ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 14:55:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(regions): add regions to resources (#1285)

Browse Source
This commit is contained in:
Sergio Garcia
2022-08-04 07:35:13 -04:00
committed by GitHub
parent 6e58991986
commit a796545da5
26 changed files with 568 additions and 740 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.pre-commit-config.yaml
View File

@@ -55,7 +55,7 @@ repos:
language: system language: system
- id: safety - id: safety
name: bandit name: safety
description: 'Safety is a tool that checks your installed dependencies for known security vulnerabilities' description: 'Safety is a tool that checks your installed dependencies for known security vulnerabilities'
entry: bash -c 'safety check' entry: bash -c 'safety check'
language: system language: system

6
lib/outputs/outputs.py
View File

@@ -42,6 +42,7 @@ def report(check_findings, output_options, audit_info):
csv_fields, csv_fields,
) )
if check_findings:
for finding in check_findings: for finding in check_findings:
# Print findings by stdout # Print findings by stdout
color = set_report_color(finding.status) color = set_report_color(finding.status)
@@ -53,6 +54,7 @@ def report(check_findings, output_options, audit_info):
print( print(
f"\t{color}{finding.status}{Style.RESET_ALL} {finding.region}: {finding.status_extended}" f"\t{color}{finding.status}{Style.RESET_ALL} {finding.region}: {finding.status_extended}"
) )
if file_descriptors: if file_descriptors:
# sending the finding to input options # sending the finding to input options
@@ -89,6 +91,10 @@ def report(check_findings, output_options, audit_info):
send_to_security_hub( send_to_security_hub(
finding.region, finding_output, audit_info.audit_session finding.region, finding_output, audit_info.audit_session
) )
else: # No service resources in the whole account
color = set_report_color("PASS")
if not output_options.is_quiet:
print(f"{color}PASS{Style.RESET_ALL} There are no resources.")
if file_descriptors: if file_descriptors:
# Close all file descriptors # Close all file descriptors

6
providers/aws/aws_provider.py
View File

@@ -309,7 +309,7 @@ def get_organizations_metadata(
def generate_regional_clients(service, audit_info): def generate_regional_clients(service, audit_info):
regional_clients = [] regional_clients = {}
# Get json locally # Get json locally
f = open_file(aws_services_json_file) f = open_file(aws_services_json_file)
data = parse_json_file(f) data = parse_json_file(f)
@@ -323,8 +323,8 @@ def generate_regional_clients(service, audit_info):
for region in regions: for region in regions:
regional_client = audit_info.audit_session.client(service, region_name=region) regional_client = audit_info.audit_session.client(service, region_name=region)
regional_client.region = region regional_client.region = region
regional_clients.append(regional_client) regional_clients[region] = regional_client
# regional_clients.append(regional_client)
return regional_clients return regional_clients

18
providers/aws/services/ec2/ec2_ebs_public_snapshot/ec2_ebs_public_snapshot.py
View File

@@ -5,17 +5,12 @@ from providers.aws.services.ec2.ec2_service import ec2_client
class ec2_ebs_public_snapshot(Check): class ec2_ebs_public_snapshot(Check):
def execute(self): def execute(self):
findings = [] findings = []
for regional_client in ec2_client.regional_clients: for snapshot in ec2_client.snapshots:
region = regional_client.region
if regional_client.snapshots:
for snapshot in regional_client.snapshots:
report = Check_Report(self.metadata) report = Check_Report(self.metadata)
report.region = region report.region = snapshot.region
if not snapshot.public: if not snapshot.public:
report.status = "PASS" report.status = "PASS"
report.status_extended = ( report.status_extended = f"EBS Snapshot {snapshot.id} is not Public"
f"EBS Snapshot {snapshot.id} is not Public"
)
report.resource_id = snapshot.id report.resource_id = snapshot.id
else: else:
report.status = "FAIL" report.status = "FAIL"
@@ -24,12 +19,5 @@ class ec2_ebs_public_snapshot(Check):
) )
report.resource_id = snapshot.id report.resource_id = snapshot.id
findings.append(report) findings.append(report)
else:
report = Check_Report(self.metadata)
report.status = "PASS"
report.status_extended = "There are no EC2 EBS snapshots"
report.region = region
findings.append(report)
return findings return findings

22
providers/aws/services/ec2/ec2_ebs_snapshots_encrypted/ec2_ebs_snapshots_encrypted.py
View File

@@ -5,31 +5,17 @@ from providers.aws.services.ec2.ec2_service import ec2_client
class ec2_ebs_snapshots_encrypted(Check): class ec2_ebs_snapshots_encrypted(Check):
def execute(self): def execute(self):
findings = [] findings = []
for regional_client in ec2_client.regional_clients: for snapshot in ec2_client.snapshots:
region = regional_client.region
if regional_client.snapshots:
for snapshot in regional_client.snapshots:
report = Check_Report(self.metadata) report = Check_Report(self.metadata)
report.region = region report.region = snapshot.region
if snapshot.encrypted: if snapshot.encrypted:
report.status = "PASS" report.status = "PASS"
report.status_extended = ( report.status_extended = f"EBS Snapshot {snapshot.id} is encrypted"
f"EBS Snapshot {snapshot.id} is encrypted"
)
report.resource_id = snapshot.id report.resource_id = snapshot.id
else: else:
report.status = "FAIL" report.status = "FAIL"
report.status_extended = ( report.status_extended = f"EBS Snapshot {snapshot.id} is unencrypted"
f"EBS Snapshot {snapshot.id} is unencrypted"
)
report.resource_id = snapshot.id report.resource_id = snapshot.id
findings.append(report) findings.append(report)
else:
report = Check_Report(self.metadata)
report.status = "PASS"
report.status_extended = "There are no EC2 EBS snapshots"
report.region = region
findings.append(report)
return findings return findings

