")
+ short_report = short_annotation(control_result)
+ table.append("\n\n\n\n\n
AWS CIS Foundation Framework
\n\
+
")
table.append("
")
+ table.append("
| Whitepaper location: https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf |
")
+ table.append("
| " + short_report + " |
")
tableHeadOuter = "
"
tableHeadInner = ""
tableHeadHover = ""
table.append(tableHeadOuter) # Outer table
- for m, _ in enumerate(controlResult):
- table.append("| " + controlResult[m][0]['ControlId'].split('.')[0] + " | " + tableHeadInner)
- for n in range(len(controlResult[m])):
- if str(controlResult[m][n]['Result']) == "False":
- resultStyle = " style=\"background-color:#ef3d47;\""
- elif str(controlResult[m][n]['Result']) == "Manual":
- resultStyle = " style=\"background-color:#ffff99;\""
+ for m, _ in enumerate(control_result):
+ table.append(" |
|---|
| " + control_result[m][0]['ControlId'].split('.')[0] + " | " + tableHeadInner)
+ for n in range(len(control_result[m])):
+ if str(control_result[m][n]['Result']) == "False":
+ result_style = " style=\"background-color:#ef3d47;\""
+ elif str(control_result[m][n]['Result']) == "Manual":
+ result_style = " style=\"background-color:#ffff99;\""
else:
- resultStyle = " style=\"background-color:lightgreen;\""
- table.append(" |
|---|
" + controlResult[m][n]['ControlId'].split('.')[1] + "| " + tableHeadHover)
- table.append(" | | ControlId | " + controlResult[m][n]['ControlId'] + " |
|---|
")
- table.append("| Description | " + controlResult[m][n]['Description'] + " |
|---|
")
- table.append("| failReason | " + controlResult[m][n]['failReason'] + " |
|---|
")
- table.append("| Offenders | " + str(controlResult[m][n]['Offenders']).replace("', ", "',
") + " |
|---|
")
- table.append("| Result | " + str(controlResult[m][n]['Result']) + " |
|---|
")
- table.append("| ScoredControl | " + str(controlResult[m][n]['ScoredControl']) + " |
|---|
")
+ result_style = " style=\"background-color:lightgreen;\""
+ table.append("" + control_result[m][n]['ControlId'].split('.')[1] + "| " + tableHeadHover)
+ table.append(" | | ControlId | " + control_result[m][n]['ControlId'] + " |
|---|
")
+ table.append("| Description | " + control_result[m][n]['Description'] + " |
|---|
")
+ table.append("| failReason | " + control_result[m][n]['failReason'] + " |
|---|
")
+ table.append("| Offenders | " + str(control_result[m][n]['Offenders']).replace("', ", "',
") + " |
|---|
")
+ table.append("| Result | " + str(control_result[m][n]['Result']) + " |
|---|
")
+ table.append("| ScoredControl | " + str(control_result[m][n]['ScoredControl']) + " |
|---|
")
table.append("
")
table.append("
")
table.append("
")
table.append("
\n\n")
return table
-
-def s3report(htmlReport, account):
+def s3report(html_report, json_report, account):
"""Summary
Args:
- htmlReport (TYPE): Description
+ html_report (TYPE): Description
Returns:
TYPE: Description
"""
- if S3_WEB_REPORT_NAME_DETAILS is True:
- reportName = "cis_report_" + str(account) + "_" + str(datetime.now().strftime('%Y%m%d_%H%M')) + ".html"
- else:
- reportName = "cis_report.html"
- with tempfile.NamedTemporaryFile(delete=False) as f:
- for item in htmlReport:
- f.write(item)
- f.flush()
+ signed_url_list = list()
+ global S3_REPORT_BUCKET
+ if not S3_REPORT_BUCKET:
+ try:
+ S3_REPORT_BUCKET = os.environ['S3_REPORT_BUCKET']
+ except KeyError as e:
+ logger.error("Bucket not set: {0}".format(e))
+
+ def detailed_name(acc, ext):
+ return "{0}.{1}".format("cis_report_" + str(acc) + "_" + str(datetime.now().strftime('%Y%m%d_%H%M')), ext)
+
+ def s3_upload(byte_obj, name, bucket=S3_REPORT_BUCKET):
+ ttl = int(S3_WEB_REPORT_EXPIRE) * 60
