aws-inventory-manager 0.17.12__py3-none-any.whl

src/restore/dependency.py

@@ -0,0 +1,254 @@
+"""Dependency graph analysis for resource deletion ordering.
+
+Builds dependency graph from resource metadata and computes deletion order
+using Kahn's topological sort algorithm.
+"""
+
+from __future__ import annotations
+
+from collections import defaultdict, deque
+from typing import Any
+
+
+class DependencyResolver:
+    """Dependency resolver for resource deletion ordering.
+
+    Builds dependency graph from resource metadata and computes safe deletion
+    order using Kahn's topological sort algorithm. Detects circular dependencies
+    and assigns resources to deletion tiers.
+
+    Attributes:
+        graph: Dependency graph where graph[child] = [parent1, parent2, ...]
+               Children must be deleted before parents
+    """
+
+    # Dependency field mappings for common AWS resource types
+    DEPENDENCY_FIELDS = {
+        "AWS::EC2::Instance": ["VpcId", "SubnetId", "SecurityGroupIds"],
+        "AWS::EC2::Subnet": ["VpcId"],
+        "AWS::EC2::SecurityGroup": ["VpcId"],
+        "AWS::EC2::VPC": [],  # VPCs have no dependencies
+        "AWS::RDS::DBInstance": ["DBSubnetGroupName", "VpcSecurityGroupIds"],
+        "AWS::Lambda::Function": ["VpcConfig.SubnetIds", "Role"],
+        "AWS::ECS::Service": ["Cluster", "LoadBalancers.TargetGroupArn"],
+    }
+
+    def __init__(self) -> None:
+        """Initialize dependency resolver with empty graph."""
+        self.graph: dict[str, list[str]] = {}
+
+    def add_dependency(self, parent: str, child: str) -> None:
+        """Add dependency: child must be deleted before parent.
+
+        Args:
+            parent: Resource ID that depends on child
+            child: Resource ID that parent depends on
+        """
+        if child not in self.graph:
+            self.graph[child] = []
+
+        if parent not in self.graph[child]:
+            self.graph[child].append(parent)
+
+        # Ensure parent exists in graph even if it has no dependencies
+        if parent not in self.graph:
+            self.graph[parent] = []
+
+    def build_graph_from_resources(self, resources: list[dict]) -> None:
+        """Build dependency graph from resource metadata.
+
+        Automatically detects dependencies based on resource type and metadata
+        fields (VpcId, SubnetId, etc.).
+
+        Args:
+            resources: List of resource dictionaries with metadata
+        """
+        # Build resource ID index
+        resource_index = {r["resource_id"]: r for r in resources}
+
+        for resource in resources:
+            resource_id = resource["resource_id"]
+            resource_type = resource.get("resource_type", "")
+            metadata = resource.get("metadata", {})
+
+            # Get dependency fields for this resource type
+            dep_fields = self.DEPENDENCY_FIELDS.get(resource_type, [])
+
+            for field in dep_fields:
+                # Handle nested fields (e.g., "VpcConfig.SubnetIds")
+                field_value = self._get_nested_field(metadata, field)
+
+                if field_value:
+                    # Handle list values (e.g., SecurityGroupIds)
+                    if isinstance(field_value, list):
+                        for dep_id in field_value:
+                            if dep_id in resource_index:
+                                # resource_id depends on dep_id (parent)
+                                # resource_id must be deleted before dep_id
+                                self.add_dependency(parent=dep_id, child=resource_id)
+                    else:
+                        if field_value in resource_index:
+                            # resource_id depends on field_value (parent)
+                            # resource_id must be deleted before field_value
+                            self.add_dependency(parent=field_value, child=resource_id)
+
+    def compute_deletion_order(self, resources: list[str]) -> list[str]:
+        """Compute deletion order using Kahn's topological sort algorithm.
+
+        Args:
+            resources: List of resource IDs to order
+
+        Returns:
+            List of resource IDs in deletion order (children before parents)
+
+        Raises:
+            ValueError: If circular dependency detected
+        """
+        if self.has_cycle():
+            raise ValueError("Circular dependency detected - cannot compute deletion order")
+
+        # Build in-degree map (number of dependencies each resource has)
+        in_degree = {resource: 0 for resource in resources}
+
+        for resource in resources:
+            if resource in self.graph:
+                # Count how many parents depend on this resource
