sraverify 0.1.0__py3-none-any.whl

sraverify/services/firewallmanager/checks/sra_firewallmanager_10.py

@@ -0,0 +1,71 @@
+from typing import Dict, List, Any
+from sraverify.services.firewallmanager.base import FirewallManagerCheck
+
+class SRA_FIREWALLMANAGER_10(FirewallManagerCheck):
+    def __init__(self):
+        super().__init__()
+        self.check_id = "SRA-FIREWALLMANAGER-10"
+        self.check_name = "Firewall Manager policy cleanup is enabled"
+        self.description = "Verifies that AWS Firewall Manager policies have cleanup enabled to remove protections from resources that leave policy scope"
+        self.severity = "MEDIUM"
+        self.check_logic = "Calls list_policies() per region and checks that policies have DeleteUnusedFMManagedResources set to true"
+
+    def execute(self) -> List[Dict[str, Any]]:
+        for region in self.regions:
+            policies_response = self.list_policies(region)
+            
+            if "Error" in policies_response:
+                self.findings.append(self.create_finding(
+                    status="ERROR",
+                    region=region,
+                    resource_id=None,
+                    actual_value=policies_response["Error"].get("Message", "Unknown error"),
+                    remediation="Check IAM permissions for Firewall Manager API access"
+                ))
+                continue
+            
+            policies = policies_response.get("PolicyList", [])
+            
+            if not policies:
+                self.findings.append(self.create_finding(
+                    status="PASS",
+                    region=region,
+                    resource_id=None,
+                    actual_value="No Firewall Manager policies configured in region",
+                    remediation="No remediation needed"
+                ))
+                continue
+            
+            for policy in policies:
+                policy_id = policy.get("PolicyId", "")
+                policy_name = policy.get("PolicyName", "Unknown")
+                security_service_type = policy.get("SecurityServiceType", "")
+                cleanup_enabled = policy.get("DeleteUnusedFMManagedResources", False)
+                
+                # Shield Advanced and WAF Classic don't support cleanup
+                if security_service_type in ["SHIELD_ADVANCED", "WAF"]:
+                    self.findings.append(self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=policy_id,
+                        actual_value=f"Policy '{policy_name}' ({security_service_type}) does not support cleanup",
+                        remediation="No remediation needed - cleanup not available for this policy type"
+                    ))
+                elif not cleanup_enabled:
+                    self.findings.append(self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=policy_id,
+                        actual_value=f"Policy '{policy_name}' has cleanup disabled",
+                        remediation=f"Enable cleanup on policy '{policy_name}' to automatically remove protections from out-of-scope resources"
+                    ))
+                else:
+                    self.findings.append(self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=policy_id,
+                        actual_value=f"Policy '{policy_name}' has cleanup enabled",
+                        remediation="No remediation needed"
+                    ))
+        
+        return self.findings

sraverify/services/firewallmanager/client.py

@@ -0,0 +1,40 @@
+from typing import Dict, Any, Optional
+import boto3
+from botocore.exceptions import ClientError
+from sraverify.core.logging import logger
+
+class FirewallManagerClient:
+    def __init__(self, region: str, session: Optional[boto3.Session] = None):
+        self.region = region
+        self.session = session or boto3.Session()
+        self.client = self.session.client('fms', region_name=region)
+
+    def get_admin_account(self) -> Dict[str, Any]:
+        try:
+            return self.client.get_admin_account()
+        except ClientError as e:
+            error_code = e.response.get('Error', {}).get('Code', '')
+            if error_code == 'ResourceNotFoundException':
+                return {"Error": {"Message": "No Firewall Manager administrator account configured"}}
+            logger.error(f"Error getting Firewall Manager admin account: {e}")
+            return {"Error": {"Message": str(e)}}
+
+    def list_policies(self) -> Dict[str, Any]:
+        try:
+            policies = []
+            next_token = None
+            while True:
+                if next_token:
+                    response = self.client.list_policies(NextToken=next_token, MaxResults=100)
+                else:
+                    response = self.client.list_policies(MaxResults=100)
+                
+                policies.extend(response.get('PolicyList', []))
+                next_token = response.get('NextToken')
+                if not next_token:
+                    break
+            
+            return {"PolicyList": policies}
+        except ClientError as e:
+            logger.error(f"Error listing Firewall Manager policies in {self.region}: {e}")
+            return {"Error": {"Message": str(e)}}

