linting fixes

aws-samples · Sep 3, 2024 · 6d5a0bd · 6d5a0bd
1 parent 2c7d3b6
commit 6d5a0bd
Show file tree

Hide file tree

Showing 5 changed files with 65 additions and 77 deletions.
diff --git a/aws_sra_examples/solutions/security_lake/security_lake_org/lambda/src/security_lake.py b/aws_sra_examples/solutions/security_lake/security_lake_org/lambda/src/security_lake.py
@@ -445,11 +445,11 @@ def get_org_configuration(sl_client: SecurityLakeClient) -> tuple:
         tuple: (bool, dict)
     """
     try:
-        org_configruations = sl_client.get_data_lake_organization_configuration()
-        if org_configruations["autoEnableNewAccount"]:
-            return True, org_configruations["autoEnableNewAccount"]
+        org_configurations = sl_client.get_data_lake_organization_configuration()
+        if org_configurations["autoEnableNewAccount"]:
+            return True, org_configurations["autoEnableNewAccount"]
         else:
-            return False, org_configruations
+            return False, org_configurations
     except ClientError as e:
         error_code = e.response["Error"]["Code"]
         if error_code == "ResourceNotFoundException":
@@ -483,18 +483,18 @@ def create_organization_configuration(sl_client: SecurityLakeClient, regions: li
             create_organization_configuration(sl_client, regions, org_sources, source_version, retry + 1)
 
 
-def set_sources_to_disable(org_configruations: list, region: str) -> list:
+def set_sources_to_disable(org_configurations: list, region: str) -> list:
     """Update Security Lake.
 
     Args:
-        org_configruations: list of configurations
+        org_configurations: list of configurations
         region: AWS region
 
     Returns:
         list: list of sources to disable
     """
     sources_to_disable = []
-    for configuration in org_configruations:
+    for configuration in org_configurations:
         if configuration["region"] == region:
             for source in configuration["sources"]:
                 sources_to_disable.append(source)
@@ -503,7 +503,7 @@ def set_sources_to_disable(org_configruations: list, region: str) -> list:
 
 
 def update_organization_configuration(
-    sl_client: SecurityLakeClient, regions: list, org_sources: list, source_version: str, exisiting_org_configuration: list
+    sl_client: SecurityLakeClient, regions: list, org_sources: list, source_version: str, existing_org_configuration: list
 ) -> None:
     """Update Security Lake organization configuration.
 
@@ -512,35 +512,35 @@ def update_organization_configuration(
         regions: list of AWS regions
         org_sources: list of AWS log and event sources
         source_version: version of log source
-        exisiting_org_configuration: list of existing configurations
+        existing_org_configuration: list of existing configurations
 
     Raises:
         ClientError: If there is an issue interacting with the AWS API
     """
-    delete_organization_configuration(sl_client, exisiting_org_configuration)
+    delete_organization_configuration(sl_client, existing_org_configuration)
     sources: List[AwsLogSourceResourceTypeDef] = [{"sourceName": source, "sourceVersion": source_version} for source in org_sources]
-    autoenable_config: List[DataLakeAutoEnableNewAccountConfigurationTypeDef] = []
-    for regioin in regions:
-        region_config: DataLakeAutoEnableNewAccountConfigurationTypeDef = {"region": regioin, "sources": sources}
-        autoenable_config.append(region_config)
-    response = sl_client.create_data_lake_organization_configuration(autoEnableNewAccount=autoenable_config)
+    auto_enable_config: List[DataLakeAutoEnableNewAccountConfigurationTypeDef] = []
+    for region in regions:
+        region_config: DataLakeAutoEnableNewAccountConfigurationTypeDef = {"region": region, "sources": sources}
+        auto_enable_config.append(region_config)
+    response = sl_client.create_data_lake_organization_configuration(autoEnableNewAccount=auto_enable_config)
     api_call_details = {"API_Call": "securitylake:CreateDataLakeOrganizationConfiguration", "API_Response": response}
     LOGGER.info(api_call_details)
 
 
-def delete_organization_configuration(sl_client: SecurityLakeClient, exisiting_org_configuration: list) -> None:
+def delete_organization_configuration(sl_client: SecurityLakeClient, existing_org_configuration: list) -> None:
     """Delete Security Lake organization configuration.
 
