pmh_only/bp-check
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Check API GW rules

Browse Source
This commit is contained in:
EC2 Default User 2024-08-13 02:45:07 +00:00 committed by skyuecx0630
parent 92f9bd375c
commit 4854f11021
1 changed files with 133 additions and 126 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

203
services/api_gw.py
View File

@ -2,34 +2,35 @@ from models import RuleCheckResult
import boto3
v2_client = boto3.client('apigatewayv2')
v1_client = boto3.client('apigateway')
wafv2_client = boto3.client('wafv2')
v1_client = boto3.client("apigateway")
v2_client = boto3.client("apigatewayv2")
def api_gwv2_access_logs_enabled():
apis = v2_client.get_apis()
compliant_resources = []
non_compliant_resources = []
if 'Items' in apis:
for api in apis['Items']:
for api in apis["Items"]:
stages = v2_client.get_stages(
ApiId=api['ApiId'],
ApiId=api["ApiId"],
)
if 'Items' not in stages: continue
noncompliant_stage_names = [
stage['StageName']
for stage in stages['Items']
if 'AccessLogSettings' not in stage
non_compliant_resources += [
f"{api['Name']} / {stage['StageName']}"
for stage in stages["Items"]
if "AccessLogSettings" not in stage
]
if noncompliant_stage_names:
identity = api['Name'] + " | " + ", ".join(noncompliant_stage_names)
non_compliant_resources.append(identity)
else:
compliant_resources.append(api['name'])
compliant_resources += list(
set([f"{api['Name']} / {stage['StageName']}" for stage in stages["Items"]])
- set(non_compliant_resources)
)
return RuleCheckResult(
passed=not non_compliant_resources,
compliant_resources=compliant_resources,
non_compliant_resources=non_compliant_resources
non_compliant_resources=non_compliant_resources,
)
@ -37,25 +38,27 @@ def api_gwv2_authorization_type_configured():
apis = v2_client.get_apis()
compliant_resources = []
non_compliant_resources = []
if 'Items' in apis:
for api in apis['Items']:
for api in apis["Items"]:
response = v2_client.get_routes(
ApiId=api['ApiId'],
ApiId=api["ApiId"],
)
noncomplaint_routes = [
route['RouteKey']
for route in response['Items']
if route['AuthorizationType'] == "NONE"
non_compliant_resources += [
f"{api['Name']} / {route['RouteKey']}"
for route in response["Items"]
if route["AuthorizationType"] == "NONE"
]
if noncomplaint_routes:
identity = api['Name'] + " | " + ', '.join(noncomplaint_routes)
non_compliant_resources.append(identity)
else:
compliant_resources.append(api['Name'])
compliant_resources += list(
set([f"{api['Name']} / {route['RouteKey']}" for route in response["Items"]])
- set(non_compliant_resources)
)
return RuleCheckResult(
passed=not non_compliant_resources,
compliant_resources=compliant_resources,
non_compliant_resources=non_compliant_resources
non_compliant_resources=non_compliant_resources,
)
@ -63,23 +66,24 @@ def api_gw_associated_with_waf():
apis = v1_client.get_rest_apis()
compliant_resources = []
non_compliant_resources = []
if 'items' in apis:
for api in apis['items']:
for api in apis["items"]:
stages = v1_client.get_stages(
restApiId=api['id'],
restApiId=api["id"],
)
if 'item' in stages:
for stage in stages['item']:
for stage in stages["item"]:
stage_arn = f"arn:aws:apigateway:{v1_client.meta.region_name}::/restapis/{api['id']}/stages/{stage['stageName']}"
response = wafv2_client.get_web_acl_for_resource(
ResourceArn=stage_arn
)
if 'WebACL' in response: compliant_resources.append(stage_arn)
else: non_compliant_resources.append(stage_arn)
if "webAclArn" in stage:
compliant_resources.append(stage_arn)
else:
non_compliant_resources.append(stage_arn)
return RuleCheckResult(
passed=not non_compliant_resources,
compliant_resources=compliant_resources,
non_compliant_resources=non_compliant_resources
non_compliant_resources=non_compliant_resources,
)
@ -87,35 +91,35 @@ def api_gw_cache_enabled_and_encrypted():
apis = v1_client.get_rest_apis()
compliant_resources = []
non_compliant_resources = []
if 'items' in apis:
for api in apis['items']:
for api in apis["items"]:
stages = v1_client.get_stages(
restApiId=api['id'],
