sraverify 0.1.0__py3-none-any.whl

sraverify/services/inspector/checks/sra_inspector_06.py

@@ -0,0 +1,115 @@
+"""
+SRA-INSPECTOR-06: Inspector Delegated Admin Account is the Audit Account.
+"""
+from typing import List, Dict, Any
+from sraverify.services.inspector.base import InspectorCheck
+from sraverify.core.logging import logger
+
+
+class SRA_INSPECTOR_06(InspectorCheck):
+    """Check if Inspector delegated admin account is the audit account."""
+    
+    def __init__(self):
+        """Initialize the check."""
+        super().__init__()
+        self.check_id = "SRA-INSPECTOR-06"
+        self.check_name = "Inspector delegated admin account is the audit account"
+        self.account_type = "management"
+        self.severity = "HIGH"
+        self.description = (
+            "This check verifies whether Inspector delegated admin account is the audit account of your AWS organization. "
+            "Audit account is dedicated to operating security services, monitoring AWS accounts, and automating security "
+            "alerting and response. Inspector provides vulnerability management service."
+        )
+        self.check_logic = (
+            "Check runs inspector2 get-delegated-admin-account. PASS if delegated admin is the Audit account "
+            "specified by flag --audit-account"
+        )
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        
+        # Check each region separately
+        for region in self.regions:
+            # Get delegated admin account for this region
+            delegated_admin_response = self.get_delegated_admin(region)
+            delegated_admin = delegated_admin_response.get('delegatedAdmin', {})
+            delegated_admin_id = delegated_admin.get('accountId')
+            
+            # If no delegated admin is configured, report a failure
+            if not delegated_admin_id:
+                self.findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=f"inspector2/{region}/delegated-admin",
+                        checked_value="Inspector delegated admin account is the audit account",
+                        actual_value="No delegated admin account is configured",
+                        remediation=(
+                            "Configure a delegated admin account for Inspector using the AWS Console or CLI command: "
+                            f"aws organizations register-delegated-administrator --account-id <AUDIT_ACCOUNT_ID> "
+                            f"--service-principal inspector2.amazonaws.com --region {region}"
+                        )
+                    )
+                )
+                continue
+            
+            # Check if audit_accounts is provided via _audit_accounts (new attribute name)
+            audit_accounts = []
+            if hasattr(self, '_audit_accounts') and self._audit_accounts:
+                audit_accounts = self._audit_accounts
+            # For backward compatibility, also check the old attribute name
+            elif hasattr(self, 'audit_accounts') and self.audit_accounts:
+                audit_accounts = self.audit_accounts
+                
+            if not audit_accounts:
+                self.findings.append(
+                    self.create_finding(
+                        status="ERROR",
+                        region=region,
+                        resource_id=f"inspector2/{region}/delegated-admin",
+                        checked_value="Inspector delegated admin account is the audit account",
+                        actual_value=f"Delegated admin account is {delegated_admin_id}, but no audit account was specified for comparison",
+                        remediation="Run the check with the --audit-account parameter to specify the audit account"
+                    )
+                )
+                continue
+            
+            # Check if the delegated admin is one of the audit accounts
+            if delegated_admin_id in audit_accounts:
+                self.findings.append(
+                    self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=f"inspector2/{region}/delegated-admin",
+                        checked_value="Inspector delegated admin account is the audit account",
+                        actual_value=f"Inspector delegated administrator (Account: {delegated_admin_id}) "
+                                   f"matches one of the specified Audit accounts {', '.join(audit_accounts)}",
+                        remediation="No remediation needed"
+                    )
+                )
+            else:
+                self.findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=f"inspector2/{region}/delegated-admin",
+                        checked_value="Inspector delegated admin account is the audit account",
+                        actual_value=f"Inspector delegated administrator (Account: {delegated_admin_id}) "
+                                   f"does not match any of the specified Audit accounts ({', '.join(audit_accounts)})",
+                        remediation=(
+                            "Update the delegated admin account to be the audit account using the AWS Console or CLI commands: "
+                            f"1. aws organizations deregister-delegated-administrator --account-id {delegated_admin_id} "
+                            f"--service-principal inspector2.amazonaws.com --region {region}\n"
+                            f"2. aws organizations register-delegated-administrator --account-id {audit_accounts[0]} "
+                            f"--service-principal inspector2.amazonaws.com --region {region}"
+                        )
+                    )
+                )
+        
+        return self.findings

