sraverify 0.1.0__py3-none-any.whl

sraverify/services/guardduty/checks/sra_guardduty_12.py

@@ -0,0 +1,83 @@
+"""
+Check if GuardDuty has Lambda protection enabled.
+"""
+from typing import Dict, List, Any
+from sraverify.services.guardduty.base import GuardDutyCheck
+
+
+class SRA_GUARDDUTY_12(GuardDutyCheck):
+    """Check if GuardDuty has Lambda protection enabled."""
+
+    def __init__(self):
+        """Initialize GuardDuty Lambda protection check."""
+        super().__init__()
+        self.check_id = "SRA-GUARDDUTY-12"
+        self.check_name = "GuardDuty Lambda protection enabled"
+        self.description = ("This check verifies that GuardDuty Lambda protection is enabled. "
+                           "Lambda Protection helps identify potential security threats when an AWS Lambda "
+                           "function gets invoked in the AWS environment.")
+        self.severity = "HIGH"
+        self.check_logic = "Get detector details in each Region. Check if Lambda protection is enabled in the Features array."
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []        
+        # Check all regions
+        for region in self.regions:
+            detector_id = self.get_detector_id(region)
+            
+            # Handle regions where we can't access GuardDuty
+            if not detector_id:
+                findings.append(self.create_finding(
+                    status="ERROR", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}", 
+                    actual_value="Unable to access GuardDuty in this region", 
+                    remediation="Check permissions or if GuardDuty is supported in this region"
+                ))
+                continue
+                
+            # Get detector details
+            detector_details = self.get_detector_details(region)
+            
+            if detector_details:
+                # Check if Lambda protection is enabled in the Features array
+                lambda_protection_enabled = False
+                features = detector_details.get('Features', [])
+                
+                for feature in features:
+                    if feature.get('Name') == 'LAMBDA_NETWORK_LOGS' and feature.get('Status') == 'ENABLED':
+                        lambda_protection_enabled = True
+                        break
+                
+                if lambda_protection_enabled:
+                    findings.append(self.create_finding(
+                        status="PASS", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value="Lambda protection is enabled", 
+                        remediation=""
+                    ))
+                else:
+                    findings.append(self.create_finding(
+                        status="FAIL", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value="Lambda protection is not enabled", 
+                        remediation=f"Enable Lambda protection for GuardDuty in {region} to identify potential security threats in Lambda function invocations"
+                    ))
+            else:
+                findings.append(self.create_finding(
+                    status="FAIL", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}:{detector_id}", 
+                    actual_value="Unable to retrieve detector details", 
+                    remediation="Check GuardDuty permissions and configuration"
+                ))
+        
+        return findings

