feat(ec2): New check ec2_instance_detailed_monitoring_enabled (#2735)

Co-authored-by: Vysakh <venugopal.vysakh@gmail.com> Co-authored-by: Pepe Fagoaga <pepe@verica.io>
2026-02-10 06:45:08 +00:00 · 2023-08-16 16:31:06 +04:00
parent 5a107c58bb
commit 54a9f412e8
5 changed files with 213 additions and 0 deletions
--- a/prowler/providers/aws/services/ec2/ec2_instance_detailed_monitoring_enabled/init.py
+++ b/prowler/providers/aws/services/ec2/ec2_instance_detailed_monitoring_enabled/init.py
--- a/prowler/providers/aws/services/ec2/ec2_instance_detailed_monitoring_enabled/ec2_instance_detailed_monitoring_enabled.metadata.json
+++ b/prowler/providers/aws/services/ec2/ec2_instance_detailed_monitoring_enabled/ec2_instance_detailed_monitoring_enabled.metadata.json
@@ -0,0 +1,32 @@
+{
+  "Provider": "aws",
+  "CheckID": "ec2_instance_detailed_monitoring_enabled",
+  "CheckTitle": "Check if EC2 instances have detailed monitoring enabled.",
+  "CheckType": [
+    "Infrastructure Security"
+  ],
+  "ServiceName": "ec2",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "Severity": "low",
+  "ResourceType": "AwsEc2Instance",
+  "Description": "Check if EC2 instances have detailed monitoring enabled.",
+  "Risk": "Enabling detailed monitoring provides enhanced monitoring and granular insights into EC2 instance metrics. Not having detailed monitoring enabled may limit the ability to troubleshoot performance issues effectively.",
+  "RelatedUrl": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-cloudwatch-new.html",
+  "Remediation": {
+    "Code": {
+      "CLI": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EC2/instance-detailed-monitoring.html",
+      "NativeIaC": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EC2/instance-detailed-monitoring.html",
+      "Other": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-cloudwatch-new.html#enable-detailed-monitoring-instance",
+      "Terraform": "https://docs.bridgecrew.io/docs/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances#terraform"
+    },
+    "Recommendation": {
+      "Text": "Enable detailed monitoring for EC2 instances to gain better insights into performance metrics.",
+      "Url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-cloudwatch-new.html#enable-detailed-monitoring-instance"
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}
--- a/prowler/providers/aws/services/ec2/ec2_instance_detailed_monitoring_enabled/ec2_instance_detailed_monitoring_enabled.py
+++ b/prowler/providers/aws/services/ec2/ec2_instance_detailed_monitoring_enabled/ec2_instance_detailed_monitoring_enabled.py
@@ -0,0 +1,24 @@
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.ec2.ec2_client import ec2_client
+
+
+class ec2_instance_detailed_monitoring_enabled(Check):
+    def execute(self):
+        findings = []
+        for instance in ec2_client.instances:
+            report = Check_Report_AWS(self.metadata())
+            report.region = instance.region
+            report.resource_id = instance.id
+            report.resource_arn = instance.arn
+            report.resource_tags = instance.tags
+            report.status = "PASS"
+            report.status_extended = (
+                f"EC2 Instance {instance.id} has detailed monitoring enabled."
+            )
+            if instance.monitoring_state != "enabled":
+                report.status = "FAIL"
+                report.status_extended = f"EC2 Instance {instance.id} does not have detailed monitoring enabled."
+
+            findings.append(report)
+
+        return findings
--- a/prowler/providers/aws/services/ec2/ec2_service.py
+++ b/prowler/providers/aws/services/ec2/ec2_service.py
@@ -56,6 +56,7 @@ class EC2(AWSService):
                            public_ip = None
                            private_ip = None
                            instance_profile = None
+                            monitoring_state = "disabled"
                            if "MetadataOptions" in instance:
                                http_tokens = instance["MetadataOptions"]["HttpTokens"]
                                http_endpoint = instance["MetadataOptions"][
@@ -67,6 +68,10 @@ class EC2(AWSService):
                            ):
                                public_dns = instance["PublicDnsName"]
                                public_ip = instance["PublicIpAddress"]
+                            if "Monitoring" in instance:
+                                monitoring_state = instance.get(
+                                    "Monitoring", {"State": "disabled"}
+                                ).get("State", "disabled")
                            if "PrivateIpAddress" in instance:
                                private_ip = instance["PrivateIpAddress"]
                            if "IamInstanceProfile" in instance:
@@ -88,6 +93,7 @@ class EC2(AWSService):
                                    http_tokens=http_tokens,
                                    http_endpoint=http_endpoint,
                                    instance_profile=instance_profile,
+                                    monitoring_state=monitoring_state,
                                    tags=instance.get("Tags"),
                                )
                            )
@@ -407,6 +413,7 @@ class Instance(BaseModel):
    user_data: Optional[str]
    http_tokens: Optional[str]
    http_endpoint: Optional[str]
+    monitoring_state: str
    instance_profile: Optional[dict]
    tags: Optional[list] = []

--- a/tests/providers/aws/services/ec2/ec2_instance_detailed_monitoring_enabled/ec2_instance_detailed_monitoring_enabled_test.py
