Merge branch 'main' into terraform-stack

Author: cyphronix

.github/workflows/safety.yml

@@ -1,7 +1,7 @@
 name: safety - Python Dependency Check
 
 on:
-  pull_request:
+  pull_request_target:
     branches:
       - main
   push:
@@ -54,9 +54,11 @@ jobs:
         if: steps.cached-poetry-no-dev-dependencies.outputs.cache-hit != 'true'
         run: poetry install --only main --no-root
       #----------------------------------------------
-      # Run Safety check
+      # Run Safety scan
       #----------------------------------------------
-      - name: Safety check
+      - name: Safety scan
+        env:
+          API_KEY: ${{secrets.SAFETY_API_KEY}}
         run: |
           poetry run pip install safety
-          poetry run safety check
+          poetry run safety --key "$API_KEY" --stage cicd scan

CHANGELOG.md

@@ -141,7 +141,7 @@ Updated [Firewall Manager](https://github.com/aws-samples/aws-security-reference
 
 ### Changed<!-- omit in toc -->
 
-- Updated [CfCT template](aws_sra_examples/solutions/common/common_cfct_setup/templates/customizations-for-aws-control-tower.template) to resolve issue #137.
+- Updated [CfCT template](aws_sra_examples/solutions/common/common_cfct_setup/templates/) to resolve issue #137.
 
 ## 2023-05-05
 
@@ -171,7 +171,7 @@ Updated [Firewall Manager](https://github.com/aws-samples/aws-security-reference
 
 ### Changed<!-- omit in toc -->
 
-- Updated the [customizations-for-aws-control-tower.template](aws_sra_examples/solutions/common/common_cfct_setup/templates/customizations-for-aws-control-tower.template) to the latest version v2.5.0 and added Checkov suppressions.
+- Updated the [customizations-for-aws-control-tower.template](aws_sra_examples/solutions/common/common_cfct_setup/templates/) to the latest version v2.5.0 and added Checkov suppressions.
 
 ## 2022-07-29
 
@@ -198,7 +198,7 @@ Updated [Firewall Manager](https://github.com/aws-samples/aws-security-reference
 
 - Added Checkov Lambda Function suppressions for CKV_AWS_115 (Reserved Concurrent Executions) and CKV_AWS_117 (Run within a VPC) to all solution templates with Lambda Function configurations.
 - Updated Lambda python files to fix mypy finding for log_level to always be a string value.
-- Updated the [customizations-for-aws-control-tower.template](aws_sra_examples/solutions/common/common_cfct_setup/templates/customizations-for-aws-control-tower.template) to the latest version v2.4.0 and added Checkov suppressions.
+- Updated the [customizations-for-aws-control-tower.template](aws_sra_examples/solutions/common/common_cfct_setup/templates/) to the latest version v2.4.0 and added Checkov suppressions.
 - Updated pyproject.toml dependencies to the latest versions.
 - Updated [Macie](aws_sra_examples/solutions/macie/macie_org) solution to increase retries and handle API errors when creating existing members.
 - Updated [EC2 Default EBS Encryption](aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption) to include default string value for the pExcludeEC2DefaultEBSEncryptionTags parameter.

aws_sra_examples/solutions/ami_bakery/ami_bakery_org/lambda/src/common.py

@@ -1,10 +1,12 @@
+# type: ignore
 """This script includes common functions.
 
 Version: 1.0
 
 Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 SPDX-License-Identifier: MIT-0
 """
+
 from __future__ import annotations
 
 import logging
@@ -176,25 +178,9 @@ def get_enabled_regions(customer_regions: str, control_tower_regions_only: bool
     elif control_tower_regions_only:
         region_list = get_control_tower_regions()
     else:
-        default_available_regions = [
-            "ap-northeast-1",
-            "ap-northeast-2",
-            "ap-northeast-3",
-            "ap-south-1",
-            "ap-southeast-1",
-            "ap-southeast-2",
-            "ca-central-1",
-            "eu-central-1",
-            "eu-north-1",
-            "eu-west-1",
-            "eu-west-2",
-            "eu-west-3",
-            "sa-east-1",
-            "us-east-1",
-            "us-east-2",
-            "us-west-1",
-            "us-west-2",
-        ]
+        default_available_regions = []
+        for region in boto3.client("account").list_regions(RegionOptStatusContains=["ENABLED", "ENABLED_BY_DEFAULT"])["Regions"]:
+            default_available_regions.append(region["RegionName"])
         LOGGER.info({"Default_Available_Regions": default_available_regions})
         region_list = default_available_regions
 

aws_sra_examples/solutions/ami_bakery/ami_bakery_org/templates/sra-ami-bakery-org-configuration.yaml

