sraverify 0.1.1__py3-none-any.whl → 0.1.3__py3-none-any.whl

sraverify/services/organizations/checks/sra_organizations_04.py

@@ -0,0 +1,123 @@
+"""
+Check if organization has foundational OU - Workloads.
+"""
+from typing import Dict, List, Any
+from sraverify.services.organizations.base import OrganizationsCheck
+
+
+class SRA_ORGANIZATIONS_04(OrganizationsCheck):
+    """Check if organization has foundational OU - Workloads."""
+
+    def __init__(self):
+        """Initialize Workloads OU check."""
+        super().__init__(resource_type="AWS::Organizations::OrganizationalUnit")
+        self.check_id = "SRA-ORGANIZATIONS-04"
+        self.check_name = "Organization has foundational OU - Workloads"
+        self.description = (
+            "This check verifies that the organization has a Workloads organizational unit (OU) "
+            "directly under the root. The Workloads OU is a foundational OU recommended by AWS SRA "
+            "for organizing application workload accounts including production and non-production environments."
+        )
+        self.severity = "MEDIUM"
+        self.check_logic = (
+            "Retrieve the organization root using ListRoots API, then list all OUs under the root "
+            "using ListOrganizationalUnitsForParent API. Check passes if an OU named 'Workloads' "
+            "exists directly under the root."
+        )
+
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+
+        Returns:
+            List of findings
+        """
+        # Organizations is a global service, use "global" as region
+        region = "global"
+
+        # Get organization roots
+        roots_response = self.get_roots()
+
+        # Check for errors getting roots
+        if "Error" in roots_response:
+            error_message = roots_response["Error"].get("Message", "Unknown error")
+            self.findings.append(self.create_finding(
+                status="ERROR",
+                region=region,
+                resource_id=None,
+                actual_value=f"Error: {error_message}",
+                remediation="Check IAM permissions for Organizations API access",
+                checked_value="Workloads OU exists under root"
+            ))
+            return self.findings
+
+        roots = roots_response.get("Roots", [])
+        if not roots:
+            self.findings.append(self.create_finding(
+                status="ERROR",
+                region=region,
+                resource_id=None,
+                actual_value="No organization root found",
+                remediation="Ensure AWS Organizations is enabled and properly configured",
+                checked_value="Workloads OU exists under root"
+            ))
+            return self.findings
+
+        # Get the first root (organizations have only one root)
+        root = roots[0]
+        root_id = root.get("Id", "")
+
+        # Get OUs under the root
+        ous_response = self.get_ous_for_parent(root_id)
+
+        # Check for errors getting OUs
+        if "Error" in ous_response:
+            error_message = ous_response["Error"].get("Message", "Unknown error")
+            self.findings.append(self.create_finding(
+                status="ERROR",
+                region=region,
+                resource_id=root_id,
+                actual_value=f"Error: {error_message}",
+                remediation="Check IAM permissions for Organizations API access",
+                checked_value="Workloads OU exists under root"
+            ))
+            return self.findings
+
+        ous = ous_response.get("OrganizationalUnits", [])
+
+        # Look for Workloads OU
+        workloads_ou = None
+        for ou in ous:
+            if ou.get("Name") == "Workloads":
+                workloads_ou = ou
+                break
+
+        if workloads_ou:
+            ou_id = workloads_ou.get("Id", "Unknown")
+            self.findings.append(self.create_finding(
+                status="PASS",
+                region=region,
+                resource_id=ou_id,
+                actual_value=f"Workloads OU exists: {ou_id}",
+                remediation="No remediation needed",
+                checked_value="Workloads OU exists under root"
+            ))
+        else:
+            # List existing OUs for context
+            existing_ous = [ou.get("Name", "Unknown") for ou in ous]
+            existing_ous_str = ", ".join(existing_ous) if existing_ous else "None"
+            self.findings.append(self.create_finding(
+                status="FAIL",
+                region=region,
+                resource_id=root_id,
+                actual_value=f"Workloads OU not found. Existing OUs under root: {existing_ous_str}",
+                remediation=(
+                    "Create a Workloads organizational unit under the organization root. "
+                    "Navigate to AWS Organizations in the console, select the root, and create "
+                    "a new OU named 'Workloads'. Alternatively, use the AWS CLI: "
+                    f"aws organizations create-organizational-unit --parent-id {root_id} --name Workloads"
+                ),
+                checked_value="Workloads OU exists under root"
+            ))
+
+        return self.findings

