PyPI - sraverify - Versions diffs - 0.1.0__py3-none-any.whl - Mend

sraverify 0.1.0__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (261) hide show

sraverify/__init__.py +36 -0
sraverify/checks/__init__.py +56 -0
sraverify/checks/accessanalyzer/SRA_IAA_1.py +188 -0
sraverify/checks/accessanalyzer/SRA_IAA_2.py +162 -0
sraverify/checks/accessanalyzer/SRA_IAA_3.py +260 -0
sraverify/checks/accessanalyzer/SRA_IAA_4.py +207 -0
sraverify/checks/accessanalyzer/__init__.py +3 -0
sraverify/checks/cloudtrail/SRA-CT-1.py +220 -0
sraverify/checks/cloudtrail/SRA-CT-10.py +229 -0
sraverify/checks/cloudtrail/SRA-CT-11.py +242 -0
sraverify/checks/cloudtrail/SRA-CT-12.py +163 -0
sraverify/checks/cloudtrail/SRA-CT-13.py +279 -0
sraverify/checks/cloudtrail/SRA-CT-2.py +218 -0
sraverify/checks/cloudtrail/SRA-CT-3.py +196 -0
sraverify/checks/cloudtrail/SRA-CT-4.py +161 -0
sraverify/checks/cloudtrail/SRA-CT-5.py +200 -0
sraverify/checks/cloudtrail/SRA-CT-6.py +161 -0
sraverify/checks/cloudtrail/SRA-CT-7.py +194 -0
sraverify/checks/cloudtrail/SRA-CT-8.py +226 -0
sraverify/checks/cloudtrail/SRA-CT-9.py +226 -0
sraverify/checks/cloudtrail/__init__.py +3 -0
sraverify/checks/config/SRA-CONFIG-1.py +197 -0
sraverify/checks/config/__init__.py +3 -0
sraverify/core/__init__.py +3 -0
sraverify/core/check.py +227 -0
sraverify/core/logging.py +37 -0
sraverify/core/session.py +47 -0
sraverify/lib/__init__.py +4 -0
sraverify/lib/audit_info.py +37 -0
sraverify/lib/banner.py +42 -0
sraverify/lib/check_loader.py +80 -0
sraverify/lib/org_mgmt_checker.py +86 -0
sraverify/lib/outputs.py +46 -0
sraverify/lib/progress.py +75 -0
sraverify/lib/regions.py +27 -0
sraverify/lib/session.py +23 -0
sraverify/main.py +350 -0
sraverify/services/__init__.py +3 -0
sraverify/services/accessanalyzer/__init__.py +15 -0
sraverify/services/accessanalyzer/base.py +123 -0
sraverify/services/accessanalyzer/checks/__init__.py +3 -0
sraverify/services/accessanalyzer/checks/sra_accessanalyzer_01.py +82 -0
sraverify/services/accessanalyzer/checks/sra_accessanalyzer_02.py +82 -0
sraverify/services/accessanalyzer/checks/sra_accessanalyzer_03.py +103 -0
sraverify/services/accessanalyzer/checks/sra_accessanalyzer_04.py +139 -0
sraverify/services/accessanalyzer/client.py +123 -0
sraverify/services/account/__init__.py +9 -0
sraverify/services/account/base.py +56 -0
sraverify/services/account/checks/__init__.py +1 -0
sraverify/services/account/checks/sra_account_01.py +65 -0
sraverify/services/account/checks/sra_account_02.py +63 -0
sraverify/services/account/checks/sra_account_03.py +63 -0
sraverify/services/account/client.py +51 -0
sraverify/services/auditmanager/__init__.py +10 -0
sraverify/services/auditmanager/base.py +72 -0
sraverify/services/auditmanager/checks/__init__.py +1 -0
sraverify/services/auditmanager/checks/sra_auditmanager_01.py +58 -0
sraverify/services/auditmanager/checks/sra_auditmanager_02.py +80 -0
sraverify/services/auditmanager/client.py +58 -0
sraverify/services/cloudtrail/__init__.py +33 -0
sraverify/services/cloudtrail/base.py +167 -0
sraverify/services/cloudtrail/checks/__init__.py +1 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_01.py +83 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_02.py +99 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_03.py +94 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_04.py +92 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_05.py +106 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_06.py +93 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_07.py +96 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_08.py +145 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_09.py +167 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_10.py +162 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_11.py +178 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_12.py +77 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_13.py +120 -0
