{ | |
"DoNotify": "false", | |
"PassPercent": "70", | |
"1": { | |
"Title": "Create a group with administrative permission.", | |
"Points": "10", | |
"Interval": "30", | |
"Max": "30", | |
"Assessments": { | |
"API": "AWS", | |
"Service": "IAM", | |
"Method": "step_one_check", | |
"Code": [ | |
"def step_one_check(handles,points)\n", | |
" iam = handles[0]\n", | |
" ret_hash = { :done => false, :score => 0 }\n", | |
" resp = iam.list_groups\n", | |
" groups = resp.groups\n", | |
" if groups!=[]\n", | |
" groups.each do |group|\n", | |
" group_name = group.group_name\n", | |
" resp1 = iam.list_attached_group_policies({group_name: group_name})\n", | |
" attached_policies = resp1.attached_policies\n", | |
" if attached_policies!=[]\n", | |
" attached_policies.each do |policy|\n", | |
" policy_name = policy.policy_name\n", | |
" if (policy_name.include? 'SystemAdministrator') || (policy_name.include? 'AdministratorAccess')\n", | |
" ret_hash = { :done => true, :score => points, :message => 'User group is created with administrative permission'}\n", | |
" else\n", | |
" ret_hash[:message] = \"Attached permissions is not Administrative permission\"\n", | |
" end\n", | |
" break if ret_hash[:done]\n", | |
" end\n", | |
" else\n", | |
" ret_hash[:message] = \"Administrative permission is not given to User group\"\n", | |
" end\n", | |
" end\n", | |
" else\n", | |
" ret_hash[:message] = \"User group is not created\"\n", | |
" end\n", | |
" return ret_hash\n", | |
"end"] | |
} | |
}, | |
"2": { | |
"Title": "Create IAM role with appropriate permissions.", | |
"Points": "20", | |
"Interval": "30", | |
"Max": "30", | |
"Assessments": { | |
"API": "AWS", | |
"Service": "IAM", | |
"Method": "step_two_check", | |
"Code": [ | |
"def step_two_check(handles,points)\n", | |
" iam = handles[0]\n", | |
" getScore = 0\n", | |
" putScore = 0\n", | |
" listScore = 0\n", | |
" ret_hash = { :done => false, :score => 0 }\n", | |
" resp = iam.list_roles\n", | |
" roles = resp.roles\n", | |
" if roles!=[]\n", | |
" roles.each do |role|\n", | |
" if role.assume_role_policy_document.include? 'ec2.amazonaws.com'\n", | |
" msg3 = 'Created an Amazon EC2 AWS Service role '\n", | |
" resp1 = iam.list_role_policies({role_name: role.role_name})\n", | |
" policies = resp1.policy_names\n", | |
" if policies!= []\n", | |
" policies.each do |policy|\n", | |
" permissions = iam.get_role_policy({role_name: role.role_name, policy_name: policy}).policy_document\n", | |
" if permissions.include? 's3'\n", | |
" if permissions.include? 'Get'\n", | |
" getScore = 5\n", | |
" end\n", | |
" if permissions.include? 'Put'\n", | |
" putScore = 5\n", | |
" end\n", | |
" if permissions.include? 'List'\n", | |
" listScore = 5\n", | |
" end\n", | |
" else\n", | |
" ret_hash[:message] = \"S3 permissions not found\"\n", | |
" end\n", | |
" break if ret_hash[:done]\n", | |
" end\n", | |
" else\n", | |
" ret_hash[:message] = \"Policies are not attached\"\n", | |
" end\n", | |
" points = getScore + putScore + listScore +5\n", | |
" if points == 20\n", | |
" ret_hash = { :done => true, :score => points, :message => 'Role created with all required permissions'}\n", | |
" end\n", | |
" if points > 0 and points < 20\n", | |
" ret_hash = { :done => true, :score => points, :message => 'Role created but some permissions are missing'}\n", | |
" end\n", | |
" else\n", | |
