sraverify 0.1.0__py3-none-any.whl

sraverify/checks/cloudtrail/SRA-CT-9.py

@@ -0,0 +1,226 @@
+from typing import Dict, List, Any
+from sraverify.checks import SecurityCheck
+from botocore.exceptions import ClientError
+import logging
+from datetime import datetime, timezone
+
+class SRACT9(SecurityCheck):
+    """SRA-CT-9: Organization Trail CloudWatch Logs Delivery Status"""
+    
+    def __init__(self, check_type="organization"):
+        """Initialize the check with organization type"""
+        super().__init__(check_type=check_type)
+        self.check_id = "SRA-CT-9"
+        self.check_name = "Organization trail is publishing logs to CloudWatch Logs"
+        self.description = ('This check verifies that last attempt to send CloudTrail logs to CloudWatch Logs was successful. '
+                          'Successful delivery of CloudTrails logs to CloudWatch ensures later availability for monitoring. '
+                          'CloudTrail requires right permission to send log events to CloudWatch Logs.')
+        self.service = "CloudTrail"
+        self.severity = "HIGH"
+        self.check_type = check_type
+        self.check_logic = ('1. Verify execution from Organization Management Account | '
+                          '2. List CloudTrail trails in current region | '
+                          '3. Check for organization trail with IsOrganizationTrail=true | '
+                          '4. Verify CloudWatch Logs configuration and successful delivery by checking: '
+                          'a) CloudWatch Logs group is configured, b) IAM role is configured, '
+                          'c) No delivery errors exist, d) Latest delivery was successful within 24 hours')
+        self.logger = logging.getLogger(self.__class__.__name__)
+        self.findings = []
+
+    def get_findings(self) -> List[Dict[str, Any]]:
+        """Return the findings"""
+        return self.findings
+
+    def check_cloudwatch_delivery_status(self, cloudtrail_client, trail_name: str) -> tuple:
+        """Check CloudWatch Logs delivery status and return status details"""
+        try:
+            status = cloudtrail_client.get_trail_status(Name=trail_name)
+            latest_delivery_time = status.get('LatestCloudWatchLogsDeliveryTime')
+            latest_delivery_error = status.get('LatestCloudWatchLogsDeliveryError', '')
+            is_logging = status.get('IsLogging', False)
+            
+
+             # Step 1: Verify we're in management account using org_mgmt_checker
+            is_management, error_message = self.org_checker.verify_org_management()
+            if not is_management:
+                finding = {
+                    'CheckId': self.check_id,
+                    'Status': 'ERROR',
+                    'Region': region,
+                    "Severity": self.severity,
+                    'Title': f"{self.check_id} {self.check_name}",
+                    'Description': self.description,
+                    'ResourceId': account_id,
+                    'ResourceType': 'AWS::Organizations::Account',
+                    'AccountId': account_id,
+                    'CheckedValue': 'Management Account Access',
+                    'ActualValue': error_message if error_message else 'Not running from management account',
+                    'Remediation': 'Run this check from the Organization Management Account',
+                    'Service': self.service,
+                    'CheckLogic': self.check_logic,
+                    'CheckType': self.check_type
+                }
+                self.findings.append(finding)
+                return self.findings
+
+
+            # Check if delivery is recent (within 24 hours)
+            current_time = datetime.now(timezone.utc)
+            is_recent = False
+            if latest_delivery_time:
+                time_difference = current_time - latest_delivery_time
+                is_recent = time_difference.total_seconds() < 86400  # 24 hours
+            
+            return is_logging, is_recent, latest_delivery_error
+            
+        except ClientError as e:
+            self.logger.error(f"Error getting trail status for {trail_name}: {str(e)}")
+            return False, False, str(e)
+
+    def run(self, session) -> None:
+        """Run the security check"""
+        try:
+            # Get account information
+            sts_client = session.client('sts')
+            account_id = sts_client.get_caller_identity()['Account']
+            region = session.region_name
+            self.logger.debug(f"Running check for account: {account_id} in region: {region}")
+            
+            # Initialize CloudTrail client
+            cloudtrail_client = session.client('cloudtrail')
+            
+            try:
+                # List trails and find organization trails
+                trails = cloudtrail_client.describe_trails(includeShadowTrails=True)
+                org_trails = [t for t in trails['trailList'] if t.get('IsOrganizationTrail')]
+                self.logger.debug(f"Found {len(org_trails)} organization trails")
+
+                if not org_trails:
+                    self.findings.append({
+                        "CheckId": self.check_id,
+                        "Status": "FAIL",
+                        "Region": region,
+                        "Severity": self.severity,
+                        "Title": f"{self.check_id} {self.check_name}",
+                        "Description": self.description,
+                        "ResourceId": "organization-trail",
+                        "ResourceType": "AWS::CloudTrail::Trail",
+                        "AccountId": account_id,
+                        "CheckedValue": "Organization Trail Configuration",
+                        "ActualValue": "No organization trail found",
+                        "Remediation": "Create an organization trail with CloudWatch Logs configuration",
+                        "Service": self.service,
+                        "CheckLogic": self.check_logic,
+                        "CheckType": self.check_type
+                    })
+                    return
+
