PyPI - sraverify - Versions diffs - 0.1.0__py3-none-any.whl - Mend

sraverify 0.1.0__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (261) hide show

sraverify/__init__.py +36 -0
sraverify/checks/__init__.py +56 -0
sraverify/checks/accessanalyzer/SRA_IAA_1.py +188 -0
sraverify/checks/accessanalyzer/SRA_IAA_2.py +162 -0
sraverify/checks/accessanalyzer/SRA_IAA_3.py +260 -0
sraverify/checks/accessanalyzer/SRA_IAA_4.py +207 -0
sraverify/checks/accessanalyzer/__init__.py +3 -0
sraverify/checks/cloudtrail/SRA-CT-1.py +220 -0
sraverify/checks/cloudtrail/SRA-CT-10.py +229 -0
sraverify/checks/cloudtrail/SRA-CT-11.py +242 -0
sraverify/checks/cloudtrail/SRA-CT-12.py +163 -0
sraverify/checks/cloudtrail/SRA-CT-13.py +279 -0
sraverify/checks/cloudtrail/SRA-CT-2.py +218 -0
sraverify/checks/cloudtrail/SRA-CT-3.py +196 -0
sraverify/checks/cloudtrail/SRA-CT-4.py +161 -0
sraverify/checks/cloudtrail/SRA-CT-5.py +200 -0
sraverify/checks/cloudtrail/SRA-CT-6.py +161 -0
sraverify/checks/cloudtrail/SRA-CT-7.py +194 -0
sraverify/checks/cloudtrail/SRA-CT-8.py +226 -0
sraverify/checks/cloudtrail/SRA-CT-9.py +226 -0
sraverify/checks/cloudtrail/__init__.py +3 -0
sraverify/checks/config/SRA-CONFIG-1.py +197 -0
sraverify/checks/config/__init__.py +3 -0
sraverify/core/__init__.py +3 -0
sraverify/core/check.py +227 -0
sraverify/core/logging.py +37 -0
sraverify/core/session.py +47 -0
sraverify/lib/__init__.py +4 -0
sraverify/lib/audit_info.py +37 -0
sraverify/lib/banner.py +42 -0
sraverify/lib/check_loader.py +80 -0
sraverify/lib/org_mgmt_checker.py +86 -0
sraverify/lib/outputs.py +46 -0
sraverify/lib/progress.py +75 -0
sraverify/lib/regions.py +27 -0
sraverify/lib/session.py +23 -0
sraverify/main.py +350 -0
sraverify/services/__init__.py +3 -0
sraverify/services/accessanalyzer/__init__.py +15 -0
sraverify/services/accessanalyzer/base.py +123 -0
sraverify/services/accessanalyzer/checks/__init__.py +3 -0
sraverify/services/accessanalyzer/checks/sra_accessanalyzer_01.py +82 -0
sraverify/services/accessanalyzer/checks/sra_accessanalyzer_02.py +82 -0
sraverify/services/accessanalyzer/checks/sra_accessanalyzer_03.py +103 -0
sraverify/services/accessanalyzer/checks/sra_accessanalyzer_04.py +139 -0
sraverify/services/accessanalyzer/client.py +123 -0
sraverify/services/account/__init__.py +9 -0
sraverify/services/account/base.py +56 -0
sraverify/services/account/checks/__init__.py +1 -0
sraverify/services/account/checks/sra_account_01.py +65 -0
sraverify/services/account/checks/sra_account_02.py +63 -0
sraverify/services/account/checks/sra_account_03.py +63 -0
sraverify/services/account/client.py +51 -0
sraverify/services/auditmanager/__init__.py +10 -0
sraverify/services/auditmanager/base.py +72 -0
sraverify/services/auditmanager/checks/__init__.py +1 -0
sraverify/services/auditmanager/checks/sra_auditmanager_01.py +58 -0
sraverify/services/auditmanager/checks/sra_auditmanager_02.py +80 -0
sraverify/services/auditmanager/client.py +58 -0
sraverify/services/cloudtrail/__init__.py +33 -0
sraverify/services/cloudtrail/base.py +167 -0
sraverify/services/cloudtrail/checks/__init__.py +1 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_01.py +83 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_02.py +99 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_03.py +94 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_04.py +92 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_05.py +106 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_06.py +93 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_07.py +96 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_08.py +145 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_09.py +167 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_10.py +162 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_11.py +178 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_12.py +77 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_13.py +120 -0
sraverify/services/cloudtrail/client.py +118 -0
sraverify/services/config/__init__.py +25 -0
sraverify/services/config/base.py +249 -0
sraverify/services/config/checks/__init__.py +1 -0
sraverify/services/config/checks/sra_config_01.py +123 -0
sraverify/services/config/checks/sra_config_02.py +156 -0
sraverify/services/config/checks/sra_config_03.py +149 -0
sraverify/services/config/checks/sra_config_04.py +104 -0
sraverify/services/config/checks/sra_config_05.py +104 -0
sraverify/services/config/checks/sra_config_06.py +194 -0
sraverify/services/config/checks/sra_config_07.py +162 -0
sraverify/services/config/checks/sra_config_08.py +185 -0
sraverify/services/config/checks/sra_config_09.py +177 -0
sraverify/services/config/client.py +264 -0
sraverify/services/ec2/__init__.py +8 -0
sraverify/services/ec2/base.py +75 -0
sraverify/services/ec2/checks/__init__.py +1 -0
sraverify/services/ec2/checks/sra_ec2_01.py +83 -0
sraverify/services/ec2/client.py +63 -0
