aws-inventory-manager 0.17.12__py3-none-any.whl

src/security/checks/iam_checks.py

@@ -0,0 +1,102 @@
+"""IAM security checks."""
+
+from __future__ import annotations
+
+from datetime import datetime, timezone
+from typing import List
+
+from ...models.security_finding import SecurityFinding, Severity
+from ...models.snapshot import Snapshot
+from .base import SecurityCheck
+
+
+class IAMCredentialAgeCheck(SecurityCheck):
+    """Check for IAM users with access keys older than 90 days.
+
+    CIS AWS Foundations Benchmark: 1.3 or 1.4
+    Severity: MEDIUM
+    """
+
+    @property
+    def check_id(self) -> str:
+        """Return check identifier."""
+        return "iam_credential_age"
+
+    @property
+    def severity(self) -> Severity:
+        """Return check severity."""
+        return Severity.MEDIUM
+
+    def execute(self, snapshot: Snapshot) -> List[SecurityFinding]:
+        """Execute IAM credential age check.
+
+        Checks for:
+        - IAM users with access keys older than 90 days
+
+        Args:
+            snapshot: Snapshot to scan
+
+        Returns:
+            List of findings for IAM users with old credentials
+        """
+        findings: List[SecurityFinding] = []
+        threshold_days = 90
+
+        for resource in snapshot.resources:
+            # Only check IAM users
+            if not resource.resource_type.startswith("iam:user"):
+                continue
+
+            if resource.raw_config is None:
+                continue
+
+            # Check access keys
+            access_keys = resource.raw_config.get("AccessKeys", [])
+            for key in access_keys:
+                create_date_str = key.get("CreateDate")
+                if not create_date_str:
+                    continue
+
+                # Parse the date string (handle ISO format)
+                if isinstance(create_date_str, str):
+                    # Remove trailing 'Z' if present and parse as ISO format
+                    create_date_str = create_date_str.rstrip("Z")
+                    if "+" in create_date_str:
+                        # Has timezone
+                        create_date = datetime.fromisoformat(create_date_str)
+                    else:
+                        # No timezone, add UTC
+                        create_date = datetime.fromisoformat(create_date_str).replace(tzinfo=timezone.utc)
+                else:
+                    # Assume it's already a datetime object
+                    create_date = create_date_str
+                    if create_date.tzinfo is None:
+                        create_date = create_date.replace(tzinfo=timezone.utc)
+
+                # Calculate age in days
+                days_old = (datetime.now(timezone.utc) - create_date).days
+
+                # Check if key is older than threshold (> 90 days, not >= 90 days)
+                if days_old > threshold_days:
+                    finding = SecurityFinding(
+                        resource_arn=resource.arn,
+                        finding_type=self.check_id,
+                        severity=self.severity,
+                        description=f"IAM user '{resource.name}' has an access key that is {days_old} days old, "
+                        f"exceeding the {threshold_days}-day threshold. Old credentials increase security risk.",
+                        remediation="Rotate the access key for this IAM user. "
+                        "Create a new access key, update all applications using the old key, "
+                        "then deactivate and delete the old key. "
+                        "Consider using IAM roles instead of long-term credentials.",
+                        cis_control="1.4",
+                        metadata={
+                            "user_name": resource.name,
+                            "key_age_days": days_old,
+                            "key_id": key.get("AccessKeyId", "unknown"),
+                        },
+                    )
+                    findings.append(finding)
+                    # Only report one finding per user (for the oldest key)
+                    break
+
+        return findings

