bp-check/services/cloudfront.py

from models import RuleCheckResult, RuleChecker
from functools import cached_property
import boto3


class CloudFrontRuleChecker(RuleChecker):
    def __init__(self):
        self.client = boto3.client("cloudfront")

    @cached_property
    def distributions(self):
        return self.client.list_distributions()["DistributionList"].get("Items", [])

    @cached_property
    def distribution_details(self):
        responses = [
            self.client.get_distribution(Id=distribution["Id"])["Distribution"]
            for distribution in self.distributions
        ]
        return {
            distribution["Id"]: response
            for distribution, response in zip(self.distributions, responses)
        }

    def cloudfront_accesslogs_enabled(self):
        compliant_resources = []
        non_compliant_resources = []

        for distribution in self.distributions:
            distribution = self.distribution_details[distribution["Id"]]
            if (
                "Logging" in distribution["DistributionConfig"]
                and distribution["DistributionConfig"]["Logging"]["Enabled"] == True
            ):
                compliant_resources.append(distribution["ARN"])
            else:
                non_compliant_resources.append(distribution["ARN"])

        return RuleCheckResult(
            passed=not non_compliant_resources,
            compliant_resources=compliant_resources,
            non_compliant_resources=non_compliant_resources,
        )

    def cloudfront_associated_with_waf(self):
        compliant_resources = []
        non_compliant_resources = []

        for distribution in self.distributions:
            if "WebACLId" in distribution and distribution["WebACLId"] != "":
                compliant_resources.append(distribution["ARN"])
            else:
                non_compliant_resources.append(distribution["ARN"])

        return RuleCheckResult(
            passed=not non_compliant_resources,
            compliant_resources=compliant_resources,
            non_compliant_resources=non_compliant_resources,
        )

    def cloudfront_default_root_object_configured(self):
        compliant_resources = []
        non_compliant_resources = []

        for distribution in self.distributions:
            distribution = self.distribution_details[distribution["Id"]]

            if distribution["DistributionConfig"]["DefaultRootObject"] != "":
                compliant_resources.append(distribution["ARN"])
            else:
                non_compliant_resources.append(distribution["ARN"])

        return RuleCheckResult(
            passed=not non_compliant_resources,
            compliant_resources=compliant_resources,
            non_compliant_resources=non_compliant_resources,
        )

    def cloudfront_no_deprecated_ssl_protocols(self):
        compliant_resources = []
        non_compliant_resources = []

        for distribution in self.distributions:
            for origin in distribution["Origins"]["Items"]:
                if (
                    "CustomOriginConfig" in origin
                    and origin["CustomOriginConfig"]["OriginProtocolPolicy"]
                    in ["https-only", "match-viewer"]
                    and "SSLv3"
                    in origin["CustomOriginConfig"]["OriginSslProtocols"]["Items"]
                ):

                    non_compliant_resources.append(distribution["ARN"])
                    break
            else:
                compliant_resources.append(distribution["ARN"])

        return RuleCheckResult(
            passed=not non_compliant_resources,
            compliant_resources=compliant_resources,
            non_compliant_resources=non_compliant_resources,
        )

    def cloudfront_s3_origin_access_control_enabled(self):
        compliant_resources = []
        non_compliant_resources = []

        for distribution in self.distributions:
            for origin in distribution["Origins"]["Items"]:
                if "S3OriginConfig" in origin and origin["OriginAccessControlId"] == "":
                    non_compliant_resources.append(distribution["ARN"])
                    break
            else:
                compliant_resources.append(distribution["ARN"])

        return RuleCheckResult(
            passed=not non_compliant_resources,
            compliant_resources=compliant_resources,
            non_compliant_resources=non_compliant_resources,
        )

    def cloudfront_viewer_policy_https(self):
        compliant_resources = []
        non_compliant_resources = []

        for distribution in self.distributions:
            if (
                distribution["DefaultCacheBehavior"]["ViewerProtocolPolicy"]
                == "allow-all"
            ):
                non_compliant_resources.append(distribution["ARN"])
                continue

            allow_alls = [
                behavior
                for behavior in distribution["CacheBehaviors"]["Items"]
                if behavior["ViewerProtocolPolicy"] == "allow-all"
            ]
            if allow_alls:
                non_compliant_resources.append(distribution["ARN"])
                continue

            compliant_resources.append(distribution["ARN"])

        return RuleCheckResult(
            passed=not non_compliant_resources,
            compliant_resources=compliant_resources,
            non_compliant_resources=non_compliant_resources,
        )


rule_checker = CloudFrontRuleChecker
Refactor to cache AWS resources 2024-08-14 01:05:06 +00:00			`from models import RuleCheckResult, RuleChecker`
			`from functools import cached_property`
Initial commit 2024-08-05 02:30:34 +00:00			`import boto3`


