Opt-in regions for GuardDuty solution (#224)

* update get regions logic * type ignore * type ignore * type ignore * update 404 link * temp fix for cmk rotation * update cfct template links * Update safety.yml switch from "check" to "scan" ("check" deprecated as of may 2024) * Update safety.yml adding api key * updating safety.yml * updating safety.yml * updating safety.yml * updating safety.yml * updating safety.yml * listregion perms * update permissions for listregions * add logger messages * autoenable ALL; default TRUE governed regions only * update pEnabledRegions * add logging * temp re-order operations for bug * test fix for regional sts endpoint issue * temp perm mods for apsoutheast4 * update fix for all opt-in regions * testing updates to policy for opt-in * final updates for opt-in regions to work * linter fixes * remove unneeded condition statement * remove unneeded condition statement * fix condition statement * troubleshooting policy conditions * troubleshooting policy * troubleshooting policy * adding each region specifically in perms * final updates to kms+s3 perms * update safety cli file * update safety cli file * update safety cli file * update safety cli file * update2 safety cli file * update3 safety cli file * update4 safety cli file * update4 safety cli file * update5 safety cli file * update6 safety cli file * update7 safety cli file * update8 safety cli file * update 9 safety cli file
aws-samples · Jun 24, 2024 · a40dc08 · a40dc08
1 parent 24bdb8b
commit a40dc08
Show file tree

Hide file tree

Showing 30 changed files with 237 additions and 206 deletions.
diff --git a/.github/workflows/safety.yml b/.github/workflows/safety.yml
@@ -59,9 +59,6 @@ jobs:
       - name: Safety scan
         env:
           API_KEY: ${{secrets.SAFETY_API_KEY}}
-          TEST_VAR: ${{secrets.TEST_SECRET}}
         run: |
-          echo "test variable:"
-          echo "$TEST_VAR" 
           poetry run pip install safety
           poetry run safety --key "$API_KEY" --stage cicd scan
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -141,7 +141,7 @@ Updated [Firewall Manager](https://github.com/aws-samples/aws-security-reference
 
 ### Changed<!-- omit in toc -->
 
-- Updated [CfCT template](aws_sra_examples/solutions/common/common_cfct_setup/templates/customizations-for-aws-control-tower.template) to resolve issue #137.
+- Updated [CfCT template](aws_sra_examples/solutions/common/common_cfct_setup/templates/) to resolve issue #137.
 
 ## 2023-05-05
 
@@ -171,7 +171,7 @@ Updated [Firewall Manager](https://github.com/aws-samples/aws-security-reference
 
 ### Changed<!-- omit in toc -->
 
-- Updated the [customizations-for-aws-control-tower.template](aws_sra_examples/solutions/common/common_cfct_setup/templates/customizations-for-aws-control-tower.template) to the latest version v2.5.0 and added Checkov suppressions.
+- Updated the [customizations-for-aws-control-tower.template](aws_sra_examples/solutions/common/common_cfct_setup/templates/) to the latest version v2.5.0 and added Checkov suppressions.
 
 ## 2022-07-29
 
@@ -198,7 +198,7 @@ Updated [Firewall Manager](https://github.com/aws-samples/aws-security-reference
 
 - Added Checkov Lambda Function suppressions for CKV_AWS_115 (Reserved Concurrent Executions) and CKV_AWS_117 (Run within a VPC) to all solution templates with Lambda Function configurations.
 - Updated Lambda python files to fix mypy finding for log_level to always be a string value.
-- Updated the [customizations-for-aws-control-tower.template](aws_sra_examples/solutions/common/common_cfct_setup/templates/customizations-for-aws-control-tower.template) to the latest version v2.4.0 and added Checkov suppressions.
+- Updated the [customizations-for-aws-control-tower.template](aws_sra_examples/solutions/common/common_cfct_setup/templates/) to the latest version v2.4.0 and added Checkov suppressions.
 - Updated pyproject.toml dependencies to the latest versions.
 - Updated [Macie](aws_sra_examples/solutions/macie/macie_org) solution to increase retries and handle API errors when creating existing members.
 - Updated [EC2 Default EBS Encryption](aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption) to include default string value for the pExcludeEC2DefaultEBSEncryptionTags parameter.

diff --git a/aws_sra_examples/solutions/ami_bakery/ami_bakery_org/lambda/src/common.py b/aws_sra_examples/solutions/ami_bakery/ami_bakery_org/lambda/src/common.py
@@ -1,10 +1,12 @@
+# type: ignore
 """This script includes common functions.
 
