Feature/quarantine issues list

deployment/configs/temp_whitelist_issues_list.json

@@ -0,0 +1,91 @@
+{
+	"__comment__": "Contains dictionary with security issues to quarantine (list of issues skipped now and will remediate in future) grouped by issue type and accounts. Put your account id as a key for desired security issue type and put a list with issues to ignore as a value.",
+	"cloudtrails": {
+		"__comment__": "Detects issues with CloudTrail (logging disabled or has issues with permissions). Key - account id, values - AWS regions.",
+		"123456789012": ["eu-west-1", "us-east-2"]
+	},
+	"user_inactivekeys": {
+		"__comment__": "Detects IAM users with inactive access keys (not used more that definite number of days). Key - account id, values - IAM user names or access key ids.",
+		"123456789012": ["user1", "user2", "AKIAI6UV5TCF3NA223T1", "AKIAIG7Y36NN5DWX4NO3"]
+	},
+	"user_keysrotation": {
+		"__comment__": "Detects IAM users expired access keys (created earlier than definite number of days). Key - account id, values - IAM user names or access key ids.",
+		"123456789012": ["user1", "user2", "AKIAI6UV5TCF3NA223T1", "AKIAIG7Y36NN5DWX4NO3"]
+	},
+	"s3_bucket_acl": {
+		"__comment__": "Detects S3 buckets with public ACL (with AllUsers/AuthenticatedUsers groups in Grantee). Key - account id, values - S3 bucket names.",
+		"123456789012": ["public-site-bucket", "public-bucket-available-via-cloudfront"]
+	},
+	"s3_bucket_policy": {
+		"__comment__": "Detects S3 buckets with public policy ('Allow' statements with '*' in Principal and not restricted by IP). Key - account id, values - S3 bucket names.",
+		"123456789012": ["public-site-bucket", "public-bucket-available-via-cloudfront"]
+	},
+	"secgrp_unrestricted_access": {
+		"__comment__": "Detects security groups with world-wide open ports from the list. Key - account id, values - 1) security group ID or 2) VPC ID + security group Name separated by colon.",
+		"123456789012": ["sg-7c124307", "sg-2132a25b", "vpc-a372f3ca:default"]
+	},
+	"ebs_unencrypted_volume": {
+		"__comment__": "Detects unencrypted EBS volumes. Key - account id, values - volume ids.",
+		"123456789012": ["vol-04ddaf8f2aef1b1f4", "vol-004156f485f6d57c7"]
+	},
+	"ebs_public_snapshot": {
+		"__comment__": "Detects public EBS snapshots (with group 'all' in 'CreateVolumePermissions'). Key - account id, values - snapshot ids.",
+		"123456789012": ["snap-027927dbf368b3746", "snap-087534caad1ef1d0a"]
+	},
+	"rds_public_snapshot":{
+		"__comment__": "Detects public RDS snapshots (with 'all' in 'restore' attribute). Key - account id, values - snapshot ARNs.",
+		"123456789012": ["arn:aws:rds:eu-central-1:123456789012:snapshot:public", "arn:aws:rds:eu-west-1:123456789012:snapshot:rds:snapshot1"]
+	},
+	"ec2_public_ami": {
+		"__comment__": "Detects public AMI issues (with 'all' in 'restore' attribute). Key - account id, values - AMI IDs.",
+		"123456789012": [""]
+	},
+    "sqs_public_access":{
+		"__comment__": "Detects public SQS polices (with 'all' in 'restore' attribute). Key - account id, values - SQS names.",
+		"123456789012": [""]
+	},
+    "s3_encryption": {
+		"__comment__": "Detects Unencrypted s3 buckets (with 'all' in 'restore' attribute). Key - account id, values - S3 bucket names.",
+		"123456789012": [""]
+	},
+    "rds_encryption": {
+		"__comment__": "Detects unencrypted RDS instances (with 'all' in 'restore' attribute). Key - account id, values - Instance ARNs.",
+		"123456789012": [""]
+	},
+	"redshift_public_access":{
+		"__comment__": "Detects publicly accessible Redshift Clusters.",
+		"123456789012": ["test-cluster"]
+	},
+	"redshift_encryption":{
+		"__comment__": "Detects unencrypted clusters.",
+		"123456789012": ["test-cluster"]
+	},
+	"ecs_privileged_access":{
+		"__comment__": "Detects ECS task definitions which are not enabled logging - task definitions ARNs.",
+		"1234567890123": ["arn:aws:ecs:us-east-1:1234567890123:task-definition/dev-admin:2993"]
+	},
+    "ecs_logging":{
+		"__comment__": "Detects ECS task definitions which are not enabled logging - task definitions ARNs.",
+		"1234567890123": ["arn:aws:ecs:us-east-1:1234567890123:task-definition/test-admin:2993"]
+	},
+	"ecs_external_image_source":{
+		"__comment__": "Detects ECS task definitions which are configured with external image source - task definitions ARNs.",
+		"1234567890123": ["arn:aws:ecs:us-east-1:1234567890123:task-definition/test-admin:2993"]
+	},
+    "redshift_logging": {
+		"__comment__": "Detects Redshift clusters which are audit logging is not enabled.",
+		"123456789012": ["test-cluster"]
+    },
+    "es_domain_logging": {
+      "__comment__": "Detects Elasticsearch domains which are not enabled logging - domain ARNs.",
+	    "1234567890123": ["arn:aws:es:us-east-2:1234567890123:domain/new-domain"]
+    },
+    "es_unencrypted_domain": {
+      "__comment__": "Detects Unencrypted Elasticsearch domains - domain ARNs.",
+		  "1234567890123": ["arn:aws:es:us-east-2:1234567890123:domain/new-domain"]
+    },
+    "es_public_access_domain": {
+      "__comment__": "Detects Unencrypted Elasticsearch publicly accessible domains - domain ARNs.",
+	  	"1234567890123": ["arn:aws:es:us-east-2:1234567890123:domain/new-domain"]
+    }
+}

