sraverify 0.1.0__py3-none-any.whl

sraverify/services/securityhub/checks/sra_securityhub_08.py

@@ -0,0 +1,113 @@
+"""
+SRA-SECURITYHUB-08: Security Hub check.
+"""
+from typing import List, Dict, Any, Set
+from sraverify.services.securityhub.base import SecurityHubCheck
+from sraverify.core.logging import logger
+
+
+class SRA_SECURITYHUB_08(SecurityHubCheck):
+    """Check if all active organization accounts are Security Hub members."""
+    
+    def __init__(self):
+        """Initialize the check."""
+        super().__init__()
+        self.check_id = "SRA-SECURITYHUB-08"
+        self.check_name = "All active organization accounts are Security Hub members"
+        self.account_type = "audit"  # This check is for the audit account
+        self.severity = "HIGH"
+        self.description = (
+            "This check verifies whether all active members accounts of the AWS Organization are Security Hub members. "
+            "Security Hub provides comprehensive security state and should include all AWS accounts."
+        )
+        self.check_logic = (
+            "Compare the outputs of organizations list-accounts and securityhub list-members. "
+            "Make sure that the list includes all accounts, excluding the Security Hub admin (audit account) "
+            "which is not considered a member."
+        )
+        self._audit_accounts = []  # Will be populated from command line args
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []
+        
+        # Check each region separately
+        for region in self.regions:
+            # Get all organization accounts
+            org_accounts = self.get_organization_accounts(region)
+            
+            # Get Security Hub members
+            securityhub_members = self.get_security_hub_members(region)
+            
+            resource_id = f"securityhub:members/{self.account_id}/{region}"
+            
+            # Create sets of account IDs for comparison
+            active_org_account_ids = set()
+            for account in org_accounts:
+                if account.get('Status') == 'ACTIVE':
+                    active_org_account_ids.add(account.get('Id'))
+            
+            securityhub_member_ids = set()
+            for member in securityhub_members:
+                securityhub_member_ids.add(member.get('AccountId'))
+            
+            # Determine the audit account ID
+            audit_account_id = None
+            if self._audit_accounts:
+                audit_account_id = self._audit_accounts[0]
+            else:
+                # If no audit account is provided, assume the current account is the audit account
+                audit_account_id = self.account_id
+            
+            # Remove the audit account from the list of active organization accounts
+            # since the audit account is the Security Hub admin and not a member
+            if audit_account_id in active_org_account_ids:
+                active_org_account_ids.remove(audit_account_id)
+            
+            # Find accounts that should be Security Hub members but aren't
+            missing_accounts = active_org_account_ids - securityhub_member_ids
+            
+            if missing_accounts:
+                missing_accounts_list = ', '.join(missing_accounts)
+                findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=resource_id,
+                        checked_value="All active organization accounts are Security Hub members",
+                        actual_value=(
+                            f"The following active organization accounts are not Security Hub members in region {region}: "
+                            f"{missing_accounts_list}. "
+                            f"Active organization accounts: {len(active_org_account_ids)}, "
+                            f"Security Hub members: {len(securityhub_member_ids)}"
+                        ),
+                        remediation=(
+                            f"Add the missing accounts as Security Hub members in region {region}. "
+                            f"In the AWS Console, navigate to Security Hub in the audit account, go to Settings > Accounts, "
+                            f"and add the missing accounts. Alternatively, use the AWS CLI command: "
+                            f"aws securityhub create-members --account-details 'AccountId={missing_accounts_list.replace(', ', ',AccountId=')}' --region {region}"
+                        )
+                    )
+                )
+            else:
+                findings.append(
+                    self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=resource_id,
+                        checked_value="All active organization accounts are Security Hub members",
+                        actual_value=(
+                            f"All active organization accounts are Security Hub members in region {region}. "
+                            f"Active organization accounts (excluding admin): {len(active_org_account_ids)}, "
+                            f"Security Hub members: {len(securityhub_member_ids)}"
+                        ),
+                        remediation="No remediation needed"
+                    )
+                )
+        
+        return findings

