sraverify 0.1.0__py3-none-any.whl

sraverify/services/firewallmanager/__init__.py

@@ -0,0 +1,23 @@
+from sraverify.services.firewallmanager.checks.sra_firewallmanager_01 import SRA_FIREWALLMANAGER_01
+from sraverify.services.firewallmanager.checks.sra_firewallmanager_02 import SRA_FIREWALLMANAGER_02
+from sraverify.services.firewallmanager.checks.sra_firewallmanager_03 import SRA_FIREWALLMANAGER_03
+from sraverify.services.firewallmanager.checks.sra_firewallmanager_04 import SRA_FIREWALLMANAGER_04
+from sraverify.services.firewallmanager.checks.sra_firewallmanager_05 import SRA_FIREWALLMANAGER_05
+from sraverify.services.firewallmanager.checks.sra_firewallmanager_06 import SRA_FIREWALLMANAGER_06
+from sraverify.services.firewallmanager.checks.sra_firewallmanager_07 import SRA_FIREWALLMANAGER_07
+from sraverify.services.firewallmanager.checks.sra_firewallmanager_08 import SRA_FIREWALLMANAGER_08
+from sraverify.services.firewallmanager.checks.sra_firewallmanager_09 import SRA_FIREWALLMANAGER_09
+from sraverify.services.firewallmanager.checks.sra_firewallmanager_10 import SRA_FIREWALLMANAGER_10
+
+CHECKS = {
+    "SRA-FIREWALLMANAGER-01": SRA_FIREWALLMANAGER_01,
+    "SRA-FIREWALLMANAGER-02": SRA_FIREWALLMANAGER_02,
+    "SRA-FIREWALLMANAGER-03": SRA_FIREWALLMANAGER_03,
+    "SRA-FIREWALLMANAGER-04": SRA_FIREWALLMANAGER_04,
+    "SRA-FIREWALLMANAGER-05": SRA_FIREWALLMANAGER_05,
+    "SRA-FIREWALLMANAGER-06": SRA_FIREWALLMANAGER_06,
+    "SRA-FIREWALLMANAGER-07": SRA_FIREWALLMANAGER_07,
+    "SRA-FIREWALLMANAGER-08": SRA_FIREWALLMANAGER_08,
+    "SRA-FIREWALLMANAGER-09": SRA_FIREWALLMANAGER_09,
+    "SRA-FIREWALLMANAGER-10": SRA_FIREWALLMANAGER_10,
+}

sraverify/services/firewallmanager/base.py

@@ -0,0 +1,48 @@
+from typing import Dict, Any
+from sraverify.core.check import SecurityCheck
+from sraverify.services.firewallmanager.client import FirewallManagerClient
+from sraverify.core.logging import logger
+
+class FirewallManagerCheck(SecurityCheck):
+    # Class-level caches shared across all instances
+    _admin_account_cache = None
+    _policies_cache = {}
+
+    def __init__(self):
+        super().__init__(
+            account_type="audit",
+            service="FirewallManager",
+            resource_type="AWS::FMS::Policy"
+        )
+
+    def _setup_clients(self):
+        self._clients.clear()
+        # Firewall Manager admin APIs are global (us-east-1)
+        self._clients['us-east-1'] = FirewallManagerClient('us-east-1', session=self.session)
+        # For regional policy checks, create clients for all regions
+        if hasattr(self, 'regions') and self.regions:
+            for region in self.regions:
+                if region not in self._clients:
+                    self._clients[region] = FirewallManagerClient(region, session=self.session)
+
+    def get_admin_account(self) -> Dict[str, Any]:
+        if FirewallManagerCheck._admin_account_cache is None:
+            logger.debug("FirewallManager: Fetching admin account")
+            client = self.get_client('us-east-1')
+            if client:
+                FirewallManagerCheck._admin_account_cache = client.get_admin_account()
+                logger.debug("FirewallManager: Cached admin account")
+        else:
+            logger.debug("FirewallManager: Using cached admin account")
+        return FirewallManagerCheck._admin_account_cache or {}
+
+    def list_policies(self, region: str) -> Dict[str, Any]:
+        if region not in FirewallManagerCheck._policies_cache:
+            logger.debug(f"FirewallManager: Fetching policies for {region}")
+            client = self.get_client(region)
+            if client:
+                FirewallManagerCheck._policies_cache[region] = client.list_policies()
+                logger.debug(f"FirewallManager: Cached policies for {region}")
+        else:
+            logger.debug(f"FirewallManager: Using cached policies for {region}")
+        return FirewallManagerCheck._policies_cache.get(region, {})

