sraverify 0.1.0__py3-none-any.whl

sraverify/services/s3/checks/sra_s3_04.py

@@ -0,0 +1,88 @@
+"""
+SRA-S3-04: S3 block public policy is enabled.
+"""
+from typing import List, Dict, Any
+from sraverify.services.s3.base import S3Check
+from sraverify.core.logging import logger
+
+
+class SRA_S3_04(S3Check):
+    """Check if S3 block public policy is enabled for the account."""
+    
+    def __init__(self):
+        """Initialize the check."""
+        super().__init__()
+        self.check_id = "SRA-S3-04"
+        self.check_name = "S3 block public policy is enabled"
+        self.account_type = "application"
+        self.severity = "HIGH"
+        self.description = (
+            "This check verifies whether S3 should block public bucket policies for buckets. "
+            "Setting this causes Amazon S3 to reject calls that attaches a public access bucket policy to a S3 bucket."
+        )
+        self.check_logic = (
+            "Check if BlockPublicPolicy is set to true in the account's public access block configuration."
+        )
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []
+        
+        # Get public access block configuration using the base class method
+        # This will use the cache if available or make API calls if needed
+        public_access_config = self.get_public_access()
+        
+        # Check if the configuration exists and BlockPublicPolicy is enabled
+        if not public_access_config:
+            findings.append(
+                self.create_finding(
+                    status="FAIL",
+                    region="global",  # S3 public access block is a global setting
+                    resource_id=self.account_id,
+                    checked_value="BlockPublicPolicy: true",
+                    actual_value="No public access block configuration found",
+                    remediation=(
+                        "Enable S3 Block Public Access at the account level using the AWS CLI command: "
+                        f"aws s3control put-public-access-block --account-id {self.account_id} "
+                        "--public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,"
+                        "BlockPublicPolicy=true,RestrictPublicBuckets=true"
+                    )
+                )
+            )
+            return findings
+        
+        block_public_policy = public_access_config.get('BlockPublicPolicy', False)
+        
+        if block_public_policy:
+            findings.append(
+                self.create_finding(
+                    status="PASS",
+                    region="global",  # S3 public access block is a global setting
+                    resource_id=self.account_id,
+                    checked_value="BlockPublicPolicy: true",
+                    actual_value="BlockPublicPolicy setting is true",
+                    remediation="No remediation needed"
+                )
+            )
+        else:
+            findings.append(
+                self.create_finding(
+                    status="FAIL",
+                    region="global",  # S3 public access block is a global setting
+                    resource_id=self.account_id,
+                    checked_value="BlockPublicPolicy: true",
+                    actual_value="BlockPublicPolicy setting is false",
+                    remediation=(
+                        "Enable S3 Block Public Policy at the account level using the AWS CLI command: "
+                        f"aws s3control put-public-access-block --account-id {self.account_id} "
+                        "--public-access-block-configuration BlockPublicPolicy=true"
+                    )
+                )
+            )
+        
+        return findings

sraverify/services/s3/client.py

@@ -0,0 +1,52 @@
+"""
+S3 client for interacting with AWS S3 service.
+"""
+from typing import Dict, List, Optional, Any
+import boto3
+from botocore.exceptions import ClientError
+from sraverify.core.logging import logger
+
+
+class S3Client:
+    """Client for interacting with AWS S3 service."""
+    
+    def __init__(self, region: str, session: Optional[boto3.Session] = None):
+        """
+        Initialize S3 client for a specific region.
+        
+        Args:
+            region: AWS region name
+            session: AWS session to use (if None, a new session will be created)
+        """
+        self.region = region
+        self.session = session or boto3.Session()
+        self.client = self.session.client('s3', region_name=region)
+        self.s3control_client = self.session.client('s3control', region_name=region)
+        
+    def get_public_access_block(self, account_id: str) -> Dict[str, Any]:
+        """
+        Get the public access block configuration for an account.
+        
+        Args:
+            account_id: AWS account ID
+            
+        Returns:
+            Public access block configuration
+        """
+        try:
+            logger.debug(f"Getting public access block configuration for account {account_id} in {self.region}")
+            response = self.s3control_client.get_public_access_block(
+                AccountId=account_id
+            )
+            return response.get('PublicAccessBlockConfiguration', {})
+        except ClientError as e:
+            if 'NoSuchPublicAccessBlockConfiguration' in str(e):
+                # Silently handle the case where no configuration exists
+                # This is a common case and not an error condition
+                logger.debug(f"No public access block configuration found for account {account_id} in {self.region}")
+                return {}
+            logger.error(f"Error getting public access block configuration for account {account_id} in {self.region}: {e}")
+            return {}
+        except Exception as e:
+            logger.error(f"Unexpected error getting public access block configuration for account {account_id} in {self.region}: {e}")
+            return {}