sraverify/services/securityhub/checks/sra_securityhub_09.py

@@ -0,0 +1,100 @@
+"""
+SRA-SECURITYHUB-09: Security Hub check.
+"""
+from typing import List, Dict, Any
+from sraverify.services.securityhub.base import SecurityHubCheck
+from sraverify.core.logging import logger
+
+
+class SRA_SECURITYHUB_09(SecurityHubCheck):
+    """Check if all Security Hub member accounts have Enabled status."""
+    
+    def __init__(self):
+        """Initialize the check."""
+        super().__init__()
+        self.check_id = "SRA-SECURITYHUB-09"
+        self.check_name = "All Security Hub member accounts have Enabled status"
+        self.account_type = "audit"  # This check is for the audit account
+        self.severity = "HIGH"
+        self.description = (
+            "This check verifies whether each Security Hub member account has member status Enabled. "
+            "Enabled status indicates that the member account is currently active. For manually invited "
+            "member accounts, it indicates that the member account accepted the invitation."
+        )
+        self.check_logic = (
+            "Check runs aws securityhub list-members in each region and verifies that all members have "
+            "MemberStatus: Enabled. PASS if all members have Enabled status."
+        )
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []
+        
+        # Check each region separately
+        for region in self.regions:
+            # Get Security Hub members
+            securityhub_members = self.get_security_hub_members(region)
+            
+            resource_id = f"securityhub:members/{self.account_id}/{region}"
+            
+            # Check if there are any members
+            if not securityhub_members:
+                findings.append(
+                    self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=resource_id,
+                        checked_value="All Security Hub member accounts have Enabled status",
+                        actual_value=f"No Security Hub member accounts found in region {region}",
+                        remediation="No remediation needed"
+                    )
+                )
+                continue
+            
+            # Find members that don't have Enabled status
+            non_enabled_members = []
+            for member in securityhub_members:
+                member_id = member.get('AccountId')
+                member_status = member.get('MemberStatus')
+                
+                if member_status != 'Enabled':
+                    non_enabled_members.append(f"{member_id} (Status: {member_status})")
+            
+            if non_enabled_members:
+                findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=resource_id,
+                        checked_value="All Security Hub member accounts have Enabled status",
+                        actual_value=(
+                            f"The following Security Hub member accounts do not have Enabled status in region {region}: "
+                            f"{', '.join(non_enabled_members)}"
+                        ),
+                        remediation=(
+                            f"Ensure all Security Hub member accounts have Enabled status in region {region}. "
+                            f"For manually invited accounts, the member account needs to accept the invitation. "
+                            f"For organization-based members, verify the account is properly configured. "
+                            f"In the AWS Console, navigate to Security Hub in the audit account, go to Settings > Accounts, "
+                            f"and check the status of each member account."
+                        )
+                    )
+                )
+            else:
+                findings.append(
+                    self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=resource_id,
+                        checked_value="All Security Hub member accounts have Enabled status",
+                        actual_value=f"All {len(securityhub_members)} Security Hub member accounts have Enabled status in region {region}",
+                        remediation="No remediation needed"
+                    )
+                )
+        
+        return findings

