cartography 0.102.0rc2__py3-none-any.whl → 0.103.0rc1__py3-none-any.whl

cartography/intel/aws/secretsmanager.py

@@ -16,11 +16,11 @@ logger = logging.getLogger(__name__)
 @timeit
 @aws_handle_regions
 def get_secret_list(boto3_session: boto3.session.Session, region: str) -> List[Dict]:
-    client = boto3_session.client('secretsmanager', region_name=region)
-    paginator = client.get_paginator('list_secrets')
+    client = boto3_session.client("secretsmanager", region_name=region)
+    paginator = client.get_paginator("list_secrets")
     secrets: List[Dict] = []
     for page in paginator.paginate():
-        secrets.extend(page['SecretList'])
+        secrets.extend(page["SecretList"])
     return secrets
 
 
@@ -52,11 +52,11 @@ def load_secrets(
         SET r.lastupdated = $aws_update_tag
     """
     for secret in data:
-        secret['LastRotatedDate'] = dict_date_to_epoch(secret, 'LastRotatedDate')
-        secret['LastChangedDate'] = dict_date_to_epoch(secret, 'LastChangedDate')
-        secret['LastAccessedDate'] = dict_date_to_epoch(secret, 'LastAccessedDate')
-        secret['DeletedDate'] = dict_date_to_epoch(secret, 'DeletedDate')
-        secret['CreatedDate'] = dict_date_to_epoch(secret, 'CreatedDate')
+        secret["LastRotatedDate"] = dict_date_to_epoch(secret, "LastRotatedDate")
+        secret["LastChangedDate"] = dict_date_to_epoch(secret, "LastChangedDate")
+        secret["LastAccessedDate"] = dict_date_to_epoch(secret, "LastAccessedDate")
+        secret["DeletedDate"] = dict_date_to_epoch(secret, "DeletedDate")
+        secret["CreatedDate"] = dict_date_to_epoch(secret, "CreatedDate")
 
     neo4j_session.run(
         ingest_secrets,
@@ -69,16 +69,28 @@ def load_secrets(
 
 @timeit
 def cleanup_secrets(neo4j_session: neo4j.Session, common_job_parameters: Dict) -> None:
-    run_cleanup_job('aws_import_secrets_cleanup.json', neo4j_session, common_job_parameters)
+    run_cleanup_job(
+        "aws_import_secrets_cleanup.json",
+        neo4j_session,
+        common_job_parameters,
+    )
 
 
 @timeit
 def sync(
-    neo4j_session: neo4j.Session, boto3_session: boto3.session.Session, regions: List[str], current_aws_account_id: str,
-    update_tag: int, common_job_parameters: Dict,
+    neo4j_session: neo4j.Session,
+    boto3_session: boto3.session.Session,
+    regions: List[str],
+    current_aws_account_id: str,
+    update_tag: int,
+    common_job_parameters: Dict,
 ) -> None:
     for region in regions:
-        logger.info("Syncing Secrets Manager for region '%s' in account '%s'.", region, current_aws_account_id)
+        logger.info(
+            "Syncing Secrets Manager for region '%s' in account '%s'.",
+            region,
+            current_aws_account_id,
+        )
         secrets = get_secret_list(boto3_session, region)
         load_secrets(neo4j_session, secrets, region, current_aws_account_id, update_tag)
     cleanup_secrets(neo4j_session, common_job_parameters)

cartography/intel/aws/securityhub.py

@@ -14,7 +14,7 @@ logger = logging.getLogger(__name__)
 
 @timeit
 def get_hub(boto3_session: boto3.session.Session) -> Dict:
-    client = boto3_session.client('securityhub')
+    client = boto3_session.client("securityhub")
     try:
         return client.describe_hub()
     except client.exceptions.ResourceNotFoundException:
@@ -24,11 +24,11 @@ def get_hub(boto3_session: boto3.session.Session) -> Dict:
 
 
 def transform_hub(hub_data: Dict) -> None:
-    if 'SubscribedAt' in hub_data and hub_data['SubscribedAt']:
-        subbed_at = parser.parse(hub_data['SubscribedAt'])
-        hub_data['SubscribedAt'] = int(subbed_at.timestamp())
+    if "SubscribedAt" in hub_data and hub_data["SubscribedAt"]:
+        subbed_at = parser.parse(hub_data["SubscribedAt"])
+        hub_data["SubscribedAt"] = int(subbed_at.timestamp())
     else:
-        hub_data['SubscribedAt'] = None
+        hub_data["SubscribedAt"] = None
 