deployment/configs/whitelist.json

@@ -36,7 +36,7 @@
 		"__comment__": "Detects public RDS snapshots (with 'all' in 'restore' attribute). Key - account id, values - snapshot ARNs.",
 		"123456789012": ["arn:aws:rds:eu-central-1:123456789012:snapshot:public", "arn:aws:rds:eu-west-1:123456789012:snapshot:rds:snapshot1"]
 	},
-	"public_ami_issues": {
+	"ec2_public_ami": {
 	},
     "sqs_public_access":{
 		"__comment__": "Detects public SQS polices (with 'all' in 'restore' attribute). Key - account id, values - SQS ARNs.",

hammer/identification/lambdas/ami-public-access-issues-identification/describe_public_ami_issues.py

@@ -58,7 +58,10 @@ def lambda_handler(event, context):
                     issue.issue_details.tags = ami.tags
                     issue.issue_details.name = ami.name
                     issue.issue_details.region = region
-                    if config.publicAMIs.in_whitelist(account_id, ami.id):
+
+                    if config.publicAMIs.in_temp_whitelist(account_id, ami.id):
+                        issue.status = IssueStatus.Tempwhitelist
+                    elif config.publicAMIs.in_whitelist(account_id, ami.id):
                         issue.status = IssueStatus.Whitelisted
                     else:
                         issue.status = IssueStatus.Open

hammer/identification/lambdas/cloudtrails-issues-identification/describe_cloudtrails.py

@@ -56,7 +56,10 @@ def lambda_handler(event, context):
                 issue.issue_details.disabled = checker.disabled
                 issue.issue_details.delivery_errors = checker.delivery_errors
                 issue.add_trails(checker.trails)
-                if config.cloudtrails.in_whitelist(account_id, region):
+
+                if config.cloudtrails.in_temp_whitelist(account_id, region):
+                    issue.status = IssueStatus.Tempwhitelist
+                elif config.cloudtrails.in_whitelist(account_id, region):
                     issue.status = IssueStatus.Whitelisted
                 else:
                     issue.status = IssueStatus.Open

hammer/identification/lambdas/ebs-public-snapshots-identification/describe_ebs_public_snapshots.py

@@ -57,7 +57,10 @@ def lambda_handler(event, context):
                     issue.issue_details.region = snapshot.account.region
                     issue.issue_details.volume_id = snapshot.volume_id
                     issue.issue_details.tags = snapshot.tags
-                    if config.ebsSnapshot.in_whitelist(account_id, snapshot.id):
+
+                    if config.ebsSnapshot.in_temp_whitelist(account_id, snapshot.id):
+                        issue.status = IssueStatus.Tempwhitelist
+                    elif config.ebsSnapshot.in_whitelist(account_id, snapshot.id):
                         issue.status = IssueStatus.Whitelisted
                     else:
                         issue.status = IssueStatus.Open

hammer/identification/lambdas/ebs-unencrypted-volume-identification/describe_ebs_unencrypted_volumes.py

