sraverify 0.1.0__py3-none-any.whl

sraverify/services/macie/checks/sra_macie_10.py

@@ -0,0 +1,81 @@
+"""
+SRA-MACIE-10: Macie member account limit not reached.
+"""
+from typing import List, Dict, Any
+from sraverify.services.macie.base import MacieCheck
+from sraverify.core.logging import logger
+
+
+class SRA_MACIE_10(MacieCheck):
+    """Check if Macie member account limit not reached."""
+    
+    def __init__(self):
+        """Initialize the check."""
+        super().__init__()
+        self.check_id = "SRA-MACIE-10"
+        self.check_name = "Macie member account limit not reached"
+        self.description = (
+            "This check verifies whether the maximum number of allowed member accounts are already associated with the "
+            "delegated administrator account for the AWS Organization."
+        )
+        self.severity = "MEDIUM"
+        self.account_type = "audit"
+        self.check_logic = "Check runs macie2 describe-organization-configuration. PASS if maxaccountlimitreached = False"
+        self.resource_type = "AWS::Macie::Session"
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []
+        
+        for region in self.regions:
+            # Get organization configuration using the base class method with caching
+            org_config = self.get_organization_configuration(region)
+            
+            # Check if the API call was successful
+            if not org_config:
+                findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=f"macie2/{self.account_id}/{region}",
+                        checked_value="maxAccountLimitReached: false",
+                        actual_value="Failed to retrieve Macie organization configuration",
+                        remediation="Ensure Macie is enabled and you have the necessary permissions to call the Macie DescribeOrganizationConfiguration API"
+                    )
+                )
+                continue
+            
+            # Check if max account limit is reached
+            max_account_limit_reached = org_config.get('maxAccountLimitReached', False)
+            
+            if not max_account_limit_reached:
+                findings.append(
+                    self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=f"macie2/{self.account_id}/{region}",
+                        checked_value="maxAccountLimitReached: false",
+                        actual_value=f"Macie member account limit not reached in region {region}",
+                        remediation="No remediation needed"
+                    )
+                )
+            else:
+                findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=f"macie2/{self.account_id}/{region}",
+                        checked_value="maxAccountLimitReached: false",
+                        actual_value=f"Macie member account limit reached in region {region}",
+                        remediation=(
+                            "Contact AWS Support to request an increase in the Macie member account limit"
+                        )
+                    )
+                )
+        
+        return findings