sraverify/services/organizations/checks/sra_organizations_05.py

@@ -0,0 +1,92 @@
+"""
+Check if organization has all features enabled.
+"""
+from typing import Dict, List, Any
+from sraverify.services.organizations.base import OrganizationsCheck
+
+
+class SRA_ORGANIZATIONS_05(OrganizationsCheck):
+    """Check if organization has all features enabled."""
+
+    def __init__(self):
+        """Initialize all features enabled check."""
+        super().__init__(resource_type="AWS::Organizations::Organization")
+        self.check_id = "SRA-ORGANIZATIONS-05"
+        self.check_name = "Organization has all features enabled"
+        self.description = (
+            "This check verifies that the organization has all features enabled. "
+            "All features mode enables full governance capabilities including Service Control Policies (SCPs), "
+            "tag policies, backup policies, and AI services opt-out policies. Organizations with only "
+            "consolidated billing have limited governance capabilities."
+        )
+        self.severity = "HIGH"
+        self.check_logic = (
+            "Call DescribeOrganization API to retrieve organization details. "
+            "Check passes if FeatureSet equals 'ALL', fails if FeatureSet equals 'CONSOLIDATED_BILLING'."
+        )
+
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+
+        Returns:
+            List of findings
+        """
+        # Organizations is a global service, use "global" as region
+        region = "global"
+
+        # Get organization details
+        response = self.get_organization()
+
+        # Check for errors
+        if "Error" in response:
+            error_message = response["Error"].get("Message", "Unknown error")
+            self.findings.append(self.create_finding(
+                status="ERROR",
+                region=region,
+                resource_id=None,
+                actual_value=f"Error: {error_message}",
+                remediation="Check IAM permissions for Organizations API access",
+                checked_value="Organization FeatureSet"
+            ))
+            return self.findings
+
+        # Extract organization details
+        organization = response.get("Organization", {})
+        org_id = organization.get("Id", "Unknown")
+        feature_set = organization.get("FeatureSet", "Unknown")
+
+        if feature_set == "ALL":
+            self.findings.append(self.create_finding(
+                status="PASS",
+                region=region,
+                resource_id=org_id,
+                actual_value=f"FeatureSet: {feature_set}",
+                remediation="No remediation needed",
+                checked_value="Organization FeatureSet"
+            ))
+        elif feature_set == "CONSOLIDATED_BILLING":
+            self.findings.append(self.create_finding(
+                status="FAIL",
+                region=region,
+                resource_id=org_id,
+                actual_value=f"FeatureSet: {feature_set}",
+                remediation=(
+                    "Enable all features in AWS Organizations to gain full governance capabilities. "
+                    "Navigate to AWS Organizations in the console and enable all features. "
+                    "Note: This requires consent from all member accounts. "
+                    "See: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html"
+                ),
+                checked_value="Organization FeatureSet"
+            ))
+        else:
+            self.findings.append(self.create_finding(
+                status="ERROR",
+                region=region,
+                resource_id=org_id,
+                actual_value=f"Unknown FeatureSet: {feature_set}",
+                remediation="Verify organization configuration",
+                checked_value="Organization FeatureSet"
+            ))
+
+        return self.findings