sraverify/services/guardduty/checks/sra_guardduty_13.py

@@ -0,0 +1,90 @@
+"""
+Check if GuardDuty service administration is delegated to a different account.
+"""
+from typing import Dict, List, Any
+from sraverify.services.guardduty.base import GuardDutyCheck
+
+
+class SRA_GUARDDUTY_13(GuardDutyCheck):
+    """Check if GuardDuty service administration is delegated to a different account."""
+
+    def __init__(self):
+        """Initialize GuardDuty service administration delegation check."""
+        super().__init__()
+        self.check_id = "SRA-GUARDDUTY-13"
+        self.check_name = "GuardDuty service administration delegated"
+        self.description = ("This check verifies whether GuardDuty service administration for the AWS Organization "
+                           "is delegated. Centralized management of GuardDuty across the organization improves "
+                           "security visibility and control.")
+        self.severity = "HIGH"
+        self.check_logic = "Check if GuardDuty is configured with a delegated administrator using GuardDuty list-organization-admin-accounts API."
+        self.account_type = "management"
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []        
+        # Check all regions
+        for region in self.regions:
+            detector_id = self.get_detector_id(region)
+            
+            # Handle regions where we can't access GuardDuty
+            if not detector_id:
+                findings.append(self.create_finding(
+                    status="ERROR", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}", 
+                    actual_value="Unable to access GuardDuty in this region", 
+                    remediation="Check permissions or if GuardDuty is supported in this region"
+                ))
+                continue
+                
+            # List organization admin accounts for GuardDuty
+            admin_accounts_response = self.list_organization_admin_accounts(region)
+            admin_accounts = admin_accounts_response.get('AdminAccounts', [])
+            
+            if admin_accounts:
+                # GuardDuty has an admin account
+                admin_account_id = admin_accounts[0].get('AdminAccountId')
+                admin_account_status = admin_accounts[0].get('AdminStatus', 'Unknown')
+                
+                # Check if the admin account is different from the current account and is enabled
+                if admin_account_id != self.account_id and admin_account_status == 'ENABLED':
+                    findings.append(self.create_finding(
+                        status="PASS", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value=f"GuardDuty service administration is delegated to account {admin_account_id}", 
+                        remediation=""
+                    ))
+                elif admin_account_id == self.account_id:
+                    findings.append(self.create_finding(
+                        status="FAIL", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value="GuardDuty service administration is delegated to the management account itself", 
+                        remediation=f"Delegate GuardDuty administration to a security account other than the management account in {region}"
+                    ))
+                else:
+                    findings.append(self.create_finding(
+                        status="FAIL", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value=f"GuardDuty service administration is delegated to account {admin_account_id} but status is {admin_account_status}", 
+                        remediation=f"Check the status of the delegated administrator account in {region}"
+                    ))
+            else:
+                # No admin account for GuardDuty
+                findings.append(self.create_finding(
+                    status="FAIL", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}:{detector_id}", 
+                    actual_value="GuardDuty service administration is not delegated to any account", 
+                    remediation=f"Delegate GuardDuty administration to a security account using the Organizations service in {region}"
+                ))
+        
+        return findings

