PyPI - sraverify - Versions diffs - 0.1.0__py3-none-any.whl - Mend

sraverify 0.1.0__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (261) hide show

sraverify/__init__.py +36 -0
sraverify/checks/__init__.py +56 -0
sraverify/checks/accessanalyzer/SRA_IAA_1.py +188 -0
sraverify/checks/accessanalyzer/SRA_IAA_2.py +162 -0
sraverify/checks/accessanalyzer/SRA_IAA_3.py +260 -0
sraverify/checks/accessanalyzer/SRA_IAA_4.py +207 -0
sraverify/checks/accessanalyzer/__init__.py +3 -0
sraverify/checks/cloudtrail/SRA-CT-1.py +220 -0
sraverify/checks/cloudtrail/SRA-CT-10.py +229 -0
sraverify/checks/cloudtrail/SRA-CT-11.py +242 -0
sraverify/checks/cloudtrail/SRA-CT-12.py +163 -0
sraverify/checks/cloudtrail/SRA-CT-13.py +279 -0
sraverify/checks/cloudtrail/SRA-CT-2.py +218 -0
sraverify/checks/cloudtrail/SRA-CT-3.py +196 -0
sraverify/checks/cloudtrail/SRA-CT-4.py +161 -0
sraverify/checks/cloudtrail/SRA-CT-5.py +200 -0
sraverify/checks/cloudtrail/SRA-CT-6.py +161 -0
sraverify/checks/cloudtrail/SRA-CT-7.py +194 -0
sraverify/checks/cloudtrail/SRA-CT-8.py +226 -0
sraverify/checks/cloudtrail/SRA-CT-9.py +226 -0
sraverify/checks/cloudtrail/__init__.py +3 -0
sraverify/checks/config/SRA-CONFIG-1.py +197 -0
sraverify/checks/config/__init__.py +3 -0
sraverify/core/__init__.py +3 -0
sraverify/core/check.py +227 -0
sraverify/core/logging.py +37 -0
sraverify/core/session.py +47 -0
sraverify/lib/__init__.py +4 -0
sraverify/lib/audit_info.py +37 -0
sraverify/lib/banner.py +42 -0
sraverify/lib/check_loader.py +80 -0
sraverify/lib/org_mgmt_checker.py +86 -0
sraverify/lib/outputs.py +46 -0
sraverify/lib/progress.py +75 -0
sraverify/lib/regions.py +27 -0
sraverify/lib/session.py +23 -0
sraverify/main.py +350 -0
sraverify/services/__init__.py +3 -0
sraverify/services/accessanalyzer/__init__.py +15 -0
sraverify/services/accessanalyzer/base.py +123 -0
sraverify/services/accessanalyzer/checks/__init__.py +3 -0
sraverify/services/accessanalyzer/checks/sra_accessanalyzer_01.py +82 -0
sraverify/services/accessanalyzer/checks/sra_accessanalyzer_02.py +82 -0
sraverify/services/accessanalyzer/checks/sra_accessanalyzer_03.py +103 -0
sraverify/services/accessanalyzer/checks/sra_accessanalyzer_04.py +139 -0
sraverify/services/accessanalyzer/client.py +123 -0
sraverify/services/account/__init__.py +9 -0
sraverify/services/account/base.py +56 -0
sraverify/services/account/checks/__init__.py +1 -0
sraverify/services/account/checks/sra_account_01.py +65 -0
sraverify/services/account/checks/sra_account_02.py +63 -0
sraverify/services/account/checks/sra_account_03.py +63 -0
sraverify/services/account/client.py +51 -0
sraverify/services/auditmanager/__init__.py +10 -0
sraverify/services/auditmanager/base.py +72 -0
sraverify/services/auditmanager/checks/__init__.py +1 -0
sraverify/services/auditmanager/checks/sra_auditmanager_01.py +58 -0
sraverify/services/auditmanager/checks/sra_auditmanager_02.py +80 -0
sraverify/services/auditmanager/client.py +58 -0
sraverify/services/cloudtrail/__init__.py +33 -0
sraverify/services/cloudtrail/base.py +167 -0
sraverify/services/cloudtrail/checks/__init__.py +1 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_01.py +83 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_02.py +99 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_03.py +94 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_04.py +92 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_05.py +106 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_06.py +93 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_07.py +96 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_08.py +145 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_09.py +167 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_10.py +162 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_11.py +178 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_12.py +77 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_13.py +120 -0
sraverify/services/cloudtrail/client.py +118 -0
sraverify/services/config/__init__.py +25 -0
sraverify/services/config/base.py +249 -0
sraverify/services/config/checks/__init__.py +1 -0
sraverify/services/config/checks/sra_config_01.py +123 -0
sraverify/services/config/checks/sra_config_02.py +156 -0
sraverify/services/config/checks/sra_config_03.py +149 -0
sraverify/services/config/checks/sra_config_04.py +104 -0
sraverify/services/config/checks/sra_config_05.py +104 -0
sraverify/services/config/checks/sra_config_06.py +194 -0
sraverify/services/config/checks/sra_config_07.py +162 -0
sraverify/services/config/checks/sra_config_08.py +185 -0
sraverify/services/config/checks/sra_config_09.py +177 -0
sraverify/services/config/client.py +264 -0
sraverify/services/ec2/__init__.py +8 -0
sraverify/services/ec2/base.py +75 -0
sraverify/services/ec2/checks/__init__.py +1 -0
sraverify/services/ec2/checks/sra_ec2_01.py +83 -0