sraverify/services/securityhub/__init__.py

@@ -0,0 +1,27 @@
+"""SecurityHub service checks."""
+
+from sraverify.services.securityhub.checks.sra_securityhub_01 import SRA_SECURITYHUB_01
+from sraverify.services.securityhub.checks.sra_securityhub_02 import SRA_SECURITYHUB_02
+from sraverify.services.securityhub.checks.sra_securityhub_03 import SRA_SECURITYHUB_03
+from sraverify.services.securityhub.checks.sra_securityhub_04 import SRA_SECURITYHUB_04
+from sraverify.services.securityhub.checks.sra_securityhub_05 import SRA_SECURITYHUB_05
+from sraverify.services.securityhub.checks.sra_securityhub_06 import SRA_SECURITYHUB_06
+from sraverify.services.securityhub.checks.sra_securityhub_07 import SRA_SECURITYHUB_07
+from sraverify.services.securityhub.checks.sra_securityhub_08 import SRA_SECURITYHUB_08
+from sraverify.services.securityhub.checks.sra_securityhub_09 import SRA_SECURITYHUB_09
+from sraverify.services.securityhub.checks.sra_securityhub_10 import SRA_SECURITYHUB_10
+from sraverify.services.securityhub.checks.sra_securityhub_11 import SRA_SECURITYHUB_11
+
+CHECKS = {
+    "SRA-SECURITYHUB-01": SRA_SECURITYHUB_01,
+    "SRA-SECURITYHUB-02": SRA_SECURITYHUB_02,
+    "SRA-SECURITYHUB-03": SRA_SECURITYHUB_03,
+    "SRA-SECURITYHUB-04": SRA_SECURITYHUB_04,
+    "SRA-SECURITYHUB-05": SRA_SECURITYHUB_05,
+    "SRA-SECURITYHUB-06": SRA_SECURITYHUB_06,
+    "SRA-SECURITYHUB-07": SRA_SECURITYHUB_07,
+    "SRA-SECURITYHUB-08": SRA_SECURITYHUB_08,
+    "SRA-SECURITYHUB-09": SRA_SECURITYHUB_09,
+    "SRA-SECURITYHUB-10": SRA_SECURITYHUB_10,
+    "SRA-SECURITYHUB-11": SRA_SECURITYHUB_11,
+}