+++ b/tests/providers/aws/services/ec2/ec2_instance_detailed_monitoring_enabled/ec2_instance_detailed_monitoring_enabled_test.py
@@ -0,0 +1,150 @@
+from unittest import mock
+
+from boto3 import resource, session
+from moto import mock_ec2
+
+from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
+from prowler.providers.common.models import Audit_Metadata
+
+AWS_REGION = "us-east-1"
+EXAMPLE_AMI_ID = "ami-12c6146b"
+AWS_ACCOUNT_NUMBER = "123456789012"
+
+
+class Test_ec2_instance_detailed_monitoring_enabled:
+    def set_mocked_audit_info(self):
+        audit_info = AWS_Audit_Info(
+            session_config=None,
+            original_session=None,
+            audit_session=session.Session(
+                profile_name=None,
+                botocore_session=None,
+            ),
+            audited_account=AWS_ACCOUNT_NUMBER,
+            audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
+            audited_user_id=None,
+            audited_partition="aws",
+            audited_identity_arn=None,
+            profile=None,
+            profile_region=None,
+            credentials=None,
+            assumed_role_info=None,
+            audited_regions=["us-east-1", "eu-west-1"],
+            organizations_metadata=None,
+            audit_resources=None,
+            mfa_enabled=False,
+            audit_metadata=Audit_Metadata(
+                services_scanned=0,
+                expected_checks=[],
+                completed_checks=0,
+                audit_progress=0,
+            ),
+        )
+
+        return audit_info
+
+    @mock_ec2
+    def test_ec2_no_instances(self):
+        from prowler.providers.aws.services.ec2.ec2_service import EC2
+
+        current_audit_info = self.set_mocked_audit_info()
+
+        with mock.patch(
+            "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
+            new=current_audit_info,
+        ), mock.patch(
+            "prowler.providers.aws.services.ec2.ec2_instance_detailed_monitoring_enabled.ec2_instance_detailed_monitoring_enabled.ec2_client",
+            new=EC2(current_audit_info),
+        ):
+            # Test Check
+            from prowler.providers.aws.services.ec2.ec2_instance_detailed_monitoring_enabled.ec2_instance_detailed_monitoring_enabled import (
+                ec2_instance_detailed_monitoring_enabled,
+            )
+
+            check = ec2_instance_detailed_monitoring_enabled()
+            result = check.execute()
+
+            assert len(result) == 0
+
+    @mock_ec2
+    def test_instance_with_enhanced_monitoring_disabled(self):
+        ec2 = resource("ec2", region_name=AWS_REGION)
+        instance = ec2.create_instances(
+            ImageId=EXAMPLE_AMI_ID,
+            MinCount=1,
+            MaxCount=1,
+            Monitoring={"Enabled": False},
+        )[0]
+
+        from prowler.providers.aws.services.ec2.ec2_service import EC2
+
+        current_audit_info = self.set_mocked_audit_info()
+
+        with mock.patch(
+            "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
+            new=current_audit_info,
+        ), mock.patch(
+            "prowler.providers.aws.services.ec2.ec2_instance_detailed_monitoring_enabled.ec2_instance_detailed_monitoring_enabled.ec2_client",
+            new=EC2(current_audit_info),
+        ):
+            from prowler.providers.aws.services.ec2.ec2_instance_detailed_monitoring_enabled.ec2_instance_detailed_monitoring_enabled import (
+                ec2_instance_detailed_monitoring_enabled,
+            )
+
+            check = ec2_instance_detailed_monitoring_enabled()
+            result = check.execute()
+
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"EC2 Instance {instance.id} does not have detailed monitoring enabled."
+            )
+            assert result[0].resource_id == instance.id
+            assert (
+                result[0].resource_arn
+                == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:instance/{instance.id}"
+            )
+
+    @mock_ec2
+    def test_instance_with_enhanced_monitoring_enabled(self):
+        ec2 = resource("ec2", region_name=AWS_REGION)
+        instance = ec2.create_instances(
+            ImageId=EXAMPLE_AMI_ID,
+            MinCount=1,
+            MaxCount=1,
+            Monitoring={"Enabled": True},
+        )[0]
+
+        from prowler.providers.aws.services.ec2.ec2_service import EC2
+
+        current_audit_info = self.set_mocked_audit_info()
+
+        with mock.patch(
+            "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
+            new=current_audit_info,
+        ), mock.patch(
+            "prowler.providers.aws.services.ec2.ec2_instance_detailed_monitoring_enabled.ec2_instance_detailed_monitoring_enabled.ec2_client",
+            new=EC2(current_audit_info),
+        ) as ec2_client:
+            # Moto does not handle the Monitoring key in the instances, so we have to update it manually
+            ec2_client.instances[0].monitoring_state = "enabled"
+
+            from prowler.providers.aws.services.ec2.ec2_instance_detailed_monitoring_enabled.ec2_instance_detailed_monitoring_enabled import (
+                ec2_instance_detailed_monitoring_enabled,
+            )
+
+            check = ec2_instance_detailed_monitoring_enabled()
+            result = check.execute()
+
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == f"EC2 Instance {instance.id} has detailed monitoring enabled."
+            )
+            assert result[0].resource_id == instance.id
+            assert (
+                result[0].resource_arn
+                == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:instance/{instance.id}"
+            )