runbooks 0.1.7__py3-none-any.whl → 0.1.9__py3-none-any.whl

runbooks/security_baseline/checklist/trail_enabled.py

@@ -0,0 +1,69 @@
+import logging
+
+import botocore.exceptions
+
+from ..utils import common
+from ..utils import level_const as level
+
+
+def get_trail_status(client, trail_arn):
+    try:
+        return client.get_trail_status(Name=trail_arn)["IsLogging"]
+    except botocore.exceptions.ClientError as e:
+        logging.error(f"Error getting trail status for {trail_arn}: {str(e)}", exc_info=True)
+        return "ERR"
+
+
+def check_trail_enabled(session, translator) -> common.CheckResult:
+    logging.info(translator.translate("checking"))
+
+    ret = common.CheckResult()
+    ret.title = translator.translate("title")
+    ret.result_cols = ["Trail", "Is Logging"]
+
+    client = session.client("cloudtrail")
+
+    try:
+        trails = client.describe_trails()["trailList"]
+    except (
+        client.exceptions.UnsupportedOperationException,
+        client.exceptions.OperationNotPermittedException,
+        client.exceptions.NoManagementAccountSLRExistsException,
+        botocore.exceptions.ClientError,
+    ) as e:
+        logging.error(f"Error describing trails: {str(e)}", exc_info=True)
+        ret.level = level.error
+        ret.msg = translator.translate("describe_trails_error")
+        ret.result_rows.append(["ERR", "ERR"])
+        ret.error_message = str(e)
+        return ret
+
+    if not trails:
+        ret.level = level.danger
+        ret.msg = translator.translate("no_trail")
+        ret.result_rows.append(["-", "-"])
+        return ret
+
+    logging_disabled_counter = 0
+    for trail in trails:
+        trail_arn = trail["TrailARN"]
+        is_logging = get_trail_status(client, trail_arn)
+        ret.result_rows.append([trail_arn, str(is_logging)])
+        if is_logging == "ERR":
+            ret.level = level.error
+            ret.msg = translator.translate("get_trail_status_error")
+        elif not is_logging:
+            logging_disabled_counter += 1
+
+    if ret.level != level.error:
+        if logging_disabled_counter == len(trails):
+            ret.level = level.danger
+            ret.msg = translator.translate("danger")
+        elif logging_disabled_counter > 0:
+            ret.level = level.warning
+            ret.msg = translator.translate("warning")
+        else:
+            ret.level = level.success
+            ret.msg = translator.translate("success")
+
+    return ret

runbooks/security_baseline/checklist/trusted_advisor.py

@@ -0,0 +1,24 @@
+import logging
+
+from ..utils import common
+from ..utils import level_const as level
+
+
+def check_trust_advisor_configuration(translator) -> common.CheckResult:
+    logging.info(translator.translate("checking"))
+
+    ret = common.CheckResult()
+    ret.title = translator.translate("title")
+    ret.result_cols = []
+
+    try:
+        ret.level = level.info
+        ret.msg = translator.translate("info")
+        ret.result_rows.append([])
+    except Exception as e:
+        logging.error(f"Error in Trust Advisor check: {str(e)}", exc_info=True)
+        ret.level = level.error
+        ret.msg = translator.translate("error")
+        ret.error_message = str(e)
+
+    return ret