     Args:
         sl_client: boto3 client
-        exisiting_org_configuration: list of existing configurations
+        existing_org_configuration: list of existing configurations
 
     Raises:
         ClientError: If there is an issue interacting with the AWS API
     """
-    sources_to_disable = exisiting_org_configuration
+    sources_to_disable = existing_org_configuration
     if sources_to_disable:
-        delete_response = sl_client.delete_data_lake_organization_configuration(autoEnableNewAccount=exisiting_org_configuration)
+        delete_response = sl_client.delete_data_lake_organization_configuration(autoEnableNewAccount=existing_org_configuration)
         api_call_details = {"API_Call": "securitylake:DeleteDataLakeOrganizationConfiguration", "API_Response": delete_response}
         LOGGER.info(api_call_details)
 
@@ -693,7 +693,7 @@ def create_subscribers(
 
 
 def update_subscriber(
-    sl_client: SecurityLakeClient, subscriber_id: str, source_types: list, external_id: str, principal: str, subscriber_name: str, source_verison: str
+    sl_client: SecurityLakeClient, subscriber_id: str, source_types: list, external_id: str, principal: str, subscriber_name: str, source_version: str
 ) -> str:
     """Update Security Lake subscriber.
 
@@ -704,7 +704,7 @@ def update_subscriber(
         external_id: external id
         principal: AWS account id
         subscriber_name: subscriber name
-        source_verison: source version
+        source_version: source version
 
     Returns:
         str: Resource share ARN
@@ -713,7 +713,7 @@ def update_subscriber(
         ValueError: if subscriber not created
     """
     subscriber_sources: Sequence[LogSourceResourceTypeDef] = [
-        {"awsLogSource": {"sourceName": source, "sourceVersion": source_verison}} for source in source_types
+        {"awsLogSource": {"sourceName": source, "sourceVersion": source_version}} for source in source_types
     ]
     base_delay = 1
     max_delay = 3
@@ -894,7 +894,7 @@ def create_table_in_data_catalog(
                 LOGGER.info(f"Table '{table_name}' already exists in {region} region.")
                 continue
             if error_code == "AccessDeniedException":
-                LOGGER.info("'AccessDeniedException' error occured. Review and update Lake Formation permission(s)")
+                LOGGER.info("'AccessDeniedException' error occurred. Review and update Lake Formation permission(s)")
                 LOGGER.info("Skipping...")
                 continue
             else:

diff --git a/.../security_lake/security_lake_org/templates/sra-security-lake-meta-store-manager-role.yaml b/.../security_lake/security_lake_org/templates/sra-security-lake-meta-store-manager-role.yaml
@@ -21,18 +21,18 @@ Metadata:
       - Label:
           default: Role Properties
         Parameters:
-          - pSRASecurityLakeMetastoreManagerRoleName
+          - pSRASecurityLakeMetaStoreManagerRoleName
 
     ParameterLabels:
-      pSRASecurityLakeMetastoreManagerRoleName:
-        default: Security Lake Metastore Manager Role Name
+      pSRASecurityLakeMetaStoreManagerRoleName:
+        default: SecurityLakeMetaStoreManager Role Name
 
 Parameters:
-  pSRASecurityLakeMetastoreManagerRoleName:
+  pSRASecurityLakeMetaStoreManagerRoleName:
     AllowedPattern: '^[\w+=,.@-]{1,64}$'
     ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
     Default: AmazonSecurityLakeMetaStoreManagerV2
-    Description: Security Lake Metastore Manager Role 
+    Description: SecurityLakeMetaStoreManagerRole 
     Type: String
   pSRASolutionName:
     AllowedValues: [sra-security-lake-org]
@@ -44,7 +44,7 @@ Resources:
   rSecurityLakeMetaStoreManagerRole:
     Type: AWS::IAM::Role
     Properties:
-      RoleName: !Ref pSRASecurityLakeMetastoreManagerRoleName
+      RoleName: !Ref pSRASecurityLakeMetaStoreManagerRoleName
       AssumeRolePolicyDocument:
         Version: '2012-10-17'
         Statement:
@@ -54,7 +54,7 @@ Resources:
           Action: sts:AssumeRole
       Path: '/service-role/'
       ManagedPolicyArns:
-      - !Sub arn:${AWS::Partition}:iam::${AWS::Partition}:policy/service-role/AmazonSecurityLakeMetastoreManager
+      - !Sub arn:${AWS::Partition}:iam::${AWS::Partition}:policy/service-role/AmazonSecurityLakeMetaStoreManager
       Policies:
         - PolicyName: sra-security-lake-org-kms-policy
           PolicyDocument:

