runbooks 0.7.6__py3-none-any.whl → 0.7.9__py3-none-any.whl

runbooks/security/compliance_automation.py

@@ -0,0 +1,632 @@
+#!/usr/bin/env python3
+"""
+Enterprise Security Compliance Automation Module
+
+Advanced compliance automation for multi-account AWS environments with
+zero-downtime security updates and continuous compliance monitoring.
+
+Enhanced features for Option B: Security Compliance Automation:
+- Automated security baseline enforcement
+- Multi-language compliance reports
+- Zero-downtime security updates
+- Continuous compliance monitoring
+- Enterprise security compliance frameworks
+
+Author: CloudOps Security Team
+Date: 2025-01-21
+Version: 1.0.0 - Advanced Compliance Automation
+"""
+
+import json
+import logging
+from datetime import datetime, timedelta
+from typing import Any, Dict, List, Optional, Tuple
+
+import boto3
+from botocore.exceptions import ClientError
+
+from .security_baseline_tester import SecurityBaselineTester
+from .utils import common, language
+
+
+class ComplianceAutomation:
+    """
+    Enterprise security compliance automation with zero-downtime deployment.
+
+    Provides automated enforcement of security baselines across multi-account
+    environments with comprehensive compliance monitoring and reporting.
+    """
+
+    def __init__(self, profile: str = "default", region: str = "us-east-1"):
+        self.profile = profile
+        self.region = region
+        self.session = self._create_session()
+        self.compliance_frameworks = {
+            "aws_well_architected": self._load_wa_framework(),
+            "soc2": self._load_soc2_framework(),
+            "enterprise_baseline": self._load_enterprise_framework(),
+        }
+
+    def _create_session(self):
+        """Create authenticated AWS session."""
+        if self.profile == "default":
+            return boto3.Session()
+        return boto3.Session(profile_name=self.profile)
+
+    def _load_wa_framework(self) -> Dict[str, Any]:
+        """Load AWS Well-Architected security framework requirements."""
+        return {
+            "name": "AWS Well-Architected Security Pillar",
+            "version": "2024.1",
+            "requirements": [
+                {
+                    "id": "SEC.1",
+                    "title": "Identity and Access Management",
+                    "checks": ["root_mfa", "iam_user_mfa", "iam_password_policy"],
+                    "severity": "critical",
+                    "automation_priority": 1,
+                },
+                {
+                    "id": "SEC.2",
+                    "title": "Detective Controls",
+                    "checks": ["guardduty_enabled", "trail_enabled", "cloudwatch_alarm_configuration"],
+                    "severity": "high",
+                    "automation_priority": 2,
+                },
+                {
+                    "id": "SEC.3",
+                    "title": "Infrastructure Protection",
+                    "checks": ["bucket_public_access", "account_level_bucket_public_access"],
+                    "severity": "high",
+                    "automation_priority": 2,
+                },
+            ],
+        }
+
+    def _load_soc2_framework(self) -> Dict[str, Any]:
+        """Load SOC2 compliance framework requirements."""
+        return {
+            "name": "SOC 2 Type II",
+            "version": "2023",
+            "requirements": [
+                {
+                    "id": "CC6.1",
+                    "title": "Logical and Physical Access Controls",
+                    "checks": ["root_mfa", "iam_user_mfa", "root_access_key"],
+                    "severity": "critical",
+                    "automation_priority": 1,
+                },
+                {
+                    "id": "CC6.7",
+                    "title": "Data Transmission and Disposal",
+                    "checks": ["bucket_public_access", "multi_region_trail"],
+                    "severity": "high",
+                    "automation_priority": 2,
+                },
+            ],
+        }
+
+    def _load_enterprise_framework(self) -> Dict[str, Any]:
+        """Load enterprise-specific security framework."""
