ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 14:55:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(ec2): New check ec2_instance_detailed_monitoring_enabled (#2735)

Browse Source 
Co-authored-by: Vysakh <venugopal.vysakh@gmail.com>
Co-authored-by: Pepe Fagoaga <pepe@verica.io>
This commit is contained in:
vysakh-devopspace
2023-08-16 16:31:06 +04:00
committed by GitHub
parent 5a107c58bb
commit 54a9f412e8
5 changed files with 213 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

0
prowler/providers/aws/services/ec2/ec2_instance_detailed_monitoring_enabled/__init__.py Normal file
View File

32
prowler/providers/aws/services/ec2/ec2_instance_detailed_monitoring_enabled/ec2_instance_detailed_monitoring_enabled.metadata.json Normal file
View File

@@ -0,0 +1,32 @@
{
"Provider": "aws",
"CheckID": "ec2_instance_detailed_monitoring_enabled",
"CheckTitle": "Check if EC2 instances have detailed monitoring enabled.",
"CheckType": [
"Infrastructure Security"
],
"ServiceName": "ec2",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"Severity": "low",
"ResourceType": "AwsEc2Instance",
"Description": "Check if EC2 instances have detailed monitoring enabled.",
"Risk": "Enabling detailed monitoring provides enhanced monitoring and granular insights into EC2 instance metrics. Not having detailed monitoring enabled may limit the ability to troubleshoot performance issues effectively.",
"RelatedUrl": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-cloudwatch-new.html",
"Remediation": {
"Code": {
"CLI": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EC2/instance-detailed-monitoring.html",
"NativeIaC": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EC2/instance-detailed-monitoring.html",
"Other": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-cloudwatch-new.html#enable-detailed-monitoring-instance",
"Terraform": "https://docs.bridgecrew.io/docs/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances#terraform"
},
"Recommendation": {
"Text": "Enable detailed monitoring for EC2 instances to gain better insights into performance metrics.",
"Url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-cloudwatch-new.html#enable-detailed-monitoring-instance"
}
},
"Categories": [],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
}

24
prowler/providers/aws/services/ec2/ec2_instance_detailed_monitoring_enabled/ec2_instance_detailed_monitoring_enabled.py Normal file
View File

@@ -0,0 +1,24 @@
from prowler.lib.check.models import Check, Check_Report_AWS
from prowler.providers.aws.services.ec2.ec2_client import ec2_client
class ec2_instance_detailed_monitoring_enabled(Check):
def execute(self):
findings = []
for instance in ec2_client.instances:
report = Check_Report_AWS(self.metadata())
report.region = instance.region
report.resource_id = instance.id
report.resource_arn = instance.arn
report.resource_tags = instance.tags
report.status = "PASS"
report.status_extended = (
f"EC2 Instance {instance.id} has detailed monitoring enabled."
)
if instance.monitoring_state != "enabled":
report.status = "FAIL"
report.status_extended = f"EC2 Instance {instance.id} does not have detailed monitoring enabled."
findings.append(report)
return findings

7
prowler/providers/aws/services/ec2/ec2_service.py
View File

@@ -56,6 +56,7 @@ class EC2(AWSService):
public_ip = None public_ip = None
private_ip = None private_ip = None
instance_profile = None instance_profile = None
monitoring_state = "disabled"
if "MetadataOptions" in instance: if "MetadataOptions" in instance:
http_tokens = instance["MetadataOptions"]["HttpTokens"] http_tokens = instance["MetadataOptions"]["HttpTokens"]
http_endpoint = instance["MetadataOptions"][ http_endpoint = instance["MetadataOptions"][
@@ -67,6 +68,10 @@ class EC2(AWSService):
): ):
public_dns = instance["PublicDnsName"] public_dns = instance["PublicDnsName"]
public_ip = instance["PublicIpAddress"] public_ip = instance["PublicIpAddress"]
if "Monitoring" in instance:
monitoring_state = instance.get(
"Monitoring", {"State": "disabled"}
).get("State", "disabled")
if "PrivateIpAddress" in instance: if "PrivateIpAddress" in instance:
private_ip = instance["PrivateIpAddress"] private_ip = instance["PrivateIpAddress"]
if "IamInstanceProfile" in instance: if "IamInstanceProfile" in instance:
@@ -88,6 +93,7 @@ class EC2(AWSService):
http_tokens=http_tokens, http_tokens=http_tokens,
http_endpoint=http_endpoint, http_endpoint=http_endpoint,
instance_profile=instance_profile, instance_profile=instance_profile,
monitoring_state=monitoring_state,
tags=instance.get("Tags"), tags=instance.get("Tags"),
) )
) )
@@ -407,6 +413,7 @@ class Instance(BaseModel):
user_data: Optional[str] user_data: Optional[str]
http_tokens: Optional[str] http_tokens: Optional[str]
http_endpoint: Optional[str] http_endpoint: Optional[str]
monitoring_state: str
instance_profile: Optional[dict] instance_profile: Optional[dict]
tags: Optional[list] = [] tags: Optional[list] = []

