feat(aws): New CloudTrail, DLM, DocumentDB, EC2, Account and Support checks #2675
Merged: jfagoagas merged 62 commits into prowler-cloud:master from jit-contrib:PR_Add_AWS_rules on Oct 17, 2023
Commits (62):
361b9d8 jit-contrib: Fix PR comments
8acf8d7 jit-contrib: Apply PR suggestion to ec2_ebs_snapshots_exists
0cafc33 jit-contrib: Remove tests of reverted rules
d616ebb jit-contrib: Add new account rule
e421e1d jit-contrib: Fix cloudtrail test
21f86ba jit-contrib: Fix ec2_ebs_snapshots_exists test
4b744ac jit-contrib: Fix cloudtrail_management_exist_with_multi_region_enabled test
61539b1 jit-contrib: Fix cloudtrail_management_exist_with_multi_region_enabled test
a4b806b jit-contrib: Fix cloudtrail_management_exist_with_multi_region_enabled test
b5be6a0 jit-contrib: Add support_plan_subscribed rule
5b553a2 jit-contrib: Update prowler/providers/aws/services/account/account_maintain_differ…
bccbd48 jit-contrib: Update prowler/providers/aws/services/account/account_maintain_differ…
d11f1b7 jit-contrib: Update prowler/providers/aws/services/account/account_maintain_differ…
67d8eea jit-contrib: Update prowler/providers/aws/services/account/account_maintain_differ…
d149679 jit-contrib: Update prowler/providers/aws/services/support/support_service.py
438329c jit-contrib: Update rule name from dlm_ebs_snapshot_policy_exists to dlm_ebs_lifec…
2998e02 jit-contrib: Update cloudtrail_management_exist_with_multi_region_enabled metadata
f21a208 jit-contrib: Update dlm_ebs_lifecycle_policy_exists metadata
235fc7a jit-contrib: Update rule name from dlm_ebs_snapshot_policy_exists to dlm_ebs_snaps…
d55b221 jit-contrib: Update prowler/providers/aws/services/dlm/dlm_client.py
e7ecfa4 jit-contrib: Update prowler/providers/aws/services/dlm/dlm_service.py
5d9add4 jit-contrib: Update prowler/providers/aws/services/dlm/dlm_service.py
edfc48a jit-contrib: Update prowler/providers/aws/services/dlm/dlm_service.py
6ba133b jit-contrib: Update prowler/providers/aws/services/documentdb/documentdb_service.py
afefeb2 jit-contrib: Update prowler/providers/aws/services/documentdb/documentdb_service.py
bde924d jit-contrib: Update prowler/providers/aws/services/documentdb/documentdb_instance_…
a93e3af jit-contrib: Fix dlm service and rules
d1f5e0c jit-contrib: Add missing dlm rule
1137099 jit-contrib: Merge support service into trustadvisor service
fc316e5 jit-contrib: Add missing metadata information to documentdb rule
a79dd77 jit-contrib: Add missing metadata to ec2_ebs_snapshots_exists.metadata.json
10d75da jit-contrib: Add missing metadata to documentdb_instance_storage_encrypted.metadat…
b4193eb jit-contrib: Fix ec2_service.py marking Snapshot volume attribute as Optional
317bea3 jit-contrib: Update poetry.lock file with the master one
139cfcd jit-contrib: Move Business logic from account_maintain_different_contact_details_t…
db9a0ce jit-contrib: Fix arn into documentdb_instance_storage_encrypted/documentdb_instanc…
e511bea jit-contrib: Remove poetry.lock
3173aca jit-contrib: Add Remediation.Text, Risk and RelatedUrl to dlm_ebs_snapshot_lifecy…
df94e9e jit-contrib: Add docdb filter to documentdb_service
86a7723 jit-contrib: Update prowler/providers/aws/services/dlm/dlm_ebs_snapshot_lifecycle_…
eb384cc jit-contrib: Revert changes done to poetry.lock
64794e8 jit-contrib: Apply account PR review comments
a02a62b jit-contrib: Add missing metadata to cloudtrail_management_exist_with_multi_region…
787d0c4 jit-contrib: Fix trustedadvisor_support_plan_subscribed based on PR comments and d…
337ff9f jit-contrib: Apply PR comments to discussions outcome to dlm_ebs_snapshot_lifecycl…
863016a jfagoagas: fix(account): Improve logic and add tests
8814be0 jfagoagas: fix(cloudtrail_multi_region_enabled_logging_management_events): Handl…
59c567a jfagoagas: fix(dlm_ebs_snapshot_lifecycle_policy_exists): Add tests and improve …
b26d4f4 sergargar: handle account error
ff7af95 jfagoagas: fix(documentdb_instance_storage_encrypted): Add tests, tags and remov…
60c229e jfagoagas: fix(account): Handle ResourceNotFoundException
3ade3e1 jfagoagas: fix(account): Handle ResourceNotFoundException
2f10718 jfagoagas: fix(ec2_ebs_snapshots_exists): rename check and add tests
b9d9aa0 jfagoagas: chore(ec2_ebs_volume_snapshots_exists): rename
36d179a jfagoagas: fix(trustedadvisor_premium_support_plan_subscribed): Fix service and …
a55e896 jfagoagas: fix(account): typo
0180cac jfagoagas: fix(trustedadvisor_premium_support_plan_subscribed): Fix check, servi…
3a92404 sergargar: check dlm only if snapshots
6d4115a jfagoagas: test(dlm_ebs_snapshot_lifecycle_policy_exists): add tests
a40e8c7 jfagoagas: fix(documentdb): tests
d471d1a jfagoagas: fix(dlm): tests
01c55c8 jfagoagas: fix(dlm): tests
32 changes: 32 additions & 0 deletions
...count_maintain_different_contact_details_to_security_billing_and_operations.metadata.json
@@ -0,0 +1,32 @@ | ||
{ | ||
"Provider": "aws", | ||
"CheckID": "account_maintain_different_contact_details_to_security_billing_and_operations", | ||
"CheckTitle": "Maintain different contact details to security, billing and operations.", | ||
"CheckType": [ | ||
"IAM" | ||
], | ||
"ServiceName": "account", | ||
"SubServiceName": "", | ||
"ResourceIdTemplate": "arn:partition:access-recorder:region:account-id:recorder/resource-id", | ||
"Severity": "medium", | ||
"ResourceType": "Other", | ||
"Description": "Maintain different contact details to security, billing and operations.", | ||
"Risk": "Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization. An AWS account supports a number of contact details; and AWS will use these to contact the account owner if activity judged to be in breach of Acceptable Use Policy. If an AWS account is observed to be behaving in a prohibited or suspicious manner; AWS will attempt to contact the account owner by email and phone using the contact details listed. If this is unsuccessful and the account behavior needs urgent mitigation; proactive measures may be taken; including throttling of traffic between the account exhibiting suspicious behavior and the AWS API endpoints and the Internet. This will result in impaired service to and from the account in question.", | ||
"RelatedUrl": "https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-contact.html", | ||
"Remediation": { | ||
"Code": { | ||
"CLI": "", | ||
"NativeIaC": "", | ||
"Other": "https://docs.bridgecrew.io/docs/iam_18-maintain-contact-details#aws-console", | ||
"Terraform": "" | ||
}, | ||
"Recommendation": { | ||
"Text": "Using the Billing and Cost Management console complete contact details.", | ||
"Url": "https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-contact.html" | ||
} | ||
}, | ||
"Categories": [], | ||
"DependsOn": [], | ||
"RelatedTo": [], | ||
"Notes": "" | ||
} |
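Review bot: the ResourceIdTemplate `arn:partition:access-recorder:region:account-id:recorder/resource-id` does not describe what this check reports; the check file sets resource_arn to the audited account ARN, so the template should be the account ARN form rather than a recorder ARN carried over from another check. Remediation.Code.CLI is also left empty although alternate contacts can be set from the CLI, e.g. `aws account put-alternate-contact --alternate-contact-type SECURITY --email-address <email> --name <name> --phone-number <phone> --title <title>` (repeated for BILLING and OPERATIONS), and Recommendation.Text points at the Billing and Cost Management console while RelatedUrl is the Accounts reference page for updating contacts; the two should agree.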
27 changes: 27 additions & 0 deletions
...erations/account_maintain_different_contact_details_to_security_billing_and_operations.py
@@ -0,0 +1,27 @@ | ||
from prowler.lib.check.models import Check, Check_Report_AWS | ||
from prowler.providers.aws.services.account.account_client import account_client | ||
|
||
|
||
class account_maintain_different_contact_details_to_security_billing_and_operations( | ||
Check | ||
): | ||
def execute(self): | ||
report = Check_Report_AWS(self.metadata()) | ||
report.region = account_client.region | ||
report.resource_id = account_client.audited_account | ||
report.resource_arn = account_client.audited_account_arn | ||
|
||
if ( | ||
len(account_client.contact_phone_numbers) | ||
== account_client.number_of_contacts | ||
and len(account_client.contact_names) == account_client.number_of_contacts | ||
# This is because the primary contact has no email field | ||
and len(account_client.contact_emails) | ||
== account_client.number_of_contacts - 1 | ||
): | ||
report.status = "PASS" | ||
report.status_extended = "SECURITY, BILLING and OPERATIONS contacts found and they are different between each other and between ROOT contact." | ||
else: | ||
report.status = "FAIL" | ||
report.status_extended = "SECURITY, BILLING and OPERATIONS contacts not found or they are not different between each other and between ROOT contact." | ||
return [report] |
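Review bot: the PASS condition cannot distinguish "contact not configured" from "API call failed": account_service returns a Contact with every field None on any exception (an AccessDenied included), None collapses into each set, and the check then reports FAIL with "contacts not found" for a scanner that merely lacks account:GetAlternateContact / account:GetContactInformation permission. Consider having the service record whether retrieval succeeded and emit no finding when it did not. The status_extended also claims the contacts differ "between ROOT contact" for emails, but the email set deliberately excludes the primary contact (the comment notes GetContactInformation returns no email), so the wording overstates what was compared; a FAIL message naming which set failed (phone, name or email) would make the finding actionable.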
@@ -1,11 +1,100 @@ | ||
################## Account | ||
from typing import Optional | ||
from venv import logger | ||
|
||
from botocore.client import ClientError | ||
from pydantic import BaseModel | ||
|
||
from prowler.providers.aws.lib.service.service import AWSService | ||
|
||
|
||
class Account(AWSService): | ||
def __init__(self, audit_info): | ||
# Call AWSService's __init__ | ||
super().__init__(__class__.__name__, audit_info) | ||
self.number_of_contacts = 4 | ||
self.contact_base = self.__get_contact_information__() | ||
self.contacts_billing = self.__get_alternate_contact__("BILLING") | ||
self.contacts_security = self.__get_alternate_contact__("SECURITY") | ||
self.contacts_operations = self.__get_alternate_contact__("OPERATIONS") | ||
|
||
# Set of contact phone numbers | ||
self.contact_phone_numbers = { | ||
self.contact_base.phone_number, | ||
self.contacts_billing.phone_number, | ||
self.contacts_security.phone_number, | ||
self.contacts_operations.phone_number, | ||
} | ||
|
||
# Set of contact names | ||
self.contact_names = { | ||
self.contact_base.name, | ||
self.contacts_billing.name, | ||
self.contacts_security.name, | ||
self.contacts_operations.name, | ||
} | ||
|
||
# Set of contact emails | ||
self.contact_emails = { | ||
self.contacts_billing.email, | ||
self.contacts_security.email, | ||
self.contacts_operations.email, | ||
} | ||
|
||
def __get_contact_information__(self): | ||
try: | ||
primary_account_contact = self.client.get_contact_information()[ | ||
"ContactInformation" | ||
] | ||
|
||
return Contact( | ||
type="PRIMARY", | ||
name=primary_account_contact.get("FullName"), | ||
phone_number=primary_account_contact.get("PhoneNumber"), | ||
) | ||
except Exception as error: | ||
logger.error( | ||
f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}" | ||
) | ||
return Contact(type="PRIMARY") | ||
|
||
def __get_alternate_contact__(self, contact_type: str): | ||
try: | ||
account_contact = self.client.get_alternate_contact( | ||
AlternateContactType=contact_type | ||
)["AlternateContact"] | ||
|
||
return Contact( | ||
type=contact_type, | ||
email=account_contact.get("EmailAddress"), | ||
name=account_contact.get("Name"), | ||
phone_number=account_contact.get("PhoneNumber"), | ||
) | ||
|
||
except ClientError as error: | ||
if ( | ||
error.response["Error"]["Code"] == "ResourceNotFoundException" | ||
and error.response["Error"]["Message"] | ||
== "No contact of the inputted alternate contact type found." | ||
): | ||
logger.warning( | ||
f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}" | ||
) | ||
return Contact( | ||
type=contact_type, | ||
) | ||
|
||
except Exception as error: | ||
logger.error( | ||
f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}" | ||
) | ||
return Contact( | ||
type=contact_type, | ||
) | ||
|
||
|
||
### This service don't need boto3 calls | ||
class Contact(BaseModel): | ||
type: str | ||
email: Optional[str] | ||
name: Optional[str] | ||
phone_number: Optional[str] |
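Review bot: `from venv import logger` is the wrong import; it binds the stdlib venv module's own logger, so these errors never reach the Prowler log. Use `from prowler.lib.logger import logger` as the other services do, and import ClientError from `botocore.exceptions` rather than `botocore.client`. In __get_alternate_contact__, matching the exact Message text "No contact of the inputted alternate contact type found." is brittle since AWS may reword it; the `ResourceNotFoundException` code alone is sufficient to mean "not configured". The comment `### This service don't need boto3 calls` above the Contact model looks copied from another service and does not apply here.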
34 changes: 34 additions & 0 deletions
...management_events/cloudtrail_multi_region_enabled_logging_management_events.metadata.json
@@ -0,0 +1,34 @@ | ||
{ | ||
"Provider": "aws", | ||
"CheckID": "cloudtrail_multi_region_enabled_logging_management_events", | ||
"CheckTitle": "Ensure CloudTrail logging management events in All Regions", | ||
"CheckType": [ | ||
"CIS AWS Foundations Benchmark" | ||
], | ||
"ServiceName": "cloudtrail", | ||
"SubServiceName": "", | ||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id", | ||
"Severity": "low", | ||
"ResourceType": "AwsCloudTrailTrail", | ||
"Description": "Ensure CloudTrail logging management events in All Regions", | ||
"Risk": "AWS CloudTrail enables governance, compliance, operational auditing, and risk auditing of your AWS account. To meet FTR requirements, you must have management events enabled for all AWS accounts and in all regions and aggregate these logs into an Amazon Simple Storage Service (Amazon S3) bucket owned by a separate AWS account.", | ||
"RelatedUrl": "https://docs.bridgecrew.io/docs/logging_14", | ||
"Remediation": { | ||
"Code": { | ||
"CLI": "aws cloudtrail update-trail --name <trail_name> --is-multi-region-trail", | ||
"NativeIaC": "", | ||
"Other": "https://docs.bridgecrew.io/docs/logging_14", | ||
"Terraform": "https://docs.bridgecrew.io/docs/logging_14#terraform" | ||
}, | ||
"Recommendation": { | ||
"Text": "Enable CloudTrail logging management events in All Regions", | ||
"Url": "https://docs.bridgecrew.io/docs/logging_14" | ||
} | ||
}, | ||
"Categories": [ | ||
"forensics-ready" | ||
], | ||
"DependsOn": [], | ||
"RelatedTo": [], | ||
"Notes": "" | ||
} |
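Review bot: the Remediation.Code.CLI `aws cloudtrail update-trail --name <trail_name> --is-multi-region-trail` fixes only the multi-region half of what the check tests; a trail can be multi-region and still not record management events. Add the event-selector step, e.g. `aws cloudtrail put-event-selectors --trail-name <trail_name> --event-selectors '[{"ReadWriteType":"All","IncludeManagementEvents":true}]'`. CheckTitle and Description read "Ensure CloudTrail logging management events in All Regions"; "Ensure CloudTrail is logging management events in all regions" is the grammatical form.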
54 changes: 54 additions & 0 deletions
...ed_logging_management_events/cloudtrail_multi_region_enabled_logging_management_events.py
@@ -0,0 +1,54 @@ | ||
from prowler.lib.check.models import Check, Check_Report_AWS | ||
from prowler.providers.aws.services.cloudtrail.cloudtrail_client import ( | ||
cloudtrail_client, | ||
) | ||
|
||
|
||
class cloudtrail_multi_region_enabled_logging_management_events(Check): | ||
def execute(self): | ||
findings = [] | ||
report = Check_Report_AWS(self.metadata()) | ||
report.status = "FAIL" | ||
report.status_extended = ( | ||
"No trail found with multi-region enabled and logging management events." | ||
) | ||
report.region = cloudtrail_client.region | ||
report.resource_id = cloudtrail_client.audited_account | ||
report.resource_arn = cloudtrail_client.audited_account_arn | ||
|
||
for trail in cloudtrail_client.trails: | ||
if trail.is_logging: | ||
if trail.is_multiregion: | ||
for event in trail.data_events: | ||
# Classic event selectors | ||
if not event.is_advanced: | ||
# Check if trail has IncludeManagementEvents and ReadWriteType is All | ||
if ( | ||
event.event_selector["ReadWriteType"] == "All" | ||
and event.event_selector["IncludeManagementEvents"] | ||
): | ||
report.region = trail.region | ||
report.resource_id = trail.name | ||
report.resource_arn = trail.arn | ||
report.resource_tags = trail.tags | ||
report.status = "PASS" | ||
report.status_extended = f"Trail {trail.name} from home region {trail.home_region} is multi-region, is logging and have management events enabled." | ||
|
||
# Advanced event selectors | ||
elif event.is_advanced: | ||
if event.event_selector.get( | ||
"Name" | ||
) == "Management events selector" and all( | ||
[ | ||
field["Field"] != "readOnly" | ||
for field in event.event_selector["FieldSelectors"] | ||
] | ||
): | ||
report.region = trail.region | ||
report.resource_id = trail.name | ||
report.resource_arn = trail.arn | ||
report.resource_tags = trail.tags | ||
report.status = "PASS" | ||
report.status_extended = f"Trail {trail.name} from home region {trail.home_region} is multi-region, is logging and have management events enabled." | ||
findings.append(report) | ||
return findings |
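Review bot: the advanced-selector branch recognises management-event logging only when the selector's Name equals "Management events selector", which is a free-text label (the console default) rather than a property of the selector, so trails configured through the API, CloudFormation or Terraform under any other name are reported FAIL even though they log management events. Test the field selectors instead: a selector whose FieldSelectors contain `Field == "eventCategory"` with `Equals` of `["Management"]` and no `readOnly` field records all management events. In the classic branch, `event.event_selector["ReadWriteType"]` and `["IncludeManagementEvents"]` should use `.get()` so a selector missing either key does not raise KeyError. Once a qualifying trail is found the loops can `break`; as written, every later qualifying trail overwrites report.resource_id/resource_arn/resource_tags.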
@@ -0,0 +1,4 @@ | ||
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info | ||
from prowler.providers.aws.services.dlm.dlm_service import DLM | ||
|
||
dlm_client = DLM(current_audit_info) |
34 changes: 34 additions & 0 deletions
...s_snapshot_lifecycle_policy_exists/dlm_ebs_snapshot_lifecycle_policy_exists.metadata.json
@@ -0,0 +1,34 @@ | ||
{ | ||
"Provider": "aws", | ||
"CheckID": "dlm_ebs_snapshot_lifecycle_policy_exists", | ||
"CheckTitle": "Ensure EBS Snapshot lifecycle policies are defined.", | ||
"CheckType": [ | ||
"Data Protection" | ||
], | ||
"ServiceName": "dlm", | ||
"SubServiceName": "ebs", | ||
"ResourceIdTemplate": "arn:aws:iam::account-id:resource-id", | ||
"Severity": "medium", | ||
"ResourceType": "Other", | ||
"Description": "Ensure EBS Snapshot lifecycle policies are defined.", | ||
"Risk": "With AWS DLM service, you can manage the lifecycle of your EBS volume snapshots. By automating the EBS volume backup management using lifecycle policies, you can protect your EBS data by enforcing a regular backup schedule, retain backups as required by auditors or internal compliance.", | ||
"RelatedUrl": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshot-lifecycle.html#dlm-elements", | ||
"Remediation": { | ||
"Code": { | ||
"CLI": "aws dlm create-lifecycle-policy --region <region> --execution-role-arn <execution-role-arn> --description <description> --state ENABLED --policy-details file://lifecycle-policy-config.json", | ||
"NativeIaC": "", | ||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/DLM/ebs-snapshot-automation.html", | ||
"Terraform": "" | ||
}, | ||
"Recommendation": { | ||
"Text": "To use Amazon Data Lifecycle Manager (DLM) service to manage the lifecycle of your EBS volume snapshots, you have to tag your AWS EBS volumes and create data lifecycle policies via Amazon DLM.", | ||
"Url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshot-lifecycle.html#dlm-elements" | ||
} | ||
}, | ||
"Categories": [ | ||
"forensics-ready" | ||
], | ||
"DependsOn": [], | ||
"RelatedTo": [], | ||
"Notes": "" | ||
} |
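Review bot: ResourceIdTemplate `arn:aws:iam::account-id:resource-id` is an IAM ARN form unrelated to this check; the check sets resource_arn to the audited account ARN, and a DLM policy ARN has the form `arn:aws:dlm:region:account-id:policy/policy-id`, so one of those should be used. The Risk text is also missing a conjunction before its last clause ("and retain backups as required by auditors or internal compliance").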
24 changes: 24 additions & 0 deletions
.../dlm/dlm_ebs_snapshot_lifecycle_policy_exists/dlm_ebs_snapshot_lifecycle_policy_exists.py
@@ -0,0 +1,24 @@ | ||
from prowler.lib.check.models import Check, Check_Report_AWS | ||
from prowler.providers.aws.services.dlm.dlm_client import dlm_client | ||
from prowler.providers.aws.services.ec2.ec2_client import ec2_client | ||
|
||
|
||
class dlm_ebs_snapshot_lifecycle_policy_exists(Check): | ||
def execute(self): | ||
findings = [] | ||
for region in dlm_client.lifecycle_policies: | ||
if ( | ||
region in ec2_client.regions_with_snapshots | ||
and ec2_client.regions_with_snapshots[region] | ||
): | ||
report = Check_Report_AWS(self.metadata()) | ||
report.status = "FAIL" | ||
report.status_extended = "No EBS Snapshot lifecycle policies found." | ||
report.region = region | ||
report.resource_id = dlm_client.audited_account | ||
report.resource_arn = dlm_client.audited_account_arn | ||
if dlm_client.lifecycle_policies[region]: | ||
report.status = "PASS" | ||
report.status_extended = "EBS snapshot lifecycle policies found." | ||
findings.append(report) | ||
return findings |
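Review bot: PASS is granted whenever `dlm_client.lifecycle_policies[region]` is non-empty, but DLM policies also manage AMIs (PolicyType IMAGE_MANAGEMENT) and event-based cross-account copies, and a policy may be in state DISABLED or ERROR, so a region holding only a disabled AMI policy passes this EBS-snapshot check. Filter to PolicyType `EBS_SNAPSHOT_MANAGEMENT` and State `ENABLED` before setting PASS. Note also the gate on `ec2_client.regions_with_snapshots`: a region whose volumes have no snapshots at all produces no finding, which is exactly where a missing lifecycle policy matters most; if that narrower scope is intended (per the "check dlm only if snapshots" commit), the metadata Description should state that only regions already containing snapshots are evaluated.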
Create a contact object with all the contacts instead of using a list of Nones in the case the contacts are not set