" ret_hash[:message] = \"Role is not Amazon ec2 service role\"\n", | |
" end\n", | |
" break if ret_hash[:done]\n", | |
" end\n", | |
" else\n", | |
" ret_hash[:message] = \"Amazon ec2 service role is not created\"\n", | |
" end\n", | |
" return ret_hash\n", | |
" end"] | |
} | |
}, | |
"3": { | |
"Title": "Require Virtual MFA for administrator users.", | |
"Points": "10", | |
"Interval": "30", | |
"Max": "30", | |
"Assessments": { | |
"API": "AWS", | |
"Service": "IAM", | |
"Method": "step_three_check", | |
"Code": [ | |
"def step_three_check(handles,points)\n", | |
" iam = handles[0]\n", | |
" count = 0\n", | |
" arn = \"\"\n", | |
" ret_hash = { :done => false, :score => 0 }\n", | |
" resp = iam.list_users.users\n", | |
" if resp.count > 1\n", | |
" resp = iam.list_virtual_mfa_devices\n", | |
" virtual_mfa_devices = resp.virtual_mfa_devices\n", | |
" virtual_mfa_devices.each do |device|\n", | |
" arn = device.user.arn\n", | |
" if !arn.include? 'awsstudent'\n", | |
" count = count +1\n", | |
" end\n", | |
" end\n", | |
" if count == 1\n", | |
" ret_hash = { :done => true, :score => 5, :message => 'Enabled Virtual MFA device for first administrator users'}\n", | |
" elsif count == 2\n", | |
" ret_hash = { :done => true, :score => points, :message => 'Enabled virtual MFA device for both administrator user'}\n", | |
" else\n", | |
" ret_hash = { :done => true, :score => 0, :message => 'Virtual MFA device is not Enabled for administrator user'}\n", | |
" end\n", | |
" else\n", | |
" ret_hash[:message] = \"Administrator Users are not created yet\"\n", | |
" end\n", | |
" return ret_hash\n", | |
"end"] | |
} | |
}, | |
"4": { | |
"Title": "Log all API calls.", | |
"Points": "10", | |
"Interval": "30", | |
"Max": "30", | |
"Assessments": { | |
"API": "AWS", | |
"Service": "CloudTrail", | |
"Method": "step_four_check", | |
"Code": [ | |
"def step_four_check(handles,points)\n", | |
" cloud_trail = handles[0]\n", | |
" ret_hash = { :done => false, :score => 0 }\n", | |
" resp = cloud_trail.describe_trails\n", | |
" trail_list = resp.trail_list\n", | |
" trail_list.each do |list|\n", | |
" trail_name = list.name\n", | |
" if !trail_name.include? 'qltrail-lab-'\n", | |
" ret_hash = { :done => true, :score => points, :message => 'Successfully Created CloudTrail to log all API calls'}\n", | |
" else\n", | |
" ret_hash[:message] = \"CloudTrail not created yet\"\n", | |
" end\n", | |
" break if ret_hash[:done]\n", | |
" end\n", | |
" return ret_hash\n", | |
"end"] | |
} | |
}, | |
"5": { | |
"Title": "Create load balancers for web tier and app tier.", | |
"Points": "20", | |
"Interval": "30", | |
"Max": "30", | |
"Assessments": { | |
"API": "AWS", | |
"Service": "ElasticLoadBalancing", | |
"Method": "step_five_check", | |
"Code": [ | |
"def step_five_check(handles,points)\n", | |
" elb = handles[0]\n", | |
" resp = elb.describe_load_balancers.load_balancer_descriptions\n", | |
" if resp!=[]\n", | |
" appTireScore = 0\n", | |
" webTireScore = 0\n", | |
" internalScheme = 0\n", | |
" externalScheme = 0\n", | |
" total=0\n", | |
" resp.each do |load|\n", | |
" if load.load_balancer_name.downcase == 'web-elb'\n", | |
" webTireScore = 5\n", | |
" if load.scheme == 'internet-facing'\n", | |
" externalScheme = 5\n", | |
" end\n", | |
" end\n", | |
" if load.load_balancer_name.downcase == 'app-elb'\n", | |
" appTireScore = 5\n", | |
