sraverify 0.1.0__py3-none-any.whl

sraverify/services/guardduty/checks/sra_guardduty_05.py

@@ -0,0 +1,84 @@
+"""
+Check if GuardDuty has VPC flow logs enabled as a log source.
+"""
+from typing import Dict, List, Any
+from sraverify.services.guardduty.base import GuardDutyCheck
+
+
+class SRA_GUARDDUTY_05(GuardDutyCheck):
+    """Check if GuardDuty has VPC flow logs enabled as a log source."""
+
+    def __init__(self):
+        """Initialize GuardDuty VPC flow logs check."""
+        super().__init__()
+        self.check_id = "SRA-GUARDDUTY-05"
+        self.check_name = "GuardDuty VPC flow logs enabled"
+        self.description = ("This check verifies that GuardDuty has VPC flow logs as one of the log sources, "
+                            "enabled.GuardDuty analyzes your VPC flow logs from Amazon EC2 instances within your account. "
+                            "It consumes VPC flow log events directly from the VPC Flow Logs feature through an independent "
+                            "and duplicated stream of flow logs.")
+        self.severity = "MEDIUM"
+        self.check_logic = "Get detector details in each Region. Check if VPC Flow logs are enabled in the Features array."
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []        
+        # Check all regions
+        for region in self.regions:
+            detector_id = self.get_detector_id(region)
+            
+            # Handle regions where we can't access GuardDuty
+            if not detector_id:
+                findings.append(self.create_finding(
+                    status="ERROR", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}", 
+                    actual_value="Unable to access GuardDuty in this region", 
+                    remediation="Check permissions or if GuardDuty is supported in this region"
+                ))
+                continue
+                
+            # Get detector details
+            detector_details = self.get_detector_details(region)
+            
+            if detector_details:
+                # Check if VPC flow logs are enabled in the Features array
+                vpc_logs_enabled = False
+                features = detector_details.get('Features', [])
+                
+                for feature in features:
+                    if feature.get('Name') == 'FLOW_LOGS' and feature.get('Status') == 'ENABLED':
+                        vpc_logs_enabled = True
+                        break
+                
+                if vpc_logs_enabled:
+                    findings.append(self.create_finding(
+                        status="PASS", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value="VPC flow logs are enabled as a data source", 
+                        remediation=""
+                    ))
+                else:
+                    findings.append(self.create_finding(
+                        status="FAIL", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value="VPC flow logs are not enabled as a data source", 
+                        remediation=f"Enable VPC flow logs as a data source for GuardDuty in {region}"
+                    ))
+            else:
+                findings.append(self.create_finding(
+                    status="FAIL", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}:{detector_id}", 
+                    actual_value="Unable to retrieve detector details", 
+                    remediation="Check GuardDuty permissions and configuration"
+                ))
+        
+        return findings

