sraverify 0.1.0__py3-none-any.whl

sraverify/services/account/client.py

@@ -0,0 +1,51 @@
+"""
+Account client for interacting with AWS Account Management service.
+"""
+from typing import Dict, Optional, Any
+import boto3
+from botocore.exceptions import ClientError
+from sraverify.core.logging import logger
+
+
+class AccountClient:
+    """Client for interacting with AWS Account Management service."""
+    
+    def __init__(self, region: str, session: Optional[boto3.Session] = None):
+        """
+        Initialize Account client for a specific region.
+        
+        Args:
+            region: AWS region name
+            session: AWS session to use (if None, a new session will be created)
+        """
+        self.region = region
+        self.session = session or boto3.Session()
+        self.client = self.session.client('account', region_name=region)
+    
+    def get_alternate_contact(self, contact_type: str, account_id: Optional[str] = None) -> Dict[str, Any]:
+        """
+        Get alternate contact information for the specified type.
+        
+        Args:
+            contact_type: Type of contact (BILLING, OPERATIONS, or SECURITY)
+            account_id: Optional account ID (defaults to current account)
+            
+        Returns:
+            Dictionary containing contact details or error information
+        """
+        try:
+            params = {"AlternateContactType": contact_type}
+            if account_id:
+                params["AccountId"] = account_id
+                
+            return self.client.get_alternate_contact(**params)
+        except ClientError as e:
+            error_code = e.response.get('Error', {}).get('Code', '')
+            error_message = str(e)
+            logger.debug(f"Error getting {contact_type} alternate contact in {self.region}: {error_message}")
+            return {
+                "Error": {
+                    "Code": error_code,
+                    "Message": error_message
+                }
+            }

sraverify/services/auditmanager/__init__.py

@@ -0,0 +1,10 @@
+"""
+Audit Manager security checks.
+"""
+from sraverify.services.auditmanager.checks.sra_auditmanager_01 import SRA_AUDITMANAGER_01
+from sraverify.services.auditmanager.checks.sra_auditmanager_02 import SRA_AUDITMANAGER_02
+
+CHECKS = {
+    "SRA-AUDITMANAGER-01": SRA_AUDITMANAGER_01,
+    "SRA-AUDITMANAGER-02": SRA_AUDITMANAGER_02,
+}

sraverify/services/auditmanager/base.py

@@ -0,0 +1,72 @@
+"""
+Base class for Audit Manager security checks.
+"""
+from typing import Dict, Any
+from sraverify.core.check import SecurityCheck
+from sraverify.services.auditmanager.client import AuditManagerClient
+
+
+class AuditManagerCheck(SecurityCheck):
+    """Base class for all Audit Manager security checks."""
+    
+    # Class-level cache shared across all instances
+    _account_status_cache = {}
+    
+    def __init__(self):
+        """Initialize Audit Manager base check."""
+        super().__init__(
+            account_type="application",
+            service="AuditManager",
+            resource_type="AWS::AuditManager::Account"
+        )
+    
+    def _setup_clients(self):
+        """Set up Audit Manager clients for each region."""
+        self._clients.clear()
+        if hasattr(self, 'regions') and self.regions:
+            for region in self.regions:
+                self._clients[region] = AuditManagerClient(region, session=self.session)
+    
+    def get_account_status(self, region: str) -> Dict[str, Any]:
+        """
+        Get account status for a specific region with caching.
+        
+        Args:
+            region: AWS region name
+            
+        Returns:
+            Account status response or error information
+        """
+        cache_key = f"{self.account_id}:{region}"
+        if cache_key in AuditManagerCheck._account_status_cache:
+            return AuditManagerCheck._account_status_cache[cache_key]
+        
+        client = self.get_client(region)
+        if not client:
+            return {"Error": {"Code": "NoClient", "Message": f"No client available for region {region}"}}
+        
+        status = client.get_account_status()
+        AuditManagerCheck._account_status_cache[cache_key] = status
+        return status
+    
+    def get_organization_admin_account(self, region: str) -> Dict[str, Any]:
+        """
+        Get organization admin account for a specific region with caching.
+        
+        Args:
+            region: AWS region name
+            
+        Returns:
+            Organization admin account response or error information
+        """
+        cache_key = f"org_admin:{region}"
+        if cache_key in AuditManagerCheck._account_status_cache:
+            return AuditManagerCheck._account_status_cache[cache_key]
+        
+        client = self.get_client(region)
+        if not client:
+            return {"Error": {"Code": "NoClient", "Message": f"No client available for region {region}"}}
+        
+        admin_info = client.get_organization_admin_account()
+        AuditManagerCheck._account_status_cache[cache_key] = admin_info
+        return admin_info

