Merge branch 'main' of https://github.com/sarika-subram/service-scree…

…ner-v2

Screener.py

@@ -102,7 +102,13 @@ def scanByService(service, regions, filters):
 
         GLOBALRESOURCES = Config.get(globalKey, [])
         if len(GLOBALRESOURCES) > 0:
-            contexts[service[0]]['GLOBAL'] = GLOBALRESOURCES
+            garr = {}
+            ginfo = {}
+            for identifier, obj in GLOBALRESOURCES.items():
+                garr[identifier] = obj['results']
+                ginfo[identifier] = obj['info']
+
+            contexts[service[0]]['GLOBAL'] = arr
 
         time_end = time.time()
         scanned = Config.get(scannedKey)

frameworks/Framework.py

@@ -100,6 +100,9 @@ def formatTitle(self, title):
         return '<h3>' + title + '</h3>'
 
     def getContent(self, _m):
+        if len(_m) == 0:
+            return
+
         serv, check = _m.split(".")
         if check == '$length':
             cnt = self.getResourceCount(serv)

frameworks/FrameworkPageBuilder.py

@@ -6,7 +6,7 @@
 from frameworks.WAFS.WAFS import WAFS
 from frameworks.MSR.MSR import MSR
 from frameworks.CIS.CIS import CIS
-from frameworks.CIS.CIS import NIST
+from frameworks.NIST.NIST import NIST
 
 class FrameworkPageBuilder(PageBuilder):
     COMPLIANCE_STATUS = ["Not available", "Compliant", "Need Attention"]

frameworks/NIST/map.json

@@ -96,7 +96,7 @@
             "2": ["ec2.SGDefaultDisallowTraffic"],
             "3": ["ec2.EBSInUse", "ec2.EBSEncrypted"],
             "4": ["ec2.EC2Active"],
-            "5": [""],
+            "5": [],
             "6": [],
             "7": ["ec2.EBSEncrypted"],
             "8": ["ec2.ASGIMDSv2"],
@@ -297,7 +297,7 @@
             "22": [],
             "23": [],
             "24": ["rds.DefaultMasterAdmin"],
-            "25": ["rdsDefaultMasterAdmin"],
+            "25": ["rds.DefaultMasterAdmin"],
             "26": [],
             "27": ["rds.StorageEncrypted"],
             "34": [],
@@ -331,7 +331,7 @@
             "13": ["s3.BucketLifecycle"],
             "14": ["s3.BucketVersioning"],
             "15": ["s3.ObjectLock"],
-            "17": ["ServerSideEncrypted", "s3.SSEWithKMS"],
+            "17": ["s3.ServerSideEncrypted", "s3.SSEWithKMS"],
             "19": [],
             "20": ["s3.MFADelete"]
         },

frameworks/SSB/map.json

@@ -3,7 +3,7 @@
     "originator": "AWS",
     "shortname": "SSB",
     "fullname": "AWS Startup Security Baseline",
-    "description": "The AWS Startup Security Baseline (SSB) is a set of controls that create a minimum foundation for businesses to build securely on AWS without decreasing their agility. These controls form the basis of your security posture and are focused on securing credentials, enabling logging and visibility, managing contact information, and implementing basic data boundaries.<br><br>The controls in this guide are designed with early startups in mind, mitigating the most common security risks without requiring significant effort. Many startups begin their journey in the AWS Cloud with a single AWS account. As organizations grow, they migrate to multi-account architectures. The guidance in this guide is designed for single-account architectures, but it helps you set up security controls that are easily migrated or modified as you transition to a multi-account architecture.<br><br>The controls in the AWS SSB are separated into two categories: account and workload. Account controls help keep your AWS account secure. It includes recommendations for setting up user access, policies, and permissions, and it includes recommendations for how to monitor your account for unauthorized or potentially malicious activity. Workload controls help secure your resources and code in the cloud, such as applications, backend processes, and data. It includes recommendations such as encryption and reducing the scope of access.",
+    "description": "The AWS Startup Security Baseline (SSB) is a set of controls that create a minimum foundation for businesses to build securely on AWS without decreasing their agility. These controls form the basis of your security posture and are focused on securing credentials, enabling logging and visibility, managing contact information, and implementing basic data boundaries.<br><br>The controls in this guide are designed with early startups in mind, mitigating the most common security risks without requiring significant effort. Many startups begin their journey in the AWS Cloud with a single AWS account. As organizations grow, they migrate to multi-account architectures. The guidance in this guide is designed for single-account architectures, but it helps you set up security controls that are easily migrated or modified as you transition to a multi-account architecture.<br><br>The controls in the AWS SSB are separated into two categories: account and workload. Account controls help keep your AWS account secure. It includes recommendations for setting up user access, policies, and permissions, and it includes recommendations for how to monitor your account for unauthorized or potentially malicious activity. Workload controls help secure your resources and code in the cloud, such as applications, backend processes, and data. It includes recommendations such as encryption and reducing the scope of access. You can find guides/information on this workshop: https://catalog.workshops.aws/startup-security-baseline/en-US to learn more about it",
     "_": "https://docs.aws.amazon.com/prescriptive-guidance/latest/aws-startup-security-baseline/welcome.html",
     "emptyCheckDefaultMsg": ""
   },

services/cloudfront/drivers/cloudfrontDist.py

@@ -51,6 +51,9 @@ def _checkDeprecatedSSL(self):
             if not 'CustomOriginConfig' in y:
                 continue
 