 
 @timeit
@@ -59,14 +59,25 @@ def load_hub(
 
 
 @timeit
-def cleanup_securityhub(neo4j_session: neo4j.Session, common_job_parameters: Dict) -> None:
-    run_cleanup_job('aws_import_securityhub_cleanup.json', neo4j_session, common_job_parameters)
+def cleanup_securityhub(
+    neo4j_session: neo4j.Session,
+    common_job_parameters: Dict,
+) -> None:
+    run_cleanup_job(
+        "aws_import_securityhub_cleanup.json",
+        neo4j_session,
+        common_job_parameters,
+    )
 
 
 @timeit
 def sync(
-    neo4j_session: neo4j.Session, boto3_session: boto3.session.Session, regions: List[str], current_aws_account_id: str,
-    update_tag: int, common_job_parameters: Dict,
+    neo4j_session: neo4j.Session,
+    boto3_session: boto3.session.Session,
+    regions: List[str],
+    current_aws_account_id: str,
+    update_tag: int,
+    common_job_parameters: Dict,
 ) -> None:
     logger.info("Syncing Security Hub in account '%s'.", current_aws_account_id)
     hub = get_hub(boto3_session)

cartography/intel/aws/sns.py

@@ -0,0 +1,166 @@
+import logging
+from typing import Dict
+from typing import List
+from typing import Optional
+
+import boto3
+import neo4j
+
+from cartography.client.core.tx import load
+from cartography.graph.job import GraphJob
+from cartography.models.aws.sns.topic import SNSTopicSchema
+from cartography.stats import get_stats_client
+from cartography.util import aws_handle_regions
+from cartography.util import merge_module_sync_metadata
+from cartography.util import timeit
+
+logger = logging.getLogger(__name__)
+stat_handler = get_stats_client(__name__)
+
+
+@timeit
+@aws_handle_regions
+def get_sns_topics(boto3_session: boto3.session.Session, region: str) -> List[Dict]:
+    """
+    Get all SNS Topics for a region.
+    """
+    client = boto3_session.client("sns", region_name=region)
+    paginator = client.get_paginator("list_topics")
+    topics = []
+    for page in paginator.paginate():
+        topics.extend(page.get("Topics", []))
+
+    return topics
+
+
+@timeit
+def get_topic_attributes(
+    boto3_session: boto3.session.Session, topic_arn: str, region: str
+) -> Optional[Dict]:
+    """
+    Get attributes for an SNS Topic.
+    """
+    client = boto3_session.client("sns", region_name=region)
+    try:
+        return client.get_topic_attributes(TopicArn=topic_arn)
+    except Exception as e:
+        logger.warning(f"Error getting attributes for SNS topic {topic_arn}: {e}")
+        return None
+
+
+def transform_sns_topics(
+    topics: List[Dict], attributes: Dict[str, Dict], region: str
+) -> List[Dict]:
+    """
+    Transform SNS topic data for ingestion
+    """
+    transformed_topics = []
+    for topic in topics:
+        topic_arn = topic["TopicArn"]
+
+        # Extract topic name from ARN
+        # Format: arn:aws:sns:region:account-id:topic-name
+        topic_name = topic_arn.split(":")[-1]
+
+        # Get attributes
+        topic_attrs = attributes.get(topic_arn, {}).get("Attributes", {})
+
+        transformed_topic = {
+            "TopicArn": topic_arn,
+            "TopicName": topic_name,
+            "DisplayName": topic_attrs.get("DisplayName", ""),
+            "Owner": topic_attrs.get("Owner", ""),
+            "SubscriptionsPending": int(topic_attrs.get("SubscriptionsPending", "0")),
+            "SubscriptionsConfirmed": int(
+                topic_attrs.get("SubscriptionsConfirmed", "0")
+            ),
+            "SubscriptionsDeleted": int(topic_attrs.get("SubscriptionsDeleted", "0")),
+            "DeliveryPolicy": topic_attrs.get("DeliveryPolicy", ""),
+            "EffectiveDeliveryPolicy": topic_attrs.get("EffectiveDeliveryPolicy", ""),
+            "KmsMasterKeyId": topic_attrs.get("KmsMasterKeyId", ""),
+        }
+
+        transformed_topics.append(transformed_topic)
+
+    return transformed_topics
+
+
+@timeit
+def load_sns_topics(
+    neo4j_session: neo4j.Session,
+    data: List[Dict],
+    region: str,
+    aws_account_id: str,
+    update_tag: int,
+) -> None:
+    """
+    Load SNS Topics information into the graph
+    """
+    logger.info(f"Loading {len(data)} SNS topics for region {region} into graph.")
+
+    load(
+        neo4j_session,
+        SNSTopicSchema(),
+        data,
+        lastupdated=update_tag,
+        Region=region,
+        AWS_ID=aws_account_id,
+    )
+
+
+@timeit
+def cleanup_sns(neo4j_session: neo4j.Session, common_job_parameters: Dict) -> None:
+    """
+    Run SNS cleanup job
+    """
+    logger.debug("Running SNS cleanup job.")
+    cleanup_job = GraphJob.from_node_schema(SNSTopicSchema(), common_job_parameters)
+    cleanup_job.run(neo4j_session)
+
+
+@timeit
+def sync(
+    neo4j_session: neo4j.Session,
+    boto3_session: boto3.session.Session,
+    regions: List[str],
+    current_aws_account_id: str,
+    update_tag: int,
+    common_job_parameters: Dict,
+) -> None:
+    """
+    Sync SNS Topics for all regions
+    """
+    for region in regions:
+        logger.info(
+            f"Syncing SNS Topics for {region} in account {current_aws_account_id}"
+        )
+        topics = get_sns_topics(boto3_session, region)
+
+        topic_attributes = {}
+        for topic in topics:
+            topic_arn = topic["TopicArn"]
+            attrs = get_topic_attributes(boto3_session, topic_arn, region)
+            if attrs:
+                topic_attributes[topic_arn] = attrs
+
+        transformed_topics = transform_sns_topics(topics, topic_attributes, region)
+
+        load_sns_topics(
+            neo4j_session,
+            transformed_topics,
+            region,
+            current_aws_account_id,
+            update_tag,
+        )
+
+    cleanup_sns(neo4j_session, common_job_parameters)
+
+    # Record that we've synced this module
+    merge_module_sync_metadata(
+        neo4j_session,
+        group_type="AWSAccount",
+        group_id=current_aws_account_id,
+        synced_type="SNSTopic",
+        update_tag=update_tag,
+        stat_handler=stat_handler,
+    )