150
tests/providers/aws/services/ec2/ec2_instance_detailed_monitoring_enabled/ec2_instance_detailed_monitoring_enabled_test.py Normal file
View File

@@ -0,0 +1,150 @@
from unittest import mock
from boto3 import resource, session
from moto import mock_ec2
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.common.models import Audit_Metadata
AWS_REGION = "us-east-1"
EXAMPLE_AMI_ID = "ami-12c6146b"
AWS_ACCOUNT_NUMBER = "123456789012"
class Test_ec2_instance_detailed_monitoring_enabled:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
@mock_ec2
def test_ec2_no_instances(self):
from prowler.providers.aws.services.ec2.ec2_service import EC2
current_audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.ec2.ec2_instance_detailed_monitoring_enabled.ec2_instance_detailed_monitoring_enabled.ec2_client",
new=EC2(current_audit_info),
):
# Test Check
from prowler.providers.aws.services.ec2.ec2_instance_detailed_monitoring_enabled.ec2_instance_detailed_monitoring_enabled import (
ec2_instance_detailed_monitoring_enabled,
)
check = ec2_instance_detailed_monitoring_enabled()
result = check.execute()
assert len(result) == 0
@mock_ec2
def test_instance_with_enhanced_monitoring_disabled(self):
ec2 = resource("ec2", region_name=AWS_REGION)
instance = ec2.create_instances(
ImageId=EXAMPLE_AMI_ID,
MinCount=1,
MaxCount=1,
Monitoring={"Enabled": False},
)[0]
from prowler.providers.aws.services.ec2.ec2_service import EC2
current_audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.ec2.ec2_instance_detailed_monitoring_enabled.ec2_instance_detailed_monitoring_enabled.ec2_client",
new=EC2(current_audit_info),
):
from prowler.providers.aws.services.ec2.ec2_instance_detailed_monitoring_enabled.ec2_instance_detailed_monitoring_enabled import (
ec2_instance_detailed_monitoring_enabled,
)
check = ec2_instance_detailed_monitoring_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"EC2 Instance {instance.id} does not have detailed monitoring enabled."
)
assert result[0].resource_id == instance.id
assert (
result[0].resource_arn
== f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:instance/{instance.id}"
)
@mock_ec2
def test_instance_with_enhanced_monitoring_enabled(self):
ec2 = resource("ec2", region_name=AWS_REGION)
instance = ec2.create_instances(
ImageId=EXAMPLE_AMI_ID,
MinCount=1,
MaxCount=1,
Monitoring={"Enabled": True},
)[0]
from prowler.providers.aws.services.ec2.ec2_service import EC2
current_audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.ec2.ec2_instance_detailed_monitoring_enabled.ec2_instance_detailed_monitoring_enabled.ec2_client",
new=EC2(current_audit_info),
) as ec2_client:
# Moto does not handle the Monitoring key in the instances, so we have to update it manually
ec2_client.instances[0].monitoring_state = "enabled"
from prowler.providers.aws.services.ec2.ec2_instance_detailed_monitoring_enabled.ec2_instance_detailed_monitoring_enabled import (
ec2_instance_detailed_monitoring_enabled,
)
check = ec2_instance_detailed_monitoring_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"EC2 Instance {instance.id} has detailed monitoring enabled."
)
assert result[0].resource_id == instance.id
assert (
result[0].resource_arn
== f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:instance/{instance.id}"
)