runbooks 1.1.4__py3-none-any.whl → 1.1.5__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- runbooks/__init__.py +31 -2
- runbooks/__init___optimized.py +18 -4
- runbooks/_platform/__init__.py +1 -5
- runbooks/_platform/core/runbooks_wrapper.py +141 -138
- runbooks/aws2/accuracy_validator.py +812 -0
- runbooks/base.py +7 -0
- runbooks/cfat/assessment/compliance.py +1 -1
- runbooks/cfat/assessment/runner.py +1 -0
- runbooks/cfat/cloud_foundations_assessment.py +227 -239
- runbooks/cli/__init__.py +1 -1
- runbooks/cli/commands/cfat.py +64 -23
- runbooks/cli/commands/finops.py +1005 -54
- runbooks/cli/commands/inventory.py +138 -35
- runbooks/cli/commands/operate.py +9 -36
- runbooks/cli/commands/security.py +42 -18
- runbooks/cli/commands/validation.py +432 -18
- runbooks/cli/commands/vpc.py +81 -17
- runbooks/cli/registry.py +22 -10
- runbooks/cloudops/__init__.py +20 -27
- runbooks/cloudops/base.py +96 -107
- runbooks/cloudops/cost_optimizer.py +544 -542
- runbooks/cloudops/infrastructure_optimizer.py +5 -4
- runbooks/cloudops/interfaces.py +224 -225
- runbooks/cloudops/lifecycle_manager.py +5 -4
- runbooks/cloudops/mcp_cost_validation.py +252 -235
- runbooks/cloudops/models.py +78 -53
- runbooks/cloudops/monitoring_automation.py +5 -4
- runbooks/cloudops/notebook_framework.py +177 -213
- runbooks/cloudops/security_enforcer.py +125 -159
- runbooks/common/accuracy_validator.py +11 -0
- runbooks/common/aws_pricing.py +349 -326
- runbooks/common/aws_pricing_api.py +211 -212
- runbooks/common/aws_profile_manager.py +40 -36
- runbooks/common/aws_utils.py +74 -79
- runbooks/common/business_logic.py +126 -104
- runbooks/common/cli_decorators.py +36 -60
- runbooks/common/comprehensive_cost_explorer_integration.py +455 -463
- runbooks/common/cross_account_manager.py +197 -204
- runbooks/common/date_utils.py +27 -39
- runbooks/common/decorators.py +29 -19
- runbooks/common/dry_run_examples.py +173 -208
- runbooks/common/dry_run_framework.py +157 -155
- runbooks/common/enhanced_exception_handler.py +15 -4
- runbooks/common/enhanced_logging_example.py +50 -64
- runbooks/common/enhanced_logging_integration_example.py +65 -37
- runbooks/common/env_utils.py +16 -16
- runbooks/common/error_handling.py +40 -38
- runbooks/common/lazy_loader.py +41 -23
- runbooks/common/logging_integration_helper.py +79 -86
- runbooks/common/mcp_cost_explorer_integration.py +476 -493
- runbooks/common/mcp_integration.py +63 -74
- runbooks/common/memory_optimization.py +140 -118
- runbooks/common/module_cli_base.py +37 -58
- runbooks/common/organizations_client.py +175 -193
- runbooks/common/patterns.py +23 -25
- runbooks/common/performance_monitoring.py +67 -71
- runbooks/common/performance_optimization_engine.py +283 -274
- runbooks/common/profile_utils.py +111 -37
- runbooks/common/rich_utils.py +201 -141
- runbooks/common/sre_performance_suite.py +177 -186
- runbooks/enterprise/__init__.py +1 -1
- runbooks/enterprise/logging.py +144 -106
- runbooks/enterprise/security.py +187 -204
- runbooks/enterprise/validation.py +43 -56
- runbooks/finops/__init__.py +26 -30
- runbooks/finops/account_resolver.py +1 -1
- runbooks/finops/advanced_optimization_engine.py +980 -0
- runbooks/finops/automation_core.py +268 -231
- runbooks/finops/business_case_config.py +184 -179
- runbooks/finops/cli.py +660 -139
- runbooks/finops/commvault_ec2_analysis.py +157 -164
- runbooks/finops/compute_cost_optimizer.py +336 -320
- runbooks/finops/config.py +20 -20
- runbooks/finops/cost_optimizer.py +484 -618
- runbooks/finops/cost_processor.py +332 -214
- runbooks/finops/dashboard_runner.py +1006 -172
- runbooks/finops/ebs_cost_optimizer.py +991 -657
- runbooks/finops/elastic_ip_optimizer.py +317 -257
- runbooks/finops/enhanced_mcp_integration.py +340 -0
- runbooks/finops/enhanced_progress.py +32 -29
- runbooks/finops/enhanced_trend_visualization.py +3 -2
- runbooks/finops/enterprise_wrappers.py +223 -285
- runbooks/finops/executive_export.py +203 -160
- runbooks/finops/helpers.py +130 -288
- runbooks/finops/iam_guidance.py +1 -1
- runbooks/finops/infrastructure/__init__.py +80 -0
- runbooks/finops/infrastructure/commands.py +506 -0
- runbooks/finops/infrastructure/load_balancer_optimizer.py +866 -0
- runbooks/finops/infrastructure/vpc_endpoint_optimizer.py +832 -0
- runbooks/finops/markdown_exporter.py +337 -174
- runbooks/finops/mcp_validator.py +1952 -0
- runbooks/finops/nat_gateway_optimizer.py +1512 -481
- runbooks/finops/network_cost_optimizer.py +657 -587
- runbooks/finops/notebook_utils.py +226 -188
- runbooks/finops/optimization_engine.py +1136 -0
- runbooks/finops/optimizer.py +19 -23
- runbooks/finops/rds_snapshot_optimizer.py +367 -411
- runbooks/finops/reservation_optimizer.py +427 -363
- runbooks/finops/scenario_cli_integration.py +64 -65
- runbooks/finops/scenarios.py +1277 -438
- runbooks/finops/schemas.py +218 -182
- runbooks/finops/snapshot_manager.py +2289 -0
- runbooks/finops/types.py +3 -3
- runbooks/finops/validation_framework.py +259 -265
- runbooks/finops/vpc_cleanup_exporter.py +189 -144
- runbooks/finops/vpc_cleanup_optimizer.py +591 -573
- runbooks/finops/workspaces_analyzer.py +171 -182
- runbooks/integration/__init__.py +89 -0
- runbooks/integration/mcp_integration.py +1920 -0
- runbooks/inventory/CLAUDE.md +816 -0
- runbooks/inventory/__init__.py +2 -2
- runbooks/inventory/cloud_foundations_integration.py +144 -149
- runbooks/inventory/collectors/aws_comprehensive.py +1 -1
- runbooks/inventory/collectors/aws_networking.py +109 -99
- runbooks/inventory/collectors/base.py +4 -0
- runbooks/inventory/core/collector.py +495 -313
- runbooks/inventory/drift_detection_cli.py +69 -96
- runbooks/inventory/inventory_mcp_cli.py +48 -46
- runbooks/inventory/list_rds_snapshots_aggregator.py +192 -208
- runbooks/inventory/mcp_inventory_validator.py +549 -465
- runbooks/inventory/mcp_vpc_validator.py +359 -442
- runbooks/inventory/organizations_discovery.py +55 -51
- runbooks/inventory/rich_inventory_display.py +33 -32
- runbooks/inventory/unified_validation_engine.py +278 -251
- runbooks/inventory/vpc_analyzer.py +732 -695
- runbooks/inventory/vpc_architecture_validator.py +293 -348
- runbooks/inventory/vpc_dependency_analyzer.py +382 -378
- runbooks/inventory/vpc_flow_analyzer.py +1 -1
- runbooks/main.py +49 -34
- runbooks/main_final.py +91 -60
- runbooks/main_minimal.py +22 -10
- runbooks/main_optimized.py +131 -100
- runbooks/main_ultra_minimal.py +7 -2
- runbooks/mcp/__init__.py +36 -0
- runbooks/mcp/integration.py +679 -0
- runbooks/monitoring/performance_monitor.py +9 -4
- runbooks/operate/dynamodb_operations.py +3 -1
- runbooks/operate/ec2_operations.py +145 -137
- runbooks/operate/iam_operations.py +146 -152
- runbooks/operate/networking_cost_heatmap.py +29 -8
- runbooks/operate/rds_operations.py +223 -254
- runbooks/operate/s3_operations.py +107 -118
- runbooks/operate/vpc_operations.py +646 -616
- runbooks/remediation/base.py +1 -1
- runbooks/remediation/commons.py +10 -7
- runbooks/remediation/commvault_ec2_analysis.py +70 -66
- runbooks/remediation/ec2_unattached_ebs_volumes.py +1 -0
- runbooks/remediation/multi_account.py +24 -21
- runbooks/remediation/rds_snapshot_list.py +86 -60
- runbooks/remediation/remediation_cli.py +92 -146
- runbooks/remediation/universal_account_discovery.py +83 -79
- runbooks/remediation/workspaces_list.py +46 -41
- runbooks/security/__init__.py +19 -0
- runbooks/security/assessment_runner.py +1150 -0
- runbooks/security/baseline_checker.py +812 -0
- runbooks/security/cloudops_automation_security_validator.py +509 -535
- runbooks/security/compliance_automation_engine.py +17 -17
- runbooks/security/config/__init__.py +2 -2
- runbooks/security/config/compliance_config.py +50 -50
- runbooks/security/config_template_generator.py +63 -76
- runbooks/security/enterprise_security_framework.py +1 -1
- runbooks/security/executive_security_dashboard.py +519 -508
- runbooks/security/multi_account_security_controls.py +959 -1210
- runbooks/security/real_time_security_monitor.py +422 -444
- runbooks/security/security_baseline_tester.py +1 -1
- runbooks/security/security_cli.py +143 -112
- runbooks/security/test_2way_validation.py +439 -0
- runbooks/security/two_way_validation_framework.py +852 -0
- runbooks/sre/production_monitoring_framework.py +167 -177
- runbooks/tdd/__init__.py +15 -0
- runbooks/tdd/cli.py +1071 -0
- runbooks/utils/__init__.py +14 -17
- runbooks/utils/logger.py +7 -2
- runbooks/utils/version_validator.py +50 -47
- runbooks/validation/__init__.py +6 -6
- runbooks/validation/cli.py +9 -3
- runbooks/validation/comprehensive_2way_validator.py +745 -704
- runbooks/validation/mcp_validator.py +906 -228
- runbooks/validation/terraform_citations_validator.py +104 -115
- runbooks/validation/terraform_drift_detector.py +447 -451
- runbooks/vpc/README.md +617 -0
- runbooks/vpc/__init__.py +8 -1
- runbooks/vpc/analyzer.py +577 -0
- runbooks/vpc/cleanup_wrapper.py +476 -413
- runbooks/vpc/cli_cloudtrail_commands.py +339 -0
- runbooks/vpc/cli_mcp_validation_commands.py +480 -0
- runbooks/vpc/cloudtrail_audit_integration.py +717 -0
- runbooks/vpc/config.py +92 -97
- runbooks/vpc/cost_engine.py +411 -148
- runbooks/vpc/cost_explorer_integration.py +553 -0
- runbooks/vpc/cross_account_session.py +101 -106
- runbooks/vpc/enhanced_mcp_validation.py +917 -0
- runbooks/vpc/eni_gate_validator.py +961 -0
- runbooks/vpc/heatmap_engine.py +185 -160
- runbooks/vpc/mcp_no_eni_validator.py +680 -639
- runbooks/vpc/nat_gateway_optimizer.py +358 -0
- runbooks/vpc/networking_wrapper.py +15 -8
- runbooks/vpc/pdca_remediation_planner.py +528 -0
- runbooks/vpc/performance_optimized_analyzer.py +219 -231
- runbooks/vpc/runbooks_adapter.py +1167 -241
- runbooks/vpc/tdd_red_phase_stubs.py +601 -0
- runbooks/vpc/test_data_loader.py +358 -0
- runbooks/vpc/tests/conftest.py +314 -4
- runbooks/vpc/tests/test_cleanup_framework.py +1022 -0
- runbooks/vpc/tests/test_cost_engine.py +0 -2
- runbooks/vpc/topology_generator.py +326 -0
- runbooks/vpc/unified_scenarios.py +1297 -1124
- runbooks/vpc/vpc_cleanup_integration.py +1943 -1115
- runbooks-1.1.5.dist-info/METADATA +328 -0
- {runbooks-1.1.4.dist-info → runbooks-1.1.5.dist-info}/RECORD +214 -193
- runbooks/finops/README.md +0 -414
- runbooks/finops/accuracy_cross_validator.py +0 -647
- runbooks/finops/business_cases.py +0 -950
- runbooks/finops/dashboard_router.py +0 -922
- runbooks/finops/ebs_optimizer.py +0 -973
- runbooks/finops/embedded_mcp_validator.py +0 -1629
- runbooks/finops/enhanced_dashboard_runner.py +0 -527
- runbooks/finops/finops_dashboard.py +0 -584
- runbooks/finops/finops_scenarios.py +0 -1218
- runbooks/finops/legacy_migration.py +0 -730
- runbooks/finops/multi_dashboard.py +0 -1519
- runbooks/finops/single_dashboard.py +0 -1113
- runbooks/finops/unlimited_scenarios.py +0 -393
- runbooks-1.1.4.dist-info/METADATA +0 -800
- {runbooks-1.1.4.dist-info → runbooks-1.1.5.dist-info}/WHEEL +0 -0
- {runbooks-1.1.4.dist-info → runbooks-1.1.5.dist-info}/entry_points.txt +0 -0
- {runbooks-1.1.4.dist-info → runbooks-1.1.5.dist-info}/licenses/LICENSE +0 -0
- {runbooks-1.1.4.dist-info → runbooks-1.1.5.dist-info}/top_level.txt +0 -0
|
@@ -48,7 +48,7 @@ from runbooks.common.rich_utils import (
|
|
|
48
48
|
|
|
49
49
|
class CloudOpsSecurityLevel(Enum):
|
|
50
50
|
"""Security validation levels for CloudOps-Automation components."""
