sraverify 0.1.0__py3-none-any.whl

sraverify/__init__.py

@@ -0,0 +1,36 @@
+"""
+sraverify - Security Reference Architecture Verification Tool
+
+This package provides both a command-line interface and a Python library for verifying
+AWS Security Reference Architecture implementations.
+
+Example usage as a library:
+
+    from sraverify import SRAVerify
+
+    # Create an instance with optional AWS profile and regions
+    sra = SRAVerify(profile='my-profile', regions=['us-east-1', 'us-west-2'])
+
+    # Get available checks and services
+    checks = sra.get_available_checks()
+    services = sra.get_available_services()
+
+    # Run checks with various filters
+    findings = sra.run_checks(
+        account_type='application',  # or 'audit', 'log-archive', 'management', 'all'
+        service='GuardDuty',        # optional service filter
+        check_id='SRA-GD-1',       # optional specific check
+        audit_accounts=['123456789012'],  # optional audit account IDs
+        log_archive_accounts=['987654321098']  # optional log archive account IDs
+    )
+
+    # Process findings
+    for finding in findings:
+        print(f"{finding['CheckId']}: {finding['Status']} - {finding['Title']}")
+"""
+
+__version__ = "0.1.0"
+
+from sraverify.main import SRAVerify
+
+__all__ = ['SRAVerify']

sraverify/checks/__init__.py

@@ -0,0 +1,56 @@
+# sraverify/checks/__init__.py
+"""
+Base classes for security checks
+"""
+from typing import List, Optional
+import boto3
+from sraverify.lib.org_mgmt_checker import OrgMgmtChecker
+
+
+class SecurityCheck:
+    """Base class for all security checks"""
+    def __init__(self, check_type="account"):
+        self.check_type = check_type
+        self.check_id = None
+        self.title = None
+        self.description = None
+        self.rationale = None
+        self.remediation = None
+        self.impact = "Unknown"
+        self.findings = []
+        self._regions = None
+        self.org_checker = OrgMgmtChecker()
+
+    def initialize(self, regions: Optional[List[str]] = None):
+        """Initialize check with optional regions"""
+        if self.check_type == "account":
+            self._regions = regions if regions else self._get_enabled_regions()
+        # Organization checks don't use regions, so we don't set them
+
+    def _get_enabled_regions(self) -> List[str]:
+        """Get all enabled regions in the AWS account"""
+        try:
+            session = boto3.Session()
+            ec2_client = session.client('ec2', region_name='us-east-1')
+            response = ec2_client.describe_regions(AllRegions=False)
+            return [region['RegionName'] for region in response['Regions']]
+        except Exception as e:
+            raise Exception(f"Failed to get enabled regions: {str(e)}")
+
+    def validate_regions(self, regions: List[str]) -> bool:
+        """Validate if specified regions are valid and enabled"""
+        enabled_regions = set(self._get_enabled_regions())
+        return all(region in enabled_regions for region in regions)
+
+    @property
+    def regions(self) -> List[str]:
+        """Get regions for this check"""
+        return self._regions if self._regions else []
+
+    def run(self, session):
+        """Run the security check"""
+        raise NotImplementedError("Subclasses must implement run()")
+
+    def get_findings(self):
+        """Return findings from the check"""
+        return self.findings

