# MetaHub Configurations
# ---------------------------------- #
# Security Hub Configurations #
# ---------------------------------- #
# Filters applied to the Security Hub findings query.
# Only findings whose record state is ACTIVE and whose workflow status is NEW
# are retrieved; findings in any other record/workflow state are left out
# unless these filters are widened here.
sh_default_filters = {
    "RecordState": ["ACTIVE"],
    "WorkflowStatus": ["NEW"],
}
# Enrichment sources applied to findings when --enrich-findings is given.
# Valid entries: tags, config, account, cloudtrail, associations, impact.
# Remove an entry to skip that enrichment source.
sh_enrich_with = ["tags", "config", "account", "cloudtrail", "associations", "impact"]
# ---------------------------------- #
# Impact Configurations #
# ---------------------------------- #
# Impact Scoring Definition File
# The path is relative; presumably resolved from the directory the tool is
# launched from -- TODO confirm against the loader before running it from
# elsewhere (e.g. a cron job or a container with a different CWD).
path_yaml_impact = "lib/config/impact.yaml"
# Severity Values for impact scoring calculation
# Weight that each Security Hub severity label contributes to the impact
# score. The step between HIGH (3) and MEDIUM (1) is larger than the others;
# tune these if you want a smoother (or steeper) curve.
findings_severity_value = {
    "CRITICAL": 4,
    "HIGH": 3,
    "MEDIUM": 1,
    "LOW": 0.5,
    "INFORMATIONAL": 0,
}
# Days to consider a resource (key) unrotated
# 90 days matches the commonly used access-key rotation benchmark (e.g. the
# CIS AWS Foundations control); lower it for a stricter internal policy.
days_to_consider_unrotated = 90
# ---------------------------------- #
# Impact: Access Configurations #
# ---------------------------------- #
# List of AWS accounts ids that are trusted and not considered as external.
# This is used in check untrusted_principal for policies.
# Security note: any account id listed here is treated as in-scope, so
# cross-account access granted to principals of that account will NOT be
# reported as an untrusted principal. Keep this to accounts your organisation
# actually controls -- listing a vendor or partner account silently hides
# that exposure from the report.
# Use 12-digit account ids as strings (e.g. "123456789012"), the same format
# used by the "account_ids" entries in the sections below.
trusted_accounts = []
# Dangerous IAM actions that should be considered as a finding if used in a policy
# These are the IAM-only primitives commonly used for privilege escalation:
# rewriting or re-pointing a managed policy, handing a role to another
# service, minting credentials for another principal, attaching or inlining
# policies, changing group membership, and editing a role's trust policy.
# NOTE(review): the entries are literal action names. Whether wildcards such
# as "iam:*" or "*" in a policy statement are expanded to match them depends
# on the checker that consumes this list -- confirm before relying on it.
# Actions that weaken existing controls (iam:DeleteRolePolicy,
# iam:DetachRolePolicy, iam:DeletePolicyVersion and their user/group
# counterparts) are not in this list; add them here if you want those
# flagged as well.
dangerous_iam_actions = [
    # Rewrite an existing managed policy / switch its active version
    "iam:CreatePolicyVersion",
    "iam:SetDefaultPolicyVersion",
    # Hand a (possibly more privileged) role to another service
    "iam:PassRole",
    # Mint credentials for another principal
    "iam:CreateAccessKey",
    "iam:CreateLoginProfile",
    "iam:UpdateLoginProfile",
    # Attach managed policies to principals
    "iam:AttachUserPolicy",
    "iam:AttachGroupPolicy",
    "iam:AttachRolePolicy",
    # Add inline policies to principals
    "iam:PutGroupPolicy",
    "iam:PutRolePolicy",
    "iam:PutUserPolicy",
    # Inherit a group's permissions
    "iam:AddUserToGroup",
    # Change who is allowed to assume a role
    "iam:UpdateAssumeRolePolicy",
]
# ---------------------------------- #
# Impact: Environment Configurations #
# ---------------------------------- #
# You can define the environment by tags, account id or account alias.
# You can define how many environments you want, then assign each environment a value in the file: lib/config/impact.yaml
