chore(acm): Improve near-expiration certificates check (#4207)

Co-authored-by: Sergio <sergio@prowler.com>
prowler-cloud · Jun 7, 2024 · 1a225c3 · 1a225c3
1 parent 1d64ca4
commit 1a225c3
Show file tree

Hide file tree

Showing 10 changed files with 849 additions and 217 deletions.
diff --git a/docs/tutorials/configuration_file.md b/docs/tutorials/configuration_file.md
diff --git a/docs/tutorials/scan-unused-services.md b/docs/tutorials/scan-unused-services.md
@@ -11,6 +11,12 @@ prowler <provider> --scan-unused-services
 
 ## Services that are ignored
 ### AWS
+#### ACM
+You can have certificates in ACM that is not in use by any AWS resource.
+Prowler will check if every certificate is going to expire soon, if this certificate is not in use by default it is not going to be check if it is expired, is going to expire soon or it is good.
+
+- `acm_certificates_expiration_check`
+
 #### Athena
 When you create an AWS Account, Athena will create a default primary workgroup for you.
 Prowler will check if that workgroup is enabled and if it is being used by checking if there were queries in the last 45 days.

diff --git a/prowler/config/config.yaml b/prowler/config/config.yaml
@@ -262,10 +262,16 @@ aws:
       "LookupEvents",
       "Search",
     ]
+
+  # AWS RDS Configuration
   # aws.rds_instance_backup_enabled
   # Whether to check RDS instance replicas or not
   check_rds_instance_replicas: False
 
+  # AWS ACM Configuration
+  # aws.acm_certificates_expiration_check
+  days_to_expire_threshold: 7
+
 # Azure Configuration
 azure:
   # Azure Network Configuration

diff --git a/...s/aws/services/acm/acm_certificates_expiration_check/acm_certificates_expiration_check.py b/...s/aws/services/acm/acm_certificates_expiration_check/acm_certificates_expiration_check.py
@@ -1,33 +1,36 @@
 from prowler.lib.check.models import Check, Check_Report_AWS
 from prowler.providers.aws.services.acm.acm_client import acm_client
 
-DAYS_TO_EXPIRE_THRESHOLD = 7
-
 
 class acm_certificates_expiration_check(Check):
     def execute(self):
         findings = []
         for certificate in acm_client.certificates:
-            report = Check_Report_AWS(self.metadata())
-            report.region = certificate.region
-            if certificate.expiration_days > DAYS_TO_EXPIRE_THRESHOLD:
-                report.status = "PASS"
-                report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} expires in {certificate.expiration_days} days."
-                report.resource_id = certificate.id
-                report.resource_details = certificate.name
-                report.resource_arn = certificate.arn
-                report.resource_tags = certificate.tags
-            else:
-                report.status = "FAIL"
-                if certificate.expiration_days < 0:
-                    report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} has expired ({abs(certificate.expiration_days)} days ago)."
+            if certificate.in_use or acm_client.provider.scan_unused_services:
+                report = Check_Report_AWS(self.metadata())
+                report.region = certificate.region
+                if certificate.expiration_days > acm_client.audit_config.get(
+                    "days_to_expire_threshold", 7
+                ):
+                    report.status = "PASS"
+                    report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} expires in {certificate.expiration_days} days."
+                    report.resource_id = certificate.id
+                    report.resource_details = certificate.name
+                    report.resource_arn = certificate.arn
+                    report.resource_tags = certificate.tags
                 else:
-                    report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} is about to expire in {certificate.expiration_days} days."
+                    report.status = "FAIL"
+                    if certificate.expiration_days < 0:
+                        report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} has expired ({abs(certificate.expiration_days)} days ago)."
+                        report.check_metadata.Severity = "high"
+                    else:
+                        report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} is about to expire in {certificate.expiration_days} days."
+                        report.check_metadata.Severity = "medium"
 
-                report.resource_id = certificate.id
-                report.resource_details = certificate.name
-                report.resource_arn = certificate.arn
-                report.resource_tags = certificate.tags
+                    report.resource_id = certificate.id
+                    report.resource_details = certificate.name
+                    report.resource_arn = certificate.arn
+                    report.resource_tags = certificate.tags
 
