PyPI - sraverify - Versions diffs - 0.1.0__py3-none-any.whl - Mend

sraverify 0.1.0__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (261) hide show

sraverify/__init__.py +36 -0
sraverify/checks/__init__.py +56 -0
sraverify/checks/accessanalyzer/SRA_IAA_1.py +188 -0
sraverify/checks/accessanalyzer/SRA_IAA_2.py +162 -0
sraverify/checks/accessanalyzer/SRA_IAA_3.py +260 -0
sraverify/checks/accessanalyzer/SRA_IAA_4.py +207 -0
sraverify/checks/accessanalyzer/__init__.py +3 -0
sraverify/checks/cloudtrail/SRA-CT-1.py +220 -0
sraverify/checks/cloudtrail/SRA-CT-10.py +229 -0
sraverify/checks/cloudtrail/SRA-CT-11.py +242 -0
sraverify/checks/cloudtrail/SRA-CT-12.py +163 -0
sraverify/checks/cloudtrail/SRA-CT-13.py +279 -0
sraverify/checks/cloudtrail/SRA-CT-2.py +218 -0
sraverify/checks/cloudtrail/SRA-CT-3.py +196 -0
sraverify/checks/cloudtrail/SRA-CT-4.py +161 -0
sraverify/checks/cloudtrail/SRA-CT-5.py +200 -0
sraverify/checks/cloudtrail/SRA-CT-6.py +161 -0
sraverify/checks/cloudtrail/SRA-CT-7.py +194 -0
sraverify/checks/cloudtrail/SRA-CT-8.py +226 -0
sraverify/checks/cloudtrail/SRA-CT-9.py +226 -0
sraverify/checks/cloudtrail/__init__.py +3 -0
sraverify/checks/config/SRA-CONFIG-1.py +197 -0
sraverify/checks/config/__init__.py +3 -0
sraverify/core/__init__.py +3 -0
sraverify/core/check.py +227 -0
sraverify/core/logging.py +37 -0
sraverify/core/session.py +47 -0
sraverify/lib/__init__.py +4 -0
sraverify/lib/audit_info.py +37 -0
sraverify/lib/banner.py +42 -0
sraverify/lib/check_loader.py +80 -0
sraverify/lib/org_mgmt_checker.py +86 -0
sraverify/lib/outputs.py +46 -0
sraverify/lib/progress.py +75 -0
sraverify/lib/regions.py +27 -0
sraverify/lib/session.py +23 -0
sraverify/main.py +350 -0
sraverify/services/__init__.py +3 -0
sraverify/services/accessanalyzer/__init__.py +15 -0
sraverify/services/accessanalyzer/base.py +123 -0
sraverify/services/accessanalyzer/checks/__init__.py +3 -0
sraverify/services/accessanalyzer/checks/sra_accessanalyzer_01.py +82 -0
sraverify/services/accessanalyzer/checks/sra_accessanalyzer_02.py +82 -0
sraverify/services/accessanalyzer/checks/sra_accessanalyzer_03.py +103 -0
sraverify/services/accessanalyzer/checks/sra_accessanalyzer_04.py +139 -0
sraverify/services/accessanalyzer/client.py +123 -0
sraverify/services/account/__init__.py +9 -0
sraverify/services/account/base.py +56 -0
sraverify/services/account/checks/__init__.py +1 -0
sraverify/services/account/checks/sra_account_01.py +65 -0
sraverify/services/account/checks/sra_account_02.py +63 -0
sraverify/services/account/checks/sra_account_03.py +63 -0
sraverify/services/account/client.py +51 -0
sraverify/services/auditmanager/__init__.py +10 -0
sraverify/services/auditmanager/base.py +72 -0
sraverify/services/auditmanager/checks/__init__.py +1 -0
sraverify/services/auditmanager/checks/sra_auditmanager_01.py +58 -0
sraverify/services/auditmanager/checks/sra_auditmanager_02.py +80 -0
sraverify/services/auditmanager/client.py +58 -0
sraverify/services/cloudtrail/__init__.py +33 -0
sraverify/services/cloudtrail/base.py +167 -0
sraverify/services/cloudtrail/checks/__init__.py +1 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_01.py +83 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_02.py +99 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_03.py +94 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_04.py +92 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_05.py +106 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_06.py +93 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_07.py +96 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_08.py +145 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_09.py +167 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_10.py +162 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_11.py +178 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_12.py +77 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_13.py +120 -0
sraverify/services/cloudtrail/client.py +118 -0