+                for parent in self.graph[resource]:
+                    if parent in in_degree:
+                        in_degree[parent] += 1
+
+        # Start with resources that have no dependencies (in-degree = 0)
+        queue = deque([resource for resource, degree in in_degree.items() if degree == 0])
+        result = []
+
+        while queue:
+            # Remove resource with no dependencies
+            current = queue.popleft()
+            result.append(current)
+
+            # Reduce in-degree for all parents of this resource
+            if current in self.graph:
+                for parent in self.graph[current]:
+                    if parent in in_degree:
+                        in_degree[parent] -= 1
+
+                        # If parent now has no dependencies, add to queue
+                        if in_degree[parent] == 0:
+                            queue.append(parent)
+
+        # If result doesn't contain all resources, there's a cycle
+        if len(result) != len(resources):
+            raise ValueError("Circular dependency detected - some resources not reachable")
+
+        return result
+
+    def has_cycle(self) -> bool:
+        """Detect if dependency graph contains cycles.
+
+        Returns:
+            True if circular dependency exists, False otherwise
+        """
+        # Use DFS with color marking (white, gray, black)
+        white = 0  # Unvisited
+        gray = 1  # Visiting
+        black = 2  # Visited
+
+        color = {node: white for node in self.graph}
+
+        def dfs(node: str) -> bool:
+            """DFS visit that returns True if cycle found."""
+            if color.get(node, white) == gray:
+                # Back edge found - cycle exists
+                return True
+
+            if color.get(node, white) == black:
+                # Already visited
+                return False
+
+            # Mark as visiting
+            color[node] = gray
+
+            # Visit all parents
+            for parent in self.graph.get(node, []):
+                if dfs(parent):
+                    return True
+
+            # Mark as visited
+            color[node] = black
+            return False
+
+        # Check all nodes
+        for node in self.graph:
+            if color[node] == white:
+                if dfs(node):
+                    return True
+
+        return False
+
+    def get_deletion_tiers(self, resources: list[str]) -> dict[int, list[str]]:
+        """Assign resources to deletion tiers based on dependency depth.
+
+        Tier 1: Resources with no dependencies (delete first)
+        Tier 2: Resources depending only on tier 1
+        Tier 3: Resources depending on tier 2, etc.
+
+        Args:
+            resources: List of resource IDs
+
+        Returns:
+            Dictionary mapping tier number to list of resource IDs
+        """
+        # Build tier assignment based on dependency depth
+        tiers: dict[int, list[str]] = defaultdict(list)
+        resource_tier: dict[str, int] = {}
+
+        # Build in-degree map
+        in_degree = {resource: 0 for resource in resources}
+        for resource in resources:
+            if resource in self.graph:
+                for parent in self.graph[resource]:
+                    if parent in in_degree:
+                        in_degree[parent] += 1
+
+        # Start with tier 1 (resources with no dependencies)
+        queue = deque([(resource, 1) for resource, degree in in_degree.items() if degree == 0])
+
+        while queue:
+            current, tier = queue.popleft()
+            tiers[tier].append(current)
+            resource_tier[current] = tier
+
+            # Process children (resources that depend on current)
+            if current in self.graph:
+                for parent in self.graph[current]:
+                    if parent in in_degree:
+                        in_degree[parent] -= 1
+
+                        if in_degree[parent] == 0:
+                            # Parent goes in next tier
+                            queue.append((parent, tier + 1))
+
+        return dict(tiers)
+
+    def _get_nested_field(self, metadata: dict, field_path: str) -> Any:
+        """Get nested field value from metadata.
+
+        Args:
+            metadata: Resource metadata dictionary
+            field_path: Field path (e.g., "VpcConfig.SubnetIds")
+
+        Returns:
+            Field value if found, None otherwise
+        """
+        parts = field_path.split(".")
+        value: Any = metadata
+
+        for part in parts:
+            if isinstance(value, dict):
+                value = value.get(part)
+                if value is None:
+                    return None
+            else:
+                return None
+
+        return value

