsights", "MySQLPerformanceInsights" ] instance_logexport = [ "MySQLlogExport", "MariadblogExport", "OraclelogExport" ] instance_iam_auth = ["SQLIAMAuthEnabled", "MySQLIAMAuthEnabled"] db_parameters = ["MySQLBlockEncryption", "MySQLEnableFIPS"] try: PolicyId = json.loads(event["body"])["PolicyId"] except: PolicyId = '' pass #region CW Call if not PolicyId: try: # common code CustAccID, role_arn = common.getRoleArn_cwlogs(event) aws_access_key_id, aws_secret_access_key, aws_session_token = common.getCredentials( role_arn) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} try: Region = event["Region"] RDSInstanceName = event["RDSInstanceName"] records_json = json.loads(event["policies"]) records = records_json["RemediationPolicies"] except: Region = "" try: rds = boto3.client('rds', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key, aws_session_token=aws_session_token, region_name=Region) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} if set(backup_retention).intersection(set(records)): try: rdsinstance_backupretention.run_remediation( rds, RDSInstanceName) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} if set(copytagstosnapshot).intersection(set(records)): try: rdsinstance_copytagstosnapshot.run_remediation( rds, RDSInstanceName) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} if set(deletion_protection).intersection(set(records)): try: rdsinstance_deletion_protection.run_remediation( rds, RDSInstanceName) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} if set(disable_public_access).intersection(set(records)): try: rdsinstance_disable_public_access.run_remediation( rds, RDSInstanceName) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} if set(minor_version).intersection(set(records)): try: rdsinstance_minorversionupgrade.run_remediation( rds, RDSInstanceName) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} if set(performance_insights).intersection(set(records)): try: rdsinstance_performanceinsights.run_remediation( rds, RDSInstanceName) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} if set(instance_logexport).intersection(set(records)): try: rdsinstance_logsenabled.run_remediation(rds, RDSInstanceName) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} if set(instance_iam_auth).intersection(set(records)): try: rdsinstance_iam_auth.run_remediation(rds, RDSInstanceName) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} if set(db_parameters).intersection(set(records)): try: rdsinstance_updateparameters.run_remediation( rds, RDSInstanceName) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} if set(multiaz).intersection(set(records)): try: rdsinstance_multizone.run_remediation(rds, RDSInstanceName) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} print('remediated-' + RDSInstanceName) #returning the output Array in json format return { 'statusCode': 200, 'body': json.dumps('remediated-' + RDSInstanceName) } #endregion #region Portal Call else: print("CN-portal triggered remediation") try: CustAccID, role_arn = common.getRoleArn(event) aws_access_key_id, aws_secret_access_key, aws_session_token = common.getCredentials( role_arn) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} try: Region_name = json.loads(event["body"])["Region"] Region = common.getRegionName(Region_name) RDSInstanceName = json.loads(event["body"])["ResourceName"] except: Region = "" try: rds = boto3.client('rds', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key, aws_session_token=aws_session_token, region_name=Region) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} try: if PolicyId in backup_retention: responseCode, output = rdsinstance_backupretention.run_remediation( rds, RDSInstanceName) if PolicyId in copytagstosnapshot: responseCode, output = rdsinstance_copytagstosnapshot.run_remediation( rds, RDSInstanceName) if PolicyId in deletion_protection: responseCode, output = rdsinstance_deletion_protection.run_remediation( rds, RDSInstanceName) if PolicyId in disable_public_access: responseCode, output = rdsinstance_disable_public_access.run_remediation( rds, RDSInstanceName) if PolicyId in minor_version: responseCode, output = rdsinstance_minorversionupgrade.run_remediation( rds, RDSInstanceName) if PolicyId in multiaz: responseCode, output = rdsinstance_multizone.run_remediation( rds, RDSInstanceName) if PolicyId in performance_insights: responseCode, output = rdsinstance_performanceinsights.run_remediation( rds, RDSInstanceName) if PolicyId in instance_logexport: responseCode, output = rdsinstance_logsenabled.run_remediation( rds, RDSInstanceName) if PolicyId in instance_iam_auth: responseCode, output = rdsinstance_iam_auth.run_remediation( rds, RDSInstanceName) if PolicyId in db_parameters: responseCode, output = rdsinstance_updateparameters.run_remediation( rds, RDSInstanceName) except ClientError as e: responseCode = 400 output = "Unable to remediate RDS Instance: " + str(e) except Exception as e: responseCode = 400 output = "Unable to remediate RDS Instance: " + str(e) return {'statusCode': responseCode, 'body': output}
