sraverify 0.1.0__py3-none-any.whl → 0.1.2__py3-none-any.whl

sraverify/core/logging.py

@@ -8,7 +8,7 @@ import sys
 logger = logging.getLogger("sraverify")
 
 # Create handlers
-console_handler = logging.StreamHandler(sys.stdout)
+console_handler = logging.StreamHandler(sys.stderr)
 
 # Create formatters
 default_format = "%(asctime)s - %(name)s - %(levelname)s - %(message)s"

sraverify/main.py

@@ -32,6 +32,7 @@ from sraverify.services.auditmanager import CHECKS as auditmanager_checks
 from sraverify.services.firewallmanager import CHECKS as firewallmanager_checks
 from sraverify.services.securitylake import CHECKS as securitylake_checks
 from sraverify.services.securityincidentresponse import CHECKS as securityincidentresponse_checks
+from sraverify.services.organizations import CHECKS as organizations_checks
 
 # Collect all checks from different services
 ALL_CHECKS = {
@@ -50,10 +51,8 @@ ALL_CHECKS = {
     **auditmanager_checks,
     **firewallmanager_checks,
     **securitylake_checks,
-    **securityincidentresponse_checks
-    # Add more service checks here as they're implemented
-    # **config_checks,
-    # etc.
+    **securityincidentresponse_checks,
+    **organizations_checks
 }
 
 class SRAVerify:

sraverify/services/organizations/__init__.py

@@ -0,0 +1,25 @@
+"""
+AWS Organizations security checks.
+"""
+from sraverify.services.organizations.checks.sra_organizations_01 import SRA_ORGANIZATIONS_01
+from sraverify.services.organizations.checks.sra_organizations_02 import SRA_ORGANIZATIONS_02
+from sraverify.services.organizations.checks.sra_organizations_03 import SRA_ORGANIZATIONS_03
+from sraverify.services.organizations.checks.sra_organizations_04 import SRA_ORGANIZATIONS_04
+from sraverify.services.organizations.checks.sra_organizations_05 import SRA_ORGANIZATIONS_05
+from sraverify.services.organizations.checks.sra_organizations_06 import SRA_ORGANIZATIONS_06
+from sraverify.services.organizations.checks.sra_organizations_07 import SRA_ORGANIZATIONS_07
+from sraverify.services.organizations.checks.sra_organizations_08 import SRA_ORGANIZATIONS_08
+from sraverify.services.organizations.checks.sra_organizations_09 import SRA_ORGANIZATIONS_09
+
+# Map check IDs to check classes for easy lookup
+CHECKS = {
+    "SRA-ORGANIZATIONS-01": SRA_ORGANIZATIONS_01,
+    "SRA-ORGANIZATIONS-02": SRA_ORGANIZATIONS_02,
+    "SRA-ORGANIZATIONS-03": SRA_ORGANIZATIONS_03,
+    "SRA-ORGANIZATIONS-04": SRA_ORGANIZATIONS_04,
+    "SRA-ORGANIZATIONS-05": SRA_ORGANIZATIONS_05,
+    "SRA-ORGANIZATIONS-06": SRA_ORGANIZATIONS_06,
+    "SRA-ORGANIZATIONS-07": SRA_ORGANIZATIONS_07,
+    "SRA-ORGANIZATIONS-08": SRA_ORGANIZATIONS_08,
+    "SRA-ORGANIZATIONS-09": SRA_ORGANIZATIONS_09,
+}

