sraverify 0.1.0__py3-none-any.whl

sraverify/services/config/checks/sra_config_01.py

@@ -0,0 +1,123 @@
+"""
+SRA-CONFIG-01: AWS Config Recorder Configured.
+"""
+from typing import List, Dict, Any
+from sraverify.services.config.base import ConfigCheck
+from sraverify.core.logging import logger
+
+
+class SRA_CONFIG_01(ConfigCheck):
+    """Check if AWS Config recorder is configured in each region."""
+    
+    def __init__(self):
+        """Initialize the check."""
+        super().__init__()
+        self.check_id = "SRA-CONFIG-01"
+        self.check_name = "AWS Config recorder is configured in this region"
+        self.account_type = "application"  
+        self.severity = "HIGH"
+        self.description = (
+            "This check verifies that a configuration recorder exists in the AWS Region. "
+            "AWS Config uses the configuration recorder to detect changes in your resource configurations "
+            "and capture these changes as configuration items. You must create a configuration recorder "
+            "in every AWS Region for AWS Config can track your resource configurations in the region."
+        )
+        self.check_logic = (
+            "Checks if AWS Config recorder exists in each region using describe-configuration-recorder-status API."
+        )
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []
+        
+        if not self.regions:
+            findings.append(
+                self.create_finding(
+                    status="ERROR",
+                    region="global",
+                    resource_id="config:global",
+                    actual_value="No regions specified for check",
+                    remediation="Specify at least one region when running the check"
+                )
+            )
+            return findings
+        
+        # Check each region for configuration recorder
+        for region in self.regions:
+            # Get configuration recorders for the region
+            recorders = self.get_configuration_recorders(region)
+            
+            # Get configuration recorder status for the region
+            recorder_statuses = self.get_configuration_recorder_status(region)
+            
+            if not recorders:
+                # No configuration recorder found in this region
+                findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=f"arn:aws:config:{region}:{self.account_id}:configurationRecorder/default",
+                        actual_value="No configuration recorder found in this region",
+                        remediation=(
+                            f"1. Check if the AWS Config service-linked role exists: aws iam get-role --role-name AWSServiceRoleForConfig. "
+                            f"2. If the role doesn't exist, create it: aws iam create-service-linked-role --aws-service-name config.amazonaws.com. "
+                            f"3. Create a configuration recorder in {region}: aws configservice put-configuration-recorder --configuration-recorder name=default,roleARN=arn:aws:iam::{self.account_id}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig --recording-group allSupported=true,includeGlobalResourceTypes=true --region {region}"
+                        )
+                    )
+                )
+            else:
+                # Configuration recorder exists, check if it's enabled
+                recorder_name = recorders[0].get('name', 'default')
+                recorder_role_arn = recorders[0].get('roleARN', '')
+                
+                # Construct the Config Recorder ARN
+                recorder_arn = f"arn:aws:config:{region}:{self.account_id}:configurationRecorder/{recorder_name}"
+                
+                # Find the status for this recorder
+                recorder_status = next((status for status in recorder_statuses if status.get('name') == recorder_name), None)
+                
+                if recorder_status and recorder_status.get('recording', False):
+                    # Configuration recorder exists and is recording
+                    findings.append(
+                        self.create_finding(
+                            status="PASS",
+                            region=region,
+                            resource_id=recorder_arn,
+                            actual_value=f"Configuration recorder '{recorder_name}' exists and is recording",
+                            remediation="No remediation needed"
+                        )
+                    )
+                elif recorder_status:
+                    # Configuration recorder exists but is not recording
+                    findings.append(
+                        self.create_finding(
+                            status="FAIL",
+                            region=region,
+                            resource_id=recorder_arn,
+                            actual_value=f"Configuration recorder '{recorder_name}' exists but is not recording",
+                            remediation=(
+                                f"Start the configuration recorder in {region} using the AWS CLI command: "
+                                f"aws configservice start-configuration-recorder --configuration-recorder-name {recorder_name} --region {region}"
+                            )
+                        )
+                    )
+                else:
+                    # Configuration recorder exists but no status found
+                    findings.append(
+                        self.create_finding(
+                            status="FAIL",
+                            region=region,
+                            resource_id=recorder_arn,
+                            actual_value=f"Configuration recorder '{recorder_name}' exists but status could not be determined",
+                            remediation=(
+                                f"Check the configuration recorder status in {region} and ensure it's properly configured"
+                            )
+                        )
+                    )
+        
+        return findings

