pmh_only/bp-check
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Check API GW rules

Browse Source
This commit is contained in:
EC2 Default User 2024-08-13 02:45:07 +00:00 committed by skyuecx0630
parent 92f9bd375c
commit 4854f11021
1 changed files with 133 additions and 126 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

259
services/api_gw.py
View File

@ -2,181 +2,188 @@ from models import RuleCheckResult
import boto3 import boto3
v2_client = boto3.client('apigatewayv2') v1_client = boto3.client("apigateway")
v1_client = boto3.client('apigateway') v2_client = boto3.client("apigatewayv2")
wafv2_client = boto3.client('wafv2')
def api_gwv2_access_logs_enabled(): def api_gwv2_access_logs_enabled():
apis = v2_client.get_apis() apis = v2_client.get_apis()
compliant_resources=[] compliant_resources = []
non_compliant_resources=[] non_compliant_resources = []
if 'Items' in apis:
for api in apis['Items']: for api in apis["Items"]:
stages = v2_client.get_stages( stages = v2_client.get_stages(
ApiId=api['ApiId'], ApiId=api["ApiId"],
) )
if 'Items' not in stages: continue
noncompliant_stage_names = [ non_compliant_resources += [
stage['StageName'] f"{api['Name']} / {stage['StageName']}"
for stage in stages['Items'] for stage in stages["Items"]
if 'AccessLogSettings' not in stage if "AccessLogSettings" not in stage
] ]
if noncompliant_stage_names:
identity = api['Name'] + " | " + ", ".join(noncompliant_stage_names) compliant_resources += list(
non_compliant_resources.append(identity) set([f"{api['Name']} / {stage['StageName']}" for stage in stages["Items"]])
else: - set(non_compliant_resources)
compliant_resources.append(api['name']) )
return RuleCheckResult( return RuleCheckResult(
passed=not non_compliant_resources, passed=not non_compliant_resources,
compliant_resources=compliant_resources, compliant_resources=compliant_resources,
non_compliant_resources=non_compliant_resources non_compliant_resources=non_compliant_resources,
) )
def api_gwv2_authorization_type_configured(): def api_gwv2_authorization_type_configured():
apis = v2_client.get_apis() apis = v2_client.get_apis()
compliant_resources=[] compliant_resources = []
non_compliant_resources=[] non_compliant_resources = []
if 'Items' in apis:
for api in apis['Items']: for api in apis["Items"]:
response = v2_client.get_routes( response = v2_client.get_routes(
ApiId=api['ApiId'], ApiId=api["ApiId"],
) )
noncomplaint_routes = [
route['RouteKey'] non_compliant_resources += [
for route in response['Items'] f"{api['Name']} / {route['RouteKey']}"
if route['AuthorizationType'] == "NONE" for route in response["Items"]
] if route["AuthorizationType"] == "NONE"
if noncomplaint_routes: ]
identity = api['Name'] + " | " + ', '.join(noncomplaint_routes)
non_compliant_resources.append(identity) compliant_resources += list(
else: set([f"{api['Name']} / {route['RouteKey']}" for route in response["Items"]])
compliant_resources.append(api['Name']) - set(non_compliant_resources)
)
return RuleCheckResult( return RuleCheckResult(
passed=not non_compliant_resources, passed=not non_compliant_resources,
compliant_resources=compliant_resources, compliant_resources=compliant_resources,
non_compliant_resources=non_compliant_resources non_compliant_resources=non_compliant_resources,
) )
def api_gw_associated_with_waf(): def api_gw_associated_with_waf():
apis = v1_client.get_rest_apis() apis = v1_client.get_rest_apis()
compliant_resources=[] compliant_resources = []
non_compliant_resources=[] non_compliant_resources = []
if 'items' in apis:
for api in apis['items']: for api in apis["items"]:
stages = v1_client.get_stages( stages = v1_client.get_stages(
restApiId=api['id'], restApiId=api["id"],
) )
if 'item' in stages:
for stage in stages['item']: for stage in stages["item"]:
stage_arn = f"arn:aws:apigateway:{v1_client.meta.region_name}::/restapis/{api['id']}/stages/{stage['stageName']}" stage_arn = f"arn:aws:apigateway:{v1_client.meta.region_name}::/restapis/{api['id']}/stages/{stage['stageName']}"
response = wafv2_client.get_web_acl_for_resource(
ResourceArn=stage_arn if "webAclArn" in stage:
) compliant_resources.append(stage_arn)
if 'WebACL' in response: compliant_resources.append(stage_arn) else:
else: non_compliant_resources.append(stage_arn) non_compliant_resources.append(stage_arn)
return RuleCheckResult( return RuleCheckResult(
passed=not non_compliant_resources, passed=not non_compliant_resources,
compliant_resources=compliant_resources, compliant_resources=compliant_resources,
non_compliant_resources=non_compliant_resources non_compliant_resources=non_compliant_resources,
) )
def api_gw_cache_enabled_and_encrypted(): def api_gw_cache_enabled_and_encrypted():
apis = v1_client.get_rest_apis() apis = v1_client.get_rest_apis()
compliant_resources=[] compliant_resources = []
non_compliant_resources=[] non_compliant_resources = []
if 'items' in apis:
for api in apis['items']: for api in apis["items"]:
stages = v1_client.get_stages( stages = v1_client.get_stages(
restApiId=api['id'], restApiId=api["id"],
)
non_compliant_resources += [