sraverify/services/securityhub/base.py

@@ -0,0 +1,349 @@
+"""
+Base class for SecurityHub security checks.
+"""
+from typing import List, Optional, Dict, Any
+from sraverify.core.check import SecurityCheck
+from sraverify.services.securityhub.client import SecurityHubClient
+from sraverify.core.logging import logger
+
+
+class SecurityHubCheck(SecurityCheck):
+    """Base class for all SecurityHub security checks."""
+    
+    # Class-level caches shared across all instances
+    _enabled_standards_cache = {}
+    _admin_account_cache = {}
+    _organization_configuration_cache = {}
+    _product_integrations_cache = {}
+    _delegated_admin_cache = {}
+    _organization_accounts_cache = {}
+    _securityhub_members_cache = {}
+    
+    def __init__(self):
+        """Initialize SecurityHub base check."""
+        super().__init__(
+            account_type="audit",  # Default to audit, can be overridden in child classes
+            service="SecurityHub",
+            resource_type="AWS::SecurityHub::Hub"
+        )
+    
+    def _setup_clients(self):
+        """Set up SecurityHub clients for each region."""
+        # Clear existing clients
+        self._clients.clear()
+        # Set up new clients only if regions are initialized
+        if hasattr(self, 'regions') and self.regions:
+            for region in self.regions:
+                self._clients[region] = SecurityHubClient(region, session=self.session)
+    
+    def get_client(self, region: str) -> Optional[SecurityHubClient]:
+        """
+        Get SecurityHub client for a specific region.
+        
+        Args:
+            region: AWS region name
+            
+        Returns:
+            SecurityHubClient for the region or None if not available
+        """
+        return self._clients.get(region)
+    
+    def get_enabled_standards(self, region: str) -> List[Dict[str, Any]]:
+        """
+        Get enabled Security Hub standards for a region with caching.
+        
+        Args:
+            region: AWS region name
+            
+        Returns:
+            List of enabled standards or None if Security Hub is not enabled
+        """
+        account_id = self.account_id
+        if not account_id:
+            logger.warning("Could not determine account ID")
+            return []
+        
+        # Check cache first
+        cache_key = f"{account_id}:{region}"
+        if cache_key in self.__class__._enabled_standards_cache:
+            logger.debug(f"Using cached enabled standards for {cache_key}")
+            return self.__class__._enabled_standards_cache[cache_key]
+        
+        client = self.get_client(region)
+        if not client:
+            logger.warning(f"No SecurityHub client available for region {region}")
+            return []
+        
+        try:
+            # Get enabled standards from client
+            standards = client.get_enabled_standards()
+            
+            # If standards is None (Security Hub not enabled), don't try to cache it
+            if standards is None:
+                logger.debug(f"Security Hub is not enabled in region {region}")
+                return None
+            
+            # Cache the results
+            self.__class__._enabled_standards_cache[cache_key] = standards
+            logger.debug(f"Cached {len(standards)} enabled standards for {cache_key}")
+            
+            return standards
+        except Exception as e:
+            # Check if this is the "not subscribed to AWS Security Hub" error
+            if hasattr(e, 'response') and isinstance(e.response, dict):
+                error = e.response.get('Error', {})
+                if error.get('Code') == 'InvalidAccessException' and 'not subscribed to AWS Security Hub' in error.get('Message', ''):
+                    # Return None specifically for this error to indicate Security Hub is not enabled
+                    # Don't log this as an error since it's an expected condition we want to check for
+                    logger.debug(f"Security Hub is not enabled in region {region}")
+                    return None
+            
+            # For other errors, log a warning instead of an error to avoid cluttering the build logs
+            logger.warning(f"Error getting enabled standards in {region}: {e}")
+            return []
+    
+    def get_administrator_account(self, region: str) -> Dict[str, Any]:
+        """
+        Get Security Hub administrator account with caching.
+        
+        Args:
+            region: AWS region name
+            
+        Returns:
+            Administrator account information
+        """
+        account_id = self.account_id
+        if not account_id:
+            logger.warning("Could not determine account ID")
+            return {}
+        
+        # Check cache first
+        cache_key = f"{account_id}:{region}"
+        if cache_key in self.__class__._admin_account_cache:
+            logger.debug(f"Using cached administrator account for {cache_key}")
+            return self.__class__._admin_account_cache[cache_key]
+        
+        client = self.get_client(region)
+        if not client:
+            logger.warning(f"No SecurityHub client available for region {region}")
+            return {}
+        
+        # Get administrator account from client
+        admin_account = client.get_administrator_account()
+        
+        # Cache the results
+        self.__class__._admin_account_cache[cache_key] = admin_account
+        logger.debug(f"Cached administrator account for {cache_key}")
+        
+        return admin_account
+    
+    def get_organization_configuration(self, region: str) -> Dict[str, Any]:
+        """
+        Get Security Hub organization configuration with caching.
+        
+        Args:
+            region: AWS region name
+            
+        Returns:
+            Organization configuration
+        """
+        account_id = self.account_id
+        if not account_id:
+            logger.warning("Could not determine account ID")
+            return {}
+        
+        # Check cache first
+        cache_key = f"{account_id}:{region}"
+        if cache_key in self.__class__._organization_configuration_cache:
+            logger.debug(f"Using cached organization configuration for {cache_key}")
+            return self.__class__._organization_configuration_cache[cache_key]
+        
+        client = self.get_client(region)
+        if not client:
+            logger.warning(f"No SecurityHub client available for region {region}")
+            return {}
+        
+        # Get organization configuration from client
+        org_config = client.describe_organization_configuration()
+        
+        # Cache the results
+        self.__class__._organization_configuration_cache[cache_key] = org_config