sraverify/services/auditmanager/checks/__init__.py

@@ -0,0 +1 @@
+# Audit Manager checks

sraverify/services/auditmanager/checks/sra_auditmanager_01.py

@@ -0,0 +1,58 @@
+"""
+Check if AWS Audit Manager is enabled.
+"""
+from typing import Dict, List, Any
+from sraverify.services.auditmanager.base import AuditManagerCheck
+
+
+class SRA_AUDITMANAGER_01(AuditManagerCheck):
+    """Check if AWS Audit Manager is enabled."""
+
+    def __init__(self):
+        """Initialize Audit Manager enabled check."""
+        super().__init__()
+        self.check_id = "SRA-AUDITMANAGER-01"
+        self.check_name = "AWS Audit Manager is enabled"
+        self.description = "This check verifies that AWS Audit Manager is enabled in the AWS account. Audit Manager helps you continuously audit your AWS usage to simplify how you assess risk and compliance with regulations and industry standards."
+        self.severity = "MEDIUM"
+        self.check_logic = "Check account registration status using GetAccountStatus API. Check passes if status is ACTIVE."
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        for region in self.regions:
+            status_response = self.get_account_status(region)
+            
+            if "Error" in status_response:
+                self.findings.append(self.create_finding(
+                    status="ERROR",
+                    region=region,
+                    resource_id=None,
+                    actual_value=status_response["Error"].get("Message", "Unknown error"),
+                    remediation="Check IAM permissions for Audit Manager API access"
+                ))
+            else:
+                account_status = status_response.get("status", "UNKNOWN")
+                
+                if account_status == "ACTIVE":
+                    self.findings.append(self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=f"auditmanager:{self.account_id}",
+                        actual_value=account_status,
+                        remediation=""
+                    ))
+                else:
+                    self.findings.append(self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=None,
+                        actual_value=account_status,
+                        remediation=f"Enable AWS Audit Manager in {region} by registering the account using the RegisterAccount API or AWS console"
+                    ))
+        
+        return self.findings

sraverify/services/auditmanager/checks/sra_auditmanager_02.py

@@ -0,0 +1,80 @@
+"""
+Check if Audit Manager delegated admin is the audit account.
+"""
+from typing import Dict, List, Any
+from sraverify.services.auditmanager.base import AuditManagerCheck
+
+
+class SRA_AUDITMANAGER_02(AuditManagerCheck):
+    """Check if Audit Manager delegated admin is the audit account."""
+
+    def __init__(self):
+        """Initialize Audit Manager delegated admin check."""
+        super().__init__()
+        self.account_type = "management"
+        self.check_id = "SRA-AUDITMANAGER-02"
+        self.check_name = "Audit Manager delegated admin is the audit account"
+        self.description = "This check verifies that the AWS Audit Manager delegated administrator is configured as the audit account. The delegated administrator should be the security tooling account to centralize audit management."
+        self.severity = "HIGH"
+        self.check_logic = "Get organization admin account using GetOrganizationAdminAccount API and verify it matches the audit account ID."
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        for region in self.regions:
+            admin_response = self.get_organization_admin_account(region)
+            
+            if "Error" in admin_response:
+                error_code = admin_response["Error"].get("Code", "")
+                error_message = admin_response["Error"].get("Message", "")
+                
+                if error_code == "ResourceNotFoundException":
+                    self.findings.append(self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=None,
+                        actual_value="No delegated administrator configured",
+                        remediation=f"Configure a delegated administrator for Audit Manager in {region} using RegisterOrganizationAdminAccount API"
+                    ))
+                elif "Please complete AWS Audit Manager setup" in error_message:
+                    self.findings.append(self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=None,
+                        actual_value="Audit Manager setup not completed in this account",
+                        remediation=f"Complete AWS Audit Manager setup from the home page in {region} before configuring delegated administrator"
+                    ))
+                else:
+                    self.findings.append(self.create_finding(
+                        status="ERROR",
+                        region=region,
+                        resource_id=None,
+                        actual_value=error_message,
+                        remediation="Check IAM permissions for Audit Manager API access"
+                    ))
+            else:
+                admin_account_id = admin_response.get("adminAccountId")
+                audit_accounts = getattr(self, '_audit_accounts', [])
+                
+                if admin_account_id in audit_accounts:
+                    self.findings.append(self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=f"auditmanager:admin:{admin_account_id}",
+                        actual_value=admin_account_id,
+                        remediation=""
+                    ))
+                else:
+                    self.findings.append(self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=f"auditmanager:admin:{admin_account_id}",
+                        actual_value=admin_account_id,
+                        remediation=f"Change delegated administrator to audit account in {region}. Current admin: {admin_account_id}, Expected audit accounts: {audit_accounts}"
+                    ))
+        
+        return self.findings

