feat(EC2): add EC2 tests and checks (#1482)

Co-authored-by: sergargar <sergio@verica.io>

providers/aws/services/ec2/ec2_ebs_snapshots_encrypted/ec2_ebs_snapshots_encrypted.metadata.json

@@ -13,10 +13,10 @@
   "RelatedUrl": "",
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "CLI": "aws ec2 --region <REGION> enable-ebs-encryption-by-default",
+      "NativeIaC": "https://docs.bridgecrew.io/docs/general_3-encrypt-eps-volume#cloudformation",
+      "Other": "https://docs.bridgecrew.io/docs/general_3-encrypt-eps-volume#aws-console",
+      "Terraform": "https://docs.bridgecrew.io/docs/general_3-encrypt-eps-volume#terraform"
     },
     "Recommendation": {
       "Text": "Encrypt all EBS Snapshot and Enable Encryption by default. You can configure your AWS account to enforce the encryption of the new EBS volumes and snapshot copies that you create. For example; Amazon EBS encrypts the EBS volumes created when you launch an instance and the snapshots that you copy from an unencrypted snapshot.",

providers/aws/services/ec2/ec2_ebs_snapshots_encrypted/ec2_ebs_snapshots_encrypted.py

@@ -10,11 +10,11 @@ class ec2_ebs_snapshots_encrypted(Check):
             report.region = snapshot.region
             if snapshot.encrypted:
                 report.status = "PASS"
-                report.status_extended = f"EBS Snapshot {snapshot.id} is encrypted"
+                report.status_extended = f"EBS Snapshot {snapshot.id} is encrypted."
                 report.resource_id = snapshot.id
             else:
                 report.status = "FAIL"
-                report.status_extended = f"EBS Snapshot {snapshot.id} is unencrypted"
+                report.status_extended = f"EBS Snapshot {snapshot.id} is unencrypted."
                 report.resource_id = snapshot.id
             findings.append(report)
 

providers/aws/services/ec2/ec2_ebs_snapshots_encrypted/ec2_ebs_snapshots_encrypted_test.py

@@ -0,0 +1,102 @@
+from unittest import mock
+
+from boto3 import resource
+from moto import mock_ec2
+
+AWS_REGION = "us-east-1"
+
+
+class Test_ec2_ebs_snapshots_encrypted:
+    @mock_ec2
+    def test_ec2_default_snapshots(self):
+
+        from providers.aws.lib.audit_info.audit_info import current_audit_info
+        from providers.aws.services.ec2.ec2_service import EC2
+
+        current_audit_info.audited_partition = "aws"
+
+        with mock.patch(
+            "providers.aws.services.ec2.ec2_ebs_snapshots_encrypted.ec2_ebs_snapshots_encrypted.ec2_client",
+            new=EC2(current_audit_info),
+        ):
+            # Test Check
+            from providers.aws.services.ec2.ec2_ebs_snapshots_encrypted.ec2_ebs_snapshots_encrypted import (
+                ec2_ebs_snapshots_encrypted,
+            )
+
+            check = ec2_ebs_snapshots_encrypted()
+            result = check.execute()
+
+            # Default snapshots
+            assert len(result) == 1345
+
+    @mock_ec2
+    def test_ec2_unencrypted_snapshot(self):
+        # Create EC2 Mocked Resources
+        ec2 = resource("ec2", region_name=AWS_REGION)
+        volume = ec2.create_volume(Size=80, AvailabilityZone=f"{AWS_REGION}a")
+        snapshot = volume.create_snapshot(Description="testsnap")
+
+        from providers.aws.lib.audit_info.audit_info import current_audit_info
+        from providers.aws.services.ec2.ec2_service import EC2
+
+        current_audit_info.audited_partition = "aws"
+
+        with mock.patch(
+            "providers.aws.services.ec2.ec2_ebs_snapshots_encrypted.ec2_ebs_snapshots_encrypted.ec2_client",
+            new=EC2(current_audit_info),
+        ):
+            # Test Check
+            from providers.aws.services.ec2.ec2_ebs_snapshots_encrypted.ec2_ebs_snapshots_encrypted import (
+                ec2_ebs_snapshots_encrypted,
+            )
+
+            check = ec2_ebs_snapshots_encrypted()
+            results = check.execute()
+
+            # Default snapshots + 1 created
+            assert len(results) == 1346
+
+            for snap in results:
+                if snap.resource_id == snapshot.id:
+                    assert snap.status == "FAIL"
+                    assert (
+                        snap.status_extended
+                        == f"EBS Snapshot {snapshot.id} is unencrypted."
+                    )
+
+    @mock_ec2
+    def test_ec2_encrypted_snapshot(self):
+        # Create EC2 Mocked Resources
+        ec2 = resource("ec2", region_name=AWS_REGION)
+        snapshot = volume = ec2.create_volume(
+            Size=80, AvailabilityZone=f"{AWS_REGION}a", Encrypted=True
+        )
+        snapshot = volume.create_snapshot(Description="testsnap")
+        from providers.aws.lib.audit_info.audit_info import current_audit_info
+        from providers.aws.services.ec2.ec2_service import EC2
+
+        current_audit_info.audited_partition = "aws"
+
+        with mock.patch(
+            "providers.aws.services.ec2.ec2_ebs_snapshots_encrypted.ec2_ebs_snapshots_encrypted.ec2_client",
+            new=EC2(current_audit_info),
+        ):
+            # Test Check
+            from providers.aws.services.ec2.ec2_ebs_snapshots_encrypted.ec2_ebs_snapshots_encrypted import (
+                ec2_ebs_snapshots_encrypted,
+            )
+
+            check = ec2_ebs_snapshots_encrypted()
+            results = check.execute()
+
+            # Default snapshots + 1 created
+            assert len(results) == 1346
+
+            for snap in results:
+                if snap.resource_id == snapshot.id:
+                    assert snap.status == "PASS"
+                    assert (
+                        snap.status_extended
+                        == f"EBS Snapshot {snapshot.id} is encrypted."
+                    )