sraverify/services/firewallmanager/checks/__init__.py

@@ -0,0 +1 @@
+# Firewall Manager checks

sraverify/services/firewallmanager/checks/sra_firewallmanager_01.py

@@ -0,0 +1,75 @@
+from typing import Dict, List, Any
+from sraverify.services.firewallmanager.base import FirewallManagerCheck
+
+class SRA_FIREWALLMANAGER_01(FirewallManagerCheck):
+    def __init__(self):
+        super().__init__()
+        # Override account type for this specific check
+        self.account_type = "management"
+        self.resource_type = "AWS::FMS::AdminAccount"
+        self.check_id = "SRA-FIREWALLMANAGER-01"
+        self.check_name = "Firewall Manager delegated administrator is the audit account"
+        self.description = "Verifies that AWS Firewall Manager delegated administrator is configured and set to the audit account"
+        self.severity = "HIGH"
+        self.check_logic = "Calls get_admin_account() to retrieve the Firewall Manager administrator account and verifies it matches the audit account ID"
+
+    def execute(self) -> List[Dict[str, Any]]:
+        region = "us-east-1"
+
+        admin_response = self.get_admin_account()
+
+        if "Error" in admin_response:
+            self.findings.append(self.create_finding(
+                status="ERROR",
+                region=region,
+                resource_id=None,
+                actual_value=admin_response["Error"].get("Message", "Unknown error"),
+                remediation="Configure Firewall Manager delegated administrator: https://docs.aws.amazon.com/waf/latest/developerguide/fms-prereq.html"
+            ))
+            return self.findings
+
+        admin_account = admin_response.get("AdminAccount")
+        role_status = admin_response.get("RoleStatus")
+
+        if not admin_account:
+            self.findings.append(self.create_finding(
+                status="FAIL",
+                region=region,
+                resource_id=None,
+                actual_value="No Firewall Manager administrator configured",
+                remediation="Set up Firewall Manager administrator account: https://docs.aws.amazon.com/waf/latest/developerguide/fms-prereq.html"
+            ))
+        elif not hasattr(self, '_audit_accounts'):
+            self.findings.append(self.create_finding(
+                status="FAIL",
+                region=region,
+                resource_id=admin_account,
+                actual_value=f"Firewall Manager administrator is {admin_account}, but audit account not specified",
+                remediation="Run check with --audit-account parameter to verify delegated administrator"
+            ))
+        elif admin_account not in self._audit_accounts:
+            self.findings.append(self.create_finding(
+                status="FAIL",
+                region=region,
+                resource_id=admin_account,
+                actual_value=f"Firewall Manager administrator is {admin_account}, expected one of {self._audit_accounts}",
+                remediation=f"Change Firewall Manager administrator to audit account using PutAdminAccount API"
+            ))
+        elif role_status != "READY":
+            self.findings.append(self.create_finding(
+                status="FAIL",
+                region=region,
+                resource_id=admin_account,
+                actual_value=f"Firewall Manager administrator status is {role_status}",
+                remediation="Wait for administrator account to reach READY status or reconfigure if in error state"
+            ))
+        else:
+            self.findings.append(self.create_finding(
+                status="PASS",
+                region=region,
+                resource_id=admin_account,
+                actual_value=f"Firewall Manager administrator is audit account {admin_account} with status {role_status}",
+                remediation="No remediation needed"
+            ))
+
+        return self.findings

