Best Python code snippet using localstack_python
Amazon_Route53_Resolver_Auditor.py
Source:Amazon_Route53_Resolver_Auditor.py
...166 vpcId = str(vpcs["VpcId"])167 vpcArn = f"arn:{awsPartition}:ec2:{awsRegion}:{awsAccountId}vpc/{vpcId}"168 # Check for Firewall Associations filtered by VPC ID. 169 # If any empty list is returned there is not any170 r = route53resolver.list_firewall_rule_group_associations(VpcId=vpcId)171 # this is a failing check due to empty list comprehension172 if not r["FirewallRuleGroupAssociations"]:173 finding = {174 "SchemaVersion": "2018-10-08",175 "Id": vpcArn + "/route53resolver-dnsfw-associated-check",176 "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default",177 "GeneratorId": vpcArn,178 "AwsAccountId": awsAccountId,179 "Types": ["Software and Configuration Checks/AWS Security Best Practices"],180 "FirstObservedAt": iso8601Time,181 "CreatedAt": iso8601Time,182 "UpdatedAt": iso8601Time,183 "Severity": {"Label": "MEDIUM"},184 "Confidence": 99,185 "Title": "[Route53Resolver.2] VPCs should have Route 53 Resolver DNS Firewalls associated",186 "Description": f"VPC {vpcId} does not have a Route 53 Resolve DNS Firewall associated with it. With Route 53 Resolver DNS Firewall, you can filter and regulate outbound DNS traffic for your virtual private cloud (VPC). To do this, you create reusable collections of filtering rules in DNS Firewall rule groups, associate the rule groups to your VPC, and then monitor activity in DNS Firewall logs and metrics. Based on the activity, you can adjust the behavior of DNS Firewall accordingly. Refer to the remediation instructions if this configuration is not intended.",187 "Remediation": {188 "Recommendation": {189 "Text": "For more information on setting up DNS Firewall refer to the Getting started with Route 53 Resolver DNS Firewall section of the Amazon Route 53 Developer Guide",190 "Url": "https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall-getting-started.html",191 }192 },193 "ProductFields": {"Product Name": "ElectricEye"},194 "Resources": [195 {196 "Type": "AwsEc2Vpc",197 "Id": vpcArn,198 "Partition": awsPartition,199 "Region": awsRegion,200 "Details": {201 "AwsEc2Vpc": {202 "State": "available"203 }204 }205 }206 ],207 "Compliance": {208 "Status": "FAILED",209 "RelatedRequirements": [210 "NIST CSF DE.AE-2",211 "NIST SP 800-53 AU-6",212 "NIST SP 800-53 CA-7",213 "NIST SP 800-53 IR-4",214 "NIST SP 800-53 SI-4",215 "AICPA TSC CC7.2",216 "ISO 27001:2013 A.12.4.1",217 "ISO 27001:2013 A.16.1.1",218 "ISO 27001:2013 A.16.1.4"219 ]220 },221 "Workflow": {"Status": "NEW"},222 "RecordState": "ACTIVE",223 }224 yield finding225 else:226 finding = {227 "SchemaVersion": "2018-10-08",228 "Id": vpcArn + "/route53resolver-dnsfw-associated-check",229 "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default",230 "GeneratorId": vpcArn,231 "AwsAccountId": awsAccountId,232 "Types": ["Software and Configuration Checks/AWS Security Best Practices"],233 "FirstObservedAt": iso8601Time,234 "CreatedAt": iso8601Time,235 "UpdatedAt": iso8601Time,236 "Severity": {"Label": "INFORMATIONAL"},237 "Confidence": 99,238 "Title": "[Route53Resolver.2] VPCs should have Route 53 Resolver DNS Firewalls associated",239 "Description": f"VPC {vpcId} does not have a Route 53 Resolve DNS Firewall associated with it. With Route 53 Resolver DNS Firewall, you can filter and regulate outbound DNS traffic for your virtual private cloud (VPC). To do this, you create reusable collections of filtering rules in DNS Firewall rule groups, associate the rule groups to your VPC, and then monitor