
Rough draft of function.

Gogs 5 年 前
コミット
763d50e8b0

+ 0 - 1
Architecture.md

@@ -68,4 +68,3 @@ Naming Convention: `fcm-reporting-[functionname]`
 
 
 
-

+ 74 - 5
sample/fcm-analysis-EbsEncryptionByDefault/EbsEncryptionByDefault.py

@@ -1,23 +1,92 @@
 #! /usr/bin/env python3
-import logging
+import boto3
 import json
+import logging
 import os
+import re
 
 logger = logging.getLogger('FCM')
 
+def determine_compliance(detail):
+    return
+
+def report(compliant, detail):
+    return
+
+def remediate(detail):
+    return
+
 def lambda_handler(event, context):
+    init_logger()
+
+    if isinstance(event, (str, )):
+        event = json.loads(event)
+    body = json.loads(event['Records'][0]['body'])
+    detail = body.get('detail', {})
+    logger.debug(f'Inbound event: {json.dumps(event, default=str)}')
+    logger.debug(f'Inbound body: {json.dumps(body, default=str)}')
+    logger.debug(f'Inbound detail: {json.dumps(detail, default=str)}')
+    if prevent_loop(detail):
+        logger.info('Probable loop detected. Exiting.')
+        return {}
+
+    # For now, we're just going to turn it back on.
+    compliant = determine_compliance(detail)
+    report(compliant, detail)
+    if not compliant:
+        remediate(detail)
+    return True
+    
+
+
+def init_logger():
     global logger
     try:
         logger.setLevel(os.environ['LOGLEVEL'])
     except:
         logger.setLevel('DEBUG')
-        logger.warn('Logging level not set or set to invalid value.')
-    logger.debug(f'Inbound event: {json.dumps(event, default=str)}')
-    return { 'msg': 'Hello!' }
+        logger.warning('Logging level not set or set to invalid value.')
+
+def prevent_loop(detail):
+    arn = r'^arn:aws:sts::\d{12}:assumed-role/fcm-'
+    useragent = r'exec-env/AWS_Lambda'
+
+    if re.search(arn, detail.get('userIdentity', {}).get('arn', '')):
+        # We're in an fcm assumed role
+        if re.search(useragent, detail.get('userAgent', '')):
+            return True
+    return False
+
+
+
+
 
 if __name__ == "__main__":
+    # For testing only:
     handler = logging.StreamHandler()
     formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
     handler.setFormatter(formatter)
     logger.addHandler(handler)
-    lambda_handler(event = { 'test': 'true' }, context={})
+
+    event = {
+    "Records": [
+        {
+            "messageId": "39647048-eb52-4393-a39a-fda3a8d3fdfc",
+            "receiptHandle": "AQEBXWJnH5nZjA5CYGceVCf/S8Rxy0MK0leslGeCZy5BNzejyqUNfmItzpc2D8AiapnByQk5AmR1UDMtfm6eptnEuKerBebtw0zJDXa/ed5joiWYKo8v2evl8Kun8dj77MRr70vsVqXenvSY5neNUSmtwKcnfNpsxL1qBYA7fatI/xLSOy08i4C8jsntJLA93Xag1IN0/+xiuzkYoBHm5oFf24Ed1EZ5izKJsWjKQc9bAzd4EKSuUXbNpFjW8WWDcr1c9Sdi6NS0F2P/qFRNinwCYRENicQZ5KSNISxqZgLe+nBfQRipn1kGMMNsgBfGgonOakkFB7KI1GGXFspxEYIPrIcUUJt7XwYKgvqUOF/gKezOdAPpVOSoAYkVdV4BjWxCTbw8L03wuDsqe0ihanB6oE/6GTachRsPg0WiSQcq2tw=",
+            "body": "{\"version\":\"0\",\"id\":\"8e098047-456d-45b1-9ac4-2c2571bafcbd\",\"detail-type\":\"AWS API Call via CloudTrail\",\"source\":\"aws.ec2\",\"account\":\"082012130604\",\"time\":\"2019-09-26T19:37:50Z\",\"region\":\"us-east-2\",\"resources\":[],\"detail\":{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"Root\",\"principalId\":\"082012130604\",\"arn\":\"arn:aws:iam::082012130604:root\",\"accountId\":\"082012130604\",\"accessKeyId\":\"ASIARGGCNZUWBA2LEEP3\",\"sessionContext\":{\"sessionIssuer\":{},\"webIdFederationData\":{},\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2019-09-26T13:53:54Z\"}}},\"eventTime\":\"2019-09-26T19:37:50Z\",\"eventSource\":\"ec2.amazonaws.com\",\"eventName\":\"DisableEbsEncryptionByDefault\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"99.56.213.129\",\"userAgent\":\"console.ec2.amazonaws.com\",\"requestParameters\":{\"DisableEbsEncryptionByDefaultRequest\":{}},\"responseElements\":{\"DisableEbsEncryptionByDefaultResponse\":{\"xmlns\":\"http://ec2.amazonaws.com/doc/2016-11-15/\",\"ebsEncryptionByDefault\":false,\"requestId\":\"5e6d6a10-a7b9-4e55-9dd3-c04ec7db7198\"}},\"requestID\":\"5e6d6a10-a7b9-4e55-9dd3-c04ec7db7198\",\"eventID\":\"014d99f8-ac9b-41c6-8d8a-a7bb1dffd20a\",\"eventType\":\"AwsApiCall\"}}",
+            "attributes": {
+                "ApproximateReceiveCount": "1",
+                "SentTimestamp": "1569526676382",
+                "SenderId": "AIDAJQR6QDGQ7PATMSYEY",
+                "ApproximateFirstReceiveTimestamp": "1569526676385"
+            },
+            "messageAttributes": {},
+            "md5OfBody": "41bfacdf79a8139308b1790eac435955",
+            "eventSource": "aws:sqs",
+            "eventSourceARN": "arn:aws:sqs:us-east-2:082012130604:fcm-analysis-EbsEncryptionByDefault",
+            "awsRegion": "us-east-2"
+        }
+    ]
+}
+
+    lambda_handler(event = event, context={})
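Review bot: `lambda_handler` reads only `event['Records'][0]`, so when SQS hands the function a batch of several messages every record after the first is dropped without a log line or an error, while the whole batch is still acknowledged. Loop over the batch instead: `for record in event['Records']:` followed by `body = json.loads(record['body'])`, with the rest of the handler body indented under it and the `return {}` on the loop-guard path becoming `continue`. Whether batches larger than one actually occur depends on the event source mapping's batch size, which is not visible here. Note also that `determine_compliance` is still a stub returning `None`, so `if not compliant:` is always true and `remediate` runs for every record, including the `EnableEbsEncryptionByDefault` events that sqs.tf routes to this queue. In `init_logger` the bare `except:` should be `except (KeyError, ValueError):`, since `setLevel` raises `ValueError` for an unrecognised level name and the bare form also swallows `KeyboardInterrupt` and `SystemExit`.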

+ 13 - 5
sample/lambda.fcm-analysis-EbsEncryptionByDefault.tf

@@ -30,7 +30,7 @@ resource "aws_iam_policy" "fcm-analysis-EbsEncryptionByDefault" {
         {
             "Effect": "Allow",
             "Action": "logs:CreateLogGroup",
-            "Resource": "
+            "Resource": "arn:aws:logs:us-east-2:082012130604:log-group:*"
         },
         {
             "Effect": "Allow",
@@ -38,12 +38,10 @@ resource "aws_iam_policy" "fcm-analysis-EbsEncryptionByDefault" {
                 "logs:CreateLogStream",
                 "logs:PutLogEvents"
             ],
-            "Resource": [
-                "arn:aws:logs:us-east-2:082012130604:log-group:/aws/lambda/*"
-            ]
+            "Resource": "arn:aws:logs:us-east-2:082012130604:log-group:/aws/lambda/*"
         },
         {
-            "Sid": "RequiredLambdaAccess",
+            "Sid": "FCMRequiredAccess",
             "Effect": "Allow",
             "Action": [
                 "kms:Decrypt",
@@ -53,6 +51,14 @@ resource "aws_iam_policy" "fcm-analysis-EbsEncryptionByDefault" {
                 "sqs:GetQueueAttributes"
             ],
             "Resource": "*"
+         },
+         {
+            "Sid": "FunctionSpecificAccess",
+            "Effect": "Allow",
+            "Action": [
+                "ec2:GetEbsEncryptionByDefault"
+            ],
+            "Resource": "*"
          }
     ]
 }
@@ -76,6 +82,8 @@ resource "aws_lambda_function" "fcm-analysis-EbsEncryptionByDefault" {
   source_code_hash = "${data.archive_file.fcm-analysis-EbsEncryptionByDefault.output_base64sha256}"
 
   runtime = "python3.7"
+  memory_size = 128 # 64MB increments
+  timeout = 30 # Seconds
 
   environment {
     variables = {
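Review bot: The new `FunctionSpecificAccess` statement grants `ec2:GetEbsEncryptionByDefault` on `"Resource": "*"` with nothing saying why the wildcard is deliberate; since this API reads an account-level setting and accepts no resource ARN, add a `#` comment before the `policy` argument (outside this hunk) such as `# ec2:GetEbsEncryptionByDefault is account-scoped and supports no resource-level restriction, so "*" is required`. The handler's `remediate` stub is described as turning the setting back on, so this statement will presumably also need `ec2:EnableEbsEncryptionByDefault` once that is implemented. The renamed `FCMRequiredAccess` statement still pairs `kms:Decrypt` with `"Resource": "*"`; scoping it to the ARN of the key that encrypts the queue would keep the role from decrypting with any key in the account. The `timeout = 30` added in the last hunk should be checked against the queue's visibility timeout in sqs.tf, which is not shown on this page.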

+ 3 - 0
sample/sqs.tf

@@ -63,17 +63,20 @@ resource "aws_sns_topic_subscription" "fcm-analysis-EbsEncryptionByDefault1" {
   topic_arn = "${aws_sns_topic.fcm-input-DisableEbsEncryptionByDefault.arn}"
   protocol  = "sqs"
   endpoint  = "${aws_sqs_queue.fcm-analysis-EbsEncryptionByDefault.arn}"
+  raw_message_delivery = true # don't add extra sns metadata
 }
 
 resource "aws_sns_topic_subscription" "fcm-analysis-EbsEncryptionByDefault2" {
   topic_arn = "${aws_sns_topic.fcm-input-EnableEbsEncryptionByDefault.arn}"
   protocol  = "sqs"
   endpoint  = "${aws_sqs_queue.fcm-analysis-EbsEncryptionByDefault.arn}"
+  raw_message_delivery = true # don't add extra sns metadata
 }
 
 resource "aws_sns_topic_subscription" "fcm-analysis-EbsEncryptionByDefault3" {
   topic_arn = "${aws_sns_topic.fcm-custom-EbsEncryptionByDefault.arn}"
   protocol  = "sqs"
   endpoint  = "${aws_sqs_queue.fcm-analysis-EbsEncryptionByDefault.arn}"
+  raw_message_delivery = true # don't add extra sns metadata
 }
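Review bot: The comment `# don't add extra sns metadata` on each of the three subscriptions says what the flag does but not why this consumer needs it; the Python handler parses the SQS body directly as the EventBridge event and reads `detail` from it, which only works when the SNS envelope is stripped. Suggest `# raw delivery: the handler parses the body directly as the EventBridge event (no SNS envelope)` on all three, or once above the first subscription. Without this flag the handler's `body.get('detail', {})` would quietly yield an empty dict rather than fail, so the dependency is worth stating here.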