sraverify/services/firewallmanager/__init__.py +23 -0
sraverify/services/firewallmanager/base.py +48 -0
sraverify/services/firewallmanager/checks/__init__.py +1 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_01.py +75 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_02.py +57 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_03.py +51 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_04.py +51 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_05.py +51 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_06.py +51 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_07.py +51 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_08.py +61 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_09.py +61 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_10.py +71 -0
sraverify/services/firewallmanager/client.py +40 -0
sraverify/services/guardduty/__init__.py +58 -0
sraverify/services/guardduty/base.py +207 -0
sraverify/services/guardduty/checks/__init__.py +3 -0
sraverify/services/guardduty/checks/sra_guardduty_01.py +51 -0
sraverify/services/guardduty/checks/sra_guardduty_02.py +80 -0
sraverify/services/guardduty/checks/sra_guardduty_03.py +77 -0
sraverify/services/guardduty/checks/sra_guardduty_04.py +84 -0
sraverify/services/guardduty/checks/sra_guardduty_05.py +84 -0
sraverify/services/guardduty/checks/sra_guardduty_06.py +84 -0
sraverify/services/guardduty/checks/sra_guardduty_07.py +85 -0
sraverify/services/guardduty/checks/sra_guardduty_08.py +83 -0
sraverify/services/guardduty/checks/sra_guardduty_09.py +84 -0
sraverify/services/guardduty/checks/sra_guardduty_10.py +83 -0
sraverify/services/guardduty/checks/sra_guardduty_11.py +93 -0
sraverify/services/guardduty/checks/sra_guardduty_12.py +83 -0
sraverify/services/guardduty/checks/sra_guardduty_13.py +90 -0
sraverify/services/guardduty/checks/sra_guardduty_14.py +136 -0
sraverify/services/guardduty/checks/sra_guardduty_15.py +94 -0
sraverify/services/guardduty/checks/sra_guardduty_16.py +94 -0
sraverify/services/guardduty/checks/sra_guardduty_17.py +91 -0
sraverify/services/guardduty/checks/sra_guardduty_18.py +91 -0
sraverify/services/guardduty/checks/sra_guardduty_19.py +91 -0
sraverify/services/guardduty/checks/sra_guardduty_20.py +111 -0
sraverify/services/guardduty/checks/sra_guardduty_21.py +112 -0
sraverify/services/guardduty/checks/sra_guardduty_22.py +111 -0
sraverify/services/guardduty/checks/sra_guardduty_23.py +154 -0
sraverify/services/guardduty/checks/sra_guardduty_24.py +111 -0
sraverify/services/guardduty/checks/sra_guardduty_25.py +111 -0
sraverify/services/guardduty/client.py +107 -0
sraverify/services/inspector/__init__.py +29 -0
sraverify/services/inspector/base.py +233 -0
sraverify/services/inspector/checks/__init__.py +3 -0
sraverify/services/inspector/checks/sra_inspector_01.py +69 -0
sraverify/services/inspector/checks/sra_inspector_02.py +68 -0
sraverify/services/inspector/checks/sra_inspector_03.py +68 -0
sraverify/services/inspector/checks/sra_inspector_04.py +70 -0
sraverify/services/inspector/checks/sra_inspector_05.py +69 -0
sraverify/services/inspector/checks/sra_inspector_06.py +115 -0
sraverify/services/inspector/checks/sra_inspector_07.py +109 -0
sraverify/services/inspector/checks/sra_inspector_08.py +69 -0
sraverify/services/inspector/checks/sra_inspector_09.py +69 -0
sraverify/services/inspector/checks/sra_inspector_10.py +69 -0
sraverify/services/inspector/checks/sra_inspector_11.py +69 -0
sraverify/services/inspector/client.py +99 -0
sraverify/services/macie/__init__.py +27 -0
sraverify/services/macie/base.py +271 -0
sraverify/services/macie/checks/__init__.py +1 -0
sraverify/services/macie/checks/sra_macie_01.py +100 -0
sraverify/services/macie/checks/sra_macie_02.py +102 -0
sraverify/services/macie/checks/sra_macie_03.py +152 -0
sraverify/services/macie/checks/sra_macie_04.py +120 -0
sraverify/services/macie/checks/sra_macie_05.py +85 -0
sraverify/services/macie/checks/sra_macie_06.py +124 -0
sraverify/services/macie/checks/sra_macie_07.py +138 -0
sraverify/services/macie/checks/sra_macie_08.py +82 -0
sraverify/services/macie/checks/sra_macie_09.py +103 -0
sraverify/services/macie/checks/sra_macie_10.py +81 -0
sraverify/services/macie/client.py +220 -0
sraverify/services/s3/__init__.py +16 -0
sraverify/services/s3/base.py +69 -0
sraverify/services/s3/checks/__init__.py +1 -0
sraverify/services/s3/checks/sra_s3_01.py +89 -0
sraverify/services/s3/checks/sra_s3_02.py +89 -0
sraverify/services/s3/checks/sra_s3_03.py +88 -0
sraverify/services/s3/checks/sra_s3_04.py +88 -0
sraverify/services/s3/client.py +52 -0
sraverify/services/securityhub/__init__.py +27 -0
sraverify/services/securityhub/base.py +349 -0
sraverify/services/securityhub/checks/__init__.py +1 -0
sraverify/services/securityhub/checks/sra_securityhub_01.py +115 -0
sraverify/services/securityhub/checks/sra_securityhub_02.py +114 -0
sraverify/services/securityhub/checks/sra_securityhub_03.py +136 -0