+                # Check each organization trail for CloudWatch Logs delivery status
+                valid_trail = None
+                for trail in org_trails:
+                    trail_name = trail['Name']
+                    cloudwatch_logs_group = trail.get('CloudWatchLogsLogGroupArn')
+                    cloudwatch_logs_role = trail.get('CloudWatchLogsRoleArn')
+                    
+                    # Skip if CloudWatch Logs is not configured
+                    if not (cloudwatch_logs_group and cloudwatch_logs_role):
+                        continue
+                    
+                    is_logging, is_recent, delivery_error = self.check_cloudwatch_delivery_status(cloudtrail_client, trail_name)
+                    
+                    if is_logging and is_recent and not delivery_error:
+                        valid_trail = trail
+                        self.logger.debug(f"Found valid trail with successful CloudWatch Logs delivery: {trail_name}")
+                        break
+
+                # Create finding based on CloudWatch Logs delivery status
+                if valid_trail:
+                    self.findings.append({
+                        "CheckId": self.check_id,
+                        "Status": "PASS",
+                        "Region": region,
+                        "Severity": self.severity,
+                        "Title": f"{self.check_id} {self.check_name}",
+                        "Description": self.description,
+                        "ResourceId": valid_trail['TrailARN'],
+                        "ResourceType": "AWS::CloudTrail::Trail",
+                        "AccountId": account_id,
+                        "CheckedValue": "CloudWatch Logs Delivery Status",
+                        "ActualValue": f"Organization trail {valid_trail['Name']} is successfully delivering logs to CloudWatch Logs group",
+                        "Remediation": "None required",
+                        "Service": self.service,
+                        "CheckLogic": self.check_logic,
+                        "CheckType": self.check_type
+                    })
+                else:
+                    actual_value = "No organization trail found with successful recent CloudWatch Logs delivery"
+                    remediation = "Verify CloudWatch Logs configuration and permissions"
+                    if org_trails:
+                        trail = org_trails[0]
+                        if not (trail.get('CloudWatchLogsLogGroupArn') and trail.get('CloudWatchLogsRoleArn')):
+                            actual_value = f"Trail {trail['Name']} has incomplete CloudWatch Logs configuration"
+                            remediation = "Configure CloudWatch Logs group and IAM role for the organization trail"
+                        elif delivery_error:
+                            actual_value = f"Trail {trail['Name']} has delivery error: {delivery_error}"
+                            remediation = "Resolve CloudWatch Logs delivery errors (check IAM role permissions)"
+                        elif not is_recent:
+                            actual_value = f"Trail {trail['Name']} has no recent CloudWatch Logs delivery"
+                            remediation = "Verify trail logging is enabled and check CloudWatch Logs permissions"
+
+                    self.findings.append({
+                        "CheckId": self.check_id,
+                        "Status": "FAIL",
+                        "Region": region,
+                        "Severity": self.severity,
+                        "Title": f"{self.check_id} {self.check_name}",
+                        "Description": self.description,
+                        "ResourceId": (valid_trail or org_trails[0])['TrailARN'],
+                        "ResourceType": "AWS::CloudTrail::Trail",
+                        "AccountId": account_id,
+                        "CheckedValue": "CloudWatch Logs Delivery Status",
+                        "ActualValue": actual_value,
+                        "Remediation": remediation,
+                        "Service": self.service,
+                        "CheckLogic": self.check_logic,
+                        "CheckType": self.check_type
+                    })
+
+            except ClientError as e:
+                self.logger.error(f"Error accessing CloudTrail: {str(e)}")
+                self.findings.append({
+                    "CheckId": self.check_id,
+                    "Status": "ERROR",
+                    "Region": region,
+                    "Severity": self.severity,
+                    "Title": f"{self.check_id} {self.check_name}",
+                    "Description": self.description,
+                    "ResourceId": "cloudtrail",
+                    "ResourceType": "AWS::CloudTrail::Trail",
+                    "AccountId": account_id,
+                    "CheckedValue": "CloudTrail API Access",
+                    "ActualValue": f"Error accessing CloudTrail: {str(e)}",
+                    "Remediation": "Verify CloudTrail permissions",
+                    "Service": self.service,
+                    "CheckLogic": self.check_logic,
+                    "CheckType": self.check_type
+                })
+
+        except Exception as e:
+            self.logger.error(f"Unexpected error in check: {str(e)}")
+            self.findings.append({
+                "CheckId": self.check_id,
+                "Status": "ERROR",
+                "Region": region if 'region' in locals() else session.region_name,
+                "Severity": self.severity,
+                "Title": f"{self.check_id} {self.check_name}",
+                "Description": self.description,
+                "ResourceId": "check-execution",
+                "ResourceType": "AWS::CloudTrail::Trail",
+                "AccountId": account_id if 'account_id' in locals() else "unknown",
+                "CheckedValue": "Check Execution",
+                "ActualValue": f"Unexpected error: {str(e)}",
+                "Remediation": "Contact support team",
+                "Service": self.service,
+                "CheckLogic": self.check_logic,
+                "CheckType": self.check_type
+            })

