
All the way to remediation Queue

Gogs 5 سال پیش
والد
کامیت
1d4049c6e2
3فایلهای تغییر یافته به همراه45 افزوده شده و 14 حذف شده
  1. 12 3
      Roles.md
  2. 4 0
      sample/TODO.md
  3. 29 11
      sample/fcm-analysis-EbsEncryptionByDefault/EbsEncryptionByDefault.py

+ 12 - 3
Roles.md

@@ -1,12 +1,21 @@
-# FCM Roles
+# FCM Roles and Policies
 
 There are a number of roles required.
 
-# All Accounts
+## Roles
+### All Accounts
 `fcm-analysis-[functionname]` - Permissions for the function, can be assumed by the master account `fcm-lambda-analysis-[functionname]`.
 `fcm-remediation-[functionname]` - Permissions for the function, can be assumed by the master account `fcm-lambda-remediation-[functionname].
 
-# Master Account
+### Master Account
 Master account has all of the "All Accounts" roles, plus:
 `fcm-lambda-analysis-[functionname]` - Allows basic FCM lambda access and the ability to assumerole into the above roles in all accounts.
 `fcm-lambda-remediation-[functionname]` - Allows basic FCM lambda access and the ability to assumerole into the above roles in all accounts.
+
+## Policies
+
+### All Accounts
+
+### Master Account
+`fcm-lambda-base` - Basic lambda functionality (cloudwatch log groups, etc)
+

+ 4 - 0
sample/TODO.md

@@ -1,5 +1,9 @@
 # Overall
 * Add second account
+* Add health detection (CloudWatch Alarms? CloudWatch Dashboard?)
+  - Not enough memory in lambda function
+  - Lambda function timing out
+  - dead letter warnings
 
 # KMS
 * Figure out exactly what actions cloudwatch needs. `kms:*` is too permissive.

+ 29 - 11
sample/fcm-analysis-EbsEncryptionByDefault/EbsEncryptionByDefault.py

@@ -14,11 +14,27 @@ def determine_compliance(ec2client, detail):
     logger.debug('Determined to be compliant')
     return True
 
-def report(compliant, detail):
-    return
+def report(sqsclient, compliant, function_name, detail):
+    output = {
+                'plugin': function_name,
+                'compliant': compliant,
+                'trigger': detail
+            }
+    logger.debug(f'Sending report: {json.dumps(output, default=str)}')
+    # TODO - Actually report
+
+
+def remediate(sqsclient, account, region):
+    output = {
+                'account': account,
+                'region': region
+            }
+    logger.debug(f'Sending remediation request to queue: {json.dumps(output, default=str)}')
+    response = sqsclient.send_message(
+                QueueUrl = 'https://sqs.us-east-2.amazonaws.com/082012130604/fcm-remediation-EbsEncryptionByDefault',
+                MessageBody = json.dumps(output)
+            )
 
-def remediate(detail):
-    return
 
 def lambda_handler(event, context):
     init_logger()
@@ -37,13 +53,15 @@ def lambda_handler(event, context):
 
     account = body['account']
     region  = body['region']
+    function_name = str(context.function_name)
+    logger.debug(f'Determined function name is: "{function_name}"')
 
     # Get a session on the destination account
     logger.info(f'Assuming role into account {account} in region {region}')
     client = boto3.client('sts')
     assumed_role_obj = client.assume_role(
-            RoleArn=f'arn:aws:iam::{account}:role/fcm/fcm-analysis-EbsEncryptionByDefault',
-            RoleSessionName='fcm-analysis-EbsEncryptionByDefault',
+            RoleArn=f'arn:aws:iam::{account}:role/fcm/{function_name}',
+            RoleSessionName=function_name,
             DurationSeconds=900
         )
     credentials = assumed_role_obj['Credentials']
@@ -55,11 +73,13 @@ def lambda_handler(event, context):
             aws_session_token = credentials['SessionToken'],
             region_name = region
             )
+    logger.debug(f'Creating local account sqsclient')
+    sqsclient = boto3.client('sqs')
 
     compliant = determine_compliance(ec2client, detail)
-    report(compliant, detail)
+    report(sqsclient, compliant, function_name, detail)
     if not compliant:
-        remediate(detail)
+        remediate(sqsclient, account, region)
     return True
 
 
@@ -71,6 +91,7 @@ def init_logger():
         logger.setLevel('DEBUG')
         logger.warning('Logging level not set or set to invalid value.')
 
+
 def prevent_loop(detail):
     arn = r'^arn:aws:sts::\d{12}:assumed-role/fcm-'
     useragent = r'exec-env/AWS_Lambda'
@@ -82,9 +103,6 @@ def prevent_loop(detail):
     return False
 
 
-
-
-
 if __name__ == "__main__":
     # For testing only:
     handler = logging.StreamHandler()
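Review bot: In the first hunk, `remediate` hard-codes the remediation queue URL, including an account id and region, so the function only works in that one deployment and the destination cannot change without a code edit, whereas `lambda_handler` in the second hunk already derives `function_name` from `context` rather than hard-coding it. The queue URL should likewise come from configuration, e.g. `QueueUrl=os.environ['REMEDIATION_QUEUE_URL']` (variable name constructed; `os` would need to be imported at the top of the file, which is outside these hunks). In the same hunk `response` from `send_message` is assigned and never used; either log `response['MessageId']` so the enqueue is traceable or drop the assignment. `report` also accepts `sqsclient` but does not use it, and the `# TODO - Actually report` line means a finding is currently only emitted at DEBUG level, which is worth stating in a docstring such as `"""Placeholder: logs the finding; no report is sent yet."""` until the send is implemented.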