sraverify 0.1.0__py3-none-any.whl

sraverify/services/shield/checks/sra_shield_13.py

@@ -0,0 +1,112 @@
+"""
+Check if CloudWatch alarms exist for Shield Advanced protected CloudFront and Route53 resources.
+"""
+from typing import Dict, List, Any
+from sraverify.services.shield.base import ShieldCheck
+
+
+class SRA_SHIELD_13(ShieldCheck):
+    """Check if CloudWatch alarms exist for Shield Advanced protected CloudFront and Route53 resources."""
+
+    def __init__(self):
+        """Initialize Shield Advanced CloudWatch alarms check."""
+        super().__init__()
+        self.check_id = "SRA-SHIELD-13"
+        self.check_name = "CloudWatch alarms exist for Shield Advanced protected CloudFront and Route53 resources"
+        self.description = ("This check verifies that CloudWatch alarms are configured for "
+                           "Shield Advanced protected CloudFront distributions and Route53 hosted zones "
+                           "to monitor DDoS detection metrics (DDoSDetected).")
+        self.severity = "MEDIUM"
+        self.check_logic = ("List Shield protections for CloudFront and Route53 resources, "
+                           "then check if CloudWatch alarms exist for DDoSDetected metric.")
+
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+
+        Returns:
+            List of findings
+        """
+        # Shield metrics for CloudFront and Route53 are reported in us-east-1
+        region = "us-east-1"
+        protections = self.list_protections(region)
+
+        if "Error" in protections:
+            error_code = protections["Error"].get("Code", "")
+            if error_code == "ResourceNotFoundException":
+                self.findings.append(self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id=None,
+                    actual_value="Shield Advanced subscription not found",
+                    remediation="Enable Shield Advanced subscription to protect resources"
+                ))
+            else:
+                self.findings.append(self.create_finding(
+                    status="ERROR",
+                    region=region,
+                    resource_id=None,
+                    actual_value=protections["Error"].get("Message", "Unknown error"),
+                    remediation="Check IAM permissions for Shield API access"
+                ))
+        elif protections.get("Protections"):
+            # Filter for CloudFront and Route53 resources
+            cf_r53_protections = [
+                p for p in protections["Protections"]
+                if ("cloudfront" in p.get("ResourceArn", "").lower() or
+                    "route53" in p.get("ResourceArn", "").lower())
+            ]
+
+            if not cf_r53_protections:
+                self.findings.append(self.create_finding(
+                    status="PASS",
+                    region=region,
+                    resource_id="shield:cloudwatch-alarms",
+                    actual_value="No CloudFront or Route53 protected resources found",
+                    remediation=""
+                ))
+                return self.findings
+
+            # Check each resource for CloudWatch alarms
+            for protection in cf_r53_protections:
+                resource_arn = protection.get("ResourceArn", "")
+                protection_name = protection.get("Name", "Unknown")
+
+                # Check for DDoSDetected alarm
+                alarms = self.get_cloudwatch_alarms_for_resource(region, resource_arn)
+
+                if "Error" in alarms:
+                    self.findings.append(self.create_finding(
+                        status="ERROR",
+                        region=region,
+                        resource_id=resource_arn,
+                        actual_value=alarms["Error"].get("Message", "Unknown error"),
+                        remediation="Check IAM permissions for CloudWatch API access"
+                    ))
+                elif alarms.get("DDoSDetectedAlarms"):
+                    alarm_names = [alarm["AlarmName"] for alarm in alarms["DDoSDetectedAlarms"]]
+                    self.findings.append(self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=resource_arn,
+                        actual_value=f"DDoSDetected alarms configured: {', '.join(alarm_names)}",
+                        remediation=""
+                    ))
+                else:
+                    self.findings.append(self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=resource_arn,
+                        actual_value="No DDoSDetected CloudWatch alarms configured",
+                        remediation="Create CloudWatch alarm for DDoSDetected metric to monitor DDoS events"
+                    ))
+        else:
+            self.findings.append(self.create_finding(
+                status="PASS",
+                region=region,
+                resource_id=None,
+                actual_value="No Shield Advanced protections found",
+                remediation=""
+            ))
+
+        return self.findings