try:
- f.close()
- S3_CLIENT.upload_file(f.name, S3_WEB_REPORT_BUCKET, reportName)
- os.unlink(f.name)
+ S3_CLIENT.upload_fileobj(byte_obj, bucket, name)
except Exception as e:
- return "Failed to upload report to S3 because: " + str(e)
- ttl = int(S3_WEB_REPORT_EXPIRE) * 60
- signedURL = S3_CLIENT.generate_presigned_url(
- 'get_object',
- Params={
- 'Bucket': S3_WEB_REPORT_BUCKET,
- 'Key': reportName
- },
- ExpiresIn=ttl)
- return signedURL
-
-
-def json_output(controlResult):
+ logger.error("Failed to upload {0} report to S3 because: {1}".format(name, str(e)))
+ return ""
+
+ return S3_CLIENT.generate_presigned_url(
+ 'get_object',
+ Params={
+ 'Bucket': bucket,
+ 'Key': name
+ },
+ ExpiresIn=ttl)
+
+ # upload HTML report
+ if S3_WEB_REPORT_NAME_DETAILS:
+ html_report_name = detailed_name(account, 'html')
+ else:
+ html_report_name = "cis_report.html"
+ fd = StringIO()
+ for item in html_report:
+ fd.write(item)
+ html_url = s3_upload(BytesIO(fd.getvalue().encode()), html_report_name)
+
+ # upload json report
+ if S3_JSON_NAME_DETAILS:
+ json_report_name = detailed_name(account, 'json')
+ else:
+ json_report_name = "cis_report.json"
+
+ json_url = s3_upload(BytesIO(json_report.encode()), json_report_name)
+
+ signed_url_list = [html_url, json_url]
+
+ return signed_url_list
+
+
+def json_result(control_result):
"""Summary
Args:
- controlResult (TYPE): Description
+ control_result (TYPE): Description
Returns:
- TYPE: Description
+ string: json with all benchmark results
"""
- inner = dict()
+
outer = dict()
- for m in range(len(controlResult)):
+ for m in range(len(control_result)):
inner = dict()
- for n in range(len(controlResult[m])):
- x = int(controlResult[m][n]['ControlId'].split('.')[1])
- inner[x] = controlResult[m][n]
- y = controlResult[m][0]['ControlId'].split('.')[0]
+ for n in range(len(control_result[m])):
+ x = int(control_result[m][n]['ControlId'].split('.')[1])
+ inner[x] = control_result[m][n]
+ y = control_result[m][0]['ControlId'].split('.')[0]
outer[y] = inner
+ return json.dumps(outer, sort_keys=True, indent=4, separators=(',', ': '))
+
+
+def print_json(result, annotation):
+ """Summary
+
+ Args:
+ controlResult (TYPE): Description
+
+ Returns:
+ TYPE: Description
+ """
+
if OUTPUT_ONLY_JSON is True:
- print(json.dumps(outer, sort_keys=True, indent=4, separators=(',', ': ')))
+ logger.info(result)
else:
print("JSON output:")
print("-------------------------------------------------------")
- print(json.dumps(outer, sort_keys=True, indent=4, separators=(',', ': ')))
+ print(result)
print("-------------------------------------------------------")
print("\n")
print("Summary:")
- print(shortAnnotation(controlResult))
+ print(annotation)
print("\n")
return 0
-def shortAnnotation(controlResult):
+def short_annotation(control_result):
"""Summary
Args:
- controlResult (TYPE): Description
+ control_result (TYPE): Description
Returns:
TYPE: Description
"""
annotation = []
- longAnnotation = False
- for m, _ in enumerate(controlResult):
- for n in range(len(controlResult[m])):
- if controlResult[m][n]['Result'] is False:
+ long_annotation = False
+ for m, _ in enumerate(control_result):
+ for n in range(len(control_result[m])):
+ if control_result[m][n]['Result'] is False:
if len(str(annotation)) < 220:
- annotation.append(controlResult[m][n]['ControlId'])
+ annotation.append(control_result[m][n]['ControlId'])
else:
- longAnnotation = True
- if longAnnotation:
+ long_annotation = True
+ if long_annotation:
annotation.append("etc")
return "{\"Failed\":" + json.dumps(annotation) + "}"
else:
@@ -2221,6 +2390,13 @@ def send_results_to_sns(url):