sraverify/services/organizations/checks/sra_organizations_06.py

@@ -0,0 +1,125 @@
+"""
+Check if organization has Service Control Policies configured.
+"""
+from typing import Dict, List, Any
+from sraverify.services.organizations.base import OrganizationsCheck
+
+
+class SRA_ORGANIZATIONS_06(OrganizationsCheck):
+    """Check if organization has Service Control Policies configured."""
+
+    def __init__(self):
+        """Initialize SCP check."""
+        super().__init__(resource_type="AWS::Organizations::Policy")
+        self.check_id = "SRA-ORGANIZATIONS-06"
+        self.check_name = "Organization has Service Control Policies configured"
+        self.description = (
+            "This check verifies that the organization has at least one custom Service Control Policy (SCP) "
+            "configured beyond the default FullAWSAccess policy. SCPs are essential for implementing "
+            "permission guardrails across the organization to enforce security and compliance requirements."
+        )
+        self.severity = "HIGH"
+        self.check_logic = (
+            "Call ListPolicies API with filter for SERVICE_CONTROL_POLICY type. "
+            "Check passes if at least one custom SCP exists (AwsManaged=False), "
+            "fails if only the default FullAWSAccess policy exists or no SCPs are found."
+        )
+
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+
+        Returns:
+            List of findings
+        """
+        # Organizations is a global service, use "global" as region
+        region = "global"
+
+        # Get organization details for org_id
+        org_response = self.get_organization()
+        org_id = None
+        if "Organization" in org_response:
+            org_id = org_response["Organization"].get("Id", "Unknown")
+
+        # Get SCPs
+        response = self.list_policies("SERVICE_CONTROL_POLICY")
+
+        # Check for errors
+        if "Error" in response:
+            error_code = response["Error"].get("Code", "")
+            error_message = response["Error"].get("Message", "Unknown error")
+
+            # PolicyTypeNotEnabledException means SCPs are not enabled
+            if error_code == "PolicyTypeNotEnabledException":
+                self.findings.append(self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id=org_id,
+                    actual_value="Service Control Policies are not enabled",
+                    remediation=(
+                        "Enable Service Control Policies in AWS Organizations. "
+                        "Navigate to AWS Organizations > Policies > Service control policies and enable SCPs. "
+                        "Then create custom SCPs to implement permission guardrails."
+                    ),
+                    checked_value="Custom SCPs configured"
+                ))
+            else:
+                self.findings.append(self.create_finding(
+                    status="ERROR",
+                    region=region,
+                    resource_id=org_id,
+                    actual_value=f"Error: {error_message}",
+                    remediation="Check IAM permissions for Organizations API access",
+                    checked_value="Custom SCPs configured"
+                ))
+            return self.findings
+
+        policies = response.get("Policies", [])
+
+        # Count custom SCPs (not AWS managed)
+        custom_scps = [p for p in policies if not p.get("AwsManaged", False)]
+        custom_scp_count = len(custom_scps)
+
+        if not policies:
+            # No SCPs at all - SCPs might not be enabled
+            self.findings.append(self.create_finding(
+                status="FAIL",
+                region=region,
+                resource_id=org_id,
+                actual_value="No Service Control Policies found",
+                remediation=(
+                    "Enable Service Control Policies in AWS Organizations and create custom SCPs. "
+                    "Navigate to AWS Organizations > Policies > Service control policies and enable SCPs. "
+                    "Then create custom SCPs to implement permission guardrails."
+                ),
+                checked_value="Custom SCPs configured"
+            ))
+        elif custom_scp_count == 0:
+            # Only AWS managed policies (FullAWSAccess)
+            policy_names = [p.get("Name", "Unknown") for p in policies]
+            self.findings.append(self.create_finding(
+                status="FAIL",
+                region=region,
+                resource_id=org_id,
+                actual_value=f"Only default policies found: {', '.join(policy_names)}",
+                remediation=(
+                    "Create custom Service Control Policies to implement permission guardrails. "
+                    "Navigate to AWS Organizations > Policies > Service control policies and create new SCPs. "
+                    "Consider implementing SCPs for: denying root user actions, restricting regions, "
+                    "preventing disabling of security services, and enforcing encryption."
+                ),
+                checked_value="Custom SCPs configured"
+            ))
+        else:
+            # Custom SCPs exist
+            custom_scp_names = [p.get("Name", "Unknown") for p in custom_scps]
+            self.findings.append(self.create_finding(
+                status="PASS",
+                region=region,
+                resource_id=org_id,
+                actual_value=f"{custom_scp_count} custom SCP(s) configured: {', '.join(custom_scp_names)}",
+                remediation="No remediation needed",
+                checked_value="Custom SCPs configured"
+            ))
+
+        return self.findings