sraverify/services/cloudtrail/client.py +118 -0
sraverify/services/config/__init__.py +25 -0
sraverify/services/config/base.py +249 -0
sraverify/services/config/checks/__init__.py +1 -0
sraverify/services/config/checks/sra_config_01.py +123 -0
sraverify/services/config/checks/sra_config_02.py +156 -0
sraverify/services/config/checks/sra_config_03.py +149 -0
sraverify/services/config/checks/sra_config_04.py +104 -0
sraverify/services/config/checks/sra_config_05.py +104 -0
sraverify/services/config/checks/sra_config_06.py +194 -0
sraverify/services/config/checks/sra_config_07.py +162 -0
sraverify/services/config/checks/sra_config_08.py +185 -0
sraverify/services/config/checks/sra_config_09.py +177 -0
sraverify/services/config/client.py +264 -0
sraverify/services/ec2/__init__.py +8 -0
sraverify/services/ec2/base.py +75 -0
sraverify/services/ec2/checks/__init__.py +1 -0
sraverify/services/ec2/checks/sra_ec2_01.py +83 -0
sraverify/services/ec2/client.py +63 -0
sraverify/services/firewallmanager/__init__.py +23 -0
sraverify/services/firewallmanager/base.py +48 -0
sraverify/services/firewallmanager/checks/__init__.py +1 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_01.py +75 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_02.py +57 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_03.py +51 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_04.py +51 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_05.py +51 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_06.py +51 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_07.py +51 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_08.py +61 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_09.py +61 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_10.py +71 -0
sraverify/services/firewallmanager/client.py +40 -0
sraverify/services/guardduty/__init__.py +58 -0
sraverify/services/guardduty/base.py +207 -0
sraverify/services/guardduty/checks/__init__.py +3 -0
sraverify/services/guardduty/checks/sra_guardduty_01.py +51 -0
sraverify/services/guardduty/checks/sra_guardduty_02.py +80 -0
sraverify/services/guardduty/checks/sra_guardduty_03.py +77 -0
sraverify/services/guardduty/checks/sra_guardduty_04.py +84 -0
sraverify/services/guardduty/checks/sra_guardduty_05.py +84 -0
sraverify/services/guardduty/checks/sra_guardduty_06.py +84 -0
sraverify/services/guardduty/checks/sra_guardduty_07.py +85 -0
sraverify/services/guardduty/checks/sra_guardduty_08.py +83 -0
sraverify/services/guardduty/checks/sra_guardduty_09.py +84 -0
sraverify/services/guardduty/checks/sra_guardduty_10.py +83 -0
sraverify/services/guardduty/checks/sra_guardduty_11.py +93 -0
sraverify/services/guardduty/checks/sra_guardduty_12.py +83 -0
sraverify/services/guardduty/checks/sra_guardduty_13.py +90 -0
sraverify/services/guardduty/checks/sra_guardduty_14.py +136 -0
sraverify/services/guardduty/checks/sra_guardduty_15.py +94 -0
sraverify/services/guardduty/checks/sra_guardduty_16.py +94 -0
sraverify/services/guardduty/checks/sra_guardduty_17.py +91 -0
sraverify/services/guardduty/checks/sra_guardduty_18.py +91 -0
sraverify/services/guardduty/checks/sra_guardduty_19.py +91 -0
sraverify/services/guardduty/checks/sra_guardduty_20.py +111 -0
sraverify/services/guardduty/checks/sra_guardduty_21.py +112 -0
sraverify/services/guardduty/checks/sra_guardduty_22.py +111 -0
sraverify/services/guardduty/checks/sra_guardduty_23.py +154 -0
sraverify/services/guardduty/checks/sra_guardduty_24.py +111 -0
sraverify/services/guardduty/checks/sra_guardduty_25.py +111 -0
sraverify/services/guardduty/client.py +107 -0
sraverify/services/inspector/__init__.py +29 -0
sraverify/services/inspector/base.py +233 -0
sraverify/services/inspector/checks/__init__.py +3 -0
sraverify/services/inspector/checks/sra_inspector_01.py +69 -0
sraverify/services/inspector/checks/sra_inspector_02.py +68 -0
sraverify/services/inspector/checks/sra_inspector_03.py +68 -0
