#!/usr/bin/env python3
import getpass
import json

import boto3
import urllib3
from boto3 import Session
from botocore.exceptions import ClientError
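# Load the tool's settings once at import time. Every helper below reads from
# this module-level dict (keys used in this file: "c1wsApiKey", "dsmHost",
# "awsDisplayName", "awsAccountId", "useInstanceRole", "workspacesEnabled",
# "crossAccountRoleArn"). The file is only read, so open it read-only and let
# the context manager close it even if the JSON is malformed.
with open("config.json", "r", encoding="utf-8") as f:
    configObj = json.load(f)

# Headers sent on every Workload Security API call. "api-secret-key" is the
# API secret taken from config.json: do not log or print this dict.
headers = {
    "Content-Type": "application/json",
    "api-secret-key": configObj["c1wsApiKey"],
    "api-version": "v1"
}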
def buildRequestBody():
    """Assemble the base AWS connector payload from config.json.

    Each field falls back to a neutral default ("" or False) when its config
    key is absent. Both "displayName" and "accountAlias" are populated from
    the same "awsDisplayName" key. The credential / role fields are added
    afterwards by main() and getAwsAccessSecretKeys().
    """
    # (payload field, config.json key, default used when the key is missing)
    field_sources = (
        ("displayName", "awsDisplayName", ""),
        ("accountId", "awsAccountId", ""),
        ("accountAlias", "awsDisplayName", ""),
        ("useInstanceRole", "useInstanceRole", False),
        ("workspacesEnabled", "workspacesEnabled", False),
    )
    return {
        field: configObj.get(confKey, default)
        for field, confKey, default in field_sources
    }
def selectConnectorOptions():
    """Prompt for the AWS connection method and return the raw choice string.

    No validation happens here; main() interprets "1", "2" and "3" as
    instance role, cross-account role and access/secret keys respectively and
    rejects anything else.
    """
    menu = "\n\t1. Use an Instance Role\n\t2. Use a Cross-Account Role\n\t3. Use Access and Secret Keys"
    print(menu)
    return input("\nChoose an option to connect your AWS Account - ")
def checkConfKeyExists(configKey):
    """Return True when *configKey* is present in the loaded config.json."""
    # Membership on the dict itself is the idiomatic form of `in d.keys()`.
    return configKey in configObj
def getConfigValue(configKey):
    """Return the raw value stored under *configKey* in config.json.

    Raises KeyError when the key is absent; callers are expected to check
    with checkConfKeyExists() first.
    """
    value = configObj[configKey]
    return value
def createIAMUser():
    """Create the dedicated IAM user and read-only policy for the connector.

    Performs three IAM calls in order: create_user for
    "CloudOneWorkloadSecurityConnectorUser", create_policy with a fixed list
    of EC2/WorkSpaces Describe actions on Resource "*", then
    attach_user_policy. Returns the user name on success, or False after
    printing the error when any call raises ClientError.

    The sequence is not atomic: if create_policy or attach_user_policy fails,
    the user (and possibly the policy) already exists, so a re-run will most
    likely fail again at create_user because the fixed name is taken.
    """
    connector_tags = [
        {'Key': 'Owner', 'Value': 'TrendMicro'},
        {'Key': 'Product', 'Value': 'CloudOneWorkloadSecurity'},
        {"Key": "Name", "Value": "CloudOneWorkloadSecurityConnectorUser"},
    ]
    # Least-privilege document: only Describe* actions, no write permissions.
    policy_document = '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["ec2:DescribeInstances","ec2:DescribeImages","ec2:DescribeRegions","ec2:DescribeVpcs","ec2:DescribeSubnets","ec2:DescribeTags","workspaces:DescribeWorkspaces","workspaces:DescribeWorkspaceDirectories","workspaces:DescribeWorkspaceBundles"],"Resource":"*"}]}'
    try:
        iam = boto3.client('iam')
        userResponse = iam.create_user(
            Path='/',
            UserName='CloudOneWorkloadSecurityConnectorUser',
            Tags=connector_tags,
        )
        policyResponse = iam.create_policy(
            PolicyName='CloudOneWorkloadSecurityConnectorPolicy',
            Path='/',
            PolicyDocument=policy_document,
            Description='Policy for the AWS Connector for Trend Micro Cloud One Workload Security'
        )
        username = userResponse["User"]["UserName"]
        iam.attach_user_policy(
            UserName=username,
            PolicyArn=policyResponse["Policy"]["Arn"],
        )
        return username
    except ClientError as err:
        print("\n\nError: " + str(err))
        print("\n\nExiting..\n\n")
        return False
def createAccessKeyForIAMUser(username):
    """Issue a new IAM access key pair for *username*.

    Returns (access_key_id, secret_access_key). Unlike createIAMUser(), a
    ClientError here is not caught and propagates to the caller. The secret
    is only held in memory and handed to the connector payload; this script
    does not write it anywhere.
    """
    response = boto3.client('iam').create_access_key(UserName=username)
    keyPair = response["AccessKey"]
    return keyPair["AccessKeyId"], keyPair["SecretAccessKey"]
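def getAwsAccessSecretKeys(data):
    """Attach AWS access/secret keys to the connector payload *data*.

    Offers three sources: (1) a freshly created IAM user and key pair,
    (2) the credentials boto3 resolves from the local environment/profile,
    (3) keys typed at the prompt. On success the keys are stored in *data*
    in place under "accessKey"/"secretKey" and *data* is returned; on any
    failure or invalid choice "" is returned (callers treat it as falsy).

    Option (2) hands whatever the local chain provides (possibly a person's
    long-lived keys) to Workload Security; the dedicated least-privilege user
    from option (1) is the safer choice. The secret key is never echoed or
    printed here.
    """
    accessKey = ""
    secretKey = ""
    print("\n\t1. Create a new AWS User Access Key and Secret credentials\n\t2. Use an existing credentials from the local workspace\n\t3. Manually enter an Access and Secret Key")
    option = input("\nChoose an option to get credentials for your AWS Account - ")
    if option == "1":
        username = createIAMUser()
        if username:
            accessKey, secretKey = createAccessKeyForIAMUser(username)
    elif option == "2":
        print("\n\tChecking for aws credentials/config file in the current user directory, if it exists...")
        credentials = Session().get_credentials()
        if credentials is None:
            # boto3 returns None when no credentials are found in any of its
            # usual sources; previously this crashed with AttributeError on
            # the next line instead of reporting it.
            print("\n\nError: No local AWS credentials were found.")
        else:
            # Credentials may be refreshable, so reading access_key and
            # secret_key separately can race; a frozen snapshot is a matched
            # pair.
            frozen = credentials.get_frozen_credentials()
            accessKey = frozen.access_key
            secretKey = frozen.secret_key
            if frozen.token:
                # Temporary (STS) credentials: the connector payload carries
                # only the key pair, so these will stop working on expiry.
                print("\n\tWarning: the local credentials are temporary (a session token is present) and will expire; the connector payload cannot carry the token.")
            if accessKey and secretKey:
                print("\nLocal credentials accepted.")
    elif option == "3":
        accessKey = input("\n\tAWS Access Key : ")
        # getpass keeps the secret off the terminal and out of scrollback.
        secretKey = getpass.getpass("\n\tAWS Secret Key : ")
    else:
        print("\n\nError: Invalid choice input")
    if accessKey and secretKey:
        data.update({"accessKey": accessKey, "secretKey": secretKey})
        return data
    return ""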
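def postAwsConnector(data):
    """POST the connector payload *data* to the Workload Security API.

    Sends to configObj["dsmHost"] + "/api/awsconnectors" with the
    module-level *headers* (which carry the API secret key). HTTP 200 is
    reported as success; any other status prints the status and decoded
    response body. urllib3 exceptions (connection, TLS, timeout) are not
    caught and propagate to the caller.
    """
    # The request carries the API secret and, for option 3, AWS credentials,
    # so be explicit that the server certificate must verify. dsmHost is
    # expected to be an https:// URL; with plain http:// the secret header
    # would travel in the clear.
    http = urllib3.PoolManager(cert_reqs="CERT_REQUIRED")
    url = configObj["dsmHost"] + "/api/awsconnectors"
    r = http.request("POST", url, headers=headers, body=json.dumps(data))
    if r.status == 200:
        print("\n\nSuccess: AWS Connector created.")
        print("\n\nExiting..\n\n")
    else:
        # Decode the body instead of printing the bytes repr (b'...').
        print("\n\nError: HTTP " + str(r.status))
        print(r.data.decode("utf-8", errors="replace"))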
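def _applyConnectorOption(option, data):
    """Fold the chosen connection method into the payload *data*.

    Returns the (possibly updated) payload, or None when the choice cannot be
    satisfied from config.json / user input. Option "3" delegates to
    getAwsAccessSecretKeys(), which returns "" on failure; that falsy value is
    passed straight through for main() to reject.
    """
    if option == "1":
        if not checkConfKeyExists("useInstanceRole"):
            print("\nNo 'useInstanceRole' flag mentioned in config.json")
            return None
        if getConfigValue("useInstanceRole"):
            return data
        confirmation = input("\nuseInstanceRole flag is set to false in config.json. Do you want to enable 'useInstanceRole'? [Y/n] - ")
        # Only an explicit "y" enables the role; Enter or any other input
        # aborts, even though the prompt shows "Y" as the default.
        if confirmation.lower() != "y":
            return None
        data.update({"useInstanceRole": True})
        return data
    if option == "2":
        if not checkConfKeyExists("crossAccountRoleArn"):
            print("\nNo Cross-Account Access Role ARN mentioned in config.json")
            return None
        data.update({"crossAccountRoleArn": getConfigValue("crossAccountRoleArn")})
        return data
    if option == "3":
        return getAwsAccessSecretKeys(data)
    print("\n\nInvalid choice. Try again.")
    print("\n\nExiting..\n\n")
    # Previously the payload survived an invalid choice and was still posted
    # with no credential method set; drop it so main() reports the error.
    return None


def main():
    """Interactive entry point: build, confirm and post the AWS connector.

    Reads config.json (already loaded at import), asks for the connection
    method, optionally enables WorkSpaces, and posts the result. Any missing
    or rejected input ends the run with an error message instead of a POST.
    """
    print("\n\nCloud One Workload Security - AWS Connector Configurator tool\n==================================================================")
    data = buildRequestBody()
    option = selectConnectorOptions()
    data = _applyConnectorOption(option, data)
    if not data:
        print("\n\nError: Missing or incorrect data parameters used for the tool.")
        print("\n\nExiting..\n\n")
        return
    if not data["workspacesEnabled"]:
        confirmation = input("\nAre you sure to proceed without connecting your AWS Workspaces to this connector? [Y/n] - ")
        # Answering "n" to "proceed without WorkSpaces?" means: do connect them.
        if confirmation.lower() == "n":
            data["workspacesEnabled"] = True
        else:
            print("\nSkipping AWS Workspaces...")
    postAwsConnector(data)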
if __name__ == "__main__":
    # Run the interactive configurator only when executed as a script, not on import.
    main()