def create_report_batch_job_handler(event, context):
    check_history_id = eventhelper.get_check_history_id_batch(event)
    trace_id = check_history_id
    common_utils.begin_cw_logger(trace_id, __name__, inspect.currentframe())
    # セキュリティチェックレポート作成ジョブ登録
    return awssecuritychecks_logic.create_report_batch_job(
                                trace_id, check_history_id)
def execute_securitycheck_aggregate_handler(event, context):
    check_history_id = eventhelper.get_check_history_id_batch(event)
    trace_id = check_history_id
    common_utils.begin_cw_logger(trace_id, __name__, inspect.currentframe())
    # セキュリティチェック結果集計
    return awssecuritychecks_logic.execute_securitycheck_aggregate(
                                trace_id, check_history_id)
def create(trace_id,
           organization_id,
           notify_code,
           webhook_url,
           mentions,
           is_cw_logger=False):
    if (is_cw_logger):
        common_utils.begin_cw_logger(trace_id, __name__,
                                     inspect.currentframe())
    else:
        common_utils.begin_logger(trace_id, __name__, inspect.currentframe())

    if common_utils.is_null(mentions):
        mentions = None

    date_now = common_utils.get_current_date()
    org_notify_slack = {
        "OrganizationID": organization_id,
        "NotifyCode": notify_code,
        "WebhookURL": webhook_url,
        "Mentions": mentions,
        "CreatedAt": date_now,
        "UpdatedAt": date_now
    }
    DB_utils.create(trace_id,
                    Tables.PM_ORG_NOTIFY_SLACK,
                    org_notify_slack,
                    is_cw_logger=is_cw_logger)
def get_check_awsaccounts_handler(event, context):
    # 必要な情報を取得
    check_history_id = eventhelper.get_check_history_id_batch(event)
    trace_id = check_history_id
    common_utils.begin_cw_logger(trace_id, __name__, inspect.currentframe())

    # セキュリティチェック対象AWSアカウント取得
    return awssecuritychecks_logic.get_check_awsaccounts(
                                trace_id, check_history_id)
def update(trace_id, check_result_id, update_attribute, is_cw_logger=False):
    if (is_cw_logger):
        common_utils.begin_cw_logger(trace_id, __name__,
                                     inspect.currentframe())
    else:
        common_utils.begin_logger(trace_id, __name__, inspect.currentframe())
    key = {"CheckResultID": check_result_id}
    DB_utils.update(trace_id,
                    Tables.PM_CHECK_RESULTS,
                    key,
                    update_attribute,
                    is_cw_logger=is_cw_logger)
def execute_securitycheck_statemachine_handler(event, context):
    # Amazon SNSメッセージを取得
    message = eventhelper.get_message_from_sns(event)
    message = json.loads(message)

    # 必要な情報を取得
    check_history_id = eventhelper.get_check_history_id_batch(message)
    trace_id = check_history_id
    common_utils.begin_cw_logger(trace_id, __name__, inspect.currentframe())

