runbooks 1.1.4__py3-none-any.whl → 1.1.5__py3-none-any.whl

runbooks/cloudops/security_enforcer.py

@@ -6,7 +6,7 @@ Supports automated compliance enforcement, security policy implementation, and a
 
 Business Scenarios:
 - Security Incident Response: Automated remediation for compliance violations
-- S3 Encryption Enforcement: Compliance with SOC2, PCI-DSS, HIPAA requirements  
+- S3 Encryption Enforcement: Compliance with SOC2, PCI-DSS, HIPAA requirements
 - IAM Security Optimization: Least privilege principle enforcement
 - RDS Security Hardening: Database security and compliance
 - Multi-Account Security Governance: Organization-wide security policy enforcement
@@ -27,19 +27,33 @@ from botocore.exceptions import ClientError
 from datetime import datetime, timedelta
 
 from runbooks.common.rich_utils import (
-    console, print_header, print_success, print_error, print_warning, print_info,
-    create_table, create_progress_bar, format_cost, create_panel
+    console,
+    print_header,
+    print_success,
+    print_error,
+    print_warning,
+    print_info,
+    create_table,
+    create_progress_bar,
+    format_cost,
+    create_panel,
 )
 from .base import CloudOpsBase
 from .models import (
-    SecurityEnforcementResult, BusinessScenario, ExecutionMode, RiskLevel,
-    ResourceImpact, BusinessMetrics, ComplianceMetrics
+    SecurityEnforcementResult,
+    BusinessScenario,
+    ExecutionMode,
+    RiskLevel,
+    ResourceImpact,
+    BusinessMetrics,
+    ComplianceMetrics,
 )
 