def lambda_handler(event, context): cloudtrail_list = ["CTMultiRegionTrail", "CTLogFileValidation"] elb_list = ["ClassicLBConnDraining"] elbv2_list = ["AppLBDeletionProtection", "NetworkLBDeletionProtection"] iam_list = [ "IAMPasswordRequiredNumber", "IAMPasswordUpCaseLetter", "IAMPasswordRequiredSymbols", "IAMRequireLowercaseLetter", "IAMMinPasswordLength", "IAMExpirePasswords", "IAMPasswordReusePrevention" ] kinesis_list = ["KinesisEnhancedMonitoring", "KinesisSSE"] kms_list = ["KMSKeyRotation"] rds_cluster_list = [ "AuroraDeleteProtection", "AuroraServerlessDeleteProtection", "AuroraPostgresServerlessDeleteProtection", "AuroraBackup", "AuroraBackupTerm", "AuroraServerlessBackupTerm", "AuroraPostgresServerlessBackupTerm", "AuroraCopyTagsToSnapshot", "AuroraServerlessCopyTagsToSnapshot", "AuroraPostgresServerlessCopyTagsToSnapshot", "AuroraServerlessScalingAutoPause", "AuroraPostgresServerlessScalingAutoPause" ] rds_instance_list = [ "SQLBackup", "SQLBackupTerm", "MariadbBackup", "MariadbBackupTerm", "OracleBackup", "OracleBackupTerm", "SQLServerBackup", "SQLServerBackupTerm", "SQLCopyTagsToSnapshot", "MariadbCopyTagsToSnapshot", "OracleCopyTagsToSnapshot", "SQLServerCopyTagsToSnapshot", "SQLDeletionProtection", "MariadbDeletionProtection", "OracleDeletionProtection", "SQLServerDeletionProtection", "SQLPrivateInstance", "MariadbPrivateInstance", "OraclePrivateInstance", "SQLServerPrivateInstance", "AuroraInstancePrivateInstance", "SQLVersionUpgrade", "MariadbVersionUpgrade", "OracleVersionUpgrade", "SQLServerVersionUpgrade", "AuroraInstanceVersionUpgrade", "SQLMultiAZEnabled", "MariadbMultiAZEnabled", "OracleMultiAZEnabled", "SQLServerMultiAZEnabled", "SQLPerformanceInsights", "MariadbPerformanceInsights", "OraclePerformanceInsights", "SQLServerPerformanceInsights", "AuroraInstancePerformanceInsights" ] redshift_list = [ "RedShiftNotPublic", "RedShiftVersionUpgrade", "RedShiftAutomatedSnapshot" ] s3_list = [ "S3VersioningEnabled", "S3EncryptionEnabled", "S3bucketNoPublicAAUFull", "S3bucketNoPublicAAURead", "S3bucketNoPublicAAUReadACP", "S3bucketNoPublicAAUWrite", "S3bucketNoPublicAAUWriteACP", "S3notPublictoInternet", "S3notPublicRead", "S3notPublicReadACP", "S3notPublicWrite", "S3notPublicWriteACP" ] try: runtime_region = os.environ['AWS_REGION'] except: runtime_region = 'us-east-1' try: policy_list = json.loads(event['body'])['RemediationPolicies'] policy_flag = 1 except: policy_flag = 0 pass try: PolicyId = json.loads(event["body"])["PolicyId"] except: PolicyId = '' pass try: cw_data = event['awslogs']['data'] except: cw_data = '' try: VerifyAccess = json.loads(event['body'])['VerifyAccess'] except: VerifyAccess = '' #region Policy Discovery if policy_flag: try: RemediationAWSAccountId = json.loads( event['body'])['RemediationAWSAccountId'] RemAccHash = hashlib.md5( str(RemediationAWSAccountId).encode('utf-8')).hexdigest() s3Client = boto3.client('s3') buckets = s3Client.list_buckets()['Buckets'] for i in range(len(buckets)): if RemAccHash in str(buckets[i]['Name']): rem_bucket = buckets[i]['Name'] try: s3Client.get_bucket_versioning(Bucket=rem_bucket) break except: pass except ClientError as e: print(e) return {'statusCode': 401, 'body': json.dumps(str(e))} except Exception as e: print(e) return {'statusCode': 401, 'body': json.dumps(str(e))} # rem_bucket = 'cn-rem-cust-rem-acc' available_list = cloudtrail_list + elb_list + elbv2_list + iam_list + kinesis_list + kms_list + rds_cluster_list + rds_instance_list + redshift_list + s3_list try: if set(policy_list) <= set(available_list): RemediationData = json.loads(event['body']) AWSAccountId = json.loads(event['body'])["AWSAccountId"] hash_object = hashlib.sha256('{AWSAccountId}'.format( AWSAccountId=AWSAccountId).encode()) hash_key = hash_object.hexdigest() hash_key = 'policy_config/' + hash_key s3Client.put_object(Bucket=rem_bucket, Key=hash_key, Body=(bytes( json.dumps(RemediationData, indent=2).encode('UTF-8')))) return { 'statusCode': 200, 'body': json.dumps("Policies configured") } else: return { 'statusCode': 403, 'body': json.dumps("Update Remediation Framework") } #update remediation framework except ClientError as e: print(e) return {'statusCode': 401, 'body': json.dumps(str(e))} except Exception as e: print(e) return {'statusCode': 401, 'body': json.dumps(str(e))} #endregion #region Auto-remediation elif cw_data: try: records = "" compressed_payload = base64.b64decode(cw_data) uncompressed_payload = gzip.decompress(compressed_payload) payload = json.loads(uncompressed_payload) log_events = payload['logEvents'] log_event = json.loads(log_events[0]['message']) AWSAccId = log_event["userIdentity"]["accountId"] EventName = log_event["eventName"] EventSource = log_event["userIdentity"]["arn"] except ClientError as e: print(e) return {'statusCode': 401, 'body': json.dumps(str(e))} except Exception as e: print(e) return {'statusCode': 401, 'body': json.dumps(str(e))} try: sts = boto3.client('sts') RemediationAWSAccountId = sts.get_caller_identity()['Account'] except: RemediationAWSAccountId = AWSAccId if "assumed-role/CN-Auto-Remediation-Role" not in str(EventSource): try: hash_object = hashlib.sha256( '{AWSAccId}'.format(AWSAccId=AWSAccId).encode()) hash_key = hash_object.hexdigest() hash_key = 'policy_config/' + hash_key except ClientError as e: print(e) return {'statusCode': 401, 'body': json.dumps(str(e))} except Exception as e: print(e) return {'statusCode': 401, 'body': json.dumps(str(e))} try: s3Client = boto3.client('s3') buckets = s3Client.list_buckets()['Buckets'] RemAccHash = hashlib.md5( str(RemediationAWSAccountId).encode('utf-8')).hexdigest() for i in range(len(buckets)): if RemAccHash in str(buckets[i]['Name']): rem_bucket = buckets[i]['Name'] try: s3Client.get_bucket_versioning(Bucket=rem_bucket) break except: pass # SQL="select s.RemediationPolicies from s3object s where s.AWSAccountId = '" + cust_acc + "'" SQL = "select s.RemediationPolicies from s3object s" data = s3Client.select_object_content( Bucket=rem_bucket, Key=hash_key, ExpressionType='SQL', Expression=SQL, InputSerialization={ 'CompressionType': 'NONE', 'JSON': { 'Type': 'DOCUMENT' } }, OutputSerialization={'JSON': { 'RecordDelimiter': '\n', }}) for event in data['Payload']: if 'Records' in event: records = event['Records']['Payload'].decode('utf-8') except ClientError as e: print(e) return {'statusCode': 400, 'body': json.dumps(str(e))} except Exception as e: print(e) return {'statusCode': 400, 'body': json.dumps(str(e))} if records: try: invokeLambda = boto3.client('lambda', region_name=runtime_region) except ClientError as e: print(e) return { 'statusCode': 401, 'body': json.dumps('Error during remediation, error:' + str(e)) } except Exception as e: print(e) return { 'statusCode': 401, 'body': json.dumps('Error during remediation, error:' + str(e)) } #region cloudtrail sub-orchestrator call if EventName in ["CreateTrail", "UpdateTrail"]: try: Trail = log_event["responseElements"]["name"] Region = log_event["awsRegion"] remediationObj = { "accountId": AWSAccId, "Trail": Trail, "Region": Region, "policies": records } response = invokeLambda.invoke( FunctionName='cn-aws-remediate-cloudtrail', InvocationType='RequestResponse', Payload=json.dumps(remediationObj)) response = json.loads(response['Payload'].read()) print(response) return { 'statusCode': 200, 'body': json.dumps(response) } except ClientError as e: print('Error during remediation, error:' + str(e)) except Exception as e: print('Error during remediation, error:' + str(e)) #endregion #region load-balancer sub-orchestrator call if EventName in [ "CreateLoadBalancer", "ModifyLoadBalancerAttributes" ]: if EventName == "CreateLoadBalancer": try: lb_detail = log_event["requestParameters"]["type"] if lb_detail in ["application", "network"]: lb_type = 'elbv2' else: lb_type = 'elb' except: lb_type = 'elb' else: try: lb_attributes = log_event["requestParameters"][ "attributes"] lb_type = 'elbv2' except: lb_type = 'elb' if lb_type == 'elbv2': try: if EventName == "CreateLoadBalancer": LoadBalancerArn = log_event[ "responseElements"]["loadBalancers"][0][ "loadBalancerArn"] else: LoadBalancerArn = log_event[ "requestParameters"]["loadBalancerArn"] Region = log_event["awsRegion"] remediationObj = { "accountId": AWSAccId, "LoadBalancerArn": LoadBalancerArn, "Region": Region, "policies": records } response = invokeLambda.invoke( FunctionName='cn-aws-remediate-elbv2', InvocationType='RequestResponse', Payload=json.dumps(remediationObj)) response = json.loads(response['Payload'].read()) print(response) return { 'statusCode': 200, 'body': json.dumps(response) } except ClientError as e: print('Error during remediation, error:' + str(e)) except Exception as e: print('Error during remediation, error:' + str(e)) else: try: LoadBalancerName = log_event["requestParameters"][ "loadBalancerName"] Region = log_event["awsRegion"] remediationObj = { "accountId": AWSAccId, "LoadBalancerName": LoadBalancerName, "Region": Region, "policies": records } response = invokeLambda.invoke( FunctionName='cn-aws-remediate-elb', InvocationType='RequestResponse', Payload=json.dumps(remediationObj)) response = json.loads(response['Payload'].read()) print(response) return { 'statusCode': 200, 'body': json.dumps(response) } except ClientError as e: print('Error during remediation, error:' + str(e)) except Exception as e: print('Error during remediation, error:' + str(e)) #endregion #region IAM sub-orchestrator call if EventName in [ "UpdateAccountPasswordPolicy", "DeleteAccountPasswordPolicy" ]: try: remediationObj = { "accountId": AWSAccId, "policies": records } response = invokeLambda.invoke( FunctionName='cn-aws-remediate-iam', InvocationType='RequestResponse', Payload=json.dumps(remediationObj)) response = json.loads(response['Payload'].read()) print(response) return { 'statusCode': 200, 'body': json.dumps(response) } except ClientError as e: print('Error during remediation, error:' + str(e)) except Exception as e: print('Error during remediation, error:' + str(e)) #endregion #region Kinesis sub-orchestrator call if EventName in [ "CreateStream", "StopStreamEncryption", "DisableEnhancedMonitoring" ]: try: kinesis_stream = log_event["requestParameters"][ "streamName"] Region = log_event["awsRegion"] remediationObj = { "accountId": AWSAccId, "kinesis_stream": kinesis_stream, "Region": Region, "policies": records } response = invokeLambda.invoke( FunctionName='cn-aws-remediate-kinesis', InvocationType='RequestResponse', Payload=json.dumps(remediationObj)) response = json.loads(response['Payload'].read()) print(response) return { 'statusCode': 200, 'body': json.dumps(response) } except ClientError as e: print('Error during remediation, error:' + str(e)) except Exception as e: print('Error during remediation, error:' + str(e)) #endregion #region kms suborchestrator invocation if EventName in ["CreateKey", "DisableKeyRotation"]: try: KeyId = log_event["responseElements"]["keyMetadata"][ "keyId"] Region = log_event["awsRegion"] except: KeyId = log_event["requestParameters"]["keyId"] Region = log_event["awsRegion"] try: remediationObj = { "accountId": AWSAccId, "KeyId": KeyId, "Region": Region, "policies": records } response = invokeLambda.invoke( FunctionName='cn-aws-remediate-kms', InvocationType='RequestResponse', Payload=json.dumps(remediationObj)) response = json.loads(response['Payload'].read()) print(response) return { 'statusCode': 200, 'body': json.dumps(response) } except ClientError as e: print('Error during remediation, error:' + str(e)) except Exception as e: print('Error during remediation, error:' + str(e)) #endregion #region rds cluster suborchestrator call if EventName in [ "CreateDBCluster", "ModifyDBCluster", "CreateDBInstance" ]: try: DBEngine = log_event["responseElements"]["engine"] except: DBEngine = '' if 'aurora' in str(DBEngine): try: RDSClusterName = log_event["responseElements"][ "dBClusterIdentifier"] Region = log_event["awsRegion"] remediationObj = { "accountId": AWSAccId, "RDSClusterName": RDSClusterName, "Region": Region, "policies": records } response = invokeLambda.invoke( FunctionName='cn-aws-remediate-rdscluster', InvocationType='RequestResponse', Payload=json.dumps(remediationObj)) response = json.loads(response['Payload'].read()) print(response) return { 'statusCode': 200, 'body': json.dumps(response) } except ClientError as e: print('Error during remediation, error:' + str(e)) except Exception as e: print('Error during remediation, error:' + str(e)) #endregion #region rds instance suborchestrator call if EventName in ["CreateDBInstance", "ModifyDBInstance"]: try: RDSInstanceName = log_event["responseElements"][ "dBInstanceIdentifier"] Region = log_event["awsRegion"] remediationObj = { "accountId": AWSAccId, "RDSInstanceName": RDSInstanceName, "Region": Region, "policies": records } response = invokeLambda.invoke( FunctionName='cn-aws-remediate-rdsinstance', InvocationType='RequestResponse', Payload=json.dumps(remediationObj)) response = json.loads(response['Payload'].read()) print(response) return { 'statusCode': 200, 'body': json.dumps(response) } except ClientError as e: print('Error during remediation, error:' + str(e)) except Exception as e: print('Error during remediation, error:' + str(e)) #endregion #region redshift sub-orchestrator call if EventName in ["CreateCluster", "ModifyCluster"]: try: redshift = log_event["requestParameters"][ "clusterIdentifier"] Region = log_event["awsRegion"] remediationObj = { "accountId": AWSAccId, "redshift": redshift, "Region": Region, "policies": records } response = invokeLambda.invoke( FunctionName='cn-aws-remediate-redshift', InvocationType='RequestResponse', Payload=json.dumps(remediationObj)) response = json.loads(response['Payload'].read()) print(response) return { 'statusCode': 200, 'body': json.dumps(response) } except ClientError as e: print('Error during remediation, error:' + str(e)) except Exception as e: print('Error during remediation, error:' + str(e)) #endregion #region S3 sub-orchestrator call if EventName in [ "CreateBucket", "PutBucketAcl", "DeleteBucketEncryption", "PutBucketVersioning" ]: try: bucket = log_event["requestParameters"]["bucketName"] Region = log_event["awsRegion"] remediationObj = { "accountId": AWSAccId, "bucket": bucket, "Region": Region, "policies": records } response = invokeLambda.invoke( FunctionName='cn-aws-remediate-s3-bucket', InvocationType='RequestResponse', Payload=json.dumps(remediationObj)) response = json.loads(response['Payload'].read()) print(response) return { 'statusCode': 200, 'body': json.dumps(response) } except ClientError as e: print('Error during remediation, error:' + str(e)) except Exception as e: print('Error during remediation, error:' + str(e)) #endregion else: print("Policies not configured for remediation") return { 'statusCode': 200, 'body': json.dumps("Policies not configured for remediation") } else: return { 'statusCode': 200, 'body': json.dumps("Resource already remediated!") } #endregion #region Verify-Access elif VerifyAccess: OrchestartorAccess, RelayAccess = (True, ) * 2 try: AWSAccId = json.loads(event['body'])['AWSAccountId'] RemAccId = json.loads(event['body'])['RemediationAWSAccountId'] except: pass if RemAccId != AWSAccId: try: cust_accid, remdiationfunc_rolearn = common.getRoleArn(event) aws_access_key_id, aws_secret_access_key, aws_session_token = common.getCredentials( remdiationfunc_rolearn) except: OrchestartorAccess = False try: invokeLambda = boto3.client( 'lambda', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key, aws_session_token=aws_session_token, region_name=runtime_region) response = invokeLambda.invoke( FunctionName='cn-aws-remediate-relayfunction', InvocationType='RequestResponse', Payload=json.dumps(event)) RelayAccess = json.loads(response['Payload'].read()) except: RelayAccess = False else: try: cust_accid, remdiatoracc_rolearn = common.getRoleArn(event) common.getCredentials(remdiatoracc_rolearn) except: OrchestartorAccess = False return [RelayAccess, OrchestartorAccess] #endregion #region CN Portal Triggered remediation else: try: invokeLambda = boto3.client('lambda', region_name=runtime_region) except ClientError as e: print(e) response = {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': json.dumps(str(e))} #region cloudtrail suborchestrator call if PolicyId in (cloudtrail_list): try: response = invokeLambda.invoke( FunctionName='cn-aws-remediate-cloudtrail', InvocationType='RequestResponse', Payload=json.dumps(event)) response = json.loads(response['Payload'].read()) print(response) except ClientError as e: print('Error during remediation, error:' + str(e)) except Exception as e: print('Error during remediation, error:' + str(e)) #endregion #region elb suborchestrator call if PolicyId in (elb_list): try: response = invokeLambda.invoke( FunctionName='cn-aws-remediate-elb', InvocationType='RequestResponse', Payload=json.dumps(event)) response = json.loads(response['Payload'].read()) print(response) except ClientError as e: print('Error during remediation, error:' + str(e)) except Exception as e: print('Error