sraverify 0.1.0__py3-none-any.whl

sraverify/services/macie/base.py

@@ -0,0 +1,271 @@
+"""
+Base class for Macie security checks.
+"""
+from typing import List, Optional, Dict, Any
+from sraverify.core.check import SecurityCheck
+from sraverify.services.macie.client import MacieClient
+from sraverify.core.logging import logger
+
+
+class MacieCheck(SecurityCheck):
+    """Base class for all Macie security checks."""
+    
+    # Class-level caches shared across all instances
+    _findings_publication_cache = {}
+    _export_configuration_cache = {}
+    _macie_delegated_admin_cache = {}
+    _macie_members_cache = {}
+    _org_members_cache = {}
+    _auto_enable_cache = {}
+    
+    def __init__(self):
+        """Initialize Macie base check."""
+        super().__init__(
+            account_type="application",  # Default, can be overridden in subclasses
+            service="Macie",
+            resource_type="AWS::Macie::Session"
+        )
+    
+    def _setup_clients(self):
+        """Set up Macie clients for each region."""
+        # Clear existing clients
+        self._clients.clear()
+        # Set up new clients only if regions are initialized
+        if hasattr(self, 'regions') and self.regions:
+            for region in self.regions:
+                self._clients[region] = MacieClient(region, session=self.session)
+    
+    def get_client(self, region: str) -> Optional[MacieClient]:
+        """
+        Get Macie client for a specific region.
+        
+        Args:
+            region: AWS region name
+            
+        Returns:
+            MacieClient for the region or None if not available
+        """
+        return self._clients.get(region)
+    
+    def get_findings_publication_configuration(self, region: str) -> Dict[str, Any]:
+        """
+        Get the findings publication configuration for Macie with caching.
+        
+        Args:
+            region: AWS region name
+            
+        Returns:
+            Dictionary containing findings publication configuration
+        """
+        # Check cache first
+        account_id = self.account_id
+        cache_key = f"{account_id}:{region}"
+        
+        if cache_key in self.__class__._findings_publication_cache:
+            logger.debug(f"Using cached Macie findings publication configuration for {region}")
+            return self.__class__._findings_publication_cache[cache_key]
+        
+        client = self.get_client(region)
+        if not client:
+            logger.warning(f"No Macie client available for region {region}")
+            return {}
+        
+        # Get findings publication configuration from client
+        config = client.get_findings_publication_configuration()
+        
+        # Cache the result
+        self.__class__._findings_publication_cache[cache_key] = config
+        logger.debug(f"Cached Macie findings publication configuration for {region}")
+        
+        return config
+    
+    def get_classification_export_configuration(self, region: str) -> Dict[str, Any]:
+        """
+        Get the classification export configuration for Macie with caching.
+        
+        Args:
+            region: AWS region name
+            
+        Returns:
+            Dictionary containing classification export configuration
+        """
+        # Check cache first
+        account_id = self.account_id
+        cache_key = f"{account_id}:{region}"
+        
+        if cache_key in self.__class__._export_configuration_cache:
+            logger.debug(f"Using cached Macie classification export configuration for {region}")
+            return self.__class__._export_configuration_cache[cache_key]
+        
+        client = self.get_client(region)
+        if not client:
+            logger.warning(f"No Macie client available for region {region}")
+            return {}
+        
+        # Get classification export configuration from client
+        config = client.get_classification_export_configuration()
+        
+        # Cache the result
+        self.__class__._export_configuration_cache[cache_key] = config
+        logger.debug(f"Cached Macie classification export configuration for {region}")
+        
+        return config
+    
+    def get_macie_delegated_admin(self, region: str) -> List[Dict[str, Any]]:
+        """
+        Get the Macie delegated administrator with caching.
+        
+        Args:
+            region: AWS region name
+            
+        Returns:
+            List of delegated administrators
+        """
+        # Check cache first
+        account_id = self.account_id
+        cache_key = f"{account_id}:{region}"
+        
+        if cache_key in self.__class__._macie_delegated_admin_cache:
+            logger.debug(f"Using cached Macie delegated administrator for {region}")
+            return self.__class__._macie_delegated_admin_cache[cache_key]
+        
+        client = self.get_client(region)
+        if not client:
+            logger.warning(f"No Macie client available for region {region}")
+            return []