sraverify/services/organizations/base.py

@@ -0,0 +1,176 @@
+"""
+Base class for AWS Organizations security checks.
+"""
+from typing import List, Optional, Dict, Any
+from sraverify.core.check import SecurityCheck
+from sraverify.services.organizations.client import OrganizationsClient
+from sraverify.core.logging import logger
+
+
+class OrganizationsCheck(SecurityCheck):
+    """Base class for all AWS Organizations security checks."""
+    
+    # Class-level caches shared across all instances
+    _organization_cache = {}
+    _roots_cache = {}
+    _ous_cache = {}
+    _policies_cache = {}
+    _accounts_cache = {}
+    
+    def __init__(self, resource_type: str = "AWS::Organizations::Organization"):
+        """
+        Initialize Organizations base check.
+        
+        Args:
+            resource_type: AWS resource type for findings (default: Organization)
+        """
+        super().__init__(
+            account_type="management",
+            service="Organizations",
+            resource_type=resource_type
+        )
+        self._org_client = None
+    
+    def _setup_clients(self):
+        """Set up Organizations client (global service, no per-region clients needed)."""
+        # Organizations is a global service, we only need one client
+        self._org_client = OrganizationsClient(session=self.session)
+        # Clear existing regional clients dict since Organizations doesn't use them
+        self._clients.clear()
+
+    def get_org_client(self) -> OrganizationsClient:
+        """
+        Get the Organizations client.
+        
+        Returns:
+            OrganizationsClient instance
+        """
+        return self._org_client
+    
+    def get_organization(self) -> Dict[str, Any]:
+        """
+        Get organization details with caching.
+        
+        Returns:
+            Dictionary containing organization details or Error key if failed.
+        """
+        # Check class-level cache
+        cache_key = f"{self.account_id}:organization"
+        if cache_key in OrganizationsCheck._organization_cache:
+            logger.debug("Organizations: Using cached organization details")
+            return OrganizationsCheck._organization_cache[cache_key]
+        
+        # Get organization details
+        logger.debug("Organizations: Fetching organization details")
+        response = self._org_client.describe_organization()
+        
+        # Cache the response
+        OrganizationsCheck._organization_cache[cache_key] = response
+        logger.debug("Organizations: Cached organization details")
+        
+        return response
+    
+    def get_roots(self) -> Dict[str, Any]:
+        """
+        Get organization roots with caching.
+        
+        Returns:
+            Dictionary with Roots key containing list of roots,
+            or Error key if failed.
+        """
+        # Check class-level cache
+        cache_key = f"{self.account_id}:roots"
+        if cache_key in OrganizationsCheck._roots_cache:
+            logger.debug("Organizations: Using cached roots")
+            return OrganizationsCheck._roots_cache[cache_key]
+        
+        # Get roots
+        logger.debug("Organizations: Fetching organization roots")
+        response = self._org_client.list_roots()
+        
+        # Cache the response
+        OrganizationsCheck._roots_cache[cache_key] = response
+        logger.debug("Organizations: Cached roots")
+        
+        return response
+    
+    def get_ous_for_parent(self, parent_id: str) -> Dict[str, Any]:
+        """
+        Get organizational units for a parent with caching.
+        
+        Args:
+            parent_id: The ID of the parent root or OU
+            
+        Returns:
+            Dictionary with OrganizationalUnits key containing list of OUs,
+            or Error key if failed.
+        """
+        # Check class-level cache
+        cache_key = f"{self.account_id}:{parent_id}:ous"
+        if cache_key in OrganizationsCheck._ous_cache:
+            logger.debug(f"Organizations: Using cached OUs for parent {parent_id}")
+            return OrganizationsCheck._ous_cache[cache_key]
+        
+        # Get OUs
+        logger.debug(f"Organizations: Fetching OUs for parent {parent_id}")
+        response = self._org_client.list_organizational_units_for_parent(parent_id)
+        
+        # Cache the response
+        OrganizationsCheck._ous_cache[cache_key] = response
+        logger.debug(f"Organizations: Cached OUs for parent {parent_id}")
+        
+        return response
+    
+    def list_policies(self, policy_type: str = "SERVICE_CONTROL_POLICY") -> Dict[str, Any]:
+        """
+        List policies by type with caching.
+        
+        Args:
+            policy_type: Type of policy to list (default: SERVICE_CONTROL_POLICY)
+            
+        Returns:
+            Dictionary with Policies key containing list of policies,
+            or Error key if failed.
+        """
+        # Check class-level cache
+        cache_key = f"{self.account_id}:{policy_type}:policies"
+        if cache_key in OrganizationsCheck._policies_cache:
+            logger.debug(f"Organizations: Using cached policies of type {policy_type}")
+            return OrganizationsCheck._policies_cache[cache_key]
+        
+        # Get policies
+        logger.debug(f"Organizations: Fetching policies of type {policy_type}")
+        response = self._org_client.list_policies(policy_type)
+        
+        # Cache the response
+        OrganizationsCheck._policies_cache[cache_key] = response
+        logger.debug(f"Organizations: Cached policies of type {policy_type}")
+        
+        return response
+
+    def get_accounts_for_parent(self, parent_id: str) -> Dict[str, Any]:
+        """
+        Get accounts for a parent (root or OU) with caching.
+        
+        Args:
+            parent_id: The ID of the parent root or OU
+            
+        Returns:
+            Dictionary with Accounts key containing list of accounts,
+            or Error key if failed.
+        """
+        # Check class-level cache
+        cache_key = f"{self.account_id}:{parent_id}:accounts"
+        if cache_key in OrganizationsCheck._accounts_cache:
+            logger.debug(f"Organizations: Using cached accounts for parent {parent_id}")
+            return OrganizationsCheck._accounts_cache[cache_key]
+        
+        # Get accounts
+        logger.debug(f"Organizations: Fetching accounts for parent {parent_id}")
+        response = self._org_client.list_accounts_for_parent(parent_id)
+        
+        # Cache the response
+        OrganizationsCheck._accounts_cache[cache_key] = response
+        logger.debug(f"Organizations: Cached accounts for parent {parent_id}")
+        
+        return response