sraverify/services/inspector/checks/sra_inspector_07.py

@@ -0,0 +1,109 @@
+"""
+SRA-INSPECTOR-07: All Active Member Accounts Have Inspector Enabled.
+"""
+from typing import List, Dict, Any, Set
+from sraverify.services.inspector.base import InspectorCheck
+from sraverify.core.logging import logger
+
+
+class SRA_INSPECTOR_07(InspectorCheck):
+    """Check if all active member accounts have Inspector enabled."""
+    
+    def __init__(self):
+        """Initialize the check."""
+        super().__init__()
+        self.check_id = "SRA-INSPECTOR-07"
+        self.check_name = "All active member accounts have Inspector enabled"
+        self.account_type = "audit"
+        self.severity = "HIGH"
+        self.description = (
+            "This check verifies whether all active members accounts of the AWS Organization have Inspector enabled. "
+            "Inspector is an automated vulnerability management service that continually scans Amazon Elastic Compute Cloud (EC2), "
+            "AWS Lambda functions, and container images in Amazon ECR."
+        )
+        self.check_logic = (
+            "Check runs aws organizations list-accounts AND aws inspector2 batch-get-account-status. "
+            "PASS if all organization accounts (except audit) have Inspector enabled"
+        )
+        self._audit_accounts = []  # Will be populated from command line args
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check using BatchGetAccountStatus.
+        
+        Returns:
+            List of findings
+        """
+        
+        # Check each region separately
+        for region in self.regions:
+            # Get organization members
+            org_accounts = self.get_organization_members(region)
+            
+            # Create a set of all active organization account IDs
+            org_account_ids = set()
+            for account in org_accounts:
+                if account.get('Status') == 'ACTIVE':
+                    org_account_ids.add(account.get('Id'))
+            
+            # Get delegated admin account
+            delegated_admin_response = self.get_delegated_admin(region)
+            delegated_admin = delegated_admin_response.get('delegatedAdmin', {})
+            delegated_admin_id = delegated_admin.get('accountId')
+            
+            # Use the delegated admin ID as the audit account if no audit accounts are provided
+            audit_accounts = self._audit_accounts.copy()
+            if not audit_accounts and delegated_admin_id:
+                audit_accounts = [delegated_admin_id]
+            elif not audit_accounts:
+                audit_accounts = [self.account_id]
+            
+            # Remove audit accounts from the list of accounts to check
+            accounts_to_check = org_account_ids - set(audit_accounts)
+            
+            # Convert to list for the API call
+            accounts_list = list(accounts_to_check)
+            
+            # Use BatchGetAccountStatus to check which accounts have Inspector enabled
+            account_statuses = self.batch_get_account_status(region, accounts_list)
+            
+            # Find accounts that should have Inspector enabled but don't
+            missing_accounts = set()
+            for acc_id in accounts_to_check:
+                # Check if the account is in the results
+                if acc_id not in account_statuses:
+                    missing_accounts.add(acc_id)
+                    continue
+                
+                # Check if Inspector is enabled for this account
+                status = account_statuses[acc_id].get('state', {}).get('status')
+                if status != 'ENABLED':
+                    missing_accounts.add(acc_id)
+            
+            if missing_accounts:
+                self.findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=f"inspector2/{region}/organization/members",
+                        checked_value="All active organization accounts (except audit) have Inspector enabled",
+                        actual_value=f"The following accounts do not have Inspector enabled in {region}: {', '.join(missing_accounts)}",
+                        remediation=(
+                            "Enable Inspector for all member accounts using the AWS Console or CLI command: "
+                            f"aws inspector2 enable --account-ids {' '.join(missing_accounts)} --resource-types EC2 ECR LAMBDA LAMBDA_CODE --region {region}"
+                        )
+                    )
+                )
+            else:
+                self.findings.append(
+                    self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=f"inspector2/{region}/organization/members",
+                        checked_value="All active organization accounts (except audit) have Inspector enabled",
+                        actual_value=f"All {len(accounts_to_check)} active organization accounts (except audit) have Inspector enabled in {region}",
+                        remediation="No remediation needed"
+                    )
+                )
+        
+        return self.findings