@@ -59,7 +59,10 @@ def lambda_handler(event, context):
                     issue.issue_details.state = volume.state
                     issue.issue_details.attachments = volume.attachments
                     issue.issue_details.tags = volume.tags
-                    if config.ebsVolume.in_whitelist(account_id, volume.id):
+
+                    if config.ebsVolume.in_temp_whitelist(account_id, volume.id):
+                        issue.status = IssueStatus.Tempwhitelist
+                    elif config.ebsVolume.in_whitelist(account_id, volume.id):
                         issue.status = IssueStatus.Whitelisted
                     else:
                         issue.status = IssueStatus.Open

hammer/identification/lambdas/ecs-external-image-source-issues-identification/describe_ecs_external_image_source_issues.py

@@ -58,7 +58,10 @@ def lambda_handler(event, context):
                     issue.issue_details.tags = task_definition.tags
                     issue.issue_details.container_image_details = task_definition.container_image_details
                     issue.issue_details.region = task_definition.account.region
-                    if config.ecs_external_image_source.in_whitelist(account_id, task_definition.name):
+
+                    if config.ecs_external_image_source.in_temp_whitelist(account_id, task_definition.name):
+                        issue.status = IssueStatus.Tempwhitelist
+                    elif config.ecs_external_image_source.in_whitelist(account_id, task_definition.name):
                         issue.status = IssueStatus.Whitelisted
                     else:
                         issue.status = IssueStatus.Open

hammer/identification/lambdas/ecs-logging-issues-identification/describe_ecs_logging_issues.py

@@ -59,7 +59,9 @@ def lambda_handler(event, context):
                     issue.issue_details.disabled_logging_container_names = task_definition.disabled_logging_container_names
                     issue.issue_details.tags = task_definition.tags
 
-                    if config.ecs_logging.in_whitelist(account_id, task_definition.name):
+                    if config.ecs_logging.in_temp_whitelist(account_id, task_definition.name):
+                        issue.status = IssueStatus.Tempwhitelist
+                    elif config.ecs_logging.in_whitelist(account_id, task_definition.name):
                         issue.status = IssueStatus.Whitelisted
                     else:
                         issue.status = IssueStatus.Open

hammer/identification/lambdas/ecs-privileged-access-issues-identification/describe_ecs_privileged_access_issues.py

@@ -58,7 +58,9 @@ def lambda_handler(event, context):
                     issue.issue_details.tags = task_definition.tags
                     issue.issue_details.privileged_container_names = task_definition.privileged_container_names
                     issue.issue_details.region = task_definition.account.region
-                    if config.ecs_privileged_access.in_whitelist(account_id, task_definition.name):
+                    if config.ecs_privileged_access.in_temp_whitelist(account_id, task_definition.name):
+                        issue.status = IssueStatus.Tempwhitelist
+                    elif config.ecs_privileged_access.in_whitelist(account_id, task_definition.name):
                         issue.status = IssueStatus.Whitelisted
                     else:
                         issue.status = IssueStatus.Open

hammer/identification/lambdas/elasticsearch-domain-logging-issues-identification/describe_elasticsearch_domains_logging_issues.py

@@ -59,7 +59,9 @@ def lambda_handler(event, context):
                     issue.issue_details.arn = domain.arn
                     issue.issue_details.tags = domain.tags
 
-                    if config.esLogging.in_whitelist(account_id, domain.name):
+                    if config.esLogging.in_temp_whitelist(account_id, domain.name):
+                        issue.status = IssueStatus.Tempwhitelist
+                    elif config.esLogging.in_whitelist(account_id, domain.name):
                         issue.status = IssueStatus.Whitelisted
                     else:
                         issue.status = IssueStatus.Open

hammer/identification/lambdas/elasticsearch-public-access-domain-identification/describe_elasticsearch_public_access_domains.py