sraverify/services/organizations/checks/sra_organizations_07.py

@@ -0,0 +1,128 @@
+"""
+Check if organization has Resource Control Policies configured.
+"""
+from typing import Dict, List, Any
+from sraverify.services.organizations.base import OrganizationsCheck
+
+
+class SRA_ORGANIZATIONS_07(OrganizationsCheck):
+    """Check if organization has Resource Control Policies configured."""
+
+    def __init__(self):
+        """Initialize RCP check."""
+        super().__init__(resource_type="AWS::Organizations::Policy")
+        self.check_id = "SRA-ORGANIZATIONS-07"
+        self.check_name = "Organization has Resource Control Policies configured"
+        self.description = (
+            "This check verifies that the organization has at least one custom Resource Control Policy (RCP) "
+            "configured beyond the default RCPFullAWSAccess policy. RCPs are a type of organization policy "
+            "that help you centrally establish data perimeter controls across AWS resources in your organization. "
+            "RCPs complement SCPs by controlling what resources can be accessed rather than what actions "
+            "principals can perform."
+        )
+        self.severity = "MEDIUM"
+        self.check_logic = (
+            "Call ListPolicies API with filter for RESOURCE_CONTROL_POLICY type. "
+            "Check passes if at least one custom RCP exists (AwsManaged=False), "
+            "fails if only the default RCPFullAWSAccess policy exists or no RCPs are found."
+        )
+
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+
+        Returns:
+            List of findings
+        """
+        # Organizations is a global service, use "global" as region
+        region = "global"
+
+        # Get organization details for org_id
+        org_response = self.get_organization()
+        org_id = None
+        if "Organization" in org_response:
+            org_id = org_response["Organization"].get("Id", "Unknown")
+
+        # Get RCPs
+        response = self.list_policies("RESOURCE_CONTROL_POLICY")
+
+        # Check for errors
+        if "Error" in response:
+            error_code = response["Error"].get("Code", "")
+            error_message = response["Error"].get("Message", "Unknown error")
+
+            # PolicyTypeNotEnabledException means RCPs are not enabled
+            if error_code == "PolicyTypeNotEnabledException":
+                self.findings.append(self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id=org_id,
+                    actual_value="Resource Control Policies are not enabled",
+                    remediation=(
+                        "Enable Resource Control Policies in AWS Organizations. "
+                        "Navigate to AWS Organizations > Policies > Resource control policies and enable RCPs. "
+                        "Then create RCPs to implement data perimeter controls across your organization."
+                    ),
+                    checked_value="RCPs configured"
+                ))
+            else:
+                self.findings.append(self.create_finding(
+                    status="ERROR",
+                    region=region,
+                    resource_id=org_id,
+                    actual_value=f"Error: {error_message}",
+                    remediation="Check IAM permissions for Organizations API access",
+                    checked_value="RCPs configured"
+                ))
+            return self.findings
+
+        policies = response.get("Policies", [])
+
+        # Count custom RCPs (not AWS managed - exclude RCPFullAWSAccess)
+        custom_rcps = [p for p in policies if not p.get("AwsManaged", False)]
+        custom_rcp_count = len(custom_rcps)
+
+        if not policies:
+            # No RCPs at all - RCPs might not be enabled
+            self.findings.append(self.create_finding(
+                status="FAIL",
+                region=region,
+                resource_id=org_id,
+                actual_value="No Resource Control Policies found",
+                remediation=(
+                    "Enable Resource Control Policies in AWS Organizations and create RCPs. "
+                    "Navigate to AWS Organizations > Policies > Resource control policies and enable RCPs. "
+                    "Then create RCPs to implement data perimeter controls such as restricting access "
+                    "to resources based on organization membership or network location."
+                ),
+                checked_value="Custom RCPs configured"
+            ))
+        elif custom_rcp_count == 0:
+            # Only AWS managed policies (RCPFullAWSAccess)
+            policy_names = [p.get("Name", "Unknown") for p in policies]
+            self.findings.append(self.create_finding(
+                status="FAIL",
+                region=region,
+                resource_id=org_id,
+                actual_value=f"Only default policies found: {', '.join(policy_names)}",
+                remediation=(
+                    "Create custom Resource Control Policies to implement data perimeter controls. "
+                    "Navigate to AWS Organizations > Policies > Resource control policies and create new RCPs. "
+                    "Consider implementing RCPs for: restricting access to resources based on organization "
+                    "membership, enforcing HTTPS connections, and cross-service confused deputy protection."
+                ),
+                checked_value="Custom RCPs configured"
+            ))
+        else:
+            # Custom RCPs exist
+            custom_rcp_names = [p.get("Name", "Unknown") for p in custom_rcps]
+            self.findings.append(self.create_finding(
+                status="PASS",
+                region=region,
+                resource_id=org_id,
+                actual_value=f"{custom_rcp_count} custom RCP(s) configured: {', '.join(custom_rcp_names)}",
+                remediation="No remediation needed",
+                checked_value="Custom RCPs configured"
+            ))
+
+        return self.findings