src/restore/safety.py

@@ -0,0 +1,115 @@
+"""Safety checks and protection rule evaluation.
+
+Evaluates resources against protection rules to prevent accidental deletion.
+"""
+
+from __future__ import annotations
+
+from typing import Optional
+
+from src.models.protection_rule import ProtectionRule
+
+
+class SafetyChecker:
+    """Safety checker for resource protection evaluation.
+
+    Evaluates resources against configured protection rules to determine if
+    they should be protected from deletion. Supports multiple rule types
+    (tag, type, age, cost, native) with priority-based evaluation.
+
+    Attributes:
+        rules: List of protection rules sorted by priority
+    """
+
+    def __init__(self, rules: list[ProtectionRule]) -> None:
+        """Initialize safety checker.
+
+        Args:
+            rules: List of protection rules (sorted by priority, 1=highest)
+        """
+        self.rules = sorted(rules, key=lambda r: r.priority)
+
+    def is_protected(self, resource: dict) -> tuple[bool, Optional[str]]:
+        """Check if resource is protected by any rule.
+
+        Evaluates resource against all enabled protection rules in priority order.
+        Returns on first matching rule (highest priority wins).
+
+        Args:
+            resource: Resource metadata dictionary
+
+        Returns:
+            Tuple of (is_protected, reason)
+                is_protected: True if resource matches any protection rule
+                reason: Human-readable reason for protection, None if not protected
+        """
+        for rule in self.rules:
+            if not rule.enabled:
+                continue
+
+            if rule.matches(resource):
+                reason = self._get_protection_reason(rule, resource)
+                return True, reason
+
+        return False, None
+
+    def check_all_protections(self, resource: dict) -> list[ProtectionRule]:
+        """Check which protection rules match a resource.
+
+        Unlike is_protected(), this returns ALL matching rules, not just the
+        first one. Useful for detailed protection analysis.
+
+        Args:
+            resource: Resource metadata dictionary
+
+        Returns:
+            List of all matching protection rules
+        """
+        matching_rules = []
+
+        for rule in self.rules:
+            if not rule.enabled:
+                continue
+
+            if rule.matches(resource):
+                matching_rules.append(rule)
+
+        return matching_rules
+
+    def _get_protection_reason(self, rule: ProtectionRule, resource: dict) -> str:
+        """Generate human-readable protection reason.
+
+        Args:
+            rule: Protection rule that matched
+            resource: Resource metadata
+
+        Returns:
+            Human-readable protection reason string
+        """
+        if rule.description:
+            return f"{rule.description} (rule: {rule.rule_id})"
+
+        # Generate default reason based on rule type
+        if rule.rule_type.value == "tag":
+            tag_key = rule.patterns.get("tag_key", "")
+            resource_tag_value = resource.get("tags", {}).get(tag_key, "")
+            return f"Tag {tag_key}={resource_tag_value} (rule: {rule.rule_id})"
+
+        elif rule.rule_type.value == "type":
+            resource_type = resource.get("resource_type", "")
+            return f"Resource type {resource_type} protected (rule: {rule.rule_id})"
+
+        elif rule.rule_type.value == "age":
+            age_days = resource.get("age_days", 0)
+            threshold = rule.threshold_value
+            return f"Resource age {age_days} days < {threshold} days threshold (rule: {rule.rule_id})"
+
+        elif rule.rule_type.value == "cost":
+            cost = resource.get("estimated_monthly_cost", 0)
+            threshold = rule.threshold_value
+            return f"Resource cost ${cost}/month >= ${threshold} threshold (rule: {rule.rule_id})"
+
+        elif rule.rule_type.value == "native":
+            return f"Native protection enabled (rule: {rule.rule_id})"
+
+        return f"Protected by rule {rule.rule_id}"

src/security/checks/base.py

@@ -0,0 +1,56 @@
+"""Base class for security checks."""
+
+from __future__ import annotations
+
+from abc import ABC, abstractmethod
+from typing import List
+
+from ...models.security_finding import SecurityFinding, Severity
+from ...models.snapshot import Snapshot
+
+
+class SecurityCheck(ABC):
+    """Abstract base class for all security checks.
+
+    Each security check should:
+    1. Have a unique check_id
+    2. Have a defined severity level
+    3. Implement the execute method to scan a snapshot
+    4. Return a list of SecurityFinding objects
+    """
+
+    def __init__(self) -> None:
+        """Initialize the security check."""
+        pass
+
+    @property
+    @abstractmethod
+    def check_id(self) -> str:
+        """Unique identifier for this check.
+
+        Returns:
+            String identifier (e.g., "s3_public_bucket")
+        """
+        pass
+
+    @property
+    @abstractmethod
+    def severity(self) -> Severity:
+        """Severity level for findings from this check.
+
+        Returns:
+            Severity enum value
+        """
+        pass
+
+    @abstractmethod
+    def execute(self, snapshot: Snapshot) -> List[SecurityFinding]:
+        """Execute the security check on a snapshot.
+
+        Args:
+            snapshot: Snapshot to scan for security issues
+
+        Returns:
+            List of SecurityFinding objects (empty list if no issues found)
+        """
+        pass