TYPE: Description
"""
# Get correct region for the TopicARN
+ global SNS_TOPIC_ARN
+ if not SNS_TOPIC_ARN:
+ try:
+ SNS_TOPIC_ARN = os.environ['SNS_TOPIC_ARN']
+ except KeyError as e:
+ logger.error("Bucket not set: {0}".format(e))
+
region = (SNS_TOPIC_ARN.split("sns:", 1)[1]).split(":", 1)[0]
client = boto3.client('sns', region_name=region)
client.publish(
@@ -2249,112 +2425,132 @@ def lambda_handler(event, context):
# Check if the script is initiade from AWS Config Rules
try:
if event['configRuleId']:
- configRule = True
+ config_rule = True
# Verify correct format of event
- invokingEvent = json.loads(event['invokingEvent'])
+ invoking_event = json.loads(event['invokingEvent'])
except:
- configRule = False
+ config_rule = False
# Globally used resources
region_list = get_regions()
cred_report = get_cred_report()
password_policy = get_account_password_policy()
cloud_trails = get_cloudtrails(region_list)
- accountNumber = get_account_number()
-
- # Run individual controls.
- # Comment out unwanted controls
- control1 = []
- control1.append(control_1_1_root_use(cred_report))
- control1.append(control_1_2_mfa_on_password_enabled_iam(cred_report))
- control1.append(control_1_3_unused_credentials(cred_report))
- control1.append(control_1_4_rotated_keys(cred_report))
- control1.append(control_1_5_password_policy_uppercase(password_policy))
- control1.append(control_1_6_password_policy_lowercase(password_policy))
- control1.append(control_1_7_password_policy_symbol(password_policy))
- control1.append(control_1_8_password_policy_number(password_policy))
- control1.append(control_1_9_password_policy_length(password_policy))
- control1.append(control_1_10_password_policy_reuse(password_policy))
- control1.append(control_1_11_password_policy_expire(password_policy))
- control1.append(control_1_12_root_key_exists(cred_report))
- control1.append(control_1_13_root_mfa_enabled())
- control1.append(control_1_14_root_hardware_mfa_enabled())
- control1.append(control_1_15_security_questions_registered())
- control1.append(control_1_16_no_policies_on_iam_users())
- control1.append(control_1_17_detailed_billing_enabled())
- control1.append(control_1_18_ensure_iam_master_and_manager_roles())
- control1.append(control_1_19_maintain_current_contact_details())
- control1.append(control_1_20_ensure_security_contact_details())
- control1.append(control_1_21_ensure_iam_instance_roles_used())
- control1.append(control_1_22_ensure_incident_management_roles())
- control1.append(control_1_23_no_active_initial_access_keys_with_iam_user(cred_report))
- control1.append(control_1_24_no_overly_permissive_policies())
-
- control2 = []
- control2.append(control_2_1_ensure_cloud_trail_all_regions(cloud_trails))
- control2.append(control_2_2_ensure_cloudtrail_validation(cloud_trails))
- control2.append(control_2_3_ensure_cloudtrail_bucket_not_public(cloud_trails))
- control2.append(control_2_4_ensure_cloudtrail_cloudwatch_logs_integration(cloud_trails))
- control2.append(control_2_5_ensure_config_all_regions(region_list))
- control2.append(control_2_6_ensure_cloudtrail_bucket_logging(cloud_trails))
- control2.append(control_2_7_ensure_cloudtrail_encryption_kms(cloud_trails))
- control2.append(control_2_8_ensure_kms_cmk_rotation(region_list))
-
- control3 = []
- control3.append(control_3_1_ensure_log_metric_filter_unauthorized_api_calls(cloud_trails))
- control3.append(control_3_2_ensure_log_metric_filter_console_signin_no_mfa(cloud_trails))
- control3.append(control_3_3_ensure_log_metric_filter_root_usage(cloud_trails))
- control3.append(control_3_4_ensure_log_metric_iam_policy_change(cloud_trails))
