feat(ec2): add checks for EC2 instances with exposed ports to the internet #4029
Conversation
Codecov Report: All modified and coverable lines are covered by tests ✅

Coverage diff (master vs. #4029):

| | master | #4029 | +/- |
|---|---|---|---|
| Coverage | 86.37% | 86.62% | +0.25% |
| Files | 789 | 812 | +23 |
| Lines | 24706 | 25396 | +690 |
| Hits | 21340 | 22000 | +660 |
| Misses | 3366 | 3396 | +30 |
Review comment on `...s/ec2/ec2_instance_ssh_port_exposed_to_internet/ec2_instance_ssh_port_exposed_to_internet.py` (outdated, resolved): suggested changing the `ec2_instance_ssh_port_exposed_to_internet` check to the `ec2_instance_port_ssh_exposed_to_internet` check.
You can check the documentation for this PR here -> SaaS Documentation |
Review comment on `...stance_port_sqlserver_exposed_to_internet/ec2_instance_port_sqlserver_exposed_to_internet.py` (outdated, resolved).
Review comment on `...stance_port_cassandra_exposed_to_internet/ec2_instance_port_cassandra_exposed_to_internet.py` (outdated, resolved):
```python
) = get_instance_public_status(
    vpc_client.vpc_subnets, instance, "Cassandra"
)
break
```
This `break` only aborts the `for ingress_rule in sg.ingress_rules:` loop. Is that on purpose, or do we need to add more checks to exit the outer loops?
This comment applies to all the checks within this PR.
Review comment on `...rt_kerberos_exposed_to_internet/ec2_instance_port_kerberos_exposed_to_internet.metadata.json` (outdated, resolved).
```python
) = get_instance_public_status(
    vpc_client.vpc_subnets, instance, "Cassandra"
)
break
```
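Review bot: the service label `"Cassandra"` passed to `get_instance_public_status` in this snippet is the same literal as in the snippet reviewed above on the Cassandra check; if this snippet belongs to a different check (the surrounding thread is on the Kerberos files), the label has been copy-pasted and anything the helper builds from it will name the wrong service, so it should be changed to the service this check actually covers. The `break` here has the same scope problem already raised above: it leaves only the innermost `for ingress_rule in sg.ingress_rules:` loop, so scanning continues with the next security group after a match has already been recorded.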
Review the comment about the loop break.
Description

Add checks `ec2_instance_port_X_exposed_to_internet` to check if there are EC2 Instances exposed to the internet through the specific port. EC2 Instances with an exposed port open to the Internet will be flagged as FAIL with a severity of medium if the instance has no public IP, high if the instance has a public IP but is in a private subnet, and critical if the instance has a public IP and is in a public subnet.
License
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
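The severity ladder in the description (medium / high / critical, keyed on public IP and subnet type) and the nested security-group scan discussed in the review thread can be shown end to end. The example below is added here and is not Prowler's code: the dataclasses stand in for Prowler's EC2/VPC models, `get_instance_public_status` is not reproduced, and every name, the sample subnets, security groups and instances are constructed assumptions. It generalizes slightly beyond the PR text by treating `-1` ("all traffic") rules and IPv6 `::/0` sources as internet-wide as well.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Everything below is constructed for this example. The dataclasses are stand-ins
# for Prowler's EC2/VPC models, not its real classes, and all names are assumptions.


@dataclass
class IngressRule:
    ip_protocol: str        # "tcp", "udp" or "-1" (all traffic, every port)
    from_port: int
    to_port: int
    cidrs: List[str]        # IPv4 and IPv6 source ranges


@dataclass
class SecurityGroup:
    group_id: str
    ingress_rules: List[IngressRule]


@dataclass
class Subnet:
    subnet_id: str
    public: bool            # True when a route table sends 0.0.0.0/0 to an internet gateway


@dataclass
class Instance:
    instance_id: str
    public_ip: Optional[str]
    subnet_id: str
    security_groups: List[SecurityGroup]


def is_internet_wide(cidr: str) -> bool:
    """0.0.0.0/0 and ::/0 are the only source ranges with a zero-length prefix."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_exposes(rule: IngressRule, port: int, protocol: str) -> bool:
    """True when the rule covers port/protocol and at least one source is the whole internet."""
    if rule.ip_protocol == "-1":
        covers_port = True                                  # "all traffic" rules cover every port
    else:
        covers_port = rule.ip_protocol == protocol and rule.from_port <= port <= rule.to_port
    return covers_port and any(is_internet_wide(c) for c in rule.cidrs)


def port_open_to_internet(instance: Instance, port: int, protocol: str = "tcp") -> bool:
    """One matching rule in any attached group is enough. Returning from inside the
    nested loops leaves both of them; a bare `break` in the inner loop would only stop
    scanning that one group's rules and the outer loop would carry on."""
    for sg in instance.security_groups:
        for rule in sg.ingress_rules:
            if rule_exposes(rule, port, protocol):
                return True
    return False


def exposure_severity(instance: Instance, subnets: Dict[str, Subnet]) -> str:
    """Severity ladder from the PR description."""
    if instance.public_ip is None:
        return "medium"                                     # reachable only through NAT/LB
    return "critical" if subnets[instance.subnet_id].public else "high"


def check_port_exposed(instance, subnets, port, protocol, service) -> dict:
    if not port_open_to_internet(instance, port, protocol):
        return {"status": "PASS", "severity": None,
                "status_extended": f"{instance.instance_id}: {service} ({protocol}/{port}) not open to the internet."}
    return {"status": "FAIL", "severity": exposure_severity(instance, subnets),
            "status_extended": f"{instance.instance_id}: {service} ({protocol}/{port}) open to the internet."}


# Constructed sample inventory (assumed IDs and RFC 5737 addresses).
SUBNETS = {"subnet-pub": Subnet("subnet-pub", True), "subnet-priv": Subnet("subnet-priv", False)}
CORP_SSH = SecurityGroup("sg-corp", [IngressRule("tcp", 22, 22, ["10.0.0.0/8"])])
WORLD_SSH = SecurityGroup("sg-ssh", [IngressRule("tcp", 22, 22, ["0.0.0.0/0"])])
WORLD_TCP_V6 = SecurityGroup("sg-v6", [IngressRule("tcp", 0, 65535, ["::/0"])])
ALL_TRAFFIC = SecurityGroup("sg-all", [IngressRule("-1", -1, -1, ["0.0.0.0/0"])])

INSTANCES = [
    Instance("i-critical", "203.0.113.10", "subnet-pub", [CORP_SSH, WORLD_SSH]),
    Instance("i-high", "203.0.113.11", "subnet-priv", [WORLD_TCP_V6]),
    Instance("i-medium", None, "subnet-priv", [ALL_TRAFFIC]),
    Instance("i-pass", "203.0.113.12", "subnet-pub", [CORP_SSH]),
]


def run_check(port: int = 22, protocol: str = "tcp", service: str = "SSH") -> Dict[str, dict]:
    """Evaluate one port/service check across the sample inventory, keyed by instance id."""
    return {i.instance_id: check_port_exposed(i, SUBNETS, port, protocol, service) for i in INSTANCES}


if __name__ == "__main__":
    for iid, finding in run_check().items():
        print(iid, finding["status"], finding["severity"])
```

`i-critical` only matches on its second security group, which is exactly the case where an inner-loop `break` that does not propagate outward would still work but a premature exit of the outer loop would not; using `return` (or `any()`) sidesteps the question the reviewer raised. Calling `run_check(88, "udp", "Kerberos")` flags only the all-traffic instance, since the TCP-only rules do not cover UDP.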