sraverify/services/firewallmanager/checks/sra_firewallmanager_02.py

@@ -0,0 +1,57 @@
+from typing import Dict, List, Any
+from sraverify.services.firewallmanager.base import FirewallManagerCheck
+
+class SRA_FIREWALLMANAGER_02(FirewallManagerCheck):
+    def __init__(self):
+        super().__init__()
+        self.check_id = "SRA-FIREWALLMANAGER-02"
+        self.check_name = "Firewall Manager manages security groups"
+        self.description = "Verifies that AWS Firewall Manager has security group policies configured in each region"
+        self.severity = "MEDIUM"
+        self.check_logic = "Calls list_policies() per region and checks for policies with SecurityServiceType of SECURITY_GROUPS_COMMON, SECURITY_GROUPS_CONTENT_AUDIT, or SECURITY_GROUPS_USAGE_AUDIT"
+
+    def execute(self) -> List[Dict[str, Any]]:
+        account_id = self.account_id
+        
+        for region in self.regions:
+            policies_response = self.list_policies(region)
+            
+            if "Error" in policies_response:
+                self.findings.append(self.create_finding(
+                    status="ERROR",
+                    region=region,
+                    resource_id=None,
+                    actual_value=policies_response["Error"].get("Message", "Unknown error"),
+                    remediation="Check IAM permissions for Firewall Manager API access"
+                ))
+                continue
+            
+            policies = policies_response.get("PolicyList", [])
+            sg_policies = [
+                p for p in policies 
+                if p.get("SecurityServiceType") in [
+                    "SECURITY_GROUPS_COMMON",
+                    "SECURITY_GROUPS_CONTENT_AUDIT", 
+                    "SECURITY_GROUPS_USAGE_AUDIT"
+                ]
+            ]
+            
+            if not sg_policies:
+                self.findings.append(self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id=None,
+                    actual_value="No security group policies configured",
+                    remediation="Create Firewall Manager security group policies: https://docs.aws.amazon.com/waf/latest/developerguide/security-group-policies.html"
+                ))
+            else:
+                policy_names = [p.get("PolicyName", "Unknown") for p in sg_policies]
+                self.findings.append(self.create_finding(
+                    status="PASS",
+                    region=region,
+                    resource_id=",".join([p.get("PolicyId", "") for p in sg_policies]),
+                    actual_value=f"{len(sg_policies)} security group policy(ies) configured: {', '.join(policy_names)}",
+                    remediation="No remediation needed"
+                ))
+        
+        return self.findings

sraverify/services/firewallmanager/checks/sra_firewallmanager_03.py

@@ -0,0 +1,51 @@
+from typing import Dict, List, Any
+from sraverify.services.firewallmanager.base import FirewallManagerCheck
+
+class SRA_FIREWALLMANAGER_03(FirewallManagerCheck):
+    def __init__(self):
+        super().__init__()
+        self.check_id = "SRA-FIREWALLMANAGER-03"
+        self.check_name = "Firewall Manager manages WAF policies"
+        self.description = "Verifies that AWS Firewall Manager has WAF policies configured in each region"
+        self.severity = "MEDIUM"
+        self.check_logic = "Calls list_policies() per region and checks for policies with SecurityServiceType of WAF or WAFV2"
+
+    def execute(self) -> List[Dict[str, Any]]:
+        for region in self.regions:
+            policies_response = self.list_policies(region)
+            
+            if "Error" in policies_response:
+                self.findings.append(self.create_finding(
+                    status="ERROR",
+                    region=region,
+                    resource_id=None,
+                    actual_value=policies_response["Error"].get("Message", "Unknown error"),
+                    remediation="Check IAM permissions for Firewall Manager API access"
+                ))
+                continue
+            
+            policies = policies_response.get("PolicyList", [])
+            waf_policies = [
+                p for p in policies 
+                if p.get("SecurityServiceType") in ["WAF", "WAFV2"]
+            ]
+            
+            if not waf_policies:
+                self.findings.append(self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id=None,
+                    actual_value="No WAF policies configured",
+                    remediation="Create Firewall Manager WAF policies: https://docs.aws.amazon.com/waf/latest/developerguide/waf-policies.html"
+                ))
+            else:
+                policy_names = [p.get("PolicyName", "Unknown") for p in waf_policies]
+                self.findings.append(self.create_finding(
+                    status="PASS",
+                    region=region,
+                    resource_id=",".join([p.get("PolicyId", "") for p in waf_policies]),
+                    actual_value=f"{len(waf_policies)} WAF policy(ies) configured: {', '.join(policy_names)}",
+                    remediation="No remediation needed"
+                ))
+        
+        return self.findings