-            findings.append(report)
+                findings.append(report)
         return findings
diff --git a/prowler/providers/aws/services/acm/acm_service.py b/prowler/providers/aws/services/acm/acm_service.py
@@ -50,6 +50,7 @@ def __list_certificates__(self, regional_client):
                                 id=certificate["CertificateArn"].split("/")[-1],
                                 type=certificate["Type"],
                                 expiration_days=certificate_expiration_time,
+                                in_use=certificate.get("InUse", False),
                                 transparency_logging=False,
                                 region=regional_client.region,
                             )
@@ -99,5 +100,6 @@ class Certificate(BaseModel):
     type: str
     tags: Optional[list] = []
     expiration_days: int
+    in_use: bool
     transparency_logging: Optional[bool]
     region: str
diff --git a/tests/config/config_test.py b/tests/config/config_test.py
@@ -24,10 +24,12 @@ def mock_prowler_get_latest_release(_, **kwargs):
     return response
 
 
-config_aws = {
+old_config_aws = {
     "shodan_api_key": None,
     "max_security_group_rules": 50,
     "max_ec2_instance_age_in_days": 180,
+    "ec2_allowed_interface_types": ["api_gateway_managed", "vpc_endpoint"],
+    "ec2_allowed_instance_owners": ["amazon-elb"],
     "trusted_account_ids": [],
     "log_group_retention_days": 365,
     "max_idle_disconnect_timeout_in_seconds": 600,
@@ -59,14 +61,231 @@ def mock_prowler_get_latest_release(_, **kwargs):
     "organizations_enabled_regions": [],
     "organizations_trusted_delegated_administrators": [],
     "check_rds_instance_replicas": False,
-    "ec2_allowed_interface_types": [
-        "api_gateway_managed",
-        "vpc_endpoint",
-    ],
+    "days_to_expire_threshold": 7,
+}
+config_aws = {
+    "mute_non_default_regions": False,
+    "max_unused_access_keys_days": 45,
+    "max_console_access_days": 45,
+    "shodan_api_key": None,
+    "max_security_group_rules": 50,
+    "max_ec2_instance_age_in_days": 180,
+    "ec2_allowed_interface_types": ["api_gateway_managed", "vpc_endpoint"],
     "ec2_allowed_instance_owners": ["amazon-elb"],
+    "trusted_account_ids": [],
+    "log_group_retention_days": 365,
+    "max_idle_disconnect_timeout_in_seconds": 600,
+    "max_disconnect_timeout_in_seconds": 300,
+    "max_session_duration_seconds": 36000,
+    "obsolete_lambda_runtimes": [
+        "java8",
+        "go1.x",
+        "provided",
+        "python3.6",
+        "python2.7",
+        "python3.7",
+        "nodejs4.3",
+        "nodejs4.3-edge",
+        "nodejs6.10",
+        "nodejs",
+        "nodejs8.10",
+        "nodejs10.x",
+        "nodejs12.x",
+        "nodejs14.x",
+        "dotnet5.0",
+        "dotnetcore1.0",
+        "dotnetcore2.0",
+        "dotnetcore2.1",
+        "dotnetcore3.1",
+        "ruby2.5",
+        "ruby2.7",
+    ],
+    "organizations_enabled_regions": [],
+    "organizations_trusted_delegated_administrators": [],
+    "ecr_repository_vulnerability_minimum_severity": "MEDIUM",
+    "verify_premium_support_plans": True,
+    "threat_detection_privilege_escalation_threshold": 0.1,
+    "threat_detection_privilege_escalation_minutes": 1440,
+    "threat_detection_privilege_escalation_actions": [
+        "AddPermission",
+        "AddRoleToInstanceProfile",
+        "AddUserToGroup",
+        "AssociateAccessPolicy",
+        "AssumeRole",
+        "AttachGroupPolicy",
+        "AttachRolePolicy",
+        "AttachUserPolicy",
+        "ChangePassword",
+        "CreateAccessEntry",
+        "CreateAccessKey",
+        "CreateDevEndpoint",
+        "CreateEventSourceMapping",
+        "CreateFunction",
+        "CreateGroup",
+        "CreateJob",
+        "CreateKeyPair",
+        "CreateLoginProfile",
+        "CreatePipeline",
+        "CreatePolicyVersion",
+        "CreateRole",
+        "CreateStack",
+        "DeleteRolePermissionsBoundary",
+        "DeleteRolePolicy",
