PyPI - runbooks - Versions diffs - 0.7.0__py3-none-any.whl → 0.7.6__py3-none-any.whl - Mend

runbooks 0.7.0py3-none-any.whl → 0.7.6py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (132) hide show

runbooks/__init__.py +87 -37
runbooks/cfat/README.md +300 -49
runbooks/cfat/__init__.py +2 -2
runbooks/finops/__init__.py +1 -1
runbooks/finops/cli.py +1 -1
runbooks/inventory/collectors/__init__.py +8 -0
runbooks/inventory/collectors/aws_management.py +791 -0
runbooks/inventory/collectors/aws_networking.py +3 -3
runbooks/main.py +3389 -782
runbooks/operate/__init__.py +207 -0
runbooks/operate/base.py +311 -0
runbooks/operate/cloudformation_operations.py +619 -0
runbooks/operate/cloudwatch_operations.py +496 -0
runbooks/operate/dynamodb_operations.py +812 -0
runbooks/operate/ec2_operations.py +926 -0
runbooks/operate/iam_operations.py +569 -0
runbooks/operate/s3_operations.py +1211 -0
runbooks/operate/tagging_operations.py +655 -0
runbooks/remediation/CLAUDE.md +100 -0
runbooks/remediation/DOME9.md +218 -0
runbooks/remediation/README.md +26 -0
runbooks/remediation/Tests/__init__.py +0 -0
runbooks/remediation/Tests/update_policy.py +74 -0
runbooks/remediation/__init__.py +95 -0
runbooks/remediation/acm_cert_expired_unused.py +98 -0
runbooks/remediation/acm_remediation.py +875 -0
runbooks/remediation/api_gateway_list.py +167 -0
runbooks/remediation/base.py +643 -0
runbooks/remediation/cloudtrail_remediation.py +908 -0
runbooks/remediation/cloudtrail_s3_modifications.py +296 -0
runbooks/remediation/cognito_active_users.py +78 -0
runbooks/remediation/cognito_remediation.py +856 -0
runbooks/remediation/cognito_user_password_reset.py +163 -0
runbooks/remediation/commons.py +455 -0
runbooks/remediation/dynamodb_optimize.py +155 -0
runbooks/remediation/dynamodb_remediation.py +744 -0
runbooks/remediation/dynamodb_server_side_encryption.py +108 -0
runbooks/remediation/ec2_public_ips.py +134 -0
runbooks/remediation/ec2_remediation.py +892 -0
runbooks/remediation/ec2_subnet_disable_auto_ip_assignment.py +72 -0
runbooks/remediation/ec2_unattached_ebs_volumes.py +448 -0
runbooks/remediation/ec2_unused_security_groups.py +202 -0
runbooks/remediation/kms_enable_key_rotation.py +651 -0
runbooks/remediation/kms_remediation.py +717 -0
runbooks/remediation/lambda_list.py +243 -0
runbooks/remediation/lambda_remediation.py +971 -0
runbooks/remediation/multi_account.py +569 -0
runbooks/remediation/rds_instance_list.py +199 -0
runbooks/remediation/rds_remediation.py +873 -0
runbooks/remediation/rds_snapshot_list.py +192 -0
runbooks/remediation/requirements.txt +118 -0
runbooks/remediation/s3_block_public_access.py +159 -0
runbooks/remediation/s3_bucket_public_access.py +143 -0
runbooks/remediation/s3_disable_static_website_hosting.py +74 -0
runbooks/remediation/s3_downloader.py +215 -0