src/security/checks/rds_checks.py

@@ -0,0 +1,140 @@
+"""RDS security checks."""
+
+from __future__ import annotations
+
+from typing import Any, Dict, List
+
+from ...models.security_finding import SecurityFinding, Severity
+from ...models.snapshot import Snapshot
+from .base import SecurityCheck
+
+
+class RDSPublicCheck(SecurityCheck):
+    """Check for RDS instances with security issues.
+
+    Checks for:
+    - Publicly accessible RDS instances (PubliclyAccessible=True)
+    - Unencrypted RDS storage (StorageEncrypted=False)
+
+    Severity: HIGH
+    """
+
+    @property
+    def check_id(self) -> str:
+        """Return check identifier."""
+        return "rds_publicly_accessible"
+
+    @property
+    def severity(self) -> Severity:
+        """Return check severity."""
+        return Severity.HIGH
+
+    def execute(self, snapshot: Snapshot) -> List[SecurityFinding]:
+        """Execute RDS security checks.
+
+        Checks for:
+        - PubliclyAccessible set to True
+        - StorageEncrypted set to False
+
+        Args:
+            snapshot: Snapshot to scan
+
+        Returns:
+            List of findings for RDS security issues
+        """
+        findings: List[SecurityFinding] = []
+
+        for resource in snapshot.resources:
+            # Only check RDS resources
+            if not resource.resource_type.startswith("rds:"):
+                continue
+
+            if resource.raw_config is None:
+                continue
+
+            # Check for public accessibility
+            if self._is_publicly_accessible(resource.raw_config):
+                finding = self._create_public_finding(resource.name, resource.arn, resource.region)
+                findings.append(finding)
+
+            # Check for unencrypted storage
+            if not self._is_encrypted(resource.raw_config):
+                finding = self._create_encryption_finding(resource.name, resource.arn, resource.region)
+                findings.append(finding)
+
+        return findings
+
+    def _is_publicly_accessible(self, config: Dict[str, Any]) -> bool:
+        """Check if RDS instance is publicly accessible.
+
+        Args:
+            config: RDS instance raw configuration
+
+        Returns:
+            True if PubliclyAccessible is True
+        """
+        return config.get("PubliclyAccessible", False)
+
+    def _is_encrypted(self, config: Dict[str, Any]) -> bool:
+        """Check if RDS instance storage is encrypted.
+
+        Args:
+            config: RDS instance raw configuration
+
+        Returns:
+            True if StorageEncrypted is True
+        """
+        return config.get("StorageEncrypted", False)
+
+    def _create_public_finding(self, db_identifier: str, arn: str, region: str) -> SecurityFinding:
+        """Create a finding for publicly accessible RDS instance.
+
+        Args:
+            db_identifier: Database instance identifier
+            arn: Resource ARN
+            region: AWS region
+
+        Returns:
+            SecurityFinding for public accessibility issue
+        """
+        return SecurityFinding(
+            resource_arn=arn,
+            finding_type=self.check_id,
+            severity=self.severity,
+            description=f"RDS instance '{db_identifier}' is publicly accessible. "
+            f"The database is configured with PubliclyAccessible=True, which allows "
+            f"connections from the internet if security groups permit.",
+            remediation="Disable public accessibility for this RDS instance. "
+            "Use AWS CLI: 'aws rds modify-db-instance --db-instance-identifier "
+            f"{db_identifier} --no-publicly-accessible' or modify the instance "
+            "in the RDS console by setting 'Publicly accessible' to 'No' under "
+            "Connectivity & security settings.",
+            metadata={"db_identifier": db_identifier, "region": region},
+        )
+
+    def _create_encryption_finding(self, db_identifier: str, arn: str, region: str) -> SecurityFinding:
+        """Create a finding for unencrypted RDS instance.
+
+        Args:
+            db_identifier: Database instance identifier
+            arn: Resource ARN
+            region: AWS region
+
+        Returns:
+            SecurityFinding for encryption issue
+        """
+        return SecurityFinding(
+            resource_arn=arn,
+            finding_type=self.check_id,
+            severity=self.severity,
+            description=f"RDS instance '{db_identifier}' does not have storage encryption enabled. "
+            f"The database is configured with StorageEncrypted=False, which means data at rest "
+            f"is not encrypted.",
+            remediation="Enable encryption for this RDS instance. Note: Encryption cannot be "
+            "enabled on existing instances. You must create a snapshot, copy it with encryption "
+            "enabled, and restore a new instance from the encrypted snapshot. "
+            "Use AWS CLI: 'aws rds copy-db-snapshot --source-db-snapshot-identifier <snapshot-id> "
+            "--target-db-snapshot-identifier <encrypted-snapshot-id> --kms-key-id <kms-key>' "
+            "then restore from the encrypted snapshot.",
+            metadata={"db_identifier": db_identifier, "region": region},
+        )