 Version: 1.0
 
 Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 SPDX-License-Identifier: MIT-0
 """
+
 from __future__ import annotations
 
 import logging
@@ -176,25 +178,9 @@ def get_enabled_regions(customer_regions: str, control_tower_regions_only: bool
     elif control_tower_regions_only:
         region_list = get_control_tower_regions()
     else:
-        default_available_regions = [
-            "ap-northeast-1",
-            "ap-northeast-2",
-            "ap-northeast-3",
-            "ap-south-1",
-            "ap-southeast-1",
-            "ap-southeast-2",
-            "ca-central-1",
-            "eu-central-1",
-            "eu-north-1",
-            "eu-west-1",
-            "eu-west-2",
-            "eu-west-3",
-            "sa-east-1",
-            "us-east-1",
-            "us-east-2",
-            "us-west-1",
-            "us-west-2",
-        ]
+        default_available_regions = []
+        for region in boto3.client("account").list_regions(RegionOptStatusContains=["ENABLED", "ENABLED_BY_DEFAULT"])["Regions"]:
+            default_available_regions.append(region["RegionName"])
         LOGGER.info({"Default_Available_Regions": default_available_regions})
         region_list = default_available_regions
 

diff --git a/...mples/solutions/ami_bakery/ami_bakery_org/templates/sra-ami-bakery-org-configuration.yaml b/...mples/solutions/ami_bakery/ami_bakery_org/templates/sra-ami-bakery-org-configuration.yaml
@@ -447,6 +447,17 @@ Resources:
                 Effect: Allow
                 Action: sqs:SendMessage
                 Resource: !GetAtt rAMIBakeryOrgDLQ.Arn
+
+        - PolicyName: sra-ami-bakery-org-policy-acct
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Sid: AcctListRegions
+                Effect: Allow
+                Action:
+                  - account:ListRegions
+                Resource: '*'
+
       Tags:
         - Key: sra-solution
           Value: !Ref pSRASolutionName

diff --git a/...mples/solutions/config/config_conformance_pack_org/scripts/list_config_recorder_status.py b/...mples/solutions/config/config_conformance_pack_org/scripts/list_config_recorder_status.py
@@ -1,3 +1,4 @@
+# type: ignore
 """Get a list of accounts that do not have AWS Config enabled.
 
 The purpose of this script is to check if AWS Config is enabled in each AWS account and region within an AWS Control
@@ -12,6 +13,7 @@
 Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 SPDX-License-Identifier: MIT-0
 """
+
 from __future__ import annotations
 
 import logging
@@ -125,25 +127,9 @@ def get_enabled_regions(control_tower_regions_only: bool = False) -> list:  # no
     if control_tower_regions_only:
         region_list = get_control_tower_regions()
     else:
-        default_available_regions = [
-            "ap-northeast-1",
-            "ap-northeast-2",
-            "ap-northeast-3",
-            "ap-south-1",
-            "ap-southeast-1",
-            "ap-southeast-2",
-            "ca-central-1",
-            "eu-central-1",
-            "eu-north-1",
-            "eu-west-1",
-            "eu-west-2",
-            "eu-west-3",
-            "sa-east-1",
-            "us-east-1",
-            "us-east-2",
-            "us-west-1",
-            "us-west-2",
-        ]
+        default_available_regions = []
+        for region in boto3.client("account").list_regions(RegionOptStatusContains=["ENABLED", "ENABLED_BY_DEFAULT"])["Regions"]:
+            default_available_regions.append(region["RegionName"])
         LOGGER.info({"Default_Available_Regions": default_available_regions})
         region_list = default_available_regions
 

diff --git a/aws_sra_examples/solutions/config/config_org/lambda/src/common.py b/aws_sra_examples/solutions/config/config_org/lambda/src/common.py
@@ -1,10 +1,12 @@
+# type: ignore
 """This script includes common functions.
 
