feat(aws): add 2 new Amazon EKS checks from CIS (#3439)

Co-authored-by: Pepe Fagoaga <pepe@prowler.com>
Sergio Garcia
2024-02-27 17:48:56 +01:00
committed by GitHub
parent 6d44eea11c
commit 354677bc7a
13 changed files with 362 additions and 33 deletions


@@ -2,12 +2,15 @@ from re import search
from unittest import mock
from prowler.providers.aws.services.eks.eks_service import EKSCluster
AWS_REGION = "eu-west-1"
AWS_ACCOUNT_NUMBER = "123456789012"
from tests.providers.aws.audit_info_utils import (
AWS_ACCOUNT_NUMBER,
AWS_REGION_EU_WEST_1,
)
cluster_name = "cluster_test"
cluster_arn = f"arn:aws:eks:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:cluster/{cluster_name}"
cluster_arn = (
f"arn:aws:eks:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:cluster/{cluster_name}"
)
class Test_eks_cluster_kms_cmk_encryption_in_secrets_enabled:
@@ -33,7 +36,7 @@ class Test_eks_cluster_kms_cmk_encryption_in_secrets_enabled:
EKSCluster(
name=cluster_name,
arn=cluster_arn,
region=AWS_REGION,
region=AWS_REGION_EU_WEST_1,
encryptionConfig=False,
)
)
@@ -64,7 +67,7 @@ class Test_eks_cluster_kms_cmk_encryption_in_secrets_enabled:
EKSCluster(
name=cluster_name,
arn=cluster_arn,
region=AWS_REGION,
region=AWS_REGION_EU_WEST_1,
encryptionConfig=True,
)
)


@@ -0,0 +1,96 @@
from unittest import mock
from prowler.providers.aws.services.eks.eks_service import EKSCluster
from tests.providers.aws.audit_info_utils import (
AWS_ACCOUNT_NUMBER,
AWS_REGION_EU_WEST_1,
)
cluster_name = "cluster_test"
cluster_arn = (
f"arn:aws:eks:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:cluster/{cluster_name}"
)
class Test_eks_cluster_network_policy_enabled:
def test_no_clusters(self):
eks_client = mock.MagicMock
eks_client.clusters = []
with mock.patch(
"prowler.providers.aws.services.eks.eks_service.EKS",
eks_client,
):
from prowler.providers.aws.services.eks.eks_cluster_network_policy_enabled.eks_cluster_network_policy_enabled import (
eks_cluster_network_policy_enabled,
)
check = eks_cluster_network_policy_enabled()
result = check.execute()
assert len(result) == 0
def test_cluster_without_sg(self):
eks_client = mock.MagicMock
eks_client.clusters = []
eks_client.clusters.append(
EKSCluster(
name=cluster_name,
arn=cluster_arn,
region=AWS_REGION_EU_WEST_1,
logging=None,
)
)
with mock.patch(
"prowler.providers.aws.services.eks.eks_service.EKS",
eks_client,
):
from prowler.providers.aws.services.eks.eks_cluster_network_policy_enabled.eks_cluster_network_policy_enabled import (
eks_cluster_network_policy_enabled,
)
check = eks_cluster_network_policy_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"EKS cluster {cluster_name} does not have a Network Policy. Cluster security group ID is not set."
)
assert result[0].resource_id == cluster_name
assert result[0].resource_arn == cluster_arn
assert result[0].resource_tags == []
assert result[0].region == AWS_REGION_EU_WEST_1
def test_cluster_with_sg(self):
eks_client = mock.MagicMock
eks_client.clusters = []
eks_client.clusters.append(
EKSCluster(
name=cluster_name,
arn=cluster_arn,
region=AWS_REGION_EU_WEST_1,
logging=None,
security_group_id="sg-123456789",
)
)
with mock.patch(
"prowler.providers.aws.services.eks.eks_service.EKS",
eks_client,
):
from prowler.providers.aws.services.eks.eks_cluster_network_policy_enabled.eks_cluster_network_policy_enabled import (
eks_cluster_network_policy_enabled,
)
check = eks_cluster_network_policy_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"EKS cluster {cluster_name} has a Network Policy with the security group sg-123456789."
)
assert result[0].resource_id == cluster_name
assert result[0].resource_arn == cluster_arn
assert result[0].resource_tags == []
assert result[0].region == AWS_REGION_EU_WEST_1
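Review bot: `eks_client = mock.MagicMock` at the top of test_no_clusters, test_cluster_without_sg and test_cluster_with_sg binds the MagicMock class rather than an instance, so the following `eks_client.clusters = []` writes a class attribute onto `unittest.mock.MagicMock` that every other test in the same process then shares and that nothing resets; the same pattern is in the new eks_cluster_private_nodes_enabled test file. The tests only pass because each one reassigns `clusters` before patching, and the fix is `eks_client = mock.MagicMock()` on each of those lines. Separately, the PASS assertion in test_cluster_with_sg reads `has a Network Policy with the security group sg-123456789`, which suggests the check keys on a cluster security group ID being set; a security group is not a Kubernetes NetworkPolicy, so a comment such as `# PASS here only means the cluster security group ID is set; the check does not inspect Kubernetes NetworkPolicy objects` would keep a reader from over-reading the verdict.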


@@ -0,0 +1,98 @@
from unittest import mock
from prowler.providers.aws.services.eks.eks_service import EKSCluster
from tests.providers.aws.audit_info_utils import (
AWS_ACCOUNT_NUMBER,
AWS_REGION_EU_WEST_1,
)
cluster_name = "cluster_test"
cluster_arn = (
f"arn:aws:eks:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:cluster/{cluster_name}"
)
class Test_eks_cluster_private_nodes_enabled:
def test_no_clusters(self):
eks_client = mock.MagicMock
eks_client.clusters = []
with mock.patch(
"prowler.providers.aws.services.eks.eks_service.EKS",
eks_client,
):
from prowler.providers.aws.services.eks.eks_cluster_private_nodes_enabled.eks_cluster_private_nodes_enabled import (
eks_cluster_private_nodes_enabled,
)
check = eks_cluster_private_nodes_enabled()
result = check.execute()
assert len(result) == 0
def test_cluster_with_private_nodes(self):
eks_client = mock.MagicMock
eks_client.clusters = []
eks_client.clusters.append(
EKSCluster(
name=cluster_name,
arn=cluster_arn,
region=AWS_REGION_EU_WEST_1,
logging=None,
public_access_cidrs=["203.0.113.5/32"],
endpoint_private_access=True,
)
)
with mock.patch(
"prowler.providers.aws.services.eks.eks_service.EKS",
eks_client,
):
from prowler.providers.aws.services.eks.eks_cluster_private_nodes_enabled.eks_cluster_private_nodes_enabled import (
eks_cluster_private_nodes_enabled,
)
check = eks_cluster_private_nodes_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"EKS cluster {cluster_name} is created with private nodes."
)
assert result[0].resource_id == cluster_name
assert result[0].resource_arn == cluster_arn
assert result[0].resource_tags == []
assert result[0].region == AWS_REGION_EU_WEST_1
def test_endpoint_without_private_nodes(self):
eks_client = mock.MagicMock
eks_client.clusters = []
eks_client.clusters.append(
EKSCluster(
name=cluster_name,
arn=cluster_arn,
region=AWS_REGION_EU_WEST_1,
logging=None,
endpoint_private_access=False,
)
)
with mock.patch(
"prowler.providers.aws.services.eks.eks_service.EKS",
eks_client,
):
from prowler.providers.aws.services.eks.eks_cluster_private_nodes_enabled.eks_cluster_private_nodes_enabled import (
eks_cluster_private_nodes_enabled,
)
check = eks_cluster_private_nodes_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Cluster endpoint private access is not enabled for EKS cluster {cluster_name}."
)
assert result[0].resource_id == cluster_name
assert result[0].resource_arn == cluster_arn
assert result[0].resource_tags == []
assert result[0].region == AWS_REGION_EU_WEST_1
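Review bot: The PASS case in test_cluster_with_private_nodes asserts `is created with private nodes` from `endpoint_private_access=True` plus one `public_access_cidrs` entry, and the FAIL case in test_endpoint_without_private_nodes from `endpoint_private_access=False` alone; no attribute describing where the worker nodes sit is passed, so the check presumably evaluates only the control-plane endpoint flag. Neither case sets `endpoint_public_access`, so the file does not pin the verdict when both public and private endpoint access are enabled, which is the configuration the `public_access_cidrs` value hints at; a third case with `endpoint_public_access=True, endpoint_private_access=True` would make that intent explicit. A one-line comment on the class, e.g. `# These cases only vary endpoint_private_access; node network placement is not modelled by EKSCluster here`, would document the scope of what is being tested.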


@@ -2,12 +2,15 @@ from re import search
from unittest import mock
from prowler.providers.aws.services.eks.eks_service import EKSCluster
AWS_REGION = "eu-west-1"
AWS_ACCOUNT_NUMBER = "123456789012"
from tests.providers.aws.audit_info_utils import (
AWS_ACCOUNT_NUMBER,
AWS_REGION_EU_WEST_1,
)
cluster_name = "cluster_test"
cluster_arn = f"arn:aws:eks:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:cluster/{cluster_name}"
cluster_arn = (
f"arn:aws:eks:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:cluster/{cluster_name}"
)
class Test_eks_control_plane_endpoint_access_restricted:
@@ -33,7 +36,7 @@ class Test_eks_control_plane_endpoint_access_restricted:
EKSCluster(
name=cluster_name,
arn=cluster_arn,
region=AWS_REGION,
region=AWS_REGION_EU_WEST_1,
logging=None,
endpoint_public_access=False,
endpoint_private_access=True,
@@ -60,7 +63,7 @@ class Test_eks_control_plane_endpoint_access_restricted:
assert result[0].resource_id == cluster_name
assert result[0].resource_arn == cluster_arn
assert result[0].resource_tags == []
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_EU_WEST_1
def test_control_plane_access_restricted(self):
eks_client = mock.MagicMock
@@ -69,7 +72,7 @@ class Test_eks_control_plane_endpoint_access_restricted:
EKSCluster(
name=cluster_name,
arn=cluster_arn,
region=AWS_REGION,
region=AWS_REGION_EU_WEST_1,
logging=None,
endpoint_public_access=True,
endpoint_private_access=False,
@@ -96,7 +99,7 @@ class Test_eks_control_plane_endpoint_access_restricted:
assert result[0].resource_id == cluster_name
assert result[0].resource_arn == cluster_arn
assert result[0].resource_tags == []
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_EU_WEST_1
def test_control_plane_public(self):
eks_client = mock.MagicMock
@@ -105,7 +108,7 @@ class Test_eks_control_plane_endpoint_access_restricted:
EKSCluster(
name=cluster_name,
arn=cluster_arn,
region=AWS_REGION,
region=AWS_REGION_EU_WEST_1,
logging=None,
endpoint_public_access=True,
endpoint_private_access=False,
@@ -132,7 +135,7 @@ class Test_eks_control_plane_endpoint_access_restricted:
assert result[0].resource_id == cluster_name
assert result[0].resource_arn == cluster_arn
assert result[0].resource_tags == []
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_EU_WEST_1
def test_control_plane_public_and_private(self):
eks_client = mock.MagicMock
@@ -141,7 +144,7 @@ class Test_eks_control_plane_endpoint_access_restricted:
EKSCluster(
name=cluster_name,
arn=cluster_arn,
region=AWS_REGION,
region=AWS_REGION_EU_WEST_1,
logging=None,
endpoint_public_access=True,
endpoint_private_access=True,
@@ -168,4 +171,4 @@ class Test_eks_control_plane_endpoint_access_restricted:
assert result[0].resource_id == cluster_name
assert result[0].resource_arn == cluster_arn
assert result[0].resource_tags == []
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_EU_WEST_1


@@ -5,12 +5,15 @@ from prowler.providers.aws.services.eks.eks_service import (
EKSCluster,
EKSClusterLoggingEntity,
)
AWS_REGION = "eu-west-1"
AWS_ACCOUNT_NUMBER = "123456789012"
from tests.providers.aws.audit_info_utils import (
AWS_ACCOUNT_NUMBER,
AWS_REGION_EU_WEST_1,
)
cluster_name = "cluster_test"
cluster_arn = f"arn:aws:eks:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:cluster/{cluster_name}"
cluster_arn = (
f"arn:aws:eks:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:cluster/{cluster_name}"
)
class Test_eks_control_plane_logging_all_types_enabled:
@@ -36,7 +39,7 @@ class Test_eks_control_plane_logging_all_types_enabled:
EKSCluster(
name=cluster_name,
arn=cluster_arn,
region=AWS_REGION,
region=AWS_REGION_EU_WEST_1,
logging=None,
)
)
@@ -67,7 +70,7 @@ class Test_eks_control_plane_logging_all_types_enabled:
EKSCluster(
name=cluster_name,
arn=cluster_arn,
region=AWS_REGION,
region=AWS_REGION_EU_WEST_1,
logging=EKSClusterLoggingEntity(
types=["api", "audit", "authenticator", "controllerManager"],
enabled=True,
@@ -101,7 +104,7 @@ class Test_eks_control_plane_logging_all_types_enabled:
EKSCluster(
name=cluster_name,
arn=cluster_arn,
region=AWS_REGION,
region=AWS_REGION_EU_WEST_1,
logging=EKSClusterLoggingEntity(
types=[
"api",


@@ -2,12 +2,15 @@ from re import search
from unittest import mock
from prowler.providers.aws.services.eks.eks_service import EKSCluster
AWS_REGION = "eu-west-1"
AWS_ACCOUNT_NUMBER = "123456789012"
from tests.providers.aws.audit_info_utils import (
AWS_ACCOUNT_NUMBER,
AWS_REGION_EU_WEST_1,
)
cluster_name = "cluster_test"
cluster_arn = f"arn:aws:eks:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:cluster/{cluster_name}"
cluster_arn = (
f"arn:aws:eks:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:cluster/{cluster_name}"
)
class Test_eks_endpoints_not_publicly_accessible:
@@ -33,7 +36,7 @@ class Test_eks_endpoints_not_publicly_accessible:
EKSCluster(
name=cluster_name,
arn=cluster_arn,
region=AWS_REGION,
region=AWS_REGION_EU_WEST_1,
logging=None,
endpoint_public_access=True,
endpoint_private_access=False,
@@ -59,7 +62,7 @@ class Test_eks_endpoints_not_publicly_accessible:
assert result[0].resource_id == cluster_name
assert result[0].resource_arn == cluster_arn
assert result[0].resource_tags == []
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_EU_WEST_1
def test_endpoint_not_public_access(self):
eks_client = mock.MagicMock
@@ -68,7 +71,7 @@ class Test_eks_endpoints_not_publicly_accessible:
EKSCluster(
name=cluster_name,
arn=cluster_arn,
region=AWS_REGION,
region=AWS_REGION_EU_WEST_1,
logging=None,
endpoint_public_access=False,
endpoint_private_access=True,
@@ -94,4 +97,4 @@ class Test_eks_endpoints_not_publicly_accessible:
assert result[0].resource_id == cluster_name
assert result[0].resource_arn == cluster_arn
assert result[0].resource_tags == []
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_EU_WEST_1