def evaluate_compliance()

in scripts/elb_is_secure.py [0:0]


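def evaluate_compliance(configuration_item, rule_parameters):
    """Evaluate whether every listener on an ELBv2 load balancer is the desired secure one.

    Each listener must use ``DesiredProtocol`` on ``DesiredPort`` and carry at
    least one certificate that has an ARN.  The first listener that fails any
    of these checks makes the load balancer NON_COMPLIANT; the listener's TLS
    security policy (``SslPolicy``) is not evaluated here.

    Args:
        configuration_item: AWS Config configuration item; only
            ``configuration.loadBalancerArn`` is read.
        rule_parameters: Config rule parameters; ``DesiredPort`` (integer or
            numeric string) and ``DesiredProtocol`` (e.g. ``HTTPS``) are
            required.

    Returns:
        dict with ``compliance_type`` (``COMPLIANT`` or ``NON_COMPLIANT``) and
        a human-readable ``annotation``.

    Raises:
        KeyError: if the ARN or a required rule parameter is missing.
        ValueError: if ``DesiredPort`` cannot be parsed as an integer.
    """
    load_balancer_arn = configuration_item['configuration']['loadBalancerArn']
    # Parse once, up front, so a malformed parameter fails fast instead of only
    # when a listener with the desired protocol happens to be present.
    desired_port = int(rule_parameters['DesiredPort'])
    # The API reports protocols in upper case (HTTP, HTTPS, TLS, ...); normalise
    # the parameter so a lower-case "https" is not reported as insecure.
    desired_protocol = str(rule_parameters['DesiredProtocol']).upper()

    for listener in _list_listeners(load_balancer_arn):
        verdict = _check_listener(listener, desired_port, desired_protocol)
        if verdict is not None:
            return verdict

    # Also reached when the load balancer has no listeners at all, in which case
    # the check passes vacuously.
    return {
        'compliance_type': 'COMPLIANT',
        'annotation': 'Load balancer is secure'
    }


def _list_listeners(load_balancer_arn):
    """Yield every listener of the load balancer, following DescribeListeners pagination.

    Without following ``NextMarker`` a listener on a later page would never be
    checked and the load balancer could be reported COMPLIANT by mistake.
    """
    request = {'LoadBalancerArn': load_balancer_arn}
    while True:
        page = elb.describe_listeners(**request)
        # NOTE(review): this writes the whole API response to the log; listener
        # default actions can carry authentication settings, so consider
        # trimming it if the logs are widely readable.
        print(json.dumps(page))
        for listener in page.get('Listeners', []):
            yield listener
        marker = page.get('NextMarker')
        if not marker:
            return
        request['Marker'] = marker


def _check_listener(listener, desired_port, desired_protocol):
    """Return a NON_COMPLIANT evaluation for *listener*, or None when it passes.

    Checks, in order: protocol, port, presence of at least one certificate,
    and that every certificate carries an ARN.
    """
    protocol = listener['Protocol']
    if desired_protocol != protocol:
        return _non_compliant(
            'Insecure %s protocol being used for the load balancer' % protocol
        )
    port = listener['Port']
    if desired_port != port:
        return _non_compliant(
            '%s port being used for the load balancer rather than %s' % (port, desired_port)
        )
    # Listeners without TLS may omit the key entirely, so default instead of
    # raising KeyError.
    certificates = listener.get('Certificates') or []
    if not certificates:
        return _non_compliant('Does not have a SSL Cert installed')
    if any('CertificateArn' not in cert for cert in certificates):
        return _non_compliant('Invalid SSL Cert installed - no ARN found')
    return None


def _non_compliant(annotation):
    """Build the NON_COMPLIANT evaluation dict carrying *annotation*."""
    return {
        'compliance_type': 'NON_COMPLIANT',
        'annotation': annotation
    }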