sraverify/services/ec2/client.py +63 -0
sraverify/services/firewallmanager/__init__.py +23 -0
sraverify/services/firewallmanager/base.py +48 -0
sraverify/services/firewallmanager/checks/__init__.py +1 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_01.py +75 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_02.py +57 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_03.py +51 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_04.py +51 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_05.py +51 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_06.py +51 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_07.py +51 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_08.py +61 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_09.py +61 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_10.py +71 -0
sraverify/services/firewallmanager/client.py +40 -0
sraverify/services/guardduty/__init__.py +58 -0
sraverify/services/guardduty/base.py +207 -0
sraverify/services/guardduty/checks/__init__.py +3 -0
sraverify/services/guardduty/checks/sra_guardduty_01.py +51 -0
sraverify/services/guardduty/checks/sra_guardduty_02.py +80 -0
sraverify/services/guardduty/checks/sra_guardduty_03.py +77 -0
sraverify/services/guardduty/checks/sra_guardduty_04.py +84 -0
sraverify/services/guardduty/checks/sra_guardduty_05.py +84 -0
sraverify/services/guardduty/checks/sra_guardduty_06.py +84 -0
sraverify/services/guardduty/checks/sra_guardduty_07.py +85 -0
sraverify/services/guardduty/checks/sra_guardduty_08.py +83 -0
sraverify/services/guardduty/checks/sra_guardduty_09.py +84 -0
sraverify/services/guardduty/checks/sra_guardduty_10.py +83 -0
sraverify/services/guardduty/checks/sra_guardduty_11.py +93 -0
sraverify/services/guardduty/checks/sra_guardduty_12.py +83 -0
sraverify/services/guardduty/checks/sra_guardduty_13.py +90 -0
sraverify/services/guardduty/checks/sra_guardduty_14.py +136 -0
sraverify/services/guardduty/checks/sra_guardduty_15.py +94 -0
sraverify/services/guardduty/checks/sra_guardduty_16.py +94 -0
sraverify/services/guardduty/checks/sra_guardduty_17.py +91 -0
sraverify/services/guardduty/checks/sra_guardduty_18.py +91 -0
sraverify/services/guardduty/checks/sra_guardduty_19.py +91 -0
sraverify/services/guardduty/checks/sra_guardduty_20.py +111 -0
sraverify/services/guardduty/checks/sra_guardduty_21.py +112 -0
sraverify/services/guardduty/checks/sra_guardduty_22.py +111 -0
sraverify/services/guardduty/checks/sra_guardduty_23.py +154 -0
sraverify/services/guardduty/checks/sra_guardduty_24.py +111 -0
sraverify/services/guardduty/checks/sra_guardduty_25.py +111 -0
sraverify/services/guardduty/client.py +107 -0
sraverify/services/inspector/__init__.py +29 -0
sraverify/services/inspector/base.py +233 -0
sraverify/services/inspector/checks/__init__.py +3 -0
sraverify/services/inspector/checks/sra_inspector_01.py +69 -0
sraverify/services/inspector/checks/sra_inspector_02.py +68 -0
sraverify/services/inspector/checks/sra_inspector_03.py +68 -0
sraverify/services/inspector/checks/sra_inspector_04.py +70 -0
sraverify/services/inspector/checks/sra_inspector_05.py +69 -0
sraverify/services/inspector/checks/sra_inspector_06.py +115 -0
sraverify/services/inspector/checks/sra_inspector_07.py +109 -0
sraverify/services/inspector/checks/sra_inspector_08.py +69 -0
sraverify/services/inspector/checks/sra_inspector_09.py +69 -0
sraverify/services/inspector/checks/sra_inspector_10.py +69 -0
sraverify/services/inspector/checks/sra_inspector_11.py +69 -0
sraverify/services/inspector/client.py +99 -0
sraverify/services/macie/__init__.py +27 -0
sraverify/services/macie/base.py +271 -0
sraverify/services/macie/checks/__init__.py +1 -0
sraverify/services/macie/checks/sra_macie_01.py +100 -0
sraverify/services/macie/checks/sra_macie_02.py +102 -0
sraverify/services/macie/checks/sra_macie_03.py +152 -0
sraverify/services/macie/checks/sra_macie_04.py +120 -0
sraverify/services/macie/checks/sra_macie_05.py +85 -0
sraverify/services/macie/checks/sra_macie_06.py +124 -0
sraverify/services/macie/checks/sra_macie_07.py +138 -0
sraverify/services/macie/checks/sra_macie_08.py +82 -0
sraverify/services/macie/checks/sra_macie_09.py +103 -0
sraverify/services/macie/checks/sra_macie_10.py +81 -0
sraverify/services/macie/client.py +220 -0
sraverify/services/s3/__init__.py +16 -0
sraverify/services/s3/base.py +69 -0
sraverify/services/s3/checks/__init__.py +1 -0
sraverify/services/s3/checks/sra_s3_01.py +89 -0
sraverify/services/s3/checks/sra_s3_02.py +89 -0
sraverify/services/s3/checks/sra_s3_03.py +88 -0
sraverify/services/s3/checks/sra_s3_04.py +88 -0
sraverify/services/s3/client.py +52 -0
sraverify/services/securityhub/__init__.py +27 -0
sraverify/services/securityhub/base.py +349 -0
sraverify/services/securityhub/checks/__init__.py +1 -0
sraverify/services/securityhub/checks/sra_securityhub_01.py +115 -0
