Check for federated identity providers (#83)

david-dearden-ssc · web-flow · commit 375a96ac39c2 · 2024-12-11T08:17:17.000-08:00
Update existing lambdas to check for federated identity providers and adjust the compliance annotation accordingly.
diff --git a/arch/lza_extensions/customizations/GCGuardrailsRoles.yaml b/arch/lza_extensions/customizations/GCGuardrailsRoles.yaml
@@ -247,15 +247,9 @@ Resources:
         Statement:
           - Sid: AllowIAMQueries
             Action:
-              - "iam:GenerateCredentialReport"
-              - "iam:GetAccountPasswordPolicy"
-              - "iam:GetCredentialReport"
-              - "iam:GetLoginProfile"
-              - "iam:GetRole"
-              - "iam:GetUser"
-              - "iam:ListAttachedRolePolicies"
-              - "iam:ListMFADevices"
-              - "iam:ListUsers"
+              - "iam:Generate*"
+              - "iam:Get*"
+              - "iam:List*"
               - "iam:Simulate*"
             Resource: "*"
             Effect: Allow
diff --git a/arch/templates/AuditAccountAuditManager.yaml b/arch/templates/AuditAccountAuditManager.yaml
@@ -69,7 +69,7 @@ Resources:
             Effect: Allow
           - Sid: AllowIAM
             Action:
-              - "iam:ListRoles"
+              - "iam:List*"
             Resource: "*"
             Effect: Allow
       PolicyName: gc_setup_amresources_lambda_execution_role_policy
diff --git a/arch/templates/AuditAccountPreRequisitesPart1.yaml b/arch/templates/AuditAccountPreRequisitesPart1.yaml
@@ -201,15 +201,9 @@ Resources:
             Effect: Allow
           - Sid: AllowIAMQueries
             Action:
-              - "iam:GenerateCredentialReport"
-              - "iam:GetAccountPasswordPolicy"
-              - "iam:GetCredentialReport"
-              - "iam:GetLoginProfile"
-              - "iam:GetRole"
-              - "iam:GetUser"
-              - "iam:ListAttachedRolePolicies"
-              - "iam:ListMFADevices"
-              - "iam:ListUsers"
+              - "iam:Generate*"
+              - "iam:Get*"
+              - "iam:List*"
               - "iam:Simulate*"
             Resource: "*"
             Effect: Allow
diff --git a/arch/templates/AuditAccountPreRequisitesPartN.yaml b/arch/templates/AuditAccountPreRequisitesPartN.yaml
@@ -95,7 +95,7 @@ Resources:
     Properties:
       ServiceToken: !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${OrganizationName}aws_lambda_permissions_setup"
       UpdateVariable: QVdTb21lCg8
-      TriggerProperty: 31
+      TriggerProperty: 32
     DependsOn:
       - LambdaPermissionsLambda
 
diff --git a/arch/templates/main.yaml b/arch/templates/main.yaml
@@ -212,7 +212,7 @@ Resources:
     Type: Custom::InvokeCustomLambda
     Condition: DeployRoles
     Properties:
-      Version: 31
+      Version: 32
       ServiceToken: !GetAtt CreateRoleLambda.Arn
       TrustPrincipal: !Sub arn:${AWS::Partition}:iam::${AuditAccountID}:root
       SwitchRole: !Ref AcceleratorRole
@@ -337,7 +337,7 @@ Resources:
     Type: Custom::InvokeCustomLambda
     Condition: DeployRoles
     Properties:
-      Version: 31
+      Version: 32
       ServiceToken: !GetAtt CreateRoleLambda.Arn
       TrustPrincipal: !Sub arn:${AWS::Partition}:iam::${AuditAccountID}:root
       SwitchRole: !Ref AcceleratorRole
@@ -1175,15 +1175,9 @@ Resources:
         Statement:
           - Sid: AllowIAMQueries
             Action:
-              - "iam:GenerateCredentialReport"
-              - "iam:GetAccountPasswordPolicy"
-              - "iam:GetCredentialReport"
-              - "iam:GetLoginProfile"
-              - "iam:GetRole"
-              - "iam:GetUser"
-              - "iam:ListAttachedRolePolicies"
-              - "iam:ListMFADevices"
-              - "iam:ListUsers"
+              - "iam:Generate*"
+              - "iam:Get*"
+              - "iam:List*"
               - "iam:Simulate*"
             Resource: "*"
             Effect: Allow
diff --git a/src/lambda/gc01_check_federated_users_mfa/app.py b/src/lambda/gc01_check_federated_users_mfa/app.py
@@ -1,6 +1,7 @@
 """ GC01 - Check Federated Users MFA
     https://canada-ca.github.io/cloud-guardrails/EN/01_Protect-Root-Account.html
 """
+
 import json
 import logging
 