sraverify/checks/accessanalyzer/SRA_IAA_1.py

@@ -0,0 +1,188 @@
+# sraverify/checks/accessanalyzer/SRA_IAA_1.py
+
+from typing import Dict, List, Any, Optional
+from botocore.exceptions import ClientError
+import boto3
+from sraverify.lib.check_loader import SecurityCheck
+
+class SRAIAA1(SecurityCheck):
+    """SRA-IAA-1: IAM Access Analyzer External Access"""
+    
+    def __init__(self, check_type="account"):
+        """Initialize the check with account type"""
+        super().__init__(check_type=check_type)
+        self.check_type = check_type  
+        self.check_id = "SRA-IAA-1"
+        self.check_type = "account"
+        self.check_name = "IAM Access Analyzer External Access"
+        self.severity = 'HIGH'
+        self.description = ('This check verifies whether IAA external access analyzer is configured with a zone of trust '
+                          'of AWS account. IAM Access Analyzer generates a finding for each instance of a resource-based '
+                          'policy that grants access to a resource within your zone of trust to a principal that is not '
+                          'within your zone of trust.')
+        self.check_logic = ('1. Check for active analyzer within account with account zone of trust | '
+                          '2. Verify archive rules configuration for findings management | '
+                          '3. Verify analyzer status and configuration | '
+                          '4. Check passes if account-level analyzer is active with proper configuration')
+        self.service = 'IAM'
+        self.findings = []
+        self._regions = None
+
+    def initialize(self, regions: Optional[List[str]] = None):
+        """Initialize check with optional regions"""
+        self._regions = regions
+
+    def get_findings(self):
+        """Return the findings"""
+        return self.findings
+
+    def _create_finding(self, status: str, region: str, account_id: str, 
+                       resource_id: str, actual_value: str, 
+                       remediation: str) -> Dict[str, Any]:
+        """Create a standardized finding"""
+        return {
+            'CheckId': self.check_id,
+            'Status': status,
+            'Region': region,
+            "Severity": self.severity,
+            'Title': f"{self.check_id} {self.check_name}",
+            'Description': self.description,
+            'ResourceId': resource_id,
+            'ResourceType': 'AWS::AccessAnalyzer::Analyzer',
+            'AccountId': account_id,
+            'CheckedValue': 'Access Analyzer Configuration',
+            'ActualValue': actual_value,
+            'Remediation': remediation,
+            'Service': self.service,
+            'CheckLogic': self.check_logic,
+            'CheckType': self.check_type
+        }
+
+    def _check_region(self, session: boto3.Session, region: str) -> Optional[Dict[str, Any]]:
+        """Check Access Analyzer configuration in a specific region"""
+        try:
+            account_id = session.client('sts').get_caller_identity()['Account']
+            analyzer_client = session.client('accessanalyzer', region_name=region)
+
+            # Step 1: Check for account-level analyzer
+            try:
+                analyzers = analyzer_client.list_analyzers()['analyzers']
+                account_analyzer = None
+
+                for analyzer in analyzers:
+                    if (analyzer['status'] == 'ACTIVE' and 
+                        analyzer['type'] == 'ACCOUNT'):
+                        account_analyzer = analyzer
+                        break
+
+                if not account_analyzer:
+                    return self._create_finding(
+                        status='FAIL',
+                        region=region,
+                        account_id=account_id,
+                        resource_id=account_id,
+                        actual_value='No active account-level analyzer found',
+                        remediation='Create an account-level IAM Access Analyzer'
+                    )
+
+                # Step 2: Check archive rules configuration
+                try:
+                    archive_rules = analyzer_client.list_archive_rules(
+                        analyzerName=account_analyzer['name']
+                    )['archiveRules']
+
+                    # Step 3: Verify analyzer configuration
+                    try:
+                        analyzer_details = analyzer_client.get_analyzer(
+                            analyzerName=account_analyzer['name']
+                        )
+
+                        # Step 4: All checks passed
+                        return self._create_finding(
+                            status='PASS',
+                            region=region,
+                            account_id=account_id,
+                            resource_id=account_analyzer['arn'],
+                            actual_value=(f"Active account analyzer: {account_analyzer['name']}, "
+                                        f"Archive Rules: {len(archive_rules)}"),
+                            remediation='None required'
+                        )
+
+                    except ClientError as e:
+                        return self._create_finding(
+                            status='ERROR',
+                            region=region,
+                            account_id=account_id,
+                            resource_id=account_analyzer['arn'],
+                            actual_value=f'Error checking analyzer configuration: {str(e)}',
+                            remediation='Verify IAM Access Analyzer permissions'
+                        )
+
+                except ClientError as e:
+                    return self._create_finding(
+                        status='ERROR',
+                        region=region,
+                        account_id=account_id,
+                        resource_id=account_analyzer['arn'],
+                        actual_value=f'Error checking archive rules: {str(e)}',
+                        remediation='Verify IAM Access Analyzer permissions'
+                    )
+
+            except ClientError as e:
+                return self._create_finding(
+                    status='ERROR',
+                    region=region,
+                    account_id=account_id,
+                    resource_id=account_id,
+                    actual_value=f'Error accessing Access Analyzer: {str(e)}',
+                    remediation='Verify IAM Access Analyzer permissions'
+                )
+
+        except Exception as e:
+            return self._create_finding(
+                status='ERROR',
+                region=region,
+                account_id='Unknown',
+                resource_id='Unknown',
+                actual_value=f'Error: {str(e)}',
+                remediation='Check logs for more details'
+            )
+
+    def run(self, session: boto3.Session):
+        """Run the security check"""
+        try:
+            # Get regions to check
+            regions_to_check = self._regions if self._regions else [session.region_name]
+            
+            # Check each region
+            for region in regions_to_check:
+                try:
+                    finding = self._check_region(session, region)
+                    if finding:
+                        self.findings.append(finding)
+                except Exception as e:
+                    self.findings.append(
+                        self._create_finding(
+                            status='ERROR',
+                            region=region,
+                            account_id='Unknown',
+                            resource_id='Unknown',
+                            actual_value=f'Region check failed: {str(e)}',
+                            remediation='Check regional access and permissions'
+                        )
+                    )
+
+        except Exception as e:
+            # Handle any unexpected errors during check execution
+            self.findings.append(
+                self._create_finding(
+                    status='ERROR',
+                    region='Unknown',
+                    account_id='Unknown',
+                    resource_id='Unknown',
+                    actual_value=f'Check execution failed: {str(e)}',
+                    remediation='Check logs for more details'
+                )
+            )
+
+        return self.findings