@@ -59,7 +59,10 @@ def lambda_handler(event, context):
                     issue.issue_details.arn = domain.arn
                     issue.issue_details.tags = domain.tags
                     issue.issue_details.policy = domain.policy
-                    if config.esPublicAccess.in_whitelist(account_id, domain.name):
+
+                    if config.esPublicAccess.in_temp_whitelist(account_id, domain.name):
+                        issue.status = IssueStatus.Tempwhitelist
+                    elif config.esPublicAccess.in_whitelist(account_id, domain.name):
                         issue.status = IssueStatus.Whitelisted
                     else:
                         issue.status = IssueStatus.Open

hammer/identification/lambdas/elasticsearch-unencrypted-domain-identification/describe_elasticsearch_unencrypted_domains.py

@@ -61,7 +61,9 @@ def lambda_handler(event, context):
                     issue.issue_details.encrypted_at_rest = domain.encrypted_at_rest
                     issue.issue_details.encrypted_at_transit = domain.encrypted_at_transit
 
-                    if config.esEncrypt.in_whitelist(account_id, domain.name):
+                    if config.esEncrypt.in_temp_whitelist(account_id, domain.name):
+                        issue.status = IssueStatus.Tempwhitelist
+                    elif config.esEncrypt.in_whitelist(account_id, domain.name):
                         issue.status = IssueStatus.Whitelisted
                     else:
                         issue.status = IssueStatus.Open

hammer/identification/lambdas/iam-keyrotation-issues-identification/describe_iam_key_rotation.py

@@ -56,7 +56,12 @@ def lambda_handler(event, context):
                 issue = IAMKeyRotationIssue(account_id, key.id)
                 issue.issue_details.username = user.id
                 issue.issue_details.create_date = key.create_date.isoformat()
-                if config.iamUserKeysRotation.in_whitelist(account_id, key.id) or config.iamUserKeysRotation.in_whitelist(account_id, user.id):
+
+                if config.iamUserKeysRotation.in_temp_whitelist(account_id, key.id) \
+                        or config.iamUserKeysRotation.in_temp_whitelist(account_id, user.id):
+                    issue.status = IssueStatus.Tempwhitelist
+                elif config.iamUserKeysRotation.in_whitelist(account_id, key.id) \
+                        or config.iamUserKeysRotation.in_whitelist(account_id, user.id):
                     issue.status = IssueStatus.Whitelisted
                 else:
                     issue.status = IssueStatus.Open

hammer/identification/lambdas/iam-user-inactive-keys-identification/describe_iam_accesskey_details.py

@@ -57,7 +57,12 @@ def lambda_handler(event, context):
                 issue.issue_details.username = user.id
                 issue.issue_details.last_used = key.last_used.isoformat()
                 issue.issue_details.create_date = key.create_date.isoformat()
-                if config.iamUserInactiveKeys.in_whitelist(account_id, key.id) or config.iamUserInactiveKeys.in_whitelist(account_id, user.id):
+
+                if config.iamUserInactiveKeys.in_temp_whitelist(account_id, key.id) \
+                        or config.iamUserInactiveKeys.in_temp_whitelist(account_id, user.id):
+                    issue.status = IssueStatus.Tempwhitelist
+                elif config.iamUserInactiveKeys.in_whitelist(account_id, key.id) \
+                        or config.iamUserInactiveKeys.in_whitelist(account_id, user.id):
                     issue.status = IssueStatus.Whitelisted
                 else:
                     issue.status = IssueStatus.Open

hammer/identification/lambdas/rds-public-snapshots-identification/describe_rds_public_snapshots.py

@@ -59,7 +59,10 @@ def lambda_handler(event, context):
                 issue.issue_details.region = snapshot.account.region
                 issue.issue_details.engine = snapshot.engine
                 issue.issue_details.tags = snapshot.tags
-                if config.rdsSnapshot.in_whitelist(account_id, snapshot.id):
+
+                if config.rdsSnapshot.in_temp_whitelist(account_id, snapshot.id):
+                    issue.status = IssueStatus.Tempwhitelist
+                elif config.rdsSnapshot.in_whitelist(account_id, snapshot.id):
                     issue.status = IssueStatus.Whitelisted
                 else:
                     issue.status = IssueStatus.Open

hammer/identification/lambdas/rds-unencrypted-instance-identification/describe_rds_instance_encryption.py

