diff --git a/Screener.py b/Screener.py
index e745dce..63ab0ab 100644
--- a/Screener.py
+++ b/Screener.py
@@ -102,7 +102,13 @@ def scanByService(service, regions, filters):
GLOBALRESOURCES = Config.get(globalKey, [])
if len(GLOBALRESOURCES) > 0:
- contexts[service[0]]['GLOBAL'] = GLOBALRESOURCES
+ garr = {}
+ ginfo = {}
+ for identifier, obj in GLOBALRESOURCES.items():
+ garr[identifier] = obj['results']
+ ginfo[identifier] = obj['info']
+
+ contexts[service[0]]['GLOBAL'] = arr
time_end = time.time()
scanned = Config.get(scannedKey)
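Review bot: The rewritten assignment on the last added line stores `arr` rather than the `garr` dict the new loop just built, so `garr` and `ginfo` are dead and the GLOBAL context receives whatever `arr` holds earlier in `scanByService` (not visible in this hunk), or raises NameError if nothing does. The line should read `contexts[service[0]]['GLOBAL'] = garr`, and `ginfo` should either be stored alongside it or dropped. The loop also now assumes `GLOBALRESOURCES` is a dict of `{'results': ..., 'info': ...}` entries while the `Config.get(globalKey, [])` default is a list; the `len > 0` guard covers the empty default, but a non-empty list would fail on `.items()`. `scanByService` starts before the hunk.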
diff --git a/frameworks/Framework.py b/frameworks/Framework.py
index 6ba10be..221c512 100644
--- a/frameworks/Framework.py
+++ b/frameworks/Framework.py
@@ -100,6 +100,9 @@ def formatTitle(self, title):
return '
' + title + '
'
def getContent(self, _m):
+ if len(_m) == 0:
+ return
+
serv, check = _m.split(".")
if check == '$length':
cnt = self.getResourceCount(serv)
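Review bot: The new guard at the top of `getContent` only catches the empty-string mapping and still lets `serv, check = _m.split(".")` raise ValueError for entries without exactly one dot, which is precisely the shape of the map.json typos this same commit fixes (`rdsDefaultMasterAdmin`, `ServerSideEncrypted`). Widening it to `if not _m or _m.count(".") != 1: return` (ideally logging the bad id first) lets the report builder survive the next such typo instead of aborting the whole framework page. The bare `return` yields None, so callers of `getContent` must already tolerate that; a one-line docstring such as `Return None for an empty or malformed check id, otherwise the rendered content for serv.check.` would make the contract explicit. `getContent` continues past the end of the hunk.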
diff --git a/frameworks/FrameworkPageBuilder.py b/frameworks/FrameworkPageBuilder.py
index d34da39..3983eb8 100644
--- a/frameworks/FrameworkPageBuilder.py
+++ b/frameworks/FrameworkPageBuilder.py
@@ -6,7 +6,7 @@
from frameworks.WAFS.WAFS import WAFS
from frameworks.MSR.MSR import MSR
from frameworks.CIS.CIS import CIS
-from frameworks.CIS.CIS import NIST
+from frameworks.NIST.NIST import NIST
class FrameworkPageBuilder(PageBuilder):
COMPLIANCE_STATUS = ["Not available", "Compliant", "Need Attention"]
diff --git a/frameworks/NIST/map.json b/frameworks/NIST/map.json
index 8d2da65..da26a03 100644
--- a/frameworks/NIST/map.json
+++ b/frameworks/NIST/map.json
@@ -96,7 +96,7 @@
"2": ["ec2.SGDefaultDisallowTraffic"],
"3": ["ec2.EBSInUse", "ec2.EBSEncrypted"],
"4": ["ec2.EC2Active"],
- "5": [""],
+ "5": [],
"6": [],
"7": ["ec2.EBSEncrypted"],
"8": ["ec2.ASGIMDSv2"],
@@ -297,7 +297,7 @@
"22": [],
"23": [],
"24": ["rds.DefaultMasterAdmin"],
- "25": ["rdsDefaultMasterAdmin"],
+ "25": ["rds.DefaultMasterAdmin"],
"26": [],
"27": ["rds.StorageEncrypted"],
"34": [],
@@ -331,7 +331,7 @@
"13": ["s3.BucketLifecycle"],
"14": ["s3.BucketVersioning"],
"15": ["s3.ObjectLock"],
- "17": ["ServerSideEncrypted", "s3.SSEWithKMS"],
+ "17": ["s3.ServerSideEncrypted", "s3.SSEWithKMS"],
"19": [],
"20": ["s3.MFADelete"]
},
diff --git a/frameworks/SSB/map.json b/frameworks/SSB/map.json
index a4dac84..4207e0a 100644
--- a/frameworks/SSB/map.json
+++ b/frameworks/SSB/map.json
@@ -3,7 +3,7 @@
"originator": "AWS",
"shortname": "SSB",
"fullname": "AWS Startup Security Baseline",
- "description": "The AWS Startup Security Baseline (SSB) is a set of controls that create a minimum foundation for businesses to build securely on AWS without decreasing their agility. These controls form the basis of your security posture and are focused on securing credentials, enabling logging and visibility, managing contact information, and implementing basic data boundaries.
The controls in this guide are designed with early startups in mind, mitigating the most common security risks without requiring significant effort. Many startups begin their journey in the AWS Cloud with a single AWS account. As organizations grow, they migrate to multi-account architectures. The guidance in this guide is designed for single-account architectures, but it helps you set up security controls that are easily migrated or modified as you transition to a multi-account architecture.
The controls in the AWS SSB are separated into two categories: account and workload. Account controls help keep your AWS account secure. It includes recommendations for setting up user access, policies, and permissions, and it includes recommendations for how to monitor your account for unauthorized or potentially malicious activity. Workload controls help secure your resources and code in the cloud, such as applications, backend processes, and data. It includes recommendations such as encryption and reducing the scope of access.",
+ "description": "The AWS Startup Security Baseline (SSB) is a set of controls that create a minimum foundation for businesses to build securely on AWS without decreasing their agility. These controls form the basis of your security posture and are focused on securing credentials, enabling logging and visibility, managing contact information, and implementing basic data boundaries.
The controls in this guide are designed with early startups in mind, mitigating the most common security risks without requiring significant effort. Many startups begin their journey in the AWS Cloud with a single AWS account. As organizations grow, they migrate to multi-account architectures. The guidance in this guide is designed for single-account architectures, but it helps you set up security controls that are easily migrated or modified as you transition to a multi-account architecture.
The controls in the AWS SSB are separated into two categories: account and workload. Account controls help keep your AWS account secure. It includes recommendations for setting up user access, policies, and permissions, and it includes recommendations for how to monitor your account for unauthorized or potentially malicious activity. Workload controls help secure your resources and code in the cloud, such as applications, backend processes, and data. It includes recommendations such as encryption and reducing the scope of access. You can find guides/information on this workshop: https://catalog.workshops.aws/startup-security-baseline/en-US to learn more about it",
"_": "https://docs.aws.amazon.com/prescriptive-guidance/latest/aws-startup-security-baseline/welcome.html",
"emptyCheckDefaultMsg": ""
},
diff --git a/services/cloudfront/drivers/cloudfrontDist.py b/services/cloudfront/drivers/cloudfrontDist.py
index 3117ba3..de4162d 100644
--- a/services/cloudfront/drivers/cloudfrontDist.py
+++ b/services/cloudfront/drivers/cloudfrontDist.py
@@ -51,6 +51,9 @@ def _checkDeprecatedSSL(self):
if not 'CustomOriginConfig' in y:
continue
+ if y['CustomOriginConfig']['OriginProtocolPolicy'] == 'http-only':
+ continue
+
if 'SSLv3' in y['CustomOriginConfig']['OriginSslProtocols']['Items']:
self.results['DeprecatedSSLProtocol'] = [-1, '']
break
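Review bot: The added `http-only` skip is correct for what `_checkDeprecatedSSL` measures — the `OriginSslProtocols` list is irrelevant when CloudFront never negotiates TLS to the origin — but it means a distribution whose origin traffic is plaintext now leaves this check with no finding at all, which is a weaker posture than the SSLv3 case it does flag. A comment above the new `continue`, e.g. `# http-only origins never negotiate TLS, so the SSL protocol list does not apply here`, would stop a later reader from taking the skip to mean HTTP origins are acceptable. If the reporter supports it, surfacing plaintext origins as their own result (something like `self.results['OriginHttpOnly'] = [-1, '']`) would keep the two concerns distinct; the reporter file is not in this diff, so treat that as a suggestion to confirm. Separately, the existing test only looks for `SSLv3` while `TLSv1` and `TLSv1.1` are also deprecated — not part of this change, but worth a follow-up. The enclosing loop and `_checkDeprecatedSSL` itself begin before the hunk.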
diff --git a/services/cloudwatch/cloudwatch.reporter.json b/services/cloudwatch/cloudwatch.reporter.json
index 0a2ccd5..69b1c49 100644
--- a/services/cloudwatch/cloudwatch.reporter.json
+++ b/services/cloudwatch/cloudwatch.reporter.json
@@ -155,7 +155,7 @@
"[CIS Cloudwatch Guide 12]"
]
},
- "trailWOMASecGroup13": {
+ "trailWOMARouteTable13": {
"category": "O",
"^description": "CIS recommends that you create a metric filter and alarm for changes to route tables. Monitoring these changes helps ensure that all VPC traffic flows through an expected path.",
"shortDesc": "Create alarm: Route Table changes",
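Review bot: Renaming the reporter key from `trailWOMASecGroup13` to `trailWOMARouteTable13` only takes effect if the cloudwatch driver that populates `self.results` writes the same key; that driver is not in this diff, so if it still emits the old name the route-table finding silently disappears from the report rather than failing loudly. Please confirm the driver side (and likewise for `trailWOMAVPC14` in the next hunk) was updated in the same commit, or grep for the old keys before merging. Because these keys are the join point between driver output and reporter text, a small test asserting that every key in `cloudwatch.reporter.json` is produced by the driver would catch this class of drift.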
@@ -168,7 +168,7 @@
"[CIS Cloudwatch Guide 13]"
]
},
- "trailWOMAGateway14": {
+ "trailWOMAVPC14": {
"category": "O",
"^description": "CIS recommends that you create a metric filter and alarm for changes to VPCs. Monitoring these changes helps ensure that authentication and authorization controls remain intact.",
"shortDesc": "Create alarm: VPC Changes",
@@ -233,4 +233,4 @@
"[CIS Cloudwatch Guide 16]"
]
}
-}
\ No newline at end of file
+}
diff --git a/services/dashboard/DashboardPageBuilder.py b/services/dashboard/DashboardPageBuilder.py
index 6de26e1..7b6c886 100644
--- a/services/dashboard/DashboardPageBuilder.py
+++ b/services/dashboard/DashboardPageBuilder.py
@@ -85,6 +85,8 @@ def buildContentDetail_dashboard(self):
donutR = {}
dataSetsL = {}
dataSetsR = {}
+ filterDonutL = {}
+ filterDonutR = {}
regions = self.regions
services = self.services
@@ -111,13 +113,22 @@ def buildContentDetail_dashboard(self):
donutL[region] += hri
donutR[serv] += hri
+ for region, cnt in donutL.items():
+ if cnt > 0:
+ filterDonutL[region] = cnt
+
+ for serv, cnt in donutR.items():
+ if cnt > 0:
+ filterDonutR[serv] = cnt
+
+
# card = self.generateCard(pid=pid, html=html, cardClass='danger', title='No. Criticality', titleBadge='', collapse=False, noPadding=False)
- html = self.generateDonutPieChart(donutL, 'hriByRegion', 'doughnut')
+ html = self.generateDonutPieChart(filterDonutL, 'hriByRegion', 'doughnut')
card = self.generateCard(pid=self.getHtmlId('chartServRegion'), html=html, cardClass='warning', title='High Risk - Group by Region', titleBadge='', collapse=True, noPadding=False)
items = [[card, '']]
- html = self.generateDonutPieChart(donutR, 'hriByService', 'pie')
+ html = self.generateDonutPieChart(filterDonutR, 'hriByService', 'pie')
card = self.generateCard(pid=self.getHtmlId('pieHriByService'), html=html, cardClass='warning', title='High Risk - Group by Service', titleBadge='', collapse=True, noPadding=False)
items.append([card, ''])
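Review bot: The two new filtering loops are the manual form of a dict comprehension; `filterDonutL = {region: cnt for region, cnt in donutL.items() if cnt > 0}` and the matching line for `filterDonutR` express the same thing in two lines instead of eight and read as a single filtering step. A brief comment such as `# drop zero-count slices so the charts only show regions/services that actually have high-risk findings` would record why the unfiltered `donutL`/`donutR` are still kept. The double blank line after the loops should also be collapsed to one. `buildContentDetail_dashboard` starts before the hunk.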
diff --git a/services/efs/drivers/EfsDriver.py b/services/efs/drivers/EfsDriver.py
index 2e4944a..f6d5ccd 100644
--- a/services/efs/drivers/EfsDriver.py
+++ b/services/efs/drivers/EfsDriver.py
@@ -9,12 +9,12 @@ def __init__(self, efs, efs_client):
self.results = {}
self.init()
- def __check_encrypted(self):
+ def _checkEncrypted(self):
self.results['EncryptedAtRest'] = [1, 'Enabled']
if self.efs['Encrypted'] != 1:
self.results['EncryptedAtRest'] = [-1, 'Disabled']
- def __check_lifecycle_configuration(self):
+ def _checkLifecycle_configuration(self):
self.results['Lifecycle'] = [1, 'Enabled']
efs_id = self.efs['FileSystemId']
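Review bot: The new name `_checkLifecycle_configuration` mixes camelCase and snake_case, unlike its siblings `_checkEncrypted` and `_checkBackupPolicy` renamed in the same hunk; `_checkLifecycleConfiguration` would match them. If the move from `__check_*` to `_check*` is what lets the driver framework discover these methods by prefix (double-underscore names are name-mangled to `_EfsDriver__check_*`, which a prefix scan would miss), that reason deserves a one-line comment above the first check, e.g. `# single leading underscore on purpose: the framework looks up checks by the _check prefix`, so the next author does not reintroduce the double underscore; I am inferring the motive, so adjust the wording to the real reason. The class header and `__init__` start before the hunk.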
@@ -25,7 +25,7 @@ def __check_lifecycle_configuration(self):
if len(life_cycle['LifecyclePolicies']) == 0:
self.results['EnabledLifecycle'] = [-1, 'Disabled']
- def __check_backup_policy(self):
+ def _checkBackupPolicy(self):
self.results['AutomatedBackup'] = [1, 'Enabled']
efs_id = self.efs['FileSystemId']
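Review bot: The disabled branch on the line `self.results['EnabledLifecycle'] = [-1, 'Disabled']` writes a different key from the `self.results['Lifecycle'] = [1, 'Enabled']` default set at the top of the same method (visible in the previous hunk), so `Lifecycle` is always reported as enabled and a file system with no lifecycle policy instead produces a separate `EnabledLifecycle` result that the reporter may not define. Both lines should use the same key — whichever one `efs.reporter.json` declares — e.g. `self.results['Lifecycle'] = [-1, 'Disabled']`. The rename in this commit does not touch that mismatch. The method body continues outside the hunk.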
@@ -34,4 +34,4 @@ def __check_backup_policy(self):
)
if backup['BackupPolicy']['Status'] == 'DISABLED':
- self.results['AutomatedBackup'] = [-1, 'Disabled']
\ No newline at end of file
+ self.results['AutomatedBackup'] = [-1, 'Disabled']