Refactor to cache AWS resources 2024-08-14 01:05:06 +00:00			`class CloudFrontRuleChecker(RuleChecker):`
			`def __init__(self):`
			`self.client = boto3.client("cloudfront")`
Initial commit 2024-08-05 02:30:34 +00:00
Refactor to cache AWS resources 2024-08-14 01:05:06 +00:00			`@cached_property`
			`def distributions(self):`
Handle exceptions gracefully 2024-08-14 04:21:46 +00:00			`return self.client.list_distributions()["DistributionList"].get("Items", [])`
Initial commit 2024-08-05 02:30:34 +00:00
Refactor to cache AWS resources 2024-08-14 01:05:06 +00:00			`@cached_property`
			`def distribution_details(self):`
			`responses = [`
			`self.client.get_distribution(Id=distribution["Id"])["Distribution"]`
			`for distribution in self.distributions`
			`]`
			`return {`
			`distribution["Id"]: response`
			`for distribution, response in zip(self.distributions, responses)`
			`}`
Add feature : CloudFront bp check 2024-08-07 11:40:35 +00:00
Refactor to cache AWS resources 2024-08-14 01:05:06 +00:00			`def cloudfront_accesslogs_enabled(self):`
			`compliant_resources = []`
			`non_compliant_resources = []`
Add feature : CloudFront bp check 2024-08-07 11:40:35 +00:00
Refactor to cache AWS resources 2024-08-14 01:05:06 +00:00			`for distribution in self.distributions:`
			`distribution = self.distribution_details[distribution["Id"]]`
			`if (`
			`"Logging" in distribution["DistributionConfig"]`
			`and distribution["DistributionConfig"]["Logging"]["Enabled"] == True`
			`):`
			`compliant_resources.append(distribution["ARN"])`
			`else:`
			`non_compliant_resources.append(distribution["ARN"])`
Initial commit 2024-08-05 02:30:34 +00:00
Refactor to cache AWS resources 2024-08-14 01:05:06 +00:00			`return RuleCheckResult(`
			`passed=not non_compliant_resources,`
			`compliant_resources=compliant_resources,`
			`non_compliant_resources=non_compliant_resources,`
			`)`
Initial commit 2024-08-05 02:30:34 +00:00
Refactor to cache AWS resources 2024-08-14 01:05:06 +00:00			`def cloudfront_associated_with_waf(self):`
			`compliant_resources = []`
			`non_compliant_resources = []`
Add feature : CloudFront bp check 2024-08-07 11:40:35 +00:00
Refactor to cache AWS resources 2024-08-14 01:05:06 +00:00			`for distribution in self.distributions:`
			`if "WebACLId" in distribution and distribution["WebACLId"] != "":`
			`compliant_resources.append(distribution["ARN"])`
			`else:`
			`non_compliant_resources.append(distribution["ARN"])`
Add feature : CloudFront bp check 2024-08-07 11:40:35 +00:00
Refactor to cache AWS resources 2024-08-14 01:05:06 +00:00			`return RuleCheckResult(`
			`passed=not non_compliant_resources,`
			`compliant_resources=compliant_resources,`
			`non_compliant_resources=non_compliant_resources,`
			`)`
Add feature : CloudFront bp check 2024-08-07 11:40:35 +00:00
Refactor to cache AWS resources 2024-08-14 01:05:06 +00:00			`def cloudfront_default_root_object_configured(self):`
			`compliant_resources = []`
			`non_compliant_resources = []`
Initial commit 2024-08-05 02:30:34 +00:00
Refactor to cache AWS resources 2024-08-14 01:05:06 +00:00			`for distribution in self.distributions:`
			`distribution = self.distribution_details[distribution["Id"]]`
Initial commit 2024-08-05 02:30:34 +00:00
Refactor to cache AWS resources 2024-08-14 01:05:06 +00:00			`if distribution["DistributionConfig"]["DefaultRootObject"] != "":`
			`compliant_resources.append(distribution["ARN"])`
			`else:`
			`non_compliant_resources.append(distribution["ARN"])`
Add feature : CloudFront bp check 2024-08-07 11:40:35 +00:00
Refactor to cache AWS resources 2024-08-14 01:05:06 +00:00			`return RuleCheckResult(`
			`passed=not non_compliant_resources,`
			`compliant_resources=compliant_resources,`
			`non_compliant_resources=non_compliant_resources,`
			`)`