src/security/checks/ec2_checks.py

@@ -0,0 +1,88 @@
+"""EC2 security checks."""
+
+from __future__ import annotations
+
+from typing import Any, Dict, List
+
+from ...models.security_finding import SecurityFinding, Severity
+from ...models.snapshot import Snapshot
+from .base import SecurityCheck
+
+
+class EC2IMDSv1Check(SecurityCheck):
+    """Check for EC2 instances with IMDSv1 enabled.
+
+    EC2 instances should require IMDSv2 (Instance Metadata Service Version 2)
+    for better security. IMDSv1 is vulnerable to SSRF attacks.
+
+    Severity: MEDIUM
+    """
+
+    @property
+    def check_id(self) -> str:
+        """Return check identifier."""
+        return "ec2_imdsv1_enabled"
+
+    @property
+    def severity(self) -> Severity:
+        """Return check severity."""
+        return Severity.MEDIUM
+
+    def execute(self, snapshot: Snapshot) -> List[SecurityFinding]:
+        """Execute EC2 IMDSv1 check.
+
+        Checks for:
+        - EC2 instances with MetadataOptions.HttpTokens = "optional" (IMDSv1 enabled)
+
+        Args:
+            snapshot: Snapshot to scan
+
+        Returns:
+            List of findings for EC2 instances with IMDSv1 enabled
+        """
+        findings: List[SecurityFinding] = []
+
+        for resource in snapshot.resources:
+            # Only check EC2 instances
+            if not resource.resource_type.startswith("ec2:instance"):
+                continue
+
+            if resource.raw_config is None:
+                continue
+
+            # Check if IMDSv1 is enabled
+            if self._is_imdsv1_enabled(resource.raw_config):
+                instance_id = resource.raw_config.get("InstanceId", "unknown")
+                finding = SecurityFinding(
+                    resource_arn=resource.arn,
+                    finding_type=self.check_id,
+                    severity=self.severity,
+                    description=f"EC2 instance '{instance_id}' has IMDSv1 enabled. "
+                    f"The instance allows optional use of session tokens for metadata access, "
+                    f"making it vulnerable to SSRF attacks.",
+                    remediation="Require IMDSv2 for this EC2 instance. "
+                    "Use the AWS CLI command: "
+                    f"'aws ec2 modify-instance-metadata-options --instance-id {instance_id} "
+                    "--http-tokens required --http-endpoint enabled' "
+                    "or update the instance's metadata options in the EC2 console to require IMDSv2.",
+                    metadata={"instance_id": instance_id, "region": resource.region},
+                )
+                findings.append(finding)
+
+        return findings
+
+    def _is_imdsv1_enabled(self, config: Dict[str, Any]) -> bool:
+        """Check if instance has IMDSv1 enabled.
+
+        Args:
+            config: Instance raw configuration
+
+        Returns:
+            True if IMDSv1 is enabled (HttpTokens is "optional")
+        """
+        metadata_options = config.get("MetadataOptions", {})
+        http_tokens = metadata_options.get("HttpTokens", "optional")
+
+        # "optional" means IMDSv1 is enabled (BAD)
+        # "required" means IMDSv2 is required (GOOD)
+        return http_tokens == "optional"

