sraverify 0.1.0__py3-none-any.whl

sraverify/services/cloudtrail/checks/sra_cloudtrail_12.py

@@ -0,0 +1,77 @@
+"""
+SRA-CLOUDTRAIL-12: CloudTrail Delegated Administrator Configuration.
+"""
+from typing import List, Dict, Any
+from sraverify.services.cloudtrail.base import CloudTrailCheck
+from sraverify.core.logging import logger
+
+
+class SRA_CLOUDTRAIL_12(CloudTrailCheck):
+    """Check if CloudTrail service administration is delegated out of AWS Organization management account."""
+    
+    def __init__(self):
+        """Initialize the check."""
+        super().__init__()
+        self.check_id = "SRA-CLOUDTRAIL-12"
+        self.check_name = "Delegated Administrator set for CloudTrail"
+        self.account_type = "management"
+        self.severity = "MEDIUM"
+        self.description = (
+            "This check verifies whether CloudTrail service administration is delegated out of AWS Organization "
+            "management account. The delegated administrator has permissions to create and manage analyzers "
+            "with the AWS organization as the zone of trust."
+        )
+        self.check_logic = (
+            "Check if there is at least one delegated administrator for CloudTrail service."
+        )
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []
+        
+        # Get delegated administrators for CloudTrail
+        # This will use the cache if available or make API calls if needed
+        delegated_admins = self.get_delegated_administrators()
+        
+        if not delegated_admins:
+            findings.append(
+                self.create_finding(
+                    status="FAIL",
+                    region="global",
+                    resource_id=f"organization/{self.account_id}",
+                    checked_value="At least one delegated administrator for CloudTrail",
+                    actual_value="No delegated administrator configured for CloudTrail",
+                    remediation=(
+                        "Register a delegated administrator for CloudTrail using the AWS CLI command: "
+                        "aws organizations register-delegated-administrator "
+                        "--account-id ACCOUNT_ID --service-principal cloudtrail.amazonaws.com"
+                    )
+                )
+            )
+            return findings
+        
+        # If we have delegated administrators, create a PASS finding for each one
+        for admin in delegated_admins:
+            admin_id = admin.get('Id', 'Unknown')
+            admin_name = admin.get('Name', 'Unknown')
+            
+            # Create a resource ID that includes the delegated admin info
+            resource_id = f"cloudtrail arn has delegated administrator set to {admin_id}"
+            
+            findings.append(
+                self.create_finding(
+                    status="PASS",
+                    region="global",
+                    resource_id=resource_id,
+                    checked_value="At least one delegated administrator for CloudTrail",
+                    actual_value=f"CloudTrail has delegated administrator: {admin_id} ({admin_name})",
+                    remediation="No remediation needed"
+                )
+            )
+        
+        return findings