sraverify/services/firewallmanager/checks/sra_firewallmanager_04.py

@@ -0,0 +1,51 @@
+from typing import Dict, List, Any
+from sraverify.services.firewallmanager.base import FirewallManagerCheck
+
+class SRA_FIREWALLMANAGER_04(FirewallManagerCheck):
+    def __init__(self):
+        super().__init__()
+        self.check_id = "SRA-FIREWALLMANAGER-04"
+        self.check_name = "Firewall Manager manages Shield Advanced policies"
+        self.description = "Verifies that AWS Firewall Manager has Shield Advanced policies configured in each region"
+        self.severity = "MEDIUM"
+        self.check_logic = "Calls list_policies() per region and checks for policies with SecurityServiceType of SHIELD_ADVANCED"
+
+    def execute(self) -> List[Dict[str, Any]]:
+        for region in self.regions:
+            policies_response = self.list_policies(region)
+            
+            if "Error" in policies_response:
+                self.findings.append(self.create_finding(
+                    status="ERROR",
+                    region=region,
+                    resource_id=None,
+                    actual_value=policies_response["Error"].get("Message", "Unknown error"),
+                    remediation="Check IAM permissions for Firewall Manager API access"
+                ))
+                continue
+            
+            policies = policies_response.get("PolicyList", [])
+            shield_policies = [
+                p for p in policies 
+                if p.get("SecurityServiceType") == "SHIELD_ADVANCED"
+            ]
+            
+            if not shield_policies:
+                self.findings.append(self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id=None,
+                    actual_value="No Shield Advanced policies configured",
+                    remediation="Create Firewall Manager Shield Advanced policies: https://docs.aws.amazon.com/waf/latest/developerguide/shield-policies.html"
+                ))
+            else:
+                policy_names = [p.get("PolicyName", "Unknown") for p in shield_policies]
+                self.findings.append(self.create_finding(
+                    status="PASS",
+                    region=region,
+                    resource_id=",".join([p.get("PolicyId", "") for p in shield_policies]),
+                    actual_value=f"{len(shield_policies)} Shield Advanced policy(ies) configured: {', '.join(policy_names)}",
+                    remediation="No remediation needed"
+                ))
+        
+        return self.findings

sraverify/services/firewallmanager/checks/sra_firewallmanager_05.py

@@ -0,0 +1,51 @@
+from typing import Dict, List, Any
+from sraverify.services.firewallmanager.base import FirewallManagerCheck
+
+class SRA_FIREWALLMANAGER_05(FirewallManagerCheck):
+    def __init__(self):
+        super().__init__()
+        self.check_id = "SRA-FIREWALLMANAGER-05"
+        self.check_name = "Firewall Manager manages Network ACL policies"
+        self.description = "Verifies that AWS Firewall Manager has Network ACL policies configured in each region"
+        self.severity = "MEDIUM"
+        self.check_logic = "Calls list_policies() per region and checks for policies with SecurityServiceType of NETWORK_ACL_COMMON"
+
+    def execute(self) -> List[Dict[str, Any]]:
+        for region in self.regions:
+            policies_response = self.list_policies(region)
+            
+            if "Error" in policies_response:
+                self.findings.append(self.create_finding(
+                    status="ERROR",
+                    region=region,
+                    resource_id=None,
+                    actual_value=policies_response["Error"].get("Message", "Unknown error"),
+                    remediation="Check IAM permissions for Firewall Manager API access"
+                ))
+                continue
+            
+            policies = policies_response.get("PolicyList", [])
+            nacl_policies = [
+                p for p in policies 
+                if p.get("SecurityServiceType") == "NETWORK_ACL_COMMON"
+            ]
+            
+            if not nacl_policies:
+                self.findings.append(self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id=None,
+                    actual_value="No Network ACL policies configured",
+                    remediation="Create Firewall Manager Network ACL policies: https://docs.aws.amazon.com/waf/latest/developerguide/network-acl-policies.html"
+                ))
+            else:
+                policy_names = [p.get("PolicyName", "Unknown") for p in nacl_policies]
+                self.findings.append(self.create_finding(
+                    status="PASS",
+                    region=region,
+                    resource_id=",".join([p.get("PolicyId", "") for p in nacl_policies]),
+                    actual_value=f"{len(nacl_policies)} Network ACL policy(ies) configured: {', '.join(policy_names)}",
+                    remediation="No remediation needed"
+                ))
+        
+        return self.findings