sraverify/services/shield/checks/sra_shield_14.py

@@ -0,0 +1,111 @@
+"""
+Check if Shield Advanced protected resources have automatic application layer DDoS mitigation enabled.
+"""
+from typing import Dict, List, Any
+from sraverify.services.shield.base import ShieldCheck
+
+
+class SRA_SHIELD_14(ShieldCheck):
+    """Check if Shield Advanced protected resources have automatic application layer DDoS mitigation enabled."""
+
+    def __init__(self):
+        """Initialize Shield Advanced automatic mitigation check."""
+        super().__init__()
+        self.check_id = "SRA-SHIELD-14"
+        self.check_name = "Shield Advanced protected resources have automatic application layer DDoS mitigation enabled"
+        self.description = ("This check verifies that Shield Advanced protected application layer resources "
+                           "(CloudFront distributions and Application Load Balancers) have automatic "
+                           "application layer DDoS mitigation enabled with Block action for effective protection.")
+        self.severity = "HIGH"
+        self.check_logic = ("List Shield protections and check ApplicationLayerAutomaticResponseConfiguration "
+                           "status and action for application layer resources.")
+
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+
+        Returns:
+            List of findings
+        """
+        # Shield is a global service, check only in us-east-1
+        region = "us-east-1"
+        protections = self.list_protections(region)
+
+        if "Error" in protections:
+            error_code = protections["Error"].get("Code", "")
+            if error_code == "ResourceNotFoundException":
+                self.findings.append(self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id=None,
+                    actual_value="Shield Advanced subscription not found",
+                    remediation="Enable Shield Advanced subscription to protect resources"
+                ))
+            else:
+                self.findings.append(self.create_finding(
+                    status="ERROR",
+                    region=region,
+                    resource_id=None,
+                    actual_value=protections["Error"].get("Message", "Unknown error"),
+                    remediation="Check IAM permissions for Shield API access"
+                ))
+        elif protections.get("Protections"):
+            # Filter for application layer resources (CloudFront and ALB)
+            app_layer_protections = [
+                p for p in protections["Protections"]
+                if ("cloudfront" in p.get("ResourceArn", "").lower() or
+                    "elasticloadbalancing" in p.get("ResourceArn", "").lower())
+            ]
+
+            if not app_layer_protections:
+                self.findings.append(self.create_finding(
+                    status="PASS",
+                    region=region,
+                    resource_id="shield:automatic-mitigation",
+                    actual_value="No application layer protected resources found",
+                    remediation=""
+                ))
+                return self.findings
+
+            # Check each application layer resource for automatic mitigation
+            for protection in app_layer_protections:
+                resource_arn = protection.get("ResourceArn", "")
+                
+                # Check if ApplicationLayerAutomaticResponseConfiguration exists in the protection
+                auto_response_config = protection.get("ApplicationLayerAutomaticResponseConfiguration")
+                
+                if auto_response_config and auto_response_config.get("Status") == "ENABLED":
+                    if "Block" in auto_response_config.get("Action", {}):
+                        self.findings.append(self.create_finding(
+                            status="PASS",
+                            region=region,
+                            resource_id=resource_arn,
+                            actual_value="Automatic mitigation enabled with Block action",
+                            remediation=""
+                        ))
+                    else:
+                        self.findings.append(self.create_finding(
+                            status="FAIL",
+                            region=region,
+                            resource_id=resource_arn,
+                            actual_value="Automatic mitigation enabled but using Count action",
+                            remediation="Change automatic mitigation action from Count to Block for effective protection"
+                        ))
+                else:
+                    self.findings.append(self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=resource_arn,
+                        actual_value="Automatic application layer DDoS mitigation not enabled",
+                        remediation="Enable automatic application layer DDoS mitigation with Block action in Shield Advanced console"
+                    ))
+        else:
+            self.findings.append(self.create_finding(
+                status="PASS",
+                region=region,
+                resource_id=None,
+                actual_value="No Shield Advanced protections found",
+                remediation=""
+            ))
+
+        return self.findings

