sraverify 0.1.0__py3-none-any.whl

sraverify/services/inspector/base.py

@@ -0,0 +1,233 @@
+"""
+Base class for Inspector security checks.
+"""
+from typing import List, Optional, Dict, Any
+from sraverify.core.check import SecurityCheck
+from sraverify.services.inspector.client import InspectorClient
+from sraverify.core.logging import logger
+
+
+class InspectorCheck(SecurityCheck):
+    """Base class for all Inspector security checks."""
+    
+    # Class-level caches shared across all instances
+    _inspector_account_status = {}
+    _inspector_batch_account_status = {}  # SRA-INSPECTOR-7
+    _inspector_delegated_admin = {}
+    _inspector_org_config = {}
+    _organization_members = {}
+    
+    def __init__(self):
+        """Initialize Inspector base check."""
+        super().__init__(
+            account_type="application",  # Default, can be overridden in subclasses
+            service="Inspector",
+            resource_type="AWS::Inspector::Assessment"
+        )
+    
+    def _setup_clients(self):
+        """Set up Inspector clients for each region."""
+        # Clear existing clients
+        self._clients.clear()
+        # Set up new clients only if regions are initialized
+        if hasattr(self, 'regions') and self.regions:
+            for region in self.regions:
+                self._clients[region] = InspectorClient(region, session=self.session)
+    
+    def get_client(self, region: str) -> Optional[InspectorClient]:
+        """
+        Get Inspector client for a specific region.
+        
+        Args:
+            region: AWS region name
+            
+        Returns:
+            InspectorClient for the region or None if not available
+        """
+        return self._clients.get(region)
+    
+    def get_account_status(self, region: str) -> Dict[str, Any]:
+        """
+        Get Inspector account status with caching.
+        
+        Args:
+            region: AWS region name
+            
+        Returns:
+            Dictionary containing account status
+        """
+        account_id = self.account_id
+        if not account_id:
+            logger.warning("Could not determine account ID")
+            return {}
+        
+        # Check cache first
+        cache_key = f"{account_id}:{region}"
+        if cache_key in self.__class__._inspector_account_status:
+            logger.debug(f"Using cached Inspector account status for {cache_key}")
+            return self.__class__._inspector_account_status[cache_key]
+        
+        client = self.get_client(region)
+        if not client:
+            logger.warning(f"No Inspector client available for region {region}")
+            return {}
+        
+        # Get account status from client
+        response = client.batch_get_account_status(account_ids=[account_id])
+        
+        # Extract the account status for the current account
+        account_status = {}
+        for status in response.get('accounts', []):
+            if status.get('accountId') == account_id:
+                # Restructure the account status to make it easier to access
+                account_status = {
+                    'accountId': status.get('accountId'),
+                    'state': status.get('state', {}),
+                    # Extract resource states to top level for easier access in checks
+                    'ec2': status.get('resourceState', {}).get('ec2', {}),
+                    'ecr': status.get('resourceState', {}).get('ecr', {}),
+                    'lambda': status.get('resourceState', {}).get('lambda', {}),
+                    'lambdaCode': status.get('resourceState', {}).get('lambdaCode', {})
+                }
+                break
+        
+        # Cache the result
+        self.__class__._inspector_account_status[cache_key] = account_status
+        logger.debug(f"Cached Inspector account status for {cache_key}")
+        
+        return account_status
+    
+    def get_delegated_admin(self, region: str) -> Dict[str, Any]:
+        """
+        Get Inspector delegated admin with caching.
+        
+        Args:
+            region: AWS region name
+            
+        Returns:
+            Dictionary containing delegated admin information
+        """
+        # Check cache first
+        cache_key = f"{self.session.region_name}:{region}"
+        if cache_key in self.__class__._inspector_delegated_admin:
+            logger.debug(f"Using cached Inspector delegated admin for {cache_key}")
+            return self.__class__._inspector_delegated_admin[cache_key]
+        
+        client = self.get_client(region)
+        if not client:
+            logger.warning(f"No Inspector client available for region {region}")