# Each top-level key is an environment name and is referenced by that name
# from lib/config/impact.yaml. A resource presumably belongs to an environment
# when one of its tags matches a key/value pair under "tags", or when its
# account id or alias appears under "account" -- TODO confirm the precedence
# between tag and account matches in the matcher.
# The tag keys are repeated in several spellings because tag matching looks
# to be exact (case-sensitive); add your own variants (e.g. "ENV") if needed.
# NOTE(review): every sample environment below carries the same placeholder
# account id "123456789012". Left as-is, a single account would satisfy all
# three environments and which one wins depends on the matcher's iteration
# order. Replace the placeholders with real, distinct account ids (or empty
# the lists) before relying on account-based classification.
environments = {
    "production": {
        "tags": {
            "Environment": ["Production", "production", "prd"],
            "environment": ["Production", "production", "prd"],
            "Env": ["Production", "production", "prd"],
            "env": ["Production", "production", "prd"],
        },
        "account": {
            # 12-digit account ids as strings, one or more per environment
            "account_ids": ["123456789012"],
            # IAM account aliases that also map to this environment
            "account_aliases": ["production", "prod"],
        },
    },
    "staging": {
        "tags": {
            "Environment": ["Staging", "staging", "stg"],
            "environment": ["Staging", "staging", "stg"],
            "Env": ["Staging", "staging", "stg"],
            "env": ["Staging", "staging", "stg"],
        },
        "account": {
            # Placeholder: identical to the production id above (see note)
            "account_ids": ["123456789012"],
            "account_aliases": ["staging", "stg"],
        },
    },
    "development": {
        "tags": {
            "Environment": ["Development", "development", "dev"],
            "environment": ["Development", "development", "dev"],
            "Env": ["Development", "development", "dev"],
            "env": ["Development", "development", "dev"],
        },
        "account": {
            # Placeholder: identical to the production id above (see note)
            "account_ids": ["123456789012"],
            "account_aliases": ["development", "dev"],
        },
    },
}
# ---------------------------------- #
# Impact: Application Configurations #
# ---------------------------------- #
# https://aws.amazon.com/blogs/aws/new-myapplications-in-the-aws-management-console-simplifies-managing-your-application-resources/
# You can define the application by tags, account id or account alias.
# You can define how many applications you want, then assign each application a value in the file: lib/config/impact.yaml
# Each top-level key is an application name referenced from
# lib/config/impact.yaml. Per the linked post, AWS myApplications tags
# resources with "awsApplication" whose value is the application's Resource
# Groups ARN, so paste the ARN shown in the console for each application.
# NOTE(review): the ARNs and account ids below are placeholders. Both sample
# applications share the same account id, so account-based matching cannot
# tell them apart until real, distinct values are filled in.
applications = {
    "app1": {
        "tags": {
            # Resource Groups ARN of the application (placeholder)
            "awsApplication": [
                "arn:aws:resource-groups:eu-west-1:123456789012:group/app1/0c8vpbjkzeeffsz2cqgxpae7b2"
            ],
        },
        "account": {
            "account_ids": ["123456789012"],
            "account_aliases": ["app1"],
        },
    },
    "app2": {
        "tags": {
            # Resource Groups ARN of the application (placeholder)
            "awsApplication": [
                "arn:aws:resource-groups:eu-west-1:123456789012:group/app2/0c8vpbjkzeeffsz2cqgxpae7b2"
            ],
        },
        "account": {
            # Placeholder: identical to app1's id above (see note)
            "account_ids": ["123456789012"],
            "account_aliases": ["app2"],
        },
    },
}
# ---------------------------------- #
# Impact: Owner Configurations #
# ---------------------------------- #
# You can define the owner by tags, account id or account alias.
# You can define how many owners you want, then assign each owner a value in the file: lib/config/impact.yaml
# Each top-level key is an owner name referenced from lib/config/impact.yaml.
# Both "Owner" and "owner" tag keys are listed because tag matching looks to
# be exact (case-sensitive) -- add other spellings your tagging standard uses.
# NOTE(review): the two sample owners share the same placeholder account id,
# so account-based matching cannot distinguish them until real, distinct
# values are filled in.
owners = {
    "owner1": {
        "tags": {
            "Owner": ["owner1"],
            "owner": ["owner1"],
        },
        "account": {
            "account_ids": ["123456789012"],
            "account_aliases": ["owner1"],
        },
    },
    "owner2": {
        "tags": {
            "Owner": ["owner2"],
            "owner": ["owner2"],
        },
        "account": {
            # Placeholder: identical to owner1's id above (see note)
            "account_ids": ["123456789012"],
            "account_aliases": ["owner2"],
        },
    },
}
# ---------------------------------- #
# Output Configurations #
# ---------------------------------- #
# Columns
# You can define the columns that will be displayed in the output HTML, CSV AND XLSX.
# You can also use `--output-config-columns` and `--output-tags-columns` to override these values.
# If you want all fields as columns, comment the following lines.
# Config-enrichment fields shown as columns
config_columns = ["public_ip"]
# Resource tags shown as columns (tag keys, matched as written here)
tag_columns = ["Name", "Owner"]
# Account-enrichment fields shown as columns
account_columns = ["Alias"]
# Impact-enrichment fields shown as columns
impact_columns = [
    "score",
    "exposure",
    "access",
    "encryption",
    "status",
    "environment",
    "application",
]
# Decide if you want to output as part of the findings the whole json resource policy
# NOTE(review): with this enabled the report files embed each resource's full
# policy document (principals, ARNs, conditions), which maps out who can reach
# what. Treat the outputs directory as sensitive, and set this to False if
# reports are shared beyond the team that needs that detail.
output_resource_policy = True
# Output directory
# Relative path, presumably resolved from the working directory the tool is
# launched from -- TODO confirm against the writer. Reports land here
# unencrypted, so keep it out of shared or world-readable locations.
outputs_dir = "outputs/"
# Output file name date format
# strftime() pattern used to timestamp report file names
outputs_time_str = "%Y%m%d-%H%M%S"
# ---------------------------------- #
# Other Configurations #
# ---------------------------------- #
# Assume role duration in seconds
# NOTE(review): AWS rejects the AssumeRole call if this exceeds the target
# role's MaxSessionDuration, and when the caller's own credentials already
# come from an assumed role (role chaining) the session is capped at one hour
# regardless of this value -- verify against the roles you scan with.
assume_role_duration = 3600