PyPI - runbooks - Versions diffs - 0.6.1__py3-none-any.whl → 0.7.5__py3-none-any.whl - Mend

runbooks 0.6.1py3-none-any.whl → 0.7.5py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (142) hide show

jupyter-agent/.env +2 -0
jupyter-agent/.gradio/certificate.pem +31 -0
jupyter-agent/__main__.log +8 -0
jupyter-agent/tmp/4ojbs8a02ir/jupyter-agent.ipynb +68 -0
jupyter-agent/tmp/cm5iasgpm3p/jupyter-agent.ipynb +91 -0
jupyter-agent/tmp/crqbsseag5/jupyter-agent.ipynb +91 -0
jupyter-agent/tmp/hohanq1u097/jupyter-agent.ipynb +57 -0
jupyter-agent/tmp/jns1sam29wm/jupyter-agent.ipynb +53 -0
jupyter-agent/tmp/jupyter-agent.ipynb +27 -0
runbooks/__init__.py +87 -37
runbooks/cfat/README.md +300 -49
runbooks/cfat/__init__.py +2 -2
runbooks/finops/README.md +337 -0
runbooks/finops/__init__.py +2 -4
runbooks/finops/cli.py +1 -1
runbooks/inventory/aws_organization.png +0 -0
runbooks/inventory/collectors/__init__.py +8 -0
runbooks/inventory/collectors/aws_management.py +791 -0
runbooks/inventory/collectors/aws_networking.py +3 -3
runbooks/main.py +3416 -590
runbooks/operate/__init__.py +207 -0
runbooks/operate/base.py +311 -0
runbooks/operate/cloudformation_operations.py +619 -0
runbooks/operate/cloudwatch_operations.py +496 -0
runbooks/operate/dynamodb_operations.py +812 -0
runbooks/operate/ec2_operations.py +926 -0
runbooks/operate/iam_operations.py +569 -0
runbooks/operate/s3_operations.py +1211 -0
runbooks/operate/tagging_operations.py +655 -0
runbooks/remediation/CLAUDE.md +100 -0
runbooks/remediation/DOME9.md +218 -0
runbooks/remediation/README.md +26 -0
runbooks/remediation/Tests/update_policy.py +74 -0
runbooks/remediation/__init__.py +95 -0
runbooks/remediation/acm_cert_expired_unused.py +98 -0
runbooks/remediation/acm_remediation.py +875 -0
runbooks/remediation/api_gateway_list.py +167 -0
runbooks/remediation/base.py +643 -0
runbooks/remediation/cloudtrail_remediation.py +908 -0
runbooks/remediation/cloudtrail_s3_modifications.py +296 -0
runbooks/remediation/cognito_active_users.py +78 -0
runbooks/remediation/cognito_remediation.py +856 -0
runbooks/remediation/cognito_user_password_reset.py +163 -0
runbooks/remediation/commons.py +455 -0
runbooks/remediation/dynamodb_optimize.py +155 -0
runbooks/remediation/dynamodb_remediation.py +744 -0
runbooks/remediation/dynamodb_server_side_encryption.py +108 -0
runbooks/remediation/ec2_public_ips.py +134 -0
runbooks/remediation/ec2_remediation.py +892 -0
runbooks/remediation/ec2_subnet_disable_auto_ip_assignment.py +72 -0
runbooks/remediation/ec2_unattached_ebs_volumes.py +448 -0
runbooks/remediation/ec2_unused_security_groups.py +202 -0
runbooks/remediation/kms_enable_key_rotation.py +651 -0
runbooks/remediation/kms_remediation.py +717 -0
runbooks/remediation/lambda_list.py +243 -0
runbooks/remediation/lambda_remediation.py +971 -0
runbooks/remediation/multi_account.py +569 -0
runbooks/remediation/rds_instance_list.py +199 -0
runbooks/remediation/rds_remediation.py +873 -0
runbooks/remediation/rds_snapshot_list.py +192 -0
runbooks/remediation/requirements.txt +118 -0
runbooks/remediation/s3_block_public_access.py +159 -0
runbooks/remediation/s3_bucket_public_access.py +143 -0
runbooks/remediation/s3_disable_static_website_hosting.py +74 -0
runbooks/remediation/s3_downloader.py +215 -0
runbooks/remediation/s3_enable_access_logging.py +562 -0
runbooks/remediation/s3_encryption.py +526 -0
runbooks/remediation/s3_force_ssl_secure_policy.py +143 -0
runbooks/remediation/s3_list.py +141 -0
runbooks/remediation/s3_object_search.py +201 -0
runbooks/remediation/s3_remediation.py +816 -0
runbooks/remediation/scan_for_phrase.py +425 -0
runbooks/remediation/workspaces_list.py +220 -0
runbooks/{security_baseline → security}/README.md +191 -68
runbooks/security/__init__.py +70 -0
runbooks/{security_baseline → security}/security_baseline_tester.py +5 -3