14
providers/aws/services/ec2/ec2_instance_public_ip/ec2_instance_public_ip.py
View File

@@ -5,12 +5,9 @@ from providers.aws.services.ec2.ec2_service import ec2_client
class ec2_instance_public_ip(Check): class ec2_instance_public_ip(Check):
def execute(self): def execute(self):
findings = [] findings = []
for regional_client in ec2_client.regional_clients: for instance in ec2_client.instances:
region = regional_client.region
if regional_client.instances:
for instance in regional_client.instances:
report = Check_Report(self.metadata) report = Check_Report(self.metadata)
report.region = region report.region = instance.region
if instance.public_ip: if instance.public_ip:
report.status = "FAIL" report.status = "FAIL"
report.status_extended = f"EC2 instance {instance.id} has a Public IP: {instance.public_ip} ({instance.public_dns})." report.status_extended = f"EC2 instance {instance.id} has a Public IP: {instance.public_ip} ({instance.public_dns})."
@@ -22,12 +19,5 @@ class ec2_instance_public_ip(Check):
) )
report.resource_id = instance.id report.resource_id = instance.id
findings.append(report) findings.append(report)
else:
report = Check_Report(self.metadata)
report.status = "PASS"
report.status_extended = "There are no EC2 instances."
report.region = region
findings.append(report)
return findings return findings

26
providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_22/ec2_networkacl_allow_ingress_tcp_port_22.py
View File

@@ -6,40 +6,32 @@ class ec2_networkacl_allow_ingress_tcp_port_22(Check):
def execute(self): def execute(self):
findings = [] findings = []
check_port = 22 check_port = 22
for regional_client in ec2_client.regional_clients: for network_acl in ec2_client.network_acls:
region = regional_client.region
if regional_client.network_acls:
for network_acl in regional_client.network_acls:
public = False public = False
report = Check_Report(self.metadata) report = Check_Report(self.metadata)
report.region = region report.region = network_acl.region
for entry in network_acl.entries: for entry in network_acl.entries:
if ( if (
entry["CidrBlock"] == "0.0.0.0/0" entry["CidrBlock"] == "0.0.0.0/0"
and entry["RuleAction"] == "allow" and entry["RuleAction"] == "allow"
and not entry["Egress"] and not entry["Egress"]
and "PortRange" in entry
and entry["Protocol"] == "6" # 6 relates to tcp protocol
): ):
if ( if entry["Protocol"] == "-1":
public = True
elif (
entry["PortRange"]["From"] == check_port entry["PortRange"]["From"] == check_port
and entry["PortRange"]["To"] == check_port and entry["PortRange"]["To"] == check_port
and entry["Protocol"] == "6"
): ):
public = True public = True
report.status = "FAIL"
report.status_extended = f"Network ACL {network_acl.id} has SSH port 22 open to the Internet."
report.resource_id = network_acl.id
if not public: if not public:
report.status = "PASS" report.status = "PASS"
report.status_extended = f"Network ACL {network_acl.id} has not SSH port 22 open to the Internet." report.status_extended = f"Network ACL {network_acl.id} has not SSH port 22 open to the Internet."
report.resource_id = network_acl.id report.resource_id = network_acl.id
findings.append(report)
else: else:
report = Check_Report(self.metadata) report.status = "FAIL"
report.status = "PASS" report.status_extended = f"Network ACL {network_acl.id} has SSH port 22 open to the Internet."
report.status_extended = "There are no EC2 network acls." report.resource_id = network_acl.id
report.region = region
findings.append(report) findings.append(report)
return findings return findings

26
providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_3389/ec2_networkacl_allow_ingress_tcp_port_3389.py
View File

@@ -6,40 +6,32 @@ class ec2_networkacl_allow_ingress_tcp_port_3389(Check):
def execute(self): def execute(self):
findings = [] findings = []
check_port = 3389 check_port = 3389
for regional_client in ec2_client.regional_clients: for network_acl in ec2_client.network_acls:
region = regional_client.region
if regional_client.network_acls:
for network_acl in regional_client.network_acls:
public = False public = False
report = Check_Report(self.metadata) report = Check_Report(self.metadata)
report.region = region report.region = network_acl.region
for entry in network_acl.entries: for entry in network_acl.entries:
if ( if (
entry["CidrBlock"] == "0.0.0.0/0" entry["CidrBlock"] == "0.0.0.0/0"
and entry["RuleAction"] == "allow" and entry["RuleAction"] == "allow"
and not entry["Egress"] and not entry["Egress"]
and "PortRange" in entry
and entry["Protocol"] == "6" # 6 relates to tcp protocol
): ):
if ( if entry["Protocol"] == "-1":
public = True
elif (
entry["PortRange"]["From"] == check_port entry["PortRange"]["From"] == check_port
and entry["PortRange"]["To"] == check_port and entry["PortRange"]["To"] == check_port
and entry["Protocol"] == "6"
): ):
public = True public = True
report.status = "FAIL"
report.status_extended = f"Network ACL {network_acl.id} has Microsoft RDP port 3389 open to the Internet."
report.resource_id = network_acl.id
if not public: if not public:
report.status = "PASS" report.status = "PASS"
report.status_extended = f"Network ACL {network_acl.id} has not Microsoft RDP port 3389 open to the Internet." report.status_extended = f"Network ACL {network_acl.id} has not Microsoft RDP port 3389 open to the Internet."
report.resource_id = network_acl.id report.resource_id = network_acl.id
findings.append(report)
else: else:
report = Check_Report(self.metadata) report.status = "FAIL"
report.status = "PASS" report.status_extended = f"Network ACL {network_acl.id} has Microsoft RDP port 3389 open to the Internet."
report.status_extended = "There are no EC2 network acls." report.resource_id = network_acl.id
report.region = region
findings.append(report) findings.append(report)
return findings return findings