sraverify/services/securityhub/checks/sra_securityhub_04.py +75 -0
sraverify/services/securityhub/checks/sra_securityhub_05.py +102 -0
sraverify/services/securityhub/checks/sra_securityhub_06.py +113 -0
sraverify/services/securityhub/checks/sra_securityhub_07.py +121 -0
sraverify/services/securityhub/checks/sra_securityhub_08.py +113 -0
sraverify/services/securityhub/checks/sra_securityhub_09.py +100 -0
sraverify/services/securityhub/checks/sra_securityhub_10.py +94 -0
sraverify/services/securityhub/checks/sra_securityhub_11.py +73 -0
sraverify/services/securityhub/client.py +249 -0
sraverify/services/securityincidentresponse/__init__.py +13 -0
sraverify/services/securityincidentresponse/base.py +95 -0
sraverify/services/securityincidentresponse/checks/__init__.py +1 -0
sraverify/services/securityincidentresponse/checks/sra_securityincidentresponse_01.py +77 -0
sraverify/services/securityincidentresponse/checks/sra_securityincidentresponse_02.py +72 -0
sraverify/services/securityincidentresponse/checks/sra_securityincidentresponse_03.py +86 -0
sraverify/services/securityincidentresponse/checks/sra_securityincidentresponse_04.py +117 -0
sraverify/services/securityincidentresponse/checks/sra_securityincidentresponse_05.py +55 -0
sraverify/services/securityincidentresponse/client.py +71 -0
sraverify/services/securitylake/__init__.py +39 -0
sraverify/services/securitylake/base.py +461 -0
sraverify/services/securitylake/checks/__init__.py +1 -0
sraverify/services/securitylake/checks/sra_securitylake_01.py +98 -0
sraverify/services/securitylake/checks/sra_securitylake_02.py +133 -0
sraverify/services/securitylake/checks/sra_securitylake_03.py +116 -0
sraverify/services/securitylake/checks/sra_securitylake_04.py +72 -0
sraverify/services/securitylake/checks/sra_securitylake_05.py +116 -0
sraverify/services/securitylake/checks/sra_securitylake_06.py +104 -0
sraverify/services/securitylake/checks/sra_securitylake_07.py +108 -0
sraverify/services/securitylake/checks/sra_securitylake_08.py +107 -0
sraverify/services/securitylake/checks/sra_securitylake_09.py +107 -0
sraverify/services/securitylake/checks/sra_securitylake_10.py +106 -0
sraverify/services/securitylake/checks/sra_securitylake_11.py +109 -0
sraverify/services/securitylake/checks/sra_securitylake_12.py +108 -0
sraverify/services/securitylake/checks/sra_securitylake_13.py +108 -0
sraverify/services/securitylake/checks/sra_securitylake_14.py +72 -0
sraverify/services/securitylake/checks/sra_securitylake_15.py +120 -0
sraverify/services/securitylake/checks/sra_securitylake_16.py +104 -0
sraverify/services/securitylake/checks/sra_securitylake_17.py +103 -0
sraverify/services/securitylake/client.py +247 -0
sraverify/services/shield/__init__.py +33 -0
sraverify/services/shield/base.py +199 -0
sraverify/services/shield/checks/__init__.py +1 -0
sraverify/services/shield/checks/sra_shield_01.py +68 -0
sraverify/services/shield/checks/sra_shield_02.py +77 -0
sraverify/services/shield/checks/sra_shield_03.py +84 -0
sraverify/services/shield/checks/sra_shield_04.py +84 -0
sraverify/services/shield/checks/sra_shield_05.py +84 -0
sraverify/services/shield/checks/sra_shield_06.py +84 -0
sraverify/services/shield/checks/sra_shield_07.py +84 -0
sraverify/services/shield/checks/sra_shield_08.py +69 -0
sraverify/services/shield/checks/sra_shield_09.py +86 -0
sraverify/services/shield/checks/sra_shield_10.py +100 -0
sraverify/services/shield/checks/sra_shield_11.py +71 -0
sraverify/services/shield/checks/sra_shield_12.py +130 -0
sraverify/services/shield/checks/sra_shield_13.py +112 -0
sraverify/services/shield/checks/sra_shield_14.py +111 -0
sraverify/services/shield/client.py +214 -0
sraverify/services/waf/__init__.py +21 -0
sraverify/services/waf/base.py +100 -0
sraverify/services/waf/checks/__init__.py +1 -0
sraverify/services/waf/checks/sra_waf_01.py +63 -0
sraverify/services/waf/checks/sra_waf_02.py +82 -0
sraverify/services/waf/checks/sra_waf_03.py +123 -0
sraverify/services/waf/checks/sra_waf_04.py +94 -0
sraverify/services/waf/checks/sra_waf_05.py +94 -0
sraverify/services/waf/checks/sra_waf_06.py +91 -0
sraverify/services/waf/checks/sra_waf_07.py +94 -0
sraverify/services/waf/checks/sra_waf_08.py +66 -0
sraverify/services/waf/checks/sra_waf_09.py +95 -0
sraverify/services/waf/client.py +109 -0
sraverify/utils/__init__.py +3 -0
sraverify/utils/banner.py +65 -0
sraverify/utils/outputs.py +57 -0
sraverify/utils/progress.py +97 -0
sraverify-0.1.0.dist-info/LICENSE +175 -0
sraverify-0.1.0.dist-info/METADATA +516 -0
sraverify-0.1.0.dist-info/NOTICE +1 -0
sraverify-0.1.0.dist-info/RECORD +261 -0
sraverify-0.1.0.dist-info/WHEEL +5 -0
sraverify-0.1.0.dist-info/entry_points.txt +2 -0
sraverify-0.1.0.dist-info/top_level.txt +1 -0

sraverify/services/cloudtrail/checks/sra_cloudtrail_08.py ADDED Viewed

@@ -0,0 +1,145 @@
+"""
+SRA-CLOUDTRAIL-08: Organization CloudTrail S3 Delivery.