|
|
51
|
-
|
|
51
|
+
|
|
52
52
|
BATTLE_TESTED = "BATTLE_TESTED" # 217 proven components
|
|
53
53
|
ENTERPRISE_READY = "ENTERPRISE_READY" # Multi-account validated
|
|
54
54
|
REAL_TIME_VALIDATED = "REAL_TIME_VALIDATED" # Live AWS API validated
|
|
@@ -57,9 +57,9 @@ class CloudOpsSecurityLevel(Enum):
|
|
|
57
57
|
|
|
58
58
|
class ValidationCategory(Enum):
|
|
59
59
|
"""CloudOps-Automation security validation categories."""
|
|
60
|
-
|
|
60
|
+
|
|
61
61
|
IAM_SECURITY = "IAM_SECURITY"
|
|
62
|
-
ENCRYPTION_COMPLIANCE = "ENCRYPTION_COMPLIANCE"
|
|
62
|
+
ENCRYPTION_COMPLIANCE = "ENCRYPTION_COMPLIANCE"
|
|
63
63
|
NETWORK_SECURITY = "NETWORK_SECURITY"
|
|
64
64
|
DATA_PROTECTION = "DATA_PROTECTION"
|
|
65
65
|
ACCESS_CONTROL = "ACCESS_CONTROL"
|
|
@@ -70,7 +70,7 @@ class ValidationCategory(Enum):
|
|
|
70
70
|
@dataclass
|
|
71
71
|
class CloudOpsSecurityComponent:
|
|
72
72
|
"""Represents a CloudOps-Automation security component for validation."""
|
|
73
|
-
|
|
73
|
+
|
|
74
74
|
component_name: str
|
|
75
75
|
component_path: str
|
|
76
76
|
validation_category: ValidationCategory
|
|
@@ -88,7 +88,7 @@ class CloudOpsSecurityComponent:
|
|
|
88
88
|
@dataclass
|
|
89
89
|
class MultiAccountSecurityValidation:
|
|
90
90
|
"""Multi-account security validation results."""
|
|
91
|
-
|
|
91
|
+
|
|
92
92
|
validation_id: str
|
|
93
93
|
timestamp: datetime
|
|
94
94
|
accounts_validated: int
|
|
@@ -107,10 +107,10 @@ class CloudOpsAutomationSecurityValidator:
|
|
|
107
107
|
"""
|
|
108
108
|
CloudOps-Automation Security Validation Framework
|
|
109
109
|
=================================================
|
|
110
|
-
|
|
110
|
+
|
|
111
111
|
Validates and integrates 217 battle-tested CloudOps-Automation components
|
|
112
112
|
with enterprise security-as-code patterns and real-time AWS validation.
|
|
113
|
-
|
|
113
|
+
|
|
114
114
|
Key Capabilities:
|
|
115
115
|
- Security assessment of CloudOps-Automation treasure trove
|
|
116
116
|
- Real-time AWS security state validation via MCP integration
|
|
@@ -123,24 +123,26 @@ class CloudOpsAutomationSecurityValidator:
|
|
|
123
123
|
self.profile = profile
|
|
124
124
|
self.output_dir = Path(output_dir)
|
|
125
125
|
self.output_dir.mkdir(parents=True, exist_ok=True)
|
|
126
|
-
|
|
126
|
+
|
|
127
127
|
# Initialize secure session
|
|
128
128
|
self.session = self._create_secure_session()
|
|
129
|
-
|
|
129
|
+
|
|
130
130
|
# CloudOps-Automation component inventory
|
|
131
|
-
self.automation_components_path = Path(
|
|
131
|
+
self.automation_components_path = Path(
|
|
132
|
+
"/Volumes/Working/1xOps/CloudOps-Runbooks/README/CloudOps-Automation/AWS/legos"
|
|
133
|
+
)
|
|
132
134
|
self.security_components = self._discover_security_components()
|
|
133
|
-
|
|
135
|
+
|
|
134
136
|
# Real-time validation engine
|
|
135
137
|
self.real_time_validator = RealTimeSecurityValidator(self.session)
|
|
136
138
|
self.mcp_integration_engine = MCPSecurityIntegration()
|
|
137
|
-
|
|
139
|
+
|
|
138
140
|
# Multi-account security controls
|
|
139
141
|
self.multi_account_controller = MultiAccountSecurityController(self.session)
|
|
140
|
-
|
|
142
|
+
|
|
141
143
|
# Compliance framework engine
|
|
142
144
|
self.compliance_engine = ComplianceFrameworkEngine()
|
|
143
|
-
|
|
145
|
+
|
|
144
146
|
print_header("CloudOps-Automation Security Validator", "1.0.0")
|
|
145
147
|
print_success(f"Discovered {len(self.security_components)} security components")
|
|
146
148
|
print_info(f"Profile: {profile}")
|
|
@@ -149,64 +151,64 @@ class CloudOpsAutomationSecurityValidator:
|
|
|
149
151
|
def _create_secure_session(self) -> boto3.Session:
|
|
150
152
|
"""Create secure AWS session for security validation."""
|
|
151
153
|
try:
|
|
152
|
-
session = create_management_session(
|
|
153
|
-
|
|
154
|
+
session = create_management_session(profile_name=self.profile)
|
|
155
|
+
|
|
154
156
|
# Validate session credentials
|
|
155
157
|
sts_client = session.client("sts")
|
|
156
158
|
identity = sts_client.get_caller_identity()
|
|
157
|
-
|
|
159
|
+
|
|
158
160
|
print_info(f"Secure session established for: {identity.get('Arn', 'Unknown')}")
|
|
159
161
|
return session
|
|
160
|
-
|
|
162
|
+
|
|
161
163
|
except (ClientError, NoCredentialsError) as e:
|
|
162
164
|
print_error(f"Failed to establish secure session: {str(e)}")
|
|
163
165
|
raise
|
|
164
166
|
|
|
165
167
|
def _discover_security_components(self) -> List[CloudOpsSecurityComponent]:
|
|
166
168
|
"""Discover and categorize CloudOps-Automation security components."""
|
|
167
|
-
|
|
169
|
+
|
|
168
170
|
print_info("Discovering CloudOps-Automation security components...")