+        "DeleteUserPermissionsBoundary",
+        "DeleteUserPolicy",
+        "DetachRolePolicy",
+        "DetachUserPolicy",
+        "GetCredentialsForIdentity",
+        "GetId",
+        "GetPolicyVersion",
+        "GetUserPolicy",
+        "Invoke",
+        "ModifyInstanceAttribute",
+        "PassRole",
+        "PutGroupPolicy",
+        "PutPipelineDefinition",
+        "PutRolePermissionsBoundary",
+        "PutRolePolicy",
+        "PutUserPermissionsBoundary",
+        "PutUserPolicy",
+        "ReplaceIamInstanceProfileAssociation",
+        "RunInstances",
+        "SetDefaultPolicyVersion",
+        "UpdateAccessKey",
+        "UpdateAssumeRolePolicy",
+        "UpdateDevEndpoint",
+        "UpdateEventSourceMapping",
+        "UpdateFunctionCode",
+        "UpdateJob",
+        "UpdateLoginProfile",
+    ],
+    "threat_detection_enumeration_threshold": 0.1,
+    "threat_detection_enumeration_minutes": 1440,
+    "threat_detection_enumeration_actions": [
+        "DescribeAccessEntry",
+        "DescribeAccountAttributes",
+        "DescribeAvailabilityZones",
+        "DescribeBundleTasks",
+        "DescribeCarrierGateways",
+        "DescribeClientVpnRoutes",
+        "DescribeCluster",
+        "DescribeDhcpOptions",
+        "DescribeFlowLogs",
+        "DescribeImages",
+        "DescribeInstanceAttribute",
+        "DescribeInstanceInformation",
+        "DescribeInstanceTypes",
+        "DescribeInstances",
+        "DescribeInstances",
+        "DescribeKeyPairs",
+        "DescribeLogGroups",
+        "DescribeLogStreams",
+        "DescribeOrganization",
+        "DescribeRegions",
+        "DescribeSecurityGroups",
+        "DescribeSnapshotAttribute",
+        "DescribeSnapshotTierStatus",
+        "DescribeSubscriptionFilters",
+        "DescribeTransitGatewayMulticastDomains",
+        "DescribeVolumes",
+        "DescribeVolumesModifications",
+        "DescribeVpcEndpointConnectionNotifications",
+        "DescribeVpcs",
+        "GetAccount",
+        "GetAccountAuthorizationDetails",
+        "GetAccountSendingEnabled",
+        "GetBucketAcl",
+        "GetBucketLogging",
+        "GetBucketPolicy",
+        "GetBucketReplication",
+        "GetBucketVersioning",
+        "GetCallerIdentity",
+        "GetCertificate",
+        "GetConsoleScreenshot",
+        "GetCostAndUsage",
+        "GetDetector",
+        "GetEbsDefaultKmsKeyId",
+        "GetEbsEncryptionByDefault",
+        "GetFindings",
+        "GetFlowLogsIntegrationTemplate",
+        "GetIdentityVerificationAttributes",
+        "GetInstances",
+        "GetIntrospectionSchema",
+        "GetLaunchTemplateData",
+        "GetLaunchTemplateData",
+        "GetLogRecord",
+        "GetParameters",
+        "GetPolicyVersion",
+        "GetPublicAccessBlock",
+        "GetQueryResults",
+        "GetRegions",
+        "GetSMSAttributes",
+        "GetSMSSandboxAccountStatus",
+        "GetSendQuota",
+        "GetTransitGatewayRouteTableAssociations",
+        "GetUserPolicy",
+        "HeadObject",
+        "ListAccessKeys",
+        "ListAccounts",
+        "ListAllMyBuckets",
+        "ListAssociatedAccessPolicies",
+        "ListAttachedUserPolicies",
+        "ListClusters",
+        "ListDetectors",
+        "ListDomains",
+        "ListFindings",
+        "ListHostedZones",
+        "ListIPSets",
+        "ListIdentities",
+        "ListInstanceProfiles",
+        "ListObjects",
+        "ListOrganizationalUnitsForParent",
+        "ListOriginationNumbers",
+        "ListPolicyVersions",
+        "ListRoles",
+        "ListRoles",
+        "ListRules",
+        "ListServiceQuotas",
+        "ListSubscriptions",
+        "ListTargetsByRule",
+        "ListTopics",
+        "ListUsers",
+        "LookupEvents",
+        "Search",
+    ],
+    "check_rds_instance_replicas": False,
+    "days_to_expire_threshold": 7,
+}
+
+config_azure = {
+    "shodan_api_key": None,
+    "php_latest_version": "8.2",
+    "python_latest_version": "3.12",
+    "java_latest_version": "17",
 }
 