+        
+        # Get delegated administrator from client
+        delegated_admin = client.list_delegated_administrators()
+        
+        # Cache the result
+        self.__class__._macie_delegated_admin_cache[cache_key] = delegated_admin
+        logger.debug(f"Cached Macie delegated administrator for {region}")
+        
+        return delegated_admin
+    
+    def get_macie_members(self, region: str) -> List[Dict[str, Any]]:
+        """
+        Get Macie members with caching.
+        
+        Args:
+            region: AWS region name
+            
+        Returns:
+            List of Macie members
+        """
+        # Check cache first
+        account_id = self.account_id
+        cache_key = f"{account_id}:{region}"
+        
+        if cache_key in self.__class__._macie_members_cache:
+            logger.debug(f"Using cached Macie members for {region}")
+            return self.__class__._macie_members_cache[cache_key]
+        
+        client = self.get_client(region)
+        if not client:
+            logger.warning(f"No Macie client available for region {region}")
+            return []
+        
+        # Get members from client
+        members = client.list_members()
+        
+        # Cache the result
+        self.__class__._macie_members_cache[cache_key] = members
+        logger.debug(f"Cached {len(members)} Macie members for {region}")
+        
+        return members
+    
+    def get_organization_members(self, region: str) -> List[Dict[str, Any]]:
+        """
+        Get AWS Organization members with caching.
+        
+        Args:
+            region: AWS region name
+            
+        Returns:
+            List of AWS Organization members
+        """
+        # Check cache first
+        account_id = self.account_id
+        cache_key = f"{account_id}:{region}"
+        
+        if cache_key in self.__class__._org_members_cache:
+            logger.debug(f"Using cached AWS Organization members for {region}")
+            return self.__class__._org_members_cache[cache_key]
+        
+        client = self.get_client(region)
+        if not client:
+            logger.warning(f"No Macie client available for region {region}")
+            return []
+        
+        # Get organization members from client
+        members = client.list_organization_accounts()
+        
+        # Cache the result
+        self.__class__._org_members_cache[cache_key] = members
+        logger.debug(f"Cached {len(members)} AWS Organization members for {region}")
+        
+        return members
+    
+    def get_organization_configuration(self, region: str) -> Dict[str, Any]:
+        """
+        Get Macie organization configuration with caching.
+        
+        Args:
+            region: AWS region name
+            
+        Returns:
+            Dictionary containing Macie organization configuration
+        """
+        # Check cache first
+        account_id = self.account_id
+        cache_key = f"{account_id}:{region}"
+        
+        if cache_key in self.__class__._auto_enable_cache:
+            logger.debug(f"Using cached Macie organization configuration for {region}")
+            return self.__class__._auto_enable_cache[cache_key]
+        
+        client = self.get_client(region)
+        if not client:
+            logger.warning(f"No Macie client available for region {region}")
+            return {}
+        
+        # Get organization configuration from client
+        config = client.describe_organization_configuration()
+        
+        # Cache the result
+        self.__class__._auto_enable_cache[cache_key] = config
+        logger.debug(f"Cached Macie organization configuration for {region}")
+        
+        return config
+    def get_macie_administrator_account(self, region: str) -> Dict[str, Any]:
+        """
+        Get the Macie administrator account with caching.
+        
+        Args:
+            region: AWS region name
+            
+        Returns:
+            Dictionary containing Macie administrator account information
+        """
+        # Check cache first
+        account_id = self.account_id
+        cache_key = f"{account_id}:{region}"
+        
+        if cache_key in self.__class__._macie_delegated_admin_cache:
+            logger.debug(f"Using cached Macie administrator account for {region}")
+            return self.__class__._macie_delegated_admin_cache[cache_key]
+        
+        client = self.get_client(region)
+        if not client:
+            logger.warning(f"No Macie client available for region {region}")
+            return {}
+        
+        # Get administrator account from client
+        admin_account = client.get_administrator_account()
+        
+        # Cache the result
+        self.__class__._macie_delegated_admin_cache[cache_key] = admin_account
+        logger.debug(f"Cached Macie administrator account for {region}")
+        
+        return admin_account

sraverify/services/macie/checks/__init__.py

@@ -0,0 +1 @@
+"""Macie security checks."""