- control3.append(control_3_5_ensure_log_metric_cloudtrail_configuration_changes(cloud_trails))
- control3.append(control_3_6_ensure_log_metric_console_auth_failures(cloud_trails))
- control3.append(control_3_7_ensure_log_metric_disabling_scheduled_delete_of_kms_cmk(cloud_trails))
- control3.append(control_3_8_ensure_log_metric_s3_bucket_policy_changes(cloud_trails))
- control3.append(control_3_9_ensure_log_metric_config_configuration_changes(cloud_trails))
- control3.append(control_3_10_ensure_log_metric_security_group_changes(cloud_trails))
- control3.append(control_3_11_ensure_log_metric_nacl(cloud_trails))
- control3.append(control_3_12_ensure_log_metric_changes_to_network_gateways(cloud_trails))
- control3.append(control_3_13_ensure_log_metric_changes_to_route_tables(cloud_trails))
- control3.append(control_3_14_ensure_log_metric_changes_to_vpc(cloud_trails))
- control3.append(control_3_15_verify_sns_subscribers())
-
- control4 = []
- control4.append(control_4_1_ensure_ssh_not_open_to_world(region_list))
- control4.append(control_4_2_ensure_rdp_not_open_to_world(region_list))
- control4.append(control_4_3_ensure_flow_logs_enabled_on_all_vpc(region_list))
- control4.append(control_4_4_ensure_default_security_groups_restricts_traffic(region_list))
- control4.append(control_4_5_ensure_route_tables_are_least_access(region_list))
-
- # Join results
+ account_number = get_account_number()
+
+
+ global_resources = {
+ "regions": region_list,
+ "credreport": cred_report,
+ "passwordpolicy": password_policy,
+ "cloudtrails": cloud_trails,
+ "accountnumber": account_number
+ }
+
+ controls_map = {
+ "control1": [
+ control_1_1_root_use,
+ control_1_2_mfa_on_password_enabled_iam,
+ control_1_3_unused_credentials,
+ control_1_4_rotated_keys,
+ control_1_5_password_policy_uppercase,
+ control_1_6_password_policy_lowercase,
+ control_1_7_password_policy_symbol,
+ control_1_8_password_policy_number,
+ control_1_9_password_policy_length,
+ control_1_10_password_policy_reuse,
+ control_1_11_password_policy_expire,
+ control_1_12_root_key_exists,
+ control_1_13_root_mfa_enabled,
+ control_1_14_root_hardware_mfa_enabled,
+ control_1_15_security_questions_registered,
+ control_1_16_no_policies_on_iam_users,
+ control_1_17_maintain_current_contact_details,
+ control_1_18_ensure_security_contact_details,
+ control_1_19_ensure_iam_instance_roles_used,
+ control_1_20_ensure_incident_management_roles,
+ control_1_21_no_active_initial_access_keys_with_iam_user,
+ control_1_22_no_overly_permissive_policies
+ ],
+ 'control2': [
+ control_2_1_ensure_cloud_trail_all_regions,
+ control_2_2_ensure_cloudtrail_validation,
+ control_2_3_ensure_cloudtrail_bucket_not_public,
+ control_2_4_ensure_cloudtrail_cloudwatch_logs_integration,
+ control_2_5_ensure_config_all_regions,
+ control_2_6_ensure_cloudtrail_bucket_logging,
+ control_2_7_ensure_cloudtrail_encryption_kms,
+ control_2_8_ensure_kms_cmk_rotation,
+ control_2_9_ensure_flow_logs_enabled_on_all_vpc
+ ],
+ 'control3': [
+ control_3_1_ensure_log_metric_filter_unauthorized_api_calls,
+ control_3_2_ensure_log_metric_filter_console_signin_no_mfa,
+ control_3_3_ensure_log_metric_filter_root_usage,
+ control_3_4_ensure_log_metric_iam_policy_change,
+ control_3_5_ensure_log_metric_cloudtrail_configuration_changes,
+ control_3_6_ensure_log_metric_console_auth_failures,
+ control_3_7_ensure_log_metric_disabling_scheduled_delete_of_kms_cmk,
+ control_3_8_ensure_log_metric_s3_bucket_policy_changes,
+ control_3_9_ensure_log_metric_config_configuration_changes,
+ control_3_10_ensure_log_metric_security_group_changes,
+ control_3_11_ensure_log_metric_nacl,