sraverify/checks/cloudtrail/__init__.py

@@ -0,0 +1,3 @@
+"""
+Package containing Cloud Trail security checks.
+"""

sraverify/checks/config/SRA-CONFIG-1.py

@@ -0,0 +1,197 @@
+from typing import Dict, List, Any, Optional
+from botocore.exceptions import ClientError
+import logging
+from sraverify.lib.check_loader import SecurityCheck
+
+class SRACONFIG1(SecurityCheck):
+    """SRA-CONFIG-1: AWS Config recorder configuration check"""
+    
+    def __init__(self, check_type="account"):
+        """Initialize the check with account type"""
+        super().__init__(check_type=check_type)
+        self.check_id = "SRA-CONFIG-1"
+        self.check_name = "AWS Config recorder is configured in this region"
+        self.description = ('This check verifies that a configuration recorders exists in the AWS Region. '
+                          'AWS Config uses the configuration recorder to detect changes in your resource '
+                          'configurations and capture these changes as configuration items. You must create '
+                          'a configuration recorder in every AWS Region for AWS Config can track your '
+                          'resource configurations in the region.')
+        self.service = "Config"
+        self.severity = "HIGH"
+        self.check_type = check_type
+        self.check_logic = ('1. List Config recorders in current region | '
+                          '2. Verify at least one recorder exists | '
+                          '3. Check recorder configuration status')
+        self.logger = logging.getLogger(self.__class__.__name__)
+        self.findings = []
+        self._regions = None
+
+    def initialize(self, regions: Optional[List[str]] = None):
+        """Initialize check with optional regions"""
+        self._regions = regions
+
+    def get_findings(self) -> List[Dict[str, Any]]:
+        """Return the findings"""
+        return self.findings
+
+    def _create_finding(self, status: str, region: str, account_id: str,
+                       resource_id: str, actual_value: str,
+                       remediation: str) -> Dict[str, Any]:
+        """Create a standardized finding"""
+        return {
+            "CheckId": self.check_id,
+            "Status": status,
+            "Region": region,
+            "Severity": self.severity,
+            "Title": f"{self.check_id} {self.check_name}",
+            "Description": self.description,
+            "ResourceId": resource_id,
+            "ResourceType": "AWS::Config::ConfigurationRecorder",
+            "AccountId": account_id,
+            "CheckedValue": "Configuration Recorder Status",
+            "ActualValue": actual_value,
+            "Remediation": remediation,
+            "Service": self.service,
+            "CheckLogic": self.check_logic,
+            "CheckType": self.check_type
+        }
+
+    def check_recorder_status(self, config_client, recorder_name: str) -> tuple:
+        """Check Config recorder status and return details"""
+        try:
+            status = config_client.describe_configuration_recorder_status(
+                ConfigurationRecorderNames=[recorder_name]
+            )
+            if status['ConfigurationRecordersStatus']:
+                recorder_status = status['ConfigurationRecordersStatus'][0]
+                return (
+                    recorder_status.get('recording', False),
+                    recorder_status.get('lastStatus', 'ERROR'),
+                    recorder_status.get('lastErrorCode', ''),
+                    recorder_status.get('lastErrorMessage', '')
+                )
+            return False, 'ERROR', 'NO_STATUS', 'No recorder status found'
+            
+        except ClientError as e:
+            self.logger.error(f"Error getting recorder status for {recorder_name}: {str(e)}")
+            return False, 'ERROR', str(e), 'Error getting recorder status'
+
+    def _check_region(self, session, region: str) -> Optional[Dict[str, Any]]:
+        """Check Config configuration in a specific region"""
+        try:
+            account_id = session.client('sts').get_caller_identity()['Account']
+            self.logger.debug(f"Checking region: {region}")
+            
+            # Initialize Config client for the specific region
+            config_client = session.client('config', region_name=region)
+            
+            try:
+                # List configuration recorders
+                recorders = config_client.describe_configuration_recorders()
+                if not recorders['ConfigurationRecorders']:
+                    return self._create_finding(