sraverify/services/macie/checks/sra_macie_01.py

@@ -0,0 +1,100 @@
+"""
+SRA-MACIE-01: Macie publish policy findings to Security Hub is enabled.
+"""
+from typing import List, Dict, Any
+from sraverify.services.macie.base import MacieCheck
+from sraverify.core.logging import logger
+
+
+class SRA_MACIE_01(MacieCheck):
+    """Check if Macie publish policy findings to Security Hub is enabled."""
+    
+    def __init__(self):
+        """Initialize the check."""
+        super().__init__()
+        self.check_id = "SRA-MACIE-01"
+        self.check_name = "Macie publish policy findings to Security Hub is enabled"
+        self.description = (
+            "This check verifies whether Macie is configured to publish new and updated policy findings to AWS Security Hub. "
+            "Policy findings denotes potential security or privacy issue with a S3 bucket."
+        )
+        self.severity = "HIGH"
+        self.account_type = "application"
+        self.check_logic = "Check validates macie2 get-findings-publication-configuration. Check PASS if 'publishPolicyFindings': true"
+        self.resource_type = "AWS::Macie::Session"
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []
+        
+        for region in self.regions:
+            # Get findings publication configuration using the base class method with caching
+            config = self.get_findings_publication_configuration(region)
+            
+            # Check if the API call was successful
+            if not config:
+                findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=f"macie2/{self.account_id}/{region}",
+                        checked_value="publishPolicyFindings: true",
+                        actual_value="Failed to retrieve Macie findings publication configuration",
+                        remediation="Ensure Macie is enabled and you have the necessary permissions to call the Macie GetFindingsPublicationConfiguration API"
+                    )
+                )
+                continue
+            
+            # Check if Security Hub configuration exists
+            security_hub_config = config.get('securityHubConfiguration', {})
+            if not security_hub_config:
+                findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=f"macie2/{self.account_id}/{region}",
+                        checked_value="publishPolicyFindings: true",
+                        actual_value="Security Hub configuration not found in Macie findings publication configuration",
+                        remediation=(
+                            f"Configure Macie to publish findings to Security Hub in region {region} using the AWS CLI command: "
+                            f"aws macie2 put-findings-publication-configuration --security-hub-configuration publishPolicyFindings=true --region {region}"
+                        )
+                    )
+                )
+                continue
+            
+            # Check if policy findings are published to Security Hub
+            publish_policy_findings = security_hub_config.get('publishPolicyFindings', False)
+            
+            if publish_policy_findings:
+                findings.append(
+                    self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=f"macie2/{self.account_id}/{region}",
+                        checked_value="publishPolicyFindings: true",
+                        actual_value=f"Macie is configured to publish policy findings to Security Hub in region {region}",
+                        remediation="No remediation needed"
+                    )
+                )
+            else:
+                findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=f"macie2/{self.account_id}/{region}",
+                        checked_value="publishPolicyFindings: true",
+                        actual_value=f"Macie is not configured to publish policy findings to Security Hub in region {region}",
+                        remediation=(
+                            f"Configure Macie to publish policy findings to Security Hub in region {region} using the AWS CLI command: "
+                            f"aws macie2 put-findings-publication-configuration --security-hub-configuration publishPolicyFindings=true --region {region}"
+                        )
+                    )
+                )
+        
+        return findings