sraverify/services/auditmanager/client.py

@@ -0,0 +1,58 @@
+"""
+Audit Manager client for interacting with AWS Audit Manager service.
+"""
+from typing import Dict, Optional, Any
+import boto3
+from botocore.exceptions import ClientError
+from sraverify.core.logging import logger
+
+
+class AuditManagerClient:
+    """Client for interacting with AWS Audit Manager service."""
+
+    def __init__(self, region: str, session: Optional[boto3.Session] = None):
+        """
+        Initialize Audit Manager client for a specific region.
+
+        Args:
+            region: AWS region name
+            session: AWS session to use (if None, a new session will be created)
+        """
+        self.region = region
+        self.session = session or boto3.Session()
+        self.client = self.session.client('auditmanager', region_name=region)
+
+    def get_account_status(self) -> Dict[str, Any]:
+        """
+        Get the registration status of the account in Audit Manager.
+
+        Returns:
+            Dictionary containing status or error information
+        """
+        try:
+            response = self.client.get_account_status()
+            return response
+        except ClientError as e:
+            error_code = e.response.get('Error', {}).get('Code', '')
+            error_message = str(e)
+            logger.error(f"Error getting account status in {self.region}: {error_message}")
+
+    def get_organization_admin_account(self) -> Dict[str, Any]:
+        """
+        Get the delegated administrator account for the organization.
+
+        Returns:
+            Dictionary containing admin account info or error information
+        """
+        try:
+            response = self.client.get_organization_admin_account()
+            return response
+        except ClientError as e:
+            error_code = e.response.get('Error', {}).get('Code', '')
+            error_message = str(e)
+            
+            # Don't log setup required errors as they're handled as FAIL in the check
+            if "Please complete AWS Audit Manager setup" not in error_message:
+                logger.error(f"Error getting organization admin account in {self.region}: {error_message}")
+            
+            return {"Error": {"Code": error_code, "Message": error_message}}

sraverify/services/cloudtrail/__init__.py

@@ -0,0 +1,33 @@
+"""
+Cloudtrail security checks.
+"""
+from sraverify.services.cloudtrail.checks.sra_cloudtrail_01 import SRA_CLOUDTRAIL_01
+from sraverify.services.cloudtrail.checks.sra_cloudtrail_02 import SRA_CLOUDTRAIL_02
+from sraverify.services.cloudtrail.checks.sra_cloudtrail_03 import SRA_CLOUDTRAIL_03
+from sraverify.services.cloudtrail.checks.sra_cloudtrail_04 import SRA_CLOUDTRAIL_04
+from sraverify.services.cloudtrail.checks.sra_cloudtrail_05 import SRA_CLOUDTRAIL_05
+from sraverify.services.cloudtrail.checks.sra_cloudtrail_06 import SRA_CLOUDTRAIL_06
+from sraverify.services.cloudtrail.checks.sra_cloudtrail_07 import SRA_CLOUDTRAIL_07
+from sraverify.services.cloudtrail.checks.sra_cloudtrail_08 import SRA_CLOUDTRAIL_08
+from sraverify.services.cloudtrail.checks.sra_cloudtrail_09 import SRA_CLOUDTRAIL_09
+from sraverify.services.cloudtrail.checks.sra_cloudtrail_10 import SRA_CLOUDTRAIL_10
+from sraverify.services.cloudtrail.checks.sra_cloudtrail_11 import SRA_CLOUDTRAIL_11
+from sraverify.services.cloudtrail.checks.sra_cloudtrail_12 import SRA_CLOUDTRAIL_12
+from sraverify.services.cloudtrail.checks.sra_cloudtrail_13 import SRA_CLOUDTRAIL_13
+
+# Register checks
+CHECKS = {
+    "SRA-CLOUDTRAIL-01": SRA_CLOUDTRAIL_01,
+    "SRA-CLOUDTRAIL-02": SRA_CLOUDTRAIL_02,
+    "SRA-CLOUDTRAIL-03": SRA_CLOUDTRAIL_03,
+    "SRA-CLOUDTRAIL-04": SRA_CLOUDTRAIL_04,
+    "SRA-CLOUDTRAIL-05": SRA_CLOUDTRAIL_05,
+    "SRA-CLOUDTRAIL-06": SRA_CLOUDTRAIL_06,
+    "SRA-CLOUDTRAIL-07": SRA_CLOUDTRAIL_07,
+    "SRA-CLOUDTRAIL-08": SRA_CLOUDTRAIL_08,
+    "SRA-CLOUDTRAIL-09": SRA_CLOUDTRAIL_09,
+    "SRA-CLOUDTRAIL-10": SRA_CLOUDTRAIL_10,
+    "SRA-CLOUDTRAIL-11": SRA_CLOUDTRAIL_11,
+    "SRA-CLOUDTRAIL-12": SRA_CLOUDTRAIL_12,
+    "SRA-CLOUDTRAIL-13": SRA_CLOUDTRAIL_13,
+}

