sraverify 0.1.0__py3-none-any.whl

sraverify/services/config/checks/sra_config_09.py

@@ -0,0 +1,177 @@
+"""
+SRA-CONFIG-09: AWS Config Aggregator Status.
+"""
+from typing import List, Dict, Any
+from sraverify.services.config.base import ConfigCheck
+from sraverify.core.logging import logger
+
+
+class SRA_CONFIG_09(ConfigCheck):
+    """Check if Config Organization aggregator is in a valid status."""
+    
+    def __init__(self):
+        """Initialize the check."""
+        super().__init__()
+        self.check_id = "SRA-CONFIG-09"
+        self.check_name = "Config Organization aggregator is in a valid status"
+        self.account_type = "audit"  # This check applies to audit account
+        self.severity = "MEDIUM"
+        self.description = (
+            "This check verifies whether Config Organization aggregator has a valid status. "
+            "A value of FAILED indicates errors while moving data and value OUTDATED indicates "
+            "the data is not the most recent."
+        )
+        self.check_logic = (
+            "Checks if all aggregator sources have a status of SUCCEEDED using "
+            "describe-configuration-aggregator-sources-status API."
+        )
+        self.resource_type = "AWS::Config::ConfigurationAggregator"
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []
+        
+        if not self.regions:
+            findings.append(
+                self.create_finding(
+                    status="ERROR",
+                    region="global",
+                    resource_id="config:global",
+                    checked_value="All source statuses are SUCCEEDED",
+                    actual_value="No regions specified for check",
+                    remediation="Specify at least one region when running the check"
+                )
+            )
+            return findings
+        
+        # First, find an organization aggregator in any region
+        found_org_aggregator = False
+        org_aggregator_region = None
+        org_aggregator_name = None
+        org_aggregator_arn = None
+        
+        for region in self.regions:
+            # Get configuration aggregators for the region using the cache
+            aggregators = self.get_configuration_aggregators(region)
+            
+            # Check if any of the aggregators is an organization aggregator
+            for aggregator in aggregators:
+                if 'OrganizationAggregationSource' in aggregator:
+                    found_org_aggregator = True
+                    org_aggregator_region = region
+                    org_aggregator_name = aggregator.get('ConfigurationAggregatorName', 'Unknown')
+                    org_aggregator_arn = aggregator.get('ConfigurationAggregatorArn', 
+                                                      f"arn:aws:config:{region}:{self.account_id}:config-aggregator/{org_aggregator_name}")
+                    break
+            
+            if found_org_aggregator:
+                break
+        
+        # If no organization aggregator found in any region, return a global failure
+        if not found_org_aggregator:
+            findings.append(
+                self.create_finding(
+                    status="FAIL",
+                    region="global",
+                    resource_id=f"arn:aws:config:global:{self.account_id}:config-aggregator/none",
+                    checked_value="All source statuses are SUCCEEDED",
+                    actual_value="No organization aggregator found in any region",
+                    remediation=(
+                        "Create an organization configuration aggregator in at least one region using: aws configservice put-configuration-aggregator "
+                        "--configuration-aggregator-name organization-aggregator --organization-aggregation-source "
+                        f"\"EnableAllRegions=true,RoleArn=arn:aws:iam::{self.account_id}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfigServiceRole\" "
+                        "--region <region>"
+                    )
+                )
+            )