    # セキュリティチェックStepFunctions起動
    awssecuritychecks_logic.execute_securitycheck_statemachine(
        trace_id, check_history_id)
def create(trace_id,
           check_result_id,
           check_history_id,
           check_rule_code,
           organization_id,
           organization_name,
           project_id,
           project_name,
           aws_account_coop_id,
           aws_account,
           sort_code,
           ok_count,
           critical_count,
           ng_count,
           executed_date_time,
           time_to_live,
           aws_account_name,
           is_cw_logger=False):
    if (is_cw_logger):
        common_utils.begin_cw_logger(trace_id, __name__,
                                     inspect.currentframe())
    else:
        common_utils.begin_logger(trace_id, __name__, inspect.currentframe())
    # 不要なクラムを作成することを避けるため
    date_now = common_utils.get_current_date()
    data_create = {
        'CheckResultID': check_result_id,
        'CheckHistoryID': check_history_id,
        'CheckRuleCode': check_rule_code,
        'OrganizationID': organization_id,
        'OrganizationName': organization_name,
        'ProjectID': project_id,
        'ProjectName': project_name,
        'AWSAccountCoopID': aws_account_coop_id,
        'AWSAccount': aws_account,
        'SortCode': sort_code,
        'OKCount': ok_count,
        'CriticalCount': critical_count,
        'NGCount': ng_count,
        'ExecutedDateTime': executed_date_time,
        'TimeToLive': time_to_live,
        'CreatedAt': date_now,
        'UpdatedAt': date_now,
        'AWSAccountName': aws_account_name
    }
    condition_expression = Attr("CheckResultID").not_exists()
    DB_utils.create(trace_id,
                    Tables.PM_CHECK_RESULTS,
                    data_create,
                    condition_expression,
                    is_cw_logger=is_cw_logger)
示例#8
0
def create(trace_id,
           table_name,
           create_data,
           condition_expression=None,
           is_cw_logger=False):
    if (is_cw_logger):
        logger = common_utils.begin_cw_logger(trace_id, __name__,
                                              inspect.currentframe())
    else:
        logger = common_utils.begin_logger(trace_id, __name__,
                                           inspect.currentframe())
    try:
        table = connect_dynamodb(table_name)
        if (condition_expression is None):
            table.put_item(Item=create_data)
        else:
            table.put_item(Item=create_data,
                           ConditionExpression=condition_expression)
        logger.info(table_name.value + "正常に作成しました。")
    except ClientError as e:
        if retrycheck.check_retryable(e.response):
            retry_exception = RetryException(cause_error=e)
            logger.error(retry_exception)
            logger.exception("error_id: %s", retry_exception.error_id)
            raise retry_exception
        else:
            no_retry_exception = NoRetryException(
                cause_error=e, message=e.response['Error']['Message'])
            logger.error(no_retry_exception)
            raise no_retry_exception
示例#9
0
def query_index(trace_id,
                table_name,
                index_name,
                key_conditions,
                filter_expression,
                scan_index_forward=True,
                is_cw_logger=False):
    if (is_cw_logger):
        logger = common_utils.begin_cw_logger(trace_id, __name__,
                                              inspect.currentframe())
    else:
        logger = common_utils.begin_logger(trace_id, __name__,
                                           inspect.currentframe())
    exclusiveStartKey = None
    list_data = []
    while True:
        try:
            result = query_index_db(trace_id,
                                    table_name,
                                    index_name,
                                    key_conditions,
                                    filter_expression,
                                    scan_index_forward,
                                    exclusiveStartKey,
                                    is_cw_logger=is_cw_logger)
            list_data.extend(result['Items'])
            if common_utils.check_key('LastEvaluatedKey', result) is False:
                break
            exclusiveStartKey = result['LastEvaluatedKey']
        except Exception as e:
            logger.error(e)
            break
    return common_utils.response(list_data, logger)
