sraverify 0.1.0__py3-none-any.whl

sraverify/services/shield/base.py

@@ -0,0 +1,199 @@
+"""
+Base class for Shield security checks.
+"""
+from typing import Dict, Any
+from sraverify.core.check import SecurityCheck
+from sraverify.services.shield.client import ShieldClient
+from sraverify.core.logging import logger
+
+
+class ShieldCheck(SecurityCheck):
+    """Base class for all Shield security checks."""
+    
+    # Class-level cache shared across all instances
+    _subscription_cache = {}
+    
+    def __init__(self):
+        """Initialize Shield base check."""
+        super().__init__(
+            account_type="application",
+            service="Shield",
+            resource_type="AWS::Shield::Subscription"
+        )
+    
+    def _setup_clients(self):
+        """Set up Shield clients for each region."""
+        self._clients.clear()
+        if hasattr(self, 'regions') and self.regions:
+            for region in self.regions:
+                self._clients[region] = ShieldClient(region, session=self.session)
+    
+    def get_subscription_state(self, region: str) -> Dict[str, Any]:
+        """
+        Get Shield Advanced subscription state with caching.
+        
+        Args:
+            region: AWS region name
+            
+        Returns:
+            Dictionary containing subscription details or empty dict if not available
+        """
+        cache_key = f"{self.session.region_name}:{region}"
+        if cache_key in ShieldCheck._subscription_cache:
+            logger.debug(f"Shield: Using cached subscription state for {region}")
+            return ShieldCheck._subscription_cache[cache_key]
+        
+        client = self.get_client(region)
+        if not client:
+            logger.warning(f"Shield: No Shield client available for region {region}")
+            return {}
+        
+        logger.debug(f"Shield: Fetching subscription state for {region}")
+        subscription = client.get_subscription_state()
+        
+        ShieldCheck._subscription_cache[cache_key] = subscription
+        logger.debug(f"Shield: Cached subscription state for {region}")
+        
+        return subscription
+    
+    def get_subscription_status(self, region: str) -> Dict[str, Any]:
+        """
+        Get Shield Advanced subscription status (ACTIVE/INACTIVE) with caching.
+        
+        Args:
+            region: AWS region name
+            
+        Returns:
+            Dictionary containing subscription status or empty dict if not available
+        """
+        cache_key = f"status:{self.session.region_name}:{region}"
+        if cache_key in ShieldCheck._subscription_cache:
+            logger.debug(f"Shield: Using cached subscription status for {region}")
+            return ShieldCheck._subscription_cache[cache_key]
+        
+        client = self.get_client(region)
+        if not client:
+            logger.warning(f"Shield: No Shield client available for region {region}")
+            return {}
+        
+        logger.debug(f"Shield: Fetching subscription status for {region}")
+        status = client.get_subscription_status()
+        
+        ShieldCheck._subscription_cache[cache_key] = status
+        logger.debug(f"Shield: Cached subscription status for {region}")
+        
+        return status
+    
+    def list_protections(self, region: str, resource_type: str = None) -> Dict[str, Any]:
+        """
+        List Shield Advanced protections with caching.
+        
+        Args:
+            region: AWS region name
+            resource_type: Optional resource type filter
+            
+        Returns:
+            Dictionary containing protections list or empty dict if not available
+        """
+        cache_key = f"protections:{self.session.region_name}:{region}:{resource_type or 'all'}"
+        if cache_key in ShieldCheck._subscription_cache:
+            logger.debug(f"Shield: Using cached protections for {region}")