sraverify/services/config/__init__.py +25 -0
sraverify/services/config/base.py +249 -0
sraverify/services/config/checks/__init__.py +1 -0
sraverify/services/config/checks/sra_config_01.py +123 -0
sraverify/services/config/checks/sra_config_02.py +156 -0
sraverify/services/config/checks/sra_config_03.py +149 -0
sraverify/services/config/checks/sra_config_04.py +104 -0
sraverify/services/config/checks/sra_config_05.py +104 -0
sraverify/services/config/checks/sra_config_06.py +194 -0
sraverify/services/config/checks/sra_config_07.py +162 -0
sraverify/services/config/checks/sra_config_08.py +185 -0
sraverify/services/config/checks/sra_config_09.py +177 -0
sraverify/services/config/client.py +264 -0
sraverify/services/ec2/__init__.py +8 -0
sraverify/services/ec2/base.py +75 -0
sraverify/services/ec2/checks/__init__.py +1 -0
sraverify/services/ec2/checks/sra_ec2_01.py +83 -0
sraverify/services/ec2/client.py +63 -0
sraverify/services/firewallmanager/__init__.py +23 -0
sraverify/services/firewallmanager/base.py +48 -0
sraverify/services/firewallmanager/checks/__init__.py +1 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_01.py +75 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_02.py +57 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_03.py +51 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_04.py +51 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_05.py +51 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_06.py +51 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_07.py +51 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_08.py +61 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_09.py +61 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_10.py +71 -0
sraverify/services/firewallmanager/client.py +40 -0
sraverify/services/guardduty/__init__.py +58 -0
sraverify/services/guardduty/base.py +207 -0
sraverify/services/guardduty/checks/__init__.py +3 -0
sraverify/services/guardduty/checks/sra_guardduty_01.py +51 -0
sraverify/services/guardduty/checks/sra_guardduty_02.py +80 -0
sraverify/services/guardduty/checks/sra_guardduty_03.py +77 -0
sraverify/services/guardduty/checks/sra_guardduty_04.py +84 -0
sraverify/services/guardduty/checks/sra_guardduty_05.py +84 -0
sraverify/services/guardduty/checks/sra_guardduty_06.py +84 -0
sraverify/services/guardduty/checks/sra_guardduty_07.py +85 -0
sraverify/services/guardduty/checks/sra_guardduty_08.py +83 -0
sraverify/services/guardduty/checks/sra_guardduty_09.py +84 -0
sraverify/services/guardduty/checks/sra_guardduty_10.py +83 -0
sraverify/services/guardduty/checks/sra_guardduty_11.py +93 -0
sraverify/services/guardduty/checks/sra_guardduty_12.py +83 -0
sraverify/services/guardduty/checks/sra_guardduty_13.py +90 -0
sraverify/services/guardduty/checks/sra_guardduty_14.py +136 -0
sraverify/services/guardduty/checks/sra_guardduty_15.py +94 -0
sraverify/services/guardduty/checks/sra_guardduty_16.py +94 -0
sraverify/services/guardduty/checks/sra_guardduty_17.py +91 -0
sraverify/services/guardduty/checks/sra_guardduty_18.py +91 -0
sraverify/services/guardduty/checks/sra_guardduty_19.py +91 -0
sraverify/services/guardduty/checks/sra_guardduty_20.py +111 -0
sraverify/services/guardduty/checks/sra_guardduty_21.py +112 -0
sraverify/services/guardduty/checks/sra_guardduty_22.py +111 -0
sraverify/services/guardduty/checks/sra_guardduty_23.py +154 -0
sraverify/services/guardduty/checks/sra_guardduty_24.py +111 -0
sraverify/services/guardduty/checks/sra_guardduty_25.py +111 -0
sraverify/services/guardduty/client.py +107 -0
sraverify/services/inspector/__init__.py +29 -0
sraverify/services/inspector/base.py +233 -0
sraverify/services/inspector/checks/__init__.py +3 -0
sraverify/services/inspector/checks/sra_inspector_01.py +69 -0
sraverify/services/inspector/checks/sra_inspector_02.py +68 -0
sraverify/services/inspector/checks/sra_inspector_03.py +68 -0
sraverify/services/inspector/checks/sra_inspector_04.py +70 -0
sraverify/services/inspector/checks/sra_inspector_05.py +69 -0
