feat(internet-exposed): New public exposed checks #3801
Closed
Commits
7 commits
0b55244 debugging lambda test for albs (abant07)
860f1d0 debugging awslambda test case for public alb check (abant07)
006fbf7 chore: general fixes (jfagoagas)
63d0529 fix: tests (jfagoagas)
da6d821 review PR (sergargar)
69c6d59 solve comment (sergargar)
7c8727f fix(elbv2): Add public attribute to TargetGroups (jfagoagas)
32 changes: 32 additions & 0 deletions
...ble_via_elbv2/awslambda_function_not_directly_publicly_accessible_via_elbv2.metadata.json
@@ -0,0 +1,32 @@ | ||
{ | ||
"Provider": "aws", | ||
"CheckID": "awslambda_function_not_directly_publicly_accessible_via_elbv2", | ||
"CheckTitle": "Check if Lambda functions have public application load balancer ahead of them.", | ||
"CheckType": [], | ||
"ServiceName": "lambda", | ||
"SubServiceName": "", | ||
"ResourceIdTemplate": "arn:partition:lambda:region:account-id:function/function-name", | ||
"Severity": "critical", | ||
"ResourceType": "AwsLambdaFunction", | ||
"Description": "Check if Lambda functions have public application load balancer ahead of them.", | ||
"Risk": "Publicly accessible services could expose sensitive data to bad actors.", | ||
"RelatedUrl": "https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html", | ||
"Remediation": { | ||
"Code": { | ||
"CLI": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Lambda/function-exposed.html", | ||
"NativeIaC": "", | ||
"Other": "", | ||
"Terraform": "" | ||
}, | ||
"Recommendation": { | ||
"Text": "Place security groups around public load balancers", | ||
"Url": "https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html" | ||
} | ||
}, | ||
"Categories": [ | ||
"internet-exposed" | ||
], | ||
"DependsOn": [], | ||
"RelatedTo": [], | ||
"Notes": "" | ||
} |
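Review bot: the remediation and recommendation fields do not match what this check detects. `"CLI"` holds a Trend Micro knowledge-base URL rather than a CLI command, so it belongs under `"Other"` (or should be replaced by an actual `aws elbv2` command), and `"Text": "Place security groups around public load balancers"` together with the resource-based-policy `"Url"` describe Lambda invoke permissions, not an internet-facing ALB in front of the function. Also, `"CheckType": []` is empty while the sibling EC2 checks use `"Infrastructure Security"`, and `"Severity": "critical"` is two levels above the `"medium"` used for the equivalent EC2 checks; either justify the difference or align them.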
29 changes: 29 additions & 0 deletions
...cly_accessible_via_elbv2/awslambda_function_not_directly_publicly_accessible_via_elbv2.py
@@ -0,0 +1,29 @@ | ||
from prowler.lib.check.models import Check, Check_Report_AWS | ||
from prowler.providers.aws.services.awslambda.awslambda_client import awslambda_client | ||
from prowler.providers.aws.services.elbv2.elbv2_client import elbv2_client | ||
|
||
|
||
class awslambda_function_not_directly_publicly_accessible_via_elbv2(Check): | ||
def execute(self): | ||
findings = [] | ||
|
||
if awslambda_client.functions: | ||
public_lambda_functions = {} | ||
for target_group in elbv2_client.target_groups: | ||
if target_group.public and target_group.target_type == "lambda": | ||
public_lambda_functions[target_group.target] = target_group.arn | ||
|
||
for function in awslambda_client.functions.values(): | ||
report = Check_Report_AWS(self.metadata()) | ||
report.region = function.region | ||
report.resource_id = function.name | ||
report.resource_arn = function.arn | ||
report.resource_tags = function.tags | ||
report.status = "PASS" | ||
report.status_extended = f"Lambda function {function.name} is not behind an Internet facing Load Balancer." | ||
|
||
if function.arn in public_lambda_functions: | ||
report.status = "FAIL" | ||
report.status_extended = f"Lambda function {function.name} is behind an Internet facing Load Balancer through target group {public_lambda_functions[function.arn]}." | ||
findings.append(report) | ||
return findings |
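Review bot: `function.arn in public_lambda_functions` can miss functions registered under a qualified ARN. An ALB Lambda target may be registered with a version or alias suffix (`...:function:name:alias`), and that string will not equal the unqualified `function.arn`, so the function would PASS while being internet-facing; strip the qualifier when building the dict (or compare on the unqualified prefix) and add a test with an alias-qualified target. Separately, `public_lambda_functions[target_group.target] = target_group.arn` keeps only the last target group per function, so the FAIL message names a single target group when several may apply; storing a list would make the finding complete. The PASS text "is not behind an Internet facing Load Balancer" should also say ELBv2 explicitly, since Function URLs and other exposure paths are not evaluated here.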
34 changes: 34 additions & 0 deletions
...ly_accessible_via_elb/ec2_instance_not_directly_publicly_accessible_via_elb.metadata.json
@@ -0,0 +1,34 @@ | ||
{ | ||
"Provider": "aws", | ||
"CheckID": "ec2_instance_not_directly_publicly_accessible_via_elb", | ||
"CheckTitle": "Check for EC2 instances behind internet facing classic load balancers.", | ||
"CheckType": [ | ||
"Infrastructure Security" | ||
], | ||
"ServiceName": "ec2", | ||
"SubServiceName": "", | ||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id", | ||
"Severity": "medium", | ||
"ResourceType": "AwsEc2Instance", | ||
"Description": "Check for EC2 instances behind internet facing classic load balancers.", | ||
"Risk": "Exposing an EC2 to a classic load balancer that is internet facing can lead to comprimisation", | ||
"RelatedUrl": "", | ||
"Remediation": { | ||
"Code": { | ||
"CLI": "", | ||
"NativeIaC": "", | ||
"Other": "", | ||
"Terraform": "" | ||
}, | ||
"Recommendation": { | ||
"Text": "Apply security groups to classic load balancers", | ||
"Url": "" | ||
} | ||
}, | ||
"Categories": [ | ||
"internet-exposed" | ||
], | ||
"DependsOn": [], | ||
"RelatedTo": [], | ||
"Notes": "" | ||
} |
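Review bot: `"Risk"` has a typo, "comprimisation" should read "compromise", e.g. "Exposing an EC2 instance behind an internet-facing classic load balancer can lead to compromise". `"RelatedUrl"`, every entry under `"Remediation.Code"` and `"Recommendation.Url"` are empty; the check needs at least a documentation link and one concrete remediation step (restricting the listener's security group ingress or switching the scheme to internal). The recommendation "Apply security groups to classic load balancers" also sits oddly against the check logic in the .py file, which only flags load balancers that already have at least one security group attached (`len(lb.security_groups) > 0`).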
30 changes: 30 additions & 0 deletions
...ctly_publicly_accessible_via_elb/ec2_instance_not_directly_publicly_accessible_via_elb.py
@@ -0,0 +1,30 @@ | ||
from prowler.lib.check.models import Check, Check_Report_AWS | ||
from prowler.providers.aws.services.ec2.ec2_client import ec2_client | ||
from prowler.providers.aws.services.elb.elb_client import elb_client | ||
|
||
|
||
class ec2_instance_not_directly_publicly_accessible_via_elb(Check): | ||
def execute(self): | ||
findings = [] | ||
if ec2_client.instances: | ||
public_instances = {} | ||
for lb in elb_client.loadbalancers: | ||
if lb.scheme == "internet-facing" and len(lb.security_groups) > 0: | ||
for instance in lb.instances: | ||
public_instances[instance] = lb | ||
|
||
for instance in ec2_client.instances: | ||
if instance.state != "terminated": | ||
report = Check_Report_AWS(self.metadata()) | ||
report.region = instance.region | ||
report.resource_id = instance.id | ||
report.resource_arn = instance.arn | ||
report.resource_tags = instance.tags | ||
report.status = "PASS" | ||
report.status_extended = f"EC2 Instance {instance.id} is not behind an Internet facing Classic Load Balancer." | ||
|
||
if instance.id in public_instances: | ||
report.status = "FAIL" | ||
report.status_extended = f"EC2 Instance {instance.id} is behind an Internet facing Classic Load Balancer {public_instances[instance.id].dns}." | ||
findings.append(report) | ||
return findings |
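Review bot: the `len(lb.security_groups) > 0` condition looks inverted or at least undocumented. An internet-facing classic load balancer in a VPC always carries at least one security group, while one in EC2-Classic carries none, so this clause only skips EC2-Classic load balancers, which are still internet-facing; if the intent is to require a restrictive group, the rule should inspect the group's ingress rules rather than count groups, and if it is meant to exclude EC2-Classic it deserves a comment. Also, `public_instances[instance] = lb` assumes `lb.instances` is a list of instance-id strings matching `instance.id`; please confirm the ELB model shape and add a test where an instance is registered with two internet-facing load balancers, since the dict keeps only the last one for the `status_extended` message.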
34 changes: 34 additions & 0 deletions
...ccessible_via_elbv2/ec2_instance_not_directly_publicly_accessible_via_elbv2.metadata.json
@@ -0,0 +1,34 @@ | ||
{ | ||
"Provider": "aws", | ||
"CheckID": "ec2_instance_not_directly_publicly_accessible_via_elbv2", | ||
"CheckTitle": "Check for EC2 instances behind internet facing ALB/NLB/GLB.", | ||
"CheckType": [ | ||
"Infrastructure Security" | ||
], | ||
"ServiceName": "ec2", | ||
"SubServiceName": "", | ||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id", | ||
"Severity": "medium", | ||
"ResourceType": "AwsEc2Instance", | ||
"Description": "Check for EC2 instances behind internet facing ALB/NLB/GLB.", | ||
"Risk": "Exposing an EC2 to a ALB/NLB/GLB that is internet facing can lead to comprimisation", | ||
"RelatedUrl": "", | ||
"Remediation": { | ||
"Code": { | ||
"CLI": "", | ||
"NativeIaC": "", | ||
"Other": "", | ||
"Terraform": "" | ||
Comment on lines +16 to +21:
Complete this.
There is no information
||
}, | ||
"Recommendation": { | ||
"Text": "Apply security groups to load balancers", | ||
"Url": "" | ||
} | ||
}, | ||
"Categories": [ | ||
"internet-exposed" | ||
], | ||
"DependsOn": [], | ||
"RelatedTo": [], | ||
"Notes": "" | ||
} |
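Review bot: the empty `"RelatedUrl"`, `"Remediation.Code"` and `"Recommendation.Url"` fields raised in the inline comment still need content before merge; the ELBv2 documentation on internet-facing versus internal schemes would be a suitable link, and `"Recommendation.Text"` should name a concrete action (restrict the listener's security group or use an internal scheme). `"Risk"` also has two wording errors: "a ALB/NLB/GLB" should be "an ALB/NLB/GLB" and "comprimisation" should be "compromise".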
30 changes: 30 additions & 0 deletions
..._publicly_accessible_via_elbv2/ec2_instance_not_directly_publicly_accessible_via_elbv2.py
@@ -0,0 +1,30 @@ | ||
from prowler.lib.check.models import Check, Check_Report_AWS | ||
from prowler.providers.aws.services.ec2.ec2_client import ec2_client | ||
from prowler.providers.aws.services.elbv2.elbv2_client import elbv2_client | ||
|
||
|
||
class ec2_instance_not_directly_publicly_accessible_via_elbv2(Check): | ||
def execute(self): | ||
findings = [] | ||
if ec2_client.instances: | ||
public_instances = {} | ||
|
||
for tg in elbv2_client.target_groups: | ||
if tg.public and tg.target_type == "instance": | ||
public_instances[tg.target] = tg.arn | ||
|
||
for instance in ec2_client.instances: | ||
if instance.state != "terminated": | ||
report = Check_Report_AWS(self.metadata()) | ||
report.region = instance.region | ||
report.resource_id = instance.id | ||
report.resource_arn = instance.arn | ||
report.resource_tags = instance.tags | ||
report.status = "PASS" | ||
report.status_extended = f"EC2 Instance {instance.id} is not behind an Internet facing Load Balancer." | ||
|
||
if instance.id in public_instances: | ||
report.status = "FAIL" | ||
report.status_extended = f"EC2 Instance {instance.id} is behind an Internet facing Load Balancer through target group {public_instances[instance.id]}." | ||
findings.append(report) | ||
return findings |
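Review bot: `tg.target_type == "instance"` skips target groups of type `ip`, so an instance registered by private IP behind an internet-facing NLB or ALB passes this check; either cover `ip` targets by matching them against the instance's private addresses, or state the limitation in the metadata `"Notes"`. `public_instances[tg.target] = tg.arn` also reads as if each target group has exactly one target, whereas target groups usually hold many registered targets; if the `TargetGroup` model only carries a single `target`, the model (and the `public` attribute added in 7c8727f) should be extended to a list and this loop changed accordingly, with a test covering a group that has two instances. Finally, the result depends entirely on how `tg.public` is derived, so a test with a target group attached to both an internal and an internet-facing listener would pin down the intended behaviour.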