sraverify/services/guardduty/checks/sra_guardduty_06.py

@@ -0,0 +1,84 @@
+"""
+Check if GuardDuty has S3 protection enabled.
+"""
+from typing import Dict, List, Any
+from sraverify.services.guardduty.base import GuardDutyCheck
+
+
+class SRA_GUARDDUTY_06(GuardDutyCheck):
+    """Check if GuardDuty has S3 protection enabled."""
+
+    def __init__(self):
+        """Initialize GuardDuty S3 protection check."""
+        super().__init__()
+        self.check_id = "SRA-GUARDDUTY-06"
+        self.check_name = "GuardDuty S3 protection enabled"
+        self.description = ("This check verifies that GuardDuty has S3 protection enabled. "
+                           "GuardDuty provides enhanced visibility through S3 protection. "
+                           "GuardDuty monitors both AWS CloudTrail management events and AWS CloudTrail "
+                           "S3 data events to identify potential threats in your Amazon S3 resources.")
+        self.severity = "HIGH"
+        self.check_logic = "Get detector details in each Region. Check if S3 protection is enabled in the Features array."
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []        
+        # Check all regions
+        for region in self.regions:
+            detector_id = self.get_detector_id(region)
+            
+            # Handle regions where we can't access GuardDuty
+            if not detector_id:
+                findings.append(self.create_finding(
+                    status="ERROR", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}", 
+                    actual_value="Unable to access GuardDuty in this region", 
+                    remediation="Check permissions or if GuardDuty is supported in this region"
+                ))
+                continue
+                
+            # Get detector details
+            detector_details = self.get_detector_details(region)
+            
+            if detector_details:
+                # Check if S3 protection is enabled in the Features array
+                s3_protection_enabled = False
+                features = detector_details.get('Features', [])
+                
+                for feature in features:
+                    if feature.get('Name') == 'S3_DATA_EVENTS' and feature.get('Status') == 'ENABLED':
+                        s3_protection_enabled = True
+                        break
+                
+                if s3_protection_enabled:
+                    findings.append(self.create_finding(
+                        status="PASS", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value="S3 protection is enabled", 
+                        remediation=""
+                    ))
+                else:
+                    findings.append(self.create_finding(
+                        status="FAIL", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value="S3 protection is not enabled", 
+                        remediation=f"Enable S3 protection for GuardDuty in {region} to monitor CloudTrail management and S3 data events"
+                    ))
+            else:
+                findings.append(self.create_finding(
+                    status="FAIL", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}:{detector_id}", 
+                    actual_value="Unable to retrieve detector details", 
+                    remediation="Check GuardDuty permissions and configuration"
+                ))
+        
+        return findings

sraverify/services/guardduty/checks/sra_guardduty_07.py

@@ -0,0 +1,85 @@
+"""
+Check if GuardDuty has EKS protection enabled.
+"""
+from typing import Dict, List, Any
+from sraverify.services.guardduty.base import GuardDutyCheck
+
+
+class SRA_GUARDDUTY_07(GuardDutyCheck):
+    """Check if GuardDuty has EKS protection enabled."""
+
+    def __init__(self):
+        """Initialize GuardDuty EKS protection check."""
+        super().__init__()
+        self.check_id = "SRA-GUARDDUTY-07"
+        self.check_name = "GuardDuty EKS protection enabled"
+        self.description = ("This check verifies that GuardDuty has EKS protection enabled. "
+                           "EKS Audit Log Monitoring helps you detect potentially suspicious activities "
+                           "in your EKS clusters within Amazon Elastic Kubernetes Service. It consumes "
+                           "Kubernetes audit log events directly from the Amazon EKS control plane logging "
+                           "feature through an independent and duplicated stream of audit logs.")
+        self.severity = "HIGH"
+        self.check_logic = "Get detector details in each Region. Check if EKS protection is enabled in the Features array."
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []        
+        # Check all regions
+        for region in self.regions:
+            detector_id = self.get_detector_id(region)
+            
+            # Handle regions where we can't access GuardDuty
+            if not detector_id:
+                findings.append(self.create_finding(
+                    status="ERROR", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}", 
+                    actual_value="Unable to access GuardDuty in this region", 
+                    remediation="Check permissions or if GuardDuty is supported in this region"
+                ))
+                continue
+                
+            # Get detector details
+            detector_details = self.get_detector_details(region)
+            
+            if detector_details:
+                # Check if EKS protection is enabled in the Features array
+                eks_protection_enabled = False
+                features = detector_details.get('Features', [])
+                
+                for feature in features:
+                    if feature.get('Name') == 'EKS_AUDIT_LOGS' and feature.get('Status') == 'ENABLED':
+                        eks_protection_enabled = True
+                        break
+                
+                if eks_protection_enabled:
+                    findings.append(self.create_finding(
+                        status="PASS", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value="EKS protection is enabled", 
+                        remediation=""
+                    ))
+                else:
+                    findings.append(self.create_finding(
+                        status="FAIL", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value="EKS protection is not enabled", 
+                        remediation=f"Enable EKS protection for GuardDuty in {region} to monitor Kubernetes audit logs for suspicious activities"
+                    ))
+            else:
+                findings.append(self.create_finding(
+                    status="FAIL", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}:{detector_id}", 
+                    actual_value="Unable to retrieve detector details", 
+                    remediation="Check GuardDuty permissions and configuration"
+                ))
+        
+        return findings