sraverify/services/macie/client.py

@@ -0,0 +1,220 @@
+"""
+Macie client for interacting with AWS Macie service.
+"""
+from typing import Dict, List, Optional, Any
+import boto3
+from botocore.exceptions import ClientError
+from sraverify.core.logging import logger
+
+
+class MacieClient:
+    """Client for interacting with AWS Macie service."""
+    
+    def __init__(self, region: str, session: Optional[boto3.Session] = None):
+        """
+        Initialize Macie client for a specific region.
+        
+        Args:
+            region: AWS region name
+            session: AWS session to use (if None, a new session will be created)
+        """
+        self.region = region
+        self.session = session or boto3.Session()
+        self.client = self.session.client('macie2', region_name=region)
+        self.org_client = self.session.client('organizations', region_name=region)
+
+    def get_findings_publication_configuration(self) -> Dict[str, Any]:
+        """
+        Get the findings publication configuration for Macie.
+        
+        Returns:
+            Dictionary containing findings publication configuration
+        """
+        try:
+            logger.debug(f"Getting Macie findings publication configuration in {self.region}")
+            response = self.client.get_findings_publication_configuration()
+            logger.debug(f"Macie findings publication configuration in {self.region}: {response}")
+            return response
+        except ClientError as e:
+            error_code = getattr(e, 'response', {}).get('Error', {}).get('Code', '')
+            error_message = str(e)
+            if error_code == 'AccessDeniedException' or 'Macie is not enabled' in error_message:
+                # If we get an access denied exception, it might be because Macie is not enabled
+                # in this region for this account
+                logger.debug(f"Access denied when getting Macie findings publication configuration in {self.region}. Macie might not be enabled in this region.")
+            else:
+                logger.debug(f"Error getting Macie findings publication configuration in {self.region}: {e}")
+            return {}
+        except Exception as e:
+            logger.debug(f"Unexpected error getting Macie findings publication configuration in {self.region}: {e}")
+            return {}
+    
+    def get_classification_export_configuration(self) -> Dict[str, Any]:
+        """
+        Get the classification export configuration for Macie.
+        
+        Returns:
+            Dictionary containing classification export configuration
+        """
+        try:
+            logger.debug(f"Getting Macie classification export configuration in {self.region}")
+            response = self.client.get_classification_export_configuration()
+            logger.debug(f"Macie classification export configuration in {self.region}: {response}")
+            return response
+        except ClientError as e:
+            error_code = getattr(e, 'response', {}).get('Error', {}).get('Code', '')
+            error_message = str(e)
+            if error_code == 'AccessDeniedException' or 'Macie is not enabled' in error_message:
+                logger.debug(f"Access denied when getting Macie classification export configuration in {self.region}. Macie might not be enabled in this region.")
+            else:
+                logger.debug(f"Error getting Macie classification export configuration in {self.region}: {e}")
+            return {}
+        except Exception as e:
+            logger.debug(f"Unexpected error getting Macie classification export configuration in {self.region}: {e}")
+            return {}
+    
+    def list_delegated_administrators(self, service_principal: str = "macie.amazonaws.com") -> List[Dict[str, Any]]:
+        """
+        List delegated administrators for Macie.
+        
+        Args:
+            service_principal: Service principal to check for delegated administrators
+            
+        Returns:
+            List of delegated administrators
+        """
+        try:
+            logger.debug(f"Listing delegated administrators for {service_principal} in {self.region}")
+            response = self.org_client.list_delegated_administrators(ServicePrincipal=service_principal)
+            delegated_admins = response.get('DelegatedAdministrators', [])
+            logger.debug(f"Found {len(delegated_admins)} delegated administrators for {service_principal}")
+            for admin in delegated_admins:
+                logger.debug(f"Delegated admin: {admin.get('Id')} - {admin.get('Name')}")
+            return delegated_admins
+        except ClientError as e:
+            logger.error(f"Error listing delegated administrators for {service_principal}: {e}")
+            return []
+        except Exception as e:
+            logger.error(f"Unexpected error listing delegated administrators: {e}")
+            return []
+    
+    def list_members(self) -> List[Dict[str, Any]]:
+        """
+        List Macie members.
+        
+        Returns:
+            List of Macie members
+        """
+        try:
+            logger.debug(f"Listing Macie members in {self.region}")
+            members = []
+            paginator = self.client.get_paginator('list_members')
+            
+            for page in paginator.paginate():
+                members.extend(page.get('members', []))
+            
+            logger.debug(f"Found {len(members)} Macie members in {self.region}")
+            return members
+        except ClientError as e:
+            error_code = getattr(e, 'response', {}).get('Error', {}).get('Code', '')
+            error_message = str(e)
+            if error_code == 'AccessDeniedException' or 'Macie is not enabled' in error_message:
+                logger.debug(f"Access denied when listing Macie members in {self.region}. This is expected if the account is not a Macie admin account or Macie is not enabled.")
+            else:
+                logger.debug(f"Error listing Macie members in {self.region}: {e}")
+            return []
+        except Exception as e:
+            logger.debug(f"Unexpected error listing Macie members in {self.region}: {e}")
+            return []
+    
+    def list_organization_accounts(self) -> List[Dict[str, Any]]:
+        """
+        List all accounts in the AWS Organization.
+        
+        Returns:
+            List of accounts in the AWS Organization
+        """
+        try:
+            logger.debug(f"Listing AWS Organization accounts in {self.region}")
+            accounts = []
+            paginator = self.org_client.get_paginator('list_accounts')
+            
+            for page in paginator.paginate():
+                accounts.extend(page.get('Accounts', []))
+            
+            logger.debug(f"Found {len(accounts)} AWS Organization accounts")
+            return accounts
+        except ClientError as e:
+            logger.error(f"Error listing AWS Organization accounts: {e}")
+            return []
+        except Exception as e:
+            logger.error(f"Unexpected error listing AWS Organization accounts: {e}")
+            return []
+    
+    def describe_organization_configuration(self) -> Dict[str, Any]:
+        """
+        Describe the Macie organization configuration.
+        
+        Returns:
+            Dictionary containing Macie organization configuration
+        """
+        try:
+            logger.debug(f"Describing Macie organization configuration in {self.region}")
+            response = self.client.describe_organization_configuration()
+            logger.debug(f"Macie organization configuration in {self.region}: {response}")
+            return response
+        except ClientError as e:
+            error_code = getattr(e, 'response', {}).get('Error', {}).get('Code', '')
+            error_message = str(e)
+            if error_code == 'AccessDeniedException' or 'Macie is not enabled' in error_message or 'must be the Macie administrator' in error_message:
+                logger.debug(f"Access denied when describing Macie organization configuration in {self.region}. This is expected if the account is not a Macie admin account or Macie is not enabled.")
+            else:
+                logger.debug(f"Error describing Macie organization configuration in {self.region}: {e}")
+            return {}
+        except Exception as e:
+            logger.debug(f"Unexpected error describing Macie organization configuration in {self.region}: {e}")
+            return {}
+    
+    def get_account_id(self) -> Optional[str]:
+        """
+        Get the current account ID.
+        
+        Returns:
+            Current account ID or None if not available
+        """
+        try:
+            logger.debug(f"Getting current account ID in {self.region}")
+            sts_client = self.session.client("sts")
+            response = sts_client.get_caller_identity()
+            account_id = response["Account"]
+            logger.debug(f"Current account ID: {account_id}")
+            return account_id
+        except ClientError as e:
+            logger.error(f"Error getting current account ID: {e}")
+            return None
+        except Exception as e:
+            logger.error(f"Unexpected error getting current account ID: {e}")
+            return None
+    def get_administrator_account(self) -> Dict[str, Any]:
+        """
+        Get the Macie administrator account.
+        
+        Returns:
+            Dictionary containing Macie administrator account information
+        """
+        try:
+            logger.debug(f"Getting Macie administrator account in {self.region}")
+            response = self.client.get_administrator_account()
+            logger.debug(f"Macie administrator account in {self.region}: {response}")
+            return response
+        except ClientError as e:
+            error_code = getattr(e, 'response', {}).get('Error', {}).get('Code', '')
+            error_message = str(e)
+            if error_code == 'AccessDeniedException' or 'Macie is not enabled' in error_message:
+                logger.debug(f"Access denied when getting Macie administrator account in {self.region}. Macie might not be enabled in this region.")
+            else:
+                logger.debug(f"Error getting Macie administrator account in {self.region}: {e}")
+            return {}
+        except Exception as e:
+            logger.debug(f"Unexpected error getting Macie administrator account in {self.region}: {e}")
+            return {}