示例#10
0
def query_key(trace_id, table_name, key, is_cw_logger=False):
    if (is_cw_logger):
        logger = common_utils.begin_cw_logger(trace_id, __name__,
                                              inspect.currentframe())
    else:
        logger = common_utils.begin_logger(trace_id, __name__,
                                           inspect.currentframe())
    try:
        table = connect_dynamodb(table_name)
        result = table.get_item(Key=key)
        result_item = None
        if (common_utils.check_key('Item', result)):
            result_item = result['Item']
        return common_utils.response(result_item, logger)
    except ClientError as e:
        if retrycheck.check_retryable(e.response):
            retry_exception = RetryException(cause_error=e)
            logger.error(retry_exception)
            logger.exception("error_id: %s", retry_exception.error_id)
            raise retry_exception
        else:
            no_retry_exception = NoRetryException(
                cause_error=e, message=e.response['Error']['Message'])
            logger.error(no_retry_exception)
            raise no_retry_exception
def query_key(trace_id,
              organization_id,
              notify_code,
              convert_response=None,
              is_cw_logger=False):
    if (is_cw_logger):
        logger = common_utils.begin_cw_logger(trace_id, __name__,
                                              inspect.currentframe())
    else:
        logger = common_utils.begin_logger(trace_id, __name__,
                                           inspect.currentframe())
    key = {"OrganizationID": organization_id, "NotifyCode": notify_code}
    result = DB_utils.query_key(trace_id,
                                Tables.PM_ORG_NOTIFY_MAIL_DESTINATIONS,
                                key,
                                is_cw_logger=is_cw_logger)
    if result and convert_response:
        result = common_utils.convert_response(
            trace_id,
            result,
            RESPONSE_ORG_NOTIFY_MAIL_DESTINATIONS,
            is_cw_logger=is_cw_logger)
        result['destinations'] = common_utils.convert_list_response(
            trace_id,
            result['destinations'],
            RESPONSE_DESTINATIONS,
            is_cw_logger=is_cw_logger)
    return common_utils.response(result, logger)
示例#12
0
def get_bucket_encryption(trace_id, s3_client, bucket, aws_account,
                          region_name, is_cw_logger=False):
    if (is_cw_logger):
        logger = common_utils.begin_cw_logger(trace_id, __name__,
                                              inspect.currentframe())
    else:
        logger = common_utils.begin_logger(trace_id, __name__,
                                           inspect.currentframe())
    bucket_encryption = []
    try:
        result = s3_client.get_bucket_encryption(Bucket=bucket)
    except ClientError as e:
        if e.response["Error"]["Code"] == CommonConst.SERVER_SIDE_ENCRYPTION_CONFIGURATION_NOT_FOUND_ERROR:
            logger.info("[%s]S3バケット暗号化情報がありません。(%s/%s)", aws_account,
                        region_name, bucket)
            raise PmError(cause_error=e)
        elif e.response['Error']['Code'] in CommonConst.S3_SKIP_EXCEPTION:
            logger.warning("[%s] 権限エラーによりS3バケットリージョン情報の取得に失敗しました。(%s/%s)",
                           aws_account, region_name, bucket)
            raise common_utils.write_log_warning(e, logger)
        else:
            logger.error("[%s]S3バケット暗号化情報の取得に失敗しました。(%s/%s)", aws_account,
                         region_name, bucket)
            raise common_utils.write_log_exception(e, logger)
    if common_utils.check_key("ServerSideEncryptionConfiguration", result):
        if common_utils.check_key("Rules", result["ServerSideEncryptionConfiguration"]):
            bucket_encryption = result["ServerSideEncryptionConfiguration"]["Rules"]
    return bucket_encryption
示例#13
0
def get_cognito_user_info_by_user_name(trace_id, user_name,
                                       is_cw_logger=False):
    if (is_cw_logger):
        logger = common_utils.begin_cw_logger(trace_id, __name__,
                                              inspect.currentframe())
    else:
        logger = common_utils.begin_logger(trace_id, __name__,
                                           inspect.currentframe())
    # get user_pool
    try:
        client = boto3.client("cognito-idp")
    except ClientError as e:
        raise common_utils.write_log_exception(e, logger)

