sraverify 0.1.0__py3-none-any.whl

sraverify/services/securitylake/checks/sra_securitylake_14.py

@@ -0,0 +1,72 @@
+"""Check if Security Lake has a delegated administrator."""
+
+from typing import List, Dict, Any
+from sraverify.services.securitylake.base import SecurityLakeCheck
+from sraverify.core.logging import logger
+
+
+class SRA_SECURITYLAKE_14(SecurityLakeCheck):
+    """Check if Security Lake has a delegated administrator."""
+
+    def __init__(self):
+        """Initialize check."""
+        super().__init__()
+        self.account_type = "management"  # Delegated admin check runs from management account
+        self.check_id = "SRA-SECURITYLAKE-14"
+        self.check_name = "Security Lake has delegated administrator"
+        self.severity = "CRITICAL"
+        self.description = (
+            "This check verifies whether Security Lake service administration for "
+            "the AWS Organization is delegated out from AWS Organization management "
+            "account to a member account."
+        )
+        self.check_logic = (
+            "Checks if Security Lake has a delegated administrator configured. "
+            "The check passes if at least one delegated administrator is found for the Security Lake service. "
+            "The check fails if no delegated administrator is configured."
+        )
+
+    def execute(self) -> List[Dict[str, Any]]:
+        """Run check."""
+        findings = []
+
+        # This is a global check, so we only need to run it once
+        # Use the first region just to make the API call
+        region = self.regions[0] if self.regions else "us-east-1"
+        resource_id = f"arn:aws:organizations::global:delegatedadministrator/securitylake"
+
+        # Get delegated administrators using the base class method
+        delegated_admin = self.get_delegated_administrators(region)
+
+        if not delegated_admin:
+            findings.append(
+                self.create_finding(
+                    status="FAIL",
+                    region="global",
+                    resource_id=resource_id,
+                    checked_value="Delegated administrator configured",
+                    actual_value="No delegated administrator configured for Security Lake",
+                    remediation=(
+                        "Configure a delegated administrator for Security Lake. In the AWS Organizations console, "
+                        "navigate to Services > Security Lake and delegate administration to a member account. "
+                        "Alternatively, use the AWS CLI command: "
+                        "aws organizations register-delegated-administrator --service-principal securitylake.amazonaws.com "
+                        "--account-id ACCOUNT_ID"
+                    )
+                )
+            )
+        else:
+            admin_info = delegated_admin[0] if delegated_admin else {}  # Get first admin if exists
+            admin_id = admin_info.get('Id', 'Unknown')
+            findings.append(
+                self.create_finding(
+                    status="PASS",
+                    region="global",
+                    resource_id=resource_id,
+                    checked_value="Delegated administrator configured",
+                    actual_value=f"Delegated administrator {admin_id} is configured for Security Lake",
+                    remediation="No remediation needed"
+                )
+            )
+
+        return findings

