Improve publicly accessible checks to include targets of ELBs prowler…
…-cloud#3237 Wrote checks for EC2, Lambda, and ECS to make sure they are not behind any public facing ALBs and ELBs in VPCs that have no security groups
Showing
19 changed files
with
1,570 additions
and
0 deletions.
Empty file.
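--- a/...ble_via_elbv2/awslambda_function_not_directly_publicly_accessible_via_elbv2.metadata.json
+++ b/...ble_via_elbv2/awslambda_function_not_directly_publicly_accessible_via_elbv2.metadata.json
@@ -0,0 +1,32 @@
+{
+  "Provider": "aws",
+  "CheckID": "awslambda_function_not_directly_publicly_accessible_via_elbv2",
+  "CheckTitle": "Check if Lambda functions have public application load balancer ahead of them.",
+  "CheckType": [],
+  "ServiceName": "lambda",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:partition:lambda:region:account-id:function/function-name",
+  "Severity": "critical",
+  "ResourceType": "AwsLambdaFunction",
+  "Description": "Check if Lambda functions have public application load balancer ahead of them.",
+  "Risk": "Publicly accessible services could expose sensitive data to bad actors.",
+  "RelatedUrl": "https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html",
+  "Remediation": {
+    "Code": {
+      "CLI": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Lambda/function-exposed.html",
+      "NativeIaC": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Lambda/function-exposed.html",
+      "Other": "",
+      "Terraform": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Lambda/function-exposed.html"
+    },
+    "Recommendation": {
+      "Text": "Place security groups around public load balancers",
+      "Url": "https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html"
+    }
+  },
+  "Categories": [
+    "internet-exposed"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}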
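Review bot: The "CLI", "NativeIaC" and "Terraform" entries under "Remediation.Code" hold the same knowledge-base URL instead of a command or a code snippet, which is what those fields carry in the other metadata files of this repository; move the link to "Remediation.Recommendation.Url" or "Other" and leave the code fields empty until real remediation snippets exist. "CheckType" is an empty list here while the EC2 and ECS metadata in this commit populate it. The recommendation text "Place security groups around public load balancers" does not describe what the accompanying check tests, which is only whether the function is registered in a Lambda target group; the recommendation should name the actual condition that makes the finding pass.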
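--- a/...cly_accessible_via_elbv2/awslambda_function_not_directly_publicly_accessible_via_elbv2.py
+++ b/...cly_accessible_via_elbv2/awslambda_function_not_directly_publicly_accessible_via_elbv2.py
@@ -0,0 +1,28 @@
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.awslambda.awslambda_client import awslambda_client
+from prowler.providers.aws.services.elbv2.elbv2_client import elbv2_client
+
+
+class awslambda_function_not_directly_publicly_accessible_via_elbv2(Check):
+    def execute(self):
+        findings = []
+        public_lambda_functions = {}
+
+        for target_group in elbv2_client.target_groups:
+            if target_group.target_type == "lambda":
+                public_lambda_functions[target_group.target] = target_group.lbdns
+
+        for function in awslambda_client.functions.values():
+            report = Check_Report_AWS(self.metadata())
+            report.region = function.region
+            report.resource_id = function.name
+            report.resource_arn = function.arn
+            report.resource_tags = function.tags
+            report.status = "PASS"
+            report.status_extended = f"Lambda function {function.name} is not behind a internet facing load balancer."
+
+            if function.arn in public_lambda_functions:
+                report.status = "FAIL"
+                report.status_extended = f"Lambda function {function.name} is behind a internet facing load balancer {function.arn}."
+            findings.append(report)
+        return findings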
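Review bot: The lookup built in the loop over `elbv2_client.target_groups` records every target group whose target_type is "lambda" without checking whether the owning load balancer is internet-facing, so a function fronted only by an internal ALB is reported as FAIL with a message that calls the load balancer internet facing; the same gap is in ec2_instance_not_directly_publicly_accessible_via_elbv2 and ecs_container_not_directly_publicly_accessible_via_elbv2 in this commit, whereas ec2_instance_not_directly_publicly_accessible_via_elb does test `lb.scheme == "internet-facing"`. Whether the target-group model exposes the load balancer scheme is not visible here; if it does not, the elbv2 load balancer list is the place to resolve it before filling the dict. Separately, the FAIL message interpolates `function.arn` where the value stored under that key, the load balancer DNS name, was presumably intended: `report.status_extended = f"Lambda function {function.name} is behind a internet facing load balancer {public_lambda_functions[function.arn]}."`. The commit message also promises a security-group condition that none of the three elbv2 checks implements.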
Empty file.
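--- a/...ly_accessible_via_elb/ec2_instance_not_directly_publicly_accessible_via_elb.metadata.json
+++ b/...ly_accessible_via_elb/ec2_instance_not_directly_publicly_accessible_via_elb.metadata.json
@@ -0,0 +1,34 @@
+{
+  "Provider": "aws",
+  "CheckID": "ec2_instance_not_directly_publicly_accessible_via_elb",
+  "CheckTitle": "Check for EC2 instances behind internet facing classic load balancers.",
+  "CheckType": [
+    "Infrastructure Security"
+  ],
+  "ServiceName": "ec2",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "Severity": "medium",
+  "ResourceType": "AwsEc2Instance",
+  "Description": "Check for EC2 instances behind internet facing classic load balancers.",
+  "Risk": "Exposing an EC2 to a classic load balancer that is internet facing can lead to comprimisation",
+  "RelatedUrl": "",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Apply security groups to classic load balancers",
+      "Url": ""
+    }
+  },
+  "Categories": [
+    "internet-exposed"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}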
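Review bot: "Risk" reads "can lead to comprimisation"; "compromise" is the word, and the same misspelling appears in the ec2_instance_not_directly_publicly_accessible_via_elbv2 metadata in this commit. "RelatedUrl" and every "Remediation" field are empty strings, so the finding gives the reader nothing to act on, while the Lambda metadata in the same commit at least links documentation. "Severity" is "medium" here although the Lambda and ECS checks for the same kind of exposure are "critical"; if the difference is deliberate it belongs in "Notes".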
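--- a/...ctly_publicly_accessible_via_elb/ec2_instance_not_directly_publicly_accessible_via_elb.py
+++ b/...ctly_publicly_accessible_via_elb/ec2_instance_not_directly_publicly_accessible_via_elb.py
@@ -0,0 +1,31 @@
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.ec2.ec2_client import ec2_client
+from prowler.providers.aws.services.elb.elb_client import elb_client
+
+
+class ec2_instance_not_directly_publicly_accessible_via_elb(Check):
+    def execute(self):
+        findings = []
+        public_instances = {}
+
+        for lb in elb_client.loadbalancers:
+            if lb.scheme == "internet-facing" and len(lb.security_groups) > 0:
+                for instance in lb.instances:
+                    public_instances[instance] = lb
+
+        for instance in ec2_client.instances:
+            if instance.state != "terminated":
+                report = Check_Report_AWS(self.metadata())
+                report.region = instance.region
+                report.resource_id = instance.id
+                report.resource_arn = instance.arn
+                report.resource_tags = instance.tags
+                report.status = "PASS"
+                report.status_extended = f"EC2 Instance {instance.id} is not behind a internet facing classic load balancer."
+
+                # if the instanceId of the public lb is the same as the instances that are active, fail
+                if instance.id in public_instances:
+                    report.status = "FAIL"
+                    report.status_extended = f"EC2 Instance {instance.id} is behind a internet facing classic load balancer {public_instances[instance.id].dns}."
+                findings.append(report)
+        return findings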
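Review bot: The guard `len(lb.security_groups) > 0` in the loop over `elb_client.loadbalancers` is the inverse of what the commit describes (instances behind public ELBs in VPCs that have no security groups): an internet-facing classic load balancer with no security group attached is skipped, and only load balancers that do have one are recorded as public. An attached security group also says nothing about what it permits, so the defensible condition is to flag every internet-facing load balancer and leave security-group scope to a dedicated check: `if lb.scheme == "internet-facing":`. The dict is filled with `public_instances[instance] = lb` but the lookup uses `instance.id`, which only matches if the elb model's instances attribute holds bare instance ids; that is not visible here and deserves a comment on the assignment, e.g. `# lb.instances holds instance ids, matched against ec2 instance.id below`.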
Empty file.
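--- a/...ccessible_via_elbv2/ec2_instance_not_directly_publicly_accessible_via_elbv2.metadata.json
+++ b/...ccessible_via_elbv2/ec2_instance_not_directly_publicly_accessible_via_elbv2.metadata.json
@@ -0,0 +1,34 @@
+{
+  "Provider": "aws",
+  "CheckID": "ec2_instance_not_directly_publicly_accessible_via_elbv2",
+  "CheckTitle": "Check for EC2 instances behind internet facing ALB/NLB/GLB.",
+  "CheckType": [
+    "Infrastructure Security"
+  ],
+  "ServiceName": "ec2",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "Severity": "medium",
+  "ResourceType": "AwsEc2Instance",
+  "Description": "Check for EC2 instances behind internet facing ALB/NLB/GLB.",
+  "Risk": "Exposing an EC2 to a ALB/NLB/GLB that is internet facing can lead to comprimisation",
+  "RelatedUrl": "",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Apply security groups to load balancers",
+      "Url": ""
+    }
+  },
+  "Categories": [
+    "internet-exposed"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}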
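--- a/..._publicly_accessible_via_elbv2/ec2_instance_not_directly_publicly_accessible_via_elbv2.py
+++ b/..._publicly_accessible_via_elbv2/ec2_instance_not_directly_publicly_accessible_via_elbv2.py
@@ -0,0 +1,30 @@
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.ec2.ec2_client import ec2_client
+from prowler.providers.aws.services.elbv2.elbv2_client import elbv2_client
+
+
+class ec2_instance_not_directly_publicly_accessible_via_elbv2(Check):
+    def execute(self):
+        findings = []
+        public_instances = {}
+
+        for tg in elbv2_client.target_groups:
+            if tg.target_type == "instance":
+                public_instances[tg.target] = tg.lbdns
+
+        for instance in ec2_client.instances:
+            if instance.state != "terminated":
+                report = Check_Report_AWS(self.metadata())
+                report.region = instance.region
+                report.resource_id = instance.id
+                report.resource_arn = instance.arn
+                report.resource_tags = instance.tags
+                report.status = "PASS"
+                report.status_extended = f"EC2 Instance {instance.id} is not behind a internet facing load balancer."
+
+                # if the instanceId of the public lb is the same as the instances that are active, fail
+                if instance.id in public_instances:
+                    report.status = "FAIL"
+                    report.status_extended = f"EC2 Instance {instance.id} is behind a internet facing load balancer {public_instances[instance.id]}."
+                findings.append(report)
+        return findings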
Empty file.
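--- a/...cessible_via_elbv2/ecs_container_not_directly_publicly_accessible_via_elbv2.metadata.json
+++ b/...cessible_via_elbv2/ecs_container_not_directly_publicly_accessible_via_elbv2.metadata.json
@@ -0,0 +1,35 @@
+{
+  "Provider": "aws",
+  "CheckID": "ecs_container_not_directly_publicly_accessible_via_elbv2",
+  "CheckTitle": "Check for internet facing ALBs in front of a ECS container",
+  "CheckType": [
+    "Data Protection"
+  ],
+  "ServiceName": "ecs",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "Severity": "critical",
+  "ResourceType": "AwsEcsService",
+  "Description": "Check if the load balancer in front of the ECS container is public, and if so, check if it has security groups to have a firewall",
+  "Risk": "Having your ECS containers public with no security groups are prone to be comprimised",
+  "RelatedUrl": "",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Place security groups on your ECS containers",
+      "Url": ""
+    }
+  },
+  "Categories": [
+    "internet-facing"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}
+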
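Review bot: "Categories" here is "internet-facing" while the other three metadata files in this commit use "internet-exposed"; categories are what a category-filtered run selects on, so this check would be silently left out of a scan that asks for internet-exposed, and the entry should read `"internet-exposed"`. "Description" says the check tests whether the public load balancer has security groups, but the accompanying ecs_container_not_directly_publicly_accessible_via_elbv2 code never looks at security groups, so either the text or the code needs to change. "Risk" misspells "compromised" and is ungrammatical ("containers ... are prone to be"); "ResourceType" is "AwsEcsService" although the check reports per container ARN, which is worth confirming against the schema.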
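--- a/...publicly_accessible_via_elbv2/ecs_container_not_directly_publicly_accessible_via_elbv2.py
+++ b/...publicly_accessible_via_elbv2/ecs_container_not_directly_publicly_accessible_via_elbv2.py
@@ -0,0 +1,30 @@
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.ecs.ecs_client import ecs_client
+from prowler.providers.aws.services.elbv2.elbv2_client import elbv2_client
+
+
+class ecs_container_not_directly_publicly_accessible_via_elbv2(Check):
+    def execute(self):
+        findings = []
+        public_instances = {}
+
+        for tg in elbv2_client.target_groups:
+            if tg.target_type == "ip":
+                public_instances[tg.target] = tg.lbdns
+
+        for container in ecs_client.containers:
+            report = Check_Report_AWS(self.metadata())
+            report.resource_arn = container.arn
+            report.resource_tags = container.tags
+            report.status = "PASS"
+            report.status_extended = f"ECS container {container.arn} is not behind any internet facing load balancer."
+
+            # if the container private ip of the public lb is the same as the instances that are active, fail
+            if container.ipv4 in public_instances:
+                report.status = "FAIL"
+                report.status_extended = f"ECS container {container.arn} is behind a internet facing load balancer {public_instances[container.ipv4]}."
+            elif container.ipv6 in public_instances:
+                report.status = "FAIL"
+                report.status_extended = f"ECS container {container.arn} is behind a internet facing load balancer {public_instances[container.ipv6]}."
+            findings.append(report)
+        return findings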
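Review bot: `report.region` is never set on the ECS report, although the other three checks in this commit set it from the resource and the report's region is what the output is keyed on; `report.resource_id` is missing too, so the finding carries only the ARN. Add `report.region = container.region` next to the ARN assignment if the ECS container model carries a region, which is not visible here. The two FAIL branches keyed on `container.ipv4` and `container.ipv6` repeat the same message; resolving the hit once with `lb_dns = public_instances.get(container.ipv4) or public_instances.get(container.ipv6)` and failing when it is set keeps one message and one place to extend. Matching a target group of type "ip" on the container's own address also assumes the target entry holds that address verbatim, and, as raised on the Lambda check, the load balancer scheme is never tested before the dict is treated as "public".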