|
|
169
|
-
|
|
171
|
+
|
|
170
172
|
security_components = []
|
|
171
|
-
|
|
173
|
+
|
|
172
174
|
if not self.automation_components_path.exists():
|
|
173
175
|
print_warning(f"CloudOps-Automation path not found: {self.automation_components_path}")
|
|
174
176
|
return security_components
|
|
175
|
-
|
|
177
|
+
|
|
176
178
|
# Security-related component patterns
|
|
177
179
|
security_patterns = {
|
|
178
180
|
"iam": {
|
|
179
181
|
"patterns": ["iam", "policy", "role", "user", "access"],
|
|
180
182
|
"category": ValidationCategory.IAM_SECURITY,
|
|
181
|
-
"frameworks": ["SOC2", "AWS Well-Architected", "CIS Benchmarks"]
|
|
183
|
+
"frameworks": ["SOC2", "AWS Well-Architected", "CIS Benchmarks"],
|
|
182
184
|
},
|
|
183
185
|
"encryption": {
|
|
184
186
|
"patterns": ["encrypt", "kms", "ssl", "tls"],
|
|
185
187
|
"category": ValidationCategory.ENCRYPTION_COMPLIANCE,
|
|
186
|
-
"frameworks": ["SOC2", "PCI-DSS", "HIPAA"]
|
|
188
|
+
"frameworks": ["SOC2", "PCI-DSS", "HIPAA"],
|
|
187
189
|
},
|
|
188
190
|
"security_group": {
|
|
189
191
|
"patterns": ["security_group", "firewall", "network"],
|
|
190
192
|
"category": ValidationCategory.NETWORK_SECURITY,
|
|
191
|
-
"frameworks": ["AWS Well-Architected", "CIS Benchmarks"]
|
|
193
|
+
"frameworks": ["AWS Well-Architected", "CIS Benchmarks"],
|
|
192
194
|
},
|
|
193
195
|
"s3_security": {
|
|
194
196
|
"patterns": ["s3", "bucket", "public"],
|
|
195
197
|
"category": ValidationCategory.DATA_PROTECTION,
|
|
196
|
-
"frameworks": ["SOC2", "PCI-DSS", "HIPAA", "AWS Well-Architected"]
|
|
197
|
-
}
|
|
198
|
+
"frameworks": ["SOC2", "PCI-DSS", "HIPAA", "AWS Well-Architected"],
|
|
199
|
+
},
|
|
198
200
|
}
|
|
199
|
-
|
|
201
|
+
|
|
200
202
|
# Discover components
|
|
201
203
|
component_count = 0
|
|
202
204
|
for component_dir in self.automation_components_path.iterdir():
|
|
203
205
|
if component_dir.is_dir():
|
|
204
206
|
component_count += 1
|
|
205
|
-
|
|
207
|
+
|
|
206
208
|
# Analyze component for security relevance
|
|
207
209
|
component_name = component_dir.name
|
|
208
210
|
security_match = self._classify_security_component(component_name, security_patterns)
|
|
209
|
-
|
|
211
|
+
|
|
210
212
|
if security_match:
|
|
211
213
|
component = CloudOpsSecurityComponent(
|
|
212
214
|
component_name=component_name,
|
|
@@ -216,33 +218,35 @@ class CloudOpsAutomationSecurityValidator:
|
|
|
216
218
|
aws_services=self._extract_aws_services(component_name),
|
|
217
219
|
compliance_frameworks=security_match["frameworks"],
|
|
218
220
|
risk_assessment=self._assess_component_risk(component_name),
|
|
219
|
-
integration_priority=self._calculate_integration_priority(component_name, security_match)
|
|
221
|
+
integration_priority=self._calculate_integration_priority(component_name, security_match),
|
|
220
222
|
)
|
|
221
223
|
security_components.append(component)
|
|
222
|
-
|
|
224
|
+
|
|
223
225
|
print_success(f"Total CloudOps-Automation components discovered: {component_count}")
|
|
224
226
|
print_success(f"Security-relevant components identified: {len(security_components)}")
|
|
225
|
-
|
|
227
|
+
|
|
226
228
|
# Sort by integration priority
|
|
227
229
|
security_components.sort(key=lambda x: x.integration_priority, reverse=True)
|
|
228
|
-
|
|
230
|
+
|
|
229
231
|
return security_components
|
|
230
232
|
|
|
231
|
-
def _classify_security_component(
|
|
233
|
+
def _classify_security_component(
|
|
234
|
+
self, component_name: str, security_patterns: Dict[str, Any]
|
|
235
|
+
) -> Optional[Dict[str, Any]]:
|
|
232
236
|
"""Classify component as security-relevant based on naming patterns."""
|
|
233
|
-
|
|
237
|
+
|
|
234
238
|
component_lower = component_name.lower()
|
|
235
|
-
|
|
239
|
+
|
|
236
240
|
for pattern_type, pattern_config in security_patterns.items():
|
|
237
241
|
for pattern in pattern_config["patterns"]:
|
|
238
242
|
if pattern in component_lower:
|
|
239
243
|
return pattern_config
|
|
240
|
-
|
|
244
|
+
|
|
241
245
|
return None
|
|
242
246
|
|
|
243
247
|
def _extract_aws_services(self, component_name: str) -> List[str]:
|
|
244
248
|
"""Extract AWS services from component name."""
|
|
245
|
-
|
|
249
|
+
|
|
246
250
|
services = []
|
|
247
251
|
service_patterns = {
|
|
248
252
|
"s3": ["s3", "bucket"],
|
|
@@ -254,24 +258,24 @@ class CloudOpsAutomationSecurityValidator:
|
|
|
254
258
|
"vpc": ["vpc", "network"],
|
|
255
259
|
"lambda": ["lambda", "function"],
|
|
256
260
|
"sns": ["sns", "topic"],
|
|
257
|
-
"sqs": ["sqs", "queue"]
|
|
261
|
+
"sqs": ["sqs", "queue"],
|
|
258
262
|
}
|
|
259
|
-
|
|
263
|
+
|
|
260
264
|
component_lower = component_name.lower()
|
|
261
265
|
for service, patterns in service_patterns.items():
|
|
262
266
|
if any(pattern in component_lower for pattern in patterns):
|
|
263
267
|
services.append(service)
|
|
264
|
-
|
|
268
|
+
|
|
265
269
|
return services if services else ["unknown"]
|
|
266
270
|
|
|
267
271
|
def _assess_component_risk(self, component_name: str) -> str:
|
|
268
272
|
"""Assess security risk level of component."""
|
|
269
|
-
|
|
273
|
+
|
|
270
274
|
high_risk_patterns = ["terminate", "delete", "destroy", "public", "open"]
|
|
271
275
|
medium_risk_patterns = ["modify", "update", "change", "attach", "detach"]
|
|
272
|
-
|
|
276
|
+
|
|
273
277
|
component_lower = component_name.lower()
|
|
274
|
-
|
|
278
|
+
|
|
275
279
|
if any(pattern in component_lower for pattern in high_risk_patterns):
|
|
276
280
|
return "HIGH"
|
|
277
281
|
elif any(pattern in component_lower for pattern in medium_risk_patterns):
|
|
@@ -281,37 +285,35 @@ class CloudOpsAutomationSecurityValidator:
|
|
|
281
285
|
|
|
282
286
|
def _calculate_integration_priority(self, component_name: str, security_match: Dict[str, Any]) -> int:
|
|
283
287
|
"""Calculate integration priority (1-10) for runbooks integration."""
|
|
284
|
-
|
|
288
|
+
|
|
285
289
|
priority = 5 # Base priority
|
|
286
|
-
|
|
290
|
+
|
|
287
291
|
# High-value security operations get higher priority
|
|
288
292
|
high_value_patterns = ["iam_policy", "encrypt", "security_group", "access_control"]
|
|
289
293
|
if any(pattern in component_name.lower() for pattern in high_value_patterns):
|
|
290
294
|
priority += 3
|
|
291
|
-
|
|
295
|
+
|
|
292
296
|
# Critical compliance frameworks increase priority
|
|
293
297
|
if "SOC2" in security_match["frameworks"] or "PCI-DSS" in security_match["frameworks"]:
|
|
294
298
|
priority += 2
|
|
295
|
-
|
|
299
|
+
|
|
296
300
|
# Multi-service components get higher priority
|
|
297
301
|
if "aws_" in component_name.lower() and len(self._extract_aws_services(component_name)) > 1:
|
|
298
302
|
priority += 1
|
|
299
|
-
|
|
303
|
+
|
|
300
304
|
return min(10, priority) # Cap at 10
|
|
301
305
|
|
|
302
306
|
async def comprehensive_security_validation(
|
|
303
|
-
self,
|
|
304
|
-
target_accounts: Optional[List[str]] = None,
|
|
305
|
-
include_real_time_validation: bool = True
|
|
307
|
+
self, target_accounts: Optional[List[str]] = None, include_real_time_validation: bool = True
|
|
306
308
|
) -> MultiAccountSecurityValidation:
|
|
307
309
|
"""
|
|
308
310
|
Execute comprehensive security validation of CloudOps-Automation components
|
|
309
311
|
with real-time AWS security monitoring.
|
|
310
312
|
"""
|
|
311
|
-
|
|
313
|
+
|
|
312
314
|
validation_id = f"cloudops-security-{int(time.time())}"
|
|
313
315
|
start_time = datetime.utcnow()
|
|
314
|
-
|
|
316
|
+
|
|
315
317
|
console.print(
|
|
316
318
|
create_panel(
|
|
317
319
|
f"[bold cyan]CloudOps-Automation Security Validation[/bold cyan]\n\n"
|
|
@@ -322,287 +324,277 @@ class CloudOpsAutomationSecurityValidator:
|
|
|
322
324
|
border_style="cyan",
|
|
323
325
|
)
|
|
324
326
|
)
|
|
325
|
-
|
|
327
|
+
|
|
326
328
|
# Discover target accounts if not provided
|
|
327
329
|
if not target_accounts:
|
|
328
330
|
target_accounts = await self._discover_organization_accounts()
|
|
329
|
-
|
|
331
|
+
|
|
330
332
|
# Initialize validation results
|
|
331
333
|
validation_results = {
|
|
332
|
-
|
|
333
|
-
|
|
334
|
-
|
|
335
|
-
|
|
336
|
-
|
|
337
|
-
|
|
334
|
+
"battle_tested_validated": 0,
|
|
335
|
+
"enterprise_ready_validated": 0,
|
|
336
|
+
"real_time_validated": 0,
|
|
337
|
+
"compliance_validated": 0,
|
|
338
|
+
"critical_findings": [],
|
|
339
|
+
"integration_candidates": [],
|
|
338
340
|
}
|
|
339
|
-
|
|
341
|
+
|
|
340
342
|
# Validate security components
|
|
341
343
|
with create_progress_bar(description="Security Validation") as progress:
|
|
342
|
-
|
|
343
344
|
# Task 1: Validate CloudOps-Automation components
|
|
344
345
|
component_task = progress.add_task(
|
|
345
|
-
"[cyan]Validating CloudOps components...",
|
|
346
|
-
total=len(self.security_components)
|
|
346
|
+
"[cyan]Validating CloudOps components...", total=len(self.security_components)
|
|
347
347
|
)
|
|
348
|
-
|
|
348
|
+
|
|
349
349
|
for component in self.security_components:
|
|
350
350
|
component_result = await self._validate_security_component(component)
|
|
351
|
-
|
|
352
|
-
if component_result[
|
|
353
|
-
validation_results[
|
|
354
|
-
|
|
355
|
-
if component_result.get(
|
|
356
|
-
validation_results[
|
|
357
|
-
validation_results[
|
|
358
|
-
|
|
351
|
+
|
|
352
|
+
if component_result["valid"]:
|
|
353
|
+
