feat(CloudFront): Service and Checks (#1470)

providers/aws/services/cloudfront/cloudfront_distributions_https_enabled/cloudfront_distributions_https_enabled.metadata.json

@@ -0,0 +1,35 @@
+{
+  "Provider": "aws",
+  "CheckID": "cloudfront_distributions_https_enabled",
+  "CheckTitle": "Check if CloudFront distributions are set to HTTPS.",
+  "CheckType": [""],
+  "ServiceName": "cloudfront",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:partition:cloudfront:region:account-id:distribution/resource-id",
+  "Severity": "medium",
+  "ResourceType": "AwsCloudFrontDistribution",
+  "Description": "Check if CloudFront distributions are set to HTTPS.",
+  "Risk": "If not enabled sensitive information in transit is not protected. Surveillance and other threats are risks may exists.",
+  "RelatedUrl": "https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html",
+  "Remediation": {
+    "Code": {
+      "CLI": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudFront/security-policy.html",
+      "NativeIaC": "https://docs.bridgecrew.io/docs/networking_32#cloudformation",
+      "Other": "",
+      "Terraform": "https://docs.bridgecrew.io/docs/networking_32#terraform"
+    },
+    "Recommendation": {
+      "Text": "Use HTTPS everywhere possible. It will enforce privacy and protect against account hijacking and other threats.",
+      "Url": "https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https.html"
+    }
+  },
+  "Categories": [],
+  "Tags": {
+    "Tag1Key": "value",
+    "Tag2Key": "value"
+  },
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "",
+  "Compliance": []
+}

providers/aws/services/cloudfront/cloudfront_distributions_https_enabled/cloudfront_distributions_https_enabled.py

@@ -0,0 +1,38 @@
+from lib.check.models import Check, Check_Report
+from providers.aws.services.cloudfront.cloudfront_client import cloudfront_client
+from providers.aws.services.cloudfront.cloudfront_service import ViewerProtocolPolicy
+
+
+class cloudfront_distributions_https_enabled(Check):
+    def execute(self):
+        findings = []
+        for distribution in cloudfront_client.distributions.values():
+            report = Check_Report(self.metadata)
+            report.region = distribution.region
+            report.resource_arn = distribution.arn
+            report.resource_id = distribution.id
+            if (
+                distribution.default_cache_config.viewer_protocol_policy
+                == ViewerProtocolPolicy.allow_all
+            ):
+                report.status = "FAIL"
+                report.status_extended = f"CloudFront Distribution {distribution.id} viewers can use HTTP or HTTPS"
+            elif (
+                distribution.default_cache_config.viewer_protocol_policy
+                == ViewerProtocolPolicy.redirect_to_https
+            ):
+                report.status = "PASS"
+                report.status_extended = (
+                    f"CloudFront Distribution {distribution.id} has redirect to HTTPS"
+                )
+            elif (
+                distribution.default_cache_config.viewer_protocol_policy
+                == ViewerProtocolPolicy.https_only
+            ):
+                report.status = "PASS"
+                report.status_extended = (
+                    f"CloudFront Distribution {distribution.id} has HTTPS only"
+                )
+            findings.append(report)
+
+        return findings

providers/aws/services/cloudfront/cloudfront_distributions_https_enabled/cloudfront_distributions_https_enabled_test.py

