fix(inspector2): Ensure Inspector2 is enabled for ECR, EC2, Lambda an…
…d Lambda Code (#5066)

Co-authored-by: Mario Rodriguez Lopez <[email protected]>
Co-authored-by: Sergio <[email protected]>
3 people authored Sep 17, 2024
1 parent e57a460 commit 7c3a0a0
Showing 6 changed files with 146 additions and 28 deletions.
@@ -1,29 +1,31 @@
{
"Provider": "aws",
"CheckID": "inspector2_is_enabled",
"CheckTitle": "Check if Inspector2 is enabled",
"CheckTitle": "Check if Inspector2 is enabled for Amazon EC2 instances, ECR container images and Lambda functions.",
"CheckAliases": [
"inspector2_findings_exist"
],
"CheckType": [],
"CheckType": [
"Software and Configuration Checks/AWS Security Best Practices"
],
"ServiceName": "inspector2",
"SubServiceName": "",
"ResourceIdTemplate": "arn:aws:inspector2:region:account-id/detector-id",
"Severity": "medium",
"ResourceType": "Other",
"Description": "Check if Inspector2 is enabled",
"ResourceType": "AwsAccount",
"Description": "Ensure that the new version of Amazon Inspector is enabled in order to help you improve the security and compliance of your AWS cloud environment. Amazon Inspector 2 is a vulnerability management solution that continually scans scans your Amazon EC2 instances, ECR container images, and Lambda functions to identify software vulnerabilities and instances of unintended network exposure.",
"Risk": "Without using AWS Inspector, you may not be aware of all the security vulnerabilities in your AWS resources, which could lead to unauthorized access, data breaches, or other security incidents.",
"RelatedUrl": "https://docs.aws.amazon.com/inspector/latest/user/findings-understanding.html",
"Remediation": {
"Code": {
"CLI": "aws inspector2 enable",
"CLI": "aws inspector2 enable --resource-types 'EC2' 'ECR' 'LAMBDA' 'LAMBDA_CODE'",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Inspector/amazon-inspector-findings.html",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Inspector2/enable-amazon-inspector2.html",
"Terraform": ""
},
"Recommendation": {
"Text": "Enable Inspector2",
"Url": "https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html"
"Text": "Enable Amazon Inspector 2 for your AWS account.",
"Url": "https://docs.aws.amazon.com/inspector/latest/user/getting_started_tutorial.html"
}
},
"Categories": [],
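Review bot: The new Description contains a doubled word, "continually scans scans your Amazon EC2 instances"; drop one "scans". `ResourceIdTemplate` still reads `arn:aws:inspector2:region:account-id/detector-id`, but the service changed in this same commit builds the reported ARN as `arn:{partition}:inspector2:{region}:{account}:inspector2` and `ResourceType` is now `AwsAccount`, so the template should follow, e.g. `"ResourceIdTemplate": "arn:partition:inspector2:region:account-id:inspector2"`. Each region produces its own finding (the service builds one Inspector per regional client), so the remediation CLI has to be run in every failing region; a clause to that effect in Recommendation.Text, such as "Enable Amazon Inspector 2 for EC2, ECR, Lambda and Lambda code in every audited region.", would save readers a false sense of a one-shot fix.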
Expand Up @@ -17,25 +17,45 @@ def execute(self):
report.region = inspector.region
if inspector.status == "ENABLED":
report.status = "PASS"
report.status_extended = "Inspector2 is enabled."
findings.append(report)
else:
if inspector2_client.audit_info.ignore_unused_services:
funtions_in_region = False
ec2_in_region = False
for function in awslambda_client.functions.values():
if function.region == inspector.region:
funtions_in_region = True
for instance in ec2_client.instances:
if instance == inspector.region:
ec2_in_region = True
if not inspector2_client.audit_info.ignore_unused_services or (
funtions_in_region
or ecr_client.registries[inspector.region].repositories
report.status_extended = "Inspector2 is enabled for EC2 instances, ECR container images, Lambda functions and code."
funtions_in_region = False
ec2_in_region = False
for function in awslambda_client.functions.values():
if function.region == inspector.region:
funtions_in_region = True
for instance in ec2_client.instances:
if instance == inspector.region:
ec2_in_region = True
failed_services = []

if inspector.ec2_status != "ENABLED" and (
not inspector2_client.audit_info.ignore_unused_services
or ec2_in_region
):
failed_services.append("EC2")
if inspector.ecr_status != "ENABLED" and (
not inspector2_client.audit_info.ignore_unused_services
or ecr_client.registries[inspector.region].repositories
):
failed_services.append("ECR")
if inspector.lambda_status != "ENABLED" and (
not inspector2_client.audit_info.ignore_unused_services
or funtions_in_region
):
failed_services.append("Lambda")
if inspector.lambda_code_status != "ENABLED" and (
not inspector2_client.audit_info.ignore_unused_services
or funtions_in_region
):
failed_services.append("Lambda Code")

if failed_services:
report.status = "FAIL"
report.status_extended = "Inspector2 is not enabled."
findings.append(report)
report.status_extended = f"Inspector2 is not enabled for the following services: {', '.join(failed_services)}."
findings.append(report)
else:
report.status = "FAIL"
report.status_extended = "Inspector2 is not enabled."
findings.append(report)

return findings
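Review bot: The EC2 presence test `if instance == inspector.region:` compares an instance object to a region string, so `ec2_in_region` can never become True; the Lambda loop just above uses `function.region == inspector.region`, and this one should read `if instance.region == inspector.region:` (assuming `ec2_client.instances` holds per-region instance objects like the Lambda client does; worth confirming against the EC2 service). As written, a scan with ignore_unused_services set silently skips the EC2 branch even when EC2 scanning is disabled and instances exist, a false negative for exactly the control this check enforces. The Lambda and EC2 enumeration now runs for every region even when ignore_unused_services is off and the results are unused; wrapping the two loops in `if inspector2_client.audit_info.ignore_unused_services:` restores the previous cost profile. `ecr_client.registries[inspector.region]` raises KeyError if the ECR service recorded no registry for the region; prefer `ecr_client.registries.get(inspector.region)` and treat a missing registry as no repositories, unless that service guarantees an entry per audited region. `execute` starts before this hunk, so the report construction is not visible here.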
11 changes: 11 additions & 0 deletions prowler/providers/aws/services/inspector2/inspector2_service.py
Expand Up @@ -20,11 +20,18 @@ def __batch_get_account_status__(self, regional_client):
batch_get_account_status = regional_client.batch_get_account_status(
accountIds=[self.audited_account]
)["accounts"][0]
resourceStates = batch_get_account_status.get("resourceState")
self.inspectors.append(
Inspector(
id="Inspector2",
arn=f"arn:{self.audited_partition}:inspector2:{regional_client.region}:{self.audited_account}:inspector2",
status=batch_get_account_status.get("state").get("status"),
ec2_status=resourceStates.get("ec2", {}).get("status"),
ecr_status=resourceStates.get("ecr", {}).get("status"),
lambda_status=resourceStates.get("lambda", {}).get("status"),
lambda_code_status=resourceStates.get("lambdaCode", {}).get(
"status"
),
region=regional_client.region,
)
)
Expand Down Expand Up @@ -59,4 +66,8 @@ class Inspector(BaseModel):
arn: str
region: str
status: str
ec2_status: str
ecr_status: str
lambda_status: str
lambda_code_status: str
active_findings: bool = False
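Review bot: `resourceStates = batch_get_account_status.get("resourceState")` falls back to None, and the four `.get("ec2", {})` chains below then raise AttributeError; write `resourceStates = batch_get_account_status.get("resourceState", {})`. A resource type absent from the response, or present without "status", yields None for a field the Inspector model at the bottom of this hunk declares as plain `str`, so pydantic rejects the object and the region disappears from the audit instead of being reported; either default each lookup to a non-enabled value so the check fails closed, e.g. `.get("status", "DISABLED")`, or declare the four fields `Optional[str] = None` and let the check treat None as not enabled. `__batch_get_account_status__` starts before this hunk, so whether an exception here is logged per region or aborts the whole service cannot be seen from the change. The camelCase local `resourceStates` is the only non-snake_case name in the visible code; `resource_states` would match the surrounding style.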
Expand Up @@ -28,6 +28,10 @@ def test_enabled_no_finding(self):
id=AWS_ACCOUNT_NUMBER,
arn=f"arn:aws:inspector2:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:inspector2",
status="ENABLED",
ec2_status="ENABLED",
ecr_status="DISABLED",
lambda_status="DISABLED",
lambda_code_status="ENABLED",
region=AWS_REGION_EU_WEST_1,
active_findings=False,
)
Expand Down Expand Up @@ -80,6 +84,10 @@ def test_enabled_with_no_active_finding(self):
arn=f"arn:aws:inspector2:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:inspector2",
region=AWS_REGION_EU_WEST_1,
status="ENABLED",
ec2_status="ENABLED",
ecr_status="DISABLED",
lambda_status="DISABLED",
lambda_code_status="ENABLED",
active_findings=False,
)
]
Expand Down Expand Up @@ -131,6 +139,10 @@ def test_enabled_with_active_finding(self):
arn=f"arn:aws:inspector2:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:inspector2",
region=AWS_REGION_EU_WEST_1,
status="ENABLED",
ec2_status="ENABLED",
ecr_status="DISABLED",
lambda_status="DISABLED",
lambda_code_status="ENABLED",
active_findings=True,
)
]
Expand Down Expand Up @@ -191,6 +203,10 @@ def test_inspector2_disabled_ignoring(self):
id=AWS_ACCOUNT_NUMBER,
arn=f"arn:aws:inspector2:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:inspector2",
status="DISABLED",
ec2_status="ENABLED",
ecr_status="DISABLED",
lambda_status="DISABLED",
lambda_code_status="ENABLED",
region=AWS_REGION_EU_WEST_1,
active_findings=False,
)
Expand Up @@ -33,8 +33,11 @@ def test_inspector2_disabled(self):
id=AWS_ACCOUNT_NUMBER,
arn=f"arn:aws:inspector2:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:inspector2",
status="DISABLED",
ec2_status="DISABLED",
ecr_status="DISABLED",
lambda_status="DISABLED",
lambda_code_status="DISABLED",
region=AWS_REGION_EU_WEST_1,
findings=[],
)
]
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
Expand Down Expand Up @@ -79,8 +82,11 @@ def test_enabled_no_finding(self):
id=AWS_ACCOUNT_NUMBER,
arn=f"arn:aws:inspector2:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:inspector2",
status="ENABLED",
ec2_status="ENABLED",
ecr_status="ENABLED",
lambda_status="ENABLED",
lambda_code_status="ENABLED",
region=AWS_REGION_EU_WEST_1,
findings=[],
)
]
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
Expand All @@ -103,7 +109,61 @@ def test_enabled_no_finding(self):

assert len(result) == 1
assert result[0].status == "PASS"
assert result[0].status_extended == "Inspector2 is enabled."
assert (
result[0].status_extended
== "Inspector2 is enabled for EC2 instances, ECR container images, Lambda functions and code."
)
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert (
result[0].resource_arn
== f"arn:aws:inspector2:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:inspector2"
)
assert result[0].region == AWS_REGION_EU_WEST_1

def test_enabled_finding(self):
inspector2_client = mock.MagicMock
inspector2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
inspector2_client.audited_account = AWS_ACCOUNT_NUMBER
inspector2_client.audited_account_arn = (
f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
)
inspector2_client.region = AWS_REGION_EU_WEST_1
inspector2_client.inspectors = [
Inspector(
id=AWS_ACCOUNT_NUMBER,
arn=f"arn:aws:inspector2:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:inspector2",
status="ENABLED",
ec2_status="ENABLED",
ecr_status="DISABLED",
lambda_status="DISABLED",
lambda_code_status="ENABLED",
region=AWS_REGION_EU_WEST_1,
)
]
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])

with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
):
with mock.patch(
"prowler.providers.aws.services.inspector2.inspector2_is_enabled.inspector2_is_enabled.inspector2_client",
new=inspector2_client,
):
# Test Check
from prowler.providers.aws.services.inspector2.inspector2_is_enabled.inspector2_is_enabled import (
inspector2_is_enabled,
)

check = inspector2_is_enabled()
result = check.execute()

assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== "Inspector2 is not enabled for the following services: ECR, Lambda."
)
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert (
result[0].resource_arn
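Review bot: `inspector2_client = mock.MagicMock` in the new `test_enabled_finding` assigns the MagicMock class rather than an instance, so the attribute assignments that follow (`audit_info`, `inspectors`, ...) land on the shared class and leak into every other test in the process; use `inspector2_client = mock.MagicMock()`. No test sets `ignore_unused_services` with EC2 instances or Lambda functions present in the region, which is the only path on which the check's `ec2_in_region`/`funtions_in_region` flags matter, so a case with `ec2_client.instances` populated, `ec2_status="DISABLED"` and `ignore_unused_services=True` expecting FAIL would pin that behaviour. The test patches only `inspector2_client` and `current_audit_info`, yet the check now iterates `awslambda_client.functions`, `ec2_client.instances` and `ecr_client.registries[region]` unconditionally; if those clients are not patched elsewhere in the file (not visible here), patch them explicitly rather than relying on what the module-level clients return under the mocked audit info.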
Expand Up @@ -41,6 +41,11 @@ def mock_make_api_call(self, operation_name, kwargs):
"errorMessage": "string",
"status": "ENABLED",
},
"lambdaCode": {
"errorCode": "ALREADY_ENABLED",
"errorMessage": "string",
"status": "ENABLED",
},
},
"state": {
"errorCode": "ALREADY_ENABLED",
Expand Down Expand Up @@ -104,6 +109,10 @@ def test__batch_get_account_status__(self):
assert inspector2.inspectors[0].id == "Inspector2"
assert inspector2.inspectors[0].region == AWS_REGION_EU_WEST_1
assert inspector2.inspectors[0].status == "ENABLED"
assert inspector2.inspectors[0].ec2_status == "ENABLED"
assert inspector2.inspectors[0].ecr_status == "ENABLED"
assert inspector2.inspectors[0].lambda_status == "ENABLED"
assert inspector2.inspectors[0].lambda_code_status == "ENABLED"

def test__list_active_findings__(self):
audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
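Review bot: The mocked `batch_get_account_status` response only gains a `lambdaCode` entry with status ENABLED, so the four new per-resource fields are exercised solely on the happy path; a second fixture whose `resourceState` omits `lambdaCode` (or omits `resourceState` altogether) would show whether `__batch_get_account_status__` still builds an Inspector or fails on the None it then passes to the model's `str` fields. Since every mocked status is "ENABLED", the four new assertions cannot tell a swapped mapping apart (ec2 read from the ecr entry, say); setting one of them to "DISABLED" in the fixture makes the assertions discriminating.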