sraverify/services/guardduty/__init__.py

@@ -0,0 +1,58 @@
+"""
+GuardDuty security checks.
+"""
+from sraverify.services.guardduty.checks.sra_guardduty_01 import SRA_GUARDDUTY_01
+from sraverify.services.guardduty.checks.sra_guardduty_02 import SRA_GUARDDUTY_02
+from sraverify.services.guardduty.checks.sra_guardduty_03 import SRA_GUARDDUTY_03
+from sraverify.services.guardduty.checks.sra_guardduty_04 import SRA_GUARDDUTY_04
+from sraverify.services.guardduty.checks.sra_guardduty_05 import SRA_GUARDDUTY_05
+from sraverify.services.guardduty.checks.sra_guardduty_06 import SRA_GUARDDUTY_06
+from sraverify.services.guardduty.checks.sra_guardduty_07 import SRA_GUARDDUTY_07
+from sraverify.services.guardduty.checks.sra_guardduty_08 import SRA_GUARDDUTY_08
+from sraverify.services.guardduty.checks.sra_guardduty_09 import SRA_GUARDDUTY_09
+from sraverify.services.guardduty.checks.sra_guardduty_10 import SRA_GUARDDUTY_10
+from sraverify.services.guardduty.checks.sra_guardduty_11 import SRA_GUARDDUTY_11
+from sraverify.services.guardduty.checks.sra_guardduty_12 import SRA_GUARDDUTY_12
+from sraverify.services.guardduty.checks.sra_guardduty_13 import SRA_GUARDDUTY_13
+from sraverify.services.guardduty.checks.sra_guardduty_14 import SRA_GUARDDUTY_14
+from sraverify.services.guardduty.checks.sra_guardduty_15 import SRA_GUARDDUTY_15
+from sraverify.services.guardduty.checks.sra_guardduty_16 import SRA_GUARDDUTY_16
+from sraverify.services.guardduty.checks.sra_guardduty_17 import SRA_GUARDDUTY_17
+from sraverify.services.guardduty.checks.sra_guardduty_18 import SRA_GUARDDUTY_18
+from sraverify.services.guardduty.checks.sra_guardduty_19 import SRA_GUARDDUTY_19
+from sraverify.services.guardduty.checks.sra_guardduty_20 import SRA_GUARDDUTY_20
+from sraverify.services.guardduty.checks.sra_guardduty_21 import SRA_GUARDDUTY_21
+from sraverify.services.guardduty.checks.sra_guardduty_22 import SRA_GUARDDUTY_22
+from sraverify.services.guardduty.checks.sra_guardduty_23 import SRA_GUARDDUTY_23
+from sraverify.services.guardduty.checks.sra_guardduty_24 import SRA_GUARDDUTY_24
+from sraverify.services.guardduty.checks.sra_guardduty_25 import SRA_GUARDDUTY_25
+
+# Map check IDs to check classes for easy lookup
+CHECKS = {
+    "SRA-GUARDDUTY-01": SRA_GUARDDUTY_01,
+    "SRA-GUARDDUTY-02": SRA_GUARDDUTY_02,
+    "SRA-GUARDDUTY-03": SRA_GUARDDUTY_03,
+    "SRA-GUARDDUTY-04": SRA_GUARDDUTY_04,
+    "SRA-GUARDDUTY-05": SRA_GUARDDUTY_05,
+    "SRA-GUARDDUTY-06": SRA_GUARDDUTY_06,
+    "SRA-GUARDDUTY-07": SRA_GUARDDUTY_07,
+    "SRA-GUARDDUTY-08": SRA_GUARDDUTY_08,
+    "SRA-GUARDDUTY-09": SRA_GUARDDUTY_09,
+    "SRA-GUARDDUTY-10": SRA_GUARDDUTY_10,
+    "SRA-GUARDDUTY-11": SRA_GUARDDUTY_11,
+    "SRA-GUARDDUTY-12": SRA_GUARDDUTY_12,
+    "SRA-GUARDDUTY-13": SRA_GUARDDUTY_13,
+    "SRA-GUARDDUTY-14": SRA_GUARDDUTY_14,
+    "SRA-GUARDDUTY-15": SRA_GUARDDUTY_15,
+    "SRA-GUARDDUTY-16": SRA_GUARDDUTY_16,
+    "SRA-GUARDDUTY-17": SRA_GUARDDUTY_17,
+    "SRA-GUARDDUTY-18": SRA_GUARDDUTY_18,
+    "SRA-GUARDDUTY-19": SRA_GUARDDUTY_19,
+    "SRA-GUARDDUTY-20": SRA_GUARDDUTY_20,
+    "SRA-GUARDDUTY-21": SRA_GUARDDUTY_21,
+    "SRA-GUARDDUTY-22": SRA_GUARDDUTY_22,
+    "SRA-GUARDDUTY-23": SRA_GUARDDUTY_23,
+    "SRA-GUARDDUTY-24": SRA_GUARDDUTY_24,
+    "SRA-GUARDDUTY-25": SRA_GUARDDUTY_25
+    # Add more checks here as they are implemented
+}

