feat(compliance): Loader and Execute (#1465)
@@ -2,7 +2,9 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "ec2_ami_public",
|
||||
"CheckTitle": "Ensure there are no EC2 AMIs set as Public.",
|
||||
"CheckType": ["Infrastructure Security"],
|
||||
"CheckType": [
|
||||
"Infrastructure Security"
|
||||
],
|
||||
"ServiceName": "ec2",
|
||||
"SubServiceName": "ami",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,6 +32,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": []
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -6,7 +6,7 @@ class ec2_ami_public(Check):
|
||||
def execute(self):
|
||||
findings = []
|
||||
for image in ec2_client.images:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = image.region
|
||||
report.resource_id = image.id
|
||||
report.status = "PASS"
|
||||
|
||||
@@ -2,7 +2,9 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "ec2_ebs_default_encryption",
|
||||
"CheckTitle": "Check if EBS Default Encryption is activated.",
|
||||
"CheckType": ["Data Protection"],
|
||||
"CheckType": [
|
||||
"Data Protection"
|
||||
],
|
||||
"ServiceName": "ec2",
|
||||
"SubServiceName": "ebs",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,6 +32,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": []
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -6,7 +6,7 @@ class ec2_ebs_default_encryption(Check):
|
||||
def execute(self):
|
||||
findings = []
|
||||
for ebs_encryption in ec2_client.ebs_encryption_by_default:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = ebs_encryption.region
|
||||
report.resource_id = "EBS Default Encryption"
|
||||
report.status = "FAIL"
|
||||
|
||||
@@ -2,7 +2,9 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "ec2_ebs_public_snapshot",
|
||||
"CheckTitle": "Ensure there are no EBS Snapshots set as Public.",
|
||||
"CheckType": ["Data Protection"],
|
||||
"CheckType": [
|
||||
"Data Protection"
|
||||
],
|
||||
"ServiceName": "ec2",
|
||||
"SubServiceName": "snapshot",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,6 +32,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": []
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -6,7 +6,7 @@ class ec2_ebs_public_snapshot(Check):
|
||||
def execute(self):
|
||||
findings = []
|
||||
for snapshot in ec2_client.snapshots:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = snapshot.region
|
||||
if not snapshot.public:
|
||||
report.status = "PASS"
|
||||
|
||||
@@ -2,7 +2,9 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "ec2_ebs_snapshots_encrypted",
|
||||
"CheckTitle": "Check if EBS snapshots are encrypted.",
|
||||
"CheckType": ["Data Protection"],
|
||||
"CheckType": [
|
||||
"Data Protection"
|
||||
],
|
||||
"ServiceName": "ec2",
|
||||
"SubServiceName": "snapshot",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,6 +32,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": []
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -6,7 +6,7 @@ class ec2_ebs_snapshots_encrypted(Check):
|
||||
def execute(self):
|
||||
findings = []
|
||||
for snapshot in ec2_client.snapshots:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = snapshot.region
|
||||
if snapshot.encrypted:
|
||||
report.status = "PASS"
|
||||
|
||||
@@ -2,7 +2,9 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "ec2_ebs_volume_encryption",
|
||||
"CheckTitle": "Ensure there are no EBS Volumes unencrypted.",
|
||||
"CheckType": ["Data Protection"],
|
||||
"CheckType": [
|
||||
"Data Protection"
|
||||
],
|
||||
"ServiceName": "ec2",
|
||||
"SubServiceName": "volume",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,6 +32,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": []
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -6,7 +6,7 @@ class ec2_ebs_volume_encryption(Check):
|
||||
def execute(self):
|
||||
findings = []
|
||||
for volume in ec2_client.volumes:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = volume.region
|
||||
report.resource_id = volume.id
|
||||
if volume.encrypted:
|
||||
|
||||
@@ -2,7 +2,9 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "ec2_elastic_ip_shodan",
|
||||
"CheckTitle": "Check if any of the Elastic or Public IP are in Shodan (requires Shodan API KEY).",
|
||||
"CheckType": ["Infrastructure Security"],
|
||||
"CheckType": [
|
||||
"Infrastructure Security"
|
||||
],
|
||||
"ServiceName": "ec2",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,6 +32,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": []
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -13,7 +13,7 @@ class ec2_elastic_ip_shodan(Check):
|
||||
if shodan_api_key:
|
||||
api = shodan.Shodan(shodan_api_key)
|
||||
for eip in ec2_client.elastic_ips:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = eip.region
|
||||
if eip.public_ip:
|
||||
try:
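Review bot: Nothing in the visible lines says what happens when `shodan_api_key` is not configured; if the `else` branch outside this hunk simply returns the empty `findings`, the check produces no output at all and a consumer can read that silence as "no public IP is listed in Shodan" rather than "the check did not run". Suggest logging a warning in that branch, e.g. `logger.warning("shodan_api_key is not set; skipping ec2_elastic_ip_shodan")` (the logger used by this module is not visible here, so adapt the name). It is also worth stating in the metadata `Notes` that this check sends every Elastic/public IP of the account to a third-party API, since that is a data-sharing decision an auditor should be able to see before enabling it. The `execute` body starts before and continues after this hunk.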
|
||||
|
||||
@@ -2,7 +2,9 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "ec2_elastic_ip_unassgined",
|
||||
"CheckTitle": "Check if there is any unassigned Elastic IP.",
|
||||
"CheckType": ["Infrastructure Security"],
|
||||
"CheckType": [
|
||||
"Infrastructure Security"
|
||||
],
|
||||
"ServiceName": "ec2",
|
||||
"SubServiceName": "AwsElasticIPs",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,6 +32,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": []
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -6,7 +6,7 @@ class ec2_elastic_ip_unassgined(Check):
|
||||
def execute(self):
|
||||
findings = []
|
||||
for eip in ec2_client.elastic_ips:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = eip.region
|
||||
if eip.public_ip:
|
||||
report.resource_id = eip.public_ip
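Review bot: The check ID and class name `ec2_elastic_ip_unassgined` misspell "unassigned"; the CheckID is user-facing (it is the key in the metadata and presumably what users pass to select the check), so it only gets harder to rename later, and this commit, which already renames `ec2_network_acls_*` to `ec2_networkacl_*`, is the natural place to change it to `ec2_elastic_ip_unassigned` (directory, module, class, metadata and any `mock.patch` targets in its tests). Separately, `report.resource_id` is only assigned inside `if eip.public_ip:` in the visible lines; if a branch past the hunk also appends a report, confirm it sets a resource identifier as well. The `execute` body continues beyond this hunk.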
|
||||
|
||||
@@ -2,7 +2,9 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "ec2_instance_imdsv2_enabled",
|
||||
"CheckTitle": "Check if EC2 Instance Metadata Service Version 2 (IMDSv2) is Enabled and Required.",
|
||||
"CheckType": ["Infrastructure Security"],
|
||||
"CheckType": [
|
||||
"Infrastructure Security"
|
||||
],
|
||||
"ServiceName": "ec2",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,6 +32,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": []
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -6,7 +6,7 @@ class ec2_instance_imdsv2_enabled(Check):
|
||||
def execute(self):
|
||||
findings = []
|
||||
for instance in ec2_client.instances:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = instance.region
|
||||
report.resource_id = instance.id
|
||||
report.status = "FAIL"
|
||||
|
||||
@@ -2,7 +2,9 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "ec2_instance_internet_facing_with_instance_profile",
|
||||
"CheckTitle": "Check for internet facing EC2 instances with Instance Profiles attached.",
|
||||
"CheckType": ["Infrastructure Security"],
|
||||
"CheckType": [
|
||||
"Infrastructure Security"
|
||||
],
|
||||
"ServiceName": "ec2",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,6 +32,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": []
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -6,7 +6,7 @@ class ec2_instance_internet_facing_with_instance_profile(Check):
|
||||
def execute(self):
|
||||
findings = []
|
||||
for instance in ec2_client.instances:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = instance.region
|
||||
report.resource_id = instance.id
|
||||
report.status = "PASS"
|
||||
|
||||
@@ -2,7 +2,9 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "ec2_instance_managed_by_ssm",
|
||||
"CheckTitle": "Check if EC2 instances are managed by Systems Manager.",
|
||||
"CheckType": ["Infrastructure Security"],
|
||||
"CheckType": [
|
||||
"Infrastructure Security"
|
||||
],
|
||||
"ServiceName": "ec2",
|
||||
"SubServiceName": "instance",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,6 +32,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": []
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -7,7 +7,7 @@ class ec2_instance_managed_by_ssm(Check):
|
||||
def execute(self):
|
||||
findings = []
|
||||
for instance in ec2_client.instances:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = instance.region
|
||||
if not ssm_client.managed_instances.get(instance.id):
|
||||
report.status = "FAIL"
|
||||
|
||||
@@ -2,7 +2,9 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "ec2_instance_older_than_specific_days",
|
||||
"CheckTitle": "Check EC2 Instances older than specific days.",
|
||||
"CheckType": ["Infrastructure Security"],
|
||||
"CheckType": [
|
||||
"Infrastructure Security"
|
||||
],
|
||||
"ServiceName": "ec2",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,6 +32,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": []
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -10,7 +10,7 @@ class ec2_instance_older_than_specific_days(Check):
|
||||
findings = []
|
||||
max_ec2_instance_age_in_days = get_config_var("max_ec2_instance_age_in_days")
|
||||
for instance in ec2_client.instances:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = instance.region
|
||||
report.resource_id = instance.id
|
||||
report.status = "PASS"
|
||||
|
||||
@@ -32,6 +32,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": []
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -6,7 +6,7 @@ class ec2_instance_profile_attached(Check):
|
||||
def execute(self):
|
||||
findings = []
|
||||
for instance in ec2_client.instances:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = instance.region
|
||||
report.resource_id = instance.id
|
||||
report.status = "FAIL"
|
||||
|
||||
@@ -2,7 +2,9 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "ec2_instance_public_ip",
|
||||
"CheckTitle": "Check for EC2 Instances with Public IP.",
|
||||
"CheckType": ["Infrastructure Security"],
|
||||
"CheckType": [
|
||||
"Infrastructure Security"
|
||||
],
|
||||
"ServiceName": "ec2",
|
||||
"SubServiceName": "instance",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,6 +32,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": []
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -6,7 +6,7 @@ class ec2_instance_public_ip(Check):
|
||||
def execute(self):
|
||||
findings = []
|
||||
for instance in ec2_client.instances:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = instance.region
|
||||
if instance.public_ip:
|
||||
report.status = "FAIL"
|
||||
|
||||
@@ -2,7 +2,9 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "ec2_instance_secrets_user_data",
|
||||
"CheckTitle": "Find secrets in EC2 User Data.",
|
||||
"CheckType": ["IAM"],
|
||||
"CheckType": [
|
||||
"IAM"
|
||||
],
|
||||
"ServiceName": "ec2",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:access-analyzer:region:account-id:analyzer/resource-id",
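Review bot: `ResourceIdTemplate` here is `arn:partition:access-analyzer:region:account-id:analyzer/resource-id`, which looks copied from an Access Analyzer check; every other EC2 metadata file in this commit uses `arn:partition:service:region:account-id:resource-id`, and this check's findings are EC2 instances (`report.resource_id = instance.id` in its `execute`). Suggest `"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",`. `"CheckType": ["IAM"]` also differs from the `Infrastructure Security` / `Data Protection` categories used by the sibling EC2 checks; that may be intentional (secrets in user data are a credential exposure), but since these fields are presumably consumed by the new loader it is worth a deliberate second look.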
|
||||
@@ -30,7 +32,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": [
|
||||
]
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -13,7 +13,7 @@ class ec2_instance_secrets_user_data(Check):
|
||||
def execute(self):
|
||||
findings = []
|
||||
for instance in ec2_client.instances:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = instance.region
|
||||
report.resource_id = instance.id
|
||||
|
||||
|
||||
@@ -1,8 +1,12 @@
|
||||
{
|
||||
"Provider": "aws",
|
||||
"CheckID": "ec2_network_acls_allow_ingress_any_port",
|
||||
"CheckID": "ec2_networkacl_allow_ingress_any_port",
|
||||
"CheckTitle": "Ensure no Network ACLs allow ingress from 0.0.0.0/0 to any port.",
|
||||
"CheckType": ["Software and Configuration Checks", "Industry and Regulatory Standards", "CIS AWS Foundations Benchmark"],
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards",
|
||||
"CIS AWS Foundations Benchmark"
|
||||
],
|
||||
"ServiceName": "ec2",
|
||||
"SubServiceName": "networkacl",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,6 +34,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "Infrastructure Security",
|
||||
"Compliance": []
|
||||
"Notes": "Infrastructure Security"
|
||||
}
|
||||
@@ -3,13 +3,13 @@ from providers.aws.services.ec2.ec2_client import ec2_client
|
||||
from providers.aws.services.ec2.lib.network_acls import check_network_acl
|
||||
|
||||
|
||||
class ec2_network_acls_allow_ingress_any_port(Check):
|
||||
class ec2_networkacl_allow_ingress_any_port(Check):
|
||||
def execute(self):
|
||||
findings = []
|
||||
tcp_protocol = "-1"
|
||||
check_port = 0
|
||||
for network_acl in ec2_client.network_acls:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = network_acl.region
|
||||
report.resource_id = network_acl.id
|
||||
# If some entry allows it, that ACL is not securely configured
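Review bot: `tcp_protocol = "-1"` is a misleading name: in a network ACL entry the protocol value `-1` denotes all protocols, not TCP, while the sibling `ec2_networkacl_allow_ingress_tcp_port_22` / `_3389` checks use `tcp_protocol = "6"` (TCP). Suggest `all_protocols = "-1"  # NACL entries use -1 for "all protocols"` and passing that to `check_network_acl`, so a reader does not assume this check only inspects TCP rules. Whether `check_network_acl` treats `-1` together with `check_port = 0` as a wildcard match is not visible from this hunk and is worth confirming against `lib/network_acls.py`. The `execute` body continues past the hunk.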
|
||||
@@ -6,7 +6,7 @@ from moto import mock_ec2
|
||||
AWS_REGION = "us-east-1"
|
||||
|
||||
|
||||
class Test_ec2_network_acls_allow_ingress_any_port:
|
||||
class ec2_networkacl_allow_ingress_any_port:
|
||||
@mock_ec2
|
||||
def test_ec2_default_nacls(self):
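Review bot: The test class on the new side is `class ec2_networkacl_allow_ingress_any_port:`, which drops the `Test_` prefix the old `Test_ec2_network_acls_allow_ingress_any_port` had; under pytest's default `python_classes = Test*` collection rule this class and its `test_*` methods will silently stop being collected, so the renamed check is effectively untested. The name also coincides with the check class each test method imports locally, which is confusing even though the function-scope import shadows it. The later hunk headers still show the old `Test_` prefix, which suggests the drop was accidental; suggest `class Test_ec2_networkacl_allow_ingress_any_port:`. The class body continues beyond this hunk.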
|
||||
|
||||
@@ -16,15 +16,15 @@ class Test_ec2_network_acls_allow_ingress_any_port:
|
||||
current_audit_info.audited_partition = "aws"
|
||||
|
||||
with mock.patch(
|
||||
"providers.aws.services.ec2.ec2_network_acls_allow_ingress_any_port.ec2_network_acls_allow_ingress_any_port.ec2_client",
|
||||
"providers.aws.services.ec2.ec2_networkacl_allow_ingress_any_port.ec2_networkacl_allow_ingress_any_port.ec2_client",
|
||||
new=EC2(current_audit_info),
|
||||
):
|
||||
# Test Check
|
||||
from providers.aws.services.ec2.ec2_network_acls_allow_ingress_any_port.ec2_network_acls_allow_ingress_any_port import (
|
||||
ec2_network_acls_allow_ingress_any_port,
|
||||
from providers.aws.services.ec2.ec2_networkacl_allow_ingress_any_port.ec2_networkacl_allow_ingress_any_port import (
|
||||
ec2_networkacl_allow_ingress_any_port,
|
||||
)
|
||||
|
||||
check = ec2_network_acls_allow_ingress_any_port()
|
||||
check = ec2_networkacl_allow_ingress_any_port()
|
||||
result = check.execute()
|
||||
|
||||
# One default nacl per region
|
||||
@@ -39,15 +39,15 @@ class Test_ec2_network_acls_allow_ingress_any_port:
|
||||
current_audit_info.audited_partition = "aws"
|
||||
|
||||
with mock.patch(
|
||||
"providers.aws.services.ec2.ec2_network_acls_allow_ingress_any_port.ec2_network_acls_allow_ingress_any_port.ec2_client",
|
||||
"providers.aws.services.ec2.ec2_networkacl_allow_ingress_any_port.ec2_networkacl_allow_ingress_any_port.ec2_client",
|
||||
new=EC2(current_audit_info),
|
||||
):
|
||||
# Test Check
|
||||
from providers.aws.services.ec2.ec2_network_acls_allow_ingress_any_port.ec2_network_acls_allow_ingress_any_port import (
|
||||
ec2_network_acls_allow_ingress_any_port,
|
||||
from providers.aws.services.ec2.ec2_networkacl_allow_ingress_any_port.ec2_networkacl_allow_ingress_any_port import (
|
||||
ec2_networkacl_allow_ingress_any_port,
|
||||
)
|
||||
|
||||
check = ec2_network_acls_allow_ingress_any_port()
|
||||
check = ec2_networkacl_allow_ingress_any_port()
|
||||
result = check.execute()
|
||||
|
||||
# One default sg per region
|
||||
@@ -83,15 +83,15 @@ class Test_ec2_network_acls_allow_ingress_any_port:
|
||||
current_audit_info.audited_partition = "aws"
|
||||
|
||||
with mock.patch(
|
||||
"providers.aws.services.ec2.ec2_network_acls_allow_ingress_any_port.ec2_network_acls_allow_ingress_any_port.ec2_client",
|
||||
"providers.aws.services.ec2.ec2_networkacl_allow_ingress_any_port.ec2_networkacl_allow_ingress_any_port.ec2_client",
|
||||
new=EC2(current_audit_info),
|
||||
):
|
||||
# Test Check
|
||||
from providers.aws.services.ec2.ec2_network_acls_allow_ingress_any_port.ec2_network_acls_allow_ingress_any_port import (
|
||||
ec2_network_acls_allow_ingress_any_port,
|
||||
from providers.aws.services.ec2.ec2_networkacl_allow_ingress_any_port.ec2_networkacl_allow_ingress_any_port import (
|
||||
ec2_networkacl_allow_ingress_any_port,
|
||||
)
|
||||
|
||||
check = ec2_network_acls_allow_ingress_any_port()
|
||||
check = ec2_networkacl_allow_ingress_any_port()
|
||||
result = check.execute()
|
||||
|
||||
# One default sg per region + default of new VPC + new NACL
|
||||
@@ -128,15 +128,15 @@ class Test_ec2_network_acls_allow_ingress_any_port:
|
||||
current_audit_info.audited_partition = "aws"
|
||||
|
||||
with mock.patch(
|
||||
"providers.aws.services.ec2.ec2_network_acls_allow_ingress_any_port.ec2_network_acls_allow_ingress_any_port.ec2_client",
|
||||
"providers.aws.services.ec2.ec2_networkacl_allow_ingress_any_port.ec2_networkacl_allow_ingress_any_port.ec2_client",
|
||||
new=EC2(current_audit_info),
|
||||
):
|
||||
# Test Check
|
||||
from providers.aws.services.ec2.ec2_network_acls_allow_ingress_any_port.ec2_network_acls_allow_ingress_any_port import (
|
||||
ec2_network_acls_allow_ingress_any_port,
|
||||
from providers.aws.services.ec2.ec2_networkacl_allow_ingress_any_port.ec2_networkacl_allow_ingress_any_port import (
|
||||
ec2_networkacl_allow_ingress_any_port,
|
||||
)
|
||||
|
||||
check = ec2_network_acls_allow_ingress_any_port()
|
||||
check = ec2_networkacl_allow_ingress_any_port()
|
||||
result = check.execute()
|
||||
|
||||
# One default sg per region + default of new VPC + new NACL
|
||||
@@ -2,7 +2,9 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "ec2_networkacl_allow_ingress_tcp_port_22",
|
||||
"CheckTitle": "Ensure no Network ACLs allow ingress from 0.0.0.0/0 to SSH port 22",
|
||||
"CheckType": ["Infrastructure Security"],
|
||||
"CheckType": [
|
||||
"Infrastructure Security"
|
||||
],
|
||||
"ServiceName": "ec2",
|
||||
"SubServiceName": "networkacl",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,17 +32,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": [
|
||||
{
|
||||
"Control": [
|
||||
"4.5"
|
||||
],
|
||||
"Framework": "CIS-AWS",
|
||||
"Group": [
|
||||
"level2"
|
||||
],
|
||||
"Version": "1.4"
|
||||
}
|
||||
]
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -9,7 +9,7 @@ class ec2_networkacl_allow_ingress_tcp_port_22(Check):
|
||||
tcp_protocol = "6"
|
||||
check_port = 22
|
||||
for network_acl in ec2_client.network_acls:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = network_acl.region
|
||||
# If some entry allows it, that ACL is not securely configured
|
||||
if not check_network_acl(network_acl.entries, tcp_protocol, check_port):
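Review bot: In the visible lines `report.resource_id` is never assigned for the network ACL, whereas the sibling `ec2_networkacl_allow_ingress_any_port` sets `report.resource_id = network_acl.id` immediately after `report.region`; if it is not assigned further down (the `execute` body continues past the hunk), the PASS/FAIL finding will carry no identifier for the ACL it refers to. Suggest adding `report.resource_id = network_acl.id` right after the region assignment, matching the any-port check.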
|
||||
|
||||
@@ -2,7 +2,9 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "ec2_networkacl_allow_ingress_tcp_port_3389",
|
||||
"CheckTitle": "Ensure no Network ACLs allow ingress from 0.0.0.0/0 to Microsoft RDP port 3389",
|
||||
"CheckType": ["Infrastructure Security"],
|
||||
"CheckType": [
|
||||
"Infrastructure Security"
|
||||
],
|
||||
"ServiceName": "ec2",
|
||||
"SubServiceName": "networkacl",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,17 +32,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": [
|
||||
{
|
||||
"Control": [
|
||||
"4.6"
|
||||
],
|
||||
"Framework": "CIS-AWS",
|
||||
"Group": [
|
||||
"level2"
|
||||
],
|
||||
"Version": "1.4"
|
||||
}
|
||||
]
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -9,7 +9,7 @@ class ec2_networkacl_allow_ingress_tcp_port_3389(Check):
|
||||
tcp_protocol = "6"
|
||||
check_port = 3389
|
||||
for network_acl in ec2_client.network_acls:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = network_acl.region
|
||||
# If some entry allows it, that ACL is not securely configured
|
||||
if not check_network_acl(network_acl.entries, tcp_protocol, check_port):
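Review bot: As in the port-22 check, `report.resource_id` is not set in the visible lines, while `ec2_networkacl_allow_ingress_any_port` sets `report.resource_id = network_acl.id` straight after `report.region`; if it is not assigned later in the body (which continues past the hunk) the RDP finding has no ACL identifier. Suggest `report.resource_id = network_acl.id` after the region assignment so the three NACL checks report consistently.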
|
||||
|
||||
@@ -2,7 +2,9 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
|
||||
"CheckTitle": "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to any port.",
|
||||
"CheckType": ["Infrastructure Security"],
|
||||
"CheckType": [
|
||||
"Infrastructure Security"
|
||||
],
|
||||
"ServiceName": "ec2",
|
||||
"SubServiceName": "securitygroup",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,6 +32,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": []
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -7,7 +7,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_any_port(Check):
|
||||
def execute(self):
|
||||
findings = []
|
||||
for security_group in ec2_client.security_groups:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = security_group.region
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"Security group {security_group.name} ({security_group.id}) has not all ports open to the Internet."
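Review bot: The PASS message `has not all ports open to the Internet` reads as broken English and is the text that ends up in reports; suggest `report.status_extended = f"Security group {security_group.name} ({security_group.id}) does not have all ports open to the Internet."`. The FTP, SSH and RDP sibling checks in this commit use the same `has not ... open to the Internet` phrasing and would benefit from the same wording fix. The `execute` body continues past the hunk.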
|
||||
|
||||
@@ -2,7 +2,9 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018",
|
||||
"CheckTitle": "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to MongoDB ports 27017 and 27018.",
|
||||
"CheckType": ["Infrastructure Security"],
|
||||
"CheckType": [
|
||||
"Infrastructure Security"
|
||||
],
|
||||
"ServiceName": "ec2",
|
||||
"SubServiceName": "securitygroup",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,6 +32,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": []
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -8,7 +8,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018(
|
||||
findings = []
|
||||
check_ports = [27017, 27018]
|
||||
for security_group in ec2_client.security_groups:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = security_group.region
|
||||
report.resource_id = security_group.id
|
||||
report.status = "PASS"
|
||||
|
||||
@@ -2,7 +2,9 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21",
|
||||
"CheckTitle": "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to FTP ports 20 or 21.",
|
||||
"CheckType": ["Infrastructure Security"],
|
||||
"CheckType": [
|
||||
"Infrastructure Security"
|
||||
],
|
||||
"ServiceName": "ec2",
|
||||
"SubServiceName": "securitygroup",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,17 +32,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": [
|
||||
{
|
||||
"Control": [
|
||||
"4.1"
|
||||
],
|
||||
"Framework": "CIS-AWS",
|
||||
"Group": [
|
||||
"level2"
|
||||
],
|
||||
"Version": "1.4"
|
||||
}
|
||||
]
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -8,7 +8,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21(Check)
|
||||
findings = []
|
||||
check_ports = [20, 21]
|
||||
for security_group in ec2_client.security_groups:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = security_group.region
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"Security group {security_group.name} ({security_group.id}) has not FTP ports 20 and 21 open to the Internet."
|
||||
|
||||
@@ -2,7 +2,9 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
|
||||
"CheckTitle": "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to SSH port 22.",
|
||||
"CheckType": ["Infrastructure Security"],
|
||||
"CheckType": [
|
||||
"Infrastructure Security"
|
||||
],
|
||||
"ServiceName": "ec2",
|
||||
"SubServiceName": "securitygroup",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,17 +32,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": [
|
||||
{
|
||||
"Control": [
|
||||
"4.1"
|
||||
],
|
||||
"Framework": "CIS-AWS",
|
||||
"Group": [
|
||||
"level2"
|
||||
],
|
||||
"Version": "1.4"
|
||||
}
|
||||
]
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -8,7 +8,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22(Check):
|
||||
findings = []
|
||||
check_ports = [22]
|
||||
for security_group in ec2_client.security_groups:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = security_group.region
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"Security group {security_group.name} ({security_group.id}) has not SSH port 22 open to the Internet."
|
||||
|
||||
@@ -2,7 +2,9 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389",
|
||||
"CheckTitle": "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389.",
|
||||
"CheckType": ["Infrastructure Security"],
|
||||
"CheckType": [
|
||||
"Infrastructure Security"
|
||||
],
|
||||
"ServiceName": "ec2",
|
||||
"SubServiceName": "securitygroup",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,17 +32,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": [
|
||||
{
|
||||
"Control": [
|
||||
"4.2"
|
||||
],
|
||||
"Framework": "CIS-AWS",
|
||||
"Group": [
|
||||
"level2"
|
||||
],
|
||||
"Version": "1.4"
|
||||
}
|
||||
]
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -8,7 +8,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389(Check):
|
||||
findings = []
|
||||
check_ports = [3389]
|
||||
for security_group in ec2_client.security_groups:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = security_group.region
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"Security group {security_group.name} ({security_group.id}) has not Microsoft RDP port 3389 open to the Internet."
|
||||
|
||||
@@ -2,7 +2,9 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888",
|
||||
"CheckTitle": "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Cassandra ports 7199 or 9160 or 8888.",
|
||||
"CheckType": ["Infrastructure Security"],
|
||||
"CheckType": [
|
||||
"Infrastructure Security"
|
||||
],
|
||||
"ServiceName": "ec2",
|
||||
"SubServiceName": "securitygroup",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,6 +32,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": []
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -10,7 +10,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9
|
||||
findings = []
|
||||
check_ports = [7199, 9160, 8888]
|
||||
for security_group in ec2_client.security_groups:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = security_group.region
|
||||
report.resource_id = security_group.id
|
||||
report.status = "PASS"
|
||||
|
||||
@@ -2,7 +2,9 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601",
|
||||
"CheckTitle": "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Elasticsearch/Kibana ports.",
|
||||
"CheckType": ["Infrastructure Security"],
|
||||
"CheckType": [
|
||||
"Infrastructure Security"
|
||||
],
|
||||
"ServiceName": "ec2",
|
||||
"SubServiceName": "securitygroup",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,6 +32,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": []
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -10,7 +10,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_ki
|
||||
findings = []
|
||||
check_ports = [9200, 9300, 5601]
|
||||
for security_group in ec2_client.security_groups:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = security_group.region
|
||||
report.resource_id = security_group.id
|
||||
report.status = "PASS"
|
||||
|
||||
@@ -2,7 +2,9 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092",
|
||||
"CheckTitle": "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Kafka port 9092.",
|
||||
"CheckType": ["Infrastructure Security"],
|
||||
"CheckType": [
|
||||
"Infrastructure Security"
|
||||
],
|
||||
"ServiceName": "ec2",
|
||||
"SubServiceName": "securitygroup",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,6 +32,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": []
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -8,7 +8,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092(Check
|
||||
findings = []
|
||||
check_ports = [9092]
|
||||
for security_group in ec2_client.security_groups:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = security_group.region
|
||||
report.resource_id = security_group.id
|
||||
report.status = "PASS"
|
||||
|
||||
@@ -2,7 +2,9 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211",
|
||||
"CheckTitle": "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Memcached port 11211.",
|
||||
"CheckType": ["Infrastructure Security"],
|
||||
"CheckType": [
|
||||
"Infrastructure Security"
|
||||
],
|
||||
"ServiceName": "ec2",
|
||||
"SubServiceName": "securitygroup",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,6 +32,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": []
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -8,7 +8,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211(
|
||||
findings = []
|
||||
check_ports = [11211]
|
||||
for security_group in ec2_client.security_groups:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = security_group.region
|
||||
report.resource_id = security_group.id
|
||||
report.status = "PASS"
|
||||
|
||||
@@ -2,7 +2,9 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306",
|
||||
"CheckTitle": "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to MySQL port 3306.",
|
||||
"CheckType": ["Infrastructure Security"],
|
||||
"CheckType": [
|
||||
"Infrastructure Security"
|
||||
],
|
||||
"ServiceName": "ec2",
|
||||
"SubServiceName": "securitygroups",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,6 +32,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": []
|
||||
"Notes": ""
|
||||
}
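Review bot: `"SubServiceName": "securitygroups"` in the mysql_3306 metadata is the only security-group check in this commit that uses the plural form; every sibling (kafka_9092, memcached_11211, postgres_5432, oracle_1521_2483, …) uses `"securitygroup"`. If anything downstream groups or filters findings by SubServiceName, this check would be separated from its siblings. Suggest `"SubServiceName": "securitygroup",`.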
|
||||
|
||||
@@ -8,7 +8,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306(Check
|
||||
findings = []
|
||||
check_ports = [3306]
|
||||
for security_group in ec2_client.security_groups:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = security_group.region
|
||||
report.resource_id = security_group.id
|
||||
report.status = "PASS"
|
||||
|
||||
@@ -1,9 +1,10 @@
|
||||
{
|
||||
"Provider": "aws",
|
||||
|
||||
"CheckID": "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483",
|
||||
"CheckTitle": "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Oracle ports 1521 or 2483.",
|
||||
"CheckType": ["Infrastructure Security"],
|
||||
"CheckType": [
|
||||
"Infrastructure Security"
|
||||
],
|
||||
"ServiceName": "ec2",
|
||||
"SubServiceName": "securitygroup",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -31,6 +32,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": []
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -8,7 +8,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483
|
||||
findings = []
|
||||
check_ports = [1521, 2483]
|
||||
for security_group in ec2_client.security_groups:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = security_group.region
|
||||
report.resource_id = security_group.id
|
||||
report.status = "PASS"
|
||||
|
||||
@@ -2,7 +2,9 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432",
|
||||
"CheckTitle": "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Postgres port 5432.",
|
||||
"CheckType": ["Infrastructure Security"],
|
||||
"CheckType": [
|
||||
"Infrastructure Security"
|
||||
],
|
||||
"ServiceName": "ec2",
|
||||
"SubServiceName": "securitygroup",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,6 +32,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": []
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -8,7 +8,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432(Ch
|
||||
findings = []
|
||||
check_ports = [5432]
|
||||
for security_group in ec2_client.security_groups:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = security_group.region
|
||||
report.resource_id = security_group.id
|
||||
report.status = "PASS"
|
||||
|
||||
@@ -2,7 +2,9 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379",
|
||||
"CheckTitle": "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Redis port 6379.",
|
||||
"CheckType": ["Infrastructure Security"],
|
||||
"CheckType": [
|
||||
"Infrastructure Security"
|
||||
],
|
||||
"ServiceName": "ec2",
|
||||
"SubServiceName": "securitygroup",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,6 +32,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": []
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -8,7 +8,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379(Check
|
||||
findings = []
|
||||
check_ports = [6379]
|
||||
for security_group in ec2_client.security_groups:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = security_group.region
|
||||
report.resource_id = security_group.id
|
||||
report.status = "PASS"
|
||||
|
||||
@@ -2,7 +2,9 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434",
|
||||
"CheckTitle": "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Windows SQL Server ports 1433 or 1434.",
|
||||
"CheckType": ["Infrastructure Security"],
|
||||
"CheckType": [
|
||||
"Infrastructure Security"
|
||||
],
|
||||
"ServiceName": "ec2",
|
||||
"SubServiceName": "securitygroup",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,6 +32,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": []
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -10,7 +10,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_
|
||||
findings = []
|
||||
check_ports = [1433, 1434]
|
||||
for security_group in ec2_client.security_groups:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = security_group.region
|
||||
report.resource_id = security_group.id
|
||||
report.status = "PASS"
|
||||
|
||||
@@ -2,7 +2,9 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23",
|
||||
"CheckTitle": "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Telnet port 23.",
|
||||
"CheckType": ["Infrastructure Security"],
|
||||
"CheckType": [
|
||||
"Infrastructure Security"
|
||||
],
|
||||
"ServiceName": "ec2",
|
||||
"SubServiceName": "securitygroup",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,6 +32,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": []
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -8,7 +8,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23(Check)
|
||||
findings = []
|
||||
check_ports = [23]
|
||||
for security_group in ec2_client.security_groups:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = security_group.region
|
||||
report.resource_id = security_group.id
|
||||
report.status = "PASS"
|
||||
|
||||
@@ -1,8 +1,10 @@
|
||||
{
|
||||
"Provider": "aws",
|
||||
"CheckID": "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092",
|
||||
"CheckID": "ec2_securitygroup_allow_wide_open_public_ipv4",
|
||||
"CheckTitle": "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Kafka port 9092.",
|
||||
"CheckType": ["Infrastructure Security"],
|
||||
"CheckType": [
|
||||
"Infrastructure Security"
|
||||
],
|
||||
"ServiceName": "ec2",
|
||||
"SubServiceName": "securitygroup",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,6 +32,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": []
|
||||
"Notes": ""
|
||||
}
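Review bot: The CheckID is corrected to `ec2_securitygroup_allow_wide_open_public_ipv4`, but the CheckTitle on the following line still reads `Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Kafka port 9092.`, which looks like a copy-paste leftover from the kafka_9092 metadata. The title is what appears in reports, so it should describe this check, e.g. `"CheckTitle": "Ensure no security groups allow ingress from wide-open public IPv4 ranges.",` with the wording matched to the threshold the check actually applies. The Description and Risk fields are outside the hunk and may carry the same leftover text; worth checking.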
|
||||
|
||||
@@ -9,7 +9,7 @@ class ec2_securitygroup_allow_wide_open_public_ipv4(Check):
|
||||
findings = []
|
||||
cidr_treshold = 24
|
||||
for security_group in ec2_client.security_groups:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = security_group.region
|
||||
report.resource_id = security_group.id
|
||||
report.status = "PASS"
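Review bot: `cidr_treshold = 24` misspells the variable name; `cidr_threshold = 24` is clearer and greppable. The constant is also unexplained: a comment stating what 24 means (presumably the prefix length at or below which an ingress CIDR counts as wide open — the comparison is outside the hunk, so confirm) would save the next reader a trip into the loop body. The enclosing `execute` body starts and ends outside the hunk.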
|
||||
|
||||
@@ -2,7 +2,9 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "ec2_securitygroup_default_restrict_traffic",
|
||||
"CheckTitle": "Ensure the default security group of every VPC restricts all traffic.",
|
||||
"CheckType": ["Infrastructure Security"],
|
||||
"CheckType": [
|
||||
"Infrastructure Security"
|
||||
],
|
||||
"ServiceName": "ec2",
|
||||
"SubServiceName": "securitygroup",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,6 +32,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": []
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -7,7 +7,7 @@ class ec2_securitygroup_default_restrict_traffic(Check):
|
||||
def execute(self):
|
||||
findings = []
|
||||
for security_group in ec2_client.security_groups:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = security_group.region
|
||||
report.resource_id = security_group.id
|
||||
# Find default security group
|
||||
|
||||
@@ -2,7 +2,9 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "ec2_securitygroup_from_launch_wizard",
|
||||
"CheckTitle": "Security Groups created by EC2 Launch Wizard.",
|
||||
"CheckType": ["Infrastructure Security"],
|
||||
"CheckType": [
|
||||
"Infrastructure Security"
|
||||
],
|
||||
"ServiceName": "ec2",
|
||||
"SubServiceName": "securitygroup",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,6 +32,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": []
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -6,7 +6,7 @@ class ec2_securitygroup_from_launch_wizard(Check):
|
||||
def execute(self):
|
||||
findings = []
|
||||
for security_group in ec2_client.security_groups:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = security_group.region
|
||||
report.resource_id = security_group.id
|
||||
report.status = "PASS"
|
||||
|
||||
@@ -1,8 +1,10 @@
|
||||
{
|
||||
"Provider": "aws",
|
||||
"CheckID": "ec2_securitygroup_with_many_ingress_egress_rules",
|
||||
"CheckID": "ec2_securitygroup_in_use_without_ingress_filtering",
|
||||
"CheckTitle": "Ensure there are no Security Groups without ingress filtering being used.",
|
||||
"CheckType": ["Infrastructure Security"],
|
||||
"CheckType": [
|
||||
"Infrastructure Security"
|
||||
],
|
||||
"ServiceName": "ec2",
|
||||
"SubServiceName": "securitygroup",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,6 +32,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": []
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -7,7 +7,7 @@ class ec2_securitygroup_in_use_without_ingress_filtering(Check):
|
||||
def execute(self):
|
||||
findings = []
|
||||
for security_group in ec2_client.security_groups:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = security_group.region
|
||||
report.resource_id = security_group.id
|
||||
report.status = "PASS"
|
||||
|
||||
@@ -2,7 +2,9 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "ec2_securitygroup_not_used",
|
||||
"CheckTitle": "Ensure there are no Security Groups not being used.",
|
||||
"CheckType": ["Infrastructure Security"],
|
||||
"CheckType": [
|
||||
"Infrastructure Security"
|
||||
],
|
||||
"ServiceName": "ec2",
|
||||
"SubServiceName": "securitygroup",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,6 +32,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": []
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -6,7 +6,7 @@ class ec2_securitygroup_not_used(Check):
|
||||
def execute(self):
|
||||
findings = []
|
||||
for security_group in ec2_client.security_groups:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = security_group.region
|
||||
report.resource_id = security_group.id
|
||||
report.status = "PASS"
|
||||
|
||||
@@ -2,7 +2,9 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "ec2_securitygroup_with_many_ingress_egress_rules",
|
||||
"CheckTitle": "Find security groups with more than 50 ingress or egress rules.",
|
||||
"CheckType": ["Infrastructure Security"],
|
||||
"CheckType": [
|
||||
"Infrastructure Security"
|
||||
],
|
||||
"ServiceName": "ec2",
|
||||
"SubServiceName": "securitygroup",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,6 +32,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": []
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -8,7 +8,7 @@ class ec2_securitygroup_with_many_ingress_egress_rules(Check):
|
||||
findings = []
|
||||
max_security_group_rules = get_config_var("max_security_group_rules")
|
||||
for security_group in ec2_client.security_groups:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = security_group.region
|
||||
report.resource_id = security_group.id
|
||||
report.status = "PASS"
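Review bot: The threshold is read from `get_config_var("max_security_group_rules")`, yet this check's metadata title, changed earlier in the same commit, hard-codes `Find security groups with more than 50 ingress or egress rules.`, so reports will state a number that may differ from the configured one. Either word the title around the configured maximum or state that 50 is the default. If `get_config_var` can return None for an unset key, the comparison later in `execute` (outside the hunk) would also need a guard; I cannot tell that from the hunk. The enclosing `execute` body starts and ends outside the hunk.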
|
||||
|
||||