sraverify/services/shield/client.py

@@ -0,0 +1,214 @@
+"""
+Shield client for interacting with AWS Shield service.
+"""
+from typing import Dict, Optional, Any
+import boto3
+from botocore.exceptions import ClientError
+from sraverify.core.logging import logger
+
+
+class ShieldClient:
+    """Client for interacting with AWS Shield service."""
+    
+    def __init__(self, region: str, session: Optional[boto3.Session] = None):
+        """
+        Initialize Shield client for a specific region.
+        
+        Args:
+            region: AWS region name
+            session: AWS session to use (if None, a new session will be created)
+        """
+        self.region = region
+        self.session = session or boto3.Session()
+        self.client = self.session.client('shield', region_name=region)
+    
+    def get_subscription_state(self) -> Dict[str, Any]:
+        """
+        Get Shield Advanced subscription state.
+        
+        Returns:
+            Dictionary containing subscription details or error information
+        """
+        try:
+            return self.client.describe_subscription()
+        except ClientError as e:
+            error_code = e.response.get('Error', {}).get('Code', '')
+            error_message = str(e)
+            logger.debug(f"Error getting Shield subscription in {self.region}: {error_message}")
+            return {
+                "Error": {
+                    "Code": error_code,
+                    "Message": error_message
+                }
+            }
+    
+    def get_subscription_status(self) -> Dict[str, Any]:
+        """
+        Get Shield Advanced subscription status (ACTIVE/INACTIVE).
+        
+        Returns:
+            Dictionary containing subscription state or error information
+        """
+        try:
+            return self.client.get_subscription_state()
+        except ClientError as e:
+            error_code = e.response.get('Error', {}).get('Code', '')
+            error_message = str(e)
+            logger.debug(f"Error getting Shield subscription state in {self.region}: {error_message}")
+            return {
+                "Error": {
+                    "Code": error_code,
+                    "Message": error_message
+                }
+            }
+    
+    def list_protections(self, resource_type: Optional[str] = None) -> Dict[str, Any]:
+        """
+        List Shield Advanced protections.
+        
+        Args:
+            resource_type: Optional resource type filter
+            
+        Returns:
+            Dictionary containing protections list or error information
+        """
+        try:
+            params = {}
+            if resource_type:
+                params['InclusionFilters'] = {'ResourceTypes': [resource_type]}
+            
+            return self.client.list_protections(**params)
+        except ClientError as e:
+            error_code = e.response.get('Error', {}).get('Code', '')
+            error_message = str(e)
+            logger.debug(f"Error listing Shield protections in {self.region}: {error_message}")
+            return {
+                "Error": {
+                    "Code": error_code,
+                    "Message": error_message
+                }
+            }
+    
+    def describe_drt_access(self) -> Dict[str, Any]:
+        """
+        Describe Shield Response Team (SRT) access configuration.
+        
+        Returns:
+            Dictionary containing DRT access details or error information
+        """
+        try:
+            return self.client.describe_drt_access()
+        except ClientError as e:
+            error_code = e.response.get('Error', {}).get('Code', '')
+            error_message = str(e)
+            logger.debug(f"Error describing DRT access in {self.region}: {error_message}")
+            return {
+                "Error": {
+                    "Code": error_code,
+                    "Message": error_message
+                }
+            }
+    
+    def get_lambda_function(self, function_name: str) -> Dict[str, Any]:
+        """
+        Get Lambda function details.
+        
+        Args:
+            function_name: Name of the Lambda function
+            
+        Returns:
+            Dictionary containing function details or error information
+        """
+        try:
+            lambda_client = self.session.client('lambda', region_name=self.region)
+            return lambda_client.get_function(FunctionName=function_name)
+        except ClientError as e:
+            error_code = e.response.get('Error', {}).get('Code', '')
+            error_message = str(e)
+            logger.debug(f"Error getting Lambda function {function_name} in {self.region}: {error_message}")
+            return {
+                "Error": {
+                    "Code": error_code,
+                    "Message": error_message
+                }
+            }
+    
+    def get_web_acl_for_resource(self, resource_arn: str) -> Dict[str, Any]:
+        """
+        Get WAF web ACL associated with a resource.
+        
+        Args:
+            resource_arn: ARN of the resource
+            
+        Returns:
+            Dictionary containing web ACL details or error information
+        """
+        try:
+            # For CloudFront distributions, use CloudFront API
+            if "cloudfront" in resource_arn.lower():
+                # Extract distribution ID from ARN: arn:aws:cloudfront::account:distribution/ID
+                distribution_id = resource_arn.split("/")[-1]
+                cloudfront_client = self.session.client('cloudfront', region_name='us-east-1')
+                response = cloudfront_client.get_distribution_config(Id=distribution_id)
+                web_acl_id = response.get('DistributionConfig', {}).get('WebACLId', '')
+                
+                if web_acl_id:
+                    return {"WebACL": {"Id": web_acl_id, "Name": f"WebACL-{web_acl_id}"}}
+                else:
+                    return {"Error": {"Code": "WAFNonexistentItemException", "Message": "No web ACL associated"}}
+            else:
+                # For other resources, use WAFv2 API
+                wafv2_client = self.session.client('wafv2', region_name=self.region)
+                return wafv2_client.get_web_acl_for_resource(ResourceArn=resource_arn)
+        except ClientError as e:
+            error_code = e.response.get('Error', {}).get('Code', '')
+            error_message = str(e)
+            logger.debug(f"Error getting web ACL for resource {resource_arn} in {self.region}: {error_message}")
+            return {
+                "Error": {
+                    "Code": error_code,
+                    "Message": error_message
+                }
+            }
+    
+    def get_cloudwatch_alarms_for_resource(self, resource_arn: str) -> Dict[str, Any]:
+        """
+        Get CloudWatch alarms for Shield Advanced DDoS metrics for a resource.
+        
+        Args:
+            resource_arn: ARN of the resource
+            
+        Returns:
+            Dictionary containing alarm details or error information
+        """
+        try:
+            cloudwatch_client = self.session.client('cloudwatch', region_name=self.region)
+            
+            # Look for alarms on DDoSDetected metric for this resource
+            response = cloudwatch_client.describe_alarms_for_metric(
+                MetricName='DDoSDetected',
+                Namespace='AWS/DDoSProtection',
+                Dimensions=[
+                    {
+                        'Name': 'ResourceArn',
+                        'Value': resource_arn
+                    }
+                ]
+            )
+            
+            ddos_alarms = response.get('MetricAlarms', [])
+            
+            return {
+                "DDoSDetectedAlarms": ddos_alarms
+            }
+            
+        except ClientError as e:
+            error_code = e.response.get('Error', {}).get('Code', '')
+            error_message = str(e)
+            logger.debug(f"Error getting CloudWatch alarms for resource {resource_arn} in {self.region}: {error_message}")
+            return {
+                "Error": {
+                    "Code": error_code,
+                    "Message": error_message
+                }
+            }

