From 54a9f412e84d60e0dad175b31b56cbc4f966d089 Mon Sep 17 00:00:00 2001 From: vysakh-devopspace <135362393+vysakh-devopspace@users.noreply.github.com> Date: Wed, 16 Aug 2023 16:31:06 +0400 Subject: [PATCH] feat(ec2): New check ec2_instance_detailed_monitoring_enabled (#2735) Co-authored-by: Vysakh Co-authored-by: Pepe Fagoaga --- .../__init__.py | 0 ..._detailed_monitoring_enabled.metadata.json | 32 ++++ ...c2_instance_detailed_monitoring_enabled.py | 24 +++ .../providers/aws/services/ec2/ec2_service.py | 7 + ...stance_detailed_monitoring_enabled_test.py | 150 ++++++++++++++++++ 5 files changed, 213 insertions(+) create mode 100644 prowler/providers/aws/services/ec2/ec2_instance_detailed_monitoring_enabled/__init__.py create mode 100644 prowler/providers/aws/services/ec2/ec2_instance_detailed_monitoring_enabled/ec2_instance_detailed_monitoring_enabled.metadata.json create mode 100644 prowler/providers/aws/services/ec2/ec2_instance_detailed_monitoring_enabled/ec2_instance_detailed_monitoring_enabled.py create mode 100644 tests/providers/aws/services/ec2/ec2_instance_detailed_monitoring_enabled/ec2_instance_detailed_monitoring_enabled_test.py diff --git a/prowler/providers/aws/services/ec2/ec2_instance_detailed_monitoring_enabled/__init__.py b/prowler/providers/aws/services/ec2/ec2_instance_detailed_monitoring_enabled/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/prowler/providers/aws/services/ec2/ec2_instance_detailed_monitoring_enabled/ec2_instance_detailed_monitoring_enabled.metadata.json b/prowler/providers/aws/services/ec2/ec2_instance_detailed_monitoring_enabled/ec2_instance_detailed_monitoring_enabled.metadata.json new file mode 100644 index 00000000..e653ea2f --- /dev/null +++ b/prowler/providers/aws/services/ec2/ec2_instance_detailed_monitoring_enabled/ec2_instance_detailed_monitoring_enabled.metadata.json @@ -0,0 +1,32 @@ +{ + "Provider": "aws", + "CheckID": "ec2_instance_detailed_monitoring_enabled", + "CheckTitle": "Check if EC2 instances have detailed monitoring enabled.", + "CheckType": [ + "Infrastructure Security" + ], + "ServiceName": "ec2", + "SubServiceName": "", + "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id", + "Severity": "low", + "ResourceType": "AwsEc2Instance", + "Description": "Check if EC2 instances have detailed monitoring enabled.", + "Risk": "Enabling detailed monitoring provides enhanced monitoring and granular insights into EC2 instance metrics. Not having detailed monitoring enabled may limit the ability to troubleshoot performance issues effectively.", + "RelatedUrl": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-cloudwatch-new.html", + "Remediation": { + "Code": { + "CLI": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EC2/instance-detailed-monitoring.html", + "NativeIaC": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EC2/instance-detailed-monitoring.html", + "Other": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-cloudwatch-new.html#enable-detailed-monitoring-instance", + "Terraform": "https://docs.bridgecrew.io/docs/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances#terraform" + }, + "Recommendation": { + "Text": "Enable detailed monitoring for EC2 instances to gain better insights into performance metrics.", + "Url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-cloudwatch-new.html#enable-detailed-monitoring-instance" + } + }, + "Categories": [], + "DependsOn": [], + "RelatedTo": [], + "Notes": "" +} \ No newline at end of file diff --git a/prowler/providers/aws/services/ec2/ec2_instance_detailed_monitoring_enabled/ec2_instance_detailed_monitoring_enabled.py