during remediation, error:' + str(e)) #endregion #region elb suborchestrator call if PolicyId in (elbv2_list): try: response = invokeLambda.invoke( FunctionName='cn-aws-remediate-elbv2', InvocationType='RequestResponse', Payload=json.dumps(event)) response = json.loads(response['Payload'].read()) print(response) except ClientError as e: print('Error during remediation, error:' + str(e)) except Exception as e: print('Error during remediation, error:' + str(e)) #endregion #region IAM sub-orchestrator call if PolicyId in (iam_list): try: response = invokeLambda.invoke( FunctionName='cn-aws-remediate-iam', InvocationType='RequestResponse', Payload=json.dumps(event)) response = json.loads(response['Payload'].read()) print(response) except ClientError as e: print('Error during remediation, error:' + str(e)) response = {'statusCode': 401, 'body': str(e)} except Exception as e: print('Error during remediation, error:' + str(e)) return {'statusCode': 401, 'body': str(e)} #endregion #region Kinesis sub-orchestrator call if PolicyId in (kinesis_list): try: response = invokeLambda.invoke( FunctionName='cn-aws-remediate-kinesis', InvocationType='RequestResponse', Payload=json.dumps(event)) response = json.loads(response['Payload'].read()) print(response) except ClientError as e: print('Error during remediation, error:' + str(e)) response = {'statusCode': 401, 'body': str(e)} except Exception as e: print('Error during remediation, error:' + str(e)) return {'statusCode': 401, 'body': str(e)} #endregion #region kms suborchestrator call if PolicyId in (kms_list): try: response = invokeLambda.invoke( FunctionName='cn-aws-remediate-kms', InvocationType='RequestResponse', Payload=json.dumps(event)) response = json.loads(response['Payload'].read()) print(response) except ClientError as e: print('Error during remediation, error:' + str(e)) except Exception as e: print('Error during remediation, error:' + str(e)) #endregion #region rds cluster suborchestrator call if PolicyId in (rds_cluster_list): try: response = invokeLambda.invoke( FunctionName='cn-aws-remediate-rdscluster', InvocationType='RequestResponse', Payload=json.dumps(event)) response = json.loads(response['Payload'].read()) print(response) except ClientError as e: print('Error during remediation, error:' + str(e)) except Exception as e: print('Error during remediation, error:' + str(e)) #endregion #region rds instance suborchestrator call if PolicyId in (rds_instance_list): try: response = invokeLambda.invoke( FunctionName='cn-aws-remediate-rdsinstance', InvocationType='RequestResponse', Payload=json.dumps(event)) response = json.loads(response['Payload'].read()) print(response) except ClientError as e: print('Error during remediation, error:' + str(e)) except Exception as e: print('Error during remediation, error:' + str(e)) #endregion #region Redshift sub-orchestrator call if PolicyId in (redshift_list): try: response = invokeLambda.invoke( FunctionName='cn-aws-remediate-redshift', InvocationType='RequestResponse', Payload=json.dumps(event)) response = json.loads(response['Payload'].read()) print(response) except ClientError as e: print('Error during remediation, error:' + str(e)) response = {'statusCode': 401, 'body': str(e)} except Exception as e: print('Error during remediation, error:' + str(e)) return {'statusCode': 401, 'body': str(e)} #endregion #region S3 sub-orchestrator call if PolicyId in str(s3_list): try: response = invokeLambda.invoke( FunctionName='cn-aws-remediate-s3-bucket', InvocationType='RequestResponse', Payload=json.dumps(event)) response = json.loads(response['Payload'].read()) print(response) except ClientError as e: print('Error during remediation, error:' + str(e)) response = {'statusCode': 401, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 401, 'body': str(e)} #endregion return {'statusCode': response['statusCode'], 'body': response['body']}
def lambda_handler(event, context): global aws_access_key_id, aws_secret_access_key, aws_session_token, CustAccID, Region try: PolicyId = json.loads(event["body"])["PolicyId"] except: PolicyId = '' pass if not PolicyId: print("Executing auto-remediation") try: # common code CustAccID, role_arn = common.getRoleArn_cwlogs(event) aws_access_key_id, aws_secret_access_key, aws_session_token = common.getCredentials( role_arn) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} try: Region = event["Region"] neptune_name = event["NeptuneInstanceName"] records_json = json.loads(event["policies"]) records = records_json["RemediationPolicies"] except: Region = "" try: # Establish a session with the portal neptune = boto3.client('neptune', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key, aws_session_token=aws_session_token, region_name=Region) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} if "NeptuneAutoMinorVersionUpgrade" in str(records): try: neptuneinstance_minorversionupgrade.run_remediation( neptune, neptune_name) print('remediated-' + neptune_name) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} if "NeptuneCpoyTagsToSnapshots" in str(records): try: neptuneinstance_copytagstosnapshot.run_remediation( neptune, neptune_name) print('remediated-' + neptune_name) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} if "NeptunePrivateAccess" in str(records): try: neptuneinstance_disable_public_access.run_remediation( neptune, neptune_name) print('remediated-' + neptune_name) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} #returning the output Array in json format return { 'statusCode': 200, 