2024-08-14 01:05:06 +00:00
|
|
|
from models import RuleCheckResult, RuleChecker
|
|
|
|
|
from functools import cached_property
|
2024-08-05 02:30:34 +00:00
|
|
|
import boto3
|
2024-08-14 01:05:06 +00:00
|
|
|
from datetime import datetime, timedelta
|
2024-08-07 02:36:11 +00:00
|
|
|
from dateutil.tz import tzlocal
|
2024-08-05 02:30:34 +00:00
|
|
|
|
|
|
|
|
|
2024-08-14 01:05:06 +00:00
|
|
|
class SecretsManagerRuleChecker(RuleChecker):
|
|
|
|
|
def __init__(self):
|
|
|
|
|
self.client = boto3.client("secretsmanager")
|
2024-08-05 02:30:34 +00:00
|
|
|
|
2024-08-14 01:05:06 +00:00
|
|
|
@cached_property
|
|
|
|
|
def secrets(self):
|
|
|
|
|
return self.client.list_secrets()["SecretList"]
|
2024-08-05 02:30:34 +00:00
|
|
|
|
2024-08-14 01:05:06 +00:00
|
|
|
def secretsmanager_rotation_enabled_check(self):
|
|
|
|
|
compliant_resources = []
|
|
|
|
|
non_compliant_resources = []
|
2024-08-07 02:36:11 +00:00
|
|
|
|
2024-08-14 01:05:06 +00:00
|
|
|
for secret in self.secrets:
|
|
|
|
|
if secret.get("RotationEnabled", False):
|
2024-08-07 02:36:11 +00:00
|
|
|
compliant_resources.append(secret["ARN"])
|
|
|
|
|
else:
|
2024-08-14 01:05:06 +00:00
|
|
|
non_compliant_resources.append(secret["ARN"])
|
2024-08-07 02:36:11 +00:00
|
|
|
|
2024-08-14 01:05:06 +00:00
|
|
|
return RuleCheckResult(
|
|
|
|
|
passed=not non_compliant_resources,
|
|
|
|
|
compliant_resources=compliant_resources,
|
|
|
|
|
non_compliant_resources=non_compliant_resources,
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
def secretsmanager_scheduled_rotation_success_check(self):
|
|
|
|
|
compliant_resources = []
|
|
|
|
|
non_compliant_resources = []
|
|
|
|
|
|
|
|
|
|
for secret in self.secrets:
|
|
|
|
|
if secret.get("RotationEnabled", False):
|
|
|
|
|
if "LastRotatedDate" not in secret:
|
|
|
|
|
non_compliant_resources.append(secret["ARN"])
|
|
|
|
|
continue
|
|
|
|
|
|
|
|
|
|
now = datetime.now(tz=tzlocal())
|
|
|
|
|
rotation_period = timedelta(
|
|
|
|
|
days=secret["RotationRules"]["AutomaticallyAfterDays"] + 2
|
|
|
|
|
) # 최대 2일 지연 가능 (aws)
|
|
|
|
|
elapsed_time_after_rotation = now - secret["LastRotatedDate"]
|
|
|
|
|
|
|
|
|
|
if elapsed_time_after_rotation > rotation_period:
|
|
|
|
|
non_compliant_resources.append(secret["ARN"])
|
|
|
|
|
else:
|
|
|
|
|
compliant_resources.append(secret["ARN"])
|
|
|
|
|
|
|
|
|
|
return RuleCheckResult(
|
|
|
|
|
passed=not non_compliant_resources,
|
|
|
|
|
compliant_resources=compliant_resources,
|
|
|
|
|
non_compliant_resources=non_compliant_resources,
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
def secretsmanager_secret_periodic_rotation(self):
|
|
|
|
|
compliant_resources = []
|
|
|
|
|
non_compliant_resources = []
|
|
|
|
|
|
|
|
|
|
for secret in self.secrets:
|
|
|
|
|
if secret.get("RotationEnabled") == True:
|
|
|
|
|
if "LastRotatedDate" not in secret:
|
|
|
|
|
non_compliant_resources.append(secret["ARN"])
|
|
|
|
|
continue
|
|
|
|
|
|
|
|
|
|
now = datetime.now(tz=tzlocal())
|
|
|
|
|
elapsed_time_after_rotation = now - secret["LastRotatedDate"]
|
|
|
|
|
|
|
|
|
|
if elapsed_time_after_rotation > timedelta(days=90):
|
|
|
|
|
non_compliant_resources.append(secret["ARN"])
|
|
|
|
|
else:
|
|
|
|
|
compliant_resources.append(secret["ARN"])
|
|
|
|
|
|
|
|
|
|
return RuleCheckResult(
|
|
|
|
|
passed=not non_compliant_resources,
|
|
|
|
|
compliant_resources=compliant_resources,
|
|
|
|
|
non_compliant_resources=non_compliant_resources,
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
rule_checker = SecretsManagerRuleChecker
|
