sraverify 0.1.0__py3-none-any.whl

sraverify/services/waf/checks/sra_waf_02.py

@@ -0,0 +1,82 @@
+from typing import Dict, List, Any
+from sraverify.services.waf.base import WAFCheck
+
+class SRA_WAF_02(WAFCheck):
+    def __init__(self):
+        super().__init__()
+        self.check_id = "SRA-WAF-02"
+        self.check_name = "Application Load Balancers should be associated with AWS WAF"
+        self.description = "Ensures that all Application Load Balancers are protected by AWS WAF web ACLs to filter malicious traffic"
+        self.severity = "HIGH"
+        self.check_logic = "Lists all Application Load Balancers and verifies each has a WAF web ACL associated"
+
+    def execute(self) -> List[Dict[str, Any]]:
+        for region in self.regions:
+            load_balancers_response = self.get_load_balancers(region)
+
+            if "Error" in load_balancers_response:
+                self.findings.append(self.create_finding(
+                    status="ERROR",
+                    region=region,
+                    resource_id=None,
+                    actual_value=load_balancers_response["Error"].get("Message", "Unknown error"),
+                    remediation="Check IAM permissions for ELB and WAF API access"
+                ))
+                continue
+
+            load_balancers = load_balancers_response.get("LoadBalancers", [])
+            
+            # Filter for Application Load Balancers only
+            albs = [lb for lb in load_balancers if lb.get("Type") == "application"]
+
+            if not albs:
+                self.findings.append(self.create_finding(
+                    status="PASS",
+                    region=region,
+                    resource_id="No ALBs",
+                    actual_value="No Application Load Balancers found",
+                    remediation="No action needed"
+                ))
+                continue
+
+            for alb in albs:
+                alb_arn = alb.get("LoadBalancerArn")
+                alb_name = alb.get("LoadBalancerName")
+                
+                client = self.get_client(region)
+                if not client:
+                    continue
+
+                web_acl_response = client.get_web_acl_for_resource(alb_arn)
+
+                if "Error" in web_acl_response:
+                    self.findings.append(self.create_finding(
+                        status="ERROR",
+                        region=region,
+                        resource_id=alb_name,
+                        actual_value=web_acl_response["Error"].get("Message", "Unknown error"),
+                        remediation="Check IAM permissions for WAF API access"
+                    ))
+                    continue
+
+                web_acl = web_acl_response.get("WebACL")
+
+                if web_acl:
+                    web_acl_name = web_acl.get("Name", "Unknown")
+                    self.findings.append(self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=alb_name,
+                        actual_value=f"WAF Web ACL associated: {web_acl_name}",
+                        remediation="No action needed"
+                    ))
+                else:
+                    self.findings.append(self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=alb_name,
+                        actual_value="No WAF Web ACL associated",
+                        remediation="Associate a WAF Web ACL with this Application Load Balancer using the AWS Console, CLI, or API"
+                    ))
+
+        return self.findings

