boto3-assist 0.32.0__py3-none-any.whl

boto3_assist/securityhub/securityhub.py

@@ -0,0 +1,150 @@
+"""
+Geek Cafe, LLC
+Maintainers: Eric Wilson
+MIT License.  See Project Root for the license information.
+"""
+
+import os
+from typing import Optional, Literal
+
+from aws_lambda_powertools import Logger
+
+from boto3_assist.securityhub.securityhub_connection import SecurityHubConnection
+
+logger = Logger("security-hub-service")
+
+
+class SecurityHub(SecurityHubConnection):
+    """Security Hub Service"""
+
+    def update_findings_status(
+        self,
+        region_name: str,
+        workflow_status: Literal["NEW", "NOTIFIED", "RESOLVED", "SUPPRESSED"],
+        note_text: Optional[str] = None,
+        updated_by: Optional[str] = None,
+    ):
+        """
+        Updates the workflow status for all findings in the specified region.
+
+        :param region_name: AWS region where Security Hub findings are located.
+        :param workflow_status: The new workflow status to apply (e.g., NEW, NOTIFIED, SUPPRESSED, RESOLVED).
+        """
+        # Initialize Security Hub client
+        client = self.client
+
+        findings_to_update = []
+        next_token = None
+
+        logger.info(f"Fetching findings in region: {region_name}...")
+
+        try:
+            # Paginate through findings
+            while True:
+                response = client.get_findings(
+                    MaxResults=100,
+                    Filters={
+                        "Region": [
+                            {"Value": region_name, "Comparison": "EQUALS"},
+                        ]
+                    },
+                    NextToken=next_token if next_token else "",
+                )
+
+                for finding in response.get("Findings", []):
+                    current_status = finding.get("Workflow", {}).get("Status")
+                    if (
+                        current_status
+                        and str(current_status).lower() != str(workflow_status).lower()
+                    ):
+                        findings_to_update.append(
+                            {
+                                "Id": finding["Id"],
+                                "ProductArn": finding["ProductArn"],
+                            }
+                        )
+                    else:
+                        logger.debug(
+                            f"Skipping: {finding['Id']} with a status of {current_status}"
+                        )
+
+                next_token = response.get("NextToken")
+                if not next_token:
+                    break
+
+            print(f"Found {len(findings_to_update)} findings to update.")
+
+            note_text = note_text or "Automated Update"
+            updated_by = updated_by or "System"
+            # Update workflow status in batches of 100
+            for i in range(0, len(findings_to_update), 100):
+                batch = findings_to_update[i : i + 100]
+                response = client.batch_update_findings(
+                    FindingIdentifiers=batch,
+                    Workflow={"Status": str(workflow_status).upper()},
+                    Note={"Text": note_text, "UpdatedBy": updated_by},
+                )
+                logger.debug(
+                    f"Updated findings {i + 1} to {i + len(batch)} to status: {workflow_status}"
+                )
+                print(response)
+
+            logger.info("All findings updated successfully!")
+
+        except Exception as e:
+            logger.exception(f"An error occurred: {str(e)}")
+            raise
+
+
+def main():
+    status = "RESOLVED"  # Change to NEW, NOTIFIED, SUPPRESSED, or RESOLVED
+    note_text = "This region is now disabled."
+    # these are my linked regions and the only ones I care about
+    # if have SCP's in place for the other regions
+    regions_to_skip = ["us-east-1", "us-west-2", "eu-west-2"]
+
+    aws_profile = os.getenv("SECURITY_HUB_PROFILE")
+
+    aws_regions = {
+        "af-south-1": "Africa (Cape Town)",
+        "ap-east-1": "Asia Pacific (Hong Kong)",
+        "ap-northeast-1": "Asia Pacific (Tokyo)",
+        "ap-northeast-2": "Asia Pacific (Seoul)",
+        "ap-northeast-3": "Asia Pacific (Osaka)",
+        "ap-south-1": "Asia Pacific (Mumbai)",
+        "ap-south-2": "Asia Pacific (Hyderabad)",
+        "ap-southeast-1": "Asia Pacific (Singapore)",
+        "ap-southeast-2": "Asia Pacific (Sydney)",
+        "ap-southeast-3": "Asia Pacific (Jakarta)",
+        "ap-southeast-4": "Asia Pacific (Melbourne)",
+        "ap-southeast-5": "Asia Pacific (Auckland)",
+        "ca-central-1": "Canada (Central)",
+        "ca-west-1": "Canada (West)",
+        "eu-central-1": "Europe (Frankfurt)",
+        "eu-central-2": "Europe (Zurich)",
+        "eu-north-1": "Europe (Stockholm)",
+        "eu-south-1": "Europe (Milan)",
+        "eu-south-2": "Europe (Spain)",
+        "eu-west-1": "Europe (Ireland)",
+        "eu-west-2": "Europe (London)",
+        "eu-west-3": "Europe (Paris)",
+        "il-central-1": "Israel (Tel Aviv)",
+        "me-central-1": "Middle East (UAE)",
+        "sa-east-1": "South America (São Paulo)",
+        "us-east-1": "US East (N. Virginia)",
+        "us-east-2": "US East (Ohio)",
+        "us-west-1": "US West (N. California)",
+        "us-west-2": "US West (Oregon)",
+    }
+
+    sh: SecurityHub = SecurityHub(aws_profile=aws_profile)
+    for region in aws_regions:
+        print(region)
+        if region not in regions_to_skip:
+            sh.update_findings_status(region, status, note_text=note_text)
+        else:
+            print(f"Skipping region: {region}")
+
+
+if __name__ == "__main__":
+    main()