@@ -43,10 +44,7 @@ def get_assume_role_credentials(role_arn):
     """
     sts_client = boto3.client("sts")
     try:
-        assume_role_response = sts_client.assume_role(
-            RoleArn=role_arn,
-            RoleSessionName="configLambdaExecution"
-        )
+        assume_role_response = sts_client.assume_role(RoleArn=role_arn, RoleSessionName="configLambdaExecution")
         return assume_role_response["Credentials"]
     except botocore.exceptions.ClientError as ex:
         # Scrub error message for any internal account info leaks
@@ -73,6 +71,7 @@ def evaluate_parameters(rule_parameters):
     """
     return rule_parameters
 
+
 # This generate an evaluation for config
 def build_evaluation(
     resource_id,
@@ -96,12 +95,28 @@ def build_evaluation(
     eval_cc["ComplianceResourceType"] = resource_type
     eval_cc["ComplianceResourceId"] = resource_id
     eval_cc["ComplianceType"] = compliance_type
-    eval_cc["OrderingTimestamp"] = str(
-        json.loads(event["invokingEvent"])["notificationCreationTime"]
-    )
+    eval_cc["OrderingTimestamp"] = str(json.loads(event["invokingEvent"])["notificationCreationTime"])
     return eval_cc
 
 
+def account_has_federated_users(iam_client) -> bool:
+    response = iam_client.list_open_id_connect_providers()
+    if not response:
+        raise Exception("Request to list OIDC providers returned an invalid response")
+    providers = response.get("OpenIDConnectProviderList", [])
+    if providers:
+        return True
+
+    response = iam_client.list_saml_providers()
+    if not response:
+        raise Exception("Request to list SAML providers returned an invalid response")
+    providers = response.get("SAMLProviderList", [])
+    if providers:
+        return True
+
+    return False
+
+
 def lambda_handler(event, context):
     """This function is the main entry point for Lambda.
     Keyword arguments:
@@ -138,22 +153,17 @@ def lambda_handler(event, context):
     else:
         AUDIT_ACCOUNT_ID = ""
 
-    AWS_CONFIG_CLIENT = get_client("config", event)
-
-    # is this a scheduled invokation?
-    if is_scheduled_notification(invoking_event["messageType"]):
-        # yes, proceed
-        # Update AWS Config with the evaluation result
-        evaluations = [
-            build_evaluation(
-                AWS_ACCOUNT_ID,
-                "COMPLIANT",
-                event,
-                DEFAULT_RESOURCE_TYPE,
-                "Dependent on the compliance of Federated IdP"
-            )
-        ]
-        AWS_CONFIG_CLIENT.put_evaluations(
-            Evaluations=evaluations,
-            ResultToken=event["resultToken"]
-        )
+    if not is_scheduled_notification(invoking_event["messageType"]):
+        return
+
+    aws_config_client = get_client("config", event)
+    aws_iam_client = get_client("iam", event)
+
+    annotation = (
+        "Dependent on the compliance of the Federated IdP."
+        if account_has_federated_users(aws_iam_client)
+        else "No federated IdP found."
+    )
+
+    evaluations = [build_evaluation(AWS_ACCOUNT_ID, "COMPLIANT", event, DEFAULT_RESOURCE_TYPE, annotation)]
+    aws_config_client.put_evaluations(Evaluations=evaluations, ResultToken=event["resultToken"])
diff --git a/src/lambda/gc01_check_mfa_digital_policy/app.py b/src/lambda/gc01_check_mfa_digital_policy/app.py
@@ -1,6 +1,7 @@
 """ GC01 - Check Federated Users MFA
     https://canada-ca.github.io/cloud-guardrails/EN/01_Protect-Root-Account.html
 """
+
 import json
 import logging
 