@@ -447,6 +447,17 @@ Resources:
                 Effect: Allow
                 Action: sqs:SendMessage
                 Resource: !GetAtt rAMIBakeryOrgDLQ.Arn
+
+        - PolicyName: sra-ami-bakery-org-policy-acct
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Sid: AcctListRegions
+                Effect: Allow
+                Action:
+                  - account:ListRegions
+                Resource: '*'
+
       Tags:
         - Key: sra-solution
           Value: !Ref pSRASolutionName

aws_sra_examples/solutions/config/config_conformance_pack_org/scripts/list_config_recorder_status.py

@@ -1,3 +1,4 @@
+# type: ignore
 """Get a list of accounts that do not have AWS Config enabled.
 
 The purpose of this script is to check if AWS Config is enabled in each AWS account and region within an AWS Control
@@ -12,6 +13,7 @@
 Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 SPDX-License-Identifier: MIT-0
 """
+
 from __future__ import annotations
 
 import logging
@@ -125,25 +127,9 @@ def get_enabled_regions(control_tower_regions_only: bool = False) -> list:  # no
     if control_tower_regions_only:
         region_list = get_control_tower_regions()
     else:
-        default_available_regions = [
-            "ap-northeast-1",
-            "ap-northeast-2",
-            "ap-northeast-3",
-            "ap-south-1",
-            "ap-southeast-1",
-            "ap-southeast-2",
-            "ca-central-1",
-            "eu-central-1",
-            "eu-north-1",
-            "eu-west-1",
-            "eu-west-2",
-            "eu-west-3",
-            "sa-east-1",
-            "us-east-1",
-            "us-east-2",
-            "us-west-1",
-            "us-west-2",
-        ]
+        default_available_regions = []
+        for region in boto3.client("account").list_regions(RegionOptStatusContains=["ENABLED", "ENABLED_BY_DEFAULT"])["Regions"]:
+            default_available_regions.append(region["RegionName"])
         LOGGER.info({"Default_Available_Regions": default_available_regions})
         region_list = default_available_regions
 

aws_sra_examples/solutions/config/config_org/lambda/src/common.py

@@ -1,10 +1,12 @@
+# type: ignore
 """This script includes common functions.
 
 Version: 1.0
 
 Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 SPDX-License-Identifier: MIT-0
 """
+
 from __future__ import annotations
 
 import logging
@@ -129,25 +131,9 @@ def get_enabled_regions(customer_regions: str, control_tower_regions_only: bool
     elif control_tower_regions_only:
         region_list = get_control_tower_regions()
     else:
-        default_available_regions = [
-            "ap-northeast-1",
-            "ap-northeast-2",
-            "ap-northeast-3",
-            "ap-south-1",
-            "ap-southeast-1",
-            "ap-southeast-2",
-            "ca-central-1",
-            "eu-central-1",
-            "eu-north-1",
-            "eu-west-1",
-            "eu-west-2",
-            "eu-west-3",
-            "sa-east-1",
-            "us-east-1",
-            "us-east-2",
-            "us-west-1",
-            "us-west-2",
-        ]
+        default_available_regions = []
+        for region in boto3.client("account").list_regions(RegionOptStatusContains=["ENABLED", "ENABLED_BY_DEFAULT"])["Regions"]:
+            default_available_regions.append(region["RegionName"])
         LOGGER.info({"Default_Available_Regions": default_available_regions})
         region_list = default_available_regions
 

aws_sra_examples/solutions/config/config_org/templates/sra-config-org-configuration.yaml

@@ -474,6 +474,17 @@ Resources:
                 Effect: Allow
                 Action: sqs:SendMessage
                 Resource: !GetAtt rConfigOrgDLQ.Arn
+
+        - PolicyName: sra-config-org-policy-acct
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Sid: AcctListRegions
+                Effect: Allow
+                Action:
+                  - account:ListRegions
+                Resource: '*'
+
       Tags:
         - Key: sra-solution
           Value: !Ref pSRASolutionName

aws_sra_examples/solutions/detective/detective_org/lambda/src/common.py

@@ -1,10 +1,12 @@
+# type: ignore
 """This script includes common functions.
 