cartography/intel/aws/sqs.py

@@ -19,36 +19,41 @@ logger = logging.getLogger(__name__)
 @timeit
 @aws_handle_regions
 def get_sqs_queue_list(boto3_session: boto3.session.Session, region: str) -> List[str]:
-    client = boto3_session.client('sqs', region_name=region)
-    paginator = client.get_paginator('list_queues')
+    client = boto3_session.client("sqs", region_name=region)
+    paginator = client.get_paginator("list_queues")
     queues: List[Any] = []
     for page in paginator.paginate():
-        queues.extend(page.get('QueueUrls', []))
+        queues.extend(page.get("QueueUrls", []))
     return queues
 
 
 @timeit
 @aws_handle_regions
 def get_sqs_queue_attributes(
-        boto3_session: boto3.session.Session,
-        queue_urls: List[str],
+    boto3_session: boto3.session.Session,
+    queue_urls: List[str],
 ) -> List[Tuple[str, Any]]:
     """
     Iterates over all SQS queues. Returns a dict with url as key, and attributes as value.
     """
-    client = boto3_session.client('sqs')
+    client = boto3_session.client("sqs")
 
     queue_attributes = []
     for queue_url in queue_urls:
         try:
-            response = client.get_queue_attributes(QueueUrl=queue_url, AttributeNames=['All'])
+            response = client.get_queue_attributes(
+                QueueUrl=queue_url,
+                AttributeNames=["All"],
+            )
         except ClientError as e:
-            if e.response['Error']['Code'] == 'AWS.SimpleQueueService.NonExistentQueue':
-                logger.warning(f"Failed to retrieve SQS queue {queue_url} - Queue does not exist error")
+            if e.response["Error"]["Code"] == "AWS.SimpleQueueService.NonExistentQueue":
+                logger.warning(
+                    f"Failed to retrieve SQS queue {queue_url} - Queue does not exist error",
+                )
                 continue
             else:
                 raise
-        queue_attributes.append((queue_url, response['Attributes']))
+        queue_attributes.append((queue_url, response["Attributes"]))
 