runbooks/security_baseline/report_generator.py

@@ -0,0 +1,150 @@
+import datetime
+import os
+from pathlib import Path
+from string import Template
+
+from jinja2 import Template
+
+from runbooks.utils.logger import configure_logger
+
+from .utils import language, level_const
+
+## ✅ Configure Logger
+logger = configure_logger(__name__)
+
+
+class ReportGenerator:
+    def __init__(self, account_id, results, language_code):
+        self.account_id = account_id
+        self.results = results
+        self.language = language_code
+        self.generated_at = datetime.datetime.now().strftime("(UTC) %Y-%m-%d %H:%M:%S")
+
+    def create_html_report(self):
+        template = self._load_template()
+        context = self._prepare_context()
+        return template.render(context)
+
+    def _load_template(self):
+        """
+        Load the appropriate HTML template based on self.language.
+
+        Supported languages: KR, JP, VN, EN (default).
+        Falls back to English template if self.language is unrecognized.
+        """
+        ## Normalize user input like "en", "En", "EN" -> "EN"
+        lang = self.language.upper() if self.language else "EN"
+
+        ## Map language codes to template filenames
+        template_map = {
+            "KR": "report_template_kr.html",
+            "JP": "report_template_jp.html",
+            "VN": "report_template_vn.html",
+            "EN": "report_template_en.html",
+        }
+
+        ## Fall back to English if language code not recognized
+        template_filename = template_map.get(lang, "report_template_en.html")
+
+        # Always resolve paths relative to this file’s directory
+        script_dir = Path(__file__).resolve().parent
+        template_path = script_dir / template_filename
+
+        ## Attempt to read the template file
+        if not template_path.is_file():
+            logger.error("Template file '%s' for language '%s' not found at %s", template_filename, lang, template_path)
+            raise FileNotFoundError(f"Could not find the template '{template_filename}' for language '{lang}'.")
+
+        with template_path.open("r", encoding="utf-8") as file:
+            return Template(file.read())
+
+        # if self.language == "KR":
+        #     with open("report_template_kr.html", "r") as file:
+        #         return Template(file.read())
+        # elif self.language == "JP":
+        #     with open("report_template_jp.html", "r") as file:
+        #         return Template(file.read())
+        # elif self.language == "VN":
+        #     with open("report_template_vn.html", "r") as file:
+        #         return Template(file.read())
+        # else:
+        #     ## Get the absolute directory where *this script* is located
+        #     report_dir = os.path.dirname(os.path.abspath(__file__))
+        #     report_path = os.path.join(report_dir, "report_template_en.html")
+        #     ## with open("report_template_en.html", "r") as file:
+        #     with open(report_path, "r") as file:
+        #         return Template(file.read())
+
+    def _prepare_context(self):
+        return {
+            "account_id": self.account_id,
+            "generated_at": self.generated_at,
+            "overview": self._generate_overview(),
+            "result_sections": self._generate_result_sections(),
+            "language": self.language,
+        }
+
+    def _generate_overview(self):
+        filtered_results = {level: len(results) for level, results in self.results.items() if isinstance(results, list)}
+        desired_levels = ["Danger", "Warning", "Success", "Info", "Error"]
+        sorted_result = [(level, filtered_results[level]) for level in desired_levels]
+
+        return sorted_result
+
+    def _generate_result_sections(self):
+        sections = []
+        for level, results in self.results.items():
+            if isinstance(results, list):
+                if len(results) == 0:
+                    ## This condition only applies when there are no 'Error' items at all.
+                    formatted_results = [
+                        {
+                            "title": "All inspection items were successfully checked.",
+                            "message": "No results available for this section. All checks were successful.",
+                            "table": [],
+                        }
+                    ]
+                else:
+                    formatted_results = self._format_results(results, level)
+
+                sections.append({"level": level, "result_items": formatted_results})
+
+        sort_order = {"Danger": 0, "Warning": 1, "Success": 2, "Info": 3, "Error": 4}
+
+        sections.sort(key=lambda x: sort_order.get(x["level"], len(sort_order)))
+        return sections
+
+    def _format_results(self, results, level):
+        formatted_results = []
+        for result in results:
+            if isinstance(result, dict):  # if type(result) is dict
+                formatted_result = {
+                    "title": result.get("title", "Unknown"),
+                    "message": result.get("msg", "No message"),
+                    "table": self._format_table(result.get("result_cols", []), result.get("result_rows", [])),
+                }
+                if level == level_const.error:
+                    formatted_result["error_message"] = result.get("error_message", "Unknown error")
+                formatted_results.append(formatted_result)
+            elif hasattr(result, "to_dict"):  # if the result object has 'to_dict' attribute
+                result_dict = result.to_dict()
+                formatted_result = {
+                    "title": result_dict.get("title", "Unknown"),
+                    "message": result_dict.get("msg", "No message"),
+                    "table": self._format_table(result_dict.get("result_cols", []), result_dict.get("result_rows", [])),
+                }
+                if level == level_const.error:
+                    formatted_result["error_message"] = result_dict.get("error_message", "Unknown error")
+                formatted_results.append(formatted_result)
+
+        return formatted_results
+
+    def _format_table(self, cols, rows):
+        if not rows:
+            return None
+        return {"headers": cols, "rows": rows}
+
+
+def generate_html_report(account_id_str, result_sort_by_level, language_code):
+    generator = ReportGenerator(account_id_str, result_sort_by_level, language_code)
+    return generator.create_html_report()

