From e8cc0e66840f263369ed0548296249dc36d597e4 Mon Sep 17 00:00:00 2001
From: Nacho Rivera
Date: Wed, 29 Mar 2023 09:13:43 +0200
Subject: [PATCH] fix(delete check): delete check ec2_securitygroup_in_use_without_ingress_filtering (#2148)
---
 docs/tutorials/aws/v2_to_v3_checks_mapping.md | 1 -
 docs/tutorials/pentesting.md | 3 +-
 poetry.lock | 8 +-
 prowler/compliance/aws/ens_rd2022_aws.json | 2 +-
 .../__init__.py | 0
 ...se_without_ingress_filtering.metadata.json | 34 ----
 ...ygroup_in_use_without_ingress_filtering.py | 28 ---
 ...p_in_use_without_ingress_filtering_test.py | 191 ------------------
 8 files changed, 6 insertions(+), 261 deletions(-)
 delete mode 100644 prowler/providers/aws/services/ec2/ec2_securitygroup_in_use_without_ingress_filtering/__init__.py
 delete mode 100644 prowler/providers/aws/services/ec2/ec2_securitygroup_in_use_without_ingress_filtering/ec2_securitygroup_in_use_without_ingress_filtering.metadata.json
 delete mode 100644 prowler/providers/aws/services/ec2/ec2_securitygroup_in_use_without_ingress_filtering/ec2_securitygroup_in_use_without_ingress_filtering.py
 delete mode 100644 tests/providers/aws/services/ec2/ec2_securitygroup_in_use_without_ingress_filtering/ec2_securitygroup_in_use_without_ingress_filtering_test.py
diff --git a/docs/tutorials/aws/v2_to_v3_checks_mapping.md b/docs/tutorials/aws/v2_to_v3_checks_mapping.md
index ab0330c7..2d8652d2 100644
--- a/docs/tutorials/aws/v2_to_v3_checks_mapping.md
+++ b/docs/tutorials/aws/v2_to_v3_checks_mapping.md
@@ -113,7 +113,6 @@ checks_v3_to_v2_mapping = {
 "ec2_securitygroup_allow_wide_open_public_ipv4": "extra778",
 "ec2_securitygroup_default_restrict_traffic": "check43",
 "ec2_securitygroup_from_launch_wizard": "extra7173",
- "ec2_securitygroup_in_use_without_ingress_filtering": "extra74",
 "ec2_securitygroup_not_used": "extra75",
 "ec2_securitygroup_with_many_ingress_egress_rules": "extra777",
 "ecr_repositories_lifecycle_policy_enabled": "extra7194",
diff --git a/docs/tutorials/pentesting.md b/docs/tutorials/pentesting.md
index 69542b76..b34a1d0e 100644
--- a/docs/tutorials/pentesting.md
+++ b/docs/tutorials/pentesting.md
@@ -33,9 +33,8 @@ Several checks analyse resources that are exposed to the Internet, these are:
 - ec2_instance_internet_facing_with_instance_profile
 - ec2_instance_public_ip
 - ec2_networkacl_allow_ingress_any_port
-- ec2_securitygroup_allow_ingress_from_internet_to_any_port
 - ec2_securitygroup_allow_wide_open_public_ipv4
-- ec2_securitygroup_in_use_without_ingress_filtering
+- ec2_securitygroup_allow_ingress_from_internet_to_any_port
 - ecr_repositories_not_publicly_accessible
 - eks_control_plane_endpoint_access_restricted
 - eks_endpoints_not_publicly_accessible
diff --git a/poetry.lock b/poetry.lock
index 07a1191e..13c40f70 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -1,4 +1,4 @@ -# This file is automatically @generated by Poetry and should not be changed by hand. +# This file is automatically @generated by Poetry 1.4.0 and should not be changed by hand. [[package]] name = "about-time"
@@ -2432,14 +2432,14 @@ contextlib2 = ">=0.5.5" [[package]] name = "setuptools" -version = "67.6.0" +version = "67.6.1" description = "Easily download, build, install, upgrade, and uninstall Python packages" category = "dev" optional = false python-versions = ">=3.7" files = [ - {file = "setuptools-67.6.0-py3-none-any.whl", hash = "sha256:b78aaa36f6b90a074c1fa651168723acbf45d14cb1196b6f02c0fd07f17623b2"}, - {file = "setuptools-67.6.0.tar.gz", hash = "sha256:2ee892cd5f29f3373097f5a814697e397cf3ce313616df0af11231e2ad118077"}, + {file = "setuptools-67.6.1-py3-none-any.whl", hash = "sha256:e728ca814a823bf7bf60162daf9db95b93d532948c4c0bea762ce62f60189078"}, + {file = "setuptools-67.6.1.tar.gz", hash = "sha256:257de92a9d50a60b8e22abfcbb771571fde0dbf3ec234463212027a4eeecbe9a"}, ] [package.extras]
diff --git a/prowler/compliance/aws/ens_rd2022_aws.json b/prowler/compliance/aws/ens_rd2022_aws.json
index e59b86bc..adbea12b 100644
--- a/prowler/compliance/aws/ens_rd2022_aws.json
+++ b/prowler/compliance/aws/ens_rd2022_aws.json
@@ -1626,7 +1626,7 @@
 }
 ],
 "Checks": [
- "ec2_securitygroup_in_use_without_ingress_filtering"
+ "ec2_securitygroup_allow_ingress_from_internet_to_any_port"
 ]
 },
 {
diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_in_use_without_ingress_filtering/__init__.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_in_use_without_ingress_filtering/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_in_use_without_ingress_filtering/ec2_securitygroup_in_use_without_ingress_filtering.metadata.json b/prowler/providers/aws/services/ec2/ec2_securitygroup_in_use_without_ingress_filtering/ec2_securitygroup_in_use_without_ingress_filtering.metadata.json
deleted file mode 100644
index 4e49482b..00000000
--- a/prowler/providers/aws/services/ec2/ec2_securitygroup_in_use_without_ingress_filtering/ec2_securitygroup_in_use_without_ingress_filtering.metadata.json
+++ /dev/null
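Review bot: The ENS control in this hunk now points to `ec2_securitygroup_allow_ingress_from_internet_to_any_port`, but nothing in the commit shows that check's FAIL condition, so the equivalence of the new mapping is asserted rather than demonstrated. The removed check (its body is deleted later in this patch) set FAIL whenever any ingress rule satisfied `check_security_group(ingress_rule, "-1")` and only varied status_extended by whether network interfaces were attached, so the "in use" qualifier never affected the status. If the replacement applies the same all-protocol predicate the control keeps its coverage; if it is narrower (specific ports or protocols), this ENS requirement silently covers fewer groups than before. Either way the commit description should state which, e.g. `ENS mapping moved to ec2_securitygroup_allow_ingress_from_internet_to_any_port; same FAIL condition as the deleted check`.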
@@ -1,34 +0,0 @@ -{ - "Provider": "aws", - "CheckID": "ec2_securitygroup_in_use_without_ingress_filtering", - "CheckTitle": "Ensure there are no Security Groups without ingress filtering being used.", - "CheckType": [ - "Infrastructure Security" - ], - "ServiceName": "ec2", - "SubServiceName": "securitygroup", - "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id", - "Severity": "high", - "ResourceType": "AwsEc2SecurityGroup", - "Description": "Ensure there are no Security Groups without ingress filtering being used.", - "Risk": "If Security groups are not filtering traffic appropriately the attack surface is increased.", - "RelatedUrl": "", - "Remediation": { - "Code": { - "CLI": "", - "NativeIaC": "", - "Other": "", - "Terraform": "" - }, - "Recommendation": { - "Text": "You can grant access to a specific CIDR range or to another security group in your VPC or in a peer VPC.", - "Url": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html" - } - }, - "Categories": [ - "internet-exposed" - ], - "DependsOn": [], - "RelatedTo": [], - "Notes": "" -} diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_in_use_without_ingress_filtering/ec2_securitygroup_in_use_without_ingress_filtering.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_in_use_without_ingress_filtering/ec2_securitygroup_in_use_without_ingress_filtering.py deleted file mode 100644 index 134df7d7..00000000 --- a/prowler/providers/aws/services/ec2/ec2_securitygroup_in_use_without_ingress_filtering/ec2_securitygroup_in_use_without_ingress_filtering.py +++ /dev/null 
@@ -1,28 +0,0 @@ -from prowler.lib.check.models import Check, Check_Report_AWS -from prowler.providers.aws.services.ec2.ec2_client import ec2_client -from prowler.providers.aws.services.ec2.lib.security_groups import check_security_group - - -class ec2_securitygroup_in_use_without_ingress_filtering(Check): - def execute(self): - findings = [] - for security_group in ec2_client.security_groups: - report = Check_Report_AWS(self.metadata()) - report.region = security_group.region - report.resource_id = security_group.id - report.resource_arn = security_group.arn - report.resource_tags = security_group.tags - report.status = "PASS" - report.status_extended = f"Security group {security_group.name} ({security_group.id}) has ingress filtering." - for ingress_rule in security_group.ingress_rules: - if check_security_group(ingress_rule, "-1"): - report.status = "FAIL" - if len(security_group.network_interfaces) > 0: - report.status_extended = f"Security group {security_group.name} ({security_group.id}) has no ingress filtering and it is being used." - else: - report.status_extended = f"Security group {security_group.name} ({security_group.id}) has no ingress filtering and it is not being used." - break - - findings.append(report) - - return findings diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_in_use_without_ingress_filtering/ec2_securitygroup_in_use_without_ingress_filtering_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_in_use_without_ingress_filtering/ec2_securitygroup_in_use_without_ingress_filtering_test.py deleted file mode 100644 index 88a3d166..00000000 --- a/tests/providers/aws/services/ec2/ec2_securitygroup_in_use_without_ingress_filtering/ec2_securitygroup_in_use_without_ingress_filtering_test.py +++ /dev/null 
@@ -1,191 +0,0 @@ -from re import search -from unittest import mock - -from boto3 import client, resource -from moto import mock_ec2 - -AWS_REGION = "us-east-1" -EXAMPLE_AMI_ID = "ami-12c6146b" - - -class Test_ec2_securitygroup_in_use_without_ingress_filtering: - @mock_ec2 - def test_ec2_default_sgs(self): - # Create EC2 Mocked Resources - ec2_client = client("ec2", region_name=AWS_REGION) - ec2_client.create_vpc(CidrBlock="10.0.0.0/16") - - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info - from prowler.providers.aws.services.ec2.ec2_service import EC2 - - current_audit_info.audited_partition = "aws" - current_audit_info.audited_regions = ["eu-west-1", "us-east-1"] - - with mock.patch( - "prowler.providers.aws.services.ec2.ec2_securitygroup_in_use_without_ingress_filtering.ec2_securitygroup_in_use_without_ingress_filtering.ec2_client", - new=EC2(current_audit_info), - ): - # Test Check - from prowler.providers.aws.services.ec2.ec2_securitygroup_in_use_without_ingress_filtering.ec2_securitygroup_in_use_without_ingress_filtering import ( - ec2_securitygroup_in_use_without_ingress_filtering, - ) - - check = ec2_securitygroup_in_use_without_ingress_filtering() - result = check.execute() - - # One default sg per region - assert len(result) == 3 - # All are compliant by default - assert result[0].status == "PASS" - - @mock_ec2 - def test_ec2_unused_public_default_sg(self): - # Create EC2 Mocked Resources - ec2_client = client("ec2", region_name=AWS_REGION) - ec2_client.create_vpc(CidrBlock="10.0.0.0/16") - default_sg_id = ec2_client.describe_security_groups(GroupNames=["default"])[ - "SecurityGroups" - ][0]["GroupId"] - ec2_client.authorize_security_group_ingress( - GroupId=default_sg_id, - IpPermissions=[ - { - "IpProtocol": "-1", - "IpRanges": [{"CidrIp": "0.0.0.0/0"}], - } - ], - ) - - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info - from prowler.providers.aws.services.ec2.ec2_service import EC2 - - 
current_audit_info.audited_partition = "aws" - current_audit_info.audited_regions = ["eu-west-1", "us-east-1"] - - with mock.patch( - "prowler.providers.aws.services.ec2.ec2_securitygroup_in_use_without_ingress_filtering.ec2_securitygroup_in_use_without_ingress_filtering.ec2_client", - new=EC2(current_audit_info), - ): - # Test Check - from prowler.providers.aws.services.ec2.ec2_securitygroup_in_use_without_ingress_filtering.ec2_securitygroup_in_use_without_ingress_filtering import ( - ec2_securitygroup_in_use_without_ingress_filtering, - ) - - check = ec2_securitygroup_in_use_without_ingress_filtering() - result = check.execute() - - # One default sg per region - assert len(result) == 3 - # Search changed sg - for sg in result: - if sg.resource_id == default_sg_id: - assert sg.status == "FAIL" - assert search( - "has no ingress filtering and it is not being used", - sg.status_extended, - ) - assert ( - sg.resource_arn - == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{default_sg_id}" - ) - - @mock_ec2 - def test_ec2_used_public_default_sg(self): - # Create EC2 Mocked Resources - ec2_client = client("ec2", region_name=AWS_REGION) - ec2_client.create_vpc(CidrBlock="10.0.0.0/16") - default_sg_id = ec2_client.describe_security_groups(GroupNames=["default"])[ - "SecurityGroups" - ][0]["GroupId"] - ec2_client.authorize_security_group_ingress( - GroupId=default_sg_id, - IpPermissions=[ - { - "IpProtocol": "-1", - "IpRanges": [{"CidrIp": "0.0.0.0/0"}], - } - ], - ) - ec2 = resource("ec2", region_name=AWS_REGION) - ec2.create_instances( - ImageId=EXAMPLE_AMI_ID, - MinCount=1, - MaxCount=1, - SecurityGroupIds=[ - default_sg_id, - ], - ) - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info - from prowler.providers.aws.services.ec2.ec2_service import EC2 - - current_audit_info.audited_partition = "aws" - current_audit_info.audited_regions = ["eu-west-1", "us-east-1"] - - with 
mock.patch( - "prowler.providers.aws.services.ec2.ec2_securitygroup_in_use_without_ingress_filtering.ec2_securitygroup_in_use_without_ingress_filtering.ec2_client", - new=EC2(current_audit_info), - ): - # Test Check - from prowler.providers.aws.services.ec2.ec2_securitygroup_in_use_without_ingress_filtering.ec2_securitygroup_in_use_without_ingress_filtering import ( - ec2_securitygroup_in_use_without_ingress_filtering, - ) - - check = ec2_securitygroup_in_use_without_ingress_filtering() - result = check.execute() - - # One default sg per region - assert len(result) == 3 - # Search changed sg - for sg in result: - if sg.resource_id == default_sg_id: - assert sg.status == "FAIL" - assert search( - "has no ingress filtering and it is being used", - sg.status_extended, - ) - assert ( - sg.resource_arn - == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{default_sg_id}" - ) - - @mock_ec2 - def test_ec2_private_default_sg(self): - # Create EC2 Mocked Resources - ec2_client = client("ec2", region_name=AWS_REGION) - ec2_client.create_vpc(CidrBlock="10.0.0.0/16") - default_sg_id = ec2_client.describe_security_groups(GroupNames=["default"])[ - "SecurityGroups" - ][0]["GroupId"] - - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info - from prowler.providers.aws.services.ec2.ec2_service import EC2 - - current_audit_info.audited_partition = "aws" - current_audit_info.audited_regions = ["eu-west-1", "us-east-1"] - - with mock.patch( - "prowler.providers.aws.services.ec2.ec2_securitygroup_in_use_without_ingress_filtering.ec2_securitygroup_in_use_without_ingress_filtering.ec2_client", - new=EC2(current_audit_info), - ): - # Test Check - from prowler.providers.aws.services.ec2.ec2_securitygroup_in_use_without_ingress_filtering.ec2_securitygroup_in_use_without_ingress_filtering import ( - ec2_securitygroup_in_use_without_ingress_filtering, - ) - - check = 
ec2_securitygroup_in_use_without_ingress_filtering() - result = check.execute() - - # One default sg per region - assert len(result) == 3 - # Search changed sg - for sg in result: - if sg.resource_id == default_sg_id: - assert sg.status == "PASS" - assert search( - "has ingress filtering", - sg.status_extended, - ) - assert ( - sg.resource_arn - == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{default_sg_id}" - )