f"arn:aws:apigateway:{v1_client.meta.region_name}::/restapis/{api['id']}/stages/{stage['stageName']}"
for stage in stages["item"]
if not "*/*" in stage["methodSettings"]
or (
not stage["methodSettings"]["*/*"]["cachingEnabled"]
or not stage["methodSettings"]["*/*"]["cacheDataEncrypted"]
) )
if 'item' in stages: ]
non_compliant_resources.extend([ compliant_resources += list(
set(
[
f"arn:aws:apigateway:{v1_client.meta.region_name}::/restapis/{api['id']}/stages/{stage['stageName']}" f"arn:aws:apigateway:{v1_client.meta.region_name}::/restapis/{api['id']}/stages/{stage['stageName']}"
for stage in stages['item'] for stage in stages["item"]
if not stage['methodSettings'] ]
]) )
non_compliant_resources.extend([ - set(non_compliant_resources)
f"arn:aws:apigateway:{v1_client.meta.region_name}::/restapis/{api['id']}/stages/{stage['stageName']}" )
for stage in stages['item']
for _,settings in stage['methodSettings'].items()
if not settings['cachingEnabled']
or not settings['cacheDataEncrypted']
])
compliant_resources.extend([
f"arn:aws:apigateway:{v1_client.meta.region_name}::/restapis/{api['id']}/stages/{stage['stageName']}"
for stage in stages['item']
for _,settings in stage['methodSettings'].items()
if settings['cachingEnabled']
and settings['cacheDataEncrypted']
])
return RuleCheckResult( return RuleCheckResult(
passed=not non_compliant_resources, passed=not non_compliant_resources,
compliant_resources=compliant_resources, compliant_resources=compliant_resources,
non_compliant_resources=non_compliant_resources non_compliant_resources=non_compliant_resources,
) )
def api_gw_execution_logging_enabled(): def api_gw_execution_logging_enabled():
apis = v1_client.get_rest_apis() apis = v1_client.get_rest_apis()
compliant_resources=[] compliant_resources = []
non_compliant_resources=[] non_compliant_resources = []
if 'items' in apis: for api in apis["items"]:
for api in apis['items']: stages = v1_client.get_stages(
stages = v1_client.get_stages( restApiId=api["id"],
restApiId=api['id'], )
non_compliant_resources += [
f"arn:aws:apigateway:{v1_client.meta.region_name}::/restapis/{api['id']}/stages/{stage['stageName']}"
for stage in stages["item"]
if not "*/*" in stage["methodSettings"]
or (
not "loggingLevel" in stage["methodSettings"]["*/*"]
or stage["methodSettings"]["*/*"]["loggingLevel"] == "OFF"
) )
if 'item' in stages: ]
non_compliant_resources.extend([ compliant_resources += list(
set(
[
f"arn:aws:apigateway:{v1_client.meta.region_name}::/restapis/{api['id']}/stages/{stage['stageName']}" f"arn:aws:apigateway:{v1_client.meta.region_name}::/restapis/{api['id']}/stages/{stage['stageName']}"
for stage in stages['item'] for stage in stages["item"]
if not stage['methodSettings'] ]
]) )
non_compliant_resources.extend([ - set(non_compliant_resources)
f"arn:aws:apigateway:{v1_client.meta.region_name}::/restapis/{api['id']}/stages/{stage['stageName']}" )
for stage in stages['item']
for _,settings in stage['methodSettings'].items()
if not (settings['loggingLevel'] == "INFO"
or settings['loggingLevel'] == "ERROR")
])
compliant_resources.extend([
f"arn:aws:apigateway:{v1_client.meta.region_name}::/restapis/{api['id']}/stages/{stage['stageName']}"
for stage in stages['item']
for _,settings in stage['methodSettings'].items()
if settings['loggingLevel'] == "INFO"
or settings['loggingLevel'] == "ERROR"
])
return RuleCheckResult( return RuleCheckResult(
passed=not non_compliant_resources, passed=not non_compliant_resources,
compliant_resources=compliant_resources, compliant_resources=compliant_resources,
non_compliant_resources=non_compliant_resources non_compliant_resources=non_compliant_resources,
) )
def api_gw_xray_enabled(): def api_gw_xray_enabled():
apis = v1_client.get_rest_apis() apis = v1_client.get_rest_apis()
compliant_resources=[] compliant_resources = []
non_compliant_resources=[] non_compliant_resources = []
if 'items' in apis: for api in apis["items"]:
for api in apis['items']: stages = v1_client.get_stages(
stages = v1_client.get_stages( restApiId=api["id"],
restApiId=api['id'], )
non_compliant_resources += [
f"arn:aws:apigateway:{v1_client.meta.region_name}::/restapis/{api['id']}/stages/{stage['stageName']}"
for stage in stages["item"]
if not stage["tracingEnabled"]
]
compliant_resources += list(
set(
[
f"arn:aws:apigateway:{v1_client.meta.region_name}::/restapis/{api['id']}/stages/{stage['stageName']}"
for stage in stages["item"]
]
) )
if 'item' in stages: - set(non_compliant_resources)
non_compliant_resources.extend([ )
f"arn:aws:apigateway:{v1_client.meta.region_name}::/restapis/{api['id']}/stages/{stage['stageName']}"
for stage in stages['item']
if not stage['tracingEnabled']
])
compliant_resources.extend([
f"arn:aws:apigateway:{v1_client.meta.region_name}::/restapis/{api['id']}/stages/{stage['stageName']}"
for stage in stages['item']
if stage['tracingEnabled']
])
return RuleCheckResult( return RuleCheckResult(
passed=not non_compliant_resources, passed=not non_compliant_resources,
compliant_resources=compliant_resources, compliant_resources=compliant_resources,
non_compliant_resources=non_compliant_resources non_compliant_resources=non_compliant_resources,
) )