sraverify/services/securityhub/checks/sra_securityhub_02.py +114 -0
sraverify/services/securityhub/checks/sra_securityhub_03.py +136 -0
sraverify/services/securityhub/checks/sra_securityhub_04.py +75 -0
sraverify/services/securityhub/checks/sra_securityhub_05.py +102 -0
sraverify/services/securityhub/checks/sra_securityhub_06.py +113 -0
sraverify/services/securityhub/checks/sra_securityhub_07.py +121 -0
sraverify/services/securityhub/checks/sra_securityhub_08.py +113 -0
sraverify/services/securityhub/checks/sra_securityhub_09.py +100 -0
sraverify/services/securityhub/checks/sra_securityhub_10.py +94 -0
sraverify/services/securityhub/checks/sra_securityhub_11.py +73 -0
sraverify/services/securityhub/client.py +249 -0
sraverify/services/securityincidentresponse/__init__.py +13 -0
sraverify/services/securityincidentresponse/base.py +95 -0
sraverify/services/securityincidentresponse/checks/__init__.py +1 -0
sraverify/services/securityincidentresponse/checks/sra_securityincidentresponse_01.py +77 -0
sraverify/services/securityincidentresponse/checks/sra_securityincidentresponse_02.py +72 -0
sraverify/services/securityincidentresponse/checks/sra_securityincidentresponse_03.py +86 -0
sraverify/services/securityincidentresponse/checks/sra_securityincidentresponse_04.py +117 -0
sraverify/services/securityincidentresponse/checks/sra_securityincidentresponse_05.py +55 -0
sraverify/services/securityincidentresponse/client.py +71 -0
sraverify/services/securitylake/__init__.py +39 -0
sraverify/services/securitylake/base.py +461 -0
sraverify/services/securitylake/checks/__init__.py +1 -0
sraverify/services/securitylake/checks/sra_securitylake_01.py +98 -0
sraverify/services/securitylake/checks/sra_securitylake_02.py +133 -0
sraverify/services/securitylake/checks/sra_securitylake_03.py +116 -0
sraverify/services/securitylake/checks/sra_securitylake_04.py +72 -0
sraverify/services/securitylake/checks/sra_securitylake_05.py +116 -0
sraverify/services/securitylake/checks/sra_securitylake_06.py +104 -0
sraverify/services/securitylake/checks/sra_securitylake_07.py +108 -0
sraverify/services/securitylake/checks/sra_securitylake_08.py +107 -0
sraverify/services/securitylake/checks/sra_securitylake_09.py +107 -0
sraverify/services/securitylake/checks/sra_securitylake_10.py +106 -0
sraverify/services/securitylake/checks/sra_securitylake_11.py +109 -0
sraverify/services/securitylake/checks/sra_securitylake_12.py +108 -0
sraverify/services/securitylake/checks/sra_securitylake_13.py +108 -0
sraverify/services/securitylake/checks/sra_securitylake_14.py +72 -0
sraverify/services/securitylake/checks/sra_securitylake_15.py +120 -0
sraverify/services/securitylake/checks/sra_securitylake_16.py +104 -0
sraverify/services/securitylake/checks/sra_securitylake_17.py +103 -0
sraverify/services/securitylake/client.py +247 -0
sraverify/services/shield/__init__.py +33 -0
sraverify/services/shield/base.py +199 -0
sraverify/services/shield/checks/__init__.py +1 -0
sraverify/services/shield/checks/sra_shield_01.py +68 -0
sraverify/services/shield/checks/sra_shield_02.py +77 -0
sraverify/services/shield/checks/sra_shield_03.py +84 -0
sraverify/services/shield/checks/sra_shield_04.py +84 -0
sraverify/services/shield/checks/sra_shield_05.py +84 -0
sraverify/services/shield/checks/sra_shield_06.py +84 -0
sraverify/services/shield/checks/sra_shield_07.py +84 -0
sraverify/services/shield/checks/sra_shield_08.py +69 -0
sraverify/services/shield/checks/sra_shield_09.py +86 -0
sraverify/services/shield/checks/sra_shield_10.py +100 -0
sraverify/services/shield/checks/sra_shield_11.py +71 -0
sraverify/services/shield/checks/sra_shield_12.py +130 -0
sraverify/services/shield/checks/sra_shield_13.py +112 -0
sraverify/services/shield/checks/sra_shield_14.py +111 -0
sraverify/services/shield/client.py +214 -0
sraverify/services/waf/__init__.py +21 -0
sraverify/services/waf/base.py +100 -0
sraverify/services/waf/checks/__init__.py +1 -0
sraverify/services/waf/checks/sra_waf_01.py +63 -0
sraverify/services/waf/checks/sra_waf_02.py +82 -0
sraverify/services/waf/checks/sra_waf_03.py +123 -0
sraverify/services/waf/checks/sra_waf_04.py +94 -0
sraverify/services/waf/checks/sra_waf_05.py +94 -0
sraverify/services/waf/checks/sra_waf_06.py +91 -0
sraverify/services/waf/checks/sra_waf_07.py +94 -0
sraverify/services/waf/checks/sra_waf_08.py +66 -0
sraverify/services/waf/checks/sra_waf_09.py +95 -0
sraverify/services/waf/client.py +109 -0
sraverify/utils/__init__.py +3 -0
sraverify/utils/banner.py +65 -0
sraverify/utils/outputs.py +57 -0
sraverify/utils/progress.py +97 -0
sraverify-0.1.0.dist-info/LICENSE +175 -0
sraverify-0.1.0.dist-info/METADATA +516 -0
sraverify-0.1.0.dist-info/NOTICE +1 -0
sraverify-0.1.0.dist-info/RECORD +261 -0
sraverify-0.1.0.dist-info/WHEEL +5 -0
sraverify-0.1.0.dist-info/entry_points.txt +2 -0
sraverify-0.1.0.dist-info/top_level.txt +1 -0