sraverify/services/inspector/checks/sra_inspector_06.py +115 -0
sraverify/services/inspector/checks/sra_inspector_07.py +109 -0
sraverify/services/inspector/checks/sra_inspector_08.py +69 -0
sraverify/services/inspector/checks/sra_inspector_09.py +69 -0
sraverify/services/inspector/checks/sra_inspector_10.py +69 -0
sraverify/services/inspector/checks/sra_inspector_11.py +69 -0
sraverify/services/inspector/client.py +99 -0
sraverify/services/macie/__init__.py +27 -0
sraverify/services/macie/base.py +271 -0
sraverify/services/macie/checks/__init__.py +1 -0
sraverify/services/macie/checks/sra_macie_01.py +100 -0
sraverify/services/macie/checks/sra_macie_02.py +102 -0
sraverify/services/macie/checks/sra_macie_03.py +152 -0
sraverify/services/macie/checks/sra_macie_04.py +120 -0
sraverify/services/macie/checks/sra_macie_05.py +85 -0
sraverify/services/macie/checks/sra_macie_06.py +124 -0
sraverify/services/macie/checks/sra_macie_07.py +138 -0
sraverify/services/macie/checks/sra_macie_08.py +82 -0
sraverify/services/macie/checks/sra_macie_09.py +103 -0
sraverify/services/macie/checks/sra_macie_10.py +81 -0
sraverify/services/macie/client.py +220 -0
sraverify/services/s3/__init__.py +16 -0
sraverify/services/s3/base.py +69 -0
sraverify/services/s3/checks/__init__.py +1 -0
sraverify/services/s3/checks/sra_s3_01.py +89 -0
sraverify/services/s3/checks/sra_s3_02.py +89 -0
sraverify/services/s3/checks/sra_s3_03.py +88 -0
sraverify/services/s3/checks/sra_s3_04.py +88 -0
sraverify/services/s3/client.py +52 -0
sraverify/services/securityhub/__init__.py +27 -0
sraverify/services/securityhub/base.py +349 -0
sraverify/services/securityhub/checks/__init__.py +1 -0
sraverify/services/securityhub/checks/sra_securityhub_01.py +115 -0
sraverify/services/securityhub/checks/sra_securityhub_02.py +114 -0
sraverify/services/securityhub/checks/sra_securityhub_03.py +136 -0
sraverify/services/securityhub/checks/sra_securityhub_04.py +75 -0
sraverify/services/securityhub/checks/sra_securityhub_05.py +102 -0
sraverify/services/securityhub/checks/sra_securityhub_06.py +113 -0
sraverify/services/securityhub/checks/sra_securityhub_07.py +121 -0
sraverify/services/securityhub/checks/sra_securityhub_08.py +113 -0
sraverify/services/securityhub/checks/sra_securityhub_09.py +100 -0
sraverify/services/securityhub/checks/sra_securityhub_10.py +94 -0
sraverify/services/securityhub/checks/sra_securityhub_11.py +73 -0
sraverify/services/securityhub/client.py +249 -0
sraverify/services/securityincidentresponse/__init__.py +13 -0
sraverify/services/securityincidentresponse/base.py +95 -0
sraverify/services/securityincidentresponse/checks/__init__.py +1 -0
sraverify/services/securityincidentresponse/checks/sra_securityincidentresponse_01.py +77 -0
sraverify/services/securityincidentresponse/checks/sra_securityincidentresponse_02.py +72 -0
sraverify/services/securityincidentresponse/checks/sra_securityincidentresponse_03.py +86 -0
sraverify/services/securityincidentresponse/checks/sra_securityincidentresponse_04.py +117 -0
sraverify/services/securityincidentresponse/checks/sra_securityincidentresponse_05.py +55 -0
sraverify/services/securityincidentresponse/client.py +71 -0
sraverify/services/securitylake/__init__.py +39 -0
sraverify/services/securitylake/base.py +461 -0
sraverify/services/securitylake/checks/__init__.py +1 -0
sraverify/services/securitylake/checks/sra_securitylake_01.py +98 -0
sraverify/services/securitylake/checks/sra_securitylake_02.py +133 -0
sraverify/services/securitylake/checks/sra_securitylake_03.py +116 -0
sraverify/services/securitylake/checks/sra_securitylake_04.py +72 -0
sraverify/services/securitylake/checks/sra_securitylake_05.py +116 -0
sraverify/services/securitylake/checks/sra_securitylake_06.py +104 -0
sraverify/services/securitylake/checks/sra_securitylake_07.py +108 -0
sraverify/services/securitylake/checks/sra_securitylake_08.py +107 -0
sraverify/services/securitylake/checks/sra_securitylake_09.py +107 -0
