Merge pull request #1614 from rdegraaf/feature/1584-aws-ebs-encryption

Feature/1584 aws ebs encryption
nccgroup · Mar 7, 2024 · 7a6e3c7 · 7a6e3c7
2 parents 631cd70 + 68e9199
commit 7a6e3c7
Show file tree

Hide file tree

Showing 11 changed files with 138 additions and 3 deletions.
diff --git a/ScoutSuite/output/data/html/partials/aws/services.ec2.regions.id.regional_settings.html b/ScoutSuite/output/data/html/partials/aws/services.ec2.regions.id.regional_settings.html
@@ -0,0 +1,26 @@
+<!-- EC2 regional settings partial -->
+<script id="services.ec2.regions.id.regional_settings.partial" type="text/x-handlebars-template">
+    <div id="resource-name" class="list-group-item active">
+        <h4 class="list-group-item-heading">{{region}}</h4>
+    </div>
+    <div class="list-group-item">
+        <h4 class="list-group-item-heading">Regional settings</h4>
+        <ul>
+            <li class="list-group-item-text">Encryption enabled for EBS Volumes by default: <span id="ec2.regions.{{region}}.regional_settings.{{@key}}.NoDefaultEBSEncryption"><samp>{{ebs_encryption_default}}</samp></span></li>
+            <li class="list-group-item-text">Default encryption key: <span id="ec2.regions.{{region}}.regional_settings.{{@key}}.ebs_default_encryption_key"><samp>{{ebs_default_encryption_key_id}}</samp></span></li>
+        </ul>
+    </div>
+</script>
+
+<script>
+    Handlebars.registerPartial("services.ec2.regions.id.regional_settings", $("#services\\.ec2\\.regions\\.id\\.regional_settings\\.partial").html());
+</script>
+
+<!-- Single region template -->
+<!-- **UNTESTED**  Intended for details popups.  Not used at this time. -->
+<script id="single_ec2_region-template" type="text/x-handlebars-template">
+    {{> modal-template template='services.ec2.regions.id.regional_settings'}}
+</script>
+<script>
+    var single_ec2_region_template = Handlebars.compile($("#single_ec2_region-template").html());
+</script>
diff --git a/ScoutSuite/providers/aws/facade/ec2.py b/ScoutSuite/providers/aws/facade/ec2.py
@@ -218,4 +218,20 @@ async def get_route_tables(self, region):
             return route_tables
         except Exception as e:
             print_exception('Failed to get route tables: {}'.format(e))
-            return []
+            return []
+
+    async def get_ebs_encryption(self, region):
+        ec2_client = AWSFacadeUtils.get_client('ec2', self.session, region)
+        try:
+            encryption_settings = await run_concurrently(lambda: ec2_client.get_ebs_encryption_by_default())
+            return encryption_settings
+        except Exception as e:
+            print_exception(f'Failed to retrieve EBS encryption settings: {e}')
+
+    async def get_ebs_default_encryption_key(self, region):
+        ec2_client = AWSFacadeUtils.get_client('ec2', self.session, region)
+        try:
+            encryption_key = await run_concurrently(lambda: ec2_client.get_ebs_default_kms_key_id())
+            return encryption_key
+        except Exception as e:
+            print_exception(f'Failed to retrieve EBS encryption key ID: {e}')
diff --git a/ScoutSuite/providers/aws/metadata.json b/ScoutSuite/providers/aws/metadata.json
@@ -213,6 +213,10 @@
                 "images": {
                     "cols": 2,
                     "path": "services.ec2.regions.id.images"
+                },
+                "regional_settings": {
+                    "cols": 2,
+                    "path": "services.ec2.regions.id.regional_settings"
                 }
             },
             "summaries": {

diff --git a/ScoutSuite/providers/aws/resources/ec2/base.py b/ScoutSuite/providers/aws/resources/ec2/base.py
@@ -3,14 +3,16 @@
 from ScoutSuite.providers.aws.resources.ec2.volumes import Volumes
 from ScoutSuite.providers.aws.resources.ec2.vpcs import Ec2Vpcs
 from ScoutSuite.providers.aws.resources.regions import Regions
+from ScoutSuite.providers.aws.resources.ec2.regional_settings import RegionalSettings
 
 
 class EC2(Regions):
     _children = [
         (Ec2Vpcs, 'vpcs'),
         (AmazonMachineImages, 'images'),
         (Snapshots, 'snapshots'),
-        (Volumes, 'volumes')
+        (Volumes, 'volumes'),
+        (RegionalSettings, 'regional_settings')
     ]
 
     def __init__(self, facade):
@@ -26,7 +28,7 @@ async def fetch_all(self, regions=None, excluded_regions=None, partition_name='a
                 sum([len(vpc['security_groups']) for vpc in self['regions'][region]['vpcs'].values()])
             self['regions'][region]['network_interfaces_count'] =\
                 sum([len(vpc['network_interfaces']) for vpc in self['regions'][region]['vpcs'].values()])
-        
+
         self['instances_count'] =\
             sum([region['instances_count'] for region in self['regions'].values()])
         self['security_groups_count'] =\