sraverify/services/inspector/checks/sra_inspector_08.py

@@ -0,0 +1,69 @@
+"""
+SRA-INSPECTOR-08: Inspector EC2 Auto-Enable is Configured.
+"""
+from typing import List, Dict, Any
+from sraverify.services.inspector.base import InspectorCheck
+from sraverify.core.logging import logger
+
+
+class SRA_INSPECTOR_08(InspectorCheck):
+    """Check if Inspector EC2 auto-enable is configured."""
+    
+    def __init__(self):
+        """Initialize the check."""
+        super().__init__()
+        self.check_id = "SRA-INSPECTOR-08"
+        self.check_name = "Inspector EC2 auto-enable is configured"
+        self.account_type = "audit"
+        self.severity = "HIGH"
+        self.description = (
+            "This check verifies whether Inspector is configured to automatically enable EC2 scanning for new accounts. "
+            "Auto-enable ensures that EC2 instances in new accounts added to the organization are automatically scanned."
+        )
+        self.check_logic = (
+            "Check runs inspector2 describe-organization-configuration. Check PASS if autoEnable.ec2=true"
+        )
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        
+        # Check each region separately
+        for region in self.regions:
+            # Get organization configuration for this region
+            org_config = self.get_organization_configuration(region)
+            
+            # Check if EC2 auto-enable is configured
+            ec2_enabled = org_config.get('autoEnable', {}).get('ec2', False)
+            
+            if not ec2_enabled:
+                self.findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=f"inspector2/{region}/organization-configuration/ec2",
+                        checked_value="Inspector EC2 auto-enable is configured",
+                        actual_value=f"EC2 auto-enable is not configured in {region}",
+                        remediation=(
+                            "Configure Inspector EC2 auto-enable using the AWS Console or CLI command: "
+                            f"aws inspector2 update-organization-configuration --auto-enable ec2=true --region {region}"
+                        )
+                    )
+                )
+            else:
+                self.findings.append(
+                    self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=f"inspector2/{region}/organization-configuration/ec2",
+                        checked_value="Inspector EC2 auto-enable is configured",
+                        actual_value=f"EC2 auto-enable is configured in {region}",
+                        remediation="No remediation needed"
+                    )
+                )
+        
+        return self.findings

sraverify/services/inspector/checks/sra_inspector_09.py

@@ -0,0 +1,69 @@
+"""
+SRA-INSPECTOR-09: Inspector ECR Auto-Enable is Configured.
+"""
+from typing import List, Dict, Any
+from sraverify.services.inspector.base import InspectorCheck
+from sraverify.core.logging import logger
+
+
+class SRA_INSPECTOR_09(InspectorCheck):
+    """Check if Inspector ECR auto-enable is configured."""
+    
+    def __init__(self):
+        """Initialize the check."""
+        super().__init__()
+        self.check_id = "SRA-INSPECTOR-09"
+        self.check_name = "Inspector ECR auto-enable is configured"
+        self.account_type = "audit"
+        self.severity = "HIGH"
+        self.description = (
+            "This check verifies whether Inspector is configured to automatically enable ECR scanning for new accounts. "
+            "Auto-enable ensures that container images in ECR repositories in new accounts added to the organization are automatically scanned."
+        )
+        self.check_logic = (
+            "Check runs inspector2 describe-organization-configuration. Check PASS if autoEnable.ecr=true"
+        )
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        
+        # Check each region separately
+        for region in self.regions:
+            # Get organization configuration for this region
+            org_config = self.get_organization_configuration(region)
+            
+            # Check if ECR auto-enable is configured
+            ecr_enabled = org_config.get('autoEnable', {}).get('ecr', False)
+            
+            if not ecr_enabled:
+                self.findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=f"inspector2/{region}/organization-configuration/ecr",
+                        checked_value="Inspector ECR auto-enable is configured",
+                        actual_value="ECR auto-enable is not configured",
+                        remediation=(
+                            "Configure Inspector ECR auto-enable using the AWS Console or CLI command: "
+                            f"aws inspector2 update-organization-configuration --auto-enable ecr=true --region {region}"
+                        )
+                    )
+                )
+            else:
+                self.findings.append(
+                    self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=f"inspector2/{region}/organization-configuration/ecr",
+                        checked_value="Inspector ECR auto-enable is configured",
+                        actual_value="ECR auto-enable is configured",
+                        remediation="No remediation needed"
+                    )
+                )
+        
+        return self.findings