runbooks/remediation/s3_enable_access_logging.py +562 -0
runbooks/remediation/s3_encryption.py +526 -0
runbooks/remediation/s3_force_ssl_secure_policy.py +143 -0
runbooks/remediation/s3_list.py +141 -0
runbooks/remediation/s3_object_search.py +201 -0
runbooks/remediation/s3_remediation.py +816 -0
runbooks/remediation/scan_for_phrase.py +425 -0
runbooks/remediation/workspaces_list.py +220 -0
runbooks/security/__init__.py +9 -10
runbooks/security/security_baseline_tester.py +4 -2
runbooks-0.7.6.dist-info/METADATA +608 -0
{runbooks-0.7.0.dist-info → runbooks-0.7.6.dist-info}/RECORD +84 -76
{runbooks-0.7.0.dist-info → runbooks-0.7.6.dist-info}/entry_points.txt +0 -1
{runbooks-0.7.0.dist-info → runbooks-0.7.6.dist-info}/top_level.txt +0 -1
jupyter-agent/.env +0 -2
jupyter-agent/.env.template +0 -2
jupyter-agent/.gitattributes +0 -35
jupyter-agent/.gradio/certificate.pem +0 -31
jupyter-agent/README.md +0 -16
jupyter-agent/__main__.log +0 -8
jupyter-agent/app.py +0 -256
jupyter-agent/cloudops-agent.png +0 -0
jupyter-agent/ds-system-prompt.txt +0 -154
jupyter-agent/jupyter-agent.png +0 -0
jupyter-agent/llama3_template.jinja +0 -123
jupyter-agent/requirements.txt +0 -9
jupyter-agent/tmp/4ojbs8a02ir/jupyter-agent.ipynb +0 -68
jupyter-agent/tmp/cm5iasgpm3p/jupyter-agent.ipynb +0 -91
jupyter-agent/tmp/crqbsseag5/jupyter-agent.ipynb +0 -91
jupyter-agent/tmp/hohanq1u097/jupyter-agent.ipynb +0 -57
jupyter-agent/tmp/jns1sam29wm/jupyter-agent.ipynb +0 -53
jupyter-agent/tmp/jupyter-agent.ipynb +0 -27
jupyter-agent/utils.py +0 -409
runbooks/aws/__init__.py +0 -58
runbooks/aws/dynamodb_operations.py +0 -231
runbooks/aws/ec2_copy_image_cross-region.py +0 -195
runbooks/aws/ec2_describe_instances.py +0 -202
runbooks/aws/ec2_ebs_snapshots_delete.py +0 -186
runbooks/aws/ec2_run_instances.py +0 -213
runbooks/aws/ec2_start_stop_instances.py +0 -212
runbooks/aws/ec2_terminate_instances.py +0 -143
runbooks/aws/ec2_unused_eips.py +0 -196
runbooks/aws/ec2_unused_volumes.py +0 -188
runbooks/aws/s3_create_bucket.py +0 -142
runbooks/aws/s3_list_buckets.py +0 -152
runbooks/aws/s3_list_objects.py +0 -156
runbooks/aws/s3_object_operations.py +0 -183
runbooks/aws/tagging_lambda_handler.py +0 -183
runbooks/inventory/FAILED_SCRIPTS_TROUBLESHOOTING.md +0 -619
runbooks/inventory/PASSED_SCRIPTS_GUIDE.md +0 -738
runbooks/inventory/aws_organization.png +0 -0
runbooks/inventory/cfn_move_stack_instances.py +0 -1526
runbooks/inventory/delete_s3_buckets_objects.py +0 -169
runbooks/inventory/lockdown_cfn_stackset_role.py +0 -224
runbooks/inventory/update_aws_actions.py +0 -173
runbooks/inventory/update_cfn_stacksets.py +0 -1215
runbooks/inventory/update_cloudwatch_logs_retention_policy.py +0 -294
runbooks/inventory/update_iam_roles_cross_accounts.py +0 -478