+            return {}
+        
+        # Get delegated admin from client
+        response = client.get_delegated_admin_account()
+        
+        # Cache the result
+        self.__class__._inspector_delegated_admin[cache_key] = response
+        logger.debug(f"Cached Inspector delegated admin for {cache_key}")
+        
+        return response
+    
+    def get_organization_members(self, region: str) -> List[Dict[str, Any]]:
+        """
+        Get all AWS Organization member accounts with caching.
+        
+        Args:
+            region: AWS region name (not used for Organizations API call)
+            
+        Returns:
+            List of organization member accounts
+        """
+        # Use the current session region for Organizations API call
+        current_region = self.session.region_name
+        
+        # Check cache first
+        cache_key = f"{current_region}:organizations"
+        if cache_key in self.__class__._organization_members:
+            logger.debug(f"Using cached organization members for {cache_key}")
+            return self.__class__._organization_members[cache_key]
+        
+        # Use the client for the current region
+        client = self.get_client(current_region)
+        if not client:
+            logger.warning(f"No Inspector client available for region {current_region}")
+            return []
+        
+        # Get organization members from client
+        accounts = client.list_organization_accounts()
+        
+        # Cache the result
+        self.__class__._organization_members[cache_key] = accounts
+        logger.debug(f"Cached {len(accounts)} organization members for {cache_key} (using current region)")
+        
+        return accounts
+        
+    def batch_get_account_status(self, region: str, account_ids: List[str]) -> Dict[str, Dict]:
+        """
+        Get Inspector account status for multiple accounts with caching.
+        
+        Args:
+            region: AWS region name
+            account_ids: List of account IDs to check
+            
+        Returns:
+            Dictionary mapping account IDs to their status
+        """
+        # Check cache first
+        cache_key = f"{self.session.region_name}:{region}:batch_status"
+        if cache_key in self.__class__._inspector_batch_account_status:
+            logger.debug(f"Using cached Inspector batch account status for {cache_key}")
+            return self.__class__._inspector_batch_account_status[cache_key]
+        
+        client = self.get_client(region)
+        if not client:
+            logger.warning(f"No Inspector client available for region {region}")
+            return {}
+        
+        # Process accounts in batches of 10 (API limit)
+        result = {}
+        for i in range(0, len(account_ids), 10):
+            batch = account_ids[i:i+10]
+            try:
+                response = client.batch_get_account_status(batch)
+                for account in response.get('accounts', []):
+                    acc_id = account.get('accountId')
+                    if acc_id:
+                        result[acc_id] = account
+            except Exception as e:
+                logger.debug(f"Error getting batch account status in {region}: {e}")
+        
+        # Cache the result
+        self.__class__._inspector_batch_account_status[cache_key] = result
+        logger.debug(f"Cached Inspector batch account status for {len(result)} accounts in {region}")
+        
+        return result
+        
+    def get_organization_configuration(self, region: str) -> Dict[str, Any]:
+        """
+        Get Inspector organization configuration with caching.
+        
+        Args:
+            region: AWS region name
+            
+        Returns:
+            Dictionary containing organization configuration
+        """
+        # Check cache first
+        cache_key = f"{self.session.region_name}:{region}"
+        if cache_key in self.__class__._inspector_org_config:
+            logger.debug(f"Using cached Inspector organization configuration for {cache_key}")
+            return self.__class__._inspector_org_config[cache_key]
+        
+        client = self.get_client(region)
+        if not client:
+            logger.warning(f"No Inspector client available for region {region}")
+            return {}
+        
+        # Get organization configuration from client
+        response = client.describe_organization_configuration()
+        
+        # Cache the result
+        self.__class__._inspector_org_config[cache_key] = response
+        logger.debug(f"Cached Inspector organization configuration for {cache_key}")
+        
+        return response

