InvenTag Production Safety & Security Validation
This document provides comprehensive information about InvenTag's enterprise-grade production safety and security validation features.
🛡️ Overview
InvenTag includes three core components for production safety and security:
- ReadOnlyAccessValidator - Comprehensive security validation and audit logging
- ProductionSafetyMonitor - Enterprise-grade error handling and monitoring
- ComplianceManager - Unified compliance orchestration and reporting
These components work together to ensure secure, monitored, and compliant AWS operations with comprehensive audit trails.
🔐 ReadOnlyAccessValidator
The ReadOnlyAccessValidator ensures all AWS operations are read-only and provides detailed audit logging for compliance requirements.
Key Features
- Operation Classification: Automatic detection of read-only vs. mutating operations
- Security Enforcement: Blocks all non-read-only operations to ensure system integrity
- Compliance Standards: Built-in support for SOC2, ISO27001 compliance frameworks
- Audit Trail Generation: Detailed logging of all operations for compliance documentation
- Risk Assessment: Automatic risk level assessment for all AWS operations
- Identity Validation: AWS identity type detection and validation
Usage Examples
Basic Security Validation
from inventag.compliance import ReadOnlyAccessValidator, ComplianceStandard
# Initialize validator with compliance standard
validator = ReadOnlyAccessValidator(ComplianceStandard.GENERAL)
# Validate operations before execution
result = validator.validate_operation("ec2", "describe_instances")
if result.is_valid:
print(f"✓ Operation approved: {result.validation_message}")
print(f"Risk level: {result.risk_level}")
else:
print(f"✗ Operation blocked: {result.validation_message}")
print(f"Risk level: {result.risk_level}")
# View compliance notes
for note in result.compliance_notes:
print(f" • {note}")
AWS Permissions Validation
# Validate current AWS credentials have appropriate permissions
permissions_result = validator.validate_aws_permissions()
print(f"Overall status: {permissions_result['overall_status']}")
for check in permissions_result['permission_checks']:
print(f" {check['service']}:{check['operation']} - {check['status']}")
Compliance Reporting
# Generate comprehensive compliance report
compliance_report = validator.generate_compliance_report()
print(f"Compliance Score: {compliance_report.compliance_score}%")
print(f"Total Operations: {compliance_report.total_operations}")
print(f"Read-Only Operations: {compliance_report.read_only_operations}")
print(f"Blocked Operations: {compliance_report.mutating_operations_blocked}")
# Security findings
for finding in compliance_report.security_findings:
print(f" {finding['severity']}: {finding['title']}")
# Save report to file
validator.save_compliance_report(compliance_report, "compliance_report.json")
Supported Compliance Standards
- General: General production safety compliance
- SOC2: Service Organization Control 2
- ISO27001: International security management standard
- CUSTOM: Custom compliance requirements
Operation Classification
The validator uses multiple methods to classify operations:
- Explicit Whitelists: Known safe operations for each AWS service
- Pattern Matching: Common read-only patterns (describe_, list_, get_)
- Mutating Detection: Known dangerous patterns (create_, delete_, modify_)
- Unknown Blocking: Any unrecognized operation is blocked
🚨 ProductionSafetyMonitor
The ProductionSafetyMonitor provides enterprise-grade error handling, monitoring, and graceful degradation capabilities.