sraverify/services/waf/__init__.py

@@ -0,0 +1,21 @@
+from sraverify.services.waf.checks.sra_waf_01 import SRA_WAF_01
+from sraverify.services.waf.checks.sra_waf_02 import SRA_WAF_02
+from sraverify.services.waf.checks.sra_waf_03 import SRA_WAF_03
+from sraverify.services.waf.checks.sra_waf_04 import SRA_WAF_04
+from sraverify.services.waf.checks.sra_waf_05 import SRA_WAF_05
+from sraverify.services.waf.checks.sra_waf_06 import SRA_WAF_06
+from sraverify.services.waf.checks.sra_waf_07 import SRA_WAF_07
+from sraverify.services.waf.checks.sra_waf_08 import SRA_WAF_08
+from sraverify.services.waf.checks.sra_waf_09 import SRA_WAF_09
+
+CHECKS = {
+    "SRA-WAF-01": SRA_WAF_01,
+    "SRA-WAF-02": SRA_WAF_02,
+    "SRA-WAF-03": SRA_WAF_03,
+    "SRA-WAF-04": SRA_WAF_04,
+    "SRA-WAF-05": SRA_WAF_05,
+    "SRA-WAF-06": SRA_WAF_06,
+    "SRA-WAF-07": SRA_WAF_07,
+    "SRA-WAF-08": SRA_WAF_08,
+    "SRA-WAF-09": SRA_WAF_09,
+}

sraverify/services/waf/base.py

@@ -0,0 +1,100 @@
+from typing import Dict, Any
+from sraverify.core.check import SecurityCheck
+from sraverify.services.waf.client import WAFClient
+
+class WAFCheck(SecurityCheck):
+    def __init__(self):
+        super().__init__(
+            account_type="application",
+            service="WAF",
+            resource_type="AWS::ElasticLoadBalancingV2::LoadBalancer"
+        )
+        self._distributions_cache = {}
+        self._load_balancers_cache = {}
+        self._rest_apis_cache = {}
+        self._graphql_apis_cache = {}
+        self._user_pools_cache = {}
+        self._apprunner_services_cache = {}
+        self._verified_access_instances_cache = {}
+        self._amplify_apps_cache = {}
+        self._web_acls_cache = {}
+
+    def _setup_clients(self):
+        self._clients.clear()
+        # WAF for CloudFront is global, use us-east-1
+        self._clients['us-east-1'] = WAFClient('us-east-1', session=self.session)
+        # For ALB, API Gateway, AppSync, Cognito, App Runner, Verified Access, Amplify, and Web ACLs, create clients for all regions
+        if hasattr(self, 'regions') and self.regions:
+            for region in self.regions:
+                if region not in self._clients:
+                    self._clients[region] = WAFClient(region, session=self.session)
+
+    def get_distributions(self) -> Dict[str, Any]:
+        if not self._distributions_cache:
+            client = self.get_client('us-east-1')
+            if client:
+                self._distributions_cache = client.list_distributions()
+        return self._distributions_cache
+
+    def get_load_balancers(self, region: str) -> Dict[str, Any]:
+        if region not in self._load_balancers_cache:
+            client = self.get_client(region)
+            if client:
+                self._load_balancers_cache[region] = client.describe_load_balancers()
+        return self._load_balancers_cache.get(region, {})
+
+    def get_rest_apis(self, region: str) -> Dict[str, Any]:
+        if region not in self._rest_apis_cache:
+            client = self.get_client(region)
+            if client:
+                self._rest_apis_cache[region] = client.get_rest_apis()
+        return self._rest_apis_cache.get(region, {})
+
+    def get_stages(self, region: str, rest_api_id: str) -> Dict[str, Any]:
+        client = self.get_client(region)
+        if client:
+            return client.get_stages(rest_api_id)
+        return {"Error": {"Message": "No client available"}}
+
+    def get_graphql_apis(self, region: str) -> Dict[str, Any]:
+        if region not in self._graphql_apis_cache:
+            client = self.get_client(region)
+            if client:
+                self._graphql_apis_cache[region] = client.list_graphql_apis()
+        return self._graphql_apis_cache.get(region, {})
+
+    def get_user_pools(self, region: str) -> Dict[str, Any]:
+        if region not in self._user_pools_cache:
+            client = self.get_client(region)
+            if client:
+                self._user_pools_cache[region] = client.list_user_pools()
+        return self._user_pools_cache.get(region, {})
+
+    def get_apprunner_services(self, region: str) -> Dict[str, Any]:
+        if region not in self._apprunner_services_cache:
+            client = self.get_client(region)
+            if client:
+                self._apprunner_services_cache[region] = client.list_services()
+        return self._apprunner_services_cache.get(region, {})
+
+    def get_verified_access_instances(self, region: str) -> Dict[str, Any]:
+        if region not in self._verified_access_instances_cache:
+            client = self.get_client(region)
+            if client:
+                self._verified_access_instances_cache[region] = client.describe_verified_access_instances()
+        return self._verified_access_instances_cache.get(region, {})
+
+    def get_amplify_apps(self, region: str) -> Dict[str, Any]:
+        if region not in self._amplify_apps_cache:
+            client = self.get_client(region)
+            if client:
+                self._amplify_apps_cache[region] = client.list_apps()
+        return self._amplify_apps_cache.get(region, {})
+
+    def get_web_acls(self, region: str, scope: str = "REGIONAL") -> Dict[str, Any]:
+        cache_key = f"{region}_{scope}"
+        if cache_key not in self._web_acls_cache:
+            client = self.get_client(region)
+            if client:
+                self._web_acls_cache[cache_key] = client.list_web_acls(scope)
+        return self._web_acls_cache.get(cache_key, {})

