119 lines
3.9 KiB
Python
119 lines
3.9 KiB
Python
from models import RuleCheckResult
|
|
import boto3
|
|
|
|
|
|
client = boto3.client("efs")
|
|
ec2_client = boto3.client("ec2")
|
|
|
|
|
|
def efs_access_point_enforce_root_directory():
|
|
access_points = client.describe_access_points()["AccessPoints"]
|
|
compliant_resource = []
|
|
non_compliant_resources = []
|
|
|
|
for access_point in access_points:
|
|
if access_point["RootDirectory"]["Path"] != "/":
|
|
compliant_resource.append(access_point["AccessPointArn"])
|
|
else:
|
|
non_compliant_resources.append(access_point["AccessPointArn"])
|
|
|
|
return RuleCheckResult(
|
|
passed=not non_compliant_resources,
|
|
compliant_resources=compliant_resource,
|
|
non_compliant_resources=non_compliant_resources,
|
|
)
|
|
|
|
|
|
def efs_access_point_enforce_user_identity():
|
|
access_points = client.describe_access_points()["AccessPoints"]
|
|
compliant_resource = []
|
|
non_compliant_resources = []
|
|
|
|
for access_point in access_points:
|
|
if "PosixUser" in access_point:
|
|
compliant_resource.append(access_point["AccessPointArn"])
|
|
else:
|
|
non_compliant_resources.append(access_point["AccessPointArn"])
|
|
|
|
return RuleCheckResult(
|
|
passed=not non_compliant_resources,
|
|
compliant_resources=compliant_resource,
|
|
non_compliant_resources=non_compliant_resources,
|
|
)
|
|
|
|
|
|
def efs_automatic_backups_enabled():
|
|
file_systems = client.describe_file_systems()["FileSystems"]
|
|
compliant_resource = []
|
|
non_compliant_resources = []
|
|
|
|
for file_system in file_systems:
|
|
response = client.describe_backup_policy(
|
|
FileSystemId=file_system["FileSystemId"]
|
|
)
|
|
if response["BackupPolicy"]["Status"] == "ENABLED":
|
|
compliant_resource.append(file_system["FileSystemArn"])
|
|
else:
|
|
non_compliant_resources.append(file_system["FileSystemArn"])
|
|
|
|
return RuleCheckResult(
|
|
passed=not non_compliant_resources,
|
|
compliant_resources=compliant_resource,
|
|
non_compliant_resources=non_compliant_resources,
|
|
)
|
|
|
|
|
|
def efs_encrypted_check():
|
|
file_systems = client.describe_file_systems()["FileSystems"]
|
|
compliant_resource = []
|
|
non_compliant_resources = []
|
|
|
|
for file_system in file_systems:
|
|
if file_system["Encrypted"] == True:
|
|
compliant_resource.append(file_system["FileSystemArn"])
|
|
else:
|
|
non_compliant_resources.append(file_system["FileSystemArn"])
|
|
|
|
return RuleCheckResult(
|
|
passed=not non_compliant_resources,
|
|
compliant_resources=compliant_resource,
|
|
non_compliant_resources=non_compliant_resources,
|
|
)
|
|
|
|
|
|
def efs_mount_target_public_accessible():
|
|
file_systems = client.describe_file_systems()["FileSystems"]
|
|
compliant_resource = []
|
|
non_compliant_resources = []
|
|
|
|
for file_system in file_systems:
|
|
mount_targets = client.describe_mount_targets(
|
|
FileSystemId=file_system["FileSystemId"]
|
|
)["MountTargets"]
|
|
for mount_target in mount_targets:
|
|
subnet_id = mount_target["SubnetId"]
|
|
routes = ec2_client.describe_route_tables(
|
|
Filters=[{"Name": "association.subnet-id", "Values": [subnet_id]}]
|
|
)["RouteTables"][0]["Routes"]
|
|
|
|
for route in routes:
|
|
if (
|
|
"DestinationCidrBlock" in route
|
|
and route["DestinationCidrBlock"] == "0.0.0.0/0"
|
|
and "GatewayId" in route
|
|
and route["GatewayId"].startswith("igw-")
|
|
):
|
|
non_compliant_resources.append(file_system["FileSystemArn"])
|
|
break
|
|
else:
|
|
compliant_resource.append(file_system["FileSystemArn"])
|
|
|
|
compliant_resource = list(set(compliant_resource))
|
|
non_compliant_resources = list(set(non_compliant_resources))
|
|
|
|
return RuleCheckResult(
|
|
passed=not non_compliant_resources,
|
|
compliant_resources=compliant_resource,
|
|
non_compliant_resources=non_compliant_resources,
|
|
)
|