boto3_assist/securityhub/securityhub_connection.py

@@ -0,0 +1,57 @@
+"""
+Geek Cafe, LLC
+Maintainers: Eric Wilson
+MIT License.  See Project Root for the license information.
+"""
+
+from typing import Optional
+from typing import TYPE_CHECKING
+
+from aws_lambda_powertools import Logger
+
+from boto3_assist.connection import Connection
+
+if TYPE_CHECKING:
+    from mypy_boto3_securityhub import SecurityHubClient
+else:
+    SecurityHubClient = object
+
+
+logger = Logger()
+
+
+class SecurityHubConnection(Connection):
+    """Connection"""
+
+    def __init__(
+        self,
+        *,
+        aws_profile: Optional[str] = None,
+        aws_region: Optional[str] = None,
+        aws_end_point_url: Optional[str] = None,
+        aws_access_key_id: Optional[str] = None,
+        aws_secret_access_key: Optional[str] = None,
+    ) -> None:
+        super().__init__(
+            service_name="securityhub",
+            aws_profile=aws_profile,
+            aws_region=aws_region,
+            aws_access_key_id=aws_access_key_id,
+            aws_secret_access_key=aws_secret_access_key,
+            aws_end_point_url=aws_end_point_url,
+        )
+
+        self.__client: SecurityHubClient | None = None
+
+    @property
+    def client(self) -> SecurityHubClient:
+        """Client Connection"""
+        if self.__client is None:
+            self.__client = self.session.client
+
+        return self.__client
+
+    @client.setter
+    def client(self, value: SecurityHubClient):
+        logger.info("Setting Client")
+        self.__client = value

boto3_assist/session_setup_mixin.py

@@ -0,0 +1,70 @@
+"""
+Geek Cafe, LLC
+Maintainers: Eric Wilson
+MIT License.  See Project Root for the license information.
+"""
+
+import os
+import boto3
+from typing import Optional
+from boto3_assist.aws_config import AWSConfig
+
+
+class SessionSetupMixin:
+    def _create_base_session(
+        self,
+        aws_profile: Optional[str],
+        aws_region: Optional[str],
+        aws_access_key_id: Optional[str],
+        aws_secret_access_key: Optional[str],
+        aws_session_token: Optional[str],
+    ) -> boto3.Session:
+        try:
+            return boto3.Session(
+                profile_name=aws_profile,
+                region_name=aws_region,
+                aws_access_key_id=aws_access_key_id,
+                aws_secret_access_key=aws_secret_access_key,
+                aws_session_token=aws_session_token,
+            )
+        except Exception as e:
+
+            error_message = f"Failed to create boto3 session "
+            if "profile" in str(e).lower():
+                error_message += " due to a profile error "
+
+                error_message += f" with profile '{aws_profile}'."
+                config: AWSConfig = AWSConfig()
+                if not config.path_exists():
+                    error_message += (
+                        f" The AWS config file '{config.get_path()}' was not found. "
+                        "Please ensure that the AWS CLI is installed and configured correctly. "
+                        "You can install the AWS CLI by running 'pip install awscli' or 'pip install awscli --upgrade'. "
+                    )
+
+                    if (
+                        os.getenv("HOME") == "/tmp"
+                        or os.getenv("AWS_CONFIG_FILE") == "/tmp"
+                    ):
+                        error_message += (
+                            f'The environment HOME path is set to {os.getenv("HOME")}. '
+                        )
+                        if os.getenv("AWS_CONFIG_FILE"):
+                            error_message += (
+                                f"The environment AWS_CONFIG_FILE is set to {os.getenv('AWS_CONFIG_FILE')}. "
+                                "The AWS_CONFIG_FILE overrides the HOME directory and path. "
+                            )
+
+                        error_message += (
+                            "If you are running this locally and expecting it to be in your users home "
+                            "directory, you may need to set the HOME or AWS_CONFIG_FILE environment variable manually. "
+                            "There could be other actions such as a Lambda environment resetting the path to /tmp. "
+                            "If you are running in a GitHub Actions environment, "
+                            "you may need to set the HOME or AWS_CONFIG_FILE environment variable to '/home/runner'. "
+                        )
+                elif not config.has_profile(aws_profile):
+                    error_message += f" The profile '{aws_profile}' was not found in the AWS config file in {config.get_path()}."
+
+            # check for the existence of the profile and the path to the profile
+
+            raise RuntimeError(error_message) from e