sraverify/services/inspector/checks/sra_inspector_04.py +70 -0
sraverify/services/inspector/checks/sra_inspector_05.py +69 -0
sraverify/services/inspector/checks/sra_inspector_06.py +115 -0
sraverify/services/inspector/checks/sra_inspector_07.py +109 -0
sraverify/services/inspector/checks/sra_inspector_08.py +69 -0
sraverify/services/inspector/checks/sra_inspector_09.py +69 -0
sraverify/services/inspector/checks/sra_inspector_10.py +69 -0
sraverify/services/inspector/checks/sra_inspector_11.py +69 -0
sraverify/services/inspector/client.py +99 -0
sraverify/services/macie/__init__.py +27 -0
sraverify/services/macie/base.py +271 -0
sraverify/services/macie/checks/__init__.py +1 -0
sraverify/services/macie/checks/sra_macie_01.py +100 -0
sraverify/services/macie/checks/sra_macie_02.py +102 -0
sraverify/services/macie/checks/sra_macie_03.py +152 -0
sraverify/services/macie/checks/sra_macie_04.py +120 -0
sraverify/services/macie/checks/sra_macie_05.py +85 -0
sraverify/services/macie/checks/sra_macie_06.py +124 -0
sraverify/services/macie/checks/sra_macie_07.py +138 -0
sraverify/services/macie/checks/sra_macie_08.py +82 -0
sraverify/services/macie/checks/sra_macie_09.py +103 -0
sraverify/services/macie/checks/sra_macie_10.py +81 -0
sraverify/services/macie/client.py +220 -0
sraverify/services/s3/__init__.py +16 -0
sraverify/services/s3/base.py +69 -0
sraverify/services/s3/checks/__init__.py +1 -0
sraverify/services/s3/checks/sra_s3_01.py +89 -0
sraverify/services/s3/checks/sra_s3_02.py +89 -0
sraverify/services/s3/checks/sra_s3_03.py +88 -0
sraverify/services/s3/checks/sra_s3_04.py +88 -0
sraverify/services/s3/client.py +52 -0
sraverify/services/securityhub/__init__.py +27 -0
sraverify/services/securityhub/base.py +349 -0
sraverify/services/securityhub/checks/__init__.py +1 -0
sraverify/services/securityhub/checks/sra_securityhub_01.py +115 -0
sraverify/services/securityhub/checks/sra_securityhub_02.py +114 -0
sraverify/services/securityhub/checks/sra_securityhub_03.py +136 -0
sraverify/services/securityhub/checks/sra_securityhub_04.py +75 -0
sraverify/services/securityhub/checks/sra_securityhub_05.py +102 -0
sraverify/services/securityhub/checks/sra_securityhub_06.py +113 -0
sraverify/services/securityhub/checks/sra_securityhub_07.py +121 -0
sraverify/services/securityhub/checks/sra_securityhub_08.py +113 -0
sraverify/services/securityhub/checks/sra_securityhub_09.py +100 -0
sraverify/services/securityhub/checks/sra_securityhub_10.py +94 -0
sraverify/services/securityhub/checks/sra_securityhub_11.py +73 -0
sraverify/services/securityhub/client.py +249 -0
sraverify/services/securityincidentresponse/__init__.py +13 -0
sraverify/services/securityincidentresponse/base.py +95 -0
sraverify/services/securityincidentresponse/checks/__init__.py +1 -0
sraverify/services/securityincidentresponse/checks/sra_securityincidentresponse_01.py +77 -0
sraverify/services/securityincidentresponse/checks/sra_securityincidentresponse_02.py +72 -0
sraverify/services/securityincidentresponse/checks/sra_securityincidentresponse_03.py +86 -0
sraverify/services/securityincidentresponse/checks/sra_securityincidentresponse_04.py +117 -0
sraverify/services/securityincidentresponse/checks/sra_securityincidentresponse_05.py +55 -0
sraverify/services/securityincidentresponse/client.py +71 -0
sraverify/services/securitylake/__init__.py +39 -0
sraverify/services/securitylake/base.py +461 -0
sraverify/services/securitylake/checks/__init__.py +1 -0
sraverify/services/securitylake/checks/sra_securitylake_01.py +98 -0
sraverify/services/securitylake/checks/sra_securitylake_02.py +133 -0
sraverify/services/securitylake/checks/sra_securitylake_03.py +116 -0
sraverify/services/securitylake/checks/sra_securitylake_04.py +72 -0
sraverify/services/securitylake/checks/sra_securitylake_05.py +116 -0
sraverify/services/securitylake/checks/sra_securitylake_06.py +104 -0
sraverify/services/securitylake/checks/sra_securitylake_07.py +108 -0
