Performance and Recursion (#57)

* readme * move-configurations * ignoring-unknow-from-impact * fix-cloudfront-parsing * make-instances-drilling * caching-associated-resources-and-drilling-recursion * readme * readme * more-tags
gabrielsoltz · Nov 18, 2023 · 54ab282 · 54ab282
1 parent 5df3607
commit 54ab282
Show file tree

Hide file tree

Showing 11 changed files with 678 additions and 489 deletions.
diff --git a/README.md b/README.md
diff --git a/lib/AwsHelpers.py b/lib/AwsHelpers.py
@@ -7,8 +7,10 @@
     ProfileNotFound,
 )
 
+from lib.config.configuration import assume_role_duration
 
-def assume_role(logger, aws_account_number, role_name, duration=3600):
+
+def assume_role(logger, aws_account_number, role_name, duration=assume_role_duration):
     """
     Assumes the provided role in each account and returns the session
     :param aws_account_number: AWS Account Number

diff --git a/lib/config/configuration.py b/lib/config/configuration.py
@@ -53,18 +53,18 @@
 # tag_ENVIRONMENT = {"TAG-KEY": ["TAG-VALUE1", "TAG-VALUE1", "TAG-VALUE3"]}
 tags_production = {
     "Environment": ["Production", "production", "prd"],
-    "Env": ["production"],
-    "environment": ["prd"],
+    "Env": ["Production", "production", "prd"],
+    "environment": ["Production", "production", "prd"],
 }
 tags_staging = {
     "Environment": ["Staging", "staging", "stg"],
-    "Env": ["stg"],
-    "environment": ["stg"],
+    "Env": ["Staging", "staging", "stg"],
+    "environment": ["Staging", "staging", "stg"],
 }
 tags_development = {
     "Environment": ["Development", "development", "dev"],
-    "Env": ["dev"],
-    "environment": ["dev"],
+    "Env": ["Development", "development", "dev"],
+    "environment": ["Development", "development", "dev"],
 }
 
 
@@ -83,3 +83,16 @@
 
 # Decide if you want to output as part of the findings the whole json resource policy
 output_resource_policy = True
+
+# Output directory
+outputs_dir = "outputs/"
+
+# Output file name date format
+outputs_time_str = "%Y%m%d-%H%M%S"
+
+# ---------------------------------- #
+# Other Configurations               #
+# ---------------------------------- #
+
+# Assume role duration in seconds
+assume_role_duration = 3600
diff --git a/lib/config/impact.yaml b/lib/config/impact.yaml
@@ -17,8 +17,8 @@ status:
         score: 1
     - not-running:
         score: 0
-    - unknown:
-        score: 0
+    # - unknown:
+    #     score: 0
 
 exposure:
   weight: 25
@@ -33,8 +33,8 @@ exposure:
         score: 0.1
     - restricted:
         score: 0
-    - unknown:
-        score: 0
+    # - unknown:
+    #     score: 0
 
 access:
   weight: 25
@@ -55,8 +55,8 @@ access:
         score: 0.1
     - restricted:
         score: 0
-    - unknown:
-        score: 0
+    # - unknown:
+    #     score: 0
 
 encryption:
   weight: 10
@@ -65,8 +65,8 @@ encryption:
         score: 1
     - encrypted:
         score: 0
-    - unknown:
-        score: 0
+    # - unknown:
+    #     score: 0
 
 environment:
   weight: 15
@@ -77,5 +77,5 @@ environment:
         score: 0.3
     - development:
         score: 0
-    - unknown:
-        score: 0
+    # - unknown:
+    #     score: 0
diff --git a/lib/context/context.py b/lib/context/context.py
@@ -11,12 +11,21 @@
 
 
 class Context:
-    def __init__(self, logger, finding, mh_filters_config, mh_filters_tags, mh_role):
+    def __init__(
+        self,
+        logger,
+        finding,
+        mh_filters_config,
+        mh_filters_tags,
+        mh_role,
+        cached_associated_resources,
+    ):
         self.logger = logger
         self.parse_finding(finding)
         self.get_session(mh_role)
         self.mh_filters_config = mh_filters_config
         self.mh_filters_tags = mh_filters_tags
+        self.cached_associated_resources = cached_associated_resources
         # Move to Config:
         self.drilled_down = True
 
@@ -95,7 +104,7 @@ def get_context_config(self):
         # Execute Drilled
         if self.drilled_down:
             try:
-                hnld.execute_drilled_metachecks()
+                hnld.execute_drilled_metachecks(self.cached_associated_resources)
             except (AttributeError, Exception) as err:
                 if "should return None" in str(err):
                     self.logger.info(

diff --git a/lib/context/resources/AwsCloudFrontDistribution.py b/lib/context/resources/AwsCloudFrontDistribution.py
@@ -38,7 +38,7 @@ def parse_finding(self, finding, drilled):
         self.resource_id = (
             finding["Resources"][0]["Id"].split("/")[-1]
             if not drilled
-            else drilled.split("/")[-11]
+            else drilled.split("/")[-1]
         )
         self.resource_arn = finding["Resources"][0]["Id"] if not drilled else drilled
 

diff --git a/lib/context/resources/AwsEc2Instance.py b/lib/context/resources/AwsEc2Instance.py
@@ -41,8 +41,12 @@ def parse_finding(self, finding, drilled):
         self.account = finding["AwsAccountId"]
         self.partition = finding["Resources"][0]["Id"].split(":")[1]
         self.resource_type = finding["Resources"][0]["Type"]
-        self.resource_arn = finding["Resources"][0]["Id"]
-        self.resource_id = finding["Resources"][0]["Id"].split("/")[1]
+        self.resource_id = (
+            finding["Resources"][0]["Id"].split("/")[-1]
+            if not drilled
+            else drilled.split("/")[-1]
+        )
+        self.resource_arn = finding["Resources"][0]["Id"] if not drilled else drilled
 
     # Describe Functions