sraverify/services/config/checks/sra_config_02.py

@@ -0,0 +1,156 @@
+"""
+SRA-CONFIG-02: AWS Config Delivery Channel Configured.
+"""
+from typing import List, Dict, Any
+from sraverify.services.config.base import ConfigCheck
+from sraverify.core.logging import logger
+
+
+class SRA_CONFIG_02(ConfigCheck):
+    """Check if AWS Config recorder is running."""
+    
+    def __init__(self):
+        """Initialize the check."""
+        super().__init__()
+        self.check_id = "SRA-CONFIG-02"
+        self.check_name = "AWS Config recorder is running"
+        self.account_type = "application"  
+        self.severity = "HIGH"
+        self.description = (
+            "This check verifies that configuration recorder is running. AWS Config configuration "
+            "recorder must be started and running to record resource configurations. If you set up "
+            "AWS Config by using the console or the AWS CLI, AWS Config automatically creates and "
+            "then starts the configuration recorder for you. Users with right permission have the "
+            "ability to stop configuration recorder."
+        )
+        self.check_logic = (
+            "Checks if AWS Config recorder is running by verifying the lastStatus is SUCCESS."
+        )
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []
+        
+        if not self.regions:
+            findings.append(
+                self.create_finding(
+                    status="ERROR",
+                    region="global",
+                    resource_id="config:global",
+                    actual_value="No regions specified for check",
+                    remediation="Specify at least one region when running the check"
+                )
+            )
+            return findings
+        
+        # Check each region for configuration recorder status
+        for region in self.regions:
+            # Get configuration recorders for the region
+            recorders = self.get_configuration_recorders(region)
+            
+            # Get configuration recorder status for the region
+            recorder_statuses = self.get_configuration_recorder_status(region)
+            
+            if not recorders:
+                # No configuration recorder found in this region
+                findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=f"arn:aws:config:{region}:{self.account_id}:configurationRecorder/default",
+                        actual_value="No configuration recorder found in this region",
+                        remediation=(
+                            f"First create a configuration recorder in {region} using: aws configservice put-configuration-recorder --configuration-recorder name=default,roleARN=arn:aws:iam::{self.account_id}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig --recording-group allSupported=true,includeGlobalResourceTypes=true --region {region}. "
+                            f"Then start the recorder with: aws configservice start-configuration-recorder --configuration-recorder-name default --region {region}"
+                        )
+                    )
+                )
+                continue
+            
+            # Configuration recorder exists, check if it's running
+            recorder_name = recorders[0].get('name', 'default')
+            
+            # Find the status for this recorder
+            recorder_status = next((status for status in recorder_statuses if status.get('name') == recorder_name), None)
+            
+            # Get the full ARN from the status if available
+            recorder_arn = None
+            if recorder_status and 'arn' in recorder_status:
+                recorder_arn = recorder_status.get('arn')
+            else:
+                # Construct the Config Recorder ARN if not available in status
+                recorder_arn = f"arn:aws:config:{region}:{self.account_id}:configurationRecorder/{recorder_name}"
+            
+            if not recorder_status:
+                # No status found for this recorder
+                findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=recorder_arn,
+                        actual_value=f"Configuration recorder '{recorder_name}' exists but status could not be determined",
+                        remediation=(
+                            f"Check the configuration recorder status in {region} and ensure it's properly configured"
+                        )
+                    )
+                )
+                continue
+            
+            # Check if the recorder is recording
+            is_recording = recorder_status.get('recording', False)
+            last_status = recorder_status.get('lastStatus', 'UNKNOWN')
+            last_error_code = recorder_status.get('lastErrorCode', '')
+            last_error_message = recorder_status.get('lastErrorMessage', '')
+            
+            if is_recording and last_status == "SUCCESS":
+                # Configuration recorder is running successfully
+                findings.append(
+                    self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=recorder_arn,
+                        actual_value=f"Configuration recorder '{recorder_name}' is running with lastStatus: SUCCESS",
+                        remediation="No remediation needed"
+                    )
+                )
+            elif is_recording:
+                # Configuration recorder is recording but not in SUCCESS state
+                error_info = f"lastStatus: {last_status}"
+                if last_error_code:
+                    error_info += f", errorCode: {last_error_code}"
+                if last_error_message:
+                    error_info += f", errorMessage: {last_error_message}"
+                
+                findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=recorder_arn,
+                        actual_value=f"Configuration recorder '{recorder_name}' is recording but has issues: {error_info}",
+                        remediation=(
+                            f"Check the AWS Config logs and permissions in {region}. "
+                            f"Ensure the Config service role has the necessary permissions to record resources."
+                        )
+                    )
+                )
+            else:
+                # Configuration recorder is not recording
+                findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=recorder_arn,
+                        actual_value=f"Configuration recorder '{recorder_name}' is not recording",
+                        remediation=(
+                            f"Start the configuration recorder in {region} using the AWS CLI command: "
+                            f"aws configservice start-configuration-recorder --configuration-recorder-name {recorder_name} --region {region}"
+                        )
+                    )
+                )
+        
+        return findings