sraverify/services/securitylake/checks/sra_securitylake_15.py

@@ -0,0 +1,120 @@
+"""Check if Security Lake delegated admin is Log Archive account."""
+
+from typing import List, Dict, Any
+from sraverify.services.securitylake.base import SecurityLakeCheck
+from sraverify.core.logging import logger
+
+
+class SRA_SECURITYLAKE_15(SecurityLakeCheck):
+    """Check if Security Lake delegated admin is Log Archive account."""
+
+    def __init__(self):
+        """Initialize check."""
+        super().__init__()
+        self.account_type = "management"  # Delegated admin check runs from management account
+        self.check_id = "SRA-SECURITYLAKE-15"
+        self.check_name = "Security Lake delegated admin is log archive account"
+        self.severity = "CRITICAL"
+        self.description = (
+            "This check verifies whether Security Lake delegated admin account "
+            "is the Log Archive account of your AWS organization. The Log Archive "
+            "account is dedicated to ingesting and archiving all security-related "
+            "logs and backups."
+        )
+        self.check_logic = (
+            "Checks if the Security Lake delegated administrator is the Log Archive account. "
+            "The check passes if the delegated administrator account ID matches the Log Archive account ID. "
+            "The check fails if there is no delegated administrator or if the delegated administrator "
+            "is not the Log Archive account."
+        )
+        # Initialize log archive account attribute
+        self._log_archive_accounts = None
+
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+
+        Returns:
+            List of findings
+        """
+
+        # This is a global check, so we only need to run it once
+        # Use the first region just to make the API call
+        region = self.regions[0] if self.regions else "us-east-1"
+        resource_id = f"arn:aws:organizations::global:delegatedadministrator/securitylake"
+
+        # Check if Log Archive account ID is provided
+        if not hasattr(self, '_log_archive_accounts') or not self._log_archive_accounts:
+            self.findings.append(
+                self.create_finding(
+                    status="ERROR",
+                    region="global",
+                    resource_id=resource_id,
+                    checked_value="Delegated administrator is Log Archive account",
+                    actual_value="Log Archive Account ID not provided",
+                    remediation="Provide the Log Archive account ID using the --log-archive-account parameter"
+                )
+            )
+            return self.findings
+
+        # Use the first log archive account if multiple are provided
+        log_archive_account = self._log_archive_accounts[0]
+        logger.debug(f"Using Log Archive account: {log_archive_account}")
+
+        # Get delegated administrators using the base class method
+        delegated_admin = self.get_delegated_administrators(region)
+
+        if not delegated_admin:
+            self.findings.append(
+                self.create_finding(
+                    status="FAIL",
+                    region="global",
+                    resource_id=resource_id,
+                    checked_value=f"Delegated administrator is Log Archive account {log_archive_account}",
+                    actual_value="No delegated administrator configured for Security Lake",
+                    remediation=(
+                        f"Configure a delegated administrator for Security Lake and ensure it is the Log Archive account. "
+                        f"In the AWS Organizations console, navigate to Services > Security Lake and delegate "
+                        f"administration to the Log Archive account {log_archive_account}."
+                    )
+                )
+            )
+            return self.findings
+
+        # Get the delegated admin account ID
+        admin_info = delegated_admin[0] if delegated_admin else {}
+        admin_id = admin_info.get('Id', 'Unknown')
+
+        # Check if the delegated admin is the Log Archive account
+        if admin_id == log_archive_account:
+            self.findings.append(
+                self.create_finding(
+                    status="PASS",
+                    region="global",
+                    resource_id=resource_id,
+                    checked_value=f"Delegated administrator is Log Archive account {log_archive_account}",
+                    actual_value=f"Delegated administrator {admin_id} is the Log Archive account",
+                    remediation="No remediation needed"
+                )
+            )
+        else:
+            self.findings.append(
+                self.create_finding(
+                    status="FAIL",
+                    region="global",
+                    resource_id=resource_id,
+                    checked_value=f"Delegated administrator is Log Archive account {log_archive_account}",
+                    actual_value=f"Delegated administrator {admin_id} is not the Log Archive account {log_archive_account}",
+                    remediation=(
+                        f"Update the delegated administrator for Security Lake to be the Log Archive account. "
+                        f"1. Deregister the current delegated administrator: "
+                        f"aws organizations deregister-delegated-administrator --service-principal securitylake.amazonaws.com "
+                        f"--account-id {admin_id} "
+                        f"2. Register the Log Archive account: "
+                        f"aws organizations register-delegated-administrator --service-principal securitylake.amazonaws.com "
+                        f"--account-id {log_archive_account}"
+                    )
+                )
+            )
+
+        return self.findings