sraverify/services/firewallmanager/checks/sra_firewallmanager_06.py

@@ -0,0 +1,51 @@
+from typing import Dict, List, Any
+from sraverify.services.firewallmanager.base import FirewallManagerCheck
+
+class SRA_FIREWALLMANAGER_06(FirewallManagerCheck):
+    def __init__(self):
+        super().__init__()
+        self.check_id = "SRA-FIREWALLMANAGER-06"
+        self.check_name = "Firewall Manager manages AWS Network Firewall policies"
+        self.description = "Verifies that AWS Firewall Manager has Network Firewall policies configured in each region"
+        self.severity = "MEDIUM"
+        self.check_logic = "Calls list_policies() per region and checks for policies with SecurityServiceType of NETWORK_FIREWALL"
+
+    def execute(self) -> List[Dict[str, Any]]:
+        for region in self.regions:
+            policies_response = self.list_policies(region)
+            
+            if "Error" in policies_response:
+                self.findings.append(self.create_finding(
+                    status="ERROR",
+                    region=region,
+                    resource_id=None,
+                    actual_value=policies_response["Error"].get("Message", "Unknown error"),
+                    remediation="Check IAM permissions for Firewall Manager API access"
+                ))
+                continue
+            
+            policies = policies_response.get("PolicyList", [])
+            nfw_policies = [
+                p for p in policies 
+                if p.get("SecurityServiceType") == "NETWORK_FIREWALL"
+            ]
+            
+            if not nfw_policies:
+                self.findings.append(self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id=None,
+                    actual_value="No Network Firewall policies configured",
+                    remediation="Create Firewall Manager Network Firewall policies: https://docs.aws.amazon.com/waf/latest/developerguide/network-firewall-policies.html"
+                ))
+            else:
+                policy_names = [p.get("PolicyName", "Unknown") for p in nfw_policies]
+                self.findings.append(self.create_finding(
+                    status="PASS",
+                    region=region,
+                    resource_id=",".join([p.get("PolicyId", "") for p in nfw_policies]),
+                    actual_value=f"{len(nfw_policies)} Network Firewall policy(ies) configured: {', '.join(policy_names)}",
+                    remediation="No remediation needed"
+                ))
+        
+        return self.findings

sraverify/services/firewallmanager/checks/sra_firewallmanager_07.py

@@ -0,0 +1,51 @@
+from typing import Dict, List, Any
+from sraverify.services.firewallmanager.base import FirewallManagerCheck
+
+class SRA_FIREWALLMANAGER_07(FirewallManagerCheck):
+    def __init__(self):
+        super().__init__()
+        self.check_id = "SRA-FIREWALLMANAGER-07"
+        self.check_name = "Firewall Manager manages Route 53 DNS Firewall policies"
+        self.description = "Verifies that AWS Firewall Manager has Route 53 DNS Firewall policies configured in each region"
+        self.severity = "MEDIUM"
+        self.check_logic = "Calls list_policies() per region and checks for policies with SecurityServiceType of DNS_FIREWALL"
+
+    def execute(self) -> List[Dict[str, Any]]:
+        for region in self.regions:
+            policies_response = self.list_policies(region)
+            
+            if "Error" in policies_response:
+                self.findings.append(self.create_finding(
+                    status="ERROR",
+                    region=region,
+                    resource_id=None,
+                    actual_value=policies_response["Error"].get("Message", "Unknown error"),
+                    remediation="Check IAM permissions for Firewall Manager API access"
+                ))
+                continue
+            
+            policies = policies_response.get("PolicyList", [])
+            dns_policies = [
+                p for p in policies 
+                if p.get("SecurityServiceType") == "DNS_FIREWALL"
+            ]
+            
+            if not dns_policies:
+                self.findings.append(self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id=None,
+                    actual_value="No Route 53 DNS Firewall policies configured",
+                    remediation="Create Firewall Manager Route 53 DNS Firewall policies: https://docs.aws.amazon.com/waf/latest/developerguide/dns-firewall-policies.html"
+                ))
+            else:
+                policy_names = [p.get("PolicyName", "Unknown") for p in dns_policies]
+                self.findings.append(self.create_finding(
+                    status="PASS",
+                    region=region,
+                    resource_id=",".join([p.get("PolicyId", "") for p in dns_policies]),
+                    actual_value=f"{len(dns_policies)} Route 53 DNS Firewall policy(ies) configured: {', '.join(policy_names)}",
+                    remediation="No remediation needed"
+                ))
+        
+        return self.findings