b/prowler/providers/aws/services/ec2/ec2_instance_detailed_monitoring_enabled/ec2_instance_detailed_monitoring_enabled.py new file mode 100644 index 00000000..b03b6787 --- /dev/null +++ b/prowler/providers/aws/services/ec2/ec2_instance_detailed_monitoring_enabled/ec2_instance_detailed_monitoring_enabled.py @@ -0,0 +1,24 @@ +from prowler.lib.check.models import Check, Check_Report_AWS +from prowler.providers.aws.services.ec2.ec2_client import ec2_client + + +class ec2_instance_detailed_monitoring_enabled(Check): + def execute(self): + findings = [] + for instance in ec2_client.instances: + report = Check_Report_AWS(self.metadata()) + report.region = instance.region + report.resource_id = instance.id + report.resource_arn = instance.arn + report.resource_tags = instance.tags + report.status = "PASS" + report.status_extended = ( + f"EC2 Instance {instance.id} has detailed monitoring enabled." + ) + if instance.monitoring_state != "enabled": + report.status = "FAIL" + report.status_extended = f"EC2 Instance {instance.id} does not have detailed monitoring enabled." + + findings.append(report) + + return findings diff --git a/prowler/providers/aws/services/ec2/ec2_service.py b/prowler/providers/aws/services/ec2/ec2_service.py index 4fdcfcbb..548f7929 100644 --- a/prowler/providers/aws/services/ec2/ec2_service.py +++ b/prowler/providers/aws/services/ec2/ec2_service.py @@ -56,6 +56,7 @@ class EC2(AWSService): public_ip = None private_ip = None instance_profile = None + monitoring_state = "disabled" if "MetadataOptions" in instance: http_tokens = instance["MetadataOptions"]["HttpTokens"] http_endpoint = instance["MetadataOptions"][ @@ -67,6 +68,10 @@ class EC2(AWSService): ): public_dns = instance["PublicDnsName"] public_ip = instance["PublicIpAddress"] + if "Monitoring" in instance: + monitoring_state = instance.get( + "Monitoring", {"State": "disabled"} + ).get("State", "disabled") if "PrivateIpAddress" in instance: private_ip = instance["PrivateIpAddress"] if "IamInstanceProfile" in instance: @@ -88,6 +93,7 @@ class EC2(AWSService): http_tokens=http_tokens, http_endpoint=http_endpoint, instance_profile=instance_profile, + monitoring_state=monitoring_state, tags=instance.get("Tags"), ) ) @@ -407,6 +413,7 @@ class Instance(BaseModel): user_data: Optional[str] http_tokens: Optional[str] http_endpoint: Optional[str] + monitoring_state: str instance_profile: Optional[dict] tags: Optional[list] = [] diff --git a/tests/providers/aws/services/ec2/ec2_instance_detailed_monitoring_enabled/ec2_instance_detailed_monitoring_enabled_test.py b/tests/providers/aws/services/ec2/ec2_instance_detailed_monitoring_enabled/ec2_instance_detailed_monitoring_enabled_test.py new file mode 100644 index 00000000..1946c00a --- /dev/null +++ b/tests/providers/aws/services/ec2/ec2_instance_detailed_monitoring_enabled/ec2_instance_detailed_monitoring_enabled_test.py @@ -0,0 +1,150 @@ +from unittest import mock + +from boto3 import resource, session +from moto import mock_ec2 + +from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info +from prowler.providers.common.models import Audit_Metadata + +AWS_REGION = "us-east-1" +EXAMPLE_AMI_ID = "ami-12c6146b" +AWS_ACCOUNT_NUMBER = "123456789012" + + +class Test_ec2_instance_detailed_monitoring_enabled: + def set_mocked_audit_info(self): + audit_info = AWS_Audit_Info( + session_config=None, + original_session=None, + audit_session=session.Session( + profile_name=None, + botocore_session=None, + ), + audited_account=AWS_ACCOUNT_NUMBER, + audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root", + audited_user_id=None, + audited_partition="aws", + audited_identity_arn=None, + profile=None, + profile_region=None, + credentials=None, + assumed_role_info=None, + audited_regions=["us-east-1", "eu-west-1"], + organizations_metadata=None, + audit_resources=None, + mfa_enabled=False, + audit_metadata=Audit_Metadata( + services_scanned=0, + expected_checks=[], + completed_checks=0, + audit_progress=0, + ), + ) + + return