diff --git a/...s/security_lake/security_lake_org/templates/sra-security-lake-org-configuration-role.yaml b/...s/security_lake/security_lake_org/templates/sra-security-lake-org-configuration-role.yaml
@@ -104,7 +104,7 @@ Resources:
             Statement:
               - Sid: AllowPutLakeFormationSettings
                 Effect: Allow
-                Action: lakeformation:PutDatalakeSettings
+                Action: lakeformation:PutDataLakeSettings
                 Resource: "*"
                 Condition:
                   ForAnyValue:StringEquals:
@@ -140,13 +140,13 @@ Resources:
           PolicyDocument:
             Version: 2012-10-17
             Statement:
-              - Sid: AllowLambdaunctionConfigurationActions
+              - Sid: AllowLambdaFunctionConfigurationActions
                 Effect: Allow
                 Action:
                   - lambda:GetFunctionConfiguration
                   - lambda:UpdateFunctionConfiguration
                 Resource: "arn:aws:lambda:*:*:function:AmazonSecurityLake*"
-              - Sid: AllowlambdaListEventSourceMappings
+              - Sid: AllowLambdaListEventSourceMappings
                 Effect: Allow
                 Action:
                   - lambda:ListEventSourceMappings

diff --git a/...utions/security_lake/security_lake_org/templates/sra-security-lake-org-configuration.yaml b/...utions/security_lake/security_lake_org/templates/sra-security-lake-org-configuration.yaml
@@ -53,8 +53,7 @@ Metadata:
           - pAuditAccountQuerySubscriberPrefix
           - pAuditAccountQuerySubscriberExternalId
           - pDisableSecurityLake
-          - pSRASecurityLakeMetastoreManagerRoleName
-          - pKmsKeyStackSetId
+          - pSRASecurityLakeMetatoreManagerRoleName
           - pCreateResourceLink
           - pSecurityLakeOrgKeyAlias
 