runbooks/inventory/update_s3_public_access_block.py +0 -539
runbooks/organizations/__init__.py +0 -12
runbooks/organizations/manager.py +0 -374
runbooks-0.7.0.dist-info/METADATA +0 -375
/runbooks/inventory/{tests → Tests}/common_test_data.py +0 -0
/runbooks/inventory/{tests → Tests}/common_test_functions.py +0 -0
/runbooks/inventory/{tests → Tests}/script_test_data.py +0 -0
/runbooks/inventory/{tests → Tests}/setup.py +0 -0
/runbooks/inventory/{tests → Tests}/src.py +0 -0
/runbooks/inventory/{tests/test_inventory_modules.py → Tests/test_Inventory_Modules.py} +0 -0
/runbooks/inventory/{tests → Tests}/test_cfn_describe_stacks.py +0 -0
/runbooks/inventory/{tests → Tests}/test_ec2_describe_instances.py +0 -0
/runbooks/inventory/{tests → Tests}/test_lambda_list_functions.py +0 -0
/runbooks/inventory/{tests → Tests}/test_moto_integration_example.py +0 -0
/runbooks/inventory/{tests → Tests}/test_org_list_accounts.py +0 -0
/runbooks/inventory/{Inventory_Modules.py → inventory_modules.py} +0 -0
/runbooks/{aws → operate}/tags.json +0 -0
{runbooks-0.7.0.dist-info → runbooks-0.7.6.dist-info}/WHEEL +0 -0
{runbooks-0.7.0.dist-info → runbooks-0.7.6.dist-info}/licenses/LICENSE +0 -0

runbooks/remediation/cloudtrail_s3_modifications.py ADDED Viewed

@@ -0,0 +1,296 @@
+"""
+🚨 HIGH-RISK: CloudTrail S3 Policy Modifications - Audit trail security operations.
+"""
+import json
+import logging
+from datetime import datetime, timedelta
+import click
+from botocore.exceptions import ClientError
+from .commons import display_aws_account_info, get_client
+logger = logging.getLogger(__name__)
+def apply_policy(policy_json: dict, bucket_name: str, backup_enabled: bool = True):
+    """Apply S3 bucket policy with backup and validation."""
+    try:
+        s3 = get_client("s3")
+        # Backup existing policy before applying new one
+        backup_policy = None
+        if backup_enabled:
+            try:
+                backup_response = s3.get_bucket_policy(Bucket=bucket_name)
+                backup_policy = backup_response["Policy"]
+                logger.info(f"✅ Backed up existing policy for bucket: {bucket_name}")
+            except ClientError as e:
+                if e.response.get("Error", {}).get("Code") != "NoSuchBucketPolicy":
+                    logger.warning(f"Could not backup policy: {e}")
+        # Apply the new policy
+        s3.put_bucket_policy(Bucket=bucket_name, Policy=json.dumps(policy_json))
+        logger.info(f"✅ Applied new policy to bucket: {bucket_name}")
+        return backup_policy
+    except ClientError as e:
+        logger.error(f"❌ Failed to apply policy to bucket '{bucket_name}': {e}")
+        raise
+def get_s3_policy_modifications(user_email, start_time=None, end_time=None):
+    """Search CloudTrail for S3 policy modifications by a specific user."""