sraverify/checks/accessanalyzer/SRA_IAA_2.py

@@ -0,0 +1,162 @@
+from typing import Dict, List, Any
+from sraverify.checks import SecurityCheck
+from botocore.exceptions import ClientError
+
+class SRAIAA2(SecurityCheck):
+    """SRA-IAA-2: IAM Access Analyzer Delegated Administration"""
+    
+    def __init__(self, check_type="organization"):
+        # Ensure parent class is initialized first
+        super().__init__(check_type=check_type)
+        self.check_id = "SRA-IAA-2"
+        self.check_name = "IAM Access Analyzer Delegated Administration"
+        self.severity = "HIGH"
+        self.description = ('This check verifies whether IAA service administration for your AWS Organization is '
+                          'delegated out of your AWS Organization management account. The delegated administrator '
+                          'has permissions to create and manage analyzers with the AWS organization as the zone of trust.')
+        self.check_logic = ('1. Verify execution from Organization Management account | '
+                          '2. Check for delegated administrator for IAA service | '
+                          '3. Confirm that delegated administrator is not management account | '
+                          '4. Check passes if IAA delegated administrator is not in management account')
+        self.service = 'IAM'
+
+    def run(self, session):
+        """Run the security check"""
+        try:
+            region = session.region_name
+            account_id = session.client('sts').get_caller_identity()['Account']
+
+            # Step 1: Verify we're in management account using org_mgmt_checker
+            is_management, error_message = self.org_checker.verify_org_management()
+            if not is_management:
+                finding = {
+                    'CheckId': self.check_id,
+                    'Status': 'ERROR',
+                    'Region': region,
+                    "Severity": self.severity,
+                    'Title': f"{self.check_id} {self.check_name}",
+                    'Description': self.description,
+                    'ResourceId': account_id,
+                    'ResourceType': 'AWS::Organizations::Account',
+                    'AccountId': account_id,
+                    'CheckedValue': 'Management Account Access',
+                    'ActualValue': error_message if error_message else 'Not running from management account',
+                    'Remediation': 'Run this check from the Organization Management Account',
+                    'Service': self.service,
+                    'CheckLogic': self.check_logic,
+                    'CheckType': self.check_type
+                }
+                self.findings.append(finding)
+                return self.findings
+
+            # Step 2: Check for delegated administrator
+            try:
+                org_client = session.client('organizations')
+                delegated_admins = org_client.list_delegated_administrators(
+                    ServicePrincipal='access-analyzer.amazonaws.com'
+                ).get('DelegatedAdministrators', [])
+
+                if not delegated_admins:
+                    finding = {
+                        'CheckId': self.check_id,
+                        'Status': 'FAIL',
+                        'Region': region,
+                        "Severity": self.severity,
+                        'Title': f"{self.check_id} {self.check_name}",
+                        'Description': self.description,
+                        'ResourceId': account_id,
+                        'ResourceType': 'AWS::Organizations::Account',
+                        'AccountId': account_id,
+                        'CheckedValue': 'IAA Delegated Administrator',
+                        'ActualValue': 'No delegated administrator configured',
+                        'Remediation': 'Configure a member account as IAA delegated administrator',
+                        'Service': self.service,
+                        'CheckLogic': self.check_logic,
+                        'CheckType': self.check_type
+                    }
+                    self.findings.append(finding)
+                    return self.findings
+