+        return {
+            "name": "Enterprise Security Baseline",
+            "version": "1.0.0",
+            "requirements": [
+                {
+                    "id": "ENT.1",
+                    "title": "Multi-Account Security",
+                    "checks": ["alternate_contacts", "trusted_advisor", "multi_region_instance_usage"],
+                    "severity": "medium",
+                    "automation_priority": 3,
+                }
+            ],
+        }
+
+    def assess_compliance_status(self, framework: str = "enterprise_baseline", language: str = "en") -> Dict[str, Any]:
+        """
+        Assess current compliance status against specified framework.
+
+        Args:
+            framework: Compliance framework to assess against
+            language: Language code for reports (en, jp, kr, vn)
+
+        Returns:
+            Comprehensive compliance assessment results
+        """
+        logging.info(f"Starting compliance assessment for framework: {framework}")
+
+        if framework not in self.compliance_frameworks:
+            raise ValueError(f"Unsupported framework: {framework}")
+
+        framework_config = self.compliance_frameworks[framework]
+
+        # Run security baseline tests
+        tester = SecurityBaselineTester(
+            profile=self.profile,
+            lang_code=language,
+            output_dir=f"/tmp/compliance_{datetime.now().strftime('%Y%m%d_%H%M%S')}",
+        )
+
+        # Execute assessment
+        account_id, baseline_results = tester._execute_tests()
+
+        # Analyze results against framework requirements
+        compliance_analysis = self._analyze_compliance_results(baseline_results, framework_config)
+
+        # Generate compliance score
+        compliance_score = self._calculate_compliance_score(compliance_analysis)
+
+        return {
+            "assessment_timestamp": datetime.now().isoformat(),
+            "account_id": account_id,
+            "framework": framework_config,
+            "compliance_score": compliance_score,
+            "compliance_analysis": compliance_analysis,
+            "recommendations": self._generate_remediation_plan(compliance_analysis),
+            "language": language,
+        }
+
+    def _analyze_compliance_results(self, baseline_results: List[Dict], framework_config: Dict) -> Dict[str, Any]:
+        """Analyze baseline test results against framework requirements."""
+        analysis = {
+            "requirements_status": {},
+            "failed_checks": [],
+            "critical_findings": [],
+            "automation_candidates": [],
+        }
+
+        # Create lookup for baseline results
+        results_lookup = {result.get("check_name", ""): result for result in baseline_results}
+
+        for requirement in framework_config["requirements"]:
+            req_id = requirement["id"]
+            req_status = {
+                "title": requirement["title"],
+                "severity": requirement["severity"],
+                "checks_results": [],
+                "compliance_status": "compliant",
+            }
+
+            for check_name in requirement["checks"]:
+                check_result = results_lookup.get(check_name, {})
+                req_status["checks_results"].append(check_result)
+
+                # If any check failed, requirement is non-compliant
+                if check_result.get("status") == "FAIL":
+                    req_status["compliance_status"] = "non_compliant"
+                    analysis["failed_checks"].append(
+                        {"requirement_id": req_id, "check_name": check_name, "check_result": check_result}
+                    )
+
+                    if requirement["severity"] == "critical":
+                        analysis["critical_findings"].append(
+                            {
+                                "requirement_id": req_id,
+                                "check_name": check_name,
+                                "severity": "critical",
+                                "automation_priority": requirement["automation_priority"],
+                            }
+                        )
+
+                    # Add to automation candidates if high priority
+                    if requirement["automation_priority"] <= 2:
+                        analysis["automation_candidates"].append(
+                            {
+                                "requirement_id": req_id,
+                                "check_name": check_name,
+                                "automation_priority": requirement["automation_priority"],
+                                "estimated_fix_time": self._estimate_fix_time(check_name),
+                            }
+                        )
+
+            analysis["requirements_status"][req_id] = req_status
+
+        return analysis
+
+    def _calculate_compliance_score(self, analysis: Dict[str, Any]) -> Dict[str, float]:
+        """Calculate overall compliance score and breakdown."""