sraverify/services/cloudtrail/base.py

@@ -0,0 +1,167 @@
+"""
+Base class for CloudTrail security checks.
+"""
+from typing import List, Optional, Dict, Any
+from sraverify.core.check import SecurityCheck
+from sraverify.services.cloudtrail.client import CloudTrailClient
+from sraverify.core.logging import logger
+
+
+class CloudTrailCheck(SecurityCheck):
+    """Base class for all CloudTrail security checks."""
+    
+    # Class-level caches shared across all instances - only keeping the ones specified
+    _describe_trails_cache = {}
+    _trail_status_cache = {}
+    _delegated_admin_account_id_cache = {}
+    
+    def __init__(self):
+        """Initialize CloudTrail base check."""
+        super().__init__(
+            account_type="management",
+            service="CloudTrail",
+            resource_type="AWS::CloudTrail::Trail"
+        )
+    
+    def _setup_clients(self):
+        """Set up CloudTrail clients for each region."""
+        # Clear existing clients
+        self._clients.clear()
+        # Set up new clients only if regions are initialized
+        if hasattr(self, 'regions') and self.regions:
+            for region in self.regions:
+                self._clients[region] = CloudTrailClient(region, session=self.session)
+    
+    def get_client(self, region: str) -> Optional[CloudTrailClient]:
+        """
+        Get CloudTrail client for a specific region.
+        
+        Args:
+            region: AWS region name
+            
+        Returns:
+            CloudTrailClient for the region or None if not available
+        """
+        return self._clients.get(region)
+    
+    def describe_trails(self, include_shadow_trails: bool = True) -> List[Dict[str, Any]]:
+        """
+        Get all CloudTrail trails across all regions using the client with caching.
+        
+        Args:
+            include_shadow_trails: Include shadow trails in the response
+            
+        Returns:
+            List of all trails
+        """
+        if not self.regions:
+            logger.warning("No regions specified")
+            return []
+        
+        # Use session region name as part of cache key
+        cache_key = f"describe_trails:{self.session.region_name}:{include_shadow_trails}"
+        if cache_key in self.__class__._describe_trails_cache:
+            logger.debug(f"Using cached trails for {cache_key}")
+            return self.__class__._describe_trails_cache[cache_key]
+        
+        # Use any region to get all trails
+        client = self.get_client(self.regions[0])
+        if not client:
+            logger.warning("No CloudTrail client available")
+            return []
+        
+        # Get all trails using the client
+        trails = client.describe_trails(include_shadow_trails=include_shadow_trails)
+        
+        # Cache the results
+        self.__class__._describe_trails_cache[cache_key] = trails
+        logger.debug(f"Cached {len(trails)} trails for {cache_key}")
+        
+        return trails
+    
+    def get_organization_trails(self) -> List[Dict[str, Any]]:
+        """
+        Get all organization CloudTrail trails.
+        
+        Returns:
+            List of organization trails
+        """
+        # Get all trails first
+        all_trails = self.describe_trails()
+        
+        # Filter for organization trails
+        org_trails = [
+            trail for trail in all_trails 
+            if trail.get('IsOrganizationTrail', False)
+        ]
+        
+        logger.debug(f"Found {len(org_trails)} organization trails")
+        return org_trails
+    
+    def get_trail_status(self, region: str, trail_arn: str) -> Dict[str, Any]:
+        """
+        Get status of a specific CloudTrail trail using the client with caching.
+        
+        Args:
+            region: AWS region name
+            trail_arn: ARN of the trail
+            
+        Returns:
+            Dictionary containing trail status
+        """
+        # Check cache first
+        cache_key = f"{trail_arn}:{region}"
+        if cache_key in self.__class__._trail_status_cache:
+            logger.debug(f"Using cached trail status for {trail_arn} in {region}")
+            return self.__class__._trail_status_cache[cache_key]
+        
+        client = self.get_client(region)
+        if not client:
+            logger.warning(f"No CloudTrail client available for region {region}")
+            return {}
+        
+        # Get trail status from client
+        status = client.get_trail_status(trail_arn)
+        
+        # Cache the result
+        self.__class__._trail_status_cache[cache_key] = status
+        logger.debug(f"Cached trail status for {trail_arn} in {region}")
+        
+        return status
+    
+    def get_delegated_administrators(self) -> List[Dict[str, Any]]:
+        """
+        Get CloudTrail delegated administrators with caching.
+        
+        Returns:
+            List of delegated administrators
+        """
+        if not self.regions:
+            logger.warning("No regions specified")
+            return []
+        
+        account_id = self.account_id
+        if not account_id:
+            logger.warning("Could not determine account ID")
+            return []
+        
+        # Check cache first
+        cache_key = f"{account_id}:{self.session.region_name}"
+        if cache_key in self.__class__._delegated_admin_account_id_cache:
+            logger.debug(f"Using cached delegated administrators for {cache_key}")
+            return self.__class__._delegated_admin_account_id_cache[cache_key]
+        
+        # Use any region to get delegated administrators
+        client = self.get_client(self.regions[0])
+        if not client:
+            logger.warning("No CloudTrail client available")
+            return []
+        
+        # Get delegated administrators from client
+        delegated_admins = client.list_delegated_administrators()
+        
+        # Cache the results
+        self.__class__._delegated_admin_account_id_cache[cache_key] = delegated_admins
+        logger.debug(f"Cached {len(delegated_admins)} delegated administrators for {cache_key}")
+        
+        return delegated_admins