@@ -0,0 +1,148 @@
+from unittest import mock
+
+from moto.core import DEFAULT_ACCOUNT_ID
+
+from providers.aws.services.cloudfront.cloudfront_service import (
+    DefaultCacheConfigBehaviour,
+    Distribution,
+    ViewerProtocolPolicy,
+)
+
+DISTRIBUTION_ID = "E27LVI50CSW06W"
+DISTRIBUTION_ARN = (
+    f"arn:aws:cloudfront::{DEFAULT_ACCOUNT_ID}:distribution/{DISTRIBUTION_ID}"
+)
+REGION = "eu-west-1"
+
+
+class Test_cloudfront_distributions_https_enabled:
+    def test_no_distributions(self):
+        cloudfront_client = mock.MagicMock
+        cloudfront_client.distributions = {}
+        with mock.patch(
+            "providers.aws.services.cloudfront.cloudfront_service.CloudFront",
+            new=cloudfront_client,
+        ):
+            # Test Check
+            from providers.aws.services.cloudfront.cloudfront_distributions_https_enabled.cloudfront_distributions_https_enabled import (
+                cloudfront_distributions_https_enabled,
+            )
+
+            check = cloudfront_distributions_https_enabled()
+            result = check.execute()
+
+            assert len(result) == 0
+
+    def test_one_distribution_https_disabled(self):
+        cloudfront_client = mock.MagicMock
+        cloudfront_client.distributions = {
+            "DISTRIBUTION_ID": Distribution(
+                arn=DISTRIBUTION_ARN,
+                id=DISTRIBUTION_ID,
+                region=REGION,
+                origins=[],
+                default_cache_config=DefaultCacheConfigBehaviour(
+                    realtime_log_config_arn="",
+                    viewer_protocol_policy=ViewerProtocolPolicy.allow_all,
+                    field_level_encryption_id="",
+                ),
+            )
+        }
+
+        with mock.patch(
+            "providers.aws.services.cloudfront.cloudfront_service.CloudFront",
+            new=cloudfront_client,
+        ):
+            # Test Check
+            from providers.aws.services.cloudfront.cloudfront_distributions_https_enabled.cloudfront_distributions_https_enabled import (
+                cloudfront_distributions_https_enabled,
+            )
+
+            check = cloudfront_distributions_https_enabled()
+            result = check.execute()
+
+            assert len(result) == 1
+            assert result[0].region == REGION
+            assert result[0].resource_arn == DISTRIBUTION_ARN
+            assert result[0].resource_id == DISTRIBUTION_ID
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"CloudFront Distribution {DISTRIBUTION_ID} viewers can use HTTP or HTTPS"
+            )
+
+    def test_one_distribution_https_redirect(self):
+        cloudfront_client = mock.MagicMock
+        cloudfront_client.distributions = {
+            "DISTRIBUTION_ID": Distribution(
+                arn=DISTRIBUTION_ARN,
+                id=DISTRIBUTION_ID,
+                region=REGION,
+                origins=[],
+                default_cache_config=DefaultCacheConfigBehaviour(
+                    realtime_log_config_arn="",
+                    viewer_protocol_policy=ViewerProtocolPolicy.redirect_to_https,
+                    field_level_encryption_id="",
+                ),
+            )
+        }
+
+        with mock.patch(
+            "providers.aws.services.cloudfront.cloudfront_service.CloudFront",
+            new=cloudfront_client,
+        ):
+            # Test Check
+            from providers.aws.services.cloudfront.cloudfront_distributions_https_enabled.cloudfront_distributions_https_enabled import (
+                cloudfront_distributions_https_enabled,
+            )
+
+            check = cloudfront_distributions_https_enabled()
+            result = check.execute()
+
+            assert len(result) == 1
+            assert result[0].region == REGION
+            assert result[0].resource_arn == DISTRIBUTION_ARN
+            assert result[0].resource_id == DISTRIBUTION_ID
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == f"CloudFront Distribution {DISTRIBUTION_ID} has redirect to HTTPS"
+            )
+
+    def test_one_distribution_https_only(self):
+        cloudfront_client = mock.MagicMock
+        cloudfront_client.distributions = {
+            "DISTRIBUTION_ID": Distribution(
+                arn=DISTRIBUTION_ARN,
+                id=DISTRIBUTION_ID,
+                region=REGION,
+                origins=[],
+                default_cache_config=DefaultCacheConfigBehaviour(
+                    realtime_log_config_arn="",
+                    viewer_protocol_policy=ViewerProtocolPolicy.https_only,
+                    field_level_encryption_id="",
+                ),
+            )
+        }
+
+        with mock.patch(
+            "providers.aws.services.cloudfront.cloudfront_service.CloudFront",
+            new=cloudfront_client,
+        ):
+            # Test Check
+            from providers.aws.services.cloudfront.cloudfront_distributions_https_enabled.cloudfront_distributions_https_enabled import (
+                cloudfront_distributions_https_enabled,
+            )
+
+            check = cloudfront_distributions_https_enabled()
+            result = check.execute()
+
+            assert len(result) == 1
+            assert result[0].region == REGION
+            assert result[0].resource_arn == DISTRIBUTION_ARN
+            assert result[0].resource_id == DISTRIBUTION_ID
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == f"CloudFront Distribution {DISTRIBUTION_ID} has HTTPS only"
+            )