sraverify/services/securityincidentresponse/base.py ADDED Viewed

@@ -0,0 +1,95 @@
+from typing import Dict, Any
+from sraverify.core.check import SecurityCheck
+from sraverify.services.securityincidentresponse.client import SecurityIncidentResponseClient
+from sraverify.core.logging import logger
+class SecurityIncidentResponseCheck(SecurityCheck):
+    def __init__(self):
+        super().__init__(
+            account_type="management",
+            service="SecurityIncidentResponse",
+            resource_type="AWS::Organizations::DelegatedAdministrator"
+        )
+    def _setup_clients(self):
+        self._clients.clear()
+        # Use first region specified, or us-east-1 as fallback
+        region = self.regions[0] if self.regions else "us-east-1"
+        self._clients[region] = SecurityIncidentResponseClient(region, session=self.session)
+    def get_delegated_administrators(self) -> Dict[str, Any]:
+        """Get delegated administrators for Security Incident Response."""
+        region = self.regions[0] if self.regions else "us-east-1"
+        client = self.get_client(region)
+        if not client:
+            return {}
+        return client.list_delegated_administrators()
+    def list_memberships(self) -> Dict[str, Any]:
+        """List Security Incident Response memberships."""
+        region = self.regions[0] if self.regions else "us-east-1"
+        client = self.get_client(region)
+        if not client:
+            return {}
+        return client.list_memberships()
+    def get_membership(self, membership_id: str) -> Dict[str, Any]:
+        """Get Security Incident Response membership details."""
+        sir_region = self.discover_sir_region()
+        client = self.get_client(sir_region)
+        if not client:
+            self._clients[sir_region] = SecurityIncidentResponseClient(sir_region, session=self.session)
+            client = self.get_client(sir_region)
+        return client.get_membership(membership_id)
+    def batch_get_member_account_details(self, membership_id: str, account_ids: list) -> Dict[str, Any]:
+        """Get member account details for multiple accounts."""
+        sir_region = self.discover_sir_region()
+        client = self.get_client(sir_region)
+        if not client:
+            self._clients[sir_region] = SecurityIncidentResponseClient(sir_region, session=self.session)
+            client = self.get_client(sir_region)
+        return client.batch_get_member_account_details(membership_id, account_ids)
+    def get_organization_accounts(self) -> list:
+        """Get all accounts in the organization."""
+        region = self.regions[0] if self.regions else "us-east-1"
+        client = self.get_client(region)
+        if not client:
+            return []
+        response = client.list_accounts()
+        if "Error" in response:
+            return []
+        return response.get("Accounts", [])
+    def get_role(self, role_name: str) -> Dict[str, Any]:
+        """Get IAM role details."""
+        region = self.regions[0] if self.regions else "us-east-1"
+        client = self.get_client(region)
+        if not client:
+            return {}
+        return client.get_role(role_name)
+    def discover_sir_region(self) -> str:
+        """Discover the region where Security Incident Response is configured."""
+        # Try each region until we find one with memberships
+        regions_to_try = self.regions
+        for region in regions_to_try:
+            try:
+                # Create a temporary client for this region
+                temp_client = SecurityIncidentResponseClient(region, session=self.session)
+                response = temp_client.list_memberships()
+                if "Error" not in response:
+                    memberships = response.get("items", [])
+                    if memberships:
+                        # Return the region from the first membership
+                        return memberships[0].get("region", region)
+            except Exception:
+                continue
+        # Fallback to first region or us-east-1
+        return self.regions[0] if self.regions else "us-east-1"

sraverify/services/securityincidentresponse/checks/__init__.py ADDED Viewed

	@@ -0,0 +1 @@
1	+ # Security Incident Response checks

sraverify/services/securityincidentresponse/checks/sra_securityincidentresponse_01.py ADDED Viewed