@@ -43,10 +44,7 @@ def get_assume_role_credentials(role_arn):
     """
     sts_client = boto3.client("sts")
     try:
-        assume_role_response = sts_client.assume_role(
-            RoleArn=role_arn,
-            RoleSessionName="configLambdaExecution"
-        )
+        assume_role_response = sts_client.assume_role(RoleArn=role_arn, RoleSessionName="configLambdaExecution")
         return assume_role_response["Credentials"]
     except botocore.exceptions.ClientError as ex:
         # Scrub error message for any internal account info leaks
@@ -73,6 +71,7 @@ def evaluate_parameters(rule_parameters):
     """
     return rule_parameters
 
+
 # This generate an evaluation for config
 def build_evaluation(
     resource_id,
@@ -96,12 +95,28 @@ def build_evaluation(
     eval_cc["ComplianceResourceType"] = resource_type
     eval_cc["ComplianceResourceId"] = resource_id
     eval_cc["ComplianceType"] = compliance_type
-    eval_cc["OrderingTimestamp"] = str(
-        json.loads(event["invokingEvent"])["notificationCreationTime"]
-    )
+    eval_cc["OrderingTimestamp"] = str(json.loads(event["invokingEvent"])["notificationCreationTime"])
     return eval_cc
 
 
+def account_has_federated_users(iam_client) -> bool:
+    response = iam_client.list_open_id_connect_providers()
+    if not response:
+        raise Exception("Request to list OIDC providers returned an invalid response")
+    providers = response.get("OpenIDConnectProviderList", [])
+    if providers:
+        return True
+
+    response = iam_client.list_saml_providers()
+    if not response:
+        raise Exception("Request to list SAML providers returned an invalid response")
+    providers = response.get("SAMLProviderList", [])
+    if providers:
+        return True
+
+    return False
+
+
 def lambda_handler(event, context):
     """This function is the main entry point for Lambda.
     Keyword arguments:
@@ -110,7 +125,6 @@ def lambda_handler(event, context):
     """
     logger.debug("Received event: %s", event)
 
-    global AWS_CONFIG_CLIENT
     global AWS_ACCOUNT_ID
     global EXECUTION_ROLE_NAME
     global AUDIT_ACCOUNT_ID
@@ -138,22 +152,17 @@ def lambda_handler(event, context):
     else:
         AUDIT_ACCOUNT_ID = ""
 
-    AWS_CONFIG_CLIENT = get_client("config", event)
-
-    # is this a scheduled invokation?
-    if is_scheduled_notification(invoking_event["messageType"]):
-        # yes, proceed
-        # Update AWS Config with the evaluation result
-        evaluations = [
-            build_evaluation(
-                AWS_ACCOUNT_ID,
-                "COMPLIANT",
-                event,
-                DEFAULT_RESOURCE_TYPE,
-                "Dependent on the compliance of Federated IdP"
-            )
-        ]
-        AWS_CONFIG_CLIENT.put_evaluations(
-            Evaluations=evaluations,
-            ResultToken=event["resultToken"]
-        )
+    if not is_scheduled_notification(invoking_event["messageType"]):
+        return
+
+    aws_config_client = get_client("config", event)
+    aws_iam_client = get_client("iam", event)
+
+    annotation = (
+        "Dependent on the compliance of the Federated IdP."
+        if account_has_federated_users(aws_iam_client)
+        else "No federated IdP found."
+    )
+
+    evaluations = [build_evaluation(AWS_ACCOUNT_ID, "COMPLIANT", event, DEFAULT_RESOURCE_TYPE, annotation)]
+    aws_config_client.put_evaluations(Evaluations=evaluations, ResultToken=event["resultToken"])
diff --git a/src/lambda/gc03_check_endpoint_access_config/app.py b/src/lambda/gc03_check_endpoint_access_config/app.py
@@ -94,8 +94,22 @@ def build_evaluation(resource_id, compliance_type, event, resource_type=DEFAULT_
     return eval_cc
 