runbooks/security_baseline/run_script.py

@@ -0,0 +1,76 @@
+#!/usr/bin/env python3
+
+"""
+AWS Security Baseline Tester Script
+
+Date: 2025-01-10
+Version: 1.1.0
+
+This script evaluates AWS account security configurations against a baseline checklist
+and generates a multilingual report in HTML format.
+
+Compatible with both local (via pip or Docker) and AWS Lambda environments.
+"""
+
+import argparse
+import sys
+
+from runbooks.utils.logger import configure_logger
+
+from .security_baseline_tester import SecurityBaselineTester
+
+## ✅ Configure Logger
+logger = configure_logger(__name__)
+
+
+# ==============================
+# Parse Command-Line Arguments
+# ==============================
+def parse_arguments():
+    """
+    Parses command-line arguments for the security baseline tester.
+
+    Returns:
+        argparse.Namespace: Parsed arguments.
+    """
+    parser = argparse.ArgumentParser(
+        description="AWS Security Baseline Tester - Evaluate your AWS account's security configuration."
+    )
+    parser.add_argument(
+        "--profile", default="default", help="AWS IAM profile to use for authentication (default: 'default')."
+    )
+    parser.add_argument(
+        "--language",
+        choices=["EN", "JP", "KR", "VN"],
+        default="EN",
+        help="Language for the Security Baseline Report (default: 'EN').",
+    )
+    return parser.parse_args()
+
+
+# ==============================
+# Main Function
+# ==============================
+def main():
+    """
+    Main entry point for the AWS Security Baseline Tester.
+    """
+    try:
+        args = parse_arguments()
+
+        logger.info("Starting AWS Security Baseline Tester...")
+        logger.info(f"Using AWS profile: {args.profile}")
+        logger.info(f"Report language: {args.language}")
+
+        ## Instantiate and run the Security Baseline Tester
+        tester = SecurityBaselineTester(args.profile, args.language)
+        tester.run()
+
+        logger.info("AWS Security Baseline testing completed successfully.")
+    except Exception as e:
+        logger.error(f"An unexpected error occurred: {e}", exc_info=True)
+        sys.exit(1)
+
+
+if __name__ == "__main__":
+    main()