sraverify/services/config/checks/sra_config_03.py

@@ -0,0 +1,149 @@
+"""
+SRA-CONFIG-03: AWS Config Recording All Resource Types.
+"""
+from typing import List, Dict, Any
+from sraverify.services.config.base import ConfigCheck
+from sraverify.core.logging import logger
+
+
+class SRA_CONFIG_03(ConfigCheck):
+    """Check if AWS Config latest recording event is processed successfully."""
+    
+    def __init__(self):
+        """Initialize the check."""
+        super().__init__()
+        self.check_id = "SRA-CONFIG-03"
+        self.check_name = "AWS Config latest recording event is processed successfully"
+        self.account_type = "application"  # This check applies to all account types
+        self.severity = "HIGH"
+        self.description = (
+            "This check verifies whether the last delivery attempt to the delivery channel was successful "
+            "to ensure you receive configuration change notifications. As AWS Config continually records "
+            "the changes that occur to your AWS resources, it sends notifications and updated configuration "
+            "states through the delivery channel."
+        )
+        self.check_logic = (
+            "Checks if the lastStatus of the delivery channel is SUCCESS."
+        )
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []
+        
+        if not self.regions:
+            findings.append(
+                self.create_finding(
+                    status="ERROR",
+                    region="global",
+                    resource_id="config:global",
+                    actual_value="No regions specified for check",
+                    remediation="Specify at least one region when running the check"
+                )
+            )
+            return findings
+        
+        # Check each region for delivery channel status
+        for region in self.regions:
+            # Get delivery channels for the region
+            channels = self.get_delivery_channels(region)
+            
+            # Get delivery channel status for the region
+            channel_statuses = self.get_delivery_channel_status(region)
+            
+            if not channels:
+                # No delivery channel found in this region
+                findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=f"arn:aws:config:{region}:{self.account_id}:deliveryChannel/default",
+                        actual_value="No delivery channel found in this region",
+                        remediation=(
+                            f"Create a delivery channel in {region} using: aws configservice put-delivery-channel --delivery-channel name=default,s3BucketName=config-bucket-{self.account_id},snsTopicARN=arn:aws:sns:{region}:{self.account_id}:config-notifications --region {region}. "
+                            f"Note: You must first create an S3 bucket and SNS topic with appropriate permissions for AWS Config."
+                        )
+                    )
+                )
+                continue
+            
+            if not channel_statuses:
+                # No delivery channel status found in this region
+                findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=f"arn:aws:config:{region}:{self.account_id}:deliveryChannel/default",
+                        actual_value="No delivery channel status found in this region",
+                        remediation=(
+                            f"Check the delivery channel configuration in {region} and ensure it's properly configured. "
+                            f"Verify S3 bucket permissions and SNS topic permissions are correctly set up for AWS Config."
+                        )
+                    )
+                )
+                continue
+            
+            # Check each delivery channel status
+            for status in channel_statuses:
+                channel_name = status.get('name', 'default')
+                resource_id = f"config:deliveryChannel:{channel_name}"
+                
+                # Check configHistoryDeliveryInfo - this is the most important one
+                history_info = status.get('configHistoryDeliveryInfo', {})
+                history_status = history_info.get('lastStatus', 'UNKNOWN')
+                history_attempt_time = history_info.get('lastAttemptTime', 'UNKNOWN')
+                history_success_time = history_info.get('lastSuccessfulTime', 'UNKNOWN')
+                
+                # Check configSnapshotDeliveryInfo - may be UNKNOWN if no snapshot has been taken yet
+                snapshot_info = status.get('configSnapshotDeliveryInfo', {})
+                snapshot_status = snapshot_info.get('lastStatus', 'UNKNOWN')
+                
+                # Check configStreamDeliveryInfo - may be NOT_APPLICABLE if streaming is not configured
+                stream_info = status.get('configStreamDeliveryInfo', {})
+                stream_status = stream_info.get('lastStatus', 'UNKNOWN')
+                
+                # Determine overall status - focus on history delivery as the primary indicator
+                # Stream may be NOT_APPLICABLE and snapshot may be UNKNOWN if not configured/used
+                if history_status == "SUCCESS":
+                    # History delivery is successful, which is the most important
+                    findings.append(
+                        self.create_finding(
+                            status="PASS",
+                            region=region,
+                            resource_id=resource_id,
+                            actual_value=(
+                                f"Delivery channel '{channel_name}' is processing events successfully: "
+                                f"Config History: {history_status} (Last success: {history_success_time}), "
+                                f"Config Snapshot: {snapshot_status}, "
+                                f"Config Stream: {stream_status}"
+                            ),
+                            remediation="No remediation needed"
+                        )
+                    )
+                else:
+                    # History delivery is not successful
+                    findings.append(
+                        self.create_finding(
+                            status="FAIL",
+                            region=region,
+                            resource_id=resource_id,
+                            actual_value=(
+                                f"Delivery channel '{channel_name}' has issues processing events: "
+                                f"Config History: {history_status} (Last attempt: {history_attempt_time}), "
+                                f"Config Snapshot: {snapshot_status}, "
+                                f"Config Stream: {stream_status}"
+                            ),
+                            remediation=(
+                                "Check the following: 1. S3 bucket permissions - ensure Config has write access. "
+                                "2. SNS topic permissions - ensure Config can publish to the topic. "
+                                "3. IAM role permissions - ensure Config service role has necessary permissions. "
+                                "4. Check CloudWatch Logs for Config service errors."
+                            )
+                        )
+                    )
+        
+        return findings