" if load.scheme == 'internal'\n", | |
" internalScheme = 5\n", | |
" end\n", | |
" end\n", | |
" end\n", | |
" total = appTireScore + webTireScore + internalScheme + externalScheme\n", | |
" if appTireScore == 5 && webTireScore == 5\n", | |
" if internalScheme == 5 && externalScheme == 5\n", | |
" ret_hash = { :done => true, :score => total, :message => 'ELB Created for both web and app tiers'}\n", | |
" elsif internalScheme == 5 && externalScheme == 0\n", | |
" ret_hash = { :done => true, :score => total, :message => 'Created 2 elb but scheme of web-elb is wrong'}\n", | |
" elsif internalScheme == 0 && externalScheme == 5\n", | |
" ret_hash = { :done => true, :score => total, :message => 'Created 2 elb but scheme of app-elb is wrong'}\n", | |
" else\n", | |
" ret_hash = { :done => true, :score => total, :message => 'app-elb and web-elb is created but scheme of both elb is wrong'}\n", | |
" end\n", | |
" elsif appTireScore == 5 && webTireScore == 0\n", | |
" if internalScheme == 5\n", | |
" ret_hash = { :done => true, :score => total, :message => 'app-elb is created with correct scheme, but failed to create web-elb'}\n", | |
" else\n", | |
" ret_hash = { :done => true, :score => total, :message => 'app-elb is created but scheme of app-elb is wrong and also failed to create web-elb'}\n", | |
" end\n", | |
" elsif appTireScore == 0 && webTireScore == 5\n", | |
" if externalScheme == 5\n", | |
" ret_hash = { :done => true, :score => total, :message => 'web-elb is created with correct scheme, but failed to create app-elb'}\n", | |
" else\n", | |
" ret_hash = { :done => true, :score => total, :message => 'web-elb is created but scheme of web-elb is wrong and also failed to create app-elb'}\n", | |
" end\n", | |
" else\n", | |
" ret_hash = { :done => true, :score => 0, :message => 'No valid ELB found'}\n", | |
" end\n", | |
" else\n", | |
" ret_hash = { :done => true, :score => 0, :message => 'Load balancer not created yet'}\n", | |
" end\n", | |
" return ret_hash\n", | |
"end"] | |
} | |
}, | |
"6": { | |
"Title": "Computing capacity for web and application tiers are auto scalable.", | |
"Points": "30", | |
"Interval": "30", | |
"Max": "30", | |
"Assessments": { | |
"API": "AWS", | |
"Service": ["AutoScaling"], | |
"Method": "step_six_check", | |
"Code": [ | |
"def step_six_check(handles,points)\n", | |
" auto_scaling = handles[0]\n", | |
" auto_scaling_groups = auto_scaling.describe_auto_scaling_groups.auto_scaling_groups\n", | |
" if auto_scaling_groups != []\n", | |
" isAppAutoDone = false\n", | |
" isWebAutoDone = false\n", | |
" webAutoScale = 0\n", | |
" webElb = 0\n", | |
" webMinScore = 0\n", | |
" webMaxScore = 0\n", | |
" appAutoScale = 0\n", | |
" appElb = 0\n", | |
" appMinScore = 0\n", | |
" appMaxScore = 0\n", | |
" total= 0\n", | |
" ret_hash = { :done => false, :score => 0 }\n", | |
" auto_scaling_groups.each do |group|\n", | |
" if group.auto_scaling_group_name.downcase == 'webtier'\n", | |
" isWebAutoDone = true\n", | |
" webAutoScale = 5\n", | |
" elbArray=group.load_balancer_names\n", | |
" if elbArray != []\n", | |
" elbArray.each do |elbName|\n", | |
" if elbName.downcase == 'web-elb'\n", | |
" webElb = 5\n", | |
" end\n", | |
" end\n", | |
" end\n", | |
" if group.min_size == 2\n", | |
" webMinScore = 3\n", | |
" end\n", | |
" if group.max_size >= 4\n", | |
" webMaxScore = 2\n", | |