sraverify/services/inspector/checks/sra_inspector_10.py

@@ -0,0 +1,69 @@
+"""
+SRA-INSPECTOR-10: Inspector Lambda Auto-Enable is Configured.
+"""
+from typing import List, Dict, Any
+from sraverify.services.inspector.base import InspectorCheck
+from sraverify.core.logging import logger
+
+
+class SRA_INSPECTOR_10(InspectorCheck):
+    """Check if Inspector Lambda auto-enable is configured."""
+    
+    def __init__(self):
+        """Initialize the check."""
+        super().__init__()
+        self.check_id = "SRA-INSPECTOR-10"
+        self.check_name = "Inspector Lambda auto-enable is configured"
+        self.account_type = "audit"
+        self.severity = "HIGH"
+        self.description = (
+            "This check verifies whether Inspector is configured to automatically enable Lambda scanning for new accounts. "
+            "Auto-enable ensures that Lambda functions in new accounts added to the organization are automatically scanned."
+        )
+        self.check_logic = (
+            "Check runs inspector2 describe-organization-configuration. Check PASS if autoEnable.lambda=true"
+        )
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        
+        # Check each region separately
+        for region in self.regions:
+            # Get organization configuration for this region
+            org_config = self.get_organization_configuration(region)
+            
+            # Check if Lambda auto-enable is configured
+            lambda_enabled = org_config.get('autoEnable', {}).get('lambda', False)
+            
+            if not lambda_enabled:
+                self.findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=f"inspector2/{region}/organization-configuration/lambda",
+                        checked_value="Inspector Lambda auto-enable is configured",
+                        actual_value="Lambda auto-enable is not configured",
+                        remediation=(
+                            "Configure Inspector Lambda auto-enable using the AWS Console or CLI command: "
+                            f"aws inspector2 update-organization-configuration --auto-enable lambda=true --region {region}"
+                        )
+                    )
+                )
+            else:
+                self.findings.append(
+                    self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=f"inspector2/{region}/organization-configuration/lambda",
+                        checked_value="Inspector Lambda auto-enable is configured",
+                        actual_value="Lambda auto-enable is configured",
+                        remediation="No remediation needed"
+                    )
+                )
+        
+        return self.findings

sraverify/services/inspector/checks/sra_inspector_11.py

@@ -0,0 +1,69 @@
+"""
+SRA-INSPECTOR-11: Inspector Lambda Code Auto-Enable is Configured.
+"""
+from typing import List, Dict, Any
+from sraverify.services.inspector.base import InspectorCheck
+from sraverify.core.logging import logger
+
+
+class SRA_INSPECTOR_11(InspectorCheck):
+    """Check if Inspector Lambda Code auto-enable is configured."""
+    
+    def __init__(self):
+        """Initialize the check."""
+        super().__init__()
+        self.check_id = "SRA-INSPECTOR-11"
+        self.check_name = "Inspector Lambda Code auto-enable is configured"
+        self.account_type = "audit"
+        self.severity = "HIGH"
+        self.description = (
+            "This check verifies whether Inspector is configured to automatically enable Lambda Code scanning for new accounts. "
+            "Auto-enable ensures that Lambda function code in new accounts added to the organization is automatically scanned."
+        )
+        self.check_logic = (
+            "Check runs inspector2 describe-organization-configuration. Check PASS if autoEnable.lambdaCode=true"
+        )
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        
+        # Check each region separately
+        for region in self.regions:
+            # Get organization configuration for this region
+            org_config = self.get_organization_configuration(region)
+            
+            # Check if Lambda Code auto-enable is configured
+            lambda_code_enabled = org_config.get('autoEnable', {}).get('lambdaCode', False)
+            
+            if not lambda_code_enabled:
+                self.findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=f"inspector2/{region}/organization-configuration/lambdaCode",
+                        checked_value="Inspector Lambda Code auto-enable is configured",
+                        actual_value="Lambda Code auto-enable is not configured",
+                        remediation=(
+                            "Configure Inspector Lambda Code auto-enable using the AWS Console or CLI command: "
+                            f"aws inspector2 update-organization-configuration --auto-enable lambdaCode=true --region {region}"
+                        )
+                    )
+                )
+            else:
+                self.findings.append(
+                    self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=f"inspector2/{region}/organization-configuration/lambdaCode",
+                        checked_value="Inspector Lambda Code auto-enable is configured",
+                        actual_value="Lambda Code auto-enable is configured",
+                        remediation="No remediation needed"
+                    )
+                )
+        
+        return self.findings