validation_results["battle_tested_validated"] += 1
|
|
354
|
+
|
|
355
|
+
if component_result.get("enterprise_ready"):
|
|
356
|
+
validation_results["enterprise_ready_validated"] += 1
|
|
357
|
+
validation_results["integration_candidates"].append(component)
|
|
358
|
+
|
|
359
359
|
progress.update(component_task, advance=1)
|
|
360
|
-
|
|
360
|
+
|
|
361
361
|
# Task 2: Real-time AWS security validation
|
|
362
362
|
if include_real_time_validation:
|
|
363
|
-
aws_task = progress.add_task(
|
|
364
|
-
|
|
365
|
-
total=len(target_accounts)
|
|
366
|
-
)
|
|
367
|
-
|
|
363
|
+
aws_task = progress.add_task("[green]Real-time AWS validation...", total=len(target_accounts))
|
|
364
|
+
|
|
368
365
|
for account_id in target_accounts:
|
|
369
366
|
account_validation = await self._validate_account_real_time_security(account_id)
|
|
370
|
-
|
|
371
|
-
if account_validation[
|
|
372
|
-
validation_results[
|
|
373
|
-
|
|
374
|
-
validation_results[
|
|
375
|
-
|
|
376
|
-
)
|
|
377
|
-
|
|
367
|
+
|
|
368
|
+
if account_validation["success"]:
|
|
369
|
+
validation_results["real_time_validated"] += 1
|
|
370
|
+
|
|
371
|
+
validation_results["critical_findings"].extend(account_validation.get("critical_findings", []))
|
|
372
|
+
|
|
378
373
|
progress.update(aws_task, advance=1)
|
|
379
|
-
|
|
374
|
+
|
|
380
375
|
# Calculate scores
|
|
381
376
|
total_components = len(self.security_components)
|
|
382
|
-
compliance_score = (
|
|
383
|
-
|
|
384
|
-
security_posture_score = self._calculate_security_posture_score(
|
|
385
|
-
validation_results, target_accounts
|
|
377
|
+
compliance_score = (
|
|
378
|
+
(validation_results["battle_tested_validated"] / total_components * 100) if total_components > 0 else 0
|
|
386
379
|
)
|
|
387
|
-
|
|
380
|
+
|
|
381
|
+
security_posture_score = self._calculate_security_posture_score(validation_results, target_accounts)
|
|
382
|
+
|
|
388
383
|
# Generate integration roadmap
|
|
389
|
-
integration_roadmap = self._generate_integration_roadmap(
|
|
390
|
-
|
|
391
|
-
)
|
|
392
|
-
|
|
384
|
+
integration_roadmap = self._generate_integration_roadmap(validation_results["integration_candidates"])
|
|
385
|
+
|
|
393
386
|
# Generate recommendations
|
|
394
|
-
recommendations = self._generate_security_recommendations(
|
|
395
|
-
|
|
396
|
-
)
|
|
397
|
-
|
|
387
|
+
recommendations = self._generate_security_recommendations(validation_results, target_accounts)
|
|
388
|
+
|
|
398
389
|
# Create comprehensive validation result
|
|
399
390
|
validation_result = MultiAccountSecurityValidation(
|
|
400
391
|
validation_id=validation_id,
|
|
401
392
|
timestamp=start_time,
|
|
402
393
|
accounts_validated=len(target_accounts),
|
|
403
394
|
components_assessed=len(self.security_components),
|
|
404
|
-
battle_tested_components=validation_results[
|
|
405
|
-
enterprise_ready_components=validation_results[
|
|
406
|
-
real_time_validations=validation_results[
|
|
395
|
+
battle_tested_components=validation_results["battle_tested_validated"],
|
|
396
|
+
enterprise_ready_components=validation_results["enterprise_ready_validated"],
|
|
397
|
+
real_time_validations=validation_results["real_time_validated"],
|
|
407
398
|
compliance_score=compliance_score,
|
|
408
399
|
security_posture_score=security_posture_score,
|
|
409
|
-
critical_findings=validation_results[
|
|
400
|
+
critical_findings=validation_results["critical_findings"],
|
|
410
401
|
recommendations=recommendations,
|
|
411
|
-
integration_roadmap=integration_roadmap
|
|
402
|
+
integration_roadmap=integration_roadmap,
|
|
412
403
|
)
|
|
413
|
-
|
|
404
|
+
|
|
414
405
|
# Export validation results
|
|
415
406
|
await self._export_validation_results(validation_result)
|
|
416
|
-
|
|
407
|
+
|
|
417
408
|
# Display comprehensive summary
|
|
418
409
|
self._display_validation_summary(validation_result)
|
|
419
|
-
|
|
410
|
+
|
|
420
411
|
return validation_result
|
|
421
412
|
|
|
422
413
|
async def _validate_security_component(self, component: CloudOpsSecurityComponent) -> Dict[str, Any]:
|
|
423
414
|
"""Validate individual CloudOps-Automation security component."""
|
|
424
|
-
|
|
415
|
+
|
|
425
416
|
validation_result = {
|
|
426
|
-
|
|
427
|
-
|
|
428
|
-
|
|
429
|
-
|
|
430
|
-
|
|
417
|
+
"component_name": component.component_name,
|
|
418
|
+
"valid": False,
|
|
419
|
+
"enterprise_ready": False,
|
|
420
|
+
"issues": [],
|
|
421
|
+
"recommendations": [],
|
|
431
422
|
}
|
|
432
|
-
|
|
423
|
+
|
|
433
424
|
try:
|
|
434
425
|
component_path = Path(component.component_path)
|
|
435
|
-
|
|
426
|
+
|
|
436
427
|
# Check if component files exist
|
|
437
428
|
if not component_path.exists():
|
|
438
|
-
validation_result[
|
|
429
|
+
validation_result["issues"].append("Component path not found")
|
|
439
430
|
return validation_result
|
|
440
|
-
|
|
431
|
+
|
|
441
432
|
# Look for Python implementation file
|
|
442
433
|
py_files = list(component_path.glob("*.py"))
|
|
443
434
|
if not py_files:
|
|
444
|
-
validation_result[
|
|
435
|
+
validation_result["issues"].append("No Python implementation found")
|
|
445
436
|
return validation_result
|
|
446
|
-
|
|
437
|
+
|
|
447
438
|
# Basic validation - component has implementation
|
|
448
|
-
validation_result[
|
|
449
|
-
|
|
439
|
+
validation_result["valid"] = True
|
|
440
|
+
|
|
450
441
|
# Check for enterprise readiness indicators
|
|
451
442
|
main_py_file = py_files[0]
|
|
452
443
|
if main_py_file.exists():
|
|
453
|
-
with open(main_py_file,
|
|
444
|
+
with open(main_py_file, "r", encoding="utf-8", errors="ignore") as f:
|
|
454
445
|
content = f.read()
|
|
455
|
-
|
|
446
|
+
|
|
456
447
|
# Enterprise readiness checks
|
|
457
448
|
enterprise_indicators = [
|
|
458
|
-
|
|
459
|
-
|
|
460
|
-
|
|
461
|
-
|
|
449
|
+
"BaseModel", # Pydantic validation
|
|
450
|
+
"ClientError", # AWS error handling
|
|
451
|
+
"def ", # Function definitions
|
|
452
|
+
"try:", # Error handling
|
|
462
453
|
]
|
|
463
|
-
|
|
454
|
+
|
|
464
455
|
indicators_found = sum(1 for indicator in enterprise_indicators if indicator in content)
|
|
465
|
-
|
|
456
|
+
|
|
466
457
|
if indicators_found >= 3: # Most enterprise indicators present
|
|
467
|
-
validation_result[
|
|
458
|
+
validation_result["enterprise_ready"] = True
|
|
468
459
|
component.security_level = CloudOpsSecurityLevel.ENTERPRISE_READY
|
|
469
|
-
|
|
460
|
+
|
|
470
461
|
# Check for security best practices
|
|
471
|
-
if
|
|
472
|
-
validation_result[
|
|
462
|
+
if "ClientError" in content and "try:" in content:
|
|
463
|
+
validation_result["recommendations"].append(
|
|
473
464
|
"Component has good error handling - suitable for runbooks integration"
|
|
474
465
|
)
|
|
475
|
-
|
|
476
|
-
if
|
|
477
|
-
validation_result[
|
|
466
|
+
|
|
467
|
+
if "BaseModel" in content:
|
|
468
|
+
validation_result["recommendations"].append(
|
|
478
469
|
"Component uses Pydantic validation - aligns with runbooks v2 patterns"
|
|
479
470
|
)
|
|
480
|
-
|
|
471
|
+
|
|
481
472
|
component.validation_status = "validated"
|
|
482
473
|
component.validation_results = validation_result
|
|
483
|
-
|
|
474
|
+
|
|
484
475
|
except Exception as e:
|
|
485
|
-
validation_result[
|
|
486
|
-
|
|
476
|
+
validation_result["issues"].append(f"Validation error: {str(e)}")
|
|
477
|
+
|
|
487
478
|
return validation_result
|
|
488
479
|
|
|
489
480
|
async def _validate_account_real_time_security(self, account_id: str) -> Dict[str, Any]:
|
|
490
481
|
"""Validate real-time security state for account via MCP integration."""
|
|
491
|
-
|
|
482
|
+
|
|
492
483
|
print_info(f"Real-time security validation for account: {account_id}")
|
|
493
|
-
|
|
484
|
+
|
|
494
485
|
validation_result = {
|
|
495
|
-
|
|
496
|
-
|
|
497
|
-
|
|
498
|
-
|
|
499
|
-
|
|
486
|
+
"account_id": account_id,
|
|
487
|
+
"success": False,
|
|
488
|
+
"critical_findings": [],
|
|
489
|
+
"security_checks": [],
|
|
490
|
+
"mcp_integration_status": "pending",
|
|
500
491
|
}
|
|
501
|
-
|
|
492
|
+
|
|
502
493
|
try:
|
|
503
494
|
# Use real-time validator
|
|
504
495
|
security_state = await self.real_time_validator.validate_account_security(account_id)
|
|
505
|
-
|
|
496
|
+
|
|
506
497
|
if security_state:
|
|
507
|
-
validation_result[
|
|
508
|
-
validation_result[
|
|
509
|
-
validation_result[
|
|
510
|
-
validation_result[
|
|
511
|
-
|
|
498
|
+
validation_result["success"] = True
|
|
499
|
+
validation_result["security_checks"] = security_state.get("checks", [])
|
|
500
|
+
validation_result["critical_findings"] = security_state.get("critical_findings", [])
|
|
501
|
+
validation_result["mcp_integration_status"] = "success"
|
|
502
|
+
|
|
512
503
|
except Exception as e:
|
|
513
|
-
validation_result[
|
|
514
|
-
|
|
515
|
-
|
|
516
|
-
|
|
517
|
-
|
|
518
|
-
|
|
519
|
-
|
|
504
|
+
validation_result["critical_findings"].append(
|
|
505
|
+
{
|
|
506
|
+
"finding_type": "validation_error",
|
|
507
|
+
"severity": "HIGH",
|
|
508
|
+
"message": f"Real-time validation failed: {str(e)}",
|
|
509
|
+
"account_id": account_id,
|
|
510
|
+
}
|
|
511
|
+
)
|
|
512
|
+
|
|
520
513
|
return validation_result
|
|
521
514
|
|
|
522
515
|
async def _discover_organization_accounts(self) -> List[str]:
|
|
523
516
|
"""Discover AWS Organization accounts for multi-account validation."""