sraverify/services/guardduty/checks/sra_guardduty_14.py

@@ -0,0 +1,136 @@
+"""
+Check if GuardDuty delegated admin account is the audit account.
+"""
+from typing import Dict, List, Any
+from sraverify.services.guardduty.base import GuardDutyCheck
+from sraverify.core.logging import logger
+
+
+class SRA_GUARDDUTY_14(GuardDutyCheck):
+    """Check if GuardDuty delegated admin account is the audit account."""
+
+    def __init__(self):
+        """Initialize GuardDuty delegated admin check."""
+        super().__init__()
+        self.check_id = "SRA-GUARDDUTY-14"
+        self.check_name = "GuardDuty delegated admin is audit account"
+        self.description = ("This check verifies whether GuardDuty delegated admin account is the audit account "
+                           "of your AWS organization. The audit account is dedicated to operating security services, "
+                           "monitoring AWS accounts, and automating security alerting and response. GuardDuty helps "
+                           "monitor resources for unusual and suspicious activities.")
+        self.severity = "HIGH"
+        self.check_logic = "Check if GuardDuty delegated administrator is the audit account using GuardDuty list-organization-admin-accounts API."
+        self.account_type = "management"
+        self._audit_accounts = []
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []        
+        # Get the audit account ID from the _audit_accounts list
+        # This is populated by main.py from the CLI arguments
+        if not self._audit_accounts:
+            logger.warning("Audit account ID not provided. Check cannot be completed.")
+            for region in self.regions:
+                findings.append(self.create_finding(
+                    status="ERROR", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}", 
+                    actual_value="Audit account ID not provided", 
+                    remediation="Run sraverify with --audit-account parameter"
+                ))
+            return findings
+        
+        # Use the first audit account in the list
+        audit_account_id = self._audit_accounts[0]
+        logger.debug(f"Using audit account ID: {audit_account_id}")
+        
+        # Check all regions
+        for region in self.regions:
+            detector_id = self.get_detector_id(region)
+            
+            # Handle regions where we can't access GuardDuty
+            if not detector_id:
+                findings.append(self.create_finding(
+                    status="ERROR", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}", 
+                    actual_value="Unable to access GuardDuty in this region", 
+                    remediation="Check permissions or if GuardDuty is supported in this region"
+                ))
+                continue
+                
+            # List organization admin accounts for GuardDuty
+            admin_accounts_response = self.list_organization_admin_accounts(region)
+            
+            # Check if there was an error in the response
+            if "Error" in admin_accounts_response:
+                error_code = admin_accounts_response["Error"].get("Code", "Unknown")
+                error_message = admin_accounts_response["Error"].get("Message", "Unknown error")
+                
+                # Handle BadRequestException specifically for non-management accounts
+                if error_code == "BadRequestException" and "not the master account" in error_message:
+                    findings.append(self.create_finding(
+                        status="ERROR", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value=f"This check must be run from the organization management account", 
+                        remediation="Run this check from the AWS Organizations management account"
+                    ))
+                else:
+                    findings.append(self.create_finding(
+                        status="ERROR", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value=f"Error accessing GuardDuty organization information: {error_code}", 
+                        remediation="Check permissions and AWS Organizations configuration"
+                    ))
+                continue
+            
+            admin_accounts = admin_accounts_response.get('AdminAccounts', [])
+            
+            if admin_accounts:
+                # GuardDuty has an admin account
+                admin_account_id = admin_accounts[0].get('AdminAccountId')
+                admin_account_status = admin_accounts[0].get('AdminStatus', 'Unknown')
+                
+                # Check if the admin account is the audit account and is enabled
+                if admin_account_id == audit_account_id and admin_account_status == 'ENABLED':
+                    findings.append(self.create_finding(
+                        status="PASS", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value=f"GuardDuty delegated admin account is the audit account ({audit_account_id})", 
+                        remediation=""
+                    ))
+                elif admin_account_id != audit_account_id:
+                    findings.append(self.create_finding(
+                        status="FAIL", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value=f"GuardDuty delegated admin account ({admin_account_id}) is not the audit account ({audit_account_id})", 
+                        remediation=f"Delegate GuardDuty administration to the audit account ({audit_account_id}) in {region}"
+                    ))
+                else:
+                    findings.append(self.create_finding(
+                        status="FAIL", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value=f"GuardDuty delegated admin is the audit account but status is {admin_account_status}", 
+                        remediation=f"Check the status of the delegated administrator account in {region}"
+                    ))
+            else:
+                # No admin account for GuardDuty
+                findings.append(self.create_finding(
+                    status="FAIL", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}:{detector_id}", 
+                    actual_value="GuardDuty service administration is not delegated to any account", 
+                    remediation=f"Delegate GuardDuty administration to the audit account ({audit_account_id}) using the Organizations service in {region}"
+                ))
+        
+        return findings