+            return ShieldCheck._subscription_cache[cache_key]
+        
+        client = self.get_client(region)
+        if not client:
+            logger.warning(f"Shield: No Shield client available for region {region}")
+            return {}
+        
+        logger.debug(f"Shield: Listing protections for {region}")
+        protections = client.list_protections(resource_type)
+        
+        ShieldCheck._subscription_cache[cache_key] = protections
+        logger.debug(f"Shield: Cached protections for {region}")
+        
+        return protections
+    
+    def describe_drt_access(self, region: str) -> Dict[str, Any]:
+        """
+        Describe Shield Response Team (SRT) access configuration with caching.
+        
+        Args:
+            region: AWS region name
+            
+        Returns:
+            Dictionary containing DRT access details or empty dict if not available
+        """
+        cache_key = f"drt_access:{self.session.region_name}:{region}"
+        if cache_key in ShieldCheck._subscription_cache:
+            logger.debug(f"Shield: Using cached DRT access for {region}")
+            return ShieldCheck._subscription_cache[cache_key]
+        
+        client = self.get_client(region)
+        if not client:
+            logger.warning(f"Shield: No Shield client available for region {region}")
+            return {}
+        
+        logger.debug(f"Shield: Describing DRT access for {region}")
+        drt_access = client.describe_drt_access()
+        
+        ShieldCheck._subscription_cache[cache_key] = drt_access
+        logger.debug(f"Shield: Cached DRT access for {region}")
+        
+        return drt_access
+    
+    def get_lambda_function(self, region: str, function_name: str) -> Dict[str, Any]:
+        """
+        Get Lambda function details.
+        
+        Args:
+            region: AWS region name
+            function_name: Name of the Lambda function
+            
+        Returns:
+            Dictionary containing function details or empty dict if not available
+        """
+        client = self.get_client(region)
+        if not client:
+            logger.warning(f"Shield: No Shield client available for region {region}")
+            return {}
+        
+        logger.debug(f"Shield: Getting Lambda function {function_name} for {region}")
+        return client.get_lambda_function(function_name)
+    
+    def get_web_acl_for_resource(self, region: str, resource_arn: str) -> Dict[str, Any]:
+        """
+        Get WAF web ACL associated with a resource.
+        
+        Args:
+            region: AWS region name
+            resource_arn: ARN of the resource
+            
+        Returns:
+            Dictionary containing web ACL details or empty dict if not available
+        """
+        client = self.get_client(region)
+        if not client:
+            logger.warning(f"Shield: No Shield client available for region {region}")
+            return {}
+        
+        logger.debug(f"Shield: Getting web ACL for resource {resource_arn} in {region}")
+        return client.get_web_acl_for_resource(resource_arn)
+    
+    def get_cloudwatch_alarms_for_resource(self, region: str, resource_arn: str) -> Dict[str, Any]:
+        """
+        Get CloudWatch alarms for Shield Advanced DDoS metrics for a resource.
+        
+        Args:
+            region: AWS region name
+            resource_arn: ARN of the resource
+            
+        Returns:
+            Dictionary containing alarm details or empty dict if not available
+        """
+        client = self.get_client(region)
+        if not client:
+            logger.warning(f"Shield: No Shield client available for region {region}")
+            return {}
+        
+        logger.debug(f"Shield: Getting CloudWatch alarms for resource {resource_arn} in {region}")
+        return client.get_cloudwatch_alarms_for_resource(resource_arn)