+            return findings
+        
+        # Get client for the region where we found the organization aggregator
+        client = self.get_client(org_aggregator_region)
+        if not client:
+            findings.append(
+                self.create_finding(
+                    status="ERROR",
+                    region="global",
+                    resource_id=org_aggregator_arn,
+                    checked_value="All source statuses are SUCCEEDED",
+                    actual_value=f"No Config client available for region {org_aggregator_region}",
+                    remediation="Ensure AWS Config service is available in the region and you have proper permissions"
+                )
+            )
+            return findings
+        
+        # Get aggregator sources status
+        try:
+            source_statuses = client.describe_configuration_aggregator_sources_status(org_aggregator_name)
+        except Exception as e:
+            findings.append(
+                self.create_finding(
+                    status="ERROR",
+                    region="global",
+                    resource_id=org_aggregator_arn,
+                    checked_value="All source statuses are SUCCEEDED",
+                    actual_value=f"Error getting source statuses for aggregator '{org_aggregator_name}' in region {org_aggregator_region}: {str(e)}",
+                    remediation="Ensure you have proper permissions to check aggregator status"
+                )
+            )
+            return findings
+        
+        if not source_statuses:
+            # No source statuses found
+            findings.append(
+                self.create_finding(
+                    status="FAIL",
+                    region="global",
+                    resource_id=org_aggregator_arn,
+                    checked_value="All source statuses are SUCCEEDED",
+                    actual_value=f"No source statuses found for organization aggregator '{org_aggregator_name}' in region {org_aggregator_region}",
+                    remediation=f"Check the aggregator configuration in {org_aggregator_region} and ensure it has valid sources"
+                )
+            )
+            return findings
+        
+        # Check if all sources have SUCCEEDED status
+        failed_sources = []
+        for source in source_statuses:
+            source_id = source.get('SourceId', 'Unknown')
+            source_type = source.get('SourceType', 'Unknown')
+            source_status = source.get('LastUpdateStatus', 'UNKNOWN')
+            
+            if source_status != "SUCCEEDED":
+                failed_sources.append(f"{source_type}:{source_id} ({source_status})")
+        
+        if failed_sources:
+            # Some sources have failed
+            findings.append(
+                self.create_finding(
+                    status="FAIL",
+                    region="global",
+                    resource_id=org_aggregator_arn,
+                    checked_value="All source statuses are SUCCEEDED",
+                    actual_value=f"Organization aggregator '{org_aggregator_name}' in region {org_aggregator_region} has sources with status: {', '.join(failed_sources)}",
+                    remediation=(
+                        f"Check the AWS Config logs for errors related to the aggregator sources. "
+                        f"Ensure the aggregator has the necessary permissions to access the source accounts."
+                    )
+                )
+            )
+        else:
+            # All sources have succeeded
+            findings.append(
+                self.create_finding(
+                    status="PASS",
+                    region="global",
+                    resource_id=org_aggregator_arn,
+                    checked_value="All source statuses are SUCCEEDED",
+                    actual_value=f"Organization aggregator '{org_aggregator_name}' in region {org_aggregator_region} has all sources with status SUCCEEDED",
+                    remediation="No remediation needed"
+                )
+            )
+        
+        return findings