activity in DNS Firewall logs and metrics. Based on the activity, you can adjust the behavior of DNS Firewall accordingly. Refer to the remediation instructions if this configuration is not intended.",240 "Remediation": {241 "Recommendation": {242 "Text": "For more information on setting up DNS Firewall refer to the Getting started with Route 53 Resolver DNS Firewall section of the Amazon Route 53 Developer Guide",243 "Url": "https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall-getting-started.html",244 }245 },246 "ProductFields": {"Product Name": "ElectricEye"},247 "Resources": [248 {249 "Type": "AwsEc2Vpc",250 "Id": vpcArn,251 "Partition": awsPartition,252 "Region": awsRegion,253 "Details": {254 "AwsEc2Vpc": {255 "State": "available"256 }257 }258 }259 ],260 "Compliance": {261 "Status": "PASSED",262 "RelatedRequirements": [263 "NIST CSF DE.AE-2",264 "NIST SP 800-53 AU-6",265 "NIST SP 800-53 CA-7",266 "NIST SP 800-53 IR-4",267 "NIST SP 800-53 SI-4",268 "AICPA TSC CC7.2",269 "ISO 27001:2013 A.12.4.1",270 "ISO 27001:2013 A.16.1.1",271 "ISO 27001:2013 A.16.1.4"272 ]273 },274 "Workflow": {"Status": "RESOLVED"},275 "RecordState": "ARCHIVED"276 }277 yield finding278@registry.register_check("route53resolver")279def vpc_route53_resolver_dnssec_validation_check(cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str) -> dict:280 """[Route53Resolver.3] Consider enabling DNSSEC validation in your VPC for Route 53 Public Zones"""281 # ISO Time282 iso8601Time = datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat()283 # Create a list of VPCs that have DNSSEC Validation enabled, as we cannot filter284 dnssecVpcs = []285 for r in route53resolver.list_resolver_dnssec_configs()["ResolverDnssecConfigs"]:286 if r["ValidationStatus"] == "ENABLED":287 dnssecVpcs.append(r["ResourceId"])288 else:289 continue290 # Loop the VPCs in Cache291 for vpcs in describe_vpcs(cache=cache)["Vpcs"]:292 vpcId = str(vpcs["VpcId"])293 vpcArn = f"arn:{awsPartition}:ec2:{awsRegion}:{awsAccountId}vpc/{vpcId}"294 # This is a failing check as the VPC is not in the list of "dnssecVpcs"295 if vpcId not in dnssecVpcs:296 finding = {297 "SchemaVersion": "2018-10-08",298 "Id": vpcArn + "/route53resolver-dnssec-validation-check",299 "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default",300 "GeneratorId": vpcArn,301 "AwsAccountId": awsAccountId,302 "Types": ["Software and Configuration Checks/AWS Security Best Practices"],303 "FirstObservedAt": iso8601Time,304 "CreatedAt": iso8601Time,305 "UpdatedAt": iso8601Time,306 "Severity": {"Label": "LOW"},307 "Confidence": 99,308 "Title": "[Route53Resolver.3] Consider enabling DNSSEC validation in your VPC for Route 53 Public Zones",309 "Description": f"VPC {vpcId} does not have DNS Security (DNSSEC) validation enabled. When you enable DNSSEC validation for a virtual private cloud (VPC) in Amazon Route 53, DNSSEC signatures are cryptographically checked to ensure that the response was not tampered with. Refer to the remediation instructions if you want to consider enabling this.",310 "Remediation": {311 "Recommendation": {312 "Text": "For more information on setting up DNSSEC validation refer to the Enabling DNSSEC validation in Amazon Route 53 section of the Amazon Route 53 Developer Guide",313 "Url": "https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dnssec-validation.html",314 }315 },316 "ProductFields": {"Product Name": "ElectricEye"},317 "Resources": [318 {319 "Type": "AwsEc2Vpc",320 "Id": vpcArn,321 "Partition": awsPartition,322 "Region": awsRegion,323 "Details": {324 "AwsEc2Vpc": {325 "State": "available"326 }327 }328 }329 ],330 "Compliance": {331 "Status": "FAILED",332 "RelatedRequirements": [333 "NIST CSF PR.DS-2",334 "NIST SP 800-53 SC-8",335 "NIST SP 800-53 SC-11",336 "NIST SP 800-53 SC-12",337 "AICPA TSC CC6.1",338 "ISO 27001:2013 A.8.2.3",339 "ISO 27001:2013 A.13.1.1",340 "ISO 27001:2013 A.13.2.1",341 "ISO 27001:2013 A.13.2.3",342 "ISO 27001:2013 A.14.1.2",343 "ISO 27001:2013 A.14.1.3"344 ]345 },346 "Workflow": {"Status": "NEW"},347 "RecordState": "ACTIVE",348 }349 yield finding350 else:351 finding = {352 "SchemaVersion": "2018-10-08",353 "Id": vpcArn + "/route53resolver-dnssec-validation-check",354 "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default",355 "GeneratorId": vpcArn,356 "AwsAccountId": awsAccountId,357 "Types": ["Software and Configuration Checks/AWS Security Best Practices"],358 "FirstObservedAt": iso8601Time,359 "CreatedAt": iso8601Time,360 "UpdatedAt": iso8601Time,361 "Severity": {"Label": "INFORMATIONAL"},362 "Confidence": 99,363 "Title": "[Route53Resolver.3] Consider enabling DNSSEC validation in your VPC for Route 53 Public Zones",364 "Description": f"VPC {vpcId} has DNS Security (DNSSEC) validation enabled.",365 "Remediation": {366 "Recommendation": {367 "Text": "For more information on setting up DNSSEC validation refer to the Enabling DNSSEC validation in Amazon Route 53 section of the Amazon Route 53 Developer Guide",368 "Url": "https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dnssec-validation.html",369 }370 },371 "ProductFields": {"Product Name": "ElectricEye"},372 "Resources": [373 {374 "Type": "AwsEc2Vpc",375 "Id": vpcArn,376 "Partition": awsPartition,377 "Region": awsRegion,378 "Details": {379 "AwsEc2Vpc": {380 "State": "available"381 }382 }383 }384 ],385 "Compliance": {386 "Status": "PASSED",387 "RelatedRequirements": [388 "NIST CSF PR.DS-2",389 "NIST SP 800-53 SC-8",390 "NIST SP 800-53 SC-11",391 "NIST SP 800-53 SC-12",392 "AICPA TSC CC6.1",393 "ISO 27001:2013 A.8.2.3",394 "ISO 27001:2013 A.13.1.1",395 "ISO 27001:2013 A.13.2.1",396 "ISO 27001:2013 A.13.2.3",397 "ISO 27001:2013 A.14.1.2",398 "ISO 27001:2013 A.14.1.3"399 ]400 },401 "Workflow": {"Status": "PASSED"},402 "RecordState": "ARCHIVED"403 }404 yield finding405@registry.register_check("route53resolver")406def vpc_route53_resolver_firewall_fail_open_check(cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str) -> dict:407 """[Route53Resolver.4] VPCs with Route 53 Resolver DNS Firewalls associated should be configured to Fail Open"""408 # ISO Time409 iso8601Time = datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat()410 # Loop the VPCs in Cache411 for vpcs in describe_vpcs(cache=cache)["Vpcs"]:412 vpcId = str(vpcs["VpcId"])413 vpcArn = f"arn:{awsPartition}:ec2:{awsRegion}:{awsAccountId}vpc/{vpcId}"414 # Check for Firewall Associations filtered by VPC ID. 415 # If any empty list is returned there is not any416 r = route53resolver.list_firewall_rule_group_associations(VpcId=vpcId)417 # We will not generate failing findings on FAIL OPEN for VPCs without 418 # a DNSFW as it is redundant to the "no firewall" finding419 if not r["FirewallRuleGroupAssociations"]:420 continue421 else:422 config = route53resolver.get_firewall_config(ResourceId=vpcId)["FirewallConfig"]423 # This is a failing check, no Fail Open424 if config["FirewallFailOpen"] == "DISABLED":425 finding = {426 "SchemaVersion": "2018-10-08",427 "Id": vpcArn + "/route53resolver-dnsfw-failopen-check",428 "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default",429 "GeneratorId": vpcArn,430 "AwsAccountId": awsAccountId,...
