bp-check/services/cloudfront.py

from models import RuleCheckResult
import boto3


client = boto3.client("cloudfront")


def cloudfront_accesslogs_enabled():
    compliant_resources = []
    non_compliant_resources = []
    distributions = client.list_distributions()["DistributionList"]["Items"]

    for distribution in distributions:
        distribution = client.get_distribution(Id=distribution["Id"])["Distribution"]
        if (
            "Logging" in distribution["DistributionConfig"]
            and distribution["DistributionConfig"]["Logging"]["Enabled"] == True
        ):
            compliant_resources.append(distribution["ARN"])
        else:
            non_compliant_resources.append(distribution["ARN"])

    return RuleCheckResult(
        passed=not non_compliant_resources,
        compliant_resources=compliant_resources,
        non_compliant_resources=non_compliant_resources,
    )


def cloudfront_associated_with_waf():
    compliant_resources = []
    non_compliant_resources = []
    distributions = client.list_distributions()["DistributionList"]["Items"]

    for distribution in distributions:
        distribution = client.get_distribution(Id=distribution["Id"])["Distribution"]

        if "WebACLId" in distribution["DistributionConfig"] and distribution["DistributionConfig"]["WebACLId"] != "":
            compliant_resources.append(distribution["ARN"])
        else:
            non_compliant_resources.append(distribution["ARN"])

    return RuleCheckResult(
        passed=not non_compliant_resources,
        compliant_resources=compliant_resources,
        non_compliant_resources=non_compliant_resources,
    )


def cloudfront_default_root_object_configured():
    compliant_resources = []
    non_compliant_resources = []
    distributions = client.list_distributions()["DistributionList"]["Items"]

    for distribution in distributions:
        distribution = client.get_distribution(Id=distribution["Id"])["Distribution"]

        if distribution["DistributionConfig"]["DefaultRootObject"] != "":
            compliant_resources.append(distribution["ARN"])
        else:
            non_compliant_resources.append(distribution["ARN"])

    return RuleCheckResult(
        passed=not non_compliant_resources,
        compliant_resources=compliant_resources,
        non_compliant_resources=non_compliant_resources,
    )


def cloudfront_no_deprecated_ssl_protocols():
    compliant_resources = []
    non_compliant_resources = []
    distributions = client.list_distributions()["DistributionList"]["Items"]

    for distribution in distributions:
        distribution = client.get_distribution(Id=distribution["Id"])["Distribution"]

        for origin in distribution["DistributionConfig"]["Origins"]["Items"]:
            if (
                "CustomOriginConfig" in origin
                and "SSLv3" in origin["CustomOriginConfig"]["OriginSslProtocols"]["Items"]
            ):

                non_compliant_resources.append(distribution["ARN"])
                break
        else:
            compliant_resources.append(distribution["ARN"])

    return RuleCheckResult(
        passed=not non_compliant_resources,
        compliant_resources=compliant_resources,
        non_compliant_resources=non_compliant_resources,
    )


def cloudfront_s3_origin_access_control_enabled():
    compliant_resources = []
    non_compliant_resources = []
    distributions = client.list_distributions()["DistributionList"]

    for distribution in distributions["Items"]:
        for origin in distribution["Origins"]["Items"]:
            if "S3OriginConfig" in origin and origin["OriginAccessControlId"] == "":
                non_compliant_resources.append(distribution["Id"])
                break
        else:
            compliant_resources.append(distribution["Id"])

    return RuleCheckResult(
        passed=not non_compliant_resources,
        compliant_resources=compliant_resources,
        non_compliant_resources=non_compliant_resources,
    )


def cloudfront_viewer_policy_https():
    compliant_resources = []
    non_compliant_resources = []
    distributions = client.list_distributions()["DistributionList"]["Items"]

    for distribution in distributions:
        distribution = client.get_distribution(Id=distribution["Id"])["Distribution"]

        if distribution["DistributionConfig"]["DefaultCacheBehavior"]["ViewerProtocolPolicy"] != "allow-all":
            for behavior in distribution["DistributionConfig"]["CacheBehaviors"]["Items"]:
                if behavior["ViewerProtocolPolicy"] == "allow-all":
                    non_compliant_resources.append(distribution["ARN"])
                    break
            else:
                compliant_resources.append(distribution["ARN"])
        else:
            non_compliant_resources.append(distribution["ARN"])

    return RuleCheckResult(
        passed=not non_compliant_resources,
        compliant_resources=compliant_resources,
        non_compliant_resources=non_compliant_resources,
    )