sraverify/services/cloudtrail/checks/sra_cloudtrail_13.py

@@ -0,0 +1,120 @@
+"""
+SRA-CLOUDTRAIL-13: CloudTrail Delegated Administrator is the Audit Account.
+"""
+from typing import List, Dict, Any
+from sraverify.services.cloudtrail.base import CloudTrailCheck
+from sraverify.core.logging import logger
+
+
+class SRA_CLOUDTRAIL_13(CloudTrailCheck):
+    """Check if CloudTrail delegated administrator is the Audit account."""
+    
+    def __init__(self):
+        """Initialize the check."""
+        super().__init__()
+        self.check_id = "SRA-CLOUDTRAIL-13"
+        self.check_name = "The audit account is the Delegated Administrator set for CloudTrail"
+        self.account_type = "management"
+        self.severity = "HIGH"
+        self.description = (
+            "This check verifies whether CloudTrail delegated admin account is the audit account of your AWS organization. "
+            "Audit account is dedicated to operating security services, monitoring AWS accounts, and "
+            "automating security alerting and response. CloudTrail helps monitor API activities across "
+            "all your AWS accounts and regions."
+        )
+        self.check_logic = (
+            "Check if the delegated administrator account matches any of the specified Audit account IDs."
+        )
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []
+        
+        # Get delegated administrators for CloudTrail
+        # This will use the cache if available or make API calls if needed
+        delegated_admins = self.get_delegated_administrators()
+        
+        if not delegated_admins:
+            findings.append(
+                self.create_finding(
+                    status="FAIL",
+                    region="global",
+                    resource_id=f"organization/{self.account_id}",
+                    checked_value="CloudTrail delegated administrator is an Audit account",
+                    actual_value="No delegated administrator configured for CloudTrail",
+                    remediation=(
+                        "Register an Audit account as delegated administrator for CloudTrail using the AWS CLI command: "
+                        "aws organizations register-delegated-administrator "
+                        "--account-id AUDIT_ACCOUNT_ID --service-principal cloudtrail.amazonaws.com"
+                    )
+                )
+            )
+            return findings
+        
+        # Check if audit_accounts is provided via _audit_accounts attribute
+        audit_accounts = []
+        if hasattr(self, '_audit_accounts') and self._audit_accounts:
+            audit_accounts = self._audit_accounts
+        
+        if not audit_accounts:
+            findings.append(
+                self.create_finding(
+                    status="ERROR",
+                    region="global",
+                    resource_id=f"organization/{self.account_id}",
+                    checked_value="CloudTrail delegated administrator is an Audit account",
+                    actual_value="Audit Account ID not provided",
+                    remediation="Provide the Audit account IDs using --audit-account flag"
+                )
+            )
+            return findings
+        
+        # Check if any of the delegated administrators is an Audit account
+        for admin in delegated_admins:
+            admin_id = admin.get('Id', 'Unknown')
+            admin_name = admin.get('Name', 'Unknown')
+            
+            # Create a resource ID that includes the delegated admin and audit account info
+            resource_id = f"cloudtrail arn has delegated administrator set to {admin_id}, audit account is {audit_accounts[0]}, {admin_id in audit_accounts}"
+            
+            if admin_id in audit_accounts:
+                # This delegated admin is in the audit accounts list
+                findings.append(
+                    self.create_finding(
+                        status="PASS",
+                        region="global",
+                        resource_id=resource_id,
+                        checked_value=f"CloudTrail delegated administrator is an Audit account ({', '.join(audit_accounts)})",
+                        actual_value=f"CloudTrail delegated administrator {admin_id} ({admin_name}) is an Audit account",
+                        remediation="No remediation needed"
+                    )
+                )
+            else:
+                # This delegated admin is not in the audit accounts list
+                findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region="global",
+                        resource_id=resource_id,
+                        checked_value=f"CloudTrail delegated administrator is an Audit account ({', '.join(audit_accounts)})",
+                        actual_value=(
+                            f"CloudTrail delegated administrator {admin_id} ({admin_name}) "
+                            f"is not in the specified Audit accounts ({', '.join(audit_accounts)})"
+                        ),
+                        remediation=(
+                            "Deregister the current delegated administrator and register an Audit account "
+                            "as delegated administrator for CloudTrail using the AWS CLI commands: "
+                            f"aws organizations deregister-delegated-administrator "
+                            f"--account-id {admin_id} --service-principal cloudtrail.amazonaws.com && "
+                            "aws organizations register-delegated-administrator "
+                            f"--account-id {audit_accounts[0]} --service-principal cloudtrail.amazonaws.com"
+                        )
+                    )
+                )
+        
+        return findings

