sraverify 0.1.0__py3-none-any.whl

sraverify/services/guardduty/checks/sra_guardduty_18.py

@@ -0,0 +1,91 @@
+"""
+Check if GuardDuty has ECS Fargate agent management enabled.
+"""
+from typing import Dict, List, Any
+from sraverify.services.guardduty.base import GuardDutyCheck
+
+
+class SRA_GUARDDUTY_18(GuardDutyCheck):
+    """Check if GuardDuty has ECS Fargate agent management enabled."""
+
+    def __init__(self):
+        """Initialize GuardDuty ECS Fargate agent management check."""
+        super().__init__()
+        self.check_id = "SRA-GUARDDUTY-18"
+        self.check_name = "GuardDuty ECS Fargate agent management enabled"
+        self.description = ("This check verifies that GuardDuty has ECS Fargate agent management enabled. "
+                           "ECS Fargate agent management allows GuardDuty to automatically deploy and manage "
+                           "the security agent on your ECS Fargate tasks, simplifying the setup and maintenance "
+                           "of runtime monitoring for containerized workloads.")
+        self.severity = "HIGH"
+        self.check_logic = "Get detector details in each Region. Check if ECS_FARGATE_AGENT_MANAGEMENT is enabled in the RUNTIME_MONITORING feature's AdditionalConfiguration."
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []        
+        # Check all regions
+        for region in self.regions:
+            detector_id = self.get_detector_id(region)
+            
+            # Handle regions where we can't access GuardDuty
+            if not detector_id:
+                findings.append(self.create_finding(
+                    status="ERROR", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}", 
+                    actual_value="Unable to access GuardDuty in this region", 
+                    remediation="Check permissions or if GuardDuty is supported in this region"
+                ))
+                continue
+                
+            # Get detector details
+            detector_details = self.get_detector_details(region)
+            
+            if detector_details:
+                # Check if ECS_FARGATE_AGENT_MANAGEMENT is enabled in any RUNTIME_MONITORING feature
+                ecs_fargate_agent_management_enabled = False
+                features = detector_details.get('Features', [])
+                
+                for feature in features:
+                    if feature.get('Name') == 'RUNTIME_MONITORING':
+                        # Check AdditionalConfiguration for ECS_FARGATE_AGENT_MANAGEMENT
+                        additional_configs = feature.get('AdditionalConfiguration', [])
+                        for config in additional_configs:
+                            if config.get('Name') == 'ECS_FARGATE_AGENT_MANAGEMENT' and config.get('Status') == 'ENABLED':
+                                ecs_fargate_agent_management_enabled = True
+                                break
+                        
+                        if ecs_fargate_agent_management_enabled:
+                            break
+                
+                if ecs_fargate_agent_management_enabled:
+                    findings.append(self.create_finding(
+                        status="PASS", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value="ECS Fargate agent management is enabled", 
+                        remediation=""
+                    ))
+                else:
+                    findings.append(self.create_finding(
+                        status="FAIL", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value="ECS Fargate agent management is not enabled", 
+                        remediation=f"Enable ECS Fargate agent management in the Runtime Monitoring configuration for GuardDuty in {region}"
+                    ))
+            else:
+                findings.append(self.create_finding(
+                    status="FAIL", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}:{detector_id}", 
+                    actual_value="Unable to retrieve detector details", 
+                    remediation="Check GuardDuty permissions and configuration"
+                ))
+        
+        return findings

