diff --git a/deployment/configs/temp_whitelist_issues.json b/deployment/configs/temp_whitelist_issues.json new file mode 100644 index 00000000..678e80d2 --- /dev/null +++ b/deployment/configs/temp_whitelist_issues.json 
@@ -0,0 +1,91 @@ +{ + "__comment__": "Contains dictionary with security issues to quarantine (list of issues skipped now and will remediate in future) grouped by issue type and accounts. Put your account id as a key for desired security issue type and put a list with issues to ignore as a value.", + "cloudtrails": { + "__comment__": "Detects issues with CloudTrail (logging disabled or has issues with permissions). Key - account id, values - AWS regions.", + "123456789012": ["eu-west-1", "us-east-2"] + }, + "user_inactivekeys": { + "__comment__": "Detects IAM users with inactive access keys (not used more that definite number of days). Key - account id, values - IAM user names or access key ids.", + "123456789012": ["user1", "user2", "AKIAI6UV5TCF3NA223T1", "AKIAIG7Y36NN5DWX4NO3"] + }, + "user_keysrotation": { + "__comment__": "Detects IAM users expired access keys (created earlier than definite number of days). Key - account id, values - IAM user names or access key ids.", + "123456789012": ["user1", "user2", "AKIAI6UV5TCF3NA223T1", "AKIAIG7Y36NN5DWX4NO3"] + }, + "s3_bucket_acl": { + "__comment__": "Detects S3 buckets with public ACL (with AllUsers/AuthenticatedUsers groups in Grantee). Key - account id, values - S3 bucket names.", + "123456789012": ["public-site-bucket", "public-bucket-available-via-cloudfront"] + }, + "s3_bucket_policy": { + "__comment__": "Detects S3 buckets with public policy ('Allow' statements with '*' in Principal and not restricted by IP). Key - account id, values - S3 bucket names.", + "123456789012": ["public-site-bucket", "public-bucket-available-via-cloudfront"] + }, + "secgrp_unrestricted_access": { + "__comment__": "Detects security groups with world-wide open ports from the list. 
Key - account id, values - 1) security group ID or 2) VPC ID + security group Name separated by colon.", + "123456789012": ["sg-7c124307", "sg-2132a25b", "vpc-a372f3ca:default"] + }, + "ebs_unencrypted_volume": { + "__comment__": "Detects unencrypted EBS volumes. Key - account id, values - volume ids.", + "123456789012": ["vol-04ddaf8f2aef1b1f4", "vol-004156f485f6d57c7"] + }, + "ebs_public_snapshot": { + "__comment__": "Detects public EBS snapshots (with group 'all' in 'CreateVolumePermissions'). Key - account id, values - snapshot ids.", + "123456789012": ["snap-027927dbf368b3746", "snap-087534caad1ef1d0a"] + }, + "rds_public_snapshot":{ + "__comment__": "Detects public RDS snapshots (with 'all' in 'restore' attribute). Key - account id, values - snapshot ARNs.", + "123456789012": ["arn:aws:rds:eu-central-1:123456789012:snapshot:public", "arn:aws:rds:eu-west-1:123456789012:snapshot:rds:snapshot1"] + }, + "ec2_public_ami": { + "__comment__": "Detects public AMI issues (with 'all' in 'restore' attribute). Key - account id, values - AMI IDs.", + "123456789012": [""] + }, + "sqs_public_access":{ + "__comment__": "Detects public SQS polices (with 'all' in 'restore' attribute). Key - account id, values - SQS names.", + "123456789012": [""] + }, + "s3_encryption": { + "__comment__": "Detects Unencrypted s3 buckets (with 'all' in 'restore' attribute). Key - account id, values - S3 bucket names.", + "123456789012": [""] + }, + "rds_encryption": { + "__comment__": "Detects unencrypted RDS instances (with 'all' in 'restore' attribute). 
Key - account id, values - Instance ARNs.", + "123456789012": [""] + }, + "redshift_public_access":{ + "__comment__": "Detects publicly accessible Redshift Clusters.", + "123456789012": ["test-cluster"] + }, + "redshift_encryption":{ + "__comment__": "Detects unencrypted clusters.", + "123456789012": ["test-cluster"] + }, + "ecs_privileged_access":{ + "__comment__": "Detects ECS task definitions which are not enabled logging - task definitions ARNs.", + "1234567890123": ["arn:aws:ecs:us-east-1:1234567890123:task-definition/dev-admin:2993"] + }, + "ecs_logging":{ + "__comment__": "Detects ECS task definitions which are not enabled logging - task definitions ARNs.", + "1234567890123": ["arn:aws:ecs:us-east-1:1234567890123:task-definition/test-admin:2993"] + }, + "ecs_external_image_source":{ + "__comment__": "Detects ECS task definitions which are configured with external image source - task definitions ARNs.", + "1234567890123": ["arn:aws:ecs:us-east-1:1234567890123:task-definition/test-admin:2993"] + }, + "redshift_logging": { + "__comment__": "Detects Redshift clusters which are audit logging is not enabled.", + "123456789012": ["test-cluster"] + }, + "es_domain_logging": { + "__comment__": "Detects Elasticsearch domains which are not enabled logging - domain ARNs.", + "1234567890123": ["arn:aws:es:us-east-2:1234567890123:domain/new-domain"] + }, + "es_unencrypted_domain": { + "__comment__": "Detects Unencrypted Elasticsearch domains - domain ARNs.", + "1234567890123": ["arn:aws:es:us-east-2:1234567890123:domain/new-domain"] + }, + "es_public_access_domain": { + "__comment__": "Detects Unencrypted Elasticsearch publicly accessible domains - domain ARNs.", + "1234567890123": ["arn:aws:es:us-east-2:1234567890123:domain/new-domain"] + } +} diff --git a/deployment/configs/whitelist.json b/deployment/configs/whitelist.json index 6f648de0..02c4c7d4 100755 --- a/deployment/configs/whitelist.json +++ b/deployment/configs/whitelist.json 
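Review bot: Several `__comment__` strings in the new temp_whitelist_issues.json are copy-pasted and describe the wrong check: `ec2_public_ami`, `sqs_public_access`, `s3_encryption` and `rds_encryption` all say "(with 'all' in 'restore' attribute)", `ecs_privileged_access` says it detects task definitions "which are not enabled logging", and `es_public_access_domain` says "Unencrypted" — e.g. `"__comment__": "Detects ECS task definitions with privileged containers."` (also "polices" → "policies"). The sample account id `1234567890123` under the ECS and Elasticsearch sections is 13 digits while AWS account ids are 12, and since lookups are by exact key a copied sample like that would never match. The `[""]` placeholders are better written as `[]` so an empty string can never be treated as a whitelisted resource id. More broadly, this file suppresses remediation exactly like whitelist.json but carries no expiry or ticket reference per entry, so "will remediate in future" is unenforced; consider a dated per-entry form such as `{"id": "vol-…", "expires": "YYYY-MM-DD", "ticket": "…"}` or at least a reporting step that flags entries older than an agreed window.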
@@ -36,7 +36,7 @@ "__comment__": "Detects public RDS snapshots (with 'all' in 'restore' attribute). Key - account id, values - snapshot ARNs.", "123456789012": ["arn:aws:rds:eu-central-1:123456789012:snapshot:public", "arn:aws:rds:eu-west-1:123456789012:snapshot:rds:snapshot1"] }, - "public_ami_issues": { + "ec2_public_ami": { }, "sqs_public_access":{ "__comment__": "Detects public SQS polices (with 'all' in 'restore' attribute). Key - account id, values - SQS ARNs.", diff --git a/hammer/identification/lambdas/ami-public-access-issues-identification/describe_public_ami_issues.py b/hammer/identification/lambdas/ami-public-access-issues-identification/describe_public_ami_issues.py index 6b957537..fef2f057 100644 --- a/hammer/identification/lambdas/ami-public-access-issues-identification/describe_public_ami_issues.py +++ b/hammer/identification/lambdas/ami-public-access-issues-identification/describe_public_ami_issues.py @@ -58,7 +58,10 @@ def lambda_handler(event, context): issue.issue_details.tags = ami.tags issue.issue_details.name = ami.name issue.issue_details.region = region - if config.publicAMIs.in_whitelist(account_id, ami.id): + + if config.publicAMIs.in_temp_whitelist(account_id, ami.id): + issue.status = IssueStatus.Tempwhitelist + elif config.publicAMIs.in_whitelist(account_id, ami.id): issue.status = IssueStatus.Whitelisted else: issue.status = IssueStatus.Open diff --git a/hammer/identification/lambdas/cloudtrails-issues-identification/describe_cloudtrails.py b/hammer/identification/lambdas/cloudtrails-issues-identification/describe_cloudtrails.py index b02ea0ec..81f86e3b 100755 --- a/hammer/identification/lambdas/cloudtrails-issues-identification/describe_cloudtrails.py +++ b/hammer/identification/lambdas/cloudtrails-issues-identification/describe_cloudtrails.py 
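Review bot: The three-line temp-whitelist/whitelist/open cascade added to describe_public_ami_issues is repeated verbatim in every identification lambda in this diff, differing only in the config section and the id passed, so the precedence rule (temporary before permanent) lives in twenty places; a helper on the config section, e.g. `issue.status = config.publicAMIs.issue_status(account_id, ami.id)` returning `IssueStatus.Tempwhitelist`, `IssueStatus.Whitelisted` or `IssueStatus.Open`, would keep it in one. Whether the reporting side already handles the new `Tempwhitelist` status (neither opening nor closing a ticket) is not visible in this diff and is worth confirming before these lambdas start emitting it. The enclosing loop in `lambda_handler` starts before the hunk.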
@@ -56,7 +56,10 @@ def lambda_handler(event, context): issue.issue_details.disabled = checker.disabled issue.issue_details.delivery_errors = checker.delivery_errors issue.add_trails(checker.trails) - if config.cloudtrails.in_whitelist(account_id, region): + + if config.cloudtrails.in_temp_whitelist(account_id, region): + issue.status = IssueStatus.Tempwhitelist + elif config.cloudtrails.in_whitelist(account_id, region): issue.status = IssueStatus.Whitelisted else: issue.status = IssueStatus.Open diff --git a/hammer/identification/lambdas/ebs-public-snapshots-identification/describe_ebs_public_snapshots.py b/hammer/identification/lambdas/ebs-public-snapshots-identification/describe_ebs_public_snapshots.py index dee609e9..5a901899 100755 --- a/hammer/identification/lambdas/ebs-public-snapshots-identification/describe_ebs_public_snapshots.py +++ b/hammer/identification/lambdas/ebs-public-snapshots-identification/describe_ebs_public_snapshots.py @@ -57,7 +57,10 @@ def lambda_handler(event, context): issue.issue_details.region = snapshot.account.region issue.issue_details.volume_id = snapshot.volume_id issue.issue_details.tags = snapshot.tags - if config.ebsSnapshot.in_whitelist(account_id, snapshot.id): + + if config.ebsSnapshot.in_temp_whitelist(account_id, snapshot.id): + issue.status = IssueStatus.Tempwhitelist + elif config.ebsSnapshot.in_whitelist(account_id, snapshot.id): issue.status = IssueStatus.Whitelisted else: issue.status = IssueStatus.Open diff --git a/hammer/identification/lambdas/ebs-unencrypted-volume-identification/describe_ebs_unencrypted_volumes.py b/hammer/identification/lambdas/ebs-unencrypted-volume-identification/describe_ebs_unencrypted_volumes.py index 6c295aff..b5f3764e 100755 --- a/hammer/identification/lambdas/ebs-unencrypted-volume-identification/describe_ebs_unencrypted_volumes.py +++ b/hammer/identification/lambdas/ebs-unencrypted-volume-identification/describe_ebs_unencrypted_volumes.py 
@@ -59,7 +59,10 @@ def lambda_handler(event, context): issue.issue_details.state = volume.state issue.issue_details.attachments = volume.attachments issue.issue_details.tags = volume.tags - if config.ebsVolume.in_whitelist(account_id, volume.id): + + if config.ebsVolume.in_temp_whitelist(account_id, volume.id): + issue.status = IssueStatus.Tempwhitelist + elif config.ebsVolume.in_whitelist(account_id, volume.id): issue.status = IssueStatus.Whitelisted else: issue.status = IssueStatus.Open diff --git a/hammer/identification/lambdas/ecs-external-image-source-issues-identification/describe_ecs_external_image_source_issues.py b/hammer/identification/lambdas/ecs-external-image-source-issues-identification/describe_ecs_external_image_source_issues.py index 2a93a799..8694c1e5 100644 --- a/hammer/identification/lambdas/ecs-external-image-source-issues-identification/describe_ecs_external_image_source_issues.py +++ b/hammer/identification/lambdas/ecs-external-image-source-issues-identification/describe_ecs_external_image_source_issues.py @@ -58,7 +58,10 @@ def lambda_handler(event, context): issue.issue_details.tags = task_definition.tags issue.issue_details.container_image_details = task_definition.container_image_details issue.issue_details.region = task_definition.account.region - if config.ecs_external_image_source.in_whitelist(account_id, task_definition.name): + + if config.ecs_external_image_source.in_temp_whitelist(account_id, task_definition.name): + issue.status = IssueStatus.Tempwhitelist + elif config.ecs_external_image_source.in_whitelist(account_id, task_definition.name): issue.status = IssueStatus.Whitelisted else: issue.status = IssueStatus.Open diff --git a/hammer/identification/lambdas/ecs-logging-issues-identification/describe_ecs_logging_issues.py b/hammer/identification/lambdas/ecs-logging-issues-identification/describe_ecs_logging_issues.py index 04fa3281..0c595cf4 100644 
--- a/hammer/identification/lambdas/ecs-logging-issues-identification/describe_ecs_logging_issues.py +++ b/hammer/identification/lambdas/ecs-logging-issues-identification/describe_ecs_logging_issues.py @@ -59,7 +59,9 @@ def lambda_handler(event, context): issue.issue_details.disabled_logging_container_names = task_definition.disabled_logging_container_names issue.issue_details.tags = task_definition.tags - if config.ecs_logging.in_whitelist(account_id, task_definition.name): + if config.ecs_logging.in_temp_whitelist(account_id, task_definition.name): + issue.status = IssueStatus.Tempwhitelist + elif config.ecs_logging.in_whitelist(account_id, task_definition.name): issue.status = IssueStatus.Whitelisted else: issue.status = IssueStatus.Open diff --git a/hammer/identification/lambdas/ecs-privileged-access-issues-identification/describe_ecs_privileged_access_issues.py b/hammer/identification/lambdas/ecs-privileged-access-issues-identification/describe_ecs_privileged_access_issues.py index edaf5e1a..f23edf50 100644 --- a/hammer/identification/lambdas/ecs-privileged-access-issues-identification/describe_ecs_privileged_access_issues.py +++ b/hammer/identification/lambdas/ecs-privileged-access-issues-identification/describe_ecs_privileged_access_issues.py @@ -58,7 +58,9 @@ def lambda_handler(event, context): issue.issue_details.tags = task_definition.tags issue.issue_details.privileged_container_names = task_definition.privileged_container_names issue.issue_details.region = task_definition.account.region - if config.ecs_privileged_access.in_whitelist(account_id, task_definition.name): + if config.ecs_privileged_access.in_temp_whitelist(account_id, task_definition.name): + issue.status = IssueStatus.Tempwhitelist + elif config.ecs_privileged_access.in_whitelist(account_id, task_definition.name): issue.status = IssueStatus.Whitelisted else: issue.status = IssueStatus.Open 
diff --git a/hammer/identification/lambdas/elasticsearch-domain-logging-issues-identification/describe_elasticsearch_domains_logging_issues.py b/hammer/identification/lambdas/elasticsearch-domain-logging-issues-identification/describe_elasticsearch_domains_logging_issues.py index 0ba5f163..6eb906ba 100644 --- a/hammer/identification/lambdas/elasticsearch-domain-logging-issues-identification/describe_elasticsearch_domains_logging_issues.py +++ b/hammer/identification/lambdas/elasticsearch-domain-logging-issues-identification/describe_elasticsearch_domains_logging_issues.py @@ -59,7 +59,9 @@ def lambda_handler(event, context): issue.issue_details.arn = domain.arn issue.issue_details.tags = domain.tags - if config.esLogging.in_whitelist(account_id, domain.name): + if config.esLogging.in_temp_whitelist(account_id, domain.name): + issue.status = IssueStatus.Tempwhitelist + elif config.esLogging.in_whitelist(account_id, domain.name): issue.status = IssueStatus.Whitelisted else: issue.status = IssueStatus.Open diff --git a/hammer/identification/lambdas/elasticsearch-public-access-domain-identification/describe_elasticsearch_public_access_domains.py b/hammer/identification/lambdas/elasticsearch-public-access-domain-identification/describe_elasticsearch_public_access_domains.py index eccbd677..bc20bea8 100644 --- a/hammer/identification/lambdas/elasticsearch-public-access-domain-identification/describe_elasticsearch_public_access_domains.py +++ b/hammer/identification/lambdas/elasticsearch-public-access-domain-identification/describe_elasticsearch_public_access_domains.py 
@@ -59,7 +59,10 @@ def lambda_handler(event, context): issue.issue_details.arn = domain.arn issue.issue_details.tags = domain.tags issue.issue_details.policy = domain.policy - if config.esPublicAccess.in_whitelist(account_id, domain.name): + + if config.esPublicAccess.in_temp_whitelist(account_id, domain.name): + issue.status = IssueStatus.Tempwhitelist + elif config.esPublicAccess.in_whitelist(account_id, domain.name): issue.status = IssueStatus.Whitelisted else: issue.status = IssueStatus.Open diff --git a/hammer/identification/lambdas/elasticsearch-unencrypted-domain-identification/describe_elasticsearch_unencrypted_domains.py b/hammer/identification/lambdas/elasticsearch-unencrypted-domain-identification/describe_elasticsearch_unencrypted_domains.py index 8c5f1c56..b039d851 100644 --- a/hammer/identification/lambdas/elasticsearch-unencrypted-domain-identification/describe_elasticsearch_unencrypted_domains.py +++ b/hammer/identification/lambdas/elasticsearch-unencrypted-domain-identification/describe_elasticsearch_unencrypted_domains.py @@ -61,7 +61,9 @@ def lambda_handler(event, context): issue.issue_details.encrypted_at_rest = domain.encrypted_at_rest issue.issue_details.encrypted_at_transit = domain.encrypted_at_transit - if config.esEncrypt.in_whitelist(account_id, domain.name): + if config.esEncrypt.in_temp_whitelist(account_id, domain.name): + issue.status = IssueStatus.Tempwhitelist + elif config.esEncrypt.in_whitelist(account_id, domain.name): issue.status = IssueStatus.Whitelisted else: issue.status = IssueStatus.Open diff --git a/hammer/identification/lambdas/iam-keyrotation-issues-identification/describe_iam_key_rotation.py b/hammer/identification/lambdas/iam-keyrotation-issues-identification/describe_iam_key_rotation.py index b85e0bc2..2727f22d 100755 --- a/hammer/identification/lambdas/iam-keyrotation-issues-identification/describe_iam_key_rotation.py 
+++ b/hammer/identification/lambdas/iam-keyrotation-issues-identification/describe_iam_key_rotation.py @@ -56,7 +56,12 @@ def lambda_handler(event, context): issue = IAMKeyRotationIssue(account_id, key.id) issue.issue_details.username = user.id issue.issue_details.create_date = key.create_date.isoformat() - if config.iamUserKeysRotation.in_whitelist(account_id, key.id) or config.iamUserKeysRotation.in_whitelist(account_id, user.id): + + if config.iamUserKeysRotation.in_temp_whitelist(account_id, key.id) \ + or config.iamUserKeysRotation.in_temp_whitelist(account_id, user.id): + issue.status = IssueStatus.Tempwhitelist + elif config.iamUserKeysRotation.in_whitelist(account_id, key.id) \ + or config.iamUserKeysRotation.in_whitelist(account_id, user.id): issue.status = IssueStatus.Whitelisted else: issue.status = IssueStatus.Open diff --git a/hammer/identification/lambdas/iam-user-inactive-keys-identification/describe_iam_accesskey_details.py b/hammer/identification/lambdas/iam-user-inactive-keys-identification/describe_iam_accesskey_details.py index c1db9fac..9d5f6e9f 100755 --- a/hammer/identification/lambdas/iam-user-inactive-keys-identification/describe_iam_accesskey_details.py +++ b/hammer/identification/lambdas/iam-user-inactive-keys-identification/describe_iam_accesskey_details.py 
@@ -57,7 +57,12 @@ def lambda_handler(event, context): issue.issue_details.username = user.id issue.issue_details.last_used = key.last_used.isoformat() issue.issue_details.create_date = key.create_date.isoformat() - if config.iamUserInactiveKeys.in_whitelist(account_id, key.id) or config.iamUserInactiveKeys.in_whitelist(account_id, user.id): + + if config.iamUserInactiveKeys.in_temp_whitelist(account_id, key.id) \ + or config.iamUserInactiveKeys.in_temp_whitelist(account_id, user.id): + issue.status = IssueStatus.Tempwhitelist + elif config.iamUserInactiveKeys.in_whitelist(account_id, key.id) \ + or config.iamUserInactiveKeys.in_whitelist(account_id, user.id): issue.status = IssueStatus.Whitelisted else: issue.status = IssueStatus.Open diff --git a/hammer/identification/lambdas/rds-public-snapshots-identification/describe_rds_public_snapshots.py b/hammer/identification/lambdas/rds-public-snapshots-identification/describe_rds_public_snapshots.py index 6d155389..c0f0bd07 100755 --- a/hammer/identification/lambdas/rds-public-snapshots-identification/describe_rds_public_snapshots.py +++ b/hammer/identification/lambdas/rds-public-snapshots-identification/describe_rds_public_snapshots.py @@ -59,7 +59,10 @@ def lambda_handler(event, context): issue.issue_details.region = snapshot.account.region issue.issue_details.engine = snapshot.engine issue.issue_details.tags = snapshot.tags - if config.rdsSnapshot.in_whitelist(account_id, snapshot.id): + + if config.rdsSnapshot.in_temp_whitelist(account_id, snapshot.id): + issue.status = IssueStatus.Tempwhitelist + elif config.rdsSnapshot.in_whitelist(account_id, snapshot.id): issue.status = IssueStatus.Whitelisted else: issue.status = IssueStatus.Open diff --git a/hammer/identification/lambdas/rds-unencrypted-instance-identification/describe_rds_instance_encryption.py b/hammer/identification/lambdas/rds-unencrypted-instance-identification/describe_rds_instance_encryption.py index bc84e972..34fa4d32 100644 
--- a/hammer/identification/lambdas/rds-unencrypted-instance-identification/describe_rds_instance_encryption.py +++ b/hammer/identification/lambdas/rds-unencrypted-instance-identification/describe_rds_instance_encryption.py @@ -59,7 +59,10 @@ def lambda_handler(event, context): issue.issue_details.region = instance.account.region issue.issue_details.engine = instance.engine issue.issue_details.tags = instance.tags - if config.rdsEncrypt.in_whitelist(account_id, instance.id): + + if config.rdsEncrypt.in_temp_whitelist(account_id, instance.id): + issue.status = IssueStatus.Tempwhitelist + elif config.rdsEncrypt.in_whitelist(account_id, instance.id): issue.status = IssueStatus.Whitelisted else: issue.status = IssueStatus.Open diff --git a/hammer/identification/lambdas/redshift-audit-logging-issues-identification/describe_redshift_logging_issues.py b/hammer/identification/lambdas/redshift-audit-logging-issues-identification/describe_redshift_logging_issues.py index 265591c3..06e35ef7 100644 --- a/hammer/identification/lambdas/redshift-audit-logging-issues-identification/describe_redshift_logging_issues.py +++ b/hammer/identification/lambdas/redshift-audit-logging-issues-identification/describe_redshift_logging_issues.py @@ -56,7 +56,10 @@ def lambda_handler(event, context): issue = RedshiftLoggingIssue(account_id, cluster.name) issue.issue_details.tags = cluster.tags issue.issue_details.region = cluster.account.region - if config.redshift_logging.in_whitelist(account_id, cluster.name): + + if config.redshift_logging.in_temp_whitelist(account_id, cluster.name): + issue.status = IssueStatus.Tempwhitelist + elif config.redshift_logging.in_whitelist(account_id, cluster.name): issue.status = IssueStatus.Whitelisted else: issue.status = IssueStatus.Open 
diff --git a/hammer/identification/lambdas/redshift-cluster-public-access-identification/describe_redshift_cluster_public_access.py b/hammer/identification/lambdas/redshift-cluster-public-access-identification/describe_redshift_cluster_public_access.py index 7410515c..7db33692 100644 --- a/hammer/identification/lambdas/redshift-cluster-public-access-identification/describe_redshift_cluster_public_access.py +++ b/hammer/identification/lambdas/redshift-cluster-public-access-identification/describe_redshift_cluster_public_access.py @@ -56,7 +56,10 @@ def lambda_handler(event, context): issue = RedshiftPublicAccessIssue(account_id, cluster.name) issue.issue_details.tags = cluster.tags issue.issue_details.region = cluster.account.region - if config.redshift_public_access.in_whitelist(account_id, cluster.name): + + if config.redshift_public_access.in_temp_whitelist(account_id, cluster.name): + issue.status = IssueStatus.Tempwhitelist + elif config.redshift_public_access.in_whitelist(account_id, cluster.name): issue.status = IssueStatus.Whitelisted else: issue.status = IssueStatus.Open diff --git a/hammer/identification/lambdas/redshift-unencrypted-cluster-identification/describe_redshift_encryption.py b/hammer/identification/lambdas/redshift-unencrypted-cluster-identification/describe_redshift_encryption.py index 71674c5b..4e1c5de3 100644 --- a/hammer/identification/lambdas/redshift-unencrypted-cluster-identification/describe_redshift_encryption.py +++ b/hammer/identification/lambdas/redshift-unencrypted-cluster-identification/describe_redshift_encryption.py 
@@ -56,7 +56,10 @@ def lambda_handler(event, context): issue = RedshiftEncryptionIssue(account_id, cluster.name) issue.issue_details.tags = cluster.tags issue.issue_details.region = cluster.account.region - if config.redshiftEncrypt.in_whitelist(account_id, cluster.name): + + if config.redshiftEncrypt.in_temp_whitelist(account_id, cluster.name): + issue.status = IssueStatus.Tempwhitelist + elif config.redshiftEncrypt.in_whitelist(account_id, cluster.name): issue.status = IssueStatus.Whitelisted else: issue.status = IssueStatus.Open diff --git a/hammer/identification/lambdas/requirements.txt b/hammer/identification/lambdas/requirements.txt index 7001ed12..663bd1f6 100755 --- a/hammer/identification/lambdas/requirements.txt +++ b/hammer/identification/lambdas/requirements.txt @@ -1,2 +1 @@ -boto3==1.9.42 requests \ No newline at end of file diff --git a/hammer/identification/lambdas/s3-acl-issues-identification/describe_s3_bucket_acl.py b/hammer/identification/lambdas/s3-acl-issues-identification/describe_s3_bucket_acl.py index 6f8f20fa..30b69fe3 100755 --- a/hammer/identification/lambdas/s3-acl-issues-identification/describe_s3_bucket_acl.py +++ b/hammer/identification/lambdas/s3-acl-issues-identification/describe_s3_bucket_acl.py @@ -55,7 +55,10 @@ def lambda_handler(event, context): issue.issue_details.owner = bucket.owner issue.issue_details.public_acls = bucket.get_public_acls() issue.issue_details.tags = bucket.tags - if config.s3acl.in_whitelist(account_id, bucket.name): + + if config.s3acl.in_temp_whitelist(account_id, bucket.name): + issue.status = IssueStatus.Tempwhitelist + elif config.s3acl.in_whitelist(account_id, bucket.name): issue.status = IssueStatus.Whitelisted else: issue.status = IssueStatus.Open diff --git a/hammer/identification/lambdas/s3-policy-issues-identification/describe_s3_bucket_policy.py b/hammer/identification/lambdas/s3-policy-issues-identification/describe_s3_bucket_policy.py index 2ac13ae0..e852cf4b 100755 
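Review bot: Removing the `boto3==1.9.42` pin leaves hammer/identification/lambdas/requirements.txt with no pinned versions at all, and the commit gives no reason; if the intent is to rely on the boto3 bundled in the Lambda runtime, say so in a comment so the next reader does not re-add it, otherwise keep an explicit pin for reproducible builds and a supply-chain audit trail. `requests` in the same file is also unpinned and should be pinned to a known-good release for the same reason. The file also still ends without a trailing newline.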
--- a/hammer/identification/lambdas/s3-policy-issues-identification/describe_s3_bucket_policy.py +++ b/hammer/identification/lambdas/s3-policy-issues-identification/describe_s3_bucket_policy.py @@ -55,7 +55,10 @@ def lambda_handler(event, context): issue.issue_details.owner = bucket.owner issue.issue_details.tags = bucket.tags issue.issue_details.policy = bucket.policy - if config.s3policy.in_whitelist(account_id, bucket.name): + + if config.s3policy.in_temp_whitelist(account_id, bucket.name): + issue.status = IssueStatus.Tempwhitelist + elif config.s3policy.in_whitelist(account_id, bucket.name): issue.status = IssueStatus.Whitelisted else: issue.status = IssueStatus.Open diff --git a/hammer/identification/lambdas/s3-unencrypted-bucket-issues-identification/describe_s3_encryption.py b/hammer/identification/lambdas/s3-unencrypted-bucket-issues-identification/describe_s3_encryption.py index ecf8e766..4e14c5fb 100644 --- a/hammer/identification/lambdas/s3-unencrypted-bucket-issues-identification/describe_s3_encryption.py +++ b/hammer/identification/lambdas/s3-unencrypted-bucket-issues-identification/describe_s3_encryption.py @@ -54,7 +54,10 @@ def lambda_handler(event, context): issue = S3EncryptionIssue(account_id, bucket.name) issue.issue_details.owner = bucket.owner issue.issue_details.tags = bucket.tags - if config.s3Encrypt.in_whitelist(account_id, bucket.name): + + if config.s3Encrypt.in_temp_whitelist(account_id, bucket.name): + issue.status = IssueStatus.Tempwhitelist + elif config.s3Encrypt.in_whitelist(account_id, bucket.name): issue.status = IssueStatus.Whitelisted else: issue.status = IssueStatus.Open diff --git a/hammer/identification/lambdas/sg-issues-identification/describe_sec_grps_unrestricted_access.py b/hammer/identification/lambdas/sg-issues-identification/describe_sec_grps_unrestricted_access.py index 5228a266..74a2a47f 100755 --- a/hammer/identification/lambdas/sg-issues-identification/describe_sec_grps_unrestricted_access.py 
+++ b/hammer/identification/lambdas/sg-issues-identification/describe_sec_grps_unrestricted_access.py @@ -68,7 +68,11 @@ def lambda_handler(event, context): for ip_range in perm.ip_ranges: if not ip_range.restricted: issue.add_perm(perm.protocol, perm.from_port, perm.to_port, ip_range.cidr, ip_range.status) - if config.sg.in_whitelist(account_id, f"{sg.vpc_id}:{sg.name}") or \ + + if config.sg.in_temp_whitelist(account_id, f"{sg.vpc_id}:{sg.name}")or \ + config.sg.in_temp_whitelist(account_id, sg.id): + issue.status = IssueStatus.Tempwhitelist + elif config.sg.in_whitelist(account_id, f"{sg.vpc_id}:{sg.name}") or \ config.sg.in_whitelist(account_id, sg.id): issue.status = IssueStatus.Whitelisted else: diff --git a/hammer/identification/lambdas/sqs-public-policy-identification/describe_sqs_public_policy.py b/hammer/identification/lambdas/sqs-public-policy-identification/describe_sqs_public_policy.py index 63a02b12..0750b84c 100644 --- a/hammer/identification/lambdas/sqs-public-policy-identification/describe_sqs_public_policy.py +++ b/hammer/identification/lambdas/sqs-public-policy-identification/describe_sqs_public_policy.py @@ -59,7 +59,10 @@ def lambda_handler(event, context): issue.issue_details.name = queue.name issue.issue_details.region = queue.account.region issue.issue_details.policy = queue.policy - if config.sqspolicy.in_whitelist(account_id, queue.url): + + if config.sqspolicy.in_temp_whitelist(account_id, queue.url): + issue.status = IssueStatus.Tempwhitelist + elif config.sqspolicy.in_whitelist(account_id, queue.url): issue.status = IssueStatus.Whitelisted else: issue.status = IssueStatus.Open diff --git a/hammer/library/config.py b/hammer/library/config.py index 11ad9eee..29c43c0e 100755 --- a/hammer/library/config.py +++ b/hammer/library/config.py 
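Review bot: The added condition in describe_sec_grps_unrestricted_access is missing a space before `or` (`f"{sg.vpc_id}:{sg.name}")or \`); it parses, but it should read `if config.sg.in_temp_whitelist(account_id, f"{sg.vpc_id}:{sg.name}") or \` to match the `elif` line directly below it. The `else:` branch of this chain is outside the hunk.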
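Review bot: describe_sqs_public_policy compares temp-whitelist entries against `queue.url`, but the `sqs_public_access` comment in the new temp_whitelist_issues.json says the values are "SQS names" (and the whitelist.json context line says "SQS ARNs"); an operator following either comment would add an entry that never matches and the queue would be remediated despite the intended quarantine. Align the comment with what the code compares, e.g. `values - SQS queue URLs`, or extend the lookup to also accept the queue name. The enclosing loop starts before the hunk.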
@@ -21,19 +21,23 @@ def __init__(self, configIniFile="config.ini", whitelistFile="whitelist.json", fixnowFile="fixnow.json", - ticketOwnersFile="ticket_owners.json"): + ticketOwnersFile="ticket_owners.json", + tempWhitelistFile="temp_whitelist_issues.json"): """ :param configFile: local path to configuration file in json format :param configIniFile: local path to configuration file in ini format (is used in r&r EC2, build from EC2 userdata) :param whitelistFile: local path to whitelist file in json format :param fixnowFile: local path to fixnow file in json format :param ticketOwnersFile: local path to file with default ticket owners by bu/account in json format + :param tempWhitelistFile: local path to list of temporary whitelist issues file in json format """ self._config = self.json_load_from_file(configFile) self._config['whitelist'] = self.json_load_from_file(whitelistFile, default={}) self._config['fixnow'] = self.json_load_from_file(fixnowFile, default={}) + self._config['tempwhitelist'] = self.json_load_from_file(tempWhitelistFile, default={}) + self.local = LocalConfig(configIniFile) self.owners = OwnersConfig(self.json_load_from_file(ticketOwnersFile, default={})) self.cronjobs = self._config.get('cronjobs', {}) @@ -480,6 +484,7 @@ def __init__(self, config, section): super().__init__(config, section) self._whitelist = config["whitelist"].get(section, {}) self._fixnow = config["fixnow"].get(section, {}) + self._tempwhitelist_list = config["tempwhitelist"].get(section, {}) # main accounts dict self._accounts = config["aws"]["accounts"] self.name = section 
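Review bot: The new section attribute is named `_tempwhitelist_list` while its siblings are `_whitelist` and `_fixnow`, and the config key is `tempwhitelist`; `self._tempwhitelist = config["tempwhitelist"].get(section, {})` keeps the naming consistent and avoids the redundant `_list` suffix (the value is a dict of account id to list). The `__init__` docstring line could also say what the file does rather than just its format, e.g. `:param tempWhitelistFile: local path to json file of issues quarantined for later remediation (skipped by identification and remediation)`. The rest of `__init__` and of the section constructor is outside the hunks.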
@@ -543,6 +548,17 @@ def in_whitelist(self, account_id, issue): """ return issue in self._whitelist.get(account_id, []) + def in_temp_whitelist(self, account_id, issue): + """ + :param account_id: AWS account Id + :param issue: Issue id + + :return: boolean, if issue Id in temp whitelist file + """ + return issue in self._tempwhitelist_list.get(account_id, []) + + + @property def ddb_table_name(self): """ :return: DDB table name to use for storing issue details """ diff --git a/hammer/library/ddb_issues.py b/hammer/library/ddb_issues.py index 06cf1c4b..fb744954 100755 --- a/hammer/library/ddb_issues.py +++ b/hammer/library/ddb_issues.py @@ -20,6 +20,8 @@ class IssueStatus(Enum): Resolved = "resolved" # set by reporting after closing ticket Closed = "closed" + # set by identification - issue still exists but was added to temporary whitelist_list for future remediation + Tempwhitelist = "tempwhitelist" class Details(object): @@ -476,3 +478,16 @@ def set_status_updated(cls, ddb_table, issue): """ issue.timestamps.updated = issue.timestamps.reported cls.put(ddb_table, issue) + + @classmethod + def set_status_temp_whitelisted(cls, ddb_table, issue): + """ + Put issue with closed status and updated closed timestamp + + :param ddb_table: boto3 DDB table resource + :param issue: Issue instance + + :return: nothing + """ + issue.timestamps.temp_whitelisted = datetime.now(timezone.utc).isoformat() + cls.put(ddb_table, issue) \ No newline at end of file diff --git a/hammer/reporting-remediation/remediation/clean_ami_public_access.py b/hammer/reporting-remediation/remediation/clean_ami_public_access.py index e6f327bc..1a237412 100644 --- a/hammer/reporting-remediation/remediation/clean_ami_public_access.py +++ b/hammer/reporting-remediation/remediation/clean_ami_public_access.py 
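Review bot: `in_temp_whitelist` gives a "temporary" entry exactly the same suppressive power as the permanent whitelist and nothing in the code ever expires it, so an issue parked here stays unremediated until someone edits the file; the docstring should state that, and a follow-up could store an expiry per entry and have this method return False once it has passed. Suggested docstring line: `:return: boolean, True if the issue id is listed for account_id in the temporary whitelist file (no expiry is applied)`. The extra blank lines added after the method before `ddb_table_name` should be cut to the file's usual single blank line.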
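Review bot: The docstring of `set_status_temp_whitelisted` is copied from the closed-status helper and says "Put issue with closed status and updated closed timestamp", which is wrong for this method; it should read `Put issue with the temp_whitelisted timestamp set to now`. The method also never assigns `issue.status`, unlike what its name suggests, and no hunk in this diff calls it, so either the remediation scripts should invoke it when they skip a temp-whitelisted issue or it is dead code. Whether `issue.timestamps` accepts a new `temp_whitelisted` attribute depends on the timestamps class, which is not in the diff. The file also loses its trailing newline.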
@@ -39,6 +39,12 @@ def clean_ami_public_access(self): in_whitelist = self.config.publicAMIs.in_whitelist(account_id, ami_id) + in_temp_whitelist = self.config.publicAMIs.in_temp_whitelist(account_id, ami_id) + if in_temp_whitelist: + logging.debug(f"Skipping '{ami_id}' (in temporary whitelist items. " + f"Will remediate this issue in future)") + continue + if in_whitelist: logging.debug(f"Skipping {ami_id} (in whitelist)") diff --git a/hammer/reporting-remediation/remediation/clean_elasticsearch_domain_logging.py b/hammer/reporting-remediation/remediation/clean_elasticsearch_domain_logging.py index f1facfc8..d5b6c434 100644 --- a/hammer/reporting-remediation/remediation/clean_elasticsearch_domain_logging.py +++ b/hammer/reporting-remediation/remediation/clean_elasticsearch_domain_logging.py @@ -41,6 +41,11 @@ def clean_elasticsearch_domain_domain_logging_issues(self, batch=False): domain_name = issue.issue_id in_whitelist = self.config.esLogging.in_whitelist(account_id, domain_name) + in_temp_whitelist = self.config.esLogging.in_temp_whitelist(account_id, domain_name) + if in_temp_whitelist: + logging.debug(f"Skipping '{domain_name}' (in temporary whitelist items. " + f"Will remediate this issue in future)") + continue if in_whitelist: logging.debug(f"Skipping {domain_name} (in whitelist)") diff --git a/hammer/reporting-remediation/remediation/clean_elasticsearch_policy_permissions.py b/hammer/reporting-remediation/remediation/clean_elasticsearch_policy_permissions.py index d92f4365..6d04a5b9 100644 --- a/hammer/reporting-remediation/remediation/clean_elasticsearch_policy_permissions.py +++ b/hammer/reporting-remediation/remediation/clean_elasticsearch_policy_permissions.py 
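Review bot: The same skip block — compute `in_temp_whitelist`, log at debug, `continue` — is pasted into every remediation script in this commit (this hunk and the hunks ending at L21, L22, L23, L24, L25 and L26), with small drifts in quoting (`'{ami_id}'` here versus `{ami_id}` in the whitelist message two lines below) and in whether the local name or `issue.issue_id` is passed. A shared helper on the config section class, e.g. `def skip_reason(self, account_id, *ids)` returning `"whitelist"`, `"temporary whitelist"` or `None`, would keep the wording and the lookup key consistent and cut each per-script change to two lines. The temp-whitelist check runs before the `in_whitelist` branch, so an id present in both files is logged as temporarily whitelisted; that is probably intended but a one-line comment such as `# temporary whitelist takes precedence over the permanent one` would make it explicit. `clean_ami_public_access` continues outside the hunk.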
@@ -41,7 +41,12 @@ def clean_elasticsearch_domain_policy_permissions(self, batch=False): domain_name = issue.issue_id in_whitelist = self.config.esPublicAccess.in_whitelist(account_id, domain_name) - #in_fixlist = self.config.esPublicAccess.in_fixnow(account_id, domain_name) + # in_fixlist = self.config.esPublicAccess.in_fixnow(account_id, domain_name) + in_temp_whitelist = self.config.esPublicAccess.in_temp_whitelist(account_id, domain_name) + if in_temp_whitelist: + logging.debug(f"Skipping '{domain_name}' (in temporary whitelist items. " + f"Will remediate this issue in future)") + continue if in_whitelist: logging.debug(f"Skipping {domain_name} (in whitelist)") diff --git a/hammer/reporting-remediation/remediation/clean_iam_key_rotation.py b/hammer/reporting-remediation/remediation/clean_iam_key_rotation.py index 42598920..2083b97f 100755 --- a/hammer/reporting-remediation/remediation/clean_iam_key_rotation.py +++ b/hammer/reporting-remediation/remediation/clean_iam_key_rotation.py @@ -43,6 +43,13 @@ def clean_iam_access_keys(self, batch=False): user_in_whitelist = self.config.iamUserKeysRotation.in_whitelist(account_id, username) key_in_whitelist = self.config.iamUserKeysRotation.in_whitelist(account_id, key_id) + user_in_temp_whitelist = self.config.iamUserKeysRotation.in_temp_whitelist(account_id, username) + key_in_temp_whitelist = self.config.iamUserKeysRotation.in_temp_whitelist(account_id, key_id) + if user_in_temp_whitelist or key_in_temp_whitelist: + logging.debug(f"Skipping '{key_id} / {username}' (in temporary whitelist items. " + f"Will remediate this issue in future)") + continue + if user_in_whitelist or key_in_whitelist: logging.debug(f"Skipping '{key_id} / {username}' (in whitelist)") diff --git a/hammer/reporting-remediation/remediation/clean_iam_keys_inactive.py b/hammer/reporting-remediation/remediation/clean_iam_keys_inactive.py index 6969f360..ba714422 100755 --- a/hammer/reporting-remediation/remediation/clean_iam_keys_inactive.py 
+++ b/hammer/reporting-remediation/remediation/clean_iam_keys_inactive.py @@ -42,6 +42,13 @@ def clean_iam_access_keys(self, batch=False): user_in_whitelist = self.config.iamUserInactiveKeys.in_whitelist(account_id, username) key_in_whitelist = self.config.iamUserInactiveKeys.in_whitelist(account_id, key_id) + user_in_temp_whitelist = self.config.iamUserInactiveKeys.in_temp_whitelist(account_id, username) + key_in_temp_whitelist = self.config.iamUserInactiveKeys.in_temp_whitelist(account_id, key_id) + if user_in_temp_whitelist or key_in_temp_whitelist: + logging.debug( + f"Skipping '{key_id} / {username}' (in temporary whitelist items. " + f"Will remediate this issue in future)") + continue if user_in_whitelist or key_in_whitelist: logging.debug(f"Skipping '{key_id} / {username}' (in whitelist)") diff --git a/hammer/reporting-remediation/remediation/clean_public_ebs_snapshots.py b/hammer/reporting-remediation/remediation/clean_public_ebs_snapshots.py index 99df6d66..53cb73fb 100755 --- a/hammer/reporting-remediation/remediation/clean_public_ebs_snapshots.py +++ b/hammer/reporting-remediation/remediation/clean_public_ebs_snapshots.py @@ -42,6 +42,12 @@ def clean_public_ebs_snapshots(self, batch=False): continue in_whitelist = self.config.ebsSnapshot.in_whitelist(account_id, issue.issue_id) + in_temp_whitelist = self.config.ebsSnapshot.in_temp_whitelist(account_id, issue.issue_id) + if in_temp_whitelist: + logging.debug(f"Skipping '{issue.issue_id}' (in temporary whitelist items. " + f"Will remediate this issue in future)") + continue + if in_whitelist: logging.debug(f"Skipping '{issue.issue_id}' (in whitelist)") diff --git a/hammer/reporting-remediation/remediation/clean_public_rds_snapshots.py b/hammer/reporting-remediation/remediation/clean_public_rds_snapshots.py index 60511540..94aaac70 100755 --- a/hammer/reporting-remediation/remediation/clean_public_rds_snapshots.py +++ b/hammer/reporting-remediation/remediation/clean_public_rds_snapshots.py 
@@ -43,6 +43,13 @@ def clean_public_rds_snapshots(self, batch=False): continue in_whitelist = self.config.rdsSnapshot.in_whitelist(account_id, issue.issue_id) + in_temp_whitelist = self.config.rdsSnapshot.in_temp_whitelist(account_id, issue.issue_id) + if in_temp_whitelist: + logging.debug( + f"Skipping '{issue.issue_id}' (in temporary whitelist items. " + f"Will remediate this issue in future)") + continue + if in_whitelist: logging.debug(f"Skipping '{issue.issue_id}' (in whitelist)") diff --git a/hammer/reporting-remediation/remediation/clean_redshift_cluster_unencrypted.py b/hammer/reporting-remediation/remediation/clean_redshift_cluster_unencrypted.py index 99df8cf6..30344b4a 100644 --- a/hammer/reporting-remediation/remediation/clean_redshift_cluster_unencrypted.py +++ b/hammer/reporting-remediation/remediation/clean_redshift_cluster_unencrypted.py @@ -40,6 +40,12 @@ def cleanredshiftclusterunencryption(self, batch=False): cluster_id = issue.issue_id in_whitelist = self.config.redshiftEncrypt.in_whitelist(account_id, cluster_id) + in_temp_whitelist = self.config.redshiftEncrypt.in_temp_whitelist(account_id, issue.issue_id) + if in_temp_whitelist: + logging.debug( + f"Skipping '{issue.issue_id}' (in temporary whitelist items. " + f"Will remediate this issue in future)") + continue if in_whitelist: logging.debug(f"Skipping {cluster_id} (in whitelist)") diff --git a/hammer/reporting-remediation/remediation/clean_redshift_public_access.py b/hammer/reporting-remediation/remediation/clean_redshift_public_access.py index a67f29be..374441d4 100644 --- a/hammer/reporting-remediation/remediation/clean_redshift_public_access.py +++ b/hammer/reporting-remediation/remediation/clean_redshift_public_access.py 
@@ -40,6 +40,12 @@ def clean_redshift_public_access(self, batch=False): cluster_id = issue.issue_id in_whitelist = self.config.redshift_public_access.in_whitelist(account_id, cluster_id) + in_temp_whitelist = self.config.redshift_public_access.in_temp_whitelist(account_id, issue.issue_id) + if in_temp_whitelist: + logging.debug( + f"Skipping '{issue.issue_id}' (in temporary whitelist items. " + f"Will remediate this issue in future)") + continue if in_whitelist: logging.debug(f"Skipping {cluster_id} (in whitelist)") diff --git a/hammer/reporting-remediation/remediation/clean_s3bucket_acl_permissions.py b/hammer/reporting-remediation/remediation/clean_s3bucket_acl_permissions.py index f98773e9..88cd12ae 100755 --- a/hammer/reporting-remediation/remediation/clean_s3bucket_acl_permissions.py +++ b/hammer/reporting-remediation/remediation/clean_s3bucket_acl_permissions.py @@ -42,6 +42,12 @@ def cleans3bucketaclpermissions(self, batch=False): in_whitelist = self.config.s3acl.in_whitelist(account_id, bucket_name) in_fixlist = True #self.config.s3acl.in_fixnow(account_id, bucket_name) + in_temp_whitelist = self.config.s3acl.in_temp_whitelist(account_id, issue.issue_id) + if in_temp_whitelist: + logging.debug( + f"Skipping '{issue.issue_id}' (in temporary whitelist items. " + f"Will remediate this issue in future)") + continue if in_whitelist: logging.debug(f"Skipping {bucket_name} (in whitelist)") diff --git a/hammer/reporting-remediation/remediation/clean_s3bucket_policy_permissions.py b/hammer/reporting-remediation/remediation/clean_s3bucket_policy_permissions.py index 37dca5ba..3cea5ffb 100755 --- a/hammer/reporting-remediation/remediation/clean_s3bucket_policy_permissions.py +++ b/hammer/reporting-remediation/remediation/clean_s3bucket_policy_permissions.py 
@@ -41,7 +41,13 @@ def clean_s3bucket_policy_permissions(self, batch=False): bucket_name = issue.issue_id in_whitelist = self.config.s3policy.in_whitelist(account_id, bucket_name) - #in_fixlist = self.config.s3policy.in_fixnow(account_id, bucket_name) + # in_fixlist = self.config.s3policy.in_fixnow(account_id, bucket_name) + in_temp_whitelist = self.config.s3policy.in_temp_whitelist(account_id, issue.issue_id) + if in_temp_whitelist: + logging.debug( + f"Skipping '{issue.issue_id}' (in temporary whitelist items. " + f"Will remediate this issue in future)") + continue if in_whitelist: logging.debug(f"Skipping {bucket_name} (in whitelist)") diff --git a/hammer/reporting-remediation/remediation/clean_s3bucket_unencrypted.py b/hammer/reporting-remediation/remediation/clean_s3bucket_unencrypted.py index ca6de0f4..305d59c3 100644 --- a/hammer/reporting-remediation/remediation/clean_s3bucket_unencrypted.py +++ b/hammer/reporting-remediation/remediation/clean_s3bucket_unencrypted.py @@ -41,6 +41,12 @@ def cleans3bucketunencrypted(self, batch=False): in_whitelist = self.config.s3Encrypt.in_whitelist(account_id, bucket_name) in_fixlist = True + in_temp_whitelist = self.config.s3Encrypt.in_temp_whitelist(account_id, issue.issue_id) + if in_temp_whitelist: + logging.debug( + f"Skipping '{issue.issue_id}' (in temporary whitelist items. " + f"Will remediate this issue in future)") + continue if in_whitelist: logging.debug(f"Skipping {bucket_name} (in whitelist)") diff --git a/hammer/reporting-remediation/remediation/clean_security_groups.py b/hammer/reporting-remediation/remediation/clean_security_groups.py index 91d0c7ad..a6afa9c0 100755 --- a/hammer/reporting-remediation/remediation/clean_security_groups.py +++ b/hammer/reporting-remediation/remediation/clean_security_groups.py 
@@ -47,6 +47,14 @@ def clean_security_groups(self, batch=False): name_in_whitelist = self.config.sg.in_whitelist(account_id, f"{group_vpc_id}:{group_name}") id_in_whitelist = self.config.sg.in_whitelist(account_id, group_id) + name_in_temp_whitelist = self.config.sg.in_temp_whitelist(account_id, f"{group_vpc_id}:{group_name}") + id_in_temp_whitelist = self.config.sg.in_temp_whitelist(account_id, group_id) + if name_in_temp_whitelist or id_in_temp_whitelist: + logging.debug( + f"Skipping '{group_name}' / '{group_id}' (in temporary whitelist items." + f" Will remediate this issue in future)") + continue + if name_in_whitelist or id_in_whitelist: logging.debug(f"Skipping '{group_name} / {group_id}' (in whitelist)") diff --git a/hammer/reporting-remediation/remediation/clean_sqs_policy_permissions.py b/hammer/reporting-remediation/remediation/clean_sqs_policy_permissions.py index a62d7bdb..3e0a3188 100644 --- a/hammer/reporting-remediation/remediation/clean_sqs_policy_permissions.py +++ b/hammer/reporting-remediation/remediation/clean_sqs_policy_permissions.py @@ -41,6 +41,12 @@ def clean_sqs_policy_permissions(self): queue_region = issue.issue_details.region in_whitelist = self.config.sqspolicy.in_whitelist(account_id, queue_url) + in_temp_whitelist = self.config.sqspolicy.in_temp_whitelist(account_id, issue.issue_id) + if in_temp_whitelist: + logging.debug( + f"Skipping '{issue.issue_id}' (in temporary whitelist items. " + f"Will remediate this issue in future)") + continue if in_whitelist: logging.debug(f"Skipping {queue_name} (in whitelist)") diff --git a/hammer/reporting-remediation/reporting/create_cloudtrail_tickets.py b/hammer/reporting-remediation/reporting/create_cloudtrail_tickets.py index 9a9768d0..15a27f9f 100755 --- a/hammer/reporting-remediation/reporting/create_cloudtrail_tickets.py +++ b/hammer/reporting-remediation/reporting/create_cloudtrail_tickets.py 
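Review bot: In `clean_sqs_policy_permissions` the permanent whitelist is looked up with `queue_url` while the new temporary-whitelist lookup uses `issue.issue_id`, and the skip message prints `queue_name`; unless `issue.issue_id` is the queue URL (the hunk does not show how it is assigned), an operator who copies an entry from one file to the other gets a silent no-match and the queue is remediated anyway. Use the same key for both, `in_temp_whitelist = self.config.sqspolicy.in_temp_whitelist(account_id, queue_url)`, or document in the config which identifier the temporary list expects. The same `issue.issue_id`-versus-local-name drift appears in the redshift and s3 hunks at L23–L25; where those hunks show the local name assigned from `issue.issue_id` it is harmless, but the inconsistency invites the same mistake later. The enclosing loop continues outside the hunk.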
@@ -54,9 +54,29 @@ def create_tickets_cloud_trail_logging(self): issues = IssueOperations.get_account_not_closed_issues(ddb_table, account_id, CloudTrailIssue) for issue in issues: region = issue.issue_id + + in_temp_whitelist = self.config.cloudtrails.in_temp_whitelist(account_id, issue.issue_id) # issue has been already reported if issue.timestamps.reported is not None: - if issue.status in [IssueStatus.Resolved, IssueStatus.Whitelisted]: + if (in_temp_whitelist or issue.status in [IssueStatus.Tempwhitelist]) \ + and issue.timestamps.temp_whitelisted is None: + logging.debug(f"CloudTrail logging issue with '{region}' " + f"is added to temporary whitelist. ") + + comment = (f"CloudTrail logging issue with '{region}' " + f"in '{account_name} / {account_id}' account is added to temporary whitelist.") + jira.update_issue( + ticket_id=issue.jira_details.ticket, + comment=comment + ) + + slack.report_issue( + msg=f"{comment}" + f"{' (' + jira.ticket_url(issue.jira_details.ticket) + ')' if issue.jira_details.ticket else ''}", + account_id=account_id + ) + IssueOperations.set_status_temp_whitelisted(ddb_table, issue) + elif issue.status in [IssueStatus.Resolved, IssueStatus.Whitelisted]: logging.debug(f"Closing {issue.status.value} '{region}' CloudTrail logging issue") comment = (f"Closing {issue.status.value} issue with '{region}' CloudTrail logging in " diff --git a/hammer/reporting-remediation/reporting/create_ebs_public_snapshot_issue_tickets.py b/hammer/reporting-remediation/reporting/create_ebs_public_snapshot_issue_tickets.py index 204fc4f5..bf459b13 100755 --- a/hammer/reporting-remediation/reporting/create_ebs_public_snapshot_issue_tickets.py +++ b/hammer/reporting-remediation/reporting/create_ebs_public_snapshot_issue_tickets.py 
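Review bot: The temp-whitelist branch posts `... is added to temporary whitelist.` to Jira and Slack but never says that auto-remediation is suspended, so for issue types whose original description carries an Auto-Remediation Date (the EBS snapshot hunk at L29 only omits it for newly built descriptions) an already-open ticket keeps a date that will not be honoured; suggest ending the comment with `Auto-remediation is suspended while the entry stays in the temporary whitelist.` Two further things are worth a look: `issue.status in [IssueStatus.Tempwhitelist]` is tested here but nothing in this commit assigns that status (`set_status_temp_whitelisted` in the ddb_issues hunk only sets the timestamp), so the check is dead unless identification sets it elsewhere; and the branch is gated on `issue.timestamps.temp_whitelisted is None`, which is never cleared, so removing an entry from the config resumes remediation without any ticket comment. The same block is repeated in the reporting hunks ending at L28, L30, L32, L33, L34, L35, L38 and L40 (both hunks there), so whichever wording is chosen belongs in one helper rather than ten copies. `create_tickets_cloud_trail_logging` continues outside the hunk.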
@@ -37,13 +37,33 @@ def create_tickets_ebs_public_snapshots(self): volume_id = issue.issue_details.volume_id region = issue.issue_details.region tags = issue.issue_details.tags + in_temp_whitelist = self.config.ebsSnapshot.in_temp_whitelist(account_id, issue.issue_id) # issue has been already reported if issue.timestamps.reported is not None: owner = issue.jira_details.owner bu = issue.jira_details.business_unit product = issue.jira_details.product - if issue.status in [IssueStatus.Resolved, IssueStatus.Whitelisted]: + if (in_temp_whitelist or issue.status in [IssueStatus.Tempwhitelist]) and issue.timestamps.temp_whitelisted is None: + logging.debug(f"EBS public snapshot '{snapshot_id}' is added to temporary whitelist items. ") + + comment = (f"EBS public snapshot '{snapshot_id}' " + f"in '{account_name} / {account_id}' account, {region} " + f"region added to temporary whitelist.") + jira.update_issue( + ticket_id=issue.jira_details.ticket, + comment=comment + ) + + slack.report_issue( + msg=f"{comment}" + f"{' (' + jira.ticket_url(issue.jira_details.ticket) + ')' if issue.jira_details.ticket else ''}", + owner=owner, + account_id=account_id, + bu=bu, product=product, + ) + IssueOperations.set_status_temp_whitelisted(ddb_table, issue) + elif issue.status in [IssueStatus.Resolved, IssueStatus.Whitelisted]: logging.debug(f"Closing {issue.status.value} EBS public snapshot '{snapshot_id}' issue") comment = (f"Closing {issue.status.value} EBS public snapshot '{snapshot_id}' issue " 
@@ -101,8 +121,9 @@ def create_tickets_ebs_public_snapshots(self): f"*Volume ID*: {volume_id}\n" f"\n") - auto_remediation_date = (self.config.now + self.config.ebsSnapshot.issue_retention_date).date() - issue_description += f"\n{{color:red}}*Auto-Remediation Date*: {auto_remediation_date}{{color}}\n\n" + if self.config.ebsSnapshot.remediation and not (in_temp_whitelist or issue.status in [IssueStatus.Tempwhitelist]): + auto_remediation_date = (self.config.now + self.config.ebsSnapshot.issue_retention_date).date() + issue_description += f"\n{{color:red}}*Auto-Remediation Date*: {auto_remediation_date}{{color}}\n\n" issue_description += JiraOperations.build_tags_table(tags) diff --git a/hammer/reporting-remediation/reporting/create_ebs_volume_issue_tickets.py b/hammer/reporting-remediation/reporting/create_ebs_volume_issue_tickets.py index b8dc8db7..3bad6185 100755 --- a/hammer/reporting-remediation/reporting/create_ebs_volume_issue_tickets.py +++ b/hammer/reporting-remediation/reporting/create_ebs_volume_issue_tickets.py 
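Review bot: The rewritten condition also requires `self.config.ebsSnapshot.remediation`, which the old code did not check, so tickets for accounts with remediation disabled stop getting the Auto-Remediation Date line; that looks like a sensible fix, but it is a second behaviour change under the temp-whitelist one and deserves a mention in the commit message (the Elasticsearch hunks at L35 and L38 already had the `.remediation` guard). If `issue_description` is only built for new tickets, as the `timestamps.reported is not None` branch above suggests, an existing ticket that is later temp-whitelisted keeps its printed date; a short comment `# no auto-remediation date for temp-whitelisted issues; existing tickets are annotated via the comment branch above` would make the intent explicit. `create_tickets_ebs_public_snapshots` continues outside the hunk.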
@@ -84,13 +84,34 @@ def create_tickets_ebsvolumes(self): volume_id = issue.issue_id region = issue.issue_details.region tags = issue.issue_details.tags + + in_temp_whitelist = self.config.ebsVolume.in_temp_whitelist(account_id, issue.issue_id) # issue has been already reported if issue.timestamps.reported is not None: owner = issue.jira_details.owner bu = issue.jira_details.business_unit product = issue.jira_details.product - if issue.status in [IssueStatus.Resolved, IssueStatus.Whitelisted]: + if (in_temp_whitelist or issue.status in [IssueStatus.Tempwhitelist]) and issue.timestamps.temp_whitelisted is None: + logging.debug(f"EBS unencrypted volume '{volume_id}' is added to temporary whitelist items. ") + + comment = (f"EBS unencrypted volume '{volume_id}' " + f"in '{account_name} / {account_id}' account, {region} " + f"region added to temporary whitelist items.") + jira.update_issue( + ticket_id=issue.jira_details.ticket, + comment=comment + ) + + slack.report_issue( + msg=f"{comment}" + f"{' (' + jira.ticket_url(issue.jira_details.ticket) + ')' if issue.jira_details.ticket else ''}", + owner=owner, + account_id=account_id, + bu=bu, product=product, + ) + IssueOperations.set_status_temp_whitelisted(ddb_table, issue) + elif issue.status in [IssueStatus.Resolved, IssueStatus.Whitelisted]: logging.debug(f"Closing {issue.status.value} EBS unencrypted volume '{volume_id}' issue") comment = (f"Closing {issue.status.value} EBS unencrypted volume '{volume_id}' issue " 
@@ -174,7 +195,8 @@ def create_tickets_ebsvolumes(self): issue_description += "*Recommendation*: Encrypt EBS volume. " if self.config.whitelisting_procedure_url: - issue_description += (f"For any other exceptions, please follow the [whitelisting procedure|{self.config.whitelisting_procedure_url}] " + issue_description += (f"For any other exceptions, please follow the " + f"[whitelisting procedure|{self.config.whitelisting_procedure_url}] " f"and provide a strong business reasoning. ") issue_summary = (f"EBS unencrypted volume '{volume_id}' " diff --git a/hammer/reporting-remediation/reporting/create_ecs_external_image_source_issue_tickets.py b/hammer/reporting-remediation/reporting/create_ecs_external_image_source_issue_tickets.py index 63b56de0..ad3d31aa 100644 --- a/hammer/reporting-remediation/reporting/create_ecs_external_image_source_issue_tickets.py +++ b/hammer/reporting-remediation/reporting/create_ecs_external_image_source_issue_tickets.py 
@@ -37,13 +37,35 @@ def create_tickets_ecs_external_images(self): region = issue.issue_details.region tags = issue.issue_details.tags container_image_details = issue.issue_details.container_image_details + + in_temp_whitelist = self.config.ecs_external_image_source.in_temp_whitelist(account_id, issue.issue_id) # issue has been already reported if issue.timestamps.reported is not None: owner = issue.jira_details.owner bu = issue.jira_details.business_unit product = issue.jira_details.product - if issue.status in [IssueStatus.Resolved, IssueStatus.Whitelisted]: + if (in_temp_whitelist or issue.status in [IssueStatus.Tempwhitelist]) and issue.timestamps.temp_whitelisted is None: + logging.debug(f"ECS external image source '{task_definition_name}' " + f"is added to temporary whitelist items. ") + + comment = (f"ECS external image source '{task_definition_name}' " + f"in '{account_name} / {account_id}' account, {region} " + f"region added to temporary whitelist items.") + jira.update_issue( + ticket_id=issue.jira_details.ticket, + comment=comment + ) + + slack.report_issue( + msg=f"{comment}" + f"{' (' + jira.ticket_url(issue.jira_details.ticket) + ')' if issue.jira_details.ticket else ''}", + owner=owner, + account_id=account_id, + bu=bu, product=product, + ) + IssueOperations.set_status_temp_whitelisted(ddb_table, issue) + elif issue.status in [IssueStatus.Resolved, IssueStatus.Whitelisted]: logging.debug(f"Closing {issue.status.value} ECS external image source '{task_definition_name}' issue") comment = (f"Closing {issue.status.value} ECS external image source '{task_definition_name}' issue " diff --git a/hammer/reporting-remediation/reporting/create_ecs_logging_issue_tickets.py b/hammer/reporting-remediation/reporting/create_ecs_logging_issue_tickets.py index afbaadb3..fda2a33c 100644 --- a/hammer/reporting-remediation/reporting/create_ecs_logging_issue_tickets.py +++ b/hammer/reporting-remediation/reporting/create_ecs_logging_issue_tickets.py 
@@ -37,13 +37,35 @@ def create_tickets_ecs_logging(self): disabled_logging_container_names = issue.issue_details.disabled_logging_container_names region = issue.issue_details.region tags = issue.issue_details.tags + + in_temp_whitelist = self.config.ecs_logging.in_temp_whitelist(account_id, issue.issue_id) # issue has been already reported if issue.timestamps.reported is not None: owner = issue.jira_details.owner bu = issue.jira_details.business_unit product = issue.jira_details.product - if issue.status in [IssueStatus.Resolved, IssueStatus.Whitelisted]: + if (in_temp_whitelist or issue.status in [IssueStatus.Tempwhitelist]) and issue.timestamps.temp_whitelisted is None: + logging.debug( + f"ECS logging issue '{task_definition_name}' is added to temporary whitelist items. ") + + comment = (f"ECS logging issue '{task_definition_name}' " + f"in '{account_name} / {account_id}' account, {region} " + f"region added to temporary whitelist items.") + jira.update_issue( + ticket_id=issue.jira_details.ticket, + comment=comment + ) + + slack.report_issue( + msg=f"{comment}" + f"{' (' + jira.ticket_url(issue.jira_details.ticket) + ')' if issue.jira_details.ticket else ''}", + owner=owner, + account_id=account_id, + bu=bu, product=product, + ) + IssueOperations.set_status_temp_whitelisted(ddb_table, issue) + elif issue.status in [IssueStatus.Resolved, IssueStatus.Whitelisted]: logging.debug(f"Closing {issue.status.value} ECS logging enabled '{task_definition_name}' issue") comment = (f"Closing {issue.status.value} ECS logging enabled '{task_definition_name}' issue " diff --git a/hammer/reporting-remediation/reporting/create_ecs_privileged_access_issue_tickets.py b/hammer/reporting-remediation/reporting/create_ecs_privileged_access_issue_tickets.py index 533ef7df..d363fcff 100644 --- a/hammer/reporting-remediation/reporting/create_ecs_privileged_access_issue_tickets.py +++ b/hammer/reporting-remediation/reporting/create_ecs_privileged_access_issue_tickets.py 
@@ -37,13 +37,36 @@ def create_tickets_ecs_privileged(self): privileged_container_names = issue.issue_details.privileged_container_names region = issue.issue_details.region tags = issue.issue_details.tags + + in_temp_whitelist = self.config.ecs_privileged_access.in_temp_whitelist(account_id, issue.issue_id) # issue has been already reported if issue.timestamps.reported is not None: owner = issue.jira_details.owner bu = issue.jira_details.business_unit product = issue.jira_details.product - if issue.status in [IssueStatus.Resolved, IssueStatus.Whitelisted]: + if (in_temp_whitelist or issue.status in [IssueStatus.Tempwhitelist]) and issue.timestamps.temp_whitelisted is None: + logging.debug( + f"ECS privileged access issue '{task_definition_name}' " + f"is added to temporary whitelist items.") + + comment = (f"ECS privileged access issue '{task_definition_name}' " + f"in '{account_name} / {account_id}' account, {region} " + f"region added to temporary whitelist items.") + jira.update_issue( + ticket_id=issue.jira_details.ticket, + comment=comment + ) + + slack.report_issue( + msg=f"{comment}" + f"{' (' + jira.ticket_url(issue.jira_details.ticket) + ')' if issue.jira_details.ticket else ''}", + owner=owner, + account_id=account_id, + bu=bu, product=product, + ) + IssueOperations.set_status_temp_whitelisted(ddb_table, issue) + elif issue.status in [IssueStatus.Resolved, IssueStatus.Whitelisted]: logging.debug(f"Closing {issue.status.value} ECS privileged access disabled " f"'{task_definition_name}' issue") diff --git a/hammer/reporting-remediation/reporting/create_elasticsearch_domain_logging_issue_tickets.py b/hammer/reporting-remediation/reporting/create_elasticsearch_domain_logging_issue_tickets.py index 8649ca6b..c5c6a1cf 100644 --- a/hammer/reporting-remediation/reporting/create_elasticsearch_domain_logging_issue_tickets.py +++ b/hammer/reporting-remediation/reporting/create_elasticsearch_domain_logging_issue_tickets.py 
@@ -37,13 +37,35 @@ def create_tickets_elasticsearch_domain_logging(self): region = issue.issue_details.region tags = issue.issue_details.tags + in_temp_whitelist = self.config.esLogging.in_temp_whitelist(account_id, issue.issue_id) + # issue has been already reported if issue.timestamps.reported is not None: owner = issue.jira_details.owner bu = issue.jira_details.business_unit product = issue.jira_details.product - if issue.status in [IssueStatus.Resolved, IssueStatus.Whitelisted]: + if (in_temp_whitelist or issue.status in [IssueStatus.Tempwhitelist]) and issue.timestamps.temp_whitelisted is None: + logging.debug( + f"Elasticsearch logging issue '{domain_name}' is added to temporary whitelist items.") + + comment = (f"Elasticsearch domain logging issue '{domain_name}' " + f"in '{account_name} / {account_id}' account, {region} " + f"region added to temporary whitelist items.") + jira.update_issue( + ticket_id=issue.jira_details.ticket, + comment=comment + ) + + slack.report_issue( + msg=f"{comment}" + f"{' (' + jira.ticket_url(issue.jira_details.ticket) + ')' if issue.jira_details.ticket else ''}", + owner=owner, + account_id=account_id, + bu=bu, product=product, + ) + IssueOperations.set_status_temp_whitelisted(ddb_table, issue) + elif issue.status in [IssueStatus.Resolved, IssueStatus.Whitelisted]: logging.debug(f"Closing {issue.status.value} Elasticsearch domain logging " f"'{domain_name}' issue") @@ -88,7 +110,8 @@ def create_tickets_elasticsearch_domain_logging(self): issue_description += JiraOperations.build_tags_table(tags) - if self.config.esLogging.remediation: + if self.config.esLogging.remediation \ + and not (in_temp_whitelist or issue.status in [IssueStatus.Tempwhitelist]): auto_remediation_date = (self.config.now + self.config.esLogging.issue_retention_date).date() issue_description += f"\n{{color:red}}*Auto-Remediation Date*: {auto_remediation_date}{{color}}\n\n" 
diff --git a/hammer/reporting-remediation/reporting/create_elasticsearch_public_access_issue_tickets.py b/hammer/reporting-remediation/reporting/create_elasticsearch_public_access_issue_tickets.py index 72c1cfc3..fb1c6990 100644 --- a/hammer/reporting-remediation/reporting/create_elasticsearch_public_access_issue_tickets.py +++ b/hammer/reporting-remediation/reporting/create_elasticsearch_public_access_issue_tickets.py 
@@ -40,17 +40,42 @@ def create_tickets_elasticsearch_public_access(self): region = issue.issue_details.region tags = issue.issue_details.tags policy = issue.issue_details.policy + + in_temp_whitelist = self.config.esPublicAccess.in_temp_whitelist(account_id, issue.issue_id) # issue has been already reported if issue.timestamps.reported is not None: owner = issue.jira_details.owner bu = issue.jira_details.business_unit product = issue.jira_details.product - if issue.status in [IssueStatus.Resolved, IssueStatus.Whitelisted]: - logging.debug(f"Closing {issue.status.value} Elasticsearch publicly accessible domain '{domain_name}' issue") + if (in_temp_whitelist or issue.status in [IssueStatus.Tempwhitelist]) \ + and issue.timestamps.temp_whitelisted is None: + logging.debug( + f"Elasticsearch publicly accessible domain issue '{domain_name}' " + f"is added to temporary whitelist items.") + + comment = (f"Elasticsearch publicly accessible domain issue '{domain_name}' " + f"in '{account_name} / {account_id}' account, {region} " + f"region added to temporary whitelist items.") + jira.update_issue( + ticket_id=issue.jira_details.ticket, + comment=comment + ) + + slack.report_issue( + msg=f"{comment}" + f"{' (' + jira.ticket_url(issue.jira_details.ticket) + ')' if issue.jira_details.ticket else ''}", + owner=owner, + account_id=account_id, + bu=bu, product=product, + ) + IssueOperations.set_status_temp_whitelisted(ddb_table, issue) + elif issue.status in [IssueStatus.Resolved, IssueStatus.Whitelisted]: + logging.debug(f"Closing {issue.status.value} Elasticsearch publicly accessible domain '" + f"{domain_name}' issue") - comment = (f"Closing {issue.status.value} Elasticsearch publicly accessible domain '{domain_name}' issue " - f"in '{account_name} / {account_id}' account, '{region}' region") + comment = (f"Closing {issue.status.value} Elasticsearch publicly accessible domain '" + f"{domain_name}' issue in '{account_name} / {account_id}' account,'{region}' region") if 
issue.status == IssueStatus.Whitelisted: # Adding label with "whitelisted" to jira ticket. jira.add_label( @@ -90,9 +115,11 @@ def create_tickets_elasticsearch_public_access(self): issue_description += JiraOperations.build_tags_table(tags) - if self.config.esPublicAccess.remediation: + if self.config.esPublicAccess.remediation \ + and not (in_temp_whitelist or issue.status in [IssueStatus.Tempwhitelist]): auto_remediation_date = (self.config.now + self.config.esPublicAccess.issue_retention_date).date() - issue_description += f"\n{{color:red}}*Auto-Remediation Date*: {auto_remediation_date}{{color}}\n\n" + issue_description += f"\n{{color:red}}*Auto-Remediation Date*: {auto_remediation_date}" \ + f"{{color}}\n\n" issue_description += ( f"*Recommendation*: " diff --git a/hammer/reporting-remediation/reporting/create_elasticsearch_unencrypted_issue_tickets.py b/hammer/reporting-remediation/reporting/create_elasticsearch_unencrypted_issue_tickets.py index 52dacd89..b6c2b048 100644 --- a/hammer/reporting-remediation/reporting/create_elasticsearch_unencrypted_issue_tickets.py +++ b/hammer/reporting-remediation/reporting/create_elasticsearch_unencrypted_issue_tickets.py 
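Review bot: The re-flowed closing comment drops the space after the comma — `account,'{region}' region` — so the Jira comment will read `... account,'eu-west-1' region`; restore it: `f"{domain_name}' issue in '{account_name} / {account_id}' account, '{region}' region")`. The matching debug line splits the quoted name across two f-strings (`'" f"{domain_name}' issue`), which is legal but easy to break on the next edit; keeping the opening quote and the name in one fragment avoids a stray quote later. `create_tickets_elasticsearch_public_access` continues outside both hunks.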
@@ -38,17 +38,42 @@ def create_tickets_elasticsearch_unencryption(self): tags = issue.issue_details.tags encrypted_at_rest = issue.issue_details.encrypted_at_rest encrypted_at_transit = issue.issue_details.encrypted_at_transit + + in_temp_whitelist = self.config.esEncrypt.in_temp_whitelist(account_id, issue.issue_id) # issue has been already reported if issue.timestamps.reported is not None: owner = issue.jira_details.owner bu = issue.jira_details.business_unit product = issue.jira_details.product - if issue.status in [IssueStatus.Resolved, IssueStatus.Whitelisted]: - logging.debug(f"Closing {issue.status.value} Elasticsearch unencrypted domain '{domain_name}' issue") + if (in_temp_whitelist or issue.status in [IssueStatus.Tempwhitelist]) and issue.timestamps.temp_whitelisted is None: + logging.debug( + f"Elasticsearch unencrypted domain issue '{domain_name}' " + f"is added to temporary whitelist items.") + + comment = (f"Elasticsearch unencrypted domain issue '{domain_name}' " + f"in '{account_name} / {account_id}' account, {region} " + f"region added to temporary whitelist items.") + jira.update_issue( + ticket_id=issue.jira_details.ticket, + comment=comment + ) - comment = (f"Closing {issue.status.value} Elasticsearch unencrypted domain '{domain_name}' issue " - f"in '{account_name} / {account_id}' account, '{region}' region") + slack.report_issue( + msg=f"{comment}" + f"{' (' + jira.ticket_url(issue.jira_details.ticket) + ')' if issue.jira_details.ticket else ''}", + owner=owner, + account_id=account_id, + bu=bu, product=product, + ) + IssueOperations.set_status_temp_whitelisted(ddb_table, issue) + elif issue.status in [IssueStatus.Resolved, IssueStatus.Whitelisted]: + logging.debug(f"Closing {issue.status.value} Elasticsearch unencrypted domain " + f"'{domain_name}' issue") + + comment = (f"Closing {issue.status.value} Elasticsearch unencrypted domain " + f"'{domain_name}' issue in '{account_name} / {account_id}' account, '{region}' " + f"region") if 
issue.status == IssueStatus.Whitelisted: # Adding label with "whitelisted" to jira ticket. jira.add_label( diff --git a/hammer/reporting-remediation/reporting/create_iam_key_inactive_tickets.py b/hammer/reporting-remediation/reporting/create_iam_key_inactive_tickets.py index f43b7555..16adc82b 100755 --- a/hammer/reporting-remediation/reporting/create_iam_key_inactive_tickets.py +++ b/hammer/reporting-remediation/reporting/create_iam_key_inactive_tickets.py @@ -36,9 +36,29 @@ def create_jira_ticket(self): for issue in issues: key_id = issue.issue_id username = issue.issue_details.username + + in_temp_whitelist = self.config.iamUserInactiveKeys.in_temp_whitelist(account_id, issue.issue_id) # issue has been already reported if issue.timestamps.reported is not None: - if issue.status in [IssueStatus.Resolved, IssueStatus.Whitelisted]: + if (in_temp_whitelist or issue.status in [IssueStatus.Tempwhitelist]) and issue.timestamps.temp_whitelisted is None: + logging.debug( + f"IAM Inactive access key issue '{key_id} / {username}' is " + f"added to temporary whitelist items.") + + comment = (f"IAM Inactive access key issue '{key_id} / {username}' " + f"in '{account_name} / {account_id}' account is added to temporary whitelist items.") + jira.update_issue( + ticket_id=issue.jira_details.ticket, + comment=comment + ) + + slack.report_issue( + msg=f"{comment}" + f"{' (' + jira.ticket_url(issue.jira_details.ticket) + ')' if issue.jira_details.ticket else ''}", + account_id=account_id + ) + IssueOperations.set_status_temp_whitelisted(ddb_table, issue) + elif issue.status in [IssueStatus.Resolved, IssueStatus.Whitelisted]: logging.debug(f"Closing {issue.status.value} inactive access key '{key_id} / {username}' issue") comment = (f"Closing {issue.status.value} inactive access key '{key_id} / {username}' issue " 
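Review bot: Once `set_status_temp_whitelisted` has run there is no visible path back out of quarantine: the new branch only fires while `issue.timestamps.temp_whitelisted is None`, the `elif` covers only Resolved and Whitelisted, and `issue.status in [IssueStatus.Tempwhitelist]` keeps the issue quarantined even after its entry is removed from the config and `in_temp_whitelist` turns False. Unless the identification side resets the status when the entry disappears (not shown here), the "temporary" whitelist has no expiry and a domain stays unremediated indefinitely. Consider adding the reverse transition in this branch, e.g. an `elif issue.status == IssueStatus.Tempwhitelist and not in_temp_whitelist:` that clears the temp-whitelist timestamp and reopens the issue, or documenting where that transition lives. `create_tickets_elasticsearch_unencryption` continues past this hunk.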
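Review bot: `in_temp_whitelist(account_id, issue.issue_id)` is given only the access key id; `username` is assigned two lines above but never passed, so a whitelist entry keyed by IAM user name can only match if `in_temp_whitelist` resolves user names on its own, and its implementation is not in this hunk. If user-name entries are meant to work, check both forms: `in_temp_whitelist = (self.config.iamUserInactiveKeys.in_temp_whitelist(account_id, key_id) or self.config.iamUserInactiveKeys.in_temp_whitelist(account_id, username))`. If only key ids are intended, say so in the config documentation so operators do not add entries that silently never match. `create_jira_ticket` continues past this hunk.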
@@ -82,8 +102,10 @@ def create_jira_ticket(self): f"*Key last used*: {last_used}\n" f"\n") - auto_remediation_date = (self.config.now + self.config.iamUserInactiveKeys.issue_retention_date).date() - issue_description += f"\n{{color:red}}*Auto-Remediation Date*: {auto_remediation_date}{{color}}\n\n" + if self.config.iamUserInactiveKeys.remediation \ + and not (in_temp_whitelist or issue.status in [IssueStatus.Tempwhitelist]): + auto_remediation_date = (self.config.now + self.config.iamUserInactiveKeys.issue_retention_date).date() + issue_description += f"\n{{color:red}}*Auto-Remediation Date*: {auto_remediation_date}{{color}}\n\n" issue_description += f"*Recommendation*: Deactivate specified inactive user access key. " diff --git a/hammer/reporting-remediation/reporting/create_iam_key_rotation_tickets.py b/hammer/reporting-remediation/reporting/create_iam_key_rotation_tickets.py index 74fd5872..52fd8ea5 100755 --- a/hammer/reporting-remediation/reporting/create_iam_key_rotation_tickets.py +++ b/hammer/reporting-remediation/reporting/create_iam_key_rotation_tickets.py 
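Review bot: The new gate on `self.config.iamUserInactiveKeys.remediation` is a second behaviour change unrelated to temp whitelisting: the removed lines always printed the date, so deployments with remediation disabled now lose it regardless of any whitelist entry. That is probably the intended reading, but it should be named in the commit message and, since the attribute was not read by this file before, confirmed to exist on that config object. A comment above the condition would help the next reader: `# Advertise a date only when remediation is enabled and the key is not temp-whitelisted`. The function continues past this hunk.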
@@ -36,9 +36,29 @@ def create_jira_ticket(self): for issue in issues: key_id = issue.issue_id username = issue.issue_details.username + + in_temp_whitelist = self.config.iamUserKeysRotation.in_temp_whitelist(account_id, issue.issue_id) # issue has been already reported if issue.timestamps.reported is not None: - if issue.status in [IssueStatus.Resolved, IssueStatus.Whitelisted]: + if (in_temp_whitelist or issue.status in [IssueStatus.Tempwhitelist]) and issue.timestamps.temp_whitelisted is None: + logging.debug( + f"IAM stale access key issue '{key_id} / {username}' " + f"is added to temporary whitelist items.") + + comment = (f"IAM stale access key issue '{key_id} / {username}' " + f"in '{account_name} / {account_id}' account is added to temporary whitelist items.") + jira.update_issue( + ticket_id=issue.jira_details.ticket, + comment=comment + ) + + slack.report_issue( + msg=f"{comment}" + f"{' (' + jira.ticket_url(issue.jira_details.ticket) + ')' if issue.jira_details.ticket else ''}", + account_id=account_id + ) + IssueOperations.set_status_temp_whitelisted(ddb_table, issue) + elif issue.status in [IssueStatus.Resolved, IssueStatus.Whitelisted]: logging.debug(f"Closing stale access key {issue.status.value} '{key_id} / {username}' issue") comment = (f"Closing {issue.status.value} stale access key '{key_id} / {username}' issue " diff --git a/hammer/reporting-remediation/reporting/create_public_ami_issue_tickets.py b/hammer/reporting-remediation/reporting/create_public_ami_issue_tickets.py index 3cf6b7f5..e267ac9a 100644 --- a/hammer/reporting-remediation/reporting/create_public_ami_issue_tickets.py +++ b/hammer/reporting-remediation/reporting/create_public_ami_issue_tickets.py 
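Review bot: `jira.update_issue(ticket_id=issue.jira_details.ticket, comment=comment)` runs unconditionally, while the Slack message a few lines later guards on `issue.jira_details.ticket`; that guard exists precisely because a reported issue can lack a ticket, and such an issue now reaches `update_issue` with an empty ticket id. Unless `update_issue` already no-ops on a falsy id (not visible here), guard it the same way: `if issue.jira_details.ticket: jira.update_issue(ticket_id=issue.jira_details.ticket, comment=comment)`. The same unguarded call appears in every reporter touched by this commit. `create_jira_ticket` continues past this hunk.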
@@ -36,13 +36,35 @@ def create_tickets_public_ami(self): ami_id = issue.issue_id ami_region = issue.issue_details.region tags = issue.issue_details.tags + + in_temp_whitelist = self.config.publicAMIs.in_temp_whitelist(account_id, issue.issue_id) # issue has been already reported if issue.timestamps.reported is not None: owner = issue.issue_details.owner bu = issue.jira_details.business_unit product = issue.jira_details.product - if issue.status in [IssueStatus.Resolved, IssueStatus.Whitelisted]: + if (in_temp_whitelist or issue.status in [IssueStatus.Tempwhitelist]) \ + and issue.timestamps.temp_whitelisted is None: + logging.debug(f"AMI '{ami_id}' is added to temporary whitelist items.") + + comment = (f"AMI '{ami_id}' public access issue " + f"in '{account_name} / {account_id}' account, {ami_region} " + f"region added to temporary whitelist items.") + jira.update_issue( + ticket_id=issue.jira_details.ticket, + comment=comment + ) + + slack.report_issue( + msg=f"{comment}" + f"{' (' + jira.ticket_url(issue.jira_details.ticket) + ')' if issue.jira_details.ticket else ''}", + owner=owner, + account_id=account_id, + bu=bu, product=product, + ) + IssueOperations.set_status_temp_whitelisted(ddb_table, issue) + elif issue.status in [IssueStatus.Resolved, IssueStatus.Whitelisted]: logging.debug(f"Closing {issue.status.value} AMI '{ami_id}' public access issue") comment = (f"Closing {issue.status.value} AMI '{ami_id}' public access issue " 
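Review bot: `issue.status in [IssueStatus.Tempwhitelist]` is a single-element membership test that reads as if more statuses were expected; `issue.status == IssueStatus.Tempwhitelist` says what is meant and avoids building a list on every iteration. The same form is repeated at the auto-remediation condition later in this file and in each sibling reporter, so it is worth settling on one spelling now. Replace with `if (in_temp_whitelist or issue.status == IssueStatus.Tempwhitelist) \`. `create_tickets_public_ami` continues past this hunk.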
@@ -112,8 +134,10 @@ def create_tickets_public_ami(self): f"*AMI Id*: {ami_id}\n" f"\n") - auto_remediation_date = (self.config.now + self.config.publicAMIs.issue_retention_date).date() - issue_description += f"\n{{color:red}}*Auto-Remediation Date*: {auto_remediation_date}{{color}}\n\n" + if self.config.publicAMIs.remediation \ + and not (in_temp_whitelist or issue.status in [IssueStatus.Tempwhitelist]): + auto_remediation_date = (self.config.now + self.config.publicAMIs.issue_retention_date).date() + issue_description += f"\n{{color:red}}*Auto-Remediation Date*: {auto_remediation_date}{{color}}\n\n" issue_description += JiraOperations.build_tags_table(tags) diff --git a/hammer/reporting-remediation/reporting/create_rds_public_snapshot_issue_tickets.py b/hammer/reporting-remediation/reporting/create_rds_public_snapshot_issue_tickets.py index e0227dca..1f7f68e1 100755 --- a/hammer/reporting-remediation/reporting/create_rds_public_snapshot_issue_tickets.py +++ b/hammer/reporting-remediation/reporting/create_rds_public_snapshot_issue_tickets.py 
@@ -36,13 +36,35 @@ def create_tickets_rds_public_snapshots(self): snapshot_id = issue.issue_id region = issue.issue_details.region tags = issue.issue_details.tags + + in_temp_whitelist = self.config.rdsSnapshot.in_temp_whitelist(account_id, issue.issue_id) # issue has been already reported if issue.timestamps.reported is not None: owner = issue.jira_details.owner bu = issue.jira_details.business_unit product = issue.jira_details.product - if issue.status in [IssueStatus.Resolved, IssueStatus.Whitelisted]: + if (in_temp_whitelist or issue.status in [IssueStatus.Tempwhitelist]) \ + and issue.timestamps.temp_whitelisted is None: + logging.debug(f"RDS public snapshot '{snapshot_id}' is added to temporary whitelist items.") + + comment = (f"RDS public snapshot '{snapshot_id}' issue " + f"in '{account_name} / {account_id}' account, {region} " + f"region added to temporary whitelist items.") + jira.update_issue( + ticket_id=issue.jira_details.ticket, + comment=comment + ) + + slack.report_issue( + msg=f"{comment}" + f"{' (' + jira.ticket_url(issue.jira_details.ticket) + ')' if issue.jira_details.ticket else ''}", + owner=owner, + account_id=account_id, + bu=bu, product=product, + ) + IssueOperations.set_status_temp_whitelisted(ddb_table, issue) + elif issue.status in [IssueStatus.Resolved, IssueStatus.Whitelisted]: logging.debug(f"Closing {issue.status.value} RDS public snapshot '{snapshot_id}' issue") comment = (f"Closing {issue.status.value} RDS public snapshot '{snapshot_id}' issue " 
@@ -98,8 +120,10 @@ def create_tickets_rds_public_snapshots(self): f"*Region*: {region}\n" f"*RDS Snapshot ID*: {snapshot_id}\n") - auto_remediation_date = (self.config.now + self.config.rdsSnapshot.issue_retention_date).date() - issue_description += f"\n{{color:red}}*Auto-Remediation Date*: {auto_remediation_date}{{color}}\n\n" + if self.config.rdsSnapshot.remediation \ + and not (in_temp_whitelist or issue.status in [IssueStatus.Tempwhitelist]): + auto_remediation_date = (self.config.now + self.config.rdsSnapshot.issue_retention_date).date() + issue_description += f"\n{{color:red}}*Auto-Remediation Date*: {auto_remediation_date}{{color}}\n\n" issue_description += JiraOperations.build_tags_table(tags) diff --git a/hammer/reporting-remediation/reporting/create_rds_unencrypted_instance_issue_tickets.py b/hammer/reporting-remediation/reporting/create_rds_unencrypted_instance_issue_tickets.py index 10a71429..cd41e7a8 100644 --- a/hammer/reporting-remediation/reporting/create_rds_unencrypted_instance_issue_tickets.py +++ b/hammer/reporting-remediation/reporting/create_rds_unencrypted_instance_issue_tickets.py 
@@ -37,13 +37,36 @@ def create_tickets_rds_unencrypted_instances(self): instance_name = issue.issue_details.name region = issue.issue_details.region tags = issue.issue_details.tags + + in_temp_whitelist = self.config.rdsEncrypt.in_temp_whitelist(account_id, issue.issue_id) # issue has been already reported if issue.timestamps.reported is not None: owner = issue.jira_details.owner bu = issue.jira_details.business_unit product = issue.jira_details.product - if issue.status in [IssueStatus.Resolved, IssueStatus.Whitelisted]: + if (in_temp_whitelist or issue.status in [IssueStatus.Tempwhitelist])\ + and issue.timestamps.temp_whitelisted is None: + logging.debug(f"RDS unencrypted instance '{instance_name}' " + f"is added to temporary whitelist items.") + + comment = (f"RDS unencrypted instance '{instance_name}' issue " + f"in '{account_name} / {account_id}' account, {region} " + f"region added to temporary whitelist items.") + jira.update_issue( + ticket_id=issue.jira_details.ticket, + comment=comment + ) + + slack.report_issue( + msg=f"{comment}" + f"{' (' + jira.ticket_url(issue.jira_details.ticket) + ')' if issue.jira_details.ticket else ''}", + owner=owner, + account_id=account_id, + bu=bu, product=product, + ) + IssueOperations.set_status_temp_whitelisted(ddb_table, issue) + elif issue.status in [IssueStatus.Resolved, IssueStatus.Whitelisted]: logging.debug(f"Closing {issue.status.value} RDS unencrypted instance '{instance_name}' issue") comment = (f"Closing {issue.status.value} RDS unencrypted instance '{instance_name}' issue " diff --git a/hammer/reporting-remediation/reporting/create_redshift_logging_issue_tickets.py b/hammer/reporting-remediation/reporting/create_redshift_logging_issue_tickets.py index cb412c6d..124f58e7 100644 --- a/hammer/reporting-remediation/reporting/create_redshift_logging_issue_tickets.py +++ b/hammer/reporting-remediation/reporting/create_redshift_logging_issue_tickets.py 
@@ -36,13 +36,34 @@ def create_tickets_redshift_logging(self): cluster_id = issue.issue_id region = issue.issue_details.region tags = issue.issue_details.tags + + in_temp_whitelist = self.config.redshift_logging.in_temp_whitelist(account_id, issue.issue_id) # issue has been already reported if issue.timestamps.reported is not None: owner = issue.jira_details.owner bu = issue.jira_details.business_unit product = issue.jira_details.product - if issue.status in [IssueStatus.Resolved, IssueStatus.Whitelisted]: + if (in_temp_whitelist or issue.status in [IssueStatus.Tempwhitelist]) and issue.timestamps.temp_whitelisted is None: + logging.debug(f"Redshift cluster logging '{cluster_id}' is added to temporary whitelist items.") + + comment = (f"Redshift cluster logging '{cluster_id}' issue " + f"in '{account_name} / {account_id}' account, {region} " + f"region added to temporary whitelist items.") + jira.update_issue( + ticket_id=issue.jira_details.ticket, + comment=comment + ) + + slack.report_issue( + msg=f"{comment}" + f"{' (' + jira.ticket_url(issue.jira_details.ticket) + ')' if issue.jira_details.ticket else ''}", + owner=owner, + account_id=account_id, + bu=bu, product=product, + ) + IssueOperations.set_status_temp_whitelisted(ddb_table, issue) + elif issue.status in [IssueStatus.Resolved, IssueStatus.Whitelisted]: logging.debug(f"Closing {issue.status.value} Redshift logging '{cluster_id}' issue") comment = (f"Closing {issue.status.value} Redshift cluster logging '{cluster_id}' issue " diff --git a/hammer/reporting-remediation/reporting/create_redshift_public_access_issue_tickets.py b/hammer/reporting-remediation/reporting/create_redshift_public_access_issue_tickets.py index d7875154..1e14262d 100644 --- a/hammer/reporting-remediation/reporting/create_redshift_public_access_issue_tickets.py +++ b/hammer/reporting-remediation/reporting/create_redshift_public_access_issue_tickets.py 
@@ -36,16 +36,40 @@ def create_tickets_redshift_public_access(self): cluster_id = issue.issue_id region = issue.issue_details.region tags = issue.issue_details.tags + + in_temp_whitelist = self.config.redshift_public_access.in_temp_whitelist(account_id, issue.issue_id) # issue has been already reported if issue.timestamps.reported is not None: owner = issue.jira_details.owner bu = issue.jira_details.business_unit product = issue.jira_details.product - if issue.status in [IssueStatus.Resolved, IssueStatus.Whitelisted]: - logging.debug(f"Closing {issue.status.value} Redshift publicly accessible cluster '{cluster_id}' issue") + if (in_temp_whitelist or issue.status in [IssueStatus.Tempwhitelist]) and issue.timestamps.temp_whitelisted is None: + logging.debug(f"Redshift publicly accessible cluster issue '{cluster_id}' " + f"is added to temporary whitelist items.") + + comment = (f"Redshift publicly accessible cluster '{cluster_id}' issue " + f"in '{account_name} / {account_id}' account, {region} " + f"region added to temporary whitelist items.") + jira.update_issue( + ticket_id=issue.jira_details.ticket, + comment=comment + ) + + slack.report_issue( + msg=f"{comment}" + f"{' (' + jira.ticket_url(issue.jira_details.ticket) + ')' if issue.jira_details.ticket else ''}", + owner=owner, + account_id=account_id, + bu=bu, product=product, + ) + IssueOperations.set_status_temp_whitelisted(ddb_table, issue) + elif issue.status in [IssueStatus.Resolved, IssueStatus.Whitelisted]: + logging.debug(f"Closing {issue.status.value} Redshift publicly accessible " + f"cluster '{cluster_id}' issue") - comment = (f"Closing {issue.status.value} Redshift publicly accessible cluster '{cluster_id}' issue " + comment = (f"Closing {issue.status.value} Redshift publicly accessible cluster " + f"'{cluster_id}' issue " f"in '{account_name} / {account_id}' account, '{region}' region") if issue.status == IssueStatus.Whitelisted: # Adding label with "whitelisted" to jira ticket. 
@@ -86,7 +110,8 @@ def create_tickets_redshift_public_access(self): f"*Region*: {region}\n" f"*Redshift Cluster ID*: {cluster_id}\n") - if self.config.redshift_public_access.remediation: + if self.config.redshift_public_access.remediation \ + and not (in_temp_whitelist or issue.status in [IssueStatus.Tempwhitelist]): auto_remediation_date = (self.config.now + self.config.redshift_public_access.issue_retention_date).date() issue_description += f"\n{{color:red}}*Auto-Remediation Date*: {auto_remediation_date}{{color}}\n\n" diff --git a/hammer/reporting-remediation/reporting/create_redshift_unencrypted_cluster_issue_tickets.py b/hammer/reporting-remediation/reporting/create_redshift_unencrypted_cluster_issue_tickets.py index 61ecd3be..5ff96a4e 100644 --- a/hammer/reporting-remediation/reporting/create_redshift_unencrypted_cluster_issue_tickets.py +++ b/hammer/reporting-remediation/reporting/create_redshift_unencrypted_cluster_issue_tickets.py 
@@ -36,13 +36,36 @@ def create_tickets_redshift_unencrypted_cluster(self): cluster_id = issue.issue_id region = issue.issue_details.region tags = issue.issue_details.tags + + in_temp_whitelist = self.config.redshiftEncrypt.in_temp_whitelist(account_id, issue.issue_id) # issue has been already reported if issue.timestamps.reported is not None: owner = issue.jira_details.owner bu = issue.jira_details.business_unit product = issue.jira_details.product - if issue.status in [IssueStatus.Resolved, IssueStatus.Whitelisted]: + if (in_temp_whitelist or issue.status in [IssueStatus.Tempwhitelist])\ + and issue.timestamps.temp_whitelisted is None: + logging.debug(f"Redshift unencrypted cluster issue '{cluster_id}' " + f"is added to temporary whitelist items.") + + comment = (f"Redshift unencrypted cluster '{cluster_id}' issue " + f"in '{account_name} / {account_id}' account, {region} " + f"region is added to temporary whitelist items.") + jira.update_issue( + ticket_id=issue.jira_details.ticket, + comment=comment + ) + + slack.report_issue( + msg=f"{comment}" + f"{' (' + jira.ticket_url(issue.jira_details.ticket) + ')' if issue.jira_details.ticket else ''}", + owner=owner, + account_id=account_id, + bu=bu, product=product, + ) + IssueOperations.set_status_temp_whitelisted(ddb_table, issue) + elif issue.status in [IssueStatus.Resolved, IssueStatus.Whitelisted]: logging.debug(f"Closing {issue.status.value} Redshift unencrypted cluster '{cluster_id}' issue") comment = (f"Closing {issue.status.value} Redshift unencrypted cluster '{cluster_id}' issue " 
@@ -88,7 +111,8 @@ def create_tickets_redshift_unencrypted_cluster(self): issue_description += JiraOperations.build_tags_table(tags) - if self.config.redshiftEncrypt.remediation: + if self.config.redshiftEncrypt.remediation \ + and not (in_temp_whitelist or issue.status in [IssueStatus.Tempwhitelist]): auto_remediation_date = (self.config.now + self.config.redshiftEncrypt.issue_retention_date).date() issue_description += f"\n{{color:red}}*Auto-Remediation Date*: {auto_remediation_date}{{color}}\n\n" diff --git a/hammer/reporting-remediation/reporting/create_s3_unencrypted_bucket_issue_tickets.py b/hammer/reporting-remediation/reporting/create_s3_unencrypted_bucket_issue_tickets.py index f8b2fdb5..c9e314d8 100644 --- a/hammer/reporting-remediation/reporting/create_s3_unencrypted_bucket_issue_tickets.py +++ b/hammer/reporting-remediation/reporting/create_s3_unencrypted_bucket_issue_tickets.py 
@@ -35,13 +35,34 @@ def create_tickets_s3_unencrypted_buckets(self): for issue in issues: bucket_name = issue.issue_id tags = issue.issue_details.tags + + in_temp_whitelist = self.config.s3Encrypt.in_temp_whitelist(account_id, issue.issue_id) # issue has been already reported if issue.timestamps.reported is not None: owner = issue.issue_details.owner bu = issue.jira_details.business_unit product = issue.jira_details.product - if issue.status in [IssueStatus.Resolved, IssueStatus.Whitelisted]: + if (in_temp_whitelist or issue.status in [IssueStatus.Tempwhitelist]) and issue.timestamps.temp_whitelisted is None: + logging.debug(f"S3 bucket unencrypted issue '{bucket_name}' " + f"is added to temporary whitelist items.") + + comment = (f"S3 bucket unencrypted '{bucket_name}' issue " + f"in '{account_name} / {account_id}' account is added to temporary whitelist items.") + jira.update_issue( + ticket_id=issue.jira_details.ticket, + comment=comment + ) + + slack.report_issue( + msg=f"{comment}" + f"{' (' + jira.ticket_url(issue.jira_details.ticket) + ')' if issue.jira_details.ticket else ''}", + owner=owner, + account_id=account_id, + bu=bu, product=product, + ) + IssueOperations.set_status_temp_whitelisted(ddb_table, issue) + elif issue.status in [IssueStatus.Resolved, IssueStatus.Whitelisted]: logging.debug(f"Closing {issue.status.value} S3 bucket '{bucket_name}' unencrypted issue") comment = (f"Closing {issue.status.value} S3 bucket '{bucket_name}' unencrypted issue " 
@@ -113,8 +134,10 @@ def create_tickets_s3_unencrypted_buckets(self): f"*Bucket Owner*: {owner}\n" f"\n") - auto_remediation_date = (self.config.now + self.config.s3Encrypt.issue_retention_date).date() - issue_description += f"\n{{color:red}}*Auto-Remediation Date*: {auto_remediation_date}{{color}}\n\n" + if self.config.s3Encrypt.remediation \ + and not (in_temp_whitelist or issue.status in [IssueStatus.Tempwhitelist]): + auto_remediation_date = (self.config.now + self.config.s3Encrypt.issue_retention_date).date() + issue_description += f"\n{{color:red}}*Auto-Remediation Date*: {auto_remediation_date}{{color}}\n\n" issue_description += JiraOperations.build_tags_table(tags) diff --git a/hammer/reporting-remediation/reporting/create_s3bucket_acl_issue_tickets.py b/hammer/reporting-remediation/reporting/create_s3bucket_acl_issue_tickets.py index 8fad3747..15afb083 100755 --- a/hammer/reporting-remediation/reporting/create_s3bucket_acl_issue_tickets.py +++ b/hammer/reporting-remediation/reporting/create_s3bucket_acl_issue_tickets.py 
@@ -42,13 +42,34 @@ def create_tickets_s3buckets(self): for issue in issues: bucket_name = issue.issue_id tags = issue.issue_details.tags + + in_temp_whitelist = self.config.s3acl.in_temp_whitelist(account_id, issue.issue_id) # issue has been already reported if issue.timestamps.reported is not None: owner = issue.issue_details.owner bu = issue.jira_details.business_unit product = issue.jira_details.product - if issue.status in [IssueStatus.Resolved, IssueStatus.Whitelisted]: + if (in_temp_whitelist or issue.status in [IssueStatus.Tempwhitelist]) and issue.timestamps.temp_whitelisted is None: + logging.debug(f"S3 bucket public ACL issue '{bucket_name}' " + f"is added to temporary whitelist items.") + + comment = (f"S3 bucket public ACL '{bucket_name}' issue " + f"in '{account_name} / {account_id}' account is added to temporary whitelist items.") + jira.update_issue( + ticket_id=issue.jira_details.ticket, + comment=comment + ) + + slack.report_issue( + msg=f"{comment}" + f"{' (' + jira.ticket_url(issue.jira_details.ticket) + ')' if issue.jira_details.ticket else ''}", + owner=owner, + account_id=account_id, + bu=bu, product=product, + ) + IssueOperations.set_status_temp_whitelisted(ddb_table, issue) + elif issue.status in [IssueStatus.Resolved, IssueStatus.Whitelisted]: logging.debug(f"Closing {issue.status.value} S3 bucket '{bucket_name}' public ACL issue") comment = (f"Closing {issue.status.value} S3 bucket '{bucket_name}' public ACL issue " 
@@ -118,8 +139,10 @@ def create_tickets_s3buckets(self): f"*Bucket Owner*: {owner}\n" f"\n") - auto_remediation_date = (self.config.now + self.config.s3acl.issue_retention_date).date() - issue_description += f"\n{{color:red}}*Auto-Remediation Date*: {auto_remediation_date}{{color}}\n\n" + if self.config.s3acl.remediation \ + and not (in_temp_whitelist or issue.status in [IssueStatus.Tempwhitelist]): + auto_remediation_date = (self.config.now + self.config.s3acl.issue_retention_date).date() + issue_description += f"\n{{color:red}}*Auto-Remediation Date*: {auto_remediation_date}{{color}}\n\n" issue_description += JiraOperations.build_tags_table(tags) diff --git a/hammer/reporting-remediation/reporting/create_s3bucket_policy_issue_tickets.py b/hammer/reporting-remediation/reporting/create_s3bucket_policy_issue_tickets.py index b4411daa..cc03c58c 100755 --- a/hammer/reporting-remediation/reporting/create_s3bucket_policy_issue_tickets.py +++ b/hammer/reporting-remediation/reporting/create_s3bucket_policy_issue_tickets.py 
@@ -39,13 +39,34 @@ def create_tickets_s3buckets(self): bucket_name = issue.issue_id tags = issue.issue_details.tags policy = issue.issue_details.policy + + in_temp_whitelist = self.config.s3policy.in_temp_whitelist(account_id, issue.issue_id) # issue has been already reported if issue.timestamps.reported is not None: owner = issue.issue_details.owner bu = issue.jira_details.business_unit product = issue.jira_details.product - if issue.status in [IssueStatus.Resolved, IssueStatus.Whitelisted]: + if (issue.status in [IssueStatus.Tempwhitelist] or in_temp_whitelist) and issue.timestamps.temp_whitelisted is None: + logging.debug(f"S3 bucket public policy issue '{bucket_name}' " + f"is added to temporary whitelist items.") + + comment = (f"S3 bucket public policy '{bucket_name}' issue " + f"in '{account_name} / {account_id}' account is added to temporary whitelist items.") + jira.update_issue( + ticket_id=issue.jira_details.ticket, + comment=comment + ) + + slack.report_issue( + msg=f"{comment}" + f"{' (' + jira.ticket_url(issue.jira_details.ticket) + ')' if issue.jira_details.ticket else ''}", + owner=owner, + account_id=account_id, + bu=bu, product=product, + ) + IssueOperations.set_status_temp_whitelisted(ddb_table, issue) + elif issue.status in [IssueStatus.Resolved, IssueStatus.Whitelisted]: logging.debug(f"Closing {issue.status.value} S3 bucket '{bucket_name}' public policy issue") comment = (f"Closing {issue.status.value} S3 bucket '{bucket_name}' public policy " 
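Review bot: This temp-whitelist branch is pasted into every reporter in the commit and is already drifting: here the condition is written `(issue.status in [IssueStatus.Tempwhitelist] or in_temp_whitelist)` while the other files order the operands the other way, and the comment wording ("is added" versus "added") differs between files. Any later fix to this block, such as guarding the Jira update on a ticket id, would need the same edit in every reporter. Factoring it into one shared helper, e.g. `IssueOperations.report_temp_whitelisted(ddb_table, issue, jira, slack, comment, owner=owner, bu=bu, product=product)`, with each reporter only supplying its `comment`, would keep the behaviour identical across issue types. `create_tickets_s3buckets` continues past this hunk.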
@@ -122,8 +143,10 @@ def create_tickets_s3buckets(self): f"*Bucket Owner*: {owner}\n" f"\n") - auto_remediation_date = (self.config.now + self.config.s3policy.issue_retention_date).date() - issue_description += f"\n{{color:red}}*Auto-Remediation Date*: {auto_remediation_date}{{color}}\n\n" + if self.config.s3policy.remediation \ + and not (in_temp_whitelist or issue.status in [IssueStatus.Tempwhitelist]): + auto_remediation_date = (self.config.now + self.config.s3policy.issue_retention_date).date() + issue_description += f"\n{{color:red}}*Auto-Remediation Date*: {auto_remediation_date}{{color}}\n\n" issue_description += JiraOperations.build_tags_table(tags) diff --git a/hammer/reporting-remediation/reporting/create_security_groups_tickets.py b/hammer/reporting-remediation/reporting/create_security_groups_tickets.py index 5d4578e3..29d54605 100755 --- a/hammer/reporting-remediation/reporting/create_security_groups_tickets.py +++ b/hammer/reporting-remediation/reporting/create_security_groups_tickets.py 
@@ -287,13 +287,36 @@ def create_tickets_securitygroups(self): group_region = issue.issue_details.region group_vpc_id = issue.issue_details.vpc_id tags = issue.issue_details.tags + + in_temp_whitelist = self.config.sg.in_temp_whitelist(account_id, issue.issue_id) # issue has been already reported if issue.timestamps.reported is not None: owner = issue.jira_details.owner bu = issue.jira_details.business_unit product = issue.jira_details.product - if issue.status in [IssueStatus.Resolved, IssueStatus.Whitelisted]: + if (in_temp_whitelist or issue.status in [IssueStatus.Tempwhitelist]) \ + and issue.timestamps.temp_whitelisted is None: + logging.debug(f"Insecure security group issue '{group_name} / {group_id}' " + f"is added to temporary whitelist items.") + + comment = (f"Insecure security group '{group_name} / {group_id}' issue " + f"in '{account_name} / {account_id}' account, {group_region} " + f"region is added to temporary whitelist items.") + jira.update_issue( + ticket_id=issue.jira_details.ticket, + comment=comment + ) + + slack.report_issue( + msg=f"{comment}" + f"{' (' + jira.ticket_url(issue.jira_details.ticket) + ')' if issue.jira_details.ticket else ''}", + owner=owner, + account_id=account_id, + bu=bu, product=product, + ) + IssueOperations.set_status_temp_whitelisted(ddb_table, issue) + elif issue.status in [IssueStatus.Resolved, IssueStatus.Whitelisted]: logging.debug(f"Closing {issue.status.value} security group '{group_name} / {group_id}' issue") comment = (f"Closing {issue.status.value} security group '{group_name} / {group_id}' issue " 
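Review bot: `in_temp_whitelist(account_id, issue.issue_id)` matches on the security group id alone; `group_vpc_id` and `group_name` are in scope a few lines above but are not used in the lookup, so if entries identified by VPC id plus group name are meant to be accepted, `in_temp_whitelist` must construct and compare that form itself (not visible in this hunk). If it does not, a group that can only be named rather than referenced by id will never be quarantined and the entry silently does nothing. Either pass the alternate key as well, e.g. `self.config.sg.in_temp_whitelist(account_id, f"{group_vpc_id}:{group_name}")`, or state in the config documentation that only group ids match. `create_tickets_securitygroups` continues past this hunk.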
@@ -517,7 +540,8 @@ def create_tickets_securitygroups(self): f"{threat}" f"{account_details}") - if status == RestrictionStatus.OpenCompletely: + if (status == RestrictionStatus.OpenCompletely) \ + and not (in_temp_whitelist or issue.status in [IssueStatus.Tempwhitelist]): auto_remediation_date = (self.config.now + self.config.sg.issue_retention_date).date() issue_description += f"\n{{color:red}}*Auto-Remediation Date*: {auto_remediation_date}{{color}}\n\n" diff --git a/hammer/reporting-remediation/reporting/create_sqs_policy_issue_tickets.py b/hammer/reporting-remediation/reporting/create_sqs_policy_issue_tickets.py index 2f452024..3ba02043 100644 --- a/hammer/reporting-remediation/reporting/create_sqs_policy_issue_tickets.py +++ b/hammer/reporting-remediation/reporting/create_sqs_policy_issue_tickets.py 
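Review bot: Unlike every other reporter in this commit, the security-group date is gated only on `status == RestrictionStatus.OpenCompletely` and not on a `self.config.sg.remediation` flag, so the ticket advertises an auto-remediation date even in deployments where remediation for security groups may be turned off. If the `sg` config exposes such a flag (I cannot see it from here), align the condition: `if status == RestrictionStatus.OpenCompletely and self.config.sg.remediation \`. As elsewhere, omitting the date does not itself stop the remediation job; that check has to live on the remediation side too. `create_tickets_securitygroups` continues past this hunk.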
@@ -41,13 +41,36 @@ def create_tickets_sqs_policy(self): queue_region = issue.issue_details.region tags = issue.issue_details.tags policy = issue.issue_details.policy + + in_temp_whitelist = self.config.sqspolicy.in_temp_whitelist(account_id, issue.issue_id) # issue has been already reported if issue.timestamps.reported is not None: owner = issue.issue_details.owner bu = issue.jira_details.business_unit product = issue.jira_details.product - if issue.status in [IssueStatus.Resolved, IssueStatus.Whitelisted]: + if (in_temp_whitelist or issue.status in [IssueStatus.Tempwhitelist]) \ + and issue.timestamps.temp_whitelisted is None: + logging.debug(f"SQS queue public policy issue '{queue_name}' " + f"is added to temporary whitelist items.") + + comment = (f"SQS queue public policy '{queue_name}' issue " + f"in '{account_name} / {account_id}' account, {queue_region} " + f"region is added to temporary whitelist items.") + jira.update_issue( + ticket_id=issue.jira_details.ticket, + comment=comment + ) + + slack.report_issue( + msg=f"{comment}" + f"{' (' + jira.ticket_url(issue.jira_details.ticket) + ')' if issue.jira_details.ticket else ''}", + owner=owner, + account_id=account_id, + bu=bu, product=product, + ) + IssueOperations.set_status_temp_whitelisted(ddb_table, issue) + elif issue.status in [IssueStatus.Resolved, IssueStatus.Whitelisted]: logging.debug(f"Closing {issue.status.value} SQS queue '{queue_name}' public policy issue") comment = (f"Closing {issue.status.value} SQS queue '{queue_name}' public policy " 
@@ -125,9 +148,10 @@ def create_tickets_sqs_policy(self): f"*SQS queue name*: {queue_name}\n" f"*SQS queue region*: {queue_region}\n" f"\n") - - auto_remediation_date = (self.config.now + self.config.sqspolicy.issue_retention_date).date() - issue_description += f"\n{{color:red}}*Auto-Remediation Date*: {auto_remediation_date}{{color}}\n\n" + if self.config.sqspolicy.remediation \ + and not (in_temp_whitelist or issue.status in [IssueStatus.Tempwhitelist]): + auto_remediation_date = (self.config.now + self.config.sqspolicy.issue_retention_date).date() + issue_description += f"\n{{color:red}}*Auto-Remediation Date*: {auto_remediation_date}{{color}}\n\n" issue_description += JiraOperations.build_tags_table(tags)