+"""
+from typing import List, Dict, Any
+from datetime import datetime, timedelta, timezone
+from sraverify.services.cloudtrail.base import CloudTrailCheck
+from sraverify.core.logging import logger
+class SRA_CLOUDTRAIL_08(CloudTrailCheck):
+    """Check if organization trails are publishing logs to destination S3 bucket."""
+    def __init__(self):
+        """Initialize the check."""
+        super().__init__()
+        self.check_id = "SRA-CLOUDTRAIL-08"
+        self.check_name = "Organization trail is publishing logs to destination S3 bucket"
+        self.account_type = "management"
+        self.severity = "HIGH"
+        self.description = (
+            "This check verifies that last attempt to send CloudTrail logs to S3 bucket was successful. "
+            "CloudTrail log files are an audit log of actions taken by an IAM identity or an AWS service. "
+            "The integrity, completeness and availability of these logs is crucial for forensic and auditing purposes. "
+            "By logging to a dedicated and centralized Amazon S3 bucket, you can enforce strict security controls, "
+            "access, and segregation of duties."
+        )
+        self.check_logic = (
+            "Check if organization trails have LatestDeliveryTime within the last 24 hours."
+        )
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        Returns:
+            List of findings
+        """
+        findings = []
+        # Get organization trails
+        org_trails = self.get_organization_trails()
+        if not org_trails:
+            findings.append(
+                self.create_finding(
+                    status="FAIL",
+                    region="global",
+                    resource_id=f"organization/{self.account_id}",
+                    checked_value="LatestDeliveryTime: within last 24 hours",
+                    actual_value="No organization trails found",
+                    remediation=(
+                        "Create an organization trail in the management account using the AWS CLI command: "
+                        f"aws cloudtrail create-trail --name org-trail --is-organization-trail --s3-bucket-name cloudtrail-logs-{self.account_id} "
+                        f"--is-multi-region-trail --region {self.regions[0] if self.regions else 'us-east-1'} && "
+                        f"aws cloudtrail start-logging --name org-trail --region {self.regions[0] if self.regions else 'us-east-1'}"
+                    )
+                )
+            )
+            return findings
+        # Check each organization trail for S3 delivery
+        for trail in org_trails:
+            trail_name = trail.get('Name', 'Unknown')
+            trail_arn = trail.get('TrailARN', 'Unknown')
+            home_region = trail.get('HomeRegion', 'Unknown')
+            s3_bucket_name = trail.get('S3BucketName', 'Unknown')
+            # Get trail status to check S3 delivery
+            trail_status = self.get_trail_status(home_region, trail_arn)
+            latest_delivery_time_str = trail_status.get('LatestDeliveryTime', None)
+            latest_delivery_error = trail_status.get('LatestDeliveryError', None)
+            # Check if delivery time exists and is within the last 24 hours
+            if latest_delivery_time_str:
+                try:
+                    # Convert string to datetime object
+                    if isinstance(latest_delivery_time_str, str):
+                        latest_delivery_time = datetime.fromisoformat(latest_delivery_time_str.replace('Z', '+00:00'))
+                    else:
+                        # Assume it's already a datetime object
+                        latest_delivery_time = latest_delivery_time_str
+                    # Get current time in UTC
+                    now = datetime.now(timezone.utc)
+                    # Check if delivery was within the last 24 hours
+                    if now - latest_delivery_time < timedelta(hours=24):
+                        # Trail is delivering logs to S3 within the last 24 hours
+                        findings.append(
+                            self.create_finding(
+                                status="PASS",
+                                region="global",
+                                resource_id=trail_arn,
+                                checked_value="LatestDeliveryTime: within last 24 hours",
+                                actual_value=f"Organization trail '{trail_name}' is publishing logs to S3 bucket '{s3_bucket_name}', latest delivery time: {latest_delivery_time_str}",
+                                remediation="No remediation needed"
+                            )
+                        )
+                    else:
+                        # Trail has not delivered logs to S3 within the last 24 hours
+                        findings.append(
+                            self.create_finding(
+                                status="FAIL",
+                                region="global",
+                                resource_id=trail_arn,
+                                checked_value="LatestDeliveryTime: within last 24 hours",
+                                actual_value=f"Organization trail '{trail_name}' has not published logs to S3 bucket '{s3_bucket_name}' within the last 24 hours, latest delivery time: {latest_delivery_time_str}",
+                                remediation=(
+                                    f"Check the CloudTrail configuration and S3 bucket permissions. Ensure the trail is active using: "
+                                    f"aws cloudtrail start-logging --name {trail_name} --region {home_region}"
+                                )
+                            )
+                        )
+                except (ValueError, TypeError) as e:
+                    # Error parsing delivery time
+                    findings.append(
+                        self.create_finding(
+                            status="FAIL",
+                            region="global",
+                            resource_id=trail_arn,
+                            checked_value="LatestDeliveryTime: within last 24 hours",
+                            actual_value=f"Organization trail '{trail_name}' has an invalid delivery time format: {latest_delivery_time_str}, error: {str(e)}",
+                            remediation=(
+                                f"Check the CloudTrail configuration and S3 bucket permissions. Ensure the trail is active using: "
+                                f"aws cloudtrail start-logging --name {trail_name} --region {home_region}"
+                            )
+                        )
+                    )
+            else:
+                # No delivery time found
+                findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region="global",
+                        resource_id=trail_arn,
+                        checked_value="LatestDeliveryTime: within last 24 hours",
+                        actual_value=f"Organization trail '{trail_name}' has no record of delivering logs to S3 bucket '{s3_bucket_name}'",
+                        remediation=(
+                            f"Check the CloudTrail configuration and S3 bucket permissions. Ensure the trail is active using: "
+                            f"aws cloudtrail start-logging --name {trail_name} --region {home_region}"
+                        )
+                    )
+                )
+        return findings

sraverify/services/cloudtrail/checks/sra_cloudtrail_09.py ADDED Viewed

@@ -0,0 +1,167 @@
+"""
+SRA-CLOUDTRAIL-09: Organization CloudTrail CloudWatch Logs Delivery.
