dome9 / cloud-bots

Automation and remediation bots for Dome9's (Continuous) Compliance Engine

License: BSD 3-Clause "New" or "Revised" License

Python 99.70% Shell 0.30%

cloud-bots's People

Contributors

alin-loshevsky, alpalwal, amichaiye, artfulbodger, chkp-hody, chkp-tinas, chrisbeckett, david-dome9, dgoldhar, doronzil, elimo2401, froyke, guysakal-dome9, hs250338, idan-perez-d9-2, jontheniceguy, kerenshm, liranzu, mambroziak, morpalg, omerar1982, omershliva, ravidatias, roiabr, rotembenhamocp, secopsmom, sg84, superunkn, yaeleli, yairshp-cp

cloud-bots's Issues

tag_ec2_resource fails if tags aren't quoted

Error when using without quotes

"Name": "appserver1", "Remediation": "tag_ec2_resource", "Execution status": "failed", "Bot message": "Error while executing function tag_ec2_resource. Error: Tag \"env prod exec_function_arn=arn:aw s:lambda:us-east-1:xxxxxxxxxxx:function:Dome9CloudBots\" does not follow formatting - skipping\n \nFor more details please see the CloudWatch logs. \n"}]}

Success when using quotes

"Name": "appserver1", "Remediation": "tag_ec2_resource", "Execution status": "passed", "Bot message": "Instance tagged: i-072ba365262894913 \nKey: env | Value: prod \n"}]}

cloudwatch_create_metric_filter Error: 'region'

Invoking this cloudbot from one of the "Ensure a log metric filter and alarm exist for XYZ configuration changes" from the AWS CIS 1.4.0 benchmark. There is no entity being passed, since this is an absence of metric.

But the script expects that it receives an entity['region'] and entity['cloudWatchLogsLogGroupArn']

How is this cloud bot meant to be invoked?

config_enable handles create_bucket response incorrectly

When the config_enable bot creates the Config bucket it uses the S3 ServiceResource's create_bucket() method:

result = s3_resource.create_bucket(...)

It then refers to that result as if it were a call to the S3 Client's create_bucket() method:

responseCode = result['ResponseMetadata']['HTTPStatusCode']

This is invalid, as the S3 Resource returns an instance of s3.Bucket, not a dict, so it throws a ClientError: TypeError: 's3.Bucket ' object is not subscriptable.

In fact it does not need to check the result since we already know that the create_bucket() must have succeeded if the execution reaches that line.

What is CloudGuard's ARN in AWS China

The principal ARN string below references CloudGuard's AWS account but does not work in the China Org/Region. Please include an update for AWS China. Thanks.

AWS: 'arn:aws:iam::634729597623:root'

    "Action": "sns:Publish",
    "Principal": {
        "AWS": "arn:aws:iam::634729597623:root"
    },

Missing meta data

Dear Developer,

For readability and Search Engine Optimization (SEO) it would be great if you could do the following:

  • Please provide relevant "Topics"

Environment topic examples:
azure, aws, gcp
Functionality topic examples:
build, deploy, staging, operate, terraform, ansible, helm, android, cloudguardIaaS, management, gaia, threat-prevention, identity-awareness, smp, iot, cloudguard-connect, cloudguard-dome9, malware, evasion

s3_only_allow_ssl KeyError: 'Statement'

Hey guys, when activating the s3_only_allow_ssl bot I'm getting a KeyError: 'Statement'

doing a little digging, I can see that
policy_bucket = s3_client.get_bucket_policy(Bucket=entity['name'])

returns back a response element, but it does not have a property 'Statement'

'Statement' is instead found under 'Policy'

when I look at policy_bucket['Policy'] the result is a string

so I think maybe this needs to be something like

policy_bucket = s3_client.get_bucket_policy(Bucket=entity['name'])
policy = json.loads(policy_bucket['Policy'])

In short, this whole script seems to be keying off a field that has been moved.

vpc_turn_on_flow_logs cloudbot parm order incorrect

When implementing the vpc_turn_on_flow_logs bot, the Dome9 UI and portal refer to the traffic_type parameter at index 0 and the destination at index 1.

The python code refers to these parameters in the reverse order

DESTINATION_INDEX = 0
TRAFFIC_TYPE_INDEX = 1

This results in the destination value being used for the 'traffic_type' key and failing the value checks and skipping.

elif key == 'traffic_type':
    if value.upper() == 'ALL':
        traffic_type = 'ALL'
        text_output = text_output + 'The traffic_type to be logged is ALL\n'
    elif value.upper() == 'ACCEPT':
        traffic_type = 'ACCEPT'
        text_output = text_output + 'The traffic_type to be logged is ACCEPT\n'
    elif value.upper() == 'REJECT':
        traffic_type = 'REJECT'
        text_output = text_output + 'The traffic_type to be logged is REJECT\n'
    else:
        text_output = text_output + 'Traffic_type not set to ALL, ACCEPT, or REJECT. Those are the only three supported traffic_types. Skipping\n' + usage
        return text_output

cloudbot s3_enable_logging / create new s3 bucket: error with ACLs

When the cloudbot "s3_enable_logging" is invoked and it does not find an S3 bucket to use as the target bucket for server access logs, it tries to create a new S3 bucket with ACLs enabled.

This creates an error as AWS no longer allows the creation of an s3 bucket with ACLs enabled by default.
"(InvalidBucketAclWithObjectOwnership) when calling the CreateBucket operation: Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting"

"s3_enable_logging.py"
ACL='log-delivery-write'

AWS recommends creating the bucket with a bucket policy instead:
https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html#grant-log-delivery-permissions-general.

code in question:
https://github.com/dome9/cloud-bots/blob/master/bots/s3_enable_logging.py
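The two bucket-policy issues above (s3_only_allow_ssl reading 'Statement' without parsing the JSON string under 'Policy', and s3_enable_logging relying on the log-delivery-write ACL) both come down to editing a bucket policy safely. The following is an added example, not code from the cloud-bots project: it parses a get_bucket_policy() style response, handles the no-policy case, and appends either the SSL-only Deny statement or the log-delivery Allow statement from the AWS guide linked above. Bucket names, the account id and the sample response are constructed.

```python
import json

# Shape of a boto3 get_bucket_policy() response. 'Policy' is a JSON *string*,
# which is why 'Statement' must be read after json.loads(), not from the
# response dict itself. Sample response constructed for this example.
SAMPLE_RESPONSE = {
    "ResponseMetadata": {"HTTPStatusCode": 200},
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "ExistingRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"}]}),
}


def ssl_only_deny(bucket):
    """Deny every request to the bucket that is not sent over TLS."""
    return {"Sid": "DenyInsecureTransport", "Effect": "Deny",
            "Principal": "*", "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}}}


def log_delivery_allow(target_bucket, source_bucket, account_id):
    """Let the S3 log-delivery service write access logs for source_bucket
    into target_bucket; the policy-based replacement for ACL='log-delivery-write'."""
    return {"Sid": "S3ServerAccessLogsPolicy", "Effect": "Allow",
            "Principal": {"Service": "logging.s3.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{target_bucket}/logs/*",
            "Condition": {
                "ArnLike": {"aws:SourceArn": f"arn:aws:s3:::{source_bucket}"},
                "StringEquals": {"aws:SourceAccount": account_id}}}


def ensure_statement(policy_response, statement):
    """Return (policy_dict, changed). A missing or empty policy (what a
    NoSuchBucketPolicy error amounts to) starts a fresh document; the
    statement is appended unless an identical one is already present."""
    raw = policy_response.get("Policy") if policy_response else None
    policy = json.loads(raw) if raw else {"Version": "2012-10-17", "Statement": []}
    statements = policy.setdefault("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare dict
        statements = policy["Statement"] = [statements]
    if statement in statements:
        return policy, False
    statements.append(statement)
    return policy, True


def policy_document(policy):
    """Serialize back to the string that put_bucket_policy(Policy=...) takes."""
    return json.dumps(policy)
```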