+        logger.debug(f"Cached organization configuration for {cache_key}")
+        
+        return org_config
+    
+    def get_enabled_products_for_import(self, region: str) -> Optional[List[str]]:
+        """
+        Get enabled products for import with caching.
+        
+        Args:
+            region: AWS region name
+            
+        Returns:
+            List of enabled product ARNs, or None if Security Hub is not enabled
+        """
+        account_id = self.account_id
+        if not account_id:
+            logger.warning("Could not determine account ID")
+            return []
+        
+        # Check cache first
+        cache_key = f"{account_id}:{region}"
+        if cache_key in self.__class__._product_integrations_cache:
+            logger.debug(f"Using cached product integrations for {cache_key}")
+            return self.__class__._product_integrations_cache[cache_key]
+        
+        client = self.get_client(region)
+        if not client:
+            logger.warning(f"No SecurityHub client available for region {region}")
+            return []
+        
+        # Get enabled products from client
+        products = client.list_enabled_products_for_import()
+        
+        # Only cache if we got a valid response (not None)
+        if products is not None:
+            self.__class__._product_integrations_cache[cache_key] = products
+            logger.debug(f"Cached {len(products)} product integrations for {cache_key}")
+        
+        return products
+    
+    def get_delegated_administrators(self, region: str) -> List[Dict[str, Any]]:
+        """
+        Get SecurityHub delegated administrators with caching.
+        
+        Args:
+            region: AWS region name
+            
+        Returns:
+            List of delegated administrators
+        """
+        account_id = self.account_id
+        if not account_id:
+            logger.warning("Could not determine account ID")
+            return []
+        
+        # Check cache first
+        cache_key = f"{account_id}:{region}"
+        if cache_key in self.__class__._delegated_admin_cache:
+            logger.debug(f"Using cached delegated administrators for {cache_key}")
+            return self.__class__._delegated_admin_cache[cache_key]
+        
+        client = self.get_client(region)
+        if not client:
+            logger.warning(f"No SecurityHub client available for region {region}")
+            return []
+        
+        # Get delegated administrators from client
+        delegated_admins = client.list_delegated_administrators()
+        
+        # Cache the results
+        self.__class__._delegated_admin_cache[cache_key] = delegated_admins
+        logger.debug(f"Cached {len(delegated_admins)} delegated administrators for {cache_key}")
+        
+        return delegated_admins
+    
+    def get_organization_admin_accounts(self, region: str) -> List[Dict[str, Any]]:
+        """
+        Get Security Hub organization admin accounts with caching.
+        
+        Args:
+            region: AWS region name
+            
+        Returns:
+            List of organization admin accounts
+        """
+        account_id = self.account_id
+        if not account_id:
+            logger.warning("Could not determine account ID")
+            return []
+        
+        # Check cache first
+        cache_key = f"{account_id}:{region}"
+        if cache_key in self.__class__._admin_account_cache:
+            logger.debug(f"Using cached organization admin accounts for {cache_key}")
+            return self.__class__._admin_account_cache[cache_key]
+        
+        client = self.get_client(region)
+        if not client:
+            logger.warning(f"No SecurityHub client available for region {region}")
+            return []
+        
+        # Get organization admin accounts from client
+        admin_accounts = client.list_organization_admin_accounts()
+        
+        # Cache the results
+        self.__class__._admin_account_cache[cache_key] = admin_accounts
+        logger.debug(f"Cached {len(admin_accounts)} organization admin accounts for {cache_key}")
+        
+        return admin_accounts
+    
+    def get_organization_accounts(self, region: str) -> List[Dict[str, Any]]:
+        """
+        Get all organization accounts with caching.
+        
+        Args:
+            region: AWS region name
+            
+        Returns:
+            List of organization accounts
+        """
+        account_id = self.account_id
+        if not account_id:
+            logger.warning("Could not determine account ID")
+            return []
+        
+        # Check cache first
+        cache_key = f"{account_id}:{region}"
+        if cache_key in self.__class__._organization_accounts_cache:
+            logger.debug(f"Using cached organization accounts for {cache_key}")
+            return self.__class__._organization_accounts_cache[cache_key]
+        
+        client = self.get_client(region)
+        if not client:
+            logger.warning(f"No SecurityHub client available for region {region}")
+            return []
+        
+        # Get organization accounts from client
+        accounts = client.list_organization_accounts()
+        
+        # Cache the results
+        self.__class__._organization_accounts_cache[cache_key] = accounts
+        logger.debug(f"Cached {len(accounts)} organization accounts for {cache_key}")
+        
+        return accounts
+    
+    def get_security_hub_members(self, region: str) -> List[Dict[str, Any]]:
+        """
+        Get Security Hub member accounts with caching.
+        
+        Args:
+            region: AWS region name
+            
+        Returns:
+            List of Security Hub member accounts
+        """
+        account_id = self.account_id
+        if not account_id:
+            logger.warning("Could not determine account ID")
+            return []
+        
+        # Check cache first
+        cache_key = f"{account_id}:{region}"
+        if cache_key in self.__class__._securityhub_members_cache:
+            logger.debug(f"Using cached Security Hub members for {cache_key}")
+            return self.__class__._securityhub_members_cache[cache_key]
+        
+        client = self.get_client(region)
+        if not client:
+            logger.warning(f"No SecurityHub client available for region {region}")
+            return []
+        
+        # Get Security Hub members from client
+        members = client.list_members()
+        
+        # Cache the results
+        self.__class__._securityhub_members_cache[cache_key] = members
+        logger.debug(f"Cached {len(members)} Security Hub members for {cache_key}")
+        
+        return members