Key Features
- Graceful Degradation: Intelligent error handling with automatic recovery strategies
- Circuit Breaker Pattern: Prevents cascade failures with automatic service protection
- Performance Monitoring: Real-time CPU, memory, and disk utilization tracking
- CloudTrail Integration: Comprehensive audit trail visibility and event correlation
- Error Categorization: Severity-based error classification with user impact assessment
- Threshold Monitoring: Configurable alerting for error rates and performance metrics
Usage Examples
Basic Error Handling
from inventag.compliance import ProductionSafetyMonitor
# Initialize monitor with configuration
monitor = ProductionSafetyMonitor(
enable_cloudtrail=True,
enable_performance_monitoring=True,
error_threshold=10,
performance_threshold_cpu=80.0,
performance_threshold_memory=80.0
)
# Handle errors with graceful degradation
try:
# Your AWS operation here
result = some_aws_operation()
except Exception as e:
error_context = monitor.handle_error(
error=e,
operation="describe_instances",
service="ec2",
resource_arn="arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0"
)
print(f"Error severity: {error_context.severity}")
print(f"User impact: {error_context.user_impact}")
print(f"Recovery action: {error_context.recovery_action}")
Performance Monitoring
# Start background performance monitoring
monitor.start_performance_monitoring()
# Record operations for monitoring
start_time = time.time()
try:
# Your operation
result = aws_operation()
success = True
except Exception:
success = False
finally:
duration = time.time() - start_time
monitor.record_operation("describe_instances", "ec2", duration, success)
# Get monitoring summary
summary = monitor.get_monitoring_summary()
print(f"Total operations: {summary['total_operations']}")
print(f"Total errors: {summary['total_errors']}")
print(f"Error rate: {summary['total_errors'] / summary['total_operations'] * 100:.1f}%")
CloudTrail Integration
from datetime import datetime, timezone, timedelta
# Integrate with CloudTrail for audit visibility
end_time = datetime.now(timezone.utc)
start_time = end_time - timedelta(hours=1)
cloudtrail_events = monitor.integrate_cloudtrail_events(start_time, end_time)
print(f"Retrieved {len(cloudtrail_events)} CloudTrail events")
for event in cloudtrail_events[:5]: # Show first 5
print(f" {event.event_time}: {event.event_name} by {event.user_identity.get('userName', 'Unknown')}")
Security Validation Report
# Generate comprehensive security validation report
security_report = monitor.generate_security_validation_report(validation_period_hours=24)
print(f"Risk Score: {security_report.risk_score}/100")
print(f"Total Operations: {security_report.total_operations}")
print(f"Failed Operations: {security_report.failed_operations}")
print(f"Blocked Operations: {security_report.blocked_operations}")
# Security findings
for finding in security_report.security_findings:
print(f" {finding['severity']}: {finding['title']}")
print(f" {finding['description']}")
print(f" Recommendation: {finding['recommendation']}")
Error Severity Levels
- CRITICAL: System cannot proceed, immediate intervention required
- HIGH: Operation may fail, significant functionality affected
- MEDIUM: Operation may be retried, minimal user impact
- LOW: Operation continues with degraded functionality
- INFO: Informational messages, no impact
Circuit Breaker States
- CLOSED: Normal operation, requests pass through
- OPEN: Too many failures, requests are blocked
- HALF-OPEN: Testing if service has recovered
🎯 ComplianceManager
The ComplianceManager provides unified orchestration of security validation and production monitoring.
Key Features
- Unified Interface: Single point of control for all compliance activities
- Integrated Monitoring: Combines security validation with production monitoring
- Comprehensive Reporting: Executive-level compliance reports with detailed metrics
- Dashboard Data: Real-time compliance dashboard data generation
- Audit Management: Automated audit log cleanup and retention management
Usage Examples
Basic Compliance Management
from inventag.compliance import (
ComplianceManager,
ComplianceConfiguration,
ComplianceStandard
)
# Configure compliance management
config = ComplianceConfiguration(
compliance_standard=ComplianceStandard.GENERAL,
enable_security_validation=True,
enable_production_monitoring=True,
enable_cloudtrail_integration=True,
error_threshold=10,
performance_threshold_cpu=80.0,
performance_threshold_memory=80.0
)
# Initialize compliance manager
manager = ComplianceManager(config)
Operation Validation and Monitoring
# Validate and monitor operations in one call
result = manager.validate_and_monitor_operation(
service="ec2",
operation="describe_instances",
resource_arn="arn:aws:ec2:us-east-1:123456789012:instance/*",