     return queue_attributes
 
@@ -91,23 +96,25 @@ def load_sqs_queues(
     dead_letter_queues: List[Dict] = []
     queues: List[Dict] = []
     for url, queue in data:
-        queue['url'] = url
-        queue['name'] = queue['QueueArn'].split(':')[-1]
-        queue['CreatedTimestamp'] = int(queue['CreatedTimestamp'])
-        queue['LastModifiedTimestamp'] = int(queue['LastModifiedTimestamp'])
-        redrive_policy = queue.get('RedrivePolicy')
+        queue["url"] = url
+        queue["name"] = queue["QueueArn"].split(":")[-1]
+        queue["CreatedTimestamp"] = int(queue["CreatedTimestamp"])
+        queue["LastModifiedTimestamp"] = int(queue["LastModifiedTimestamp"])
+        redrive_policy = queue.get("RedrivePolicy")
         if redrive_policy:
             try:
                 rp = json.loads(redrive_policy)
             except TypeError:
                 rp = {}
-            queue['RedrivePolicy'] = rp
-            dead_letter_arn = rp.get('deadLetterTargetArn')
+            queue["RedrivePolicy"] = rp
+            dead_letter_arn = rp.get("deadLetterTargetArn")
             if dead_letter_arn:
-                dead_letter_queues.append({
-                    'arn': queue['QueueArn'],
-                    'dead_letter_arn': dead_letter_arn,
-                })
+                dead_letter_queues.append(
+                    {
+                        "arn": queue["QueueArn"],
+                        "dead_letter_arn": dead_letter_arn,
+                    },
+                )
         queues.append(queue)
 
     neo4j_session.run(
@@ -122,7 +129,11 @@ def load_sqs_queues(
 
 
 @timeit
-def _attach_dead_letter_queues(neo4j_session: neo4j.Session, data: List[Dict[str, str]], aws_update_tag: int) -> None:
+def _attach_dead_letter_queues(
+    neo4j_session: neo4j.Session,
+    data: List[Dict[str, str]],
+    aws_update_tag: int,
+) -> None:
     """
     Attach deadletter queues to their queues.
     """
@@ -141,20 +152,41 @@ def _attach_dead_letter_queues(neo4j_session: neo4j.Session, data: List[Dict[str
 
 
 @timeit
-def cleanup_sqs_queues(neo4j_session: neo4j.Session, common_job_parameters: Dict) -> None:
-    run_cleanup_job('aws_import_sqs_queues_cleanup.json', neo4j_session, common_job_parameters)
+def cleanup_sqs_queues(
+    neo4j_session: neo4j.Session,
+    common_job_parameters: Dict,
+) -> None:
+    run_cleanup_job(
+        "aws_import_sqs_queues_cleanup.json",
+        neo4j_session,
+        common_job_parameters,
+    )
 
 
 @timeit
 def sync(
-    neo4j_session: neo4j.Session, boto3_session: boto3.session.Session, regions: List[str], current_aws_account_id: str,
-    update_tag: int, common_job_parameters: Dict,
+    neo4j_session: neo4j.Session,
+    boto3_session: boto3.session.Session,
+    regions: List[str],
+    current_aws_account_id: str,
+    update_tag: int,
+    common_job_parameters: Dict,
 ) -> None:
     for region in regions:
-        logger.info("Syncing SQS for region '%s' in account '%s'.", region, current_aws_account_id)
+        logger.info(
+            "Syncing SQS for region '%s' in account '%s'.",
+            region,
+            current_aws_account_id,
+        )
         queue_urls = get_sqs_queue_list(boto3_session, region)
         if len(queue_urls) == 0:
             continue
         queue_attributes = get_sqs_queue_attributes(boto3_session, queue_urls)
-        load_sqs_queues(neo4j_session, queue_attributes, region, current_aws_account_id, update_tag)
+        load_sqs_queues(
+            neo4j_session,
+            queue_attributes,
+            region,
+            current_aws_account_id,
+            update_tag,
+        )
     cleanup_sqs_queues(neo4j_session, common_job_parameters)

cartography/intel/aws/ssm.py

@@ -18,58 +18,74 @@ logger = logging.getLogger(__name__)
 