 Version: 1.0
 
 Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 SPDX-License-Identifier: MIT-0
 """
+
 from __future__ import annotations
 
 import logging
@@ -129,25 +131,9 @@ def get_enabled_regions(customer_regions: str, control_tower_regions_only: bool
     elif control_tower_regions_only:
         region_list = get_control_tower_regions()
     else:
-        default_available_regions = [
-            "ap-northeast-1",
-            "ap-northeast-2",
-            "ap-northeast-3",
-            "ap-south-1",
-            "ap-southeast-1",
-            "ap-southeast-2",
-            "ca-central-1",
-            "eu-central-1",
-            "eu-north-1",
-            "eu-west-1",
-            "eu-west-2",
-            "eu-west-3",
-            "sa-east-1",
-            "us-east-1",
-            "us-east-2",
-            "us-west-1",
-            "us-west-2",
-        ]
+        default_available_regions = []
+        for region in boto3.client("account").list_regions(RegionOptStatusContains=["ENABLED", "ENABLED_BY_DEFAULT"])["Regions"]:
+            default_available_regions.append(region["RegionName"])
         LOGGER.info({"Default_Available_Regions": default_available_regions})
         region_list = default_available_regions
 

diff --git a/aws_sra_examples/solutions/config/config_org/templates/sra-config-org-configuration.yaml b/aws_sra_examples/solutions/config/config_org/templates/sra-config-org-configuration.yaml
@@ -474,6 +474,17 @@ Resources:
                 Effect: Allow
                 Action: sqs:SendMessage
                 Resource: !GetAtt rConfigOrgDLQ.Arn
+
+        - PolicyName: sra-config-org-policy-acct
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Sid: AcctListRegions
+                Effect: Allow
+                Action:
+                  - account:ListRegions
+                Resource: '*'
+
       Tags:
         - Key: sra-solution
           Value: !Ref pSRASolutionName

diff --git a/aws_sra_examples/solutions/detective/detective_org/lambda/src/common.py b/aws_sra_examples/solutions/detective/detective_org/lambda/src/common.py
@@ -1,10 +1,12 @@
+# type: ignore
 """This script includes common functions.
 
 Version: 1.0
 
 Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 SPDX-License-Identifier: MIT-0
 """
+
 from __future__ import annotations
 
 import logging
@@ -129,25 +131,9 @@ def get_enabled_regions(customer_regions: str, control_tower_regions_only: bool
     elif control_tower_regions_only:
         region_list = get_control_tower_regions()
     else:
-        default_available_regions = [
-            "ap-northeast-1",
-            "ap-northeast-2",
-            "ap-northeast-3",
-            "ap-south-1",
-            "ap-southeast-1",
-            "ap-southeast-2",
-            "ca-central-1",
-            "eu-central-1",
-            "eu-north-1",
-            "eu-west-1",
-            "eu-west-2",
-            "eu-west-3",
-            "sa-east-1",
-            "us-east-1",
-            "us-east-2",
-            "us-west-1",
-            "us-west-2",
-        ]
+        default_available_regions = []
+        for region in boto3.client("account").list_regions(RegionOptStatusContains=["ENABLED", "ENABLED_BY_DEFAULT"])["Regions"]:
+            default_available_regions.append(region["RegionName"])
         LOGGER.info({"Default_Available_Regions": default_available_regions})
         region_list = default_available_regions
 

diff --git a/...examples/solutions/detective/detective_org/templates/sra-detective-org-configuration.yaml b/...examples/solutions/detective/detective_org/templates/sra-detective-org-configuration.yaml
@@ -379,6 +379,17 @@ Resources:
                 Effect: Allow
                 Action: sqs:SendMessage
                 Resource: !GetAtt rDetectiveOrgDLQ.Arn
+
+        - PolicyName: sra-detective-org-policy-acct
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Sid: AcctListRegions
+                Effect: Allow
+                Action:
+                  - account:ListRegions
+                Resource: '*'
+
       Tags:
         - Key: sra-solution
           Value: !Ref pSRASolutionName

diff --git a/aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption/lambda/src/app.py b/aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption/lambda/src/app.py
@@ -1,3 +1,4 @@
+# type: ignore
 """The purpose of this script is to configure the EC2 EBS default encryption within each account and region.
 
 Version: 1.1
@@ -7,6 +8,7 @@
 Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 SPDX-License-Identifier: MIT-0
 """
+
 from __future__ import annotations
 
 import json
@@ -121,25 +123,9 @@ def get_enabled_regions(customer_regions: str = None, control_tower_regions_only
     elif control_tower_regions_only:
         region_list = get_control_tower_regions()
     else:
-        default_available_regions = [
-            "ap-northeast-1",
-            "ap-northeast-2",
-            "ap-northeast-3",
-            "ap-south-1",
-            "ap-southeast-1",
-            "ap-southeast-2",
-            "ca-central-1",
-            "eu-central-1",
-            "eu-north-1",
-            "eu-west-1",
-            "eu-west-2",
-            "eu-west-3",
-            "sa-east-1",
-            "us-east-1",
-            "us-east-2",
-            "us-west-1",
-            "us-west-2",
-        ]
+        default_available_regions = []
+        for region in boto3.client("account").list_regions(RegionOptStatusContains=["ENABLED", "ENABLED_BY_DEFAULT"])["Regions"]:
+            default_available_regions.append(region["RegionName"])
         LOGGER.info({"Default_Available_Regions": default_available_regions})
         region_list = default_available_regions
 
