jongogogo · mshri14 · Mar 4, 2020 · Mar 4, 2020 · Mar 4, 2020 · jongogogo
diff --git a/python/SECURITYHUB_ENABLED/SECURITYHUB_ENABLED.py b/python/SECURITYHUB_ENABLED/SECURITYHUB_ENABLED.py
@@ -0,0 +1,73 @@
+# Copyright 2017-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You may
+# not use this file except in compliance with the License. A copy of the License is located at
+#
+#        http://aws.amazon.com/apache2.0/
+#
+# or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for
+# the specific language governing permissions and limitations under the License.
+
+'''
+#####################################
+##           Gherkin               ##
+#####################################
+
+Rule Name:
+  SECURITYHUB_ENABLED
+
+Description:
+  Checks whether SecurityHub is enabled. The rule is NON_COMPLIANT if SecurityHub is not enabled.
+
+Rationale:
+   AWS Security Hub gives you a comprehensive view of your high-priority security alerts,
+   and compliance status across AWS accounts.
+
+Indicative Severity:
+  Medium
+
+Trigger:
+  Periodic
+
+Reports on:
+  AWS::::Account
+
+Rule Parameters:
+  None
+
+Scenarios:
+  Scenario: 1
+    Given: SecurityHub is enabled.
+     Then: Return COMPLIANT
+
+  Scenario: 2
+    Given: SecurityHub is not enabled.
+     Then: Return NON_COMPLIANT with Annotation
+'''
+
+from rdklib import Evaluator, Evaluation, ConfigRule, ComplianceType
+
+RESOURCE_TYPE = 'AWS::::Account'
+
+class SECURITYHUB_ENABLED(ConfigRule):
+    def evaluate_periodic(self, event, client_factory, valid_rule_parameters):
+        client = client_factory.build_client('securityhub')
+        is_securityhub_enabled = True
+        try:
+            response = client.describe_hub()
+        except:
+            is_securityhub_enabled = False
+        if is_securityhub_enabled:
+            print('HubArn:' + response['HubArn'])
+            print('SecurityHub Enabled.')
+            return [Evaluation(ComplianceType.COMPLIANT, event['accountId'], RESOURCE_TYPE)]
+        print('HubArn: None')
+        print('SecurityHub NOT Enabled.')
+        return [Evaluation(ComplianceType.NON_COMPLIANT, event['accountId'], RESOURCE_TYPE,
+                           'AWS SecurityHub is not enabled.')]
+
+def lambda_handler(event, context):
+    my_rule = SECURITYHUB_ENABLED()
+    evaluator = Evaluator(my_rule)
+    return evaluator.handle(event, context)
diff --git a/python/SECURITYHUB_ENABLED/SECURITYHUB_ENABLED_test.py b/python/SECURITYHUB_ENABLED/SECURITYHUB_ENABLED_test.py
@@ -0,0 +1,69 @@
+# Copyright 2017-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You may
+# not use this file except in compliance with the License. A copy of the License is located at
+#
+#        http://aws.amazon.com/apache2.0/
+#
+# or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for
+# the specific language governing permissions and limitations under the License.
+
+import unittest
+from mock import patch, MagicMock
+from rdklib import Evaluation, ComplianceType
+import rdklibtest
+
+##############
+# Parameters #
+##############
+
+# Define the default resource to report to Config Rules
+RESOURCE_TYPE = 'AWS::::Account'
+
+#############
+# Main Code #
+#############
+
+MODULE = __import__('SECURITYHUB_ENABLED')
+RULE = MODULE.SECURITYHUB_ENABLED()
+
+CLIENT_FACTORY = MagicMock()
+
+SECURITYHUB_CLIENT_MOCK = MagicMock()
+
+MOCK_SECURITYHUB_ENABLED = {
+    "HubArn": "arn:aws:securityhub:ap-southeast-1:632747342146:hub/default",
+    "SubscribedAt": "2020-03-03T04:54:41.610Z"
+    }
+
+MOCK_EVENT = {
+    "accountId": "632747342146"
+    }
+
+def mock_get_client(client_name, *args, **kwargs):
+    if client_name == 'securityhub':
+        return SECURITYHUB_CLIENT_MOCK
+    raise Exception("Attempting to create an unknown client")
+
+def my_side_effect():
+    raise Exception("An error occurred (InvalidAccessException) when calling the DescribeHub operation: AccountId: 632747342146 is not enabled for securityhub. Currentstate: false")
+
+@patch.object(CLIENT_FACTORY, 'build_client', MagicMock(side_effect=mock_get_client))
+class ComplianceTest(unittest.TestCase):
+
+    def test_evaluate_periodic_1_compliant(self):
+        SECURITYHUB_CLIENT_MOCK.describe_hub.return_value = MOCK_SECURITYHUB_ENABLED
+        response = RULE.evaluate_periodic(MOCK_EVENT, CLIENT_FACTORY, {})
+        resp_expected = [
+            Evaluation(ComplianceType.COMPLIANT, '632747342146', RESOURCE_TYPE)
+        ]
+        rdklibtest.assert_successful_evaluation(self, response, resp_expected, 1)
+
+    def test_evaluate_periodic_2_non_compliant(self):
+        SECURITYHUB_CLIENT_MOCK.describe_hub.side_effect = my_side_effect
+        response = RULE.evaluate_periodic(MOCK_EVENT, CLIENT_FACTORY, {})
+        resp_expected = [
+            Evaluation(ComplianceType.NON_COMPLIANT, '632747342146', RESOURCE_TYPE, 'AWS SecurityHub is not enabled.')
+        ]
+        rdklibtest.assert_successful_evaluation(self, response, resp_expected, 1)
diff --git a/python/SECURITYHUB_ENABLED/parameters.json b/python/SECURITYHUB_ENABLED/parameters.json
@@ -0,0 +1,12 @@
+{
+  "Version": "1.0",
+  "Parameters": {
+    "RuleName": "SECURITYHUB_ENABLED",
+    "SourceRuntime": "python3.6-lib",
+    "CodeKey": "SECURITYHUB_ENABLED.zip",
+    "InputParameters": "{}",
+    "OptionalParameters": "{}",
+    "SourcePeriodic": "One_Hour"
+  },
+  "Tags": "[]"
+}