__init__.pyi
Source:__init__.pyi
1"""2Main interface for route53resolver service.3Usage::4 ```python5 import boto36 from mypy_boto3_route53resolver import (7 Client,8 ListFirewallConfigsPaginator,9 ListFirewallDomainListsPaginator,10 ListFirewallDomainsPaginator,11 ListFirewallRuleGroupAssociationsPaginator,12 ListFirewallRuleGroupsPaginator,13 ListFirewallRulesPaginator,14 ListResolverConfigsPaginator,15 ListResolverDnssecConfigsPaginator,16 ListResolverEndpointIpAddressesPaginator,17 ListResolverEndpointsPaginator,18 ListResolverQueryLogConfigAssociationsPaginator,19 ListResolverQueryLogConfigsPaginator,20 ListResolverRuleAssociationsPaginator,21 ListResolverRulesPaginator,22 ListTagsForResourcePaginator,23 Route53ResolverClient,24 )25 session = boto3.Session()26 client: Route53ResolverClient = boto3.client("route53resolver")27 session_client: Route53ResolverClient = session.client("route53resolver")28 list_firewall_configs_paginator: ListFirewallConfigsPaginator = client.get_paginator("list_firewall_configs")29 list_firewall_domain_lists_paginator: ListFirewallDomainListsPaginator = client.get_paginator("list_firewall_domain_lists")30 list_firewall_domains_paginator: ListFirewallDomainsPaginator = client.get_paginator("list_firewall_domains")31 list_firewall_rule_group_associations_paginator: ListFirewallRuleGroupAssociationsPaginator = client.get_paginator("list_firewall_rule_group_associations")32 list_firewall_rule_groups_paginator: ListFirewallRuleGroupsPaginator = client.get_paginator("list_firewall_rule_groups")33 list_firewall_rules_paginator: ListFirewallRulesPaginator = client.get_paginator("list_firewall_rules")34 list_resolver_configs_paginator: ListResolverConfigsPaginator = client.get_paginator("list_resolver_configs")35 list_resolver_dnssec_configs_paginator: ListResolverDnssecConfigsPaginator = client.get_paginator("list_resolver_dnssec_configs")36 list_resolver_endpoint_ip_addresses_paginator: ListResolverEndpointIpAddressesPaginator = client.get_paginator("list_resolver_endpoint_ip_addresses")37 list_resolver_endpoints_paginator: ListResolverEndpointsPaginator = client.get_paginator("list_resolver_endpoints")38 list_resolver_query_log_config_associations_paginator: ListResolverQueryLogConfigAssociationsPaginator = client.get_paginator("list_resolver_query_log_config_associations")39 list_resolver_query_log_configs_paginator: ListResolverQueryLogConfigsPaginator = client.get_paginator("list_resolver_query_log_configs")40 list_resolver_rule_associations_paginator: ListResolverRuleAssociationsPaginator = client.get_paginator("list_resolver_rule_associations")41 list_resolver_rules_paginator: ListResolverRulesPaginator = client.get_paginator("list_resolver_rules")42 list_tags_for_resource_paginator: ListTagsForResourcePaginator = client.get_paginator("list_tags_for_resource")43 ```44"""45from .client import Route53ResolverClient46from .paginator import (47 ListFirewallConfigsPaginator,48 ListFirewallDomainListsPaginator,49 ListFirewallDomainsPaginator,50 ListFirewallRuleGroupAssociationsPaginator,51 ListFirewallRuleGroupsPaginator,52 ListFirewallRulesPaginator,53 ListResolverConfigsPaginator,54 ListResolverDnssecConfigsPaginator,55 ListResolverEndpointIpAddressesPaginator,56 ListResolverEndpointsPaginator,57 ListResolverQueryLogConfigAssociationsPaginator,58 ListResolverQueryLogConfigsPaginator,59 ListResolverRuleAssociationsPaginator,60 ListResolverRulesPaginator,61 ListTagsForResourcePaginator,62)63Client = Route53ResolverClient64__all__ = (65 "Client",66 "ListFirewallConfigsPaginator",67 "ListFirewallDomainListsPaginator",68 "ListFirewallDomainsPaginator",69 "ListFirewallRuleGroupAssociationsPaginator",70 "ListFirewallRuleGroupsPaginator",71 "ListFirewallRulesPaginator",72 "ListResolverConfigsPaginator",73 "ListResolverDnssecConfigsPaginator",74 "ListResolverEndpointIpAddressesPaginator",75 "ListResolverEndpointsPaginator",76 "ListResolverQueryLogConfigAssociationsPaginator",77 "ListResolverQueryLogConfigsPaginator",78 "ListResolverRuleAssociationsPaginator",79 "ListResolverRulesPaginator",80 "ListTagsForResourcePaginator",81 "Route53ResolverClient",...
Learn to execute automation testing from scratch with LambdaTest Learning Hub. Right from setting up the prerequisites to run your first automation test, to following best practices and diving deeper into advanced test scenarios. LambdaTest Learning Hubs compile a list of step-by-step guides to help you be proficient with different test automation frameworks i.e. Selenium, Cypress, TestNG etc.
You could also refer to video tutorials over LambdaTest YouTube channel to get step by step demonstration from industry experts.
Get 100 minutes of automation test minutes FREE!!