boto3_assist/ssm/connection.py

@@ -0,0 +1,57 @@
+"""
+Geek Cafe, LLC
+Maintainers: Eric Wilson
+MIT License.  See Project Root for the license information.
+"""
+
+from typing import Optional
+from typing import TYPE_CHECKING
+
+from aws_lambda_powertools import Logger
+
+from boto3_assist.connection import Connection
+
+if TYPE_CHECKING:
+    from mypy_boto3_ssm import Client
+else:
+    Client = object
+
+
+logger = Logger()
+
+
+class SSMConnection(Connection):
+    """Connection"""
+
+    def __init__(
+        self,
+        *,
+        aws_profile: Optional[str] = None,
+        aws_region: Optional[str] = None,
+        aws_end_point_url: Optional[str] = None,
+        aws_access_key_id: Optional[str] = None,
+        aws_secret_access_key: Optional[str] = None,
+    ) -> None:
+        super().__init__(
+            service_name="ssm",
+            aws_profile=aws_profile,
+            aws_region=aws_region,
+            aws_access_key_id=aws_access_key_id,
+            aws_secret_access_key=aws_secret_access_key,
+            aws_end_point_url=aws_end_point_url,
+        )
+
+        self.__client: Client | None = None
+
+    @property
+    def client(self) -> Client:
+        """Client Connection"""
+        if self.__client is None:
+            self.__client = self.session.client
+
+        return self.__client
+
+    @client.setter
+    def client(self, value: Client):
+        logger.info("Setting Client")
+        self.__client = value

boto3_assist/ssm/parameter_store/parameter_store.py

@@ -0,0 +1,116 @@
+"""
+Geek Cafe, LLC
+Maintainers: Eric Wilson
+MIT License.  See Project Root for the license information.
+"""
+
+from typing import Optional, Literal
+
+from botocore.exceptions import ClientError
+from boto3_assist.ssm.connection import SSMConnection
+
+
+class ParameterStore(SSMConnection):
+    """Parameter Store"""
+
+    def get_parameter(self, name: str, with_decryption=True):
+        """
+        Retrieve a parameter from Parameter Store.
+
+        :param name: The full name of the parameter.
+        :param with_decryption: If True, decrypt secure strings.
+        :return: The parameter value or None if an error occurs.
+        """
+        try:
+            response = self.client.get_parameter(
+                Name=name, WithDecryption=with_decryption
+            )
+            return response["Parameter"]["Value"]
+        except ClientError as e:
+            print(f"Error getting parameter {name}: {e}")
+            raise
+
+    def put_parameter(
+        self,
+        name: str,
+        value: str,
+        type: Literal["String", "StringList", "SecureString"] = "String",  # pylint: disable=redefined-builtin
+        overwrite=True,
+    ):
+        """
+        Create or update a parameter in Parameter Store.
+
+        :param name: The full name of the parameter.
+        :param value: The value to store.
+        :param type: Parameter type ('String', 'StringList', or 'SecureString').
+        :param overwrite: If True, overwrite an existing parameter.
+        :return: The response from the put_parameter call or None on error.
+        """
+        try:
+            response = self.client.put_parameter(
+                Name=name, Value=value, Type=type, Overwrite=overwrite
+            )
+            return response
+        except ClientError as e:
+            print(f"Error putting parameter {name}: {e}")
+            raise
+
+    def delete_parameter(self, name: str):
+        """
+        Delete a parameter from Parameter Store.
+
+        :param name: The full name of the parameter.
+        :return: The response from the delete_parameter call or None on error.
+        """
+        try:
+            response = self.client.delete_parameter(Name=name)
+            return response
+        except ClientError as e:
+            print(f"Error deleting parameter {name}: {e}")
+            raise
+
+    def list_parameters(self, path: str = "/", recursive=True):
+        """
+        List parameters in a given path.
+
+        :param path: The hierarchical path for the parameters.
+        :param recursive: If True, retrieve parameters recursively.
+        :return: A list of parameter metadata dictionaries.
+        """
+        try:
+            paginator = self.client.get_paginator("describe_parameters")
+            parameters = []
+            filters = [
+                {
+                    "Key": "Path",
+                    "Option": "Recursive" if recursive else "OneLevel",
+                    "Values": [path],
+                }
+            ]
+            for page in paginator.paginate(ParameterFilters=filters):
+                parameters.extend(page.get("Parameters", []))
+            return parameters
+        except ClientError as e:
+            print(f"Error listing parameters for path {path}: {e}")
+            raise
+
+
+# Example usage:
+if __name__ == "__main__":
+    # Initialize the ParameterStore class.
+    ssm = ParameterStore()
+    # Example: Put a parameter.
+    put_response = ssm.put_parameter("/myapp/AccountNumber", "123456789012")
+    print("Put parameter response:", put_response)
+
+    # Example: Get a parameter.
+    account_number = ssm.get_parameter("/myapp/AccountNumber")
+    print("Account Number:", account_number)
+
+    # Example: List parameters under /myapp.
+    params = ssm.list_parameters(path="/myapp")
+    print("Parameters under /myapp:", params)
+
+    # Example: Delete a parameter.
+    delete_response = ssm.delete_parameter("/myapp/AccountNumber")
+    print("Delete parameter response:", delete_response)