sraverify/services/securitylake/checks/sra_securitylake_08.py +107 -0
sraverify/services/securitylake/checks/sra_securitylake_09.py +107 -0
sraverify/services/securitylake/checks/sra_securitylake_10.py +106 -0
sraverify/services/securitylake/checks/sra_securitylake_11.py +109 -0
sraverify/services/securitylake/checks/sra_securitylake_12.py +108 -0
sraverify/services/securitylake/checks/sra_securitylake_13.py +108 -0
sraverify/services/securitylake/checks/sra_securitylake_14.py +72 -0
sraverify/services/securitylake/checks/sra_securitylake_15.py +120 -0
sraverify/services/securitylake/checks/sra_securitylake_16.py +104 -0
sraverify/services/securitylake/checks/sra_securitylake_17.py +103 -0
sraverify/services/securitylake/client.py +247 -0
sraverify/services/shield/__init__.py +33 -0
sraverify/services/shield/base.py +199 -0
sraverify/services/shield/checks/__init__.py +1 -0
sraverify/services/shield/checks/sra_shield_01.py +68 -0
sraverify/services/shield/checks/sra_shield_02.py +77 -0
sraverify/services/shield/checks/sra_shield_03.py +84 -0
sraverify/services/shield/checks/sra_shield_04.py +84 -0
sraverify/services/shield/checks/sra_shield_05.py +84 -0
sraverify/services/shield/checks/sra_shield_06.py +84 -0
sraverify/services/shield/checks/sra_shield_07.py +84 -0
sraverify/services/shield/checks/sra_shield_08.py +69 -0
sraverify/services/shield/checks/sra_shield_09.py +86 -0
sraverify/services/shield/checks/sra_shield_10.py +100 -0
sraverify/services/shield/checks/sra_shield_11.py +71 -0
sraverify/services/shield/checks/sra_shield_12.py +130 -0
sraverify/services/shield/checks/sra_shield_13.py +112 -0
sraverify/services/shield/checks/sra_shield_14.py +111 -0
sraverify/services/shield/client.py +214 -0
sraverify/services/waf/__init__.py +21 -0
sraverify/services/waf/base.py +100 -0
sraverify/services/waf/checks/__init__.py +1 -0
sraverify/services/waf/checks/sra_waf_01.py +63 -0
sraverify/services/waf/checks/sra_waf_02.py +82 -0
sraverify/services/waf/checks/sra_waf_03.py +123 -0
sraverify/services/waf/checks/sra_waf_04.py +94 -0
sraverify/services/waf/checks/sra_waf_05.py +94 -0
sraverify/services/waf/checks/sra_waf_06.py +91 -0
sraverify/services/waf/checks/sra_waf_07.py +94 -0
sraverify/services/waf/checks/sra_waf_08.py +66 -0
sraverify/services/waf/checks/sra_waf_09.py +95 -0
sraverify/services/waf/client.py +109 -0
sraverify/utils/__init__.py +3 -0
sraverify/utils/banner.py +65 -0
sraverify/utils/outputs.py +57 -0
sraverify/utils/progress.py +97 -0
sraverify-0.1.0.dist-info/LICENSE +175 -0
sraverify-0.1.0.dist-info/METADATA +516 -0
sraverify-0.1.0.dist-info/NOTICE +1 -0
sraverify-0.1.0.dist-info/RECORD +261 -0
sraverify-0.1.0.dist-info/WHEEL +5 -0
sraverify-0.1.0.dist-info/entry_points.txt +2 -0
sraverify-0.1.0.dist-info/top_level.txt +1 -0

sraverify/checks/cloudtrail/SRA-CT-13.py ADDED Viewed

@@ -0,0 +1,279 @@
+from typing import Dict, List, Any
+from sraverify.checks import SecurityCheck
+from botocore.exceptions import ClientError
+import logging
+class SRACT13(SecurityCheck):
+    """SRA-CT-13: Security Tooling Account CloudTrail Delegated Administrator"""
+    def __init__(self, check_type="organization", security_ou_name=None):
+        """Initialize the check with organization type and optional security OU name"""
+        super().__init__(check_type=check_type)
+        self.check_id = "SRA-CT-13"
+        self.check_name = "The Security Tooling Account is the Delegated Administrator set for CloudTrail"
+        self.description = ('This check verifies whether CloudTrail delegated admin account is the security tooling account '
+                          'of your AWS organization. Security Tooling account is dedicated to operating security services, '
+                          'monitoring AWS accounts, and automating security alerting and response. CloudTrail helps monitor '
+                          'API activities across all your AWS accounts and regions.')
