Halaman utama Jelajahi Bantuan
Daftar Masuk
AFS
/
xdr-terraform-modules
2
0
Fork 0
Berkas Masalah 0 Permintaan Tarik 0 Wiki
Pohon: eaf3fd67b0
Ranting Tag
xdr-terraform-m...
/
base
/
account_standards
/
files
/
cloudtrail_status_check.py

cloudtrail_status_check.py 2.2 KB
Riwayat Mentahan

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475 
  1. import os
    2. 

  2. import boto3
    3. 

  3. 

  4. 

  5. def answer_no(x): return True if str(x).lower() in [
    6. 

  6.     '0', 'no', 'false'] else False
    7. 

  7. 

  8. 

  9. def answer_yes(x): return True if str(x).lower() in [
    10. 

  10.     '1', 'yes', 'true'] else False
    11. 

  11. 

  12. 

  13. def send_notifications(message):
    14. 

  14.     # TODO
    15. 

  15.     return True
    16. 

  16. 

  17. 

  18. def is_bucket_not_public(bucket_name):
    19. 

  19.     s3 = boto3.client('s3')
    20. 

  20.     bucket_acl = s3.get_bucket_acl(Bucket=bucket_name)
    21. 

  21. 

  22.     # If there is a permission attached with any value for AllUsers,
    23. 

  23.     # it means the bucket is public
    24. 

  24.     # We don't need to check if the permission any of
    25. 

  25.     # READ|WRITE|READ_ACP|WRITE_ACP|FULL_CONTROL
    26. 

  26.     for grantee in bucket_acl['Grants']:
    27. 

  27.         if grantee['Grantee']['Type'] == 'Group' \
    28. 

  28.                 and grantee['Grantee']['URI'] == 'http://acs.amazonaws.com/groups/global/AllUsers':
    29. 

  29.             return False
    30. 

  30.     return True
    31. 

  31. 

  32. 

  33. def lambda_handler(event, context):
    34. 

  34.     rc = 1
    35. 

  35.     message_body = 'Chekcing trails'
    36. 

  36.     print message_body
    37. 

  37. 

  38.     cloudtrail = boto3.client('cloudtrail')
    39. 

  39.     trails = cloudtrail.describe_trails()
    40. 

  40. 

  41.     for trail in trails['trailList']:
    42. 

  42.         notification = 'Checking ' + trail['Name']
    43. 

  43.         print notification
    44. 

  44.         message_body += notification + "\n"
    45. 

  45. 

  46.         if trail['IsMultiRegionTrail'] \
    47. 

  47.                 and ('KmsKeyId' in trail and trail['KmsKeyId'] != '') \
    48. 

  48.                 and trail['IncludeGlobalServiceEvents'] \
    49. 

  49.                 and trail['LogFileValidationEnabled']:
    50. 

  50. 

  51.             notification = trail['Name'] + ' is OK'
    52. 

  52.             print notification
    53. 

  53.             message_body += notification + "\n"
    54. 

  54.             rc = 0
    55. 

  55.         else:
    56. 

  56.             notification = trail['Name'] + \
    57. 

  57.                 ' does not match with the requirements'
    58. 

  58.             print notification
    59. 

  59.             message_body += notification + "\n"
    60. 

  60. 

  61.         if not is_bucket_not_public(trail['S3BucketName']):
    62. 

  62.             rc = 1
    63. 

  63.             notification = trail['Name'] + \
    64. 

  64.                 "\'s bucket has public access."
    65. 

  65.             print notification
    66. 

  66.             message_body += notification + "\n"
    67. 

  67. 

  68.     if rc == 1 and ('DRY_RUN' in os.environ and answer_no(os.environ['DRY_RUN'])):
    69. 

  69.         send_notifications(message_body)
    70. 

  70.         exit(rc)
    71. 

  71. 

  72. # if __name__ == "__main__":
    73. 

  73. #    event = 1
    74. 

  74. #    context = 1
    75. 

  75. #    lambda_handler(event, context)
    76.