dome9 / cloud-bots
Automation and remediation bots for Dome9's (Continuous) Compliance Engine
License: BSD 3-Clause "New" or "Revised" License
Error when using without quotes
"Name": "appserver1", "Remediation": "tag_ec2_resource", "Execution status": "failed", "Bot message": "Error while executing function tag_ec2_resource. Error: Tag \"env prod exec_function_arn=arn:aws:lambda:us-east-1:xxxxxxxxxxx:function:Dome9CloudBots\" does not follow formatting - skipping\n \nFor more details please see the CloudWatch logs. \n"}]}
Success when using quotes
"Name": "appserver1", "Remediation": "tag_ec2_resource", "Execution status": "passed", "Bot message": "Instance tagged: i-072ba365262894913 \nKey: env | Value: prod \n"}]}
Invoking this cloudbot from one of the "Ensure a log metric filter and alarm exist for XYZ configuration changes" from the AWS CIS 1.4.0 benchmark. There is no entity being passed, since this is an absence of metric.
But the script expects that it receives an entity['region'] and entity['cloudWatchLogsLogGroupArn']
how is this cloud bot meant to be invoked?
When the config_enable bot creates the Config bucket it uses the S3 ServiceResource's create_bucket() method:
result = s3_resource.create_bucket(...)
It then refers to that result as if it were a call to the S3 Client's create_bucket() method:
responseCode = result['ResponseMetadata']['HTTPStatusCode']
This is invalid, as the S3 Resource returns an instance of s3.Bucket, not a dict, so it throws a ClientError: TypeError: 's3.Bucket' object is not subscriptable.
In fact it does not need to check the result since we already know that the create_bucket() must have succeeded if the execution reaches that line.
The principal ARN string below references CloudGuard's AWS account but does not work in the China Org/Region. Please include an update for AWS China. Thanks.
Line 51 in fd8064f
"Action": "sns:Publish",
"Principal": {
"AWS": "arn:aws:iam::634729597623:root"
},
Limitations: IPv6 is not supported
Title says it all. Thanks!
Dear Developer,
For readability and Search Engine Optimization (SEO) it would be great if you could do the following:
Environment topic examples:
azure, aws, gcp
Functionality topic examples:
build, deploy, staging, operate, terraform, ansible, helm, android, cloudguardIaaS, management, gaia, threat-prevention, identity-awareness, smp, iot, cloudguard-connect, cloudguard-dome9, malware, evasion
Hey guys, when activating the s3_only_allow_ssl bot I'm getting a KeyError: 'Statement'
doing a little digging, I can see that
policy_bucket = s3_client.get_bucket_policy(Bucket=entity['name'])
returns back a response element, but it does not have a property 'Statement'
'Statement' is instead found under 'Policy'
when I look at policy_bucket['Policy'] the result is a string
so I think maybe this needs to be something like
policy_bucket = s3_client.get_bucket_policy(Bucket=entity['name'])
policy = json.loads(policy_bucket['Policy'])
In short, this whole script seems to be keying off a field that has been moved.
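The fix the reporter sketches (json.loads on the 'Policy' string before touching 'Statement'), carried through as an added example that is not code from the cloud-bots repository. The get_bucket_policy() response below is a constructed dict shaped like boto3's; the function names are hypothetical, and the SSL-only Deny statement is the standard aws:SecureTransport pattern, assumed here to be what the s3_only_allow_ssl bot intends to enforce:

```python
import json

# Constructed sample, shaped like boto3's s3_client.get_bucket_policy() response:
# the policy document is a JSON *string* under 'Policy', not a nested dict.
SAMPLE_RESPONSE = {
    "ResponseMetadata": {"HTTPStatusCode": 200},
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowRead",
                "Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::example-bucket/*",
            }
        ],
    }),
}


def parse_bucket_policy(response):
    """Decode the 'Policy' string into a dict; missing policy -> empty statement list."""
    raw = response.get("Policy")
    if not raw:
        return {"Version": "2012-10-17", "Statement": []}
    policy = json.loads(raw)
    # A single statement may be serialised as an object instead of a list.
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    policy["Statement"] = statements
    return policy


def has_ssl_only_statement(policy, bucket_name):
    """True if a Deny statement refuses plaintext (aws:SecureTransport = false) access
    to both the bucket and its objects."""
    wanted = {"arn:aws:s3:::%s" % bucket_name, "arn:aws:s3:::%s/*" % bucket_name}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition", {}).get("Bool", {})
        if str(cond.get("aws:SecureTransport", "")).lower() != "false":
            continue
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        if wanted.issubset(set(resources)):
            return True
    return False


def add_ssl_only_statement(policy, bucket_name):
    """Return a copy of the policy with the SSL-only Deny appended if it is missing."""
    if has_ssl_only_statement(policy, bucket_name):
        return policy
    deny = {
        "Sid": "AllowSSLRequestsOnly",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::%s" % bucket_name, "arn:aws:s3:::%s/*" % bucket_name],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }
    updated = json.loads(json.dumps(policy))  # deep copy, leave the input untouched
    updated["Statement"].append(deny)
    return updated


def remediate_from_response(response, bucket_name):
    """Parse the API response and return the JSON string for put_bucket_policy(Policy=...)."""
    policy = parse_bucket_policy(response)
    return json.dumps(add_ssl_only_statement(policy, bucket_name))
```

When the bucket has no policy at all, a real boto3 call raises a ClientError with code NoSuchBucketPolicy rather than returning a dict without 'Policy'; catching that and starting from the empty policy that parse_bucket_policy() returns for a missing key covers both cases.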
When implementing the vpc_turn_on_flow_logs bot, the Dome9 UI and portal refers to the traffic_type parameter at index 0 and the destination at index 1
The python code refers to these parameters in the reverse order
DESTINATION_INDEX = 0
TRAFFIC_TYPE_INDEX = 1
This results in the destination value being used for the 'traffic_type' key and failing the value checks and skipping.
    elif key == 'traffic_type':
        if value.upper() == 'ALL':
            traffic_type = 'ALL'
            text_output = text_output + 'The traffic_type to be logged is ALL\n'
        elif value.upper() == 'ACCEPT':
            traffic_type = 'ACCEPT'
            text_output = text_output + 'The traffic_type to be logged is ACCEPT\n'
        elif value.upper() == 'REJECT':
            traffic_type = 'REJECT'
            text_output = text_output + 'The traffic_type to be logged is REJECT\n'
        else:
            text_output = text_output + 'Traffic_type not set to ALL, ACCEPT, or REJECT. Those are the only three supported traffic_types. Skipping\n' + usage
            return text_output
Line 124 in 48768b4
Please remove hyphen from above line
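An added example, not the bot's own code, showing how the parameter-order mismatch described in this issue surfaces: with the portal's order (traffic type at index 0, destination at index 1) validation passes, and with the reversed indices the destination string lands in the traffic_type check and is rejected. The traffic types are the three AWS flow-log values; the destination spellings are the EC2 CreateFlowLogs LogDestinationType values, assumed here to be what the bot accepts; the function and USAGE text are hypothetical:

```python
# Traffic types AWS accepts for a VPC flow log, and the LogDestinationType
# values of the EC2 CreateFlowLogs API (assumed to be the bot's spellings).
SUPPORTED_TRAFFIC_TYPES = ("ALL", "ACCEPT", "REJECT")
SUPPORTED_DESTINATIONS = ("cloud-watch-logs", "s3")

# Parameter positions as the Dome9 portal documents them: traffic type first.
TRAFFIC_TYPE_INDEX = 0
DESTINATION_INDEX = 1

USAGE = "usage: <traffic_type> <destination>, e.g. ALL cloud-watch-logs\n"


def parse_flow_log_params(params, traffic_type_index=TRAFFIC_TYPE_INDEX,
                          destination_index=DESTINATION_INDEX):
    """Validate the bot's positional parameters.

    Returns (traffic_type, destination, text_output). On failure the first two
    are None and text_output names the rejected value, so a wrong index mapping
    shows up in the bot output instead of a silent skip.
    """
    if len(params) < 2:
        return None, None, "Expected two parameters, got %d. Skipping\n%s" % (len(params), USAGE)

    raw_traffic_type = params[traffic_type_index]
    raw_destination = params[destination_index]
    traffic_type = raw_traffic_type.strip().upper()
    destination = raw_destination.strip().lower()
    text_output = ""

    if traffic_type not in SUPPORTED_TRAFFIC_TYPES:
        text_output += ("Traffic_type %r not set to ALL, ACCEPT, or REJECT. "
                        "Skipping\n" % raw_traffic_type) + USAGE
        return None, None, text_output
    text_output += "The traffic_type to be logged is %s\n" % traffic_type

    if destination not in SUPPORTED_DESTINATIONS:
        text_output += ("Destination %r is not one of %s. Skipping\n"
                        % (raw_destination, ", ".join(SUPPORTED_DESTINATIONS))) + USAGE
        return None, None, text_output
    text_output += "The flow log destination is %s\n" % destination

    return traffic_type, destination, text_output
```

Passing the indices explicitly, as the optional arguments allow, is what makes the swapped mapping from the issue reproducible in a unit test without editing the constants.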
When the cloudbot 's3_enable_logging' is invoked and it does not find an S3 bucket to use as the target bucket for server access logs, it tries to create a new S3 bucket with ACLs enabled.
This creates an error as AWS no longer allows the creation of an s3 bucket with ACLs enabled by default.
"(InvalidBucketAclWithObjectOwnership) when calling the CreateBucket operation: Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting"
"s3_enable_logging.py"
ACL='log-delivery-write'
AWS recommends creating the bucket with a bucket policy instead:
https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html#grant-log-delivery-permissions-general.
code in question:
https://github.com/dome9/cloud-bots/blob/master/bots/s3_enable_logging.py
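The bucket-policy approach the linked AWS page recommends, as an added example rather than the bot's code: the target bucket is created without an ACL argument (which BucketOwnerEnforced rejects) and the S3 logging service principal is granted s3:PutObject through a policy scoped to the source bucket and account. The policy shape follows the AWS document linked above; the function names, the "Logs/" prefix default and the LocationConstraint handling for regions other than us-east-1 are this example's own choices, and s3_client is assumed to be a boto3 S3 client (or any object with the same three methods):

```python
import json


def build_log_delivery_policy(target_bucket, source_bucket, source_account, prefix="Logs/"):
    """Bucket policy letting the S3 server-access-logging service write into target_bucket,
    restricted to deliveries originating from source_bucket in source_account."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "S3ServerAccessLogsPolicy",
                "Effect": "Allow",
                "Principal": {"Service": "logging.s3.amazonaws.com"},
                "Action": ["s3:PutObject"],
                "Resource": "arn:aws:s3:::%s/%s*" % (target_bucket, prefix),
                "Condition": {
                    "ArnLike": {"aws:SourceArn": "arn:aws:s3:::%s" % source_bucket},
                    "StringEquals": {"aws:SourceAccount": source_account},
                },
            }
        ],
    }


def create_bucket_kwargs(target_bucket, region):
    """create_bucket() arguments with no ACL: ownership stays BucketOwnerEnforced.
    us-east-1 must not carry a LocationConstraint; every other region must."""
    kwargs = {"Bucket": target_bucket}
    if region != "us-east-1":
        kwargs["CreateBucketConfiguration"] = {"LocationConstraint": region}
    return kwargs


def create_logging_target(s3_client, target_bucket, source_bucket, source_account,
                          region, prefix="Logs/"):
    """Create the log bucket, attach the delivery policy, then point the source
    bucket's server access logging at it. Returns the policy that was applied."""
    # The ACL='log-delivery-write' argument from the original bot is deliberately absent.
    s3_client.create_bucket(**create_bucket_kwargs(target_bucket, region))

    policy = build_log_delivery_policy(target_bucket, source_bucket, source_account, prefix)
    s3_client.put_bucket_policy(Bucket=target_bucket, Policy=json.dumps(policy))

    s3_client.put_bucket_logging(
        Bucket=source_bucket,
        BucketLoggingStatus={
            "LoggingEnabled": {"TargetBucket": target_bucket, "TargetPrefix": prefix}
        },
    )
    return policy
```

The aws:SourceArn and aws:SourceAccount conditions are what keep the shared service principal from being usable by buckets in other accounts that happen to know the target bucket's name.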