def control_1_16_policy_attached_grp_roles():
    """CIS 1.16: IAM policies should be attached to groups or roles, not users.

    Walks every IAM user through the ``list_users`` paginator and records a
    user as an offender when it carries a directly attached managed policy or
    an inline policy. Direct user attachments bypass group/role based
    entitlement review, which is what this control is meant to surface.

    Returns:
        dict with the control id, scored flag, description, result, fail
        reason and offenders taken from the ``Control`` object.
    """
    cont = Control('1.16',
                   'Ensure IAM policies are attached only to groups or roles',
                   True)
    managed_reason = "Managed Policies attached directly to user."
    inline_reason = "Inline Policies are attached directly to user."

    paginator = IAM_CLIENT.get_paginator('list_users')
    for page in paginator.paginate():
        for user in page['Users']:
            if user is None:
                continue
            name = user['UserName']

            # Managed policies attached straight to the user (first page only;
            # a non-empty first page is enough to flag the user).
            managed = IAM_CLIENT.list_attached_user_policies(
                UserName=name)['AttachedPolicies']
            if managed:
                if managed_reason not in cont.fail_reason:
                    cont.fail_reason = managed_reason
                # Whether Control.offenders accumulates or keeps the last value
                # is defined by Control outside this file.
                cont.offenders = user['Arn'] + ":=> Managed policy"

            # Inline policies embedded in the user.
            inline = IAM_CLIENT.list_user_policies(UserName=name)['PolicyNames']
            if inline:
                if inline_reason not in cont.fail_reason:
                    cont.fail_reason = inline_reason
                cont.offenders = user['Arn'] + ":=> Inline policy"

    if not cont.offenders:
        cont.result = True

    return {
        'control_id': cont.id,
        'scored': cont.scored,
        'desc': cont.desc,
        'result': cont.result,
        'fail_reason': cont.fail_reason,
        'offenders': cont.offenders
    }
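def control_1_3_creds_unused_90_days():
    """CIS 1.3: credentials unused for 90 days or more must be disabled.

    Reads the module-level credential report (``CRED_REPORT``) and, for each
    row, measures the days between ``now`` and the last use of the console
    password and of each active access key (dates parsed with the module-level
    ``fmt``). A credential last used more than 90 days ago is recorded as an
    offender.

    The credential report fills date fields with placeholders such as 'N/A'
    for credentials that were never used (see control 1.4 in this file); those
    fail to parse and are skipped for that credential, as before. Only lookup
    and parse errors are swallowed now, instead of every exception.

    Returns:
        dict with the control id, scored flag, description, result, fail
        reason and offenders taken from the ``Control`` object.
    """
    cont = Control(
        "1.3", 'Ensure credentials unused for 90 days or greater are disabled',
        True)
    password_reason = 'Password unused more than 90 days.'
    key_reason = 'Access key unused more than 90 days.'

    def days_since(last_used):
        """Whole days between ``now`` and ``last_used``, both in ``fmt``."""
        return (datetime.strptime(now, fmt) -
                datetime.strptime(last_used, fmt)).days

    def record(reason, offender):
        """Set the fail reason once and record the offender."""
        if reason not in cont.fail_reason:
            cont.fail_reason = reason
        cont.offenders = offender

    for row in CRED_REPORT:
        # NOTE(review): an enabled credential that was never used ('N/A')
        # is skipped here rather than measured against its creation date;
        # confirm that is the intended reading of the control.
        try:
            if (row['password_enabled'] == 'true' and
                    days_since(row['password_last_used']) > 90):
                record(password_reason, row['arn'] + "=>:password")
        except (KeyError, ValueError, TypeError):
            pass

        for slot in ('1', '2'):
            active_field = 'access_key_' + slot + '_active'
            used_field = 'access_key_' + slot + '_last_used_date'
            try:
                if (row[active_field] == 'true' and
                        days_since(row[used_field]) > 90):
                    record(key_reason, row['arn'] + "=>:access_key_" + slot)
            except (KeyError, ValueError, TypeError):
                pass

    if not cont.offenders:
        cont.result = True

    return {
        'control_id': cont.id,
        'scored': cont.scored,
        'desc': cont.desc,
        'result': cont.result,
        'fail_reason': cont.fail_reason,
        'offenders': cont.offenders
    }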
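def control_3_13_log_metric_alarm_for_route_table_changes():
    """CIS 3.13: a metric filter and alarm must exist for route table changes.

    Passes the CloudTrail event patterns below to
    ``monitoring_common_function`` (defined elsewhere in this file) with the
    module-level ``cloudtrials`` and maps its integer result onto the
    Control's fail reason; any result other than 0-3 counts as a pass.

    Returns:
        dict with the control id, scored flag, description, result, fail
        reason and offenders taken from the ``Control`` object.
    """
    cont = Control(
        '3.13',
        'Ensure a log metric filter and alarm exist for route table changes',
        True)
    # Raw strings: the backslashes belong to the filter-pattern regexes and
    # must reach monitoring_common_function unchanged. The previous non-raw
    # literals only worked because Python kept unknown escapes such as '\$',
    # which raises a SyntaxWarning from 3.12. Runtime strings are unchanged.
    patterns = [
        r'\$\.eventName\s*=\s*"?CreateRoute("|\)|\s)',
        r'\$\.eventName\s*=\s*"?CreateRouteTable("|\)|\s)',
        r'\$\.eventName\s*=\s*"?ReplaceRoute("|\)|\s)',
        r'\$\.eventName\s*=\s*"?ReplaceRouteTableAssociation("|\)|\s)',
        r'\$\.eventName\s*=\s*"?DeleteRouteTable("|\)|\s)',
        r'\$\.eventName\s*=\s*"?DeleteRoute("|\)|\s)',
        r'\$\.eventName\s*=\s*"?DisassociateRouteTable("|\)|\s)',
    ]
    res = monitoring_common_function(patterns, cloudtrials)

    failures = {
        0: 'No trail found',
        1: 'No metric filter found from Log group',
        2: 'Pattern not found in the metric filter',
        3: 'No alarm is found for the metric filter',
    }
    if res in failures:
        cont.fail_reason = failures[res]
        # Only the pattern-mismatch result records an offender (kept as
        # before); the other failure codes leave offenders empty.
        if res == 2:
            cont.offenders = 'No alarm exist for Route table changes'
    else:
        cont.result = True

    return {
        'control_id': cont.id,
        'scored': cont.scored,
        'desc': cont.desc,
        'result': cont.result,
        'fail_reason': cont.fail_reason,
        'offenders': cont.offenders
    }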
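def control_3_12_log_metric_alarm_for_network_gateway_changes():
    """CIS 3.12: a metric filter and alarm must exist for network gateway changes.

    Passes the CloudTrail event patterns below to
    ``monitoring_common_function`` (defined elsewhere in this file) with the
    module-level ``cloudtrials`` and maps its integer result onto the
    Control's fail reason; any result other than 0-3 counts as a pass.

    Returns:
        dict with the control id, scored flag, description, result, fail
        reason and offenders taken from the ``Control`` object.
    """
    cont = Control(
        '3.12',
        'Ensure a log metric filter and alarm exist for changes to network gateways',
        True)
    # Raw strings keep the regex backslashes intact without relying on
    # Python preserving unknown escapes (SyntaxWarning from 3.12); the
    # runtime strings are identical to the previous literals.
    patterns = [
        r'\$\.eventName\s*=\s*"?CreateCustomerGateway("|\)|\s)',
        r'\$\.eventName\s*=\s*"?DeleteCustomerGateway("|\)|\s)',
        r'\$\.eventName\s*=\s*"?AttachInternetGateway("|\)|\s)',
        r'\$\.eventName\s*=\s*"?CreateInternetGateway("|\)|\s)',
        r'\$\.eventName\s*=\s*"?DeleteInternetGateway("|\)|\s)',
        r'\$\.eventName\s*=\s*"?DetachInternetGateway("|\)|\s)',
    ]
    res = monitoring_common_function(patterns, cloudtrials)

    failures = {
        0: 'No trail found',
        1: 'No metric filter found from Log group',
        2: 'Pattern not found in the metric filter',
        3: 'No alarm is found for the metric filter',
    }
    if res in failures:
        cont.fail_reason = failures[res]
        # Only the pattern-mismatch result records an offender (kept as
        # before); the other failure codes leave offenders empty.
        if res == 2:
            cont.offenders = 'No alarm exist for Network Gateway changes'
    else:
        cont.result = True

    return {
        'control_id': cont.id,
        'scored': cont.scored,
        'desc': cont.desc,
        'result': cont.result,
        'fail_reason': cont.fail_reason,
        'offenders': cont.offenders
    }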
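def control_3_11_log_metric_alarm_for_NACL_changes():
    """CIS 3.11: a metric filter and alarm must exist for NACL changes.

    Passes the CloudTrail event patterns below to
    ``monitoring_common_function`` (defined elsewhere in this file) with the
    module-level ``cloudtrials`` and maps its integer result onto the
    Control's fail reason; any result other than 0-3 counts as a pass.

    Returns:
        dict with the control id, scored flag, description, result, fail
        reason and offenders taken from the ``Control`` object.
    """
    cont = Control(
        '3.11',
        'Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)',
        True)
    # Raw strings keep the regex backslashes intact without relying on
    # Python preserving unknown escapes (SyntaxWarning from 3.12); the
    # runtime strings are identical to the previous literals.
    patterns = [
        r'\$\.eventName\s*=\s*"?CreateNetworkAcl("|\)|\s)',
        r'\$\.eventName\s*=\s*"?CreateNetworkAclEntry("|\)|\s)',
        r'\$\.eventName\s*=\s*"?DeleteNetworkAcl("|\)|\s)',
        r'\$\.eventName\s*=\s*"?DeleteNetworkAclEntry("|\)|\s)',
        r'\$\.eventName\s*=\s*"?ReplaceNetworkAclEntry("|\)|\s)',
        r'\$\.eventName\s*=\s*"?ReplaceNetworkAclAssociation("|\)|\s)',
    ]
    res = monitoring_common_function(patterns, cloudtrials)

    failures = {
        0: 'No trail found',
        1: 'No metric filter found from Log group',
        2: 'Pattern not found in the metric filter',
        3: 'No alarm is found for the metric filter',
    }
    if res in failures:
        cont.fail_reason = failures[res]
        # Only the pattern-mismatch result records an offender (kept as
        # before); the other failure codes leave offenders empty.
        if res == 2:
            cont.offenders = 'No alarm exist for Network Access Control Lists (NACL) changes'
    else:
        cont.result = True

    return {
        'control_id': cont.id,
        'scored': cont.scored,
        'desc': cont.desc,
        'result': cont.result,
        'fail_reason': cont.fail_reason,
        'offenders': cont.offenders
    }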
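def control_3_10_log_metric_alarm_for_security_group_changes():
    """CIS 3.10: a metric filter and alarm must exist for security group changes.

    Passes the CloudTrail event patterns below to
    ``monitoring_common_function`` (defined elsewhere in this file) with the
    module-level ``cloudtrials`` and maps its integer result onto the
    Control's fail reason; any result other than 0-3 counts as a pass.

    Returns:
        dict with the control id, scored flag, description, result, fail
        reason and offenders taken from the ``Control`` object.
    """
    cont = Control(
        '3.10',
        'Ensure a log metric filter and alarm exist for security group changes',
        True)
    # Raw strings keep the regex backslashes intact without relying on
    # Python preserving unknown escapes (SyntaxWarning from 3.12); the
    # runtime strings are identical to the previous literals.
    patterns = [
        r'\$\.eventName\s*=\s*"?AuthorizeSecurityGroupIngress("|\)|\s)',
        r'\$\.eventName\s*=\s*"?AuthorizeSecurityGroupEgress("|\)|\s)',
        r'\$\.eventName\s*=\s*"?RevokeSecurityGroupIngress("|\)|\s)',
        r'\$\.eventName\s*=\s*"?RevokeSecurityGroupEgress("|\)|\s)',
        r'\$\.eventName\s*=\s*"?CreateSecurityGroup("|\)|\s)',
        r'\$\.eventName\s*=\s*"?DeleteSecurityGroup("|\)|\s)',
    ]
    res = monitoring_common_function(patterns, cloudtrials)

    failures = {
        0: 'No trail found',
        1: 'No metric filter found from Log group',
        2: 'Pattern not found in the metric filter',
        3: 'No alarm is found for the metric filter',
    }
    if res in failures:
        cont.fail_reason = failures[res]
        # Only the pattern-mismatch result records an offender (kept as
        # before); the other failure codes leave offenders empty.
        if res == 2:
            cont.offenders = 'No alarm exist for Security group changes'
    else:
        cont.result = True

    return {
        'control_id': cont.id,
        'scored': cont.scored,
        'desc': cont.desc,
        'result': cont.result,
        'fail_reason': cont.fail_reason,
        'offenders': cont.offenders
    }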
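def control_3_9_log_metric_alarm_for_awsconfig_config_changes():
    """CIS 3.9: a metric filter and alarm must exist for AWS Config changes.

    Passes the CloudTrail event patterns below to
    ``monitoring_common_function`` (defined elsewhere in this file) with the
    module-level ``cloudtrials`` and maps its integer result onto the
    Control's fail reason; any result other than 0-3 counts as a pass.

    Returns:
        dict with the control id, scored flag, description, result, fail
        reason and offenders taken from the ``Control`` object.
    """
    cont = Control(
        '3.9',
        'Ensure a log metric filter and alarm exist for AWS Config configuration changes',
        True)
    # Raw strings keep the regex backslashes intact without relying on
    # Python preserving unknown escapes (SyntaxWarning from 3.12); the
    # runtime strings are identical to the previous literals.
    patterns = [
        r'\$\.eventSource\s*=\s*"?config\.amazonaws\.com("|\)|\s)',
        r'\$\.eventName\s*=\s*"?StopConfigurationRecorder("|\)|\s)',
        r'\$\.eventName\s*=\s*"?DeleteDeliveryChannel("|\)|\s)',
        r'\$\.eventName\s*=\s*"?PutDeliveryChannel("|\)|\s)',
        r'\$\.eventName\s*=\s*"?PutConfigurationRecorder("|\)|\s)',
    ]
    res = monitoring_common_function(patterns, cloudtrials)

    failures = {
        0: 'No trail found',
        1: 'No metric filter found from Log group',
        2: 'Pattern not found in the metric filter',
        3: 'No alarm is found for the metric filter',
    }
    if res in failures:
        cont.fail_reason = failures[res]
        # Only the pattern-mismatch result records an offender (kept as
        # before); the other failure codes leave offenders empty.
        if res == 2:
            cont.offenders = 'No alarm exist for AWSConfig configuration changes'
    else:
        cont.result = True

    return {
        'control_id': cont.id,
        'scored': cont.scored,
        'desc': cont.desc,
        'result': cont.result,
        'fail_reason': cont.fail_reason,
        'offenders': cont.offenders
    }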
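def control_3_7_log_metric_alarm_for_disable_deletion_CMK():
    """CIS 3.7: a metric filter and alarm must exist for CMK disable/deletion.

    Passes the CloudTrail event patterns below to
    ``monitoring_common_function`` (defined elsewhere in this file) with the
    module-level ``cloudtrials`` and maps its integer result onto the
    Control's fail reason; any result other than 0-3 counts as a pass.

    Returns:
        dict with the control id, scored flag, description, result, fail
        reason and offenders taken from the ``Control`` object.
    """
    cont = Control(
        '3.7',
        'Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs',
        True)
    # Raw strings keep the regex backslashes intact without relying on
    # Python preserving unknown escapes (SyntaxWarning from 3.12); the
    # runtime strings are identical to the previous literals.
    patterns = [
        r'\$\.eventSource\s*=\s*"?kms\.amazonaws\.com("|\)|\s)',
        r'\$\.eventName\s*=\s*"?DisableKey("|\)|\s)',
        r'\$\.eventName\s*=\s*"?ScheduleKeyDeletion("|\)|\s)',
    ]
    res = monitoring_common_function(patterns, cloudtrials)

    failures = {
        0: 'No trail found',
        1: 'No metric filter found from Log group',
        2: 'Pattern not found in the metric filter',
        3: 'No alarm is found for the metric filter',
    }
    if res in failures:
        cont.fail_reason = failures[res]
        # Only the pattern-mismatch result records an offender (kept as
        # before); the other failure codes leave offenders empty.
        if res == 2:
            cont.offenders = 'No alarm exist for disabling or scheduled deletion of Customer Managed keys'
    else:
        cont.result = True

    return {
        'control_id': cont.id,
        'scored': cont.scored,
        'desc': cont.desc,
        'result': cont.result,
        'fail_reason': cont.fail_reason,
        'offenders': cont.offenders
    }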
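def control_3_6_log_metric_alarm_for_aws_console_auth_failures():
    """CIS 3.6: a metric filter and alarm must exist for console auth failures.

    Passes the CloudTrail event patterns below to
    ``monitoring_common_function`` (defined elsewhere in this file) with the
    module-level ``cloudtrials`` and maps its integer result onto the
    Control's fail reason; any result other than 0-3 counts as a pass.

    Returns:
        dict with the control id, scored flag, description, result, fail
        reason and offenders taken from the ``Control`` object.
    """
    cont = Control(
        '3.6',
        'Ensure a log metric filter and alarm exist for AWS Management Console authentication failures',
        True)
    # Raw strings keep the regex backslashes intact without relying on
    # Python preserving unknown escapes (SyntaxWarning from 3.12); the
    # runtime strings are identical to the previous literals.
    patterns = [
        r'\$\.eventName\s*=\s*"?ConsoleLogin("|\)|\s)',
        r'\$\.errorMessage\s*=\s*"?Failed authentication("|\)|\s)',
    ]
    res = monitoring_common_function(patterns, cloudtrials)

    failures = {
        0: 'No trail found',
        1: 'No metric filter found from Log group',
        2: 'Pattern not found in the metric filter',
        3: 'No alarm is found for the metric filter',
    }
    if res in failures:
        cont.fail_reason = failures[res]
        # Only the pattern-mismatch result records an offender (kept as
        # before); the other failure codes leave offenders empty.
        if res == 2:
            cont.offenders = 'No alarm exist for AWS Console authentication failures'
    else:
        cont.result = True

    return {
        'control_id': cont.id,
        'scored': cont.scored,
        'desc': cont.desc,
        'result': cont.result,
        'fail_reason': cont.fail_reason,
        'offenders': cont.offenders
    }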
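def control_3_5_log_metric_alarm_for_cloudtrail_config_changes():
    """CIS 3.5: a metric filter and alarm must exist for CloudTrail config changes.

    Passes the CloudTrail event patterns below to
    ``monitoring_common_function`` (defined elsewhere in this file) with the
    module-level ``cloudtrials`` and maps its integer result onto the
    Control's fail reason; any result other than 0-3 counts as a pass.

    Returns:
        dict with the control id, scored flag, description, result, fail
        reason and offenders taken from the ``Control`` object.
    """
    cont = Control(
        '3.5',
        'Ensure a log metric filter and alarm exist for CloudTrail configuration changes',
        True)
    # Raw strings keep the regex backslashes intact without relying on
    # Python preserving unknown escapes (SyntaxWarning from 3.12); the
    # runtime strings are identical to the previous literals.
    patterns = [
        r'\$\.eventName\s*=\s*"?CreateTrail("|\)|\s)',
        r'\$\.eventName\s*=\s*"?UpdateTrail("|\)|\s)',
        r'\$\.eventName\s*=\s*"?DeleteTrail("|\)|\s)',
        r'\$\.eventName\s*=\s*"?StartLogging("|\)|\s)',
        r'\$\.eventName\s*=\s*"?StopLogging("|\)|\s)',
    ]
    res = monitoring_common_function(patterns, cloudtrials)

    failures = {
        0: 'No trail found',
        1: 'No metric filter found from Log group',
        2: 'Pattern not found in the metric filter',
        3: 'No alarm is found for the metric filter',
    }
    if res in failures:
        cont.fail_reason = failures[res]
        # Only the pattern-mismatch result records an offender (kept as
        # before); the other failure codes leave offenders empty.
        if res == 2:
            cont.offenders = 'No alarm exist for Cloudtrail configuration changes'
    else:
        cont.result = True

    return {
        'control_id': cont.id,
        'scored': cont.scored,
        'desc': cont.desc,
        'result': cont.result,
        'fail_reason': cont.fail_reason,
        'offenders': cont.offenders
    }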
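def control_1_21_intial_access_keys_setup():
    """CIS 1.21: access keys must not be created during initial user setup.

    Walks every IAM user through the ``list_users`` paginator and compares the
    ``CreateDate`` of each access key with the user's own ``CreateDate``; a
    key created together with the user profile is recorded as an offender.

    Bug fix: the previous code compared the key's CreateDate with itself,
    which is always true, so every user owning any access key was flagged.

    NOTE(review): the comparison is exact datetime equality; a key created
    moments after the user would not be caught - consider a tolerance. The
    "users that have a console password" part of the description is not
    checked here (no login-profile lookup), as before.

    Returns:
        dict with the control id, scored flag, description, result, fail
        reason and offenders taken from the ``Control`` object.
    """
    cont = Control(
        '1.21',
        'Do not setup access keys during initial user setup for all IAM users that have a console password',
        False)
    reason = 'Keys that were created at the same time as the user profile'

    paginator = IAM_CLIENT.get_paginator('list_users')
    for page in paginator.paginate():
        for user in page['Users']:
            keys = IAM_CLIENT.list_access_keys(
                UserName=user['UserName'])['AccessKeyMetadata']
            for key in keys:
                if key['CreateDate'] != user['CreateDate']:
                    continue
                if reason not in cont.fail_reason:
                    cont.fail_reason = reason
                cont.offenders = user['UserName']

    if not cont.offenders:
        cont.result = True

    return {
        'control_id': cont.id,
        'scored': cont.scored,
        'desc': cont.desc,
        'result': cont.result,
        'fail_reason': cont.fail_reason,
        'offenders': cont.offenders
    }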
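def control_3_2_log_metric_alarm_for_signin_without_MFA():
    """CIS 3.2: a metric filter and alarm must exist for console sign-in without MFA.

    Passes the CloudTrail event patterns below to
    ``monitoring_common_function`` (defined elsewhere in this file) with the
    module-level ``cloudtrials`` and maps its integer result onto the
    Control's fail reason; any result other than 0-3 counts as a pass.

    Returns:
        dict with the control id, scored flag, description, result, fail
        reason and offenders taken from the ``Control`` object.
    """
    cont = Control(
        '3.2',
        'Ensure a log metric filter and alarm exist for Management Console sign-in without MFA',
        True)
    # Raw strings keep the regex backslashes intact without relying on
    # Python preserving unknown escapes (SyntaxWarning from 3.12); the
    # runtime strings are identical to the previous literals.
    patterns = [
        r'\$\.eventName\s*=\s*"?ConsoleLogin("|\)|\s)',
        r'\$\.additionalEventData\.MFAUsed\s*\!=\s*"?Yes',
    ]
    res = monitoring_common_function(patterns, cloudtrials)

    failures = {
        0: 'No trail found',
        1: 'No metric filter found from Log group',
        2: 'Pattern not found in the metric filter',
        3: 'No alarm is found for the metric filter',
    }
    if res in failures:
        cont.fail_reason = failures[res]
        # Only the pattern-mismatch result records an offender (kept as
        # before); the other failure codes leave offenders empty.
        if res == 2:
            cont.offenders = 'No alarm exist for Sign-in without MFA'
    else:
        cont.result = True

    return {
        'control_id': cont.id,
        'scored': cont.scored,
        'desc': cont.desc,
        'result': cont.result,
        'fail_reason': cont.fail_reason,
        'offenders': cont.offenders
    }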
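def control_4_4_vpc_peering_least_access():
    """CIS 4.4: routes towards VPC peering connections should be "least access".

    Walks every route table through the ``describe_route_tables`` paginator
    and records a table as an offender when one of its routes points at a
    ``VpcPeeringConnectionId`` with an IPv4 destination wider than /24.

    Changes from the previous version: routes without a
    ``DestinationCidrBlock`` (IPv6 or prefix-list destinations) are skipped
    instead of raising KeyError, and every offending table is recorded, in
    line with controls 4.2/4.3, rather than only the first one.

    Returns:
        dict with the control id, scored flag, description, result, fail
        reason and offenders taken from the ``Control`` object.
    """
    cont = Control('4.4',
                   'Ensure routing tables for VPC peering are "least access',
                   False)
    reason = 'Large CIDR block routed to peer discovered'

    paginator = EC2_CLIENT.get_paginator('describe_route_tables')
    for page in paginator.paginate():
        for table in page['RouteTables']:
            for route in table['Routes']:
                if 'VpcPeeringConnectionId' not in route:
                    continue
                cidr = route.get('DestinationCidrBlock')
                if not cidr:
                    # Not an IPv4 CIDR destination; not assessed by this control.
                    continue
                _, sep, bits = str(cidr).rpartition('/')
                if not sep:
                    continue
                # Prefix shorter than /24 exposes a larger address range to the peer.
                if int(bits) < 24:
                    if not cont.fail_reason:
                        cont.fail_reason = reason
                    cont.offenders = table['RouteTableId']

    if not cont.offenders:
        cont.result = True

    return {
        'control_id': cont.id,
        'scored': cont.scored,
        'desc': cont.desc,
        'result': cont.result,
        'fail_reason': cont.fail_reason,
        'offenders': cont.offenders
    }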
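def control_3_3_log_metric_alarm_for_usage_root_account():
    """CIS 3.3: a metric filter and alarm must exist for usage of the root account.

    Passes the CloudTrail event patterns below to
    ``monitoring_common_function`` (defined elsewhere in this file) with the
    module-level ``cloudtrials`` and maps its integer result onto the
    Control's fail reason; any result other than 0-3 counts as a pass.

    Returns:
        dict with the control id, scored flag, description, result, fail
        reason and offenders taken from the ``Control`` object.
    """
    cont = Control(
        '3.3',
        'Ensure a log metric filter and alarm exist for usage of "root" account',
        True)
    # Raw strings keep the regex backslashes intact without relying on
    # Python preserving unknown escapes (SyntaxWarning from 3.12); the
    # runtime strings are identical to the previous literals.
    patterns = [
        r'\$\.userIdentity\.type\s*=\s*"?Root',
        r'\$\.userIdentity\.invokedBy\s*NOT\s*EXISTS',
        r'\$\.eventType\s*\!=\s*"?AwsServiceEvent("|\)|\s)',
    ]
    res = monitoring_common_function(patterns, cloudtrials)

    failures = {
        0: 'No trail found',
        1: 'No metric filter found from Log group',
        2: 'Pattern not found in the metric filter',
        3: 'No alarm is found for the metric filter',
    }
    if res in failures:
        cont.fail_reason = failures[res]
        # Only the pattern-mismatch result records an offender (kept as
        # before); the other failure codes leave offenders empty.
        if res == 2:
            cont.offenders = 'No alarm exist for usage of root account'
    else:
        cont.result = True

    return {
        'control_id': cont.id,
        'scored': cont.scored,
        'desc': cont.desc,
        'result': cont.result,
        'fail_reason': cont.fail_reason,
        'offenders': cont.offenders
    }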
def control_2_6_s3_logging_enabled_cts3_bucket():
    """CIS 2.6: the CloudTrail S3 bucket must have server access logging enabled.

    For every trail in the module-level ``cloudtrial_describe_trails``, asks
    S3 for the bucket's logging configuration and records the trail/bucket
    pair as an offender when no ``LoggingEnabled`` block is present. Access
    logs on the log bucket are what lets reads of the audit trail be audited.

    Returns:
        dict with the control id, scored flag, description, result, fail
        reason and offenders taken from the ``Control`` object.
    """
    cont = Control(
        '2.6',
        'Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket',
        True)
    reason = 'CloudTrail Bucket logging is not enabled'

    for trail in cloudtrial_describe_trails:
        bucket = trail['S3BucketName']
        logging_cfg = S3_CLIENT.get_bucket_logging(Bucket=bucket)
        if 'LoggingEnabled' in logging_cfg:
            continue
        if reason not in cont.fail_reason:
            cont.fail_reason = reason
        cont.offenders = trail['Name'] + ' => ' + bucket

    if not cont.offenders:
        cont.result = True

    return {
        'control_id': cont.id,
        'scored': cont.scored,
        'desc': cont.desc,
        'result': cont.result,
        'fail_reason': cont.fail_reason,
        'offenders': cont.offenders
    }
def control_4_3_security_group_vpc_restricts():
    """CIS 4.3: the default security group of every VPC must restrict all traffic.

    Pages through the security groups named ``default`` and records every
    group that still has any ingress or egress rule; an empty rule set is
    the compliant state.

    Returns:
        dict with the control id, scored flag, description, result, fail
        reason and offenders taken from the ``Control`` object.
    """
    cont = Control(
        '4.3',
        'Ensure the default security group of every VPC restricts all traffic',
        True)
    reason = 'Default security groups with ingress or egress rules discovered'
    default_only = [{'Name': 'group-name', 'Values': ['default']}]

    paginator = EC2_CLIENT.get_paginator('describe_security_groups')
    for page in paginator.paginate(Filters=default_only):
        for group in page['SecurityGroups']:
            rule_count = (len(group['IpPermissions']) +
                          len(group['IpPermissionsEgress']))
            if rule_count == 0:
                continue
            if not cont.fail_reason:
                cont.fail_reason = reason
            cont.offenders = group['GroupId']

    if not cont.offenders:
        cont.result = True

    return {
        'control_id': cont.id,
        'scored': cont.scored,
        'desc': cont.desc,
        'result': cont.result,
        'fail_reason': cont.fail_reason,
        'offenders': cont.offenders
    }
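def control_1_4_access_key_rotated():
    """CIS 1.4: access keys must be rotated every 90 days or less.

    Reads the module-level credential report (``CRED_REPORT``) and, for each
    row, checks access keys 1 and 2: an active key whose last-used date is
    'N/A' (never used) or more than 90 days before ``now`` (module-level,
    parsed with ``fmt``) is recorded as an offender.

    Bug fix: the access-key-2 branch previously read the key-1 'N/A' marker
    and reported ``access_key_1`` as the offender.

    NOTE(review): the check measures ``access_key_N_last_used_date`` although
    the control is about rotation; the credential report also carries a
    ``access_key_N_last_rotated`` field - confirm which one is intended.

    Returns:
        dict with the control id, scored flag, description, result, fail
        reason and offenders taken from the ``Control`` object.
    """
    cont = Control('1.4',
                   'Ensure access keys are rotated every 90 days or less',
                   True)
    reason = 'Access key unused more than 90 days.'

    def check_key(row, slot):
        """Record access key ``slot`` ('1' or '2') of ``row`` when active and stale."""
        if row['access_key_' + slot + '_active'] != 'true':
            return
        last_used = row['access_key_' + slot + '_last_used_date']
        # 'N/A' marks a never-used key; it cannot be parsed and is reported
        # as stale outright.
        if last_used != 'N/A':
            age = (datetime.strptime(now, fmt) -
                   datetime.strptime(last_used, fmt))
            if age.days <= 90:
                return
        if reason not in cont.fail_reason:
            cont.fail_reason = reason
        cont.offenders = row['arn'] + "=>:access_key_" + slot

    for row in CRED_REPORT:
        check_key(row, '1')
        check_key(row, '2')

    if not cont.offenders:
        cont.result = True

    return {
        'control_id': cont.id,
        'scored': cont.scored,
        'desc': cont.desc,
        'result': cont.result,
        'fail_reason': cont.fail_reason,
        'offenders': cont.offenders
    }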
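def control_2_5_aws_config_enabled_all_regions():
    """CIS 2.5: AWS Config must be enabled with full resource coverage.

    Lists the configuration recorders of ``CONFIG_SERVICE_CLIENT``, keeps
    those whose recording group has ``allSupported`` and
    ``includeGlobalResourceTypes`` set, and then requires at least one of
    them to be recording with a last status of 'Success'.

    Bug fix: a recorder with full scope that was not actually recording (or
    whose last delivery failed) previously still produced ``result=True``
    because the scope flag alone decided the result; the status message was
    written and then ignored. The unreachable 'No Configservice recorders
    found' message (always overwritten) was dropped.

    NOTE(review): the client is bound to one region, so "all regions" is
    not verified here - confirm the caller iterates regions.

    Returns:
        dict with the control id, scored flag, description, result, fail
        reason and offenders taken from the ``Control`` object.
    """
    cont = Control('2.5', 'Ensure AWS Config is enabled in all regions', True)

    recorders = CONFIG_SERVICE_CLIENT.describe_configuration_recorders(
    )['ConfigurationRecorders']
    full_scope = [
        rec['name'] for rec in recorders
        if rec['recordingGroup']['allSupported'] is True
        and rec['recordingGroup']['includeGlobalResourceTypes'] is True
    ]

    if not full_scope:
        cont.fail_reason = 'The Recording group does not suport all regions and resources'
        cont.offenders = 'Configuration Recorders'
    else:
        statuses = CONFIG_SERVICE_CLIENT.describe_configuration_recorder_status(
            ConfigurationRecorderNames=full_scope
        )['ConfigurationRecordersStatus']
        healthy = any(
            status['recording'] is True and status['lastStatus'] == 'Success'
            for status in statuses)
        if healthy:
            cont.result = True
        else:
            cont.fail_reason = 'No recorders is recording or and State is not success'
            cont.offenders = 'Configuration Recorders'

    return {
        'control_id': cont.id,
        'scored': cont.scored,
        'desc': cont.desc,
        'result': cont.result,
        'fail_reason': cont.fail_reason,
        'offenders': cont.offenders
    }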
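def control_2_3_cloudtrail_s3_not_public_accessable():
    """CIS 2.3: the S3 bucket holding CloudTrail logs must not be public.

    For every trail in the module-level ``cloudtrial_describe_trails`` the
    bucket ACL and the bucket policy are inspected:

    * an ACL grant to the AllUsers or AuthenticatedUsers group is public;
    * an ``Allow`` statement whose principal is ``"*"`` or ``{"AWS": "*"}``
      is public.

    Bug fixes: the grantee URI lives under ``grant['Grantee']``, so the
    previous top-level ``'URI' in grant`` test never matched and the ACL
    check was silently dead; the policy test treated any ``AWS`` principal
    (e.g. a single account role) as public; and a bucket without a policy
    raised ``NoSuchBucketPolicy`` and aborted the whole control.

    NOTE(review): policy ``Condition`` blocks are not evaluated, so a
    wildcard principal restricted by condition is still reported.

    Returns:
        dict with the control id, scored flag, description, result, fail
        reason and offenders taken from the ``Control`` object.
    """
    cont = Control(
        '2.3',
        'Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible',
        True)
    public_grantees = (
        'http://acs.amazonaws.com/groups/global/AuthenticatedUsers',
        'http://acs.amazonaws.com/groups/global/AllUsers',
    )
    acl_reason = 'All Users or Authenticated Users are granted privelge to the bucket'
    policy_reason = 'Bucket policy is set for Public access'

    def record(reason, bucket):
        """Set the fail reason once and record the bucket as offender."""
        if reason not in cont.fail_reason:
            cont.fail_reason = reason
        cont.offenders = bucket

    def principal_is_public(principal):
        """True for ``"*"`` or an ``AWS`` entry that is / contains ``"*"``."""
        if principal == '*':
            return True
        if not isinstance(principal, dict):
            return False
        aws = principal.get('AWS')
        if isinstance(aws, list):
            return '*' in aws
        return aws == '*'

    for trail in cloudtrial_describe_trails:
        bucket = trail['S3BucketName']

        grants = S3_CLIENT.get_bucket_acl(Bucket=bucket)['Grants']
        for grant in grants:
            if grant.get('Grantee', {}).get('URI') in public_grantees:
                record(acl_reason, bucket)

        try:
            policy_doc = S3_CLIENT.get_bucket_policy(Bucket=bucket)['Policy']
        except S3_CLIENT.exceptions.ClientError as err:
            if err.response['Error']['Code'] != 'NoSuchBucketPolicy':
                raise
            continue
        statements = loads(policy_doc)['Statement']
        if isinstance(statements, dict):
            # A policy may carry a single statement object instead of a list.
            statements = [statements]
        for statement in statements:
            if (statement.get('Effect') == 'Allow' and
                    principal_is_public(statement.get('Principal'))):
                record(policy_reason, bucket)

    if not cont.offenders:
        cont.result = True

    return {
        'control_id': cont.id,
        'scored': cont.scored,
        'desc': cont.desc,
        'result': cont.result,
        'fail_reason': cont.fail_reason,
        'offenders': cont.offenders
    }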
def control_2_2_cloudtrail_log_file_validation():
    """CIS 2.2: CloudTrail log file validation must be enabled.

    Fails outright when the module-level ``cloudtrial_describe_trails`` is
    empty; otherwise records every trail whose
    ``LogFileValidationEnabled`` is False. Validation digests are what
    allow tampering with delivered log files to be detected.

    Returns:
        dict with the control id, scored flag, description, result, fail
        reason and offenders taken from the ``Control`` object.
    """
    cont = Control('2.2', 'Ensure CloudTrail log file validation is enabled',
                   True)
    reason = 'Logfile Validation is not enabled'

    if not cloudtrial_describe_trails:
        cont.fail_reason = 'CloudTrail is not created'
        cont.offenders = 'CloudTrail is not created'

    # No-op when there are no trails, so the branch above is not repeated.
    for trail in cloudtrial_describe_trails:
        if trail['LogFileValidationEnabled'] is not False:
            continue
        if reason not in cont.fail_reason:
            cont.fail_reason = reason
        cont.offenders = trail['TrailARN']

    if not cont.offenders:
        cont.result = True

    return {
        'control_id': cont.id,
        'scored': cont.scored,
        'desc': cont.desc,
        'result': cont.result,
        'fail_reason': cont.fail_reason,
        'offenders': cont.offenders
    }
def control_1_17_current_contact_details():
    """CIS 1.17: keep the account's contact details current.

    This control queries no API: it reports ``result=None`` (neither pass nor
    fail) and directs the reviewer to check the console manually.

    Returns:
        dict with the control id, scored flag, description, result, fail
        reason and offenders taken from the ``Control`` object.
    """
    cont = Control('1.17', 'Maintain current contact details', False)
    cont.result = None
    cont.fail_reason = 'No API available to perform this action'
    cont.offenders = 'Check manually in AWS console'

    report = {
        'control_id': cont.id,
        'scored': cont.scored,
        'desc': cont.desc,
    }
    report['result'] = cont.result
    report['fail_reason'] = cont.fail_reason
    report['offenders'] = cont.offenders
    return report
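def control_2_4_cloudtrail_integrated_cloudwatch():
    """CIS 2.4: CloudTrail trails must deliver to CloudWatch Logs.

    For every trail in the module-level ``cloudtrial_describe_trails``, a
    trail is considered integrated when it carries a
    ``CloudWatchLogsLogGroupArn`` or its status reports a
    ``LatestCloudWatchLogsDeliveryTime``. An integrated trail is still an
    offender when the log group ARN is empty or the latest delivery is older
    than one day (clock from ``datetime.now(tz=tz.tzlocal())``).

    Changes from the previous version: ``get_trail_status`` is called once
    per trail instead of twice; a missing log group ARN or delivery time
    no longer raises KeyError (missing ARN is reported as empty, missing
    delivery time is simply not assessed); the unused local was removed.

    Returns:
        dict with the control id, scored flag, description, result, fail
        reason and offenders taken from the ``Control`` object.
    """
    cont = Control(
        '2.4', 'Ensure CloudTrail trails are integrated with CloudWatch Logs',
        True)
    empty_arn_reason = 'CloudWatch Logs Group Arn is empty'
    stale_reason = 'Latest CloudWatch Logs Delivery Time is greater than one day'
    detached_reason = "CloudTrail logs doesn't attached to CloudWatch Logs log group"

    def record(reason, trail_arn):
        """Set the fail reason once and record the trail as offender."""
        if reason not in cont.fail_reason:
            cont.fail_reason = reason
        cont.offenders = trail_arn

    for trail in cloudtrial_describe_trails:
        trail_arn = trail['TrailARN']
        status = CLOUDTRAIL_CLIENT.get_trail_status(Name=trail['Name'])
        delivery_time = status.get('LatestCloudWatchLogsDeliveryTime')

        if ('CloudWatchLogsLogGroupArn' not in trail and
                delivery_time is None):
            record(detached_reason, trail_arn)
            continue

        if not trail.get('CloudWatchLogsLogGroupArn'):
            record(empty_arn_reason, trail_arn)

        # Delivery more than a day old means the integration is not keeping
        # up, which defeats near-real-time alerting on the trail.
        cutoff = datetime.now(tz=tz.tzlocal()) - timedelta(days=1)
        if delivery_time is not None and delivery_time <= cutoff:
            record(stale_reason, trail_arn)

    if not cont.offenders:
        cont.result = True

    return {
        'control_id': cont.id,
        'scored': cont.scored,
        'desc': cont.desc,
        'result': cont.result,
        'fail_reason': cont.fail_reason,
        'offenders': cont.offenders
    }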
def control_2_9_vpc_logging_enabled():
    """CIS 2.9: VPC flow logging should be enabled in all VPCs.

    This control performs no lookup: it reports ``result=None`` (neither pass
    nor fail) with a fixed reason and offender text.

    Returns:
        dict with the control id, scored flag, description, result, fail
        reason and offenders taken from the ``Control`` object.
    """
    cont = Control('2.9', 'Ensure VPC flow logging is enabled in all VPCs',
                   True)
    cont.result = None
    cont.offenders = 'Cannot perform this action'
    cont.fail_reason = 'API is not available to perform this action'

    report = {
        'control_id': cont.id,
        'scored': cont.scored,
        'desc': cont.desc,
    }
    report['result'] = cont.result
    report['fail_reason'] = cont.fail_reason
    report['offenders'] = cont.offenders
    return report
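def control_4_2_no_security_ingress_port_3389():
    """CIS 4.2: no security group may allow ingress from 0.0.0.0/0 to port 3389.

    Pages through all security groups and records a group when one of its
    ingress permissions has an IPv4 range of ``0.0.0.0/0`` and either covers
    all protocols (``IpProtocol == '-1'``, which has no port fields) or a
    ``FromPort``..``ToPort`` range that includes 3389.

    Change from the previous version: the all-protocols case is tested
    explicitly instead of being reached through a bare ``except`` around
    the port lookup, and the IPv4 ranges are matched on ``CidrIp`` rather
    than by substring search over the stringified list.

    NOTE(review): IPv6 ranges (``Ipv6Ranges`` / ``::/0``) are not assessed,
    as before.

    Returns:
        dict with the control id, scored flag, description, result, fail
        reason and offenders taken from the ``Control`` object.
    """
    cont = Control(
        '4.2',
        'Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389',
        True)
    reason = 'Found Security Group with port 3389 open to the internet (0.0.0.0/0)'

    def open_to_world(perm):
        """True when ``perm`` has a 0.0.0.0/0 IPv4 range."""
        return any(rng.get('CidrIp') == '0.0.0.0/0'
                   for rng in perm.get('IpRanges', []))

    def covers_port(perm):
        """True for all-protocol rules or a port range that includes 3389."""
        if str(perm.get('IpProtocol')) == '-1':
            return True
        if 'FromPort' not in perm or 'ToPort' not in perm:
            return False
        return int(perm['FromPort']) <= 3389 <= int(perm['ToPort'])

    paginator = EC2_CLIENT.get_paginator('describe_security_groups')
    for page in paginator.paginate():
        for group in page['SecurityGroups']:
            for perm in group['IpPermissions']:
                if open_to_world(perm) and covers_port(perm):
                    if not cont.fail_reason:
                        cont.fail_reason = reason
                    cont.offenders = group['GroupId']

    if not cont.offenders:
        cont.result = True

    return {
        'control_id': cont.id,
        'scored': cont.scored,
        'desc': cont.desc,
        'result': cont.result,
        'fail_reason': cont.fail_reason,
        'offenders': cont.offenders
    }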
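def control_2_1_cloudtrail_enabled_all_regions():
    """CIS 2.1: CloudTrail must be enabled in all regions.

    For every trail in the module-level ``cloudtrial_describe_trails`` the
    trail must be multi-region, be logging, and have an event selector
    that includes management events with ``ReadWriteType == 'All'``.

    Bug fix: an account with no trail at all previously passed, because the
    loop never ran and ``offenders`` stayed empty; it now fails with the
    same message control 2.2 uses. A trail configured with advanced event
    selectors returns no ``EventSelectors`` key; it is now reported as
    'Event selectors are not properly enabled' instead of raising KeyError.

    NOTE(review): every single-region trail is reported even when another
    multi-region trail exists, as before - confirm that is intended.

    Returns:
        dict with the control id, scored flag, description, result, fail
        reason and offenders taken from the ``Control`` object.
    """
    cont = Control('2.1', 'Ensure CloudTrail is enabled in all regions', True)

    if not cloudtrial_describe_trails:
        cont.fail_reason = 'CloudTrail is not created'
        cont.offenders = 'CloudTrail is not created'

    for trail in cloudtrial_describe_trails:
        trail_arn = trail['TrailARN']
        if trail['IsMultiRegionTrail'] is not True:
            cont.fail_reason = 'MultiregionTrial is not enabled'
            cont.offenders = trail_arn
            continue

        status = CLOUDTRAIL_CLIENT.get_trail_status(Name=trail_arn)
        if status['IsLogging'] is not True:
            cont.fail_reason = 'Logging is not enabled'
            cont.offenders = trail_arn
            continue

        selectors = CLOUDTRAIL_CLIENT.get_event_selectors(
            TrailName=trail_arn).get('EventSelectors', [])
        covers_management = any(
            sel['IncludeManagementEvents'] is True
            and sel['ReadWriteType'] == 'All'
            for sel in selectors)
        if not covers_management:
            cont.fail_reason = 'Event selectors are not properly enabled'
            cont.offenders = trail_arn

    if not cont.offenders:
        cont.result = True

    return {
        'control_id': cont.id,
        'scored': cont.scored,
        'desc': cont.desc,
        'result': cont.result,
        'fail_reason': cont.fail_reason,
        'offenders': cont.offenders
    }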
def control_1_15_security_question():
    """Report CIS 1.15 as a manual check.

    No API exposes whether security questions are registered, so the
    control is returned unscored with ``result`` set to ``None`` and a
    pointer to the AWS console in ``offenders``.

    Returns:
        dict with ``control_id``, ``scored``, ``desc``, ``result``,
        ``fail_reason`` and ``offenders``.
    """
    cont = Control(
        '1.15', 'Ensure security questions are registered in the AWS account',
        False)
    # Manual control: no pass/fail verdict can be computed.
    cont.result = None
    cont.offenders = 'Check it manually using the AWS console'
    cont.fail_reason = 'No API available to perform this action'

    return dict(
        control_id=cont.id,
        scored=cont.scored,
        desc=cont.desc,
        result=cont.result,
        fail_reason=cont.fail_reason,
        offenders=cont.offenders,
    )
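def control_3_4_log_metric_alarm_for_IAM_policy_changes():
    """Check CIS 3.4: a metric filter and alarm exist for IAM policy changes.

    Builds one filter-pattern regex per IAM policy-mutating API call and
    hands the list to the module-level ``monitoring_common_function``
    together with ``cloudtrials``.  Its integer status code is mapped to a
    fail reason; any code other than 0-3 counts as a pass.

    Returns:
        dict with ``control_id``, ``scored``, ``desc``, ``result``,
        ``fail_reason`` and ``offenders``.
    """
    cont = Control(
        '3.4',
        'Ensure a log metric filter and alarm exist for IAM policy changes',
        True)
    # CloudTrail event names that change IAM policies.  Each becomes a regex
    # that matches `$.eventName = "<name>"` inside a metric filter pattern.
    policy_change_events = (
        'DeleteGroupPolicy', 'DeleteRolePolicy', 'DeleteUserPolicy',
        'PutGroupPolicy', 'PutRolePolicy', 'PutUserPolicy',
        'CreatePolicy', 'DeletePolicy',
        'CreatePolicyVersion', 'DeletePolicyVersion',
        'AttachRolePolicy', 'DetachRolePolicy',
        'AttachUserPolicy', 'DetachUserPolicy',
        'AttachGroupPolicy', 'DetachGroupPolicy',
    )
    # Raw single-quoted string so the value is byte-identical to the former
    # escaped literals (their `\"` collapsed to a plain `"`) without the
    # invalid `\$` / `\.` / `\s` escapes that newer Pythons warn about.
    pattern_template = r'\$\.eventName\s*=\s*"?{}("|\)|\s)'
    patterns = [pattern_template.format(name) for name in policy_change_events]

    res = monitoring_common_function(patterns, cloudtrials)
    if res == 0:
        cont.fail_reason = 'No trail found'
    elif res == 1:
        cont.fail_reason = 'No metric filter found from Log group'
    elif res == 2:
        cont.fail_reason = 'Pattern not found in the metric filter'
        # The former message referred to root-account usage (copied from the
        # 3.3 control); this control is about IAM policy changes.
        cont.offenders = 'No metric filter matches IAM policy change events'
    elif res == 3:
        cont.fail_reason = 'No alarm is found for the metric filter'
    else:
        cont.result = True

    return {
        'control_id': cont.id,
        'scored': cont.scored,
        'desc': cont.desc,
        'result': cont.result,
        'fail_reason': cont.fail_reason,
        'offenders': cont.offenders
    }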
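def control_2_7_cloudtrail_logs_encrypted_kms():
    """Check CIS 2.7: every CloudTrail trail encrypts its logs with a KMS CMK.

    A trail from the module-level ``cloudtrial_describe_trails`` list is an
    offender when its entry has no ``KmsKeyId`` or the value is empty.  The
    control passes only when no offender is found; note that an account with
    zero trails also passes here, as before, because nothing is flagged
    (control 2.1 is the one that catches a missing trail).

    Returns:
        dict with ``control_id``, ``scored``, ``desc``, ``result``,
        ``fail_reason`` and ``offenders``.
    """
    cont = Control(
        '2.7', 'Ensure CloudTrail logs are encrypted at rest using KMS CMKs',
        True)
    for each_trail in cloudtrial_describe_trails:
        # .get() also treats an empty or None key id as unencrypted, where the
        # former membership test only caught a missing key.
        if not each_trail.get('KmsKeyId'):
            if not cont.fail_reason:
                cont.fail_reason = 'CloudTrail Logs are not encrypted at rest using CMK'
            cont.offenders = each_trail['TrailARN']
    if not cont.offenders:
        cont.result = True

    return {
        'control_id': cont.id,
        'scored': cont.scored,
        'desc': cont.desc,
        'result': cont.result,
        'fail_reason': cont.fail_reason,
        'offenders': cont.offenders
    }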
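def control_1_10_passwd_policy_passd_reuse():
    """Check CIS 1.10: the IAM password policy prevents reuse of the last 24 passwords.

    Reads the module-level ``ACCOUNT_PASSWORD_POLICY`` (``False`` when the
    account has no policy at all).  ``PasswordReusePrevention`` is absent
    from the policy document when reuse prevention was never configured, so
    it is read with a default of 0 instead of indexed directly, which raised
    ``KeyError`` and aborted the whole check.  A value of 24 or more passes;
    anything lower reports the configured value as the offender.

    Returns:
        dict with ``control_id``, ``scored``, ``desc``, ``result``,
        ``fail_reason`` and ``offenders``.
    """
    cont = Control('1.10',
                   'Ensure IAM password policy prevents password reuse', True)
    if ACCOUNT_PASSWORD_POLICY is False:
        cont.fail_reason = "Account does not have a IAM password policy"
    else:
        # Missing key == reuse prevention not configured, i.e. 0 remembered.
        reuse_prevention = ACCOUNT_PASSWORD_POLICY.get(
            'PasswordReusePrevention', 0)
        if reuse_prevention >= 24:
            cont.result = True
        else:
            cont.fail_reason = 'Requires minimum password reuse is 24.'
            cont.offenders = 'The current password resuse policy is {0}'.format(
                reuse_prevention)

    return {
        'control_id': cont.id,
        'scored': cont.scored,
        'desc': cont.desc,
        'result': cont.result,
        'fail_reason': cont.fail_reason,
        'offenders': cont.offenders
    }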
def control_1_20_support_role_manage_incident():
    """Check CIS 1.20: the AWSSupportAccess managed policy is attached somewhere.

    Calls ``IAM_CLIENT.list_entities_for_policy`` for the AWS-managed
    ``AWSSupportAccess`` policy and passes when at least one group, user or
    role is returned for it.

    Returns:
        dict with ``control_id``, ``scored``, ``desc``, ``result``,
        ``fail_reason`` and ``offenders``.
    """
    cont = Control(
        '1.20',
        'Ensure a support role has been created to manage incidents with AWS Support',
        True)
    support_policy_arn = 'arn:aws:iam::aws:policy/AWSSupportAccess'
    entities = IAM_CLIENT.list_entities_for_policy(PolicyArn=support_policy_arn)
    # Same short-circuit order as before: groups, then users, then roles.
    attached_anywhere = any(
        entities[kind] for kind in ('PolicyGroups', 'PolicyUsers', 'PolicyRoles'))
    if attached_anywhere:
        cont.result = True
    else:
        cont.fail_reason = 'AWSSupportAccess is not attached to any IAM user,group or role'
        cont.offenders = 'AWSSupportAccess should be attached to IAM user,group or role in order to manage incidents'

    return dict(
        control_id=cont.id,
        scored=cont.scored,
        desc=cont.desc,
        result=cont.result,
        fail_reason=cont.fail_reason,
        offenders=cont.offenders,
    )