 Version: 1.0
 
 Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 SPDX-License-Identifier: MIT-0
 """
+
 from __future__ import annotations
 
 import logging
@@ -129,25 +131,9 @@ def get_enabled_regions(customer_regions: str, control_tower_regions_only: bool
     elif control_tower_regions_only:
         region_list = get_control_tower_regions()
     else:
-        default_available_regions = [
-            "ap-northeast-1",
-            "ap-northeast-2",
-            "ap-northeast-3",
-            "ap-south-1",
-            "ap-southeast-1",
-            "ap-southeast-2",
-            "ca-central-1",
-            "eu-central-1",
-            "eu-north-1",
-            "eu-west-1",
-            "eu-west-2",
-            "eu-west-3",
-            "sa-east-1",
-            "us-east-1",
-            "us-east-2",
-            "us-west-1",
-            "us-west-2",
-        ]
+        default_available_regions = []
+        for region in boto3.client("account").list_regions(RegionOptStatusContains=["ENABLED", "ENABLED_BY_DEFAULT"])["Regions"]:
+            default_available_regions.append(region["RegionName"])
         LOGGER.info({"Default_Available_Regions": default_available_regions})
         region_list = default_available_regions
 

aws_sra_examples/solutions/detective/detective_org/templates/sra-detective-org-configuration.yaml

@@ -379,6 +379,17 @@ Resources:
                 Effect: Allow
                 Action: sqs:SendMessage
                 Resource: !GetAtt rDetectiveOrgDLQ.Arn
+
+        - PolicyName: sra-detective-org-policy-acct
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Sid: AcctListRegions
+                Effect: Allow
+                Action:
+                  - account:ListRegions
+                Resource: '*'
+
       Tags:
         - Key: sra-solution
           Value: !Ref pSRASolutionName

aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption/lambda/src/app.py

@@ -1,3 +1,4 @@
+# type: ignore
 """The purpose of this script is to configure the EC2 EBS default encryption within each account and region.
 
 Version: 1.1
@@ -7,6 +8,7 @@
 Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 SPDX-License-Identifier: MIT-0
 """
+
 from __future__ import annotations
 
 import json
@@ -121,25 +123,9 @@ def get_enabled_regions(customer_regions: str = None, control_tower_regions_only
     elif control_tower_regions_only:
         region_list = get_control_tower_regions()
     else:
-        default_available_regions = [
-            "ap-northeast-1",
-            "ap-northeast-2",
-            "ap-northeast-3",
-            "ap-south-1",
-            "ap-southeast-1",
-            "ap-southeast-2",
-            "ca-central-1",
-            "eu-central-1",
-            "eu-north-1",
-            "eu-west-1",
-            "eu-west-2",
-            "eu-west-3",
-            "sa-east-1",
-            "us-east-1",
-            "us-east-2",
-            "us-west-1",
-            "us-west-2",
-        ]
+        default_available_regions = []
+        for region in boto3.client("account").list_regions(RegionOptStatusContains=["ENABLED", "ENABLED_BY_DEFAULT"])["Regions"]:
+            default_available_regions.append(region["RegionName"])
         LOGGER.info({"Default_Available_Regions": default_available_regions})
         region_list = default_available_regions
 
@@ -321,7 +307,7 @@ def process_accounts(event: Union[CloudFormationCustomResourceEvent, dict], para
         if is_account_with_exclude_tags(account, params):
             continue
 
-        if event.get("local_testing") == "true" or event.get("ResourceProperties", {}).get("local_testing") == "true":  # type: ignore
+        if event.get("local_testing") == "true" or event.get("ResourceProperties", {}).get("local_testing") == "true":
             local_testing(account, params)
         else:
             sns_message = {"Action": params["action"], "AccountId": account["Id"]}

aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption/templates/sra-ec2-default-ebs-encryption.yaml

@@ -397,6 +397,17 @@ Resources:
                 Action: sqs:SendMessage
                 Resource: !GetAtt rEC2DefaultEBSEncryptionDLQ.Arn
 
+        - PolicyName: sra-ec2-default-ebs-encryption-policy-acct
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Sid: AcctListRegions
+                Effect: Allow
+                Action:
+                  - account:ListRegions
+                Resource: '*'
+
+
       Tags:
         - Key: sra-solution
           Value: !Ref pSRASolutionName