feat(EC2): add EC2 tests and checks (#1482)

Co-authored-by: sergargar <sergio@verica.io>

providers/aws/services/ec2/ec2_instance_secrets_user_data/ec2_instance_secrets_user_data.metadata.json

@@ -0,0 +1,36 @@
+{
+  "Provider": "aws",
+  "CheckID": "ec2_instance_secrets_user_data",
+  "CheckTitle": "Find secrets in EC2 User Data.",
+  "CheckType": ["IAM"],
+  "ServiceName": "ec2",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:partition:access-analyzer:region:account-id:analyzer/resource-id",
+  "Severity": "critical",
+  "ResourceType": "AwsEc2Instance",
+  "Description": "Find secrets in EC2 User Data.",
+  "Risk": "Secrets hardcoded into instance user data can be used by malware and bad actors to gain lateral access to other services.",
+  "RelatedUrl": "",
+  "Remediation": {
+    "Code": {
+      "CLI": "https://docs.bridgecrew.io/docs/bc_aws_secrets_1#cli-command",
+      "NativeIaC": "https://docs.bridgecrew.io/docs/bc_aws_secrets_1#cloudformation",
+      "Other": "",
+      "Terraform": "https://docs.bridgecrew.io/docs/bc_aws_secrets_1#terraform"
+    },
+    "Recommendation": {
+      "Text": "Implement automated detective control (e.g. using tools like Prowler) to scan accounts for passwords and secrets. Use secrets manager service to store and retrieve passwords and secrets.",
+      "Url": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/tutorials_basic.html"
+    }
+  },
+  "Categories": [],
+  "Tags": {
+    "Tag1Key": "value",
+    "Tag2Key": "value"
+  },
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "",
+  "Compliance": [
+  ]
+}

providers/aws/services/ec2/ec2_instance_secrets_user_data/ec2_instance_secrets_user_data.py

@@ -0,0 +1,48 @@
+import os
+import tempfile
+from base64 import b64decode
+
+from detect_secrets import SecretsCollection
+from detect_secrets.settings import default_settings
+
+from lib.check.models import Check, Check_Report
+from providers.aws.services.ec2.ec2_client import ec2_client
+
+
+class ec2_instance_secrets_user_data(Check):
+    def execute(self):
+        findings = []
+        for instance in ec2_client.instances:
+            report = Check_Report(self.metadata)
+            report.region = instance.region
+            report.resource_id = instance.id
+
+            if instance.user_data:
+                temp_user_data_file = tempfile.NamedTemporaryFile(delete=False)
+                user_data = b64decode(instance.user_data).decode("utf-8")
+
+                temp_user_data_file.write(
+                    bytes(user_data, encoding="raw_unicode_escape")
+                )
+                temp_user_data_file.close()
+                secrets = SecretsCollection()
+                with default_settings():
+                    secrets.scan_file(temp_user_data_file.name)
+
+                if secrets.json():
+                    report.status = "FAIL"
+                    report.status_extended = f"Potential secret found in EC2 instance {instance.id} User Data."
+                else:
+                    report.status = "PASS"
+                    report.status_extended = (
+                        f"No secrets found in EC2 instance {instance.id} User Data."
+                    )
+
+                os.remove(temp_user_data_file.name)
+            else:
+                report.status = "PASS"
+                report.status_extended = f"No secrets found in EC2 instance {instance.id} since User Data is empty."
+
+            findings.append(report)
+
+        return findings

providers/aws/services/ec2/ec2_instance_secrets_user_data/ec2_instance_secrets_user_data_test.py