operation_func=lambda: ec2_client.describe_instances()
)
print(f"Validation passed: {result['validation_passed']}")
print(f"Operation successful: {result['operation_successful']}")
print(f"Duration: {result['duration']:.2f}s")
if result.get('error_context'):
print(f"Error handled: {result['error_context'].recovery_action}")
Compliance Status Assessment
# Get current compliance status
status = manager.assess_compliance_status()
print(f"Overall Compliance: {'✓ COMPLIANT' if status.is_compliant else '✗ NON-COMPLIANT'}")
print(f"Compliance Score: {status.compliance_score:.1f}%")
print(f"Risk Score: {status.risk_score:.1f}/100")
print(f"Total Operations: {status.total_operations}")
print(f"Blocked Operations: {status.blocked_operations}")
# Recommendations
for rec in status.recommendations:
print(f" • {rec}")
Comprehensive Compliance Reporting
# Generate comprehensive compliance report
report = manager.generate_comprehensive_compliance_report()
# Executive summary
exec_summary = report['executive_summary']
print(f"Overall Status: {exec_summary['overall_compliance']}")
print(f"Compliance Score: {exec_summary['compliance_score']}")
print(f"Risk Level: {exec_summary['risk_level']}")
# Key findings
for finding in exec_summary.get('key_findings', []):
print(f" • {finding}")
# Immediate actions
for action in exec_summary.get('immediate_actions', []):
print(f" • {action}")
# Save comprehensive report
report_filename = f"compliance_report_{int(time.time())}.json"
manager.save_compliance_report(report, report_filename)
print(f"Report saved to: {report_filename}")
Dashboard Data Generation
# Get real-time dashboard data
dashboard_data = manager.get_compliance_dashboard_data()
print(f"Overall Status: {dashboard_data['overall_status']}")
print(f"Compliance Score: {dashboard_data['compliance_score']:.1f}%")
print(f"Risk Score: {dashboard_data['risk_score']:.1f}/100")
# Metrics
metrics = dashboard_data['metrics']
print(f"Success Rate: {metrics['success_rate']:.1f}%")
print(f"Total Operations: {metrics['total_operations']}")
print(f"Error Rate: {metrics['error_rate']:.1f}%")
# Status indicators
status_indicators = dashboard_data['status_indicators']
print(f"Security Validation: {status_indicators['security_validation']}")
print(f"Production Monitoring: {status_indicators['production_monitoring']}")
print(f"CloudTrail Integration: {status_indicators['cloudtrail_integration']}")
🔧 Configuration Options
ComplianceConfiguration
from inventag.compliance import ComplianceConfiguration, ComplianceStandard
config = ComplianceConfiguration(
# Compliance standard to follow
compliance_standard=ComplianceStandard.GENERAL,
# Enable/disable components
enable_security_validation=True,
enable_production_monitoring=True,
enable_cloudtrail_integration=True,
# Error handling thresholds
error_threshold=10, # Max errors before alerting
circuit_breaker_threshold=5, # Failures before circuit opens
circuit_breaker_timeout=300, # Seconds before retry
# Performance monitoring thresholds
performance_threshold_cpu=80.0, # CPU usage percentage
performance_threshold_memory=80.0, # Memory usage percentage
performance_threshold_disk=90.0, # Disk usage percentage
# Monitoring intervals
performance_monitoring_interval=30, # Seconds between checks
cloudtrail_lookup_interval=300, # Seconds between CloudTrail queries
# Audit log management
audit_log_retention_days=30, # Days to keep audit logs
max_audit_entries=10000, # Maximum audit entries in memory
# Report generation
include_performance_metrics=True, # Include performance data in reports
include_cloudtrail_events=True, # Include CloudTrail data in reports
generate_executive_summary=True # Generate executive summary
)
📊 Monitoring and Alerting
Performance Metrics
The system tracks various performance metrics:
- CPU Usage: Real-time CPU utilization percentage
- Memory Usage: Memory utilization and available memory
- Disk Usage: Disk space utilization
- Operation Duration: Time taken for each AWS operation
- Error Rates: Percentage of failed operations
- Success Rates: Percentage of successful operations
Alerting Thresholds
Configurable thresholds trigger alerts:
- Error Threshold: Maximum number of errors before alerting
- Performance Thresholds: CPU, memory, disk usage limits
- Circuit Breaker: Failure count before opening circuit
- Operation Duration: Maximum acceptable operation time
Log Files
The system generates several log files:
inventag_production.log: General production logsinventag_errors.log: Error-specific logsinventag_metrics.log: Performance metricsinventag_security_audit.log: Security audit trail
🚀 Integration Examples
CI/CD Pipeline Integration
from inventag.compliance import ComplianceManager, ComplianceConfiguration
def run_compliance_check():
"""Run compliance check in CI/CD pipeline."""