sraverify/services/guardduty/checks/sra_guardduty_08.py

@@ -0,0 +1,83 @@
+"""
+Check if GuardDuty has CloudTrail event and management logs enabled.
+"""
+from typing import Dict, List, Any
+from sraverify.services.guardduty.base import GuardDutyCheck
+
+
+class SRA_GUARDDUTY_08(GuardDutyCheck):
+    """Check if GuardDuty has CloudTrail event and management logs enabled."""
+
+    def __init__(self):
+        """Initialize GuardDuty CloudTrail logs check."""
+        super().__init__()
+        self.check_id = "SRA-GUARDDUTY-08"
+        self.check_name = "GuardDuty CloudTrail logs enabled"
+        self.description = ("This check verifies that GuardDuty has CloudTrail event and management logs as one of the feature, enabled. "
+                           "GuardDuty consumes CloudTrail management events directly from CloudTrail through an independent and "
+                           "duplicated stream of events and analyzes the CloudTrail event logs.")
+        self.severity = "HIGH"
+        self.check_logic = "Get detector details in each Region. Check if CloudTrail logs are enabled in the Features array."
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []        
+        # Check all regions
+        for region in self.regions:
+            detector_id = self.get_detector_id(region)
+            
+            # Handle regions where we can't access GuardDuty
+            if not detector_id:
+                findings.append(self.create_finding(
+                    status="ERROR", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}", 
+                    actual_value="Unable to access GuardDuty in this region", 
+                    remediation="Check permissions or if GuardDuty is supported in this region"
+                ))
+                continue
+                
+            # Get detector details
+            detector_details = self.get_detector_details(region)
+            
+            if detector_details:
+                # Check if CloudTrail logs are enabled in the Features array
+                cloudtrail_enabled = False
+                features = detector_details.get('Features', [])
+                
+                for feature in features:
+                    if feature.get('Name') == 'CLOUD_TRAIL' and feature.get('Status') == 'ENABLED':
+                        cloudtrail_enabled = True
+                        break
+                
+                if cloudtrail_enabled:
+                    findings.append(self.create_finding(
+                        status="PASS", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value="CloudTrail event and management logs are enabled", 
+                        remediation=""
+                    ))
+                else:
+                    findings.append(self.create_finding(
+                        status="FAIL", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value="CloudTrail event and management logs are not enabled", 
+                        remediation=f"Enable CloudTrail event and management logs for GuardDuty in {region} to monitor for suspicious API activity"
+                    ))
+            else:
+                findings.append(self.create_finding(
+                    status="FAIL", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}:{detector_id}", 
+                    actual_value="Unable to retrieve detector details", 
+                    remediation="Check GuardDuty permissions and configuration"
+                ))
+        
+        return findings