@@ -0,0 +1,170 @@
+from unittest import mock
+
+from boto3 import resource
+from moto import mock_ec2
+
+AWS_REGION = "us-east-1"
+EXAMPLE_AMI_ID = "ami-12c6146b"
+
+
+class Test_ec2_instance_secrets_user_data:
+    @mock_ec2
+    def test_no_ec2(self):
+
+        from providers.aws.lib.audit_info.audit_info import current_audit_info
+        from providers.aws.services.ec2.ec2_service import EC2
+
+        current_audit_info.audited_partition = "aws"
+
+        with mock.patch(
+            "providers.aws.services.ec2.ec2_instance_secrets_user_data.ec2_instance_secrets_user_data.ec2_client",
+            new=EC2(current_audit_info),
+        ):
+            # Test Check
+            from providers.aws.services.ec2.ec2_instance_secrets_user_data.ec2_instance_secrets_user_data import (
+                ec2_instance_secrets_user_data,
+            )
+
+            check = ec2_instance_secrets_user_data()
+            result = check.execute()
+
+            assert len(result) == 0
+
+    @mock_ec2
+    def test_one_ec2_with_no_secrets(self):
+
+        ec2 = resource("ec2", region_name=AWS_REGION)
+        instance = ec2.create_instances(
+            ImageId=EXAMPLE_AMI_ID,
+            MinCount=1,
+            MaxCount=1,
+            UserData="This is some user_data",
+        )[0]
+
+        from providers.aws.lib.audit_info.audit_info import current_audit_info
+        from providers.aws.services.ec2.ec2_service import EC2
+
+        current_audit_info.audited_partition = "aws"
+
+        with mock.patch(
+            "providers.aws.services.ec2.ec2_instance_secrets_user_data.ec2_instance_secrets_user_data.ec2_client",
+            new=EC2(current_audit_info),
+        ):
+            from providers.aws.services.ec2.ec2_instance_secrets_user_data.ec2_instance_secrets_user_data import (
+                ec2_instance_secrets_user_data,
+            )
+
+            check = ec2_instance_secrets_user_data()
+            result = check.execute()
+
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == f"No secrets found in EC2 instance {instance.id} User Data."
+            )
+            assert result[0].resource_id == instance.id
+
+    @mock_ec2
+    def test_one_ec2_with_secrets(self):
+
+        ec2 = resource("ec2", region_name=AWS_REGION)
+        instance = ec2.create_instances(
+            ImageId=EXAMPLE_AMI_ID,
+            MinCount=1,
+            MaxCount=1,
+            UserData="DB_PASSWORD=foobar123",
+        )[0]
+
+        from providers.aws.lib.audit_info.audit_info import current_audit_info
+        from providers.aws.services.ec2.ec2_service import EC2
+
+        current_audit_info.audited_partition = "aws"
+
+        with mock.patch(
+            "providers.aws.services.ec2.ec2_instance_secrets_user_data.ec2_instance_secrets_user_data.ec2_client",
+            new=EC2(current_audit_info),
+        ):
+            from providers.aws.services.ec2.ec2_instance_secrets_user_data.ec2_instance_secrets_user_data import (
+                ec2_instance_secrets_user_data,
+            )
+
+            check = ec2_instance_secrets_user_data()
+            result = check.execute()
+
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"Potential secret found in EC2 instance {instance.id} User Data."
+            )
+            assert result[0].resource_id == instance.id
+
+    @mock_ec2
+    def test_one_ec2_file_with_secrets(self):
+        # Include launch_configurations to check
+        f = open(
+            "providers/aws/services/ec2/ec2_instance_secrets_user_data/fixtures/fixture",
+            "r",
+        )
+        secrets = f.read()
+        ec2 = resource("ec2", region_name=AWS_REGION)
+        instance = ec2.create_instances(
+            ImageId=EXAMPLE_AMI_ID, MinCount=1, MaxCount=1, UserData=secrets
+        )[0]
+
+        from providers.aws.lib.audit_info.audit_info import current_audit_info
+        from providers.aws.services.ec2.ec2_service import EC2
+
+        current_audit_info.audited_partition = "aws"
+
+        with mock.patch(
+            "providers.aws.services.ec2.ec2_instance_secrets_user_data.ec2_instance_secrets_user_data.ec2_client",
+            new=EC2(current_audit_info),
+        ):
+            from providers.aws.services.ec2.ec2_instance_secrets_user_data.ec2_instance_secrets_user_data import (
+                ec2_instance_secrets_user_data,
+            )
+
+            check = ec2_instance_secrets_user_data()
+            result = check.execute()
+
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"Potential secret found in EC2 instance {instance.id} User Data."
+            )
+            assert result[0].resource_id == instance.id
+
+    @mock_ec2
+    def test_one_launch_configurations_without_user_data(self):
+
+        ec2 = resource("ec2", region_name=AWS_REGION)
+        instance = ec2.create_instances(
+            ImageId=EXAMPLE_AMI_ID, MinCount=1, MaxCount=1, UserData=""
+        )[0]
+
+        from providers.aws.lib.audit_info.audit_info import current_audit_info
+        from providers.aws.services.ec2.ec2_service import EC2
+
+        current_audit_info.audited_partition = "aws"
+
+        with mock.patch(
+            "providers.aws.services.ec2.ec2_instance_secrets_user_data.ec2_instance_secrets_user_data.ec2_client",
+            new=EC2(current_audit_info),
+        ):
+            from providers.aws.services.ec2.ec2_instance_secrets_user_data.ec2_instance_secrets_user_data import (
+                ec2_instance_secrets_user_data,
+            )
+
+            check = ec2_instance_secrets_user_data()
+            result = check.execute()
+
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == f"No secrets found in EC2 instance {instance.id} since User Data is empty."
+            )
+            assert result[0].resource_id == instance.id

providers/aws/services/ec2/ec2_instance_secrets_user_data/fixtures/fixture

@@ -0,0 +1,4 @@
+DB_PASSWORD=foobar123
+DB_USER=foo
+API_KEY=12345abcd
+SERVICE_PASSWORD=bbaabb45