sraverify/services/firewallmanager/checks/sra_firewallmanager_08.py

@@ -0,0 +1,61 @@
+from typing import Dict, List, Any
+from sraverify.services.firewallmanager.base import FirewallManagerCheck
+
+class SRA_FIREWALLMANAGER_08(FirewallManagerCheck):
+    def __init__(self):
+        super().__init__()
+        self.check_id = "SRA-FIREWALLMANAGER-08"
+        self.check_name = "Firewall Manager policy remediation is enabled"
+        self.description = "Verifies that AWS Firewall Manager policies have remediation enabled to automatically apply to new resources"
+        self.severity = "MEDIUM"
+        self.check_logic = "Calls list_policies() per region and checks that all policies have RemediationEnabled set to true"
+
+    def execute(self) -> List[Dict[str, Any]]:
+        for region in self.regions:
+            policies_response = self.list_policies(region)
+            
+            if "Error" in policies_response:
+                self.findings.append(self.create_finding(
+                    status="ERROR",
+                    region=region,
+                    resource_id=None,
+                    actual_value=policies_response["Error"].get("Message", "Unknown error"),
+                    remediation="Check IAM permissions for Firewall Manager API access"
+                ))
+                continue
+            
+            policies = policies_response.get("PolicyList", [])
+            
+            if not policies:
+                self.findings.append(self.create_finding(
+                    status="PASS",
+                    region=region,
+                    resource_id=None,
+                    actual_value="No Firewall Manager policies configured in region",
+                    remediation="No remediation needed"
+                ))
+                continue
+            
+            for policy in policies:
+                policy_id = policy.get("PolicyId", "")
+                policy_name = policy.get("PolicyName", "Unknown")
+                remediation_enabled = policy.get("RemediationEnabled", False)
+                
+                if not remediation_enabled:
+                    self.findings.append(self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=policy_id,
+                        actual_value=f"Policy '{policy_name}' has remediation disabled",
+                        remediation=f"Enable remediation on policy '{policy_name}' to automatically apply to new resources"
+                    ))
+                else:
+                    self.findings.append(self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=policy_id,
+                        actual_value=f"Policy '{policy_name}' has remediation enabled",
+                        remediation="No remediation needed"
+                    ))
+        
+        return self.findings

sraverify/services/firewallmanager/checks/sra_firewallmanager_09.py

@@ -0,0 +1,61 @@
+from typing import Dict, List, Any
+from sraverify.services.firewallmanager.base import FirewallManagerCheck
+
+class SRA_FIREWALLMANAGER_09(FirewallManagerCheck):
+    def __init__(self):
+        super().__init__()
+        self.check_id = "SRA-FIREWALLMANAGER-09"
+        self.check_name = "Firewall Manager policies are in active status"
+        self.description = "Verifies that AWS Firewall Manager policies are in ACTIVE status and not out of admin scope"
+        self.severity = "HIGH"
+        self.check_logic = "Calls list_policies() per region and checks that all policies have PolicyStatus set to ACTIVE"
+
+    def execute(self) -> List[Dict[str, Any]]:
+        for region in self.regions:
+            policies_response = self.list_policies(region)
+            
+            if "Error" in policies_response:
+                self.findings.append(self.create_finding(
+                    status="ERROR",
+                    region=region,
+                    resource_id=None,
+                    actual_value=policies_response["Error"].get("Message", "Unknown error"),
+                    remediation="Check IAM permissions for Firewall Manager API access"
+                ))
+                continue
+            
+            policies = policies_response.get("PolicyList", [])
+            
+            if not policies:
+                self.findings.append(self.create_finding(
+                    status="PASS",
+                    region=region,
+                    resource_id=None,
+                    actual_value="No Firewall Manager policies configured in region",
+                    remediation="No remediation needed"
+                ))
+                continue
+            
+            for policy in policies:
+                policy_id = policy.get("PolicyId", "")
+                policy_name = policy.get("PolicyName", "Unknown")
+                policy_status = policy.get("PolicyStatus", "")
+                
+                if policy_status != "ACTIVE":
+                    self.findings.append(self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=policy_id,
+                        actual_value=f"Policy '{policy_name}' has status '{policy_status}'",
+                        remediation=f"Ensure policy '{policy_name}' is within admin scope to make it ACTIVE"
+                    ))
+                else:
+                    self.findings.append(self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=policy_id,
+                        actual_value=f"Policy '{policy_name}' is ACTIVE",
+                        remediation="No remediation needed"
+                    ))
+        
+        return self.findings