@@ -59,7 +59,10 @@ def lambda_handler(event, context):
                 issue.issue_details.region = instance.account.region
                 issue.issue_details.engine = instance.engine
                 issue.issue_details.tags = instance.tags
-                if config.rdsEncrypt.in_whitelist(account_id, instance.id):
+
+                if config.rdsEncrypt.in_temp_whitelist(account_id, instance.id):
+                    issue.status = IssueStatus.Tempwhitelist
+                elif config.rdsEncrypt.in_whitelist(account_id, instance.id):
                     issue.status = IssueStatus.Whitelisted
                 else:
                     issue.status = IssueStatus.Open

hammer/identification/lambdas/redshift-audit-logging-issues-identification/describe_redshift_logging_issues.py

@@ -56,7 +56,10 @@ def lambda_handler(event, context):
                     issue = RedshiftLoggingIssue(account_id, cluster.name)
                     issue.issue_details.tags = cluster.tags
                     issue.issue_details.region = cluster.account.region
-                    if config.redshift_logging.in_whitelist(account_id, cluster.name):
+
+                    if config.redshift_logging.in_temp_whitelist(account_id, cluster.name):
+                        issue.status = IssueStatus.Tempwhitelist
+                    elif config.redshift_logging.in_whitelist(account_id, cluster.name):
                         issue.status = IssueStatus.Whitelisted
                     else:
                         issue.status = IssueStatus.Open

hammer/identification/lambdas/redshift-cluster-public-access-identification/describe_redshift_cluster_public_access.py

@@ -56,7 +56,10 @@ def lambda_handler(event, context):
                     issue = RedshiftPublicAccessIssue(account_id, cluster.name)
                     issue.issue_details.tags = cluster.tags
                     issue.issue_details.region = cluster.account.region
-                    if config.redshift_public_access.in_whitelist(account_id, cluster.name):
+
+                    if config.redshift_public_access.in_temp_whitelist(account_id, cluster.name):
+                        issue.status = IssueStatus.Tempwhitelist
+                    elif config.redshift_public_access.in_whitelist(account_id, cluster.name):
                         issue.status = IssueStatus.Whitelisted
                     else:
                         issue.status = IssueStatus.Open

hammer/identification/lambdas/redshift-unencrypted-cluster-identification/describe_redshift_encryption.py

@@ -56,7 +56,10 @@ def lambda_handler(event, context):
                     issue = RedshiftEncryptionIssue(account_id, cluster.name)
                     issue.issue_details.tags = cluster.tags
                     issue.issue_details.region = cluster.account.region
-                    if config.redshiftEncrypt.in_whitelist(account_id, cluster.name):
+
+                    if config.redshiftEncrypt.in_temp_whitelist(account_id, cluster.name):
+                        issue.status = IssueStatus.Tempwhitelist
+                    elif config.redshiftEncrypt.in_whitelist(account_id, cluster.name):
                         issue.status = IssueStatus.Whitelisted
                     else:
                         issue.status = IssueStatus.Open

hammer/identification/lambdas/requirements.txt

@@ -1,2 +1 @@
-boto3==1.9.42
 requests

hammer/identification/lambdas/s3-acl-issues-identification/describe_s3_bucket_acl.py

@@ -55,7 +55,10 @@ def lambda_handler(event, context):
                 issue.issue_details.owner = bucket.owner
                 issue.issue_details.public_acls = bucket.get_public_acls()
                 issue.issue_details.tags = bucket.tags
-                if config.s3acl.in_whitelist(account_id, bucket.name):
+
+                if config.s3acl.in_temp_whitelist(account_id, bucket.name):
+                    issue.status = IssueStatus.Tempwhitelist
+                elif config.s3acl.in_whitelist(account_id, bucket.name):
                     issue.status = IssueStatus.Whitelisted
                 else:
                     issue.status = IssueStatus.Open

hammer/identification/lambdas/s3-policy-issues-identification/describe_s3_bucket_policy.py

@@ -55,7 +55,10 @@ def lambda_handler(event, context):
                 issue.issue_details.owner = bucket.owner
                 issue.issue_details.tags = bucket.tags
                 issue.issue_details.policy = bucket.policy
-                if config.s3policy.in_whitelist(account_id, bucket.name):
+
+                if config.s3policy.in_temp_whitelist(account_id, bucket.name):
+                    issue.status = IssueStatus.Tempwhitelist
+                elif config.s3policy.in_whitelist(account_id, bucket.name):
                     issue.status = IssueStatus.Whitelisted
                 else:
                     issue.status = IssueStatus.Open