Fix false alert and remove unneeded API calls
This commit is contained in:
parent
8a0f93b221
commit
24c13eff59
@ -33,9 +33,7 @@ def cloudfront_associated_with_waf():
|
|||||||
distributions = client.list_distributions()["DistributionList"]["Items"]
|
distributions = client.list_distributions()["DistributionList"]["Items"]
|
||||||
|
|
||||||
for distribution in distributions:
|
for distribution in distributions:
|
||||||
distribution = client.get_distribution(Id=distribution["Id"])["Distribution"]
|
if "WebACLId" in distribution and distribution["WebACLId"] != "":
|
||||||
|
|
||||||
if "WebACLId" in distribution["DistributionConfig"] and distribution["DistributionConfig"]["WebACLId"] != "":
|
|
||||||
compliant_resources.append(distribution["ARN"])
|
compliant_resources.append(distribution["ARN"])
|
||||||
else:
|
else:
|
||||||
non_compliant_resources.append(distribution["ARN"])
|
non_compliant_resources.append(distribution["ARN"])
|
||||||
@ -73,11 +71,10 @@ def cloudfront_no_deprecated_ssl_protocols():
|
|||||||
distributions = client.list_distributions()["DistributionList"]["Items"]
|
distributions = client.list_distributions()["DistributionList"]["Items"]
|
||||||
|
|
||||||
for distribution in distributions:
|
for distribution in distributions:
|
||||||
distribution = client.get_distribution(Id=distribution["Id"])["Distribution"]
|
for origin in distribution["Origins"]["Items"]:
|
||||||
|
|
||||||
for origin in distribution["DistributionConfig"]["Origins"]["Items"]:
|
|
||||||
if (
|
if (
|
||||||
"CustomOriginConfig" in origin
|
"CustomOriginConfig" in origin
|
||||||
|
and origin["CustomOriginConfig"]["OriginProtocolPolicy"] in ["https-only", "match-viewer"]
|
||||||
and "SSLv3" in origin["CustomOriginConfig"]["OriginSslProtocols"]["Items"]
|
and "SSLv3" in origin["CustomOriginConfig"]["OriginSslProtocols"]["Items"]
|
||||||
):
|
):
|
||||||
|
|
||||||
@ -101,10 +98,10 @@ def cloudfront_s3_origin_access_control_enabled():
|
|||||||
for distribution in distributions["Items"]:
|
for distribution in distributions["Items"]:
|
||||||
for origin in distribution["Origins"]["Items"]:
|
for origin in distribution["Origins"]["Items"]:
|
||||||
if "S3OriginConfig" in origin and origin["OriginAccessControlId"] == "":
|
if "S3OriginConfig" in origin and origin["OriginAccessControlId"] == "":
|
||||||
non_compliant_resources.append(distribution["Id"])
|
non_compliant_resources.append(distribution["ARN"])
|
||||||
break
|
break
|
||||||
else:
|
else:
|
||||||
compliant_resources.append(distribution["Id"])
|
compliant_resources.append(distribution["ARN"])
|
||||||
|
|
||||||
return RuleCheckResult(
|
return RuleCheckResult(
|
||||||
passed=not non_compliant_resources,
|
passed=not non_compliant_resources,
|
||||||
@ -119,17 +116,20 @@ def cloudfront_viewer_policy_https():
|
|||||||
distributions = client.list_distributions()["DistributionList"]["Items"]
|
distributions = client.list_distributions()["DistributionList"]["Items"]
|
||||||
|
|
||||||
for distribution in distributions:
|
for distribution in distributions:
|
||||||
distribution = client.get_distribution(Id=distribution["Id"])["Distribution"]
|
if distribution["DefaultCacheBehavior"]["ViewerProtocolPolicy"] == "allow-all":
|
||||||
|
|
||||||
if distribution["DistributionConfig"]["DefaultCacheBehavior"]["ViewerProtocolPolicy"] != "allow-all":
|
|
||||||
for behavior in distribution["DistributionConfig"]["CacheBehaviors"]["Items"]:
|
|
||||||
if behavior["ViewerProtocolPolicy"] == "allow-all":
|
|
||||||
non_compliant_resources.append(distribution["ARN"])
|
|
||||||
break
|
|
||||||
else:
|
|
||||||
compliant_resources.append(distribution["ARN"])
|
|
||||||
else:
|
|
||||||
non_compliant_resources.append(distribution["ARN"])
|
non_compliant_resources.append(distribution["ARN"])
|
||||||
|
continue
|
||||||
|
|
||||||
|
allow_alls = [
|
||||||
|
behavior
|
||||||
|
for behavior in distribution["CacheBehaviors"]["Items"]
|
||||||
|
if behavior["ViewerProtocolPolicy"] == "allow-all"
|
||||||
|
]
|
||||||
|
if allow_alls:
|
||||||
|
non_compliant_resources.append(distribution["ARN"])
|
||||||
|
continue
|
||||||
|
|
||||||
|
compliant_resources.append(distribution["ARN"])
|
||||||
|
|
||||||
return RuleCheckResult(
|
return RuleCheckResult(
|
||||||
passed=not non_compliant_resources,
|
passed=not non_compliant_resources,
|
||||||
|
Loading…
Reference in New Issue
Block a user