sraverify/services/guardduty/checks/sra_guardduty_09.py

@@ -0,0 +1,84 @@
+"""
+Check if GuardDuty has malware protection for EBS enabled.
+"""
+from typing import Dict, List, Any
+from sraverify.services.guardduty.base import GuardDutyCheck
+
+
+class SRA_GUARDDUTY_09(GuardDutyCheck):
+    """Check if GuardDuty has malware protection for EBS enabled."""
+
+    def __init__(self):
+        """Initialize GuardDuty malware protection for EBS check."""
+        super().__init__()
+        self.check_id = "SRA-GUARDDUTY-09"
+        self.check_name = "GuardDuty malware protection for EBS enabled"
+        self.description = ("This check verifies that GuardDuty malware protection for EBS is enabled. "
+                           "Malware Protection for EC2 helps you detect the potential presence of malware "
+                           "by scanning the Amazon EBS volumes that are attached to the Amazon EC2 instances "
+                           "and container workloads.")
+        self.severity = "HIGH"
+        self.check_logic = "Get detector details in each Region. Check if malware protection for EBS is enabled in the Features array."
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []        
+        # Check all regions
+        for region in self.regions:
+            detector_id = self.get_detector_id(region)
+            
+            # Handle regions where we can't access GuardDuty
+            if not detector_id:
+                findings.append(self.create_finding(
+                    status="ERROR", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}", 
+                    actual_value="Unable to access GuardDuty in this region", 
+                    remediation="Check permissions or if GuardDuty is supported in this region"
+                ))
+                continue
+                
+            # Get detector details
+            detector_details = self.get_detector_details(region)
+            
+            if detector_details:
+                # Check if malware protection for EBS is enabled in the Features array
+                ebs_malware_protection_enabled = False
+                features = detector_details.get('Features', [])
+                
+                for feature in features:
+                    if feature.get('Name') == 'EBS_MALWARE_PROTECTION' and feature.get('Status') == 'ENABLED':
+                        ebs_malware_protection_enabled = True
+                        break
+                
+                if ebs_malware_protection_enabled:
+                    findings.append(self.create_finding(
+                        status="PASS", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value="Malware protection for EBS is enabled", 
+                        remediation=""
+                    ))
+                else:
+                    findings.append(self.create_finding(
+                        status="FAIL", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value="Malware protection for EBS is not enabled", 
+                        remediation=f"Enable malware protection for EBS in GuardDuty in {region} to scan EC2 instances and container workloads for malware"
+                    ))
+            else:
+                findings.append(self.create_finding(
+                    status="FAIL", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}:{detector_id}", 
+                    actual_value="Unable to retrieve detector details", 
+                    remediation="Check GuardDuty permissions and configuration"
+                ))
+        
+        return findings

sraverify/services/guardduty/checks/sra_guardduty_10.py

@@ -0,0 +1,83 @@
+"""
+Check if GuardDuty has RDS protection enabled.
+"""
+from typing import Dict, List, Any
+from sraverify.services.guardduty.base import GuardDutyCheck
+
+
+class SRA_GUARDDUTY_10(GuardDutyCheck):
+    """Check if GuardDuty has RDS protection enabled."""
+
+    def __init__(self):
+        """Initialize GuardDuty RDS protection check."""
+        super().__init__()
+        self.check_id = "SRA-GUARDDUTY-10"
+        self.check_name = "GuardDuty RDS protection enabled"
+        self.description = ("This check verifies that GuardDuty RDS protection is enabled. "
+                           "RDS Protection in Amazon GuardDuty analyzes and profiles RDS login activity "
+                           "for potential access threats to Amazon Aurora databases and Amazon RDS for PostgreSQL.")
+        self.severity = "HIGH"
+        self.check_logic = "Get detector details in each Region. Check if RDS protection is enabled in the Features array."
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []        
+        # Check all regions
+        for region in self.regions:
+            detector_id = self.get_detector_id(region)
+            
+            # Handle regions where we can't access GuardDuty
+            if not detector_id:
+                findings.append(self.create_finding(
+                    status="ERROR", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}", 
+                    actual_value="Unable to access GuardDuty in this region", 
+                    remediation="Check permissions or if GuardDuty is supported in this region"
+                ))
+                continue
+                
+            # Get detector details
+            detector_details = self.get_detector_details(region)
+            
+            if detector_details:
+                # Check if RDS protection is enabled in the Features array
+                rds_protection_enabled = False
+                features = detector_details.get('Features', [])
+                
+                for feature in features:
+                    if feature.get('Name') == 'RDS_LOGIN_EVENTS' and feature.get('Status') == 'ENABLED':
+                        rds_protection_enabled = True
+                        break
+                
+                if rds_protection_enabled:
+                    findings.append(self.create_finding(
+                        status="PASS", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value="RDS protection is enabled", 
+                        remediation=""
+                    ))
+                else:
+                    findings.append(self.create_finding(
+                        status="FAIL", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value="RDS protection is not enabled", 
+                        remediation=f"Enable RDS protection for GuardDuty in {region} to monitor login activity for potential threats to Aurora and RDS for PostgreSQL databases"
+                    ))
+            else:
+                findings.append(self.create_finding(
+                    status="FAIL", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}:{detector_id}", 
+                    actual_value="Unable to retrieve detector details", 
+                    remediation="Check GuardDuty permissions and configuration"
+                ))
+        
+        return findings