sraverify/services/securitylake/checks/sra_securitylake_16.py

@@ -0,0 +1,104 @@
+"""Check if Audit account has query access."""
+
+from typing import List, Dict, Any
+from sraverify.services.securitylake.base import SecurityLakeCheck
+from sraverify.core.logging import logger
+
+
+class SRA_SECURITYLAKE_16(SecurityLakeCheck):
+    """Check if Audit account has query access."""
+
+    def __init__(self):
+        """Initialize check."""
+        super().__init__()
+        self.check_id = "SRA-SECURITYLAKE-16"
+        self.check_name = "Security Lake audit account has query access"
+        self.severity = "HIGH"
+        self.description = (
+            "This check verifies whether the AWS Organization audit "
+            "account is set up as query access subscriber. These "
+            "subscribers directly query AWS Lake Formation tables in your S3 "
+            "bucket with services like Amazon Athena. Separation of log storage "
+            "(Log Archive account) and log access (audit account) "
+            "helps is separation of duties and helps in least privilege access."
+        )
+        self.check_logic = (
+            "Checks if the audit account is set up as a query access subscriber. "
+            "The check passes if there is at least one subscriber with type QUERY_ACCESS and "
+            "the account ID matches the audit account ID. "
+            "The check fails if no query access subscriber is found for the audit account."
+        )
+        self._audit_accounts = []
+
+    def execute(self) -> List[Dict[str, Any]]:
+        """Run check."""
+        findings = []
+
+        # Check if audit account ID is provided
+        if not self._audit_accounts:
+            logger.warning("Audit account ID not provided. Check cannot be completed.")
+            findings.append(
+                self.create_finding(
+                    status="ERROR",
+                    region="global",
+                    resource_id=f"arn:aws:securitylake::global:subscriber/query-access",
+                    checked_value="Security tooling account has query access",
+                    actual_value="Audit account ID not provided",
+                    remediation="Run sraverify with --audit-account parameter"
+                )
+            )
+            return findings
+
+        # Use the first audit account in the list
+        audit_account_id = self._audit_accounts[0]
+        logger.debug(f"Using audit account ID: {audit_account_id}")
+
+        # Check each region
+        for region in self.regions:
+            resource_id = f"arn:aws:securitylake:{region}:{self.account_id}:subscriber/query-access"
+
+            # Get subscribers using the base class method
+            subscribers = self.get_subscribers(region)
+
+            # Check if any subscriber is the audit account with query access
+            audit_subscriber = next(
+                (sub for sub in subscribers
+                 if "LAKEFORMATION" in sub.get("accessTypes", []) and
+                 sub.get("subscriberIdentity", {}).get("principal") == audit_account_id),
+                None
+            )
+
+            if not audit_subscriber:
+                logger.debug(f"Audit account is not set up as query access subscriber in {region}")
+                findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=resource_id,
+                        checked_value=f"Audit account {audit_account_id} has query access",
+                        actual_value=f"Audit account {audit_account_id} is not set up as query access subscriber",
+                        remediation=(
+                            f"Set up the audit account {audit_account_id} as a query access subscriber in Security Lake. "
+                            "In the Security Lake console, navigate to Subscribers > Create subscriber and select "
+                            f"the audit account {audit_account_id} with Query access type."
+                        )
+                    )
+                )
+            else:
+                # Get subscriber ID for resource ID
+                subscriber_id = audit_subscriber.get("subscriberId", "default")
+                resource_id = f"arn:aws:securitylake:{region}:{self.account_id}:subscriber/{subscriber_id}"
+
+                logger.debug(f"Audit account is set up as query access subscriber in {region}")
+                findings.append(
+                    self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=resource_id,
+                        checked_value=f"Audit account {audit_account_id} has query access",
+                        actual_value=f"Audit account {audit_account_id} is set up as query access subscriber",
+                        remediation="No remediation needed"
+                    )
+                )
+
+        return findings