14
providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_any_port/ec2_securitygroup_allow_ingress_from_internet_to_any_port.py
View File

@@ -5,13 +5,10 @@ from providers.aws.services.ec2.ec2_service import check_security_group, ec2_cli
class ec2_securitygroup_allow_ingress_from_internet_to_any_port(Check): class ec2_securitygroup_allow_ingress_from_internet_to_any_port(Check):
def execute(self): def execute(self):
findings = [] findings = []
for regional_client in ec2_client.regional_clients: for security_group in ec2_client.security_groups:
region = regional_client.region
if regional_client.security_groups:
for security_group in regional_client.security_groups:
public = False public = False
report = Check_Report(self.metadata) report = Check_Report(self.metadata)
report.region = region report.region = security_group.region
# Loop through every security group's ingress rule and check it # Loop through every security group's ingress rule and check it
for ingress_rule in security_group.ingress_rules: for ingress_rule in security_group.ingress_rules:
public = check_security_group(ingress_rule, "-1") public = check_security_group(ingress_rule, "-1")
@@ -25,12 +22,5 @@ class ec2_securitygroup_allow_ingress_from_internet_to_any_port(Check):
report.status_extended = f"Security group {security_group.name} ({security_group.id}) has not all ports open to the Internet." report.status_extended = f"Security group {security_group.name} ({security_group.id}) has not all ports open to the Internet."
report.resource_id = security_group.id report.resource_id = security_group.id
findings.append(report) findings.append(report)
else:
report = Check_Report(self.metadata)
report.status = "PASS"
report.status_extended = "There are no EC2 security groups."
report.region = region
findings.append(report)
return findings return findings

14
providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22.py
View File

@@ -6,13 +6,10 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22(Check):
def execute(self): def execute(self):
findings = [] findings = []
check_ports = [22] check_ports = [22]
for regional_client in ec2_client.regional_clients: for security_group in ec2_client.security_groups:
region = regional_client.region
if regional_client.security_groups:
for security_group in regional_client.security_groups:
public = False public = False
report = Check_Report(self.metadata) report = Check_Report(self.metadata)
report.region = region report.region = security_group.region
# Loop through every security group's ingress rule and check it # Loop through every security group's ingress rule and check it
for ingress_rule in security_group.ingress_rules: for ingress_rule in security_group.ingress_rules:
public = check_security_group(ingress_rule, "tcp", check_ports) public = check_security_group(ingress_rule, "tcp", check_ports)
@@ -26,12 +23,5 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22(Check):
report.status_extended = f"Security group {security_group.name} ({security_group.id}) has not SSH port 22 open to the Internet." report.status_extended = f"Security group {security_group.name} ({security_group.id}) has not SSH port 22 open to the Internet."
report.resource_id = security_group.id report.resource_id = security_group.id
findings.append(report) findings.append(report)
else:
report = Check_Report(self.metadata)
report.status = "PASS"
report.status_extended = "There are no EC2 security groups."
report.region = region
findings.append(report)
return findings return findings

17
providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389.py
View File

@@ -1,37 +1,26 @@
from lib.check.models import Check, Check_Report from lib.check.models import Check, Check_Report
from providers.aws.services.ec2.ec2_service import check_security_group, ec2_client from providers.aws.services.ec2.ec2_service import check_security_group, ec2_client
class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389(Check): class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389(Check):
def execute(self): def execute(self):
findings = [] findings = []
check_ports = [3389] check_ports = [3389]
for regional_client in ec2_client.regional_clients: for security_group in ec2_client.security_groups:
region = regional_client.region
if regional_client.security_groups:
for security_group in regional_client.security_groups:
public = False public = False
report = Check_Report(self.metadata) report = Check_Report(self.metadata)
report.region = region report.region = security_group.region
# Loop through every security group's ingress rule and check it # Loop through every security group's ingress rule and check it
for ingress_rule in security_group.ingress_rules: for ingress_rule in security_group.ingress_rules:
public = check_security_group(ingress_rule, "tcp", check_ports) public = check_security_group(ingress_rule, "tcp", check_ports)
# Check # Check
if public: if public:
report.status = "FAIL" report.status = "FAIL"
report.status_extended = f"Security group {security_group.name} ({security_group.id}) has not Microsoft RDP port 3389 open to the Internet." report.status_extended = f"Security group {security_group.name} ({security_group.id}) has Microsoft RDP port 3389 open to the Internet."
report.resource_id = security_group.id report.resource_id = security_group.id
else: else:
report.status = "PASS" report.status = "PASS"
report.status_extended = f"Security group {security_group.name} ({security_group.id}) has not Microsoft RDP port 3389 open to the Internet." report.status_extended = f"Security group {security_group.name} ({security_group.id}) has not Microsoft RDP port 3389 open to the Internet."
report.resource_id = security_group.id report.resource_id = security_group.id
findings.append(report) findings.append(report)
else:
report = Check_Report(self.metadata)
report.status = "PASS"
report.status_extended = "There are no EC2 security groups."
report.region = region
findings.append(report)
return findings return findings