sraverify/services/config/client.py

@@ -0,0 +1,264 @@
+"""
+AWS Config client for interacting with AWS Config service.
+"""
+from typing import Dict, List, Optional, Any
+import boto3
+from botocore.exceptions import ClientError
+from sraverify.core.logging import logger
+
+
+class ConfigClient:
+    """Client for interacting with AWS Config service."""
+    
+    def __init__(self, region: str, session: Optional[boto3.Session] = None):
+        """
+        Initialize Config client for a specific region.
+        
+        Args:
+            region: AWS region name
+            session: AWS session to use (if None, a new session will be created)
+        """
+        self.region = region
+        self.session = session or boto3.Session()
+        self.client = self.session.client('config', region_name=region)
+        self.org_client = self.session.client('organizations', region_name=region)
+        self.s3_client = self.session.client('s3', region_name=region)
+
+    def get_account_id(self) -> Optional[str]:
+        """
+        Get the current account ID.
+        
+        Returns:
+            Current account ID or None if not available
+        """
+        try:
+            logger.debug(f"Getting current account ID in {self.region}")
+            sts_client = self.session.client("sts")
+            response = sts_client.get_caller_identity()
+            account_id = response["Account"]
+            logger.debug(f"Current account ID: {account_id}")
+            return account_id
+        except ClientError as e:
+            logger.error(f"Error getting current account ID: {e}")
+            return None
+        except Exception as e:
+            logger.error(f"Unexpected error getting current account ID: {e}")
+            return None
+    
+    def get_management_account_id(self) -> Optional[str]:
+        """
+        Get the management account ID for the organization.
+        
+        Returns:
+            Management account ID or None if not available
+        """
+        try:
+            logger.debug(f"Getting management account ID in {self.region}")
+            response = self.org_client.describe_organization()
+            management_account_id = response["Organization"]["MasterAccountId"]
+            logger.debug(f"Management account ID: {management_account_id}")
+            return management_account_id
+        except ClientError as e:
+            logger.error(f"Error getting management account ID: {e}")
+            return None
+        except Exception as e:
+            logger.error(f"Unexpected error getting management account ID: {e}")
+            return None
+
+    def describe_configuration_recorders(self) -> List[Dict[str, Any]]:
+        """
+        Describe configuration recorders in the current region.
+        
+        Returns:
+            List of configuration recorders
+        """
+        try:
+            logger.debug(f"Describing configuration recorders in {self.region}")
+            response = self.client.describe_configuration_recorders()
+            recorders = response.get('ConfigurationRecorders', [])
+            logger.debug(f"Found {len(recorders)} configuration recorders in {self.region}")
+            return recorders
+        except ClientError as e:
+            logger.error(f"Error describing configuration recorders in {self.region}: {e}")
+            return []
+        except Exception as e:
+            logger.error(f"Unexpected error describing configuration recorders in {self.region}: {e}")
+            return []
+    
+    def describe_configuration_recorder_status(self) -> List[Dict[str, Any]]:
+        """
+        Describe configuration recorder status in the current region.
+        
+        Returns:
+            List of configuration recorder statuses
+        """
+        try:
+            logger.debug(f"Describing configuration recorder status in {self.region}")
+            response = self.client.describe_configuration_recorder_status()
+            statuses = response.get('ConfigurationRecordersStatus', [])
+            logger.debug(f"Found {len(statuses)} configuration recorder statuses in {self.region}")
+            return statuses
+        except ClientError as e:
+            logger.error(f"Error describing configuration recorder status in {self.region}: {e}")
+            return []
+        except Exception as e:
+            logger.error(f"Unexpected error describing configuration recorder status in {self.region}: {e}")
+            return []
+    
+    def describe_delivery_channels(self) -> List[Dict[str, Any]]:
+        """
+        Describe delivery channels in the current region.
+        
+        Returns:
+            List of delivery channels
+        """
+        try:
+            logger.debug(f"Describing delivery channels in {self.region}")
+            response = self.client.describe_delivery_channels()
+            channels = response.get('DeliveryChannels', [])
+            logger.debug(f"Found {len(channels)} delivery channels in {self.region}")
+            return channels
+        except ClientError as e:
+            logger.error(f"Error describing delivery channels in {self.region}: {e}")
+            return []
+        except Exception as e:
+            logger.error(f"Unexpected error describing delivery channels in {self.region}: {e}")
+            return []
+    
+    def describe_delivery_channel_status(self) -> List[Dict[str, Any]]:
+        """
+        Describe delivery channel status in the current region.
+        
+        Returns:
+            List of delivery channel statuses
+        """
+        try:
+            logger.debug(f"Describing delivery channel status in {self.region}")
+            response = self.client.describe_delivery_channel_status()
+            statuses = response.get('DeliveryChannelsStatus', [])
+            logger.debug(f"Found {len(statuses)} delivery channel statuses in {self.region}")
