Merge pull request #1614 from rdegraaf/feature/1584-aws-ebs-encryption
Feature/1584 aws ebs encryption
Showing 11 changed files with 138 additions and 3 deletions.
ScoutSuite/output/data/html/partials/aws/services.ec2.regions.id.regional_settings.html (26 additions & 0 deletions)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
<!-- EC2 regional settings partial --> | ||
<script id="services.ec2.regions.id.regional_settings.partial" type="text/x-handlebars-template"> | ||
<div id="resource-name" class="list-group-item active"> | ||
<h4 class="list-group-item-heading">{{region}}</h4> | ||
</div> | ||
<div class="list-group-item"> | ||
<h4 class="list-group-item-heading">Regional settings</h4> | ||
<ul> | ||
<li class="list-group-item-text">Encryption enabled for EBS Volumes by default: <span id="ec2.regions.{{region}}.regional_settings.{{@key}}.NoDefaultEBSEncryption"><samp>{{ebs_encryption_default}}</samp></span></li> | ||
<li class="list-group-item-text">Default encryption key: <span id="ec2.regions.{{region}}.regional_settings.{{@key}}.ebs_default_encryption_key"><samp>{{ebs_default_encryption_key_id}}</samp></span></li> | ||
</ul> | ||
</div> | ||
</script> | ||
|
||
<script> | ||
Handlebars.registerPartial("services.ec2.regions.id.regional_settings", $("#services\\.ec2\\.regions\\.id\\.regional_settings\\.partial").html()); | ||
</script> | ||
|
||
<!-- Single region template --> | ||
<!-- **UNTESTED** Intended for details popups. Not used at this time. --> | ||
<script id="single_ec2_region-template" type="text/x-handlebars-template"> | ||
{{> modal-template template='services.ec2.regions.id.regional_settings'}} | ||
</script> | ||
<script> | ||
var single_ec2_region_template = Handlebars.compile($("#single_ec2_region-template").html()); | ||
</script> |
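Review bot: the `single_ec2_region-template` block at the end of this file is marked **UNTESTED** and "Not used at this time"; untested, unreferenced template code should not ship in the partial, so either drop it or add it together with the details popup that will exercise it. Also, the two `<span>` ids use different conventions: the first ends with the finding's `id_suffix` (`NoDefaultEBSEncryption`) while the second ends with the attribute name (`ebs_default_encryption_key`); pick one so dashboard highlighting behaves consistently for both values.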
ScoutSuite/providers/aws/resources/ec2/regional_settings.py (20 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
from ScoutSuite.providers.aws.resources.base import AWSResources | ||
from ScoutSuite.providers.aws.facade.base import AWSFacade | ||
from ScoutSuite.providers.aws.utils import get_name, format_arn | ||
|
||
|
||
class RegionalSettings(AWSResources): | ||
def __init__(self, facade: AWSFacade, region: str): | ||
super().__init__(facade) | ||
self.region = region | ||
self.partition = facade.partition | ||
self.service = 'ec2' | ||
self.resource_type = 'regional_setting' | ||
|
||
async def fetch_all(self): | ||
# These settings are associated directly with the service+region, not with any resource. | ||
# However, ScoutSuite seems to assume that every setting is tied to a resource so we make | ||
# up a fake resource to hold them. | ||
self[0] = {} | ||
self[0]['ebs_encryption_default'] = (await self.facade.ec2.get_ebs_encryption(self.region))['EbsEncryptionByDefault'] | ||
self[0]['ebs_default_encryption_key_id'] = (await self.facade.ec2.get_ebs_default_encryption_key(self.region))['KmsKeyId'] |
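Review bot: `get_name` and `format_arn` are imported on the third line but never used in this module; remove the import. In `fetch_all`, the two facade results are subscripted directly (`[...]['EbsEncryptionByDefault']`, `[...]['KmsKeyId']`), so if a facade call returns `None` or an empty dict on an API error the exception propagates and aborts the whole EC2 fetch; consider checking the result before indexing, or at least using `.get()` so one failing region degrades to a missing attribute rather than a crash. The two awaits are also independent and could be gathered, though that is a minor point.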
ScoutSuite/providers/aws/rules/findings/ec2-ebs-default-encryption-disabled.json (19 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
{ | ||
"description": "EBS Encryption By Default Is Disabled", | ||
"rationale": "Enabling EBS encryption by default ensures that all EBS Volumes created in the region are encrypted even if the operator neglects to opt into encryption when creating a Volume.", | ||
"remediation": "Enable encryption by default for EBS volumes in all regions.", | ||
"references": [ | ||
"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default" | ||
], | ||
"dashboard_name": "Regions", | ||
"path": "ec2.regions.id.regional_settings.id", | ||
"conditions": [ | ||
"and", | ||
[ | ||
"ebs_encryption_default", | ||
"false", | ||
"" | ||
] | ||
], | ||
"id_suffix": "NoDefaultEBSEncryption" | ||
} |
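Review bot: the condition only tests `ebs_encryption_default`, so a region that has encryption by default enabled but with whatever key is recorded in `ebs_default_encryption_key_id` (collected by the resource class in this same change) is never surfaced; if the intent is to also report regions using the account default key rather than a customer-managed one, that belongs in a separate finding with its own `id_suffix`. The `remediation` text says "in all regions" while the finding is raised per region; wording it per region would match the `path` and the per-region result ids in the test expectations.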
tests/data/rule-configs/ec2-ebs-default-encryption-disabled.json (1 addition & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
ec2.json |
tests/data/rule-results/ec2-ebs-default-encryption-disabled.json (5 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
[ | ||
"ec2.regions.ap-northeast-2.regional_settings.0.NoDefaultEBSEncryption", | ||
"ec2.regions.ap-south-1.regional_settings.0.NoDefaultEBSEncryption", | ||
"ec2.regions.eu-central-1.regional_settings.0.NoDefaultEBSEncryption" | ||
] |
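Review bot: these expected ids hard-code the `regional_settings.0` index that comes from the `self[0] = {}` fake resource in `regional_settings.py`, and the rule config above points the test at `ec2.json`, which is not among the files shown in this diff; confirm that fixture actually carries `regional_settings` entries for `ap-northeast-2`, `ap-south-1` and `eu-central-1` (and encryption-enabled entries for at least one other region, so the negative case is covered), otherwise the test passes vacuously or fails as soon as the placeholder key changes.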