Anthropic-Cybersecurity-Skills/skills/configuring-microsegmentation-for-zero-trust/scripts/agent.py

#!/usr/bin/env python3
"""Microsegmentation audit agent for zero trust network enforcement."""

import json
import os
import sys
import argparse
from datetime import datetime

try:
    import requests
    requests.packages.urllib3.disable_warnings()
except ImportError:
    print("Install: pip install requests")
    sys.exit(1)


def audit_aws_security_groups(session):
    """Audit AWS security groups for microsegmentation compliance."""
    import boto3
    ec2 = session.client("ec2")
    findings = []
    for sg in ec2.describe_security_groups()["SecurityGroups"]:
        for rule in sg.get("IpPermissions", []):
            for ip_range in rule.get("IpRanges", []):
                cidr = ip_range.get("CidrIp", "")
                if cidr == "0.0.0.0/0":
                    findings.append({
                        "sg_id": sg["GroupId"],
                        "sg_name": sg.get("GroupName", ""),
                        "port": rule.get("FromPort", "all"),
                        "cidr": cidr,
                        "severity": "HIGH",
                        "recommendation": "Restrict to specific CIDR blocks",
                    })
                elif "/" in cidr:
                    prefix = int(cidr.split("/")[1])
                    if prefix < 24:
                        findings.append({
                            "sg_id": sg["GroupId"],
                            "sg_name": sg.get("GroupName", ""),
                            "port": rule.get("FromPort", "all"),
                            "cidr": cidr,
                            "severity": "MEDIUM",
                            "recommendation": f"Narrow CIDR from /{prefix} to /32 or workload-specific range",
                        })
    return findings


def check_illumio_workloads(base_url, api_key, org_id):
    """Check Illumio workload segmentation status."""
    headers = {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"}
    try:
        resp = requests.get(f"{base_url}/api/v2/orgs/{org_id}/workloads",
                            headers=headers, verify=not os.environ.get("SKIP_TLS_VERIFY", "").lower() == "true", timeout=30)  # Set SKIP_TLS_VERIFY=true for self-signed certs in lab environments
        resp.raise_for_status()
        workloads = resp.json()
        return [{
            "hostname": w.get("hostname", ""),
            "enforcement_mode": w.get("enforcement_mode", ""),
            "visibility_level": w.get("visibility_level", ""),
            "online": w.get("online", False),
        } for w in workloads[:20]]
    except Exception as e:
        return [{"error": str(e)}]


def generate_segmentation_policy(app_tiers):
    """Generate microsegmentation policy recommendations."""
    policies = []
    for tier in app_tiers:
        policies.append({
            "tier": tier["name"],
            "allowed_inbound": tier.get("inbound_from", []),
            "allowed_ports": tier.get("ports", []),
            "deny_default": True,
            "enforcement": "block",
        })
    return {
        "principle": "Zero Trust — deny all, allow by exception",
        "policies": policies,
        "example_tiers": [
            {"name": "web", "inbound_from": ["load-balancer"], "ports": [443]},
            {"name": "app", "inbound_from": ["web"], "ports": [8080]},
            {"name": "db", "inbound_from": ["app"], "ports": [5432]},
        ],
    }


def run_audit(profile=None, region="us-east-1"):
    """Execute microsegmentation audit."""
    import boto3
    session = boto3.Session(profile_name=profile, region_name=region)
    print(f"\n{'='*60}")
    print(f"  MICROSEGMENTATION ZERO TRUST AUDIT")
    print(f"  Generated: {datetime.utcnow().isoformat()} UTC")
    print(f"{'='*60}\n")

    sg_findings = audit_aws_security_groups(session)
    print(f"--- SECURITY GROUP FINDINGS ({len(sg_findings)}) ---")
    for f in sg_findings[:15]:
        print(f"  [{f['severity']}] {f['sg_id']} ({f['sg_name']}): port {f['port']} from {f['cidr']}")

    policy = generate_segmentation_policy([])
    print(f"\n--- RECOMMENDED SEGMENTATION MODEL ---")
    print(f"  Principle: {policy['principle']}")
    for tier in policy["example_tiers"]:
        print(f"  {tier['name']}: allow from {tier['inbound_from']} on ports {tier['ports']}")

    return {"sg_findings": sg_findings, "policy": policy}


def main():
    parser = argparse.ArgumentParser(description="Microsegmentation Audit Agent")
    parser.add_argument("--profile", help="AWS CLI profile")
    parser.add_argument("--region", default="us-east-1", help="AWS region")
    parser.add_argument("--audit", action="store_true", help="Run audit")
    parser.add_argument("--output", help="Save report to JSON file")
    args = parser.parse_args()

    if args.audit:
        report = run_audit(args.profile, args.region)
        if args.output:
            with open(args.output, "w") as f:
                json.dump(report, f, indent=2, default=str)
            print(f"\n[+] Report saved to {args.output}")
    else:
        parser.print_help()


if __name__ == "__main__":
    main()