runbooks-0.7.5.dist-info/METADATA +606 -0
{runbooks-0.6.1.dist-info → runbooks-0.7.5.dist-info}/RECORD +115 -75
{runbooks-0.6.1.dist-info → runbooks-0.7.5.dist-info}/entry_points.txt +0 -1
runbooks/aws/__init__.py +0 -58
runbooks/aws/dynamodb_operations.py +0 -231
runbooks/aws/ec2_copy_image_cross-region.py +0 -195
runbooks/aws/ec2_describe_instances.py +0 -202
runbooks/aws/ec2_ebs_snapshots_delete.py +0 -186
runbooks/aws/ec2_run_instances.py +0 -213
runbooks/aws/ec2_start_stop_instances.py +0 -212
runbooks/aws/ec2_terminate_instances.py +0 -143
runbooks/aws/ec2_unused_eips.py +0 -196
runbooks/aws/ec2_unused_volumes.py +0 -188
runbooks/aws/s3_create_bucket.py +0 -142
runbooks/aws/s3_list_buckets.py +0 -152
runbooks/aws/s3_list_objects.py +0 -156
runbooks/aws/s3_object_operations.py +0 -183
runbooks/aws/tagging_lambda_handler.py +0 -183
runbooks/inventory/cfn_move_stack_instances.py +0 -1526
runbooks/inventory/delete_s3_buckets_objects.py +0 -169
runbooks/inventory/lockdown_cfn_stackset_role.py +0 -224
runbooks/inventory/update_aws_actions.py +0 -173
runbooks/inventory/update_cfn_stacksets.py +0 -1215
runbooks/inventory/update_cloudwatch_logs_retention_policy.py +0 -294
runbooks/inventory/update_iam_roles_cross_accounts.py +0 -478
runbooks/inventory/update_s3_public_access_block.py +0 -539
runbooks/organizations/__init__.py +0 -12
runbooks/organizations/manager.py +0 -374
runbooks/security_baseline/requirements.txt +0 -7
runbooks-0.6.1.dist-info/METADATA +0 -373
/runbooks/{aws → operate}/tags.json +0 -0
/runbooks/{security_baseline → remediation/Tests}/__init__.py +0 -0
/runbooks/{security_baseline → security}/checklist/__init__.py +0 -0
/runbooks/{security_baseline → security}/checklist/account_level_bucket_public_access.py +0 -0
/runbooks/{security_baseline → security}/checklist/alternate_contacts.py +0 -0
/runbooks/{security_baseline → security}/checklist/bucket_public_access.py +0 -0
/runbooks/{security_baseline → security}/checklist/cloudwatch_alarm_configuration.py +0 -0
/runbooks/{security_baseline → security}/checklist/direct_attached_policy.py +0 -0
/runbooks/{security_baseline → security}/checklist/guardduty_enabled.py +0 -0
/runbooks/{security_baseline → security}/checklist/iam_password_policy.py +0 -0
/runbooks/{security_baseline → security}/checklist/iam_user_mfa.py +0 -0
/runbooks/{security_baseline → security}/checklist/multi_region_instance_usage.py +0 -0
/runbooks/{security_baseline → security}/checklist/multi_region_trail.py +0 -0
/runbooks/{security_baseline → security}/checklist/root_access_key.py +0 -0
/runbooks/{security_baseline → security}/checklist/root_mfa.py +0 -0
/runbooks/{security_baseline → security}/checklist/root_usage.py +0 -0
/runbooks/{security_baseline → security}/checklist/trail_enabled.py +0 -0
/runbooks/{security_baseline → security}/checklist/trusted_advisor.py +0 -0
/runbooks/{security_baseline → security}/config-origin.json +0 -0
/runbooks/{security_baseline → security}/config.json +0 -0
/runbooks/{security_baseline → security}/permission.json +0 -0
/runbooks/{security_baseline → security}/report_generator.py +0 -0
/runbooks/{security_baseline → security}/report_template_en.html +0 -0
/runbooks/{security_baseline → security}/report_template_jp.html +0 -0
/runbooks/{security_baseline → security}/report_template_kr.html +0 -0
/runbooks/{security_baseline → security}/report_template_vn.html +0 -0
/runbooks/{security_baseline → security}/run_script.py +0 -0
/runbooks/{security_baseline → security}/utils/__init__.py +0 -0
/runbooks/{security_baseline → security}/utils/common.py +0 -0
/runbooks/{security_baseline → security}/utils/enums.py +0 -0
/runbooks/{security_baseline → security}/utils/language.py +0 -0
/runbooks/{security_baseline → security}/utils/level_const.py +0 -0
/runbooks/{security_baseline → security}/utils/permission_list.py +0 -0