+            return statuses
+        except ClientError as e:
+            logger.error(f"Error describing delivery channel status in {self.region}: {e}")
+            return []
+        except Exception as e:
+            logger.error(f"Unexpected error describing delivery channel status in {self.region}: {e}")
+            return []
+            
+    def describe_configuration_aggregators(self) -> List[Dict[str, Any]]:
+        """
+        Describe configuration aggregators in the current region.
+        
+        Returns:
+            List of configuration aggregators
+        """
+        try:
+            logger.debug(f"Describing configuration aggregators in {self.region}")
+            response = self.client.describe_configuration_aggregators()
+            aggregators = response.get('ConfigurationAggregators', [])
+            logger.debug(f"Found {len(aggregators)} configuration aggregators in {self.region}")
+            return aggregators
+        except ClientError as e:
+            logger.error(f"Error describing configuration aggregators in {self.region}: {e}")
+            return []
+        except Exception as e:
+            logger.error(f"Unexpected error describing configuration aggregators in {self.region}: {e}")
+            return []
+            
+    def describe_configuration_aggregator_sources_status(self, aggregator_name: str) -> List[Dict[str, Any]]:
+        """
+        Describe configuration aggregator sources status in the current region.
+        
+        Args:
+            aggregator_name: Name of the configuration aggregator
+            
+        Returns:
+            List of configuration aggregator sources statuses
+        """
+        try:
+            logger.debug(f"Describing configuration aggregator sources status for {aggregator_name} in {self.region}")
+            response = self.client.describe_configuration_aggregator_sources_status(
+                ConfigurationAggregatorName=aggregator_name
+            )
+            source_statuses = response.get('AggregatedSourceStatusList', [])
+            logger.debug(f"Found {len(source_statuses)} source statuses for aggregator {aggregator_name} in {self.region}")
+            return source_statuses
+        except ClientError as e:
+            logger.error(f"Error describing configuration aggregator sources status in {self.region}: {e}")
+            return []
+        except Exception as e:
+            logger.error(f"Unexpected error describing configuration aggregator sources status in {self.region}: {e}")
+            return []
+            
+    def get_bucket_location(self, bucket_name: str) -> Optional[str]:
+        """
+        Get the location of an S3 bucket.
+        
+        Args:
+            bucket_name: Name of the S3 bucket
+            
+        Returns:
+            Region of the S3 bucket or None if not available
+        """
+        try:
+            logger.debug(f"Getting location for bucket {bucket_name}")
+            response = self.s3_client.get_bucket_location(Bucket=bucket_name)
+            location = response.get('LocationConstraint')
+            # If location is None, the bucket is in us-east-1
+            bucket_region = location if location else 'us-east-1'
+            logger.debug(f"Bucket {bucket_name} is in region {bucket_region}")
+            return bucket_region
+        except ClientError as e:
+            logger.error(f"Error getting bucket location for {bucket_name}: {e}")
+            return None
+        except Exception as e:
+            logger.error(f"Unexpected error getting bucket location for {bucket_name}: {e}")
+            return None
+            
+    def get_bucket_policy(self, bucket_name: str) -> Optional[Dict[str, Any]]:
+        """
+        Get the policy of an S3 bucket.
+        
+        Args:
+            bucket_name: Name of the S3 bucket
+            
+        Returns:
+            Policy of the S3 bucket or None if not available
+        """
+        try:
+            logger.debug(f"Getting policy for bucket {bucket_name}")
+            response = self.s3_client.get_bucket_policy(Bucket=bucket_name)
+            policy = response.get('Policy')
+            logger.debug(f"Got policy for bucket {bucket_name}")
+            return policy
+        except ClientError as e:
+            logger.error(f"Error getting bucket policy for {bucket_name}: {e}")
+            return None
+        except Exception as e:
+            logger.error(f"Unexpected error getting bucket policy for {bucket_name}: {e}")
+            return None
+            
+    def list_delegated_administrators(self, service_principal: str = "config.amazonaws.com") -> List[Dict[str, Any]]:
+        """
+        List delegated administrators for a specific service principal.
+        
+        Args:
+            service_principal: Service principal to check for delegated administrators
+            
+        Returns:
+            List of delegated administrators
+        """
+        try:
+            logger.debug(f"Listing delegated administrators for {service_principal} in {self.region}")
+            response = self.org_client.list_delegated_administrators(ServicePrincipal=service_principal)
+            delegated_admins = response.get('DelegatedAdministrators', [])
+            logger.debug(f"Found {len(delegated_admins)} delegated administrators for {service_principal}")
+            for admin in delegated_admins:
+                logger.debug(f"Delegated admin: {admin.get('Id')} - {admin.get('Name')}")
+            return delegated_admins
+        except ClientError as e:
+            logger.error(f"Error listing delegated administrators for {service_principal}: {e}")
+            return []
+        except Exception as e:
+            logger.error(f"Unexpected error listing delegated administrators: {e}")
+            return []