sraverify/services/inspector/checks/__init__.py

@@ -0,0 +1,3 @@
+"""
+Inspector security checks.
+"""

sraverify/services/inspector/checks/sra_inspector_01.py

@@ -0,0 +1,69 @@
+"""
+SRA-INSPECTOR-01: Inspector Service Status.
+"""
+from typing import List, Dict, Any
+from sraverify.services.inspector.base import InspectorCheck
+from sraverify.core.logging import logger
+
+
+class SRA_INSPECTOR_01(InspectorCheck):
+    """Check if Inspector service is enabled for the account."""
+    
+    def __init__(self):
+        """Initialize the check."""
+        super().__init__()
+        self.check_id = "SRA-INSPECTOR-01"
+        self.check_name = "Inspector service is enabled"
+        self.account_type = "application"
+        self.severity = "HIGH"
+        self.description = (
+            "This check verifies whether Inspector service status for the account is enabled. "
+            "Amazon Inspector is a vulnerability management service that continuously scans your AWS "
+            "workloads for software vulnerabilities and unintended network exposure."
+        )
+        self.check_logic = (
+            "Check runs inspector2 batch-get-account-status. Check PASS if response state status = Enabled"
+        )
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        
+        for region in self.regions:
+            # Get account status using the base class method with caching
+            account_status = self.get_account_status(region)
+            
+            # Check if state status is enabled
+            state_status = account_status.get('state', {}).get('status')
+            
+            if not account_status or state_status != 'ENABLED':
+                self.findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=f"inspector2/{self.account_id}",
+                        checked_value="Inspector state status: ENABLED",
+                        actual_value=f"Inspector state status: {state_status if state_status else 'NOT_ENABLED'}",
+                        remediation=(
+                            "Enable Amazon Inspector for your account using the AWS Console or CLI command: "
+                            f"aws inspector2 enable --account-ids {self.account_id} --resource-types EC2 ECR LAMBDA LAMBDA_CODE --region {region}"
+                        )
+                    )
+                )
+            else:
+                self.findings.append(
+                    self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=f"inspector2/{self.account_id}",
+                        checked_value="Inspector state status: ENABLED",
+                        actual_value=f"Inspector state status: {state_status}",
+                        remediation="No remediation needed"
+                    )
+                )
+        
+        return self.findings

sraverify/services/inspector/checks/sra_inspector_02.py

@@ -0,0 +1,68 @@
+"""
+SRA-INSPECTOR-02: Inspector EC2 Vulnerability Scanning.
+"""
+from typing import List, Dict, Any
+from sraverify.services.inspector.base import InspectorCheck
+from sraverify.core.logging import logger
+
+
+class SRA_INSPECTOR_02(InspectorCheck):
+    """Check if Inspector EC2 vulnerability scanning is enabled for the account."""
+    
+    def __init__(self):
+        """Initialize the check."""
+        super().__init__()
+        self.check_id = "SRA-INSPECTOR-02"
+        self.check_name = "Inspector EC2 vulnerability scanning is enabled"
+        self.account_type = "application"
+        self.severity = "HIGH"
+        self.description = (
+            "This check verifies whether Inspector EC2 vulnerability scanning feature is enabled. "
+            "Inspector automatically discovers EC2 instances and scans for software vulnerability."
+        )
+        self.check_logic = (
+            "Check runs inspector2 batch-get-account-status. Check PASS if response ec2 status = ENABLED"
+        )
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        
+        for region in self.regions:
+            # Get account status using the base class method with caching
+            account_status = self.get_account_status(region)
+            
+            # Check if EC2 scanning is enabled
+            ec2_status = account_status.get('ec2', {}).get('status')
+            
+            if not account_status or ec2_status != 'ENABLED':
+                self.findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=f"inspector2/{self.account_id}/ec2",
+                        checked_value="Inspector EC2 scanning: ENABLED",
+                        actual_value=f"Inspector EC2 scanning: {ec2_status if ec2_status else 'NOT_ENABLED'}",
+                        remediation=(
+                            "Enable Amazon Inspector EC2 scanning for your account using the AWS Console or CLI command: "
+                            f"aws inspector2 enable --account-ids {self.account_id} --resource-types EC2 --region {region}"
+                        )
+                    )
+                )
+            else:
+                self.findings.append(
+                    self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=f"inspector2/{self.account_id}/ec2",
+                        checked_value="Inspector EC2 scanning: ENABLED",
+                        actual_value=f"Inspector EC2 scanning: {ec2_status}",
+                        remediation="No remediation needed"
+                    )
+                )
+        
+        return self.findings