runbooks/security_baseline/security_baseline_tester.py

@@ -0,0 +1,184 @@
+import datetime
+import importlib
+import json
+import logging
+import os
+from concurrent.futures import ThreadPoolExecutor, as_completed
+from pathlib import Path
+
+import boto3
+import botocore
+
+from . import report_generator
+from .checklist import *  # noqa: F403
+from .utils import common, language, level_const
+
+# from .utils.language import get_translator
+
+
+class SecurityBaselineTester:
+    def __init__(self, profile, lang_code):
+        self.profile = profile
+        self.language = lang_code
+        self.session = self._create_session()
+        self.config = self._load_config()
+        ## Call module 'language' and pass the string 'lang_code'
+        self.translator = language.get_translator("main", lang_code)
+
+    def _create_session(self):
+        if self.profile == "default":
+            return boto3.Session()
+        return boto3.Session(profile_name=self.profile)
+
+    def _load_config(self):
+        ## Get the absolute directory where *this script* is located
+        script_dir = os.path.dirname(os.path.abspath(__file__))
+        config_path = os.path.join(script_dir, "config.json")
+
+        try:
+            # with open("./config.json", "r") as file:
+            with open(config_path, "r") as file:
+                return json.load(file)
+        except FileNotFoundError:
+            logging.error("config.json file not found. Please ensure it exists in the same directory as this script.")
+            raise
+        except json.JSONDecodeError:
+            logging.error("Error parsing config.json. Please ensure it is a valid JSON file.")
+            raise
+
+    def run(self):
+        try:
+            self._validate_session()
+            caller_identity = self._get_caller_identity()
+            self._print_auditor_info(caller_identity)
+
+            logging.info(self.translator.translate("start_test"))
+
+            account_id, results = self._execute_tests()
+            self._generate_report(account_id, results)
+
+            logging.info(self.translator.translate("test_completed"))
+        except Exception as e:
+            logging.error(f"An error occurred during the security baseline test: {str(e)}", exc_info=True)
+
+    def _validate_session(self):
+        if self.session.region_name is None:
+            raise ValueError('AWS region is not specified. Run "aws configure" to set it.')
+
+    def _get_caller_identity(self):
+        try:
+            return self.session.client("sts").get_caller_identity()
+        except botocore.exceptions.ClientError as e:
+            logging.error(f"Failed to get caller identity: {str(e)}")
+            raise
+
+    def _print_auditor_info(self, caller_identity):
+        logging.info("==================== AUDITOR INFO ====================")
+        logging.info(f"USER ID : {caller_identity['UserId']}")
+        logging.info(f"ACCOUNT : {caller_identity['Account']}")
+        logging.info(f"ARN     : {caller_identity['Arn']}")
+        logging.info("=====================================================")
+
+    def _execute_tests(self):
+        iam_client = self.session.client("iam")
+        sts_client = self.session.client("sts")
+
+        account_id = common.get_account_id(sts_client)
+        logging.info(self.translator.translate("request_credential_report"))
+        credential_report = common.generate_credential_report(iam_client)
+
+        with ThreadPoolExecutor(max_workers=self.config.get("max_workers", 5)) as executor:
+            futures = {
+                executor.submit(self._run_check, check_name, credential_report): check_name
+                for check_name in self.config.get("checks", [])
+            }
+
+            results = {
+                level: [] for level in ["Success", "Warning", "Danger", "Error", "Info"] if isinstance(level, str)
+            }
+            for future in as_completed(futures):
+                result = future.result()
+                results[result.level].append(result)
+
+        return account_id, results
+
+    def _run_check(self, check_name, credential_report):
+        # check_module = __import__(f"checklist.{check_name}", fromlist=[check_name])
+        check_module = importlib.import_module(f"runbooks.security_baseline.checklist.{check_name}")
+        check_method = getattr(check_module, self.config["checks"][check_name])
+        translator = language.get_translator(check_name, self.language)
+
+        if check_name in [
+            "alternate_contacts",
+            "account_level_bucket_public_access",
+            "bucket_public_access",
+            "cloudwatch_alarm_configuration",
+            "direct_attached_policy",
+            "guardduty_enabled",
+            "multi_region_instance_usage",
+            "multi_region_trail",
+            "trail_enabled",
+            "iam_password_policy",
+        ]:
+            return check_method(self.session, translator)
+        elif check_name in ["root_mfa", "root_usage", "root_access_key", "iam_user_mfa"]:
+            return check_method(self.session, translator, credential_report)
+        elif check_name == "trusted_advisor":
+            return check_method(translator)
+        else:
+            raise ValueError(f"Unknown check method: {check_name}")
+
+    def _check_result_directory(self):
+        """
+        Ensures that the 'results' directory (located next to this script) exists.
+
+        :return: A Path object pointing to the results directory.
+        """
+
+        # directory_name = "./results"
+        # if not os.path.exists(directory_name):
+        #     os.makedirs(directory_name)
+        #     logging.info(self.translator.translate("results_folder_created"))
+        # else:
+        #     logging.info(self.translator.translate("results_folder_already_exists"))
+
+        script_dir = Path(__file__).resolve().parent
+        results_dir = script_dir / "results"
+
+        if not results_dir.exists():
+            results_dir.mkdir(parents=True, exist_ok=True)
+            logging.info(self.translator.translate("results_folder_created"))
+        else:
+            logging.info(self.translator.translate("results_folder_already_exists"))
+
+        return results_dir
+
+    def _generate_report(self, account_id, results):
+        """
+        Generates an HTML security report and writes it to the 'results' directory.
+
+        :param account_id: The AWS account ID or similar identifier.
+        :param results:    A dictionary containing the security baseline results.
+        """
+        html_report = report_generator.generate_html_report(account_id, results, self.language)
+
+        current_time = datetime.datetime.now().strftime("%y%m%d-%H%M%S")
+        short_account_id = account_id[-4:]
+
+        ## Ensure the results directory exists
+        results_dir = self._check_result_directory()
+
+        ## Build the report filename
+        report_filename = f"security-report-{short_account_id}-{current_time}.html"
+        report_path = results_dir / report_filename
+
+        ## Get the absolute directory where *this script* is located
+        # test_report_dir = os.path.dirname(os.path.abspath(__file__))
+        # test_report_path = os.path.join(test_report_dir, report_filename)
+
+        # with open(test_report_path, "w") as file:
+        ## Write the report to disk
+        with report_path.open("w", encoding="utf-8") as file:
+            file.write(html_report)
+
+        logging.info(self.translator.translate("generate_result_report"))

