Add feature : Secrets Manager bp check

This commit is contained in:
Juwon 2024-08-07 11:36:11 +09:00 committed by skyuecx0630
parent f16a8fe911
commit 746c6a98df


@ -1,23 +1,72 @@
from models import RuleCheckResult from models import RuleCheckResult
import boto3 import boto3
import datetime
from dateutil.tz import tzlocal
# client = boto3.client("") client = boto3.client("secretsmanager")
def secretsmanager_rotation_enabled_check(): def secretsmanager_rotation_enabled_check():
compliant_resources = []
non_compliant_resources = []
secrets = client.list_secrets()["SecretList"]
for secret in secrets:
if secret["RotationEnabled"] == True:
compliant_resources.append(secret["ARN"])
else:
non_compliant_resources.append(secret["ARN"])
return RuleCheckResult( return RuleCheckResult(
passed=False, compliant_resources=[], non_compliant_resources=[] passed=not non_compliant_resources,
compliant_resources=compliant_resources,
non_compliant_resources=non_compliant_resources,
) )
def secretsmanager_scheduled_rotation_success_check(): def secretsmanager_scheduled_rotation_success_check():
compliant_resources = []
non_compliant_resources = []
secrets = client.list_secrets()["SecretList"]
for secret in secrets:
if secret["RotationEnabled"] == True:
now = datetime.datetime.now(tz=tzlocal())
rotation_period = datetime.timedelta(
days=secret["RotationRules"]["AutomaticallyAfterDays"] + 2
) # 최대 2일 지연 가능 (aws)
elapsed_time_after_rotation = now - secret["LastRotatedDate"]
if elapsed_time_after_rotation > rotation_period:
non_compliant_resources.append(secret["ARN"])
else:
compliant_resources.append(secret["ARN"])
return RuleCheckResult( return RuleCheckResult(
passed=False, compliant_resources=[], non_compliant_resources=[] passed=not non_compliant_resources,
compliant_resources=compliant_resources,
non_compliant_resources=non_compliant_resources,
) )
def secretsmanager_secret_periodic_rotation(): def secretsmanager_secret_periodic_rotation():
compliant_resources = []
non_compliant_resources = []
secrets = client.list_secrets()["SecretList"]
for secret in secrets:
if secret["RotationEnabled"] == True:
now = datetime.datetime.now(tz=tzlocal())
elapsed_time_after_rotation = now - secret["LastRotatedDate"]
if elapsed_time_after_rotation > datetime.timedelta(days=90):
non_compliant_resources.append(secret["ARN"])
else:
compliant_resources.append(secret["ARN"])
return RuleCheckResult( return RuleCheckResult(
passed=False, compliant_resources=[], non_compliant_resources=[] passed=not non_compliant_resources,
compliant_resources=compliant_resources,
non_compliant_resources=non_compliant_resources,
) )
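Review bot: All three new checks read only the first page of `client.list_secrets()["SecretList"]` (in secretsmanager_rotation_enabled_check, secretsmanager_scheduled_rotation_success_check and secretsmanager_secret_periodic_rotation), so secrets past the first page are never evaluated and an account with more secrets than one page returns can be reported as `passed=True` on a partial view. Use the paginator in each function instead, e.g. `paginator = client.get_paginator("list_secrets")` followed by `secrets = [s for page in paginator.paginate() for s in page["SecretList"]]`. The two date-based checks also drop every secret whose rotation is disabled from both result lists without recording it, which is presumably intended for the scheduled-rotation check but deserves a one-line comment in secretsmanager_secret_periodic_rotation, where an unrotated secret is arguably the non-compliant case. `secret["RotationRules"]["AutomaticallyAfterDays"]` and `secret["LastRotatedDate"]` can raise KeyError for a secret that has rotation enabled but has not completed a rotation yet, or that is scheduled by expression rather than by day count, so read them with `.get` and decide explicitly what to do when they are missing rather than letting the whole check abort. Likewise `if secret["RotationEnabled"] == True:` is better written `if secret.get("RotationEnabled"):`, since the key is not guaranteed on every listed secret and the `== True` comparison is unidiomatic.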