15
providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306.py
View File

@@ -1,18 +1,14 @@
from lib.check.models import Check, Check_Report from lib.check.models import Check, Check_Report
from providers.aws.services.ec2.ec2_service import check_security_group, ec2_client from providers.aws.services.ec2.ec2_service import check_security_group, ec2_client
class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306(Check): class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306(Check):
def execute(self): def execute(self):
findings = [] findings = []
check_ports = [3306] check_ports = [3306]
for regional_client in ec2_client.regional_clients: for security_group in ec2_client.security_groups:
region = regional_client.region
if regional_client.security_groups:
for security_group in regional_client.security_groups:
public = False public = False
report = Check_Report(self.metadata) report = Check_Report(self.metadata)
report.region = region report.region = security_group.region
# Loop through every security group's ingress rule and check it # Loop through every security group's ingress rule and check it
for ingress_rule in security_group.ingress_rules: for ingress_rule in security_group.ingress_rules:
public = check_security_group(ingress_rule, "tcp", check_ports) public = check_security_group(ingress_rule, "tcp", check_ports)
@@ -26,12 +22,5 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306(Check
report.status_extended = f"Security group {security_group.name} ({security_group.id}) has not MySQL port 3306 open to the Internet." report.status_extended = f"Security group {security_group.name} ({security_group.id}) has not MySQL port 3306 open to the Internet."
report.resource_id = security_group.id report.resource_id = security_group.id
findings.append(report) findings.append(report)
else:
report = Check_Report(self.metadata)
report.status = "PASS"
report.status_extended = "There are no EC2 security groups."
report.region = region
findings.append(report)
return findings return findings

15
providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483.py
View File

@@ -1,18 +1,14 @@
from lib.check.models import Check, Check_Report from lib.check.models import Check, Check_Report
from providers.aws.services.ec2.ec2_service import check_security_group, ec2_client from providers.aws.services.ec2.ec2_service import check_security_group, ec2_client
class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483(Check): class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483(Check):
def execute(self): def execute(self):
findings = [] findings = []
check_ports = [1521, 2483] check_ports = [1521, 2483]
for regional_client in ec2_client.regional_clients: for security_group in ec2_client.security_groups:
region = regional_client.region
if regional_client.security_groups:
for security_group in regional_client.security_groups:
public = False public = False
report = Check_Report(self.metadata) report = Check_Report(self.metadata)
report.region = region report.region = security_group.region
# Loop through every security group's ingress rule and check it # Loop through every security group's ingress rule and check it
for ingress_rule in security_group.ingress_rules: for ingress_rule in security_group.ingress_rules:
public = check_security_group(ingress_rule, "tcp", check_ports) public = check_security_group(ingress_rule, "tcp", check_ports)
@@ -26,12 +22,5 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483
report.status_extended = f"Security group {security_group.name} ({security_group.id}) has not Oracle ports 1521 and 2483 open to the Internet." report.status_extended = f"Security group {security_group.name} ({security_group.id}) has not Oracle ports 1521 and 2483 open to the Internet."
report.resource_id = security_group.id report.resource_id = security_group.id
findings.append(report) findings.append(report)
else:
report = Check_Report(self.metadata)
report.status = "PASS"
report.status_extended = "There are no EC2 security groups."
report.region = region
findings.append(report)
return findings return findings