 
 @timeit
-def get_instance_ids(neo4j_session: neo4j.Session, region: str, current_aws_account_id: str) -> List[str]:
+def get_instance_ids(
+    neo4j_session: neo4j.Session,
+    region: str,
+    current_aws_account_id: str,
+) -> List[str]:
     get_instances_query = """
     MATCH (:AWSAccount{id: $AWS_ACCOUNT_ID})-[:RESOURCE]->(i:EC2Instance)
     WHERE i.region = $Region
     RETURN i.id
     """
-    results = neo4j_session.run(get_instances_query, AWS_ACCOUNT_ID=current_aws_account_id, Region=region)
+    results = neo4j_session.run(
+        get_instances_query,
+        AWS_ACCOUNT_ID=current_aws_account_id,
+        Region=region,
+    )
     instance_ids = []
     for r in results:
-        instance_ids.append(r['i.id'])
+        instance_ids.append(r["i.id"])
     return instance_ids
 
 
 @timeit
 @aws_handle_regions
 def get_instance_information(
-        boto3_session: boto3.session.Session,
-        region: str,
-        instance_ids: List[str],
+    boto3_session: boto3.session.Session,
+    region: str,
+    instance_ids: List[str],
 ) -> List[Dict[str, Any]]:
-    client = boto3_session.client('ssm', region_name=region)
+    client = boto3_session.client("ssm", region_name=region)
     instance_information: List[Dict[str, Any]] = []
-    paginator = client.get_paginator('describe_instance_information')
+    paginator = client.get_paginator("describe_instance_information")
     for i in range(0, len(instance_ids), 50):
-        instance_ids_chunk = instance_ids[i:i + 50]
+        instance_ids_chunk = instance_ids[i : i + 50]
         for info_chunk in paginator.paginate(
             Filters=[{"Key": "InstanceIds", "Values": instance_ids_chunk}],
             MaxResults=50,
         ):
-            instance_information.extend(info_chunk.get('InstanceInformationList', []))
+            instance_information.extend(info_chunk.get("InstanceInformationList", []))
     return instance_information
 
 
-def transform_instance_information(data_list: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
+def transform_instance_information(
+    data_list: List[Dict[str, Any]],
+) -> List[Dict[str, Any]]:
     for ii in data_list:
         ii["LastPingDateTime"] = dict_date_to_epoch(ii, "LastPingDateTime")
         ii["RegistrationDate"] = dict_date_to_epoch(ii, "RegistrationDate")
-        ii["LastAssociationExecutionDate"] = dict_date_to_epoch(ii, "LastAssociationExecutionDate")
-        ii["LastSuccessfulAssociationExecutionDate"] = dict_date_to_epoch(ii, "LastSuccessfulAssociationExecutionDate")
+        ii["LastAssociationExecutionDate"] = dict_date_to_epoch(
+            ii,
+            "LastAssociationExecutionDate",
+        )
+        ii["LastSuccessfulAssociationExecutionDate"] = dict_date_to_epoch(
+            ii,
+            "LastSuccessfulAssociationExecutionDate",
+        )
     return data_list
 
 
 @timeit
 @aws_handle_regions
 def get_instance_patches(
-        boto3_session: boto3.session.Session,
-        region: str,
-        instance_ids: List[str],
+    boto3_session: boto3.session.Session,
+    region: str,
+    instance_ids: List[str],
 ) -> List[Dict[str, Any]]:
-    client = boto3_session.client('ssm', region_name=region)
+    client = boto3_session.client("ssm", region_name=region)
     instance_patches: List[Dict[str, Any]] = []
-    paginator = client.get_paginator('describe_instance_patches')
+    paginator = client.get_paginator("describe_instance_patches")
     for instance_id in instance_ids:
         patches = []
         for page in paginator.paginate(InstanceId=instance_id):
@@ -128,29 +144,53 @@ def load_instance_patches(
 
 
 @timeit
-def cleanup_ssm(neo4j_session: neo4j.Session, common_job_parameters: Dict[str, Any]) -> None:
+def cleanup_ssm(
+    neo4j_session: neo4j.Session,
+    common_job_parameters: Dict[str, Any],
+) -> None:
     logger.info("Running SSM cleanup")
-    GraphJob.from_node_schema(SSMInstanceInformationSchema(), common_job_parameters).run(neo4j_session)
-    GraphJob.from_node_schema(SSMInstancePatchSchema(), common_job_parameters).run(neo4j_session)
+    GraphJob.from_node_schema(
+        SSMInstanceInformationSchema(),
+        common_job_parameters,
+    ).run(neo4j_session)
+    GraphJob.from_node_schema(SSMInstancePatchSchema(), common_job_parameters).run(
+        neo4j_session,
+    )
 
