AWS_Auditing_Framework/cis_benchmark.py
# CIS benchmarking module
from datetime import datetime, timedelta, timezone

import boto3
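def check_iam_password_policy(iam_client, *, min_length=14, reuse_prevention=24):
    """Report the account's IAM password policy and its CIS thresholds.

    The CIS AWS Foundations Benchmark is not satisfied by a policy merely
    existing: it also expects a minimum length of 14 or more and reuse
    prevention of 24 previous passwords.  Both values are evaluated here
    when present; a missing key is treated as "not configured".

    Args:
        iam_client: A boto3 IAM client.
        min_length: Smallest acceptable ``MinimumPasswordLength``.
        reuse_prevention: Smallest acceptable ``PasswordReusePrevention``.

    Returns:
        The ``PasswordPolicy`` dict, or ``None`` when the account has no
        password policy (``NoSuchEntityException``).
    """
    try:
        response = iam_client.get_account_password_policy()
    except iam_client.exceptions.NoSuchEntityException:
        print("No IAM Password Policy found.")
        return None

    policy = response['PasswordPolicy']
    print("IAM Password Policy:")
    print(policy)

    # An absent key means the control was never configured, so default to 0
    # and let it fall below the threshold (fail closed).
    if policy.get('MinimumPasswordLength', 0) < min_length:
        print(f"WARNING: MinimumPasswordLength is below {min_length}.")
    if policy.get('PasswordReusePrevention', 0) < reuse_prevention:
        print(f"WARNING: PasswordReusePrevention is below {reuse_prevention}.")
    return policy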
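def check_root_account_mfa(iam_client):
    """Report whether the root account has MFA enabled.

    Args:
        iam_client: A boto3 IAM client.

    Returns:
        True when ``AccountMFAEnabled`` in the account summary is non-zero,
        otherwise False.  Callers can use the value to build a pass/fail
        report instead of parsing stdout.
    """
    summary = iam_client.get_account_summary()['SummaryMap']
    enabled = summary['AccountMFAEnabled'] > 0
    if enabled:
        print("MFA is enabled on the root account.")
    else:
        print("MFA is NOT enabled on the root account.")
    return enabled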
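def check_root_account_access_keys(iam_client):
    """Report whether the root account has any access keys.

    Root access keys cannot be restricted by IAM policy, so the benchmark
    expects none to exist.

    Args:
        iam_client: A boto3 IAM client.

    Returns:
        True when ``AccountAccessKeysPresent`` is zero (compliant),
        otherwise False.
    """
    summary = iam_client.get_account_summary()['SummaryMap']
    compliant = summary['AccountAccessKeysPresent'] == 0
    if compliant:
        print("No access keys exist for the root account.")
    else:
        print("Access keys exist for the root account.")
    return compliant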
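def check_iam_user_mfa(iam_client):
    """Report which IAM users have no MFA device.

    Uses the ``list_users`` paginator so that accounts with more users than
    one API page are fully covered; a bare ``list_users()`` call returns
    only the first page and would silently skip the rest.

    Args:
        iam_client: A boto3 IAM client.

    Returns:
        List of user names that have no MFA device, in the order returned
        by the API.
    """
    missing = []
    for page in iam_client.get_paginator('list_users').paginate():
        for user in page['Users']:
            name = user['UserName']
            devices = iam_client.list_mfa_devices(UserName=name)['MFADevices']
            if devices:
                print(f"User {name} has MFA enabled.")
            else:
                print(f"User {name} does NOT have MFA enabled.")
                missing.append(name)
    return missing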
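def check_unused_iam_access_keys(iam_client, *, max_unused_days=45):
    """Report IAM access keys and flag active keys unused for too long.

    Pages through ``list_users`` so every user is covered (a bare
    ``list_users()`` returns only the first page).  A key is flagged when
    its status is ``Active`` and it either has never been used and is
    older than *max_unused_days*, or was last used more than
    *max_unused_days* ago.  The 45-day default follows the CIS AWS
    Foundations recommendation for credentials unused for 45 days or more.

    Args:
        iam_client: A boto3 IAM client.
        max_unused_days: Age threshold in days for flagging a key.

    Returns:
        List of ``(user_name, access_key_id)`` tuples for flagged keys.
    """
    now = datetime.now(timezone.utc)
    cutoff = timedelta(days=max_unused_days)
    stale = []
    for page in iam_client.get_paginator('list_users').paginate():
        for user in page['Users']:
            name = user['UserName']
            keys = iam_client.list_access_keys(UserName=name)['AccessKeyMetadata']
            for key in keys:
                key_id = key['AccessKeyId']
                last_used = iam_client.get_access_key_last_used(AccessKeyId=key_id)['AccessKeyLastUsed']
                if 'LastUsedDate' in last_used:
                    reference = last_used['LastUsedDate']
                    print(f"Access Key {key_id} for user {name} was last used on {reference}.")
                else:
                    # Never-used keys are aged from creation instead.
                    reference = key.get('CreateDate')
                    print(f"Access Key {key_id} for user {name} has NEVER been used.")
                if reference is None:
                    continue
                # An inactive key cannot authenticate, so only active stale
                # keys are a finding.
                if key.get('Status', 'Active') == 'Active' and now - reference > cutoff:
                    print(f"  -> Active and unused for more than {max_unused_days} days.")
                    stale.append((name, key_id))
    return stale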
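def perform_cis_benchmark(profile_name='cloudgoat'):
    """Run the IAM CIS benchmark checks against one AWS profile.

    Args:
        profile_name: Name of the local AWS CLI/SDK profile whose
            credentials are used.  The default keeps the profile this
            script previously hard-coded, so existing callers are
            unaffected.
    """
    # Credentials come from the named profile; nothing is embedded here.
    session = boto3.Session(profile_name=profile_name)
    iam_client = session.client('iam')

    # Ordered list of (heading, check) pairs; each check prints its own
    # findings and takes only the IAM client.
    checks = [
        ("1. Ensure IAM password policy is configured", check_iam_password_policy),
        ("2. Ensure root account has MFA enabled", check_root_account_mfa),
        ("3. Ensure no root account access keys exist", check_root_account_access_keys),
        ("4. Ensure all IAM users have MFA enabled", check_iam_user_mfa),
        ("5. Ensure no unused IAM access keys exist", check_unused_iam_access_keys),
    ]

    print("Performing CIS Benchmark Checks:\n")
    for heading, check in checks:
        print(heading)
        check(iam_client)
        print("-" * 60)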
# Run the full benchmark only when executed as a script, not on import.
if __name__ == "__main__":
    perform_cis_benchmark()