sraverify/services/guardduty/checks/sra_guardduty_19.py

@@ -0,0 +1,91 @@
+"""
+Check if GuardDuty has EC2 agent management enabled.
+"""
+from typing import Dict, List, Any
+from sraverify.services.guardduty.base import GuardDutyCheck
+
+
+class SRA_GUARDDUTY_19(GuardDutyCheck):
+    """Check if GuardDuty has EC2 agent management enabled."""
+
+    def __init__(self):
+        """Initialize GuardDuty EC2 agent management check."""
+        super().__init__()
+        self.check_id = "SRA-GUARDDUTY-19"
+        self.check_name = "GuardDuty EC2 agent management enabled"
+        self.description = ("This check verifies that GuardDuty has EC2 agent management enabled. "
+                           "EC2 agent management allows GuardDuty to automatically deploy and manage "
+                           "the security agent on your EC2 instances, simplifying the setup and maintenance "
+                           "of runtime monitoring for EC2 workloads.")
+        self.severity = "HIGH"
+        self.check_logic = "Get detector details in each Region. Check if EC2_AGENT_MANAGEMENT is enabled in the RUNTIME_MONITORING feature's AdditionalConfiguration."
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []        
+        # Check all regions
+        for region in self.regions:
+            detector_id = self.get_detector_id(region)
+            
+            # Handle regions where we can't access GuardDuty
+            if not detector_id:
+                findings.append(self.create_finding(
+                    status="ERROR", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}", 
+                    actual_value="Unable to access GuardDuty in this region", 
+                    remediation="Check permissions or if GuardDuty is supported in this region"
+                ))
+                continue
+                
+            # Get detector details
+            detector_details = self.get_detector_details(region)
+            
+            if detector_details:
+                # Check if EC2_AGENT_MANAGEMENT is enabled in any RUNTIME_MONITORING feature
+                ec2_agent_management_enabled = False
+                features = detector_details.get('Features', [])
+                
+                for feature in features:
+                    if feature.get('Name') == 'RUNTIME_MONITORING':
+                        # Check AdditionalConfiguration for EC2_AGENT_MANAGEMENT
+                        additional_configs = feature.get('AdditionalConfiguration', [])
+                        for config in additional_configs:
+                            if config.get('Name') == 'EC2_AGENT_MANAGEMENT' and config.get('Status') == 'ENABLED':
+                                ec2_agent_management_enabled = True
+                                break
+                        
+                        if ec2_agent_management_enabled:
+                            break
+                
+                if ec2_agent_management_enabled:
+                    findings.append(self.create_finding(
+                        status="PASS", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value="EC2 agent management is enabled", 
+                        remediation=""
+                    ))
+                else:
+                    findings.append(self.create_finding(
+                        status="FAIL", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value="EC2 agent management is not enabled", 
+                        remediation=f"Enable EC2 agent management in the Runtime Monitoring configuration for GuardDuty in {region}"
+                    ))
+            else:
+                findings.append(self.create_finding(
+                    status="FAIL", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}:{detector_id}", 
+                    actual_value="Unable to retrieve detector details", 
+                    remediation="Check GuardDuty permissions and configuration"
+                ))
+        
+        return findings

sraverify/services/guardduty/checks/sra_guardduty_20.py

@@ -0,0 +1,111 @@
+"""
+Check if GuardDuty S3 data events are configured for auto-enablement.
+"""
+from typing import Dict, List, Any
+from sraverify.services.guardduty.base import GuardDutyCheck
+from sraverify.core.logging import logger
+
+
+class SRA_GUARDDUTY_20(GuardDutyCheck):
+    """Check if GuardDuty S3 data events are configured for auto-enablement."""
+
+    def __init__(self):
+        """Initialize GuardDuty S3 data events auto-enablement check."""
+        super().__init__()
+        self.check_id = "SRA-GUARDDUTY-20"
+        self.check_name = "GuardDuty S3 data events auto-enablement configured"
+        self.description = ("This check verifies whether S3 data events are configured for auto-enablement "
+                           "in GuardDuty for all member accounts. S3 data events provide visibility into "
+                           "object-level API operations, enhancing threat detection for S3 buckets.")
+        self.severity = "HIGH"
+        self.check_logic = "Check if S3_DATA_EVENTS feature is configured with AutoEnable set to ALL."
+        self.account_type = "audit"
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []        
+        # Check all regions
+        for region in self.regions:
+            detector_id = self.get_detector_id(region)
+            
+            # Handle regions where we can't access GuardDuty
+            if not detector_id:
+                findings.append(self.create_finding(
+                    status="ERROR", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}", 
+                    actual_value="Unable to access GuardDuty in this region", 
+                    remediation="Check permissions or if GuardDuty is supported in this region"
+                ))
+                continue
+                
+            # Get organization configuration for GuardDuty
+            org_config = self.get_organization_configuration(region)
+            
+            # Check if there was an error in the response
+            if "Error" in org_config:
+                error_code = org_config["Error"].get("Code", "Unknown")
+                error_message = org_config["Error"].get("Message", "Unknown error")
+                
+                # Handle BadRequestException specifically for non-management accounts
+                if error_code == "BadRequestException":
+                    findings.append(self.create_finding(
+                        status="FAIL", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value=f"{error_code} {error_message}", 
+                        remediation="Verify that GuardDuty is the delegated admin in this Region and run the check again."
+                    ))
+                else:
+                    findings.append(self.create_finding(
+                        status="ERROR", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value=f"Error accessing GuardDuty organization configuration: {error_code}", 
+                        remediation="Check permissions and AWS Organizations configuration"
+                    ))
+                continue
+            
+            # Check if S3 data events are configured for auto-enablement
+            # Look for S3_DATA_EVENTS in Features
+            s3_data_events_found = False
+            s3_data_events_auto_enable = "NOT_CONFIGURED"
+            features = org_config.get('Features', [])
+            
+            for feature in features:
+                if feature.get('Name') == 'S3_DATA_EVENTS':
+                    s3_data_events_found = True
+                    s3_data_events_auto_enable = feature.get('AutoEnable', 'NONE')
+                    break
+            
+            if s3_data_events_found and s3_data_events_auto_enable == 'ALL':
+                findings.append(self.create_finding(
+                    status="PASS", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}:{detector_id}", 
+                    actual_value="GuardDuty S3 data events are configured for auto-enablement for all accounts (AutoEnable=ALL)", 
+                    remediation=""
+                ))
+            elif s3_data_events_found:
+                findings.append(self.create_finding(
+                    status="FAIL", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}:{detector_id}", 
+                    actual_value=f"GuardDuty S3 data events are configured with AutoEnable={s3_data_events_auto_enable}, but should be ALL", 
+                    remediation=f"Configure S3 data events auto-enablement for all accounts in {region} by setting AutoEnable to ALL"
+                ))
+            else:
+                findings.append(self.create_finding(
+                    status="FAIL", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}:{detector_id}", 
+                    actual_value=f"GuardDuty S3 data events feature is not configured", 
+                    remediation=f"Enable S3 data events feature and configure auto-enablement for all accounts in {region}"
+                ))
+        
+        return findings