{runbooks-0.6.1.dist-info → runbooks-0.7.5.dist-info}/WHEEL +0 -0
{runbooks-0.6.1.dist-info → runbooks-0.7.5.dist-info}/licenses/LICENSE +0 -0
{runbooks-0.6.1.dist-info → runbooks-0.7.5.dist-info}/top_level.txt +0 -0

runbooks/remediation/lambda_list.py ADDED Viewed

@@ -0,0 +1,243 @@
+"""
+Lambda Function Inventory - Analyze and optimize Lambda function configurations.
+"""
+import copy
+import json
+import logging
+import re
+import click
+from botocore.exceptions import ClientError
+from .commons import (
+    display_aws_account_info,
+    get_client,
+    get_lambda_invocations,
+    get_lambda_total_duration,
+    write_to_csv,
+)
+logger = logging.getLogger(__name__)
+# Lambda pricing (adjust for your region)
+PRICE_PER_GB_SECOND = 0.00001667  # US East (N. Virginia) - update for your region
+def update_iam_role_with_inline_policies(role_name, new_policy_document):
+    """Update IAM role inline policies with improved error handling."""
+    try:
+        client_iam = get_client("iam")
+        for policy_name, policy in new_policy_document.items():
+            policy_string = json.dumps(policy)
+            try:
+                client_iam.put_role_policy(RoleName=role_name, PolicyName=policy_name, PolicyDocument=policy_string)
+                logger.info(f"✓ Updated policy '{policy_name}' for role '{role_name}'")
+            except ClientError as e:
+                error_code = e.response.get("Error", {}).get("Code", "Unknown")
+                logger.error(f"✗ Failed to update policy '{policy_name}' for role '{role_name}': {error_code}")
+    except Exception as e:
+        logger.error(f"Failed to update IAM role policies: {e}")
+        raise
+def update_policy_document(policy_document):
+    new_policy_document = copy.deepcopy(policy_document)
+    changes = {}
+    for policy_name, policy in new_policy_document.items():
+        for statement in iterate_policy_statement(policy):
+            # Check if 'Action' is '*'
+            if statement["Action"] == "*" and statement["Resource"] != "*" and isinstance(statement["Resource"], str):
+                match = re.search(r"arn:aws:(\w+):", statement["Resource"])
+                if match and set(statement["Action"]) != {f"{match.group(1)}:*"}:
+                    statement["Action"] = f"{match.group(1)}:*"
+                    changes.setdefault(policy_name, []).append(statement["Action"])
+            elif isinstance(statement["Resource"], list) and statement["Action"] == "*":
+                statement["Action"] = []
+                for resource in statement["Resource"]:
+                    match = re.search(r"arn:aws:(\w+):", resource)
+                    if match and set(statement["Action"]) != {f"{match.group(1)}:*"}:
+                        statement["Action"].append(f"{match.group(1)}:*")
+                        changes.setdefault(policy_name, []).append(statement["Action"])
+            # Check if 'Resource' is '*'
+            if statement["Resource"] == "*" and statement["Action"] != "*" and isinstance(statement["Action"], str):
+                match = re.search(r"(\w+):", statement["Action"])
+                if match and set(statement["Resource"]) != {f"arn:aws:{match.group(1)}:*:*:*"}:
+                    statement["Resource"] = f"arn:aws:{match.group(1)}:*:*:*"
+                    changes.setdefault(policy_name, []).append(statement["Resource"])
+            elif isinstance(statement["Action"], list) and statement["Resource"] == "*":
+                statement["Resource"] = []
+                for action in statement["Action"]:
+                    match = re.search(r"(\w+):", action)
+                    if match and set(statement["Resource"]) != {f"arn:aws:{match.group(1)}:*:*:*"}:
+                        statement["Resource"].append(f"arn:aws:{match.group(1)}:*:*:*")