    user_pool_id = os.environ.get("COGNITO_USER_POOL_ID")
    try:
        user_info = client.admin_get_user(
            UserPoolId=user_pool_id,
            Username=user_name)
    except ClientError as e:
        if e.response['Error']['Code'] == CommonConst.COGNITO_USER_NOT_FOUND_EXCEPTION:
            return None

        raise common_utils.write_log_exception(e, logger)
    logger.info("End : get cognito users info success")
    return user_info
    def test_execute_securitycheck_statemachine_case_error_validate_param(
            self):
        # create data mock
        cw_logger = common_utils.begin_cw_logger(trace_id, __name__,
                                                 inspect.currentframe())

        # patch mock
        patch_begin_cw_logger = patch(
            "premembers.common.common_utils.begin_cw_logger")
        patch_logger_error = patch.object(CwLogAdapter, "error")

        # start mock object
        mock_begin_cw_logger = patch_begin_cw_logger.start()
        mock_logger_error = patch_logger_error.start()

        # mock object
        mock_begin_cw_logger.return_value = cw_logger

        # addCleanup stop mock object
        self.addCleanup(patch_begin_cw_logger.stop)
        self.addCleanup(patch_logger_error.stop)

        with self.assertRaises(PmError) as exception:
            # call function test
            awssecuritychecks_logic.execute_securitycheck_statemachine(
                trace_id, "")

        # check error
        actual_message = exception.exception.message
        self.assertEquals("CKEX_SECURITY-001", actual_message)

        # check log message error
        mock_logger_error.assert_any_call("チェック履歴IDが指定されていません。")
def query_check_history_index(trace_id,
                              check_history_id,
                              sort_code=None,
                              filter_expression=None,
                              is_cw_logger=False):
    if (is_cw_logger):
        logger = common_utils.begin_cw_logger(trace_id, __name__,
                                              inspect.currentframe())
    else:
        logger = common_utils.begin_logger(trace_id, __name__,
                                           inspect.currentframe())
    key_conditions = {
        'CheckHistoryID': {
            'AttributeValueList': [check_history_id],
            'ComparisonOperator': 'EQ'
        }
    }
    if sort_code is not None:
        key_conditions['SortCode'] = {
            'AttributeValueList': [sort_code],
            'ComparisonOperator': 'EQ'
        }
    result = DB_utils.query_index(trace_id,
                                  Tables.PM_CHECK_RESULT_ITEMS,
                                  CHECK_HISTORY_INDEX,
                                  key_conditions,
                                  filter_expression,
                                  is_cw_logger=is_cw_logger)
    return common_utils.response(result, logger)
示例#16
0
def query_history_index(trace_id,
                        check_history_id,
                        filter_expression=None,
                        convert_response=None,
                        is_cw_logger=False):
    if (is_cw_logger):
        logger = common_utils.begin_cw_logger(trace_id, __name__,
                                              inspect.currentframe())
    else:
        logger = common_utils.begin_logger(trace_id, __name__,
                                           inspect.currentframe())
    key_conditions = {
        'CheckHistoryID': {
            'AttributeValueList': [check_history_id],
            'ComparisonOperator': 'EQ'
        }
    }
    result = DB_utils.query_index(trace_id,
                                  Tables.PM_CHECK_RESULTS,
                                  CHECK_HISTORY_INDEX,
                                  key_conditions,
                                  filter_expression,
                                  is_cw_logger=is_cw_logger)
    if result and convert_response:
        result = common_utils.convert_list_response(trace_id,
                                                    result,
                                                    RESPONSE_CHECK_RESULTS,
                                                    RESPONSE_REQUIRED,
                                                    is_cw_logger=is_cw_logger)
    return common_utils.response(result, logger)
    def test_check_effective_awsaccount_case_error_validate_param(self):
        # create data mock
        cw_logger = common_utils.begin_cw_logger(trace_id, __name__,
                                                 inspect.currentframe())

        # patch mock
        patch_begin_cw_logger = patch(
            "premembers.common.common_utils.begin_cw_logger")
        patch_logger_error = patch.object(CwLogAdapter, "error")

        # start mock object
        mock_begin_cw_logger = patch_begin_cw_logger.start()
        mock_logger_error = patch_logger_error.start()

        # mock object
        mock_begin_cw_logger.return_value = cw_logger

        # addCleanup stop mock object
        self.addCleanup(patch_begin_cw_logger.stop)
        self.addCleanup(patch_logger_error.stop)

        # call function test
        actual_response = awssecuritychecks_logic.check_effective_awsaccount(
            trace_id, "", "", role_name, external_id, organization_id,
            project_id, check_history_id)

        expect_response = {"TaskResult": "Fail"}
        # check result
        self.assertDictEqual(expect_response, actual_response)