sraverify/services/cloudtrail/checks/__init__.py

@@ -0,0 +1 @@
+"""CloudTrail security checks."""

sraverify/services/cloudtrail/checks/sra_cloudtrail_01.py

@@ -0,0 +1,83 @@
+"""
+SRA-CLOUDTRAIL-01: Organization CloudTrail Configuration.
+"""
+from typing import List, Dict, Any
+from sraverify.services.cloudtrail.base import CloudTrailCheck
+from sraverify.core.logging import logger
+
+
+class SRA_CLOUDTRAIL_01(CloudTrailCheck):
+    """Check if an Organization trail is configured for the AWS Organization."""
+    
+    def __init__(self):
+        """Initialize the check."""
+        super().__init__()
+        self.check_id = "SRA-CLOUDTRAIL-01"
+        self.check_name = "An Organization trail is configured for the AWS Organization"
+        self.account_type = "management"
+        self.severity = "HIGH"
+        self.description = (
+            "This check verifies that an organization trail is configured for your AWS Organization. "
+            "It is important to have uniform logging strategy for your AWS environment. Organization trail "
+            "logs all events for all AWS accounts in that organization and delivers logs to a single S3 bucket, "
+            "CloudWatch Logs and Event Bridge. Organization trails are automatically applied to all member accounts "
+            "in the organization. Member accounts can see the organization trail, but can't modify or delete it. "
+            "Organization trail should be configured for all AWS regions even if you are not operating out of any region."
+        )
+        self.check_logic = (
+            "Check if at least one trail has IsOrganizationTrail set to true."
+        )
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []
+        
+        # Get all trails using the base class method
+        # This will use the cache if available or make API calls if needed
+        all_trails = self.describe_trails()
+        
+        # Filter for organization trails
+        org_trails = [
+            trail for trail in all_trails 
+            if trail.get('IsOrganizationTrail', False)
+        ]
+        
+        if not org_trails:
+            findings.append(
+                self.create_finding(
+                    status="FAIL",
+                    region="global",
+                    resource_id=f"organization/{self.account_id}",
+                    checked_value="IsOrganizationTrail: true",
+                    actual_value="No organization trails found",
+                    remediation=(
+                        "Create an organization trail in the management account using the AWS CLI command: "
+                        f"aws cloudtrail create-trail --name org-trail --is-organization-trail --s3-bucket-name cloudtrail-logs-{self.account_id} "
+                        f"--is-multi-region-trail --region {self.regions[0] if self.regions else 'us-east-1'}"
+                    )
+                )
+            )
+            return findings
+        
+        # If we have organization trails, create a PASS finding for each one
+        for trail in org_trails:
+            trail_name = trail.get('Name', 'Unknown')
+            trail_arn = trail.get('TrailARN', 'Unknown')
+            
+            findings.append(
+                self.create_finding(
+                    status="PASS",
+                    region="global",
+                    resource_id=trail_arn,
+                    checked_value="IsOrganizationTrail: true",
+                    actual_value=f"Organization trail '{trail_name}' is configured",
+                    remediation="No remediation needed"
+                )
+            )
+        
+        return findings