+                # Step 3: Confirm delegated administrator is not management account
+                delegated_admin = delegated_admins[0]
+                if delegated_admin['Id'] == account_id:
+                    finding = {
+                        'CheckId': self.check_id,
+                        'Status': 'FAIL',
+                        'Region': region,
+                        "Severity": self.severity,
+                        'Title': f"{self.check_id} {self.check_name}",
+                        'Description': self.description,
+                        'ResourceId': account_id,
+                        'ResourceType': 'AWS::Organizations::Account',
+                        'AccountId': account_id,
+                        'CheckedValue': 'IAA Delegated Administrator Configuration',
+                        'ActualValue': f'Delegated administrator is management account: {account_id}',
+                        'Remediation': 'Configure a member account (not management account) as IAA delegated administrator',
+                        'Service': self.service,
+                        'CheckLogic': self.check_logic,
+                        'CheckType': self.check_type
+                    }
+                    self.findings.append(finding)
+                else:
+                    # Step 4: Check passes if delegated administrator is not management account
+                    finding = {
+                        'CheckId': self.check_id,
+                        'Status': 'PASS',
+                        'Region': region,
+                        "Severity": self.severity,
+                        'Title': f"{self.check_id} {self.check_name}",
+                        'Description': self.description,
+                        'ResourceId': delegated_admin['Id'],
+                        'ResourceType': 'AWS::Organizations::Account',
+                        'AccountId': account_id,
+                        'CheckedValue': 'IAA Delegated Administrator Configuration',
+                        'ActualValue': f'Delegated administrator account: {delegated_admin["Id"]}',
+                        'Remediation': 'None required',
+                        'Service': self.service,
+                        'CheckLogic': self.check_logic,
+                        'CheckType': self.check_type
+                    }
+                    self.findings.append(finding)
+
+            except ClientError as e:
+                finding = {
+                    'CheckId': self.check_id,
+                    'Status': 'ERROR',
+                    'Region': region,
+                    "Severity": self.severity,
+                    'Title': f"{self.check_id} {self.check_name}",
+                    'Description': self.description,
+                    'ResourceId': account_id,
+                    'ResourceType': 'AWS::Organizations::Account',
+                    'AccountId': account_id,
+                    'CheckedValue': 'Delegated Administrator Access',
+                    'ActualValue': f'Error checking delegated administrator: {str(e)}',
+                    'Remediation': 'Verify Organizations permissions',
+                    'Service': self.service,
+                    'CheckLogic': self.check_logic,
+                    'CheckType': self.check_type
+                }
+                self.findings.append(finding)
+
+        except Exception as e:
+            finding = {
+                'CheckId': self.check_id,
+                'Status': 'ERROR',
+                'Region': region,
+                "Severity": self.severity,
+                'Title': f"{self.check_id} {self.check_name}",
+                'Description': self.description,
+                'ResourceId': account_id,
+                'ResourceType': 'AWS::Organizations::Account',
+                'AccountId': account_id,
+                'CheckedValue': 'Check Execution',
+                'ActualValue': f'Error: {str(e)}',
+                'Remediation': 'Check logs for more details',
+                'Service': self.service,
+                'CheckLogic': self.check_logic,
+                'CheckType': self.check_type
+            }
+            self.findings.append(finding)
+
+        return self.findings