sraverify/services/guardduty/base.py

@@ -0,0 +1,207 @@
+"""
+Base class for GuardDuty security checks.
+"""
+from typing import List, Optional, Dict, Any
+from sraverify.core.check import SecurityCheck
+from sraverify.services.guardduty.client import GuardDutyClient
+from sraverify.core.logging import logger
+
+
+class GuardDutyCheck(SecurityCheck):
+    """Base class for all GuardDuty security checks."""
+    
+    # Class-level caches shared across all instances
+    _detector_details_cache = {}
+    _detector_ids_cache = {}
+    _org_config_cache = {}
+    _admin_accounts_cache = {}
+    
+    def __init__(self):
+        """Initialize GuardDuty base check."""
+        super().__init__(
+            account_type="application",
+            service="GuardDuty",
+            resource_type="AWS::GuardDuty::Detector"
+        )
+    
+    def _setup_clients(self):
+        """Set up GuardDuty clients for each region."""
+        # Clear existing clients
+        self._clients.clear()
+        # Set up new clients only if regions are initialized
+        if hasattr(self, 'regions') and self.regions:
+            for region in self.regions:
+                self._clients[region] = GuardDutyClient(region, session=self.session)
+    
+    def get_detector_id(self, region: str) -> Optional[str]:
+        """
+        Get detector ID for a specific region with caching.
+        
+        Args:
+            region: AWS region name
+            
+        Returns:
+            Detector ID if available, None otherwise
+        """
+        # Check class-level cache
+        cache_key = f"{self.session.region_name}:{region}"
+        if cache_key in GuardDutyCheck._detector_ids_cache:
+            logger.debug(f"GuardDuty: Using cached detector ID for {region}")
+            return GuardDutyCheck._detector_ids_cache[cache_key]
+        
+        # Get client
+        client = self.get_client(region)
+        if not client:
+            logger.warning(f"GuardDuty: No GuardDuty client available for region {region}")
+            return None
+        
+        # Get detector ID
+        logger.debug(f"GuardDuty: Fetching detector ID for {region}")
+        detector_id = client.get_detector_id()
+        
+        # Check if detector_id contains an error
+        if detector_id and isinstance(detector_id, str) and detector_id.startswith("ERROR:"):
+            _, error_code, error_message = detector_id.split(":", 2)
+            logger.warning(f"GuardDuty: Error accessing GuardDuty in {region}: {error_code}")
+            GuardDutyCheck._detector_ids_cache[cache_key] = None
+            return None
+        
+        # Cache the detector ID
+        if detector_id:
+            logger.debug(f"GuardDuty: Found detector ID {detector_id} for {region}")
+            GuardDutyCheck._detector_ids_cache[cache_key] = detector_id
+        else:
+            logger.debug(f"GuardDuty: No detector ID found for {region}")
+        
+        return detector_id
+    
+    def get_detector_details(self, region: str) -> Dict[str, Any]:
+        """
+        Get detector details for a specific region.
+        
+        Args:
+            region: AWS region name
+            
+        Returns:
+            Dictionary containing detector details or empty dict if not available
+        """
+        # Check if we already have cached details in the class-level cache
+        cache_key = f"{self.session.region_name}:{region}"  # Include session region to avoid conflicts
+        if cache_key in GuardDutyCheck._detector_details_cache:
+            logger.debug(f"GuardDuty: Using cached detector details for {region}")
+            return GuardDutyCheck._detector_details_cache[cache_key]
+        
+        # Get detector ID
+        detector_id = self.get_detector_id(region)
+        if not detector_id:
+            logger.debug(f"GuardDuty: No detector ID found for region {region}")
+            return {}
+        
+        # Get client
+        client = self.get_client(region)
+        if not client:
+            logger.warning(f"GuardDuty: No GuardDuty client available for region {region}")
+            return {}
+        
+        # Get detector details
+        logger.debug(f"GuardDuty: Getting detector details for {detector_id} in {region}")
+        details = client.get_detector_details(detector_id)
+        
+        # Cache the details in the class-level cache