sraverify/services/guardduty/checks/sra_guardduty_21.py

@@ -0,0 +1,112 @@
+"""
+Check if GuardDuty EBS Malware Protection is configured for auto-enablement.
+"""
+from typing import Dict, List, Any
+from sraverify.services.guardduty.base import GuardDutyCheck
+from sraverify.core.logging import logger
+
+
+class SRA_GUARDDUTY_21(GuardDutyCheck):
+    """Check if GuardDuty EBS Malware Protection is configured for auto-enablement."""
+
+    def __init__(self):
+        """Initialize GuardDuty EBS Malware Protection auto-enablement check."""
+        super().__init__()
+        self.check_id = "SRA-GUARDDUTY-21"
+        self.check_name = "GuardDuty EBS Malware Protection auto-enablement configured"
+        self.description = ("This check verifies whether EBS Malware Protection is configured for auto-enablement "
+                           "in GuardDuty for all member accounts. EBS Malware Protection scans EBS volumes for "
+                           "malware when GuardDuty detects a potential threat, helping to identify and remediate "
+                           "malware infections in your AWS environment.")
+        self.severity = "HIGH"
+        self.check_logic = "Check if EBS_MALWARE_PROTECTION feature is configured with AutoEnable set to ALL."
+        self.account_type = "audit"
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []        
+        # Check all regions
+        for region in self.regions:
+            detector_id = self.get_detector_id(region)
+            
+            # Handle regions where we can't access GuardDuty
+            if not detector_id:
+                findings.append(self.create_finding(
+                    status="ERROR", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}", 
+                    actual_value="Unable to access GuardDuty in this region", 
+                    remediation="Check permissions or if GuardDuty is supported in this region"
+                ))
+                continue
+                
+            # Get organization configuration for GuardDuty
+            org_config = self.get_organization_configuration(region)
+            
+            # Check if there was an error in the response
+            if "Error" in org_config:
+                error_code = org_config["Error"].get("Code", "Unknown")
+                error_message = org_config["Error"].get("Message", "Unknown error")
+                
+                # Handle BadRequestException specifically for non-management accounts
+                if error_code == "BadRequestException":
+                    findings.append(self.create_finding(
+                        status="FAIL", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value=f"{error_code} {error_message}", 
+                        remediation="Verify that GuardDuty is the delegated admin in this Region and run the check again."
+                    ))
+                else:
+                    findings.append(self.create_finding(
+                        status="ERROR", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value=f"Error accessing GuardDuty organization configuration: {error_code}", 
+                        remediation="Check permissions and AWS Organizations configuration"
+                    ))
+                continue
+            
+            # Check if EBS Malware Protection is configured for auto-enablement
+            # Look for EBS_MALWARE_PROTECTION in Features
+            ebs_malware_protection_found = False
+            ebs_malware_protection_auto_enable = "NOT_CONFIGURED"
+            features = org_config.get('Features', [])
+            
+            for feature in features:
+                if feature.get('Name') == 'EBS_MALWARE_PROTECTION':
+                    ebs_malware_protection_found = True
+                    ebs_malware_protection_auto_enable = feature.get('AutoEnable', 'NONE')
+                    break
+            
+            if ebs_malware_protection_found and ebs_malware_protection_auto_enable == 'ALL':
+                findings.append(self.create_finding(
+                    status="PASS", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}:{detector_id}", 
+                    actual_value="GuardDuty EBS Malware Protection is configured for auto-enablement for all accounts (AutoEnable=ALL)", 
+                    remediation=""
+                ))
+            elif ebs_malware_protection_found:
+                findings.append(self.create_finding(
+                    status="FAIL", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}:{detector_id}", 
+                    actual_value=f"GuardDuty EBS Malware Protection is configured with AutoEnable={ebs_malware_protection_auto_enable}, but should be ALL", 
+                    remediation=f"Configure EBS Malware Protection auto-enablement for all accounts in {region} by setting AutoEnable to ALL"
+                ))
+            else:
+                findings.append(self.create_finding(
+                    status="FAIL", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}:{detector_id}", 
+                    actual_value=f"GuardDuty EBS Malware Protection feature is not configured", 
+                    remediation=f"Enable EBS Malware Protection feature and configure auto-enablement for all accounts in {region}"
+                ))
+        
+        return findings