@@ -0,0 +1,77 @@
+from typing import Dict, List, Any
+from sraverify.services.securityincidentresponse.base import SecurityIncidentResponseCheck
+class SRA_SECURITYINCIDENTRESPONSE_01(SecurityIncidentResponseCheck):
+    def __init__(self):
+        super().__init__()
+        self.check_id = "SRA-SECURITYINCIDENTRESPONSE-01"
+        self.check_name = "Security Incident Response delegated admin is audit account"
+        self.description = "Verifies that the Security Incident Response delegated administrator is configured and is the audit account"
+        self.severity = "HIGH"
+        self.check_logic = "Lists delegated administrators for security-ir.amazonaws.com and verifies the audit account is designated"
+    def execute(self) -> List[Dict[str, Any]]:
+        region = self.regions[0] if self.regions else "us-east-1"
+        # Check if audit accounts are provided
+        audit_accounts = getattr(self, '_audit_accounts', None)
+        if not audit_accounts:
+            self.findings.append(self.create_finding(
+                status="ERROR",
+                region=region,
+                resource_id=None,
+                actual_value="No audit accounts specified",
+                remediation="Run with --audit-account parameter to specify audit account IDs"
+            ))
+            return self.findings
+        response = self.get_delegated_administrators()
+        if "Error" in response:
+            self.findings.append(self.create_finding(
+                status="ERROR",
+                region=region,
+                resource_id=None,
+                actual_value=response["Error"].get("Message", "Unknown error"),
+                remediation="Check IAM permissions for Organizations API access"
+            ))
+            return self.findings
+        delegated_admins = response.get("DelegatedAdministrators", [])
+        if not delegated_admins:
+            self.findings.append(self.create_finding(
+                status="FAIL",
+                region=region,
+                resource_id=None,
+                actual_value="No delegated administrator configured for Security Incident Response",
+                remediation="Configure a delegated administrator for Security Incident Response using: aws organizations register-delegated-administrator --account-id <audit-account-id> --service-principal security-ir.amazonaws.com"
+            ))
+        else:
+            # Check if any of the delegated admins is the audit account
+            audit_admin_found = False
+            for admin in delegated_admins:
+                admin_id = admin.get("Id")
+                if admin_id in audit_accounts:
+                    audit_admin_found = True
+                    self.findings.append(self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=admin_id,
+                        actual_value=f"Audit account {admin_id} is configured as delegated administrator",
+                        remediation="No remediation needed"
+                    ))
+                    break
+            if not audit_admin_found:
+                admin_ids = [admin.get("Id") for admin in delegated_admins]
+                self.findings.append(self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id=None,
+                    actual_value=f"Delegated administrators found: {admin_ids}, but none are audit accounts: {audit_accounts}",
+                    remediation="Register the audit account as delegated administrator: aws organizations register-delegated-administrator --account-id <audit-account-id> --service-principal security-ir.amazonaws.com"
+                ))
+        return self.findings

sraverify/services/securityincidentresponse/checks/sra_securityincidentresponse_02.py ADDED Viewed

@@ -0,0 +1,72 @@
+from typing import Dict, List, Any
+from sraverify.services.securityincidentresponse.base import SecurityIncidentResponseCheck
+class SRA_SECURITYINCIDENTRESPONSE_02(SecurityIncidentResponseCheck):
+    def __init__(self):
+        super().__init__()
+        self.account_type = "audit"
+        self.check_id = "SRA-SECURITYINCIDENTRESPONSE-02"
+        self.check_name = "Security Incident Response membership active"
+        self.description = "Verifies that Security Incident Response membership is active"
+        self.severity = "HIGH"
+        self.check_logic = "Lists memberships and verifies status is Active"
+    def execute(self) -> List[Dict[str, Any]]:
+        region = self.regions[0] if self.regions else "us-east-1"
+        response = self.list_memberships()
+        if "Error" in response:
+            self.findings.append(self.create_finding(
+                status="ERROR",
+                region=region,
+                resource_id=None,
+                actual_value=response["Error"].get("Message", "Unknown error"),
+                remediation="Check IAM permissions for Security Incident Response API access"
+            ))
+            return self.findings
+        memberships = response.get("items", [])
+        if not memberships:
+            self.findings.append(self.create_finding(
+                status="FAIL",
+                region=region,
+                resource_id=None,
+                actual_value="No Security Incident Response memberships found",
+                remediation="Create a Security Incident Response membership through the AWS console or API"
+            ))
+        else:
+            active_found = False
+            for membership in memberships:
+                membership_id = membership.get("membershipId")
+                status = membership.get("membershipStatus")
+                if status == "Active":
+                    active_found = True
+                    self.findings.append(self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=membership_id,
+                        actual_value=f"Membership {membership_id} is Active",
+                        remediation="No remediation needed"
+                    ))
+                else:
+                    self.findings.append(self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=membership_id,
+                        actual_value=f"Membership {membership_id} status is {status}",
+                        remediation="Activate the Security Incident Response membership through the AWS console"
+                    ))
+            if not active_found:
+                self.findings.append(self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id=None,
+                    actual_value="No active Security Incident Response memberships found",
+                    remediation="Activate an existing membership or create a new active membership"
+                ))
+        return self.findings

sraverify/services/securityincidentresponse/checks/sra_securityincidentresponse_03.py ADDED Viewed