sraverify/services/securityhub/checks/sra_securityhub_10.py

@@ -0,0 +1,94 @@
+"""
+SRA-SECURITYHUB-10: Security Hub check.
+"""
+from typing import List, Dict, Any
+from sraverify.services.securityhub.base import SecurityHubCheck
+from sraverify.core.logging import logger
+
+
+class SRA_SECURITYHUB_10(SecurityHubCheck):
+    """Check if Security Hub auto-enable is configured for new member accounts."""
+    
+    def __init__(self):
+        """Initialize the check."""
+        super().__init__()
+        self.check_id = "SRA-SECURITYHUB-10"
+        self.check_name = "Security Hub auto-enable is configured"
+        self.account_type = "audit"  # This check is for the audit account
+        self.severity = "MEDIUM"
+        self.description = (
+            "This check verifies whether Security Hub is configured to be automatically enabled "
+            "for new member accounts when they join the organization."
+        )
+        self.check_logic = (
+            "Check evaluates Security Hub organization configuration. For central configuration, "
+            "PASS if ConfigurationType is CENTRAL (uses configuration policies). For local configuration, "
+            "PASS if AutoEnable is true."
+        )
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []
+        
+        # Check each region separately
+        for region in self.regions:
+            # Get organization configuration in this specific region
+            org_config = self.get_organization_configuration(region)
+            
+            resource_id = f"securityhub:organization-configuration/{self.account_id}"
+            
+            # Check if using central configuration
+            org_configuration = org_config.get('OrganizationConfiguration', {})
+            config_type = org_configuration.get('ConfigurationType')
+            
+            if config_type == 'CENTRAL':
+                # In central configuration, AutoEnable is always false and not relevant
+                # Configuration policies handle new account enablement
+                findings.append(
+                    self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=resource_id,
+                        checked_value="Security Hub auto-enable configured for new accounts",
+                        actual_value=f"Central configuration enabled [ConfigurationType: CENTRAL] in region {region} - new accounts managed via configuration policies",
+                        remediation="No remediation needed - central configuration manages new account enablement through configuration policies"
+                    )
+                )
+            else:
+                # For local configuration, check AutoEnable
+                auto_enable = org_config.get('AutoEnable', False)
+                
+                if not auto_enable:
+                    findings.append(
+                        self.create_finding(
+                            status="FAIL",
+                            region=region,
+                            resource_id=resource_id,
+                            checked_value="Security Hub is set to auto-enable for new member accounts",
+                            actual_value=f"AutoEnable is set to false in region {region}",
+                            remediation=(
+                                f"Configure Security Hub to automatically enable for new member accounts in region {region}. "
+                                f"In the AWS Console, navigate to Security Hub in region {region}, go to Settings > Configuration, "
+                                f"and enable 'Auto-enable Security Hub for new accounts'. Alternatively, use the AWS CLI command: "
+                                f"aws securityhub update-organization-configuration --auto-enable --region {region}"
+                            )
+                        )
+                    )
+                else:
+                    findings.append(
+                        self.create_finding(
+                            status="PASS",
+                            region=region,
+                            resource_id=resource_id,
+                            checked_value="Security Hub is set to auto-enable for new member accounts",
+                            actual_value=f"AutoEnable is set to true in region {region}",
+                            remediation="No remediation needed"
+                        )
+                    )
+        
+        return findings

sraverify/services/securityhub/checks/sra_securityhub_11.py

@@ -0,0 +1,73 @@
+"""
+SRA-SECURITYHUB-11: Security Hub check.
+"""
+from typing import List, Dict, Any
+from sraverify.services.securityhub.base import SecurityHubCheck
+from sraverify.core.logging import logger
+
+
+class SRA_SECURITYHUB_11(SecurityHubCheck):
+    """Check if Security Hub member account limit has not been reached."""
+    
+    def __init__(self):
+        """Initialize the check."""
+        super().__init__()
+        self.check_id = "SRA-SECURITYHUB-11"
+        self.check_name = "Security Hub member account limit not reached"
+        self.account_type = "audit"  # This check is for the audit account
+        self.severity = "HIGH"
+        self.description = (
+            "This check verifies whether the maximum number of allowed member accounts are already associated "
+            "with the delegated administrator account for the AWS Organization."
+        )
+        self.check_logic = (
+            "Check evaluates if Security Hub describe-organization-configuration returns \"MemberAccountLimitReached\": false. "
+            "PASS if MemberAccountLimitReached is false."
+        )
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []
+        
+        # Check each region separately
+        for region in self.regions:
+            # Get organization configuration in this specific region
+            org_config = self.get_organization_configuration(region)
+            
+            resource_id = f"securityhub:member-quota/{self.account_id}"
+            
+            # Check if MemberAccountLimitReached is false
+            limit_reached = org_config.get('MemberAccountLimitReached', True)
+            
+            if limit_reached:
+                findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=resource_id,
+                        checked_value="Security Hub has not hit member account limit",
+                        actual_value=f"Security Hub has hit member account limit in region {region}",
+                        remediation=(
+                            f"Contact AWS Support to request an increase in the Security Hub member account limit for region {region}. "
+                            f"Alternatively, review your Security Hub member accounts and consider removing inactive or unnecessary accounts."
+                        )
+                    )
+                )
+            else:
+                findings.append(
+                    self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=resource_id,
+                        checked_value="Security Hub has not hit member account limit",
+                        actual_value=f"Security Hub has not hit member account limit in region {region}",
+                        remediation="No remediation needed"
+                    )
+                )
+        
+        return findings