sraverify/services/securityhub/checks/__init__.py

@@ -0,0 +1 @@
+"""SecurityHub checks."""

sraverify/services/securityhub/checks/sra_securityhub_01.py

@@ -0,0 +1,115 @@
+"""
+SRA-SECURITYHUB-01: Security Hub check.
+"""
+from typing import List, Dict, Any
+from sraverify.services.securityhub.base import SecurityHubCheck
+from sraverify.core.logging import logger
+
+
+class SRA_SECURITYHUB_01(SecurityHubCheck):
+    """Check if Security Hub enabled account level standards exist."""
+    
+    def __init__(self):
+        """Initialize the check."""
+        super().__init__()
+        self.check_id = "SRA-SECURITYHUB-01"
+        self.check_name = "Security Hub enabled account level standards exist"
+        self.account_type = "application"  # This check is for application accounts
+        self.severity = "HIGH"
+        self.description = (
+            "This check verifies whether a list of enabled Security Hub standards for the current AWS account exists."
+        )
+        self.check_logic = (
+            "Check evaluates if there are any standards enabled in the AWS account and AWS region. "
+            "Check PASS if there are any standards enabled."
+        )
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []
+        
+        # If no regions have Security Hub available, return a single failure
+        if not self._clients:
+            findings.append(
+                self.create_finding(
+                    status="FAIL",
+                    region="global",
+                    resource_id="securityhub:global",
+                    checked_value="Security Hub is enabled",
+                    actual_value="Security Hub not available in any region",
+                    remediation="Enable Security Hub in at least one region"
+                )
+            )
+            return findings
+        
+        # Check each region where Security Hub is available
+        for region in self.regions:
+            # Get enabled standards for the current account in this region
+            enabled_standards = self.get_enabled_standards(region)
+            
+            # If None is returned, Security Hub is not enabled
+            if enabled_standards is None:
+                findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=f"securityhub:service/{self.account_id}",
+                        checked_value="Security Hub is enabled",
+                        actual_value=f"Security Hub is not enabled in region {region}",
+                        remediation=(
+                            "Enable Security Hub in this region. In the AWS console, navigate to Security Hub and enable the service. "
+                            "Alternatively, use the AWS CLI command: "
+                            f"aws securityhub enable-security-hub --region {region}"
+                        )
+                    )
+                )
+                continue
+            
+            # Extract standard names for better reporting
+            standard_names = []
+            for standard in enabled_standards:
+                standard_arn = standard.get('StandardsArn', '')
+                # Extract the standard name from the ARN
+                if '/standards/' in standard_arn:
+                    standard_name = standard_arn.split('/standards/')[1]
+                    standard_names.append(standard_name)
+                else:
+                    standard_names.append(standard_arn)
+            
+            # Format the list of standards for reporting
+            standards_list = ', '.join(standard_names) if standard_names else "None"
+            
+            if not enabled_standards:
+                findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=f"securityhub:standards/{self.account_id}",
+                        checked_value="Security Hub standards are enabled",
+                        actual_value=f"Account {self.account_id} region {region} has no Security Hub standards enabled",
+                        remediation=(
+                            "Enable Security Hub standards for this account. In the Security Hub console, "
+                            "navigate to Settings > Standards and enable the required standards. "
+                            "Alternatively, use the AWS CLI command: "
+                            f"aws securityhub batch-enable-standards --standards-subscription-requests 'StandardsArn=arn:aws:securityhub:{region}::standards/aws-foundational-security-best-practices/v/1.0.0' --region {region}"
+                        )
+                    )
+                )
+            else:
+                findings.append(
+                    self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=f"securityhub:standards/{self.account_id}",
+                        checked_value="Security Hub standards are enabled",
+                        actual_value=f"Account {self.account_id} region {region} has the following standards enabled: {standards_list}",
+                        remediation="No remediation needed"
+                    )
+                )
+        
+        return findings