+
 class SecurityEnforcer(CloudOpsBase):
     """
     Security enforcement scenarios for automated compliance and risk reduction.
-    
+
     Business Use Cases:
     1. Security incident response and automated remediation
     2. Compliance framework enforcement (SOC2, PCI-DSS, HIPAA)
@@ -47,122 +61,115 @@ class SecurityEnforcer(CloudOpsBase):
     4. Security baseline implementation and monitoring
     5. Executive security reporting and audit preparation
     """
-    
+
     def __init__(
-        self, 
-        profile: str = "default", 
-        dry_run: bool = True,
-        execution_mode: ExecutionMode = ExecutionMode.DRY_RUN
+        self, profile: str = "default", dry_run: bool = True, execution_mode: ExecutionMode = ExecutionMode.DRY_RUN
     ):
         """
         Initialize Security Enforcer with enterprise patterns.
-        
+
         Args:
             profile: AWS profile (typically management profile for cross-account access)
             dry_run: Enable safe analysis mode (default True)
             execution_mode: Execution mode for operations
         """
         super().__init__(profile, dry_run, execution_mode)
-        
+
         print_header("CloudOps Security Enforcer", "1.0.0")
         print_info(f"Execution mode: {execution_mode.value}")
         print_info(f"Profile: {profile}")
-        
+
         if dry_run:
             print_warning("🛡️  DRY RUN MODE: No security policies will be enforced")
-    
+
     async def enforce_s3_encryption(
-        self, 
-        regions: Optional[List[str]] = None,
-        encryption_type: str = "AES256"
+        self, regions: Optional[List[str]] = None, encryption_type: str = "AES256"
     ) -> SecurityEnforcementResult:
         """
         Business Scenario: Enforce S3 bucket encryption for compliance
         Source: AWS_encrypt_unencrypted_S3_buckets.ipynb
-        
+
         Typical Business Impact:
         - Compliance improvement: SOC2, PCI-DSS, HIPAA requirements
         - Risk reduction: Data protection and regulatory compliance
         - Implementation time: 10-20 minutes
-        
+
         Args:
-            regions: Target regions (default: all available) 
+            regions: Target regions (default: all available)
             encryption_type: Encryption type (AES256 or aws:kms)
-            
+
         Returns:
             SecurityEnforcementResult with detailed compliance improvements
         """
         operation_name = "S3 Encryption Enforcement"
         print_header(f"🔒 {operation_name}")
-        
+
         # Initialize result tracking
         unencrypted_buckets = []
         encrypted_buckets = []
         total_violations = 0
         violations_fixed = 0
-        
+
         # Get target regions
-        target_regions = regions or self._get_available_regions('s3')[:3]  # S3 is global, limit regions
-        
+        target_regions = regions or self._get_available_regions("s3")[:3]  # S3 is global, limit regions
+
         print_info(f"Scanning S3 buckets for encryption compliance")
         print_info(f"Required encryption: {encryption_type}")
         print_info(f"Target regions: {len(target_regions)}")
-        
+
         # Progress tracking
         with create_progress_bar() as progress:
             task = progress.add_task("[cyan]Scanning S3 buckets...", total=len(target_regions))
-            
+
             for region in target_regions:
                 try:
-                    region_results = await self._analyze_s3_encryption_in_region(
-                        region, encryption_type
-                    )
-                    unencrypted_buckets.extend(region_results['unencrypted'])
-                    encrypted_buckets.extend(region_results['encrypted'])
-                    
+                    region_results = await self._analyze_s3_encryption_in_region(region, encryption_type)
+                    unencrypted_buckets.extend(region_results["unencrypted"])
+                    encrypted_buckets.extend(region_results["encrypted"])
+
                     progress.update(task, advance=1)
-                    
+
                 except Exception as e:
                     print_warning(f"Could not analyze region {region}: {str(e)}")
                     continue
-        
+
         total_violations = len(unencrypted_buckets)
-        
+
         # Create resource impacts for unencrypted buckets
         resource_impacts = []
         for bucket_info in unencrypted_buckets:
             impact = self.create_resource_impact(
                 resource_type="s3-bucket",
-                resource_id=bucket_info['bucket_name'],
-                region=bucket_info['region'],
+                resource_id=bucket_info["bucket_name"],
+                region=bucket_info["region"],
                 estimated_cost=0.0,  # No direct cost for encryption
                 projected_savings=0.0,  # Compliance value, not cost savings
                 risk_level=RiskLevel.HIGH,  # Unencrypted data is high risk
                 modification_required=True,
                 resource_name=f"S3 Bucket {bucket_info['bucket_name']}",
                 business_criticality="high",  # Data protection is critical
-                estimated_downtime=0.0  # S3 encryption enablement has no downtime
+                estimated_downtime=0.0,  # S3 encryption enablement has no downtime
             )
             resource_impacts.append(impact)
-        
+
         # Execute enforcement if not dry run
         if not self.dry_run and self.execution_mode == ExecutionMode.EXECUTE:
             print_info("🔧 Executing S3 encryption enforcement...")
             violations_fixed = await self._apply_s3_encryption(unencrypted_buckets, encryption_type)
-        
+
         # Calculate compliance scores
         total_buckets = len(encrypted_buckets) + len(unencrypted_buckets)
         security_score_before = (len(encrypted_buckets) / total_buckets * 100) if total_buckets > 0 else 100.0
-        
+
         if violations_fixed > 0:
-            security_score_after = ((len(encrypted_buckets) + violations_fixed) / total_buckets * 100)
+            security_score_after = (len(encrypted_buckets) + violations_fixed) / total_buckets * 100
         else:
             security_score_after = security_score_before
-        
+
         # Display results
         if unencrypted_buckets:
             print_warning(f"⚠️  Found {len(unencrypted_buckets)} unencrypted S3 buckets")
-            
+
             # Detailed table
             s3_table = create_table(
                 title="S3 Encryption Compliance Analysis",
@@ -171,26 +178,20 @@ class SecurityEnforcer(CloudOpsBase):
                     {"name": "Region", "style": "green"},
                     {"name": "Current Encryption", "style": "red"},