sraverify/services/securitylake/checks/sra_securitylake_17.py

@@ -0,0 +1,103 @@
+"""Check if Audit account has data access."""
+
+from typing import List, Dict, Any
+from sraverify.services.securitylake.base import SecurityLakeCheck
+from sraverify.core.logging import logger
+
+
+class SRA_SECURITYLAKE_17(SecurityLakeCheck):
+    """Check if Audit account has data access."""
+
+    def __init__(self):
+        """Initialize check."""
+        super().__init__()
+        self.check_id = "SRA-SECURITYLAKE-17"
+        self.check_name = "Security Lake audit account has data access"
+        self.severity = "HIGH"
+        self.description = (
+            "This check verifies whether the AWS Organization "
+            "Audit account is set up as data access subscriber. These "
+            "subscribers can directly access the S3 objects and receive "
+            "notifications of new objects through a subscription endpoint or "
+            "by polling an Amazon SQS queue."
+        )
+        self.check_logic = (
+            "Checks if the audit account is set up as a data access subscriber. "
+            "The check passes if there is at least one subscriber with type DATA_ACCESS and "
+            "the account ID matches the audit account ID. "
+            "The check fails if no data access subscriber is found for the audit account."
+        )
+        self._audit_accounts = []
+
+    def execute(self) -> List[Dict[str, Any]]:
+        """Run check."""
+        findings = []
+
+        # Check if audit account ID is provided
+        if not self._audit_accounts:
+            logger.warning("Audit account ID not provided. Check cannot be completed.")
+            findings.append(
+                self.create_finding(
+                    status="ERROR",
+                    region="global",
+                    resource_id=f"arn:aws:securitylake::global:subscriber/data-access",
+                    checked_value="Security tooling account has data access",
+                    actual_value="Audit account ID not provided",
+                    remediation="Run sraverify with --audit-account parameter"
+                )
+            )
+            return findings
+
+        # Use the first audit account in the list
+        audit_account_id = self._audit_accounts[0]
+        logger.debug(f"Using audit account ID: {audit_account_id}")
+
+        # Check each region
+        for region in self.regions:
+            resource_id = f"arn:aws:securitylake:{region}:{self.account_id}:subscriber/data-access"
+
+            # Get subscribers using the base class method
+            subscribers = self.get_subscribers(region)
+
+            # Check if any subscriber is the audit account with data access
+            audit_subscriber = next(
+                (sub for sub in subscribers
+                 if "S3" in sub.get("accessTypes", []) and
+                 sub.get("subscriberIdentity", {}).get("principal") == audit_account_id),
+                None
+            )
+
+            if not audit_subscriber:
+                logger.debug(f"Audit account is not set up as data access subscriber in {region}")
+                findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=resource_id,
+                        checked_value=f"Audit account {audit_account_id} has data access",
+                        actual_value=f"Audit account {audit_account_id} is not set up as data access subscriber",
+                        remediation=(
+                            f"Set up the audit account {audit_account_id} as a data access subscriber in Security Lake. "
+                            "In the Security Lake console, navigate to Subscribers > Create subscriber and select "
+                            f"the audit account {audit_account_id} with Data access type."
+                        )
+                    )
+                )
+            else:
+                # Get subscriber ID for resource ID
+                subscriber_id = audit_subscriber.get("subscriberId", "default")
+                resource_id = f"arn:aws:securitylake:{region}:{self.account_id}:subscriber/{subscriber_id}"
+
+                logger.debug(f"Audit account is set up as data access subscriber in {region}")
+                findings.append(
+                    self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=resource_id,
+                        checked_value=f"Audit account {audit_account_id} has data access",
+                        actual_value=f"Audit account {audit_account_id} is set up as data access subscriber",
+                        remediation="No remediation needed"
+                    )
+                )
+
+        return findings