sraverify/services/securitylake/checks/sra_securitylake_10.py +106 -0
sraverify/services/securitylake/checks/sra_securitylake_11.py +109 -0
sraverify/services/securitylake/checks/sra_securitylake_12.py +108 -0
sraverify/services/securitylake/checks/sra_securitylake_13.py +108 -0
sraverify/services/securitylake/checks/sra_securitylake_14.py +72 -0
sraverify/services/securitylake/checks/sra_securitylake_15.py +120 -0
sraverify/services/securitylake/checks/sra_securitylake_16.py +104 -0
sraverify/services/securitylake/checks/sra_securitylake_17.py +103 -0
sraverify/services/securitylake/client.py +247 -0
sraverify/services/shield/__init__.py +33 -0
sraverify/services/shield/base.py +199 -0
sraverify/services/shield/checks/__init__.py +1 -0
sraverify/services/shield/checks/sra_shield_01.py +68 -0
sraverify/services/shield/checks/sra_shield_02.py +77 -0
sraverify/services/shield/checks/sra_shield_03.py +84 -0
sraverify/services/shield/checks/sra_shield_04.py +84 -0
sraverify/services/shield/checks/sra_shield_05.py +84 -0
sraverify/services/shield/checks/sra_shield_06.py +84 -0
sraverify/services/shield/checks/sra_shield_07.py +84 -0
sraverify/services/shield/checks/sra_shield_08.py +69 -0
sraverify/services/shield/checks/sra_shield_09.py +86 -0
sraverify/services/shield/checks/sra_shield_10.py +100 -0
sraverify/services/shield/checks/sra_shield_11.py +71 -0
sraverify/services/shield/checks/sra_shield_12.py +130 -0
sraverify/services/shield/checks/sra_shield_13.py +112 -0
sraverify/services/shield/checks/sra_shield_14.py +111 -0
sraverify/services/shield/client.py +214 -0
sraverify/services/waf/__init__.py +21 -0
sraverify/services/waf/base.py +100 -0
sraverify/services/waf/checks/__init__.py +1 -0
sraverify/services/waf/checks/sra_waf_01.py +63 -0
sraverify/services/waf/checks/sra_waf_02.py +82 -0
sraverify/services/waf/checks/sra_waf_03.py +123 -0
sraverify/services/waf/checks/sra_waf_04.py +94 -0
sraverify/services/waf/checks/sra_waf_05.py +94 -0
sraverify/services/waf/checks/sra_waf_06.py +91 -0
sraverify/services/waf/checks/sra_waf_07.py +94 -0
sraverify/services/waf/checks/sra_waf_08.py +66 -0
sraverify/services/waf/checks/sra_waf_09.py +95 -0
sraverify/services/waf/client.py +109 -0
sraverify/utils/__init__.py +3 -0
sraverify/utils/banner.py +65 -0
sraverify/utils/outputs.py +57 -0
sraverify/utils/progress.py +97 -0
sraverify-0.1.0.dist-info/LICENSE +175 -0
sraverify-0.1.0.dist-info/METADATA +516 -0
sraverify-0.1.0.dist-info/NOTICE +1 -0
sraverify-0.1.0.dist-info/RECORD +261 -0
sraverify-0.1.0.dist-info/WHEEL +5 -0
sraverify-0.1.0.dist-info/entry_points.txt +2 -0
sraverify-0.1.0.dist-info/top_level.txt +1 -0

sraverify/checks/cloudtrail/SRA-CT-1.py ADDED Viewed

@@ -0,0 +1,220 @@
+from typing import Dict, List, Any
+from sraverify.checks import SecurityCheck
+from botocore.exceptions import ClientError
+class SRACT1(SecurityCheck):
+    """SRA-CT-1: Organization CloudTrail Configuration"""
+    def __init__(self, check_type="organization"):
+        super().__init__(check_type=check_type)
+        self.check_id = "SRA-CT-1"
+        self.check_name = "Organization CloudTrail Configuration"
+        self.severity = "HIGH"
+        self.description = ('This check verifies that an organization trail is configured for your AWS Organization. '
+                          'It is important to have uniform logging strategy for your AWS environment. Organization '
+                          'trail logs all events for all AWS accounts in that organization and delivers logs to a '
+                          'single S3 bucket, CloudWatch Logs and Event Bridge. Organization trails are automatically '
+                          'applied to all member accounts in the organization. Member accounts can see the '
+                          'organization trail, but can\'t modify or delete it. Organization trail should be '
+                          'configured for all AWS regions even if you are not operating out of any region.')