sraverify/services/s3/__init__.py

@@ -0,0 +1,16 @@
+"""
+S3 security checks.
+"""
+from sraverify.services.s3.checks.sra_s3_01 import SRA_S3_01
+from sraverify.services.s3.checks.sra_s3_02 import SRA_S3_02
+from sraverify.services.s3.checks.sra_s3_03 import SRA_S3_03
+from sraverify.services.s3.checks.sra_s3_04 import SRA_S3_04
+
+# Register checks
+CHECKS = {
+    "SRA-S3-01": SRA_S3_01,
+    "SRA-S3-02": SRA_S3_02,
+    "SRA-S3-03": SRA_S3_03,
+    "SRA-S3-04": SRA_S3_04,
+
+}

sraverify/services/s3/base.py

@@ -0,0 +1,69 @@
+"""
+Base class for S3 security checks.
+"""
+from typing import List, Optional, Dict, Any
+from sraverify.core.check import SecurityCheck
+from sraverify.services.s3.client import S3Client
+from sraverify.core.logging import logger
+
+
+class S3Check(SecurityCheck):
+    """Base class for all S3 security checks."""
+    
+    # Class-level cache shared across all instances
+    _public_access_cache = {}
+    
+    def __init__(self):
+        """Initialize S3 base check."""
+        super().__init__(
+            account_type="application",
+            service="S3",
+            resource_type="AWS::S3::AccountPublicAccessBlock"
+        )
+    
+    def _setup_clients(self):
+        """Set up S3 clients for each region."""
+        # Clear existing clients
+        self._clients.clear()
+        # Set up new clients only if regions are initialized
+        if hasattr(self, 'regions') and self.regions:
+            for region in self.regions:
+                self._clients[region] = S3Client(region, session=self.session)
+    
+    def get_public_access(self) -> Dict[str, Any]:
+        """
+        Get the public access block configuration for the account with caching.
+        
+        Returns:
+            Public access block configuration
+        """
+        if not self.regions:
+            logger.warning("No regions specified")
+            return {}
+        
+        account_id = self.account_id
+        if not account_id:
+            logger.warning("Could not determine account ID")
+            return {}
+        
+        # Use session region name as part of cache key
+        cache_key = f"public_access:{account_id}:{self.session.region_name}"
+        if cache_key in self.__class__._public_access_cache:
+            logger.debug(f"Using cached public access block configuration for {cache_key}")
+            return self.__class__._public_access_cache[cache_key]
+        
+        # Use any region to get public access block configuration
+        # S3 is a global service, but we need to use a regional endpoint
+        client = self._clients.get(self.regions[0])
+        if not client:
+            logger.warning("No S3 client available")
+            return {}
+        
+        # Get public access block configuration from client
+        public_access_config = client.get_public_access_block(account_id)
+        
+        # Cache the results
+        self.__class__._public_access_cache[cache_key] = public_access_config
+        logger.debug(f"Cached public access block configuration for {cache_key}")
+        
+        return public_access_config

sraverify/services/s3/checks/__init__.py

@@ -0,0 +1 @@
+"""S3 service checks."""