sraverify/services/inspector/checks/sra_inspector_03.py

@@ -0,0 +1,68 @@
+"""
+SRA-INSPECTOR-03: Inspector ECR Image Vulnerability Scanning.
+"""
+from typing import List, Dict, Any
+from sraverify.services.inspector.base import InspectorCheck
+from sraverify.core.logging import logger
+
+
+class SRA_INSPECTOR_03(InspectorCheck):
+    """Check if Inspector ECR image vulnerability scanning is enabled for the account."""
+    
+    def __init__(self):
+        """Initialize the check."""
+        super().__init__()
+        self.check_id = "SRA-INSPECTOR-03"
+        self.check_name = "Inspector ECR image vulnerability scanning is enabled"
+        self.account_type = "application"
+        self.severity = "HIGH"
+        self.description = (
+            "This check verifies whether Inspector ECR image vulnerability scanning feature is enabled. "
+            "Amazon Inspector scans container images stored in Amazon ECR for software vulnerabilities to generate findings."
+        )
+        self.check_logic = (
+            "Check runs inspector2 batch-get-account-status. Check PASS if ecr status = ENABLED"
+        )
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        
+        for region in self.regions:
+            # Get account status using the base class method with caching
+            account_status = self.get_account_status(region)
+            
+            # Check if ECR scanning is enabled
+            ecr_status = account_status.get('ecr', {}).get('status')
+            
+            if not account_status or ecr_status != 'ENABLED':
+                self.findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=f"inspector2/{self.account_id}/ecr",
+                        checked_value="Inspector ECR scanning: ENABLED",
+                        actual_value=f"Inspector ECR scanning: {ecr_status if ecr_status else 'NOT_ENABLED'}",
+                        remediation=(
+                            "Enable Amazon Inspector ECR scanning for your account using the AWS Console or CLI command: "
+                            f"aws inspector2 enable --account-ids {self.account_id} --resource-types ECR --region {region}"
+                        )
+                    )
+                )
+            else:
+                self.findings.append(
+                    self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=f"inspector2/{self.account_id}/ecr",
+                        checked_value="Inspector ECR scanning: ENABLED",
+                        actual_value=f"Inspector ECR scanning: {ecr_status}",
+                        remediation="No remediation needed"
+                    )
+                )
+        
+        return self.findings