+        self.service = "CloudTrail"
+        self.severity = "HIGH"
+        self.check_type = check_type
+        self.check_logic = ('1. Verify execution from Organization Management Account | '
+                          '2. List all Organization Units and find specified OU (via flag --security-ou-name) or OU containing "security" | '
+                          '3. List accounts in Security OU | '
+                          '4. List CloudTrail delegated administrators | '
+                          '5. Verify delegated admin account exists in Security OU')
+        self.logger = logging.getLogger(self.__class__.__name__)
+        self.findings = []
+        self.security_ou_name = security_ou_name.lower() if security_ou_name else None
+    def get_findings(self) -> List[Dict[str, Any]]:
+        """Return the findings"""
+        return self.findings
+    def find_security_ou(self, org_client, root_id):
+        """Find the security OU based on name parameter or default search"""
+        paginator = org_client.get_paginator('list_organizational_units_for_parent')
+        search_term = self.security_ou_name if self.security_ou_name else 'security'
+        for page in paginator.paginate(ParentId=root_id):
+            for ou in page['OrganizationalUnits']:
+                # If security_ou_name is provided, use exact match
+                if self.security_ou_name and self.security_ou_name == ou['Name'].lower():
+                    return ou['Id'], ou['Name'], search_term
+                # If no security_ou_name provided, look for 'security' in name
+                elif not self.security_ou_name and 'security' in ou['Name'].lower():
+                    return ou['Id'], ou['Name'], search_term
+        return None, None, search_term
+    def get_accounts_in_ou(self, organizations_client, ou_id: str) -> List[str]:
+        """Get list of account IDs in the specified OU"""
+        try:
+            account_ids = []
+            paginator = organizations_client.get_paginator('list_accounts_for_parent')
+            for page in paginator.paginate(ParentId=ou_id):
+                for account in page['Accounts']:
+                    account_ids.append(account['Id'])
+            return account_ids
+        except ClientError as e:
+            self.logger.error(f"Error listing accounts in OU: {str(e)}")
+            return []
+    def run(self, session) -> None:
+        """Run the security check"""
+        try:
+            # Get account information
+            sts_client = session.client('sts')
+            account_id = sts_client.get_caller_identity()['Account']
+            region = session.region_name
+            self.logger.debug(f"Running check for account: {account_id} in region: {region}")
+            # Step 1: Verify execution from Organization Management Account
+            is_management, error_message = self.org_checker.verify_org_management()
+            if not is_management:
+                self.findings.append({
+                    'CheckId': self.check_id,
+                    'Status': 'ERROR',
+                    'Region': region,
+                    "Severity": self.severity,
+                    'Title': f"{self.check_id} {self.check_name}",
+                    'Description': self.description,
+                    'ResourceId': account_id,
+                    'ResourceType': 'AWS::Organizations::Account',
+                    'AccountId': account_id,
+                    'CheckedValue': 'Management Account Access',
+                    'ActualValue': error_message if error_message else 'Not running from management account',
+                    'Remediation': 'Run this check from the Organization Management Account',
+                    'Service': self.service,
+                    'CheckLogic': self.check_logic,
+                    'CheckType': self.check_type
+                })
+                return self.findings
+            try:
+                # Initialize Organizations client
+                organizations_client = session.client('organizations')
+                # Step 2: List all Organization Units and find Security OU
+                root_id = organizations_client.list_roots()['Roots'][0]['Id']
+                security_ou_id, security_ou_name, search_term = self.find_security_ou(organizations_client, root_id)
+                if not security_ou_id:
+                    self.findings.append({
+                        "CheckId": self.check_id,
+                        "Status": "ERROR",
+                        "Region": region,
+                        "Severity": self.severity,
+                        "Title": f"{self.check_id} {self.check_name}",
+                        "Description": self.description,
+                        "ResourceId": "security-ou",
+                        "ResourceType": "AWS::Organizations::OrganizationalUnit",
+                        "AccountId": account_id,
+                        "CheckedValue": "Security OU Existence",
+                        "ActualValue": f"No OU found matching search term: {search_term}",
+                        "Remediation": "Verify Security OU name or existence of OU containing 'security'",
+                        "Service": self.service,
+                        "CheckLogic": self.check_logic,
+                        "CheckType": self.check_type
+                    })
+                    return
+                # Step 3: List accounts in Security OU
+                security_accounts = self.get_accounts_in_ou(organizations_client, security_ou_id)
+                if not security_accounts:
+                    self.findings.append({
+                        "CheckId": self.check_id,
+                        "Status": "FAIL",
+                        "Region": region,
+                        "Severity": self.severity,
+                        "Title": f"{self.check_id} {self.check_name}",
+                        "Description": self.description,
+                        "ResourceId": security_ou_id,
+                        "ResourceType": "AWS::Organizations::OrganizationalUnit",
+                        "AccountId": account_id,
+                        "CheckedValue": "Security OU Accounts",
+                        "ActualValue": f"No accounts found in Security OU: {security_ou_name}",
+                        "Remediation": "Verify Security OU configuration and account assignments",
+                        "Service": self.service,
