Added GenerateConformanceSpreadsheet.ps1 to generate spreadsheet of non-compliant resources
This commit is contained in:
parent
53e290bd48
commit
04492a9b76
1 changed files with 157 additions and 0 deletions
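--- /dev/null
+++ b/GenerateConformanceSpreadsheet.ps1
@@ -0,0 +1,157 @@
+# Used for generating a spreadsheet of non-compliant resources for a given conformance pack
+#
+# Use:
+# Returns a CSV for all the non-compliant resources for the given comformance pack in the context of the logged in user
+# .\GenerateConformanceSpreadsheet.ps1 -conformancePack OrgConformsPack-uk-gov-xxxxxxxx
+
+Param (
+[string]$conformancePack
+)
+
+
+$currentAccountId = (Invoke-Expression "aws sts get-caller-identity" | ConvertFrom-Json).Account
+$accountName = (Invoke-Expression "aws organizations describe-account --account-id $currentAccountId" | ConvertFrom-Json).Account.Name
+
+$UniqueIdTypes = @("AGPA", "AIDA", "AKIA", "ANPA", "AROA", "ASCA")
+$arn = $true
+
+function GetInfoFromUniqueId($target) {
+$uniqueIdType = "$($target.Substring(0,4))"
+
+switch($uniqueIdType){
+# "ABIA" { $command="" }
+# "ACCA" { $command="" }
+"AGPA" { $command="list-groups"
+$types="Groups"
+$type="Group" }
+"AIDA" { $command="list-users"
+$types="Users"
+$type="User" }
+# "AIPA" { $command="" }
+# "AKIA" { $command="" }
+"ANPA" { $command="list-policies"
+$types="Policies"
+$type="Policy" }
+# "ANVA" { $command="" }
+# "APKA" { $command="" }
+"AROA" { $command="list-roles"
+$types="Roles"
+$type="Role" }
+# "ASCA" { $command="list-server-certificates"
+# $types="ServerCertificateMetadataList" }
+# "ASIA" { $command="" }
+default { Write-Output "Invalid 'target' value."; return}
+}
+
+$env:Path = [System.Environment]::GetEnvironmentVariable("Path","Machine")
+$awsCommand = "aws iam $command"
+Invoke-Expression $awsCommand -OutVariable succOut -ErrorVariable errOut 2>&1 >$null
+
+if ($errOut -ne $null) {
+Write-Output "$($errOut[1].ToString())"
+return
+}
+else {
+$returnedObjects = ($succOut | ConvertFrom-Json).$types
+}
+
+$selectedObject = $returnedObjects | Where-Object {$_."$($type)Id" -eq $target}
+
+if ($selectedObject -eq $null) {
+Write-Output "Unique ID '$target' not found"
+return
+}
+
+if ($json) {
+return $selectedObject | ConvertTo-Json
+}
+if ($name) {
+return $selectedObject."$($type)Name"
+}
+if ($arn) {
+return $selectedObject.Arn
+}
+if ($id) {
+return $selectedObject."$($type)Id"
+}
+}
+
+function GenerateCSV($conformancePack) {
+$awsCommand = "aws configservice get-conformance-pack-compliance-details --conformance-pack-name $conformancePack --filters ComplianceType=NON_COMPLIANT"
+$returnedObjects = Invoke-Expression $awsCommand | ConvertFrom-Json
+
+$collection = $returnedObjects
+
+while ($returnedObjects.NextToken -ne $null) {
+$nextTokenCommand = $awsCommand + " --next-token " + $returnedObjects.NextToken
+$returnedObjects = Invoke-Expression $nextTokenCommand | ConvertFrom-Json
+$collection.ConformancePackRuleEvaluationResults += $returnedObjects.ConformancePackRuleEvaluationResults
+}
+
+$NewObject = @()
+
+$discoveredConfigRules = @()
+
+foreach($object in $collection.ConformancePackRuleEvaluationResults) {
+if ($discoveredConfigRules.Contains($object.EvaluationResultIdentifier.EvaluationResultQualifier.ConfigRuleName)) {
+($NewObject | Where-Object {$_.ConfigRuleName -eq $object.EvaluationResultIdentifier.EvaluationResultQualifier.ConfigRuleName}).ResourceDetails += [PSCustomObject]@{
+ResourceNo = ($NewObject | Where-Object {$_.ConfigRuleName -eq $object.EvaluationResultIdentifier.EvaluationResultQualifier.ConfigRuleName}).ResourceDetails.Count + 1
+ResourceId = $object.EvaluationResultIdentifier.EvaluationResultQualifier.ResourceId
+Annotation = $object.Annotation
+ResourceType =$object.EvaluationResultIdentifier.EvaluationResultQualifier.ResourceType
+}
+}
+else {
+$discoveredConfigRules += $object.EvaluationResultIdentifier.EvaluationResultQualifier.ConfigRuleName
+$ResourceDetails = [PSCustomObject]@{
+ResourceNo = 1
+ResourceId = $object.EvaluationResultIdentifier.EvaluationResultQualifier.ResourceId
+Annotation = $object.Annotation
+ResourceType = $object.EvaluationResultIdentifier.EvaluationResultQualifier.ResourceType
+}
+$NewObject += [PSCustomObject]@{
+RuleNo = $discoveredConfigRules.Count
+ConfigRuleName = $object.EvaluationResultIdentifier.EvaluationResultQualifier.ConfigRuleName
+ResourceDetails = @($ResourceDetails)
+Resolution = ""
+}
+}
+}
+
+$csvExportObject = @()
+
+foreach($rule in $NewObject) {
+$csvExportObject += [PSCustomObject]@{
+RuleNo = $rule.RuleNo
+ConfigRuleName = $rule.ConfigRuleName
+ResourceNo = ""
+ResourceId = ""
+ResourceType = ""
+Annotation = ""
+Resolution = ""
+}
+foreach ($resource in $rule.ResourceDetails) {
+if ($UniqueIdTypes.Contains($resource.ResourceId.Substring(0,4))) {
+$TrueResourceId = "$($resource.ResourceId)" + " " + "($(GetInfoFromUniqueId($resource.ResourceId)))"
+}
+else {
+$TrueResourceId = $resource.ResourceId
+}
+$csvExportObject += [PSCustomObject]@{
+RuleNo = ""
+ConfigRuleName = ""
+ResourceNo = $resource.ResourceNo
+ResourceId = $TrueResourceId
+Annotation = $Resource.Annotation
+ResourceType = $Resource.ResourceType
+Resolution = ""
+}
+}
+}
+
+return $csvExportObject
+}
+
+$date = Get-Date -Format "yyyy-MM-dd_HH-mm-ss"
+$csvString = $conformancePack + "_" + $accountName + "-" + $date + ".csv"
+GenerateCSV($conformancePack) | Export-Csv -NoTypeInformation $csvString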
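Review bot: In GenerateCSV the caller-supplied `$conformancePack` is interpolated into a command string that is then evaluated with `Invoke-Expression`, so any PowerShell metacharacters in the argument are parsed as script rather than passed to the CLI as a literal; the same construction is used for the `--next-token` value returned by the API in the pagination loop, for the `aws iam $command` call in GetInfoFromUniqueId, and for the two account lookups at the top of the file. Invoking the CLI directly with an argument array keeps every value a single literal argument and removes the need for `Invoke-Expression` altogether; the parameter could additionally carry a `[ValidatePattern()]` restricting it to the character set conformance pack names permit (confirm against the API's documented name constraint before choosing the regex). Separately, `$json`, `$name` and `$id` in GetInfoFromUniqueId are never assigned anywhere in the file, so only the `$arn` branch, driven by the module-scope `$arn = $true`, can ever return a value, and the `$errOut[1]` index assumes at least two error records without checking. The rewrite below covers the two `configservice` calls; the `sts`, `organizations` and `iam` calls would change in the same way.

```powershell
function GenerateCSV($conformancePack) {
    $awsArgs = @('configservice', 'get-conformance-pack-compliance-details',
                 '--conformance-pack-name', $conformancePack,
                 '--filters', 'ComplianceType=NON_COMPLIANT')
    # Call the CLI directly so $conformancePack and NextToken stay literal arguments.
    $returnedObjects = & aws @awsArgs | ConvertFrom-Json

    $collection = $returnedObjects

    while ($returnedObjects.NextToken -ne $null) {
        $returnedObjects = & aws @awsArgs '--next-token' $returnedObjects.NextToken | ConvertFrom-Json
        $collection.ConformancePackRuleEvaluationResults += $returnedObjects.ConformancePackRuleEvaluationResults
    }
    # ... unchanged: grouping of results by ConfigRuleName and CSV row construction ...
```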