 
 @timeit
 def sync(
-        neo4j_session: neo4j.Session,
-        boto3_session: boto3.session.Session,
-        regions: List[str],
-        current_aws_account_id: str,
-        update_tag: int,
-        common_job_parameters: Dict[str, Any],
+    neo4j_session: neo4j.Session,
+    boto3_session: boto3.session.Session,
+    regions: List[str],
+    current_aws_account_id: str,
+    update_tag: int,
+    common_job_parameters: Dict[str, Any],
 ) -> None:
     for region in regions:
-        logger.info("Syncing SSM for region '%s' in account '%s'.", region, current_aws_account_id)
+        logger.info(
+            "Syncing SSM for region '%s' in account '%s'.",
+            region,
+            current_aws_account_id,
+        )
         instance_ids = get_instance_ids(neo4j_session, region, current_aws_account_id)
         data = get_instance_information(boto3_session, region, instance_ids)
         data = transform_instance_information(data)
-        load_instance_information(neo4j_session, data, region, current_aws_account_id, update_tag)
+        load_instance_information(
+            neo4j_session,
+            data,
+            region,
+            current_aws_account_id,
+            update_tag,
+        )
 
         data = get_instance_patches(boto3_session, region, instance_ids)
         data = transform_instance_patches(data)
-        load_instance_patches(neo4j_session, data, region, current_aws_account_id, update_tag)
+        load_instance_patches(
+            neo4j_session,
+            data,
+            region,
+            current_aws_account_id,
+            update_tag,
+        )
     cleanup_ssm(neo4j_session, common_job_parameters)

cartography/intel/aws/util/arns.py

@@ -2,16 +2,16 @@ from typing import Optional
 
 
 def build_arn(
-        resource: str,
-        account: str,
-        typename: str,
-        name: str,
-        region: Optional[str] = None,
-        partition: Optional[str] = None,
+    resource: str,
+    account: str,
+    typename: str,
+    name: str,
+    region: Optional[str] = None,
+    partition: Optional[str] = None,
 ) -> str:
     if not partition:
         # TODO: support partitions from others. Please file an issue on this if needed, would love to hear from you
-        partition = 'aws'
+        partition = "aws"
     if not region:
         # Some resources are present in all regions, e.g. IAM policies
         region = ""

cartography/intel/aws/util/common.py

@@ -1,21 +1,48 @@
+import logging
 from typing import List
 
 from cartography.intel.aws.resources import RESOURCE_FUNCTIONS
 
+logger = logging.getLogger(__name__)
+
 
 def parse_and_validate_aws_requested_syncs(aws_requested_syncs: str) -> List[str]:
     validated_resources: List[str] = []
-    for resource in aws_requested_syncs.split(','):
+    for resource in aws_requested_syncs.split(","):
         resource = resource.strip()
 
         if resource in RESOURCE_FUNCTIONS:
             validated_resources.append(resource)
         else:
-            valid_syncs: str = ', '.join(RESOURCE_FUNCTIONS.keys())
+            valid_syncs: str = ", ".join(RESOURCE_FUNCTIONS.keys())
             raise ValueError(
                 f'Error parsing `aws-requested-syncs`. You specified "{aws_requested_syncs}". '
-                f'Please check that your string is formatted properly. '
+                f"Please check that your string is formatted properly. "
                 f'Example valid input looks like "s3,iam,rds" or "s3, ec2:instance, dynamodb". '
-                f'Our full list of valid values is: {valid_syncs}.',
+                f"Our full list of valid values is: {valid_syncs}.",
             )
     return validated_resources
+
+
+def parse_and_validate_aws_regions(aws_regions: str) -> list[str]:
+    """
+    Parse and validate a comma-separated string of AWS regions.
+    :param aws_regions: Comma-separated string of AWS regions
+    :return: A validated list of AWS regions
+    """
+    validated_regions: List[str] = []
+    for region in aws_regions.split(","):
+        region = region.strip()
+        if region:
+            validated_regions.append(region)
+        else:
+            logger.warning(
+                f'Unable to parse string "{region}". Please check the value you passed to `aws-regions`. '
+                f'You specified "{aws_regions}". Continuing on with sync.',
+            )
+
+    if not validated_regions:
+        raise ValueError(
+            f'`aws-regions` was set but no regions were specified. You provided this string: "{aws_regions}"',
+        )
+    return validated_regions