in aws_sra_examples/solutions/securityhub/securityhub_enabler_acct/lambda/src/app.py [0:0]
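def _collect_enabled_standard_arns(sh_client):
    """Return the ``StandardsArn`` of every enabled standards subscription.

    Follows ``NextToken`` so a subscription that lands past the first page
    of ``get_enabled_standards`` is not mistaken for "not enabled" (which
    would otherwise trigger a redundant ``batch_enable_standards`` call).

    :param sh_client: SecurityHub boto3 client
    :return: list of standard ARNs currently subscribed in this account/region
    """
    enabled_arns = []
    request_kwargs = {}
    while True:
        response = sh_client.get_enabled_standards(**request_kwargs)
        enabled_arns.extend(
            item["StandardsArn"] for item in response.get("StandardsSubscriptions", [])
        )
        next_token = response.get("NextToken")
        if not next_token:
            return enabled_arns
        request_kwargs = {"NextToken": next_token}


def _reconcile_standard(
    sh_client,
    *,
    name,
    standard_arn,
    subscription_arn,
    desired,
    enabled_arns,
    account,
    region,
):
    """Enable or disable one standard so its state matches ``desired``.

    :param sh_client: SecurityHub boto3 client
    :param name: human-readable standard name used in log lines
    :param standard_arn: ARN passed to batch_enable_standards
    :param subscription_arn: ARN passed to batch_disable_standards
    :param desired: True to enable the standard, False to disable it
    :param enabled_arns: ARNs returned by get_enabled_standards
    :param account: account being configured (logging only)
    :param region: region being configured (logging only)
    :return: True if the standard is in the desired state, False if the
        enable/disable call raised
    """
    # Substring match, as in the original implementation; the enabled list is
    # expected to carry the full standard ARN.  NOTE(review): the API response
    # also carries a StandardsStatus per subscription (e.g. FAILED/DELETING);
    # this check treats any listed subscription as enabled — confirm that is
    # the intended behavior.
    currently_enabled = any(standard_arn in arn for arn in enabled_arns)
    where = f"in Account {account} in {region}"

    if desired:
        if currently_enabled:
            logger.info(f"{name} Security Standard is already enabled {where}")
            return True
        try:
            sh_client.batch_enable_standards(
                StandardsSubscriptionRequests=[{"StandardsArn": standard_arn}]
            )
        except Exception as error:
            # A standard that silently stays disabled is exactly the drift this
            # enabler exists to prevent, so log at ERROR with traceback rather
            # than INFO.
            logger.exception(
                f"Failed to enable {name} Security Standard {where} - {error}"
            )
            return False
        logger.info(f"Enabled {name} Security Standard {where}")
        return True

    if not currently_enabled:
        logger.info(f"{name} Security Standard is already disabled {where}")
        return True
    try:
        sh_client.batch_disable_standards(StandardsSubscriptionArns=[subscription_arn])
    except Exception as error:
        logger.exception(
            f"Failed to disable {name} Security Standard {where} - {error}"
        )
        return False
    logger.info(f"Disabled {name} Security Standard {where}")
    return True


def process_security_standards(sh_client, partition, region, account):
    """
    Configure the security standards

    Reconciles the AWS Foundational Security Best Practices, CIS AWS
    Foundations Benchmark and PCI DSS standards against the module-level
    ENABLE_SBP_STANDARD / ENABLE_CIS_STANDARD / ENABLE_PCI_STANDARD flags.
    API failures are logged (at ERROR) and do not abort processing of the
    remaining standards.

    :param sh_client: SecurityHub boto3 client
    :param partition: AWS partition
    :param region: region to configure
    :param account: account to configure
    :return: None
    """
    logger.info(f"Processing Security Standards for Account {account} in {region}")

    # Standard ARNs (used to enable) and subscription ARNs (used to disable).
    # The CIS ARN is a partition-wide ruleset and therefore has no region or
    # account component, unlike the other two.
    standards = (
        {
            "name": "AWS Foundational Security Best Practices",
            "desired": ENABLE_SBP_STANDARD,
            "standard_arn": (
                f"arn:{partition}:securityhub:{region}::standards/"
                f"aws-foundational-security-best-practices/v/{SBP_STANDARD_VERSION}"
            ),
            "subscription_arn": (
                f"arn:{partition}:securityhub:{region}:{account}:"
                f"subscription/aws-foundational-security-best-practices"
                f"/v/{SBP_STANDARD_VERSION}"
            ),
        },
        {
            "name": "CIS AWS Foundations Benchmark",
            "desired": ENABLE_CIS_STANDARD,
            "standard_arn": (
                f"arn:{partition}:securityhub:::ruleset/"
                f"cis-aws-foundations-benchmark/v/{CIS_STANDARD_VERSION}"
            ),
            "subscription_arn": (
                f"arn:{partition}:securityhub:{region}:{account}:"
                f"subscription/cis-aws-foundations-benchmark"
                f"/v/{CIS_STANDARD_VERSION}"
            ),
        },
        {
            "name": f"PCI DSS v{PCI_STANDARD_VERSION}",
            "desired": ENABLE_PCI_STANDARD,
            "standard_arn": (
                f"arn:{partition}:securityhub:{region}::standards/"
                f"pci-dss/v/{PCI_STANDARD_VERSION}"
            ),
            "subscription_arn": (
                f"arn:{partition}:securityhub:{region}:{account}:"
                f"subscription/pci-dss/v/{PCI_STANDARD_VERSION}"
            ),
        },
    )
    for spec in standards:
        logger.debug(f"ARN: {spec['standard_arn']}")

    # Fetch the enabled list once (all pages) and reconcile every standard
    # against it.
    enabled_arns = _collect_enabled_standard_arns(sh_client)
    logger.info(f"Account {account} in {region}. Enabled Standards: {enabled_arns}")

    for spec in standards:
        _reconcile_standard(
            sh_client,
            name=spec["name"],
            standard_arn=spec["standard_arn"],
            subscription_arn=spec["subscription_arn"],
            desired=spec["desired"],
            enabled_arns=enabled_arns,
            account=account,
            region=region,
        )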