sraverify/services/config/checks/sra_config_04.py

@@ -0,0 +1,104 @@
+"""
+SRA-CONFIG-04: AWS Config Recording Global Resources.
+"""
+from typing import List, Dict, Any
+from sraverify.services.config.base import ConfigCheck
+from sraverify.core.logging import logger
+
+
+class SRA_CONFIG_04(ConfigCheck):
+    """Check if AWS Config has an organization aggregator."""
+    
+    def __init__(self):
+        """Initialize the check."""
+        super().__init__()
+        self.check_id = "SRA-CONFIG-04"
+        self.check_name = "AWS Config has organization aggregator"
+        self.account_type = "audit"  # This check applies to audit account
+        self.severity = "HIGH"
+        self.description = (
+            "This check verifies that a AWS Config aggregator exists in the AWS Region that collects "
+            "configuration and compliance data from all member accounts of the AWS Organization. "
+            "It periodically retrieves configuration snapshots from the source accounts and stores "
+            "them in the designated S3 bucket."
+        )
+        self.check_logic = (
+            "Checks if AWS Config aggregator exists using describe-configuration-aggregators API."
+        )
+        self.resource_type = "AWS::Config::ConfigurationAggregator"
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []
+        
+        if not self.regions:
+            findings.append(
+                self.create_finding(
+                    status="ERROR",
+                    region="global",
+                    resource_id="config:global",
+                    checked_value="Configuration aggregator exists",
+                    actual_value="No regions specified for check",
+                    remediation="Specify at least one region when running the check"
+                )
+            )
+            return findings
+        
+        # Check if an organization aggregator exists in any region
+        found_org_aggregator = False
+        org_aggregator_region = None
+        org_aggregator_name = None
+        org_aggregator_arn = None
+        
+        for region in self.regions:
+            # Get configuration aggregators for the region using the cache
+            aggregators = self.get_configuration_aggregators(region)
+            
+            # Check if any of the aggregators is an organization aggregator
+            for aggregator in aggregators:
+                if 'OrganizationAggregationSource' in aggregator:
+                    found_org_aggregator = True
+                    org_aggregator_region = region
+                    org_aggregator_name = aggregator.get('ConfigurationAggregatorName', 'Unknown')
+                    org_aggregator_arn = aggregator.get('ConfigurationAggregatorArn', 
+                                                      f"arn:aws:config:{region}:{self.account_id}:config-aggregator/{org_aggregator_name}")
+                    break
+            
+            if found_org_aggregator:
+                break
+        
+        # Return a single finding based on whether an organization aggregator was found
+        if found_org_aggregator:
+            findings.append(
+                self.create_finding(
+                    status="PASS",
+                    region="global",
+                    resource_id=org_aggregator_arn,
+                    checked_value="Configuration aggregator exists",
+                    actual_value=f"Configuration aggregator '{org_aggregator_name}' exists in region {org_aggregator_region} with Source Type \"My Organization\"",
+                    remediation="No remediation needed"
+                )
+            )
+        else:
+            findings.append(
+                self.create_finding(
+                    status="FAIL",
+                    region="global",
+                    resource_id=f"arn:aws:config:global:{self.account_id}:config-aggregator/none",
+                    checked_value="Configuration aggregator exists",
+                    actual_value="No organization aggregator found in any region",
+                    remediation=(
+                        "Create an organization configuration aggregator in at least one region using: aws configservice put-configuration-aggregator "
+                        "--configuration-aggregator-name organization-aggregator --organization-aggregation-source "
+                        f"\"EnableAllRegions=true,RoleArn=arn:aws:iam::{self.account_id}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfigServiceRole\" "
+                        "--region <region>"
+                    )
+                )
+            )
+        
+        return findings

