How to use list_firewall_rule_group_associations method in localstack


Amazon_Route53_Resolver_Auditor.py

Source: Amazon_Route53_Resolver_Auditor.py (GitHub)


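# … continuation of the preceding check: its decorator, def line and the
# enclosing `for vpcs in describe_vpcs(...)` loop are above this listing.
        vpcId = str(vpcs["VpcId"])
        # NOTE(review): missing ":" between the account id and "vpc/" — this ARN
        # (and every finding Id derived from it) is malformed.
        vpcArn = f"arn:{awsPartition}:ec2:{awsRegion}:{awsAccountId}vpc/{vpcId}"
        # Check for Firewall Associations filtered by VPC ID.
        # If any empty list is returned there is not any
        r = route53resolver.list_firewall_rule_group_associations(VpcId=vpcId)
        # this is a failing check due to empty list comprehension
        if not r["FirewallRuleGroupAssociations"]:
            finding = {
                "SchemaVersion": "2018-10-08",
                "Id": vpcArn + "/route53resolver-dnsfw-associated-check",
                "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default",
                "GeneratorId": vpcArn,
                "AwsAccountId": awsAccountId,
                "Types": ["Software and Configuration Checks/AWS Security Best Practices"],
                "FirstObservedAt": iso8601Time,
                "CreatedAt": iso8601Time,
                "UpdatedAt": iso8601Time,
                "Severity": {"Label": "MEDIUM"},
                "Confidence": 99,
                "Title": "[Route53Resolver.2] VPCs should have Route 53 Resolver DNS Firewalls associated",
                "Description": f"VPC {vpcId} does not have a Route 53 Resolve DNS Firewall associated with it. With Route 53 Resolver DNS Firewall, you can filter and regulate outbound DNS traffic for your virtual private cloud (VPC). To do this, you create reusable collections of filtering rules in DNS Firewall rule groups, associate the rule groups to your VPC, and then monitor activity in DNS Firewall logs and metrics. Based on the activity, you can adjust the behavior of DNS Firewall accordingly. Refer to the remediation instructions if this configuration is not intended.",
                "Remediation": {
                    "Recommendation": {
                        "Text": "For more information on setting up DNS Firewall refer to the Getting started with Route 53 Resolver DNS Firewall section of the Amazon Route 53 Developer Guide",
                        "Url": "https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall-getting-started.html",
                    }
                },
                "ProductFields": {"Product Name": "ElectricEye"},
                "Resources": [
                    {
                        "Type": "AwsEc2Vpc",
                        "Id": vpcArn,
                        "Partition": awsPartition,
                        "Region": awsRegion,
                        "Details": {
                            "AwsEc2Vpc": {
                                "State": "available"
                            }
                        }
                    }
                ],
                "Compliance": {
                    "Status": "FAILED",
                    "RelatedRequirements": [
                        "NIST CSF DE.AE-2",
                        "NIST SP 800-53 AU-6",
                        "NIST SP 800-53 CA-7",
                        "NIST SP 800-53 IR-4",
                        "NIST SP 800-53 SI-4",
                        "AICPA TSC CC7.2",
                        "ISO 27001:2013 A.12.4.1",
                        "ISO 27001:2013 A.16.1.1",
                        "ISO 27001:2013 A.16.1.4"
                    ]
                },
                "Workflow": {"Status": "NEW"},
                "RecordState": "ACTIVE",
            }
            yield finding
        else:
            finding = {
                "SchemaVersion": "2018-10-08",
                "Id": vpcArn + "/route53resolver-dnsfw-associated-check",
                "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default",
                "GeneratorId": vpcArn,
                "AwsAccountId": awsAccountId,
                "Types": ["Software and Configuration Checks/AWS Security Best Practices"],
                "FirstObservedAt": iso8601Time,
                "CreatedAt": iso8601Time,
                "UpdatedAt": iso8601Time,
                "Severity": {"Label": "INFORMATIONAL"},
                "Confidence": 99,
                "Title": "[Route53Resolver.2] VPCs should have Route 53 Resolver DNS Firewalls associated",
                # NOTE(review): this is the passing branch, but the Description below
                # still says "does not have" — copied from the failing text above.
                "Description": f"VPC {vpcId} does not have a Route 53 Resolve DNS Firewall associated with it. With Route 53 Resolver DNS Firewall, you can filter and regulate outbound DNS traffic for your virtual private cloud (VPC). To do this, you create reusable collections of filtering rules in DNS Firewall rule groups, associate the rule groups to your VPC, and then monitor activity in DNS Firewall logs and metrics. Based on the activity, you can adjust the behavior of DNS Firewall accordingly. Refer to the remediation instructions if this configuration is not intended.",
                "Remediation": {
                    "Recommendation": {
                        "Text": "For more information on setting up DNS Firewall refer to the Getting started with Route 53 Resolver DNS Firewall section of the Amazon Route 53 Developer Guide",
                        "Url": "https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall-getting-started.html",
                    }
                },
                "ProductFields": {"Product Name": "ElectricEye"},
                "Resources": [
                    {
                        "Type": "AwsEc2Vpc",
                        "Id": vpcArn,
                        "Partition": awsPartition,
                        "Region": awsRegion,
                        "Details": {
                            "AwsEc2Vpc": {
                                "State": "available"
                            }
                        }
                    }
                ],
                "Compliance": {
                    "Status": "PASSED",
                    "RelatedRequirements": [
                        "NIST CSF DE.AE-2",
                        "NIST SP 800-53 AU-6",
                        "NIST SP 800-53 CA-7",
                        "NIST SP 800-53 IR-4",
                        "NIST SP 800-53 SI-4",
                        "AICPA TSC CC7.2",
                        "ISO 27001:2013 A.12.4.1",
                        "ISO 27001:2013 A.16.1.1",
                        "ISO 27001:2013 A.16.1.4"
                    ]
                },
                "Workflow": {"Status": "RESOLVED"},
                "RecordState": "ARCHIVED"
            }
            yield finding


def _dnssec_validation_finding(
    vpcId: str,
    vpcArn: str,
    awsAccountId: str,
    awsRegion: str,
    awsPartition: str,
    iso8601Time: str,
    *,
    enabled: bool,
) -> dict:
    """Build the [Route53Resolver.3] Security Hub finding for one VPC.

    The passing and failing findings share every field except severity,
    description, compliance status, workflow status and record state, so
    both are produced here instead of in two duplicated literals.

    Args:
        vpcId: VPC identifier as returned by ``describe_vpcs``.
        vpcArn: ARN of the VPC; used as ``GeneratorId``, as the resource
            ``Id`` and as the prefix of the finding ``Id``.
        awsAccountId: account being audited.
        awsRegion: region being audited.
        awsPartition: partition of the account (``aws``, ``aws-cn``, …).
        iso8601Time: timestamp written to FirstObservedAt/CreatedAt/UpdatedAt.
        enabled: True when the VPC has a resolver DNSSEC config whose
            ``ValidationStatus`` is ``ENABLED``.

    Returns:
        A finding dict in the ASFF ``2018-10-08`` schema.
    """
    if enabled:
        severity = "INFORMATIONAL"
        description = f"VPC {vpcId} has DNS Security (DNSSEC) validation enabled."
        compliance, record_state = "PASSED", "ARCHIVED"
        # Security Hub's Workflow.Status accepts only NEW, NOTIFIED, RESOLVED or
        # SUPPRESSED; the previous "PASSED" here was not a valid value, and the
        # sibling DNS Firewall check above already uses RESOLVED for its pass.
        workflow = "RESOLVED"
    else:
        severity = "LOW"
        description = f"VPC {vpcId} does not have DNS Security (DNSSEC) validation enabled. When you enable DNSSEC validation for a virtual private cloud (VPC) in Amazon Route 53, DNSSEC signatures are cryptographically checked to ensure that the response was not tampered with. Refer to the remediation instructions if you want to consider enabling this."
        compliance, record_state = "FAILED", "ACTIVE"
        workflow = "NEW"
    return {
        "SchemaVersion": "2018-10-08",
        "Id": vpcArn + "/route53resolver-dnssec-validation-check",
        "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default",
        "GeneratorId": vpcArn,
        "AwsAccountId": awsAccountId,
        "Types": ["Software and Configuration Checks/AWS Security Best Practices"],
        "FirstObservedAt": iso8601Time,
        "CreatedAt": iso8601Time,
        "UpdatedAt": iso8601Time,
        "Severity": {"Label": severity},
        "Confidence": 99,
        "Title": "[Route53Resolver.3] Consider enabling DNSSEC validation in your VPC for Route 53 Public Zones",
        "Description": description,
        "Remediation": {
            "Recommendation": {
                "Text": "For more information on setting up DNSSEC validation refer to the Enabling DNSSEC validation in Amazon Route 53 section of the Amazon Route 53 Developer Guide",
                "Url": "https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dnssec-validation.html",
            }
        },
        "ProductFields": {"Product Name": "ElectricEye"},
        "Resources": [
            {
                "Type": "AwsEc2Vpc",
                "Id": vpcArn,
                "Partition": awsPartition,
                "Region": awsRegion,
                "Details": {
                    "AwsEc2Vpc": {
                        "State": "available"
                    }
                }
            }
        ],
        "Compliance": {
            "Status": compliance,
            "RelatedRequirements": [
                "NIST CSF PR.DS-2",
                "NIST SP 800-53 SC-8",
                "NIST SP 800-53 SC-11",
                "NIST SP 800-53 SC-12",
                "AICPA TSC CC6.1",
                "ISO 27001:2013 A.8.2.3",
                "ISO 27001:2013 A.13.1.1",
                "ISO 27001:2013 A.13.2.1",
                "ISO 27001:2013 A.13.2.3",
                "ISO 27001:2013 A.14.1.2",
                "ISO 27001:2013 A.14.1.3"
            ]
        },
        "Workflow": {"Status": workflow},
        "RecordState": record_state,
    }


@registry.register_check("route53resolver")
def vpc_route53_resolver_dnssec_validation_check(cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str) -> dict:
    """[Route53Resolver.3] Consider enabling DNSSEC validation in your VPC for Route 53 Public Zones

    Generator: yields one ASFF finding per VPC returned by ``describe_vpcs``
    — FAILED (LOW) when no resolver DNSSEC config with ``ValidationStatus``
    ``ENABLED`` names the VPC, PASSED (INFORMATIONAL) otherwise.

    Args:
        cache: per-run cache handed through to ``describe_vpcs``.
        awsAccountId: account being audited.
        awsRegion: region being audited.
        awsPartition: partition of the account.
    """
    # ISO Time (timezone-aware UTC; same "+00:00" suffix as the utcnow/replace form)
    iso8601Time = datetime.datetime.now(datetime.timezone.utc).isoformat()
    # The API cannot filter on validation status, so collect the ResourceIds
    # (VPC ids) of every ENABLED config first. Walk all pages: a bare
    # list_resolver_dnssec_configs() call returns only the first page, so
    # VPCs beyond it would be reported as not validating even when they are.
    dnssecVpcs = set()
    paginator = route53resolver.get_paginator("list_resolver_dnssec_configs")
    for page in paginator.paginate():
        for r in page["ResolverDnssecConfigs"]:
            if r["ValidationStatus"] == "ENABLED":
                dnssecVpcs.add(r["ResourceId"])
    # Loop the VPCs in Cache
    for vpcs in describe_vpcs(cache=cache)["Vpcs"]:
        vpcId = str(vpcs["VpcId"])
        # The account id and the "vpc/…" resource part must be ":"-separated;
        # the neighbouring checks in this file omit that colon. Finding Ids are
        # derived from this ARN, so findings imported under the old malformed
        # Id are not updated in place by this corrected one.
        vpcArn = f"arn:{awsPartition}:ec2:{awsRegion}:{awsAccountId}:vpc/{vpcId}"
        yield _dnssec_validation_finding(
            vpcId,
            vpcArn,
            awsAccountId,
            awsRegion,
            awsPartition,
            iso8601Time,
            enabled=vpcId in dnssecVpcs,
        )


@registry.register_check("route53resolver")
def vpc_route53_resolver_firewall_fail_open_check(cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str) -> dict:
    """[Route53Resolver.4] VPCs with Route 53 Resolver DNS Firewalls associated should be configured to Fail Open"""
    # ISO Time
    iso8601Time = datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat()
    # Loop the VPCs in Cache
    for vpcs in describe_vpcs(cache=cache)["Vpcs"]:
        vpcId = str(vpcs["VpcId"])
        # NOTE(review): missing ":" between the account id and "vpc/" — this ARN
        # (and every finding Id derived from it) is malformed.
        vpcArn = f"arn:{awsPartition}:ec2:{awsRegion}:{awsAccountId}vpc/{vpcId}"
        # Check for Firewall Associations filtered by VPC ID.
        # If any empty list is returned there is not any
        r = route53resolver.list_firewall_rule_group_associations(VpcId=vpcId)
        # We will not generate failing findings on FAIL OPEN for VPCs without
        # a DNSFW as it is redundant to the "no firewall" finding
        if not r["FirewallRuleGroupAssociations"]:
            continue
        else:
            config = route53resolver.get_firewall_config(ResourceId=vpcId)["FirewallConfig"]
            # This is a failing check, no Fail Open
            if config["FirewallFailOpen"] == "DISABLED":
                finding = {
                    "SchemaVersion": "2018-10-08",
                    "Id": vpcArn + "/route53resolver-dnsfw-failopen-check",
                    "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default",
                    "GeneratorId": vpcArn,
                    "AwsAccountId": awsAccountId,
                    # … listing truncated here; the rest of this check is not on the page.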


__init__.pyi

Source: __init__.pyi (GitHub)


1"""2Main interface for route53resolver service.3Usage::4 ```python5 import boto36 from mypy_boto3_route53resolver import (7 Client,8 ListFirewallConfigsPaginator,9 ListFirewallDomainListsPaginator,10 ListFirewallDomainsPaginator,11 ListFirewallRuleGroupAssociationsPaginator,12 ListFirewallRuleGroupsPaginator,13 ListFirewallRulesPaginator,14 ListResolverConfigsPaginator,15 ListResolverDnssecConfigsPaginator,16 ListResolverEndpointIpAddressesPaginator,17 ListResolverEndpointsPaginator,18 ListResolverQueryLogConfigAssociationsPaginator,19 ListResolverQueryLogConfigsPaginator,20 ListResolverRuleAssociationsPaginator,21 ListResolverRulesPaginator,22 ListTagsForResourcePaginator,23 Route53ResolverClient,24 )25 session = boto3.Session()26 client: Route53ResolverClient = boto3.client("route53resolver")27 session_client: Route53ResolverClient = session.client("route53resolver")28 list_firewall_configs_paginator: ListFirewallConfigsPaginator = client.get_paginator("list_firewall_configs")29 list_firewall_domain_lists_paginator: ListFirewallDomainListsPaginator = client.get_paginator("list_firewall_domain_lists")30 list_firewall_domains_paginator: ListFirewallDomainsPaginator = client.get_paginator("list_firewall_domains")31 list_firewall_rule_group_associations_paginator: ListFirewallRuleGroupAssociationsPaginator = client.get_paginator("list_firewall_rule_group_associations")32 list_firewall_rule_groups_paginator: ListFirewallRuleGroupsPaginator = client.get_paginator("list_firewall_rule_groups")33 list_firewall_rules_paginator: ListFirewallRulesPaginator = client.get_paginator("list_firewall_rules")34 list_resolver_configs_paginator: ListResolverConfigsPaginator = client.get_paginator("list_resolver_configs")35 list_resolver_dnssec_configs_paginator: ListResolverDnssecConfigsPaginator = client.get_paginator("list_resolver_dnssec_configs")36 list_resolver_endpoint_ip_addresses_paginator: ListResolverEndpointIpAddressesPaginator = 
client.get_paginator("list_resolver_endpoint_ip_addresses")37 list_resolver_endpoints_paginator: ListResolverEndpointsPaginator = client.get_paginator("list_resolver_endpoints")38 list_resolver_query_log_config_associations_paginator: ListResolverQueryLogConfigAssociationsPaginator = client.get_paginator("list_resolver_query_log_config_associations")39 list_resolver_query_log_configs_paginator: ListResolverQueryLogConfigsPaginator = client.get_paginator("list_resolver_query_log_configs")40 list_resolver_rule_associations_paginator: ListResolverRuleAssociationsPaginator = client.get_paginator("list_resolver_rule_associations")41 list_resolver_rules_paginator: ListResolverRulesPaginator = client.get_paginator("list_resolver_rules")42 list_tags_for_resource_paginator: ListTagsForResourcePaginator = client.get_paginator("list_tags_for_resource")43 ```44"""45from .client import Route53ResolverClient46from .paginator import (47 ListFirewallConfigsPaginator,48 ListFirewallDomainListsPaginator,49 ListFirewallDomainsPaginator,50 ListFirewallRuleGroupAssociationsPaginator,51 ListFirewallRuleGroupsPaginator,52 ListFirewallRulesPaginator,53 ListResolverConfigsPaginator,54 ListResolverDnssecConfigsPaginator,55 ListResolverEndpointIpAddressesPaginator,56 ListResolverEndpointsPaginator,57 ListResolverQueryLogConfigAssociationsPaginator,58 ListResolverQueryLogConfigsPaginator,59 ListResolverRuleAssociationsPaginator,60 ListResolverRulesPaginator,61 ListTagsForResourcePaginator,62)63Client = Route53ResolverClient64__all__ = (65 "Client",66 "ListFirewallConfigsPaginator",67 "ListFirewallDomainListsPaginator",68 "ListFirewallDomainsPaginator",69 "ListFirewallRuleGroupAssociationsPaginator",70 "ListFirewallRuleGroupsPaginator",71 "ListFirewallRulesPaginator",72 "ListResolverConfigsPaginator",73 "ListResolverDnssecConfigsPaginator",74 "ListResolverEndpointIpAddressesPaginator",75 "ListResolverEndpointsPaginator",76 "ListResolverQueryLogConfigAssociationsPaginator",77 
"ListResolverQueryLogConfigsPaginator",78 "ListResolverRuleAssociationsPaginator",79 "ListResolverRulesPaginator",80 "ListTagsForResourcePaginator",81 "Route53ResolverClient",...

