feat(ec2): improve EC2 Security Groups checks logic by checking if any instance is attached

[sergargar]

Description

Improve EC2 Security Groups checks logic by checking if any instance is attached.

• ec2_securitygroup_allow_ingress_from_internet_to_any_port
• ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018
• ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21
• ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22
• ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389
• ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888
• ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601
• ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092
• ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211
• ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306
• ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483
• ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432
• ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379
• ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434
• ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23
• ec2_securitygroup_allow_ingress_from_internet_to_tcp_udp_port_kerberos_88
• ec2_securitygroup_allow_ingress_from_internet_to_tcp_udp_port_ldap_389_636
• ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cifs_139_445
• ec2_securitygroup_allow_ingress_from_internet_to_custom_tcp_port

Also changing the severity with the following cases:

1. medium -> Security group XXX has SSH port 22 open to the Internet but it is not attached.
2. high -> EC2 Instance XXX has SSH exposed to 0.0.0.0/0 on private ip address XXX.
3. high -> EC2 Instance XXX has SSH exposed to 0.0.0.0/0 on public ip address XXX.
4. critical -> EC2 Instance XXX has SSH exposed to 0.0.0.0/0 on public ip address XXX within public subnet XXX.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[sergargar]

Please @jfagoagas, review if the logic and functions used for the first check is correct in order to do the same for the rest of the checks.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 85.54%. Comparing base (a138d29) to head (b8c7c44).
Report is 21 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #3852      +/-   ##
==========================================
+ Coverage   85.46%   85.54%   +0.07%     
==========================================
  Files         737      741       +4     
  Lines       22811    22915     +104     
==========================================
+ Hits        19496    19602     +106     
+ Misses       3315     3313       -2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.