sraverify/services/config/checks/sra_config_05.py

@@ -0,0 +1,104 @@
+"""
+SRA-CONFIG-05: AWS Config Recorder Status.
+"""
+from typing import List, Dict, Any
+from sraverify.services.config.base import ConfigCheck
+from sraverify.core.logging import logger
+
+
+class SRA_CONFIG_05(ConfigCheck):
+    """Check if AWS Config organization aggregator includes all regions."""
+    
+    def __init__(self):
+        """Initialize the check."""
+        super().__init__()
+        self.check_id = "SRA-CONFIG-05"
+        self.check_name = "AWS Config organization aggregator includes all regions"
+        self.account_type = "audit"  # This check applies to audit account
+        self.severity = "MEDIUM"
+        self.description = (
+            "This check verifies that the AWS Config organization aggregator is configured to aggregate "
+            "config data from all existing and future AWS Regions. This provides you visibility into "
+            "activities across all regions even if your business does not operate in the region."
+        )
+        self.check_logic = (
+            "Checks if AWS Config organization aggregator has AllAwsRegions set to true."
+        )
+        self.resource_type = "AWS::Config::ConfigurationAggregator"
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []
+        
+        if not self.regions:
+            findings.append(
+                self.create_finding(
+                    status="ERROR",
+                    region="global",
+                    resource_id="config:global",
+                    checked_value="AllAwsRegions: true",
+                    actual_value="No regions specified for check",
+                    remediation="Specify at least one region when running the check"
+                )
+            )
+            return findings
+        
+        # Check if an organization aggregator with AllAwsRegions=true exists in any region
+        found_all_regions_aggregator = False
+        all_regions_aggregator_region = None
+        all_regions_aggregator_name = None
+        all_regions_aggregator_arn = None
+        
+        for region in self.regions:
+            # Get configuration aggregators for the region from cache
+            aggregators = self.get_configuration_aggregators(region)
+            
+            # Check if any of the aggregators is an organization aggregator with all regions enabled
+            for aggregator in aggregators:
+                if ('OrganizationAggregationSource' in aggregator and 
+                    aggregator.get('OrganizationAggregationSource', {}).get('AllAwsRegions', False)):
+                    found_all_regions_aggregator = True
+                    all_regions_aggregator_region = region
+                    all_regions_aggregator_name = aggregator.get('ConfigurationAggregatorName', 'Unknown')
+                    all_regions_aggregator_arn = aggregator.get('ConfigurationAggregatorArn', 
+                                                              f"arn:aws:config:{region}:{self.account_id}:config-aggregator/{all_regions_aggregator_name}")
+                    break
+            
+            if found_all_regions_aggregator:
+                break
+        
+        # Return a single finding based on whether an organization aggregator with AllAwsRegions=true was found
+        if found_all_regions_aggregator:
+            findings.append(
+                self.create_finding(
+                    status="PASS",
+                    region="global",
+                    resource_id=all_regions_aggregator_arn,
+                    checked_value="AllAwsRegions: true",
+                    actual_value=f"Configuration aggregator '{all_regions_aggregator_name}' is configured to aggregate all regions, located in region {all_regions_aggregator_region} with Region selection \"All current and future AWS regions\"",
+                    remediation="No remediation needed"
+                )
+            )
+        else:
+            findings.append(
+                self.create_finding(
+                    status="FAIL",
+                    region="global",
+                    resource_id=f"arn:aws:config:global:{self.account_id}:config-aggregator/none",
+                    checked_value="AllAwsRegions: true",
+                    actual_value="No organization aggregator with AllAwsRegions=true found in any region",
+                    remediation=(
+                        "Create an organization configuration aggregator with AllAwsRegions=true in at least one region using: aws configservice put-configuration-aggregator "
+                        "--configuration-aggregator-name organization-aggregator --organization-aggregation-source "
+                        f"\"EnableAllRegions=true,RoleArn=arn:aws:iam::{self.account_id}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfigServiceRole\" "
+                        "--region <region>"
+                    )
+                )
+            )
+        
+        return findings