+                        status="FAIL",
+                        region=region,
+                        account_id=account_id,
+                        resource_id="config-recorder",
+                        actual_value="No configuration recorder found in region",
+                        remediation="Create a configuration recorder in this region"
+                    )
+
+                # Check each recorder's status
+                valid_recorder = None
+                for recorder in recorders['ConfigurationRecorders']:
+                    recorder_name = recorder['name']
+                    is_recording, last_status, error_code, error_message = self.check_recorder_status(
+                        config_client, 
+                        recorder_name
+                    )
+                    
+                    if is_recording and last_status == 'SUCCESS':
+                        valid_recorder = recorder
+                        self.logger.debug(f"Found active recorder: {recorder_name}")
+                        break
+
+                if valid_recorder:
+                    return self._create_finding(
+                        status="PASS",
+                        region=region,
+                        account_id=account_id,
+                        resource_id=valid_recorder['name'],
+                        actual_value=f"Configuration recorder {valid_recorder['name']} is active and recording",
+                        remediation="None required"
+                    )
+                else:
+                    recorder = recorders['ConfigurationRecorders'][0]
+                    actual_value = f"Configuration recorder {recorder['name']} exists but "
+                    if not is_recording:
+                        actual_value += "is not recording"
+                    else:
+                        actual_value += f"has status: {last_status}"
+                        if error_code:
+                            actual_value += f" (Error: {error_code} - {error_message})"
+
+                    return self._create_finding(
+                        status="FAIL",
+                        region=region,
+                        account_id=account_id,
+                        resource_id=recorder['name'],
+                        actual_value=actual_value,
+                        remediation="Start the configuration recorder or fix configuration errors"
+                    )
+
+            except ClientError as e:
+                return self._create_finding(
+                    status="ERROR",
+                    region=region,
+                    account_id=account_id,
+                    resource_id="config",
+                    actual_value=f"Error accessing Config: {str(e)}",
+                    remediation="Verify Config permissions"
+                )
+
+        except Exception as e:
+            return self._create_finding(
+                status="ERROR",
+                region=region,
+                account_id="Unknown",
+                resource_id="check-execution",
+                actual_value=f"Error: {str(e)}",
+                remediation="Check logs for more details"
+            )
+
+    def run(self, session) -> None:
+        """Run the security check"""
+        try:
+            # Get regions to check
+            regions_to_check = self._regions if self._regions else [session.region_name]
+            
+            # Check each region
+            for region in regions_to_check:
+                try:
+                    finding = self._check_region(session, region)
+                    if finding:
+                        self.findings.append(finding)
+                except Exception as e:
+                    self.findings.append(
+                        self._create_finding(
+                            status="ERROR",
+                            region=region,
+                            account_id="Unknown",
+                            resource_id="Unknown",
+                            actual_value=f"Region check failed: {str(e)}",
+                            remediation="Check regional access and permissions"
+                        )
+                    )
+
+        except Exception as e:
+            self.findings.append(
+                self._create_finding(
+                    status="ERROR",
+                    region="Unknown",
+                    account_id="Unknown",
+                    resource_id="Unknown",
+                    actual_value=f"Check execution failed: {str(e)}",
+                    remediation="Check logs for more details"
+                )
+            )