|
|
524
|
-
|
|
517
|
+
|
|
525
518
|
accounts = []
|
|
526
|
-
|
|
519
|
+
|
|
527
520
|
try:
|
|
528
|
-
organizations = self.session.client(
|
|
529
|
-
|
|
521
|
+
organizations = self.session.client("organizations")
|
|
522
|
+
|
|
530
523
|
# List organization accounts
|
|
531
|
-
paginator = organizations.get_paginator(
|
|
532
|
-
|
|
524
|
+
paginator = organizations.get_paginator("list_accounts")
|
|
525
|
+
|
|
533
526
|
for page in paginator.paginate():
|
|
534
|
-
for account in page.get(
|
|
535
|
-
if account[
|
|
536
|
-
accounts.append(account[
|
|
537
|
-
|
|
527
|
+
for account in page.get("Accounts", []):
|
|
528
|
+
if account["Status"] == "ACTIVE":
|
|
529
|
+
accounts.append(account["Id"])
|
|
530
|
+
|
|
538
531
|
print_success(f"Discovered {len(accounts)} active organization accounts")
|
|
539
|
-
|
|
532
|
+
|
|
540
533
|
except ClientError as e:
|
|
541
534
|
print_warning(f"Could not discover organization accounts: {str(e)}")
|
|
542
535
|
# Fallback to current account
|
|
543
|
-
sts = self.session.client(
|
|
544
|
-
current_account = sts.get_caller_identity()[
|
|
536
|
+
sts = self.session.client("sts")
|
|
537
|
+
current_account = sts.get_caller_identity()["Account"]
|
|
545
538
|
accounts = [current_account]
|
|
546
539
|
print_info(f"Using current account for validation: {current_account}")
|
|
547
|
-
|
|
540
|
+
|
|
548
541
|
return accounts
|
|
549
542
|
|
|
550
543
|
def _calculate_security_posture_score(
|
|
551
|
-
self,
|
|
552
|
-
validation_results: Dict[str, Any],
|
|
553
|
-
target_accounts: List[str]
|
|
544
|
+
self, validation_results: Dict[str, Any], target_accounts: List[str]
|
|
554
545
|
) -> float:
|
|
555
546
|
"""Calculate overall security posture score."""
|
|
556
|
-
|
|
547
|
+
|
|
557
548
|
# Base score from component validation
|
|
558
549
|
component_score = 0.0
|
|
559
550
|
if len(self.security_components) > 0:
|
|
560
|
-
component_score = (validation_results[
|
|
561
|
-
|
|
551
|
+
component_score = (validation_results["battle_tested_validated"] / len(self.security_components)) * 50
|
|
552
|
+
|
|
562
553
|
# Real-time validation score
|
|
563
554
|
real_time_score = 0.0
|
|
564
555
|
if len(target_accounts) > 0:
|
|
565
|
-
real_time_score = (validation_results[
|
|
566
|
-
|
|
556
|
+
real_time_score = (validation_results["real_time_validated"] / len(target_accounts)) * 30
|
|
557
|
+
|
|
567
558
|
# Enterprise readiness score
|
|
568
559
|
enterprise_score = 0.0
|
|
569
|
-
if validation_results[
|
|
570
|
-
enterprise_score = (
|
|
571
|
-
|
|
560
|
+
if validation_results["battle_tested_validated"] > 0:
|
|
561
|
+
enterprise_score = (
|
|
562
|
+
validation_results["enterprise_ready_validated"] / validation_results["battle_tested_validated"]
|
|
563
|
+
) * 20
|
|
564
|
+
|
|
572
565
|
total_score = component_score + real_time_score + enterprise_score
|
|
573
|
-
|
|
566
|
+
|
|
574
567
|
return min(100.0, total_score)
|
|
575
568
|
|
|
576
569
|
def _generate_integration_roadmap(
|
|
577
|
-
self,
|
|
578
|
-
integration_candidates: List[CloudOpsSecurityComponent]
|
|
570
|
+
self, integration_candidates: List[CloudOpsSecurityComponent]
|
|
579
571
|
) -> List[Dict[str, Any]]:
|
|
580
572
|
"""Generate integration roadmap for high-priority components."""
|
|
581
|
-
|
|
573
|
+
|
|
582
574
|
roadmap = []
|
|
583
|
-
|
|
575
|
+
|
|
584
576
|
# Sort by integration priority
|
|
585
577
|
sorted_candidates = sorted(integration_candidates, key=lambda x: x.integration_priority, reverse=True)
|
|
586
|
-
|
|
578
|
+
|
|
587
579
|
for i, component in enumerate(sorted_candidates[:10]): # Top 10 candidates
|
|
588
580
|
roadmap_item = {
|
|
589
|
-
|
|
590
|
-
|
|
591
|
-
|
|
592
|
-
|
|
593
|
-
|
|
594
|
-
|
|
595
|
-
|
|
596
|
-
|
|
597
|
-
|
|
581
|
+
"phase": f"Phase {(i // 3) + 1}", # Group into phases
|
|
582
|
+
"priority": component.integration_priority,
|
|
583
|
+
"component_name": component.component_name,
|
|
584
|
+
"category": component.validation_category.value,
|
|
585
|
+
"aws_services": component.aws_services,
|
|
586
|
+
"compliance_frameworks": component.compliance_frameworks,
|
|
587
|
+
"integration_effort": self._estimate_integration_effort(component),
|
|
588
|
+
"business_value": self._estimate_business_value(component),
|
|
589
|
+
"recommended_timeline": f"{(i // 3) * 2 + 2}-{(i // 3) * 2 + 4} weeks",
|
|
598
590
|
}
|
|
599
591
|
roadmap.append(roadmap_item)
|
|
600
|
-
|
|
592
|
+
|
|
601
593
|
return roadmap
|
|
602
594
|
|
|
603
595
|
def _estimate_integration_effort(self, component: CloudOpsSecurityComponent) -> str:
|
|
604
596
|
"""Estimate integration effort for component."""
|
|
605
|
-
|
|
597
|
+
|
|
606
598
|
if component.integration_priority >= 8:
|
|
607
599
|
return "LOW" # High priority usually means straightforward integration
|
|
608
600
|
elif component.integration_priority >= 6:
|
|
@@ -612,100 +604,95 @@ class CloudOpsAutomationSecurityValidator:
|
|
|
612
604
|
|
|
613
605
|
def _estimate_business_value(self, component: CloudOpsSecurityComponent) -> str:
|
|
614
606
|
"""Estimate business value of component integration."""
|
|
615
|
-
|
|
616
|
-
high_value_categories = [
|
|
617
|
-
|
|
618
|
-
ValidationCategory.ENCRYPTION_COMPLIANCE
|
|
619
|
-
]
|
|
620
|
-
|
|
607
|
+
|
|
608
|
+
high_value_categories = [ValidationCategory.IAM_SECURITY, ValidationCategory.ENCRYPTION_COMPLIANCE]
|
|
609
|
+
|
|
621
610
|
if component.validation_category in high_value_categories:
|
|
622
611
|
return "HIGH"
|
|
623
612
|
elif len(component.compliance_frameworks) >= 3:
|
|
624
|
-
return "HIGH"
|
|
613
|
+
return "HIGH"
|
|
625
614
|
else:
|
|
626
615
|
return "MEDIUM"
|
|
627
616
|
|
|
628
617
|
def _generate_security_recommendations(
|
|
629
|
-
self,
|
|
630
|
-
validation_results: Dict[str, Any],
|
|
631
|
-
target_accounts: List[str]
|
|
618
|
+
self, validation_results: Dict[str, Any], target_accounts: List[str]
|
|
632
619
|
) -> List[str]:
|
|
633
620
|
"""Generate security recommendations based on validation results."""
|
|
634
|
-
|
|
621
|
+
|
|
635
622
|
recommendations = []
|
|
636
|
-
|
|
623
|
+
|
|
637
624
|
# Component integration recommendations
|
|
638
|
-
if validation_results[
|
|
625
|
+
if validation_results["enterprise_ready_validated"] > 0:
|
|
639
626
|
recommendations.append(
|
|
640
627
|
f"Integrate {validation_results['enterprise_ready_validated']} enterprise-ready "
|
|
641
628
|
"CloudOps-Automation components into runbooks security module"
|
|
642
629
|
)
|
|
643
|
-
|
|
630
|
+
|
|
644
631
|
# Real-time validation recommendations
|
|
645
|
-
if validation_results[
|
|
646
|
-
recommendations.append(
|
|
647
|
-
|
|
648
|
-
)
|
|
649
|
-
|
|
632
|
+
if validation_results["real_time_validated"] < len(target_accounts):
|
|
633
|
+
recommendations.append("Implement MCP-based real-time security monitoring for all organization accounts")
|
|
634
|
+
|
|
650
635
|
# Critical findings recommendations
|
|
651
|
-
if validation_results[
|
|
636
|
+
if validation_results["critical_findings"]:
|
|
652
637
|
recommendations.append(
|
|
653
638
|
f"Address {len(validation_results['critical_findings'])} critical security findings "
|
|
654
639
|
"identified during validation"
|
|
655
640
|
)
|
|
656
|
-
|
|
641
|
+
|
|
657
642
|
# Compliance recommendations
|
|
658
|
-
recommendations.extend(
|
|
659
|
-
|
|
660
|
-
|
|
661
|
-
|
|
662
|
-
|
|
663
|
-
|
|
664
|
-
|
|
643
|
+
recommendations.extend(
|
|
644
|
+
[
|
|
645
|
+
"Establish continuous security validation pipeline using CloudOps-Automation patterns",
|
|
646
|
+
"Implement automated security remediation workflows with approval gates",
|
|
647
|
+
"Deploy security-as-code patterns across all organization accounts",
|
|
648
|
+
"Integrate security validation with existing DORA metrics and FAANG SDLC processes",
|
|
649
|
+
]
|
|
650
|
+
)
|
|
651
|
+
|
|
665
652
|
return recommendations
|
|
666
653
|
|
|
667
654
|
async def _export_validation_results(self, validation_result: MultiAccountSecurityValidation):
|
|
668
655
|
"""Export comprehensive validation results."""
|
|
669
|
-
|
|
656
|
+
|
|
670
657
|
# Export JSON report
|
|
671
658
|
json_report_path = self.output_dir / f"security_validation_{validation_result.validation_id}.json"
|
|
672
|
-
|
|
659
|
+
|
|
673
660
|
report_data = {
|
|
674
|
-
|
|
675
|
-
|
|
676
|
-
|
|
677
|
-
|
|
678
|
-
|
|
679
|
-
|
|
680
|
-
|
|
681
|
-
|
|
682
|
-
|
|
661
|
+
"validation_id": validation_result.validation_id,
|
|
662
|
+
"timestamp": validation_result.timestamp.isoformat(),
|
|
663
|
+
"summary": {
|
|
664
|
+
"accounts_validated": validation_result.accounts_validated,
|
|
665
|
+
"components_assessed": validation_result.components_assessed,
|
|
666
|
+
"battle_tested_components": validation_result.battle_tested_components,
|
|
667
|
+
"enterprise_ready_components": validation_result.enterprise_ready_components,
|
|
668
|
+
"compliance_score": validation_result.compliance_score,
|
|
669
|
+
"security_posture_score": validation_result.security_posture_score,
|
|
683
670
|
},
|
|
684
|
-
|
|
685
|
-
|
|
686
|
-
|
|
687
|
-
|
|
671
|
+
"critical_findings": validation_result.critical_findings,
|
|
672
|
+
"recommendations": validation_result.recommendations,
|
|
673
|
+
"integration_roadmap": validation_result.integration_roadmap,
|
|
674
|
+
"component_details": [
|
|
688
675
|
{
|
|
689
|
-
|
|
690
|
-
|
|
691
|
-
|
|
692
|
-
|
|
693
|
-
|
|
694
|
-
|
|
695
|
-
|
|
676
|
+
"name": comp.component_name,
|
|
677
|
+
"category": comp.validation_category.value,
|
|
678
|
+
"security_level": comp.security_level.value,
|
|
679
|
+
"priority": comp.integration_priority,
|
|
680
|
+
"aws_services": comp.aws_services,
|
|
681
|
+
"compliance_frameworks": comp.compliance_frameworks,
|
|
682
|
+
"validation_status": comp.validation_status,
|
|
696
683
|
}
|
|
697
684
|
for comp in self.security_components
|
|
698
|
-
]
|
|
685
|
+
],
|
|
699
686
|
}
|
|
700
|
-
|
|
701
|
-
with open(json_report_path,
|
|
687
|
+
|
|
688
|
+
with open(json_report_path, "w") as f:
|
|
702
689
|
json.dump(report_data, f, indent=2)
|
|
703
|
-
|
|
690
|
+
|
|
704
691
|
print_success(f"Validation results exported to: {json_report_path}")
|
|
705
692
|
|
|
706
693
|
def _display_validation_summary(self, validation_result: MultiAccountSecurityValidation):
|
|
707
694
|
"""Display comprehensive validation summary with Rich formatting."""