sraverify/services/waf/checks/sra_waf_03.py

@@ -0,0 +1,123 @@
+from typing import Dict, List, Any
+from sraverify.services.waf.base import WAFCheck
+
+class SRA_WAF_03(WAFCheck):
+    def __init__(self):
+        super().__init__()
+        self.resource_type = "AWS::ApiGateway::RestApi"
+        self.check_id = "SRA-WAF-03"
+        self.check_name = "API Gateway REST APIs should be associated with AWS WAF"
+        self.description = "Ensures that all API Gateway REST APIs are protected by AWS WAF web ACLs to filter malicious traffic"
+        self.severity = "HIGH"
+        self.check_logic = "Lists all API Gateway REST APIs and verifies each has a WAF web ACL associated"
+
+    def execute(self) -> List[Dict[str, Any]]:
+        for region in self.regions:
+            rest_apis_response = self.get_rest_apis(region)
+
+            if "Error" in rest_apis_response:
+                self.findings.append(self.create_finding(
+                    status="ERROR",
+                    region=region,
+                    resource_id=None,
+                    actual_value=rest_apis_response["Error"].get("Message", "Unknown error"),
+                    remediation="Check IAM permissions for API Gateway and WAF API access"
+                ))
+                continue
+
+            rest_apis = rest_apis_response.get("items", [])
+
+            if not rest_apis:
+                self.findings.append(self.create_finding(
+                    status="PASS",
+                    region=region,
+                    resource_id="No REST APIs",
+                    actual_value="No API Gateway REST APIs found",
+                    remediation="No action needed"
+                ))
+                continue
+
+            for api in rest_apis:
+                api_id = api.get("id")
+                api_name = api.get("name")
+                
+                # Get all stages for this API
+                stages_response = self.get_stages(region, api_id)
+                
+                if "Error" in stages_response:
+                    self.findings.append(self.create_finding(
+                        status="ERROR",
+                        region=region,
+                        resource_id=api_name or api_id,
+                        actual_value=stages_response["Error"].get("Message", "Unknown error"),
+                        remediation="Check IAM permissions for API Gateway access"
+                    ))
+                    continue
+                
+                stages = stages_response.get("item", [])
+                
+                if not stages:
+                    self.findings.append(self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=api_name or api_id,
+                        actual_value="No stages deployed",
+                        remediation="Deploy the API to a stage and associate a WAF Web ACL"
+                    ))
+                    continue
+                
+                # Check each stage for WAF association
+                for stage in stages:
+                    stage_name = stage.get("stageName")
+                    resource_id = f"{api_name or api_id}/{stage_name}"
+                    
+                    # Construct the API Gateway stage ARN for WAF association check
+                    api_arn = f"arn:aws:apigateway:{region}::/restapis/{api_id}/stages/{stage_name}"
+                    
+                    client = self.get_client(region)
+                    if not client:
+                        continue
+
+                    web_acl_response = client.get_web_acl_for_resource(api_arn)
+
+                    if "Error" in web_acl_response:
+                        error_code = web_acl_response["Error"].get("Code")
+                        if error_code == "AccessDeniedException":
+                            self.findings.append(self.create_finding(
+                                status="ERROR",
+                                region=region,
+                                resource_id=resource_id,
+                                actual_value=web_acl_response["Error"].get("Message", "Access denied"),
+                                remediation="Check IAM permissions for wafv2:GetWebACLForResource"
+                            ))
+                        else:
+                            self.findings.append(self.create_finding(
+                                status="FAIL",
+                                region=region,
+                                resource_id=resource_id,
+                                actual_value="No WAF Web ACL associated",
+                                remediation="Associate a WAF Web ACL with this API Gateway stage using the AWS Console, CLI, or API"
+                            ))
+                        continue
+
+                    web_acl = web_acl_response.get("WebACL")
+
+                    if web_acl:
+                        web_acl_name = web_acl.get("Name", "Unknown")
+                        self.findings.append(self.create_finding(
+                            status="PASS",
+                            region=region,
+                            resource_id=resource_id,
+                            actual_value=f"WAF Web ACL associated: {web_acl_name}",
+                            remediation="No action needed"
+                        ))
+                    else:
+                        self.findings.append(self.create_finding(
+                            status="FAIL",
+                            region=region,
+                            resource_id=resource_id,
+                            actual_value="No WAF Web ACL associated",
+                            remediation="Associate a WAF Web ACL with this API Gateway stage using the AWS Console, CLI, or API"
+                        ))
+
+        return self.findings