sraverify/services/s3/checks/sra_s3_01.py

@@ -0,0 +1,89 @@
+"""
+SRA-S3-01: S3 restrict public bucket is enabled.
+"""
+from typing import List, Dict, Any
+from sraverify.services.s3.base import S3Check
+from sraverify.core.logging import logger
+
+
+class SRA_S3_01(S3Check):
+    """Check if S3 restrict public bucket is enabled for the account."""
+    
+    def __init__(self):
+        """Initialize the check."""
+        super().__init__()
+        self.check_id = "SRA-S3-01"
+        self.check_name = "S3 restrict public bucket is enabled"
+        self.account_type = "application"
+        self.severity = "HIGH"
+        self.description = (
+            "This check verifies whether S3 should restrict public policies for S3 buckets. "
+            "Setting this restricts access to this bucket to only AWS service principals and authorized users "
+            "within this account if the bucket has a public policy."
+        )
+        self.check_logic = (
+            "Check if RestrictPublicBuckets is set to true in the account's public access block configuration."
+        )
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []
+        
+        # Get public access block configuration using the base class method
+        # This will use the cache if available or make API calls if needed
+        public_access_config = self.get_public_access()
+        
+        # Check if the configuration exists and RestrictPublicBuckets is enabled
+        if not public_access_config:
+            findings.append(
+                self.create_finding(
+                    status="FAIL",
+                    region="global",  # S3 public access block is a global setting
+                                        resource_id=self.account_id,
+                    checked_value="RestrictPublicBuckets: true",
+                    actual_value="No public access block configuration found",
+                    remediation=(
+                        "Enable S3 Block Public Access at the account level using the AWS CLI command: "
+                        f"aws s3control put-public-access-block --account-id {self.account_id} "
+                        "--public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,"
+                        "BlockPublicPolicy=true,RestrictPublicBuckets=true"
+                    )
+                )
+            )
+            return findings
+        
+        restrict_public_buckets = public_access_config.get('RestrictPublicBuckets', False)
+        
+        if restrict_public_buckets:
+            findings.append(
+                self.create_finding(
+                    status="PASS",
+                    region="global",  # S3 public access block is a global setting
+                                        resource_id=self.account_id,
+                    checked_value="RestrictPublicBuckets: true",
+                    actual_value="RestrictPublicBuckets setting is true",
+                    remediation="No remediation needed"
+                )
+            )
+        else:
+            findings.append(
+                self.create_finding(
+                    status="FAIL",
+                    region="global",  # S3 public access block is a global setting
+                                        resource_id=self.account_id,
+                    checked_value="RestrictPublicBuckets: true",
+                    actual_value="RestrictPublicBuckets setting is false",
+                    remediation=(
+                        "Enable S3 Restrict Public Buckets at the account level using the AWS CLI command: "
+                        f"aws s3control put-public-access-block --account-id {self.account_id} "
+                        "--public-access-block-configuration RestrictPublicBuckets=true"
+                    )
+                )
+            )
+        
+        return findings

