

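def lambda_handler(event, context):
    """Block the remote IP(s) named in a GuardDuty finding via the VPC NACL and WAF IP sets.

    For ``Recon:EC2/PortProbe`` findings every prober address under
    ``portProbeDetails`` is collected; for any other finding type the first
    ``remoteIpDetails`` found anywhere in the event is used. The NACL of the
    instance's subnet is updated first, and only when at least one NACL update
    succeeded are the WAF IP sets updated. An admin notification is sent in
    either case when the finding carried enough information to act on.

    Args:
        event: GuardDuty finding as delivered to Lambda (``region`` at the top
            level, finding body under ``detail``).
        context: Lambda context object (unused).

    Returns:
        None.

    Raises:
        Exception: any failure while reading the finding or updating the
            NACL/WAF is logged with its traceback and re-raised so the
            invocation is reported as failed.
    """
    # The full finding is logged at INFO; it contains the remote address and
    # instance details, so log retention/access should be reviewed accordingly.
    event_json = json.dumps(event)
    logger.info("log -- Event: %s ", event_json)

    try:
        finding_type = event["detail"]["type"]
        finding_id = event["detail"]["id"]
        region = event["region"]
        host_ips = []
        network_acl_id = None

        if 'Recon:EC2/PortProbe' in finding_type:
            instance_details = event["detail"]["resource"]["instanceDetails"]
            instance_id = instance_details["instanceId"]
            subnet_id = instance_details["networkInterfaces"][0]["subnetId"]
            probe_details = event["detail"]["service"]["action"]["portProbeAction"]["portProbeDetails"]
            host_ips = [str(probe["remoteIpDetails"]["ipAddressV4"]) for probe in probe_details]
            network_acl_id = get_netacl_id(subnet_id=subnet_id)
        else:
            # find_values() returns a list of every match in the serialized
            # event; reduce to the first hit (or None) so logging and the
            # notification see a scalar rather than a list repr.
            instance_ids = find_values('instanceId', event_json)
            subnet_ids = find_values('subnetId', event_json)
            remote_ip_details = find_values('remoteIpDetails', event_json)
            instance_id = instance_ids[0] if instance_ids else None
            subnet_id = subnet_ids[0] if subnet_ids else None
            # NOTE(review): the "remote" address is blocked regardless of
            # connection direction; for findings where the instance initiated
            # the connection this would be the destination address, not an
            # attacker. Confirm whether a direction check is wanted before
            # acting on such findings.
            if remote_ip_details and subnet_id:
                host_ips.append(remote_ip_details[0]["ipAddressV4"])
                network_acl_id = get_netacl_id(subnet_id=subnet_id)

        if host_ips and network_acl_id:
            logger.info(
                "log -- gd2acl attempting to process finding data: instanceID: %s - SubnetId: %s - RemoteHostIp: %s",
                instance_id, subnet_id, host_ips,
            )

            # Update VPC NACL once per distinct address (order preserved) so a
            # finding listing the same prober several times does not create
            # duplicate rule updates or inflate the success counter.
            update_counter = 0
            for ip in dict.fromkeys(host_ips):
                if update_nacl(netacl_id=network_acl_id, host_ip=ip, region=region) is True:
                    update_counter += 1

            # Update WAF IP Sets only if at least one NACL update succeeded.
            if update_counter > 0:
                logger.info(
                    'log -- adding Regional and CloudFront WAF IP set entry for host, %s from CloudFront Ip set %s and REGION IP set %s.',
                    host_ips, CLOUDFRONT_IP_SET, REGIONAL_IP_SET,
                )
                waf_update_ip_sets()

            # Send Notification
            admin_notify(str(host_ips), finding_type, network_acl_id, region, str(instance_id), str(finding_id))

            logger.info("log -- processing GuardDuty finding completed successfully")
        else:
            logger.warning(
                "log -- unable to determine required info from finding - instanceID: %s, SubnetId: %s, RemoteIp: %s",
                instance_id, subnet_id, host_ips,
            )

    except Exception:
        # Record the traceback (logger.error lost it) and fail the invocation.
        logger.exception('log -- something went wrong.')
        raise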