+        total_requirements = len(analysis["requirements_status"])
+        compliant_requirements = sum(
+            1 for req in analysis["requirements_status"].values() if req["compliance_status"] == "compliant"
+        )
+
+        overall_score = (compliant_requirements / total_requirements) * 100 if total_requirements > 0 else 0
+
+        # Calculate severity-based scores
+        critical_total = sum(1 for req in analysis["requirements_status"].values() if req["severity"] == "critical")
+        critical_compliant = sum(
+            1
+            for req in analysis["requirements_status"].values()
+            if req["severity"] == "critical" and req["compliance_status"] == "compliant"
+        )
+        critical_score = (critical_compliant / critical_total) * 100 if critical_total > 0 else 100
+
+        return {
+            "overall_compliance": round(overall_score, 2),
+            "critical_compliance": round(critical_score, 2),
+            "total_requirements": total_requirements,
+            "compliant_requirements": compliant_requirements,
+            "failed_requirements": total_requirements - compliant_requirements,
+            "critical_findings": len(analysis["critical_findings"]),
+        }
+
+    def _generate_remediation_plan(self, analysis: Dict[str, Any]) -> List[Dict[str, Any]]:
+        """Generate automated remediation plan for non-compliant items."""
+        remediation_plan = []
+
+        for candidate in analysis["automation_candidates"]:
+            remediation = {
+                "requirement_id": candidate["requirement_id"],
+                "check_name": candidate["check_name"],
+                "priority": candidate["automation_priority"],
+                "estimated_time": candidate["estimated_fix_time"],
+                "automation_method": self._get_automation_method(candidate["check_name"]),
+                "risk_level": self._assess_automation_risk(candidate["check_name"]),
+                "prerequisites": self._get_automation_prerequisites(candidate["check_name"]),
+            }
+            remediation_plan.append(remediation)
+
+        # Sort by priority (lower number = higher priority)
+        remediation_plan.sort(key=lambda x: x["priority"])
+
+        return remediation_plan
+
+    def _estimate_fix_time(self, check_name: str) -> str:
+        """Estimate time required to fix a specific check."""
+        time_estimates = {
+            "root_mfa": "5 minutes",
+            "iam_user_mfa": "10 minutes per user",
+            "iam_password_policy": "2 minutes",
+            "guardduty_enabled": "3 minutes",
+            "trail_enabled": "5 minutes",
+            "bucket_public_access": "2 minutes per bucket",
+            "default": "15 minutes",
+        }
+        return time_estimates.get(check_name, time_estimates["default"])
+
+    def _get_automation_method(self, check_name: str) -> str:
+        """Get automation method for a specific check."""
+        automation_methods = {
+            "root_mfa": "IAM Console API",
+            "iam_password_policy": "IAM SetAccountPasswordPolicy API",
+            "guardduty_enabled": "GuardDuty CreateDetector API",
+            "trail_enabled": "CloudTrail CreateTrail API",
+            "bucket_public_access": "S3 PutBucketPublicAccessBlock API",
+            "default": "Manual remediation required",
+        }
+        return automation_methods.get(check_name, automation_methods["default"])
+
+    def _assess_automation_risk(self, check_name: str) -> str:
+        """Assess risk level of automating a specific check remediation."""
+        risk_levels = {
+            "root_mfa": "low",
+            "iam_password_policy": "low",
+            "guardduty_enabled": "low",
+            "trail_enabled": "medium",
+            "bucket_public_access": "medium",
+            "iam_user_mfa": "high",  # Affects user access
+            "default": "medium",
+        }
+        return risk_levels.get(check_name, risk_levels["default"])
+
+    def _get_automation_prerequisites(self, check_name: str) -> List[str]:
+        """Get prerequisites for automating a specific check remediation."""
+        prerequisites = {
+            "root_mfa": ["Root account access", "MFA device available"],
+            "iam_password_policy": ["IAM administrative permissions"],
+            "guardduty_enabled": ["GuardDuty service permissions", "Cost approval for GuardDuty charges"],
+            "trail_enabled": ["CloudTrail permissions", "S3 bucket for logs"],
+            "bucket_public_access": ["S3 administrative permissions", "Application impact assessment"],
+            "default": ["Administrative permissions", "Change approval"],
+        }
+        return prerequisites.get(check_name, prerequisites["default"])
+
+    def automate_compliance_remediation(
+        self, remediation_plan: List[Dict[str, Any]], dry_run: bool = True
+    ) -> Dict[str, Any]:
+        """
+        Execute automated compliance remediation with zero-downtime deployment.