sraverify/services/securityhub/client.py

@@ -0,0 +1,249 @@
+"""
+SecurityHub client for interacting with AWS SecurityHub service.
+"""
+from typing import Dict, List, Optional, Any
+import boto3
+from botocore.exceptions import ClientError
+from sraverify.core.logging import logger
+
+
+class SecurityHubClient:
+    """Client for interacting with AWS SecurityHub service."""
+    
+    def __init__(self, region: str, session: Optional[boto3.Session] = None):
+        """
+        Initialize SecurityHub client for a specific region.
+        
+        Args:
+            region: AWS region name
+            session: AWS session to use (if None, a new session will be created)
+        """
+        self.region = region
+        self.session = session or boto3.Session()
+        self.client = self.session.client('securityhub', region_name=region)
+        self.org_client = self.session.client('organizations', region_name=region)
+
+    def get_enabled_standards(self) -> List[Dict[str, Any]]:
+        """
+        Get all enabled Security Hub standards.
+        
+        Returns:
+            List of enabled standards or None if Security Hub is not enabled
+        """
+        try:
+            logger.debug(f"Getting enabled standards in {self.region}")
+            response = self.client.get_enabled_standards()
+            standards = response.get('StandardsSubscriptions', [])
+            
+            # Handle pagination
+            while response.get('NextToken'):
+                response = self.client.get_enabled_standards(NextToken=response['NextToken'])
+                standards.extend(response.get('StandardsSubscriptions', []))
+                
+            logger.debug(f"Found {len(standards)} enabled standards in {self.region}")
+            return standards
+        except ClientError as e:
+            error_code = e.response.get('Error', {}).get('Code', '')
+            error_message = e.response.get('Error', {}).get('Message', '')
+            
+            # Check if this is the "not subscribed to AWS Security Hub" error
+            if error_code == 'InvalidAccessException' and 'not subscribed to AWS Security Hub' in error_message:
+                # Return None specifically for this error to indicate Security Hub is not enabled
+                # Don't log this as an error since it's an expected condition we want to check for
+                logger.debug(f"Security Hub is not enabled in {self.region}")
+                return None
+                
+            # For other errors, log a warning instead of an error
+            logger.warning(f"Error getting enabled standards in {self.region}: {e}")
+            return []
+        except Exception as e:
+            logger.warning(f"Unexpected error getting enabled standards in {self.region}: {e}")
+            return []
+    
+    def list_organization_admin_accounts(self) -> List[Dict[str, Any]]:
+        """
+        List Security Hub administrator accounts for the organization.
+        
+        Returns:
+            List of administrator accounts
+        """
+        try:
+            logger.debug(f"Listing organization admin accounts in {self.region}")
+            response = self.client.list_organization_admin_accounts()
+            admin_accounts = response.get('AdminAccounts', [])
+            
+            # Handle pagination
+            while response.get('NextToken'):
+                response = self.client.list_organization_admin_accounts(NextToken=response['NextToken'])
+                admin_accounts.extend(response.get('AdminAccounts', []))
+                
+            logger.debug(f"Found {len(admin_accounts)} organization admin accounts in {self.region}")
+            return admin_accounts
+        except ClientError as e:
+            logger.error(f"Error listing organization admin accounts in {self.region}: {e}")
+            return []
+        except Exception as e:
+            logger.error(f"Unexpected error listing organization admin accounts in {self.region}: {e}")
+            return []
+    
+    def get_administrator_account(self) -> Dict[str, Any]:
+        """
+        Get the Security Hub administrator account for the current account.
+        
+        Returns:
+            Administrator account information
+        """
+        try:
+            logger.debug(f"Getting administrator account in {self.region}")
+            response = self.client.get_administrator_account()
+            logger.debug(f"Administrator account: {response}")
+            return response
+        except ClientError as e:
+            logger.error(f"Error getting administrator account in {self.region}: {e}")
+            return {}
+        except Exception as e:
+            logger.error(f"Unexpected error getting administrator account in {self.region}: {e}")
+            return {}
+    
+    def describe_organization_configuration(self) -> Dict[str, Any]:
+        """
+        Describe the Security Hub organization configuration.
+        
+        Returns:
+            Organization configuration
+        """
+        try:
+            logger.debug(f"Describing organization configuration in {self.region}")
+            response = self.client.describe_organization_configuration()
+            logger.debug(f"Organization configuration: {response}")
+            return response
+        except ClientError as e:
+            # Don't log the error here, let the check handle it
+            return {}
+        except Exception as e:
+            # Only log unexpected errors
+            logger.error(f"Unexpected error describing organization configuration in {self.region}: {e}")
+            return {}
+    
