"""
Remediate Prisma Policy:
AWS:IAM-018 IAM Support Role Check
Description:
Best practice is to grant least privilege: manage incidents with AWS Support through a dedicated role whose
permissions are limited to that task. "AWSSupportAccess" is the AWS managed policy for this purpose.
Required Permissions:
- iam:AttachRolePolicy
- iam:CreateRole
- iam:CreateUser
- iam:GetPolicy
Sample IAM Policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "IAMPermissions",
"Action": [
"iam:AttachRolePolicy",
"iam:CreateRole",
"iam:CreateUser",
"iam:GetPolicy"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
"""
import json
import boto3
from botocore.exceptions import ClientError
from time import sleep
# Options:
#
# Default User, Role and Policy
#
# Names of the IAM principals this remediation creates and the ARN of the
# AWS managed policy it attaches to the role. new_iam_user only calls
# create_user (no access key or login profile), and the trust policy built by
# Template.RolePolicy names that user as the sole principal of the role.
support_role_name = 'AWSSupportRole'
support_user_name = 'AWSSupportUser'
support_policy_arn = 'arn:aws:iam::aws:policy/AWSSupportAccess'
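def remediate(session, alert, lambda_context):
    """
    Main Function invoked by index_prisma.py

    Ensures the AWS managed ``AWSSupportAccess`` policy is attached to
    something. If it has no attachments at all, a dedicated IAM user and a
    role trusting that user are created and the policy is attached to the
    role.

    Args:
        session: boto3 session used to build the IAM client.
        alert: Prisma alert dict; only ``alert['region']`` is read.
        lambda_context: Lambda context object (not used here).

    Returns:
        'fail' when the policy lookup or the user/role creation fails,
        otherwise None. (Previously a failed user/role creation returned
        None, indistinguishable from success.)
    """
    region = alert['region']
    # IAM is a global service; the region only selects the endpoint.
    iam = session.client('iam', region_name=region)
    try:
        policy = iam.get_policy(PolicyArn=support_policy_arn)['Policy']
    except ClientError as e:
        print(e.response['Error']['Message'])
        return 'fail'

    # AttachmentCount counts users, groups and roles alike, so an existing
    # attachment to a user or group also satisfies this check.
    if policy['AttachmentCount'] > 0:
        print('AWS Support policy has one or more attachments: {}'.format(support_policy_arn))
        return None

    # The user goes first: its ARN is the Principal of the role's trust policy.
    user_arn = new_iam_user(iam)
    if user_arn == 'fail':
        print('Failed to create a Support Role to manage incidents with AWS Support.')
        return 'fail'

    role_arn = new_iam_role(iam, user_arn)
    if role_arn == 'fail':
        print('Failed to create a Support Role to manage incidents with AWS Support.')
        return 'fail'

    print('A Support Role has been created to manage incidents with AWS Support.')
    return None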
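def new_iam_user(iam, propagation_delay=10):
    """
    Create new Support IAM User

    Only ``create_user`` is called: no access key or console password is
    issued, so the user cannot sign in until credentials are added out of
    band.

    Args:
        iam: boto3 IAM client.
        propagation_delay: seconds to wait after creation before returning,
            so the new principal has time to propagate before new_iam_role
            references it in a trust policy. Defaults to 10 (the previously
            hard-coded value); 0 disables the wait.

    Returns:
        The new user's ARN, or 'fail' if create_user raised ClientError.
    """
    try:
        user = iam.create_user(Path='/', UserName=support_user_name)
    except ClientError as e:
        print(e.response['Error']['Message'])
        return 'fail'

    user_arn = user['User']['Arn']
    print('New IAM Support User created: {}'.format(user_arn))
    # IAM is eventually consistent: a trust policy naming a principal that has
    # not propagated yet can be rejected, hence the fixed wait. A polling
    # waiter would need iam:GetUser, which the required permission set in the
    # module docstring does not include.
    if propagation_delay > 0:
        sleep(propagation_delay)
    return user_arn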
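def new_iam_role(iam, user_arn, max_attempts=3, retry_delay=5):
    """
    Create new Support IAM Role and attach AWS Managed Policy

    Args:
        iam: boto3 IAM client.
        user_arn: ARN of the principal allowed to assume the role; it becomes
            the Principal of the trust policy built by Template.RolePolicy.
        max_attempts: how many times create_role is tried when IAM rejects
            the trust policy as malformed, which is also the error a
            not-yet-propagated principal produces. Defaults to 3.
        retry_delay: seconds between those attempts. Defaults to 5.

    Returns:
        The new role's ARN, or 'fail' when the role could not be created or
        the policy could not be attached. A role whose policy attachment
        failed is left in place: this function has no delete permission.
    """
    trust_policy = json.dumps(Template.RolePolicy(user_arn))
    role = None
    for attempt in range(1, max_attempts + 1):
        try:
            role = iam.create_role(
                Path='/',
                RoleName=support_role_name,
                AssumeRolePolicyDocument=trust_policy,
            )
            break
        except ClientError as e:
            print(e.response['Error']['Message'])
            # 'MalformedPolicyDocument' is returned both for a genuinely bad
            # document and for a valid one whose Principal has not propagated
            # yet; retry it a bounded number of times, give up on anything else.
            if e.response['Error']['Code'] != 'MalformedPolicyDocument' or attempt == max_attempts:
                return 'fail'
            sleep(retry_delay)

    role_arn = role['Role']['Arn']
    print('New IAM Support Role created: {}'.format(role_arn))
    try:
        # Return value of attach_role_policy carries nothing we need.
        iam.attach_role_policy(RoleName=support_role_name, PolicyArn=support_policy_arn)
    except ClientError as e:
        print(e.response['Error']['Message'])
        return 'fail'
    return role_arn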
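class Template:
    """Policy document templates used by this remediation."""

    @staticmethod
    def RolePolicy(user_arn):
        """
        Build the trust policy for the support role.

        Args:
            user_arn: ARN of the IAM user that may assume the role. It is the
                only Principal in the document, so no other identity can
                assume the role.

        Returns:
            A dict ready for json.dumps as an AssumeRolePolicyDocument.
        """
        return {
            # Current policy-language version, matching the sample policy in
            # the module docstring; '2008-10-17' is the legacy version.
            'Version': '2012-10-17',
            'Statement': [
                {
                    'Effect': 'Allow',
                    'Principal': {'AWS': user_arn},
                    'Action': 'sts:AssumeRole',
                }
            ],
        }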