sraverify/services/shield/checks/__init__.py

@@ -0,0 +1 @@
+"""Shield checks module."""

sraverify/services/shield/checks/sra_shield_01.py

@@ -0,0 +1,68 @@
+"""
+Check if Shield Advanced is enabled.
+"""
+from typing import Dict, List, Any
+from sraverify.services.shield.base import ShieldCheck
+
+
+class SRA_SHIELD_01(ShieldCheck):
+    """Check if Shield Advanced is enabled."""
+
+    def __init__(self):
+        """Initialize Shield Advanced enabled check."""
+        super().__init__()
+        self.check_id = "SRA-SHIELD-01"
+        self.check_name = "Shield Advanced is enabled"
+        self.description = ("This check verifies that AWS Shield Advanced is enabled. "
+                           "Shield Advanced provides enhanced DDoS protection for your AWS resources "
+                           "and includes 24/7 access to the AWS DDoS Response Team (DRT).")
+        self.severity = "HIGH"
+        self.check_logic = "Get Shield subscription state. Check fails if subscription is not active."
+
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+
+        Returns:
+            List of findings
+        """
+        # Shield is a global service, check only in us-east-1
+        region = "us-east-1"
+        status = self.get_subscription_status(region)
+
+        if "Error" in status:
+            error_code = status["Error"].get("Code", "")
+            if error_code == "ResourceNotFoundException":
+                self.findings.append(self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id=None,
+                    actual_value="Shield Advanced not subscribed",
+                    remediation="Enable Shield Advanced subscription in the AWS Shield console"
+                ))
+            else:
+                self.findings.append(self.create_finding(
+                    status="ERROR",
+                    region=region,
+                    resource_id=None,
+                    actual_value=status["Error"].get("Message", "Unknown error"),
+                    remediation="Check IAM permissions for Shield API access"
+                ))
+        elif status.get("SubscriptionState") == "ACTIVE":
+            self.findings.append(self.create_finding(
+                status="PASS",
+                region=region,
+                resource_id="shield:subscription",
+                actual_value="Shield Advanced is active",
+                remediation=""
+            ))
+        else:
+            self.findings.append(self.create_finding(
+                status="FAIL",
+                region=region,
+                resource_id=None,
+                actual_value=f"Subscription state: {status.get('SubscriptionState', 'Unknown')}",
+                remediation="Enable Shield Advanced subscription in the AWS Shield console"
+            ))
+
+        return self.findings

sraverify/services/shield/checks/sra_shield_02.py

@@ -0,0 +1,77 @@
+"""
+Check if Shield Advanced auto-renew is enabled.
+"""
+from typing import Dict, List, Any
+from sraverify.services.shield.base import ShieldCheck
+
+
+class SRA_SHIELD_02(ShieldCheck):
+    """Check if Shield Advanced auto-renew is enabled."""
+
+    def __init__(self):
+        """Initialize Shield Advanced auto-renew check."""
+        super().__init__()
+        self.check_id = "SRA-SHIELD-02"
+        self.check_name = "Shield Advanced auto-renew is enabled"
+        self.description = ("This check verifies that AWS Shield Advanced subscription "
+                           "has auto-renew enabled to ensure continuous protection.")
+        self.severity = "MEDIUM"
+        self.check_logic = "Get Shield subscription details. Check fails if auto-renew is disabled."
+
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+
+        Returns:
+            List of findings
+        """
+        # Shield is a global service, check only in us-east-1
+        region = "us-east-1"
+        subscription = self.get_subscription_state(region)
+
+        if "Error" in subscription:
+            error_code = subscription["Error"].get("Code", "")
+            if error_code == "ResourceNotFoundException":
+                self.findings.append(self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id=None,
+                    actual_value="Shield Advanced not subscribed",
+                    remediation="Enable Shield Advanced subscription in the AWS Shield console"
+                ))
+            else:
+                self.findings.append(self.create_finding(
+                    status="ERROR",
+                    region=region,
+                    resource_id=None,
+                    actual_value=subscription["Error"].get("Message", "Unknown error"),
+                    remediation="Check IAM permissions for Shield API access"
+                ))
+        elif "Subscription" in subscription:
+            auto_renew = subscription["Subscription"].get("AutoRenew", "")
+            if auto_renew == "ENABLED":
+                self.findings.append(self.create_finding(
+                    status="PASS",
+                    region=region,
+                    resource_id="shield:subscription",
+                    actual_value="Auto-renew is enabled",
+                    remediation=""
+                ))
+            else:
+                self.findings.append(self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id="shield:subscription",
+                    actual_value=f"Auto-renew is {auto_renew}",
+                    remediation="Enable auto-renew for Shield Advanced subscription using UpdateSubscription API"
+                ))
+        else:
+            self.findings.append(self.create_finding(
+                status="FAIL",
+                region=region,
+                resource_id=None,
+                actual_value="Shield Advanced subscription not found",
+                remediation="Enable Shield Advanced subscription in the AWS Shield console"
+            ))
+
+        return self.findings