+"""
+from typing import List, Dict, Any
+from datetime import datetime, timedelta, timezone
+from sraverify.services.cloudtrail.base import CloudTrailCheck
+from sraverify.core.logging import logger
+class SRA_CLOUDTRAIL_09(CloudTrailCheck):
+    """Check if organization trails are publishing logs to CloudWatch Logs."""
+    def __init__(self):
+        """Initialize the check."""
+        super().__init__()
+        self.check_id = "SRA-CLOUDTRAIL-09"
+        self.check_name = "Organization trail is publishing logs to CloudWatch Logs"
+        self.account_type = "management"
+        self.severity = "MEDIUM"
+        self.description = (
+            "This check verifies that last attempt to send CloudTrail logs to CloudWatch Logs was successful. "
+            "Successful delivery of CloudTrails logs to CloudWatch ensures later availability for monitoring. "
+            "CloudTrail requires right permission to send log events to CloudWatch Logs."
+        )
+        self.check_logic = (
+            "Check if organization trails have LatestCloudWatchLogsDeliveryTime within the last 24 hours."
+        )
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        Returns:
+            List of findings
+        """
+        findings = []
+        # Get organization trails
+        org_trails = self.get_organization_trails()
+        if not org_trails:
+            findings.append(
+                self.create_finding(
+                    status="FAIL",
+                    region="global",
+                    resource_id=f"organization/{self.account_id}",
+                    checked_value="LatestCloudWatchLogsDeliveryTime: within last 24 hours",
+                    actual_value="No organization trails found",
+                    remediation=(
+                        "Create an organization trail with CloudWatch Logs delivery in the management account using the AWS CLI command: "
+                        f"aws cloudtrail create-trail --name org-trail --is-organization-trail --s3-bucket-name cloudtrail-logs-{self.account_id} "
+                        f"--cloud-watch-logs-log-group-arn arn:aws:logs:{self.regions[0] if self.regions else 'us-east-1'}:{self.account_id}:log-group:CloudTrail/Logs:* "
+                        f"--cloud-watch-logs-role-arn arn:aws:iam::{self.account_id}:role/CloudTrail_CloudWatchLogs_Role "
+                        f"--is-multi-region-trail --region {self.regions[0] if self.regions else 'us-east-1'}"
+                    )
+                )
+            )
+            return findings
+        # Check each organization trail for CloudWatch Logs delivery
+        for trail in org_trails:
+            trail_name = trail.get('Name', 'Unknown')
+            trail_arn = trail.get('TrailARN', 'Unknown')
+            home_region = trail.get('HomeRegion', 'Unknown')
+            cloudwatch_logs_group_arn = trail.get('CloudWatchLogsLogGroupArn', '')
+            # Skip trails without CloudWatch Logs configuration
+            if not cloudwatch_logs_group_arn:
+                findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region="global",
+                        resource_id=trail_arn,
+                        checked_value="LatestCloudWatchLogsDeliveryTime: within last 24 hours",
+                        actual_value=f"Organization trail '{trail_name}' is not configured to deliver logs to CloudWatch Logs",
+                        remediation=(
+                            f"Configure CloudTrail '{trail_name}' to use CloudWatch Logs using the AWS CLI command: "
+                            f"aws cloudtrail update-trail --name {trail_name} "
+                            f"--cloud-watch-logs-log-group-arn arn:aws:logs:{home_region}:{self.account_id}:log-group:CloudTrail/Logs:* "
+                            f"--cloud-watch-logs-role-arn arn:aws:iam::{self.account_id}:role/CloudTrail_CloudWatchLogs_Role "
+                            f"--region {home_region}"
+                        )
+                    )
+                )
+                continue
+            # Get trail status to check CloudWatch Logs delivery
+            trail_status = self.get_trail_status(home_region, trail_arn)
+            latest_cloudwatch_logs_delivery_time_str = trail_status.get('LatestCloudWatchLogsDeliveryTime', None)
+            latest_cloudwatch_logs_delivery_error = trail_status.get('LatestCloudWatchLogsDeliveryError', None)
+            # Check if delivery time exists and is within the last 24 hours
+            if latest_cloudwatch_logs_delivery_time_str:
+                try:
+                    # Convert string to datetime object
+                    if isinstance(latest_cloudwatch_logs_delivery_time_str, str):
+                        latest_delivery_time = datetime.fromisoformat(latest_cloudwatch_logs_delivery_time_str.replace('Z', '+00:00'))
+                    else:
+                        # Assume it's already a datetime object
+                        latest_delivery_time = latest_cloudwatch_logs_delivery_time_str
+                    # Get current time in UTC
+                    now = datetime.now(timezone.utc)
+                    # Use the delivery time as the resource ID
+                    resource_id = f"cloudtrail arn delivery to CloudWatch logs within 24 hrs = true"
+                    # Check if delivery was within the last 24 hours
+                    if now - latest_delivery_time < timedelta(hours=24):
+                        # Trail is delivering logs to CloudWatch Logs within the last 24 hours
+                        findings.append(
+                            self.create_finding(
+                                status="PASS",
+                                region="global",
+                                resource_id=resource_id,
+                                checked_value="LatestCloudWatchLogsDeliveryTime: within last 24 hours",
+                                actual_value=f"Organization trail '{trail_name}' is publishing logs to CloudWatch Logs, latest delivery time: {latest_cloudwatch_logs_delivery_time_str}",
+                                remediation="No remediation needed"
+                            )
+                        )
+                    else:
+                        # Trail has not delivered logs to CloudWatch Logs within the last 24 hours
+                        findings.append(
+                            self.create_finding(