runbooks/security_baseline/utils/__init__.py

@@ -0,0 +1,2 @@
+## security_baseline/utils/__init__.py
+__all__ = ["common", "level_const", "language", "enums"]

runbooks/security_baseline/utils/common.py

@@ -0,0 +1,109 @@
+import json
+import logging
+import os
+import time
+
+import botocore.exceptions
+
+from .enums import CREDENTIAL_REPORT_COLS
+
+
+class Ret:
+    def __init__(self) -> None:
+        self.status_code = 200
+        self.body = "success"
+        self.headers = {"Content-Type": "text/html;charset=UTF-8"}
+
+    def to_dict(self) -> dict:
+        return {"statusCode": self.status_code, "body": self.body, "headers": self.headers}
+
+
+class CheckResult:
+    def __init__(self) -> None:
+        self.title = "UNKNOWN"
+        self.level = "UNKNOWN"
+        self.msg = "UNKNOWN"
+        self.result_rows = []
+        self.result_cols = []
+        self.error_message = None  # 새로 추가된 필드
+
+    def to_dict(self) -> dict:
+        return {
+            "title": self.title,
+            "level": self.level,
+            "msg": self.msg,
+            "result_rows": self.result_rows,
+            "result_cols": self.result_cols,
+            "error_message": self.error_message,
+        }
+
+    def get_table(self) -> dict:
+        return {"cols": self.result_cols, "rows": self.result_rows}
+
+
+def load_config():
+    config_path = os.path.join(os.path.dirname(os.path.dirname(__file__)), "config.json")
+    try:
+        with open(config_path, "r") as file:
+            return json.load(file)
+    except FileNotFoundError:
+        logging.error(f"Config file not found: {config_path}")
+        raise
+    except json.JSONDecodeError:
+        logging.error(f"Invalid JSON in config file: {config_path}")
+        raise
+
+
+config = load_config()
+
+
+def get_iam_credential_report(credential_report) -> list:
+    first_iam_user_row_index = config["credential_report"]["first_iam_user_row_index"]
+    if len(credential_report) < first_iam_user_row_index + 1:
+        return []
+    else:
+        return list(map(lambda x: x.split(","), credential_report[first_iam_user_row_index:]))
+
+
+def get_root_credential_report(credential_report) -> list:
+    root_row_index = config["credential_report"]["root_row_index"]
+    return credential_report[root_row_index].split(",")
+
+
+def generate_credential_report(client) -> list:
+    try:
+        for trial in range(1, 5):
+            response = client.generate_credential_report()
+            logging.info(
+                f"Generating credentials report for your account...({str(trial)}) Current state is {str(response['State'])}."
+            )
+
+            if response["State"] == "COMPLETE":
+                return client.get_credential_report()["Content"].decode("ascii").split()
+
+            time.sleep(5)
+
+        raise TimeoutError("Time out")
+
+    except (TimeoutError, botocore.exceptions.ClientError) as e:
+        logging.error(f"Couldn't generate a credentials report for your account. (Error : {str(e)})")
+        return []
+
+
+def get_account_id(client) -> str:
+    try:
+        return str(client.get_caller_identity()["Account"])
+    except botocore.exceptions.ClientError as e:
+        logging.error(f"Error getting account ID: {str(e)}")
+        return "ERR"
+
+
+def get_opted_in_regions(ec2_client) -> list:
+    try:
+        response = ec2_client.describe_regions(
+            Filters=[{"Name": "opt-in-status", "Values": ["opted-in", "opt-in-not-required"]}]
+        )
+        return [region["RegionName"] for region in response["Regions"]]
+    except botocore.exceptions.ClientError as e:
+        logging.error(f"Error getting opted-in regions: {str(e)}")
+        raise