+                        "CheckLogic": self.check_logic,
+                        "CheckType": self.check_type
+                    })
+                    return
+                # Step 4: List CloudTrail delegated administrators
+                try:
+                    delegated_admins = organizations_client.list_delegated_administrators(
+                        ServicePrincipal='cloudtrail.amazonaws.com'
+                    )
+                    admin_accounts = delegated_admins.get('DelegatedAdministrators', [])
+                    if not admin_accounts:
+                        self.findings.append({
+                            "CheckId": self.check_id,
+                            "Status": "FAIL",
+                            "Region": region,
+                            "Severity": self.severity,
+                            "Title": f"{self.check_id} {self.check_name}",
+                            "Description": self.description,
+                            "ResourceId": "cloudtrail-delegated-admin",
+                            "ResourceType": "AWS::Organizations::Account",
+                            "AccountId": account_id,
+                            "CheckedValue": "Delegated Administrator Configuration",
+                            "ActualValue": "No CloudTrail delegated administrators configured",
+                            "Remediation": "Configure a Security Tooling account as CloudTrail delegated administrator",
+                            "Service": self.service,
+                            "CheckLogic": self.check_logic,
+                            "CheckType": self.check_type
+                        })
+                        return
+                    # Step 5: Verify delegated admin account exists in Security OU
+                    valid_admin = None
+                    for admin in admin_accounts:
+                        if admin['Id'] in security_accounts:
+                            valid_admin = admin
+                            break
+                    if valid_admin:
+                        self.findings.append({
+                            "CheckId": self.check_id,
+                            "Status": "PASS",
+                            "Region": region,
+                            "Severity": self.severity,
+                            "Title": f"{self.check_id} {self.check_name}",
+                            "Description": self.description,
+                            "ResourceId": valid_admin['Id'],
+                            "ResourceType": "AWS::Organizations::Account",
+                            "AccountId": account_id,
+                            "CheckedValue": "CloudTrail Delegated Administrator",
+                            "ActualValue": f"CloudTrail delegated administrator {valid_admin['Id']} is in Security OU {security_ou_name}",
+                            "Remediation": "None required",
+                            "Service": self.service,
+                            "CheckLogic": self.check_logic,
+                            "CheckType": self.check_type
+                        })
+                    else:
+                        admin_list = ', '.join([admin['Id'] for admin in admin_accounts])
+                        self.findings.append({
+                            "CheckId": self.check_id,
+                            "Status": "FAIL",
+                            "Region": region,
+                            "Severity": self.severity,
+                            "Title": f"{self.check_id} {self.check_name}",
+                            "Description": self.description,
+                            "ResourceId": "cloudtrail-delegated-admin",
+                            "ResourceType": "AWS::Organizations::Account",
+                            "AccountId": account_id,
+                            "CheckedValue": "CloudTrail Delegated Administrator",
+                            "ActualValue": f"CloudTrail delegated administrators ({admin_list}) are not in Security OU {security_ou_name}",
+                            "Remediation": f"Configure a Security Tooling account from Security OU {security_ou_name} as CloudTrail delegated administrator",
+                            "Service": self.service,
+                            "CheckLogic": self.check_logic,
+                            "CheckType": self.check_type
+                        })
+                except ClientError as e:
+                    if 'AccessDeniedException' in str(e):
+                        self.findings.append({
+                            "CheckId": self.check_id,
+                            "Status": "ERROR",
+                            "Region": region,
+                            "Severity": self.severity,
+                            "Title": f"{self.check_id} {self.check_name}",
+                            "Description": self.description,
+                            "ResourceId": "organizations-permissions",
+                            "ResourceType": "AWS::Organizations::Account",
+                            "AccountId": account_id,
+                            "CheckedValue": "Organizations Permissions",
+                            "ActualValue": "Insufficient permissions to list delegated administrators",
+                            "Remediation": "Verify Organizations permissions in management account",
+                            "Service": self.service,
+                            "CheckLogic": self.check_logic,
+                            "CheckType": self.check_type
+                        })
+                    else:
+                        raise e
+            except ClientError as e:
+                self.logger.error(f"Error accessing Organizations: {str(e)}")
+                self.findings.append({
+                    "CheckId": self.check_id,
+                    "Status": "ERROR",
+                    "Region": region,
+                    "Severity": self.severity,
+                    "Title": f"{self.check_id} {self.check_name}",
+                    "Description": self.description,
+                    "ResourceId": "organizations",
+                    "ResourceType": "AWS::Organizations::Account",
+                    "AccountId": account_id,
+                    "CheckedValue": "Organizations API Access",
+                    "ActualValue": f"Error accessing Organizations: {str(e)}",