71
providers/aws/services/ec2/ec2_service.py
View File

@@ -13,18 +13,22 @@ class EC2:
self.session = audit_info.audit_session self.session = audit_info.audit_session
self.audited_account = audit_info.audited_account self.audited_account = audit_info.audited_account
self.regional_clients = generate_regional_clients(self.service, audit_info) self.regional_clients = generate_regional_clients(self.service, audit_info)
self.instances = []
self.__threading_call__(self.__describe_instances__) self.__threading_call__(self.__describe_instances__)
self.security_groups = []
self.__threading_call__(self.__describe_security_groups__) self.__threading_call__(self.__describe_security_groups__)
self.network_acls = []
self.__threading_call__(self.__describe_network_acls__) self.__threading_call__(self.__describe_network_acls__)
self.snapshots = []
self.__threading_call__(self.__describe_snapshots__) self.__threading_call__(self.__describe_snapshots__)
self.__threading_call__(self.__get_snapshot_public__) self.__get_snapshot_public__()
def __get_session__(self): def __get_session__(self):
return self.session return self.session
def __threading_call__(self, call): def __threading_call__(self, call):
threads = [] threads = []
for regional_client in self.regional_clients: for regional_client in self.regional_clients.values():
threads.append(threading.Thread(target=call, args=(regional_client,))) threads.append(threading.Thread(target=call, args=(regional_client,)))
for t in threads: for t in threads:
t.start() t.start()
@@ -37,7 +41,6 @@ class EC2:
describe_instances_paginator = regional_client.get_paginator( describe_instances_paginator = regional_client.get_paginator(
"describe_instances" "describe_instances"
) )
instances = []
for page in describe_instances_paginator.paginate(): for page in describe_instances_paginator.paginate():
for reservation in page["Reservations"]: for reservation in page["Reservations"]:
for instance in reservation["Instances"]: for instance in reservation["Instances"]:
@@ -45,9 +48,10 @@ class EC2:
"PublicDnsName" in instance "PublicDnsName" in instance
and "PublicIpAddress" in instance and "PublicIpAddress" in instance
): ):
instances.append( self.instances.append(
Instance( Instance(
instance["InstanceId"], instance["InstanceId"],
regional_client.region,
instance["InstanceType"], instance["InstanceType"],
instance["ImageId"], instance["ImageId"],
instance["LaunchTime"], instance["LaunchTime"],
@@ -58,9 +62,10 @@ class EC2:
) )
) )
else: else:
instances.append( self.instances.append(
Instance( Instance(
instance["InstanceId"], instance["InstanceId"],
regional_client.region,
instance["InstanceType"], instance["InstanceType"],
instance["ImageId"], instance["ImageId"],
instance["LaunchTime"], instance["LaunchTime"],
@@ -74,9 +79,6 @@ class EC2:
logger.error( logger.error(
f"{regional_client.region} -- {error.__class__.__name__}: {error}" f"{regional_client.region} -- {error.__class__.__name__}: {error}"
) )
regional_client.instances = []
else:
regional_client.instances = instances
def __describe_security_groups__(self, regional_client): def __describe_security_groups__(self, regional_client):
logger.info("EC2 - Describing Security Groups...") logger.info("EC2 - Describing Security Groups...")
@@ -84,12 +86,12 @@ class EC2:
describe_security_groups_paginator = regional_client.get_paginator( describe_security_groups_paginator = regional_client.get_paginator(
"describe_security_groups" "describe_security_groups"
) )
security_groups = []
for page in describe_security_groups_paginator.paginate(): for page in describe_security_groups_paginator.paginate():
for sg in page["SecurityGroups"]: for sg in page["SecurityGroups"]:
security_groups.append( self.security_groups.append(
SecurityGroup( SecurityGroup(
sg["GroupName"], sg["GroupName"],
regional_client.region,
sg["GroupId"], sg["GroupId"],
sg["IpPermissions"], sg["IpPermissions"],
sg["IpPermissionsEgress"], sg["IpPermissionsEgress"],
@@ -99,9 +101,6 @@ class EC2:
logger.error( logger.error(
f"{regional_client.region} -- {error.__class__.__name__}: {error}" f"{regional_client.region} -- {error.__class__.__name__}: {error}"
) )
regional_client.security_groups = []
else:
regional_client.security_groups = security_groups
def __describe_network_acls__(self, regional_client): def __describe_network_acls__(self, regional_client):
logger.info("EC2 - Describing Security Groups...") logger.info("EC2 - Describing Security Groups...")
@@ -109,19 +108,19 @@ class EC2:
describe_network_acls_paginator = regional_client.get_paginator( describe_network_acls_paginator = regional_client.get_paginator(
"describe_network_acls" "describe_network_acls"
) )
network_acls = []
for page in describe_network_acls_paginator.paginate(): for page in describe_network_acls_paginator.paginate():
for nacl in page["NetworkAcls"]: for nacl in page["NetworkAcls"]:
network_acls.append( self.network_acls.append(
NetworkACL(nacl["NetworkAclId"], nacl["Entries"]) NetworkACL(
nacl["NetworkAclId"],
regional_client.region,
nacl["Entries"],
)
) )
except Exception as error: except Exception as error:
logger.error( logger.error(
f"{regional_client.region} -- {error.__class__.__name__}: {error}" f"{regional_client.region} -- {error.__class__.__name__}: {error}"
) )
regional_client.network_acls = []
else:
regional_client.network_acls = network_acls
def __describe_snapshots__(self, regional_client): def __describe_snapshots__(self, regional_client):
logger.info("EC2 - Describing Snapshots...") logger.info("EC2 - Describing Snapshots...")
@@ -129,7 +128,6 @@ class EC2:
describe_snapshots_paginator = regional_client.get_paginator( describe_snapshots_paginator = regional_client.get_paginator(
"describe_snapshots" "describe_snapshots"
) )
snapshots = []
encrypted = False encrypted = False
for page in describe_snapshots_paginator.paginate( for page in describe_snapshots_paginator.paginate(
OwnerIds=[self.audited_account] OwnerIds=[self.audited_account]
@@ -137,20 +135,21 @@ class EC2:
for snapshot in page["Snapshots"]: for snapshot in page["Snapshots"]:
if snapshot["Encrypted"]: if snapshot["Encrypted"]:
encrypted = True encrypted = True
snapshots.append(Snapshot(snapshot["SnapshotId"], encrypted)) self.snapshots.append(
Snapshot(
snapshot["SnapshotId"], regional_client.region, encrypted
)
)
except Exception as error: except Exception as error:
logger.error( logger.error(
f"{regional_client.region} -- {error.__class__.__name__}: {error}" f"{regional_client.region} -- {error.__class__.__name__}: {error}"
) )
regional_client.snapshots = []
else:
regional_client.snapshots = snapshots
def __get_snapshot_public__(self, regional_client): def __get_snapshot_public__(self):
logger.info("EC2 - Get snapshots encryption...") logger.info("EC2 - Get snapshots encryption...")
try: try:
if hasattr(regional_client, "snapshots"): for snapshot in self.snapshots:
for snapshot in regional_client.snapshots: regional_client = self.regional_clients[snapshot.region]
snapshot_public = regional_client.describe_snapshot_attribute( snapshot_public = regional_client.describe_snapshot_attribute(
Attribute="createVolumePermission", SnapshotId=snapshot.id Attribute="createVolumePermission", SnapshotId=snapshot.id
) )
@@ -159,14 +158,13 @@ class EC2:
if permission["Group"] == "all": if permission["Group"] == "all":
snapshot.public = True snapshot.public = True
except Exception as error: except Exception as error:
logger.error( logger.error(f"{error.__class__.__name__}: {error}")
f"{regional_client.region} -- {error.__class__.__name__}: {error}"
)
@dataclass @dataclass
class Instance: class Instance:
id: str id: str
region: str
type: str type: str
image_id: str image_id: str
launch_time: str launch_time: str
@@ -178,6 +176,7 @@ class Instance:
def __init__( def __init__(
self, self,
id, id,
region,
type, type,
image_id, image_id,
launch_time, launch_time,
@@ -187,6 +186,7 @@ class Instance:
public_ip, public_ip,
): ):
self.id = id self.id = id
self.region = region
self.type = type self.type = type
self.image_id = image_id self.image_id = image_id
self.launch_time = launch_time self.launch_time = launch_time
@@ -199,11 +199,13 @@ class Instance:
@dataclass @dataclass
class Snapshot: class Snapshot:
id: str id: str
region: str
encrypted: bool encrypted: bool
public: bool public: bool
def __init__(self, id, encrypted): def __init__(self, id, region, encrypted):
self.id = id self.id = id
self.region = region
self.encrypted = encrypted self.encrypted = encrypted
self.public = False self.public = False
@@ -211,12 +213,14 @@ class Snapshot:
@dataclass @dataclass
class SecurityGroup: class SecurityGroup:
name: str name: str
region: str
id: str id: str
ingress_rules: list[dict] ingress_rules: list[dict]
egress_rules: list[dict] egress_rules: list[dict]
def __init__(self, name, id, ingress_rules, egress_rules): def __init__(self, name, region, id, ingress_rules, egress_rules):
self.name = name self.name = name
self.region = region
self.id = id self.id = id
self.ingress_rules = ingress_rules self.ingress_rules = ingress_rules
self.egress_rules = egress_rules self.egress_rules = egress_rules
@@ -227,8 +231,9 @@ class NetworkACL:
id: str id: str
entries: list[dict] entries: list[dict]
def __init__(self, id, entries): def __init__(self, id, region, entries):
self.id = id self.id = id
self.region = region
self.entries = entries self.entries = entries

