PyPI - sraverify - Versions diffs - 0.1.1__py3-none-any.whl → 0.1.3__py3-none-any.whl - Mend

sraverify 0.1.1py3-none-any.whl → 0.1.3py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (22) hide show

sraverify/services/organizations/checks/sra_organizations_09.py ADDED Viewed

@@ -0,0 +1,167 @@
+"""
+Check if log archive account is in Security OU.
+"""
+from typing import Dict, List, Any
+from sraverify.services.organizations.base import OrganizationsCheck
+class SRA_ORGANIZATIONS_09(OrganizationsCheck):
+    """Check if log archive account is in Security OU."""
+    def __init__(self):
+        """Initialize log archive account in Security OU check."""
+        super().__init__(resource_type="AWS::Organizations::Account")
+        self.check_id = "SRA-ORGANIZATIONS-09"
+        self.check_name = "Log Archive account is in Security OU"
+        self.description = (
+            "This check verifies that the log archive account is located in the Security organizational unit. "
+            "According to AWS SRA best practices, the log archive account should be placed in the Security OU "
+            "to ensure proper isolation and governance of centralized logging infrastructure."
+        )
+        self.severity = "HIGH"
+        self.check_logic = (
+            "Get the Security OU under the organization root, then list all accounts in the Security OU. "
+            "Check passes if the log archive account (provided via --log-archive-account CLI parameter) "
+            "is found in the Security OU."
+        )
+        self._log_archive_accounts = []  # Will be populated from CLI --log-archive-account parameter
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        Returns:
+            List of findings
+        """
+        # Organizations is a global service, use "global" as region
+        region = "global"
+        # Check if log archive account is provided
+        if not self._log_archive_accounts:
+            self.findings.append(self.create_finding(
+                status="FAIL",
+                region=region,
+                resource_id=None,
+                actual_value="Log archive account ID not provided",
+                remediation="Run check with --log-archive-account parameter to specify the log archive account ID",
+                checked_value="Log Archive account in Security OU"
+            ))
+            return self.findings
+        # Get organization roots
+        roots_response = self.get_roots()
+        if "Error" in roots_response:
+            error_message = roots_response["Error"].get("Message", "Unknown error")
+            self.findings.append(self.create_finding(
+                status="ERROR",
+                region=region,
+                resource_id=None,
+                actual_value=f"Error: {error_message}",
+                remediation="Check IAM permissions for Organizations API access",
+                checked_value="Log Archive account in Security OU"
+            ))
+            return self.findings
+        roots = roots_response.get("Roots", [])
+        if not roots:
+            self.findings.append(self.create_finding(
+                status="ERROR",
+                region=region,
+                resource_id=None,
+                actual_value="No organization root found",
+                remediation="Ensure AWS Organizations is enabled and properly configured",
+                checked_value="Log Archive account in Security OU"
+            ))
+            return self.findings
+        root = roots[0]
+        root_id = root.get("Id", "")
+        # Get OUs under the root to find Security OU
+        ous_response = self.get_ous_for_parent(root_id)
+        if "Error" in ous_response:
+            error_message = ous_response["Error"].get("Message", "Unknown error")
