in src/securityhub_enabler.py [0:0]
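def _reconcile_standard(sh_client, *, label, standard_arn, subscription_arn,
                        currently_enabled, want_enabled, account, region):
    """Enable or disable a single Security Hub standard so that it matches *want_enabled*.

    Args:
        sh_client: boto3 Security Hub client for the target account/region.
        label: Human-readable standard name used only in log messages.
        standard_arn: ARN passed to BatchEnableStandards.
        subscription_arn: Subscription ARN passed to BatchDisableStandards.
        currently_enabled: Whether the standard is already subscribed.
        want_enabled: Desired state from configuration.
        account: AWS account id, for logging.
        region: Region name, for logging.

    Returns:
        None.  API failures are logged (with traceback) and swallowed so the
        remaining standards are still processed; they are not re-raised.
    """
    if want_enabled:
        if currently_enabled:
            LOGGER.info(f"{label} Security Standard is already enabled in "
                        f"Account {account} in {region}")
            return
        try:
            sh_client.batch_enable_standards(
                StandardsSubscriptionRequests=[{'StandardsArn': standard_arn}])
            # NOTE(review): BatchEnableStandards reports a per-standard
            # StandardsStatus in its response; a FAILED status there does not
            # raise — TODO confirm and inspect the response if strict
            # enforcement is required.
            LOGGER.info(f"Enabled {label} Security Standard in Account "
                        f"{account} in {region}")
        except Exception:
            # Logged at ERROR with the traceback so a standard silently left
            # disabled is visible to operators, instead of an INFO line.
            LOGGER.exception(f"Failed to enable {label} Security Standard in "
                             f"Account {account} in {region}")
        return

    if not currently_enabled:
        LOGGER.info(f"{label} Security Standard is already disabled in "
                    f"Account {account} in {region}")
        return
    try:
        sh_client.batch_disable_standards(
            StandardsSubscriptionArns=[subscription_arn])
        LOGGER.info(f"Disabled {label} Security Standard in Account "
                    f"{account} in {region}")
    except Exception:
        LOGGER.exception(f"Failed to disable {label} Security Standard in "
                         f"Account {account} in {region}")


def process_security_standards(sh_client, partition, region, account):
    """Bring the Security Hub standards of one account/region in line with configuration.

    The desired state of each standard is read from the environment
    variables ``aws_standard``, ``cis_standard`` and ``pci_standard``: the
    literal value ``'Yes'`` means "enabled", any other value means
    "disabled".  Regions whose EC2 opt-in status is ``'not-opted-in'`` are
    skipped entirely.

    Args:
        sh_client: boto3 Security Hub client already scoped to *account*
            and *region*.
        partition: AWS partition used to build ARNs (e.g. ``aws``).
        region: Region to process.
        account: AWS account id, used in subscription ARNs and logs.

    Returns:
        None.

    Raises:
        KeyError: if one of the three configuration environment variables is
            missing (a missing variable deliberately does not default to
            "disabled", since that would silently turn a standard off).
        botocore exceptions from ``describe_regions`` /
            ``get_enabled_standards`` propagate; only the enable/disable
            calls are caught and logged.
    """
    LOGGER.info(f"Processing Security Standards for Account {account} "
                f"in {region}")

    # Security Hub cannot be configured in a region the account has not
    # opted into, so bail out early rather than fail on every API call.
    opt_in_status = boto3.client('ec2').describe_regions(
        RegionNames=[region]
    )['Regions'][0]['OptInStatus']
    if opt_in_status == 'not-opted-in':
        LOGGER.info(f"{region} is not opted in.")
        return

    # (env var, log label, standard ARN, subscription ARN), in the order the
    # standards are reconciled.  Note the CIS ARN is a partition-wide
    # "ruleset" with no region/account components, unlike the other two.
    standards = (
        (
            'aws_standard',
            'AWS Foundational Security Best Practices v1.0.0',
            f"arn:{partition}:securityhub:{region}::standards/"
            f"aws-foundational-security-best-practices/v/1.0.0",
            f"arn:{partition}:securityhub:{region}:{account}:"
            f"subscription/aws-foundational-security-best-practices"
            f"/v/1.0.0",
        ),
        (
            'cis_standard',
            'CIS AWS Foundations Benchmark v1.2.0',
            f"arn:{partition}:securityhub:::ruleset/"
            f"cis-aws-foundations-benchmark/v/1.2.0",
            f"arn:{partition}:securityhub:{region}:{account}:"
            f"subscription/cis-aws-foundations-benchmark"
            f"/v/1.2.0",
        ),
        (
            'pci_standard',
            'PCI DSS v3.2.1',
            f"arn:{partition}:securityhub:{region}::standards/"
            f"pci-dss/v/3.2.1",
            f"arn:{partition}:securityhub:{region}:{account}:"
            f"subscription/pci-dss/v/3.2.1",
        ),
    )
    for _, _, standard_arn, _ in standards:
        LOGGER.info(f"ARN: {standard_arn}")

    # Determine which standards are already subscribed.
    enabled_standards = sh_client.get_enabled_standards()
    LOGGER.info(f"Account {account} in {region}. "
                f"Enabled Standards: {enabled_standards}")
    # NOTE(review): this matches by substring, as the original did; an exact
    # comparison would be stricter — TODO confirm the returned StandardsArn
    # is always the bare standard ARN before tightening.
    subscribed_arns = [
        item["StandardsArn"]
        for item in enabled_standards["StandardsSubscriptions"]
    ]

    for env_var, label, standard_arn, subscription_arn in standards:
        currently_enabled = any(standard_arn in arn for arn in subscribed_arns)
        # os.environ[...] (not .get) on purpose: a missing setting must fail
        # loudly rather than be treated as "disable this standard".
        want_enabled = os.environ[env_var] == 'Yes'
        _reconcile_standard(
            sh_client,
            label=label,
            standard_arn=standard_arn,
            subscription_arn=subscription_arn,
            currently_enabled=currently_enabled,
            want_enabled=want_enabled,
            account=account,
            region=region,
        )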