sraverify/services/guardduty/checks/sra_guardduty_15.py

@@ -0,0 +1,94 @@
+"""
+Check if GuardDuty auto-enablement is configured for member accounts.
+"""
+from typing import Dict, List, Any
+from sraverify.services.guardduty.base import GuardDutyCheck
+from sraverify.core.logging import logger
+
+
+class SRA_GUARDDUTY_15(GuardDutyCheck):
+    """Check if GuardDuty auto-enablement is configured for member accounts."""
+
+    def __init__(self):
+        """Initialize GuardDuty auto-enablement check."""
+        super().__init__()
+        self.check_id = "SRA-GUARDDUTY-15"
+        self.check_name = "GuardDuty auto-enablement configured"
+        self.description = ("This check verifies whether auto-enablement configuration for GuardDuty is "
+                           " enabled for member accounts of the AWS Organization. This ensures that all  "
+                           "existing and new member accounts will have GuardDuty monitoring.")
+        self.severity = "HIGH"
+        self.check_logic = "Check if GuardDuty AutoEnableOrganizationMembers is set to ALL using describe-organization-configuration API."
+        self.account_type = "audit"
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []        
+        # Check all regions
+        for region in self.regions:
+            detector_id = self.get_detector_id(region)
+            
+            # Handle regions where we can't access GuardDuty
+            if not detector_id:
+                findings.append(self.create_finding(
+                    status="ERROR", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}", 
+                    actual_value="Unable to access GuardDuty in this region", 
+                    remediation="Check permissions or if GuardDuty is supported in this region"
+                ))
+                continue
+                
+            # Get organization configuration for GuardDuty
+            org_config = self.get_organization_configuration(region)
+
+            # Check if there was an error in the response
+            if "Error" in org_config:
+                error_code = org_config["Error"].get("Code", "Unknown")
+                error_message = org_config["Error"].get("Message", "Unknown error")
+                
+                # Handle BadRequestException specifically for non-delegated admin accounts
+                if error_code == "BadRequestException":
+                    findings.append(self.create_finding(
+                        status="FAIL", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value="This account is not the GuardDuty delegated administrator", 
+                        remediation="This check must be run from the GuardDuty delegated administrator account. Verify that this account is the delegated admin for GuardDuty in this region."
+                    ))
+                else:
+                    findings.append(self.create_finding(
+                        status="ERROR", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value=f"Error accessing GuardDuty organization configuration: {error_code}", 
+                        remediation="Check permissions and AWS Organizations configuration"
+                    ))
+                continue
+            
+            # Check if AutoEnableOrganizationMembers is set to ALL
+            auto_enable_org_members = org_config.get('AutoEnableOrganizationMembers', 'NONE')
+            
+            if auto_enable_org_members == 'ALL':
+                findings.append(self.create_finding(
+                    status="PASS", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}:{detector_id}", 
+                    actual_value="GuardDuty AutoEnableOrganizationMembers is set to ALL", 
+                    remediation=""
+                ))
+            else:
+                findings.append(self.create_finding(
+                    status="FAIL", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}:{detector_id}", 
+                    actual_value=f"GuardDuty AutoEnableOrganizationMembers is set to {auto_enable_org_members}", 
+                    remediation=f"Set AutoEnableOrganizationMembers to ALL in {region} to ensure GuardDuty is enabled for all organization members"
+                ))
+        
+        return findings

sraverify/services/guardduty/checks/sra_guardduty_16.py

@@ -0,0 +1,94 @@
+"""
+Check if GuardDuty member account limit is reached.
+"""
+from typing import Dict, List, Any
+from sraverify.services.guardduty.base import GuardDutyCheck
+from sraverify.core.logging import logger
+
+
+class SRA_GUARDDUTY_16(GuardDutyCheck):
+    """Check if GuardDuty member account limit is reached."""
+
+    def __init__(self):
+        """Initialize GuardDuty member account limit check."""
+        super().__init__()
+        self.check_id = "SRA-GUARDDUTY-16"
+        self.check_name = "GuardDuty member account limit not reached"
+        self.description = ("This check verifies whether the maximum number of allowed member accounts are already "
+                           "associated with the delegated administrator account for the AWS Organization. "
+                           "Reaching the limit prevents adding new accounts to GuardDuty monitoring.")
+        self.severity = "HIGH"
+        self.check_logic = "Check if MemberAccountLimitReached is false using describe-organization-configuration API."
+        self.account_type = "audit"
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []        
+        # Check all regions
+        for region in self.regions:
+            detector_id = self.get_detector_id(region)
+            
+            # Handle regions where we can't access GuardDuty
+            if not detector_id:
+                findings.append(self.create_finding(
+                    status="ERROR", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}", 
+                    actual_value="Unable to access GuardDuty in this region", 
+                    remediation="Check permissions or if GuardDuty is supported in this region"
+                ))
+                continue
+                
+            # Get organization configuration for GuardDuty
+            org_config = self.get_organization_configuration(region)
+            
+            # Check if there was an error in the response
+            if "Error" in org_config:
+                error_code = org_config["Error"].get("Code", "Unknown")
+                error_message = org_config["Error"].get("Message", "Unknown error")
+                
+                # Handle BadRequestException specifically for non-management accounts
+                if error_code == "BadRequestException":
+                    findings.append(self.create_finding(
+                        status="FAIL", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value=f"{error_code} {error_message}", 
+                        remediation="Verify that GuardDuty is the delegated admin in this Region and run the check again."
+                    ))
+                else:
+                    findings.append(self.create_finding(
+                        status="ERROR", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value=f"Error accessing GuardDuty organization configuration: {error_code}", 
+                        remediation="Check permissions and AWS Organizations configuration"
+                    ))
+                continue
+            
+            # Check if member account limit is reached
+            member_account_limit_reached = org_config.get('MemberAccountLimitReached', False)
+            
+            if not member_account_limit_reached:
+                findings.append(self.create_finding(
+                    status="PASS", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}:{detector_id}", 
+                    actual_value="GuardDuty member account limit is not reached", 
+                    remediation=""
+                ))
+            else:
+                findings.append(self.create_finding(
+                    status="FAIL", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}:{detector_id}", 
+                    actual_value="GuardDuty member account limit is reached", 
+                    remediation=f"Contact AWS Support to request an increase in the GuardDuty member account limit for {region}"
+                ))
+        
+        return findings