8
providers/aws/services/iam/iam_administrator_access_with_mfa/iam_administrator_access_with_mfa.py
View File

@@ -7,7 +7,6 @@ class iam_administrator_access_with_mfa(Check):
findings = [] findings = []
response = iam_client.groups response = iam_client.groups
if response:
for group in response: for group in response:
report = Check_Report(self.metadata) report = Check_Report(self.metadata)
report.resource_id = group.name report.resource_id = group.name
@@ -54,11 +53,4 @@ class iam_administrator_access_with_mfa(Check):
report.status_extended = f"Group {group.name} has no policies." report.status_extended = f"Group {group.name} has no policies."
findings.append(report) findings.append(report)
else:
report = Check_Report(self.metadata)
report.status = "PASS"
report.status_extended = "There is no IAM groups."
report.region = iam_client.region
findings.append(report)
return findings return findings

1
providers/aws/services/iam/iam_avoid_root_usage/iam_avoid_root_usage.py
View File

@@ -11,7 +11,6 @@ class iam_avoid_root_usage(Check):
findings = [] findings = []
response = iam_client.credential_report response = iam_client.credential_report
if response:
for user in response: for user in response:
if user["user"] == "<root_account>": if user["user"] == "<root_account>":
report = Check_Report(self.metadata) report = Check_Report(self.metadata)

7
providers/aws/services/iam/iam_disable_30_days_credentials/iam_disable_30_days_credentials.py
View File

@@ -11,7 +11,6 @@ class iam_disable_30_days_credentials(Check):
findings = [] findings = []
response = iam_client.users response = iam_client.users
if response:
for user in response: for user in response:
report = Check_Report(self.metadata) report = Check_Report(self.metadata)
report.resource_id = user.name report.resource_id = user.name
@@ -42,11 +41,5 @@ class iam_disable_30_days_credentials(Check):
# Append report # Append report
findings.append(report) findings.append(report)
else:
report = Check_Report(self.metadata)
report.status = "PASS"
report.status_extended = "There is no IAM users."
report.region = iam_client.region
findings.append(report)
return findings return findings

7
providers/aws/services/iam/iam_disable_90_days_credentials/iam_disable_90_days_credentials.py
View File

@@ -11,7 +11,6 @@ class iam_disable_90_days_credentials(Check):
findings = [] findings = []
response = iam_client.users response = iam_client.users
if response:
for user in response: for user in response:
report = Check_Report(self.metadata) report = Check_Report(self.metadata)
report.region = iam_client.region report.region = iam_client.region
@@ -42,11 +41,5 @@ class iam_disable_90_days_credentials(Check):
) )
# Append report # Append report
findings.append(report) findings.append(report)
else:
report = Check_Report(self.metadata)
report.status = "PASS"
report.status_extended = "There is no IAM users."
report.region = iam_client.region
findings.append(report)
return findings return findings

1
providers/aws/services/iam/iam_root_mfa_enabled/iam_root_mfa_enabled.py
View File

@@ -6,7 +6,6 @@ class iam_root_mfa_enabled(Check):
def execute(self) -> Check_Report: def execute(self) -> Check_Report:
findings = [] findings = []
if iam_client.credential_report:
for user in iam_client.credential_report: for user in iam_client.credential_report:
if user["user"] == "<root_account>": if user["user"] == "<root_account>":
report = Check_Report(self.metadata) report = Check_Report(self.metadata)

11
providers/aws/services/iam/iam_rotate_access_key_90_days/iam_rotate_access_key_90_days.py
View File