+            self.findings.append(self.create_finding(
+                status="ERROR",
+                region=region,
+                resource_id=root_id,
+                actual_value=f"Error: {error_message}",
+                remediation="Check IAM permissions for Organizations API access",
+                checked_value="Log Archive account in Security OU"
+            ))
+            return self.findings
+        ous = ous_response.get("OrganizationalUnits", [])
+        # Find Security OU
+        security_ou = None
+        for ou in ous:
+            if ou.get("Name") == "Security":
+                security_ou = ou
+                break
+        if not security_ou:
+            self.findings.append(self.create_finding(
+                status="FAIL",
+                region=region,
+                resource_id=root_id,
+                actual_value="Security OU not found under organization root",
+                remediation=(
+                    "Create a Security organizational unit under the organization root and move the "
+                    "log archive account into it. Navigate to AWS Organizations in the console, create the "
+                    "Security OU, then move the log archive account to the Security OU."
+                ),
+                checked_value="Log Archive account in Security OU"
+            ))
+            return self.findings
+        security_ou_id = security_ou.get("Id", "")
+        # Get accounts in Security OU
+        accounts_response = self.get_accounts_for_parent(security_ou_id)
+        if "Error" in accounts_response:
+            error_message = accounts_response["Error"].get("Message", "Unknown error")
+            self.findings.append(self.create_finding(
+                status="ERROR",
+                region=region,
+                resource_id=security_ou_id,
+                actual_value=f"Error: {error_message}",
+                remediation="Check IAM permissions for Organizations API access",
+                checked_value="Log Archive account in Security OU"
+            ))
+            return self.findings
+        accounts = accounts_response.get("Accounts", [])
+        account_ids_in_security_ou = [acc.get("Id") for acc in accounts]
+        # Check if log archive account(s) are in Security OU
+        for log_archive_account_id in self._log_archive_accounts:
+            if log_archive_account_id in account_ids_in_security_ou:
+                # Find account name for better reporting
+                account_name = next(
+                    (acc.get("Name", "Unknown") for acc in accounts if acc.get("Id") == log_archive_account_id),
+                    "Unknown"
+                )
+                self.findings.append(self.create_finding(
+                    status="PASS",
+                    region=region,
+                    resource_id=log_archive_account_id,
+                    actual_value=f"Log archive account {log_archive_account_id} ({account_name}) is in Security OU",
+                    remediation="No remediation needed",
+                    checked_value="Log Archive account in Security OU"
+                ))
+            else:
+                self.findings.append(self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id=log_archive_account_id,
+                    actual_value=f"Log archive account {log_archive_account_id} is not in Security OU",
+                    remediation=(
+                        f"Move the log archive account {log_archive_account_id} to the Security OU. "
+                        "Navigate to AWS Organizations in the console, select the log archive account, "
+                        "and move it to the Security OU."
+                    ),
+                    checked_value="Log Archive account in Security OU"
+                ))
+        return self.findings