sraverify/services/waf/checks/sra_waf_04.py

@@ -0,0 +1,94 @@
+from typing import Dict, List, Any
+from sraverify.services.waf.base import WAFCheck
+
+class SRA_WAF_04(WAFCheck):
+    def __init__(self):
+        super().__init__()
+        self.resource_type = "AWS::AppSync::GraphQLApi"
+        self.check_id = "SRA-WAF-04"
+        self.check_name = "AppSync GraphQL APIs should be associated with AWS WAF"
+        self.description = "Ensures that all AppSync GraphQL APIs are protected by AWS WAF web ACLs to filter malicious traffic"
+        self.severity = "HIGH"
+        self.check_logic = "Lists all AppSync GraphQL APIs and verifies each has a WAF web ACL associated"
+
+    def execute(self) -> List[Dict[str, Any]]:
+        for region in self.regions:
+            graphql_apis_response = self.get_graphql_apis(region)
+
+            if "Error" in graphql_apis_response:
+                self.findings.append(self.create_finding(
+                    status="ERROR",
+                    region=region,
+                    resource_id=None,
+                    actual_value=graphql_apis_response["Error"].get("Message", "Unknown error"),
+                    remediation="Check IAM permissions for AppSync and WAF API access"
+                ))
+                continue
+
+            graphql_apis = graphql_apis_response.get("graphqlApis", [])
+
+            if not graphql_apis:
+                self.findings.append(self.create_finding(
+                    status="PASS",
+                    region=region,
+                    resource_id="No GraphQL APIs",
+                    actual_value="No AppSync GraphQL APIs found",
+                    remediation="No action needed"
+                ))
+                continue
+
+            for api in graphql_apis:
+                api_arn = api.get("arn")
+                api_name = api.get("name")
+                api_id = api.get("apiId")
+                
+                # Check if WAF is already associated (wafWebAclArn field)
+                waf_web_acl_arn = api.get("wafWebAclArn")
+                
+                if waf_web_acl_arn:
+                    self.findings.append(self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=api_name or api_id,
+                        actual_value=f"WAF Web ACL associated: {waf_web_acl_arn}",
+                        remediation="No action needed"
+                    ))
+                else:
+                    # Double-check using WAF API
+                    client = self.get_client(region)
+                    if not client:
+                        continue
+
+                    web_acl_response = client.get_web_acl_for_resource(api_arn)
+
+                    if "Error" in web_acl_response:
+                        self.findings.append(self.create_finding(
+                            status="FAIL",
+                            region=region,
+                            resource_id=api_name or api_id,
+                            actual_value="No WAF Web ACL associated",
+                            remediation="Associate a WAF Web ACL with this AppSync GraphQL API using the AWS Console, CLI, or API"
+                        ))
+                        continue
+
+                    web_acl = web_acl_response.get("WebACL")
+
+                    if web_acl:
+                        web_acl_name = web_acl.get("Name", "Unknown")
+                        self.findings.append(self.create_finding(
+                            status="PASS",
+                            region=region,
+                            resource_id=api_name or api_id,
+                            actual_value=f"WAF Web ACL associated: {web_acl_name}",
+                            remediation="No action needed"
+                        ))
+                    else:
+                        self.findings.append(self.create_finding(
+                            status="FAIL",
+                            region=region,
+                            resource_id=api_name or api_id,
+                            actual_value="No WAF Web ACL associated",
+                            remediation="Associate a WAF Web ACL with this AppSync GraphQL API using the AWS Console, CLI, or API"
+                        ))
+
+        return self.findings

