fix(ec2_instance_imdsv2_enabled ): verify if metadata service is disabled (#2978)

Co-authored-by: Sergio Garcia <sergargar1@gmail.com>
ToastyCat
2023-10-30 21:16:25 +01:00
committed by GitHub
parent 373ce0ad04
commit bb543cb5db
3 changed files with 64 additions and 10 deletions


@@ -117,7 +117,7 @@ class Test_ec2_instance_imdsv2_enabled:
)
@mock_ec2
def test_one_uncompliant_ec2(self):
def test_one_uncompliant_ec2_metadata_server_disabled(self):
ec2 = resource("ec2", region_name=AWS_REGION)
instance = ec2.create_instances(
ImageId=EXAMPLE_AMI_ID,
@@ -151,13 +151,62 @@ class Test_ec2_instance_imdsv2_enabled:
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert result[0].status == "PASS"
assert result[0].region == AWS_REGION
# Moto fills instance tags with None
assert result[0].resource_tags is None
assert search(
f"EC2 Instance {instance.id} has IMDSv2 disabled or not required",
result[0].status_extended,
assert (
result[0].status_extended
== f"EC2 Instance {instance.id} has metadata service disabled."
)
assert result[0].resource_id == instance.id
assert (
result[0].resource_arn
== f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:instance/{instance.id}"
)
@mock_ec2
def test_one_uncompliant_ec2_metadata_server_enabled(self):
ec2 = resource("ec2", region_name=AWS_REGION)
instance = ec2.create_instances(
ImageId=EXAMPLE_AMI_ID,
MinCount=1,
MaxCount=1,
MetadataOptions={
"HttpTokens": "optional",
"HttpEndpoint": "enabled",
},
)[0]
from prowler.providers.aws.services.ec2.ec2_service import EC2
current_audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.ec2.ec2_instance_imdsv2_enabled.ec2_instance_imdsv2_enabled.ec2_client",
new=EC2(current_audit_info),
) as service_client:
from prowler.providers.aws.services.ec2.ec2_instance_imdsv2_enabled.ec2_instance_imdsv2_enabled import (
ec2_instance_imdsv2_enabled,
)
service_client.instances[0].http_endpoint = "enabled"
service_client.instances[0].http_tokens = "optional"
check = ec2_instance_imdsv2_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert result[0].region == AWS_REGION
# Moto fills instance tags with None
assert result[0].resource_tags is None
assert (
result[0].status_extended
== f"EC2 Instance {instance.id} has IMDSv2 disabled or not required."
)
assert result[0].resource_id == instance.id
assert (
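Review bot: The renamed test at the top of the hunk, `test_one_uncompliant_ec2_metadata_server_disabled`, now asserts `result[0].status == "PASS"` and the message `has metadata service disabled.`, so it exercises the compliant case and the name contradicts what it checks; rename it to `test_one_compliant_ec2_metadata_server_disabled` so a failing test reports the right scenario. Treating a disabled metadata endpoint as a pass is the sensible outcome for this check, since no IMDS version is reachable on such an instance, but the hunk does not show the instance's `MetadataOptions` for that test, so confirm it really creates the instance with `HttpEndpoint` disabled rather than relying on a moto default. In the new `test_one_uncompliant_ec2_metadata_server_enabled`, the instance is created with `HttpTokens: optional` / `HttpEndpoint: enabled` and then the same values are written again to `service_client.instances[0]`; if that is a workaround for the mocked service not surfacing metadata options, a one-line comment such as `# moto does not populate metadata options on the collected instance; set them explicitly` would spare the next reader the guess. The body of that second test continues past the end of the hunk.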


@@ -143,8 +143,8 @@ class Test_:
guardduty_client.detectors = []
guardduty_client.detectors.append(
Detector(
id=detector_id,
arn=detector_arn,
id=DETECTOR_ID,
arn=DETECTOR_ARN,
region=AWS_REGION,
)
)
@@ -162,8 +162,8 @@ class Test_:
assert result[0].status == "WARNING"
assert (
result[0].status_extended
== f"GuardDuty detector {detector_id} not configured."
== f"GuardDuty detector {DETECTOR_ID} not configured."
)
assert result[0].resource_id == detector_id
assert result[0].resource_arn == detector_arn
assert result[0].resource_id == DETECTOR_ID
assert result[0].resource_arn == DETECTOR_ARN
assert result[0].region == AWS_REGION