sraverify/services/guardduty/checks/sra_guardduty_11.py

@@ -0,0 +1,93 @@
+"""
+Check if GuardDuty has EKS runtime protection enabled.
+"""
+from typing import Dict, List, Any
+from sraverify.services.guardduty.base import GuardDutyCheck
+
+
+class SRA_GUARDDUTY_11(GuardDutyCheck):
+    """Check if GuardDuty has EKS runtime protection enabled."""
+
+    def __init__(self):
+        """Initialize GuardDuty EKS runtime protection check."""
+        super().__init__()
+        self.check_id = "SRA-GUARDDUTY-11"
+        self.check_name = "GuardDuty EKS runtime protection enabled"
+        self.description = ("This check verifies that GuardDuty EKS runtime (original) or runtime protection is enabled. "
+                           "Runtime Monitoring observes and analyzes operating system-level, networking, "
+                           "and file events to help you detect potential threats in specific AWS workloads")
+        self.severity = "HIGH"
+        self.check_logic = "Get detector details in each Region. Check if EKS runtime monitoring or runtime monitoring is enabled in the Features array."
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []        
+        # Check all regions
+        for region in self.regions:
+            detector_id = self.get_detector_id(region)
+            
+            # Handle regions where we can't access GuardDuty
+            if not detector_id:
+                findings.append(self.create_finding(
+                    status="ERROR", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}", 
+                    actual_value="Unable to access GuardDuty in this region", 
+                    remediation="Check permissions or if GuardDuty is supported in this region"
+                ))
+                continue
+                
+            # Get detector details
+            detector_details = self.get_detector_details(region)
+            
+            if detector_details:
+                # Check if EKS runtime protection is enabled in the Features array
+                # We need to check both EKS_RUNTIME_MONITORING (original) and RUNTIME_MONITORING features
+                eks_runtime_protection_enabled = False
+                runtime_monitoring_enabled = False
+                features = detector_details.get('Features', [])
+                
+                for feature in features:
+                    if feature.get('Name') == 'EKS_RUNTIME_MONITORING' and feature.get('Status') == 'ENABLED':
+                        eks_runtime_protection_enabled = True
+                    if feature.get('Name') == 'RUNTIME_MONITORING' and feature.get('Status') == 'ENABLED':
+                        runtime_monitoring_enabled = True
+                
+                # Consider the check passed if either of the runtime monitoring features is enabled
+                if eks_runtime_protection_enabled or runtime_monitoring_enabled:
+                    enabled_features = []
+                    if eks_runtime_protection_enabled:
+                        enabled_features.append("EKS_RUNTIME_MONITORING")
+                    if runtime_monitoring_enabled:
+                        enabled_features.append("RUNTIME_MONITORING")
+                    
+                    findings.append(self.create_finding(
+                        status="PASS", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value=f"Runtime protection is enabled: {', '.join(enabled_features)}", 
+                        remediation=""
+                    ))
+                else:
+                    findings.append(self.create_finding(
+                        status="FAIL", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value="Runtime protection is not enabled", 
+                        remediation=f"Enable Runtime Monitoring for GuardDuty in {region} to monitor operating system-level, networking, and file events in workloads"
+                    ))
+            else:
+                findings.append(self.create_finding(
+                    status="FAIL", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}:{detector_id}", 
+                    actual_value="Unable to retrieve detector details", 
+                    remediation="Check GuardDuty permissions and configuration"
+                ))
+        
+        return findings