+    try:
+        cloudtrail = get_client("cloudtrail")
+        config = get_client("config")
+        # Set default time range if not provided (last 30 days)
+        if not end_time:
+            end_time = datetime.utcnow()
+        if not start_time:
+            start_time = end_time - timedelta(days=30)
+        logger.info(f"🔍 Searching CloudTrail events from {start_time} to {end_time}")
+        # Define CloudTrail LookupEvent parameters
+        event_selector = {
+            "LookupAttributes": [
+                {"AttributeKey": "EventName", "AttributeValue": "PutBucketPolicy"},
+                {"AttributeKey": "ResourceType", "AttributeValue": "AWS::S3::Bucket"},
+            ],
+            "StartTime": start_time,
+            "EndTime": end_time,
+        }
+        response = cloudtrail.lookup_events(**event_selector)
+        events = response.get("Events", [])
+        logger.info(f"Found {len(events)} S3 policy modification events")
+        modifications = []
+        for event in events:
+            try:
+                cloudtrail_event = json.loads(event["CloudTrailEvent"])
+                user_identity = cloudtrail_event.get("userIdentity", {})
+                # Check for modifications by the specified user (multiple ways to match)
+                user_matches = False
+                principal_id = user_identity.get("principalId", "")
+                user_name = user_identity.get("userName", "")
+                arn = user_identity.get("arn", "")
+                if user_email in principal_id or user_email in user_name or user_email in arn:
+                    user_matches = True
+                if user_matches:
+                    # Extract bucket name and policy changes
+                    request_params = cloudtrail_event.get("requestParameters", {})
+                    bucket_name = request_params.get("bucketName")
+                    new_policy = request_params.get("bucketPolicy")
+                    if not bucket_name:
+                        logger.warning(f"No bucket name found in event: {event.get('EventId', 'Unknown')}")
+                        continue
+                    logger.debug(f"Found modification to bucket: {bucket_name}")
+                    # Try to get previous policy from AWS Config
+                    old_policy = None
+                    try:
+                        config_response = config.get_resource_config_history(
+                            resourceType="AWS::S3::Bucket",
+                            resourceId=bucket_name,
+                            laterTime=event["EventTime"],
+                            limit=1,
+                        )
+                        if config_response.get("configurationItems"):
+                            old_config = config_response["configurationItems"][0]
+                            bucket_policy_config = old_config.get("supplementaryConfiguration", {}).get("BucketPolicy")
+                            if bucket_policy_config:
+                                policy_data = json.loads(bucket_policy_config)
+                                if policy_data.get("policyText"):
+                                    old_policy = json.loads(policy_data["policyText"])
+                    except ClientError as e:
+                        error_code = e.response.get("Error", {}).get("Code", "Unknown")
+                        if error_code == "ResourceNotDiscoveredException":
+                            logger.debug(f"Bucket {bucket_name} not tracked in Config")
+                        else:
+                            logger.warning(f"Config query failed for {bucket_name}: {e}")
+                    modification = {
+                        "BucketName": bucket_name,
+                        "NewPolicy": new_policy,
+                        "OldPolicy": old_policy,
+                        "EventTime": event["EventTime"],
+                        "EventId": event.get("EventId"),
+                        "UserIdentity": user_identity,
+                    }
+                    modifications.append(modification)
+            except (json.JSONDecodeError, KeyError) as e:
+                logger.warning(f"Failed to parse CloudTrail event: {e}")
+                continue
+        logger.info(f"Found {len(modifications)} policy modifications by user: {user_email}")
+        return modifications
+    except ClientError as e:
+        logger.error(f"Failed to query CloudTrail: {e}")
+        raise
+@click.command()
+@click.option("--email", required=True, help="User email to check for S3 policy modifications")
+@click.option("--days", default=30, help="Number of days to look back for modifications")
+@click.option("--dry-run", is_flag=True, default=True, help="Preview mode - show analysis without reverting policies")
+@click.option("--confirm", is_flag=True, help="Skip confirmation prompts (dangerous!)")
+def cloudtrail_s3_modifications(email, days, dry_run, confirm):
+    """🚨 HIGH-RISK: Analyze and potentially revert S3 policy modifications from CloudTrail."""