sraverify/services/guardduty/checks/sra_guardduty_22.py

@@ -0,0 +1,111 @@
+"""
+Check if GuardDuty EKS Audit Logs are configured for auto-enablement.
+"""
+from typing import Dict, List, Any
+from sraverify.services.guardduty.base import GuardDutyCheck
+from sraverify.core.logging import logger
+
+
+class SRA_GUARDDUTY_22(GuardDutyCheck):
+    """Check if GuardDuty EKS Audit Logs are configured for auto-enablement."""
+
+    def __init__(self):
+        """Initialize GuardDuty EKS Audit Logs auto-enablement check."""
+        super().__init__()
+        self.check_id = "SRA-GUARDDUTY-22"
+        self.check_name = "GuardDuty EKS Audit Logs auto-enablement configured"
+        self.description = ("This check verifies whether EKS Audit Logs are configured for auto-enablement "
+                           "in GuardDuty for all member accounts. EKS Audit Logs monitoring analyzes Kubernetes "
+                           "audit logs to detect potentially suspicious activities in Amazon EKS clusters.")
+        self.severity = "HIGH"
+        self.check_logic = "Check if EKS_AUDIT_LOGS feature is configured with AutoEnable set to ALL."
+        self.account_type = "audit"
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []        
+        # Check all regions
+        for region in self.regions:
+            detector_id = self.get_detector_id(region)
+            
+            # Handle regions where we can't access GuardDuty
+            if not detector_id:
+                findings.append(self.create_finding(
+                    status="ERROR", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}", 
+                    actual_value="Unable to access GuardDuty in this region", 
+                    remediation="Check permissions or if GuardDuty is supported in this region"
+                ))
+                continue
+                
+            # Get organization configuration for GuardDuty
+            org_config = self.get_organization_configuration(region)
+            
+            # Check if there was an error in the response
+            if "Error" in org_config:
+                error_code = org_config["Error"].get("Code", "Unknown")
+                error_message = org_config["Error"].get("Message", "Unknown error")
+                
+                # Handle BadRequestException specifically for non-management accounts
+                if error_code == "BadRequestException":
+                    findings.append(self.create_finding(
+                        status="FAIL", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value=f"{error_code} {error_message}", 
+                        remediation="Verify that GuardDuty is the delegated admin in this Region and run the check again."
+                    ))
+                else:
+                    findings.append(self.create_finding(
+                        status="ERROR", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value=f"Error accessing GuardDuty organization configuration: {error_code}", 
+                        remediation="Check permissions and AWS Organizations configuration"
+                    ))
+                continue
+            
+            # Check if EKS Audit Logs are configured for auto-enablement
+            # Look for EKS_AUDIT_LOGS in Features
+            eks_audit_logs_found = False
+            eks_audit_logs_auto_enable = "NOT_CONFIGURED"
+            features = org_config.get('Features', [])
+            
+            for feature in features:
+                if feature.get('Name') == 'EKS_AUDIT_LOGS':
+                    eks_audit_logs_found = True
+                    eks_audit_logs_auto_enable = feature.get('AutoEnable', 'NONE')
+                    break
+            
+            if eks_audit_logs_found and eks_audit_logs_auto_enable == 'ALL':
+                findings.append(self.create_finding(
+                    status="PASS", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}:{detector_id}", 
+                    actual_value="GuardDuty EKS Audit Logs are configured for auto-enablement for all accounts (AutoEnable=ALL)", 
+                    remediation=""
+                ))
+            elif eks_audit_logs_found:
+                findings.append(self.create_finding(
+                    status="FAIL", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}:{detector_id}", 
+                    actual_value=f"GuardDuty EKS Audit Logs are configured with AutoEnable={eks_audit_logs_auto_enable}, but should be ALL", 
+                    remediation=f"Configure EKS Audit Logs auto-enablement for all accounts in {region} by setting AutoEnable to ALL"
+                ))
+            else:
+                findings.append(self.create_finding(
+                    status="FAIL", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}:{detector_id}", 
+                    actual_value=f"GuardDuty EKS Audit Logs feature is not configured", 
+                    remediation=f"Enable EKS Audit Logs feature and configure auto-enablement for all accounts in {region}"
+                ))
+        
+        return findings