sraverify/services/organizations/checks/__init__.py

@@ -0,0 +1,3 @@
+"""
+AWS Organizations security check implementations.
+"""

sraverify/services/organizations/checks/sra_organizations_01.py

@@ -0,0 +1,84 @@
+"""
+Check if AWS Organizations is enabled.
+"""
+from typing import Dict, List, Any
+from sraverify.services.organizations.base import OrganizationsCheck
+
+
+class SRA_ORGANIZATIONS_01(OrganizationsCheck):
+    """Check if AWS Organizations is enabled."""
+
+    def __init__(self):
+        """Initialize Organizations enabled check."""
+        super().__init__(resource_type="AWS::Organizations::Organization")
+        self.check_id = "SRA-ORGANIZATIONS-01"
+        self.check_name = "AWS Organizations is enabled"
+        self.description = (
+            "This check verifies that AWS Organizations is enabled for the account. "
+            "AWS Organizations enables central management and governance of multiple AWS accounts, "
+            "providing consolidated billing, account management, and policy-based controls."
+        )
+        self.severity = "HIGH"
+        self.check_logic = (
+            "Call DescribeOrganization API to confirm an organization exists. "
+            "Check passes if an organization is found, fails if no organization exists."
+        )
+
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        # Organizations is a global service, use "global" as region
+        region = "global"
+        
+        # Get organization details
+        response = self.get_organization()
+        
+        # Check for errors
+        if "Error" in response:
+            error_code = response["Error"].get("Code", "")
+            error_message = response["Error"].get("Message", "Unknown error")
+            
+            # AWSOrganizationsNotInUseException means no organization exists
+            if error_code == "AWSOrganizationsNotInUseException":
+                self.findings.append(self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id=None,
+                    actual_value="No organization exists",
+                    remediation=(
+                        "Create an AWS Organization by navigating to AWS Organizations in the console "
+                        "and clicking 'Create organization', or use the AWS CLI command: "
+                        "aws organizations create-organization"
+                    ),
+                    checked_value="AWS Organizations enabled"
+                ))
+            else:
+                # Other errors (permissions, service errors)
+                self.findings.append(self.create_finding(
+                    status="ERROR",
+                    region=region,
+                    resource_id=None,
+                    actual_value=f"Error: {error_message}",
+                    remediation="Check IAM permissions for Organizations API access",
+                    checked_value="AWS Organizations enabled"
+                ))
+            return self.findings
+        
+        # Organization exists - extract details
+        organization = response.get("Organization", {})
+        org_id = organization.get("Id", "Unknown")
+        
+        self.findings.append(self.create_finding(
+            status="PASS",
+            region=region,
+            resource_id=org_id,
+            actual_value=f"Organization exists: {org_id}",
+            remediation="No remediation needed",
+            checked_value="AWS Organizations enabled"
+        ))
+        
+        return self.findings