+                    "Remediation": "Verify Organizations permissions",
+                    "Service": self.service,
+                    "CheckLogic": self.check_logic,
+                    "CheckType": self.check_type
+                })
+        except Exception as e:
+            self.logger.error(f"Unexpected error in check: {str(e)}")
+            self.findings.append({
+                "CheckId": self.check_id,
+                "Status": "ERROR",
+                "Region": region if 'region' in locals() else session.region_name,
+                "Severity": self.severity,
+                "Title": f"{self.check_id} {self.check_name}",
+                "Description": self.description,
+                "ResourceId": "check-execution",
+                "ResourceType": "AWS::Organizations::Account",
+                "AccountId": account_id if 'account_id' in locals() else "unknown",
+                "CheckedValue": "Check Execution",
+                "ActualValue": f"Unexpected error: {str(e)}",
+                "Remediation": "Contact support team",
+                "Service": self.service,
+                "CheckLogic": self.check_logic,
+                "CheckType": self.check_type
+            })

sraverify/checks/cloudtrail/SRA-CT-2.py ADDED Viewed

@@ -0,0 +1,218 @@
+from typing import Dict, List, Any
+from sraverify.checks import SecurityCheck
+from botocore.exceptions import ClientError
+class SRACT2(SecurityCheck):
+    """SRA-CT-2: Organization trail is encrypted with KMS"""
+    def __init__(self, check_type="organization"):
+        super().__init__(check_type=check_type)
+        self.check_id = "SRA-CT-2"
+        self.check_name = "Organization trail is encrypted with KMS"
+        self.severity = 'HIGH'
+        self.description = ('This check verifies that your organization trail is encrypted with a KMS key. '
+                          'Log files delivered by CloudTrail to your bucket should be encrypted by using SSE-KMS. '
+                          'This is selected by default in the console but can be altered by users. With SSE-KMS '
+                          'you create and manage the KMS key yourself with the ability to manage permissions on '
+                          'who can use the key. For a user to read log files they must have read permissions to '
+                          'the bucket and have permissions that allows decrypt permission on the key applied by '
+                          'the KMS key policy.')
+        self.check_logic = ('1. Verify execution from Organization Management account | '
+                          '2. List all CloudTrail trails in the region | '
+                          '3. Identify organization trail | '
+                          '4. Check if trail is enabled and logging | '
+                          '5. Verify KMS encryption is enabled on the trail | '
+                          '6. Validate KMS key exists and is accessible | '
+                          '7. Check passes if organization trail uses KMS encryption')
+        self.service = 'CloudTrail'
+    def get_findings(self) -> List[Dict[str, Any]]:
+        """Return the findings of the check"""
+        return self.findings
+    def run(self, session):
+        """Run the CloudTrail organization trail encryption check"""
+        try:
+            cloudtrail_client = session.client('cloudtrail')
+            account_id = session.client('sts').get_caller_identity()['Account']
+            region = session.region_name
+             # Step 1: Verify we're in management account using org_mgmt_checker
+            is_management, error_message = self.org_checker.verify_org_management()
+            if not is_management:
+                finding = {
+                    'CheckId': self.check_id,
+                    'Status': 'ERROR',
+                    'Region': region,
+                    "Severity": self.severity,
+                    'Title': f"{self.check_id} {self.check_name}",
+                    'Description': self.description,
+                    'ResourceId': account_id,
+                    'ResourceType': 'AWS::Organizations::Account',
+                    'AccountId': account_id,
+                    'CheckedValue': 'Management Account Access',
+                    'ActualValue': error_message if error_message else 'Not running from management account',
+                    'Remediation': 'Run this check from the Organization Management Account',
+                    'Service': self.service,
+                    'CheckLogic': self.check_logic,
+                    'CheckType': self.check_type
+                }
+                self.findings.append(finding)
+                return self.findings
+            try:
+                # Step 2: List all CloudTrail trails in the region
+                trails = cloudtrail_client.list_trails()
+                if not trails['Trails']:
+                    self.findings.append({
+                        'CheckId': self.check_id,
+                        'Status': 'FAIL',
+                        'Region': region,
+                        "Severity": self.severity,
+                        'Title': f"{self.check_id} {self.check_name}",
+                        'Description': self.description,
+                        'ResourceId': account_id,
+                        'ResourceType': 'AWS::CloudTrail::Trail',
+                        'AccountId': account_id,
+                        'CheckedValue': 'Organization CloudTrail',
+                        'ActualValue': 'No trails found',
+                        'Remediation': 'Create an organization-level CloudTrail with KMS encryption enabled',
+                        'Service': 'CloudTrail',
+                        'CheckLogic': self.check_logic,
+                        'CheckType': self.check_type
+                    })
+                    return self.findings
+                org_trail_found = False
+                for trail in trails['Trails']:
+                    trail_name = trail['Name']
+                    trail_arn = trail['TrailARN']
+                    # Step 3: Identify organization trail
+                    trail_info = cloudtrail_client.get_trail(Name=trail_name)['Trail']
+                    if trail_info.get('IsOrganizationTrail'):
+                        org_trail_found = True
+                        # Step 4: Check if trail is enabled and logging
+                        trail_status = cloudtrail_client.get_trail_status(Name=trail_name)