        # check log message error
        mock_logger_error.assert_any_call("%sが指定されていません。",
                                          "AWSAccount, CoopID")
示例#18
0
def query_userid_key(trace_id,
                     user_id,
                     organization_id=None,
                     filter_expression=None,
                     convert_response=None,
                     is_cw_logger=False):
    if (is_cw_logger):
        logger = common_utils.begin_cw_logger(trace_id, __name__,
                                              inspect.currentframe())
    else:
        logger = common_utils.begin_logger(trace_id, __name__,
                                           inspect.currentframe())
    key_conditions = {
        'UserID': {
            'AttributeValueList': [user_id],
            'ComparisonOperator': 'EQ'
        }
    }
    if (organization_id):
        key_conditions['OrganizationID'] = {
            'AttributeValueList': [organization_id],
            'ComparisonOperator': 'EQ'
        }
    result = DB_utils.query(trace_id,
                            Tables.PM_AFFILIATION,
                            key_conditions,
                            filter_expression,
                            is_cw_logger=is_cw_logger)
    if result and convert_response:
        result = common_utils.convert_list_response(trace_id,
                                                    result,
                                                    RESPONSE_AFFILIATION,
                                                    is_cw_logger=is_cw_logger)
    return common_utils.response(result, logger)
示例#19
0
def describe_volumes(trace_id,
                     awsaccount,
                     ec2_client,
                     region_name,
                     is_cw_logger=False):
    if (is_cw_logger):
        logger = common_utils.begin_cw_logger(trace_id, __name__,
                                              inspect.currentframe())
    else:
        logger = common_utils.begin_logger(trace_id, __name__,
                                           inspect.currentframe())
    ebs_volumes = []
    try:
        response = ec2_client.describe_volumes()
        if common_utils.check_key("Volumes", response):
            ebs_volumes = response["Volumes"]

        next_token = None
        if 'NextToken' in response:
            next_token = response['NextToken']
        while (next_token is not None):
            response = ec2_client.describe_volumes(NextToken=next_token)
            ebs_volumes.extend(response['Volumes'])
            if 'NextToken' in response:
                next_token = response['NextToken']
            else:
                next_token = None
    except ClientError as e:
        logger.error("[%s/%s] EBSボリューム情報の取得に失敗しました。", awsaccount, region_name)
        raise common_utils.write_log_exception(e, logger)
    return ebs_volumes
示例#20
0
def get_regions(trace_id, session=None,
                filter_describe_regions=CommonConst.FILTER_DESCRIBE_REGIONS,
                all_regions=True, is_cw_logger=False):
    if (is_cw_logger):
        logger = common_utils.begin_cw_logger(trace_id, __name__,
                                              inspect.currentframe())
    else:
        logger = common_utils.begin_logger(trace_id, __name__,
                                           inspect.currentframe())
    try:
        if session:
            ec2_client = session.client('ec2')
        else:
            ec2_client = boto3.client('ec2')
        if filter_describe_regions is not None and all_regions is not None:
            response = ec2_client.describe_regions(
                Filters=filter_describe_regions, AllRegions=all_regions)
        elif filter_describe_regions is not None:
            response = ec2_client.describe_regions(
                Filters=filter_describe_regions)
        elif all_regions is not None:
            response = ec2_client.describe_regions(
                AllRegions=all_regions)
        else:
            response = ec2_client.describe_regions()
    except ClientError as e:
        raise common_utils.write_log_exception(e, logger)

    return response['Regions']
示例#21
0
def update(trace_id,
           check_history_id,
           update_attribute,
           target_update_date,
           is_cw_logger=False):
    if (is_cw_logger):
        common_utils.begin_cw_logger(trace_id, __name__,
                                     inspect.currentframe())
    else:
        common_utils.begin_logger(trace_id, __name__, inspect.currentframe())
    key = {"CheckHistoryID": check_history_id}
    DB_utils.update(trace_id,
                    Tables.PM_CHECK_HISTORY,
                    key,
                    update_attribute,
                    target_update_date,
                    is_cw_logger=is_cw_logger)
def update_awscoops(trace_id,
                    coop_id,
                    update_attribute,
                    target_update_date=None,
                    is_cw_logger=False):
    if (is_cw_logger):
        common_utils.begin_cw_logger(trace_id, __name__,
                                     inspect.currentframe())
    else:
        common_utils.begin_logger(trace_id, __name__, inspect.currentframe())

