forked from PaloAltoNetworks/Prisma-Enhanced-Remediation
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathPC-AWS-S3-29.py
68 lines (54 loc) · 1.41 KB
/
PC-AWS-S3-29.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
"""
Remediate Prisma Policy:
PC-AWS-S3-29: AWS S3 buckets are accessible to public
Description:
Removes S3 bucket public access at the bucket level.
Required Permissions:
- s3:PutBucketPublicAccessBlock
Sample IAM Policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "S3Permissions",
"Action": [
"s3:PutBucketPublicAccessBlock"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
"""
import boto3
from botocore.exceptions import ClientError
def remediate(session, alert, lambda_context):
"""
Main Function invoked by index_prisma.py
"""
bucket_name = alert['resource_id']
region = alert['region']
account = alert['account']['account_number']
s3 = session.client('s3', region_name=region)
try:
bucket_acl = s3.get_bucket_acl(Bucket=bucket_name)
except ClientError as e:
print(e.response['Error']['Message'])
return
# Remove public access at bucket level
try:
response = s3.put_public_access_block(
Bucket=bucket_name,
PublicAccessBlockConfiguration={
'BlockPublicAcls': True,
'IgnorePublicAcls': True,
'BlockPublicPolicy': True,
'RestrictPublicBuckets': True
},
ExpectedBucketOwner=account
)
except ClientError as e:
print(e.response['Error']['Message'])
else:
print('Public access removed from S3 bucket {}.'.format(bucket_name))
return