|
|
708
|
-
|
|
695
|
+
|
|
709
696
|
# Summary panel
|
|
710
697
|
summary_content = (
|
|
711
698
|
f"[bold green]Validation ID:[/bold green] {validation_result.validation_id}\n"
|
|
@@ -716,13 +703,13 @@ class CloudOpsAutomationSecurityValidator:
|
|
|
716
703
|
f"[bold cyan]Compliance Score:[/bold cyan] {validation_result.compliance_score:.1f}%\n"
|
|
717
704
|
f"[bold magenta]Security Posture Score:[/bold magenta] {validation_result.security_posture_score:.1f}%"
|
|
718
705
|
)
|
|
719
|
-
|
|
720
|
-
console.print(
|
|
721
|
-
|
|
722
|
-
|
|
723
|
-
|
|
724
|
-
)
|
|
725
|
-
|
|
706
|
+
|
|
707
|
+
console.print(
|
|
708
|
+
create_panel(
|
|
709
|
+
summary_content, title="🔒 CloudOps-Automation Security Validation Summary", border_style="green"
|
|
710
|
+
)
|
|
711
|
+
)
|
|
712
|
+
|
|
726
713
|
# Critical findings table
|
|
727
714
|
if validation_result.critical_findings:
|
|
728
715
|
findings_table = create_table(
|
|
@@ -731,20 +718,22 @@ class CloudOpsAutomationSecurityValidator:
|
|
|
731
718
|
{"name": "Account", "style": "red"},
|
|
732
719
|
{"name": "Finding Type", "style": "yellow"},
|
|
733
720
|
{"name": "Severity", "style": "red"},
|
|
734
|
-
{"name": "Message", "style": "white"}
|
|
735
|
-
]
|
|
721
|
+
{"name": "Message", "style": "white"},
|
|
722
|
+
],
|
|
736
723
|
)
|
|
737
|
-
|
|
724
|
+
|
|
738
725
|
for finding in validation_result.critical_findings[:10]: # Show top 10
|
|
739
726
|
findings_table.add_row(
|
|
740
|
-
finding.get(
|
|
741
|
-
finding.get(
|
|
742
|
-
finding.get(
|
|
743
|
-
finding.get(
|
|
727
|
+
finding.get("account_id", "Unknown"),
|
|
728
|
+
finding.get("finding_type", "Unknown"),
|
|
729
|
+
finding.get("severity", "Unknown"),
|
|
730
|
+
finding.get("message", "Unknown")[:80] + "..."
|
|
731
|
+
if len(finding.get("message", "")) > 80
|
|
732
|
+
else finding.get("message", ""),
|
|
744
733
|
)
|
|
745
|
-
|
|
734
|
+
|
|
746
735
|
console.print(findings_table)
|
|
747
|
-
|
|
736
|
+
|
|
748
737
|
# Integration roadmap table
|
|
749
738
|
if validation_result.integration_roadmap:
|
|
750
739
|
roadmap_table = create_table(
|
|
@@ -755,22 +744,22 @@ class CloudOpsAutomationSecurityValidator:
|
|
|
755
744
|
{"name": "Category", "style": "yellow"},
|
|
756
745
|
{"name": "Priority", "style": "red"},
|
|
757
746
|
{"name": "Business Value", "style": "magenta"},
|
|
758
|
-
{"name": "Timeline", "style": "blue"}
|
|
759
|
-
]
|
|
747
|
+
{"name": "Timeline", "style": "blue"},
|
|
748
|
+
],
|
|
760
749
|
)
|
|
761
|
-
|
|
750
|
+
|
|
762
751
|
for item in validation_result.integration_roadmap:
|
|
763
752
|
roadmap_table.add_row(
|
|
764
|
-
item[
|
|
765
|
-
item[
|
|
766
|
-
item[
|
|
767
|
-
str(item[
|
|
768
|
-
item[
|
|
769
|
-
item[
|
|
753
|
+
item["phase"],
|
|
754
|
+
item["component_name"][:30] + "..." if len(item["component_name"]) > 30 else item["component_name"],
|
|
755
|
+
item["category"],
|
|
756
|
+
str(item["priority"]),
|
|
757
|
+
item["business_value"],
|
|
758
|
+
item["recommended_timeline"],
|
|
770
759
|
)
|
|
771
|
-
|
|
760
|
+
|
|
772
761
|
console.print(roadmap_table)
|
|
773
|
-
|
|
762
|
+
|
|
774
763
|
# Recommendations
|
|
775
764
|
if validation_result.recommendations:
|
|
776
765
|
print_header("Security Recommendations", "")
|
|
@@ -780,385 +769,370 @@ class CloudOpsAutomationSecurityValidator:
|
|
|
780
769
|
|
|
781
770
|
class RealTimeSecurityValidator:
|
|
782
771
|
"""Real-time AWS security state validation via MCP integration."""
|
|
783
|
-
|
|
772
|
+
|
|
784
773
|
def __init__(self, session: boto3.Session):
|
|
785
774
|
self.session = session
|
|
786
|
-
|
|
775
|
+
|
|
787
776
|
async def validate_account_security(self, account_id: str) -> Dict[str, Any]:
|
|
788
777
|
"""Validate real-time security state for account."""
|
|
789
|
-
|
|
778
|
+
|
|
790
779
|
security_checks = []
|
|
791
780
|
critical_findings = []
|
|
792
|
-
|
|
781
|
+
|
|
793
782
|
try:
|
|
794
783
|
# Assume cross-account role if needed
|
|
795
|
-
if account_id != self.session.client(
|
|
784
|
+
if account_id != self.session.client("sts").get_caller_identity()["Account"]:
|
|
796
785
|
# For now, use current session - cross-account role assumption would be implemented here
|
|
797
786
|
pass
|
|
798
|
-
|
|
787
|
+
|
|
799
788
|
# Real-time security validations
|
|
800
|
-
|
|
789
|
+
|
|
801
790
|
# 1. IAM security validation
|
|
802
791
|
iam_results = await self._validate_iam_security()
|
|
803
|
-
security_checks.extend(iam_results[
|
|
804
|
-
critical_findings.extend(iam_results[
|
|
805
|
-
|
|
792
|
+
security_checks.extend(iam_results["checks"])
|
|
793
|
+
critical_findings.extend(iam_results["critical_findings"])
|
|
794
|
+
|
|
806
795
|
# 2. S3 encryption validation
|
|
807
796
|
s3_results = await self._validate_s3_encryption()
|
|
808
|
-
security_checks.extend(s3_results[
|
|
809
|
-
critical_findings.extend(s3_results[
|
|
810
|
-
|
|
797
|
+
security_checks.extend(s3_results["checks"])
|
|
798
|
+
critical_findings.extend(s3_results["critical_findings"])
|
|
799
|
+
|
|
811
800
|
# 3. Network security validation
|
|
812
801
|
network_results = await self._validate_network_security()
|
|
813
|
-
security_checks.extend(network_results[
|
|
814
|
-
critical_findings.extend(network_results[
|
|
815
|
-
|
|
802
|
+
security_checks.extend(network_results["checks"])
|
|
803
|
+
critical_findings.extend(network_results["critical_findings"])
|
|
804
|
+
|
|
816
805
|
except Exception as e:
|
|
817
|
-
critical_findings.append(
|
|
818
|
-
|
|
819
|
-
|
|
820
|
-
|
|
821
|
-
|
|
822
|
-
|
|
823
|
-
|
|
806
|
+
critical_findings.append(
|
|
807
|
+
{
|
|
808
|
+
"finding_type": "real_time_validation_error",
|
|
809
|
+
"severity": "HIGH",
|
|
810
|
+
"message": f"Real-time validation failed: {str(e)}",
|
|
811
|
+
"account_id": account_id,
|
|
812
|
+
}
|
|
813
|
+
)
|
|
814
|
+
|
|
824
815
|
return {
|
|
825
|
-
|
|
826
|
-
|
|
827
|
-
|
|
828
|
-
|
|
816
|
+
"account_id": account_id,
|
|
817
|
+
"checks": security_checks,
|
|
818
|
+
"critical_findings": critical_findings,
|
|
819
|
+
"validation_timestamp": datetime.utcnow().isoformat(),
|
|
829
820
|
}
|
|
830
|
-
|
|
821
|
+
|
|
831
822
|
async def _validate_iam_security(self) -> Dict[str, Any]:
|
|
832
823
|
"""Validate IAM security configuration."""