+                                status="FAIL",
+                                region="global",
+                                resource_id=resource_id,
+                                checked_value="LatestCloudWatchLogsDeliveryTime: within last 24 hours",
+                                actual_value=f"Organization trail '{trail_name}' has not published logs to CloudWatch Logs within the last 24 hours, latest delivery time: {latest_cloudwatch_logs_delivery_time_str}",
+                                remediation=(
+                                    f"Check the CloudTrail configuration and CloudWatch Logs permissions. Ensure the trail is active using: "
+                                    f"aws cloudtrail start-logging --name {trail_name} --region {home_region}"
+                                )
+                            )
+                        )
+                except (ValueError, TypeError) as e:
+                    # Error parsing delivery time
+                    findings.append(
+                        self.create_finding(
+                            status="FAIL",
+                            region="global",
+                            resource_id=trail_arn,
+                            checked_value="LatestCloudWatchLogsDeliveryTime: within last 24 hours",
+                            actual_value=f"Organization trail '{trail_name}' has an invalid CloudWatch Logs delivery time format: {latest_cloudwatch_logs_delivery_time_str}, error: {str(e)}",
+                            remediation=(
+                                f"Check the CloudTrail configuration and CloudWatch Logs permissions. Ensure the trail is active using: "
+                                f"aws cloudtrail start-logging --name {trail_name} --region {home_region}"
+                            )
+                        )
+                    )
+            else:
+                # No CloudWatch Logs delivery time found
+                findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region="global",
+                        resource_id=trail_arn,
+                        checked_value="LatestCloudWatchLogsDeliveryTime: within last 24 hours",
+                        actual_value=f"Organization trail '{trail_name}' has no record of delivering logs to CloudWatch Logs",
+                        remediation=(
+                            f"Check the CloudTrail configuration and CloudWatch Logs permissions. Ensure the trail is active using: "
+                            f"aws cloudtrail start-logging --name {trail_name} --region {home_region}"
+                        )
+                    )
+                )
+        return findings

sraverify/services/cloudtrail/checks/sra_cloudtrail_10.py ADDED Viewed

@@ -0,0 +1,162 @@
+"""
+SRA-CLOUDTRAIL-10: Organization CloudTrail Log File Validation Digest Delivery.
+"""
+from typing import List, Dict, Any
+from datetime import datetime, timedelta, timezone
+from sraverify.services.cloudtrail.base import CloudTrailCheck
+from sraverify.core.logging import logger
+class SRA_CLOUDTRAIL_10(CloudTrailCheck):
+    """Check if organization trails are delivering log file validation digest files."""
+    def __init__(self):
+        """Initialize the check."""
+        super().__init__()
+        self.check_id = "SRA-CLOUDTRAIL-10"
+        self.check_name = "Organization trail is configured to deliver Log file validation digest files to destination bucket"
+        self.account_type = "management"
+        self.severity = "MEDIUM"
+        self.description = (
+            "This check verifies that log file validation digest files are being successfully delivered to a S3 bucket."
+        )
+        self.check_logic = (
+            "Check if organization trails have LatestDigestDeliveryTime within the last 24 hours."
+        )
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        Returns:
+            List of findings
+        """
+        findings = []
+        # Get organization trails
+        org_trails = self.get_organization_trails()
+        if not org_trails:
+            findings.append(
+                self.create_finding(
+                    status="FAIL",
+                    region="global",
+                    resource_id=f"organization/{self.account_id}",
+                    checked_value="LatestDigestDeliveryTime: within last 24 hours",
+                    actual_value="No organization trails found",
+                    remediation=(
+                        "Create an organization trail with log file validation in the management account using the AWS CLI command: "
+                        f"aws cloudtrail create-trail --name org-trail --is-organization-trail --s3-bucket-name cloudtrail-logs-{self.account_id} "
+                        f"--enable-log-file-validation --is-multi-region-trail --region {self.regions[0] if self.regions else 'us-east-1'}"
+                    )
+                )
+            )
+            return findings
+        # Check each organization trail for digest delivery
+        for trail in org_trails:
+            trail_name = trail.get('Name', 'Unknown')
+            trail_arn = trail.get('TrailARN', 'Unknown')
+            home_region = trail.get('HomeRegion', 'Unknown')
+            log_file_validation_enabled = trail.get('LogFileValidationEnabled', False)
+            s3_bucket_name = trail.get('S3BucketName', 'Unknown')
+            # Skip trails without log file validation enabled
+            if not log_file_validation_enabled:
+                findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region="global",
+                        resource_id=trail_arn,
+                        checked_value="LatestDigestDeliveryTime: within last 24 hours",
+                        actual_value=f"Organization trail '{trail_name}' does not have log file validation enabled",
+                        remediation=(
+                            f"Enable log file validation for the organization trail '{trail_name}' using the AWS CLI command: "
+                            f"aws cloudtrail update-trail --name {trail_name} --enable-log-file-validation --region {home_region}"
+                        )
+                    )
+                )
+                continue
+            # Get trail status to check digest delivery
+            trail_status = self.get_trail_status(home_region, trail_arn)