sraverify/services/shield/checks/sra_shield_03.py

@@ -0,0 +1,84 @@
+"""
+Check if Shield Advanced is configured for CloudFront distributions.
+"""
+from typing import Dict, List, Any
+from sraverify.services.shield.base import ShieldCheck
+
+
+class SRA_SHIELD_03(ShieldCheck):
+    """Check if Shield Advanced is configured for CloudFront distributions."""
+
+    def __init__(self):
+        """Initialize Shield Advanced CloudFront protection check."""
+        super().__init__()
+        self.check_id = "SRA-SHIELD-03"
+        self.check_name = "Shield Advanced is configured for CloudFront distributions"
+        self.description = ("This check verifies that AWS Shield Advanced is protecting "
+                            "at least one CloudFront distribution.")
+        self.severity = "HIGH"
+        self.check_logic = ("List Shield protections filtered by CloudFront resource type. "
+                            "Check fails if no CloudFront distributions are protected.")
+
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+
+        Returns:
+            List of findings
+        """
+        # Shield is a global service, check only in us-east-1
+        region = "us-east-1"
+        protections = self.list_protections(region)
+
+        if "Error" in protections:
+            error_code = protections["Error"].get("Code", "")
+            if error_code == "ResourceNotFoundException":
+                self.findings.append(self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id=None,
+                    actual_value="Shield Advanced subscription not found",
+                    remediation="Enable Shield Advanced subscription to protect resources"
+                ))
+            else:
+                self.findings.append(self.create_finding(
+                    status="ERROR",
+                    region=region,
+                    resource_id=None,
+                    actual_value=protections["Error"].get("Message", "Unknown error"),
+                    remediation="Check IAM permissions for Shield API access"
+                ))
+        elif protections.get("Protections"):
+            # Filter for CloudFront distributions by checking ResourceArn
+            cloudfront_protections = [
+                p for p in protections["Protections"]
+                if "cloudfront" in p.get("ResourceArn", "").lower()
+            ]
+
+            if cloudfront_protections:
+                protected_count = len(cloudfront_protections)
+                self.findings.append(self.create_finding(
+                    status="PASS",
+                    region=region,
+                    resource_id="shield:cloudfront-protections",
+                    actual_value=f"{protected_count} CloudFront distribution(s) protected",
+                    remediation=""
+                ))
+            else:
+                self.findings.append(self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id=None,
+                    actual_value="No CloudFront distributions protected",
+                    remediation="Enable Shield Advanced protection for CloudFront distributions in the AWS Shield console"
+                ))
+        else:
+            self.findings.append(self.create_finding(
+                status="FAIL",
+                region=region,
+                resource_id=None,
+                actual_value="No CloudFront distributions protected",
+                remediation="Enable Shield Advanced protection for CloudFront distributions in the AWS Shield console"
+            ))
+
+        return self.findings

sraverify/services/shield/checks/sra_shield_04.py

@@ -0,0 +1,84 @@
+"""
+Check if Shield Advanced is configured for load balancers.
+"""
+from typing import Dict, List, Any
+from sraverify.services.shield.base import ShieldCheck
+
+
+class SRA_SHIELD_04(ShieldCheck):
+    """Check if Shield Advanced is configured for load balancers."""
+
+    def __init__(self):
+        """Initialize Shield Advanced load balancer protection check."""
+        super().__init__()
+        self.check_id = "SRA-SHIELD-04"
+        self.check_name = "Shield Advanced is configured for load balancers"
+        self.description = ("This check verifies that AWS Shield Advanced is protecting "
+                            "at least one load balancer (Application or Classic Load Balancer).")
+        self.severity = "HIGH"
+        self.check_logic = ("List Shield protections and filter by load balancer ARNs. "
+                            "Check fails if no load balancers are protected.")
+
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+
+        Returns:
+            List of findings
+        """
+        # Shield is a global service, check only in us-east-1
+        region = "us-east-1"
+        protections = self.list_protections(region)
+
+        if "Error" in protections:
+            error_code = protections["Error"].get("Code", "")
+            if error_code == "ResourceNotFoundException":
+                self.findings.append(self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id=None,
+                    actual_value="Shield Advanced subscription not found",
+                    remediation="Enable Shield Advanced subscription to protect resources"
+                ))
+            else:
+                self.findings.append(self.create_finding(
+                    status="ERROR",
+                    region=region,
+                    resource_id=None,
+                    actual_value=protections["Error"].get("Message", "Unknown error"),
+                    remediation="Check IAM permissions for Shield API access"
+                ))
+        elif protections.get("Protections"):
+            # Filter for load balancers by checking ResourceArn
+            lb_protections = [
+                p for p in protections["Protections"]
+                if "elasticloadbalancing" in p.get("ResourceArn", "").lower()
+            ]
+
+            if lb_protections:
+                protected_count = len(lb_protections)
+                self.findings.append(self.create_finding(
+                    status="PASS",
+                    region=region,
+                    resource_id="shield:loadbalancer-protections",
+                    actual_value=f"{protected_count} load balancer(s) protected",
+                    remediation=""
+                ))
+            else:
+                self.findings.append(self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id=None,
+                    actual_value="No load balancers protected",
+                    remediation="Enable Shield Advanced protection for Application or Classic Load Balancers in the AWS Shield console"
+                ))
+        else:
+            self.findings.append(self.create_finding(
+                status="FAIL",
+                region=region,
+                resource_id=None,
+                actual_value="No load balancers protected",
+                remediation="Enable Shield Advanced protection for Application or Classic Load Balancers in the AWS Shield console"
+            ))
+
+        return self.findings