+    # HIGH-RISK OPERATION WARNING
+    if not dry_run and not confirm:
+        logger.warning("🚨 HIGH-RISK OPERATION: S3 Policy Reversion")
+        logger.warning("This operation can modify S3 bucket policies based on CloudTrail analysis")
+        if not click.confirm("Do you want to continue?"):
+            logger.info("Operation cancelled by user")
+            return
+    logger.info(f"🔍 CloudTrail S3 policy analysis in {display_aws_account_info()}")
+    logger.info(f"Analyzing modifications by user: {email}")
+    logger.info(f"Looking back {days} days")
+    try:
+        # Set time range
+        end_time = datetime.utcnow()
+        start_time = end_time - timedelta(days=days)
+        # Get policy modifications
+        policy_changes = get_s3_policy_modifications(email, start_time, end_time)
+        if not policy_changes:
+            logger.info(f"✅ No S3 bucket policy modifications found for user: {email}")
+            return
+        logger.warning(f"⚠ Found {len(policy_changes)} policy modifications")
+        # Analyze each modification
+        reversion_candidates = []
+        for i, change in enumerate(policy_changes, 1):
+            bucket_name = change["BucketName"]
+            event_time = change["EventTime"]
+            event_id = change.get("EventId", "Unknown")
+            logger.info(f"\n📋 Modification {i}/{len(policy_changes)}:")
+            logger.info(f"  Bucket: {bucket_name}")
+            logger.info(f"  Event Time: {event_time}")
+            logger.info(f"  Event ID: {event_id}")
+            # Show user identity details
+            user_identity = change.get("UserIdentity", {})
+            logger.info(f"  User Type: {user_identity.get('type', 'Unknown')}")
+            logger.info(f"  Principal ID: {user_identity.get('principalId', 'Unknown')}")
+            # Analyze policy changes
+            new_policy = change.get("NewPolicy")
+            old_policy = change.get("OldPolicy")
+            if old_policy:
+                logger.info(f"  ✅ Previous policy found - reversion possible")
+                # Check if current policy still matches the problematic one
+                try:
+                    s3 = get_client("s3")
+                    current_response = s3.get_bucket_policy(Bucket=bucket_name)
+                    current_policy = json.loads(current_response["Policy"])
+                    # Simple comparison - check if old policy statements are missing
+                    old_statements = old_policy.get("Statement", [])
+                    current_statements = current_policy.get("Statement", [])
+                    missing_statements = []
+                    for old_stmt in old_statements:
+                        if old_stmt not in current_statements:
+                            missing_statements.append(old_stmt)
+                    if missing_statements:
+                        logger.warning(f"  ⚠ {len(missing_statements)} policy statements appear to be missing")
+                        reversion_candidates.append(
+                            {
+                                "bucket": bucket_name,
+                                "old_policy": old_policy,
+                                "current_policy": current_policy,
+                                "missing_statements": missing_statements,
+                                "event_time": event_time,
+                            }
+                        )
+                    else:
+                        logger.info(f"  ✓ Current policy appears to include previous statements")
+                except ClientError as e:
+                    error_code = e.response.get("Error", {}).get("Code", "Unknown")
+                    if error_code == "NoSuchBucketPolicy":
+                        logger.warning(f"  ⚠ Bucket currently has no policy")
+                    else:
+                        logger.error(f"  ❌ Failed to get current policy: {e}")
+            else:
+                logger.warning(f"  ⚠ No previous policy found - cannot revert")
+            # Show policy details if verbose
+            logger.debug(f"  New Policy: {json.dumps(new_policy, indent=2) if new_policy else 'None'}")
+            logger.debug(f"  Old Policy: {json.dumps(old_policy, indent=2) if old_policy else 'None'}")
+        # Summary and reversion
+        logger.info(f"\n=== ANALYSIS SUMMARY ===")
+        logger.info(f"Total modifications found: {len(policy_changes)}")
+        logger.info(f"Buckets eligible for reversion: {len(reversion_candidates)}")
+        if reversion_candidates:
+            logger.warning(f"⚠ {len(reversion_candidates)} buckets have potential policy issues")
+            if dry_run:
+                logger.info("DRY-RUN: Would attempt to revert the following buckets:")
+                for candidate in reversion_candidates:
+                    logger.info(f"  - {candidate['bucket']} (modified: {candidate['event_time']})")
+                logger.info("To perform actual reversion, run with --no-dry-run")
+            else:
+                # Perform reversions with confirmation
+                for candidate in reversion_candidates:
+                    bucket_name = candidate["bucket"]
+                    old_policy = candidate["old_policy"]
+                    if not confirm:
+                        logger.warning(f"\n🚨 REVERT BUCKET POLICY:")
+                        logger.warning(f"  Bucket: {bucket_name}")
+                        logger.warning(f"  Event Time: {candidate['event_time']}")
+                        if not click.confirm(f"Revert policy for bucket {bucket_name}?"):
+                            logger.info(f"Skipped reversion for {bucket_name}")
+                            continue
+                    logger.info(f"🔄 Reverting policy for bucket: {bucket_name}")
+                    try:
+                        backup_policy = apply_policy(old_policy, bucket_name, backup_enabled=True)
+                        logger.info(f"✅ Successfully reverted policy for: {bucket_name}")
+                        # Log the reversion for audit
+                        logger.info(f"🔍 Audit: Policy reversion completed")
+                        logger.info(f"  Bucket: {bucket_name}")
+                        logger.info(f"  Original Event Time: {candidate['event_time']}")
+                    except Exception as e:
+                        logger.error(f"❌ Failed to revert policy for {bucket_name}: {e}")
+        else:
+            logger.info("✅ No policy reversions needed")
+    except Exception as e:
+        logger.error(f"❌ CloudTrail analysis failed: {e}")
+        raise

runbooks/remediation/cognito_active_users.py ADDED Viewed

@@ -0,0 +1,78 @@
+"""
+Cognito User Analysis - List active users in Cognito User Pools.