    key = {"CoopID": coop_id}
    DB_utils.update(trace_id,
                    Tables.PM_AWSACCOUNTCOOPS,
                    key,
                    update_attribute,
                    target_update_date,
                    is_cw_logger=is_cw_logger)
def get_step_functions_client(trace_id):
    cw_logger = common_utils.begin_cw_logger(trace_id, __name__,
                                             inspect.currentframe())
    try:
        step_functions_client = boto3.client('stepfunctions')
    except ClientError as e:
        cw_logger.error("Step Functionsクライアント作成に失敗しました。")
        raise common_utils.write_log_exception(e, cw_logger)
    return step_functions_client
示例#24
0
    def test_get_check_awsaccounts_case_error_get_record_pm_project(self):
        # create data mock
        cw_logger = common_utils.begin_cw_logger(trace_id, __name__,
                                                 inspect.currentframe())
        pm_error = PmError()

        # patch mock
        patch_begin_cw_logger = patch(
            "premembers.common.common_utils.begin_cw_logger")
        patch_query_key_pm_check_history = patch(
            "premembers.repository.pm_checkHistory.query_key")
        patch_query_key_pm_organizations = patch(
            "premembers.repository.pm_organizations.get_organization")
        patch_query_key_pm_project = patch(
            "premembers.repository.pm_projects.query_key")
        patch_logger_error = patch.object(CwLogAdapter, "error")
        patch_write_log_pm_error = patch(
            "premembers.common.common_utils.write_log_pm_error")

        # start mock object
        mock_begin_cw_logger = patch_begin_cw_logger.start()
        mock_query_key_pm_check_history = patch_query_key_pm_check_history.start(
        )
        mock_query_key_pm_organizations = patch_query_key_pm_organizations.start(
        )
        mock_query_key_pm_project = patch_query_key_pm_project.start()
        mock_logger_error = patch_logger_error.start()
        mock_write_log_pm_error = patch_write_log_pm_error.start()

        # mock data
        mock_begin_cw_logger.return_value = cw_logger
        mock_query_key_pm_check_history.return_value = data_pm_check_history
        mock_query_key_pm_organizations.return_value = data_pm_organizations
        mock_query_key_pm_project.side_effect = pm_error
        mock_write_log_pm_error.return_value = pm_error

        # addCleanup stop mock object
        self.addCleanup(patch_begin_cw_logger.stop)
        self.addCleanup(patch_query_key_pm_check_history.stop)
        self.addCleanup(patch_query_key_pm_organizations.stop)
        self.addCleanup(patch_query_key_pm_project.stop)
        self.addCleanup(patch_logger_error.stop)
        self.addCleanup(patch_write_log_pm_error.stop)

        with self.assertRaises(PmError):
            # call function test
            awssecuritychecks_logic.get_check_awsaccounts(
                trace_id, check_history_id)

        # check log message error
        mock_logger_error.assert_called_once_with(
            "プロジェクト情報の取得に失敗しました。: ProjectID=%s", project_id)

        # check call function write_log_pm_error
        mock_write_log_pm_error.assert_called_once_with(
            pm_error, cw_logger, "GCA_SECURITY-004")
def check_effective_awsaccount_handler(event, context):
    # 必要な情報を取得
    check_history_id = eventhelper.get_check_history_id_batch(event)
    trace_id = check_history_id
    coop_id = eventhelper.get_coop_id_batch(event)
    role_name = eventhelper.get_role_name(event)
    external_id = eventhelper.get_external_id(event)
    organization_id = eventhelper.get_organization_id_batch(event)
    project_id = eventhelper.get_project_id_batch(event)

    common_utils.begin_cw_logger(trace_id, __name__, inspect.currentframe())