src/security/checks/s3_checks.py

@@ -0,0 +1,95 @@
+"""S3 security checks."""
+
+from __future__ import annotations
+
+from typing import Any, Dict, List
+
+from ...models.security_finding import SecurityFinding, Severity
+from ...models.snapshot import Snapshot
+from .base import SecurityCheck
+
+
+class S3PublicBucketCheck(SecurityCheck):
+    """Check for publicly accessible S3 buckets.
+
+    CIS AWS Foundations Benchmark: 2.1.5
+    Severity: CRITICAL
+    """
+
+    @property
+    def check_id(self) -> str:
+        """Return check identifier."""
+        return "s3_public_bucket"
+
+    @property
+    def severity(self) -> Severity:
+        """Return check severity."""
+        return Severity.CRITICAL
+
+    def execute(self, snapshot: Snapshot) -> List[SecurityFinding]:
+        """Execute S3 public bucket check.
+
+        Checks for:
+        - Public access block configuration disabled
+        - Bucket ACLs allowing public read/write
+        - Bucket policies allowing public access
+
+        Args:
+            snapshot: Snapshot to scan
+
+        Returns:
+            List of findings for publicly accessible buckets
+        """
+        findings: List[SecurityFinding] = []
+
+        for resource in snapshot.resources:
+            # Only check S3 buckets
+            if not resource.resource_type.startswith("s3:"):
+                continue
+
+            if resource.raw_config is None:
+                continue
+
+            # Check PublicAccessBlockConfiguration
+            is_public = self._is_bucket_public(resource.raw_config)
+
+            if is_public:
+                finding = SecurityFinding(
+                    resource_arn=resource.arn,
+                    finding_type=self.check_id,
+                    severity=self.severity,
+                    description=f"S3 bucket '{resource.name}' is publicly accessible. "
+                    f"Public access block configuration is disabled, allowing public access to the bucket.",
+                    remediation="Enable S3 Block Public Access settings for this bucket. "
+                    "Go to the S3 console, select the bucket, choose 'Permissions', "
+                    "then 'Block Public Access' and enable all four settings.",
+                    cis_control="2.1.5",
+                    metadata={"bucket_name": resource.name, "region": resource.region},
+                )
+                findings.append(finding)
+
+        return findings
+
+    def _is_bucket_public(self, config: Dict[str, Any]) -> bool:
+        """Check if bucket configuration indicates public access.
+
+        Args:
+            config: Bucket raw configuration
+
+        Returns:
+            True if bucket appears to be publicly accessible
+        """
+        # Check PublicAccessBlockConfiguration
+        public_access_block = config.get("PublicAccessBlockConfiguration", {})
+
+        # If any of these are False, bucket might be public
+        block_public_acls = public_access_block.get("BlockPublicAcls", False)
+        ignore_public_acls = public_access_block.get("IgnorePublicAcls", False)
+        block_public_policy = public_access_block.get("BlockPublicPolicy", False)
+        restrict_public_buckets = public_access_block.get("RestrictPublicBuckets", False)
+
+        # Bucket is considered public if ANY of the blocks are disabled (False)
+        if not (block_public_acls and ignore_public_acls and block_public_policy and restrict_public_buckets):
+            return True
+
+        return False

src/security/checks/secrets_checks.py

@@ -0,0 +1,96 @@
+"""Secrets Manager security checks."""
+
+from __future__ import annotations
+
+from datetime import datetime, timezone
+from typing import List
+
+from ...models.security_finding import SecurityFinding, Severity
+from ...models.snapshot import Snapshot
+from .base import SecurityCheck
+
+
+class SecretsRotationCheck(SecurityCheck):
+    """Check for Secrets Manager secrets not rotated in 90+ days.
+
+    Severity: MEDIUM
+    """
+
+    @property
+    def check_id(self) -> str:
+        """Return check identifier."""
+        return "secrets_rotation_age"
+
+    @property
+    def severity(self) -> Severity:
+        """Return check severity."""
+        return Severity.MEDIUM
+
+    def execute(self, snapshot: Snapshot) -> List[SecurityFinding]:
+        """Execute secrets rotation check.
+
+        Checks for:
+        - Secrets Manager secrets not rotated in 90+ days
+
+        Args:
+            snapshot: Snapshot to scan
+
+        Returns:
+            List of findings for secrets not rotated recently
+        """
+        findings: List[SecurityFinding] = []
+        threshold_days = 90
+
+        for resource in snapshot.resources:
+            # Only check Secrets Manager secrets
+            if not resource.resource_type.startswith("secretsmanager:"):
+                continue
+
+            if resource.raw_config is None:
+                continue
+
+            # Check last rotated date
+            last_rotated_str = resource.raw_config.get("LastRotatedDate")
+            if not last_rotated_str:
+                continue
+
+            # Parse the date string (handle ISO format)
+            if isinstance(last_rotated_str, str):
+                # Remove trailing 'Z' if present and parse as ISO format
+                last_rotated_str = last_rotated_str.rstrip("Z")
+                if "+" in last_rotated_str:
+                    # Has timezone
+                    last_rotated = datetime.fromisoformat(last_rotated_str)
+                else:
+                    # No timezone, add UTC
+                    last_rotated = datetime.fromisoformat(last_rotated_str).replace(tzinfo=timezone.utc)
+            else:
+                # Assume it's already a datetime object
+                last_rotated = last_rotated_str
+                if last_rotated.tzinfo is None:
+                    last_rotated = last_rotated.replace(tzinfo=timezone.utc)
+
+            # Calculate days since rotation
+            days_since_rotation = (datetime.now(timezone.utc) - last_rotated).days
+
+            # Check if secret hasn't been rotated recently (> 90 days, not >= 90 days)
+            if days_since_rotation > threshold_days:
+                finding = SecurityFinding(
+                    resource_arn=resource.arn,
+                    finding_type=self.check_id,
+                    severity=self.severity,
+                    description=f"Secret '{resource.name}' has not been rotated in {days_since_rotation} days, "
+                    f"exceeding the {threshold_days}-day threshold. "
+                    f"Regular rotation reduces risk of credential compromise.",
+                    remediation="Rotate the secret in AWS Secrets Manager. "
+                    "You can manually rotate the secret or enable automatic rotation. "
+                    "Go to the Secrets Manager console, select the secret, and choose 'Rotate secret immediately'.",
+                    metadata={
+                        "secret_name": resource.name,
+                        "days_since_rotation": days_since_rotation,
+                        "region": resource.region,
+                    },
+                )
+                findings.append(finding)
+
+        return findings