sraverify/services/organizations/checks/sra_organizations_02.py

@@ -0,0 +1,123 @@
+"""
+Check if organization has foundational OU - Security.
+"""
+from typing import Dict, List, Any
+from sraverify.services.organizations.base import OrganizationsCheck
+
+
+class SRA_ORGANIZATIONS_02(OrganizationsCheck):
+    """Check if organization has foundational OU - Security."""
+
+    def __init__(self):
+        """Initialize Security OU check."""
+        super().__init__(resource_type="AWS::Organizations::OrganizationalUnit")
+        self.check_id = "SRA-ORGANIZATIONS-02"
+        self.check_name = "Organization has foundational OU - Security"
+        self.description = (
+            "This check verifies that the organization has a Security organizational unit (OU) "
+            "directly under the root. The Security OU is a foundational OU recommended by AWS SRA "
+            "for isolating security-related accounts such as the Security Tooling and Log Archive accounts."
+        )
+        self.severity = "MEDIUM"
+        self.check_logic = (
+            "Retrieve the organization root using ListRoots API, then list all OUs under the root "
+            "using ListOrganizationalUnitsForParent API. Check passes if an OU named 'Security' "
+            "exists directly under the root."
+        )
+
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        # Organizations is a global service, use "global" as region
+        region = "global"
+        
+        # Get organization roots
+        roots_response = self.get_roots()
+        
+        # Check for errors getting roots
+        if "Error" in roots_response:
+            error_message = roots_response["Error"].get("Message", "Unknown error")
+            self.findings.append(self.create_finding(
+                status="ERROR",
+                region=region,
+                resource_id=None,
+                actual_value=f"Error: {error_message}",
+                remediation="Check IAM permissions for Organizations API access",
+                checked_value="Security OU exists under root"
+            ))
+            return self.findings
+        
+        roots = roots_response.get("Roots", [])
+        if not roots:
+            self.findings.append(self.create_finding(
+                status="ERROR",
+                region=region,
+                resource_id=None,
+                actual_value="No organization root found",
+                remediation="Ensure AWS Organizations is enabled and properly configured",
+                checked_value="Security OU exists under root"
+            ))
+            return self.findings
+        
+        # Get the first root (organizations have only one root)
+        root = roots[0]
+        root_id = root.get("Id", "")
+        
+        # Get OUs under the root
+        ous_response = self.get_ous_for_parent(root_id)
+        
+        # Check for errors getting OUs
+        if "Error" in ous_response:
+            error_message = ous_response["Error"].get("Message", "Unknown error")
+            self.findings.append(self.create_finding(
+                status="ERROR",
+                region=region,
+                resource_id=root_id,
+                actual_value=f"Error: {error_message}",
+                remediation="Check IAM permissions for Organizations API access",
+                checked_value="Security OU exists under root"
+            ))
+            return self.findings
+        
+        ous = ous_response.get("OrganizationalUnits", [])
+        
+        # Look for Security OU
+        security_ou = None
+        for ou in ous:
+            if ou.get("Name") == "Security":
+                security_ou = ou
+                break
+        
+        if security_ou:
+            ou_id = security_ou.get("Id", "Unknown")
+            self.findings.append(self.create_finding(
+                status="PASS",
+                region=region,
+                resource_id=ou_id,
+                actual_value=f"Security OU exists: {ou_id}",
+                remediation="No remediation needed",
+                checked_value="Security OU exists under root"
+            ))
+        else:
+            # List existing OUs for context
+            existing_ous = [ou.get("Name", "Unknown") for ou in ous]
+            existing_ous_str = ", ".join(existing_ous) if existing_ous else "None"
+            self.findings.append(self.create_finding(
+                status="FAIL",
+                region=region,
+                resource_id=root_id,
+                actual_value=f"Security OU not found. Existing OUs under root: {existing_ous_str}",
+                remediation=(
+                    "Create a Security organizational unit under the organization root. "
+                    "Navigate to AWS Organizations in the console, select the root, and create "
+                    "a new OU named 'Security'. Alternatively, use the AWS CLI: "
+                    f"aws organizations create-organizational-unit --parent-id {root_id} --name Security"
+                ),
+                checked_value="Security OU exists under root"
+            ))
+        
+        return self.findings