sraverify/services/waf/checks/sra_waf_05.py

@@ -0,0 +1,94 @@
+from typing import Dict, List, Any
+from sraverify.services.waf.base import WAFCheck
+
+class SRA_WAF_05(WAFCheck):
+    def __init__(self):
+        super().__init__()
+        self.resource_type = "AWS::Cognito::UserPool"
+        self.check_id = "SRA-WAF-05"
+        self.check_name = "Cognito user pools should be associated with AWS WAF"
+        self.description = "Ensures that all Cognito user pools are protected by AWS WAF web ACLs to filter malicious traffic"
+        self.severity = "HIGH"
+        self.check_logic = "Lists all Cognito user pools and verifies each has a WAF web ACL associated"
+
+    def execute(self) -> List[Dict[str, Any]]:
+        for region in self.regions:
+            user_pools_response = self.get_user_pools(region)
+
+            if "Error" in user_pools_response:
+                self.findings.append(self.create_finding(
+                    status="ERROR",
+                    region=region,
+                    resource_id=None,
+                    actual_value=user_pools_response["Error"].get("Message", "Unknown error"),
+                    remediation="Check IAM permissions for Cognito and WAF API access"
+                ))
+                continue
+
+            user_pools = user_pools_response.get("UserPools", [])
+
+            if not user_pools:
+                self.findings.append(self.create_finding(
+                    status="PASS",
+                    region=region,
+                    resource_id="No user pools",
+                    actual_value="No Cognito user pools found",
+                    remediation="No action needed"
+                ))
+                continue
+
+            for pool in user_pools:
+                pool_id = pool.get("Id")
+                pool_name = pool.get("Name")
+                
+                # Construct the Cognito user pool ARN for WAF association check
+                # Format: arn:partition:cognito-idp:region:account-id:userpool/user-pool-id
+                pool_arn = f"arn:aws:cognito-idp:{region}:{self.account_id}:userpool/{pool_id}"
+                
+                client = self.get_client(region)
+                if not client:
+                    continue
+
+                web_acl_response = client.get_web_acl_for_resource(pool_arn)
+
+                if "Error" in web_acl_response:
+                    error_code = web_acl_response["Error"].get("Code")
+                    if error_code == "AccessDeniedException":
+                        self.findings.append(self.create_finding(
+                            status="ERROR",
+                            region=region,
+                            resource_id=pool_name or pool_id,
+                            actual_value=web_acl_response["Error"].get("Message", "Access denied"),
+                            remediation="Check IAM permissions for wafv2:GetWebACLForResource"
+                        ))
+                    else:
+                        self.findings.append(self.create_finding(
+                            status="FAIL",
+                            region=region,
+                            resource_id=pool_name or pool_id,
+                            actual_value="No WAF Web ACL associated",
+                            remediation="Associate a WAF Web ACL with this Cognito user pool using the AWS Console, CLI, or API"
+                        ))
+                    continue
+
+                web_acl = web_acl_response.get("WebACL")
+
+                if web_acl:
+                    web_acl_name = web_acl.get("Name", "Unknown")
+                    self.findings.append(self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=pool_name or pool_id,
+                        actual_value=f"WAF Web ACL associated: {web_acl_name}",
+                        remediation="No action needed"
+                    ))
+                else:
+                    self.findings.append(self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=pool_name or pool_id,
+                        actual_value="No WAF Web ACL associated",
+                        remediation="Associate a WAF Web ACL with this Cognito user pool using the AWS Console, CLI, or API"
+                    ))
+
+        return self.findings