+        GuardDutyCheck._detector_details_cache[cache_key] = details
+        logger.debug(f"GuardDuty: Cached detector details for {region}")
+        
+        return details
+    
+    def get_organization_configuration(self, region: str) -> Dict[str, Any]:
+        """
+        Get organization configuration for a specific region.
+        
+        Args:
+            region: AWS region name
+            
+        Returns:
+            Dictionary containing organization configuration details or empty dict if not available
+        """
+        # Check if we already have cached org config in the class-level cache
+        cache_key = f"{self.session.region_name}:{region}"
+        if cache_key in GuardDutyCheck._org_config_cache:
+            logger.debug(f"GuardDuty: Using cached organization configuration for {region}")
+            return GuardDutyCheck._org_config_cache[cache_key]
+        
+        # Get detector ID
+        detector_id = self.get_detector_id(region)
+        if not detector_id:
+            logger.debug(f"GuardDuty: No detector ID found for region {region}")
+            return {}
+        
+        # Get client
+        client = self.get_client(region)
+        if not client:
+            logger.warning(f"GuardDuty: No GuardDuty client available for region {region}")
+            return {}
+        
+        # Get organization configuration
+        logger.debug(f"GuardDuty: Getting organization configuration for {detector_id} in {region}")
+        org_config = client.describe_organization_configuration(detector_id)
+        
+        # Cache the org config in the class-level cache
+        GuardDutyCheck._org_config_cache[cache_key] = org_config
+        logger.debug(f"GuardDuty: Cached organization configuration for {region}")
+        
+        return org_config
+    
+    def list_organization_admin_accounts(self, region: str) -> Dict[str, Any]:
+        """
+        List organization admin accounts for GuardDuty.
+        
+        Args:
+            region: AWS region name
+            
+        Returns:
+            Dictionary containing organization admin accounts details or empty dict if not available
+        """
+        # Check if we already have cached admin accounts in the class-level cache
+        cache_key = f"{self.session.region_name}:{region}"
+        if cache_key in GuardDutyCheck._admin_accounts_cache:
+            logger.debug(f"GuardDuty: Using cached organization admin accounts for {region}")
+            return GuardDutyCheck._admin_accounts_cache[cache_key]
+        
+        # Get client
+        client = self.get_client(region)
+        if not client:
+            logger.warning(f"GuardDuty: No GuardDuty client available for region {region}")
+            return {}
+        
+        # List organization admin accounts
+        logger.debug(f"GuardDuty: Listing organization admin accounts in {region}")
+        admin_accounts = client.list_organization_admin_accounts()
+        
+        # Cache the admin accounts in the class-level cache
+        GuardDutyCheck._admin_accounts_cache[cache_key] = admin_accounts
+        logger.debug(f"GuardDuty: Cached organization admin accounts for {region}")
+        
+        return admin_accounts
+    
+    def get_enabled_regions(self) -> List[str]:
+        """
+        Get list of regions where GuardDuty is enabled.
+        
+        Returns:
+            List of region names where GuardDuty is enabled
+        """
+        # If no detector IDs have been discovered yet, try to discover them
+        if not any(k.endswith(f":{region}") for k in GuardDutyCheck._detector_ids_cache.keys() 
+                  for region in self.regions):
+            logger.debug("GuardDuty: No detector IDs cached, discovering them now")
+            for region in self.regions:
+                self.get_detector_id(region)
+        
+        # Get regions from the class-level cache that match the current session
+        prefix = f"{self.session.region_name}:"
+        enabled_regions = [
+            key.split(":")[-1] for key in GuardDutyCheck._detector_ids_cache.keys()
+            if key.startswith(prefix) and GuardDutyCheck._detector_ids_cache[key] is not None
+        ]
+        
+        return enabled_regions

sraverify/services/guardduty/checks/__init__.py

@@ -0,0 +1,3 @@
+"""
+GuardDuty security check implementations.
+"""