sraverify/checks/config/__init__.py

@@ -0,0 +1,3 @@
+"""
+Package containing AWS Config security checks.
+"""

sraverify/core/__init__.py

@@ -0,0 +1,3 @@
+"""
+Core components for the SRA Verify framework.
+"""

sraverify/core/check.py

@@ -0,0 +1,227 @@
+"""
+Base class for security checks.
+"""
+from typing import List, Optional, Dict, Any
+import boto3
+from sraverify.core.logging import logger
+
+
+class SecurityCheck:
+    """Base class for all security checks."""
+    
+    # Class-level cache for account information shared across all instances
+    _account_info_cache = {}
+    
+    def __init__(self, account_type="application", service=None, resource_type=None):
+        """
+        Initialize security check.
+        
+        Args:
+            account_type: Type of account (application, audit, log-archive, management)
+            service: AWS service name
+            resource_type: AWS resource type for findings
+        """
+        self.account_type = account_type
+        self.service = service
+        self.resource_type = resource_type
+        self.check_id = None
+        self.check_name = None
+        self.description = None
+        self.rationale = None
+        self.remediation = None
+        self.severity = "Unknown"
+        self.check_logic = None
+        self.findings = []
+        self.regions = []
+        self.session = None
+        self._clients = {}
+        self.account_info = None  # Will hold {'account_id': str, 'account_name': str}
+        
+    def initialize(self, session: boto3.Session, regions: Optional[List[str]] = None):
+        """
+        Initialize check with AWS session and optional regions.
+        
+        Args:
+            session: AWS session to use for the check
+            regions: List of AWS regions to check. If not provided, enabled regions will be detected.
+        """
+        logger.debug(f"Initializing {self.__class__.__name__} check")
+        self.session = session
+        # All account types need regions, so we'll get them regardless of account type
+        self.regions = regions if regions else self._get_enabled_regions()
+        logger.debug(f"Check will run in regions: {', '.join(self.regions)}")
+        
+        # Get account info once during initialization
+        self.account_info = self._get_account_info()
+        logger.debug(f"Check initialized for account: {self.account_info['account_name']} ({self.account_info['account_id']})")
+        
+        self._setup_clients()
+
+    def _get_enabled_regions(self) -> List[str]:
+        """
+        Get all enabled regions in the AWS account.
+        
+        Returns:
+            List of enabled region names
+        """
+        try:
+            logger.debug("Getting enabled AWS regions")
+            session = boto3.Session()
+            ec2_client = session.client('ec2', region_name='us-east-1')
+            response = ec2_client.describe_regions(AllRegions=False)
+            regions = [region['RegionName'] for region in response['Regions']]
+            logger.debug(f"Found {len(regions)} enabled regions")
+            return regions
+        except Exception as e:
+            logger.error(f"Failed to get enabled regions: {str(e)}")
+            raise Exception(f"Failed to get enabled regions: {str(e)}")
+    
+    def _setup_clients(self):
+        """
+        Set up clients for each region. Must be implemented by subclasses.
+        """
+        raise NotImplementedError("Subclasses must implement _setup_clients method")
+    
+    def get_client(self, region: str) -> Optional[Any]:
+        """
+        Get client for a specific region.
+        
+        Args:
+            region: AWS region name
+            
+        Returns:
+            Client for the region or None if not available
+        """
+        return self._clients.get(region)
+    
+    def create_finding(self, status: str, region: str, resource_id: str, 
+                      actual_value: str, remediation: str, 
+                      checked_value: Optional[str] = None) -> Dict[str, Any]:
+        """
+        Create a standardized finding.
+        
+        Args:
+            status: Check status (PASS/FAIL/ERROR)
+            region: AWS region
+            resource_id: Resource identifier
+            actual_value: Actual value found
+            remediation: Remediation steps
+            checked_value: Value that was checked (defaults to service name + " Configuration")
+            