config = ComplianceConfiguration(
compliance_standard=ComplianceStandard.GENERAL,
enable_security_validation=True,
enable_production_monitoring=True,
error_threshold=5 # Strict threshold for CI/CD
)
manager = ComplianceManager(config)
# Run your AWS operations with compliance monitoring
try:
# Your AWS operations here
result = manager.validate_and_monitor_operation(
service="ec2",
operation="describe_instances"
)
if not result['validation_passed']:
print("❌ Compliance check failed - operation blocked")
exit(1)
except Exception as e:
print(f"❌ Compliance check failed with error: {e}")
exit(1)
# Generate compliance report
report = manager.generate_comprehensive_compliance_report()
# Check compliance score
compliance_score = report['executive_summary']['compliance_score']
if compliance_score < 95.0: # Require 95% compliance for CI/CD
print(f"❌ Compliance score too low: {compliance_score}%")
exit(1)
print(f"✅ Compliance check passed: {compliance_score}% compliant")
return True
if __name__ == "__main__":
run_compliance_check()
Monitoring Dashboard Integration
import json
from inventag.compliance import ComplianceManager
def get_dashboard_metrics():
"""Get metrics for monitoring dashboard."""
manager = ComplianceManager()
# Get real-time dashboard data
dashboard_data = manager.get_compliance_dashboard_data()
# Format for monitoring system (e.g., Prometheus, Grafana)
metrics = {
"inventag_compliance_score": dashboard_data['compliance_score'],
"inventag_risk_score": dashboard_data['risk_score'],
"inventag_total_operations": dashboard_data['metrics']['total_operations'],
"inventag_error_rate": dashboard_data['metrics']['error_rate'],
"inventag_success_rate": dashboard_data['metrics']['success_rate'],
"inventag_blocked_operations": dashboard_data['metrics']['blocked_operations']
}
return metrics
# Example usage with Prometheus
def export_to_prometheus():
"""Export metrics to Prometheus."""
metrics = get_dashboard_metrics()
# Write metrics in Prometheus format
with open('/var/lib/prometheus/node-exporter/inventag_metrics.prom', 'w') as f:
for metric_name, value in metrics.items():
f.write(f"{metric_name} {value}\n")
🔍 Troubleshooting
Common Issues
Security Validation Failures
Issue: Operations are being blocked unexpectedly Solution: Check the operation classification and add to whitelist if needed
# Debug operation classification
validator = ReadOnlyAccessValidator()
result = validator.validate_operation("service", "operation")
print(f"Operation type: {result.operation_type}")
print(f"Risk level: {result.risk_level}")
print(f"Validation message: {result.validation_message}")
Performance Monitoring Issues
Issue: High CPU/memory usage alerts Solution: Adjust thresholds or investigate resource usage
# Check current performance metrics
monitor = ProductionSafetyMonitor()
summary = monitor.get_monitoring_summary()
print(f"Current thresholds: CPU={summary['performance_thresholds']['cpu']}%")
print(f"Current thresholds: Memory={summary['performance_thresholds']['memory']}%")
CloudTrail Integration Problems
Issue: CloudTrail events not being retrieved Solution: Check IAM permissions and CloudTrail configuration
# Test CloudTrail access
from datetime import datetime, timezone, timedelta
monitor = ProductionSafetyMonitor(enable_cloudtrail=True)
end_time = datetime.now(timezone.utc)
start_time = end_time - timedelta(minutes=5)
try:
events = monitor.integrate_cloudtrail_events(start_time, end_time)
print(f"Successfully retrieved {len(events)} events")
except Exception as e:
print(f"CloudTrail integration failed: {e}")
Debug Mode
Enable debug logging for troubleshooting:
import logging
# Enable debug logging
logging.basicConfig(level=logging.DEBUG)
# Initialize components with debug logging
validator = ReadOnlyAccessValidator()
monitor = ProductionSafetyMonitor()
manager = ComplianceManager()
📋 Best Practices
Security Best Practices
- Always validate operations before execution
- Use appropriate compliance standards for your environment
- Monitor audit logs regularly for security events
- Set appropriate thresholds for your environment
- Regularly review compliance reports for security findings
Performance Best Practices
- Monitor system resources during operations
- Set realistic performance thresholds based on your environment
- Use circuit breakers to prevent cascade failures
- Implement graceful degradation for error scenarios
- Regular cleanup of audit logs and metrics
Compliance Best Practices
- Generate regular compliance reports for audit purposes
- Maintain audit trails for all operations
- Review security findings and implement recommendations
- Keep compliance configurations up to date
- Test compliance checks in non-production environments first
📞 Support
For issues related to production safety and security validation:
- Check the troubleshooting section above
- Review log files for detailed error information
- Test in non-production environments first
- Verify IAM permissions are correctly configured
- Check AWS service limits and quotas
🔄 Updates and Maintenance
This documentation is maintained alongside the codebase. Any changes to security validation or production monitoring features will be reflected here with version updates.
For the latest information, always refer to the source code and inline documentation.