restApiId=api["id"],
)
if 'item' in stages:
non_compliant_resources.extend([
non_compliant_resources += [
f"arn:aws:apigateway:{v1_client.meta.region_name}::/restapis/{api['id']}/stages/{stage['stageName']}"
for stage in stages['item']
if not stage['methodSettings']
])
non_compliant_resources.extend([
for stage in stages["item"]
if not "*/*" in stage["methodSettings"]
or (
not stage["methodSettings"]["*/*"]["cachingEnabled"]
or not stage["methodSettings"]["*/*"]["cacheDataEncrypted"]
)
]
compliant_resources += list(
set(
[
f"arn:aws:apigateway:{v1_client.meta.region_name}::/restapis/{api['id']}/stages/{stage['stageName']}"
for stage in stages['item']
for _,settings in stage['methodSettings'].items()
if not settings['cachingEnabled']
or not settings['cacheDataEncrypted']
])
compliant_resources.extend([
f"arn:aws:apigateway:{v1_client.meta.region_name}::/restapis/{api['id']}/stages/{stage['stageName']}"
for stage in stages['item']
for _,settings in stage['methodSettings'].items()
if settings['cachingEnabled']
and settings['cacheDataEncrypted']
])
for stage in stages["item"]
]
)
- set(non_compliant_resources)
)
return RuleCheckResult(
passed=not non_compliant_resources,
compliant_resources=compliant_resources,
non_compliant_resources=non_compliant_resources
non_compliant_resources=non_compliant_resources,
)
@ -123,35 +127,34 @@ def api_gw_execution_logging_enabled():
apis = v1_client.get_rest_apis()
compliant_resources = []
non_compliant_resources = []
if 'items' in apis:
for api in apis['items']:
for api in apis["items"]:
stages = v1_client.get_stages(
restApiId=api['id'],
restApiId=api["id"],
)
if 'item' in stages:
non_compliant_resources.extend([
non_compliant_resources += [
f"arn:aws:apigateway:{v1_client.meta.region_name}::/restapis/{api['id']}/stages/{stage['stageName']}"
for stage in stages['item']
if not stage['methodSettings']
])
non_compliant_resources.extend([
for stage in stages["item"]
if not "*/*" in stage["methodSettings"]
or (
not "loggingLevel" in stage["methodSettings"]["*/*"]
or stage["methodSettings"]["*/*"]["loggingLevel"] == "OFF"
)
]
compliant_resources += list(
set(
[
f"arn:aws:apigateway:{v1_client.meta.region_name}::/restapis/{api['id']}/stages/{stage['stageName']}"
for stage in stages['item']
for _,settings in stage['methodSettings'].items()
if not (settings['loggingLevel'] == "INFO"
or settings['loggingLevel'] == "ERROR")
])
compliant_resources.extend([
f"arn:aws:apigateway:{v1_client.meta.region_name}::/restapis/{api['id']}/stages/{stage['stageName']}"
for stage in stages['item']
for _,settings in stage['methodSettings'].items()
if settings['loggingLevel'] == "INFO"
or settings['loggingLevel'] == "ERROR"
])
for stage in stages["item"]
]
)
- set(non_compliant_resources)
)
return RuleCheckResult(
passed=not non_compliant_resources,
compliant_resources=compliant_resources,
non_compliant_resources=non_compliant_resources
non_compliant_resources=non_compliant_resources,
)
@ -159,24 +162,28 @@ def api_gw_xray_enabled():
apis = v1_client.get_rest_apis()
compliant_resources = []
non_compliant_resources = []
if 'items' in apis:
for api in apis['items']:
for api in apis["items"]:
stages = v1_client.get_stages(
restApiId=api['id'],
restApiId=api["id"],
)
if 'item' in stages:
non_compliant_resources.extend([
non_compliant_resources += [
f"arn:aws:apigateway:{v1_client.meta.region_name}::/restapis/{api['id']}/stages/{stage['stageName']}"
for stage in stages['item']
if not stage['tracingEnabled']
])
compliant_resources.extend([
for stage in stages["item"]
if not stage["tracingEnabled"]
]
compliant_resources += list(
set(
[
f"arn:aws:apigateway:{v1_client.meta.region_name}::/restapis/{api['id']}/stages/{stage['stageName']}"
for stage in stages['item']
if stage['tracingEnabled']
])
for stage in stages["item"]
]
)
- set(non_compliant_resources)
)
return RuleCheckResult(
passed=not non_compliant_resources,
compliant_resources=compliant_resources,
non_compliant_resources=non_compliant_resources
non_compliant_resources=non_compliant_resources,
)