@@ -75,12 +74,10 @@ Metadata:
     ParameterLabels:
       pCreateResourceLink:
         default: Create Resource Link
-      pKmsKeyStackSetId:
-        default: KMS key stackset id
       pSecurityLakeOrgKeyAlias:
         default: Security Lake KMS Key Alias
-      pSRASecurityLakeMetastoreManagerRoleName:
-        default: Security Lake Metastore Manager Role 
+      pSRASecurityLakeMetaStoreManagerRoleName:
+        default: SecurityLakeMetastoreManagerRole 
       pCloudTrailManagementEvents:
         default: CloudTrail - Management events
       pSourceVersion:
@@ -154,24 +151,18 @@ Parameters:
     Default: 'true'
     Description: Indicates whether to create a resource link for shared resources in Audit (Security Tooling) account
     Type: String
-  pKmsKeyStackSetId:
-    AllowedPattern: '^sra-security-lake-org-kms-key(?::\S+)?$'
-    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [_, -]
-    Default: "sra-security-lake-org-kms-key"
-    Description: The name of the KMS Key StackSet
-    Type: String
   pSecurityLakeOrgKeyAlias:
     AllowedPattern: '^[a-zA-Z0-9/_-]+$'
     ConstraintDescription:
       The alias must be string of 1-256 characters. It can contain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-).
     Default: sra-security-lake-org-key
     Description: Security Lake KMS Key Alias
     Type: String
-  pSRASecurityLakeMetastoreManagerRoleName:
+  pSRASecurityLakeMetaStoreManagerRoleName:
     AllowedPattern: '^[\w+=,.@-]{1,64}$'
     ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
     Default: AmazonSecurityLakeMetaStoreManagerV2
-    Description: Security Lake Metastore Manager Role 
+    Description: SecurityLakeMetastoreManagerRole 
     Type: String
   pSourceVersion:
     AllowedValues: [2.0]
@@ -184,63 +175,63 @@ Parameters:
     ConstraintDescription: 'Enter "ALL" or a comma-separated list of AWS account numbers without spaces, e.g., "123456789012,234567890123" to create log source. Leave empty to skip log source creation'
     Description:
       Accounts to ingest CloudTrail - Management events from. Choose ALL to enable for all accounts in your AWS Organization. To choose the accounts enter a comma
-      seperated list of the AWS Account numbers.  Leave empty to skip log source creation.
+      separated list of the AWS Account numbers.  Leave empty to skip log source creation.
     Type: CommaDelimitedList
     Default: 'ALL'
   pCloudTrailLambdaDataEvents:
     AllowedPattern: '^($|ALL|(\d{12})(,\s*\d{12})*)$'
     ConstraintDescription: 'Enter "ALL" or a comma-separated list of AWS account numbers without spaces, e.g., "123456789012,234567890123" to create log source. Leave empty to skip log source creation'
     Description:
       Accounts to ingest CloudTrail - Lambda Data events from. Choose ALL to enable for all accounts in your AWS Organization. To choose the accounts enter a comma
-      seperated list of the AWS Account numbers.  Leave empty to skip log source creation.
+      separated list of the AWS Account numbers.  Leave empty to skip log source creation.
     Type: CommaDelimitedList
     Default: 'ALL'
   pCloudTrailS3DataEvents:
     AllowedPattern: '^($|ALL|(\d{12})(,\s*\d{12})*)$'
     ConstraintDescription: 'Enter "ALL" or a comma-separated list of AWS account numbers without spaces, e.g., "123456789012,234567890123" to create log source. Leave empty to skip log source creation'
     Description:
       Accounts to ingest CloudTrail - S3 Data events from. Choose ALL to enable for all accounts in your AWS Organization. To choose the accounts enter a comma
-      seperated list of the AWS Account numbers.  Leave empty to skip log source creation.
+      separated list of the AWS Account numbers.  Leave empty to skip log source creation.
     Type: CommaDelimitedList
     Default: ''
   pSecurityHubFindings:
     AllowedPattern: '^($|ALL|(\d{12})(,\s*\d{12})*)$'
     ConstraintDescription: 'Enter "ALL" or a comma-separated list of AWS account numbers without spaces, e.g., "123456789012,234567890123" to create log source. Leave empty to skip log source creation'
     Description:
       Accounts to ingest SecurityHub Findings from. Choose ALL to enable for all accounts in your AWS Organization. To choose the accounts enter a comma
-      seperated list of the AWS Account numbers.  Leave empty to skip log source creation.
+      separated list of the AWS Account numbers.  Leave empty to skip log source creation.
     Type: CommaDelimitedList
     Default: 'ALL'
   pVpcFlowLogs:
     AllowedPattern: '^($|ALL|(\d{12})(,\s*\d{12})*)$'
