in utility_scripts/configureCMK.py [0:0]
def process_stacks(stackname):
paginator = cloudformation_client.get_paginator('list_stack_resources')
response_iterator = paginator.paginate(
StackName=stackname,
PaginationConfig={
'MaxItems': 10000#,
}
)
for response in response_iterator:
lambda_resources = filter(lambda x: x["ResourceType"] == "AWS::Lambda::Function",response["StackResourceSummaries"])
for lambda_func in lambda_resources:
lambda_client.update_function_configuration(FunctionName=lambda_func["PhysicalResourceId"],KMSKeyArn=args.cmk_arn)
print(f"Updated function {lambda_func['PhysicalResourceId']} in stack {stackname}")
lambda_configuration = lambda_client.get_function_configuration(FunctionName=lambda_func["PhysicalResourceId"])
role_name = lambda_configuration["Role"].split("/")[-1]
assign_role(role_name)
ssm_parameters = filter(lambda x: x["ResourceType"] == "AWS::SSM::Parameter",response["StackResourceSummaries"])
for parameter in ssm_parameters:
parameter_name = parameter["PhysicalResourceId"]
parameter_response = ssm_client.get_parameter(
Name=parameter_name,
WithDecryption=True
)
parameter_value = parameter_response['Parameter']['Value']
description = parameter_response['Parameter']["Description"] if "Decription" in parameter_response['Parameter'] else ""
ssm_client.put_parameter(
Name=parameter_name,
Description=description,
Value=parameter_value,
Type='SecureString',
KeyId=args.cmk_arn,
Overwrite=True,
)
s3_buckets = filter(lambda x: x["ResourceType"] == "AWS::S3::Bucket",response["StackResourceSummaries"])
for bucket in s3_buckets:
s3_client.put_bucket_encryption(
Bucket=bucket["PhysicalResourceId"],
ServerSideEncryptionConfiguration={
'Rules': [
{
'ApplyServerSideEncryptionByDefault': {
'SSEAlgorithm': 'aws:kms',
'KMSMasterKeyID': args.cmk_arn
}
},
]
}
)
print(f"Encryption set for {bucket['PhysicalResourceId']}")
s3_client.put_bucket_logging(
Bucket=bucket["PhysicalResourceId"],
BucketLoggingStatus={
'LoggingEnabled': {
'TargetBucket': args.target_s3_bucket,
'TargetPrefix': bucket["PhysicalResourceId"] + '/'
}
}
)
print(f"Access Logs set for {bucket['PhysicalResourceId']}")
ddb_tables = filter(lambda x: x["ResourceType"] == "AWS::DynamoDB::Table",response["StackResourceSummaries"])
for table in ddb_tables:
table_description = ddb_client.describe_table(TableName = table["PhysicalResourceId"])
if('SSEDescription' not in table_description["Table"] or 'KMSMasterKeyArn' not in table_description["Table"]['SSEDescription'] or table_description["Table"]['SSEDescription']['KMSMasterKeyArn']!= args.cmk_arn ):
ddb_client.update_table(
TableName = table["PhysicalResourceId"],
SSESpecification ={
'Enabled': True,
'SSEType': 'KMS',
'KMSMasterKeyId': args.cmk_arn
}
)
kinesis_streams = filter(lambda x: x["ResourceType"] == "AWS::KinesisFirehose::DeliveryStream",response["StackResourceSummaries"])
for stream in kinesis_streams:
stream_response = kinesis_client.describe_delivery_stream(
DeliveryStreamName=stream["PhysicalResourceId"])
if('KeyType' not in stream_response['DeliveryStreamDescription']['DeliveryStreamEncryptionConfiguration']
or ( stream_response['DeliveryStreamDescription']['DeliveryStreamEncryptionConfiguration']['KeyType'] != "CUSTOMER_MANAGED_CMK"
and stream_response['DeliveryStreamDescription']['DeliveryStreamEncryptionConfiguration']['KeyARN'] != args.cmk_arn)):
kinesis_client.start_delivery_stream_encryption(
DeliveryStreamName=stream["PhysicalResourceId"],
DeliveryStreamEncryptionConfigurationInput={
'KeyARN': args.cmk_arn,
'KeyType': 'CUSTOMER_MANAGED_CMK'})
role_resources = filter(lambda x: 'LambdaRole' in x["LogicalResourceId"] or x["LogicalResourceId"] in cmk_roles_logical_ids , response["StackResourceSummaries"])
for role_resource in role_resources:
print(f"role_resource: {role_resource['PhysicalResourceId']}")
cmk_roles_physical_ids.append(role_resource["PhysicalResourceId"])
assign_role(role_resource["PhysicalResourceId"])