+        Returns:
+            Finding dictionary
+            
+        Note: account_id and account_name are automatically populated from initialization.
+        """
+        if checked_value is None:
+            checked_value = f"{self.service} Configuration"
+            
+        return {
+            "CheckId": self.check_id,
+            "Status": status,
+            "Region": region,
+            "Severity": self.severity,
+            "Title": f"{self.check_id} {self.check_name}",
+            "Description": self.description,
+            "ResourceId": resource_id,
+            "ResourceType": self.resource_type,
+            "AccountId": self.account_id,
+            "AccountName": self.account_name,
+            "CheckedValue": checked_value,
+            "ActualValue": actual_value,
+            "Remediation": remediation,
+            "Service": self.service,
+            "CheckLogic": self.check_logic,
+            "AccountType": self.account_type
+        }
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check. Must be implemented by subclasses.
+        
+        Returns:
+            List of findings
+        """
+        raise NotImplementedError("Subclasses must implement execute method")
+    
+    def get_findings(self) -> List[Dict[str, Any]]:
+        """
+        Get findings from the check.
+        
+        Returns:
+            List of findings
+        """
+        return self.findings
+
+    def _get_account_info(self) -> Dict[str, str]:
+        """
+        Get account ID and name from AWS Account API with caching.
+        
+        Returns:
+            Dictionary with 'account_id' and 'account_name' keys
+        """
+        # Get account ID from STS first (reliable, high rate limits)
+        try:
+            sts_client = self.session.client("sts")
+            response = sts_client.get_caller_identity()
+            account_id = response["Account"]
+        except Exception as e:
+            logger.error(f"Failed to get account ID from STS: {str(e)}")
+            raise Exception(f"Failed to get account ID: {str(e)}")
+        
+        # Check class-level cache
+        if account_id in SecurityCheck._account_info_cache:
+            logger.debug(f"Using cached account information for {account_id}")
+            return SecurityCheck._account_info_cache[account_id]
+        
+        # Try to get account name from Account API (low rate limits)
+        try:
+            logger.debug("Getting AWS account name from Account API")
+            account_client = self.session.client("account")
+            response = account_client.get_account_information()
+            account_name = response['AccountName']
+            logger.debug(f"Retrieved account name: {account_name}")
+        except Exception as e:
+            logger.warning(f"Failed to get account name from Account API: {str(e)}")
+            account_name = ""  # Blank account name when Account API fails
+        
+        # Create and cache account info
+        account_info = {
+            'account_id': account_id,
+            'account_name': account_name
+        }
+        SecurityCheck._account_info_cache[account_id] = account_info
+        logger.debug(f"Cached account information for {account_id}")
+        
+        return account_info
+
+    @property
+    def account_id(self) -> str:
+        """Get current account ID."""
+        return self.account_info['account_id'] if self.account_info else None
+    
+    @property 
+    def account_name(self) -> str:
+        """Get current account name."""
+        return self.account_info['account_name'] if self.account_info else None
+
+    def get_management_accountId(self, session: boto3.Session) -> str:
+        """
+        Get AWS management account ID from the session.
+
+        Args:
+            session: AWS session
+
+        Returns:
+            AWS management account ID
+        """
+        try:
+            logger.debug("Getting AWS management account ID")
+            org_client = session.client("organizations")
+            response = org_client.describe_organization()
+            management_account_id = response["Organization"]["MasterAccountId"]
+            logger.debug(f"Management account ID: {management_account_id}")
+            return management_account_id
+        except Exception as e:
+            logger.error(f"Failed to get AWS management account ID: {str(e)}")
+            raise Exception(f"Failed to get AWS management account ID: {str(e)}")