sraverify/services/inspector/client.py

@@ -0,0 +1,99 @@
+"""
+Inspector client for interacting with AWS Inspector service.
+"""
+from typing import Dict, List, Optional, Any
+import boto3
+from botocore.exceptions import ClientError
+from sraverify.core.logging import logger
+
+
+class InspectorClient:
+    """Client for interacting with AWS Inspector service."""
+    
+    def __init__(self, region: str, session: Optional[boto3.Session] = None):
+        """
+        Initialize Inspector client for a specific region.
+        
+        Args:
+            region: AWS region name
+            session: AWS session to use (if None, a new session will be created)
+        """
+        self.region = region
+        self.session = session or boto3.Session()
+        self.client = self.session.client('inspector2', region_name=region)
+        self.org_client = self.session.client('organizations', region_name=region)
+
+    def batch_get_account_status(self, account_ids: List[str]) -> Dict[str, Any]:
+        """
+        Get the Inspector account status for specified accounts.
+        
+        Args:
+            account_ids: List of AWS account IDs
+            
+        Returns:
+            Dictionary containing account status information
+        """
+        try:
+            logger.debug(f"Getting Inspector account status for accounts {account_ids} in {self.region}")
+            response = self.client.batch_get_account_status(accountIds=account_ids)
+            return response
+        except ClientError as e:
+            logger.debug(f"Error getting Inspector account status in {self.region}: {e}")
+            return {}
+        except Exception as e:
+            logger.debug(f"Unexpected error getting Inspector account status in {self.region}: {e}")
+            return {}
+    
+    def get_delegated_admin_account(self) -> Dict[str, Any]:
+        """
+        Get the delegated administrator account for Inspector.
+        
+        Returns:
+            Dictionary containing delegated admin account information
+        """
+        try:
+            logger.debug(f"Getting Inspector delegated admin account in {self.region}")
+            response = self.client.get_delegated_admin_account()
+            return response
+        except ClientError as e:
+            logger.debug(f"Error getting Inspector delegated admin account in {self.region}: {e}")
+            return {}
+        except Exception as e:
+            logger.debug(f"Unexpected error getting Inspector delegated admin account in {self.region}: {e}")
+            return {}
+    
+    def describe_organization_configuration(self) -> Dict[str, Any]:
+        """
+        Describe Inspector organization configuration.
+        
+        Returns:
+            Dictionary containing organization configuration
+        """
+        try:
+            logger.debug(f"Describing Inspector organization configuration in {self.region}")
+            response = self.client.describe_organization_configuration()
+            return response
+        except ClientError as e:
+            logger.debug(f"Error describing Inspector organization configuration in {self.region}: {e}")
+            return {}
+        except Exception as e:
+            logger.debug(f"Unexpected error describing Inspector organization configuration in {self.region}: {e}")
+            return {}
+    
+    def list_organization_accounts(self) -> List[Dict[str, Any]]:
+        """
+        List all accounts in the AWS Organization.
+        
+        Returns:
+            List of organization accounts
+        """
+        try:
+            logger.debug(f"Listing organization accounts in {self.region}")
+            response = self.org_client.list_accounts()
+            return response.get('Accounts', [])
+        except ClientError as e:
+            logger.debug(f"Error listing organization accounts in {self.region}: {e}")
+            return []
+        except Exception as e:
+            logger.debug(f"Unexpected error listing organization accounts in {self.region}: {e}")
+            return []

sraverify/services/macie/__init__.py

@@ -0,0 +1,27 @@
+"""
+Macie security checks.
+"""
+from sraverify.services.macie.checks.sra_macie_01 import SRA_MACIE_01
+from sraverify.services.macie.checks.sra_macie_02 import SRA_MACIE_02
+from sraverify.services.macie.checks.sra_macie_03 import SRA_MACIE_03
+from sraverify.services.macie.checks.sra_macie_04 import SRA_MACIE_04
+from sraverify.services.macie.checks.sra_macie_05 import SRA_MACIE_05
+from sraverify.services.macie.checks.sra_macie_06 import SRA_MACIE_06
+from sraverify.services.macie.checks.sra_macie_07 import SRA_MACIE_07
+from sraverify.services.macie.checks.sra_macie_08 import SRA_MACIE_08
+from sraverify.services.macie.checks.sra_macie_09 import SRA_MACIE_09
+from sraverify.services.macie.checks.sra_macie_10 import SRA_MACIE_10
+
+# Register checks
+CHECKS = {
+    "SRA-MACIE-01": SRA_MACIE_01,
+    "SRA-MACIE-02": SRA_MACIE_02,
+    "SRA-MACIE-03": SRA_MACIE_03,
+    "SRA-MACIE-04": SRA_MACIE_04,
+    "SRA-MACIE-05": SRA_MACIE_05,
+    "SRA-MACIE-06": SRA_MACIE_06,
+    "SRA-MACIE-07": SRA_MACIE_07,
+    "SRA-MACIE-08": SRA_MACIE_08,
+    "SRA-MACIE-09": SRA_MACIE_09,
+    "SRA-MACIE-10": SRA_MACIE_10,
+}