ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-11 07:15:15 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(): Sagemaker service and checks (#1490)

Browse Source 
Co-authored-by: sergargar <sergio@verica.io>
This commit is contained in:
Nacho Rivera
2022-11-17 12:56:36 +01:00
committed by GitHub
parent 67b5de205b
commit daa299c7a6
54 changed files with 1805 additions and 470 deletions
Download Patch File Download Diff File Expand all files Collapse all files

0
providers/aws/services/sagemaker/sagemaker_notebook_instance_encryption_enabled/__init__.py Normal file
View File

35
providers/aws/services/sagemaker/sagemaker_notebook_instance_encryption_enabled/sagemaker_notebook_instance_encryption_enabled.metadata.json Normal file
View File

@@ -0,0 +1,35 @@
{
"Provider": "aws",
"CheckID": "sagemaker_notebook_instance_encryption_enabled",
"CheckTitle": "Check if Amazon SageMaker Notebook instances have data encryption enabled",
"CheckType": [],
"ServiceName": "sagemaker",
"SubServiceName": "",
"ResourceIdTemplate": "arn:aws:sagemaker:region:account-id:notebook-instance",
"Severity": "medium",
"ResourceType": "AwsSageMakerNotebookInstance",
"Description": "Check if Amazon SageMaker Notebook instances have data encryption enabled",
"Risk": "Data exfiltration could happen if information is not protected. KMS keys provide additional security level to IAM policies.",
"RelatedUrl": "https://docs.aws.amazon.com/sagemaker/latest/dg/key-management.html",
"Remediation": {
"Code": {
"CLI": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/SageMaker/notebook-data-encrypted.html",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/SageMaker/notebook-data-encrypted.html",
"Terraform": "https://docs.bridgecrew.io/docs/bc_aws_general_40#fix---buildtime"
},
"Recommendation": {
"Text": "Specify AWS KMS keys to use for input and output from S3 and EBS.",
"Url": "https://docs.aws.amazon.com/sagemaker/latest/dg/key-management.html"
}
},
"Categories": [],
"Tags": {
"Tag1Key": "value",
"Tag2Key": "value"
},
"DependsOn": [],
"RelatedTo": [],
"Notes": "",
"Compliance": []
}

21
providers/aws/services/sagemaker/sagemaker_notebook_instance_encryption_enabled/sagemaker_notebook_instance_encryption_enabled.py Normal file
View File

@@ -0,0 +1,21 @@
from lib.check.models import Check, Check_Report
from providers.aws.services.sagemaker.sagemaker_client import sagemaker_client
class sagemaker_notebook_instance_encryption_enabled(Check):
def execute(self):
findings = []
for notebook_instance in sagemaker_client.sagemaker_notebook_instances:
report = Check_Report(self.metadata)
report.region = notebook_instance.region
report.resource_id = notebook_instance.name
report.resource_arn = notebook_instance.arn
report.status = "PASS"
report.status_extended = f"Sagemaker notebook instance {notebook_instance.name} has data encryption enabled"
if not notebook_instance.kms_key_id:
report.status = "FAIL"
report.status_extended = f"Sagemaker notebook instance {notebook_instance.name} has data encryption disabled"
findings.append(report)
return findings

82
providers/aws/services/sagemaker/sagemaker_notebook_instance_encryption_enabled/sagemaker_notebook_instance_encryption_enabled_test.py Normal file
View File

@@ -0,0 +1,82 @@
from re import search
from unittest import mock
from uuid import uuid4
from providers.aws.services.sagemaker.sagemaker_service import NotebookInstance
AWS_REGION = "eu-west-1"
AWS_ACCOUNT_NUMBER = "123456789012"
test_notebook_instance = "test-notebook-instance"
notebook_instance_arn = f"arn:aws:sagemaker:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:notebook-instance/{test_notebook_instance}"
kms_key = str(uuid4())
class Test_sagemaker_notebook_instance_encryption_enabled:
def test_no_instances(self):
sagemaker_client = mock.MagicMock
sagemaker_client.sagemaker_notebook_instances = []
with mock.patch(
"providers.aws.services.sagemaker.sagemaker_service.SageMaker",
sagemaker_client,
):
from providers.aws.services.sagemaker.sagemaker_notebook_instance_encryption_enabled.sagemaker_notebook_instance_encryption_enabled import (
sagemaker_notebook_instance_encryption_enabled,
)
check = sagemaker_notebook_instance_encryption_enabled()
result = check.execute()
assert len(result) == 0
def test_instance_with_kms_key(self):
sagemaker_client = mock.MagicMock
sagemaker_client.sagemaker_notebook_instances = []
sagemaker_client.sagemaker_notebook_instances.append(
NotebookInstance(
name=test_notebook_instance,
arn=notebook_instance_arn,
region=AWS_REGION,
kms_key_id=kms_key,
)
)
with mock.patch(
"providers.aws.services.sagemaker.sagemaker_service.SageMaker",
sagemaker_client,
):
from providers.aws.services.sagemaker.sagemaker_notebook_instance_encryption_enabled.sagemaker_notebook_instance_encryption_enabled import (
sagemaker_notebook_instance_encryption_enabled,
)
check = sagemaker_notebook_instance_encryption_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert search("has data encryption enabled", result[0].status_extended)
assert result[0].resource_id == test_notebook_instance
assert result[0].resource_arn == notebook_instance_arn
def test_instance_no_kms_key(self):
sagemaker_client = mock.MagicMock
sagemaker_client.sagemaker_notebook_instances = []
sagemaker_client.sagemaker_notebook_instances.append(
NotebookInstance(
name=test_notebook_instance,
arn=notebook_instance_arn,
region=AWS_REGION,
)
)
with mock.patch(
"providers.aws.services.sagemaker.sagemaker_service.SageMaker",
sagemaker_client,
):
from providers.aws.services.sagemaker.sagemaker_notebook_instance_encryption_enabled.sagemaker_notebook_instance_encryption_enabled import (
sagemaker_notebook_instance_encryption_enabled,
)
check = sagemaker_notebook_instance_encryption_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert search("has data encryption disabled", result[0].status_extended)
assert result[0].resource_id == test_notebook_instance
assert result[0].resource_arn == notebook_instance_arn