-config_azure = {"shodan_api_key": None}
+config_gcp = {"shodan_api_key": None}
+
+config_kubernetes = {
+    "audit_log_maxbackup": 10,
+    "audit_log_maxsize": 100,
+    "audit_log_maxage": 30,
+    "apiserver_strong_ciphers": [
+        "TLS_AES_128_GCM_SHA256",
+        "TLS_AES_256_GCM_SHA384",
+        "TLS_CHACHA20_POLY1305_SHA256",
+    ],
+    "kubelet_strong_ciphers": [
+        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+        "TLS_RSA_WITH_AES_256_GCM_SHA384",
+        "TLS_RSA_WITH_AES_128_GCM_SHA256",
+    ],
+}
 
 
 class Test_Config:
@@ -131,22 +350,25 @@ def test_load_and_validate_config_file_aws(self):
         path = pathlib.Path(os.path.dirname(os.path.realpath(__file__)))
         config_test_file = f"{path}/fixtures/config.yaml"
         provider = "aws"
-
+        print(load_and_validate_config_file(provider, config_test_file))
         assert load_and_validate_config_file(provider, config_test_file) == config_aws
 
     def test_load_and_validate_config_file_gcp(self):
         path = pathlib.Path(os.path.dirname(os.path.realpath(__file__)))
         config_test_file = f"{path}/fixtures/config.yaml"
         provider = "gcp"
 
-        assert load_and_validate_config_file(provider, config_test_file) is None
+        assert load_and_validate_config_file(provider, config_test_file) == config_gcp
 
     def test_load_and_validate_config_file_kubernetes(self):
         path = pathlib.Path(os.path.dirname(os.path.realpath(__file__)))
         config_test_file = f"{path}/fixtures/config.yaml"
         provider = "kubernetes"
-
-        assert load_and_validate_config_file(provider, config_test_file) is None
+        print(load_and_validate_config_file(provider, config_test_file))
+        assert (
+            load_and_validate_config_file(provider, config_test_file)
+            == config_kubernetes
+        )
 
     def test_load_and_validate_config_file_azure(self):
         path = pathlib.Path(os.path.dirname(os.path.realpath(__file__)))
@@ -158,8 +380,8 @@ def test_load_and_validate_config_file_azure(self):
     def test_load_and_validate_config_file_old_format(self):
         path = pathlib.Path(os.path.dirname(os.path.realpath(__file__)))
         config_test_file = f"{path}/fixtures/config_old.yaml"
-
-        assert load_and_validate_config_file("aws", config_test_file) == config_aws
+        print(load_and_validate_config_file("aws", config_test_file))
+        assert load_and_validate_config_file("aws", config_test_file) == old_config_aws
         assert load_and_validate_config_file("gcp", config_test_file) == {}
         assert load_and_validate_config_file("azure", config_test_file) == {}
         assert load_and_validate_config_file("kubernetes", config_test_file) == {}