" end\n", | |
" end\n", | |
" if group.auto_scaling_group_name.downcase == 'apptier'\n", | |
" isAppAutoDone = true\n", | |
" appAutoScale = 5\n", | |
" elbArray=group.load_balancer_names\n", | |
" elbArray.each do |elbName|\n", | |
" if elbName.downcase == 'app-elb'\n", | |
" appElb = 5\n", | |
" end\n", | |
" end\n", | |
" if group.min_size == 2\n", | |
" appMinScore = 3\n", | |
" end\n", | |
" if group.max_size >= 4\n", | |
" appMaxScore = 2\n", | |
" end\n", | |
" end\n", | |
" break if (isAppAutoDone && isWebAutoDone)\n", | |
" end\n", | |
" total= webAutoScale + webElb + webMinScore + webMaxScore + appAutoScale + appElb + appMinScore + appMaxScore\n", | |
" if total == 30\n", | |
" ret_hash = { :done => true, :score => total, :message => 'Both Auto scalling groups are created and configured successfuly'}\n", | |
" elsif total < 30 && total > 0\n", | |
" ret_hash = { :done => true, :score => total, :message => 'Auto scalling group is created, but not configured correctly'}\n", | |
" else\n", | |
" ret_hash = { :done => true, :score => total, :message => 'No valid Auto scalling group is created'}\n", | |
" end\n", | |
" else\n", | |
" ret_hash = { :done => true, :score => total, :message => 'No valid Auto scalling group is created'}\n", | |
" end\n", | |
" return ret_hash\n", | |
"end"] | |
} | |
} | |
} |
After adding "Resources" and "Properties" I am getting a different error:
"Template format error: [/Resources/1] Every Resources object must contain a Type member"
{ "Resources": { "1": { "Properties": { "Title": "Create a group with administrative permission.", "Points": "10", "Interval": "30", "Max": "30", "Assessments": { "API": "AWS", "Service": "IAM", "Method": "step_one_check", "Code": [ "def step_one_check(handles,points)\n", " iam = handles[0]\n", " ret_hash = { :done => false, :score => 0 }\n", " resp = iam.list_groups\n", " groups = resp.groups\n", " if groups!=[]\n", " groups.each do |group|\n", " group_name = group.group_name\n", " resp1 = iam.list_attached_group_policies({group_name: group_name})\n", " attached_policies = resp1.attached_policies\n", " if attached_policies!=[]\n", " attached_policies.each do |policy|\n", " policy_name = policy.policy_name\n", " if (policy_name.include? 'SystemAdministrator') || (policy_name.include? 'AdministratorAccess')\n", " ret_hash = { :done => true, :score => points, :message => 'User group is created with administrative permission'}\n", " else\n", " ret_hash[:message] = \"Attached permissions is not Administrative permission\"\n", " end\n", " break if ret_hash[:done]\n", " end\n", " else\n", " ret_hash[:message] = \"Administrative permission is not given to User group\"\n", " end\n", " end\n", " else\n", " ret_hash[:message] = \"User group is not created\"\n", " end\n", " return ret_hash\n", "end"] } } },
I would like to know what the prerequisites for running this script are,
because I cannot see any VPC, public subnets or private subnets in it.
If possible, could you please share the CloudFormer template for the above script?
Sorry Sir
I don't know JavaScript. I have tried to upload this script as-is to AWS, but I am getting an error:
"Template validation error: Invalid template property or properties [1, 2, 3, DoNotify, 4, PassPercent, 5, 6]"
Do I have to remove the quotation marks?
Could you please let me know which quotation marks need to be removed?