From bb543cb5db671c97e76217f975b1c82df83acac5 Mon Sep 17 00:00:00 2001
From: ToastyCat <56387033+therealtoastycat@users.noreply.github.com>
Date: Mon, 30 Oct 2023 21:16:25 +0100
Subject: [PATCH] fix(ec2_instance_imdsv2_enabled ): verify if metadata service is disabled (#2978)
Co-authored-by: Sergio Garcia
---
 .../ec2_instance_imdsv2_enabled.py | 5 ++
 .../ec2_instance_imdsv2_enabled_test.py | 59 +++++++++++++++++--
 .../guardduty_is_enabled_test.py | 10 ++--
 3 files changed, 64 insertions(+), 10 deletions(-)
diff --git a/prowler/providers/aws/services/ec2/ec2_instance_imdsv2_enabled/ec2_instance_imdsv2_enabled.py b/prowler/providers/aws/services/ec2/ec2_instance_imdsv2_enabled/ec2_instance_imdsv2_enabled.py
index d9c9408a..2e316be6 100644
--- a/prowler/providers/aws/services/ec2/ec2_instance_imdsv2_enabled/ec2_instance_imdsv2_enabled.py
+++ b/prowler/providers/aws/services/ec2/ec2_instance_imdsv2_enabled/ec2_instance_imdsv2_enabled.py
@@ -24,6 +24,11 @@ class ec2_instance_imdsv2_enabled(Check):
 report.status_extended = (
 f"EC2 Instance {instance.id} has IMDSv2 enabled and required."
 )
+ elif instance.http_endpoint == "disabled":
+ report.status = "PASS"
+ report.status_extended = (
+ f"EC2 Instance {instance.id} has metadata service disabled."
+ )
 findings.append(report)
diff --git a/tests/providers/aws/services/ec2/ec2_instance_imdsv2_enabled/ec2_instance_imdsv2_enabled_test.py b/tests/providers/aws/services/ec2/ec2_instance_imdsv2_enabled/ec2_instance_imdsv2_enabled_test.py
index b64896e0..957aeb6c 100644
--- a/tests/providers/aws/services/ec2/ec2_instance_imdsv2_enabled/ec2_instance_imdsv2_enabled_test.py
+++ b/tests/providers/aws/services/ec2/ec2_instance_imdsv2_enabled/ec2_instance_imdsv2_enabled_test.py
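Review bot: The new `elif instance.http_endpoint == "disabled"` branch only runs when the preceding condition is false, and that condition sits outside the hunk; if it tests `http_tokens` alone, an instance with tokens required but the endpoint disabled is still described as "has IMDSv2 enabled and required", which hides the more accurate state. Checking the disabled endpoint before the IMDSv2 branch would make the finding text match the instance, if that ordering is acceptable to the check's consumers. The branch also deserves a why-comment, since a PASS from a check named imdsv2_enabled is surprising on first read: `# A disabled endpoint exposes no IMDS at all, so there is no IMDSv1 surface left to protect.` The enclosing loop and any default status assignment start outside the hunk.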
@@ -117,7 +117,7 @@ class Test_ec2_instance_imdsv2_enabled:
 )
 @mock_ec2
- def test_one_uncompliant_ec2(self):
+ def test_one_uncompliant_ec2_metadata_server_disabled(self):
 ec2 = resource("ec2", region_name=AWS_REGION)
 instance = ec2.create_instances(
 ImageId=EXAMPLE_AMI_ID,
@@ -151,13 +151,62 @@ class Test_ec2_instance_imdsv2_enabled:
 result = check.execute()
 assert len(result) == 1
- assert result[0].status == "FAIL"
+ assert result[0].status == "PASS"
 assert result[0].region == AWS_REGION
 # Moto fills instance tags with None
 assert result[0].resource_tags is None
- assert search(
- f"EC2 Instance {instance.id} has IMDSv2 disabled or not required",
- result[0].status_extended,
+ assert (
+ result[0].status_extended
+ == f"EC2 Instance {instance.id} has metadata service disabled."
+ )
+ assert result[0].resource_id == instance.id
+ assert (
+ result[0].resource_arn
+ == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:instance/{instance.id}"
+ )
+
+ @mock_ec2
+ def test_one_uncompliant_ec2_metadata_server_enabled(self):
+ ec2 = resource("ec2", region_name=AWS_REGION)
+ instance = ec2.create_instances(
+ ImageId=EXAMPLE_AMI_ID,
+ MinCount=1,
+ MaxCount=1,
+ MetadataOptions={
+ "HttpTokens": "optional",
+ "HttpEndpoint": "enabled",
+ },
+ )[0]
+
+ from prowler.providers.aws.services.ec2.ec2_service import EC2
+
+ current_audit_info = self.set_mocked_audit_info()
+
+ with mock.patch(
+ "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
+ new=current_audit_info,
+ ), mock.patch(
+ "prowler.providers.aws.services.ec2.ec2_instance_imdsv2_enabled.ec2_instance_imdsv2_enabled.ec2_client",
+ new=EC2(current_audit_info),
+ ) as service_client:
+ from prowler.providers.aws.services.ec2.ec2_instance_imdsv2_enabled.ec2_instance_imdsv2_enabled import (
+ ec2_instance_imdsv2_enabled,
+ )
+
+ service_client.instances[0].http_endpoint = "enabled"
+ service_client.instances[0].http_tokens = "optional"
+
+ check = ec2_instance_imdsv2_enabled()
+ result = check.execute()
+
+ assert len(result) == 1
+ assert result[0].status == "FAIL"
+ assert result[0].region == AWS_REGION
+ # Moto fills instance tags with None
+ assert result[0].resource_tags is None
+ assert (
+ result[0].status_extended
+ == f"EC2 Instance {instance.id} has IMDSv2 disabled or not required."
 )
 assert result[0].resource_id == instance.id
 assert (
diff --git a/tests/providers/aws/services/guardduty/guardduty_is_enabled/guardduty_is_enabled_test.py b/tests/providers/aws/services/guardduty/guardduty_is_enabled/guardduty_is_enabled_test.py
index 8ca4e7c3..1718947b 100644
--- a/tests/providers/aws/services/guardduty/guardduty_is_enabled/guardduty_is_enabled_test.py
+++ b/tests/providers/aws/services/guardduty/guardduty_is_enabled/guardduty_is_enabled_test.py
@@ -143,8 +143,8 @@ class Test_:
 guardduty_client.detectors = []
 guardduty_client.detectors.append(
 Detector(
- id=detector_id,
- arn=detector_arn,
+ id=DETECTOR_ID,
+ arn=DETECTOR_ARN,
 region=AWS_REGION,
 )
 )
@@ -162,8 +162,8 @@ class Test_:
 assert result[0].status == "WARNING"
 assert (
 result[0].status_extended
- == f"GuardDuty detector {detector_id} not configured."
+ == f"GuardDuty detector {DETECTOR_ID} not configured."
 )
- assert result[0].resource_id == detector_id
- assert result[0].resource_arn == detector_arn
+ assert result[0].resource_id == DETECTOR_ID
+ assert result[0].resource_arn == DETECTOR_ARN
 assert result[0].region == AWS_REGION
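Review bot: `test_one_uncompliant_ec2_metadata_server_disabled` now asserts `result[0].status == "PASS"`, so the "uncompliant" in its name contradicts what it verifies; `test_one_compliant_ec2_metadata_server_disabled` would keep the suite's naming honest (the rename itself and the instance's `create_instances` call are in the -117 hunk above, and that method's body starts outside this hunk). In the new `test_one_uncompliant_ec2_metadata_server_enabled`, overwriting `service_client.instances[0].http_endpoint` and `http_tokens` after the service is built means the test exercises the check's branching but not whether the EC2 service actually maps MetadataOptions from the API; a comment such as `# Attributes are forced here; moto's MetadataOptions mapping is not what is under test` would stop a reader from assuming that mapping is covered. With the `search(` call removed, the file's `search` import may now be unused unless another test still calls it; worth checking before merge.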