     ConstraintDescription: 'Enter "ALL" or a comma-separated list of AWS account numbers without spaces, e.g., "123456789012,234567890123" to create log source. Leave empty to skip log source creation'
     Description:
       Accounts to ingest VPC Flow Logs from. Choose ALL to enable for all accounts in your AWS Organization. To choose the accounts enter a comma
-      seperated list of the AWS Account numbers.  Leave empty to skip log source creation.
+      separated list of the AWS Account numbers.  Leave empty to skip log source creation.
     Type: CommaDelimitedList
     Default: 'ALL'
   pWafLogs:
     AllowedPattern: '^($|ALL|(\d{12})(,\s*\d{12})*)$'
     ConstraintDescription: 'Enter "ALL" or a comma-separated list of AWS account numbers without spaces, e.g., "123456789012,234567890123" to create log source. Leave empty to skip log source creation'
     Description:
       Accounts to ingest WAFv2 Logs from. Choose ALL to enable for all accounts in your AWS Organization. To choose the accounts enter a comma
-      seperated list of the AWS Account numbers.  Leave empty to skip log source creation.
+      separated list of the AWS Account numbers.  Leave empty to skip log source creation.
     Type: CommaDelimitedList
     Default: ''
   pRoute53Logs:
     AllowedPattern: '^($|ALL|(\d{12})(,\s*\d{12})*)$'
     ConstraintDescription: 'Enter "ALL" or a comma-separated list of AWS account numbers without spaces, e.g., "123456789012,234567890123" to create log source. Leave empty to skip log source creation'
     Description:
       Accounts to ingest Amazon Route 53 resolver query logs from. Choose ALL to enable for all accounts in your AWS Organization. To choose the accounts enter a comma
-      seperated list of the AWS Account numbers.  Leave empty to skip log source creation.
+      separated list of the AWS Account numbers.  Leave empty to skip log source creation.
     Type: CommaDelimitedList
     Default: 'ALL'
   pEksAuditLogs:
     AllowedPattern: '^($|ALL|(\d{12})(,\s*\d{12})*)$'
     ConstraintDescription: 'Enter "ALL" or a comma-separated list of AWS account numbers without spaces, e.g., "123456789012,234567890123" to create log source. Leave empty to skip log source creation'
     Description:
       Accounts to ingest Amazon EKS Audit Logs from. Choose ALL to enable for all accounts in your AWS Organization. To choose the accounts enter a comma
-      seperated list of the AWS Account numbers.  Leave empty to skip log source creation.
+      separated list of the AWS Account numbers.  Leave empty to skip log source creation.
     Type: CommaDelimitedList
     Default: 'ALL'
   pControlTowerRegionsOnly:
@@ -463,7 +454,6 @@ Resources:
                 Action: cloudformation:ListStackInstances
                 Resource: 
                   - !Sub arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stackset/AWSControlTowerBP-*
-                  - !Sub arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stackset/${pKmsKeyStackSetId}
         - PolicyName: sra-security-lake-org-policy-securitylake
           PolicyDocument:
             Version: 2012-10-17
@@ -641,8 +631,7 @@ Resources:
               - ','
               - !Ref pOrgConfigurationSources
           DISABLE_SECURITY_LAKE: !Ref pDisableSecurityLake
-          META_STORE_MANAGER_ROLE_NAME: !Ref pSRASecurityLakeMetastoreManagerRoleName
-          KMS_STACKSET_ID: !Ref pKmsKeyStackSetId
+          META_STORE_MANAGER_ROLE_NAME: !Ref pSRASecurityLakeMetaStoreManagerRoleName
           CREATE_RESOURCE_LINK: !Ref pCreateResourceLink
           KEY_ALIAS: !Ref pSecurityLakeOrgKeyAlias
       Tags:
@@ -655,7 +644,7 @@ Resources:
       Content:
         S3Bucket: !Ref pSRAStagingS3BucketName
         S3Key: !Sub ${pSRASolutionName}/layer_code/${pSRASolutionName}-layer.zip
-      Description: Boto3 version 1.34.153 layer to enable newer API of Security Lake  # todo
+      Description: Boto3 version 1.35.10 layer to enable newer API of Security Lake
       LayerName: !Sub ${pSecurityLakeOrgLambdaFunctionName}-updated-boto3-layer
 
   rSecurityLakeOrgLambdaCustomResource:
@@ -707,8 +696,7 @@ Resources:
           - ','
           - !Ref pOrgConfigurationSources
       DISABLE_SECURITY_LAKE: !Ref pDisableSecurityLake
-      META_STORE_MANAGER_ROLE_NAME: !Ref pSRASecurityLakeMetastoreManagerRoleName
-      KMS_STACKSET_ID: !Ref pKmsKeyStackSetId
+      META_STORE_MANAGER_ROLE_NAME: !Ref pSRASecurityLakeMetaStoreManagerRoleName
       CREATE_RESOURCE_LINK: !Ref pCreateResourceLink
       KEY_ALIAS: !Ref pSecurityLakeOrgKeyAlias