sraverify/services/macie/checks/sra_macie_02.py

@@ -0,0 +1,102 @@
+"""
+SRA-MACIE-02: Macie publish classification findings to Security Hub is enabled.
+"""
+from typing import List, Dict, Any
+from sraverify.services.macie.base import MacieCheck
+from sraverify.core.logging import logger
+
+
+class SRA_MACIE_02(MacieCheck):
+    """Check if Macie publish classification findings to Security Hub is enabled."""
+    
+    def __init__(self):
+        """Initialize the check."""
+        super().__init__()
+        self.check_id = "SRA-MACIE-02"
+        self.check_name = "Macie publish classification findings to Security Hub is enabled"
+        self.description = (
+            "This check verifies whether Macie is configured to publish sensitive data findings to AWS Security Hub. "
+            "Sensitive data findings denotes potential sensitive data in as S3 object. Macie continually evaluates your "
+            "S3 bucket inventory and uses sampling techniques to identify and select representative S3 objects from your buckets. "
+            "Macie then retrieves and analyzes the selected objects, inspecting them for sensitive data."
+        )
+        self.severity = "HIGH"
+        self.account_type = "application"
+        self.check_logic = "Check validates macie2 get-findings-publication-configuration. Check PASS if 'publishClassificationFindings': true"
+        self.resource_type = "AWS::Macie::Session"
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []
+        
+        for region in self.regions:
+            # Get findings publication configuration using the base class method with caching
+            config = self.get_findings_publication_configuration(region)
+            
+            # Check if the API call was successful
+            if not config:
+                findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=f"macie2/{self.account_id}/{region}",
+                        checked_value="publishClassificationFindings: true",
+                        actual_value="Failed to retrieve Macie findings publication configuration",
+                        remediation="Ensure Macie is enabled and you have the necessary permissions to call the Macie GetFindingsPublicationConfiguration API"
+                    )
+                )
+                continue
+            
+            # Check if Security Hub configuration exists
+            security_hub_config = config.get('securityHubConfiguration', {})
+            if not security_hub_config:
+                findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=f"macie2/{self.account_id}/{region}",
+                        checked_value="publishClassificationFindings: true",
+                        actual_value="Security Hub configuration not found in Macie findings publication configuration",
+                        remediation=(
+                            f"Configure Macie to publish findings to Security Hub in region {region} using the AWS CLI command: "
+                            f"aws macie2 put-findings-publication-configuration --security-hub-configuration publishClassificationFindings=true --region {region}"
+                        )
+                    )
+                )
+                continue
+            
+            # Check if classification findings are published to Security Hub
+            publish_classification_findings = security_hub_config.get('publishClassificationFindings', False)
+            
+            if publish_classification_findings:
+                findings.append(
+                    self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=f"macie2/{self.account_id}/{region}",
+                        checked_value="publishClassificationFindings: true",
+                        actual_value=f"Macie is configured to publish classification findings to Security Hub in region {region}",
+                        remediation="No remediation needed"
+                    )
+                )
+            else:
+                findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=f"macie2/{self.account_id}/{region}",
+                        checked_value="publishClassificationFindings: true",
+                        actual_value=f"Macie is not configured to publish classification findings to Security Hub in region {region}",
+                        remediation=(
+                            f"Configure Macie to publish classification findings to Security Hub in region {region} using the AWS CLI command: "
+                            f"aws macie2 put-findings-publication-configuration --security-hub-configuration publishClassificationFindings=true --region {region}"
+                        )
+                    )
+                )
+        
+        return findings

