From eb514e0331e9d36abae30bac854963f4bfb62b1f Mon Sep 17 00:00:00 2001 From: Markus Bergholz Date: Mon, 1 Mar 2021 20:04:03 +0100 Subject: [PATCH 01/18] add wafv2 permissions --- aws/policy/security-services.yaml | 42 +++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/aws/policy/security-services.yaml b/aws/policy/security-services.yaml index 43d8f135..b0f4154e 100644 --- a/aws/policy/security-services.yaml +++ b/aws/policy/security-services.yaml @@ -87,6 +87,48 @@ Statement: - waf:UpdateSqlInjectionMatchSet - waf:UpdateWebACL - waf:UpdateXssMatchSet + - wafv2:ListRuleGroups + - wafv2:ListWebACLs + - wafv2:AssociateWebACL + - wafv2:DeleteRuleGroup + - wafv2:CreateRuleGroup + - wafv2:PutFirewallManagerRuleGroups + - wafv2:GetWebACLForResource + - wafv2:GetLoggingConfiguration + - wafv2:DeleteWebACL + - wafv2:GetRateBasedStatementManagedKeys + - wafv2:ListLoggingConfigurations + - wafv2:GetIPSet + - wafv2:CreateWebACL + - wafv2:CreateRegexPatternSet + - wafv2:ListIPSets + - wafv2:GetWebACL + - wafv2:UpdateRegexPatternSet + - wafv2:GetRuleGroup + - wafv2:CreateIPSet + - wafv2:ListAvailableManagedRuleGroups + - wafv2:ListRegexPatternSets + - wafv2:PutPermissionPolicy + - wafv2:DeleteIPSet + - wafv2:DescribeManagedRuleGroup + - wafv2:UntagResource + - wafv2:GetRegexPatternSet + - wafv2:GetPermissionPolicy + - wafv2:CheckCapacity + - wafv2:TagResource + - wafv2:ListResourcesForWebACL + - wafv2:DeleteLoggingConfiguration + - wafv2:ListTagsForResource + - wafv2:PutLoggingConfiguration + - wafv2:DisassociateWebACL + - wafv2:UpdateWebACL + - wafv2:UpdateRuleGroup + - wafv2:DeletePermissionPolicy + - wafv2:DeleteRegexPatternSet + - wafv2:GetSampledRequests + - wafv2:DeleteFirewallManagerRuleGroups + - wafv2:DisassociateFirewallManager + - wafv2:UpdateIPSet" - inspector:ListAssessmentTargets - inspector:CreateResourceGroup - inspector:CreateAssessmentTarget From 4e166e8a6fa3594f8d35a93c49171cfa026d5cb0 Mon Sep 17 00:00:00 2001 
From: Markus Bergholz Date: Tue, 2 Mar 2021 08:23:02 +0100 Subject: [PATCH 02/18] reduce wafv2 permissions --- aws/policy/security-services.yaml | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/aws/policy/security-services.yaml b/aws/policy/security-services.yaml index b0f4154e..e8009326 100644 --- a/aws/policy/security-services.yaml +++ b/aws/policy/security-services.yaml @@ -100,32 +100,20 @@ Statement: - wafv2:ListLoggingConfigurations - wafv2:GetIPSet - wafv2:CreateWebACL - - wafv2:CreateRegexPatternSet - wafv2:ListIPSets - wafv2:GetWebACL - - wafv2:UpdateRegexPatternSet - wafv2:GetRuleGroup - wafv2:CreateIPSet - wafv2:ListAvailableManagedRuleGroups - - wafv2:ListRegexPatternSets - - wafv2:PutPermissionPolicy - wafv2:DeleteIPSet - wafv2:DescribeManagedRuleGroup - - wafv2:UntagResource - - wafv2:GetRegexPatternSet - - wafv2:GetPermissionPolicy - wafv2:CheckCapacity - - wafv2:TagResource - wafv2:ListResourcesForWebACL - wafv2:DeleteLoggingConfiguration - - wafv2:ListTagsForResource - wafv2:PutLoggingConfiguration - wafv2:DisassociateWebACL - wafv2:UpdateWebACL - wafv2:UpdateRuleGroup - - wafv2:DeletePermissionPolicy - - wafv2:DeleteRegexPatternSet - - wafv2:GetSampledRequests - wafv2:DeleteFirewallManagerRuleGroups - wafv2:DisassociateFirewallManager - wafv2:UpdateIPSet" From 84f4168bdfa0999cca1b35c1acd7f03e8b7fcf9f Mon Sep 17 00:00:00 2001 From: Markus Bergholz Date: Tue, 2 Mar 2021 08:24:32 +0100 Subject: [PATCH 03/18] add wafv2 to AllowRegionalRestrictedResourceActionsWhichIncurFees sid --- aws/policy/security-services.yaml | 64 ++++++++++++++++--------------- 1 file changed, 34 insertions(+), 30 deletions(-) diff --git a/aws/policy/security-services.yaml b/aws/policy/security-services.yaml index e8009326..010d3831 100644 --- a/aws/policy/security-services.yaml +++ b/aws/policy/security-services.yaml 
@@ -27,6 +27,40 @@ Statement: Resource: - 'arn:aws:iam::{{ aws_account_id }}:role/ansible_lambda_role' + - Sid: AllowRegionalRestrictedResourceActionsWhichIncurFees + Effect: Allow + Action: + - wafv2:ListRuleGroups + - wafv2:ListWebACLs + - wafv2:AssociateWebACL + - wafv2:DeleteRuleGroup + - wafv2:CreateRuleGroup + - wafv2:PutFirewallManagerRuleGroups + - wafv2:GetWebACLForResource + - wafv2:GetLoggingConfiguration + - wafv2:DeleteWebACL + - wafv2:GetRateBasedStatementManagedKeys + - wafv2:ListLoggingConfigurations + - wafv2:GetIPSet + - wafv2:CreateWebACL + - wafv2:ListIPSets + - wafv2:GetWebACL + - wafv2:GetRuleGroup + - wafv2:CreateIPSet + - wafv2:ListAvailableManagedRuleGroups + - wafv2:DeleteIPSet + - wafv2:DescribeManagedRuleGroup + - wafv2:CheckCapacity + - wafv2:ListResourcesForWebACL + - wafv2:DeleteLoggingConfiguration + - wafv2:PutLoggingConfiguration + - wafv2:DisassociateWebACL + - wafv2:UpdateWebACL + - wafv2:UpdateRuleGroup + - wafv2:DeleteFirewallManagerRuleGroups + - wafv2:DisassociateFirewallManager + - wafv2:UpdateIPSet + - Sid: AllowRegionalUnrestrictedResourceActionsWhichIncurNoFees Effect: Allow Action: 
@@ -87,36 +121,6 @@ Statement: - waf:UpdateSqlInjectionMatchSet - waf:UpdateWebACL - waf:UpdateXssMatchSet - - wafv2:ListRuleGroups - - wafv2:ListWebACLs - - wafv2:AssociateWebACL - - wafv2:DeleteRuleGroup - - wafv2:CreateRuleGroup - - wafv2:PutFirewallManagerRuleGroups - - wafv2:GetWebACLForResource - - wafv2:GetLoggingConfiguration - - wafv2:DeleteWebACL - - wafv2:GetRateBasedStatementManagedKeys - - wafv2:ListLoggingConfigurations - - wafv2:GetIPSet - - wafv2:CreateWebACL - - wafv2:ListIPSets - - wafv2:GetWebACL - - wafv2:GetRuleGroup - - wafv2:CreateIPSet - - wafv2:ListAvailableManagedRuleGroups - - wafv2:DeleteIPSet - - wafv2:DescribeManagedRuleGroup - - wafv2:CheckCapacity - - wafv2:ListResourcesForWebACL - - wafv2:DeleteLoggingConfiguration - - wafv2:PutLoggingConfiguration - - wafv2:DisassociateWebACL - - wafv2:UpdateWebACL - - wafv2:UpdateRuleGroup - - wafv2:DeleteFirewallManagerRuleGroups - - wafv2:DisassociateFirewallManager - - wafv2:UpdateIPSet" - inspector:ListAssessmentTargets - inspector:CreateResourceGroup - inspector:CreateAssessmentTarget From ed6fcfe71c0b24cd914b5a4a236fd66a7b9b9132 Mon Sep 17 00:00:00 2001 From: Markus Bergholz Date: Thu, 11 Mar 2021 13:18:53 +0100 Subject: [PATCH 04/18] add draft WafV2IpSetRegionl terminator class --- aws/terminator/security_services.py | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/aws/terminator/security_services.py b/aws/terminator/security_services.py index 5e101a7f..1132d685 100644 --- a/aws/terminator/security_services.py +++ b/aws/terminator/security_services.py 
@@ -265,6 +265,27 @@ def terminate(self): self.client.delete_regex_pattern_set(RegexPatternSetId=self.id, ChangeToken=self.change_token) +class WafV2IpSetRegionl(Terminator): + @staticmethod + def create(credentials): + return Terminator._create(credentials, WafV2IpSet, 'wafv2', lambda client: client.list_ip_sets(Scope='REGIONAL')['IPSets']) + + @property + def id(self): + return self.instance['Id'] + + @property + def name(self): + return self.instance['Name'] + + @property + def lock_token(self): + return self.instance['LockToken'] + + def terminate(self): + self.client.delete_ip_set(Id=self.id, Name=self.name, LockToken=self.lock_token, Scope='REGIONAL') + + class InspectorAssessmentTemplate(DbTerminator): @staticmethod def create(credentials): From d66fc66e227927aac93ae9bf5255037faad2fe2b Mon Sep 17 00:00:00 2001 From: Markus Bergholz Date: Thu, 11 Mar 2021 13:22:21 +0100 Subject: [PATCH 05/18] fix undefined variable --- aws/terminator/security_services.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws/terminator/security_services.py b/aws/terminator/security_services.py index 1132d685..9ccf62a1 100644 --- a/aws/terminator/security_services.py +++ b/aws/terminator/security_services.py @@ -268,7 +268,7 @@ def terminate(self): class WafV2IpSetRegionl(Terminator): @staticmethod def create(credentials): - return Terminator._create(credentials, WafV2IpSet, 'wafv2', lambda client: client.list_ip_sets(Scope='REGIONAL')['IPSets']) + return Terminator._create(credentials, WafV2IpSetRegionl, 'wafv2', lambda client: client.list_ip_sets(Scope='REGIONAL')['IPSets']) @property def id(self): From 7eb5d45cf9dcf25191d4a2606fe3d79aad371780 Mon Sep 17 00:00:00 2001 From: Markus Bergholz Date: Thu, 11 Mar 2021 19:18:00 +0100 Subject: [PATCH 06/18] Update aws/terminator/security_services.py Co-authored-by: Mark Chappell --- aws/terminator/security_services.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/aws/terminator/security_services.py b/aws/terminator/security_services.py index 9ccf62a1..3a7efa17 100644 --- a/aws/terminator/security_services.py +++ b/aws/terminator/security_services.py @@ -265,7 +265,7 @@ def terminate(self): self.client.delete_regex_pattern_set(RegexPatternSetId=self.id, ChangeToken=self.change_token) -class WafV2IpSetRegionl(Terminator): +class WafV2IpSet(DbTerminator): @staticmethod def create(credentials): return Terminator._create(credentials, WafV2IpSetRegionl, 'wafv2', lambda client: client.list_ip_sets(Scope='REGIONAL')['IPSets']) From 00c2bd5e357a35597997e5c1d5515c65c22c8875 Mon Sep 17 00:00:00 2001 From: Markus Bergholz Date: Thu, 11 Mar 2021 19:18:16 +0100 Subject: [PATCH 07/18] Update aws/terminator/security_services.py Co-authored-by: Mark Chappell --- aws/terminator/security_services.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/aws/terminator/security_services.py b/aws/terminator/security_services.py index 3a7efa17..b690e858 100644 --- a/aws/terminator/security_services.py +++ b/aws/terminator/security_services.py @@ -268,7 +268,9 @@ def terminate(self): class WafV2IpSet(DbTerminator): @staticmethod def create(credentials): - return Terminator._create(credentials, WafV2IpSetRegionl, 'wafv2', lambda client: client.list_ip_sets(Scope='REGIONAL')['IPSets']) + regional = DbTerminator._create(credentials, WafV2IpSet, 'wafv2', lambda client: client.list_ip_sets(Scope='REGIONAL')['IPSets']) + cloudfront = DbTerminator._create(credentials, WafV2IpSet, 'wafv2', lambda client: client.list_ip_sets(Scope='CLOUDFRONT')['IPSets']) + return regional + cloudfront @property def id(self): From 163387824276f132a308bbf2a749126d8641afbe Mon Sep 17 00:00:00 2001 From: Markus Bergholz Date: Thu, 11 Mar 2021 20:24:55 +0100 Subject: [PATCH 08/18] add WafV2RuleGroup and kept scope information --- aws/terminator/security_services.py | 43 ++++++++++++++++++++++++++++- 1 file changed, 42 insertions(+), 1 deletion(-) 
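Review bot: The new `cloudfront` listing calls `list_ip_sets(Scope='CLOUDFRONT')` through the same client factory as the regional one, but WAFv2 CloudFront-scoped resources are only served from the us-east-1 endpoint; if `DbTerminator._create` (outside this hunk) builds its client in the terminator's configured region, the call is rejected in every other region and CloudFront IP sets are never cleaned up. The same applies to the rule-group and web-ACL listings added in patches 08 and 13 and to the `Cloudfront*` classes in patch 18. Consider giving the CloudFront variants a client bound to us-east-1, or at least documenting the constraint on the class, e.g. `# CLOUDFRONT scope is only served from us-east-1; a client in any other region cannot list or delete these`. Separately, the lambda returns only the first page of `IPSets` — WAFv2 list calls page with `NextMarker` — so sets beyond the first page are silently skipped unless the file's existing list lambdas already accept that limitation.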
diff --git a/aws/terminator/security_services.py b/aws/terminator/security_services.py index b690e858..d790eb9a 100644 --- a/aws/terminator/security_services.py +++ b/aws/terminator/security_services.py @@ -269,7 +269,13 @@ class WafV2IpSet(DbTerminator): @staticmethod def create(credentials): regional = DbTerminator._create(credentials, WafV2IpSet, 'wafv2', lambda client: client.list_ip_sets(Scope='REGIONAL')['IPSets']) + for item in regionl: + item.update({"Scope":"REGIONAL"}) + cloudfront = DbTerminator._create(credentials, WafV2IpSet, 'wafv2', lambda client: client.list_ip_sets(Scope='CLOUDFRONT')['IPSets']) + for item in cloudfront: + item.update({"Scope":"CLOUDFRONT"}) + return regional + cloudfront @property 
@@ -284,10 +290,45 @@ def name(self): def lock_token(self): return self.instance['LockToken'] + @property + def scope(self): + return self.instance['Scope'] + def terminate(self): - self.client.delete_ip_set(Id=self.id, Name=self.name, LockToken=self.lock_token, Scope='REGIONAL') + self.client.delete_ip_set(Id=self.id, Name=self.name, LockToken=self.lock_token, Scope=self.scope) +class WafV2RuleGroup(DbTerminator): + @staticmethod + def create(credentials): + regional = DbTerminator._create(credentials, WafV2RuleGroup, 'wafv2', lambda client: client.list_rule_groups(Scope='REGIONAL')['RuleGroups']) + for item in regionl: + item.update({"Scope":"REGIONAL"}) + + cloudfront = DbTerminator._create(credentials, WafV2RuleGroup, 'wafv2', lambda client: client.list_rule_groups(Scope='CLOUDFRONT')['RuleGroups']) + for item in cloudfront: + item.update({"Scope":"CLOUDFRONT"}) + return regional + cloudfront + + @property + def id(self): + return self.instance['Id'] + + @property + def name(self): + return self.instance['Name'] + + @property + def lock_token(self): + return self.instance['LockToken'] + + @property + def scope(self): + return self.instance['Scope'] + + def terminate(self): + self.client.delete_rule_group(Id=self.id, Name=self.name, LockToken=self.lock_token, Scope=self.scope) + class InspectorAssessmentTemplate(DbTerminator): @staticmethod def create(credentials): From b75d66161af713bed6ca5b5e8caa817cc761c84a Mon Sep 17 00:00:00 2001 From: Markus Bergholz Date: Thu, 11 Mar 2021 20:29:10 +0100 Subject: [PATCH 09/18] add WafV2 class --- aws/terminator/security_services.py | 47 +++++++++++------------------ 1 file changed, 17 insertions(+), 30 deletions(-) diff --git a/aws/terminator/security_services.py b/aws/terminator/security_services.py index d790eb9a..6704673c 100644 --- a/aws/terminator/security_services.py +++ b/aws/terminator/security_services.py 
@@ -265,19 +265,7 @@ def terminate(self): self.client.delete_regex_pattern_set(RegexPatternSetId=self.id, ChangeToken=self.change_token) -class WafV2IpSet(DbTerminator): - @staticmethod - def create(credentials): - regional = DbTerminator._create(credentials, WafV2IpSet, 'wafv2', lambda client: client.list_ip_sets(Scope='REGIONAL')['IPSets']) - for item in regionl: - item.update({"Scope":"REGIONAL"}) - - cloudfront = DbTerminator._create(credentials, WafV2IpSet, 'wafv2', lambda client: client.list_ip_sets(Scope='CLOUDFRONT')['IPSets']) - for item in cloudfront: - item.update({"Scope":"CLOUDFRONT"}) - - return regional + cloudfront - +class WafV2(DbTerminator): @property def id(self): return self.instance['Id'] @@ -294,11 +282,25 @@ def lock_token(self): def scope(self): return self.instance['Scope'] + +class WafV2IpSet(WafV2): + @staticmethod + def create(credentials): + regional = DbTerminator._create(credentials, WafV2IpSet, 'wafv2', lambda client: client.list_ip_sets(Scope='REGIONAL')['IPSets']) + for item in regionl: + item.update({"Scope":"REGIONAL"}) + + cloudfront = DbTerminator._create(credentials, WafV2IpSet, 'wafv2', lambda client: client.list_ip_sets(Scope='CLOUDFRONT')['IPSets']) + for item in cloudfront: + item.update({"Scope":"CLOUDFRONT"}) + + return regional + cloudfront + def terminate(self): self.client.delete_ip_set(Id=self.id, Name=self.name, LockToken=self.lock_token, Scope=self.scope) -class WafV2RuleGroup(DbTerminator): +class WafV2RuleGroup(WafV2): @staticmethod def create(credentials): regional = DbTerminator._create(credentials, WafV2RuleGroup, 'wafv2', lambda client: client.list_rule_groups(Scope='REGIONAL')['RuleGroups']) 
@@ -310,25 +312,10 @@ def create(credentials): item.update({"Scope":"CLOUDFRONT"}) return regional + cloudfront - @property - def id(self): - return self.instance['Id'] - - @property - def name(self): - return self.instance['Name'] - - @property - def lock_token(self): - return self.instance['LockToken'] - - @property - def scope(self): - return self.instance['Scope'] - def terminate(self): self.client.delete_rule_group(Id=self.id, Name=self.name, LockToken=self.lock_token, Scope=self.scope) + class InspectorAssessmentTemplate(DbTerminator): @staticmethod def create(credentials): From eb923c848220baf57fff6a74e8cda0bbce667082 Mon Sep 17 00:00:00 2001 From: Markus Bergholz Date: Thu, 11 Mar 2021 20:35:14 +0100 Subject: [PATCH 10/18] fix linting --- aws/terminator/security_services.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/aws/terminator/security_services.py b/aws/terminator/security_services.py index 6704673c..6411327b 100644 --- a/aws/terminator/security_services.py +++ b/aws/terminator/security_services.py @@ -288,11 +288,11 @@ class WafV2IpSet(WafV2): def create(credentials): regional = DbTerminator._create(credentials, WafV2IpSet, 'wafv2', lambda client: client.list_ip_sets(Scope='REGIONAL')['IPSets']) for item in regionl: - item.update({"Scope":"REGIONAL"}) + item.update({"Scope": "REGIONAL"}) cloudfront = DbTerminator._create(credentials, WafV2IpSet, 'wafv2', lambda client: client.list_ip_sets(Scope='CLOUDFRONT')['IPSets']) for item in cloudfront: - item.update({"Scope":"CLOUDFRONT"}) + item.update({"Scope": "CLOUDFRONT"}) return regional + cloudfront 
@@ -305,11 +305,11 @@ class WafV2RuleGroup(WafV2): def create(credentials): regional = DbTerminator._create(credentials, WafV2RuleGroup, 'wafv2', lambda client: client.list_rule_groups(Scope='REGIONAL')['RuleGroups']) for item in regionl: - item.update({"Scope":"REGIONAL"}) + item.update({"Scope": "REGIONAL"}) cloudfront = DbTerminator._create(credentials, WafV2RuleGroup, 'wafv2', lambda client: client.list_rule_groups(Scope='CLOUDFRONT')['RuleGroups']) for item in cloudfront: - item.update({"Scope":"CLOUDFRONT"}) + item.update({"Scope": "CLOUDFRONT"}) return regional + cloudfront def terminate(self): From 603c4d256862ea2bee8227123f7e10030c17f1bd Mon Sep 17 00:00:00 2001 From: Markus Bergholz Date: Thu, 11 Mar 2021 20:44:56 +0100 Subject: [PATCH 11/18] add abstract methods and fix undefined variables --- aws/terminator/security_services.py | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/aws/terminator/security_services.py b/aws/terminator/security_services.py index 6411327b..974825c0 100644 --- a/aws/terminator/security_services.py +++ b/aws/terminator/security_services.py @@ -282,12 +282,20 @@ def lock_token(self): def scope(self): return self.instance['Scope'] + @abc.abstractmethod + def terminate(self): + """Terminate or delete the AWS resource.""" + + @abc.abstractmethod + def create(self): + """List the existing AWS resource.""" + class WafV2IpSet(WafV2): @staticmethod def create(credentials): regional = DbTerminator._create(credentials, WafV2IpSet, 'wafv2', lambda client: client.list_ip_sets(Scope='REGIONAL')['IPSets']) - for item in regionl: + for item in regional: item.update({"Scope": "REGIONAL"}) cloudfront = DbTerminator._create(credentials, WafV2IpSet, 'wafv2', lambda client: client.list_ip_sets(Scope='CLOUDFRONT')['IPSets']) 
@@ -304,7 +312,7 @@ class WafV2RuleGroup(WafV2): @staticmethod def create(credentials): regional = DbTerminator._create(credentials, WafV2RuleGroup, 'wafv2', lambda client: client.list_rule_groups(Scope='REGIONAL')['RuleGroups']) - for item in regionl: + for item in regional: item.update({"Scope": "REGIONAL"}) cloudfront = DbTerminator._create(credentials, WafV2RuleGroup, 'wafv2', lambda client: client.list_rule_groups(Scope='CLOUDFRONT')['RuleGroups']) From 89eace241946164ed33bcff644415b9fe8f4e4e3 Mon Sep 17 00:00:00 2001 From: Markus Bergholz Date: Thu, 11 Mar 2021 20:51:55 +0100 Subject: [PATCH 12/18] remove abstract create method --- aws/terminator/security_services.py | 4 ---- 1 file changed, 4 deletions(-) diff --git a/aws/terminator/security_services.py b/aws/terminator/security_services.py index 974825c0..f8c1f759 100644 --- a/aws/terminator/security_services.py +++ b/aws/terminator/security_services.py @@ -286,10 +286,6 @@ def scope(self): def terminate(self): """Terminate or delete the AWS resource.""" - @abc.abstractmethod - def create(self): - """List the existing AWS resource.""" - class WafV2IpSet(WafV2): @staticmethod From efe14bf818e5d9bafa7f8657695eced306bcec35 Mon Sep 17 00:00:00 2001 From: Markus Bergholz Date: Thu, 11 Mar 2021 20:58:42 +0100 Subject: [PATCH 13/18] add WafV2WebAcl class --- aws/terminator/security_services.py | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/aws/terminator/security_services.py b/aws/terminator/security_services.py index f8c1f759..1608120d 100644 --- a/aws/terminator/security_services.py +++ b/aws/terminator/security_services.py 
@@ -320,6 +320,22 @@ def terminate(self): self.client.delete_rule_group(Id=self.id, Name=self.name, LockToken=self.lock_token, Scope=self.scope) +class WafV2WebAcl(WafV2): + @staticmethod + def create(credentials): + regional = DbTerminator._create(credentials, WafV2WebAcl, 'wafv2', lambda client: client.list_web_acls(Scope='REGIONAL')['WebACLs']) + for item in regional: + item.update({"Scope": "REGIONAL"}) + + cloudfront = DbTerminator._create(credentials, WafV2WebAcl, 'wafv2', lambda client: client.list_web_acls(Scope='CLOUDFRONT')['WebACLs']) + for item in cloudfront: + item.update({"Scope": "CLOUDFRONT"}) + return regional + cloudfront + + def terminate(self): + self.client.delete_web_acl(Id=self.id, Name=self.name, LockToken=self.lock_token, Scope=self.scope) + + class InspectorAssessmentTemplate(DbTerminator): @staticmethod def create(credentials): From 22dd03f88c77571c7aa1800fb6a1b15a32c1f805 Mon Sep 17 00:00:00 2001 From: Markus Bergholz Date: Fri, 12 Mar 2021 08:59:12 +0100 Subject: [PATCH 14/18] add resource and missing action --- aws/policy/security-services.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/aws/policy/security-services.yaml b/aws/policy/security-services.yaml index 010d3831..81caa130 100644 --- a/aws/policy/security-services.yaml +++ b/aws/policy/security-services.yaml @@ -29,6 +29,8 @@ Statement: - Sid: AllowRegionalRestrictedResourceActionsWhichIncurFees Effect: Allow + Resource: + - 'arn:aws:wafv2:{{ aws_region }}:{{ aws_account_id }}:*' Action: - wafv2:ListRuleGroups - wafv2:ListWebACLs @@ -60,6 +62,7 @@ Statement: - wafv2:DeleteFirewallManagerRuleGroups - wafv2:DisassociateFirewallManager - wafv2:UpdateIPSet + - wafv2:TagResource - Sid: AllowRegionalUnrestrictedResourceActionsWhichIncurNoFees Effect: Allow From 9e4eea3c62641f9c692154fb1165023cd0171f61 Mon Sep 17 00:00:00 2001 
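Review bot: `WafV2WebAcl.terminate` calls `delete_web_acl` directly, but WAFv2 refuses to delete a web ACL that is still associated with a resource (the ALB case that patch 15 grants `elasticloadbalancing:SetWebACL` for) and raises WAFAssociatedItemException, so an ACL left attached by a failed test is never removed; the same holds for `RegionalWafV2WebAcl`/`CloudfrontWafV2WebAcl` in patch 18. The policy already grants `wafv2:ListResourcesForWebACL` and `wafv2:DisassociateWebACL`, so terminate can walk the associations and drop them before deleting, as sketched below. `list_resources_for_web_acl` is valid for the REGIONAL scope only and, when `ResourceType` is omitted, returns ALB associations; CloudFront associations are cleared on the distribution instead. The sketch assumes the `ARN` field of the `ListWebACLs` summary survives into `self.instance`, which this hunk does not show.
```python
    def terminate(self):
        # WAFv2 rejects DeleteWebACL while associations exist; drop them first.
        # list_resources_for_web_acl covers regional resources only (ALBs by default);
        # CloudFront associations are cleared on the distribution instead.
        if self.scope == 'REGIONAL':
            web_acl_arn = self.instance['ARN']  # present in ListWebACLs summaries — confirm the lambda keeps it
            for resource_arn in self.client.list_resources_for_web_acl(WebACLArn=web_acl_arn)['ResourceArns']:
                self.client.disassociate_web_acl(ResourceArn=resource_arn)
        self.client.delete_web_acl(Id=self.id, Name=self.name, LockToken=self.lock_token, Scope=self.scope)
```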
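Review bot: Binding this statement to `arn:aws:wafv2:{{ aws_region }}:{{ aws_account_id }}:*` will, as far as I recall the Service Authorization Reference, deny the account-level actions that sit in the same list — `wafv2:ListIPSets`, `ListRuleGroups`, `ListWebACLs`, `ListAvailableManagedRuleGroups`, `ListLoggingConfigurations`, `DescribeManagedRuleGroup`, `CheckCapacity` — because they have no resource type and only match `Resource: '*'`, so the terminator's `list_ip_sets`/`list_rule_groups`/`list_web_acls` calls from patches 07–18 would fail with AccessDenied. The region-bound ARN also excludes CLOUDFRONT-scoped resources, whose ARNs carry `us-east-1` and a `global/` scope segment, unless the terminator happens to run in that region. Consider moving the List*/Describe/CheckCapacity actions back to the `Resource: '*'` statement and keeping only the Create/Get/Update/Delete/Associate actions here, adding `'arn:aws:wafv2:us-east-1:{{ aws_account_id }}:global/*'` if the CloudFront scope is really exercised. `PutFirewallManagerRuleGroups`, `DeleteFirewallManagerRuleGroups` and `DisassociateFirewallManager` are actions AWS Firewall Manager performs on the account's behalf and can be dropped unless the tests drive FMS.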
From: Markus Bergholz Date: Fri, 12 Mar 2021 09:02:22 +0100 Subject: [PATCH 15/18] add alb setwebacl action --- aws/policy/compute.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/aws/policy/compute.yaml b/aws/policy/compute.yaml index a5e465e4..83501287 100644 --- a/aws/policy/compute.yaml +++ b/aws/policy/compute.yaml @@ -175,6 +175,7 @@ Statement: - elasticloadbalancing:ModifyLoadBalancerAttributes - elasticloadbalancing:RegisterTargets - elasticloadbalancing:SetSecurityGroups + - elasticloadbalancing:SetWebACL - elasticfilesystem:DescribeFileSystems - elasticfilesystem:DescribeMountTargets - elasticfilesystem:DescribeMountTargetSecurityGroups @@ -183,7 +184,7 @@ Statement: - elasticfilesystem:CreateMountTarget - elasticfilesystem:CreateTags - elasticfilesystem:DeleteFileSystem - - elasticfilesystem:DeleteMountTarget + - elasticfilesystem:DeleteMountTarget Resource: - 'arn:aws:autoscaling:{{ aws_region }}:{{ aws_account_id }}:launchConfiguration:*' - 'arn:aws:autoscaling:{{ aws_region }}:{{ aws_account_id }}:autoScalingGroup:*' From 5c78df51294edafc0e6426f31a3fdd7c1ed053aa Mon Sep 17 00:00:00 2001 From: Markus Bergholz Date: Fri, 12 Mar 2021 09:07:24 +0100 Subject: [PATCH 16/18] fix linting --- aws/policy/compute.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws/policy/compute.yaml b/aws/policy/compute.yaml index 83501287..0ef28016 100644 --- a/aws/policy/compute.yaml +++ b/aws/policy/compute.yaml @@ -184,7 +184,7 @@ Statement: - elasticfilesystem:CreateMountTarget - elasticfilesystem:CreateTags - elasticfilesystem:DeleteFileSystem - - elasticfilesystem:DeleteMountTarget + - elasticfilesystem:DeleteMountTarget Resource: - 'arn:aws:autoscaling:{{ aws_region }}:{{ aws_account_id }}:launchConfiguration:*' - 'arn:aws:autoscaling:{{ aws_region }}:{{ aws_account_id }}:autoScalingGroup:*' From d76f1fae4a4b98a650835d9ee99e8cc0c07486b1 Mon Sep 17 00:00:00 2001 
From: Markus Bergholz Date: Mon, 15 Mar 2021 22:53:10 +0100 Subject: [PATCH 17/18] fix update dict --- aws/terminator/security_services.py | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/aws/terminator/security_services.py b/aws/terminator/security_services.py index 1608120d..503a5feb 100644 --- a/aws/terminator/security_services.py +++ b/aws/terminator/security_services.py @@ -292,11 +292,11 @@ class WafV2IpSet(WafV2): def create(credentials): regional = DbTerminator._create(credentials, WafV2IpSet, 'wafv2', lambda client: client.list_ip_sets(Scope='REGIONAL')['IPSets']) for item in regional: - item.update({"Scope": "REGIONAL"}) + item["Scope"] = "REGIONAL" cloudfront = DbTerminator._create(credentials, WafV2IpSet, 'wafv2', lambda client: client.list_ip_sets(Scope='CLOUDFRONT')['IPSets']) for item in cloudfront: - item.update({"Scope": "CLOUDFRONT"}) + item["Scope"] = "CLOUDFRONT" return regional + cloudfront @@ -309,11 +309,12 @@ class WafV2RuleGroup(WafV2): def create(credentials): regional = DbTerminator._create(credentials, WafV2RuleGroup, 'wafv2', lambda client: client.list_rule_groups(Scope='REGIONAL')['RuleGroups']) for item in regional: - item.update({"Scope": "REGIONAL"}) + item["Scope"] = "REGIONAL" cloudfront = DbTerminator._create(credentials, WafV2RuleGroup, 'wafv2', lambda client: client.list_rule_groups(Scope='CLOUDFRONT')['RuleGroups']) for item in cloudfront: - item.update({"Scope": "CLOUDFRONT"}) + item["Scope"] = "CLOUDFRONT" + return regional + cloudfront def terminate(self): 
@@ -325,11 +326,12 @@ class WafV2WebAcl(WafV2): def create(credentials): regional = DbTerminator._create(credentials, WafV2WebAcl, 'wafv2', lambda client: client.list_web_acls(Scope='REGIONAL')['WebACLs']) for item in regional: - item.update({"Scope": "REGIONAL"}) + item["Scope"] = "REGIONAL" cloudfront = DbTerminator._create(credentials, WafV2WebAcl, 'wafv2', lambda client: client.list_web_acls(Scope='CLOUDFRONT')['WebACLs']) for item in cloudfront: - item.update({"Scope": "CLOUDFRONT"}) + item["Scope"] = "CLOUDFRONT" + return regional + cloudfront def terminate(self): From 40b43d777b7fdb401445a736d6ee8a877f7853f5 Mon Sep 17 00:00:00 2001 From: Markus Bergholz Date: Wed, 17 Mar 2021 16:14:46 +0100 Subject: [PATCH 18/18] fix errors --- aws/terminator/security_services.py | 57 +++++++++++++++-------------- 1 file changed, 30 insertions(+), 27 deletions(-) diff --git a/aws/terminator/security_services.py b/aws/terminator/security_services.py index 503a5feb..ea8bfb1d 100644 --- a/aws/terminator/security_services.py +++ b/aws/terminator/security_services.py 
@@ -287,55 +287,58 @@ def terminate(self): """Terminate or delete the AWS resource.""" -class WafV2IpSet(WafV2): +class RegionalWafV2IpSet(WafV2): @staticmethod def create(credentials): - regional = DbTerminator._create(credentials, WafV2IpSet, 'wafv2', lambda client: client.list_ip_sets(Scope='REGIONAL')['IPSets']) - for item in regional: - item["Scope"] = "REGIONAL" + return DbTerminator._create(credentials, RegionalWafV2IpSet, 'wafv2', lambda client: client.list_ip_sets(Scope='REGIONAL')['IPSets']) + + def terminate(self): + self.client.delete_ip_set(Id=self.id, Name=self.name, LockToken=self.lock_token, Scope='REGIONAL') - cloudfront = DbTerminator._create(credentials, WafV2IpSet, 'wafv2', lambda client: client.list_ip_sets(Scope='CLOUDFRONT')['IPSets']) - for item in cloudfront: - item["Scope"] = "CLOUDFRONT" - return regional + cloudfront +class CloudfrontWafV2IpSet(WafV2): + @staticmethod + def create(credentials): + return DbTerminator._create(credentials, CloudfrontWafV2IpSet, 'wafv2', lambda client: client.list_ip_sets(Scope='CLOUDFRONT')['IPSets']) def terminate(self): - self.client.delete_ip_set(Id=self.id, Name=self.name, LockToken=self.lock_token, Scope=self.scope) + self.client.delete_ip_set(Id=self.id, Name=self.name, LockToken=self.lock_token, Scope='CLOUDFRONT') -class WafV2RuleGroup(WafV2): +class RegionalWafV2RuleGroup(WafV2): @staticmethod def create(credentials): - regional = DbTerminator._create(credentials, WafV2RuleGroup, 'wafv2', lambda client: client.list_rule_groups(Scope='REGIONAL')['RuleGroups']) - for item in regional: - item["Scope"] = "REGIONAL" + return DbTerminator._create(credentials, RegionalWafV2RuleGroup, 'wafv2', lambda client: client.list_rule_groups(Scope='REGIONAL')['RuleGroups']) + + def terminate(self): + self.client.delete_rule_group(Id=self.id, Name=self.name, LockToken=self.lock_token, Scope='REGIONAL') - cloudfront = DbTerminator._create(credentials, WafV2RuleGroup, 'wafv2', lambda client: 
client.list_rule_groups(Scope='CLOUDFRONT')['RuleGroups']) - for item in cloudfront: - item["Scope"] = "CLOUDFRONT" - return regional + cloudfront +class CloudfrontWafV2RuleGroup(WafV2): + @staticmethod + def create(credentials): + return DbTerminator._create(credentials, CloudfrontWafV2RuleGroup, 'wafv2', lambda client: client.list_rule_groups(Scope='CLOUDFRONT')['RuleGroups']) def terminate(self): - self.client.delete_rule_group(Id=self.id, Name=self.name, LockToken=self.lock_token, Scope=self.scope) + self.client.delete_rule_group(Id=self.id, Name=self.name, LockToken=self.lock_token, Scope='CLOUDFRONT') -class WafV2WebAcl(WafV2): +class RegionalWafV2WebAcl(WafV2): @staticmethod def create(credentials): - regional = DbTerminator._create(credentials, WafV2WebAcl, 'wafv2', lambda client: client.list_web_acls(Scope='REGIONAL')['WebACLs']) - for item in regional: - item["Scope"] = "REGIONAL" + return DbTerminator._create(credentials, RegionalWafV2WebAcl, 'wafv2', lambda client: client.list_web_acls(Scope='REGIONAL')['WebACLs']) + + def terminate(self): + self.client.delete_web_acl(Id=self.id, Name=self.name, LockToken=self.lock_token, Scope='REGIONAL') - cloudfront = DbTerminator._create(credentials, WafV2WebAcl, 'wafv2', lambda client: client.list_web_acls(Scope='CLOUDFRONT')['WebACLs']) - for item in cloudfront: - item["Scope"] = "CLOUDFRONT" - return regional + cloudfront +class CloudfrontWafV2WebAcl(WafV2): + @staticmethod + def create(credentials): + return DbTerminator._create(credentials, CloudfrontWafV2WebAcl, 'wafv2', lambda client: client.list_web_acls(Scope='CLOUDFRONT')['WebACLs']) def terminate(self): - self.client.delete_web_acl(Id=self.id, Name=self.name, LockToken=self.lock_token, Scope=self.scope) + self.client.delete_web_acl(Id=self.id, Name=self.name, LockToken=self.lock_token, Scope='CLOUDFRONT') class InspectorAssessmentTemplate(DbTerminator):
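Review bot: With the per-item `Scope` assignments removed, the `scope` property left on the `WafV2` base class (its `return self.instance['Scope']` is visible as context in patches 09 and 11; the class itself starts above this hunk) now reads a key the list responses never contain and raises KeyError on first use, so it should be deleted or replaced by a class attribute. Declaring `scope` once per subclass and writing `create`/`terminate` on a per-resource intermediate class collapses the six near-identical classes into three short ones, as sketched below; this assumes `DbTerminator._create` (outside the hunk) accepts the concrete class as its second argument, as the existing calls do, and that whatever enumerates terminator subclasses already skips abstract intermediates such as `WafV2`. Separately, `LockToken` is captured at listing time and reused at deletion; if an entry is stored and terminated on a later run, any intervening update to the set, group or ACL makes the token stale and `delete_*` raises WAFOptimisticLockException, so fetching a fresh token with `get_ip_set`/`get_rule_group`/`get_web_acl` right before the delete would be more robust.
```python
class WafV2IpSet(WafV2):
    scope = None  # set by the Regional/Cloudfront subclasses; not a terminator itself

    @classmethod
    def create(cls, credentials):
        return DbTerminator._create(credentials, cls, 'wafv2', lambda client: client.list_ip_sets(Scope=cls.scope)['IPSets'])

    def terminate(self):
        self.client.delete_ip_set(Id=self.id, Name=self.name, LockToken=self.lock_token, Scope=self.scope)


class RegionalWafV2IpSet(WafV2IpSet):
    scope = 'REGIONAL'


class CloudfrontWafV2IpSet(WafV2IpSet):
    scope = 'CLOUDFRONT'

# … unchanged pattern: the rule-group and web-ACL pairs are built the same way …
```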