sraverify/services/organizations/client.py ADDED Viewed

@@ -0,0 +1,153 @@
+"""
+Organizations client for interacting with AWS Organizations service.
+"""
+from typing import Dict, List, Optional, Any
+import boto3
+from botocore.exceptions import ClientError
+from sraverify.core.logging import logger
+class OrganizationsClient:
+    """Client for interacting with AWS Organizations service."""
+    def __init__(self, session: Optional[boto3.Session] = None):
+        """
+        Initialize Organizations client.
+        Args:
+            session: AWS session to use (if None, a new session will be created)
+        """
+        self.session = session or boto3.Session()
+        # Organizations is a global service, always use us-east-1
+        self.client = self.session.client('organizations', region_name='us-east-1')
+    def describe_organization(self) -> Dict[str, Any]:
+        """
+        Get organization details.
+        Returns:
+            Dictionary with Organization key containing organization details,
+            or Error key if an error occurred.
+        """
+        try:
+            response = self.client.describe_organization()
+            return response
+        except ClientError as e:
+            error_code = e.response.get('Error', {}).get('Code', '')
+            error_message = e.response.get('Error', {}).get('Message', str(e))
+            logger.error(f"Error describing organization: {error_message}")
+            return {
+                "Error": {
+                    "Code": error_code,
+                    "Message": error_message
+                }
+            }
+    def list_roots(self) -> Dict[str, Any]:
+        """
+        List organization roots with pagination support.
+        Returns:
+            Dictionary with Roots key containing list of roots,
+            or Error key if an error occurred.
+        """
+        try:
+            roots = []
+            paginator = self.client.get_paginator('list_roots')
+            for page in paginator.paginate():
+                roots.extend(page.get('Roots', []))
+            return {"Roots": roots}
+        except ClientError as e:
+            error_code = e.response.get('Error', {}).get('Code', '')
+            error_message = e.response.get('Error', {}).get('Message', str(e))
+            logger.error(f"Error listing roots: {error_message}")
+            return {
+                "Error": {
+                    "Code": error_code,
+                    "Message": error_message
+                }
+            }
+    def list_organizational_units_for_parent(self, parent_id: str) -> Dict[str, Any]:
+        """
+        List organizational units under a parent with pagination support.
+        Args:
+            parent_id: The ID of the parent root or OU
+        Returns:
+            Dictionary with OrganizationalUnits key containing list of OUs,
+            or Error key if an error occurred.
+        """
+        try:
+            ous = []
+            paginator = self.client.get_paginator('list_organizational_units_for_parent')
+            for page in paginator.paginate(ParentId=parent_id):
+                ous.extend(page.get('OrganizationalUnits', []))
+            return {"OrganizationalUnits": ous}
+        except ClientError as e:
+            error_code = e.response.get('Error', {}).get('Code', '')
+            error_message = e.response.get('Error', {}).get('Message', str(e))
+            logger.error(f"Error listing OUs for parent {parent_id}: {error_message}")
+            return {
+                "Error": {
+                    "Code": error_code,
+                    "Message": error_message
+                }
+            }
+    def list_policies(self, policy_type: str = "SERVICE_CONTROL_POLICY") -> Dict[str, Any]:
+        """
+        List policies by type with pagination support.
+        Args:
+            policy_type: Type of policy to list (default: SERVICE_CONTROL_POLICY)
+        Returns:
+            Dictionary with Policies key containing list of policies,
+            or Error key if an error occurred.
+        """
+        try:
+            policies = []
+            paginator = self.client.get_paginator('list_policies')
+            for page in paginator.paginate(Filter=policy_type):
+                policies.extend(page.get('Policies', []))
+            return {"Policies": policies}
+        except ClientError as e:
+            error_code = e.response.get('Error', {}).get('Code', '')
+            error_message = e.response.get('Error', {}).get('Message', str(e))
+            logger.error(f"Error listing policies of type {policy_type}: {error_message}")
+            return {
+                "Error": {
+                    "Code": error_code,
+                    "Message": error_message
+                }
+            }
+    def list_accounts_for_parent(self, parent_id: str) -> Dict[str, Any]:
+        """
+        List accounts under a parent (root or OU) with pagination support.
+        Args:
+            parent_id: The ID of the parent root or OU
+        Returns:
+            Dictionary with Accounts key containing list of accounts,
+            or Error key if an error occurred.
+        """
+        try:
+            accounts = []
+            paginator = self.client.get_paginator('list_accounts_for_parent')
+            for page in paginator.paginate(ParentId=parent_id):
+                accounts.extend(page.get('Accounts', []))
+            return {"Accounts": accounts}
+        except ClientError as e:
+            error_code = e.response.get('Error', {}).get('Code', '')
+            error_message = e.response.get('Error', {}).get('Message', str(e))
+            logger.error(f"Error listing accounts for parent {parent_id}: {error_message}")
+            return {
+                "Error": {
+                    "Code": error_code,
+                    "Message": error_message
+                }
+            }

{sraverify-0.1.1.dist-info → sraverify-0.1.3.dist-info}/METADATA RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: sraverify
-Version: 0.1.1
+Version: 0.1.3
 Summary: AWS Security Reference Architecture Verification Tool
 Home-page: https://github.com/awslabs/sra-verify
 Author: SRA Verify team

