reflex_aws_cloudfront_viewier_tls_protocol.py
""" Module for CloudfrontViewerTlsProtocol """
import json
import os
import boto3
from reflex_core import AWSRule, subscription_confirmation
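class CloudfrontViewerTlsProtocol(AWSRule):
    """
    A reflex rule to detect that Cloudfront distribution viewer certificates meet a minimum TLS version.

    The rule reads ``minimumProtocolVersion`` from the viewer certificate of the
    distribution carried in the CloudTrail event and reports the distribution as
    non-compliant when that value is not in ``viewer_protocol_versions_allowed``.

    NOTE(review): compliance is an exact-match allow-list. Any security-policy
    name that is not listed below (including newer, stricter policies AWS may
    introduce) is reported as non-compliant, so the list must be kept current.
    TLS 1.1 is deprecated (RFC 8996); consider dropping "TLSv1.1_2016" from the
    allowed set if the organisation's baseline is TLS 1.2.
    """

    # Every viewer security policy this rule knows about.
    viewer_protocol_versions = [
        "TLSv1.2_2018",
        "TLSv1.1_2016",
        "TLSv1_2016",
        "TLSv1",
    ]
    # Policies that satisfy the rule (TLS 1.1 is deprecated; see class docstring).
    viewer_protocol_versions_allowed = [
        "TLSv1.2_2018",
        "TLSv1.1_2016",
    ]
    # Policies that fail the rule (TLS 1.0 minimum).
    viewer_protocol_versions_not_allowed = [
        "TLSv1_2016",
        "TLSv1",
    ]

    def __init__(self, event: dict) -> None:
        super().__init__(event)

    def extract_event_data(self, event: dict) -> None:
        """
        Extract the distribution id and the viewer-certificate minimum protocol
        version from the CloudTrail event.

        Args:
            event: CloudTrail event whose ``detail.responseElements.distribution``
                describes the created/updated distribution.

        Raises:
            KeyError: if a required element is missing; ``TypeError`` if a parent
                element is null (e.g. ``responseElements`` on a failed API call).
        """
        distribution = event["detail"]["responseElements"]["distribution"]
        self.distribution_id = distribution["id"]
        self.protocol_version = distribution["distributionConfig"]["viewerCertificate"][
            "minimumProtocolVersion"
        ]

    def resource_compliant(self) -> bool:
        """
        Determine if the resource is compliant with your rule.
        Return True if it is compliant, and False if it is not.
        """
        # Exact string match against the allow-list; unknown policy names fail.
        return self.protocol_version in self.viewer_protocol_versions_allowed

    def get_remediation_message(self) -> str:
        """ Returns a message about the remediation action that occurred """
        protocols = ", ".join(self.viewer_protocol_versions_allowed)
        # "the the" typo in the original message fixed.
        return f"Cloudfront distribution {self.distribution_id} viewer certificate protocol version of {self.protocol_version} does not meet the minimum requirements. Allowed values are {protocols}."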
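def lambda_handler(event, _):
    """
    Handles the incoming SQS event.

    Every record in the batch is processed: SNS subscription confirmations are
    acknowledged, every other message body is parsed as JSON and evaluated by
    CloudfrontViewerTlsProtocol. (The previous version looked only at
    ``Records[0]`` and silently dropped the rest of a batch larger than one.)

    Args:
        event: Lambda SQS event, ``{"Records": [{"body": "<json>"}, ...]}``.
        _: Lambda context (unused).

    Raises:
        KeyError: if the event has no ``Records`` or a record has no ``body``.
    """
    # NOTE(review): this prints the full raw event, including message bodies;
    # confirm nothing sensitive is expected there before keeping this verbosity.
    print(event)
    # NOTE(review): an exception on a later record makes SQS redeliver the whole
    # batch, so earlier records are evaluated again on retry.
    for record in event["Records"]:
        event_payload = json.loads(record["body"])
        if subscription_confirmation.is_subscription_confirmation(event_payload):
            subscription_confirmation.confirm_subscription(event_payload)
            continue
        rule = CloudfrontViewerTlsProtocol(event_payload)
        rule.run_compliance_rule()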