diff --git a/ScoutSuite/providers/aws/resources/ec2/regional_settings.py b/ScoutSuite/providers/aws/resources/ec2/regional_settings.py
@@ -0,0 +1,20 @@
+from ScoutSuite.providers.aws.resources.base import AWSResources
+from ScoutSuite.providers.aws.facade.base import AWSFacade
+from ScoutSuite.providers.aws.utils import get_name, format_arn
+
+
+class RegionalSettings(AWSResources):
+    def __init__(self, facade: AWSFacade, region: str):
+        super().__init__(facade)
+        self.region = region
+        self.partition = facade.partition
+        self.service = 'ec2'
+        self.resource_type = 'regional_setting'
+
+    async def fetch_all(self):
+        # These settings are associated directly with the service+region, not with any resource.
+        # However, ScoutSuite seems to assume that every setting is tied to a resource so we make 
+        # up a fake resource to hold them.
+        self[0] = {}
+        self[0]['ebs_encryption_default'] = (await self.facade.ec2.get_ebs_encryption(self.region))['EbsEncryptionByDefault']
+        self[0]['ebs_default_encryption_key_id'] = (await self.facade.ec2.get_ebs_default_encryption_key(self.region))['KmsKeyId']
diff --git a/ScoutSuite/providers/aws/rules/findings/ec2-ebs-default-encryption-disabled.json b/ScoutSuite/providers/aws/rules/findings/ec2-ebs-default-encryption-disabled.json
@@ -0,0 +1,19 @@
+{
+    "description": "EBS Encryption By Default Is Disabled",
+    "rationale": "Enabling EBS encryption by default ensures that all EBS Volumes created in the region are encrypted even if the operator neglects to opt into encryption when creating a Volume.",
+    "remediation": "Enable encryption by default for EBS volumes in all regions.",
+    "references": [
+        "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default"
+    ],
+    "dashboard_name": "Regions",
+    "path": "ec2.regions.id.regional_settings.id",
+    "conditions": [
+        "and",
+        [
+            "ebs_encryption_default",
+            "false",
+            ""
+        ]
+    ],
+    "id_suffix": "NoDefaultEBSEncryption"
+}
diff --git a/ScoutSuite/providers/aws/rules/rulesets/default.json b/ScoutSuite/providers/aws/rules/rulesets/default.json
@@ -142,6 +142,12 @@
                 "level": "danger"
             }
         ],
+        "ec2-ebs-default-encryption-disabled.json": [
+            {
+                "enabled": true,
+                "level": "warning"
+            }
+        ],
         "ec2-instance-in-security-group.json": [
             {
                 "args": [

diff --git a/ScoutSuite/providers/aws/rules/rulesets/detailed.json b/ScoutSuite/providers/aws/rules/rulesets/detailed.json
@@ -142,6 +142,12 @@
                 "level": "danger"
             }
         ],
+        "ec2-ebs-default-encryption-disabled.json": [
+            {
+                "enabled": true,
+                "level": "warning"
+            }
+        ],
         "ec2-instance-in-security-group.json": [
             {
                 "args": [

diff --git a/tests/data/rule-configs/ec2-ebs-default-encryption-disabled.json b/tests/data/rule-configs/ec2-ebs-default-encryption-disabled.json
@@ -0,0 +1 @@
+ec2.json
diff --git a/tests/data/rule-configs/ec2.json b/tests/data/rule-configs/ec2.json
@@ -7,6 +7,12 @@
                 "ap-northeast-2": {
                     "instances_count": 0,
                     "region": "ap-northeast-2",
+                    "regional_settings": {
+                        "0": {
+                            "ebs_default_encryption_key_id": "alias/aws/ebs",
+                            "ebs_encryption_default": false
+                        }
+                    },
                     "security_groups_count": 1,
                     "snapshots": {},
                     "snapshots_count": 0,
@@ -59,6 +65,12 @@
                 "ap-south-1": {
                     "instances_count": 0,
                     "region": "ap-south-1",
+                    "regional_settings": {
+                        "0": {
+                            "ebs_default_encryption_key_id": "alias/aws/ebs",
+                            "ebs_encryption_default": false
+                        }
+                    },
                     "security_groups_count": 1,
                     "snapshots": {},
                     "snapshots_count": 0,
@@ -108,6 +120,12 @@
                 "eu-central-1": {
                     "instances_count": 0,
                     "region": "eu-central-1",
+                    "regional_settings": {
+                        "0": {
+                            "ebs_default_encryption_key_id": "alias/aws/ebs",
+                            "ebs_encryption_default": false
+                        }
+                    },
                     "security_groups_count": 1,
                     "snapshots": {},
                     "snapshots_count": 0,
@@ -146,6 +164,12 @@
                 "eu-west-1": {
                     "instances_count": 35,
                     "region": "eu-west-1",
+                    "regional_settings": {
+                        "0": {
+                            "ebs_default_encryption_key_id": "arn:aws:kms:us-east-1:123456789012:key/12345678-90ab-cdef-1234-567890abcdef",
+                            "ebs_encryption_default": true
+                        }
+                    },
                     "security_groups_count": 30,
                     "vpcs": {
                         "vpc-eu111111": {
@@ -248,6 +272,12 @@
                 "sa-east-1": {
                     "instances_count": 0,
                     "region": "sa-east-1",
+                    "regional_settings": {
+                        "0": {
+                            "ebs_default_encryption_key_id": "arn:aws:kms:us-east-1:123456789012:key/12345678-90ab-cdef-1234-567890abcdef",
+                            "ebs_encryption_default": true
+                        }
+                    },
                     "security_groups_count": 1,
                     "snapshots": {},
                     "snapshots_count": 0,

diff --git a/tests/data/rule-results/ec2-ebs-default-encryption-disabled.json b/tests/data/rule-results/ec2-ebs-default-encryption-disabled.json
@@ -0,0 +1,5 @@
+[
+    "ec2.regions.ap-northeast-2.regional_settings.0.NoDefaultEBSEncryption",
+    "ec2.regions.ap-south-1.regional_settings.0.NoDefaultEBSEncryption",
+    "ec2.regions.eu-central-1.regional_settings.0.NoDefaultEBSEncryption"
+]