{sraverify-0.1.1.dist-info → sraverify-0.1.3.dist-info}/RECORD RENAMED Viewed

@@ -1,5 +1,5 @@
 sraverify/__init__.py,sha256=6gfuKM0QW6xcFPeN782mbPiCK8PEolaXL05Mbdli32Y,1201
-sraverify/main.py,sha256=nq6Z5oPcgZeOYUKZEKSr9tDEEoODiqHgVNAwrgsFJpk,14449
+sraverify/main.py,sha256=Ohfe-jymToqLpdsMnDm_q73MwQ-5DnkEU4cd98aczHI,14461
 sraverify/checks/__init__.py,sha256=I12r97y4IJH00Y2yUgxK_VJn1eANva19v0FMdydnGvA,2033
 sraverify/checks/accessanalyzer/SRA_IAA_1.py,sha256=hsVfgo-ia7uvNs4PNdk2ikTAxVUOmViQ8KeTJXJ7Ljg,8205
 sraverify/checks/accessanalyzer/SRA_IAA_2.py,sha256=mcDEhQdqu4w9e_Egdtcc0iTKHSnpm4VMf_R559Wi5pQ,8251
@@ -24,7 +24,7 @@ sraverify/checks/config/SRA-CONFIG-1.py,sha256=DT2Nce99vFHBuFjVDyLYQc2VCcBmziXlj
 sraverify/checks/config/__init__.py,sha256=ZcR-cj0dQNGFi_TKwOREXGr3Onju9VtFsds8rtbBg6s,55
 sraverify/core/__init__.py,sha256=zoDY1Q-oGF9IVGD5f07yJ4d1KuWKQq3IqEDmetOFdok,54
 sraverify/core/check.py,sha256=MDjjHV3mFYprEeHCEadzme3A0UHUpLEbLJ4wGpi0rSU,8559
-sraverify/core/logging.py,sha256=yBxy9Js3ktMfzv1N_HKVRViCvW7d5gVK2-AzIvwQYFQ,870
+sraverify/core/logging.py,sha256=xG7ySsfu45IEApS1nLMn118iXdt-pOJyM-d7y4AofWA,2329
 sraverify/core/session.py,sha256=vbLyGEhFJ8thU9BHgN80MexZLoJMKlZDFIcGwKECblo,1507
 sraverify/lib/__init__.py,sha256=ENiW27PYy5d_2BeoIxdxckFmW9KcrVX1dp97smmVx0c,55
 sraverify/lib/audit_info.py,sha256=c6O4I9mJFjxzHFLROQ_1PcR0lQmT_tA0JQMtCNUlS2s,1553
@@ -164,6 +164,19 @@ sraverify/services/macie/checks/sra_macie_07.py,sha256=QMNS6lds_9yzM3IAwVUBM0utG
 sraverify/services/macie/checks/sra_macie_08.py,sha256=2CX2r8JZ58OgkpO2VpCtA32mtsItxbRRC-8k2NQuiN8,3631
 sraverify/services/macie/checks/sra_macie_09.py,sha256=ivKtS2ZX9AfpJ4iQyie1f5bM_Y0FolnWM2zppilLNw0,4701
 sraverify/services/macie/checks/sra_macie_10.py,sha256=CpsIR43yxXtcEOo0NdlTUdSZSa_2g-jSSQ_Y6on5biM,3406
+sraverify/services/organizations/__init__.py,sha256=CSnyU3J9e985U7W4HSAHwQA2Q5UXzxjEhCALzKpxcRE,1402
+sraverify/services/organizations/base.py,sha256=BWR656oIIhvSCnSMRb6GUWfvo7BAaXpLGwxIG30VWAM,6578
+sraverify/services/organizations/client.py,sha256=xyIm34ei5jRtSMxLPInGLSjzutryiu_xpKCm8wy_KB4,5860
+sraverify/services/organizations/checks/__init__.py,sha256=y6QCfZhmcKUPml_LUuIiDOiAFjwKr4Bibog9JxPxazQ,58
+sraverify/services/organizations/checks/sra_organizations_01.py,sha256=lOvLU7f0FL54R6DEnf5trjVEfq8s1ZYcpqYWtarmdgA,3410
+sraverify/services/organizations/checks/sra_organizations_02.py,sha256=ntDmc2MXmCyLgC8S-AxTh-g5t5-q-Yd5PMRZHoc6HOA,5090
+sraverify/services/organizations/checks/sra_organizations_03.py,sha256=QpRwu1_hidgDnhVJvOcrozSGsEZe8XB0gGP8Fe1vFcQ,5143
+sraverify/services/organizations/checks/sra_organizations_04.py,sha256=GNmORLBislFj85JQveiLwpKPSP8NzeuPdJ5hq18mei8,5029
+sraverify/services/organizations/checks/sra_organizations_05.py,sha256=hxXky9D4aclvf3jb3SfchYPwvT6TiV1YUr0uqjx00nk,3814