'body': json.dumps('remediated-' + neptune_name) } else: print("CN-portal triggered remediation") try: CustAccID, role_arn = common.getRoleArn(event) aws_access_key_id, aws_secret_access_key, aws_session_token = common.getCredentials( role_arn) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} try: Region_name = json.loads(event["body"])["Region"] Region = common.getRegionName(Region_name) neptune_name = json.loads(event["body"])["ResourceName"] except: Region = "" try: # Establish a session with the portal neptune = boto3.client('neptune', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key, aws_session_token=aws_session_token, region_name=Region) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} try: if PolicyId == "NeptuneAutoMinorVersionUpgrade": responseCode, output = neptuneinstance_minorversionupgrade.run_remediation( neptune, neptune_name) if PolicyId == "NeptuneCpoyTagsToSnapshots": responseCode, output = neptuneinstance_copytagstosnapshot.run_remediation( neptune, neptune_name) if PolicyId == "NeptunePrivateAccess": responseCode, output = neptuneinstance_disable_public_accessw.run_remediation( neptune, neptune_name) except ClientError as e: responseCode = 400 output = "Unable to remediate neptune: " + str(e) except Exception as e: responseCode = 400 output = "Unable to remediate neptune: " + str(e) # returning the output Array in json format return {'statusCode': responseCode, 'body': output}
def lambda_handler(event, context): global aws_access_key_id, aws_secret_access_key, aws_session_token, CustAccID, Region deletion_protection = [ "AppLBDeletionProtection", "NetworkLBDeletionProtection" ] try: PolicyId = json.loads(event["body"])["PolicyId"] except: PolicyId = '' pass if not PolicyId: print("Executing auto-remediation") try: # common code CustAccID, role_arn = common.getRoleArn_cwlogs(event) aws_access_key_id, aws_secret_access_key, aws_session_token = common.getCredentials( role_arn) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} try: Region = event["Region"] LoadBalancerArn = event["LoadBalancerArn"] records_json = json.loads(event["policies"]) records = records_json["RemediationPolicies"] except: Region = "" try: # Establish a session with the portal elbv2 = boto3.client('elbv2', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key, aws_session_token=aws_session_token, region_name=Region) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} if set(deletion_protection).intersection(set(records)): try: elbv2_deletionprotection.run_remediation( elbv2, LoadBalancerArn) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} print('remediated-' + LoadBalancerArn) #returning the output Array in json format return { 'statusCode': 200, 'body': json.dumps('remediated-' + LoadBalancerArn) } else: print("CN-portal triggered remediation") try: CustAccID, role_arn = common.getRoleArn(event) aws_access_key_id, aws_secret_access_key, aws_session_token = common.getCredentials( role_arn) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} try: Region_name = json.loads(event["body"])["Region"] Region = common.getRegionName(Region_name) LoadBalancerArn = json.loads(event["body"])["ResourceName"] except: Region = "" try: # Establish a session with the portal elbv2 = boto3.client('elbv2', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key, aws_session_token=aws_session_token, region_name=Region) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} try: if PolicyId in deletion_protection: responseCode, output = elbv2_deletionprotection.run_remediation( elbv2, LoadBalancerArn) except ClientError as e: responseCode = 400 output = "Unable to remediate load balancer: " + str(e) except Exception as e: responseCode = 400 output = "Unable to remediate load balancer: " + str(e) # returning the output Array in json format return {'statusCode': responseCode, 'body': output}
def lambda_handler(event, context): global aws_access_key_id, aws_secret_access_key, aws_session_token, CustAccID, Region try: PolicyId = json.loads(event["body"])["PolicyId"] except: PolicyId = '' pass if not PolicyId: print("Executing auto-remediation") try: # common code CustAccID, role_arn = common.getRoleArn_cwlogs(event) aws_access_key_id, aws_secret_access_key, aws_session_token = common.getCredentials(role_arn) except ClientError as e: print(e) return { 'statusCode': 400, 'body': str(e) } except Exception as e: print(e) return { 'statusCode': 400, 'body': str(e) } try: Region = event["Region"] EKSClusterName = event["EKSClusterName"] records_json = json.loads(event["policies"]) records = records_json["RemediationPolicies"] except: Region = "" try: # Establish a session with the portal eks = boto3.client('eks', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key,aws_session_token=aws_session_token,region_name=Region) except ClientError as e: print(e) return { 'statusCode': 400, 'body': str(e) } except Exception as e: print(e) return { 'statusCode': 400, 'body': str(e) } if "EKSClusterLogging" in str(records): try: eks_controlplanlogging.run_remediation(eks,EKSClusterName) except ClientError as e: print(e) return { 'statusCode': 400, 'body': str(e) } except Exception as e: print(e) return { 'statusCode': 400, 'body': str(e) } print('remediated-' + EKSClusterName) #returning the output Array in json format return { 'statusCode': 200, 'body': json.dumps('remediated-' + EKSClusterName) } else: print("CN-portal triggered remediation") try: CustAccID, role_arn = common.getRoleArn(event) aws_access_key_id, aws_secret_access_key, aws_session_token = common.getCredentials(role_arn) except ClientError as e: print(e) return { 'statusCode': 400, 'body': str(e) } except Exception as e: print(e) return { 'statusCode': 400, 'body': str(e) } try: Region_name = json.loads(event["body"])["Region"] Region = common.getRegionName(Region_name) EKSClusterName = json.loads(event["body"])["ResourceName"] except: Region = "" try: # Establish a session with the portal eks = boto3.client('eks', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key,aws_session_token=aws_session_token,region_name=Region) except ClientError as e: print(e) return { 'statusCode': 400, 'body': str(e) } except Exception as e: print(e) return { 'statusCode': 400, 'body': str(e) } try: if PolicyId == "EKSClusterLogging": responseCode,output = eks_controlplanlogging.run_remediation(eks,EKSClusterName) except ClientError as e: responseCode = 400 output = "Unable to remediate EKS Cluster: " + str(e) except Exception as e: responseCode = 400 output = "Unable to remediate EKS Cluster: " + str(e) # returning the output Array in json format return { 'statusCode': responseCode, 'body': output }
def lambda_handler(event, context): global aws_access_key_id, aws_secret_access_key, aws_session_token, CustAccID, Region try: PolicyId = json.loads(event["body"])["PolicyId"] except: PolicyId = '' pass if not PolicyId: print("Executing auto-remediation") try: # common code CustAccID, role_arn = common.getRoleArn_cwlogs(event) aws_access_key_id, aws_secret_access_key, aws_session_token = common.getCredentials(role_arn) except ClientError as e: print(e) return { 'statusCode': 400, 'body': str(e) } except Exception as e: print(e) return { 'statusCode': 400, 'body': str(e) } try: Region = event["Region"] ConfigRoleARN = event["ConfigRoleARN"] Name = event["Name"] records_json = json.loads(event["policies"]) records = records_json["RemediationPolicies"] except: Region = "" try: # Establish a session with the portal config = boto3.client('config', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key,aws_session_token=aws_session_token,region_name=Region) except ClientError as e: print(e) return { 'statusCode': 400, 'body': str(e) } except Exception as e: print(e) return { 'statusCode': 400, 'body': str(e) } if "ConfigCaptureGlobalResources" in str(records): try: config_include_global_resources.run_remediation(config,ConfigRoleARN,Name) print('remediated-' + Name) #returning the output Array in json format return { 'statusCode': 200, 'body': json.dumps('remediated-' + Name) } except ClientError as e: print(e) return { 'statusCode': 400, 'body': str(e) } except Exception as e: print(e) return { 'statusCode': 400, 'body': str(e) } else: print("CN-portal triggered remediation") try: CustAccID, role_arn = common.getRoleArn(event) aws_access_key_id, aws_secret_access_key, aws_session_token = common.getCredentials(role_arn) except ClientError as e: print(e) return { 'statusCode': 400, 'body': str(e) } except Exception as e: print(e) return { 'statusCode': 400, 'body': str(e) } try: Region_name = json.loads(event["body"])["Region"] Region = common.getRegionName(Region_name) ConfigRoleARN = '' Name = '' except: Region = "" try: # Establish a session with the portal config = boto3.client('config', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key,aws_session_token=aws_session_token,region_name=Region) except ClientError as e: print(e) return { 'statusCode': 400, 'body': str(e) } except Exception as e: print(e) return { 'statusCode': 400, 'body': str(e) } try: if PolicyId == "ConfigCaptureGlobalResources": responseCode,output = config_include_global_resources.run_remediation(config,ConfigRoleARN,Name) except ClientError as e: responseCode = 400 output = "Unable to remediate classic load balancer: " + str(e) except Exception as e: responseCode = 400 output = "Unable to remediate classic load balancer: " + str(e) # returning the output Array in json format return { 'statusCode': responseCode, 'body': output }
def lambda_handler(event, context): global aws_access_key_id, aws_secret_access_key, aws_session_token, CustAccID, Region auto_pause = [ "AuroraServerlessScalingAutoPause", "AuroraPostgresServerlessScalingAutoPause" ] backup_retention = [ "AuroraBackup", "AuroraBackupTerm", "AuroraServerlessBackupTerm", "AuroraPostgresServerlessBackupTerm" ] copytagstosnapshots = [ "AuroraCopyTagsToSnapshot", "AuroraServerlessCopyTagsToSnapshot", "AuroraPostgresServerlessCopyTagsToSnapshot" ] deletion_protection = [ "AuroraDeleteProtection", "AuroraServerlessDeleteProtection", "AuroraPostgresServerlessDeleteProtection" ] try: PolicyId = json.loads(event["body"])["PolicyId"] except: PolicyId = '' pass #region CW Call if not PolicyId: print("Executing auto-remediation") try: # common code CustAccID, role_arn = common.getRoleArn_cwlogs(event) aws_access_key_id, aws_secret_access_key, aws_session_token = common.getCredentials( role_arn) except ClientError as e: print("assume-role" + str(e)) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} try: Region = event["Region"] RDSClusterName = event["RDSClusterName"] records_json = json.loads(event["policies"]) records = records_json["RemediationPolicies"] except: Region = "" try: rds = boto3.client('rds', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key, aws_session_token=aws_session_token, region_name=Region) except ClientError as e: print("rds-client" + str(e)) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} if set(auto_pause).intersection(set(records)): try: rdscluster_autopause.run_remediation(rds, RDSClusterName) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} if set(backup_retention).intersection(set(records)): try: rdscluster_backupretention.run_remediation(rds, RDSClusterName) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} if set(copytagstosnapshots).intersection(set(records)): try: rdscluster_copytagstosnapshot.run_remediation( rds, RDSClusterName) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} if set(deletion_protection).intersection(set(records)): try: rdscluster_deletion_protection.run_remediation( rds, RDSClusterName) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} print('remediated-' + RDSClusterName) #returning the output Array in json format return { 'statusCode': 200, 'body': json.dumps('remediated-' + RDSClusterName) } #endregion #region Portal Call else: print("CN-portal triggered remediation") try: CustAccID, role_arn = common.getRoleArn(event) aws_access_key_id, aws_secret_access_key, aws_session_token = common.getCredentials( role_arn) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} try: Region_name = json.loads(event["body"])["Region"] Region = common.getRegionName(Region_name) RDSClusterName = json.loads(event["body"])["ResourceName"] except: Region = "" try: rds = boto3.client('rds', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key, aws_session_token=aws_session_token, region_name=Region) except ClientError as e: print(e) return {'statusCode': 400, 'body': str(e)} except Exception as e: print(e) return {'statusCode': 400, 'body': str(e)} try: if PolicyId in auto_pause: responseCode, output = rdscluster_autopause.run_remediation( rds, RDSClusterName) if PolicyId in backup_retention: responseCode, output = rdscluster_backupretention.run_remediation( rds, RDSClusterName) if PolicyId in copytagstosnapshots: responseCode, output = rdscluster_copytagstosnapshot.run_remediation( rds, RDSClusterName) if PolicyId in deletion_protection: responseCode, output = rdscluster_deletion_protection.run_remediation( rds, RDSClusterName) except ClientError as e: responseCode = 400 output = "Unable to remediate RDS cluster: " + str(e) except Exception as e: responseCode = 400 output = "Unable to remediate RDS cluster: " + str(e) # returning the output Array in json format return {'statusCode': responseCode, 'body': output}
def lambda_handler(event, context): global aws_access_key_id, aws_secret_access_key, aws_session_token, CustAccID, Region try: PolicyId = json.loads(event["body"])["PolicyId"] except: PolicyId = '' pass if not PolicyId: print("Executing auto-remediation") try: # common code CustAccID, role_arn = common.getRoleArn_cwlogs(event) aws_access_key_id, aws_secret_access_key, aws_session_token = common.getCredentials(role_arn) except ClientError as e: print(e) return { 'statusCode': 400, 'body': str(e) } except Exception as e: print(e) return { 'statusCode': 400, 'body': str(e) } try: Region = event["Region"] Instance_ID = event["InstanceID"] records_json = json.loads(event["policies"]) records = records_json["RemediationPolicies"] except: Region = "" try: # Establish a session with the portal ec2 = boto3.client('ec2', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key,aws_session_token=aws_session_token,region_name=Region) except ClientError as e: print(e) return { 'statusCode': 400, 'body': str(e) } except Exception as e: print(e) return { 'statusCode': 400, 'body': str(e) } if "EC2MonitoringState" in str(records): try: ec2_detailed_monitoring.run_remediation(ec2,Instance_ID) print('remediated-' + Instance_ID) except ClientError as e: print(e) return { 'statusCode': 400, 'body': str(e) } except Exception as e: print(e) return { 'statusCode': 400, 'body': str(e) } if "EC2TerminationProtection" in str(records): try: ec2_termination_protection.run_remediation(ec2,Instance_ID) print('remediated-' + Instance_ID) except ClientError as e: print(e) return { 'statusCode': 400, 'body': str(e) } except Exception as e: print(e) return { 'statusCode': 400, 'body': str(e) } #returning the output Array in json format return { 'statusCode': 200, 'body': json.dumps('remediated-' + Instance_ID) } else: print("CN-portal triggered remediation") try: CustAccID, role_arn = common.getRoleArn(event) aws_access_key_id, aws_secret_access_key, aws_session_token = common.getCredentials(role_arn) except ClientError as e: print(e) return { 'statusCode': 400, 'body': str(e) } except Exception as e: print(e) return { 'statusCode': 400, 'body': str(e) } try: Region_name = json.loads(event["body"])["Region"] Region = common.getRegionName(Region_name) Instance_ID = json.loads(event["body"])["ResourceName"] except: Region = "" try: # Establish a session with the portal ec2 = boto3.client('ec2', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key,aws_session_token=aws_session_token,region_name=Region) except ClientError as e: print(e) return { 'statusCode': 400, 'body': str(e) } except Exception as e: print(e) return { 'statusCode': 400, 'body': str(e) } try: if PolicyId == "EC2MonitoringState": responseCode,output = ec2_detailed_monitoring.run_remediation(ec2,Instance_ID) if PolicyId == "EC2TerminationProtection": responseCode,output = ec2_termination_protection.run_remediation(ec2,Instance_ID) except ClientError as e: responseCode = 400 output = "Unable to remediate classic load balancer: " + str(e) except Exception as e: responseCode = 400 output = "Unable to remediate classic load balancer: " + str(e) # returning the output Array in json format return { 'statusCode': responseCode, 'body': output }