@@ -0,0 +1,86 @@
+from typing import Dict, List, Any
+from sraverify.services.securityincidentresponse.base import SecurityIncidentResponseCheck
+class SRA_SECURITYINCIDENTRESPONSE_03(SecurityIncidentResponseCheck):
+    def __init__(self):
+        super().__init__()
+        self.account_type = "audit"
+        self.check_id = "SRA-SECURITYINCIDENTRESPONSE-03"
+        self.check_name = "Security Incident Response proactive response enabled"
+        self.description = "Verifies that Security Incident Response proactive response (Triage) feature is enabled"
+        self.severity = "MEDIUM"
+        self.check_logic = "Lists memberships and checks if Triage opt-in feature is enabled"
+    def execute(self) -> List[Dict[str, Any]]:
+        # Discover the region where Security Incident Response is configured
+        region = self.discover_sir_region()
+        # First get list of memberships
+        memberships_response = self.list_memberships()
+        if "Error" in memberships_response:
+            self.findings.append(self.create_finding(
+                status="ERROR",
+                region=region,
+                resource_id=None,
+                actual_value=memberships_response["Error"].get("Message", "Unknown error"),
+                remediation="Check IAM permissions for Security Incident Response API access"
+            ))
+            return self.findings
+        memberships = memberships_response.get("items", [])
+        if not memberships:
+            self.findings.append(self.create_finding(
+                status="FAIL",
+                region=region,
+                resource_id=None,
+                actual_value="No Security Incident Response memberships found",
+                remediation="Create a Security Incident Response membership first"
+            ))
+            return self.findings
+        # Check each membership for proactive response
+        for membership in memberships:
+            membership_id = membership.get("membershipId")
+            # Get detailed membership info
+            membership_details = self.get_membership(membership_id)
+            if "Error" in membership_details:
+                self.findings.append(self.create_finding(
+                    status="ERROR",
+                    region=region,
+                    resource_id=membership_id,
+                    actual_value=membership_details["Error"].get("Message", "Unknown error"),
+                    remediation="Check IAM permissions for Security Incident Response GetMembership API access"
+                ))
+                continue
+            # Check opt-in features for Triage
+            opt_in_features = membership_details.get("optInFeatures", [])
+            triage_enabled = False
+            for feature in opt_in_features:
+                if feature.get("featureName") == "Triage" and feature.get("isEnabled"):
+                    triage_enabled = True
+                    break
+            if triage_enabled:
+                self.findings.append(self.create_finding(
+                    status="PASS",
+                    region=region,
+                    resource_id=membership_id,
+                    actual_value="Proactive response (Triage) is enabled",
+                    remediation="No remediation needed"
+                ))
+            else:
+                self.findings.append(self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id=membership_id,
+                    actual_value="Proactive response (Triage) is not enabled",
+                    remediation="Enable proactive response in the Security Incident Response console under membership settings"
+                ))
+        return self.findings

sraverify/services/securityincidentresponse/checks/sra_securityincidentresponse_04.py ADDED Viewed

@@ -0,0 +1,117 @@
+from typing import Dict, List, Any
+from sraverify.services.securityincidentresponse.base import SecurityIncidentResponseCheck
+class SRA_SECURITYINCIDENTRESPONSE_04(SecurityIncidentResponseCheck):
+    def __init__(self):
+        super().__init__()
+        self.account_type = "audit"
+        self.check_id = "SRA-SECURITYINCIDENTRESPONSE-04"
+        self.check_name = "Security Incident Response enabled for all organization accounts"
+        self.description = "Verifies that all active organization accounts are covered by Security Incident Response"
+        self.severity = "HIGH"
+        self.check_logic = "Gets all organization accounts and checks if each is associated with Security Incident Response membership"
+    def execute(self) -> List[Dict[str, Any]]:
+        # Discover the region where Security Incident Response is configured
+        region = self.discover_sir_region()
+        # Get all organization accounts
+        org_accounts = self.get_organization_accounts()
+        if not org_accounts:
+            self.findings.append(self.create_finding(
+                status="ERROR",
+                region=region,
+                resource_id=None,
+                actual_value="Unable to retrieve organization accounts",
+                remediation="Check IAM permissions for Organizations API access"
+            ))
+            return self.findings
+        # Get active memberships
+        memberships_response = self.list_memberships()
+        if "Error" in memberships_response:
+            self.findings.append(self.create_finding(
+                status="ERROR",
+                region=region,
+                resource_id=None,
+                actual_value=memberships_response["Error"].get("Message", "Unknown error"),
+                remediation="Check IAM permissions for Security Incident Response API access"
+            ))
+            return self.findings
+        memberships = memberships_response.get("items", [])
+        active_memberships = [m for m in memberships if m.get("membershipStatus") == "Active"]
+        if not active_memberships:
+            self.findings.append(self.create_finding(
+                status="ERROR",
+                region=region,
+                resource_id=None,
+                actual_value="No active Security Incident Response memberships found",
+                remediation="Create and activate a Security Incident Response membership first"
+            ))
+            return self.findings
+        # Use first active membership
+        membership_id = active_memberships[0].get("membershipId")
+        # Get active organization accounts
+        active_accounts = [acc for acc in org_accounts if acc.get("Status") == "ACTIVE"]
+        account_ids = [acc.get("Id") for acc in active_accounts]
+        # Process accounts in batches of 100 (API limit)
+        batch_size = 100
+        for i in range(0, len(account_ids), batch_size):
+            batch_account_ids = account_ids[i:i + batch_size]
+            response = self.batch_get_member_account_details(membership_id, batch_account_ids)
+            if "Error" in response:
+                for account_id in batch_account_ids:
+                    self.findings.append(self.create_finding(
+                        status="ERROR",
+                        region=region,
+                        resource_id=account_id,
+                        actual_value=response["Error"].get("Message", "Unknown error"),
+                        remediation="Check IAM permissions for Security Incident Response BatchGetMemberAccountDetails API access or ensure you specified the region where Security Incident Response is enabled with the --regions flag"
+                    ))
+                continue
+            # Process results
+            items = response.get("items", [])
+            errors = response.get("errors", [])
+            # Handle errors
+            for error in errors:
+                account_id = error.get("accountId")
+                self.findings.append(self.create_finding(
+                    status="ERROR",
+                    region=region,
+                    resource_id=account_id,
+                    actual_value=error.get("message", "Unknown error"),
+                    remediation="Check account status and Security Incident Response configuration"
+                ))
+            # Check each account's association status
+            for item in items:
+                account_id = item.get("accountId")
+                relationship_status = item.get("relationshipStatus")
+                if relationship_status == "Associated":
+                    self.findings.append(self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=account_id,
+                        actual_value=f"Account {account_id} is associated with Security Incident Response",
+                        remediation="No remediation needed"
+                    ))
+                else:
+                    self.findings.append(self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=account_id,
+                        actual_value=f"Account {account_id} relationship status is {relationship_status}",
+                        remediation="Associate the account with Security Incident Response membership through organizational units or direct association"
+                    ))
+        return self.findings