+            if y['CustomOriginConfig']['OriginProtocolPolicy'] == 'http-only':
+                continue
+
             if 'SSLv3' in y['CustomOriginConfig']['OriginSslProtocols']['Items']:
                 self.results['DeprecatedSSLProtocol'] = [-1, '']
                 break

services/cloudwatch/cloudwatch.reporter.json

@@ -155,7 +155,7 @@
 			"[CIS Cloudwatch Guide 12]<https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-12>"
 		]
 	},
-	"trailWOMASecGroup13": {
+	"trailWOMARouteTable13": {
 		"category": "O",
 		"^description": "CIS recommends that you create a metric filter and alarm for changes to route tables. Monitoring these changes helps ensure that all VPC traffic flows through an expected path.",
 		"shortDesc": "Create alarm: Route Table changes",
@@ -168,7 +168,7 @@
 			"[CIS Cloudwatch Guide 13]<https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-13>"
 		]
 	},
-	"trailWOMAGateway14": {
+	"trailWOMAVPC14": {
 		"category": "O",
 		"^description": "CIS recommends that you create a metric filter and alarm for changes to VPCs. Monitoring these changes helps ensure that authentication and authorization controls remain intact.",
 		"shortDesc": "Create alarm: VPC Changes",
@@ -233,4 +233,4 @@
 			"[CIS Cloudwatch Guide 16]<https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-16>"
 		]
 	}
-}
+}

services/dashboard/DashboardPageBuilder.py

@@ -85,6 +85,8 @@ def buildContentDetail_dashboard(self):
         donutR = {} 
         dataSetsL = {}
         dataSetsR = {}
+        filterDonutL = {}
+        filterDonutR = {}
 
         regions = self.regions
         services = self.services
@@ -111,13 +113,22 @@ def buildContentDetail_dashboard(self):
                 donutL[region] += hri
                 donutR[serv] += hri
 
+        for region, cnt in donutL.items():
+            if cnt > 0:
+                filterDonutL[region] = cnt
+
+        for serv, cnt in donutR.items():
+            if cnt > 0:
+                filterDonutR[serv] = cnt
+
+
         # card = self.generateCard(pid=pid, html=html, cardClass='danger', title='No. Criticality', titleBadge='', collapse=False, noPadding=False)
 
-        html = self.generateDonutPieChart(donutL, 'hriByRegion', 'doughnut')
+        html = self.generateDonutPieChart(filterDonutL, 'hriByRegion', 'doughnut')
         card = self.generateCard(pid=self.getHtmlId('chartServRegion'), html=html, cardClass='warning', title='High Risk - Group by Region', titleBadge='', collapse=True, noPadding=False)
         items = [[card, '']]
 
-        html = self.generateDonutPieChart(donutR, 'hriByService', 'pie')
+        html = self.generateDonutPieChart(filterDonutR, 'hriByService', 'pie')
         card = self.generateCard(pid=self.getHtmlId('pieHriByService'), html=html, cardClass='warning', title='High Risk - Group by Service', titleBadge='', collapse=True, noPadding=False)
         items.append([card, ''])
 

services/efs/drivers/EfsDriver.py

@@ -9,12 +9,12 @@ def __init__(self, efs, efs_client):
         self.results = {}
         self.init()
 
-    def __check_encrypted(self):
+    def _checkEncrypted(self):
         self.results['EncryptedAtRest'] = [1, 'Enabled']
         if self.efs['Encrypted'] != 1:
             self.results['EncryptedAtRest'] = [-1, 'Disabled']
 
-    def __check_lifecycle_configuration(self):
+    def _checkLifecycle_configuration(self):
         self.results['Lifecycle'] = [1, 'Enabled']
         efs_id = self.efs['FileSystemId']
 
@@ -25,7 +25,7 @@ def __check_lifecycle_configuration(self):
         if len(life_cycle['LifecyclePolicies']) == 0:
             self.results['EnabledLifecycle'] = [-1, 'Disabled']
 
-    def __check_backup_policy(self):
+    def _checkBackupPolicy(self):
         self.results['AutomatedBackup'] = [1, 'Enabled']
         efs_id = self.efs['FileSystemId']
 
@@ -34,4 +34,4 @@ def __check_backup_policy(self):
         )
 
         if backup['BackupPolicy']['Status'] == 'DISABLED':
-            self.results['AutomatedBackup'] = [-1, 'Disabled']
+            self.results['AutomatedBackup'] = [-1, 'Disabled']