+                        changes.setdefault(policy_name, []).append(statement["Resource"])
+    return changes, new_policy_document
+def iterate_policy_statement(policy):
+    if isinstance(policy["Statement"], list):
+        for statement in policy["Statement"]:
+            yield statement
+    elif isinstance(policy["Statement"], dict):
+        yield policy["Statement"]
+def list_all_lambda_functions(client_lambda):
+    """Generator that yields all Lambda functions with pagination."""
+    try:
+        paginator = client_lambda.get_paginator("list_functions")
+        for page in paginator.paginate():
+            for function in page["Functions"]:
+                yield function
+    except ClientError as e:
+        logger.error(f"Failed to list Lambda functions: {e}")
+        raise
+@click.command()
+@click.option(
+    "--dry-run", is_flag=True, default=True, help="Preview mode - show analysis without making policy changes"
+)
+@click.option("--output-file", default="lambda_functions.csv", help="Output CSV file path")
+@click.option("--days", default=360, help="Number of days to analyze for invocations")
+def list_lambda_functions(dry_run: bool = True, output_file: str = "lambda_functions.csv", days: int = 360):
+    """Analyze Lambda functions, costs, and IAM policies with optimization suggestions."""
+    logger.info(f"Analyzing Lambda functions in {display_aws_account_info()}")
+    try:
+        # Initialize AWS clients
+        client_lambda = get_client("lambda")
+        client_cloudwatch = get_client("cloudwatch")
+        client_iam = get_client("iam")
+        # Get all Lambda functions
+        all_functions = list(list_all_lambda_functions(client_lambda))
+        if not all_functions:
+            logger.info("No Lambda functions found")
+            return
+        logger.info(f"Found {len(all_functions)} Lambda functions to analyze")
+        data = []
+        policy_updates_count = 0
+        # Analyze each function
+        for i, function in enumerate(all_functions, 1):
+            function_name = function["FunctionName"]
+            logger.info(f"Analyzing function {i}/{len(all_functions)}: {function_name}")
+            try:
+                # Get function metrics
+                invocations = get_lambda_invocations(function_name, days)
+                total_duration = get_lambda_total_duration(client_cloudwatch, function_name)
+                memory_size_gb = function["MemorySize"] / 1024  # Convert to GB
+                role_arn = function["Role"]
+                role_name = role_arn.split("/")[-1]
+                warnings = []
+                # Get IAM role policies
+                try:
+                    attached_response = client_iam.list_attached_role_policies(RoleName=role_name)
+                    attached_policies = attached_response.get("AttachedPolicies", [])
+                except ClientError as e:
+                    if e.response.get("Error", {}).get("Code") == "NoSuchEntity":
+                        message = f"Role {role_name} does not exist for function {function_name}"
+                        logger.warning(message)
+                        warnings.append(message)
+                        attached_policies = []
+                    else:
+                        raise
+                try:
+                    inline_response = client_iam.list_role_policies(RoleName=role_name)
+                    inline_policies = inline_response.get("PolicyNames", [])
+                except ClientError as e:
+                    if e.response.get("Error", {}).get("Code") == "NoSuchEntity":
+                        inline_policies = []
+                    else:
+                        raise
+                # Get inline policy documents
+                inline_policy_documents = {}