+        self.check_logic = ('1. Verify execution from Organization Management account | '  # Step 1: Check account permissions
+                          '2. List CloudTrail trails in current region | '  # Step 2: Get all trails
+                          '3. Check for organization trail with IsOrganizationTrail=true and IsMultiRegionTrail=true | '  # Step 3: Verify organization trail exists
+                          '4. Verify trail configuration (S3 bucket, CloudWatch Logs, EventBridge) | '  # Step 4: Check trail settings
+                          '5. Check passes if organization trail is properly configured')  # Step 5: All checks must pass
+        self.service = 'CloudTrail'
+    def get_findings(self):
+        """Return the findings"""
+        return self.findings
+    def run(self, session):
+        """Run the security check"""
+        try:
+            region = session.region_name
+            account_id = session.client('sts').get_caller_identity()['Account']
+            # Initialize clients
+            org_client = session.client('organizations')
+            cloudtrail_client = session.client('cloudtrail')
+             # Step 1: Verify we're in management account using org_mgmt_checker
+            is_management, error_message = self.org_checker.verify_org_management()
+            if not is_management:
+                finding = {
+                    'CheckId': self.check_id,
+                    'Status': 'ERROR',
+                    'Region': region,
+                    "Severity": self.severity,
+                    'Title': f"{self.check_id} {self.check_name}",
+                    'Description': self.description,
+                    'ResourceId': account_id,
+                    'ResourceType': 'AWS::Organizations::Account',
+                    'AccountId': account_id,
+                    'CheckedValue': 'Management Account Access',
+                    'ActualValue': error_message if error_message else 'Not running from management account',
+                    'Remediation': 'Run this check from the Organization Management Account',
+                    'Service': self.service,
+                    'CheckLogic': self.check_logic,
+                    'CheckType': self.check_type
+                }
+                self.findings.append(finding)
+                return self.findings
+            # Steps 2 & 3: Check for organization trail
+            try:
+                trails = cloudtrail_client.list_trails()['Trails']
+                org_trail = None
+                non_org_trails = []
+                for trail in trails:
+                    trail_info = cloudtrail_client.get_trail(Name=trail['Name'])['Trail']
+                    if (trail_info.get('IsOrganizationTrail', False) and
+                        trail_info.get('IsMultiRegionTrail', False)):
+                        org_trail = trail_info
+                        break
+                    else:
+                        non_org_trails.append(trail['Name'])
+                if not org_trail:
+                    failure_details = []
+                    if not trails:
+                        failure_details.append("No trails found")
+                    if non_org_trails:
+                        failure_details.append(f"Found non-organization trails: {', '.join(non_org_trails)}")
+                    self.findings.append({
+                        'CheckId': self.check_id,
+                        'Status': 'FAIL',
+                        'Region': region,
+                        "Severity": self.severity,
+                        'Title': f"{self.check_id} {self.check_name}",
+                        'Description': self.description,
+                        'ResourceId': account_id,
+                        'ResourceType': 'AWS::CloudTrail::Trail',
+                        'AccountId': account_id,
+                        'CheckedValue': 'Organization Trail Configuration',
+                        'ActualValue': ' | '.join(failure_details) if failure_details else 'No organization-wide trail found',
+                        'Remediation': 'Create an organization trail that logs all regions',
+                        'Service': 'CloudTrail',
+                        'CheckLogic': self.check_logic,
+                        'CheckType': self.check_type
+                    })
+                    return self.findings
+                # Step 4: Verify trail configuration
+                try:
+                    trail_status = cloudtrail_client.get_trail_status(Name=org_trail['Name'])
+                    config_issues = []
+                    if not org_trail.get('CloudWatchLogsLogGroupArn'):
+                        config_issues.append("CloudWatch Logs integration not configured")
+                    if not org_trail.get('S3BucketName'):
+                        config_issues.append("S3 bucket not configured")
+                    if not trail_status.get('IsLogging', False):
+                        config_issues.append("Trail logging is not enabled")
+                    if config_issues:
+                        self.findings.append({
+                            'CheckId': self.check_id,
+                            'Status': 'FAIL',
+                            'Region': region,
+                            "Severity": self.severity,
+                            'Title': f"{self.check_id} {self.check_name}",
+                            'Description': self.description,
+                            'ResourceId': org_trail['TrailARN'],
+                            'ResourceType': 'AWS::CloudTrail::Trail',
+                            'AccountId': account_id,
+                            'CheckedValue': 'Trail Configuration Details',