+            latest_digest_delivery_time_str = trail_status.get('LatestDigestDeliveryTime', None)
+            latest_digest_delivery_error = trail_status.get('LatestDigestDeliveryError', None)
+            # Use the trail ARN with digest info as the resource ID
+            resource_id = f"cloudtrail arn of digest within 24 hrs = true"
+            # Check if digest delivery time exists and is within the last 24 hours
+            if latest_digest_delivery_time_str:
+                try:
+                    # Convert string to datetime object
+                    if isinstance(latest_digest_delivery_time_str, str):
+                        latest_delivery_time = datetime.fromisoformat(latest_digest_delivery_time_str.replace('Z', '+00:00'))
+                    else:
+                        # Assume it's already a datetime object
+                        latest_delivery_time = latest_digest_delivery_time_str
+                    # Get current time in UTC
+                    now = datetime.now(timezone.utc)
+                    # Check if delivery was within the last 24 hours
+                    if now - latest_delivery_time < timedelta(hours=24):
+                        # Trail is delivering digest files within the last 24 hours
+                        findings.append(
+                            self.create_finding(
+                                status="PASS",
+                                region="global",
+                                resource_id=resource_id,
+                                checked_value="LatestDigestDeliveryTime: within last 24 hours",
+                                actual_value=f"Organization trail '{trail_name}' is delivering log file validation digest files to S3 bucket '{s3_bucket_name}', latest delivery time: {latest_digest_delivery_time_str}",
+                                remediation="No remediation needed"
+                            )
+                        )
+                    else:
+                        # Trail has not delivered digest files within the last 24 hours
+                        findings.append(
+                            self.create_finding(
+                                status="FAIL",
+                                region="global",
+                                resource_id=resource_id,
+                                checked_value="LatestDigestDeliveryTime: within last 24 hours",
+                                actual_value=f"Organization trail '{trail_name}' has not delivered log file validation digest files to S3 bucket '{s3_bucket_name}' within the last 24 hours, latest delivery time: {latest_digest_delivery_time_str}",
+                                remediation=(
+                                    f"Check the CloudTrail configuration and S3 bucket permissions. Ensure the trail is active using: "
+                                    f"aws cloudtrail start-logging --name {trail_name} --region {home_region}"
+                                )
+                            )
+                        )
+                except (ValueError, TypeError) as e:
+                    # Error parsing delivery time
+                    findings.append(
+                        self.create_finding(
+                            status="FAIL",
+                            region="global",
+                            resource_id=trail_arn,
+                            checked_value="LatestDigestDeliveryTime: within last 24 hours",
+                            actual_value=f"Organization trail '{trail_name}' has an invalid digest delivery time format: {latest_digest_delivery_time_str}, error: {str(e)}",
+                            remediation=(
+                                f"Check the CloudTrail configuration and S3 bucket permissions. Ensure the trail is active using: "
+                                f"aws cloudtrail start-logging --name {trail_name} --region {home_region}"
+                            )
+                        )
+                    )
+            else:
+                # No digest delivery time found
+                findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region="global",
+                        resource_id=trail_arn,
+                        checked_value="LatestDigestDeliveryTime: within last 24 hours",
+                        actual_value=f"Organization trail '{trail_name}' has no record of delivering log file validation digest files to S3 bucket '{s3_bucket_name}'",
+                        remediation=(
+                            f"Check the CloudTrail configuration and S3 bucket permissions. Ensure the trail is active and log file validation is enabled using: "
+                            f"aws cloudtrail update-trail --name {trail_name} --enable-log-file-validation --region {home_region} && "
+                            f"aws cloudtrail start-logging --name {trail_name} --region {home_region}"
+                        )
+                    )
+                )
+        return findings

sraverify/services/cloudtrail/checks/sra_cloudtrail_11.py ADDED Viewed

@@ -0,0 +1,178 @@
+"""
+SRA-CLOUDTRAIL-11: Organization CloudTrail Logs Centralized in Log Archive Account.
+"""
+from typing import List, Dict, Any
+from sraverify.services.cloudtrail.base import CloudTrailCheck
+from sraverify.core.logging import logger
+class SRA_CLOUDTRAIL_11(CloudTrailCheck):
+    """Check if organization trails logs are delivered to a centralized S3 bucket in the Log Archive account."""
+    def __init__(self):
+        """Initialize the check."""
+        super().__init__()
+        self.check_id = "SRA-CLOUDTRAIL-11"
+        self.check_name = "Organization trail Logs are delivered to a centralized S3 bucket in the Log Archive Account"
+        self.account_type = "management"
+        self.severity = "HIGH"
+        self.description = (
+            "This check verifies whether the corresponding S3 buckets that stores organization trail logs "
+            "in created in Log Archive account. This separates the management and usage of CloudTrail log "
+            "privileges. The Log Archive account is dedicated to ingesting and archiving all security-related "
+            "logs and backups."
+        )
+        self.check_logic = (
+            "Check if organization trails are configured to deliver logs to S3 buckets owned by "
+            "the Log Archive account by comparing the S3 bucket ARN with the provided Log Archive account IDs."