@@ -321,7 +307,7 @@ def process_accounts(event: Union[CloudFormationCustomResourceEvent, dict], para
         if is_account_with_exclude_tags(account, params):
             continue
 
-        if event.get("local_testing") == "true" or event.get("ResourceProperties", {}).get("local_testing") == "true":  # type: ignore
+        if event.get("local_testing") == "true" or event.get("ResourceProperties", {}).get("local_testing") == "true":
             local_testing(account, params)
         else:
             sns_message = {"Action": params["action"], "AccountId": account["Id"]}

diff --git a/...es/solutions/ec2/ec2_default_ebs_encryption/templates/sra-ec2-default-ebs-encryption.yaml b/...es/solutions/ec2/ec2_default_ebs_encryption/templates/sra-ec2-default-ebs-encryption.yaml
@@ -397,6 +397,17 @@ Resources:
                 Action: sqs:SendMessage
                 Resource: !GetAtt rEC2DefaultEBSEncryptionDLQ.Arn
 
+        - PolicyName: sra-ec2-default-ebs-encryption-policy-acct
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Sid: AcctListRegions
+                Effect: Allow
+                Action:
+                  - account:ListRegions
+                Resource: '*'
+
+
       Tags:
         - Key: sra-solution
           Value: !Ref pSRASolutionName

diff --git a/aws_sra_examples/solutions/guardduty/guardduty_org/lambda/src/app.py b/aws_sra_examples/solutions/guardduty/guardduty_org/lambda/src/app.py
@@ -12,6 +12,7 @@
 Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 SPDX-License-Identifier: MIT-0
 """
+
 from __future__ import annotations
 
 import json
@@ -44,7 +45,7 @@
 PRINCIPAL_NAME = "malware-protection.guardduty.amazonaws.com"
 SERVICE_NAME = "guardduty.amazonaws.com"
 UNEXPECTED = "Unexpected!"
-MAX_RUN_COUNT = 30  # 5 minute wait = 30 x 10 seconds
+MAX_RUN_COUNT = 60  # 5 minute wait = 30 x 10 seconds
 SLEEP_SECONDS = 10
 BOTO3_CONFIG = Config(retries={"max_attempts": 10, "mode": "standard"})
 

diff --git a/aws_sra_examples/solutions/guardduty/guardduty_org/lambda/src/common.py b/aws_sra_examples/solutions/guardduty/guardduty_org/lambda/src/common.py
@@ -1,10 +1,12 @@
+# type: ignore
 """This script includes common functions.
 
 Version: 1.1
 
 Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 SPDX-License-Identifier: MIT-0
 """
+
 from __future__ import annotations
 
 import logging
@@ -51,6 +53,9 @@ def assume_role(role: str, role_session_name: str, account: str = None, session:
     Returns:
         Session object for the specified AWS account
     """
+    # set regional endpoint environment variable to account for potential opt-in regions
+    os.environ["AWS_STS_REGIONAL_ENDPOINTS"] = "regional"
+
     if not session:
         session = boto3.Session()
     sts_client: STSClient = session.client("sts", config=BOTO3_CONFIG)
@@ -143,25 +148,9 @@ def get_enabled_regions(customer_regions: str, control_tower_regions_only: bool
     elif control_tower_regions_only:
         region_list = get_control_tower_regions()
     else:
-        default_available_regions = [
-            "ap-northeast-1",
-            "ap-northeast-2",
-            "ap-northeast-3",
-            "ap-south-1",
-            "ap-southeast-1",
-            "ap-southeast-2",
-            "ca-central-1",
-            "eu-central-1",
-            "eu-north-1",
-            "eu-west-1",
-            "eu-west-2",
-            "eu-west-3",
-            "sa-east-1",
-            "us-east-1",
-            "us-east-2",
-            "us-west-1",
-            "us-west-2",
-        ]
+        default_available_regions = []
+        for region in boto3.client("account").list_regions(RegionOptStatusContains=["ENABLED", "ENABLED_BY_DEFAULT"])["Regions"]:
+            default_available_regions.append(region["RegionName"])
         LOGGER.info({"Default_Available_Regions": default_available_regions})
         region_list = default_available_regions