runbooks/security_baseline/utils/enums.py

@@ -0,0 +1,44 @@
+from enum import Enum
+
+
+class CREDENTIAL_REPORT_COLS(Enum):
+    USER = 0
+    ARN = 1
+    USER_CREATION_TIME = 2
+    PASSWORD_ENABLED = 3
+    PASSWORD_LAST_USED = 4
+    PASSWORD_LAST_CHANGED = 5
+    PASSWORD_NEXT_ROTATION = 6
+    MFA_ACTIVE = 7
+    ACCESS_KEY_1_ACTIVE = 8
+    ACCESS_KEY_1_LAST_ROTATED = 9
+    ACCESS_KEY_1_LAST_USED_DATE = 10
+    ACCESS_KEY_1_LAST_USED_REGION = 11
+    ACCESS_KEY_1_LAST_USED_SERVICE = 12
+    ACCESS_KEY_2_ACTIVE = 13
+    ACCESS_KEY_2_LAST_ROTATED = 14
+    ACCESS_KEY_2_LAST_USED_DATE = 15
+    ACCESS_KEY_2_LAST_USED_REGION = 16
+    ACCESS_KEY_2_LAST_USED_SERVICE = 17
+    CERT_1_ACTIVE = 18
+    CERT_1_LAST_ROTATED = 19
+    CERT_2_ACTIVE = 20
+    CERT_2_LAST_ROTATED = 21
+
+
+class CHECKLIST_INDEX_CONST(Enum):
+    ROOT_MFA_SETTING_CHECK = 0
+    ROOT_USAGE_CHECK = 1
+    ROOT_CREDENTIAL_CHECK = 2
+    IAM_MFA_SETTING_CHECK = 3
+    IAM_PASSWORD_POLICY_CHECK = 4
+    NON_GROUP_POLICY_CHECK = 5
+    ALTERNATE_CONTACT_CHECK = 6
+    TRAIL_ENABLED_CHECK = 7
+    MULTIREGION_TRAIL_CHECK = 8
+    ACCOUNT_LEVEL_BUCKET_PUBLIC_ACCESS_CHECK = 9
+    BUCKET_LEVEL_PUBLIC_ACCESS_CHECK = 10
+    CLOUDWATCH_ALARM_CONFIGURATION_CHECK = 11
+    MULTIREGION_INSTANCE_USAGE_CHECK = 12
+    GUARD_DUTY_ENABLED_CHECK = 13
+    TRUST_ADVISOR_CHECK = 14