sraverify/services/guardduty/checks/sra_guardduty_17.py

@@ -0,0 +1,91 @@
+"""
+Check if GuardDuty has EKS addon management enabled.
+"""
+from typing import Dict, List, Any
+from sraverify.services.guardduty.base import GuardDutyCheck
+
+
+class SRA_GUARDDUTY_17(GuardDutyCheck):
+    """Check if GuardDuty has EKS addon management enabled."""
+
+    def __init__(self):
+        """Initialize GuardDuty EKS addon management check."""
+        super().__init__()
+        self.check_id = "SRA-GUARDDUTY-17"
+        self.check_name = "GuardDuty EKS addon management enabled"
+        self.description = ("This check verifies that GuardDuty has EKS addon management enabled. "
+                           "EKS addon management allows GuardDuty to automatically deploy and manage "
+                           "the security agent on your EKS clusters, simplifying the setup and maintenance "
+                           "of runtime monitoring for Kubernetes workloads.")
+        self.severity = "HIGH"
+        self.check_logic = "Get detector details in each Region. Check if EKS_ADDON_MANAGEMENT is enabled in the RUNTIME_MONITORING feature's AdditionalConfiguration."
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []        
+        # Check all regions
+        for region in self.regions:
+            detector_id = self.get_detector_id(region)
+            
+            # Handle regions where we can't access GuardDuty
+            if not detector_id:
+                findings.append(self.create_finding(
+                    status="ERROR", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}", 
+                    actual_value="Unable to access GuardDuty in this region", 
+                    remediation="Check permissions or if GuardDuty is supported in this region"
+                ))
+                continue
+                
+            # Get detector details
+            detector_details = self.get_detector_details(region)
+            
+            if detector_details:
+                # Check if EKS_ADDON_MANAGEMENT is enabled in any RUNTIME_MONITORING feature
+                eks_addon_management_enabled = False
+                features = detector_details.get('Features', [])
+                
+                for feature in features:
+                    if feature.get('Name') == 'RUNTIME_MONITORING':
+                        # Check AdditionalConfiguration for EKS_ADDON_MANAGEMENT
+                        additional_configs = feature.get('AdditionalConfiguration', [])
+                        for config in additional_configs:
+                            if config.get('Name') == 'EKS_ADDON_MANAGEMENT' and config.get('Status') == 'ENABLED':
+                                eks_addon_management_enabled = True
+                                break
+                        
+                        if eks_addon_management_enabled:
+                            break
+                
+                if eks_addon_management_enabled:
+                    findings.append(self.create_finding(
+                        status="PASS", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value="EKS addon management is enabled", 
+                        remediation=""
+                    ))
+                else:
+                    findings.append(self.create_finding(
+                        status="FAIL", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value="EKS addon management is not enabled", 
+                        remediation=f"Enable EKS addon management in the Runtime Monitoring configuration for GuardDuty in {region}"
+                    ))
+            else:
+                findings.append(self.create_finding(
+                    status="FAIL", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}:{detector_id}", 
+                    actual_value="Unable to retrieve detector details", 
+                    remediation="Check GuardDuty permissions and configuration"
+                ))
+        
+        return findings