sraverify/services/ec2/__init__.py

@@ -0,0 +1,8 @@
+"""
+EC2 security checks.
+"""
+from sraverify.services.ec2.checks.sra_ec2_01 import SRA_EC2_01
+
+CHECKS = {
+    "SRA-EC2-01": SRA_EC2_01,
+}

sraverify/services/ec2/base.py

@@ -0,0 +1,75 @@
+"""
+Base class for EC2 security checks.
+"""
+from typing import Dict, Optional, Any
+from sraverify.core.check import SecurityCheck
+from sraverify.services.ec2.client import EC2Client
+from sraverify.core.logging import logger
+
+
+class EC2Check(SecurityCheck):
+    """Base class for all EC2 security checks."""
+    
+    # Class-level caches shared across all instances
+    _ebs_encryption_default_cache = {}
+    
+    def __init__(self):
+        """Initialize EC2 base check."""
+        super().__init__(
+            account_type="application",
+            service="EC2",
+            resource_type="AWS::EC2::Instance"
+        )
+    
+    def _setup_clients(self):
+        """Set up EC2 clients for each region."""
+        # Clear existing clients
+        self._clients.clear()
+        # Set up new clients only if regions are initialized
+        if hasattr(self, 'regions') and self.regions:
+            for region in self.regions:
+                self._clients[region] = EC2Client(region, session=self.session)
+    
+    def get_client(self, region: str) -> Optional[EC2Client]:
+        """
+        Get EC2 client for a specific region.
+        
+        Args:
+            region: AWS region name
+            
+        Returns:
+            EC2Client for the region or None if not available
+        """
+        return self._clients.get(region)
+    
+    def get_ebs_encryption_by_default(self, region: str) -> Dict[str, Any]:
+        """
+        Get the EBS encryption by default status for the account in the region with caching.
+        
+        Args:
+            region: AWS region name
+            
+        Returns:
+            Dictionary containing EBS encryption by default status
+        """
+        # Check cache first
+        account_id = self.account_id
+        cache_key = f"{account_id}:{region}"
+        
+        if cache_key in self.__class__._ebs_encryption_default_cache:
+            logger.debug(f"Using cached EBS encryption by default status for {region}")
+            return self.__class__._ebs_encryption_default_cache[cache_key]
+        
+        client = self.get_client(region)
+        if not client:
+            logger.warning(f"No EC2 client available for region {region}")
+            return {}
+        
+        # Get EBS encryption by default status from client
+        encryption_status = client.get_ebs_encryption_by_default()
+        
+        # Cache the result
+        self.__class__._ebs_encryption_default_cache[cache_key] = encryption_status
+        logger.debug(f"Cached EBS encryption by default status for {region}")
+        
+        return encryption_status

sraverify/services/ec2/checks/__init__.py

@@ -0,0 +1 @@
+"""EC2 security checks."""