sraverify/services/guardduty/checks/sra_guardduty_01.py

@@ -0,0 +1,51 @@
+"""
+Check if GuardDuty detector exists.
+"""
+from typing import Dict, List, Any
+from sraverify.services.guardduty.base import GuardDutyCheck
+
+
+class SRA_GUARDDUTY_01(GuardDutyCheck):
+    """Check if GuardDuty detector exists."""
+
+    def __init__(self):
+        """Initialize GuardDuty enabled check."""
+        super().__init__()
+        self.check_id = "SRA-GUARDDUTY-01"
+        self.check_name = "GuardDuty detector exists"
+        self.description = "This check verifies that an GuardDuty detector exists in the AWS Region.\
+              A detector is a resource that represents the GuardDuty service and should be present \
+                in all AWS member account and AWS Region so that GuardDuty can generate findings \
+                    about unauthorized or unusual activity even in those Regions that you may not \
+                        be using actively."
+        self.severity = "HIGH"
+        self.check_logic = "Get detector_id in each Region. Check fails if there is no detector_id"
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        for region in self.regions:
+            detector_id = self.get_detector_id(region)
+            
+            if not detector_id:
+                self.findings.append(self.create_finding(
+                    status="FAIL", 
+                    region=region, 
+                    resource_id=None, 
+                    actual_value=None, 
+                    remediation=f"Enable GuardDuty in {region}"
+                ))
+            else:
+                self.findings.append(self.create_finding(
+                    status="PASS", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}:{detector_id}", 
+                    actual_value=None, 
+                    remediation=""
+                ))
+        
+        return self.findings

sraverify/services/guardduty/checks/sra_guardduty_02.py

@@ -0,0 +1,80 @@
+"""
+Check if GuardDuty finding frequency is set.
+"""
+from typing import Dict, List, Any
+from sraverify.services.guardduty.base import GuardDutyCheck
+
+
+class SRA_GUARDDUTY_02(GuardDutyCheck):
+    """Check if GuardDuty finding frequency is set."""
+
+    def __init__(self):
+        """Initialize GuardDuty enabled check."""
+        super().__init__()
+        self.check_id = "SRA-GUARDDUTY-02"
+        self.check_name = "GuardDuty finding frequency is set"
+        self.description = ("This check verifies that the GuardDuty finding frequency is set "
+                           "as per your organization requirement. This determines how often updates to active "
+                           "findings are exported to EventBridge, S3 (optional) and Detective (optional). "
+                           "By default, updated findings are exported every 6 hours but you can set to "
+                           "every 15 minutes or 1 hour.")
+        self.severity = "LOW"
+        self.check_logic = "Get detector details in each Region. Check value of FindingPublishingFrequency."
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []        
+        # Check all regions
+        for region in self.regions:
+            detector_id = self.get_detector_id(region)
+            
+            # Handle regions where we can't access GuardDuty
+            if not detector_id:
+                findings.append(self.create_finding(
+                    status="ERROR", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}", 
+                    actual_value="Unable to access GuardDuty in this region", 
+                    remediation="Check permissions or if GuardDuty is supported in this region"
+                ))
+                continue
+                
+            # Use helper method from the base class
+            detector_details = self.get_detector_details(region)
+            
+            if detector_details:
+                finding_frequency = detector_details.get('FindingPublishingFrequency', 'Not set')
+                
+                # Determine if the frequency is set to a valid value
+                valid_frequencies = ['FIFTEEN_MINUTES', 'ONE_HOUR', 'SIX_HOURS']
+                if finding_frequency in valid_frequencies:
+                    findings.append(self.create_finding(
+                        status="PASS", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value=f"Finding frequency is set to {finding_frequency}", 
+                        remediation="No remediation needed"
+                    ))
+                else:
+                    findings.append(self.create_finding(
+                        status="FAIL", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value=f"Finding frequency is not properly set: {finding_frequency}", 
+                        remediation="Set GuardDuty finding frequency to FIFTEEN_MINUTES, ONE_HOUR, or SIX_HOURS"
+                    ))
+            else:
+                findings.append(self.create_finding(
+                    status="FAIL", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}:{detector_id}", 
+                    actual_value="Unable to retrieve detector details", 
+                    remediation="Check GuardDuty permissions and configuration"
+                ))
+        
+        return findings

