runbooks 0.7.0__py3-none-any.whl → 0.7.6__py3-none-any.whl

runbooks/remediation/dynamodb_server_side_encryption.py

@@ -0,0 +1,108 @@
+"""
+DynamoDB Server-Side Encryption - Enable encryption at rest for all tables.
+"""
+
+import logging
+
+import click
+from botocore.exceptions import ClientError
+
+from .commons import display_aws_account_info, get_client, list_tables
+
+logger = logging.getLogger(__name__)
+
+
+def get_table_sse_status(table_name):
+    """Check if DynamoDB table has server-side encryption enabled."""
+    try:
+        dynamodb = get_client("dynamodb")
+        response = dynamodb.describe_table(TableName=table_name)
+        sse_description = response["Table"].get("SSEDescription")
+
+        if sse_description and sse_description.get("Status") == "ENABLED":
+            logger.debug(f"Table '{table_name}' has SSE enabled")
+            return sse_description
+        else:
+            logger.debug(f"Table '{table_name}' does not have SSE enabled")
+            return None
+
+    except ClientError as e:
+        logger.error(f"Failed to get SSE status for table '{table_name}': {e}")
+        return None
+
+
+def enable_table_sse(table_name):
+    """Enable server-side encryption for DynamoDB table using AWS managed key."""
+    kms_key_id = "alias/aws/dynamodb"  # Use AWS managed key for DynamoDB
+
+    try:
+        dynamodb = get_client("dynamodb")
+        dynamodb.update_table(
+            TableName=table_name,
+            SSESpecification={
+                "Enabled": True,
+                "SSEType": "KMS",
+                "KMSMasterKeyId": kms_key_id,
+            },
+        )
+        logger.info(f"Enabled SSE for table '{table_name}' with AWS managed key")
+        return True
+
+    except ClientError as e:
+        logger.error(f"Failed to enable SSE for table '{table_name}': {e}")
+        return False
+
+
+@click.command()
+@click.option("--dry-run", is_flag=True, default=True, help="Preview mode - show actions without making changes")
+def dynamodb_server_side_encryption(dry_run=True):
+    """Check and enable server-side encryption for all DynamoDB tables."""
+    logger.info(f"Checking DynamoDB encryption in {display_aws_account_info()}")
+
+    try:
+        table_names = list_tables()
+        if not table_names:
+            logger.info("No DynamoDB tables found")
+            return
+
+        logger.info(f"Found {len(table_names)} tables to check")
+
+        # Track results
+        tables_with_sse = []
+        tables_without_sse = []
+        tables_updated = []
+
+        # Check each table
+        for table_name in table_names:
+            logger.info(f"Checking table: {table_name}")
+            sse_status = get_table_sse_status(table_name)
+
+            if sse_status:
+                tables_with_sse.append(table_name)
+                logger.info(f"  ✓ SSE already enabled")
+            else:
+                tables_without_sse.append(table_name)
+                logger.info(f"  ✗ SSE not enabled")
+
+                # Enable SSE if not in dry-run mode
+                if not dry_run:
+                    logger.info(f"  → Enabling SSE for table '{table_name}'...")
+                    if enable_table_sse(table_name):
+                        tables_updated.append(table_name)
+                        logger.info(f"  ✓ Successfully enabled SSE")
+                    else:
+                        logger.error(f"  ✗ Failed to enable SSE")
+
+        # Summary
+        logger.info("\n=== SUMMARY ===")
+        logger.info(f"Tables with SSE: {len(tables_with_sse)}")
+        logger.info(f"Tables without SSE: {len(tables_without_sse)}")
+
+        if dry_run and tables_without_sse:
+            logger.info(f"To enable SSE on {len(tables_without_sse)} tables, run with --no-dry-run")
+        elif not dry_run:
+            logger.info(f"Successfully enabled SSE on {len(tables_updated)} tables")
+
+    except Exception as e:
+        logger.error(f"Failed to process DynamoDB encryption: {e}")
+        raise