+
+        Args:
+            remediation_plan: List of remediation actions to execute
+            dry_run: If True, simulate actions without making changes
+
+        Returns:
+            Execution results for each remediation action
+        """
+        execution_results = {
+            "execution_timestamp": datetime.now().isoformat(),
+            "dry_run_mode": dry_run,
+            "total_actions": len(remediation_plan),
+            "results": [],
+            "summary": {"successful": 0, "failed": 0, "skipped": 0},
+        }
+
+        for remediation in remediation_plan:
+            result = self._execute_remediation_action(remediation, dry_run)
+            execution_results["results"].append(result)
+
+            # Update summary
+            if result["status"] == "success":
+                execution_results["summary"]["successful"] += 1
+            elif result["status"] == "failed":
+                execution_results["summary"]["failed"] += 1
+            else:
+                execution_results["summary"]["skipped"] += 1
+
+        return execution_results
+
+    def _execute_remediation_action(self, remediation: Dict[str, Any], dry_run: bool) -> Dict[str, Any]:
+        """Execute a single remediation action with error handling."""
+        action_result = {
+            "requirement_id": remediation["requirement_id"],
+            "check_name": remediation["check_name"],
+            "action": remediation["automation_method"],
+            "status": "pending",
+            "message": "",
+            "timestamp": datetime.now().isoformat(),
+        }
+
+        try:
+            check_name = remediation["check_name"]
+
+            if dry_run:
+                action_result["status"] = "success"
+                action_result["message"] = f"DRY RUN: Would execute {remediation['automation_method']}"
+                return action_result
+
+            # Execute specific remediation based on check type
+            if check_name == "iam_password_policy":
+                self._remediate_iam_password_policy()
+            elif check_name == "guardduty_enabled":
+                self._remediate_guardduty_enabled()
+            elif check_name == "trail_enabled":
+                self._remediate_cloudtrail_enabled()
+            elif check_name == "bucket_public_access":
+                self._remediate_bucket_public_access()
+            else:
+                action_result["status"] = "skipped"
+                action_result["message"] = f"Manual remediation required for {check_name}"
+                return action_result
+
+            action_result["status"] = "success"
+            action_result["message"] = f"Successfully remediated {check_name}"
+
+        except Exception as e:
+            action_result["status"] = "failed"
+            action_result["message"] = f"Failed to remediate {check_name}: {str(e)}"
+            logging.error(f"Remediation failed for {check_name}: {str(e)}")
+
+        return action_result
+
+    def _remediate_iam_password_policy(self):
+        """Automatically configure IAM password policy."""
+        iam_client = self.session.client("iam")
+
+        # Enterprise-grade password policy
+        password_policy = {
+            "MinimumPasswordLength": 14,
+            "RequireSymbols": True,
+            "RequireNumbers": True,
+            "RequireUppercaseCharacters": True,
+            "RequireLowercaseCharacters": True,
+            "AllowUsersToChangePassword": True,
+            "MaxPasswordAge": 90,
+            "PasswordReusePrevention": 12,
+            "HardExpiry": False,
+        }
+
+        iam_client.update_account_password_policy(**password_policy)
+        logging.info("Successfully updated IAM password policy")
+
+    def _remediate_guardduty_enabled(self):
+        """Automatically enable GuardDuty."""
+        guardduty_client = self.session.client("guardduty")
+
+        try:
+            # Check if GuardDuty is already enabled
+            response = guardduty_client.list_detectors()
+            if response["DetectorIds"]:
+                logging.info("GuardDuty already enabled")
+                return
+        except ClientError:
+            pass
+
+        # Enable GuardDuty
+        response = guardduty_client.create_detector(Enable=True, FindingPublishingFrequency="FIFTEEN_MINUTES")
+        logging.info(f"Successfully enabled GuardDuty with detector ID: {response['DetectorId']}")
+
+    def _remediate_cloudtrail_enabled(self):
+        """Automatically enable CloudTrail."""