src/security/checks/elasticache_checks.py

@@ -0,0 +1,149 @@
+"""ElastiCache security checks."""
+
+from __future__ import annotations
+
+from typing import Any, Dict, List
+
+from ...models.security_finding import SecurityFinding, Severity
+from ...models.snapshot import Snapshot
+from .base import SecurityCheck
+
+
+class ElastiCacheEncryptionCheck(SecurityCheck):
+    """Check for ElastiCache clusters with encryption issues.
+
+    Checks for:
+    - Redis clusters without encryption at rest (AtRestEncryptionEnabled=False)
+    - Redis/Memcached clusters without encryption in transit (TransitEncryptionEnabled=False)
+
+    Note: Memcached does not support encryption at rest, so only in-transit
+    encryption is checked for Memcached clusters.
+
+    Severity: MEDIUM
+    """
+
+    @property
+    def check_id(self) -> str:
+        """Return check identifier."""
+        return "elasticache_unencrypted"
+
+    @property
+    def severity(self) -> Severity:
+        """Return check severity."""
+        return Severity.MEDIUM
+
+    def execute(self, snapshot: Snapshot) -> List[SecurityFinding]:
+        """Execute ElastiCache encryption checks.
+
+        Checks for:
+        - Redis: AtRestEncryptionEnabled=False or TransitEncryptionEnabled=False
+        - Memcached: TransitEncryptionEnabled=False only (doesn't support at-rest)
+
+        Args:
+            snapshot: Snapshot to scan
+
+        Returns:
+            List of findings for ElastiCache encryption issues
+        """
+        findings: List[SecurityFinding] = []
+
+        for resource in snapshot.resources:
+            # Only check ElastiCache resources
+            if not resource.resource_type.startswith("elasticache:"):
+                continue
+
+            if resource.raw_config is None:
+                continue
+
+            engine = resource.raw_config.get("Engine", "").lower()
+
+            # Check encryption at rest (Redis only)
+            if engine == "redis" and not self._is_encrypted_at_rest(resource.raw_config):
+                finding = self._create_at_rest_finding(resource.name, resource.arn, resource.region, engine)
+                findings.append(finding)
+
+            # Check encryption in transit (both Redis and Memcached)
+            if not self._is_encrypted_in_transit(resource.raw_config):
+                finding = self._create_in_transit_finding(resource.name, resource.arn, resource.region, engine)
+                findings.append(finding)
+
+        return findings
+
+    def _is_encrypted_at_rest(self, config: Dict[str, Any]) -> bool:
+        """Check if cluster has encryption at rest enabled.
+
+        Args:
+            config: ElastiCache cluster raw configuration
+
+        Returns:
+            True if AtRestEncryptionEnabled is True
+        """
+        return config.get("AtRestEncryptionEnabled", False)
+
+    def _is_encrypted_in_transit(self, config: Dict[str, Any]) -> bool:
+        """Check if cluster has encryption in transit enabled.
+
+        Args:
+            config: ElastiCache cluster raw configuration
+
+        Returns:
+            True if TransitEncryptionEnabled is True
+        """
+        return config.get("TransitEncryptionEnabled", False)
+
+    def _create_at_rest_finding(self, cluster_id: str, arn: str, region: str, engine: str) -> SecurityFinding:
+        """Create a finding for cluster without encryption at rest.
+
+        Args:
+            cluster_id: Cluster identifier
+            arn: Resource ARN
+            region: AWS region
+            engine: Engine type (redis/memcached)
+
+        Returns:
+            SecurityFinding for at-rest encryption issue
+        """
+        return SecurityFinding(
+            resource_arn=arn,
+            finding_type=self.check_id,
+            severity=self.severity,
+            description=f"ElastiCache {engine} cluster '{cluster_id}' does not have encryption at rest enabled. "
+            f"Data stored on disk is not encrypted, which could expose sensitive cached data "
+            f"if storage media is compromised.",
+            remediation="Enable encryption at rest for this ElastiCache cluster. "
+            "Note: Encryption at rest cannot be enabled on existing clusters. "
+            "You must create a new cluster with encryption enabled and migrate your data. "
+            "Create a backup of your existing cluster, then restore it to a new cluster with "
+            "AtRestEncryptionEnabled=true. For Redis clusters, ensure you specify a KMS key. "
+            "After verification, update your applications to point to the new encrypted cluster.",
+            metadata={"cluster_id": cluster_id, "region": region, "engine": engine},
+        )
+
+    def _create_in_transit_finding(self, cluster_id: str, arn: str, region: str, engine: str) -> SecurityFinding:
+        """Create a finding for cluster without encryption in transit.
+
+        Args:
+            cluster_id: Cluster identifier
+            arn: Resource ARN
+            region: AWS region
+            engine: Engine type (redis/memcached)
+
+        Returns:
+            SecurityFinding for in-transit encryption issue
+        """
+        return SecurityFinding(
+            resource_arn=arn,
+            finding_type=self.check_id,
+            severity=self.severity,
+            description=f"ElastiCache {engine} cluster '{cluster_id}' does not have encryption in transit enabled. "
+            f"Data transmitted between the cache and clients is not encrypted, which could expose "
+            f"sensitive cached data during transmission.",
+            remediation="Enable encryption in transit for this ElastiCache cluster. "
+            "Note: Encryption in transit cannot be enabled on existing clusters. "
+            "You must create a new cluster with encryption enabled. "
+            f"For {engine}, create a new cluster with TransitEncryptionEnabled=true. "
+            "After creating the encrypted cluster, update your application connection strings "
+            "to use TLS/SSL connections and point to the new cluster endpoint. "
+            "Verify the encrypted connection is working before decommissioning the old cluster.",
+            metadata={"cluster_id": cluster_id, "region": region, "engine": engine},
+        )