|
|
833
|
-
|
|
824
|
+
|
|
834
825
|
checks = []
|
|
835
826
|
critical_findings = []
|
|
836
|
-
|
|
827
|
+
|
|
837
828
|
try:
|
|
838
|
-
iam = self.session.client(
|
|
839
|
-
|
|
829
|
+
iam = self.session.client("iam")
|
|
830
|
+
|
|
840
831
|
# Check for root access keys
|
|
841
832
|
try:
|
|
842
|
-
account_summary = iam.get_account_summary()[
|
|
843
|
-
if account_summary.get(
|
|
844
|
-
critical_findings.append(
|
|
845
|
-
|
|
846
|
-
|
|
847
|
-
|
|
848
|
-
|
|
849
|
-
|
|
850
|
-
|
|
851
|
-
|
|
852
|
-
|
|
853
|
-
|
|
854
|
-
|
|
855
|
-
|
|
833
|
+
account_summary = iam.get_account_summary()["SummaryMap"]
|
|
834
|
+
if account_summary.get("AccountAccessKeysPresent", 0) > 0:
|
|
835
|
+
critical_findings.append(
|
|
836
|
+
{
|
|
837
|
+
"finding_type": "root_access_keys",
|
|
838
|
+
"severity": "CRITICAL",
|
|
839
|
+
"message": "Root account has active access keys",
|
|
840
|
+
"remediation": "Delete root access keys and enable MFA",
|
|
841
|
+
}
|
|
842
|
+
)
|
|
843
|
+
|
|
844
|
+
checks.append(
|
|
845
|
+
{
|
|
846
|
+
"check_type": "root_access_keys",
|
|
847
|
+
"status": "fail" if account_summary.get("AccountAccessKeysPresent", 0) > 0 else "pass",
|
|
848
|
+
}
|
|
849
|
+
)
|
|
850
|
+
|
|
856
851
|
except ClientError:
|
|
857
852
|
pass # May not have permissions
|
|
858
|
-
|
|
853
|
+
|
|
859
854
|
except ClientError as e:
|
|
860
|
-
critical_findings.append(
|
|
861
|
-
|
|
862
|
-
|
|
863
|
-
|
|
864
|
-
|
|
865
|
-
|
|
866
|
-
|
|
867
|
-
|
|
855
|
+
critical_findings.append(
|
|
856
|
+
{
|
|
857
|
+
"finding_type": "iam_validation_error",
|
|
858
|
+
"severity": "HIGH",
|
|
859
|
+
"message": f"IAM validation failed: {str(e)}",
|
|
860
|
+
}
|
|
861
|
+
)
|
|
862
|
+
|
|
863
|
+
return {"checks": checks, "critical_findings": critical_findings}
|
|
864
|
+
|
|
868
865
|
async def _validate_s3_encryption(self) -> Dict[str, Any]:
|
|
869
866
|
"""Validate S3 encryption compliance."""
|
|
870
|
-
|
|
867
|
+
|
|
871
868
|
checks = []
|
|
872
869
|
critical_findings = []
|
|
873
|
-
|
|
870
|
+
|
|
874
871
|
try:
|
|
875
|
-
s3 = self.session.client(
|
|
876
|
-
|
|
872
|
+
s3 = self.session.client("s3")
|
|
873
|
+
|
|
877
874
|
# List buckets and check encryption
|
|
878
875
|
response = s3.list_buckets()
|
|
879
|
-
|
|
880
|
-
for bucket in response.get(
|
|
881
|
-
bucket_name = bucket[
|
|
882
|
-
|
|
876
|
+
|
|
877
|
+
for bucket in response.get("Buckets", []):
|
|
878
|
+
bucket_name = bucket["Name"]
|
|
879
|
+
|
|
883
880
|
try:
|
|
884
881
|
# Check bucket encryption
|
|
885
882
|
s3.get_bucket_encryption(Bucket=bucket_name)
|
|
886
|
-
|
|
887
|
-
checks.append({
|
|
888
|
-
|
|
889
|
-
'resource': bucket_name,
|
|
890
|
-
'status': 'pass'
|
|
891
|
-
})
|
|
892
|
-
|
|
883
|
+
|
|
884
|
+
checks.append({"check_type": "s3_encryption", "resource": bucket_name, "status": "pass"})
|
|
885
|
+
|
|
893
886
|
except ClientError as e:
|
|
894
|
-
if e.response[
|
|
895
|
-
critical_findings.append(
|
|
896
|
-
|
|
897
|
-
|
|
898
|
-
|
|
899
|
-
|
|
900
|
-
|
|
901
|
-
|
|
902
|
-
|
|
903
|
-
|
|
904
|
-
|
|
905
|
-
|
|
906
|
-
|
|
907
|
-
})
|
|
908
|
-
|
|
887
|
+
if e.response["Error"]["Code"] == "ServerSideEncryptionConfigurationNotFoundError":
|
|
888
|
+
critical_findings.append(
|
|
889
|
+
{
|
|
890
|
+
"finding_type": "s3_unencrypted",
|
|
891
|
+
"severity": "HIGH",
|
|
892
|
+
"message": f"S3 bucket {bucket_name} is not encrypted",
|
|
893
|
+
"resource": bucket_name,
|
|
894
|
+
"remediation": f"Enable encryption on bucket {bucket_name}",
|
|
895
|
+
}
|
|
896
|
+
)
|
|
897
|
+
|
|
898
|
+
checks.append({"check_type": "s3_encryption", "resource": bucket_name, "status": "fail"})
|
|
899
|
+
|
|
909
900
|
except ClientError as e:
|
|
910
|
-
critical_findings.append(
|
|
911
|
-
|
|
912
|
-
|
|
913
|
-
|
|
914
|
-
|
|
915
|
-
|
|
916
|
-
|
|
917
|
-
|
|
901
|
+
critical_findings.append(
|
|
902
|
+
{
|
|
903
|
+
"finding_type": "s3_validation_error",
|
|
904
|
+
"severity": "HIGH",
|
|
905
|
+
"message": f"S3 validation failed: {str(e)}",
|
|
906
|
+
}
|
|
907
|
+
)
|
|
908
|
+
|
|
909
|
+
return {"checks": checks, "critical_findings": critical_findings}
|
|
910
|
+
|
|
918
911
|
async def _validate_network_security(self) -> Dict[str, Any]:
|
|
919
912
|
"""Validate network security configuration."""
|
|
920
|
-
|
|
913
|
+
|
|
921
914
|
checks = []
|
|
922
915
|
critical_findings = []
|
|
923
|
-
|
|
916
|
+
|
|
924
917
|
try:
|
|
925
|
-
ec2 = self.session.client(
|
|
926
|
-
|
|
918
|
+
ec2 = self.session.client("ec2")
|
|
919
|
+
|
|
927
920
|
# Check security groups for open access
|
|
928
|
-
security_groups = ec2.describe_security_groups()[
|
|
929
|
-
|
|
921
|
+
security_groups = ec2.describe_security_groups()["SecurityGroups"]
|
|
922
|
+
|
|
930
923
|
for sg in security_groups:
|
|
931
|
-
sg_id = sg[
|
|
932
|
-
|
|
924
|
+
sg_id = sg["GroupId"]
|
|
925
|
+
|
|
933
926
|
# Check for overly permissive rules
|
|
934
|
-
for rule in sg.get(
|
|
935
|
-
for ip_range in rule.get(
|
|
936
|
-
if ip_range.get(
|
|
937
|
-
|
|
927
|
+
for rule in sg.get("IpPermissions", []):
|
|
928
|
+
for ip_range in rule.get("IpRanges", []):
|
|
929
|
+
if ip_range.get("CidrIp") == "0.0.0.0/0":
|
|
938
930
|
# Determine severity based on port
|
|
939
|
-
port = rule.get(
|
|
940
|
-
severity =
|
|
941
|
-
|
|
942
|
-
critical_findings.append(
|
|
943
|
-
|
|
944
|
-
|
|
945
|
-
|
|
946
|
-
|
|
947
|
-
|
|
948
|
-
|
|
949
|
-
|
|
950
|
-
|
|
951
|
-
|
|
952
|
-
|
|
953
|
-
'status': 'fail'
|
|
954
|
-
})
|
|
931
|
+
port = rule.get("FromPort", "unknown")
|
|
932
|
+
severity = "CRITICAL" if port in [22, 3389, 80, 443] else "HIGH"
|
|
933
|
+
|
|
934
|
+
critical_findings.append(
|
|
935
|
+
{
|
|
936
|
+
"finding_type": "open_security_group",
|
|
937
|
+
"severity": severity,
|
|
938
|
+
"message": f"Security group {sg_id} allows unrestricted access on port {port}",
|
|
939
|
+
"resource": sg_id,
|
|
940
|
+
"remediation": f"Restrict access in security group {sg_id}",
|
|
941
|
+
}
|
|
942
|
+
)
|
|
943
|
+
|
|
944
|
+
checks.append({"check_type": "security_group_rules", "resource": sg_id, "status": "fail"})
|
|
955
945
|
break
|
|
956
946
|
else:
|
|
957
|
-
checks.append({
|
|
958
|
-
|
|
959
|
-
'resource': sg_id,
|
|
960
|
-
'status': 'pass'
|
|
961
|
-
})
|
|
962
|
-
|
|
947
|
+
checks.append({"check_type": "security_group_rules", "resource": sg_id, "status": "pass"})
|
|
948
|
+
|
|
963
949
|
except ClientError as e:
|
|
964
|
-
critical_findings.append(
|
|
965
|
-
|
|
966
|
-
|
|
967
|
-
|
|
968
|
-
|
|
969
|
-
|
|
970
|
-
|
|
950
|
+
critical_findings.append(
|
|
951
|
+
{
|
|
952
|
+
"finding_type": "network_validation_error",
|
|
953
|
+
"severity": "HIGH",
|
|
954
|
+
"message": f"Network validation failed: {str(e)}",
|
|
955
|
+
}
|
|
956
|
+
)
|
|
957
|
+
|
|
958
|
+
return {"checks": checks, "critical_findings": critical_findings}
|
|
971
959
|
|
|
972
960
|
|
|
973
961
|
class MCPSecurityIntegration:
|
|
974
962
|
"""MCP integration for real-time security monitoring."""
|
|
975
|
-
|
|
963
|
+
|
|
976
964
|
def __init__(self):
|
|
977
965
|
self.mcp_endpoints = self._initialize_mcp_endpoints()
|
|
978
|
-
|
|
966
|
+
|
|
979
967
|
def _initialize_mcp_endpoints(self) -> Dict[str, str]:
|
|
980
968
|
"""Initialize MCP endpoints for security monitoring."""
|
|
981
|
-
|
|
969
|
+
|
|
982
970
|
return {
|
|
983
|
-
|
|
984
|
-
|
|
985
|
-
|
|
986
|
-
|
|
987
|
-
|
|
971
|
+
"cost_explorer": "mcp://aws/cost-explorer",
|
|
972
|
+
"organizations": "mcp://aws/organizations",
|
|
973
|
+
"security_hub": "mcp://aws/security-hub",
|
|
974
|
+
"config": "mcp://aws/config",
|
|
975
|
+
"cloudtrail": "mcp://aws/cloudtrail",
|
|
988
976
|
}
|
|
989
|
-
|
|
977
|
+
|
|
990
978
|
async def validate_security_via_mcp(self, account_id: str) -> Dict[str, Any]:
|
|
991
979
|
"""Validate security state via MCP integration."""
|
|
992
|
-
|
|
980
|
+
|
|
993
981
|
# Placeholder for MCP integration
|
|
994
982
|
# This would integrate with actual MCP servers for real-time data
|
|
995
|
-
|
|
983
|
+
|
|
996
984
|
return {
|
|
997
|
-
|
|
998
|
-
|
|
999
|
-
|
|
1000
|
-
|
|
985
|
+
"account_id": account_id,
|
|
986
|
+
"mcp_status": "available",
|
|
987
|
+
"security_score": 85.0,
|
|
988
|
+
"last_updated": datetime.utcnow().isoformat(),
|
|
1001
989
|
}
|
|
1002
990
|
|
|
1003
991
|
|
|
1004
992
|
class MultiAccountSecurityController:
|
|
1005
993
|
"""Multi-account security controls for 61-account operations."""
|
|
1006
|
-
|
|
994
|
+
|
|
1007
995
|
def __init__(self, session: boto3.Session):
|
|
1008
996
|
self.session = session
|
|
1009
|
-
|
|
997
|
+
|
|
1010
998
|
async def apply_security_controls(self, account_ids: List[str]) -> Dict[str, Any]:
|
|
1011
999
|
"""Apply security controls across multiple accounts."""
