Merge pull request #2023 from aquasecurity/bundles_sync/29_05
Syncing with SaaS.
alphadev4 committed May 28, 2024
2 parents 74a3d05 + 033b005 commit 0679196
Showing 24 changed files with 395 additions and 141 deletions.
35 changes: 30 additions & 5 deletions collectors/aws/ec2/describeSnapshots.js
Expand Up @@ -8,6 +8,7 @@ var helpers = require(__dirname + '/../../../helpers/aws');
module.exports = function(AWSConfig, collection, retries, callback) {
var ec2 = new AWS.EC2(AWSConfig);
var sts = new AWS.STS(AWSConfig);
var paginating = false;

helpers.makeCustomCollectorCall(sts, 'getCallerIdentity', {}, retries, null, null, null, function(stsErr, stsData) {
if (stsErr || !stsData.Account) {
Expand All @@ -16,6 +17,7 @@ module.exports = function(AWSConfig, collection, retries, callback) {
}

var params = {
MaxResults: 1000,
Filters: [
{
Name: 'owner-id',
Expand All @@ -32,13 +34,36 @@ module.exports = function(AWSConfig, collection, retries, callback) {
]
};

helpers.makeCustomCollectorCall(ec2, 'describeSnapshots', params, retries, null, null, null, function(err, data) {
var paginateCb = function(err, data) {
if (err) {
collection.ec2.describeSnapshots[AWSConfig.region].err = err;
} else {
collection.ec2.describeSnapshots[AWSConfig.region].data = data.Snapshots;
} else if (data) {
if (paginating && data.Snapshots && data.Snapshots.length &&
collection.ec2.describeSnapshots[AWSConfig.region].data &&
collection.ec2.describeSnapshots[AWSConfig.region].data.length) {
collection.ec2.describeSnapshots[AWSConfig.region].data = collection.ec2.describeSnapshots[AWSConfig.region].data.concat(data.Snapshots);
} else if (!paginating) {
collection.ec2.describeSnapshots[AWSConfig.region].data = data.Snapshots;
}
if (data.NextToken &&
collection.ec2.describeSnapshots[AWSConfig.region].data &&
collection.ec2.describeSnapshots[AWSConfig.region].data.length) {
paginating = true;
return execute(data.NextToken);
}
}

callback();
});
};
function execute(nextToken) { // eslint-disable-line no-inner-declarations
var localParams = JSON.parse(JSON.stringify(params || {}));
if (nextToken) localParams['NextToken'] = nextToken;
if (nextToken) {
helpers.makeCustomCollectorCall(ec2, 'describeSnapshots', localParams, retries, null, null, null, paginateCb);
} else {
helpers.makeCustomCollectorCall(ec2, 'describeSnapshots', params, retries, null, null, null, paginateCb);
}
}
execute();
});
};
};
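Review bot: The pagination guard at the end of the `else if (data)` branch (`data.NextToken && ...data && ...data.length`) stops following `NextToken` as soon as the accumulated list is empty, and the concat branch above it silently drops a later page whenever the accumulator is empty, so any snapshot that arrives after an empty page is never collected and downstream snapshot checks would run on incomplete data. As I recall, EC2 describe calls with `Filters` can return a page with fewer items than `MaxResults`, including an empty one that still carries a `NextToken` — worth confirming against the DescribeSnapshots docs before relying on those length checks. I'd follow the token unconditionally and make the concat tolerate an empty accumulator, as below. The two branches of `execute` also issue the same call, since `localParams` already equals `params` when `nextToken` is absent, so the `else` branch can go. `paginateCb` and `execute` are fully visible, but the hunk starts inside the `getCallerIdentity` callback whose error handling is outside it.
```javascript
var paginateCb = function(err, data) {
    if (err) {
        // … unchanged: record err …
    } else if (data) {
        if (paginating) {
            // Append even when the accumulator or this page is empty so no page is dropped.
            collection.ec2.describeSnapshots[AWSConfig.region].data =
                (collection.ec2.describeSnapshots[AWSConfig.region].data || []).concat(data.Snapshots || []);
        } else {
            collection.ec2.describeSnapshots[AWSConfig.region].data = data.Snapshots;
        }
        // Follow NextToken regardless of how many items have been seen so far.
        if (data.NextToken) {
            paginating = true;
            return execute(data.NextToken);
        }
    }

    callback();
};
function execute(nextToken) { // eslint-disable-line no-inner-declarations
    var localParams = JSON.parse(JSON.stringify(params || {}));
    if (nextToken) localParams['NextToken'] = nextToken;
    helpers.makeCustomCollectorCall(ec2, 'describeSnapshots', localParams, retries, null, null, null, paginateCb);
}
```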
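--- a/exports.js
+++ b/exports.js
@@ -53,6 +53,7 @@ module.exports = {
 'workgroupEnforceConfiguration' : require(__dirname + '/plugins/aws/athena/workgroupEnforceConfiguration.js'),
 
 'customModelInVpc' :require(__dirname + '/plugins/aws/bedrock/customModelInVpc.js'),
+'bedrockInUse' :require(__dirname + '/plugins/aws/bedrock/bedrockInUse.js'),
 'privateCustomModel' :require(__dirname + '/plugins/aws/bedrock/privateCustomModel.js'),
 'customModelHasTags' :require(__dirname + '/plugins/aws/bedrock/customModelHasTags.js'),
 'modelInvocationLoggingEnabled' :require(__dirname + '/plugins/aws/bedrock/modelInvocationLoggingEnabled.js'),
@@ -725,7 +726,7 @@ module.exports = {
 
 'workspacePublicAccessDisabled' : require(__dirname + '/plugins/azure/machinelearning/workspacePublicAccessDisabled.js'),
 'workspaceLoggingEnabled' : require(__dirname + '/plugins/azure/machinelearning/workspaceLoggingEnabled.js'),
-'mlWorkspaceHasTags' : require(__dirname + '/plugins/azure/machinelearning/mlWorkspaceHasTags.js'),
+'mlWorkspaceHasTags' : require(__dirname + '/plugins/azure/machinelearning/mlWorkspaceHasTags.js'),
 
 
 'minimumTlsVersion' : require(__dirname + '/plugins/azure/redisCache/minimumTlsVersion.js'),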
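--- a/helpers/aws/api.js
+++ b/helpers/aws/api.js
@@ -1449,6 +1449,10 @@ var calls = {
 describeDBClusters: {
 property: 'DBClusters',
 paginate: 'Marker'
+},
+describeDBInstances: {
+property: 'DBInstances',
+paginate: 'Marker'
 }
 },
 Organizations: {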
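--- a/helpers/aws/api_multipart.js
+++ b/helpers/aws/api_multipart.js
@@ -838,6 +838,10 @@ var calls = [
 describeDBClusters: {
 property: 'DBClusters',
 paginate: 'Marker'
+},
+describeDBInstances: {
+property: 'DBInstances',
+paginate: 'Marker'
 }
 },
 Organizations: {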
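--- /dev/null
+++ b/plugins/aws/bedrock/bedrockInUse.js
@@ -0,0 +1,52 @@
+var async = require('async');
+var helpers = require('../../../helpers/aws');
+
+module.exports = {
+title: 'AWS Bedrock In Use',
+category: 'AI & ML',
+domain: 'Machine Learning',
+severity: 'Low',
+description: 'Ensures that AWS Bedrock service is in use within your AWS account.',
+more_info: 'AWS Bedrock provides access to high-performing foundation models from leading AI startups and Amazon through a unified API, enabling easy experimentation, customization, and deployment of generative AI applications with robust security and privacy features.',
+link: 'https://docs.aws.amazon.com/bedrock/latest/userguide/what-is-bedrock.html',
+recommended_action: 'Use Bedrock service to utilize top foundation models with strong security and customization.',
+apis: ['Bedrock:listCustomModels'],
+realtime_triggers: ['bedrock:DeleteCustomModel'],
+
+run: function(cache, settings, callback) {
+var results = [];
+var source = {};
+var regions = helpers.regions(settings);
+
+async.each(regions.bedrock, function(region, rcb){
+var listCustomModels = helpers.addSource(cache, source,
+['bedrock', 'listCustomModels', region]);
+
+if (!listCustomModels) return rcb();
+
+if (listCustomModels.err && listCustomModels.err.message.includes('Unknown operation')) {
+helpers.addResult(results, 0,
+'Custom model service is not available in this region', region);
+return rcb();
+}
+
+if (listCustomModels.err || !listCustomModels.data) {
+helpers.addResult(results, 3,
+`Unable to query for Bedrock custom model list: ${helpers.addError(listCustomModels)}`, region);
+return rcb();
+}
+
+if (!listCustomModels.data.length) {
+helpers.addResult(results, 2, 'Bedrock service is not in use', region);
+return rcb();
+} else {
+helpers.addResult(results, 0, 'Bedrock service is in use', region);
+return rcb();
+
+}
+
+}, function(){
+callback(null, results, source);
+});
+}
+};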
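Review bot: `bedrockInUse` decides "in use" solely from `Bedrock:listCustomModels` (the `!listCustomModels.data.length` test), so an account that invokes foundation models on demand without ever creating a custom model is reported as status 2 in every Bedrock region, and because that is a FAIL it lands next to real findings. The `description` should state what is actually measured, e.g. `description: 'Ensures that at least one AWS Bedrock custom model exists in the account.'`, and it is worth reconsidering whether absence of an optional service should be a FAIL rather than an informational result. `realtime_triggers` lists only `bedrock:DeleteCustomModel`; if a custom-model creation event exists it presumably belongs here too so the check re-runs when a model appears — I cannot confirm the event name from here. Minor robustness: `listCustomModels.err.message.includes(...)` throws when `err` has no `message`; `(listCustomModels.err.message || '').includes('Unknown operation')` avoids that.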
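--- /dev/null
+++ b/plugins/aws/bedrock/bedrockInUse.spec.js
@@ -0,0 +1,73 @@
+var expect = require('chai').expect;
+const bedrockInUse = require('./bedrockInUse');
+
+const listCustomModels = [
+{
+"modelArn": "arn:aws:bedrock:us-east-1:11223344:custom-model/amazon.titan-text-lite-v1:0:4k/2ytyyx8nid0h",
+"modelName": "model2",
+"creationTime": "2023-11-29T10:45:43.056000+00:00",
+"baseModelArn": "arn:aws:bedrock:us-east-1::foundation-model/amazon.titan-text-lite-v1:0:4k",
+"baseModelName": ""
+},
+{
+"modelArn": "arn:aws:bedrock:us-east-1:11223344:custom-model/amazon.titan-text-lite-v1:0:4k/vjqsydtdhkpz",
+"modelName": "testmodel2",
+"creationTime": "2023-11-28T11:29:18.655000+00:00",
+"baseModelArn": "arn:aws:bedrock:us-east-1::foundation-model/amazon.titan-text-lite-v1:0:4k",
+"baseModelName": ""
+}
+];
+
+
+const createCache = (listModels) => {
+return {
+bedrock: {
+listCustomModels: {
+'us-east-1': {
+err: null,
+data: listModels
+}
+},
+}
+};
+};
+
+
+describe('bedrockInUse', function () {
+describe('run', function () {
+it('should PASS if Bedrock service is in use', function (done) {
+const cache = createCache([listCustomModels[0]]);
+bedrockInUse.run(cache, {}, (err, results) => {
+expect(results.length).to.equal(1);
+expect(results[0].status).to.equal(0);
+expect(results[0].region).to.equal('us-east-1');
+expect(results[0].message).to.include('Bedrock service is in use')
+done();
+});
+});
+
+it('should FAIL if Bedrock service is not in use', function (done) {
+const cache = createCache([]);
+bedrockInUse.run(cache, {}, (err, results) => {
+expect(results.length).to.equal(1);
+expect(results[0].status).to.equal(2);
+expect(results[0].region).to.equal('us-east-1');
+expect(results[0].message).to.include('Bedrock service is not in use')
+done();
+});
+});
+
+
+it('should UNKNOWN if unable to query Bedrock custom model', function (done) {
+const cache = createCache(null, null);
+bedrockInUse.run(cache, {}, (err, results) => {
+expect(results.length).to.equal(1);
+expect(results[0].status).to.equal(3);
+expect(results[0].region).to.equal('us-east-1');
+expect(results[0].message).to.include('Unable to query for Bedrock custom model list')
+done();
+});
+});
+
+});
+});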
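Review bot: None of the three cases exercises the `Unknown operation` branch of `bedrockInUse` (status 0, 'Custom model service is not available in this region'), and the UNKNOWN case reaches the status-3 path only because `createCache(null, null)` sets `data: null` while leaving `err: null` — the second argument is ignored by the one-parameter factory. I'd extend `createCache` to accept an `err` and add one fixture with `err: { message: 'Unknown operation' }` asserting status 0 and one with a generic `err` asserting status 3, so the `err.message.includes(...)` path is covered. The `expect(...).to.include(...)` lines in each test also lack the trailing semicolon the rest of the file uses.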
18 changes: 6 additions & 12 deletions plugins/aws/ec2/appTierInstanceIamRole.js
Expand Up @@ -11,7 +11,7 @@ module.exports = {
more_info: 'EC2 instances should have IAM roles configured with necessary permission to access other AWS services',
link: 'https://aws.amazon.com/blogs/security/new-attach-an-aws-iam-role-to-an-existing-amazon-ec2-instance-by-using-the-aws-cli/',
recommended_action: 'Modify EC2 instances to attach IAM roles with required IAM policies',
apis: ['EC2:describeInstances', 'EC2:describeTags', 'IAM:listRoles', 'IAM:listRolePolicies', 'IAM:listAttachedRolePolicies'],
apis: ['EC2:describeInstances', 'IAM:listRoles', 'IAM:listRolePolicies', 'IAM:listAttachedRolePolicies'],
settings: {
ec2_app_tier_tag_key: {
name: 'EC2 App-Tier Tag Key',
Expand Down Expand Up @@ -71,14 +71,8 @@ module.exports = {
var resource = `arn:${awsOrGov}:ec2:${region}:${accountId}:instance/${entry.InstanceId}`;

var tagFound = false;
for (let t in describeTags.data) {
let tag = describeTags.data[t];

if (tag.ResourceId && tag.ResourceId === entry.InstanceId &&
tag.Key && tag.Key === config.ec2_app_tier_tag_key) {
tagFound = true;
break;
}
if (entry.Tags && entry.Tags.length) {
tagFound = entry.Tags.find(tag => tag.Key === config.ec2_app_tier_tag_key);
}

if (!tagFound) {
Expand All @@ -93,7 +87,7 @@ module.exports = {
} else {
var roleNameArr = entry.IamInstanceProfile.Arn.split('/');
var roleName = roleNameArr[roleNameArr.length-1];

// Get managed policies attached to role
var listAttachedRolePolicies = helpers.addSource(cache, source,
['iam', 'listAttachedRolePolicies', region, roleName]);
Expand Down Expand Up @@ -136,10 +130,10 @@ module.exports = {
}
}
}

cb();
});

return rcb();
}, function(){
callback(null, results, source);
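Review bot: The removed loop was the only reader of `describeTags.data`, but nothing in this section removes the `describeTags` declaration it depended on — the second hunk's old and new offsets are both 71, so lines 12–70 of `run()` are unchanged and that declaration (and any `!describeTags || describeTags.err` guard around it, which I can't see from here) survives the commit. With `EC2:describeTags` dropped from `apis`, that cache entry is only populated when some other enabled plugin requests it, so a surviving guard could return UNKNOWN for every region whenever this plugin runs alone, and at minimum the variable is now dead; please check the top of `run()`. Separately, `tagFound` now holds the matching tag object rather than a boolean, which works with `!tagFound` but no longer matches its `var tagFound = false;` initialiser; `tagFound = entry.Tags.some(tag => tag.Key === config.ec2_app_tier_tag_key);` keeps it boolean. The enclosing `run()` starts and ends outside this section.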
18 changes: 6 additions & 12 deletions plugins/aws/ec2/webTierInstanceIamRole.js
Expand Up @@ -11,7 +11,7 @@ module.exports = {
more_info: 'EC2 instances should have IAM roles configured with necessary permission to access other AWS services',
link: 'https://aws.amazon.com/blogs/security/new-attach-an-aws-iam-role-to-an-existing-amazon-ec2-instance-by-using-the-aws-cli/',
recommended_action: 'Modify EC2 instances to attach IAM roles with required IAM policies',
apis: ['EC2:describeInstances', 'EC2:describeTags', 'IAM:listRoles', 'IAM:listRolePolicies', 'IAM:listAttachedRolePolicies'],
apis: ['EC2:describeInstances', 'IAM:listRoles', 'IAM:listRolePolicies', 'IAM:listAttachedRolePolicies'],
settings: {
ec2_web_tier_tag_key: {
name: 'EC2 Web-Tier Tag Key',
Expand Down Expand Up @@ -71,14 +71,8 @@ module.exports = {
var resource = `arn:${awsOrGov}:ec2:${region}:${accountId}:instance/${entry.InstanceId}`;

var tagFound = false;
for (let t in describeTags.data) {
let tag = describeTags.data[t];

if (tag.ResourceId && tag.ResourceId === entry.InstanceId &&
tag.Key && tag.Key === config.ec2_web_tier_tag_key) {
tagFound = true;
break;
}
if (entry.Tags && entry.Tags.length) {
tagFound = entry.Tags.find(tag => tag.Key === config.ec2_web_tier_tag_key);
}

if (!tagFound) {
Expand All @@ -93,7 +87,7 @@ module.exports = {
} else {
var roleNameArr = entry.IamInstanceProfile.Arn.split('/');
var roleName = roleNameArr[roleNameArr.length-1];

// Get managed policies attached to role
var listAttachedRolePolicies = helpers.addSource(cache, source,
['iam', 'listAttachedRolePolicies', region, roleName]);
Expand Down Expand Up @@ -136,10 +130,10 @@ module.exports = {
}
}
}

cb();
});

return rcb();
}, function(){
callback(null, results, source);
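Review bot: The removed loop was the only reader of `describeTags.data`, yet no hunk in this section removes the `describeTags` declaration it used — the second hunk's old and new offsets are both 71, so lines 12–70 of `run()` are untouched and the declaration (plus whatever guard sits around it, which is outside my view) remains. Since `EC2:describeTags` is no longer in `apis`, the cache entry exists only if another enabled plugin still requests it, so a surviving `!describeTags || describeTags.err` style guard would make this plugin report UNKNOWN in every region when run on its own, and the variable is dead either way; please verify the top of `run()`. Also, `tagFound` is initialised as `false` but now receives the tag object or `undefined` from `find`; `tagFound = entry.Tags.some(tag => tag.Key === config.ec2_web_tier_tag_key);` keeps it a boolean. The enclosing `run()` starts and ends outside this section.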
4 changes: 2 additions & 2 deletions plugins/aws/elbv2/elbv2TLSVersionCipherEnabled.js
Expand Up @@ -5,9 +5,9 @@ module.exports = {
title: 'ELBv2 TLS Version and Cipher Header Disabled',
category: 'ELBv2',
domain: 'Content Delivery',
severity: 'Medium',
severity: 'low',
description: 'Ensures that AWS ELBv2 load balancers does not have TLS version and cipher headers enabled.',
more_info: 'Disabling TLS version and cipher headers mitigates potential information leakage risks and aligns with security best practices, ensuring that sensitive details are not exposed to unauthorized parties.',
more_info: 'TLS Version and Cipher Header provides information about the specific TLS version and cipher suite used during the establishment of the secure connection. Enabling the header might leak the sensitive information about the encryption protocols and algorithms being used',
link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html',
recommended_action: 'Update ELBv2 load balancer traffic configuration to disable TLS version and cipher headers',
apis: ['ELBv2:describeLoadBalancers', 'ELBv2:describeLoadBalancerAttributes'],
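Review bot: The new `severity: 'low'` is lower-case while every other plugin in this commit capitalises the value (`severity: 'Low'` in bedrockInUse.js), so any case-sensitive filtering or grouping on severity would miss this plugin; it should read `severity: 'Low',` (assuming, as the print order suggests, that `'low'` is the new value). The replacement `more_info` sentence has no terminating period. As I recall, the ALB attribute behind this check (`routing.http.x_amzn_tls_version_and_cipher_suite.enabled`) adds the TLS version and cipher suite as headers on the request forwarded to the targets rather than exposing anything to the client, so "leak" overstates the risk — if that holds against the ALB docs, saying the headers are sent to backend targets would be more accurate and is consistent with lowering the severity.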
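--- a/plugins/aws/kms/kmsKeyRotation.js
+++ b/plugins/aws/kms/kmsKeyRotation.js
@@ -111,6 +111,12 @@ module.exports = {
 return;
 }
 
+if (describeKeyData.KeyMetadata && describeKeyData.KeyMetadata.KeySpec && describeKeyData.KeyMetadata.KeySpec !== 'SYMMETRIC_DEFAULT') {
+noCmks = false;
+helpers.addResult(results, 0, `Key rotation is not available for ${describeKeyData.KeyMetadata.KeySpec} key type`, region, kmsKey.KeyArn);
+return;
+}
+
 var getKeyRotationStatus = helpers.addSource(cache, source,
 ['kms', 'getKeyRotationStatus', region, kmsKey.KeyId]);
 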
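Review bot: The new `KeySpec !== 'SYMMETRIC_DEFAULT'` branch exempts keys from the rotation check on key spec alone, but automatic rotation is, as I recall, also unavailable for symmetric keys whose material was imported or lives in a custom key store — `KeyMetadata.Origin` of `EXTERNAL` or `AWS_CLOUDHSM` (the spec fixtures show `Origin` on the same object); such keys still fall through to `getKeyRotationStatus` and are reported as a FAIL the owner cannot remediate. If that holds against the KMS docs, the same guard could also test `Origin`. Reporting unrotatable keys as status 0 also makes a key that can never be rotated indistinguishable from one that is rotated, which deserves a comment above the branch, e.g. `// Automatic rotation only exists for symmetric KMS-managed keys; other specs are reported as N/A rather than failed.` The loop body this sits in begins and ends outside the hunk.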
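--- a/plugins/aws/kms/kmsKeyRotation.spec.js
+++ b/plugins/aws/kms/kmsKeyRotation.spec.js
@@ -23,7 +23,8 @@ const describeKey = [
 KeyState: "Enabled",
 KeyUsage: "ENCRYPT_DECRYPT",
 MultiRegion: false,
-Origin: "AWS_KMS"
+Origin: "AWS_KMS",
+KeySpec: "HMAC_512",
 }
 },
 {
@@ -42,7 +43,8 @@ const describeKey = [
 KeyState: "Enabled",
 KeyUsage: "ENCRYPT_DECRYPT",
 MultiRegion: false,
-Origin: "AWS_KMS"
+Origin: "AWS_KMS",
+KeySpec: "SYMMETRIC_DEFAULT",
 }
 },
 {
@@ -61,7 +63,8 @@ const describeKey = [
 KeyState: "PendingDeletion",
 KeyUsage: "ENCRYPT_DECRYPT",
 MultiRegion: false,
-Origin: "AWS_KMS"
+Origin: "AWS_KMS",
+KeySpec: "SYMMETRIC_DEFAULT",
 }
 }
 ]
@@ -250,5 +253,16 @@ describe('kmsKeyRotation', function () {
 done();
 });
 });
+
+it('should not pass if key rotation is not avaible for KMS ', function (done) {
+const cache = createCache([listKeys], describeKey[0], keyPolicy[0], keyRotationStatus[0]);
+kmsKeyRotation.run(cache, {}, (err, results) => {
+expect(results.length).to.equal(1);
+expect(results[0].status).to.equal(0);
+expect(results[0].region).to.equal('us-east-1');
+expect(results[0].message).to.include('Key rotation is not available for HMAC_512 key type');
+done();
+});
+});
 });
 });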
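Review bot: The new test's name, 'should not pass if key rotation is not avaible for KMS ', contradicts its own assertion `expect(results[0].status).to.equal(0)`, which is a PASS, and it carries a typo and a trailing space. Rename it to describe the behaviour the plugin now implements, e.g. `it('should PASS if key rotation is not available for the KMS key type', function (done) {`. The `HMAC_512` fixture also keeps `KeyUsage: "ENCRYPT_DECRYPT"`, which an HMAC key would not report in a real `describeKey` response (as I recall it is `GENERATE_VERIFY_MAC`) — harmless for this plugin, but misleading as shared fixture data.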