sraverify/services/macie/checks/sra_macie_03.py

@@ -0,0 +1,152 @@
+"""
+SRA-MACIE-03: Macie findings exported to a S3 bucket in Log Archive account are encrypted at rest.
+"""
+from typing import List, Dict, Any
+from sraverify.services.macie.base import MacieCheck
+from sraverify.core.logging import logger
+
+
+class SRA_MACIE_03(MacieCheck):
+    """Check if Macie findings are exported to a S3 bucket in Log Archive account."""
+    
+    def __init__(self):
+        """Initialize the check."""
+        super().__init__()
+        self.check_id = "SRA-MACIE-03"
+        self.check_name = "Macie findings exported to a S3 bucket in Log Archive account are encrypted at rest"
+        self.description = (
+            "This check verifies whether all Macie findings are being exported to a S3 bucket within the Log Archive account. "
+            "Log Archive account is the central repository of all AWS Organization logs."
+        )
+        self.severity = "HIGH"
+        self.account_type = "application"
+        self.check_logic = (
+            "Check validates using get-classification-export-configuration if Macie is set to export findings to S3 AND "
+            "if the S3 bucket is in the log archive account validated by EITHER the bucket name containing OR the KMS key "
+            "arn containing the --log-archive account ID. If bucket account can't be validated to --log-archive FAIL with value of bucket."
+        )
+        self.resource_type = "AWS::Macie::Session"
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []
+        
+        # Check if log archive accounts are provided
+        log_archive_accounts = []
+        if hasattr(self, '_log_archive_accounts') and self._log_archive_accounts:
+            log_archive_accounts = self._log_archive_accounts
+        
+        if not log_archive_accounts:
+            for region in self.regions:
+                findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=f"macie2/{self.account_id}/{region}",
+                        checked_value="S3 bucket in Log Archive account",
+                        actual_value="Log Archive account ID not provided",
+                        remediation="Provide the Log Archive account IDs using --log-archive-account flag"
+                    )
+                )
+            return findings
+        
+        for region in self.regions:
+            # Get classification export configuration using the base class method with caching
+            export_config = self.get_classification_export_configuration(region)
+            
+            # Check if the API call was successful
+            if not export_config:
+                findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=f"macie2/{self.account_id}/{region}",
+                        checked_value="S3 bucket in Log Archive account",
+                        actual_value="Failed to retrieve Macie classification export configuration",
+                        remediation="Ensure Macie is enabled and you have the necessary permissions to call the Macie GetClassificationExportConfiguration API"
+                    )
+                )
+                continue
+            
+            # Check if export configuration exists
+            configuration = export_config.get('configuration', {})
+            if not configuration:
+                findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=f"macie2/{self.account_id}/{region}",
+                        checked_value="S3 bucket in Log Archive account",
+                        actual_value="Macie findings export configuration not found",
+                        remediation=(
+                            f"Configure Macie to export findings to a S3 bucket in the Log Archive account in region {region} using the AWS CLI command: "
+                            f"aws macie2 put-classification-export-configuration --s3-destination bucketName=macie-findings-{log_archive_accounts[0]},kmsKeyArn=arn:aws:kms:{region}:{log_archive_accounts[0]}:key/your-key-id --region {region}"
+                        )
+                    )
+                )
+                continue
+            
+            # Check if S3 destination exists
+            s3_destination = configuration.get('s3Destination', {})
+            if not s3_destination:
+                findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=f"macie2/{self.account_id}/{region}",
+                        checked_value="S3 bucket in Log Archive account",
+                        actual_value="S3 destination not found in Macie findings export configuration",
+                        remediation=(
+                            f"Configure Macie to export findings to a S3 bucket in the Log Archive account in region {region} using the AWS CLI command: "
+                            f"aws macie2 put-classification-export-configuration --s3-destination bucketName=macie-findings-{log_archive_accounts[0]},kmsKeyArn=arn:aws:kms:{region}:{log_archive_accounts[0]}:key/your-key-id --region {region}"
+                        )
+                    )
+                )
+                continue
+            
+            # Get bucket name and KMS key ARN
+            bucket_name = s3_destination.get('bucketName', '')
+            kms_key_arn = s3_destination.get('kmsKeyArn', '')
+            
+            # Check if bucket name or KMS key ARN contains log archive account ID
+            is_in_log_archive = False
+            log_archive_account_found = None
+            
+            for log_archive_account in log_archive_accounts:
+                if log_archive_account in bucket_name or log_archive_account in kms_key_arn:
+                    is_in_log_archive = True
+                    log_archive_account_found = log_archive_account
+                    break
+            
+            if is_in_log_archive:
+                findings.append(
+                    self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=f"macie2/{self.account_id}/{region}",
+                        checked_value="S3 bucket in Log Archive account",
+                        actual_value=f"Macie findings are exported to S3 bucket '{bucket_name}' in Log Archive account {log_archive_account_found} in region {region}",
+                        remediation="No remediation needed"
+                    )
+                )
+            else:
+                findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=f"macie2/{self.account_id}/{region}",
+                        checked_value="S3 bucket in Log Archive account",
+                        actual_value=f"Macie findings are exported to S3 bucket '{bucket_name}' which is not in any of the specified Log Archive accounts {', '.join(log_archive_accounts)} in region {region}",
+                        remediation=(
+                            f"Configure Macie to export findings to a S3 bucket in the Log Archive account in region {region} using the AWS CLI command: "
+                            f"aws macie2 put-classification-export-configuration --s3-destination bucketName=macie-findings-{log_archive_accounts[0]},kmsKeyArn=arn:aws:kms:{region}:{log_archive_accounts[0]}:key/your-key-id --region {region}"
+                        )
+                    )
+                )
+        
+        return findings