+                            'ActualValue': f"Configuration issues found: {' | '.join(config_issues)}",
+                            'Remediation': 'Configure CloudWatch Logs, S3 bucket, and enable logging for the organization trail',
+                            'Service': 'CloudTrail',
+                            'CheckLogic': self.check_logic,
+                            'CheckType': self.check_type
+                        })
+                        return self.findings
+                    # All checks passed
+                    self.findings.append({
+                        'CheckId': self.check_id,
+                        'Status': 'PASS',
+                        'Region': region,
+                        "Severity": self.severity,
+                        'Title': f"{self.check_id} {self.check_name}",
+                        'Description': self.description,
+                        'ResourceId': org_trail['TrailARN'],
+                        'ResourceType': 'AWS::CloudTrail::Trail',
+                        'AccountId': account_id,
+                        'CheckedValue': 'Organization Trail Configuration',
+                        'ActualValue': (f"Organization trail: {org_trail['Name']} | "
+                                      f"Multi-region: {org_trail['IsMultiRegionTrail']} | "
+                                      f"Logging Enabled: {trail_status['IsLogging']} | "
+                                      f"S3 Bucket: {org_trail['S3BucketName']} | "
+                                      f"CloudWatch Logs Configured: {'Yes' if org_trail.get('CloudWatchLogsLogGroupArn') else 'No'}"),
+                        'Remediation': 'None required',
+                        'Service': 'CloudTrail',
+                        'CheckLogic': self.check_logic,
+                        'CheckType': self.check_type
+                    })
+                except ClientError as e:
+                    self.findings.append({
+                        'CheckId': self.check_id,
+                        'Status': 'ERROR',
+                        'Region': region,
+                        "Severity": self.severity,
+                        'Title': f"{self.check_id} {self.check_name}",
+                        'Description': self.description,
+                        'ResourceId': org_trail['TrailARN'],
+                        'ResourceType': 'AWS::CloudTrail::Trail',
+                        'AccountId': account_id,
+                        'CheckedValue': 'Trail Status',
+                        'ActualValue': f'Error checking trail status: {str(e)} | Error Code: {e.response["Error"]["Code"]}',
+                        'Remediation': 'Verify CloudTrail permissions and trail configuration',
+                        'Service': 'CloudTrail',
+                        'CheckLogic': self.check_logic,
+                        'CheckType': self.check_type
+                    })
+            except ClientError as e:
+                self.findings.append({
+                    'CheckId': self.check_id,
+                    'Status': 'ERROR',
+                    'Region': region,
+                    "Severity": self.severity,
+                    'Title': f"{self.check_id} {self.check_name}",
+                    'Description': self.description,
+                    'ResourceId': account_id,
+                    'ResourceType': 'AWS::CloudTrail::Trail',
+                    'AccountId': account_id,
+                    'CheckedValue': 'CloudTrail Access',
+                    'ActualValue': f'Error accessing CloudTrail: {str(e)} | Error Code: {e.response["Error"]["Code"]}',
+                    'Remediation': 'Verify CloudTrail permissions and service availability',
+                    'Service': 'CloudTrail',
+                    'CheckLogic': self.check_logic,
+                    'CheckType': self.check_type
+                })
+        except Exception as e:
+            self.findings.append({
+                'CheckId': self.check_id,
+                'Status': 'ERROR',
+                'Region': region,
+                "Severity": self.severity,
+                'Title': f"{self.check_id} {self.check_name}",
+                'Description': self.description,
+                'ResourceId': account_id,
+                'ResourceType': 'AWS::CloudTrail::Trail',
+                'AccountId': account_id,
+                'CheckedValue': 'Check Execution',
+                'ActualValue': f'Unexpected error during check execution: {str(e)}',
+                'Remediation': 'Review error logs and verify AWS credentials and permissions',
+                'Service': 'CloudTrail',
+                'CheckLogic': self.check_logic,
+                'CheckType': self.check_type
+            })
+        return self.findings

sraverify/checks/cloudtrail/SRA-CT-10.py ADDED Viewed

@@ -0,0 +1,229 @@
+from typing import Dict, List, Any
+from sraverify.checks import SecurityCheck
+from botocore.exceptions import ClientError
+import logging
+from datetime import datetime, timezone
+class SRACT10(SecurityCheck):
+    """SRA-CT-10: Organization Trail Log File Validation Status"""
+    def __init__(self, check_type="organization"):
+        """Initialize the check with organization type"""
+        super().__init__(check_type=check_type)
+        self.check_id = "SRA-CT-10"
+        self.check_name = "Organization trail is configured to deliver Log file validation digest files to destination bucket"
+        self.description = ('This check verifies that log file validation digest files are being successfully delivered to a S3 bucket. '
+                          'Log file validation helps ensure the integrity and authenticity of CloudTrail logs by creating digitally '
+                          'signed digest files containing hashes of log files.')