+                for policy_name in inline_policies:
+                    try:
+                        policy_response = client_iam.get_role_policy(RoleName=role_name, PolicyName=policy_name)
+                        inline_policy_documents[policy_name] = policy_response["PolicyDocument"]
+                    except ClientError as e:
+                        logger.warning(f"Could not get policy '{policy_name}' for role '{role_name}': {e}")
+                # Analyze and potentially update policies
+                changes, new_policy_document = update_policy_document(inline_policy_documents)
+                if changes:
+                    logger.info(f"  → Policy optimization recommendations found for {role_name}")
+                    if not dry_run:
+                        logger.info(f"  → Updating policies for role: {role_name}")
+                        update_iam_role_with_inline_policies(role_name, new_policy_document)
+                        policy_updates_count += 1
+                    else:
+                        logger.info(f"  → DRY-RUN: Would update policies for role: {role_name}")
+                # Calculate cost estimate
+                gb_seconds = (total_duration / 1000) * memory_size_gb
+                cost_estimate = gb_seconds * PRICE_PER_GB_SECOND
+                # Collect function data
+                function_data = {
+                    "FunctionName": function_name,
+                    "Runtime": function.get("Runtime", ""),
+                    "MemorySize": function.get("MemorySize", 0),
+                    "Timeout": function.get("Timeout", 0),
+                    "LastModified": function.get("LastModified", ""),
+                    "Description": function.get("Description", ""),
+                    "Version": function.get("Version", ""),
+                    f"Total Invocations in {days} days": invocations,
+                    "Total Duration 30 days (seconds)": total_duration / 1000,
+                    "Estimated Cost (30 days)": round(cost_estimate, 4),
+                    "IAM Role": role_name,
+                    "Attached Policies Count": len(attached_policies),
+                    "Inline Policies Count": len(inline_policies),
+                    "Policy Optimization": "Changes available" if changes else "No changes needed",
+                    "Warnings": "; ".join(warnings) if warnings else "None",
+                }
+                data.append(function_data)
+            except Exception as e:
+                logger.error(f"  ✗ Failed to analyze function {function_name}: {e}")
+                # Add minimal data for failed analysis
+                data.append({"FunctionName": function_name, "Error": str(e), "Status": "Analysis Failed"})
+        # Export results
+        write_to_csv(data, output_file)
+        logger.info(f"Lambda analysis exported to: {output_file}")
+        # Summary
+        logger.info("\n=== ANALYSIS SUMMARY ===")
+        logger.info(f"Functions analyzed: {len(all_functions)}")
+        logger.info(
+            f"Functions with policy optimizations: {sum(1 for d in data if d.get('Policy Optimization') == 'Changes available')}"
+        )
+        if dry_run and policy_updates_count == 0:
+            policy_candidates = sum(1 for d in data if d.get("Policy Optimization") == "Changes available")
+            if policy_candidates > 0:
+                logger.info(f"To apply {policy_candidates} policy optimizations, run with --no-dry-run")
+        elif not dry_run:
+            logger.info(f"Applied policy updates to {policy_updates_count} roles")
+    except Exception as e:
+        logger.error(f"Failed to analyze Lambda functions: {e}")
+        raise

runbooks 0.6.1__py3-none-any.whl → 0.7.5__py3-none-any.whl

runbooks 0.6.1py3-none-any.whl → 0.7.5py3-none-any.whl