    # 対象となるAWSアカウント
    target_aws_account = eventhelper.get_awsaccount(event)

    # AWSアカウントチェック
    return awssecuritychecks_logic.check_effective_awsaccount(
        trace_id, target_aws_account, coop_id, role_name, external_id,
        organization_id, project_id, check_history_id)
示例#26
0
def update(trace_id,
           table_name,
           key,
           update_attribute,
           target_update_date=None,
           is_cw_logger=False):
    if (is_cw_logger):
        logger = common_utils.begin_cw_logger(trace_id, __name__,
                                              inspect.currentframe())
    else:
        logger = common_utils.begin_logger(trace_id, __name__,
                                           inspect.currentframe())
    date_now = common_utils.get_current_date()
    update_attribute['UpdatedAt'] = {'Value': date_now}
    update_expression = 'SET '
    update_expression_attribute_values = {
        ':UpdatedAt': update_attribute['UpdatedAt']['Value']
    }
    first_row = True
    for update_key in update_attribute.keys():
        update_value_key = ":{}".format(update_key)
        update_value = " {} = {}".format(update_key, update_value_key)
        if (first_row):
            update_expression += update_value
            first_row = False
        else:
            update_expression += ", {}".format(update_value)
        update_expression_attribute_values[
            update_value_key] = update_attribute[update_key]['Value']
    condition_expression = Attr('UpdatedAt').eq(target_update_date)
    try:
        table = connect_dynamodb(table_name)
        if target_update_date:
            table.update_item(
                Key=key,
                ExpressionAttributeValues=update_expression_attribute_values,
                UpdateExpression=update_expression,
                ConditionExpression=condition_expression)
        else:
            table.update_item(
                Key=key,
                ExpressionAttributeValues=update_expression_attribute_values,
                UpdateExpression=update_expression)
        logger.info(table_name.value + "を正常に更新しました。")
    except ClientError as e:
        if retrycheck.check_retryable(e.response):
            retry_exception = RetryException(cause_error=e)
            logger.error(retry_exception)
            logger.exception("error_id: %s", retry_exception.error_id)
            raise retry_exception
        else:
            no_retry_exception = NoRetryException(
                cause_error=e, message=e.response['Error']['Message'])
            logger.error(no_retry_exception)
            raise no_retry_exception
示例#27
0
def get_role(trace_id, iam_client, role_name, is_cw_logger=False):
    if (is_cw_logger):
        logger = common_utils.begin_cw_logger(trace_id, __name__,
                                              inspect.currentframe())
    else:
        logger = common_utils.begin_logger(trace_id, __name__,
                                           inspect.currentframe())
    try:
        response = iam_client.get_role(RoleName=role_name)
    except ClientError as e:
        raise common_utils.write_log_warning(e, logger)
    return response
def check_asc_item_copy_cis_check(trace_id, check_history_id, organization_id,
                                  project_id, aws_account, session,
                                  result_json_path, check_cis_item):
    cw_logger = common_utils.begin_cw_logger(trace_id, __name__,
                                             inspect.currentframe())
    error_cis = LIST_ERROR_CIS[check_cis_item]
    try:
        try:
            check_result_items = pm_checkResultItems.query_by_check_history_id_and_check_item_code_and_aws_account(
                trace_id,
                check_history_id,
                check_cis_item,
                aws_account,
                is_cw_logger=True)
        except Exception as e:
            cw_logger.error("[%s] %sのチェック結果を取得できませんでした。", aws_account,
                            error_cis)
            return CheckResult.Error

        # チェック結果が「マネージド-1」だった場合は、チェック結果ファイルは作られていないのでファイル取得はスキップします。
        check_result = check_result_items[0]["CheckResult"]
        if check_result == CheckResult.MembersManagement:
            return check_result

        s3_file_name = CommonConst.PATH_CHECK_RESULT.format(
            check_history_id, organization_id, project_id, aws_account,
            check_cis_item + ".json")
        try:
            check_results_s3 = FileUtils.read_json(trace_id,
                                                   CommonConst.S3_CHECK_BUCKET,
                                                   s3_file_name,
                                                   is_cw_logger=True)
        except PmError as e:
            cw_logger.error("[%s] %sのチェック結果ファイルを取得できませんでした。", aws_account,
                            error_cis)
            return CheckResult.Error
    except Exception as e:
        cw_logger.error("[%s] チェック処理中にエラーが発生しました。", aws_account)
        return CheckResult.Error