@@ -11,7 +11,6 @@ class iam_rotate_access_key_90_days(Check):
findings = [] findings = []
response = iam_client.credential_report response = iam_client.credential_report
if response:
for user in response: for user in response:
report = Check_Report(self.metadata) report = Check_Report(self.metadata)
report.region = iam_client.region report.region = iam_client.region
@@ -51,13 +50,9 @@ class iam_rotate_access_key_90_days(Check):
report.status_extended = f"User {user['user']} has not rotated access key 2 in over 90 days ({access_key_2_last_rotated.days} days)." report.status_extended = f"User {user['user']} has not rotated access key 2 in over 90 days ({access_key_2_last_rotated.days} days)."
if not old_access_keys: if not old_access_keys:
report.status = "PASS" report.status = "PASS"
report.status_extended = f"User {user['user']} has access keys not older than 90 days." report.status_extended = (
findings.append(report) f"User {user['user']} has access keys not older than 90 days."
else: )
report = Check_Report(self.metadata)
report.status = "PASS"
report.status_extended = "There is no IAM users."
report.region = iam_client.region
findings.append(report) findings.append(report)
return findings return findings

7
providers/aws/services/iam/iam_user_hardware_mfa_enabled/iam_user_hardware_mfa_enabled.py
View File

@@ -7,7 +7,6 @@ class iam_user_hardware_mfa_enabled(Check):
findings = [] findings = []
response = iam_client.users response = iam_client.users
if response:
for user in response: for user in response:
report = Check_Report(self.metadata) report = Check_Report(self.metadata)
report.resource_id = user.name report.resource_id = user.name
@@ -31,11 +30,5 @@ class iam_user_hardware_mfa_enabled(Check):
f"User {user.name} has not any type of MFA enabled." f"User {user.name} has not any type of MFA enabled."
) )
findings.append(report) findings.append(report)
else:
report = Check_Report(self.metadata)
report.status = "PASS"
report.status_extended = "There is no IAM users."
report.region = iam_client.region
findings.append(report)
return findings return findings

8
providers/aws/services/iam/iam_user_mfa_enabled_console_access/iam_user_mfa_enabled_console_access.py
View File

@@ -6,8 +6,6 @@ class iam_user_mfa_enabled_console_access(Check):
def execute(self) -> Check_Report: def execute(self) -> Check_Report:
findings = [] findings = []
response = iam_client.credential_report response = iam_client.credential_report
if response:
for user in response: for user in response:
report = Check_Report(self.metadata) report = Check_Report(self.metadata)
report.resource_id = user["user"] report.resource_id = user["user"]
@@ -26,11 +24,5 @@ class iam_user_mfa_enabled_console_access(Check):
f"User {user['user']} has not Console Password enabled." f"User {user['user']} has not Console Password enabled."
) )
findings.append(report) findings.append(report)
else:
report = Check_Report(self.metadata)
report.status = "PASS"
report.status_extended = "There is no IAM users."
report.region = iam_client.region
findings.append(report)
return findings return findings

9
providers/aws/services/iam/iam_user_two_active_access_key/iam_user_two_active_access_key.py
View File

@@ -6,8 +6,6 @@ class iam_user_two_active_access_key(Check):
def execute(self) -> Check_Report: def execute(self) -> Check_Report:
findings = [] findings = []
response = iam_client.credential_report response = iam_client.credential_report
if response:
for user in response: for user in response:
report = Check_Report(self.metadata) report = Check_Report(self.metadata)
report.resource_id = user["user"] report.resource_id = user["user"]
@@ -21,18 +19,11 @@ class iam_user_two_active_access_key(Check):
report.status_extended = ( report.status_extended = (
f"User {user['user']} has 2 active access keys." f"User {user['user']} has 2 active access keys."
) )
findings.append(report)
else: else:
report.status = "PASS" report.status = "PASS"
report.status_extended = ( report.status_extended = (
f"User {user['user']} has not 2 active access keys." f"User {user['user']} has not 2 active access keys."
) )
findings.append(report) findings.append(report)
else:
report = Check_Report(self.metadata)
report.status = "PASS"
report.status_extended = "There is no IAM users."
report.region = iam_client.region
findings.append(report)
return findings return findings

13
providers/aws/services/s3/s3_bucket_object_versioning/s3_bucket_object_versioning.py
View File

@@ -5,12 +5,9 @@ from providers.aws.services.s3.s3_service import s3_client
class s3_bucket_object_versioning(Check): class s3_bucket_object_versioning(Check):
def execute(self): def execute(self):
findings = [] findings = []
for regional_client in s3_client.regional_clients: for bucket in s3_client.buckets:
region = regional_client.region
if regional_client.buckets:
for bucket in regional_client.buckets:
report = Check_Report(self.metadata) report = Check_Report(self.metadata)
report.region = region report.region = bucket.region
report.resource_id = bucket.name report.resource_id = bucket.name
if bucket.versioning: if bucket.versioning:
report.status = "PASS" report.status = "PASS"
@@ -23,11 +20,5 @@ class s3_bucket_object_versioning(Check):
f"S3 Bucket {bucket.name} has versioning disabled." f"S3 Bucket {bucket.name} has versioning disabled."
) )
findings.append(report) findings.append(report)
else:
report = Check_Report(self.metadata)
report.status = "PASS"
report.status_extended = "There are no S3 buckets."
report.region = region
findings.append(report)
return findings return findings

21
providers/aws/services/s3/s3_bucket_server_access_logging_enabled/s3_bucket_server_access_logging_enabled.py
View File