+                        if not trail_status.get('IsLogging', False):
+                            self.findings.append({
+                                'CheckId': self.check_id,
+                                'Status': 'FAIL',
+                                'Region': region,
+                                "Severity": self.severity,
+                                'Title': f"{self.check_id} {self.check_name}",
+                                'Description': self.description,
+                                'ResourceId': trail_arn,
+                                'ResourceType': 'AWS::CloudTrail::Trail',
+                                'AccountId': account_id,
+                                'CheckedValue': 'Trail Logging Status',
+                                'ActualValue': 'Organization trail is not logging',
+                                'Remediation': 'Enable logging for the organization trail',
+                                'Service': 'CloudTrail',
+                                'CheckLogic': self.check_logic,
+                                'CheckType': self.check_type
+                            })
+                            continue
+                        # Step 5: Verify KMS encryption is enabled on the trail
+                        # Step 6: Validate KMS key exists and is accessible
+                        if not trail_info.get('KmsKeyId'):
+                            self.findings.append({
+                                'CheckId': self.check_id,
+                                'Status': 'FAIL',
+                                'Region': region,
+                                "Severity": self.severity,
+                                'Title': f"{self.check_id} {self.check_name}",
+                                'Description': self.description,
+                                'ResourceId': trail_arn,
+                                'ResourceType': 'AWS::CloudTrail::Trail',
+                                'AccountId': account_id,
+                                'CheckedValue': 'KMS Encryption',
+                                'ActualValue': 'Organization trail is not KMS encrypted',
+                                'Remediation': 'Enable KMS encryption for the organization trail',
+                                'Service': 'CloudTrail',
+                                'CheckLogic': self.check_logic,
+                                'CheckType': self.check_type
+                            })
+                        else:
+                            # Step 7: Check passes if organization trail uses KMS encryption
+                            self.findings.append({
+                                'CheckId': self.check_id,
+                                'Status': 'PASS',
+                                'Region': region,
+                                "Severity": self.severity,
+                                'Title': f"{self.check_id} {self.check_name}",
+                                'Description': self.description,
+                                'ResourceId': trail_arn,
+                                'ResourceType': 'AWS::CloudTrail::Trail',
+                                'AccountId': account_id,
+                                'CheckedValue': 'KMS Encryption',
+                                'ActualValue': f"Organization trail is encrypted with key: {trail_info['KmsKeyId']}",
+                                'Remediation': 'None required',
+                                'Service': 'CloudTrail',
+                                'CheckLogic': self.check_logic,
+                                'CheckType': self.check_type
+                            })
+                if not org_trail_found:
+                    self.findings.append({
+                        'CheckId': self.check_id,
+                        'Status': 'FAIL',
+                        'Region': region,
+                        "Severity": self.severity,
+                        'Title': f"{self.check_id} {self.check_name}",
+                        'Description': self.description,
+                        'ResourceId': account_id,
+                        'ResourceType': 'AWS::CloudTrail::Trail',
+                        'AccountId': account_id,
+                        'CheckedValue': 'Organization Trail',
+                        'ActualValue': 'No organization trail found',
+                        'Remediation': 'Create an organization-level CloudTrail with KMS encryption enabled',
+                        'Service': 'CloudTrail',
+                        'CheckLogic': self.check_logic,
+                        'CheckType': self.check_type
+                    })
+            except ClientError as e:
+                self.findings.append({
+                    'CheckId': self.check_id,
+                    'Status': 'ERROR',
+                    'Region': region,
+                    "Severity": self.severity,
+                    'Title': f"{self.check_id} {self.check_name}",
+                    'Description': self.description,
+                    'ResourceId': account_id,
+                    'ResourceType': 'AWS::CloudTrail::Trail',
+                    'AccountId': account_id,
+                    'CheckedValue': 'CloudTrail Access',
+                    'ActualValue': f"Error: {str(e)}",
+                    'Remediation': 'Check CloudTrail permissions and try again',
+                    'Service': 'CloudTrail',
+                    'CheckLogic': self.check_logic,
+                    'CheckType': self.check_type
+                })
+        except Exception as e:
+            self.findings.append({
+                'CheckId': self.check_id,
+                'Status': 'ERROR',
+                'Region': region,
+                "Severity": self.severity,
+                'Title': f"{self.check_id} {self.check_name}",
+                'Description': self.description,
+                'ResourceId': account_id,
+                'ResourceType': 'AWS::CloudTrail::Trail',
+                'AccountId': account_id,
+                'CheckedValue': 'Check Execution',
+                'ActualValue': f"Error: {str(e)}",
+                'Remediation': 'Check permissions and try again',
+                'Service': 'CloudTrail',
+                'CheckLogic': self.check_logic,
+                'CheckType': self.check_type
+            })
+        return self.findings