+ control_3_12_ensure_log_metric_changes_to_network_gateways,
+ control_3_13_ensure_log_metric_changes_to_route_tables,
+ control_3_14_ensure_log_metric_changes_to_vpc
+ ],
+ 'control4': [
+ control_4_1_ensure_ssh_not_open_to_world,
+ control_4_2_ensure_rdp_not_open_to_world,
+ control_4_3_ensure_default_security_groups_restricts_traffic,
+ control_4_4_ensure_route_tables_are_least_access
+ ]
+ }
+
+ # multipreocessing per controls set
+ # TODO: rework the logic in order to handle all benchmarks in one pool.map
+ pool = ThreadPool(processes=10)
+
+ def worker(func):
+ return func(global_resources)
+
controls = []
- controls.append(control1)
- controls.append(control2)
- controls.append(control3)
- controls.append(control4)
+ controls.append(pool.map(worker, controls_map['control1']))
+ controls.append(pool.map(worker, controls_map['control2']))
+ controls.append(pool.map(worker, controls_map['control3']))
+ controls.append(pool.map(worker, controls_map['control4']))
+
+
+ # JSON result
+ json_out = json_result(controls)
+
+ # Annotation
+ annotation = short_annotation(controls)
# Build JSON structure for console output if enabled
if SCRIPT_OUTPUT_JSON:
- json_output(controls)
+ print_json(json_out, annotation)
# Create HTML report file if enabled
if S3_WEB_REPORT:
- htmlReport = json2html(controls, accountNumber)
+ html_report = json2html(controls, account_number)
if S3_WEB_REPORT_OBFUSCATE_ACCOUNT:
- for n, _ in enumerate(htmlReport):
- htmlReport[n] = re.sub(r"\d{12}", "111111111111", htmlReport[n])
- signedURL = s3report(htmlReport, accountNumber)
+ for n, _ in enumerate(html_report):
+ html_report[n] = re.sub(r"\d{12}", "111111111111", html_report[n])
+ signed_url_list = s3report(html_report, json_out, account_number)
if OUTPUT_ONLY_JSON is False:
- print("SignedURL:\n" + signedURL)
+ [logger.info("SignedURL: " + signed_url) if signed_url else "URL not available" for signed_url in signed_url_list]
if SEND_REPORT_URL_TO_SNS is True:
- send_results_to_sns(signedURL)
+ [send_results_to_sns(signed_url) if signed_url else "URL not available" for signed_url in signed_url_list]
# Report back to Config if we detected that the script is initiated from Config Rules
- if configRule:
- evalAnnotation = shortAnnotation(controls)
- set_evaluation(invokingEvent, event, evalAnnotation)
+ if config_rule:
+ eval_annotation = short_annotation(controls)
+ set_evaluation(invoking_event, event, eval_annotation)
if __name__ == '__main__':
- profile_name = ''
+ PROFILE_NAME = ''
try:
opts, args = getopt.getopt(sys.argv[1:], "p:h", ["profile=", "help"])
except getopt.GetoptError:
@@ -2376,15 +2572,14 @@ def lambda_handler(event, context):
print("python " + sys.argv[0] + ' -p
')
sys.exit()
elif opt in ("-p", "--profile"):
- profile_name = arg
+ PROFILE_NAME = arg
# Verify that the profile exist
- if not profile_name == "":
+ if not PROFILE_NAME == "":
try:
- boto3.setup_default_session(profile_name=profile_name)
+ boto3.setup_default_session(profile_name=PROFILE_NAME)
# Update globals with new profile
IAM_CLIENT = boto3.client('iam')
- S3_CLIENT = boto3.client('s3')
except Exception as e:
if "could not be found" in str(e):
print("Error: " + str(e))
@@ -2396,8 +2591,8 @@ def lambda_handler(event, context):
client = boto3.client('ec2')
except Exception as e:
if "You must specify a region" in str(e):
- if profile_name == "":
+ if PROFILE_NAME == "":
boto3.setup_default_session(region_name='us-east-1')
else:
- boto3.setup_default_session(profile_name=profile_name, region_name='us-east-1')
+ boto3.setup_default_session(profile_name=PROFILE_NAME, region_name='us-east-1')
lambda_handler("test", "test")