1. Merge attack surface summaries for all DB services

2. Create base for elasticache attack surface 3. Fix ALB summary
nccgroup · Nov 17, 2017 · f9431e1 · f9431e1
1 parent 15cb7eb
commit f9431e1
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 4 deletions.
diff --git a/AWSScout2/configs/data/metadata.json b/AWSScout2/configs/data/metadata.json
@@ -353,6 +353,15 @@
         }
     },
     "database": {
+        "summaries": {
+            "external attack surface": {
+                "cols": 1,
+                "path": "service_groups.database.summaries.external_attack_surface",
+                "callbacks": [
+                    [ "merge", {"attribute": "external_attack_surface"} ]
+                ]
+            }
+        },
         "elasticache": {
             "resources": {
                 "clusters": {
@@ -361,7 +370,8 @@
                     "cols": 2,
                     "path": "services.elasticache.regions.id.vpcs.id.clusters",
                     "callbacks": [
-                        [ "match_security_groups_and_resources_callback", {"status_path": ["CacheClusterStatus"], "sg_list_attribute_name": ["SecurityGroups"], "sg_id_attribute_name": "SecurityGroupId"} ]
+                        [ "match_security_groups_and_resources_callback", {"status_path": ["CacheClusterStatus"], "sg_list_attribute_name": ["SecurityGroups"], "sg_id_attribute_name": "SecurityGroupId"} ],
+                        [ "get_db_attack_surface", {} ]
                     ]
                 },
                 "parameter_groups": {

diff --git a/...output/data/html/summaries/service_groups.database.summaries.external_attack_surface.html b/...output/data/html/summaries/service_groups.database.summaries.external_attack_surface.html
@@ -0,0 +1,6 @@
+
+<!-- Template for network attack surface -->
+<script id="service_groups.database.summaries.external_attack_surface.details.template" type="text/x-handlebars-template">
+  {{> attack_surface service = 'Database'}}
+</script>
+
diff --git a/AWSScout2/rules/preprocessing.py b/AWSScout2/rules/preprocessing.py
@@ -81,7 +81,6 @@ def process_metadata_callbacks(aws_config):
         if 'summaries' in aws_config['metadata'][service_group]:
             for summary in aws_config['metadata'][service_group]['summaries']:
                     current_path = [ 'services', service ]
-                    print('Summary :: %s' % summary)
                     for callback in aws_config['metadata'][service_group]['summaries'][summary]['callbacks']:
                         callback_name = callback[0]
                         callback_args = copy.deepcopy(callback[1])
@@ -673,6 +672,12 @@ def get_db_attack_surface(aws_config, current_config, path, current_path, db_id,
         listeners = [ current_config['Endpoint']['Port'] ]
         security_groups = current_config['VpcSecurityGroups']
         security_group_to_attack_surface(aws_config, service_config['external_attack_surface'], public_dns, current_path, [g['VpcSecurityGroupId'] for g in security_groups], listeners)
+    elif 'ConfigurationEndpoint' in current_config:
+        public_dns = current_config['ConfigurationEndpoint']['Address'].replace('.cfg', '') # TODO : get the proper addresss
+        listeners = [ current_config['ConfigurationEndpoint']['Port'] ]
+        security_groups = current_config['SecurityGroups']
+        security_group_to_attack_surface(aws_config, service_config['external_attack_surface'], public_dns, current_path, [g['SecurityGroupId'] for g in security_groups], listeners)
+        # TODO :: Get Redis endpoint information
 
 
 
@@ -691,11 +696,11 @@ def get_lb_attack_surface(aws_config, current_config, path, current_path, elb_id
     elif current_path[1] == 'elbv2' and current_config['Scheme'] == 'internet-facing':
         vpc_id = current_path[5]
         elb_config['external_attack_surface'][public_dns] = {'protocols': {}}
-        security_groups = current_config['security_groups']
+        security_groups = [g['GroupId'] for g in current_config['security_groups']]
         listeners = []
         for listener in current_config['listeners']:
             listeners.append(listener)
-        security_group_to_attack_surface(aws_config, elb_config['external_attack_surface'], public_dns, current_path, [g['GroupId'] for g in security_groups], 'GroupId', listeners)
+        security_group_to_attack_surface(aws_config, elb_config['external_attack_surface'], public_dns, current_path, security_groups, listeners)
     elif current_config['Scheme'] == 'internet-facing':
         # Classic ELbs do not have a security group, lookup listeners instead
         public_dns = current_config['DNSName']