From 5768221e8d54a4ca4c9c8b026dfabcfa37bfd2f7 Mon Sep 17 00:00:00 2001
From: amichaiy
Date: Mon, 26 Jul 2021 17:12:21 +0300
Subject: [PATCH 1/2] Added bot ssm_document_set_private.py
---
 bots/ssm_document_set_private.py | 38 ++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 bots/ssm_document_set_private.py
diff --git a/bots/ssm_document_set_private.py b/bots/ssm_document_set_private.py
new file mode 100644
index 0000000..51f5358
--- /dev/null
+++ b/bots/ssm_document_set_private.py
@@ -0,0 +1,38 @@
+"""
+## ssm_document_set_private
+What it does: removes all aws account that can access the file except of the one that pass as a param.
+Note that the account ID's should be separated by column.
+Usage: ssm_document_set_private AccountIdToAdd=,
+Example: ssm_document_set_private
+Limitations: None
+"""
+
+from botocore.exceptions import ClientError
+
+
+PARAM_NAME = "AccountIdToAdd"
+
+
+def run_action(boto_session, rule, entity, params):
+ client = boto_session.client('ssm')
+ document_name = entity['name']
+
+ # check if there is any accountId to add..
+ # If there is no account id then return empty list.
+ account_to_add = params[PARAM_NAME].split(',') if PARAM_NAME in params.keys() else []
+
+ text_output = ''
+ try:
+ response = client.modify_document_permission(
+ Name=document_name,
+ PermissionType='Share',
+ AccountIdsToAdd=account_to_add, # add the account that passes as a param.
+ AccountIdsToRemove=['All'] # removes all account id (sets the document to private).
+ )
+
+ text_output = f'Removed all account id access except from: {account_to_add}' \
+ if response['ResponseMetadata']['HTTPStatusCode'] == 200 else 'Unexpected error'
+ except ClientError as error:
+ text_output = f'Unexpected error: {error}'
+
+ return text_output
From 40d021f6c59b508f9c87f733e5d3089e30f81630 Mon Sep 17 00:00:00 2001
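Review bot: The `account_to_add =` line forwards the parameter unvalidated, so an empty `AccountIdToAdd` value becomes `['']` (because `''.split(',')` is `['']`) and a value such as `111, 222` yields a space-padded `' 222'`, both of which reach `modify_document_permission` as malformed account IDs; `raw = params.get(PARAM_NAME, '')` followed by `account_to_add = [acct.strip() for acct in raw.split(',') if acct.strip()]` drops empty entries and surrounding whitespace. Separately, if `'All'` in `AccountIdsToRemove` denotes only the public share, as the AWS documentation for ModifyDocumentPermission describes it, account IDs that were shared individually keep their access while the success message claims all other access was removed. Enumerating the current share list with describe_document_permission and passing those IDs (minus the ones to keep) in `AccountIdsToRemove` would make the outcome match the message, and would require `ssm:DescribeDocumentPermission` next to the permission that template.yml adds. In the module docstring, 'separated by column' should read 'separated by comma', and the Usage and Example lines appear to have lost their example values.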
From: amichaiy
Date: Mon, 26 Jul 2021 17:23:12 +0300
Subject: [PATCH 2/2] Added permissions to template.yml and documentation to Bots.md
---
 bots/Bots.md | 8 ++++++++
 template.yml | 1 +
 2 files changed, 9 insertions(+)
diff --git a/bots/Bots.md b/bots/Bots.md
index 7bdd0eb..fc07575 100644
--- a/bots/Bots.md
+++ b/bots/Bots.md
@@ -41,6 +41,7 @@
 - [lambda\_enable\_active\_tracing](#lambda_enable_active_tracing)
 - [mark\_for\_stop\_ec2\_resource](#mark_for_stop_ec2_resource)
 - [rds\_quarantine\_instance](#rds_quarantine_instance)
+ [ssm\_document\_set\_private](#ssm_document_set_private)
 - [s3\_allow\_ssl\_only](#s3_allow_ssl_only)
 - [s3\_block\_all\_public\_access](#s3_block_all_public_access)
 - [s3\_delete\_acls](#s3_delete_acls)
@@ -466,6 +467,13 @@ Limitations: Instance needs to be "Available" in order to update. If it's in "backing up" state, this will fail (Might not work with Aurora since it's in a cluster)
+## ssm\_document\_set\_private
+What it does: removes all aws account that can access the file except of the one that pass as a param.
+Note that the account ID's should be separated by column.
+Usage: ssm_document_set_private AccountIdToAdd=,
+Example: ssm_document_set_private
+Limitations: None
+
 ##s3\_allow\_ssl\_only
 What it does: force s3 bucket to accept only ssl requests
 Usage: AUTO: s3_enforce_ssl_data_encryption
diff --git a/template.yml b/template.yml
index fec66a2..6c99408 100644
--- a/template.yml
+++ b/template.yml
@@ -165,6 +165,7 @@ Resources:
 - logs:PutMetricFilter # For cloudwatch_create_metric_filter
 - logs:CreateLogGroup # For cloudtrail_send_to_cloudwatch
 - rds:ModifyDBInstance # For rds_quarantine_instance
+ - ssm:ModifyDocumentPermission # For ssm_document_set_private
 - s3:CreateBucket # For create_cloudtrail
 - s3:DeleteBucket # For s3_delete_bucket
 - s3:DeleteBucketPolicy # For s3_delete_permissions