sraverify/services/securitylake/client.py

@@ -0,0 +1,247 @@
+"""Security Lake client for interacting with AWS Security Lake service."""
+
+from typing import Dict, List, Optional, Any
+import boto3
+from botocore.exceptions import ClientError
+from sraverify.core.logging import logger
+
+
+class SecurityLakeClient:
+    """Client for interacting with AWS Security Lake service."""
+
+    def __init__(self, region: str, session: Optional[boto3.Session] = None):
+        """
+        Initialize Security Lake client.
+
+        Args:
+            region: AWS region name
+            session: Optional boto3 session
+        """
+        self.region = region
+        self.session = session or boto3.Session()
+        self.client = self.session.client('securitylake', region_name=region)
+        self.org_client = self.session.client('organizations', region_name=region)
+
+    def is_security_lake_enabled(self):
+        """
+        Check if Security Lake is enabled in the region.
+
+        Returns:
+            True if enabled, False otherwise
+        """
+        try:
+            response = self.client.list_data_lakes(regions=[self.region])
+            data_lakes = response.get('dataLakes', [])
+            return len(data_lakes) > 0
+        except ClientError as e:
+            logger.debug(f"Error checking Security Lake status in {self.region}: {e}")
+            return False
+
+    def get_organization_configuration(self):
+        """
+        Get Security Lake organization configuration.
+
+        Returns:
+            Organization configuration or empty dict if error
+        """
+        try:
+            response = self.client.get_data_lake_organization_configuration()
+            return response
+        except self.client.exceptions.ResourceNotFoundException:
+            logger.debug(f"No organization configuration found in region {self.region}")
+            return {}
+        except ClientError as e:
+            logger.error(f"Error getting organization configuration in {self.region}: {e}")
+            return {}
+
+    def list_data_lakes(self):
+        """
+        List Security Lake data lakes.
+
+        Returns:
+            List of data lakes or empty list if error
+        """
+        try:
+            response = self.client.list_data_lakes(regions=[self.region])
+            return response.get("dataLakes", [])
+        except self.client.exceptions.ResourceNotFoundException:
+            logger.debug(f"No data lakes found in region {self.region}")
+            return []
+        except ClientError as e:
+            logger.error(f"Error listing data lakes in {self.region}: {e}")
+            return []
+
+    def list_log_sources(self, regions=None, accounts=None):
+        """
+        List enabled log sources with pagination support.
+
+        Args:
+            regions: List of regions to filter (optional)
+            accounts: List of account IDs to filter (optional)
+
+        Returns:
+            List of log sources or empty list if error
+        """
+        try:
+            params = {}
+            if regions:
+                params['regions'] = regions
+            if accounts:
+                params['accounts'] = accounts
+                
+            response = self.client.list_log_sources(**params)
+            log_sources = response.get("sources", [])
+
+            # Handle pagination
+            while response.get('nextToken'):
+                params['nextToken'] = response['nextToken']
+                response = self.client.list_log_sources(**params)
+                log_sources.extend(response.get("sources", []))
+
+            return log_sources
+        except self.client.exceptions.ResourceNotFoundException:
+            logger.debug(f"No log sources found in region {self.region}")
+            return []
+        except ClientError as e:
+            logger.error(f"Error listing log sources in {self.region}: {e}")
+            return []
+
+    def list_subscribers(self):
+        """
+        List Security Lake subscribers with pagination support.
+
+        Returns:
+            List of subscribers or empty list if error
+        """
+        try:
+            response = self.client.list_subscribers()
+            subscribers = response.get("subscribers", [])
+
+            # Handle pagination
+            while response.get('nextToken'):
+                response = self.client.list_subscribers(nextToken=response['nextToken'])
+                subscribers.extend(response.get("subscribers", []))
+
+            return subscribers
+        except self.client.exceptions.ResourceNotFoundException:
+            logger.debug(f"No subscribers found in region {self.region}")
+            return []
+        except ClientError as e:
+            logger.error(f"Error listing subscribers in {self.region}: {e}")
+            return []
+
+    def get_delegated_admin(self):
+        """
+        Get Security Lake delegated admin account.
+
+        Returns:
+            Delegated admin info or None if error
+        """
+        try:
+            response = self.org_client.list_delegated_administrators(ServicePrincipal="securitylake.amazonaws.com")
+            admins = response.get("DelegatedAdministrators", [])
+            return admins[0] if admins else None
+        except ClientError as e:
+            logger.error(f"Error getting delegated admin: {e}")
+            return None
+
+    def list_delegated_administrators(self, service_principal: str = "securitylake.amazonaws.com") -> List[Dict[str, Any]]:
+        """
+        List delegated administrators for SecurityLake.
+
+        Args:
+            service_principal: Service principal to check for delegated administrators
+
+        Returns:
+            List of delegated administrators or empty list if error
+        """
+        try:
+            response = self.org_client.list_delegated_administrators(ServicePrincipal=service_principal)
+            delegated_admins = response.get("DelegatedAdministrators", [])
+
+            logger.debug(f"Found {len(delegated_admins)} delegated administrators for {service_principal}")
+            for admin in delegated_admins:
+                logger.debug(f"Delegated admin: {admin.get('Id')} - {admin.get('Name')}")
+            return delegated_admins
+        except ClientError as e:
+            logger.error(f"Error listing delegated administrators for {service_principal}: {e}")
+            return []
+
+    def get_sqs_queue_encryption(self, queue_url):
+        """
+        Get SQS queue encryption settings.
+
+        Args:
+            queue_url: SQS queue URL
+
+        Returns:
+            KMS key ID or None if error
+        """
+        try:
+            sqs = self.session.client('sqs', region_name=self.region)
+            response = sqs.get_queue_attributes(
+                QueueUrl=queue_url,
+                AttributeNames=["KmsMasterKeyId"]
+            )
+            return response.get("Attributes", {}).get("KmsMasterKeyId")
+        except ClientError as e:
+            logger.error(f"Error getting SQS queue encryption for {queue_url}: {e}")
+            return None
+
+    def list_organization_accounts(self) -> List[Dict[str, Any]]:
+        """
+        List all accounts in the organization.
+
+        Returns:
+            List of organization accounts or empty list if error
+        """
+        try:
+            response = self.org_client.list_accounts()
+            accounts = response.get('Accounts', [])
+
+            # Handle pagination
+            while response.get('NextToken'):
+                response = self.org_client.list_accounts(NextToken=response['NextToken'])
+                accounts.extend(response.get('Accounts', []))
+
+            logger.debug(f"Found {len(accounts)} organization accounts")
+            return accounts
+        except ClientError as e:
+            logger.error(f"Error listing organization accounts: {e}")
+            return []
+
+    def get_data_lake_sources(self, account_id: str = None):
+        """
+        Get data lake sources for a specific account.
+        
+        Args:
+            account_id: AWS account ID string to check sources for
+            
+        Returns:
+            List of data lake sources or empty list if error
+        """
+        try:
+            request_body = {}
+            if account_id:
+                # Ensure account_id is a string (extract ID if it's a dict like SecurityHub pattern)
+                if isinstance(account_id, dict):
+                    if 'Id' in account_id:
+                        account_id = account_id['Id']
+                    else:
+                        logger.error(f"Cannot extract account ID from dict: {account_id}")
+                        return []
+                        
+                request_body["accounts"] = [account_id]
+                
+            response = self.client.get_data_lake_sources(**request_body)
+            return response.get("dataLakeSources", [])
+        except self.client.exceptions.ResourceNotFoundException:
+            logger.debug(f"No data lake sources found in region {self.region}")
+            return []
+        except ClientError as e:
+            # Use debug level for UnauthorizedException as it's expected when Security Lake isn't enabled
+            if e.response.get('Error', {}).get('Code') == 'UnauthorizedException':
+                logger.debug(f"Security Lake not enabled in {self.region}: {e}")
+            else:
+                logger.error(f"Error getting data lake sources in {self.region}: {e}")
+            return []