sraverify/services/cloudtrail/client.py

@@ -0,0 +1,118 @@
+"""
+CloudTrail client for interacting with AWS CloudTrail service.
+"""
+from typing import Dict, List, Optional, Any
+import boto3
+from botocore.exceptions import ClientError
+from sraverify.core.logging import logger
+
+
+class CloudTrailClient:
+    """Client for interacting with AWS CloudTrail service."""
+    
+    def __init__(self, region: str, session: Optional[boto3.Session] = None):
+        """
+        Initialize CloudTrail client for a specific region.
+        
+        Args:
+            region: AWS region name
+            session: AWS session to use (if None, a new session will be created)
+        """
+        self.region = region
+        self.session = session or boto3.Session()
+        self.client = self.session.client('cloudtrail', region_name=region)
+        self.org_client = self.session.client('organizations', region_name=region)
+
+    def describe_trails(self, trail_name_list: Optional[List[str]] = None, include_shadow_trails: bool = True) -> List[Dict[str, Any]]:
+        """
+        Describe one or more trails.
+        
+        Args:
+            trail_name_list: List of trail names to describe (if None, all trails are described)
+            include_shadow_trails: Include shadow trails in the response
+            
+        Returns:
+            List of trail descriptions
+        """
+        try:
+            params = {}
+            if trail_name_list:
+                params['trailNameList'] = trail_name_list
+            params['includeShadowTrails'] = include_shadow_trails
+            
+            logger.debug(f"Describing trails in {self.region} with params: {params}")
+            response = self.client.describe_trails(**params)
+            return response.get('trailList', [])
+        except ClientError as e:
+            logger.error(f"Error describing trails in {self.region}: {e}")
+            return []
+        except Exception as e:
+            logger.error(f"Unexpected error describing trails in {self.region}: {e}")
+            return []
+    
+    def get_trail_status(self, trail_arn: str) -> Dict[str, Any]:
+        """
+        Get the status of a trail.
+        
+        Args:
+            trail_arn: ARN of the trail
+            
+        Returns:
+            Trail status
+        """
+        try:
+            logger.debug(f"Getting status for trail {trail_arn} in {self.region}")
+            response = self.client.get_trail_status(Name=trail_arn)
+            return response
+        except ClientError as e:
+            logger.error(f"Error getting trail status for {trail_arn} in {self.region}: {e}")
+            return {}
+        except Exception as e:
+            logger.error(f"Unexpected error getting trail status for {trail_arn} in {self.region}: {e}")
+            return {}
+    
+    def list_delegated_administrators(self, service_principal: str = "cloudtrail.amazonaws.com") -> List[Dict[str, Any]]:
+        """
+        List delegated administrators for CloudTrail.
+        
+        Args:
+            service_principal: Service principal to check for delegated administrators
+            
+        Returns:
+            List of delegated administrators
+        """
+        try:
+            logger.debug(f"Listing delegated administrators for {service_principal} in {self.region}")
+            response = self.org_client.list_delegated_administrators(ServicePrincipal=service_principal)
+            delegated_admins = response.get('DelegatedAdministrators', [])
+            logger.debug(f"Found {len(delegated_admins)} delegated administrators for {service_principal}")
+            for admin in delegated_admins:
+                logger.debug(f"Delegated admin: {admin.get('Id')} - {admin.get('Name')}")
+            return delegated_admins
+        except ClientError as e:
+            logger.error(f"Error listing delegated administrators for {service_principal}: {e}")
+            return []
+        except Exception as e:
+            logger.error(f"Unexpected error listing delegated administrators: {e}")
+            return []
+    
+    def get_account_id(self) -> Optional[str]:
+        """
+        Get the current account ID.
+        
+        Returns:
+            Current account ID or None if not available
+        """
+        try:
+            logger.debug(f"Getting current account ID in {self.region}")
+            sts_client = self.session.client("sts")
+            response = sts_client.get_caller_identity()
+            account_id = response["Account"]
+            logger.debug(f"Current account ID: {account_id}")
+            return account_id
+        except ClientError as e:
+            logger.error(f"Error getting current account ID: {e}")
+            return None
+        except Exception as e:
+            logger.error(f"Unexpected error getting current account ID: {e}")
+            return None

sraverify/services/config/__init__.py

@@ -0,0 +1,25 @@
+"""
+AWS Config security checks.
+"""
+from sraverify.services.config.checks.sra_config_01 import SRA_CONFIG_01
+from sraverify.services.config.checks.sra_config_02 import SRA_CONFIG_02
+from sraverify.services.config.checks.sra_config_03 import SRA_CONFIG_03
+from sraverify.services.config.checks.sra_config_04 import SRA_CONFIG_04
+from sraverify.services.config.checks.sra_config_05 import SRA_CONFIG_05
+from sraverify.services.config.checks.sra_config_06 import SRA_CONFIG_06
+from sraverify.services.config.checks.sra_config_07 import SRA_CONFIG_07
+from sraverify.services.config.checks.sra_config_08 import SRA_CONFIG_08
+from sraverify.services.config.checks.sra_config_09 import SRA_CONFIG_09
+
+# Register checks
+CHECKS = {
+    "SRA-CONFIG-01": SRA_CONFIG_01,
+    "SRA-CONFIG-02": SRA_CONFIG_02,
+    "SRA-CONFIG-03": SRA_CONFIG_03,
+    "SRA-CONFIG-04": SRA_CONFIG_04,
+    "SRA-CONFIG-05": SRA_CONFIG_05,
+    "SRA-CONFIG-06": SRA_CONFIG_06,
+    "SRA-CONFIG-07": SRA_CONFIG_07,
+    "SRA-CONFIG-08": SRA_CONFIG_08,
+    "SRA-CONFIG-09": SRA_CONFIG_09,
+}