+sraverify/services/organizations/checks/sra_organizations_06.py,sha256=tZ5kaH5eBsJKaSo7BUdvjndlR08eX9BZf3L8PDOtERM,5622
+sraverify/services/organizations/checks/sra_organizations_07.py,sha256=YG1KwupIGFp2Vw1amt4QIk992OZOsg4GF6ALUnjpKC0,5965
+sraverify/services/organizations/checks/sra_organizations_08.py,sha256=-atpxnq6lSoH8qE50Drpl7Qh-W2BV0rEJBTWU5k5QL8,7120
+sraverify/services/organizations/checks/sra_organizations_09.py,sha256=rAM3m8bNpkK7Bz0R4W6SWbXkAKGM0f5gmX7AGvRMvKk,7345
 sraverify/services/s3/__init__.py,sha256=x0vB4X1I_b66RlKfcJDn7ZvIoTywySHK0vWBvoLDcyY,417
 sraverify/services/s3/base.py,sha256=-3czNyp2vZ_HKQ3xh6gtAG9AHnPpxtDTaIA1OF1I1BQ,2542
 sraverify/services/s3/client.py,sha256=acd3YlcK-FyIvdAg5obcqHG2HdGbJk8WO0BwYHrHvCc,2146
@@ -252,10 +265,10 @@ sraverify/utils/__init__.py,sha256=IjhsKkC2WOXrINnNksrNX69R5XwTCTO6gVlLkv_guxQ,5
 sraverify/utils/banner.py,sha256=zMLBKuw7G8mielJeMXXPaAMnwKy6CpapX-1GVfKyux8,2756
 sraverify/utils/outputs.py,sha256=HlEuy21RgrcTuRjWkFDfrY6GfO1DNVzGMBLOxvemjek,1721
 sraverify/utils/progress.py,sha256=B_Dhaep3inav3SC1ZpKPcH74tgJqf6wmY2ILzAGbOeU,3190
-sraverify-0.1.1.dist-info/LICENSE,sha256=CeipvOyAZxBGUsFoaFqwkx54aPnIKEtm9a5u2uXxEws,10142
-sraverify-0.1.1.dist-info/METADATA,sha256=VnxpjniXZflUNTEnpIsPIgtxXAP9YXA78nexza0Q_qs,17007
-sraverify-0.1.1.dist-info/NOTICE,sha256=1CkO1kwu3Q_OHYTj-d-yiBJA_lNN73a4zSntavaD4oc,67
-sraverify-0.1.1.dist-info/WHEEL,sha256=tZoeGjtWxWRfdplE7E3d45VPlLNQnvbKiYnx7gwAy8A,92
-sraverify-0.1.1.dist-info/entry_points.txt,sha256=lewX6FKnqbko4m2xq4N_UiJbzSrghnjoZyD1YdBmoO8,50
-sraverify-0.1.1.dist-info/top_level.txt,sha256=dqkttmF4ZzAyRMF2tDxRuIvDZGjyVIoV9eDqK5sMzYM,10
-sraverify-0.1.1.dist-info/RECORD,,
+sraverify-0.1.3.dist-info/LICENSE,sha256=CeipvOyAZxBGUsFoaFqwkx54aPnIKEtm9a5u2uXxEws,10142
+sraverify-0.1.3.dist-info/METADATA,sha256=kS1he0LIztFx0s2qXGVkfbC2L9FleVFFzD-BW3ka6gk,17007
+sraverify-0.1.3.dist-info/NOTICE,sha256=1CkO1kwu3Q_OHYTj-d-yiBJA_lNN73a4zSntavaD4oc,67
+sraverify-0.1.3.dist-info/WHEEL,sha256=tZoeGjtWxWRfdplE7E3d45VPlLNQnvbKiYnx7gwAy8A,92
+sraverify-0.1.3.dist-info/entry_points.txt,sha256=lewX6FKnqbko4m2xq4N_UiJbzSrghnjoZyD1YdBmoO8,50
+sraverify-0.1.3.dist-info/top_level.txt,sha256=dqkttmF4ZzAyRMF2tDxRuIvDZGjyVIoV9eDqK5sMzYM,10
+sraverify-0.1.3.dist-info/RECORD,,

{sraverify-0.1.1.dist-info → sraverify-0.1.3.dist-info}/LICENSE RENAMED Viewed

File without changes

{sraverify-0.1.1.dist-info → sraverify-0.1.3.dist-info}/NOTICE RENAMED Viewed

File without changes

{sraverify-0.1.1.dist-info → sraverify-0.1.3.dist-info}/WHEEL RENAMED Viewed

File without changes

{sraverify-0.1.1.dist-info → sraverify-0.1.3.dist-info}/entry_points.txt RENAMED Viewed

File without changes

{sraverify-0.1.1.dist-info → sraverify-0.1.3.dist-info}/top_level.txt RENAMED Viewed

File without changes

sraverify 0.1.1__py3-none-any.whl → 0.1.3__py3-none-any.whl

sraverify 0.1.1py3-none-any.whl → 0.1.3py3-none-any.whl