audit_info + + @mock_ec2 + def test_ec2_no_instances(self): + from prowler.providers.aws.services.ec2.ec2_service import EC2 + + current_audit_info = self.set_mocked_audit_info() + + with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( + "prowler.providers.aws.services.ec2.ec2_instance_detailed_monitoring_enabled.ec2_instance_detailed_monitoring_enabled.ec2_client", + new=EC2(current_audit_info), + ): + # Test Check + from prowler.providers.aws.services.ec2.ec2_instance_detailed_monitoring_enabled.ec2_instance_detailed_monitoring_enabled import ( + ec2_instance_detailed_monitoring_enabled, + ) + + check = ec2_instance_detailed_monitoring_enabled() + result = check.execute() + + assert len(result) == 0 + + @mock_ec2 + def test_instance_with_enhanced_monitoring_disabled(self): + ec2 = resource("ec2", region_name=AWS_REGION) + instance = ec2.create_instances( + ImageId=EXAMPLE_AMI_ID, + MinCount=1, + MaxCount=1, + Monitoring={"Enabled": False}, + )[0] + + from prowler.providers.aws.services.ec2.ec2_service import EC2 + + current_audit_info = self.set_mocked_audit_info() + + with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( + "prowler.providers.aws.services.ec2.ec2_instance_detailed_monitoring_enabled.ec2_instance_detailed_monitoring_enabled.ec2_client", + new=EC2(current_audit_info), + ): + from prowler.providers.aws.services.ec2.ec2_instance_detailed_monitoring_enabled.ec2_instance_detailed_monitoring_enabled import ( + ec2_instance_detailed_monitoring_enabled, + ) + + check = ec2_instance_detailed_monitoring_enabled() + result = check.execute() + + assert len(result) == 1 + assert result[0].status == "FAIL" + assert ( + result[0].status_extended + == f"EC2 Instance {instance.id} does not have detailed monitoring enabled." + ) + assert result[0].resource_id == instance.id + assert ( + result[0].resource_arn + == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:instance/{instance.id}" + ) + + @mock_ec2 + def test_instance_with_enhanced_monitoring_enabled(self): + ec2 = resource("ec2", region_name=AWS_REGION) + instance = ec2.create_instances( + ImageId=EXAMPLE_AMI_ID, + MinCount=1, + MaxCount=1, + Monitoring={"Enabled": True}, + )[0] + + from prowler.providers.aws.services.ec2.ec2_service import EC2 + + current_audit_info = self.set_mocked_audit_info() + + with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( + "prowler.providers.aws.services.ec2.ec2_instance_detailed_monitoring_enabled.ec2_instance_detailed_monitoring_enabled.ec2_client", + new=EC2(current_audit_info), + ) as ec2_client: + # Moto does not handle the Monitoring key in the instances, so we have to update it manually + ec2_client.instances[0].monitoring_state = "enabled" + + from prowler.providers.aws.services.ec2.ec2_instance_detailed_monitoring_enabled.ec2_instance_detailed_monitoring_enabled import ( + ec2_instance_detailed_monitoring_enabled, + ) + + check = ec2_instance_detailed_monitoring_enabled() + result = check.execute() + + assert len(result) == 1 + assert result[0].status == "PASS" + assert ( + result[0].status_extended + == f"EC2 Instance {instance.id} has detailed monitoring enabled." + ) + assert result[0].resource_id == instance.id + assert ( + result[0].resource_arn + == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:instance/{instance.id}" + )