 
-def account_has_federated_entra_id_users() -> bool:
-    return True
+def account_has_federated_users(iam_client) -> bool:
+    response = iam_client.list_open_id_connect_providers()
+    if not response:
+        raise Exception("Request to list OIDC providers returned an invalid response")
+    providers = response.get("OpenIDConnectProviderList", [])
+    if providers:
+        return True
+
+    response = iam_client.list_saml_providers()
+    if not response:
+        raise Exception("Request to list SAML providers returned an invalid response")
+    providers = response.get("SAMLProviderList", [])
+    if providers:
+        return True
+
+    return False
 
 
 def lambda_handler(event, context):
@@ -126,9 +140,10 @@ def lambda_handler(event, context):
     # parse parameters
     AWS_ACCOUNT_ID = event["accountId"]
     AWS_CONFIG_CLIENT = get_client("config", event)
+    aws_iam_client = get_client("iam", event)
 
     annotation = "Configuration for devices and policies are implemented."
-    if account_has_federated_entra_id_users():
+    if account_has_federated_users(aws_iam_client):
         annotation = f"{annotation} Dependent on the compliance of the Federated IdP."
     evaluations.append(build_evaluation(AWS_ACCOUNT_ID, "COMPLIANT", event, DEFAULT_RESOURCE_TYPE, annotation))
     logger.info(annotation)
diff --git a/src/lambda/gc03_check_trusted_devices_admin_access/app.py b/src/lambda/gc03_check_trusted_devices_admin_access/app.py
@@ -251,8 +251,22 @@ def ip_is_within_ranges(ip_addr: str, ip_cidr_ranges: list[str]) -> bool:
     return False
 
 
-def account_has_federated_entra_id_users() -> bool:
-    return True
+def account_has_federated_users(iam_client) -> bool:
+    response = iam_client.list_open_id_connect_providers()
+    if not response:
+        raise Exception("Request to list OIDC providers returned an invalid response")
+    providers = response.get("OpenIDConnectProviderList", [])
+    if providers:
+        return True
+
+    response = iam_client.list_saml_providers()
+    if not response:
+        raise Exception("Request to list SAML providers returned an invalid response")
+    providers = response.get("SAMLProviderList", [])
+    if providers:
+        return True
+
+    return False
 
 
 def lambda_handler(event, context):
@@ -292,10 +306,13 @@ def lambda_handler(event, context):
     AWS_S3_CLIENT = boto3.client("s3")
     AWS_CLOUDTRAIL_CLIENT = get_client("cloudtrail", event)
     AWS_ORGANIZATIONS_CLIENT = get_client("organizations", event)
+    aws_iam_client = get_client("iam", event)
 
     if AWS_ACCOUNT_ID != get_organizations_mgmt_account_id():
         # We're not in the Management Account
-        logger.info("Cloud Trail events not checked in account %s as this is not the Management Account", AWS_ACCOUNT_ID)
+        logger.info(
+            "Cloud Trail events not checked in account %s as this is not the Management Account", AWS_ACCOUNT_ID
+        )
         return
 
     file_param_name = "s3ObjectPath"
@@ -328,18 +345,18 @@ def lambda_handler(event, context):
         ct_event = json.loads(lookup_event.get("CloudTrailEvent", "{}"))
 
         if not ip_is_within_ranges(ct_event["sourceIPAddress"], vpn_ip_ranges):
-            annotation = f"Cloud Trail Event '{ct_event.get("EventId", "")}' has a source IP address OUTSIDE of the allowed ranges."
+            annotation = f"Cloud Trail Event '{ct_event.get("eventID", "")}' has a source IP address OUTSIDE of the allowed ranges."
         else:
             num_compliant_rules = num_compliant_rules + 1
-            annotation = f"Cloud Trail Event '{ct_event.get("EventId", "")}' has a source IP address inside of the allowed ranges."
-            if account_has_federated_entra_id_users():
+            annotation = f"Cloud Trail Event '{ct_event.get("eventID", "")}' has a source IP address inside of the allowed ranges."
+            if account_has_federated_users(aws_iam_client):
                 annotation = f"{annotation} Dependent on the compliance of the Federated IdP."
         logger.info(annotation)
 
     if len(cloud_trail_events) == num_compliant_rules:
-        annotation = "All Cloud Trail Events are within the allowed source IP address ranges or are dependant on the federated identity provider."
-        if account_has_federated_entra_id_users():
-            annotation = f"{annotation} Dependent on the compliance of the Federated IdP."
+        annotation = "All Cloud Trail Events are within the allowed source IP address ranges."
+        if account_has_federated_users(aws_iam_client):
+            annotation = f"All Cloud Trail Events are within the allowed source IP address ranges or are dependant on the federated identity provider."
         evaluations.append(build_evaluation(AWS_ACCOUNT_ID, "COMPLIANT", event, DEFAULT_RESOURCE_TYPE, annotation))
     else:
         annotation = "NOT all Cloud Trail Events are within the allowed source IP address ranges."