sraverify/services/ec2/checks/sra_ec2_01.py

@@ -0,0 +1,83 @@
+"""
+SRA-EC2-01: AWS account level EBS encryption by default is enabled.
+"""
+from typing import List, Dict, Any
+from sraverify.services.ec2.base import EC2Check
+from sraverify.core.logging import logger
+
+
+class SRA_EC2_01(EC2Check):
+    """Check if AWS account level EBS encryption by default is enabled."""
+    
+    def __init__(self):
+        """Initialize the check."""
+        super().__init__()
+        self.check_id = "SRA-EC2-01"
+        self.check_name = "AWS account level EBS encryption by default is enabled"
+        self.description = (
+            "This check verifies that the AWS account level configuration to encrypt EBS volumes by default "
+            "is enabled in the AWS Region. This enforces, at AWS account level, the encryption of the new EBS "
+            "volumes and snapshot copies that you create. You can use AWS managed keys or a customer managed KMS key."
+        )
+        self.severity = "HIGH"
+        self.account_type = "application"
+        self.check_logic = "Check Pass if 'EbsEncryptionByDefault' = true."
+        self.resource_type = "AWS::EC2::Volume"
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []
+        
+        for region in self.regions:
+            # Get EBS encryption by default status using the base class method with caching
+            encryption_status = self.get_ebs_encryption_by_default(region)
+            
+            # Check if the API call was successful
+            if not encryption_status:
+                findings.append(
+                    self.create_finding(
+                        status="ERROR",
+                        region=region,
+                        resource_id=f"account/{self.account_id}/region/{region}",
+                        checked_value="EbsEncryptionByDefault: true",
+                        actual_value="Failed to retrieve EBS encryption by default status",
+                        remediation="Ensure you have the necessary permissions to call the EC2 GetEbsEncryptionByDefault API"
+                    )
+                )
+                continue
+            
+            # Check if EBS encryption by default is enabled
+            is_encryption_enabled = encryption_status.get('EbsEncryptionByDefault', False)
+            
+            if is_encryption_enabled:
+                findings.append(
+                    self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=f"account/{self.account_id}/region/{region}",
+                        checked_value="EbsEncryptionByDefault: true",
+                        actual_value=f"EBS encryption by default is enabled in region {region}",
+                        remediation="No remediation needed"
+                    )
+                )
+            else:
+                findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=f"account/{self.account_id}/region/{region}",
+                        checked_value="EbsEncryptionByDefault: true",
+                        actual_value=f"EBS encryption by default is not enabled in region {region}",
+                        remediation=(
+                            f"Enable EBS encryption by default in region {region} using the AWS CLI command: "
+                            f"aws ec2 enable-ebs-encryption-by-default --region {region}"
+                        )
+                    )
+                )
+        
+        return findings

sraverify/services/ec2/client.py

@@ -0,0 +1,63 @@
+"""
+EC2 client for interacting with AWS EC2 service.
+"""
+from typing import Dict, List, Optional, Any
+import boto3
+from botocore.exceptions import ClientError
+from sraverify.core.logging import logger
+
+
+class EC2Client:
+    """Client for interacting with AWS EC2 service."""
+    
+    def __init__(self, region: str, session: Optional[boto3.Session] = None):
+        """
+        Initialize EC2 client for a specific region.
+        
+        Args:
+            region: AWS region name
+            session: AWS session to use (if None, a new session will be created)
+        """
+        self.region = region
+        self.session = session or boto3.Session()
+        self.client = self.session.client('ec2', region_name=region)
+
+    def get_ebs_encryption_by_default(self) -> Dict[str, Any]:
+        """
+        Get the EBS encryption by default status for the account in the region.
+        
+        Returns:
+            Dictionary containing EBS encryption by default status
+        """
+        try:
+            logger.debug(f"Getting EBS encryption by default status in {self.region}")
+            response = self.client.get_ebs_encryption_by_default()
+            logger.debug(f"EBS encryption by default status in {self.region}: {response}")
+            return response
+        except ClientError as e:
+            logger.error(f"Error getting EBS encryption by default status in {self.region}: {e}")
+            return {}
+        except Exception as e:
+            logger.error(f"Unexpected error getting EBS encryption by default status in {self.region}: {e}")
+            return {}
+    
+    def get_account_id(self) -> Optional[str]:
+        """
+        Get the current account ID.
+        
+        Returns:
+            Current account ID or None if not available
+        """
+        try:
+            logger.debug(f"Getting current account ID in {self.region}")
+            sts_client = self.session.client("sts")
+            response = sts_client.get_caller_identity()
+            account_id = response["Account"]
+            logger.debug(f"Current account ID: {account_id}")
+            return account_id
+        except ClientError as e:
+            logger.error(f"Error getting current account ID: {e}")
+            return None
+        except Exception as e:
+            logger.error(f"Unexpected error getting current account ID: {e}")
+            return None