sraverify/services/s3/checks/sra_s3_02.py

@@ -0,0 +1,89 @@
+"""
+SRA-S3-02: S3 block public ACLs is set.
+"""
+from typing import List, Dict, Any
+from sraverify.services.s3.base import S3Check
+from sraverify.core.logging import logger
+
+
+class SRA_S3_02(S3Check):
+    """Check if S3 block public ACLs is enabled for the account."""
+    
+    def __init__(self):
+        """Initialize the check."""
+        super().__init__()
+        self.check_id = "SRA-S3-02"
+        self.check_name = "S3 block public ACLs is set"
+        self.account_type = "application"
+        self.severity = "HIGH"
+        self.description = (
+            "This check verifies whether S3 public block access control lists (ACLs) for buckets and object is enabled. "
+            "Setting this fails prevents from setting a public ACL on S3 buckets and Objects. It also prevent creating "
+            "a bucket with public ACL and uploading a object with public ACL."
+        )
+        self.check_logic = (
+            "Check if BlockPublicAcls is set to true in the account's public access block configuration."
+        )
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []
+        
+        # Get public access block configuration using the base class method
+        # This will use the cache if available or make API calls if needed
+        public_access_config = self.get_public_access()
+        
+        # Check if the configuration exists and BlockPublicAcls is enabled
+        if not public_access_config:
+            findings.append(
+                self.create_finding(
+                    status="FAIL",
+                    region="global",  # S3 public access block is a global setting
+                    resource_id=self.account_id,
+                    checked_value="BlockPublicAcls: true",
+                    actual_value="No public access block configuration found",
+                    remediation=(
+                        "Enable S3 Block Public Access at the account level using the AWS CLI command: "
+                        f"aws s3control put-public-access-block --account-id {self.account_id} "
+                        "--public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,"
+                        "BlockPublicPolicy=true,RestrictPublicBuckets=true"
+                    )
+                )
+            )
+            return findings
+        
+        block_public_acls = public_access_config.get('BlockPublicAcls', False)
+        
+        if block_public_acls:
+            findings.append(
+                self.create_finding(
+                    status="PASS",
+                    region="global",  # S3 public access block is a global setting
+                    resource_id=self.account_id,
+                    checked_value="BlockPublicAcls: true",
+                    actual_value="BlockPublicAcls setting is true",
+                    remediation="No remediation needed"
+                )
+            )
+        else:
+            findings.append(
+                self.create_finding(
+                    status="FAIL",
+                    region="global",  # S3 public access block is a global setting
+                    resource_id=self.account_id,
+                    checked_value="BlockPublicAcls: true",
+                    actual_value="BlockPublicAcls setting is false",
+                    remediation=(
+                        "Enable S3 Block Public Access at the account level using the AWS CLI command: "
+                        f"aws s3control put-public-access-block --account-id {self.account_id} "
+                        "--public-access-block-configuration BlockPublicAcls=true"
+                    )
+                )
+            )
+        
+        return findings

sraverify/services/s3/checks/sra_s3_03.py

@@ -0,0 +1,88 @@
+"""
+SRA-S3-03: S3 ignore public ACL is enabled.
+"""
+from typing import List, Dict, Any
+from sraverify.services.s3.base import S3Check
+from sraverify.core.logging import logger
+
+
+class SRA_S3_03(S3Check):
+    """Check if S3 ignore public ACLs is enabled for the account."""
+    
+    def __init__(self):
+        """Initialize the check."""
+        super().__init__()
+        self.check_id = "SRA-S3-03"
+        self.check_name = "S3 ignore public ACL is enabled"
+        self.account_type = "application"
+        self.severity = "HIGH"
+        self.description = (
+            "This check verifies whether the IgnorePublicACLs is set to True. Setting this causes Amazon S3 "
+            "to ignore all public ACLs on buckets and objects in the bucket."
+        )
+        self.check_logic = (
+            "Check if IgnorePublicAcls is set to true in the account's public access block configuration."
+        )
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []
+        
+        # Get public access block configuration using the base class method
+        # This will use the cache if available or make API calls if needed
+        public_access_config = self.get_public_access()
+        
+        # Check if the configuration exists and IgnorePublicAcls is enabled
+        if not public_access_config:
+            findings.append(
+                self.create_finding(
+                    status="FAIL",
+                    region="global",  # S3 public access block is a global setting
+                    resource_id=self.account_id,
+                    checked_value="IgnorePublicAcls: true",
+                    actual_value="No public access block configuration found",
+                    remediation=(
+                        "Enable S3 Block Public Access at the account level using the AWS CLI command: "
+                        f"aws s3control put-public-access-block --account-id {self.account_id} "
+                        "--public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,"
+                        "BlockPublicPolicy=true,RestrictPublicBuckets=true"
+                    )
+                )
+            )
+            return findings
+        
+        ignore_public_acls = public_access_config.get('IgnorePublicAcls', False)
+        
+        if ignore_public_acls:
+            findings.append(
+                self.create_finding(
+                    status="PASS",
+                    region="global",  # S3 public access block is a global setting
+                    resource_id=self.account_id,
+                    checked_value="IgnorePublicAcls: true",
+                    actual_value="IgnorePublicAcls setting is true",
+                    remediation="No remediation needed"
+                )
+            )
+        else:
+            findings.append(
+                self.create_finding(
+                    status="FAIL",
+                    region="global",  # S3 public access block is a global setting
+                    resource_id=self.account_id,
+                    checked_value="IgnorePublicAcls: true",
+                    actual_value="IgnorePublicAcls setting is false",
+                    remediation=(
+                        "Enable S3 Ignore Public ACLs at the account level using the AWS CLI command: "
+                        f"aws s3control put-public-access-block --account-id {self.account_id} "
+                        "--public-access-block-configuration IgnorePublicAcls=true"
+                    )
+                )
+            )
+        
+        return findings