add-impact-application

README.md

@@ -185,6 +185,10 @@ The following are the impact criteria that MetaHub evaluates by default:
 | 🟢 development        |    0%     | It is a development resource.                    |
 | 🔵 unknown            |     -     | The resource couldn't be checked for enviroment. |
 
+## Application
+
+**Application** evaluates the application that the affected resource is part of. MetaHub relies on the AWS [myApplications](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/aws-myApplications.html) feature, which relies on the Tag `awsApplication`, but you can extend this functionality based on your context for example by defining other tags you use for defining applications or services (like `Service` or any other), or by relying on account id or alias. You can define your application definitions and strategy in the configuration file (See [Customizing Configuration](#customizing-configuration)).
+
 ## Findings Soring
 
 As part of the impact score calculation, we also evaluate the total ammount of security findings and their severities affecting the resource. We use the following formula to calculate this metric:

lib/config/configuration.py

@@ -35,6 +35,13 @@
     "INFORMATIONAL": 0,
 }
 
+# Days to consider a resource (key) unrotated
+days_to_consider_unrotated = 90
+
+# ---------------------------------- #
+# Impact: Access Configurations      #
+# ---------------------------------- #
+
 # List of AWS accounts ids that are trusted and not considered as external.
 # This is used in check untrusted_principal for policies.
 trusted_accounts = []
@@ -57,10 +64,9 @@
     "iam:UpdateAssumeRolePolicy",
 ]
 
-# Days to consider a resource (key) unrotated
-days_to_consider_unrotated = 90
-
-# Environment Definition
+# ---------------------------------- #
+# Impact: Environment Configurations #
+# ---------------------------------- #
 # You can define the environment by tags, account id or account alias.
 # You can define how many environments you want, then assign each environment a value in the file: lib/config/impact.yaml
 
@@ -103,6 +109,23 @@
     },
 }
 
+# ---------------------------------- #
+# Impact: Application Configurations #
+# ---------------------------------- #
+# https://aws.amazon.com/blogs/aws/new-myapplications-in-the-aws-management-console-simplifies-managing-your-application-resources/
+# You can define the application by tags, account id or account alias.
+# You can define how many appliactions you want, then assign each application a value in the file: lib/config/impact.yaml
+
+applications = {
+    "app-example": {
+        "tags": {
+            "awsApplication": [
+                "arn:aws:resource-groups:eu-west-1:123456789012:group/app-example/1c8vpbjkzeeffsz2cqgxpae7b2"
+            ],
+        },
+    },
+}
+
 # ---------------------------------- #
 # Output Configurations              #
 # ---------------------------------- #
@@ -111,10 +134,18 @@
 # You can define the columns that will be displayed in the output HTML, CSV AND XLSX.
 # You can also use `--output-config-columns` and `--output-tags-columns` to override these values.
 # If you want all fields as columns, comment the following lines.
-config_columns = ["public"]
+config_columns = []
 tag_columns = ["Name", "Owner"]
-account_columns = ["AccountAlias"]
-impact_columns = ["score", "exposure", "access", "encryption", "status", "environment"]
+account_columns = ["Alias"]
+impact_columns = [
+    "score",
+    "exposure",
+    "access",
+    "encryption",
+    "status",
+    "environment",
+    "application",
+]
 
 # Decide if you want to output as part of the findings the whole json resource policy
 output_resource_policy = True

lib/config/impact.yaml

@@ -79,3 +79,11 @@ environment:
         score: 0
     # - unknown:
     #     score: 0
+
+application:
+  weight: 15
+  values:
+    - app-example:
+        score: 1
+    # - unknown:
+    #     score: 0

lib/impact/application.py

@@ -0,0 +1,28 @@
+from lib.config.configuration import applications
+
+
+class Application:
+    def __init__(self, logger):
+        self.logger = logger
+
+    def get_application(self, resource_arn, resource_values):
+        self.logger.info("Calculating application for resource: %s", resource_arn)
+
+        def check_tags(environment_definition):
+            resource_tags = resource_values.get("tags", {})
+            if resource_tags:
+                for tag_key, tag_values in environment_definition.items():
+                    for tag_value in tag_values:
+                        if (
+                            tag_key in resource_tags
+                            and resource_tags[tag_key] == tag_value
+                        ):
+                            return True, {tag_key: tag_value}
+            return False, False
+
+        for app in applications:
+            tags_matched, tags_details = check_tags(applications[app].get("tags", {}))
+            if tags_matched:
+                return {app: {"tags": tags_details}}
+
+        return {"unknown": {}}

lib/impact/impact.py

@@ -4,6 +4,7 @@
 
 from lib.config.configuration import findings_severity_value, path_yaml_impact
 from lib.impact.access import Access
+from lib.impact.application import Application
 from lib.impact.encryption import Encryption
 from lib.impact.environment import Environment
 from lib.impact.exposure import Exposure
@@ -181,6 +182,7 @@ def generate_impact_checks(self, resource_arn, resource_values):
             "encryption": {},
             "status": {},
             "environment": {},
+            "application": {},
             "score": {},
         }
         impact_dict["exposure"].update(
@@ -198,4 +200,7 @@ def generate_impact_checks(self, resource_arn, resource_values):
         impact_dict["environment"].update(
             Environment(self.logger).get_environment(resource_arn, resource_values)
         )
+        impact_dict["application"].update(
+            Application(self.logger).get_application(resource_arn, resource_values)
+        )
         return impact_dict