+        )
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        Returns:
+            List of findings
+        """
+        findings = []
+        # Get organization trails
+        org_trails = self.get_organization_trails()
+        if not org_trails:
+            findings.append(
+                self.create_finding(
+                    status="FAIL",
+                    region="global",
+                    resource_id=f"organization/{self.account_id}",
+                    checked_value="S3 bucket in Log Archive account",
+                    actual_value="No organization trails found",
+                    remediation=(
+                        "Create an organization trail with S3 bucket in the Log Archive account using the AWS CLI command: "
+                        "aws cloudtrail create-trail --name org-trail --is-organization-trail "
+                        "--s3-bucket-name aws-controltower-logs-{LOG_ARCHIVE_ACCOUNT_ID}-{REGION}"
+                    )
+                )
+            )
+            return findings
+        # Check if log_archive_accounts is provided via _log_archive_accounts attribute
+        log_archive_accounts = []
+        if hasattr(self, '_log_archive_accounts') and self._log_archive_accounts:
+            log_archive_accounts = self._log_archive_accounts
+        if not log_archive_accounts:
+            findings.append(
+                self.create_finding(
+                    status="ERROR",
+                    region="global",
+                    resource_id=f"organization/{self.account_id}",
+                    checked_value="S3 bucket in Log Archive account",
+                    actual_value="Log Archive Account ID not provided",
+                    remediation="Provide the Log Archive account IDs using --log-archive-account flag"
+                )
+            )
+            return findings
+        # Check each organization trail for S3 bucket ownership
+        for trail in org_trails:
+            trail_name = trail.get('Name', 'Unknown')
+            trail_arn = trail.get('TrailARN', 'Unknown')
+            s3_bucket_name = trail.get('S3BucketName', '')
+            # Get the home region from the trail
+            home_region = trail.get('HomeRegion', 'Unknown')
+            # We need to determine the owner of the S3 bucket
+            # For this check, we'll use the bucket name to infer ownership
+            # Another implementation could be to make an S3 API call to get the bucket owner
+            # But for this example, we'll assume the bucket name contains the account ID or has a specific pattern
+            # Check if we can determine the bucket owner from the trail configuration
+            bucket_owner_account = None
+            # Try to get the bucket owner from the S3BucketOwnerName field if available
+            s3_bucket_owner = trail.get('S3BucketOwnerName', '')
+            if s3_bucket_owner:
+                # If we have the bucket owner name, we can check if it's in the log archive accounts
+                # This is a simplification - in reality, you'd need to map account IDs to account names
+                bucket_owner_account = s3_bucket_owner
+            # If we couldn't determine the bucket owner, check if the bucket name contains the account ID
+            if not bucket_owner_account:
+                for log_archive_account in log_archive_accounts:
+                    if log_archive_account in s3_bucket_name:
+                        bucket_owner_account = log_archive_account
+                        break
+            # Create appropriate resource IDs based on whether the bucket is in the Log Archive account
+            if bucket_owner_account and bucket_owner_account in log_archive_accounts:
+                resource_id = f"cloudtrail logs being delivered to Log Archive account {log_archive_accounts[0]} and bucket name {s3_bucket_name}"
+            else:
+                resource_id = f"cloudtrail logs not being delivered to S3 bucket in the Log Archive account"
+            # If we still couldn't determine the bucket owner, we'll need to make an API call
+            # For this example, we'll just report that we couldn't determine the bucket owner
+            if not bucket_owner_account:
+                # Generate a recommended bucket name using the first log archive account
+                recommended_bucket_name = f"aws-controltower-logs-{log_archive_accounts[0]}-{home_region}"
+                findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region="global",
+                        resource_id=resource_id,
+                        checked_value=f"S3 bucket in Log Archive account ({', '.join(log_archive_accounts)})",
+                        actual_value=(
+                            f"Organization trail '{trail_name}' is using S3 bucket '{s3_bucket_name}' "
+                            f"but the bucket owner could not be determined"
+                        ),
+                        remediation=(
+                            f"Update the organization trail '{trail_name}' to use an S3 bucket in the Log Archive account "
+                            f"using the AWS CLI command: aws cloudtrail update-trail --name {trail_name} "
+                            f"--s3-bucket-name {recommended_bucket_name}"
+                        )
+                    )
+                )
+                continue
+            # Check if the bucket owner is in the log archive accounts
+            if bucket_owner_account in log_archive_accounts:
+                # Trail is using an S3 bucket in the Log Archive account
+                findings.append(
+                    self.create_finding(
+                        status="PASS",
+                        region="global",
+                        resource_id=resource_id,
+                        checked_value=f"S3 bucket in Log Archive account ({', '.join(log_archive_accounts)})",
+                        actual_value=(
+                            f"Organization trail '{trail_name}' is using S3 bucket '{s3_bucket_name}' "
+                            f"owned by Log Archive account {bucket_owner_account}"
+                        ),
+                        remediation="No remediation needed"
+                    )
+                )
+            else:
+                # Trail is not using an S3 bucket in the Log Archive account
+                # Generate a recommended bucket name using the first log archive account
+                recommended_bucket_name = f"aws-controltower-logs-{log_archive_accounts[0]}-{home_region}"
+                findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region="global",
+                        resource_id=resource_id,
+                        checked_value=f"S3 bucket in Log Archive account ({', '.join(log_archive_accounts)})",
+                        actual_value=(
+                            f"Organization trail '{trail_name}' is using S3 bucket '{s3_bucket_name}' "
+                            f"owned by account {bucket_owner_account}, which is not a Log Archive account"
+                        ),
+                        remediation=(
+                            f"Update the organization trail '{trail_name}' to use an S3 bucket in the Log Archive account "
+                            f"using the AWS CLI command: aws cloudtrail update-trail --name {trail_name} "
+                            f"--s3-bucket-name {recommended_bucket_name}"
+                        )
+                    )
+                )
+        return findings