Merge pull request #4 from aquasecurity/owen-add-ec2
add ec2 rules and structs
Showing
631 changed files
with
243,446 additions
and
217 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,9 +1,11 @@ | ||
package aws | ||
|
||
import ( | ||
"github.com/aquasecurity/defsec/provider/aws/ec2" | ||
"github.com/aquasecurity/defsec/provider/aws/s3" | ||
) | ||
|
||
type AWS struct { | ||
S3 s3.S3 | ||
S3 s3.S3 | ||
EC2 ec2.EC2 | ||
} |
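--- /dev/null
+++ b/UNKNOWN_PATH
@@ -0,0 +1,5 @@
+package ec2
+
+type EC2 struct {
+Instances []Instance
+}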
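--- /dev/null
+++ b/UNKNOWN_PATH
@@ -0,0 +1,31 @@
+package ec2
+
+import (
+"github.com/aquasecurity/defsec/definition"
+"github.com/owenrumney/squealer/pkg/squealer"
+)
+
+type Instance struct {
+*definition.Metadata
+MetadataOptions MetadataOptions
+UserData definition.StringValue
+}
+
+type MetadataOptions struct {
+*definition.Metadata
+HttpTokens definition.StringValue
+HttpEndpoint definition.StringValue
+}
+
+func (i *Instance) RequiresIMDSToken() bool {
+return i.MetadataOptions.HttpTokens.EqualTo("required")
+}
+
+func (i *Instance) HasHTTPEndpointDisabled() bool {
+return i.MetadataOptions.HttpEndpoint.EqualTo("disabled")
+}
+
+func (i *Instance) HasSensitiveInformationInUserData() bool {
+scanner := squealer.NewStringScanner()
+return scanner.Scan(i.UserData.Value).TransgressionFound
+}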
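Review bot: `HasSensitiveInformationInUserData` builds a fresh scanner on every call (`squealer.NewStringScanner()` inside the method), so scanning N instances pays the scanner's setup N times; a package-level `var userDataScanner = squealer.NewStringScanner()` reused by the method would avoid that, provided the scanner is safe to share across calls, which is not visible from this file. The exported fields `HttpTokens` and `HttpEndpoint` break Go's initialism convention (`HTTPTokens`, `HTTPEndpoint`), and none of the exported types or methods carry a doc comment; a one-liner such as `// RequiresIMDSToken reports whether http_tokens is set to "required".` on each method would help. The scanner sees `i.UserData.Value` as-is, so if user data can reach this struct still base64-encoded the secret patterns will not match; worth confirming how the value is populated.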
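--- /dev/null
+++ b/UNKNOWN_PATH
@@ -0,0 +1,45 @@
+package ec2
+
+import (
+"fmt"
+
+"github.com/aquasecurity/defsec/infra"
+"github.com/aquasecurity/defsec/provider"
+"github.com/aquasecurity/defsec/result"
+"github.com/aquasecurity/defsec/rules"
+"github.com/aquasecurity/defsec/severity"
+)
+
+var CheckIMDSAccessRequiresToken = rules.RuleDef{
+
+Provider: provider.AWSProvider,
+Service: "ec2",
+ShortCode: "enforce-http-token-imds",
+Summary: "aws_instance should activate session tokens for Instance Metadata Service.",
+Impact: "Instance metadata service can be interacted with freely",
+Resolution: "Enable HTTP token requirement for IMDS",
+Explanation: `
+IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
+By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.
+To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.
+`,
+
+Links: []string{
+"https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service",
+},
+
+Severity: severity.High,
+CheckFunc: func(context *infra.Context) []*result.Result {
+
+var results []*result.Result
+for _, instance := range context.AWS.EC2.Instances {
+if !instance.RequiresIMDSToken() && !instance.HasHTTPEndpointDisabled() {
+results = append(results, &result.Result{
+Description: fmt.Sprintf("Instance '%s' does not require IMDS access to require a token", instance.Reference),
+Location: instance.MetadataOptions.HttpTokens.Range,
+})
+}
+}
+return results
+},
+}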
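Review bot: The finding text on the `Description:` line, `Instance '%s' does not require IMDS access to require a token`, is garbled and will confuse anyone triaging the result; `Description: fmt.Sprintf("Instance '%s' does not require a token for IMDS access", instance.Reference),` states what the rule actually checks. The `CheckFunc` parameter is named `context`, which shadows the standard library package of that name; `ctx` or `c` is conventional, and the same applies to the no-secrets rule in this commit. `Location` is taken from `instance.MetadataOptions.HttpTokens.Range`, yet the default-optional case the explanation describes is precisely an instance with no `metadata_options` block at all, so that range may be empty there; confirm the result still points at the instance in that case.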
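--- /dev/null
+++ b/UNKNOWN_PATH
@@ -0,0 +1,41 @@
+package ec2
+
+import (
+"fmt"
+
+"github.com/aquasecurity/defsec/infra"
+"github.com/aquasecurity/defsec/provider"
+"github.com/aquasecurity/defsec/result"
+"github.com/aquasecurity/defsec/rules"
+"github.com/aquasecurity/defsec/severity"
+)
+
+var CheckNoSecretsInUserData = rules.RuleDef{
+
+Provider: provider.AWSProvider,
+Service: "ec2",
+ShortCode: "no-secrets-in-user-data",
+Summary: "User data for EC2 instances must not contain sensitive AWS keys",
+Impact: "User data is visible through the AWS Management console",
+Resolution: "Remove sensitive data from the EC2 instance user-data",
+Explanation: `
+EC2 instance data is used to pass start up information into the EC2 instance. This userdata must not contain access key credentials. Instead use an IAM Instance Profile assigned to the instance to grant access to other AWS Services.
+`,
+Links: []string{
+"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-add-user-data.html",
+},
+Severity: severity.Critical,
+CheckFunc: func(context *infra.Context) []*result.Result {
+
+var results []*result.Result
+for _, instance := range context.AWS.EC2.Instances {
+if instance.HasSensitiveInformationInUserData() {
+results = append(results, &result.Result{
+Description: fmt.Sprintf("Instance '%s' has potentially sensitive information in its user data", instance.Reference),
+Location: instance.UserData.Range,
+})
+}
+}
+return results
+},
+}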
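Review bot: The `Summary:` line narrows the rule to "sensitive AWS keys", but `HasSensitiveInformationInUserData` reports any transgression the squealer scanner finds, so the summary understates what this rule flags; `Summary: "User data for EC2 instances must not contain secrets such as AWS access keys",` matches the implementation. The `Description` does not echo the matched value, which keeps the secret itself out of scan output; that property is worth preserving if the message is ever extended. As in the IMDS rule, the `CheckFunc` parameter named `context` shadows the standard library package.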