src/security/checks/sg_checks.py

@@ -0,0 +1,142 @@
+"""Security Group security checks."""
+
+from __future__ import annotations
+
+from typing import Any, Dict, List
+
+from ...models.security_finding import SecurityFinding, Severity
+from ...models.snapshot import Snapshot
+from .base import SecurityCheck
+
+
+class SecurityGroupOpenCheck(SecurityCheck):
+    """Check for security groups with critical ports open to 0.0.0.0/0.
+
+    Critical ports checked:
+    - 22 (SSH) - CIS 5.2
+    - 3389 (RDP) - CIS 5.3
+    - 3306 (MySQL)
+    - 5432 (PostgreSQL)
+    - 1433 (Microsoft SQL Server)
+    - 27017 (MongoDB)
+
+    Severity: HIGH
+    """
+
+    # Critical ports to check and their descriptions
+    CRITICAL_PORTS = {
+        22: ("SSH", "5.2"),
+        3389: ("RDP", "5.3"),
+        3306: ("MySQL", "5.2"),
+        5432: ("PostgreSQL", "5.2"),
+        1433: ("Microsoft SQL Server", "5.2"),
+        27017: ("MongoDB", "5.2"),
+    }
+
+    @property
+    def check_id(self) -> str:
+        """Return check identifier."""
+        return "security_group_open"
+
+    @property
+    def severity(self) -> Severity:
+        """Return check severity."""
+        return Severity.HIGH
+
+    def execute(self, snapshot: Snapshot) -> List[SecurityFinding]:
+        """Execute security group open port check.
+
+        Checks for critical ports (22, 3389, 3306, 5432, 1433, 27017) that are
+        open to 0.0.0.0/0 in security group ingress rules.
+
+        Args:
+            snapshot: Snapshot to scan
+
+        Returns:
+            List of findings for security groups with open critical ports
+        """
+        findings: List[SecurityFinding] = []
+
+        for resource in snapshot.resources:
+            # Only check EC2 security groups
+            if not resource.resource_type.startswith("ec2:security-group"):
+                continue
+
+            if resource.raw_config is None:
+                continue
+
+            # Check for open critical ports
+            open_ports = self._find_open_critical_ports(resource.raw_config)
+
+            # Create one finding per open port
+            for port in open_ports:
+                port_name, cis_control = self.CRITICAL_PORTS[port]
+
+                finding = SecurityFinding(
+                    resource_arn=resource.arn,
+                    finding_type=self.check_id,
+                    severity=self.severity,
+                    description=f"Security group '{resource.name}' has port {port} ({port_name}) "
+                    f"open to 0.0.0.0/0. This allows unrestricted access from the internet.",
+                    remediation=f"Restrict access to port {port} by removing the 0.0.0.0/0 CIDR range "
+                    f"from the security group ingress rules. Only allow access from specific, "
+                    f"trusted IP addresses or CIDR blocks that require access.",
+                    cis_control=cis_control,
+                    metadata={
+                        "group_id": resource.raw_config.get("GroupId", ""),
+                        "port": port,
+                        "protocol": "tcp",
+                        "cidr": "0.0.0.0/0",
+                    },
+                )
+                findings.append(finding)
+
+        return findings
+
+    def _find_open_critical_ports(self, config: Dict[str, Any]) -> List[int]:
+        """Find critical ports that are open to 0.0.0.0/0.
+
+        Args:
+            config: Security group raw configuration
+
+        Returns:
+            List of critical port numbers that are open to 0.0.0.0/0
+        """
+        open_ports: List[int] = []
+        ip_permissions = config.get("IpPermissions", [])
+
+        for permission in ip_permissions:
+            # Get the port range
+            from_port = permission.get("FromPort")
+            to_port = permission.get("ToPort")
+
+            # Skip if no ports defined
+            if from_port is None or to_port is None:
+                continue
+
+            # Check if any critical port is in this range
+            for critical_port in self.CRITICAL_PORTS.keys():
+                if from_port <= critical_port <= to_port:
+                    # Check if this port is open to 0.0.0.0/0
+                    if self._is_open_to_world(permission):
+                        open_ports.append(critical_port)
+
+        return open_ports
+
+    def _is_open_to_world(self, permission: Dict[str, Any]) -> bool:
+        """Check if a permission allows access from 0.0.0.0/0.
+
+        Args:
+            permission: IP permission dictionary from IpPermissions
+
+        Returns:
+            True if permission includes 0.0.0.0/0
+        """
+        ip_ranges = permission.get("IpRanges", [])
+
+        for ip_range in ip_ranges:
+            cidr = ip_range.get("CidrIp", "")
+            if cidr == "0.0.0.0/0":
+                return True
+
+        return False