+        cloudtrail_client = self.session.client("cloudtrail")
+
+        # Check if any trails exist
+        response = cloudtrail_client.list_trails()
+        if response["Trails"]:
+            logging.info("CloudTrail already configured")
+            return
+
+        # Create S3 bucket for CloudTrail logs (simplified for demo)
+        trail_name = f"enterprise-security-trail-{datetime.now().strftime('%Y%m%d')}"
+
+        # Note: In production, this would need proper S3 bucket setup
+        logging.info(f"Would create CloudTrail: {trail_name}")
+
+    def _remediate_bucket_public_access(self):
+        """Automatically block public access on S3 buckets."""
+        s3_client = self.session.client("s3")
+
+        # Enable account-level public access block
+        try:
+            s3_client.put_public_access_block(
+                PublicAccessBlockConfiguration={
+                    "BlockPublicAcls": True,
+                    "IgnorePublicAcls": True,
+                    "BlockPublicPolicy": True,
+                    "RestrictPublicBuckets": True,
+                }
+            )
+            logging.info("Successfully enabled account-level public access block")
+        except ClientError as e:
+            logging.warning(f"Could not set account-level public access block: {str(e)}")
+
+    def generate_compliance_dashboard(self, assessment_results: Dict[str, Any], format: str = "html") -> str:
+        """
+        Generate executive compliance dashboard.
+
+        Args:
+            assessment_results: Results from assess_compliance_status()
+            format: Output format (html, json, csv)
+
+        Returns:
+            Path to generated dashboard file
+        """
+        timestamp = datetime.now().strftime("%Y%m%d_%H%M%S")
+
+        if format == "html":
+            dashboard_content = self._generate_html_dashboard(assessment_results)
+            filename = f"compliance_dashboard_{timestamp}.html"
+        elif format == "json":
+            dashboard_content = json.dumps(assessment_results, indent=2)
+            filename = f"compliance_dashboard_{timestamp}.json"
+        else:
+            raise ValueError(f"Unsupported format: {format}")
+
+        dashboard_path = f"/tmp/{filename}"
+        with open(dashboard_path, "w") as f:
+            f.write(dashboard_content)
+
+        logging.info(f"Generated compliance dashboard: {dashboard_path}")
+        return dashboard_path
+
+    def _generate_html_dashboard(self, results: Dict[str, Any]) -> str:
+        """Generate HTML compliance dashboard."""
+        score = results["compliance_score"]
+
+        # Determine overall status and color
+        if score["overall_compliance"] >= 90:
+            status_color = "#28a745"
+            status_text = "COMPLIANT"
+        elif score["overall_compliance"] >= 75:
+            status_color = "#ffc107"
+            status_text = "PARTIALLY COMPLIANT"
+        else:
+            status_color = "#dc3545"
+            status_text = "NON-COMPLIANT"
+
+        html_template = f"""
+<!DOCTYPE html>
+<html>
+<head>
+    <title>Enterprise Security Compliance Dashboard</title>
+    <style>
+        body {{ font-family: Arial, sans-serif; margin: 20px; }}
+        .header {{ background-color: #f8f9fa; padding: 20px; border-radius: 8px; }}
+        .score-card {{ background-color: white; border: 2px solid {status_color}; 
+                      padding: 20px; border-radius: 8px; margin: 20px 0; }}
+        .metric {{ display: inline-block; margin: 10px 20px; }}
+        .metric-value {{ font-size: 24px; font-weight: bold; color: {status_color}; }}
+        .metric-label {{ font-size: 14px; color: #666; }}
+        .recommendations {{ background-color: #f8f9fa; padding: 15px; border-radius: 8px; }}
+        .critical-finding {{ color: #dc3545; font-weight: bold; }}
+        .framework-info {{ color: #666; font-size: 12px; }}
+    </style>
+</head>
+<body>
+    <div class="header">
+        <h1>Enterprise Security Compliance Dashboard</h1>
+        <p class="framework-info">
+            Framework: {results["framework"]["name"]} v{results["framework"]["version"]}<br>
+            Assessment Date: {results["assessment_timestamp"]}<br>