@@ -5,25 +5,20 @@ from providers.aws.services.s3.s3_service import s3_client
class s3_bucket_server_access_logging_enabled(Check): class s3_bucket_server_access_logging_enabled(Check):
def execute(self): def execute(self):
findings = [] findings = []
for regional_client in s3_client.regional_clients: for bucket in s3_client.buckets:
region = regional_client.region
if regional_client.buckets:
for bucket in regional_client.buckets:
report = Check_Report(self.metadata) report = Check_Report(self.metadata)
report.region = region report.region = bucket.region
report.resource_id = bucket.name report.resource_id = bucket.name
if bucket.logging: if bucket.logging:
report.status = "PASS" report.status = "PASS"
report.status_extended = f"S3 Bucket {bucket.name} has server access logging enabled." report.status_extended = (
f"S3 Bucket {bucket.name} has server access logging enabled."
)
else: else:
report.status = "FAIL" report.status = "FAIL"
report.status_extended = f"S3 Bucket {bucket.name} has server access logging disabled." report.status_extended = (
findings.append(report) f"S3 Bucket {bucket.name} has server access logging disabled."
else: )
report = Check_Report(self.metadata)
report.status = "PASS"
report.status_extended = "There are no S3 buckets."
report.region = region
findings.append(report) findings.append(report)
return findings return findings

59
providers/aws/services/s3/s3_service.py
View File

@@ -10,9 +10,10 @@ class S3:
def __init__(self, audit_info): def __init__(self, audit_info):
self.service = "s3" self.service = "s3"
self.session = audit_info.audit_session self.session = audit_info.audit_session
self.client = self.session.client(self.service)
self.audited_account = audit_info.audited_account self.audited_account = audit_info.audited_account
self.regional_clients = generate_regional_clients(self.service, audit_info) self.regional_clients = generate_regional_clients(self.service, audit_info)
self.__threading_call__(self.__list_buckets__) self.buckets = self.__list_buckets__()
self.__threading_call__(self.__get_bucket_versioning__) self.__threading_call__(self.__get_bucket_versioning__)
self.__threading_call__(self.__get_bucket_logging__) self.__threading_call__(self.__get_bucket_logging__)
@@ -21,43 +22,34 @@ class S3:
def __threading_call__(self, call): def __threading_call__(self, call):
threads = [] threads = []
for regional_client in self.regional_clients: for bucket in self.buckets:
threads.append(threading.Thread(target=call, args=(regional_client,))) threads.append(threading.Thread(target=call, args=(bucket,)))
for t in threads: for t in threads:
t.start() t.start()
for t in threads: for t in threads:
t.join() t.join()
def __list_buckets__(self, regional_client): def __list_buckets__(self):
logger.info("S3 - Listing buckets...") logger.info("S3 - Listing buckets...")
try: try:
list_buckets = regional_client.list_buckets()
buckets = [] buckets = []
list_buckets = self.client.list_buckets()
for bucket in list_buckets["Buckets"]: for bucket in list_buckets["Buckets"]:
try: bucket_region = self.client.get_bucket_location(Bucket=bucket["Name"])[
bucket_region = regional_client.get_bucket_location( "LocationConstraint"
Bucket=bucket["Name"] ]
)["LocationConstraint"] if not bucket_region: # If us-east-1, bucket_region is none
if regional_client.region == bucket_region or ( buckets.append(Bucket(bucket["Name"], "us-east-1"))
regional_client.region == "us-east-1" and not bucket_region else:
): # If us-east-1, bucket_region is none buckets.append(Bucket(bucket["Name"], bucket_region))
buckets.append(Bucket(bucket["Name"])) return buckets
except Exception as error: except Exception as error:
if error.__class__.__name__ != "NoSuchBucket": logger.error(f"{bucket_region} -- {error.__class__.__name__}: {error}")
logger.error(
f"{regional_client.region} -- {error.__class__.__name__}: {error}"
)
regional_client.buckets = buckets
except Exception as error:
logger.error(
f"{regional_client.region} -- {error.__class__.__name__}: {error}"
)
def __get_bucket_versioning__(self, regional_client): def __get_bucket_versioning__(self, bucket):
logger.info("S3 - Get buckets versioning...") logger.info("S3 - Get buckets versioning...")
try: try:
if hasattr(regional_client, "buckets"): regional_client = self.regional_clients[bucket.region]
for bucket in regional_client.buckets:
bucket_versioning = regional_client.get_bucket_versioning( bucket_versioning = regional_client.get_bucket_versioning(
Bucket=bucket.name Bucket=bucket.name
) )
@@ -65,18 +57,13 @@ class S3:
if "Enabled" == bucket_versioning["Status"]: if "Enabled" == bucket_versioning["Status"]:
bucket.versioning = True bucket.versioning = True
except Exception as error: except Exception as error:
logger.error( logger.error(f"{bucket.region} -- {error.__class__.__name__}: {error}")
f"{regional_client.region} -- {error.__class__.__name__}: {error}"
)
def __get_bucket_logging__(self, regional_client): def __get_bucket_logging__(self, bucket):
logger.info("S3 - Get buckets logging...") logger.info("S3 - Get buckets logging...")
try: try:
if hasattr(regional_client, "buckets"): regional_client = self.regional_clients[bucket.region]
for bucket in regional_client.buckets: bucket_logging = regional_client.get_bucket_logging(Bucket=bucket.name)
bucket_logging = regional_client.get_bucket_logging(
Bucket=bucket.name
)
if "LoggingEnabled" in bucket_logging: if "LoggingEnabled" in bucket_logging:
bucket.logging = True bucket.logging = True
except Exception as error: except Exception as error:
@@ -90,11 +77,13 @@ class Bucket:
name: str name: str
versioning: bool versioning: bool
logging: bool logging: bool
region: str
def __init__(self, name): def __init__(self, name, region):
self.name = name self.name = name
self.versioning = False self.versioning = False
self.logging = False self.logging = False
self.region = region
s3_client = S3(current_audit_info) s3_client = S3(current_audit_info)