src/security/cis_mapper.py

@@ -0,0 +1,97 @@
+"""CIS Benchmark mapper for security findings."""
+
+from __future__ import annotations
+
+from typing import Dict, List, Optional
+
+from src.models.security_finding import SecurityFinding
+
+
+class CISMapper:
+    """Maps security findings to CIS AWS Foundations Benchmark controls."""
+
+    # CIS control ID to human-readable name mapping
+    CIS_CONTROLS = {
+        "2.1.5": "S3 Bucket Public Access Block",
+        "5.2": "Security Groups - SSH Access",
+        "5.3": "Security Groups - RDP Access",
+        "1.3": "IAM Access Keys Rotated",
+        "1.4": "IAM Credentials Unused",
+    }
+
+    def get_cis_control(self, finding: SecurityFinding) -> Optional[str]:
+        """Get the CIS control ID from a security finding.
+
+        Args:
+            finding: SecurityFinding to extract control ID from
+
+        Returns:
+            CIS control ID string or None if not mapped
+        """
+        return finding.cis_control
+
+    def get_control_name(self, control_id: str) -> Optional[str]:
+        """Get the human-readable name for a CIS control ID.
+
+        Args:
+            control_id: CIS control ID (e.g., "2.1.5")
+
+        Returns:
+            Human-readable control name or None if not found
+        """
+        return self.CIS_CONTROLS.get(control_id)
+
+    def get_summary(self, findings: List[SecurityFinding]) -> dict:
+        """Generate a summary of CIS control pass/fail statistics.
+
+        Args:
+            findings: List of security findings
+
+        Returns:
+            Dictionary with total_controls_checked, controls_failed, controls_passed
+        """
+        # If no findings, return zeros
+        if not findings:
+            return {
+                "total_controls_checked": 0,
+                "controls_failed": 0,
+                "controls_passed": 0,
+            }
+
+        # Count unique CIS controls that have findings (failures)
+        failed_controls = set()
+        for finding in findings:
+            if finding.cis_control:
+                failed_controls.add(finding.cis_control)
+
+        controls_failed = len(failed_controls)
+
+        # For this implementation, we assume all known CIS controls were checked
+        # and only the ones with findings failed
+        total_controls_checked = len(self.CIS_CONTROLS)
+        controls_passed = total_controls_checked - controls_failed
+
+        return {
+            "total_controls_checked": total_controls_checked,
+            "controls_failed": controls_failed,
+            "controls_passed": controls_passed,
+        }
+
+    def group_by_control(self, findings: List[SecurityFinding]) -> Dict[str, List[SecurityFinding]]:
+        """Group security findings by their CIS control ID.
+
+        Args:
+            findings: List of security findings
+
+        Returns:
+            Dictionary mapping CIS control IDs to lists of findings
+        """
+        grouped: Dict[str, List[SecurityFinding]] = {}
+
+        for finding in findings:
+            if finding.cis_control:
+                if finding.cis_control not in grouped:
+                    grouped[finding.cis_control] = []
+                grouped[finding.cis_control].append(finding)
+
+        return grouped