ElectricEye is a multi-cloud, multi-SaaS Python CLI tool for Asset Management, Security Posture Management & Attack Surface Monitoring supporting 100s of services and evaluations to harden your CSP & SaaS environments with controls mapped to over 20 industry, regulatory, and best practice controls frameworks
Primarily, this PR is to address #292 to add Snowflake to the list of SaaS Security Posture Management checks in ElectricEye, which I did. Albeit only somewhat: I don't have access to an Enterprise Account and cannot evaluate any of the encryption-related checks and will not do so blindly in good faith (and to save myself asspain in the future).
Additionally, as is the tradition, whenever I am dicking around with the code I want to eke out some small performance improvements, bugfixes, and mess around with Outputs and some experimental features -- much like how I added same-account session creation and even came up with the idea of using a TOML file.
Breaking Changes
Updated OCSF outputs for ocsf_stdout and ocsf_kdf to 1.4.0 from 1.1.0
Retired DisruptOps/Firemon Cloud Defense output
Retired --create-insights option from the Controller, removed the old code that it called to create AWS Security Hub Insights
Bugfixes
Fixed normalization of base_event as well as resources.cloud_partition, resources.region, cloud.account.uid, and cloud.region for non-AWS checks that have placeholder ASFF values for Account, Region, and Partition
Fixed the --list-controls arg to display finding titles in a JSON list
Fixed the fake "aws-global-*" regions from displaying in OCSF outputs
Fixed the architecture diagram to make it a lot more self-explanatory and less busy
Fixed several mismatches where print and logger.* were used
Added missing types and fixed missing types within EEAuditor and CloudUtils for easier debugging - mostly for me
Fixed an issue where several duplicate boto3.Session() objects were created due to improper nesting
Fixed an issue where your default AWS session wouldn't be used if you did not include an argument for electric_eye_role_name in the TOML or experimental --args feature
Fixed an issue where assessment targets could be errantly called despite specifying one with -t -- notably ServiceNow was called when evaluating AWS
Fixed failing/passing logic in several AWS Glue, Amazon ECR, and AWS S3 checks due to improper exception handling or just me being an absolute bonehead
Features & Improvements
Snowflake supported with 21 checks - primarily for User & Account-level best practices. This includes adding HTML report iconography, compliance control mappings, documentation, control objectives, and screenshots.
Added support for OCSF 1.4.0 Compliance Findings output as ocsf_v1_4_0
Improved performance of EEAuditor notably for AWS checks
Improved the performance of AWS Glue, Amazon ECR, and AWS S3 checks while fixing logic evaluation bugs
Improved the usage of logging and default to INFO - this can make it a bit chatty so in the future I will have to change it I am sure - that will be a larger project I don't want to dick with right now
Improved type-hinting, especially for complex types like Azure, Snowflake, and AWS objects for auth and cursors
Improved typing and processing of several args in CloudUtils
Added several "single-dash"/shorthand commands for args where they didn't exist before such as -tp for --toml-path or -of for --output-file
Minor documentation updates for Setup
Experimental
Added an argument -ut / --use-toml to decide when to read from the TOML configuration file or use externally provided details
Added an argument --args which allows you to provide escaped JSON when -ut is set to False; this will call a new function in CloudUtils to process the configuration details from a JSON object instead of the TOML. This is a WIP and only AWS and Snowflake are ported with minimal documentation. The concept is to make it easier to run ElectricEye within Docker or another orchestrator, especially for providing several Accounts/Regions/Compartments to execute in parallel instead of in series.