in security_hub_correlation_cdk/lambdas/create_sh_finding/create_sh_finding.py [0:0]
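def check_sh_unrestrict_sg(sh_resource, ddbtable):
    """Look up an existing Security Hub EC2.18 finding for a resource.

    Queries the DynamoDB table through the ``DYNAMODB_GSI_TYPE`` index for
    items whose ``ResourceId`` equals *sh_resource* and whose ``Types``
    equals the AWS Foundational Security Best Practices type string, then
    checks whether any returned item's ``GeneratorId`` refers to the
    EC2.18 control (security group allowing unrestricted incoming ports).

    Args:
        sh_resource: Resource identifier (``ResourceId`` key value) to look up.
        ddbtable: boto3 DynamoDB ``Table`` resource to query.

    Returns:
        The raw ``query`` response dict when at least one matching item
        has an EC2.18 ``GeneratorId``; ``None`` when nothing matches or
        when the query fails with a ``ClientError`` (the error code is
        logged in that case).
    """
    sh_unrestrict_sg = 'Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices'
    sh_unrestrict_sg_string = 'aws-foundational-security-best-practices/v/1.0.0/EC2.18'
    try:
        sh_unrestrict_sg_payload = ddbtable.query(
            IndexName=DYNAMODB_GSI_TYPE,
            KeyConditionExpression=Key('ResourceId').eq(sh_resource) & Key('Types').eq(sh_unrestrict_sg)
        )
    except ClientError as error_handle:
        # botocore's ClientError carries the service error under .response;
        # there is no .dynamodb_match attribute, so the old handler would
        # itself have raised AttributeError and masked the DynamoDB error.
        logger.error(error_handle.response['Error']['Code'])
        return None

    if sh_unrestrict_sg_payload.get('Count', 0) < 1:
        return None

    # The type string is shared by every FSBP control, so several findings for
    # the same resource can sit under the same index key; only matching the
    # first item would miss an EC2.18 finding that is not returned first.
    # A missing GeneratorId is treated as a non-match rather than a KeyError.
    found_ec2_18 = any(
        sh_unrestrict_sg_string in item.get('GeneratorId', '')
        for item in sh_unrestrict_sg_payload.get('Items', [])
    )
    if found_ec2_18:
        logger.info('Found Security Hub finding for Security Group allowing unrestricted incoming ports for {}.'.format(sh_resource))
        return sh_unrestrict_sg_payload
    return None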