    # Export File Json
    try:
        FileUtils.upload_s3(trace_id,
                            check_results_s3,
                            result_json_path,
                            format_json=True,
                            is_cw_logger=True)
    except Exception as e:
        cw_logger.error("[%s] チェック結果JSONファイルの保存に失敗しました。", aws_account)
        return CheckResult.Error

    # チェック結果
    return check_result
    def test_check_effective_awsaccount_case_error_create_session_client(self):
        # create data mock
        cw_logger = common_utils.begin_cw_logger(trace_id, __name__,
                                                 inspect.currentframe())

        # patch mock
        patch_begin_cw_logger = patch(
            "premembers.common.common_utils.begin_cw_logger")
        patch_logger_warning = patch.object(CwLogAdapter, "warning")
        patch_do_disable_awscoop = patch(
            "premembers.check.logic.awssecuritychecks_logic.do_disable_awscoop"
        )
        patch_create_session_client = patch(
            "premembers.common.aws_common.create_session_client")
        patch_query_awscoop_coop_key = patch(
            "premembers.repository.pm_awsAccountCoops.query_awscoop_coop_key")

        # start mock object
        mock_begin_cw_logger = patch_begin_cw_logger.start()
        mock_logger_warning = patch_logger_warning.start()
        mock_do_disable_awscoop = patch_do_disable_awscoop.start()
        mock_create_session_client = patch_create_session_client.start()
        mock_query_awscoop_coop_key = patch_query_awscoop_coop_key.start()

        # mock object
        mock_begin_cw_logger.return_value = cw_logger
        mock_do_disable_awscoop.side_effect = None
        mock_create_session_client.side_effect = PmError()
        mock_query_awscoop_coop_key.side_effect = None

        # addCleanup stop mock object
        self.addCleanup(patch_begin_cw_logger.stop)
        self.addCleanup(patch_logger_warning.stop)
        self.addCleanup(patch_do_disable_awscoop.stop)
        self.addCleanup(patch_create_session_client.stop)
        self.addCleanup(patch_query_awscoop_coop_key.stop)

        # call function test
        actual_response = awssecuritychecks_logic.check_effective_awsaccount(
            trace_id, aws_account, coop_id, role_name, external_id,
            organization_id, project_id, check_history_id)

        expect_response = {"TaskResult": "Fail"}
        # check result
        self.assertDictEqual(expect_response, actual_response)

        # check log message warning
        mock_logger_warning.assert_any_call("[%s] Credentialsを取得できませんでした。",
                                            aws_account)

        # check call function do_disable_awscoop
        mock_do_disable_awscoop.assert_called_once_with(
            trace_id, coop_id, aws_account)
def execute_asc_check_handler(event, context):
    check_history_id = eventhelper.get_check_history_id_batch(event)
    trace_id = check_history_id
    aws_account = eventhelper.get_awsaccount(event)
    coop_id = eventhelper.get_coop_id_batch(event)
    aws_account_name = eventhelper.get_awsaccount_name_batch(event)
    role_name = eventhelper.get_role_name(event)
    external_id = eventhelper.get_external_id(event)
    organization_id = eventhelper.get_organization_id_batch(event)
    organization_name = eventhelper.get_organization_name_batch(event)
    project_id = eventhelper.get_project_id_batch(event)
    project_name = eventhelper.get_project_name_batch(event)
    check_result_id = eventhelper.get_check_result_id_batch(event)
    effective_awsaccount = eventhelper.get_effective_awsaccount(event)
    common_utils.begin_cw_logger(trace_id, __name__, inspect.currentframe())

    # セキュリティチェックASC実行
    return awssecuritychecks_logic.execute_asc_check(
        trace_id, aws_account, coop_id, aws_account_name, role_name,
        external_id, organization_id, organization_name, project_id,
        project_name, check_history_id, check_result_id, effective_awsaccount)