sraverify/services/securityincidentresponse/checks/sra_securityincidentresponse_05.py ADDED Viewed

@@ -0,0 +1,55 @@
+from typing import Dict, List, Any
+from sraverify.services.securityincidentresponse.base import SecurityIncidentResponseCheck
+class SRA_SECURITYINCIDENTRESPONSE_05(SecurityIncidentResponseCheck):
+    def __init__(self):
+        super().__init__()
+        self.account_type = "application"
+        self.check_id = "SRA-SECURITYINCIDENTRESPONSE-05"
+        self.check_name = "Security Incident Response triage service linked role exists"
+        self.description = "Verifies that the AWSServiceRoleForSecurityIncidentResponse_Triage service linked role exists"
+        self.severity = "MEDIUM"
+        self.check_logic = "Checks if the AWSServiceRoleForSecurityIncidentResponse_Triage IAM role exists in the account"
+    def execute(self) -> List[Dict[str, Any]]:
+        region = "global"  # IAM is global
+        role_name = "AWSServiceRoleForSecurityIncidentResponse_Triage"
+        management_account_id = self.get_management_accountId(self.session)
+        is_management_account = self.account_id == management_account_id
+        response = self.get_role(role_name)
+        if "Error" in response:
+            error_code = response["Error"].get("Code")
+            if error_code == "NoSuchEntity":
+                if is_management_account:
+                    remediation = "Security Incident Response cannot automatically create the triage service linked role in the management account. Create it manually using: aws iam create-service-linked-role --aws-service-name triage.security-ir.amazonaws.com"
+                else:
+                    remediation = "The triage service linked role is created when onboarding to Security Incident Response. If deleted, recreate by onboarding to the service again or manually using: aws iam create-service-linked-role --aws-service-name triage.security-ir.amazonaws.com"
+                self.findings.append(self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id=f"arn:aws:iam::{self.account_id}:role/{role_name}",
+                    actual_value=f"Service linked role {role_name} does not exist",
+                    remediation=remediation
+                ))
+            else:
+                self.findings.append(self.create_finding(
+                    status="ERROR",
+                    region=region,
+                    resource_id=f"arn:aws:iam::{self.account_id}:role/{role_name}",
+                    actual_value=response["Error"].get("Message", "Unknown error"),
+                    remediation="Check IAM permissions for GetRole API access"
+                ))
+        else:
+            role_arn = response.get("Role", {}).get("Arn")
+            self.findings.append(self.create_finding(
+                status="PASS",
+                region=region,
+                resource_id=role_arn,
+                actual_value=f"Service linked role {role_name} exists",
+                remediation="No remediation needed"
+            ))
+        return self.findings