sraverify/services/organizations/checks/sra_organizations_08.py

@@ -0,0 +1,167 @@
+"""
+Check if audit account is in Security OU.
+"""
+from typing import Dict, List, Any
+from sraverify.services.organizations.base import OrganizationsCheck
+
+
+class SRA_ORGANIZATIONS_08(OrganizationsCheck):
+    """Check if audit account is in Security OU."""
+
+    def __init__(self):
+        """Initialize audit account in Security OU check."""
+        super().__init__(resource_type="AWS::Organizations::Account")
+        self.check_id = "SRA-ORGANIZATIONS-08"
+        self.check_name = "Audit account is in Security OU"
+        self.description = (
+            "This check verifies that the audit account (Security Tooling account) is located in the "
+            "Security organizational unit. According to AWS SRA best practices, the audit account should "
+            "be placed in the Security OU to ensure proper isolation and governance of security tooling."
+        )
+        self.severity = "HIGH"
+        self.check_logic = (
+            "Get the Security OU under the organization root, then list all accounts in the Security OU. "
+            "Check passes if the audit account (provided via --audit-account CLI parameter) is found in "
+            "the Security OU."
+        )
+        self._audit_accounts = []  # Will be populated from CLI --audit-account parameter
+
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+
+        Returns:
+            List of findings
+        """
+        # Organizations is a global service, use "global" as region
+        region = "global"
+
+        # Check if audit account is provided
+        if not self._audit_accounts:
+            self.findings.append(self.create_finding(
+                status="FAIL",
+                region=region,
+                resource_id=None,
+                actual_value="Audit account ID not provided",
+                remediation="Run check with --audit-account parameter to specify the audit account ID",
+                checked_value="Audit account in Security OU"
+            ))
+            return self.findings
+
+        # Get organization roots
+        roots_response = self.get_roots()
+        if "Error" in roots_response:
+            error_message = roots_response["Error"].get("Message", "Unknown error")
+            self.findings.append(self.create_finding(
+                status="ERROR",
+                region=region,
+                resource_id=None,
+                actual_value=f"Error: {error_message}",
+                remediation="Check IAM permissions for Organizations API access",
+                checked_value="Audit account in Security OU"
+            ))
+            return self.findings
+
+        roots = roots_response.get("Roots", [])
+        if not roots:
+            self.findings.append(self.create_finding(
+                status="ERROR",
+                region=region,
+                resource_id=None,
+                actual_value="No organization root found",
+                remediation="Ensure AWS Organizations is enabled and properly configured",
+                checked_value="Audit account in Security OU"
+            ))
+            return self.findings
+
+        root = roots[0]
+        root_id = root.get("Id", "")
+
+        # Get OUs under the root to find Security OU
+        ous_response = self.get_ous_for_parent(root_id)
+        if "Error" in ous_response:
+            error_message = ous_response["Error"].get("Message", "Unknown error")
+            self.findings.append(self.create_finding(
+                status="ERROR",
+                region=region,
+                resource_id=root_id,
+                actual_value=f"Error: {error_message}",
+                remediation="Check IAM permissions for Organizations API access",
+                checked_value="Audit account in Security OU"
+            ))
+            return self.findings
+
+        ous = ous_response.get("OrganizationalUnits", [])
+
+        # Find Security OU
+        security_ou = None
+        for ou in ous:
+            if ou.get("Name") == "Security":
+                security_ou = ou
+                break
+
+        if not security_ou:
+            self.findings.append(self.create_finding(
+                status="FAIL",
+                region=region,
+                resource_id=root_id,
+                actual_value="Security OU not found under organization root",
+                remediation=(
+                    "Create a Security organizational unit under the organization root and move the "
+                    "audit account into it. Navigate to AWS Organizations in the console, create the "
+                    "Security OU, then move the audit account to the Security OU."
+                ),
+                checked_value="Audit account in Security OU"
+            ))
+            return self.findings
+
+        security_ou_id = security_ou.get("Id", "")
+
+        # Get accounts in Security OU
+        accounts_response = self.get_accounts_for_parent(security_ou_id)
+        if "Error" in accounts_response:
+            error_message = accounts_response["Error"].get("Message", "Unknown error")
+            self.findings.append(self.create_finding(
+                status="ERROR",
+                region=region,
+                resource_id=security_ou_id,
+                actual_value=f"Error: {error_message}",
+                remediation="Check IAM permissions for Organizations API access",
+                checked_value="Audit account in Security OU"
+            ))
+            return self.findings
+
+        accounts = accounts_response.get("Accounts", [])
+        account_ids_in_security_ou = [acc.get("Id") for acc in accounts]
+
+        # Check if audit account(s) are in Security OU
+        for audit_account_id in self._audit_accounts:
+            if audit_account_id in account_ids_in_security_ou:
+                # Find account name for better reporting
+                account_name = next(
+                    (acc.get("Name", "Unknown") for acc in accounts if acc.get("Id") == audit_account_id),
+                    "Unknown"
+                )
+                self.findings.append(self.create_finding(
+                    status="PASS",
+                    region=region,
+                    resource_id=audit_account_id,
+                    actual_value=f"Audit account {audit_account_id} ({account_name}) is in Security OU",
+                    remediation="No remediation needed",
+                    checked_value="Audit account in Security OU"
+                ))
+            else:
+                self.findings.append(self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id=audit_account_id,
+                    actual_value=f"Audit account {audit_account_id} is not in Security OU",
+                    remediation=(
+                        f"Move the audit account {audit_account_id} to the Security OU. "
+                        "Navigate to AWS Organizations in the console, select the audit account, "
+                        "and move it to the Security OU."
+                    ),
+                    checked_value="Audit account in Security OU"
+                ))
+
+        return self.findings