awsenergylabelerlib

=================== awsenergylabelerlib

Project energy labeling accounts and landing zone based on findings of Security Hub in AWS cloud.

• Documentation: https://awsenergylabelerlib.readthedocs.org/en/latest

Development Workflow

The workflow supports the following steps

• lint
• test
• build
• document
• upload
• graph

These actions are supported out of the box by the corresponding scripts under _CI/scripts directory with sane defaults based on best practices. Sourcing setup_aliases.ps1 for windows powershell or setup_aliases.sh in bash on Mac or Linux will provide with handy aliases for the shell of all those commands prepended with an underscore.

The bootstrap script creates a .venv directory inside the project directory hosting the virtual environment. It uses pipenv for that. It is called by all other scripts before they do anything. So one could simple start by calling _lint and that would set up everything before it tried to actually lint the project

Once the code is ready to be delivered the _tag script should be called accepting one of three arguments, patch, minor, major following the semantic versioning scheme. So for the initial delivery one would call

$ _tag --minor

which would bump the version of the project to 0.1.0 tag it in git and do a push and also ask for the change and automagically update HISTORY.rst with the version and the change provided.

So the full workflow after git is initialized is:

• repeat as necessary (of course it could be test - code - lint :) )

  • code
  • lint
  • test

• commit and push

• develop more through the code-lint-test cycle

• tag (with the appropriate argument)

• build

• upload (if you want to host your package in pypi)

• document (of course this could be run at any point)

Important Information

This template is based on pipenv. In order to be compatible with requirements.txt so the actual created package can be used by any part of the existing python ecosystem some hacks were needed. So when building a package out of this do not simple call

$ python setup.py sdist bdist_egg

as this will produce an unusable artifact with files missing. Instead use the provided build and upload scripts that create all the necessary files in the artifact.

Project Features

• TODO

History

0.0.1 (09-11-2021)

• First code creation

0.1.0 (09-11-2021)

• Initial pypi release.

0.1.1 (09-11-2021)

• Exposed main object to the root of the package.

0.2.0 (26-11-2021)

• Fixed labaling algorithms, added retries to finding retrieval and implemented proper exception handling.

0.2.1 (02-12-2021)

• Updated number of days open to 999 days
• Account data now includes details on number of findings per severity

0.2.2 (06-12-2021)

• Improved error handling
• Allow/deny specific regions

0.2.3 (06-12-2021)

• Added requests dependency

0.2.4 (10-12-2021)

• A finding exposes now more fields: resources, record_state, description, remediation

0.2.5 (10-12-2021)

• Compliance fields added to a Security Hub Finding

0.3.0 (14-12-2021)

• Changed the structure of the measurement data

0.4.0 (28-01-2022)

• Introduced single account mode which opportunistically gets findings from SecurityHub

0.4.1 (01-02-2022)

• Edited the filter to only include FAILED findings so NOT_AVAILABLE aren't counted as findings anymore

0.4.2 (02-03-2022)

• Suppressed findings are no longer counted into the calculation.
• Framework validation works as expected now.

0.4.3 (04-03-2022)

• Filtered out Archived findings.

0.4.4 (04-03-2022)

• Filtered out archived findings.

0.4.5 (04-03-2022)

• No duplicates anymore, unique findings only.

1.0.0 (14-03-2022)

• Complete redesign of the api and many optimisations of retrieving findings and calculating labels.

1.0.1 (14-03-2022)

• Cached some calculations to prevent duplications and standardized on default labels with properly retrieved values.

1.1.0 (17-03-2022)

• Implemented client side finding filtering.

1.1.1 (19-05-2022)

• Fix to strip leading slash in S3 destination path

1.1.2 (23-08-2022)

• Fix bug related to exporting resources data

1.2.0 (09-09-2022)

• Removed pandas dependency in favor of native python functionality.

1.2.1 (26-09-2022)

• Fixed timestamp bug
• Fixed bug where accounts without findings got an F

1.2.2 (26-09-2022)

• Fixed timestamp bug
• Fixed bug where accounts without findings got an F

2.0.0 (25-10-2022)

• Removed "CIS" from default frameworks, fixed a bug with required region for security hub service.

2.0.1 (25-10-2022)

• Set appropriate logging level for unsuccessful retrieval of account alias.

2.0.2 (02-11-2022)

• Fixes parsing for dates for inspector findings by implementing auto datetime parsing.

3.0.0 (02-11-2022)

• Implements the concept of a Zone to not require full Organizations access rights.

3.1.0 (16-11-2022)

• Implemented support for metadata, seperated critical and high findings in the report and implemented support for CIS 1.4 findings.

3.2.0 (06-03-2023)

• Bump dependencies.

3.2.1 (10-03-2023)

• Updated dependencies

3.2.2 (11-04-2023)

• Convert Dataclasses to Frozen for compatibility with latest python.

3.2.3 (13-04-2023)

• Changed from dataclass to normal.

3.2.4 (24-04-2023)

• Writing to S3 now does not attempt to write to a temporary file first, accomodating read-only filesystems when only writing to S3.

4.0.0 (06-06-2023)

• Implement support for finding consolidation.

5.0.0 (01-12-2023)

• Remove alias functionality since it was not working properly.

5.0.1 (01-12-2023)

• Fix upload mechanism and bump dependency versions.