sraverify/services/waf/checks/__init__.py

@@ -0,0 +1 @@
+# WAF security checks

sraverify/services/waf/checks/sra_waf_01.py

@@ -0,0 +1,63 @@
+from typing import Dict, List, Any
+from sraverify.services.waf.base import WAFCheck
+
+class SRA_WAF_01(WAFCheck):
+    def __init__(self):
+        super().__init__()
+        self.resource_type = "AWS::CloudFront::Distribution"
+        self.check_id = "SRA-WAF-01"
+        self.check_name = "CloudFront distributions should be associated with AWS WAF"
+        self.description = "Ensures that all CloudFront distributions are protected by AWS WAF web ACLs to filter malicious traffic"
+        self.severity = "HIGH"
+        self.check_logic = "Lists all CloudFront distributions and verifies each has a WebACLId configured"
+
+    def execute(self) -> List[Dict[str, Any]]:
+        region = "us-east-1"  # CloudFront is global service
+
+        distributions_response = self.get_distributions()
+
+        if "Error" in distributions_response:
+            self.findings.append(self.create_finding(
+                status="ERROR",
+                region=region,
+                resource_id=None,
+                actual_value=distributions_response["Error"].get("Message", "Unknown error"),
+                remediation="Check IAM permissions for CloudFront API access"
+            ))
+            return self.findings
+
+        distribution_list = distributions_response.get("DistributionList", {})
+        distributions = distribution_list.get("Items", [])
+
+        if not distributions:
+            self.findings.append(self.create_finding(
+                status="PASS",
+                region=region,
+                resource_id="No distributions",
+                actual_value="No CloudFront distributions found",
+                remediation="No action needed"
+            ))
+            return self.findings
+
+        for distribution in distributions:
+            distribution_id = distribution.get("Id")
+            web_acl_id = distribution.get("WebACLId")
+
+            if web_acl_id:
+                self.findings.append(self.create_finding(
+                    status="PASS",
+                    region=region,
+                    resource_id=distribution_id,
+                    actual_value=f"WAF Web ACL associated: {web_acl_id}",
+                    remediation="No action needed"
+                ))
+            else:
+                self.findings.append(self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id=distribution_id,
+                    actual_value="No WAF Web ACL associated",
+                    remediation="Associate a WAF Web ACL with this CloudFront distribution using the AWS Console, CLI, or API"
+                ))
+
+        return self.findings