+"""
+import logging
+import click
+from botocore.exceptions import ClientError
+from .commons import get_client, write_to_csv
+logger = logging.getLogger(__name__)
+@click.command()
+@click.option("--user-pool-id", prompt="User Pool ID", help="The ID of the Cognito User Pool")
+@click.option("--output-file", default="cognito_active_users.csv", help="Output CSV file path")
+def get_active_users_in_cognito_pool(user_pool_id, output_file):
+    """Get active users in a Cognito User Pool and export to CSV."""
+    logger.info(f"Getting active users from Cognito User Pool: {user_pool_id}")
+    try:
+        client_cognito = get_client("cognito-idp")
+        # Get active users (enabled status)
+        response = client_cognito.list_users(UserPoolId=user_pool_id, Filter='status="Enabled"')
+        users = response.get("Users", [])
+        if not users:
+            logger.info("No active users found in the user pool")
+            return
+        logger.info(f"Found {len(users)} active users")
+        # Process user data
+        user_data = []
+        for user in users:
+            user_info = {
+                "username": user.get("Username", ""),
+                "status": user.get("UserStatus", ""),
+                "created_at": user["UserCreateDate"].isoformat() if "UserCreateDate" in user else "",
+                "last_modified_at": user["UserLastModifiedDate"].isoformat() if "UserLastModifiedDate" in user else "",
+                "enabled": user.get("Enabled", False),
+                "email_verified": False,
+                "phone_verified": False,
+            }
+            # Extract email and phone verification status from attributes
+            for attr in user.get("Attributes", []):
+                if attr.get("Name") == "email_verified":
+                    user_info["email_verified"] = attr.get("Value") == "true"
+                elif attr.get("Name") == "phone_number_verified":
+                    user_info["phone_verified"] = attr.get("Value") == "true"
+            user_data.append(user_info)
+            logger.debug(f"Processed user: {user_info['username']}")
+        # Export to CSV
+        write_to_csv(user_data, output_file)
+        logger.info(f"User data exported to: {output_file}")
+        # Summary
+        enabled_count = sum(1 for u in user_data if u["enabled"])
+        email_verified_count = sum(1 for u in user_data if u["email_verified"])
+        logger.info(f"Summary: {enabled_count} enabled users, {email_verified_count} with verified emails")
+    except ClientError as e:
+        error_code = e.response.get("Error", {}).get("Code", "Unknown")
+        if error_code == "ResourceNotFoundException":
+            logger.error(f"User pool not found: {user_pool_id}")
+        else:
+            logger.error(f"Failed to get Cognito users: {e}")
+        raise
+    except Exception as e:
+        logger.error(f"Unexpected error: {e}")
+        raise

runbooks 0.7.0__py3-none-any.whl → 0.7.6__py3-none-any.whl

runbooks 0.7.0py3-none-any.whl → 0.7.6py3-none-any.whl