+    
+    def list_enabled_products_for_import(self) -> Optional[List[str]]:
+        """
+        List enabled products for import into Security Hub.
+        
+        Returns:
+            List of enabled product ARNs, or None if Security Hub is not enabled
+        """
+        try:
+            logger.debug(f"Listing enabled products for import in {self.region}")
+            response = self.client.list_enabled_products_for_import()
+            product_subscriptions = response.get('ProductSubscriptions', [])
+            
+            # Handle pagination
+            while response.get('NextToken'):
+                response = self.client.list_enabled_products_for_import(NextToken=response['NextToken'])
+                product_subscriptions.extend(response.get('ProductSubscriptions', []))
+                
+            logger.debug(f"Found {len(product_subscriptions)} enabled products in {self.region}")
+            return product_subscriptions
+        except ClientError as e:
+            error_code = e.response.get('Error', {}).get('Code', '')
+            error_message = e.response.get('Error', {}).get('Message', '')
+            
+            # Check if this is the "not subscribed to AWS Security Hub" error
+            if error_code == 'InvalidAccessException' and 'not subscribed to AWS Security Hub' in error_message:
+                # Return None specifically for this error to indicate Security Hub is not enabled
+                logger.debug(f"Security Hub is not enabled in {self.region}")
+                return None
+                
+            # For other errors, log as error and return empty list
+            logger.error(f"Error listing enabled products in {self.region}: {e}")
+            return []
+        except Exception as e:
+            logger.error(f"Unexpected error listing enabled products in {self.region}: {e}")
+            return []
+    
+    def list_delegated_administrators(self, service_principal: str = "securityhub.amazonaws.com") -> List[Dict[str, Any]]:
+        """
+        List delegated administrators for SecurityHub.
+        
+        Args:
+            service_principal: Service principal to check for delegated administrators
+            
+        Returns:
+            List of delegated administrators
+        """
+        try:
+            logger.debug(f"Listing delegated administrators for {service_principal} in {self.region}")
+            response = self.org_client.list_delegated_administrators(ServicePrincipal=service_principal)
+            delegated_admins = response.get('DelegatedAdministrators', [])
+            
+            # Handle pagination
+            while response.get('NextToken'):
+                response = self.org_client.list_delegated_administrators(
+                    ServicePrincipal=service_principal,
+                    NextToken=response['NextToken']
+                )
+                delegated_admins.extend(response.get('DelegatedAdministrators', []))
+                
+            logger.debug(f"Found {len(delegated_admins)} delegated administrators for {service_principal}")
+            for admin in delegated_admins:
+                logger.debug(f"Delegated admin: {admin.get('Id')} - {admin.get('Name')}")
+            return delegated_admins
+        except ClientError as e:
+            logger.error(f"Error listing delegated administrators for {service_principal}: {e}")
+            return []
+        except Exception as e:
+            logger.error(f"Unexpected error listing delegated administrators: {e}")
+            return []
+    
+    def list_members(self) -> List[Dict[str, Any]]:
+        """
+        List Security Hub member accounts.
+        
+        Returns:
+            List of member accounts
+        """
+        try:
+            logger.debug(f"Listing Security Hub members in {self.region}")
+            response = self.client.list_members()
+            members = response.get('Members', [])
+            
+            # Handle pagination
+            while response.get('NextToken'):
+                response = self.client.list_members(NextToken=response['NextToken'])
+                members.extend(response.get('Members', []))
+                
+            logger.debug(f"Found {len(members)} Security Hub members in {self.region}")
+            return members
+        except ClientError as e:
+            logger.error(f"Error listing Security Hub members in {self.region}: {e}")
+            return []
+        except Exception as e:
+            logger.error(f"Unexpected error listing Security Hub members in {self.region}: {e}")
+            return []
+    
+    def list_organization_accounts(self) -> List[Dict[str, Any]]:
+        """
+        List all accounts in the organization.
+        
+        Returns:
+            List of organization accounts
+        """
+        try:
+            logger.debug(f"Listing organization accounts in {self.region}")
+            response = self.org_client.list_accounts()
+            accounts = response.get('Accounts', [])
+            
+            # Handle pagination
+            while response.get('NextToken'):
+                response = self.org_client.list_accounts(NextToken=response['NextToken'])
+                accounts.extend(response.get('Accounts', []))
+                
+            logger.debug(f"Found {len(accounts)} organization accounts")
+            return accounts
+        except ClientError as e:
+            logger.error(f"Error listing organization accounts: {e}")
+            return []
+        except Exception as e:
+            logger.error(f"Unexpected error listing organization accounts: {e}")
+            return []

