Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(internet-exposed): New public exposed checks #3801

Open
wants to merge 7 commits into
base: master
Choose a base branch
from
Open

feat(internet-exposed): New public exposed checks #3801

wants to merge 7 commits into from

Conversation

jfagoagas
Copy link
Member

@jfagoagas jfagoagas commented Apr 17, 2024
edited

Context

Thanks to @abant07 for this work! 👏

Fixes #3237

Description

New checks:

  • awslambda_function_not_directly_publicly_accessible_via_elbv2
  • ec2_instance_not_directly_publicly_accessible_via_elb
  • ec2_instance_not_directly_publicly_accessible_via_elbv2

To-Do:

  • Verify ALB/ELB and Instance/Lambda security group and ports
  • Include the target groups in the ALB/ELB object

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@jfagoagas jfagoagas requested review from a team as code owners April 17, 2024 08:03
@github-actions github-actions bot added the provider/aws Issues/PRs related with the AWS provider label Apr 17, 2024
@jfagoagas jfagoagas mentioned this pull request Apr 17, 2024
Closed
jfagoagas
jfagoagas commented Apr 17, 2024
View reviewed changes
prowler/providers/aws/services/elbv2/elbv2_service.py Outdated
Comment on lines 62 to 66
if (
lb.scheme == "internet-facing"
and lb.type == "application"
and len(lb.security_groups) > 0
):
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd store all with a check of public if this condition is met.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

jfagoagas
jfagoagas commented Apr 17, 2024
View reviewed changes
...y_accessible_via_elbv2/ec2_instance_not_directly_publicly_accessible_via_elbv2.metadata.json
Comment on lines +16 to +21
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Terraform": ""
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Complete this.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is no information

jfagoagas
jfagoagas commented Apr 17, 2024
View reviewed changes
...licly_accessible_via_elb/ec2_instance_not_directly_publicly_accessible_via_elb.metadata.json
Comment on lines +16 to +21
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Terraform": ""
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Complete this.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is no information

jfagoagas
jfagoagas commented Apr 17, 2024
View reviewed changes
...ssible_via_elbv2/awslambda_function_not_directly_publicly_accessible_via_elbv2.metadata.json Outdated
Comment on lines 14 to 20
"Remediation": {
"Code": {
"CLI": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Lambda/function-exposed.html",
"NativeIaC": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Lambda/function-exposed.html",
"Other": "",
"Terraform": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Lambda/function-exposed.html"
},
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review this.

@codecov Codecov
Copy link

codecov bot commented Apr 17, 2024
edited

Codecov Report

Attention: Patch coverage is 95.49550% with 5 lines in your changes are missing coverage. Please review.

Project coverage is 85.63%. Comparing base (6fd7135) to head (7c8727f).
Report is 6 commits behind head on master.

Files Patch % Lines
...wler/providers/aws/services/elbv2/elbv2_service.py 83.87% 5 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #3801      +/-   ##
==========================================
+ Coverage   85.61%   85.63%   +0.01%     
==========================================
  Files         731      740       +9     
  Lines       22659    22919     +260     
==========================================
+ Hits        19400    19626     +226     
- Misses       3259     3293      +34

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@jfagoagas jfagoagas added the no-merge Please, DO NOT MERGE this PR. label Apr 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sergargar sergargar sergargar left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
no-merge Please, DO NOT MERGE this PR. provider/aws Issues/PRs related with the AWS provider
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Improve publicly accessible checks to include targets of ELBs
3 participants
@jfagoagas @sergargar @abant07