sraverify/services/shield/__init__.py

@@ -0,0 +1,33 @@
+"""Shield service checks."""
+
+from sraverify.services.shield.checks.sra_shield_01 import SRA_SHIELD_01
+from sraverify.services.shield.checks.sra_shield_02 import SRA_SHIELD_02
+from sraverify.services.shield.checks.sra_shield_03 import SRA_SHIELD_03
+from sraverify.services.shield.checks.sra_shield_04 import SRA_SHIELD_04
+from sraverify.services.shield.checks.sra_shield_05 import SRA_SHIELD_05
+from sraverify.services.shield.checks.sra_shield_06 import SRA_SHIELD_06
+from sraverify.services.shield.checks.sra_shield_07 import SRA_SHIELD_07
+from sraverify.services.shield.checks.sra_shield_08 import SRA_SHIELD_08
+from sraverify.services.shield.checks.sra_shield_09 import SRA_SHIELD_09
+from sraverify.services.shield.checks.sra_shield_10 import SRA_SHIELD_10
+from sraverify.services.shield.checks.sra_shield_11 import SRA_SHIELD_11
+from sraverify.services.shield.checks.sra_shield_12 import SRA_SHIELD_12
+from sraverify.services.shield.checks.sra_shield_13 import SRA_SHIELD_13
+from sraverify.services.shield.checks.sra_shield_14 import SRA_SHIELD_14
+
+CHECKS = {
+    "SRA-SHIELD-01": SRA_SHIELD_01,
+    "SRA-SHIELD-02": SRA_SHIELD_02,
+    "SRA-SHIELD-03": SRA_SHIELD_03,
+    "SRA-SHIELD-04": SRA_SHIELD_04,
+    "SRA-SHIELD-05": SRA_SHIELD_05,
+    "SRA-SHIELD-06": SRA_SHIELD_06,
+    "SRA-SHIELD-07": SRA_SHIELD_07,
+    "SRA-SHIELD-08": SRA_SHIELD_08,
+    "SRA-SHIELD-09": SRA_SHIELD_09,
+    "SRA-SHIELD-10": SRA_SHIELD_10,
+    "SRA-SHIELD-11": SRA_SHIELD_11,
+    "SRA-SHIELD-12": SRA_SHIELD_12,
+    "SRA-SHIELD-13": SRA_SHIELD_13,
+    "SRA-SHIELD-14": SRA_SHIELD_14,
+}