sraverify/services/securityincidentresponse/client.py ADDED Viewed

@@ -0,0 +1,71 @@
+from typing import Dict, Optional, Any, List
+import boto3
+from botocore.exceptions import ClientError
+from sraverify.core.logging import logger
+class SecurityIncidentResponseClient:
+    def __init__(self, region: str, session: Optional[boto3.Session] = None):
+        self.region = region
+        self.session = session or boto3.Session()
+        self.org_client = self.session.client('organizations', region_name=region)
+        self.sir_client = self.session.client('security-ir', region_name=region)
+        self.iam_client = self.session.client('iam', region_name=region)
+    def list_delegated_administrators(self, service_principal: str = "security-ir.amazonaws.com") -> Dict[str, Any]:
+        """List delegated administrators for Security Incident Response service."""
+        try:
+            response = self.org_client.list_delegated_administrators(
+                ServicePrincipal=service_principal
+            )
+            return response
+        except ClientError as e:
+            logger.error(f"Error listing delegated administrators in {self.region}: {e}")
+            return {"Error": {"Code": e.response['Error']['Code'], "Message": e.response['Error']['Message']}}
+    def list_memberships(self) -> Dict[str, Any]:
+        """List Security Incident Response memberships."""
+        try:
+            response = self.sir_client.list_memberships()
+            return response
+        except ClientError as e:
+            logger.error(f"Error listing memberships in {self.region}: {e}")
+            return {"Error": {"Code": e.response['Error']['Code'], "Message": e.response['Error']['Message']}}
+    def get_membership(self, membership_id: str) -> Dict[str, Any]:
+        """Get Security Incident Response membership details."""
+        try:
+            response = self.sir_client.get_membership(membershipId=membership_id)
+            return response
+        except ClientError as e:
+            logger.error(f"Error getting membership {membership_id} in {self.region}: {e}")
+            return {"Error": {"Code": e.response['Error']['Code'], "Message": e.response['Error']['Message']}}
+    def batch_get_member_account_details(self, membership_id: str, account_ids: List[str]) -> Dict[str, Any]:
+        """Get member account details for multiple accounts."""
+        try:
+            response = self.sir_client.batch_get_member_account_details(
+                membershipId=membership_id,
+                accountIds=account_ids
+            )
+            return response
+        except ClientError as e:
+            logger.error(f"Error getting member account details for membership {membership_id} in {self.region}: {e}")
+            return {"Error": {"Code": e.response['Error']['Code'], "Message": e.response['Error']['Message']}}
+    def list_accounts(self) -> Dict[str, Any]:
+        """List all accounts in the organization."""
+        try:
+            response = self.org_client.list_accounts()
+            return response
+        except ClientError as e:
+            logger.error(f"Error listing organization accounts in {self.region}: {e}")
+            return {"Error": {"Code": e.response['Error']['Code'], "Message": e.response['Error']['Message']}}
+    def get_role(self, role_name: str) -> Dict[str, Any]:
+        """Get IAM role details."""
+        try:
+            response = self.iam_client.get_role(RoleName=role_name)
+            return response
+        except ClientError as e:
+            logger.error(f"Error getting role {role_name}: {e}")
+            return {"Error": {"Code": e.response['Error']['Code'], "Message": e.response['Error']['Message']}}

sraverify/services/securitylake/__init__.py ADDED Viewed

@@ -0,0 +1,39 @@
+"""Security Lake checks."""
+from sraverify.services.securitylake.checks.sra_securitylake_01 import SRA_SECURITYLAKE_01
+from sraverify.services.securitylake.checks.sra_securitylake_02 import SRA_SECURITYLAKE_02
+from sraverify.services.securitylake.checks.sra_securitylake_03 import SRA_SECURITYLAKE_03
+from sraverify.services.securitylake.checks.sra_securitylake_04 import SRA_SECURITYLAKE_04
+from sraverify.services.securitylake.checks.sra_securitylake_05 import SRA_SECURITYLAKE_05
+from sraverify.services.securitylake.checks.sra_securitylake_06 import SRA_SECURITYLAKE_06
+from sraverify.services.securitylake.checks.sra_securitylake_07 import SRA_SECURITYLAKE_07
+from sraverify.services.securitylake.checks.sra_securitylake_08 import SRA_SECURITYLAKE_08
+from sraverify.services.securitylake.checks.sra_securitylake_09 import SRA_SECURITYLAKE_09
+from sraverify.services.securitylake.checks.sra_securitylake_10 import SRA_SECURITYLAKE_10
+from sraverify.services.securitylake.checks.sra_securitylake_11 import SRA_SECURITYLAKE_11
+from sraverify.services.securitylake.checks.sra_securitylake_12 import SRA_SECURITYLAKE_12
+from sraverify.services.securitylake.checks.sra_securitylake_13 import SRA_SECURITYLAKE_13
+from sraverify.services.securitylake.checks.sra_securitylake_14 import SRA_SECURITYLAKE_14
+from sraverify.services.securitylake.checks.sra_securitylake_15 import SRA_SECURITYLAKE_15
+from sraverify.services.securitylake.checks.sra_securitylake_16 import SRA_SECURITYLAKE_16
+from sraverify.services.securitylake.checks.sra_securitylake_17 import SRA_SECURITYLAKE_17
+CHECKS = {
+    "SRA-SECURITYLAKE-01": SRA_SECURITYLAKE_01,
+    "SRA-SECURITYLAKE-02": SRA_SECURITYLAKE_02,
+    "SRA-SECURITYLAKE-03": SRA_SECURITYLAKE_03,
+    "SRA-SECURITYLAKE-04": SRA_SECURITYLAKE_04,
+    "SRA-SECURITYLAKE-05": SRA_SECURITYLAKE_05,
+    "SRA-SECURITYLAKE-06": SRA_SECURITYLAKE_06,
+    "SRA-SECURITYLAKE-07": SRA_SECURITYLAKE_07,
+    "SRA-SECURITYLAKE-08": SRA_SECURITYLAKE_08,
+    "SRA-SECURITYLAKE-09": SRA_SECURITYLAKE_09,
+    "SRA-SECURITYLAKE-10": SRA_SECURITYLAKE_10,
+    "SRA-SECURITYLAKE-11": SRA_SECURITYLAKE_11,
+    "SRA-SECURITYLAKE-12": SRA_SECURITYLAKE_12,
+    "SRA-SECURITYLAKE-13": SRA_SECURITYLAKE_13,
+    "SRA-SECURITYLAKE-14": SRA_SECURITYLAKE_14,
+    "SRA-SECURITYLAKE-15": SRA_SECURITYLAKE_15,
+    "SRA-SECURITYLAKE-16": SRA_SECURITYLAKE_16,
+    "SRA-SECURITYLAKE-17": SRA_SECURITYLAKE_17
+}