sraverify/services/inspector/checks/sra_inspector_04.py

@@ -0,0 +1,70 @@
+"""
+SRA-INSPECTOR-04: Inspector Lambda Function and Layers Vulnerability Scanning.
+"""
+from typing import List, Dict, Any
+from sraverify.services.inspector.base import InspectorCheck
+from sraverify.core.logging import logger
+
+
+class SRA_INSPECTOR_04(InspectorCheck):
+    """Check if Inspector Lambda function and layers vulnerability scanning is enabled for the account."""
+    
+    def __init__(self):
+        """Initialize the check."""
+        super().__init__()
+        self.check_id = "SRA-INSPECTOR-04"
+        self.check_name = "Inspector Lambda function and layers vulnerability scanning is enabled"
+        self.account_type = "application"
+        self.severity = "HIGH"
+        self.description = (
+            "This check verifies whether Inspector Lambda function and layers for package and code vulnerability. "
+            "Amazon Inspector monitors each Lambda function throughout its lifetime until it's either deleted or excluded from scanning."
+        )
+        self.check_logic = (
+            "Check runs inspector2 batch-get-account-status. Check PASS if lambda status = ENABLED AND lambdaCode status = ENABLED"
+        )
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        
+        for region in self.regions:
+            # Get account status using the base class method with caching
+            account_status = self.get_account_status(region)
+            
+            # Check if Lambda and LambdaCode scanning are enabled
+            lambda_status = account_status.get('lambda', {}).get('status')
+            lambda_code_status = account_status.get('lambdaCode', {}).get('status')
+            
+            if not account_status or lambda_status != 'ENABLED' or lambda_code_status != 'ENABLED':
+                self.findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=f"inspector2/{self.account_id}/lambda",
+                        checked_value="Inspector Lambda scanning: ENABLED, LambdaCode scanning: ENABLED",
+                        actual_value=f"Inspector Lambda scanning: {lambda_status if lambda_status else 'NOT_ENABLED'}, "
+                                    f"LambdaCode scanning: {lambda_code_status if lambda_code_status else 'NOT_ENABLED'}",
+                        remediation=(
+                            "Enable Amazon Inspector Lambda and LambdaCode scanning for your account using the AWS Console or CLI command: "
+                            f"aws inspector2 enable --account-ids {self.account_id} --resource-types LAMBDA LAMBDA_CODE --region {region}"
+                        )
+                    )
+                )
+            else:
+                self.findings.append(
+                    self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=f"inspector2/{self.account_id}/lambda",
+                        checked_value="Inspector Lambda scanning: ENABLED, LambdaCode scanning: ENABLED",
+                        actual_value=f"Inspector Lambda scanning: {lambda_status}, LambdaCode scanning: {lambda_code_status}",
+                        remediation="No remediation needed"
+                    )
+                )
+        
+        return self.findings

sraverify/services/inspector/checks/sra_inspector_05.py

@@ -0,0 +1,69 @@
+"""
+SRA-INSPECTOR-05: Inspector Delegated Admin Account is Configured.
+"""
+from typing import List, Dict, Any
+from sraverify.services.inspector.base import InspectorCheck
+from sraverify.core.logging import logger
+
+
+class SRA_INSPECTOR_05(InspectorCheck):
+    """Check if Inspector delegated admin account is configured."""
+    
+    def __init__(self):
+        """Initialize the check."""
+        super().__init__()
+        self.check_id = "SRA-INSPECTOR-05"
+        self.check_name = "Inspector delegated admin account is configured"
+        self.account_type = "management"
+        self.severity = "HIGH"
+        self.description = (
+            "This check verifies whether a delegated administrator account is configured for Amazon Inspector. "
+            "A delegated administrator can manage Inspector findings across all accounts in the organization."
+        )
+        self.check_logic = (
+            "Check runs inspector2 get-delegated-admin-account. Check PASS if response contains delegatedAdmin"
+        )
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        
+        # Check each region separately
+        for region in self.regions:
+            # Get delegated admin account for this region
+            delegated_admin_response = self.get_delegated_admin(region)
+            delegated_admin = delegated_admin_response.get('delegatedAdmin', {})
+            delegated_admin_id = delegated_admin.get('accountId')
+            
+            if not delegated_admin_id:
+                self.findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=f"inspector2/{region}/delegated-admin",
+                        checked_value="Inspector delegated admin account is configured",
+                        actual_value="No delegated admin account is configured",
+                        remediation=(
+                            "Configure a delegated admin account for Inspector using the AWS Console or CLI command: "
+                            f"aws organizations register-delegated-administrator --account-id <AUDIT_ACCOUNT_ID> "
+                            f"--service-principal inspector2.amazonaws.com --region {region}"
+                        )
+                    )
+                )
+            else:
+                self.findings.append(
+                    self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=f"inspector2/{region}/delegated-admin",
+                        checked_value="Inspector delegated admin account is configured",
+                        actual_value=f"Delegated admin account {delegated_admin_id} is configured",
+                        remediation="No remediation needed"
+                    )
+                )
+        
+        return self.findings