sraverify/services/organizations/checks/sra_organizations_03.py

@@ -0,0 +1,123 @@
+"""
+Check if organization has foundational OU - Infrastructure.
+"""
+from typing import Dict, List, Any
+from sraverify.services.organizations.base import OrganizationsCheck
+
+
+class SRA_ORGANIZATIONS_03(OrganizationsCheck):
+    """Check if organization has foundational OU - Infrastructure."""
+
+    def __init__(self):
+        """Initialize Infrastructure OU check."""
+        super().__init__(resource_type="AWS::Organizations::OrganizationalUnit")
+        self.check_id = "SRA-ORGANIZATIONS-03"
+        self.check_name = "Organization has foundational OU - Infrastructure"
+        self.description = (
+            "This check verifies that the organization has an Infrastructure organizational unit (OU) "
+            "directly under the root. The Infrastructure OU is a foundational OU recommended by AWS SRA "
+            "for organizing infrastructure-related accounts such as shared services and networking accounts."
+        )
+        self.severity = "MEDIUM"
+        self.check_logic = (
+            "Retrieve the organization root using ListRoots API, then list all OUs under the root "
+            "using ListOrganizationalUnitsForParent API. Check passes if an OU named 'Infrastructure' "
+            "exists directly under the root."
+        )
+
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+
+        Returns:
+            List of findings
+        """
+        # Organizations is a global service, use "global" as region
+        region = "global"
+
+        # Get organization roots
+        roots_response = self.get_roots()
+
+        # Check for errors getting roots
+        if "Error" in roots_response:
+            error_message = roots_response["Error"].get("Message", "Unknown error")
+            self.findings.append(self.create_finding(
+                status="ERROR",
+                region=region,
+                resource_id=None,
+                actual_value=f"Error: {error_message}",
+                remediation="Check IAM permissions for Organizations API access",
+                checked_value="Infrastructure OU exists under root"
+            ))
+            return self.findings
+
+        roots = roots_response.get("Roots", [])
+        if not roots:
+            self.findings.append(self.create_finding(
+                status="ERROR",
+                region=region,
+                resource_id=None,
+                actual_value="No organization root found",
+                remediation="Ensure AWS Organizations is enabled and properly configured",
+                checked_value="Infrastructure OU exists under root"
+            ))
+            return self.findings
+
+        # Get the first root (organizations have only one root)
+        root = roots[0]
+        root_id = root.get("Id", "")
+
+        # Get OUs under the root
+        ous_response = self.get_ous_for_parent(root_id)
+
+        # Check for errors getting OUs
+        if "Error" in ous_response:
+            error_message = ous_response["Error"].get("Message", "Unknown error")
+            self.findings.append(self.create_finding(
+                status="ERROR",
+                region=region,
+                resource_id=root_id,
+                actual_value=f"Error: {error_message}",
+                remediation="Check IAM permissions for Organizations API access",
+                checked_value="Infrastructure OU exists under root"
+            ))
+            return self.findings
+
+        ous = ous_response.get("OrganizationalUnits", [])
+
+        # Look for Infrastructure OU
+        infrastructure_ou = None
+        for ou in ous:
+            if ou.get("Name") == "Infrastructure":
+                infrastructure_ou = ou
+                break
+
+        if infrastructure_ou:
+            ou_id = infrastructure_ou.get("Id", "Unknown")
+            self.findings.append(self.create_finding(
+                status="PASS",
+                region=region,
+                resource_id=ou_id,
+                actual_value=f"Infrastructure OU exists: {ou_id}",
+                remediation="No remediation needed",
+                checked_value="Infrastructure OU exists under root"
+            ))
+        else:
+            # List existing OUs for context
+            existing_ous = [ou.get("Name", "Unknown") for ou in ous]
+            existing_ous_str = ", ".join(existing_ous) if existing_ous else "None"
+            self.findings.append(self.create_finding(
+                status="FAIL",
+                region=region,
+                resource_id=root_id,
+                actual_value=f"Infrastructure OU not found. Existing OUs under root: {existing_ous_str}",
+                remediation=(
+                    "Create an Infrastructure organizational unit under the organization root. "
+                    "Navigate to AWS Organizations in the console, select the root, and create "
+                    "a new OU named 'Infrastructure'. Alternatively, use the AWS CLI: "
+                    f"aws organizations create-organizational-unit --parent-id {root_id} --name Infrastructure"
+                ),
+                checked_value="Infrastructure OU exists under root"
+            ))
+
+        return self.findings