sraverify/services/guardduty/checks/sra_guardduty_03.py

@@ -0,0 +1,77 @@
+"""
+Check if GuardDuty detector is enabled.
+"""
+from typing import Dict, List, Any
+from sraverify.services.guardduty.base import GuardDutyCheck
+
+
+class SRA_GUARDDUTY_03(GuardDutyCheck):
+    """Check if GuardDuty detector is enabled."""
+
+    def __init__(self):
+        """Initialize GuardDuty enabled check."""
+        super().__init__()
+        self.check_id = "SRA-GUARDDUTY-03"
+        self.check_name = "GuardDuty detector is enabled"
+        self.description = ("This check verifies that the GuardDuty detector in the "
+                            "AWS account and AWS region is enabled. Detector represents " 
+                            "GuardDuty service in the AWS account and specific region, "
+                            "if disabled will not provided threat intelligence service.")
+        self.severity = "HIGH"
+        self.check_logic = "Get detector details in each Region. Check value of FindingPublishingFrequency."
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []        
+        # Check all regions
+        for region in self.regions:
+            detector_id = self.get_detector_id(region)
+            
+            # Handle regions where we can't access GuardDuty
+            if not detector_id:
+                findings.append(self.create_finding(
+                    status="ERROR", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}", 
+                    actual_value="Unable to access GuardDuty in this region", 
+                    remediation="Check permissions or if GuardDuty is supported in this region"
+                ))
+                continue
+                
+            # Use helper method from the base class
+            detector_details = self.get_detector_details(region)
+            
+            if detector_details:
+                detector_status = detector_details.get('Status', 'Not set')
+                
+                if detector_status == 'ENABLED':
+                    findings.append(self.create_finding(
+                        status="PASS", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value=f"Detector status is {detector_status}", 
+                        remediation="No remediation needed"
+                    ))
+                else:
+                    findings.append(self.create_finding(
+                        status="FAIL", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value=f"Detector status is {detector_status}", 
+                        remediation="Enabled GuardDuty"
+                    ))
+            else:
+                findings.append(self.create_finding(
+                    status="FAIL", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}:{detector_id}", 
+                    actual_value="Unable to retrieve detector details", 
+                    remediation="Check GuardDuty permissions and configuration"
+                ))
+        
+        return findings

sraverify/services/guardduty/checks/sra_guardduty_04.py

@@ -0,0 +1,84 @@
+"""
+Check if GuardDuty has DNS logs enabled as a log source.
+"""
+from typing import Dict, List, Any
+from sraverify.services.guardduty.base import GuardDutyCheck
+
+
+class SRA_GUARDDUTY_04(GuardDutyCheck):
+    """Check if GuardDuty has DNS logs enabled as a log source."""
+
+    def __init__(self):
+        """Initialize GuardDuty DNS logs check."""
+        super().__init__()
+        self.check_id = "SRA-GUARDDUTY-04"
+        self.check_name = "GuardDuty DNS logs enabled"
+        self.description = ("This check verifies that GuardDuty has DNS logs as one of the log sources, enabled. "
+                            "If you use AWS DNS resolvers for your Amazon EC2 instances (the default setting), " 
+                            "then GuardDuty can access and process your request and response DNS logs through the " 
+                            "internal AWS DNS resolvers.")
+        self.severity = "MEDIUM"
+        self.check_logic = "Get detector details in each Region. Check if DNS logs are enabled in the Features array."
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []        
+        # Check all regions
+        for region in self.regions:
+            detector_id = self.get_detector_id(region)
+            
+            # Handle regions where we can't access GuardDuty
+            if not detector_id:
+                findings.append(self.create_finding(
+                    status="ERROR", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}", 
+                    actual_value="Unable to access GuardDuty in this region", 
+                    remediation="Check permissions or if GuardDuty is supported in this region"
+                ))
+                continue
+                
+            # Get detector details
+            detector_details = self.get_detector_details(region)
+            
+            if detector_details:
+                # Check if DNS logs are enabled in the Features array
+                dns_logs_enabled = False
+                features = detector_details.get('Features', [])
+                
+                for feature in features:
+                    if feature.get('Name') == 'DNS_LOGS' and feature.get('Status') == 'ENABLED':
+                        dns_logs_enabled = True
+                        break
+                
+                if dns_logs_enabled:
+                    findings.append(self.create_finding(
+                        status="PASS", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value="DNS logs are enabled as a data source", 
+                        remediation=""
+                    ))
+                else:
+                    findings.append(self.create_finding(
+                        status="FAIL", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value="DNS logs are not enabled as a data source", 
+                        remediation=f"Enable DNS logs as a data source for GuardDuty in {region}"
+                    ))
+            else:
+                findings.append(self.create_finding(
+                    status="FAIL", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}:{detector_id}", 
+                    actual_value="Unable to retrieve detector details", 
+                    remediation="Check GuardDuty permissions and configuration"
+                ))
+        
+        return findings