			`def cloudfront_no_deprecated_ssl_protocols(self):`
			`compliant_resources = []`
			`non_compliant_resources = []`

			`for distribution in self.distributions:`
			`for origin in distribution["Origins"]["Items"]:`
			`if (`
			`"CustomOriginConfig" in origin`
			`and origin["CustomOriginConfig"]["OriginProtocolPolicy"]`
			`in ["https-only", "match-viewer"]`
			`and "SSLv3"`
			`in origin["CustomOriginConfig"]["OriginSslProtocols"]["Items"]`
			`):`

			`non_compliant_resources.append(distribution["ARN"])`
			`break`
			`else:`
			`compliant_resources.append(distribution["ARN"])`

			`return RuleCheckResult(`
			`passed=not non_compliant_resources,`
			`compliant_resources=compliant_resources,`
			`non_compliant_resources=non_compliant_resources,`
			`)`

			`def cloudfront_s3_origin_access_control_enabled(self):`
			`compliant_resources = []`
			`non_compliant_resources = []`

			`for distribution in self.distributions:`
			`for origin in distribution["Origins"]["Items"]:`
			`if "S3OriginConfig" in origin and origin["OriginAccessControlId"] == "":`
			`non_compliant_resources.append(distribution["ARN"])`
			`break`
			`else:`
			`compliant_resources.append(distribution["ARN"])`

			`return RuleCheckResult(`
			`passed=not non_compliant_resources,`
			`compliant_resources=compliant_resources,`
			`non_compliant_resources=non_compliant_resources,`
			`)`

			`def cloudfront_viewer_policy_https(self):`
			`compliant_resources = []`
			`non_compliant_resources = []`

			`for distribution in self.distributions:`
Add feature : CloudFront bp check 2024-08-07 11:40:35 +00:00			`if (`
Refactor to cache AWS resources 2024-08-14 01:05:06 +00:00			`distribution["DefaultCacheBehavior"]["ViewerProtocolPolicy"]`
			`== "allow-all"`
Add feature : CloudFront bp check 2024-08-07 11:40:35 +00:00			`):`
			`non_compliant_resources.append(distribution["ARN"])`
Refactor to cache AWS resources 2024-08-14 01:05:06 +00:00			`continue`

			`allow_alls = [`
			`behavior`
			`for behavior in distribution["CacheBehaviors"]["Items"]`
			`if behavior["ViewerProtocolPolicy"] == "allow-all"`
			`]`
			`if allow_alls:`
Fix false alert and remove unneeded API calls 2024-08-08 02:08:43 +00:00			`non_compliant_resources.append(distribution["ARN"])`
Refactor to cache AWS resources 2024-08-14 01:05:06 +00:00			`continue`
Initial commit 2024-08-05 02:30:34 +00:00
Refactor to cache AWS resources 2024-08-14 01:05:06 +00:00			`compliant_resources.append(distribution["ARN"])`
Fix false alert and remove unneeded API calls 2024-08-08 02:08:43 +00:00
Refactor to cache AWS resources 2024-08-14 01:05:06 +00:00			`return RuleCheckResult(`
			`passed=not non_compliant_resources,`
			`compliant_resources=compliant_resources,`
			`non_compliant_resources=non_compliant_resources,`
			`)`
Fix false alert and remove unneeded API calls 2024-08-08 02:08:43 +00:00
Add feature : CloudFront bp check 2024-08-07 11:40:35 +00:00
Refactor to cache AWS resources 2024-08-14 01:05:06 +00:00			`rule_checker = CloudFrontRuleChecker`