Merge pull request #110 from dome9/SR-285-ssm_document_set_private

ssm_document_set_private

bots/Bots.md

@@ -41,6 +41,7 @@
   - [lambda\_enable\_active\_tracing](#lambda_enable_active_tracing)
   - [mark\_for\_stop\_ec2\_resource](#mark_for_stop_ec2_resource)
   - [rds\_quarantine\_instance](#rds_quarantine_instance)
+    [ssm\_document\_set\_private](#ssm_document_set_private)
   - [s3\_allow\_ssl\_only](#s3_allow_ssl_only)
   - [s3\_block\_all\_public\_access](#s3_block_all_public_access)
   - [s3\_delete\_acls](#s3_delete_acls)
@@ -467,6 +468,13 @@ Limitations: Instance needs to be "Available" in order to update. If
 it's in "backing up" state, this will fail  
 (Might not work with Aurora since it's in a cluster)
 
+## ssm\_document\_set\_private
+What it does: removes all aws account that can access the file except of the one that pass as a param.
+Note that the account ID's should be separated by column.
+Usage: ssm_document_set_private AccountIdToAdd=<account_id_1>,<account_id_2>
+Example: ssm_document_set_private
+Limitations: None
+
 ##s3\_allow\_ssl\_only
 What it does: force s3 bucket to accept only ssl requests
 Usage: AUTO: s3_enforce_ssl_data_encryption

bots/ssm_document_set_private.py

@@ -0,0 +1,38 @@
+"""
+## ssm_document_set_private
+What it does: removes all aws account that can access the file except of the one that pass as a param.
+Note that the account ID's should be separated by column.
+Usage: ssm_document_set_private AccountIdToAdd=<account_id_1>,<account_id_2>
+Example: ssm_document_set_private
+Limitations: None
+"""
+
+from botocore.exceptions import ClientError
+
+
+PARAM_NAME = "AccountIdToAdd"
+
+
+def run_action(boto_session, rule, entity, params):
+    client = boto_session.client('ssm')
+    document_name = entity['name']
+
+    # check if there is any accountId to add..
+    # If there is no account id then return empty list.
+    account_to_add = params[PARAM_NAME].split(',') if PARAM_NAME in params.keys() else []
+
+    text_output = ''
+    try:
+        response = client.modify_document_permission(
+            Name=document_name,
+            PermissionType='Share',
+            AccountIdsToAdd=account_to_add,  # add the account that passes as a param.
+            AccountIdsToRemove=['All']  # removes all account id (sets the document to private).
+        )
+
+        text_output = f'Removed all account id access except from: {account_to_add}' \
+            if response['ResponseMetadata']['HTTPStatusCode'] == 200 else 'Unexpected error'
+    except ClientError as error:
+        text_output = f'Unexpected error: {error}'
+
+    return text_output

template.yml

@@ -165,6 +165,7 @@ Resources:
                 - logs:PutMetricFilter # For cloudwatch_create_metric_filter
                 - logs:CreateLogGroup # For cloudtrail_send_to_cloudwatch
                 - rds:ModifyDBInstance # For rds_quarantine_instance
+                - ssm:ModifyDocumentPermission # For ssm_document_set_private
                 - s3:CreateBucket # For create_cloudtrail
                 - s3:DeleteBucket # For s3_delete_bucket
                 - s3:DeleteBucketPolicy # For s3_delete_permissions