sraverify/services/waf/checks/sra_waf_06.py

@@ -0,0 +1,91 @@
+from typing import Dict, List, Any
+from sraverify.services.waf.base import WAFCheck
+
+class SRA_WAF_06(WAFCheck):
+    def __init__(self):
+        super().__init__()
+        self.resource_type = "AWS::AppRunner::Service"
+        self.check_id = "SRA-WAF-06"
+        self.check_name = "App Runner services should be associated with AWS WAF"
+        self.description = "Ensures that all App Runner services are protected by AWS WAF web ACLs to filter malicious traffic"
+        self.severity = "HIGH"
+        self.check_logic = "Lists all App Runner services and verifies each has a WAF web ACL associated"
+
+    def execute(self) -> List[Dict[str, Any]]:
+        for region in self.regions:
+            services_response = self.get_apprunner_services(region)
+
+            if "Error" in services_response:
+                self.findings.append(self.create_finding(
+                    status="ERROR",
+                    region=region,
+                    resource_id=None,
+                    actual_value=services_response["Error"].get("Message", "Unknown error"),
+                    remediation="Check IAM permissions for App Runner and WAF API access"
+                ))
+                continue
+
+            services = services_response.get("ServiceSummaryList", [])
+
+            if not services:
+                self.findings.append(self.create_finding(
+                    status="PASS",
+                    region=region,
+                    resource_id="No App Runner services",
+                    actual_value="No App Runner services found",
+                    remediation="No action needed"
+                ))
+                continue
+
+            for service in services:
+                service_arn = service.get("ServiceArn")
+                service_name = service.get("ServiceName")
+                service_id = service.get("ServiceId")
+                
+                client = self.get_client(region)
+                if not client:
+                    continue
+
+                web_acl_response = client.get_web_acl_for_resource(service_arn)
+
+                if "Error" in web_acl_response:
+                    error_code = web_acl_response["Error"].get("Code")
+                    if error_code == "AccessDeniedException":
+                        self.findings.append(self.create_finding(
+                            status="ERROR",
+                            region=region,
+                            resource_id=service_name or service_id,
+                            actual_value=web_acl_response["Error"].get("Message", "Access denied"),
+                            remediation="Check IAM permissions for wafv2:GetWebACLForResource and apprunner:DescribeWebAclForService"
+                        ))
+                    else:
+                        self.findings.append(self.create_finding(
+                            status="FAIL",
+                            region=region,
+                            resource_id=service_name or service_id,
+                            actual_value="No WAF Web ACL associated",
+                            remediation="Associate a WAF Web ACL with this App Runner service using the AWS Console, CLI, or API"
+                        ))
+                    continue
+
+                web_acl = web_acl_response.get("WebACL")
+
+                if web_acl:
+                    web_acl_name = web_acl.get("Name", "Unknown")
+                    self.findings.append(self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=service_name or service_id,
+                        actual_value=f"WAF Web ACL associated: {web_acl_name}",
+                        remediation="No action needed"
+                    ))
+                else:
+                    self.findings.append(self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=service_name or service_id,
+                        actual_value="No WAF Web ACL associated",
+                        remediation="Associate a WAF Web ACL with this App Runner service using the AWS Console, CLI, or API"
+                    ))
+
+        return self.findings

sraverify/services/waf/checks/sra_waf_07.py

@@ -0,0 +1,94 @@
+from typing import Dict, List, Any
+from sraverify.services.waf.base import WAFCheck
+
+class SRA_WAF_07(WAFCheck):
+    def __init__(self):
+        super().__init__()
+        self.resource_type = "AWS::EC2::VerifiedAccessInstance"
+        self.check_id = "SRA-WAF-07"
+        self.check_name = "Verified Access instances should be associated with AWS WAF"
+        self.description = "Ensures that all Verified Access instances are protected by AWS WAF web ACLs to filter malicious traffic"
+        self.severity = "HIGH"
+        self.check_logic = "Lists all Verified Access instances and verifies each has a WAF web ACL associated"
+
+    def execute(self) -> List[Dict[str, Any]]:
+        for region in self.regions:
+            instances_response = self.get_verified_access_instances(region)
+
+            if "Error" in instances_response:
+                self.findings.append(self.create_finding(
+                    status="ERROR",
+                    region=region,
+                    resource_id=None,
+                    actual_value=instances_response["Error"].get("Message", "Unknown error"),
+                    remediation="Check IAM permissions for EC2 and WAF API access"
+                ))
+                continue
+
+            instances = instances_response.get("VerifiedAccessInstances", [])
+
+            if not instances:
+                self.findings.append(self.create_finding(
+                    status="PASS",
+                    region=region,
+                    resource_id="No Verified Access instances",
+                    actual_value="No Verified Access instances found",
+                    remediation="No action needed"
+                ))
+                continue
+
+            for instance in instances:
+                instance_id = instance.get("VerifiedAccessInstanceId")
+                description = instance.get("Description", "")
+                
+                # Construct the Verified Access instance ARN for WAF association check
+                # Format: arn:partition:ec2:region:account-id:verified-access-instance/instance-id
+                instance_arn = f"arn:aws:ec2:{region}:{self.account_id}:verified-access-instance/{instance_id}"
+                
+                client = self.get_client(region)
+                if not client:
+                    continue
+
+                web_acl_response = client.get_web_acl_for_resource(instance_arn)
+
+                if "Error" in web_acl_response:
+                    error_code = web_acl_response["Error"].get("Code")
+                    if error_code == "AccessDeniedException":
+                        self.findings.append(self.create_finding(
+                            status="ERROR",
+                            region=region,
+                            resource_id=instance_id,
+                            actual_value=web_acl_response["Error"].get("Message", "Access denied"),
+                            remediation="Check IAM permissions for wafv2:GetWebACLForResource and ec2:GetVerifiedAccessInstanceWebAcl"
+                        ))
+                    else:
+                        self.findings.append(self.create_finding(
+                            status="FAIL",
+                            region=region,
+                            resource_id=instance_id,
+                            actual_value="No WAF Web ACL associated",
+                            remediation="Associate a WAF Web ACL with this Verified Access instance using the AWS Console, CLI, or API"
+                        ))
+                    continue
+
+                web_acl = web_acl_response.get("WebACL")
+
+                if web_acl:
+                    web_acl_name = web_acl.get("Name", "Unknown")
+                    self.findings.append(self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=instance_id,
+                        actual_value=f"WAF Web ACL associated: {web_acl_name}",
+                        remediation="No action needed"
+                    ))
+                else:
+                    self.findings.append(self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=instance_id,
+                        actual_value="No WAF Web ACL associated",
+                        remediation="Associate a WAF Web ACL with this Verified Access instance using the AWS Console, CLI, or API"
+                    ))
+
+        return self.findings

