in python/CLOUDTRAIL_ENABLED_V2/CLOUDTRAIL_ENABLED_V2.py [0:0]
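def evaluate_compliance(event, configuration_item, valid_rule_parameters):
    """Form the evaluation(s) to be returned to Config Rules.

    Return either:
        None -- when no result needs to be displayed
        a string -- either COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE
        a dictionary -- the evaluation dictionary, usually built by build_evaluation_from_config_item()
        a list of dictionaries -- a list of evaluation dictionaries, usually built by build_evaluation()

    Keyword arguments:
        event -- the event variable given in the lambda handler
        configuration_item -- the configurationItem dictionary in the invokingEvent
        valid_rule_parameters -- the output of evaluate_parameters(), representing the validated
            parameters of the Config Rule (GlobalResourcesBoolean, MultiRegionBoolean, LFIBoolean,
            S3BucketName, EncryptedBoolean, KMSKeyArn, ManagementEventBoolean, S3DataEventBoolean,
            LambdaEventBoolean)

    Advanced Notes:
        1 -- if a resource is deleted and generates a configuration change with ResourceDeleted status,
             the Boilerplate code will put a NOT_APPLICABLE on this resource automatically.
        2 -- if None or a list of dictionaries is returned, the old evaluation(s) which are not returned
             in the new evaluation list are returned as NOT_APPLICABLE by the Boilerplate code.
        3 -- if None or an empty string, list or dict is returned, the Boilerplate code will put a
             "shadow" evaluation to feed back that the evaluation took place properly.

    The account is COMPLIANT as soon as one trail satisfies every enabled parameter, is currently
    logging and has no pending delivery error; otherwise it is NON_COMPLIANT. Returns None when the
    account has no trail at all.
    """
    ct_client = get_client('cloudtrail', event)
    trail_list = get_all_trails(ct_client)
    if not trail_list:
        return None
    for trail in trail_list:
        # Log only the trail name: the full trail dict also carries the bucket name and
        # KMS key ARN, which are not needed in the evaluation log.
        print(trail.get('Name'))
        if not _trail_config_matches(trail, valid_rule_parameters):
            continue
        try:
            trail_status = ct_client.get_trail_status(Name=trail['Name'])
        except Exception:  # best effort: a trail whose status cannot be read cannot prove compliance
            # Typical cause is a trail owned by another account (e.g. an organization trail) that
            # this principal may list but not query; skip it rather than abort the whole evaluation.
            continue
        if not trail_status['IsLogging']:
            continue
        # Any delivery error means logs are not reliably landing in the bucket.
        if 'LatestDeliveryError' in trail_status:
            continue
        if not _event_selectors_match(ct_client, trail['Name'], valid_rule_parameters):
            continue
        return 'COMPLIANT'
    return 'NON_COMPLIANT'


def _trail_config_matches(trail, params):
    """Return True when the trail's static configuration satisfies every enabled rule parameter.

    Keyword arguments:
        trail -- one trail dictionary as returned by get_all_trails()
        params -- the validated rule parameters (see evaluate_compliance)
    """
    if params['GlobalResourcesBoolean'] and not trail['IncludeGlobalServiceEvents']:
        return False
    if params['MultiRegionBoolean'] and not trail['IsMultiRegionTrail']:
        return False
    if params['LFIBoolean'] and not trail['LogFileValidationEnabled']:
        return False
    if params['S3BucketName'] and trail['S3BucketName'] != params['S3BucketName']:
        return False
    if params['EncryptedBoolean']:
        # A missing or empty KmsKeyId means the trail is not encrypted with a CMK.
        kms_key = trail.get('KmsKeyId')
        if not kms_key:
            return False
        if params['KMSKeyArn'] and params['KMSKeyArn'] != kms_key:
            return False
    return True


def _event_selectors_match(ct_client, trail_name, params):
    """Return True when the trail's event selectors satisfy the enabled event parameters.

    Only the first basic event selector is inspected. A trail that reports no basic
    event selector (for example one configured only with advanced event selectors) is
    treated as not matching instead of raising an IndexError/KeyError.

    Keyword arguments:
        ct_client -- the CloudTrail client used to call get_event_selectors()
        trail_name -- the trail's Name
        params -- the validated rule parameters (see evaluate_compliance)
    """
    wants_events = (
        params['ManagementEventBoolean']
        or params['S3DataEventBoolean']
        or params['LambdaEventBoolean']
    )
    if not wants_events:
        return True
    selectors = ct_client.get_event_selectors(TrailName=trail_name).get('EventSelectors') or []
    if not selectors:
        return False
    selector = selectors[0]
    data_resources = selector.get('DataResources')
    if params['ManagementEventBoolean'] and (
        not selector.get('IncludeManagementEvents') or selector.get('ReadWriteType') != 'All'
    ):
        return False
    # NOTE(review): a truthy result from check_data_event() is treated as "requirement not met",
    # exactly as the rule did before — confirm this polarity against its definition.
    if params['S3DataEventBoolean'] and (
        not data_resources or check_data_event(data_resources, 'AWS::S3::Object', 'arn:aws:s3')
    ):
        return False
    if params['LambdaEventBoolean'] and (
        not data_resources or check_data_event(data_resources, 'AWS::Lambda::Function', 'arn:aws:lambda')
    ):
        return False
    return True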