sraverify/services/config/base.py

@@ -0,0 +1,249 @@
+"""
+Base class for AWS Config security checks.
+"""
+from typing import List, Optional, Dict, Any
+from sraverify.core.check import SecurityCheck
+from sraverify.services.config.client import ConfigClient
+from sraverify.core.logging import logger
+
+
+class ConfigCheck(SecurityCheck):
+    """Base class for all AWS Config security checks."""
+    
+    # Class-level caches shared across all instances
+    _config_recorder_status_cache = {}
+    _config_delivery_channel_status_cache = {}
+    _config_organization_aggregator = {}
+    _config_delivery_channel_cache = {}
+    _config_delegated_admin_cache = {}
+    
+    # Config service principals
+    CONFIG_SERVICE_PRINCIPALS = [
+        "config.amazonaws.com",
+        "config-multiaccountsetup.amazonaws.com"
+    ]
+    
+    def __init__(self):
+        """Initialize Config base check."""
+        super().__init__(
+            account_type="account",  # Default to account, can be overridden in child classes
+            service="Config",
+            resource_type="AWS::Config::ConfigurationRecorder"
+        )
+    
+    def _setup_clients(self):
+        """Set up Config clients for each region."""
+        # Clear existing clients
+        self._clients.clear()
+        # Set up new clients only if regions are initialized
+        if hasattr(self, 'regions') and self.regions:
+            for region in self.regions:
+                self._clients[region] = ConfigClient(region, session=self.session)
+    
+    def get_client(self, region: str) -> Optional[ConfigClient]:
+        """
+        Get Config client for a specific region.
+        
+        Args:
+            region: AWS region name
+            
+        Returns:
+            ConfigClient for the region or None if not available
+        """
+        return self._clients.get(region)
+    
+    def get_configuration_recorders(self, region: str) -> List[Dict[str, Any]]:
+        """
+        Get configuration recorders for a specific region.
+        
+        Args:
+            region: AWS region name
+            
+        Returns:
+            List of configuration recorders
+        """
+        # Get client for the region
+        client = self.get_client(region)
+        if not client:
+            logger.warning(f"No Config client available for region {region}")
+            return []
+        
+        # Get configuration recorders from client
+        recorders = client.describe_configuration_recorders()
+        logger.debug(f"Found {len(recorders)} configuration recorders for {region}")
+        
+        return recorders
+    
+    def get_configuration_recorder_status(self, region: str) -> List[Dict[str, Any]]:
+        """
+        Get configuration recorder status for a specific region with caching.
+        
+        Args:
+            region: AWS region name
+            
+        Returns:
+            List of configuration recorder statuses
+        """
+        # Check cache first
+        cache_key = f"{region}:{self.session.region_name}"
+        if cache_key in self.__class__._config_recorder_status_cache:
+            logger.debug(f"Using cached configuration recorder status for {region}")
+            return self.__class__._config_recorder_status_cache[cache_key]
+        
+        # Get client for the region
+        client = self.get_client(region)
+        if not client:
+            logger.warning(f"No Config client available for region {region}")
+            return []
+        
+        # Get configuration recorder status from client
+        statuses = client.describe_configuration_recorder_status()
+        
+        # Cache the results - store the complete response
+        self.__class__._config_recorder_status_cache[cache_key] = statuses
+        logger.debug(f"Cached {len(statuses)} configuration recorder statuses for {region}")
+        
+        return statuses
+    
+    def get_delivery_channels(self, region: str) -> List[Dict[str, Any]]:
+        """
+        Get delivery channels for a specific region.
+        
+        Args:
+            region: AWS region name
+            
+        Returns:
+            List of delivery channels
+        """
+        # Check cache first
+        cache_key = f"{region}:{self.session.region_name}"
+        if cache_key in self.__class__._config_delivery_channel_cache:
+            logger.debug(f"Using cached delivery channels for {region}")
+            return self.__class__._config_delivery_channel_cache[cache_key]
+            
+        # Get client for the region
+        client = self.get_client(region)
+        if not client:
+            logger.warning(f"No Config client available for region {region}")
+            return []
+        
+        # Get delivery channels from client
+        channels = client.describe_delivery_channels()
+        
+        # Cache the results