sraverify/services/waf/checks/sra_waf_08.py

@@ -0,0 +1,66 @@
+from typing import Dict, List, Any
+from sraverify.services.waf.base import WAFCheck
+
+class SRA_WAF_08(WAFCheck):
+    def __init__(self):
+        super().__init__()
+        self.resource_type = "AWS::Amplify::App"
+        self.check_id = "SRA-WAF-08"
+        self.check_name = "Amplify applications should be associated with AWS WAF"
+        self.description = "Ensures that all Amplify applications are protected by AWS WAF web ACLs to filter malicious traffic"
+        self.severity = "HIGH"
+        self.check_logic = "Lists all Amplify applications and verifies each has a WAF web ACL associated"
+
+    def execute(self) -> List[Dict[str, Any]]:
+        for region in self.regions:
+            apps_response = self.get_amplify_apps(region)
+
+            if "Error" in apps_response:
+                self.findings.append(self.create_finding(
+                    status="ERROR",
+                    region=region,
+                    resource_id=None,
+                    actual_value=apps_response["Error"].get("Message", "Unknown error"),
+                    remediation="Check IAM permissions for Amplify and WAF API access"
+                ))
+                continue
+
+            apps = apps_response.get("apps", [])
+
+            if not apps:
+                self.findings.append(self.create_finding(
+                    status="PASS",
+                    region=region,
+                    resource_id="No Amplify apps",
+                    actual_value="No Amplify applications found",
+                    remediation="No action needed"
+                ))
+                continue
+
+            for app in apps:
+                app_id = app.get("appId")
+                app_name = app.get("name")
+                waf_config = app.get("wafConfiguration", {})
+                
+                # Check WAF configuration from the app response
+                waf_status = waf_config.get("wafStatus")
+                web_acl_arn = waf_config.get("webAclArn")
+                
+                if waf_status == "ENABLED" and web_acl_arn:
+                    self.findings.append(self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=app_name or app_id,
+                        actual_value=f"WAF Web ACL associated: {web_acl_arn}",
+                        remediation="No action needed"
+                    ))
+                else:
+                    self.findings.append(self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=app_name or app_id,
+                        actual_value="No WAF Web ACL associated",
+                        remediation="Associate a WAF Web ACL with this Amplify application using the AWS Console, CLI, or API"
+                    ))
+
+        return self.findings