PyPI - runbooks - Versions diffs - 0.7.0__py3-none-any.whl → 0.7.5__py3-none-any.whl - Mend

runbooks 0.7.0py3-none-any.whl → 0.7.5py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (100) hide show

runbooks/__init__.py +87 -37
runbooks/cfat/README.md +300 -49
runbooks/cfat/__init__.py +2 -2
runbooks/finops/__init__.py +1 -1
runbooks/finops/cli.py +1 -1
runbooks/inventory/collectors/__init__.py +8 -0
runbooks/inventory/collectors/aws_management.py +791 -0
runbooks/inventory/collectors/aws_networking.py +3 -3
runbooks/main.py +3389 -782
runbooks/operate/__init__.py +207 -0
runbooks/operate/base.py +311 -0
runbooks/operate/cloudformation_operations.py +619 -0
runbooks/operate/cloudwatch_operations.py +496 -0
runbooks/operate/dynamodb_operations.py +812 -0
runbooks/operate/ec2_operations.py +926 -0
runbooks/operate/iam_operations.py +569 -0
runbooks/operate/s3_operations.py +1211 -0
runbooks/operate/tagging_operations.py +655 -0
runbooks/remediation/CLAUDE.md +100 -0
runbooks/remediation/DOME9.md +218 -0
runbooks/remediation/README.md +26 -0
runbooks/remediation/Tests/__init__.py +0 -0
runbooks/remediation/Tests/update_policy.py +74 -0
runbooks/remediation/__init__.py +95 -0
runbooks/remediation/acm_cert_expired_unused.py +98 -0
runbooks/remediation/acm_remediation.py +875 -0
runbooks/remediation/api_gateway_list.py +167 -0
runbooks/remediation/base.py +643 -0
runbooks/remediation/cloudtrail_remediation.py +908 -0
runbooks/remediation/cloudtrail_s3_modifications.py +296 -0
runbooks/remediation/cognito_active_users.py +78 -0
runbooks/remediation/cognito_remediation.py +856 -0
runbooks/remediation/cognito_user_password_reset.py +163 -0
runbooks/remediation/commons.py +455 -0
runbooks/remediation/dynamodb_optimize.py +155 -0
runbooks/remediation/dynamodb_remediation.py +744 -0
runbooks/remediation/dynamodb_server_side_encryption.py +108 -0
runbooks/remediation/ec2_public_ips.py +134 -0
runbooks/remediation/ec2_remediation.py +892 -0
runbooks/remediation/ec2_subnet_disable_auto_ip_assignment.py +72 -0
runbooks/remediation/ec2_unattached_ebs_volumes.py +448 -0
runbooks/remediation/ec2_unused_security_groups.py +202 -0
runbooks/remediation/kms_enable_key_rotation.py +651 -0
runbooks/remediation/kms_remediation.py +717 -0
runbooks/remediation/lambda_list.py +243 -0
runbooks/remediation/lambda_remediation.py +971 -0
runbooks/remediation/multi_account.py +569 -0
runbooks/remediation/rds_instance_list.py +199 -0
runbooks/remediation/rds_remediation.py +873 -0
runbooks/remediation/rds_snapshot_list.py +192 -0
runbooks/remediation/requirements.txt +118 -0
runbooks/remediation/s3_block_public_access.py +159 -0
runbooks/remediation/s3_bucket_public_access.py +143 -0
runbooks/remediation/s3_disable_static_website_hosting.py +74 -0
runbooks/remediation/s3_downloader.py +215 -0
runbooks/remediation/s3_enable_access_logging.py +562 -0
runbooks/remediation/s3_encryption.py +526 -0
runbooks/remediation/s3_force_ssl_secure_policy.py +143 -0
runbooks/remediation/s3_list.py +141 -0
runbooks/remediation/s3_object_search.py +201 -0
runbooks/remediation/s3_remediation.py +816 -0
runbooks/remediation/scan_for_phrase.py +425 -0
runbooks/remediation/workspaces_list.py +220 -0
runbooks/security/__init__.py +9 -10
runbooks/security/security_baseline_tester.py +4 -2
runbooks-0.7.5.dist-info/METADATA +606 -0
{runbooks-0.7.0.dist-info → runbooks-0.7.5.dist-info}/RECORD +72 -44
{runbooks-0.7.0.dist-info → runbooks-0.7.5.dist-info}/entry_points.txt +0 -1
runbooks/aws/__init__.py +0 -58
runbooks/aws/dynamodb_operations.py +0 -231
runbooks/aws/ec2_copy_image_cross-region.py +0 -195
runbooks/aws/ec2_describe_instances.py +0 -202
runbooks/aws/ec2_ebs_snapshots_delete.py +0 -186
runbooks/aws/ec2_run_instances.py +0 -213
runbooks/aws/ec2_start_stop_instances.py +0 -212
runbooks/aws/ec2_terminate_instances.py +0 -143
runbooks/aws/ec2_unused_eips.py +0 -196
runbooks/aws/ec2_unused_volumes.py +0 -188
runbooks/aws/s3_create_bucket.py +0 -142
runbooks/aws/s3_list_buckets.py +0 -152
runbooks/aws/s3_list_objects.py +0 -156
runbooks/aws/s3_object_operations.py +0 -183
runbooks/aws/tagging_lambda_handler.py +0 -183
runbooks/inventory/FAILED_SCRIPTS_TROUBLESHOOTING.md +0 -619
runbooks/inventory/PASSED_SCRIPTS_GUIDE.md +0 -738
runbooks/inventory/cfn_move_stack_instances.py +0 -1526
runbooks/inventory/delete_s3_buckets_objects.py +0 -169
runbooks/inventory/lockdown_cfn_stackset_role.py +0 -224
runbooks/inventory/update_aws_actions.py +0 -173
runbooks/inventory/update_cfn_stacksets.py +0 -1215
runbooks/inventory/update_cloudwatch_logs_retention_policy.py +0 -294
runbooks/inventory/update_iam_roles_cross_accounts.py +0 -478
runbooks/inventory/update_s3_public_access_block.py +0 -539
runbooks/organizations/__init__.py +0 -12
runbooks/organizations/manager.py +0 -374
runbooks-0.7.0.dist-info/METADATA +0 -375
/runbooks/{aws → operate}/tags.json +0 -0
{runbooks-0.7.0.dist-info → runbooks-0.7.5.dist-info}/WHEEL +0 -0
{runbooks-0.7.0.dist-info → runbooks-0.7.5.dist-info}/licenses/LICENSE +0 -0
{runbooks-0.7.0.dist-info → runbooks-0.7.5.dist-info}/top_level.txt +0 -0