+            Account ID: {results["account_id"]}
+        </p>
+    </div>
+    
+    <div class="score-card">
+        <h2 style="color: {status_color};">Overall Status: {status_text}</h2>
+        
+        <div class="metric">
+            <div class="metric-value">{score["overall_compliance"]:.1f}%</div>
+            <div class="metric-label">Overall Compliance</div>
+        </div>
+        
+        <div class="metric">
+            <div class="metric-value">{score["critical_compliance"]:.1f}%</div>
+            <div class="metric-label">Critical Controls</div>
+        </div>
+        
+        <div class="metric">
+            <div class="metric-value">{score["failed_requirements"]}</div>
+            <div class="metric-label">Failed Requirements</div>
+        </div>
+        
+        <div class="metric">
+            <div class="metric-value">{score["critical_findings"]}</div>
+            <div class="metric-label">Critical Findings</div>
+        </div>
+    </div>
+    
+    <div class="recommendations">
+        <h3>Automated Remediation Plan</h3>
+        <p>Found {len(results["recommendations"])} automation opportunities:</p>
+        <ul>
+"""
+
+        for rec in results["recommendations"][:5]:  # Show top 5 recommendations
+            html_template += f"""
+            <li>
+                <strong>{rec["requirement_id"]}</strong>: {rec["check_name"]} 
+                (Priority {rec["priority"]}, Est. {rec["estimated_time"]})
+                <br><small>Method: {rec["automation_method"]} | Risk: {rec["risk_level"]}</small>
+            </li>
+"""
+
+        html_template += """
+        </ul>
+    </div>
+    
+    <footer style="margin-top: 40px; color: #666; font-size: 12px;">
+        Generated by CloudOps Enterprise Security Compliance Automation
+    </footer>
+</body>
+</html>
+"""
+        return html_template
+
+
+def main():
+    """Main entry point for compliance automation testing."""
+    compliance = ComplianceAutomation()
+
+    # Run compliance assessment
+    results = compliance.assess_compliance_status(framework="enterprise_baseline", language="en")
+
+    # Generate dashboard
+    dashboard_path = compliance.generate_compliance_dashboard(results, format="html")
+
+    # Execute automated remediation (dry run)
+    if results["recommendations"]:
+        remediation_results = compliance.automate_compliance_remediation(results["recommendations"], dry_run=True)
+
+        # Import Rich utilities for professional output
+        from runbooks.common.rich_utils import console, create_panel
+        
+        # Display professional compliance assessment results
+        compliance_summary = f"""
+[bold cyan]Security Compliance Assessment Results[/bold cyan]
+
+[green]Overall Compliance Score:[/green] {results['compliance_score']['overall_compliance']:.1f}%
+[green]Critical Controls Score:[/green] {results['compliance_score']['critical_compliance']:.1f}%
+[yellow]Remediation Actions Required:[/yellow] {len(results['recommendations'])}
+[blue]Dashboard Location:[/blue] {dashboard_path}
+"""
+        
+        console.print(create_panel(
+            compliance_summary.strip(),
+            title="🛡️ Compliance Assessment Complete",
+            border_style="green" if results['compliance_score']['overall_compliance'] > 80 else "yellow"
+        ))
+
+
+if __name__ == "__main__":
+    main()

runbooks/security/report_generator.py

@@ -6,6 +6,14 @@ from string import Template
 from jinja2 import Template
 
 from runbooks.utils.logger import configure_logger
+from runbooks.common.rich_utils import (
+    console,
+    create_panel,
+    print_error,
+    print_info,
+    print_success,
+    print_warning,
+)
 
 from .utils import language, level_const
 
@@ -52,6 +60,8 @@ class ReportGenerator:
 
         ## Attempt to read the template file
         if not template_path.is_file():
+            error_msg = f"Template file '{template_filename}' for language '{lang}' not found at {template_path}"
+            print_error(error_msg)
             logger.error(
                 "Template file '%s' for language '%s' not found at %s",
                 template_filename,