Patch: Merge pull request #48 from reflexivesecurity/automated-multia…

…ccount-refactor

Automated - Multi Account Update

README.md

@@ -18,7 +18,7 @@ rules:
 or add it directly to your Terraform:  
 ```
 module "s3-bucket-acl-public-access" {
-  source            = "git::https://github.com/cloudmitigator/reflex-aws-s3-bucket-acl-public-access.git?ref=latest"
+  source            = "git::https://github.com/reflexivesecurity/reflex-aws-s3-bucket-acl-public-access.git?ref=latest"
   sns_topic_arn     = module.central-sns-topic.arn
   reflex_kms_key_id = module.reflex-kms-key.key_id
 }
@@ -33,4 +33,4 @@ This rule has no configuration options.
 If you are interested in contributing, please review [our contribution guide](https://docs.cloudmitigator.com/about/contributing.html).
 
 ## License
-This Reflex rule is made available under the MPL 2.0 license. For more information view the [LICENSE](https://github.com/cloudmitigator/reflex-aws-s3-bucket-acl-public-access/blob/master/LICENSE) 
+This Reflex rule is made available under the MPL 2.0 license. For more information view the [LICENSE](https://github.com/reflexivesecurity/reflex-aws-s3-bucket-acl-public-access/blob/master/LICENSE) 

source/reflex_aws_s3_bucket_acl_public_access.py

@@ -4,7 +4,7 @@
 import os
 
 import boto3
-from reflex_core import AWSRule
+from reflex_core import AWSRule, subscription_confirmation
 
 
 class S3BucketAclPublicAccess(AWSRule):
@@ -32,8 +32,7 @@ def resource_compliant(self):
 
     def is_create_bucket(self):
         if "x-amz-acl" in self.event["detail"]["requestParameters"].keys():
-            for acl in self.event["detail"]["requestParameters"][
-                    "x-amz-acl"]:
+            for acl in self.event["detail"]["requestParameters"]["x-amz-acl"]:
                 if acl in self.non_compliant_acl_list:
                     return False
             return True
@@ -45,30 +44,45 @@ def is_put_bucket_acl(self):
                 if acl in self.non_compliant_acl_list:
                     return False
             return True
-        if isinstance(self.event["detail"]["requestParameters"][
-                            "AccessControlPolicy"]["AccessControlList"][
-                            "Grant"], list):
+        if isinstance(
+            self.event["detail"]["requestParameters"]["AccessControlPolicy"][
+                "AccessControlList"
+            ]["Grant"],
+            list,
+        ):
             for grant in self.event["detail"]["requestParameters"][
-                    "AccessControlPolicy"]["AccessControlList"]["Grant"]:
+                "AccessControlPolicy"
+            ]["AccessControlList"]["Grant"]:
                 if grant["Grantee"]["xsi:type"] == "Group":
                     return False
-        if isinstance(self.event["detail"]["requestParameters"][
-                            "AccessControlPolicy"]["AccessControlList"][
-                            "Grant"], dict):
-            grant = self.event["detail"]["requestParameters"][
-                "AccessControlPolicy"]["AccessControlList"]["Grant"]
+        if isinstance(
+            self.event["detail"]["requestParameters"]["AccessControlPolicy"][
+                "AccessControlList"
+            ]["Grant"],
+            dict,
+        ):
+            grant = self.event["detail"]["requestParameters"]["AccessControlPolicy"][
+                "AccessControlList"
+            ]["Grant"]
             if grant["Grantee"]["xsi:type"] == "Group":
                 return False
             return True
         return True
 
     def get_remediation_message(self):
         """ Returns a message about the remediation action that occurred """
-        return f"The S3 bucket {self.bucket_name} contains an ACL that " \
-               f"grants Public Access "
+        return (
+            f"The S3 bucket {self.bucket_name} contains an ACL that "
+            f"grants Public Access "
+        )
 
 
 def lambda_handler(event, _):
     """ Handles the incoming event """
-    rule = S3BucketAclPublicAccess(json.loads(event["Records"][0]["body"]))
+    print(event)
+    event_payload = json.loads(event["Records"][0]["body"])
+    if subscription_confirmation.is_subscription_confirmation(event_payload):
+        subscription_confirmation.confirm_subscription(event_payload)
+        return
+    rule = S3BucketAclPublicAccess(event_payload)
     rule.run_compliance_rule()

terraform/assume_role/assume_role.tf

@@ -0,0 +1,8 @@
+data "aws_caller_identity" "current" {}
+module "assume_role" {
+  source = "git::https://github.com/reflexivesecurity/reflex-engine.git//modules/sqs_lambda/modules/iam_assume_role?ref=v2.1.0"
+
+  function_name             = "S3BucketAclPublicAccess"
+  lambda_execution_role_arn = "arn:aws:iam::${var.parent_account}:role/ReflexS3BucketAclPublicAccessLambdaExecution"
+
+}

terraform/assume_role/variables.tf

@@ -0,0 +1,5 @@
+variable "parent_account" {
+  description = "Account id of parent forwarded account."
+  type        = string
+}
+

terraform/cwe/main.tf

@@ -1,5 +1,5 @@
 module "cwe" {
-  source      = "git::https://github.com/cloudmitigator/reflex-engine.git//modules/cwe?ref=v2.0.1"
+  source      = "git::https://github.com/reflexivesecurity/reflex-engine.git//modules/cwe?ref=v2.1.0"
   name        = "S3BucketAclPublicAccess"
   description = "Detect when a bucket has ACL rules that grant public access."
 

terraform/sqs_lambda/sqs_lambda.tf

@@ -1,5 +1,5 @@
 module "sqs_lambda" {
-  source = "git::https://github.com/cloudmitigator/reflex-engine.git//modules/sqs_lambda?ref=v2.0.1"
+  source = "git::https://github.com/reflexivesecurity/reflex-engine.git//modules/sqs_lambda?ref=v2.1.0"
 
   cloudwatch_event_rule_id  = var.cloudwatch_event_rule_id
   cloudwatch_event_rule_arn = var.cloudwatch_event_rule_arn