+        self.service = "CloudTrail"
+        self.severity = "HIGH"
+        self.check_type = check_type
+        self.check_logic = ('1. Verify execution from Organization Management Account | '
+                          '2. List CloudTrail trails in current region | '
+                          '3. Check for organization trail with IsOrganizationTrail=true | '
+                          '4. Verify log file validation configuration and successful delivery by checking: '
+                          'a) EnableLogFileValidation is true, b) S3 bucket is configured, '
+                          'c) No digest delivery errors exist, d) Latest digest delivery was successful within 24 hours')
+        self.logger = logging.getLogger(self.__class__.__name__)
+        self.findings = []
+    def get_findings(self) -> List[Dict[str, Any]]:
+        """Return the findings"""
+        return self.findings
+    def check_digest_delivery_status(self, cloudtrail_client, trail_name: str) -> tuple:
+        """Check digest file delivery status and return status details"""
+        try:
+            status = cloudtrail_client.get_trail_status(Name=trail_name)
+            latest_delivery_time = status.get('LatestDigestDeliveryTime')
+            latest_delivery_error = status.get('LatestDigestDeliveryError', '')
+            is_logging = status.get('IsLogging', False)
+             # Step 1: Verify we're in management account using org_mgmt_checker
+            is_management, error_message = self.org_checker.verify_org_management()
+            if not is_management:
+                finding = {
+                    'CheckId': self.check_id,
+                    'Status': 'ERROR',
+                    'Region': region,
+                    "Severity": self.severity,
+                    'Title': f"{self.check_id} {self.check_name}",
+                    'Description': self.description,
+                    'ResourceId': account_id,
+                    'ResourceType': 'AWS::Organizations::Account',
+                    'AccountId': account_id,
+                    'CheckedValue': 'Management Account Access',
+                    'ActualValue': error_message if error_message else 'Not running from management account',
+                    'Remediation': 'Run this check from the Organization Management Account',
+                    'Service': self.service,
+                    'CheckLogic': self.check_logic,
+                    'CheckType': self.check_type
+                }
+                self.findings.append(finding)
+                return self.findings
+            # Check if delivery is recent (within 24 hours)
+            current_time = datetime.now(timezone.utc)
+            is_recent = False
+            if latest_delivery_time:
+                time_difference = current_time - latest_delivery_time
+                is_recent = time_difference.total_seconds() < 86400  # 24 hours
+            return is_logging, is_recent, latest_delivery_error
+        except ClientError as e:
+            self.logger.error(f"Error getting trail status for {trail_name}: {str(e)}")
+            return False, False, str(e)
+    def run(self, session) -> None:
+        """Run the security check"""
+        try:
+            # Get account information
+            sts_client = session.client('sts')
+            account_id = sts_client.get_caller_identity()['Account']
+            region = session.region_name
+            self.logger.debug(f"Running check for account: {account_id} in region: {region}")
+            # Initialize CloudTrail client
+            cloudtrail_client = session.client('cloudtrail')
+            try:
+                # List trails and find organization trails
+                trails = cloudtrail_client.describe_trails(includeShadowTrails=True)
+                org_trails = [t for t in trails['trailList'] if t.get('IsOrganizationTrail')]
+                self.logger.debug(f"Found {len(org_trails)} organization trails")
+                if not org_trails:
+                    self.findings.append({
+                        "CheckId": self.check_id,
+                        "Status": "FAIL",
+                        "Region": region,
+                        "Severity": self.severity,
+                        "Title": f"{self.check_id} {self.check_name}",
+                        "Description": self.description,
+                        "ResourceId": "organization-trail",
+                        "ResourceType": "AWS::CloudTrail::Trail",
+                        "AccountId": account_id,
+                        "CheckedValue": "Organization Trail Configuration",
+                        "ActualValue": "No organization trail found",
+                        "Remediation": "Create an organization trail with log file validation enabled",
+                        "Service": self.service,
+                        "CheckLogic": self.check_logic,
+                        "CheckType": self.check_type
+                    })
+                    return
+                # Check each organization trail for log file validation and digest delivery
+                valid_trail = None
+                for trail in org_trails:
+                    trail_name = trail['Name']
+                    log_validation_enabled = trail.get('LogFileValidationEnabled', False)
+                    s3_bucket = trail.get('S3BucketName')
+                    # Skip if log validation is not enabled or S3 bucket is not configured
+                    if not (log_validation_enabled and s3_bucket):
+                        continue
+                    is_logging, is_recent, delivery_error = self.check_digest_delivery_status(cloudtrail_client, trail_name)