sraverify/services/securityincidentresponse/__init__.py

@@ -0,0 +1,13 @@
+from sraverify.services.securityincidentresponse.checks.sra_securityincidentresponse_01 import SRA_SECURITYINCIDENTRESPONSE_01
+from sraverify.services.securityincidentresponse.checks.sra_securityincidentresponse_02 import SRA_SECURITYINCIDENTRESPONSE_02
+from sraverify.services.securityincidentresponse.checks.sra_securityincidentresponse_03 import SRA_SECURITYINCIDENTRESPONSE_03
+from sraverify.services.securityincidentresponse.checks.sra_securityincidentresponse_04 import SRA_SECURITYINCIDENTRESPONSE_04
+from sraverify.services.securityincidentresponse.checks.sra_securityincidentresponse_05 import SRA_SECURITYINCIDENTRESPONSE_05
+
+CHECKS = {
+    "SRA-SECURITYINCIDENTRESPONSE-01": SRA_SECURITYINCIDENTRESPONSE_01,
+    "SRA-SECURITYINCIDENTRESPONSE-02": SRA_SECURITYINCIDENTRESPONSE_02,
+    "SRA-SECURITYINCIDENTRESPONSE-03": SRA_SECURITYINCIDENTRESPONSE_03,
+    "SRA-SECURITYINCIDENTRESPONSE-04": SRA_SECURITYINCIDENTRESPONSE_04,
+    "SRA-SECURITYINCIDENTRESPONSE-05": SRA_SECURITYINCIDENTRESPONSE_05,
+}