|
|
1012
|
-
|
|
1013
|
-
results = {
|
|
1014
|
-
|
|
1015
|
-
'controls_applied': 0,
|
|
1016
|
-
'failures': []
|
|
1017
|
-
}
|
|
1018
|
-
|
|
1000
|
+
|
|
1001
|
+
results = {"accounts_processed": 0, "controls_applied": 0, "failures": []}
|
|
1002
|
+
|
|
1019
1003
|
for account_id in account_ids:
|
|
1020
1004
|
try:
|
|
1021
1005
|
# Apply security controls to account
|
|
1022
1006
|
account_result = await self._apply_account_security_controls(account_id)
|
|
1023
|
-
|
|
1024
|
-
if account_result[
|
|
1025
|
-
results[
|
|
1026
|
-
results[
|
|
1007
|
+
|
|
1008
|
+
if account_result["success"]:
|
|
1009
|
+
results["accounts_processed"] += 1
|
|
1010
|
+
results["controls_applied"] += account_result["controls_applied"]
|
|
1027
1011
|
else:
|
|
1028
|
-
results[
|
|
1029
|
-
|
|
1030
|
-
'error': account_result['error']
|
|
1031
|
-
})
|
|
1032
|
-
|
|
1012
|
+
results["failures"].append({"account_id": account_id, "error": account_result["error"]})
|
|
1013
|
+
|
|
1033
1014
|
except Exception as e:
|
|
1034
|
-
results[
|
|
1035
|
-
|
|
1036
|
-
'error': str(e)
|
|
1037
|
-
})
|
|
1038
|
-
|
|
1015
|
+
results["failures"].append({"account_id": account_id, "error": str(e)})
|
|
1016
|
+
|
|
1039
1017
|
return results
|
|
1040
|
-
|
|
1018
|
+
|
|
1041
1019
|
async def _apply_account_security_controls(self, account_id: str) -> Dict[str, Any]:
|
|
1042
1020
|
"""Apply security controls to individual account."""
|
|
1043
|
-
|
|
1021
|
+
|
|
1044
1022
|
# Placeholder for multi-account security control implementation
|
|
1045
1023
|
# This would implement cross-account role assumption and security policy enforcement
|
|
1046
|
-
|
|
1024
|
+
|
|
1047
1025
|
return {
|
|
1048
|
-
|
|
1049
|
-
|
|
1050
|
-
|
|
1051
|
-
|
|
1026
|
+
"account_id": account_id,
|
|
1027
|
+
"success": True,
|
|
1028
|
+
"controls_applied": 5, # Example: 5 security controls applied
|
|
1029
|
+
"error": None,
|
|
1052
1030
|
}
|
|
1053
1031
|
|
|
1054
1032
|
|
|
1055
1033
|
class ComplianceFrameworkEngine:
|
|
1056
1034
|
"""Compliance framework validation engine."""
|
|
1057
|
-
|
|
1035
|
+
|
|
1058
1036
|
def __init__(self):
|
|
1059
1037
|
self.frameworks = {
|
|
1060
|
-
|
|
1061
|
-
|
|
1062
|
-
|
|
1063
|
-
|
|
1064
|
-
|
|
1038
|
+
"SOC2": self._soc2_requirements,
|
|
1039
|
+
"PCI-DSS": self._pci_dss_requirements,
|
|
1040
|
+
"HIPAA": self._hipaa_requirements,
|
|
1041
|
+
"AWS_Well_Architected": self._aws_wa_requirements,
|
|
1042
|
+
"CIS_Benchmarks": self._cis_requirements,
|
|
1065
1043
|
}
|
|
1066
|
-
|
|
1044
|
+
|
|
1067
1045
|
def _soc2_requirements(self) -> List[str]:
|
|
1068
1046
|
"""SOC2 compliance requirements."""
|
|
1069
1047
|
return [
|
|
1070
|
-
|
|
1071
|
-
|
|
1072
|
-
|
|
1073
|
-
|
|
1074
|
-
|
|
1048
|
+
"Encryption at rest for sensitive data",
|
|
1049
|
+
"Access controls and authentication",
|
|
1050
|
+
"Audit logging and monitoring",
|
|
1051
|
+
"Incident response procedures",
|
|
1052
|
+
"Change management controls",
|
|
1075
1053
|
]
|
|
1076
|
-
|
|
1054
|
+
|
|
1077
1055
|
def _pci_dss_requirements(self) -> List[str]:
|
|
1078
1056
|
"""PCI-DSS compliance requirements."""
|
|
1079
1057
|
return [
|
|
1080
|
-
|
|
1081
|
-
|
|
1082
|
-
|
|
1083
|
-
|
|
1084
|
-
|
|
1058
|
+
"Cardholder data encryption",
|
|
1059
|
+
"Network security controls",
|
|
1060
|
+
"Strong authentication mechanisms",
|
|
1061
|
+
"Regular security testing",
|
|
1062
|
+
"Information security policy",
|
|
1085
1063
|
]
|
|
1086
|
-
|
|
1064
|
+
|
|
1087
1065
|
def _hipaa_requirements(self) -> List[str]:
|
|
1088
1066
|
"""HIPAA compliance requirements."""
|
|
1089
1067
|
return [
|
|
1090
|
-
|
|
1091
|
-
|
|
1092
|
-
|
|
1093
|
-
|
|
1094
|
-
|
|
1068
|
+
"PHI encryption and access controls",
|
|
1069
|
+
"Audit trails for PHI access",
|
|
1070
|
+
"Risk assessment and management",
|
|
1071
|
+
"Security incident response",
|
|
1072
|
+
"Business associate agreements",
|
|
1095
1073
|
]
|
|
1096
|
-
|
|
1074
|
+
|
|
1097
1075
|
def _aws_wa_requirements(self) -> List[str]:
|
|
1098
1076
|
"""AWS Well-Architected security pillar requirements."""
|
|
1099
1077
|
return [
|
|
1100
|
-
|
|
1101
|
-
|
|
1102
|
-
|
|
1103
|
-
|
|
1104
|
-
|
|
1078
|
+
"Identity and access management",
|
|
1079
|
+
"Detective controls",
|
|
1080
|
+
"Infrastructure protection",
|
|
1081
|
+
"Data protection",
|
|
1082
|
+
"Incident response capability",
|
|
1105
1083
|
]
|
|
1106
|
-
|
|
1084
|
+
|
|
1107
1085
|
def _cis_requirements(self) -> List[str]:
|
|
1108
1086
|
"""CIS Benchmarks requirements."""
|
|
1109
1087
|
return [
|
|
1110
|
-
|
|
1111
|
-
|
|
1112
|
-
|
|
1113
|
-
|
|
1114
|
-
|
|
1088
|
+
"Account security configuration",
|
|
1089
|
+
"Network security controls",
|
|
1090
|
+
"Identity and access management",
|
|
1091
|
+
"Data protection controls",
|
|
1092
|
+
"Monitoring and logging",
|
|
1115
1093
|
]
|
|
1116
|
-
|
|
1094
|
+
|
|
1117
1095
|
def validate_compliance(self, framework: str, validation_results: Dict[str, Any]) -> Dict[str, Any]:
|
|
1118
1096
|
"""Validate compliance against specific framework."""
|
|
1119
|
-
|
|
1097
|
+
|
|
1120
1098
|
if framework not in self.frameworks:
|
|
1121
|
-
return {
|
|
1122
|
-
|
|
1099
|
+
return {"error": f"Framework {framework} not supported"}
|
|
1100
|
+
|
|
1123
1101
|
requirements = self.frameworks[framework]()
|
|
1124
|
-
|
|
1125
|
-
compliance_score = len(validation_results.get(
|
|
1126
|
-
|
|
1102
|
+
|
|
1103
|
+
compliance_score = len(validation_results.get("passed_checks", [])) / len(requirements) * 100
|
|
1104
|
+
|
|
1127
1105
|
return {
|
|
1128
|
-
|
|
1129
|
-
|
|
1130
|
-
|
|
1131
|
-
|
|
1132
|
-
|
|
1106
|
+
"framework": framework,
|
|
1107
|
+
"compliance_score": compliance_score,
|
|
1108
|
+
"requirements": requirements,
|
|
1109
|
+
"passed_checks": validation_results.get("passed_checks", []),
|
|
1110
|
+
"failed_checks": validation_results.get("failed_checks", []),
|
|
1133
1111
|
}
|
|
1134
1112
|
|
|
1135
1113
|
|
|
1136
1114
|
# CLI integration for enterprise security validation
|
|
1137
1115
|
if __name__ == "__main__":
|
|
1138
1116
|
import argparse
|
|
1139
|
-
|
|
1140
|
-
parser = argparse.ArgumentParser(description=
|
|
1141
|
-
parser.add_argument(
|
|
1142
|
-
parser.add_argument(
|
|
1143
|
-
parser.add_argument(
|
|
1144
|
-
parser.add_argument(
|
|
1145
|
-
|
|
1117
|
+
|
|
1118
|
+
parser = argparse.ArgumentParser(description="CloudOps-Automation Security Validator")
|
|
1119
|
+
parser.add_argument("--profile", default="default", help="AWS profile to use")
|
|
1120
|
+
parser.add_argument("--accounts", nargs="+", help="Target account IDs (optional)")
|
|
1121
|
+
parser.add_argument("--real-time", action="store_true", help="Include real-time validation")
|
|
1122
|
+
parser.add_argument("--output-dir", default="./artifacts/cloudops-security", help="Output directory")
|
|
1123
|
+
|
|
1146
1124
|
args = parser.parse_args()
|
|
1147
|
-
|
|
1125
|
+
|
|
1148
1126
|
async def main():
|
|
1149
|
-
validator = CloudOpsAutomationSecurityValidator(
|
|
1150
|
-
|
|
1151
|
-
output_dir=args.output_dir
|
|
1152
|
-
)
|
|
1153
|
-
|
|
1127
|
+
validator = CloudOpsAutomationSecurityValidator(profile=args.profile, output_dir=args.output_dir)
|
|
1128
|
+
|
|
1154
1129
|
result = await validator.comprehensive_security_validation(
|
|
1155
|
-
target_accounts=args.accounts,
|
|
1156
|
-
include_real_time_validation=args.real_time
|
|
1130
|
+
target_accounts=args.accounts, include_real_time_validation=args.real_time
|
|
1157
1131
|
)
|
|
1158
|
-
|
|
1132
|
+
|
|
1159
1133
|
print_success(f"Security validation completed: {result.validation_id}")
|
|
1160
1134
|
print_info(f"Compliance score: {result.compliance_score:.1f}%")
|
|
1161
1135
|
print_info(f"Security posture score: {result.security_posture_score:.1f}%")
|
|
1162
|
-
|
|
1136
|
+
|
|
1163
1137
|
# Run the async main function
|
|
1164
|
-
asyncio.run(main())
|
|
1138
|
+
asyncio.run(main())
|