+                    if is_logging and is_recent and not delivery_error:
+                        valid_trail = trail
+                        self.logger.debug(f"Found valid trail with successful digest delivery: {trail_name}")
+                        break
+                # Create finding based on log validation and digest delivery status
+                if valid_trail:
+                    self.findings.append({
+                        "CheckId": self.check_id,
+                        "Status": "PASS",
+                        "Region": region,
+                        "Severity": self.severity,
+                        "Title": f"{self.check_id} {self.check_name}",
+                        "Description": self.description,
+                        "ResourceId": valid_trail['TrailARN'],
+                        "ResourceType": "AWS::CloudTrail::Trail",
+                        "AccountId": account_id,
+                        "CheckedValue": "Log File Validation Status",
+                        "ActualValue": f"Organization trail {valid_trail['Name']} is successfully delivering digest files to S3 bucket {valid_trail['S3BucketName']}",
+                        "Remediation": "None required",
+                        "Service": self.service,
+                        "CheckLogic": self.check_logic,
+                        "CheckType": self.check_type
+                    })
+                else:
+                    actual_value = "No organization trail found with successful recent digest file delivery"
+                    remediation = "Verify log file validation configuration and S3 permissions"
+                    if org_trails:
+                        trail = org_trails[0]
+                        if not trail.get('LogFileValidationEnabled'):
+                            actual_value = f"Trail {trail['Name']} does not have log file validation enabled"
+                            remediation = "Enable log file validation for the organization trail"
+                        elif not trail.get('S3BucketName'):
+                            actual_value = f"Trail {trail['Name']} has no S3 bucket configured"
+                            remediation = "Configure S3 bucket for the organization trail"
+                        elif delivery_error:
+                            actual_value = f"Trail {trail['Name']} has digest delivery error: {delivery_error}"
+                            remediation = "Resolve digest delivery errors (check S3 bucket permissions)"
+                        elif not is_recent:
+                            actual_value = f"Trail {trail['Name']} has no recent digest file delivery"
+                            remediation = "Verify trail logging is enabled and check CloudWatch logs for errors"
+                    self.findings.append({
+                        "CheckId": self.check_id,
+                        "Status": "FAIL",
+                        "Region": region,
+                        "Severity": self.severity,
+                        "Title": f"{self.check_id} {self.check_name}",
+                        "Description": self.description,
+                        "ResourceId": (valid_trail or org_trails[0])['TrailARN'],
+                        "ResourceType": "AWS::CloudTrail::Trail",
+                        "AccountId": account_id,
+                        "CheckedValue": "Log File Validation Status",
+                        "ActualValue": actual_value,
+                        "Remediation": remediation,
+                        "Service": self.service,
+                        "CheckLogic": self.check_logic,
+                        "CheckType": self.check_type
+                    })
+            except ClientError as e:
+                self.logger.error(f"Error accessing CloudTrail: {str(e)}")
+                self.findings.append({
+                    "CheckId": self.check_id,
+                    "Status": "ERROR",
+                    "Region": region,
+                    "Severity": self.severity,
+                    "Title": f"{self.check_id} {self.check_name}",
+                    "Description": self.description,
+                    "ResourceId": "cloudtrail",
+                    "ResourceType": "AWS::CloudTrail::Trail",
+                    "AccountId": account_id,
+                    "CheckedValue": "CloudTrail API Access",
+                    "ActualValue": f"Error accessing CloudTrail: {str(e)}",
+                    "Remediation": "Verify CloudTrail permissions",
+                    "Service": self.service,
+                    "CheckLogic": self.check_logic,
+                    "CheckType": self.check_type
+                })
+        except Exception as e:
+            self.logger.error(f"Unexpected error in check: {str(e)}")
+            self.findings.append({
+                "CheckId": self.check_id,
+                "Status": "ERROR",
+                "Region": region if 'region' in locals() else session.region_name,
+                "Severity": self.severity,
+                "Title": f"{self.check_id} {self.check_name}",
+                "Description": self.description,
+                "ResourceId": "check-execution",
+                "ResourceType": "AWS::CloudTrail::Trail",
+                "AccountId": account_id if 'account_id' in locals() else "unknown",
+                "CheckedValue": "Check Execution",
+                "ActualValue": f"Unexpected error: {str(e)}",
+                "Remediation": "Contact support team",
+                "Service": self.service,
+                "CheckLogic": self.check_logic,
+                "CheckType": self.check_type
+            })