runbooks/remediation/acm_cert_expired_unused.py ADDED Viewed

@@ -0,0 +1,98 @@
+"""
+ACM Certificate Cleanup - Remove expired and unused SSL certificates.
+"""
+import logging
+import click
+from botocore.exceptions import ClientError
+from .commons import display_aws_account_info, get_client
+logger = logging.getLogger(__name__)
+@click.command()
+@click.option("--dry-run", is_flag=True, default=True, help="Preview mode - show actions without making changes")
+def clean_acm_certificates(dry_run):
+    """Clean up expired and unused ACM certificates."""
+    logger.info(f"Cleaning ACM certificates in {display_aws_account_info()}")
+    try:
+        acm_client = get_client("acm")
+        # Get all certificates
+        response = acm_client.list_certificates()
+        certificates = response.get("CertificateSummaryList", [])
+        if not certificates:
+            logger.info("No ACM certificates found")
+            return
+        logger.info(f"Found {len(certificates)} certificates to check")
+        # Track results
+        expired_unused = []
+        expired_in_use = []
+        unused_valid = []
+        certificates_deleted = []
+        # Check each certificate
+        for cert in certificates:
+            cert_arn = cert["CertificateArn"]
+            cert_status = cert.get("Status", "Unknown")
+            cert_in_use = cert.get("InUse", False)
+            logger.info(f"Certificate: {cert_arn[:50]}...")
+            logger.info(f"  Status: {cert_status}, In Use: {cert_in_use}")
+            # Categorize certificates
+            if cert_status == "EXPIRED" and not cert_in_use:
+                expired_unused.append(cert_arn)
+                logger.info(f"  → Expired and unused - candidate for deletion")
+                # Delete if not in dry-run mode
+                if not dry_run:
+                    try:
+                        acm_client.delete_certificate(CertificateArn=cert_arn)
+                        certificates_deleted.append(cert_arn)
+                        logger.info(f"  ✓ Successfully deleted")
+                    except ClientError as e:
+                        logger.error(f"  ✗ Failed to delete: {e}")
+            elif cert_status == "EXPIRED" and cert_in_use:
+                expired_in_use.append(cert_arn)
+                logger.info(f"  ⚠ Expired but still in use - requires manual review")
+            elif not cert_in_use and cert_status in ["ISSUED", "PENDING_VALIDATION"]:
+                unused_valid.append(cert_arn)
+                logger.info(f"  ⚠ Valid but unused - consider for cleanup")
+            else:
+                logger.info(f"  ✓ Active certificate")
+        # Summary
+        logger.info("\n=== SUMMARY ===")
+        logger.info(f"Total certificates: {len(certificates)}")
+        logger.info(f"Expired & unused: {len(expired_unused)}")
+        logger.info(f"Expired but in use: {len(expired_in_use)}")
+        logger.info(f"Valid but unused: {len(unused_valid)}")
+        if dry_run and expired_unused:
+            logger.info(f"To delete {len(expired_unused)} expired certificates, run with --no-dry-run")
+        elif not dry_run:
+            logger.info(f"Successfully deleted {len(certificates_deleted)} certificates")
+        if expired_in_use:
+            logger.warning(f"⚠ {len(expired_in_use)} expired certificates are still in use - manual review needed")
+    except ClientError as e:
+        logger.error(f"Failed to process ACM certificates: {e}")
+        raise
+    except Exception as e:
+        logger.error(f"Unexpected error: {e}")
+        raise
+if __name__ == "__main__":
+    clean_acm_certificates()

runbooks 0.7.0__py3-none-any.whl → 0.7.5__py3-none-any.whl

runbooks 0.7.0py3-none-any.whl → 0.7.5py3-none-any.whl