                     {"name": "Required Action", "style": "yellow"},
-                    {"name": "Compliance Risk", "style": "blue"}
-                ]
+                    {"name": "Compliance Risk", "style": "blue"},
+                ],
             )
-            
+
             for bucket in unencrypted_buckets[:10]:  # Show top 10
-                s3_table.add_row(
-                    bucket['bucket_name'],
-                    bucket['region'],
-                    "None",
-                    f"Apply {encryption_type}",
-                    "High"
-                )
-            
+                s3_table.add_row(bucket["bucket_name"], bucket["region"], "None", f"Apply {encryption_type}", "High")
+
             console.print(s3_table)
-            
+
             if violations_fixed > 0:
                 print_success(f"🔐 Successfully encrypted {violations_fixed} buckets")
         else:
             print_success("✅ All S3 buckets are properly encrypted")
-        
+
         # Create compliance metrics
         compliance_metrics = [
             ComplianceMetrics(
@@ -198,26 +199,26 @@ class SecurityEnforcer(CloudOpsBase):
                 current_score=security_score_after,
                 target_score=100.0,
                 violations_found=total_violations,
-                violations_fixed=violations_fixed
+                violations_fixed=violations_fixed,
             ),
             ComplianceMetrics(
                 framework="PCI-DSS",
                 current_score=security_score_after,
                 target_score=100.0,
                 violations_found=total_violations,
-                violations_fixed=violations_fixed
-            )
+                violations_fixed=violations_fixed,
+            ),
         ]
-        
+
         # Business metrics
         business_metrics = self.create_business_metrics(
             total_savings=0.0,  # Security compliance doesn't directly save costs
             implementation_cost=0.0,  # No cost for S3 encryption
-            overall_risk=RiskLevel.LOW if total_violations == 0 else RiskLevel.MEDIUM
+            overall_risk=RiskLevel.LOW if total_violations == 0 else RiskLevel.MEDIUM,
         )
         business_metrics.operational_efficiency_gain = 90.0  # High automation value
         business_metrics.business_continuity_impact = "positive"  # Improves security posture
-        
+
         # Create comprehensive result
         result = SecurityEnforcementResult(
             scenario=BusinessScenario.SECURITY_ENFORCEMENT,
@@ -235,12 +236,11 @@ class SecurityEnforcer(CloudOpsBase):
                 "Implement bucket policy to require encryption for new objects",
                 "Set up CloudTrail logging for S3 encryption compliance monitoring",
                 "Consider AWS Config rules for continuous compliance validation",
-                "Review and update data classification policies"
+                "Review and update data classification policies",
             ],
             aws_profile_used=self.profile,
             regions_analyzed=target_regions,
             services_analyzed=["s3"],
-            
             # Security-specific metrics
             security_score_before=security_score_before,
             security_score_after=security_score_after,
@@ -250,171 +250,137 @@ class SecurityEnforcer(CloudOpsBase):
             medium_findings=0,
             low_findings=0,
             auto_remediated=violations_fixed,
-            manual_remediation_required=max(0, total_violations - violations_fixed)
+            manual_remediation_required=max(0, total_violations - violations_fixed),
         )
-        
+
         self.display_execution_summary(result)
         return result
-    
+
     async def _analyze_s3_encryption_in_region(
-        self, 
-        region: str, 
-        required_encryption: str
+        self, region: str, required_encryption: str
     ) -> Dict[str, List[Dict[str, str]]]:
         """
         Analyze S3 buckets in a specific region for encryption compliance.
-        
+
         Args:
             region: AWS region to analyze
             required_encryption: Required encryption type
-            
+
         Returns:
             Dictionary with encrypted and unencrypted bucket lists
         """
         encrypted_buckets = []
         unencrypted_buckets = []
-        
+
         try:
-            s3 = self.session.client('s3', region_name=region)
-            
+            s3 = self.session.client("s3", region_name=region)
+
             # List all buckets (S3 buckets are global, but we check from each region)
-            if region == 'us-east-1':  # Only check from one region to avoid duplicates
+            if region == "us-east-1":  # Only check from one region to avoid duplicates
                 response = s3.list_buckets()
-                
-                for bucket in response.get('Buckets', []):
-                    bucket_name = bucket['Name']
-                    
+
+                for bucket in response.get("Buckets", []):
+                    bucket_name = bucket["Name"]
+
                     try:
                         # Check bucket encryption
                         encryption_response = s3.get_bucket_encryption(Bucket=bucket_name)
-                        
+
                         # Bucket has encryption configured
-                        encrypted_buckets.append({
-                            'bucket_name': bucket_name,
-                            'region': region,
-                            'encryption_type': 'Configured'
-                        })
-                        
+                        encrypted_buckets.append(
+                            {"bucket_name": bucket_name, "region": region, "encryption_type": "Configured"}
+                        )
+
                     except ClientError as e:
-                        if e.response['Error']['Code'] == 'ServerSideEncryptionConfigurationNotFoundError':
+                        if e.response["Error"]["Code"] == "ServerSideEncryptionConfigurationNotFoundError":
                             # Bucket has no encryption
-                            unencrypted_buckets.append({
-                                'bucket_name': bucket_name,
-                                'region': region,
-                                'encryption_type': 'None'
-                            })
+                            unencrypted_buckets.append(
+                                {"bucket_name": bucket_name, "region": region, "encryption_type": "None"}
+                            )
                         else:
                             print_warning(f"Could not check encryption for bucket {bucket_name}: {str(e)}")
-                            
+
         except ClientError as e:
             print_warning(f"Could not analyze S3 buckets in {region}: {str(e)}")
-        
-        return {
-            'encrypted': encrypted_buckets,
-            'unencrypted': unencrypted_buckets
-        }
-    
-    async def _apply_s3_encryption(
-        self, 
-        unencrypted_buckets: List[Dict[str, str]], 
-        encryption_type: str
-    ) -> int:
+
+        return {"encrypted": encrypted_buckets, "unencrypted": unencrypted_buckets}
+
+    async def _apply_s3_encryption(self, unencrypted_buckets: List[Dict[str, str]], encryption_type: str) -> int:
         """
         Apply encryption to unencrypted S3 buckets.
-        
+
         Args:
             unencrypted_buckets: List of buckets requiring encryption
             encryption_type: Encryption type to apply
-            
+
         Returns:
             Number of buckets successfully encrypted
         """
         if self.dry_run:
             print_info("DRY RUN: Would apply S3 encryption")
             return 0
-        
+
         violations_fixed = 0
         print_warning("🚨 EXECUTING S3 encryption enforcement - this will modify bucket policies!")
-        
+
         for bucket_info in unencrypted_buckets:
-            bucket_name = bucket_info['bucket_name']
-            
+            bucket_name = bucket_info["bucket_name"]
+
             try:
-                s3 = self.session.client('s3', region_name='us-east-1')
-                
+                s3 = self.session.client("s3", region_name="us-east-1")
+
                 # Apply server-side encryption configuration
                 if encryption_type == "AES256":
-                    encryption_config = {
-                        'Rules': [
-                            {
-                                'ApplyServerSideEncryptionByDefault': {
-                                    'SSEAlgorithm': 'AES256'
-                                }
-                            }
-                        ]
-                    }
+                    encryption_config = {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}
                 else:  # aws:kms
-                    encryption_config = {
-                        'Rules': [
-                            {
-                                'ApplyServerSideEncryptionByDefault': {
-                                    'SSEAlgorithm': 'aws:kms'
-                                }
-                            }
-                        ]
-                    }
-                
-                s3.put_bucket_encryption(
-                    Bucket=bucket_name,
-                    ServerSideEncryptionConfiguration=encryption_config
-                )
-                
+                    encryption_config = {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}
+
+                s3.put_bucket_encryption(Bucket=bucket_name, ServerSideEncryptionConfiguration=encryption_config)
+
                 print_success(f"✅ Applied {encryption_type} encryption to bucket {bucket_name}")
                 violations_fixed += 1
-                
+
             except ClientError as e:
                 print_error(f"❌ Failed to encrypt bucket {bucket_name}: {str(e)}")
-        
+
         return violations_fixed
-    
+
     async def security_incident_response(
-        self,
-        incident_type: str = "compliance_violation",
-        severity: str = "high"
+        self, incident_type: str = "compliance_violation", severity: str = "high"
     ) -> SecurityEnforcementResult:
         """
         Business Scenario: Automated security incident response
-        
+
         Designed for: CISO escalations, compliance violations, security alerts
         Response time: <15 minutes for initial remediation
-        
+
         Args:
             incident_type: Type of security incident
             severity: Incident severity level
-            
+
         Returns:
             SecurityEnforcementResult with incident response analysis
         """
         operation_name = "Security Incident Response"
         print_header(f"🚨 {operation_name}")
-        
+
         print_warning(f"Security incident detected: {incident_type}")
         print_warning(f"Severity level: {severity}")
-        
+
         # This would integrate multiple security enforcement scenarios
         # for rapid security response in incident situations
-        
+
         response_actions = [
             "Immediate security assessment and vulnerability scanning",
             "Automated policy enforcement and compliance validation",
             "Security posture analysis and risk assessment",
-            "Incident documentation and audit trail generation"
+            "Incident documentation and audit trail generation",
         ]
-        
+
         print_info("Security incident response actions:")
         for action in response_actions:
             print_info(f"  • {action}")
-        
+
         return SecurityEnforcementResult(
             scenario=BusinessScenario.SECURITY_ENFORCEMENT,
             scenario_name="Security Incident Response",
@@ -427,12 +393,12 @@ class SecurityEnforcer(CloudOpsBase):
             resources_impacted=[],
             business_metrics=self.create_business_metrics(
                 total_savings=0.0,  # Security response doesn't directly save costs
-                overall_risk=RiskLevel.HIGH if severity == "critical" else RiskLevel.MEDIUM
+                overall_risk=RiskLevel.HIGH if severity == "critical" else RiskLevel.MEDIUM,
             ),
             recommendations=[
                 "Implement continuous security monitoring and alerting",
                 "Establish security incident response playbooks",
-                "Regular security posture assessments and compliance validation"
+                "Regular security posture assessments and compliance validation",
             ],
             aws_profile_used=self.profile,
             regions_analyzed=[],
@@ -445,5 +411,5 @@ class SecurityEnforcer(CloudOpsBase):
             medium_findings=1 if severity == "medium" else 0,
             low_findings=0,
             auto_remediated=1,
-            manual_remediation_required=0
-        )
+            manual_remediation_required=0,
+        )

runbooks/common/accuracy_validator.py

@@ -59,6 +59,17 @@ from ..common.rich_utils import (
     print_warning,
 )
 
+
+# Define common enums that are needed regardless of FinOps availability
+class ErrorCategory(Enum):
+    AWS_CREDENTIALS = "AWS_CREDENTIALS"
+    AWS_THROTTLING = "AWS_THROTTLING"
+    NETWORK = "NETWORK"
+    PERMISSION = "PERMISSION"
+    DATA_VALIDATION = "DATA_VALIDATION"
+    CONFIGURATION = "CONFIGURATION"
+
+
 # Import the proven FinOps accuracy patterns
 try:
     from ..finops.accuracy_cross_validator import (