sraverify/services/shield/checks/sra_shield_05.py

@@ -0,0 +1,84 @@
+"""
+Check if Shield Advanced is configured for Elastic IP addresses.
+"""
+from typing import Dict, List, Any
+from sraverify.services.shield.base import ShieldCheck
+
+
+class SRA_SHIELD_05(ShieldCheck):
+    """Check if Shield Advanced is configured for Elastic IP addresses."""
+
+    def __init__(self):
+        """Initialize Shield Advanced Elastic IP protection check."""
+        super().__init__()
+        self.check_id = "SRA-SHIELD-05"
+        self.check_name = "Shield Advanced is configured for Elastic IP addresses"
+        self.description = ("This check verifies that AWS Shield Advanced is protecting "
+                            "at least one Elastic IP address.")
+        self.severity = "HIGH"
+        self.check_logic = ("List Shield protections and filter by Elastic IP ARNs. "
+                            "Check fails if no Elastic IP addresses are protected.")
+
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+
+        Returns:
+            List of findings
+        """
+        # Shield is a global service, check only in us-east-1
+        region = "us-east-1"
+        protections = self.list_protections(region)
+
+        if "Error" in protections:
+            error_code = protections["Error"].get("Code", "")
+            if error_code == "ResourceNotFoundException":
+                self.findings.append(self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id=None,
+                    actual_value="Shield Advanced subscription not found",
+                    remediation="Enable Shield Advanced subscription to protect resources"
+                ))
+            else:
+                self.findings.append(self.create_finding(
+                    status="ERROR",
+                    region=region,
+                    resource_id=None,
+                    actual_value=protections["Error"].get("Message", "Unknown error"),
+                    remediation="Check IAM permissions for Shield API access"
+                ))
+        elif protections.get("Protections"):
+            # Filter for Elastic IPs by checking ResourceArn
+            eip_protections = [
+                p for p in protections["Protections"]
+                if "eip-allocation" in p.get("ResourceArn", "").lower()
+            ]
+
+            if eip_protections:
+                protected_count = len(eip_protections)
+                self.findings.append(self.create_finding(
+                    status="PASS",
+                    region=region,
+                    resource_id="shield:eip-protections",
+                    actual_value=f"{protected_count} Elastic IP address(es) protected",
+                    remediation=""
+                ))
+            else:
+                self.findings.append(self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id=None,
+                    actual_value="No Elastic IP addresses protected",
+                    remediation="Enable Shield Advanced protection for Elastic IP addresses in the AWS Shield console"
+                ))
+        else:
+            self.findings.append(self.create_finding(
+                status="FAIL",
+                region=region,
+                resource_id=None,
+                actual_value="No Elastic IP addresses protected",
+                remediation="Enable Shield Advanced protection for Elastic IP addresses in the AWS Shield console"
+            ))
+
+        return self.findings