runbooks/remediation/ec2_public_ips.py

@@ -0,0 +1,134 @@
+"""
+EC2 Public IP Analysis - Identify instances with public IP addresses.
+"""
+
+import logging
+from typing import Any, Dict, List
+
+import click
+from botocore.exceptions import ClientError
+
+from .commons import display_aws_account_info, get_client
+
+logger = logging.getLogger(__name__)
+
+
+def is_vpc_public(vpc_id: str) -> bool:
+    """Check if VPC has internet connectivity (IGW or NAT gateway)."""
+    try:
+        ec2 = get_client("ec2")
+
+        # Check for internet gateway attached to VPC
+        igw_response = ec2.describe_internet_gateways(Filters=[{"Name": "attachment.vpc-id", "Values": [vpc_id]}])
+        has_igw = len(igw_response.get("InternetGateways", [])) > 0
+
+        # Check for NAT gateways in VPC
+        nat_response = ec2.describe_nat_gateways(Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])
+        has_nat = any(gw.get("State") == "available" for gw in nat_response.get("NatGateways", []))
+
+        return has_igw or has_nat
+
+    except ClientError as e:
+        logger.error(f"Failed to check VPC connectivity for {vpc_id}: {e}")
+        return False
+
+
+def get_instance_public_ips(instance: Dict[str, Any]) -> List[str]:
+    """Get all public IP addresses and DNS names for an EC2 instance."""
+    public_ips = set()
+
+    # Instance-level public IP and DNS
+    if instance.get("PublicIpAddress"):
+        public_ips.add(instance["PublicIpAddress"])
+    if instance.get("PublicDnsName") and instance["PublicDnsName"]:
+        public_ips.add(instance["PublicDnsName"])
+
+    # Network interface public IPs and DNS
+    for interface in instance.get("NetworkInterfaces", []):
+        association = interface.get("Association", {})
+        if association.get("PublicIp"):
+            public_ips.add(association["PublicIp"])
+        if association.get("PublicDnsName") and association["PublicDnsName"]:
+            public_ips.add(association["PublicDnsName"])
+
+    return list(public_ips)
+
+
+@click.command()
+@click.option("--instance-id", multiple=True, help="Specific instance IDs to check (checks all if not provided)")
+@click.option("--show-private", is_flag=True, help="Also show instances without public IPs")
+def get_public_ips(instance_id: tuple, show_private: bool):
+    """Analyze EC2 instances for public IP addresses and VPC connectivity."""
+    logger.info(f"Analyzing EC2 public IPs in {display_aws_account_info()}")
+
+    try:
+        ec2 = get_client("ec2")
+
+        # Build query filters
+        if instance_id:
+            logger.info(f"Checking specific instances: {list(instance_id)}")
+            response = ec2.describe_instances(Filters=[{"Name": "instance-id", "Values": list(instance_id)}])
+        else:
+            logger.info("Checking all EC2 instances")
+            response = ec2.describe_instances()
+
+        # Track results
+        instances_with_public_ips = []
+        instances_without_public_ips = []
+        total_instances = 0
+
+        # Process all instances
+        for reservation in response["Reservations"]:
+            for instance in reservation["Instances"]:
+                total_instances += 1
+                instance_id = instance["InstanceId"]
+                instance_state = instance.get("State", {}).get("Name", "unknown")
+                vpc_id = instance.get("VpcId", "unknown")
+
+                # Get public IPs for this instance
+                public_ips = get_instance_public_ips(instance)
+                vpc_is_public = is_vpc_public(vpc_id)
+
+                instance_info = {
+                    "instance_id": instance_id,
+                    "state": instance_state,
+                    "vpc_id": vpc_id,
+                    "public_ips": public_ips,
+                    "vpc_has_internet": vpc_is_public,
+                }
+
+                if public_ips:
+                    instances_with_public_ips.append(instance_info)
+                    logger.info(f"Instance {instance_id} ({instance_state})")
+                    logger.info(f"  Public IPs: {', '.join(public_ips)}")
+                    logger.info(f"  VPC {vpc_id} has internet: {vpc_is_public}")
+                else:
+                    instances_without_public_ips.append(instance_info)
+                    if show_private:
+                        logger.info(f"Instance {instance_id} ({instance_state})")
+                        logger.info(f"  No public IPs")
+                        logger.info(f"  VPC {vpc_id} has internet: {vpc_is_public}")
+
+        # Summary
+        logger.info("\n=== SUMMARY ===")
+        logger.info(f"Total instances: {total_instances}")
+        logger.info(f"Instances with public IPs: {len(instances_with_public_ips)}")
+        logger.info(f"Instances without public IPs: {len(instances_without_public_ips)}")
+
+        if instances_with_public_ips:
+            logger.warning(f"⚠ {len(instances_with_public_ips)} instances have public IP addresses")
+            logger.info("Review these instances for security implications")
+
+        if not show_private and instances_without_public_ips:
+            logger.info(f"Use --show-private to see {len(instances_without_public_ips)} instances without public IPs")
+
+    except ClientError as e:
+        logger.error(f"Failed to describe EC2 instances: {e}")
+        raise
+    except Exception as e:
+        logger.error(f"Unexpected error: {e}")
+        raise
+
+
+if __name__ == "__main__":
+    get_public_ips()