+        self.__class__._config_delivery_channel_cache[cache_key] = channels
+        logger.debug(f"Cached {len(channels)} delivery channels for {region}")
+        
+        return channels
+    
+    def get_delivery_channel_status(self, region: str) -> List[Dict[str, Any]]:
+        """
+        Get delivery channel status for a specific region with caching.
+        
+        Args:
+            region: AWS region name
+            
+        Returns:
+            List of delivery channel statuses
+        """
+        # Check cache first
+        cache_key = f"{region}:{self.session.region_name}"
+        if cache_key in self.__class__._config_delivery_channel_status_cache:
+            logger.debug(f"Using cached delivery channel status for {region}")
+            return self.__class__._config_delivery_channel_status_cache[cache_key]
+        
+        # Get client for the region
+        client = self.get_client(region)
+        if not client:
+            logger.warning(f"No Config client available for region {region}")
+            return []
+        
+        # Get delivery channel status from client
+        statuses = client.describe_delivery_channel_status()
+        
+        # Cache the results - store the complete response
+        self.__class__._config_delivery_channel_status_cache[cache_key] = statuses
+        logger.debug(f"Cached {len(statuses)} delivery channel statuses for {region}")
+        
+        return statuses
+        
+    def get_configuration_aggregators(self, region: str) -> List[Dict[str, Any]]:
+        """
+        Get configuration aggregators for a specific region with caching.
+        
+        Args:
+            region: AWS region name
+            
+        Returns:
+            List of configuration aggregators
+        """
+        # Check cache first
+        cache_key = f"{region}:{self.session.region_name}"
+        if cache_key in self.__class__._config_organization_aggregator:
+            logger.debug(f"Using cached configuration aggregators for {region}")
+            return self.__class__._config_organization_aggregator[cache_key]
+        
+        # Get client for the region
+        client = self.get_client(region)
+        if not client:
+            logger.warning(f"No Config client available for region {region}")
+            return []
+        
+        # Get configuration aggregators from client
+        aggregators = client.describe_configuration_aggregators()
+        
+        # Cache the results
+        self.__class__._config_organization_aggregator[cache_key] = aggregators
+        logger.debug(f"Cached {len(aggregators)} configuration aggregators for {region}")
+        
+        return aggregators
+        
+    def get_delegated_administrators(self, service_principal=None) -> List[Dict[str, Any]]:
+        """
+        Get Config delegated administrators with caching.
+        
+        Args:
+            service_principal: Optional specific service principal to check
+            
+        Returns:
+            List of delegated administrators
+        """
+        if not self.regions:
+            logger.warning("No regions specified")
+            return []
+        
+        account_id = self.account_id
+        if not account_id:
+            logger.warning("Could not determine account ID")
+            return []
+        
+        # If a specific service principal is provided, only check that one
+        service_principals = [service_principal] if service_principal else self.CONFIG_SERVICE_PRINCIPALS
+        
+        all_delegated_admins = []
+        
+        for sp in service_principals:
+            # Check cache first
+            cache_key = f"{account_id}:{self.session.region_name}:{sp}"
+            if cache_key in self.__class__._config_delegated_admin_cache:
+                logger.debug(f"Using cached delegated administrators for {cache_key}")
+                admins = self.__class__._config_delegated_admin_cache[cache_key]
+                all_delegated_admins.extend(admins)
+                continue
+            
+            # Use any region to get delegated administrators
+            client = self.get_client(self.regions[0])
+            if not client:
+                logger.warning("No Config client available")
+                continue
+            
+            # Get delegated administrators from client
+            delegated_admins = client.list_delegated_administrators(sp)
+            
+            # Cache the results
+            self.__class__._config_delegated_admin_cache[cache_key] = delegated_admins
+            logger.debug(f"Cached {len(delegated_admins)} delegated administrators for {cache_key}")
+            
+            all_delegated_admins.extend(delegated_admins)
+        
+        return all_delegated_admins

sraverify/services/config/checks/__init__.py

@@ -0,0 +1 @@
+"""Config checks package."""