From 54fefccfa1b0f04154de3072aad5812b1e2663f6 Mon Sep 17 00:00:00 2001 From: abdullahaslam306 Date: Tue, 25 Oct 2022 23:19:44 +0500 Subject: [PATCH 01/20] init --- collectors/aws/wafv2/GetWebACLForResource.js | 25 ++++++++++++++++++++ helpers/aws/api.js | 25 ++++++++++++++++++++ 2 files changed, 50 insertions(+) create mode 100644 collectors/aws/wafv2/GetWebACLForResource.js diff --git a/collectors/aws/wafv2/GetWebACLForResource.js b/collectors/aws/wafv2/GetWebACLForResource.js new file mode 100644 index 0000000000..384247b4fa --- /dev/null +++ b/collectors/aws/wafv2/GetWebACLForResource.js @@ -0,0 +1,25 @@ +var AWS = require('aws-sdk'); +var async = require('async'); +var helpers = require(__dirname + '/../../../helpers/aws'); + +module.exports = function(AWSConfig, collection, retries, callback) { + var cognito = new AWS.CognitoIdentityServiceProvider(AWSConfig); + var wafv2 = new AWS.WAFV2(AWSConfig); + async.eachLimit(collection.cognitoidentityserviceprovider.describeUserPool[AWSConfig.region].data, 15, function(lb, cb){ + collection.cognitoidentityserviceprovider.describeUserPool[AWSConfig.region][lb.Id] = {}; + var params = { + 'ResourceArn':lb.Id + }; + + helpers.makeCustomCollectorCall(cognito, 'describeUserPool', params, retries, null, null, null, function(err, data) { + if (err) { + collection.cognitoidentityserviceprovider.describeUserPool[AWSConfig.region][lb.Id].err = err; + } + collection.cognitoidentityserviceprovider.describeUserPool[AWSConfig.region][lb.Id].data = data.UserPool; + cb(); + }); + + }, function(){ + callback(); + }); +}; \ No newline at end of file diff --git a/helpers/aws/api.js b/helpers/aws/api.js index 132291505d..2ddd541bd9 100644 --- a/helpers/aws/api.js +++ b/helpers/aws/api.js 
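Review bot: The error branch in the `makeCustomCollectorCall` callback records `err` but then falls through to `data.UserPool`, which throws when the call failed and `data` is undefined, so one throttled or denied `describeUserPool` aborts the whole collector instead of marking that pool as errored. Return after recording the failure: `if (err) { collection...[lb.Id].err = err; return cb(); }`. The `ResourceArn` parameter also does not look like what `describeUserPool` expects (it takes a `UserPoolId`, as far as I recall — confirm against the SDK), and the `wafv2` client is constructed but never used.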
@@ -186,6 +186,18 @@ var calls = { paginate: 'nextToken' } }, + CognitoIdentityServiceProvider: { + listUserPools: { + property: 'UserPools', + paginate: 'NextToken', + params: { + MaxResults: 60 + } + }, + describeUserPool:{ + property: 'UserPool', + } + }, CodePipeline: { listPipelines: { property: 'pipelines', @@ -1514,6 +1526,13 @@ var postcalls = [ enabled: true } }, + CognitoIdentityServiceProvider: { + describeUserPool: { + reliesOnService: 'cognitoidentityserviceprovider', + reliesOnCall: 'listUserPools', + override: true + } + }, EC2: { describeSubnets: { reliesOnService: 'ec2', @@ -2044,7 +2063,13 @@ var postcalls = [ reliesOnService: 'wafv2', reliesOnCall: 'listWebACLs', override: true + }, + GetWebACLForResource: { + reliesOnService: 'cognitoidentityserviceprovider', + reliesOnCall: 'describeUserPool', + override: true } + }, GuardDuty: { getDetector: { From c7243598cec349cf0e8ae539b76471c9d36fcaaa Mon Sep 17 00:00:00 2001 From: abdullahaslam306 Date: Wed, 26 Oct 2022 00:53:12 +0500 Subject: [PATCH 02/20] plugin cognito have waf enabled --- collectors/aws/wafv2/GetWebACLForResource.js | 25 -------- collectors/aws/wafv2/getWebACLForResource.js | 28 +++++++++ exports.js | 2 + helpers/aws/api.js | 7 +-- helpers/aws/api_multipart.js | 5 ++ helpers/aws/regions.js | 4 ++ plugins/aws/cognito/cognitoHasWafEnabled.js | 62 ++++++++++++++++++++ 7 files changed, 103 insertions(+), 30 deletions(-) delete mode 100644 collectors/aws/wafv2/GetWebACLForResource.js create mode 100644 collectors/aws/wafv2/getWebACLForResource.js create mode 100644 plugins/aws/cognito/cognitoHasWafEnabled.js diff --git a/collectors/aws/wafv2/GetWebACLForResource.js b/collectors/aws/wafv2/GetWebACLForResource.js deleted file mode 100644 index 384247b4fa..0000000000 --- a/collectors/aws/wafv2/GetWebACLForResource.js +++ /dev/null 
@@ -1,25 +0,0 @@ -var AWS = require('aws-sdk'); -var async = require('async'); -var helpers = require(__dirname + '/../../../helpers/aws'); - -module.exports = function(AWSConfig, collection, retries, callback) { - var cognito = new AWS.CognitoIdentityServiceProvider(AWSConfig); - var wafv2 = new AWS.WAFV2(AWSConfig); - async.eachLimit(collection.cognitoidentityserviceprovider.describeUserPool[AWSConfig.region].data, 15, function(lb, cb){ - collection.cognitoidentityserviceprovider.describeUserPool[AWSConfig.region][lb.Id] = {}; - var params = { - 'ResourceArn':lb.Id - }; - - helpers.makeCustomCollectorCall(cognito, 'describeUserPool', params, retries, null, null, null, function(err, data) { - if (err) { - collection.cognitoidentityserviceprovider.describeUserPool[AWSConfig.region][lb.Id].err = err; - } - collection.cognitoidentityserviceprovider.describeUserPool[AWSConfig.region][lb.Id].data = data.UserPool; - cb(); - }); - - }, function(){ - callback(); - }); -}; \ No newline at end of file diff --git a/collectors/aws/wafv2/getWebACLForResource.js b/collectors/aws/wafv2/getWebACLForResource.js new file mode 100644 index 0000000000..cde7e89f06 --- /dev/null +++ b/collectors/aws/wafv2/getWebACLForResource.js 
@@ -0,0 +1,28 @@ +var AWS = require('aws-sdk'); +var async = require('async'); +var helpers = require(__dirname + '/../../../helpers/aws'); + +module.exports = function(AWSConfig, collection, retries, callback) { + + var wafv2 = new AWS.WAFV2(AWSConfig); + + if (!collection.sts.getCallerIdentity || !collection.sts.getCallerIdentity['us-east-1'].data) return callback(); + + async.eachLimit(collection.cognitoidentityserviceprovider.listUserPools[AWSConfig.region].data, 15, function(up, cb){ + collection.wafv2.getWebACLForResource[AWSConfig.region][up.Id] = {}; + var params = { + 'ResourceArn':`arn:aws:cognito-idp:${AWSConfig.region}:${collection.sts.getCallerIdentity['us-east-1'].data}:userpool/${up.Id}` + }; + + helpers.makeCustomCollectorCall(wafv2, 'getWebACLForResource', params, retries, null, null, null, function(err, data) { + if (err) { + collection.wafv2.getWebACLForResource[AWSConfig.region][up.Id].err = err; + } + collection.wafv2.getWebACLForResource[AWSConfig.region][up.Id].data = data; + cb(); + }); + + }, function(){ + callback(); + }); +}; \ No newline at end of file diff --git a/exports.js b/exports.js index a9bf74beef..cf571d4c35 100644 --- a/exports.js +++ b/exports.js @@ -588,6 +588,8 @@ module.exports = { 'ecsContainerInsightsEnabled' : require(__dirname + '/plugins/aws/ecs/ecsContainerInsightsEnabled.js'), 'ecsClustersHaveTags' : require(__dirname + '/plugins/aws/ecs/ecsClustersHaveTags.js'), + + 'cognitoHasWafEnabled' : require(__dirname + '/plugins/aws/cognito/cognitoHasWafEnabled.js') }, azure : { 'fileServiceEncryption' : require(__dirname + '/plugins/azure/storageaccounts/fileServiceEncryption.js'), diff --git a/helpers/aws/api.js b/helpers/aws/api.js index 2ddd541bd9..70a5e4c4f1 100644 --- a/helpers/aws/api.js +++ b/helpers/aws/api.js @@ -193,9 +193,6 @@ var calls = { params: { MaxResults: 60 } - }, - describeUserPool:{ - property: 'UserPool', } }, CodePipeline: { 
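Review bot: The `ResourceArn` template hard-codes the `aws` partition, so in GovCloud or China accounts (which the later `regions_gov.js`/`regions_china.js` entries opt into) the ARN reads `arn:aws:...` instead of `arn:aws-us-gov:...`/`arn:aws-cn:...`, `getWebACLForResource` rejects it, and every pool there surfaces as UNKNOWN rather than FAIL — unprotected pools in those partitions are never flagged. Derive the partition from the region, e.g. `var partition = AWSConfig.region.startsWith('us-gov-') ? 'aws-us-gov' : AWSConfig.region.startsWith('cn-') ? 'aws-cn' : 'aws';` and build `arn:${partition}:cognito-idp:...`. The guard above the loop also dereferences `collection.sts.getCallerIdentity['us-east-1'].data` without first checking that the `'us-east-1'` key exists, which throws in a partition where STS was collected under a different region key. Likewise `listUserPools[AWSConfig.region].data` is handed to `async.eachLimit` with no null check, so a failed `listUserPools` in one region throws instead of being skipped; an early `if (!pools || !pools.data) return callback();` would cover it.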
@@ -2064,9 +2061,9 @@ var postcalls = [ reliesOnCall: 'listWebACLs', override: true }, - GetWebACLForResource: { + getWebACLForResource: { reliesOnService: 'cognitoidentityserviceprovider', - reliesOnCall: 'describeUserPool', + reliesOnCall: 'listUserPools', override: true } diff --git a/helpers/aws/api_multipart.js b/helpers/aws/api_multipart.js index 16c6bad067..86867062c0 100644 --- a/helpers/aws/api_multipart.js +++ b/helpers/aws/api_multipart.js @@ -1704,6 +1704,11 @@ var postcalls = [ reliesOnCall: 'listWebACLs', override: true, rateLimit: 600 + }, + getWebACLForResource: { + reliesOnService: 'cognitoidentityserviceprovider', + reliesOnCall: 'listUserPools', + override: true } }, ECS: { diff --git a/helpers/aws/regions.js b/helpers/aws/regions.js index bb14677b08..d2bfed416d 100644 --- a/helpers/aws/regions.js +++ b/helpers/aws/regions.js @@ -47,6 +47,10 @@ module.exports = { cloudformation: [...regions, ...newRegions], cloudtrail: [...regions, ...newRegions], cloudwatchlogs: [...regions, ...newRegions], + cognitoidentityserviceprovider: [ 'us-east-1', 'us-east-2', 'us-west-1', 'us-west-2', 'ca-central-1','eu-central-1', + 'eu-west-1','eu-west-2', 'eu-west-3','eu-north-1', 'eu-south-1','ap-northeast-1','ap-northeast-2', + 'ap-southeast-1','ap-northeast-3', 'ap-south-1', 'sa-east-1', 'me-south-1' + ], comprehend: ['us-east-1', 'us-east-2', 'us-west-2', 'eu-central-1', 'eu-west-2', 'eu-west-1', 'ap-southeast-1', 'ap-northeast-1', 'ap-southeast-2', 'ap-northeast-2', 'ap-south-1', 'ca-central-1'], diff --git a/plugins/aws/cognito/cognitoHasWafEnabled.js b/plugins/aws/cognito/cognitoHasWafEnabled.js new file mode 100644 index 0000000000..e788fff273 --- /dev/null +++ b/plugins/aws/cognito/cognitoHasWafEnabled.js 
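Review bot: The new `cognitoidentityserviceprovider` region list omits `ap-southeast-2` (Sydney), where Cognito user pools are offered, so pools there are never collected and the check silently produces no result for them — a coverage gap rather than a FAIL. The list includes `ap-northeast-3` while leaving out `ap-southeast-2`, which looks like a slip; please verify the set against the AWS regional services table and add `'ap-southeast-2'` if confirmed. Separately, the `api_multipart.js` entry for `getWebACLForResource` has no `rateLimit` while its sibling `getWebACL` carries `rateLimit: 600`; WAFV2 throttles aggressively, so consider the same value there.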
@@ -0,0 +1,62 @@ +var async = require('async'); +var helpers = require('../../../helpers/aws'); + +module.exports = { + title: 'EKS Cluster Has Tags', + category: 'EKS', + domain: 'Containers', + description: 'Ensure that AWS EKS Clusters have tags associated.', + more_info: 'Tags help you to group resources together that are related to or associated with each other. It is a best practice to tag cloud resources to better organize and gain visibility into their usage.', + link: 'https://docs.aws.amazon.com/eks/latest/userguide/eks-using-tags.html', + recommended_action: 'Modify EKS Cluster and add tags.', + apis: ['CognitoIdentityServiceProvider:listUserPools', 'WAFV2:getWebACLForResource', 'STS:getCallerIdentity'], + + run: function(cache, settings, callback) { + var results = []; + var source = {}; + var regions = helpers.regions(settings); + + var acctRegion = helpers.defaultRegion(settings); + var awsOrGov = helpers.defaultPartition(settings); + var accountId = helpers.addSource(cache, source, ['sts', 'getCallerIdentity', acctRegion, 'data']); + + async.each(regions.cognitoidentityserviceprovider, function(region, rcb) { + var userPools = helpers.addSource(cache, source, + ['cognitoidentityserviceprovider', 'listUserPools', region]); + + + if (!userPools) return rcb(); + + if (userPools.err || !userPools.data){ + helpers.addResult(results, 3, 'Unable to query api: ' + helpers.addError(userPools), region); + return rcb(); + } + if (!userPools.data.length){ + helpers.addResult(results, 0, 'No User pool found', region); + return rcb(); + } + for (let userPool of userPools.data) { + var webACLResource = helpers.addSource(cache, source, + ['wafv2', 'getWebACLForResource', region, userPool.Id]); + + + if (!webACLResource || webACLResource.err || !webACLResource.data){ + helpers.addResult(results, 3, + 'Unable to query for wafv2: ' + helpers.addError(webACLResource), region); + + return rcb(); + } + var arn = 'arn:' + awsOrGov + ':cognito-idp:' + region + ':' + 
accountId + ':userpool/' + userPool.Id; + if (webACLResource.data.WebACL){ + helpers.addResult(results, 0, 'User pool has WAFV2 enabled', region, arn); + } else { + helpers.addResult(results, 2, 'User pool does not have WAFV2 enabled', region, arn); + } + } + + rcb(); + }, function() { + callback(null, results, source); + }); + } +}; From 100c573cb9d4188c2526c2db1e814b02d6ca26ef Mon Sep 17 00:00:00 2001 From: abdullahaslam306 Date: Wed, 26 Oct 2022 01:20:18 +0500 Subject: [PATCH 03/20] unit tests tests --- plugins/aws/cognito/cognitoHasWafEnabled.js | 1 - .../aws/cognito/cognitoHasWafEnabled.spec.js | 100 ++++++++++++++++++ 2 files changed, 100 insertions(+), 1 deletion(-) create mode 100644 plugins/aws/cognito/cognitoHasWafEnabled.spec.js diff --git a/plugins/aws/cognito/cognitoHasWafEnabled.js b/plugins/aws/cognito/cognitoHasWafEnabled.js index e788fff273..9266524bea 100644 --- a/plugins/aws/cognito/cognitoHasWafEnabled.js +++ b/plugins/aws/cognito/cognitoHasWafEnabled.js @@ -39,7 +39,6 @@ module.exports = { var webACLResource = helpers.addSource(cache, source, ['wafv2', 'getWebACLForResource', region, userPool.Id]); - if (!webACLResource || webACLResource.err || !webACLResource.data){ helpers.addResult(results, 3, 'Unable to query for wafv2: ' + helpers.addError(webACLResource), region); diff --git a/plugins/aws/cognito/cognitoHasWafEnabled.spec.js b/plugins/aws/cognito/cognitoHasWafEnabled.spec.js new file mode 100644 index 0000000000..630f45e644 --- /dev/null +++ b/plugins/aws/cognito/cognitoHasWafEnabled.spec.js 
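Review bot: In the per-pool loop a failed or missing `getWebACLForResource` entry does `return rcb()`, which ends the whole region after a single UNKNOWN result so the remaining pools in that region are never evaluated, and that UNKNOWN result carries no resource because `arn` is computed only after the check. Build the ARN before the check, pass it to the UNKNOWN result, and `continue` instead of returning: `helpers.addResult(results, 3, 'Unable to query for wafv2: ' + helpers.addError(webACLResource), region, arn); continue;`. The `accountId` read from `sts:getCallerIdentity` is also interpolated unchecked, so a failed identity call yields `arn:aws:cognito-idp:<region>:undefined:userpool/...` as the resource; an early `if (!accountId)` UNKNOWN result would make that failure visible rather than mislabelling resources.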
@@ -0,0 +1,100 @@ +var expect = require('chai').expect; +var cognitoHasWafEnabled = require('./cognitoHasWafEnabled'); + +const listUserPools = [ + { + Id: 'us-east-1_cbDh8sCFGH', + Name: 'test', + LambdaConfig: {} + } +]; + +const createCache = (poolList, waf) => { + return { + cognitoidentityserviceprovider: { + listUserPools: { + 'us-east-1': { + err: null, + data: poolList + } + }, + }, + sts: { + getCallerIdentity: { + 'us-east-1': { + data: '101363884315' + } + } + }, + wafv2: { + getWebACLForResource: { + 'us-east-1':{ + 'us-east-1_cbDh8sCFGH': { + err: null, + data: waf + } + } + } + } + + } +}; + +describe('cognitoHasWafEnabled', function () { + describe('run', function () { + it('should give unknown result if unable to list user pools', function (done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + done() + }; + + const cache = createCache(null, null); + cognitoHasWafEnabled.run(cache, {}, callback); + }); + + it('should give passing result if User pool not found.', function (done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + done(); + }; + const cache = createCache([], null); + cognitoHasWafEnabled.run(cache, {}, callback); + }); + + it('should give unknown result if unable to query WAFV2 getWebACLForResource api', function (done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + done(); + }; + + const cache = createCache([listUserPools[0]], null); + cognitoHasWafEnabled.run(cache, {}, callback); + }); + + it('should give passing result if User pool has WAF enabled', function (done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + done(); + }; + + const cache = createCache([listUserPools[0]], { WebACL: {'Name': 'abc'}}); + cognitoHasWafEnabled.run(cache, {}, 
callback); + }); + + it('should give failing result if User pool does not have WAF enabled', function (done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + done(); + }; + + const cache = createCache([listUserPools[0]], { WebACL: null}); + cognitoHasWafEnabled.run(cache, {}, callback); + }); + + }); +}); \ No newline at end of file From ba2a432a8bab237df2e3f3e036362deb7658d4f9 Mon Sep 17 00:00:00 2001 From: abdullahaslam306 Date: Thu, 27 Oct 2022 00:00:27 +0500 Subject: [PATCH 04/20] regions added --- helpers/aws/regions_china.js | 1 + helpers/aws/regions_gov.js | 1 + 2 files changed, 2 insertions(+) diff --git a/helpers/aws/regions_china.js b/helpers/aws/regions_china.js index 884739949d..94b709399c 100644 --- a/helpers/aws/regions_china.js +++ b/helpers/aws/regions_china.js @@ -11,6 +11,7 @@ module.exports = { all: regions, optin: [], accessanalyzer: [], + cognitoidentityserviceprovider: ['cn-north-1'], acm: [], apigateway: regions, athena: [], diff --git a/helpers/aws/regions_gov.js b/helpers/aws/regions_gov.js index c4ee8c4bbd..28621756b7 100644 --- a/helpers/aws/regions_gov.js +++ b/helpers/aws/regions_gov.js @@ -25,6 +25,7 @@ module.exports = { cloudwatchlogs: regions, cloudformation: regions, comprehend: ['us-gov-west-1'], + cognitoidentityserviceprovider: ['us-gov-west-1'], configservice: regions, dlm: regions, dms: regions, From e925899f1daa6e3dc70910e742b3dee636ae4688 Mon Sep 17 00:00:00 2001 From: abdullahaslam306 Date: Thu, 27 Oct 2022 00:07:44 +0500 Subject: [PATCH 05/20] messages added in spec file --- plugins/aws/cognito/cognitoHasWafEnabled.js | 2 +- plugins/aws/cognito/cognitoHasWafEnabled.spec.js | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/plugins/aws/cognito/cognitoHasWafEnabled.js b/plugins/aws/cognito/cognitoHasWafEnabled.js index 9266524bea..03185fb64b 100644 --- a/plugins/aws/cognito/cognitoHasWafEnabled.js 
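Review bot: The "unable to query WAFV2" case only exercises `data: null`; the `err` branch of the same guard and the case where a pool has no `getWebACLForResource` entry at all (`!webACLResource`) are never hit, so a regression in error handling or in the collector-key lookup would pass this suite. Let `createCache` take an optional `wafErr` and add two cases: one with `err: { message: 'AccessDeniedException' }` on the WAF entry, and one whose `listUserPools` returns an `Id` that has no matching `wafv2` entry. The fixture account ID `'101363884315'` also looks like a real account number rather than a placeholder; prefer an obviously synthetic 12-digit value such as `'111122223333'`.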
+++ b/plugins/aws/cognito/cognitoHasWafEnabled.js @@ -41,7 +41,7 @@ module.exports = { if (!webACLResource || webACLResource.err || !webACLResource.data){ helpers.addResult(results, 3, - 'Unable to query for wafv2: ' + helpers.addError(webACLResource), region); + 'Unable to query for wafv2 api: ' + helpers.addError(webACLResource), region); return rcb(); } diff --git a/plugins/aws/cognito/cognitoHasWafEnabled.spec.js b/plugins/aws/cognito/cognitoHasWafEnabled.spec.js index 630f45e644..e424ec46eb 100644 --- a/plugins/aws/cognito/cognitoHasWafEnabled.spec.js +++ b/plugins/aws/cognito/cognitoHasWafEnabled.spec.js @@ -46,6 +46,7 @@ describe('cognitoHasWafEnabled', function () { const callback = (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query api'); done() }; @@ -57,6 +58,7 @@ describe('cognitoHasWafEnabled', function () { const callback = (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No User pool found'); done(); }; const cache = createCache([], null); @@ -67,6 +69,7 @@ describe('cognitoHasWafEnabled', function () { const callback = (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for wafv2 api'); done(); }; @@ -78,6 +81,7 @@ describe('cognitoHasWafEnabled', function () { const callback = (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('User pool has WAFV2 enabled'); done(); }; @@ -89,6 +93,7 @@ describe('cognitoHasWafEnabled', function () { const callback = (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('User pool does not have WAFV2 enabled'); done(); }; 
From f62e45f50cf27a5faa01488b147d7006d1d057c9 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Thu, 27 Oct 2022 13:10:41 +0500 Subject: [PATCH 06/20] Update plugins/aws/cognito/cognitoHasWafEnabled.js --- plugins/aws/cognito/cognitoHasWafEnabled.js | 1 - 1 file changed, 1 deletion(-) diff --git a/plugins/aws/cognito/cognitoHasWafEnabled.js b/plugins/aws/cognito/cognitoHasWafEnabled.js index 03185fb64b..04d98797e5 100644 --- a/plugins/aws/cognito/cognitoHasWafEnabled.js +++ b/plugins/aws/cognito/cognitoHasWafEnabled.js @@ -24,7 +24,6 @@ module.exports = { var userPools = helpers.addSource(cache, source, ['cognitoidentityserviceprovider', 'listUserPools', region]); - if (!userPools) return rcb(); if (userPools.err || !userPools.data){ From 2fcf3191ba64d78173a4a48d952746963db00a17 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Thu, 27 Oct 2022 13:17:22 +0500 Subject: [PATCH 07/20] Update plugins/aws/cognito/cognitoHasWafEnabled.js --- plugins/aws/cognito/cognitoHasWafEnabled.js | 1 - 1 file changed, 1 deletion(-) diff --git a/plugins/aws/cognito/cognitoHasWafEnabled.js b/plugins/aws/cognito/cognitoHasWafEnabled.js index 04d98797e5..a100c14422 100644 --- a/plugins/aws/cognito/cognitoHasWafEnabled.js +++ b/plugins/aws/cognito/cognitoHasWafEnabled.js @@ -41,7 +41,6 @@ module.exports = { if (!webACLResource || webACLResource.err || !webACLResource.data){ helpers.addResult(results, 3, 'Unable to query for wafv2 api: ' + helpers.addError(webACLResource), region); - return rcb(); } var arn = 'arn:' + awsOrGov + ':cognito-idp:' + region + ':' + accountId + ':userpool/' + userPool.Id; From 43d569aba4edc181bbfa57e9b67f9c5ceb50745d Mon Sep 17 00:00:00 2001 
From: abdullahaslam306 Date: Sat, 29 Oct 2022 19:24:37 +0500 Subject: [PATCH 08/20] message and regions added in spec files --- plugins/aws/cognito/cognitoHasWafEnabled.js | 19 +++++++++++-------- .../aws/cognito/cognitoHasWafEnabled.spec.js | 5 +++++ 2 files changed, 16 insertions(+), 8 deletions(-) diff --git a/plugins/aws/cognito/cognitoHasWafEnabled.js b/plugins/aws/cognito/cognitoHasWafEnabled.js index 03185fb64b..28de1c6a3b 100644 --- a/plugins/aws/cognito/cognitoHasWafEnabled.js +++ b/plugins/aws/cognito/cognitoHasWafEnabled.js @@ -2,13 +2,13 @@ var async = require('async'); var helpers = require('../../../helpers/aws'); module.exports = { - title: 'EKS Cluster Has Tags', - category: 'EKS', - domain: 'Containers', - description: 'Ensure that AWS EKS Clusters have tags associated.', - more_info: 'Tags help you to group resources together that are related to or associated with each other. It is a best practice to tag cloud resources to better organize and gain visibility into their usage.', - link: 'https://docs.aws.amazon.com/eks/latest/userguide/eks-using-tags.html', - recommended_action: 'Modify EKS Cluster and add tags.', + title: 'COgnito UserPool Has WAF Enabled', + category: 'CognitoIdentityServiceProvider', + domain: 'Identity Service Provider', + description: 'Ensure that Cognito UserPool has WAF enabled.', + more_info: 'Enabling WAF allows control over requests to the load balancer, allowing or denying traffic based off rules in the Web ACL.', + link: 'https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html', + recommended_action: '1. Enter the Cognito service. 2. Enter user pools and enable WAF from properties ', apis: ['CognitoIdentityServiceProvider:listUserPools', 'WAFV2:getWebACLForResource', 'STS:getCallerIdentity'], run: function(cache, settings, callback) { 
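Review bot: `more_info` says the Web ACL controls requests "to the load balancer", wording carried over from an ELB check; a Cognito user pool has no load balancer, and the WAF association protects the user pool's own hosted UI and API endpoints. Suggest `more_info: 'Associating a WAF Web ACL with a user pool lets you allow, block or rate-limit requests to its hosted UI and API endpoints based on the rules in the Web ACL, for example to throttle credential-stuffing or sign-up abuse.'`. `recommended_action` ends with a trailing space and reads as console clicks; `'Associate a WAF Web ACL with the user pool (Cognito console > User pool properties > AWS WAF, or wafv2:AssociateWebACL).'` would be clearer.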
@@ -36,6 +36,9 @@ module.exports = { return rcb(); } for (let userPool of userPools.data) { + + if (!userPool.Id) continue; + var webACLResource = helpers.addSource(cache, source, ['wafv2', 'getWebACLForResource', region, userPool.Id]); @@ -43,7 +46,7 @@ module.exports = { helpers.addResult(results, 3, 'Unable to query for wafv2 api: ' + helpers.addError(webACLResource), region); - return rcb(); + continue; } var arn = 'arn:' + awsOrGov + ':cognito-idp:' + region + ':' + accountId + ':userpool/' + userPool.Id; if (webACLResource.data.WebACL){ diff --git a/plugins/aws/cognito/cognitoHasWafEnabled.spec.js b/plugins/aws/cognito/cognitoHasWafEnabled.spec.js index e424ec46eb..05aa61c73a 100644 --- a/plugins/aws/cognito/cognitoHasWafEnabled.spec.js +++ b/plugins/aws/cognito/cognitoHasWafEnabled.spec.js @@ -46,6 +46,7 @@ describe('cognitoHasWafEnabled', function () { const callback = (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(3); + expect(results[0].region).to.equal('us-east-1'); expect(results[0].message).to.include('Unable to query api'); done() }; @@ -58,6 +59,7 @@ describe('cognitoHasWafEnabled', function () { const callback = (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); + expect(results[0].region).to.equal('us-east-1'); expect(results[0].message).to.include('No User pool found'); done(); }; @@ -69,6 +71,7 @@ describe('cognitoHasWafEnabled', function () { const callback = (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(3); + expect(results[0].region).to.equal('us-east-1'); expect(results[0].message).to.include('Unable to query for wafv2 api'); done(); }; 
@@ -81,6 +84,7 @@ describe('cognitoHasWafEnabled', function () { const callback = (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); + expect(results[0].region).to.equal('us-east-1'); expect(results[0].message).to.include('User pool has WAFV2 enabled'); done(); }; @@ -93,6 +97,7 @@ describe('cognitoHasWafEnabled', function () { const callback = (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); + expect(results[0].region).to.equal('us-east-1'); expect(results[0].message).to.include('User pool does not have WAFV2 enabled'); done(); }; From f8b4822df6cc95787dabc02eaaf4b3857048be35 Mon Sep 17 00:00:00 2001 From: abdullahaslam306 Date: Sat, 29 Oct 2022 19:26:00 +0500 Subject: [PATCH 09/20] id updated --- plugins/aws/cognito/cognitoHasWafEnabled.spec.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/aws/cognito/cognitoHasWafEnabled.spec.js b/plugins/aws/cognito/cognitoHasWafEnabled.spec.js index 05aa61c73a..734ac03dcb 100644 --- a/plugins/aws/cognito/cognitoHasWafEnabled.spec.js +++ b/plugins/aws/cognito/cognitoHasWafEnabled.spec.js @@ -22,7 +22,7 @@ const createCache = (poolList, waf) => { sts: { getCallerIdentity: { 'us-east-1': { - data: '101363884315' + data: '11111222222' } } }, From dc4cc5c9faaba3beded0e3f6559f88a0b9fc4003 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Mon, 31 Oct 2022 12:49:45 +0500 Subject: [PATCH 10/20] Update plugins/aws/cognito/cognitoHasWafEnabled.js --- plugins/aws/cognito/cognitoHasWafEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/aws/cognito/cognitoHasWafEnabled.js b/plugins/aws/cognito/cognitoHasWafEnabled.js index e34ddaefcb..3f99e6fbd4 100644 --- a/plugins/aws/cognito/cognitoHasWafEnabled.js +++ b/plugins/aws/cognito/cognitoHasWafEnabled.js 
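Review bot: The replacement fixture `'11111222222'` is 11 digits, while AWS account IDs are 12, so the ARN the plugin builds from it (`arn:aws:cognito-idp:us-east-1:11111222222:userpool/...`) is not a well-formed example and would mask a future format check on the account field. Use a 12-digit placeholder such as `'111122223333'`.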
@@ -2,7 +2,7 @@ var async = require('async'); var helpers = require('../../../helpers/aws'); module.exports = { - title: 'COgnito UserPool Has WAF Enabled', + title: 'Cognito User Pool Has WAF Enabled', category: 'CognitoIdentityServiceProvider', domain: 'Identity Service Provider', description: 'Ensure that Cognito UserPool has WAF enabled.', From 800ca1f643ceda556ba8a79c110d6c6a400a0a03 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Mon, 31 Oct 2022 12:52:53 +0500 Subject: [PATCH 11/20] Update plugins/aws/cognito/cognitoHasWafEnabled.js --- plugins/aws/cognito/cognitoHasWafEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/aws/cognito/cognitoHasWafEnabled.js b/plugins/aws/cognito/cognitoHasWafEnabled.js index 3f99e6fbd4..9d2c82b68e 100644 --- a/plugins/aws/cognito/cognitoHasWafEnabled.js +++ b/plugins/aws/cognito/cognitoHasWafEnabled.js @@ -5,7 +5,7 @@ module.exports = { title: 'Cognito User Pool Has WAF Enabled', category: 'CognitoIdentityServiceProvider', domain: 'Identity Service Provider', - description: 'Ensure that Cognito UserPool has WAF enabled.', + description: 'Ensure that Cognito User Pool has WAF enabled.', more_info: 'Enabling WAF allows control over requests to the load balancer, allowing or denying traffic based off rules in the Web ACL.', link: 'https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html', recommended_action: '1. Enter the Cognito service. 2. Enter user pools and enable WAF from properties ', From e87d84b28103d40819215ecd36d2bf69d278fdf0 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Mon, 31 Oct 2022 12:54:19 +0500 Subject: [PATCH 12/20] Apply suggestions from code review --- plugins/aws/cognito/cognitoHasWafEnabled.js | 2 -- 1 file changed, 2 deletions(-) 
diff --git a/plugins/aws/cognito/cognitoHasWafEnabled.js b/plugins/aws/cognito/cognitoHasWafEnabled.js index 9d2c82b68e..73318723d3 100644 --- a/plugins/aws/cognito/cognitoHasWafEnabled.js +++ b/plugins/aws/cognito/cognitoHasWafEnabled.js @@ -35,7 +35,6 @@ module.exports = { return rcb(); } for (let userPool of userPools.data) { - if (!userPool.Id) continue; var webACLResource = helpers.addSource(cache, source, @@ -44,7 +43,6 @@ module.exports = { if (!webACLResource || webACLResource.err || !webACLResource.data){ helpers.addResult(results, 3, 'Unable to query for wafv2 api: ' + helpers.addError(webACLResource), region); - continue; } var arn = 'arn:' + awsOrGov + ':cognito-idp:' + region + ':' + accountId + ':userpool/' + userPool.Id; From 8b37b0df158fe4825e9430e2a0691ffd3d071ae3 Mon Sep 17 00:00:00 2001 From: abdullahaslam306 Date: Tue, 1 Nov 2022 14:14:12 +0500 Subject: [PATCH 13/20] changes --- ...bACLForResource.js => getWebACLForCognitoResource.js} | 0 helpers/aws/api.js | 9 +-------- helpers/aws/api_multipart.js | 2 +- helpers/aws/regions_china.js | 2 +- plugins/aws/cognito/cognitoHasWafEnabled.js | 4 ++-- plugins/aws/cognito/cognitoHasWafEnabled.spec.js | 2 +- 6 files changed, 6 insertions(+), 13 deletions(-) rename collectors/aws/wafv2/{getWebACLForResource.js => getWebACLForCognitoResource.js} (100%) diff --git a/collectors/aws/wafv2/getWebACLForResource.js b/collectors/aws/wafv2/getWebACLForCognitoResource.js similarity index 100% rename from collectors/aws/wafv2/getWebACLForResource.js rename to collectors/aws/wafv2/getWebACLForCognitoResource.js diff --git a/helpers/aws/api.js b/helpers/aws/api.js index 70a5e4c4f1..1b8819cb10 100644 --- a/helpers/aws/api.js +++ b/helpers/aws/api.js 
@@ -1523,13 +1523,6 @@ var postcalls = [ enabled: true } }, - CognitoIdentityServiceProvider: { - describeUserPool: { - reliesOnService: 'cognitoidentityserviceprovider', - reliesOnCall: 'listUserPools', - override: true - } - }, EC2: { describeSubnets: { reliesOnService: 'ec2', @@ -2061,7 +2054,7 @@ var postcalls = [ reliesOnCall: 'listWebACLs', override: true }, - getWebACLForResource: { + getWebACLForCognitoResource: { reliesOnService: 'cognitoidentityserviceprovider', reliesOnCall: 'listUserPools', override: true diff --git a/helpers/aws/api_multipart.js b/helpers/aws/api_multipart.js index 86867062c0..ce84a19509 100644 --- a/helpers/aws/api_multipart.js +++ b/helpers/aws/api_multipart.js @@ -1705,7 +1705,7 @@ var postcalls = [ override: true, rateLimit: 600 }, - getWebACLForResource: { + getWebACLForCognitoResource: { reliesOnService: 'cognitoidentityserviceprovider', reliesOnCall: 'listUserPools', override: true diff --git a/helpers/aws/regions_china.js b/helpers/aws/regions_china.js index 94b709399c..adad7f30f1 100644 --- a/helpers/aws/regions_china.js +++ b/helpers/aws/regions_china.js @@ -11,7 +11,7 @@ module.exports = { all: regions, optin: [], accessanalyzer: [], - cognitoidentityserviceprovider: ['cn-north-1'], + cognitoidentityserviceprovider: regions, acm: [], apigateway: regions, athena: [], diff --git a/plugins/aws/cognito/cognitoHasWafEnabled.js b/plugins/aws/cognito/cognitoHasWafEnabled.js index e34ddaefcb..e65bc5e7ca 100644 --- a/plugins/aws/cognito/cognitoHasWafEnabled.js +++ b/plugins/aws/cognito/cognitoHasWafEnabled.js 
@@ -9,7 +9,7 @@ module.exports = { more_info: 'Enabling WAF allows control over requests to the load balancer, allowing or denying traffic based off rules in the Web ACL.', link: 'https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html', recommended_action: '1. Enter the Cognito service. 2. Enter user pools and enable WAF from properties ', - apis: ['CognitoIdentityServiceProvider:listUserPools', 'WAFV2:getWebACLForResource', 'STS:getCallerIdentity'], + apis: ['CognitoIdentityServiceProvider:listUserPools', 'WAFV2:getWebACLForCognitoResource', 'STS:getCallerIdentity'], run: function(cache, settings, callback) { var results = []; @@ -39,7 +39,7 @@ module.exports = { if (!userPool.Id) continue; var webACLResource = helpers.addSource(cache, source, - ['wafv2', 'getWebACLForResource', region, userPool.Id]); + ['wafv2', 'getWebACLForCognitoResource', region, userPool.Id]); if (!webACLResource || webACLResource.err || !webACLResource.data){ helpers.addResult(results, 3, diff --git a/plugins/aws/cognito/cognitoHasWafEnabled.spec.js b/plugins/aws/cognito/cognitoHasWafEnabled.spec.js index 734ac03dcb..c3626af1b2 100644 --- a/plugins/aws/cognito/cognitoHasWafEnabled.spec.js +++ b/plugins/aws/cognito/cognitoHasWafEnabled.spec.js @@ -27,7 +27,7 @@ const createCache = (poolList, waf) => { } }, wafv2: { - getWebACLForResource: { + getWebACLForCognitoResource: { 'us-east-1':{ 'us-east-1_cbDh8sCFGH': { err: null, From 2d04e6d05f954c7808716cf04c4f62cd9e8f09db Mon Sep 17 00:00:00 2001 From: abdullahaslam306 Date: Tue, 1 Nov 2022 14:21:47 +0500 Subject: [PATCH 14/20] collector updated --- collectors/aws/wafv2/getWebACLForCognitoResource.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/collectors/aws/wafv2/getWebACLForCognitoResource.js b/collectors/aws/wafv2/getWebACLForCognitoResource.js index cde7e89f06..f7dbea7a62 100644 --- a/collectors/aws/wafv2/getWebACLForCognitoResource.js +++ b/collectors/aws/wafv2/getWebACLForCognitoResource.js 
@@ -9,16 +9,16 @@ module.exports = function(AWSConfig, collection, retries, callback) {
 if (!collection.sts.getCallerIdentity || !collection.sts.getCallerIdentity['us-east-1'].data) return callback();
 async.eachLimit(collection.cognitoidentityserviceprovider.listUserPools[AWSConfig.region].data, 15, function(up, cb){
- collection.wafv2.getWebACLForResource[AWSConfig.region][up.Id] = {};
+ collection.wafv2.getWebACLForCognitoResource[AWSConfig.region][up.Id] = {};
 var params = {
 'ResourceArn':`arn:aws:cognito-idp:${AWSConfig.region}:${collection.sts.getCallerIdentity['us-east-1'].data}:userpool/${up.Id}`
 };
 helpers.makeCustomCollectorCall(wafv2, 'getWebACLForResource', params, retries, null, null, null, function(err, data) {
 if (err) {
- collection.wafv2.getWebACLForResource[AWSConfig.region][up.Id].err = err;
+ collection.wafv2.getWebACLForCognitoResource[AWSConfig.region][up.Id].err = err;
 }
- collection.wafv2.getWebACLForResource[AWSConfig.region][up.Id].data = data;
+ collection.wafv2.getWebACLForCognitoResource[AWSConfig.region][up.Id].data = data;
 cb();
 });
From d08da48899e8c67618df4ae59f8db68cfd02b931 Mon Sep 17 00:00:00 2001
From: abdullahaslam306
Date: Tue, 1 Nov 2022 14:25:47 +0500
Subject: [PATCH 15/20] plugin names changed

---
 ...ForCognitoResource.js => getWebACLForCognitoUserPool.js} | 6 +++---
 helpers/aws/api.js | 2 +-
 helpers/aws/api_multipart.js | 2 +-
 plugins/aws/cognito/cognitoHasWafEnabled.js | 4 ++--
 plugins/aws/cognito/cognitoHasWafEnabled.spec.js | 2 +-
 5 files changed, 8 insertions(+), 8 deletions(-)
 rename collectors/aws/wafv2/{getWebACLForCognitoResource.js => getWebACLForCognitoUserPool.js} (83%)

diff --git a/collectors/aws/wafv2/getWebACLForCognitoResource.js b/collectors/aws/wafv2/getWebACLForCognitoUserPool.js
similarity index 83%
rename from collectors/aws/wafv2/getWebACLForCognitoResource.js
rename to collectors/aws/wafv2/getWebACLForCognitoUserPool.js
index f7dbea7a62..0ef0ceb713 100644
--- a/collectors/aws/wafv2/getWebACLForCognitoResource.js
+++ b/collectors/aws/wafv2/getWebACLForCognitoUserPool.js
@@ -9,16 +9,16 @@ module.exports = function(AWSConfig, collection, retries, callback) {
 if (!collection.sts.getCallerIdentity || !collection.sts.getCallerIdentity['us-east-1'].data) return callback();
 async.eachLimit(collection.cognitoidentityserviceprovider.listUserPools[AWSConfig.region].data, 15, function(up, cb){
- collection.wafv2.getWebACLForCognitoResource[AWSConfig.region][up.Id] = {};
+ collection.wafv2.getWebACLForCognitoUserPool[AWSConfig.region][up.Id] = {};
 var params = {
 'ResourceArn':`arn:aws:cognito-idp:${AWSConfig.region}:${collection.sts.getCallerIdentity['us-east-1'].data}:userpool/${up.Id}`
 };
 helpers.makeCustomCollectorCall(wafv2, 'getWebACLForResource', params, retries, null, null, null, function(err, data) {
 if (err) {
- collection.wafv2.getWebACLForCognitoResource[AWSConfig.region][up.Id].err = err;
+ collection.wafv2.getWebACLForCognitoUserPool[AWSConfig.region][up.Id].err = err;
 }
- collection.wafv2.getWebACLForCognitoResource[AWSConfig.region][up.Id].data = data;
+ collection.wafv2.getWebACLForCognitoUserPool[AWSConfig.region][up.Id].data = data;
 cb();
 });
diff --git a/helpers/aws/api.js b/helpers/aws/api.js
index 1b8819cb10..beaa771196 100644
--- a/helpers/aws/api.js
+++ b/helpers/aws/api.js
@@ -2054,7 +2054,7 @@ var postcalls = [
 reliesOnCall: 'listWebACLs',
 override: true
 },
- getWebACLForCognitoResource: {
+ getWebACLForCognitoUserPool: {
 reliesOnService: 'cognitoidentityserviceprovider',
 reliesOnCall: 'listUserPools',
 override: true
diff --git a/helpers/aws/api_multipart.js b/helpers/aws/api_multipart.js
index ce84a19509..c453c0c78a 100644
--- a/helpers/aws/api_multipart.js
+++ b/helpers/aws/api_multipart.js
@@ -1705,7 +1705,7 @@ var postcalls = [
 override: true,
 rateLimit: 600
 },
- getWebACLForCognitoResource: {
+ getWebACLForCognitoUserPool: {
 reliesOnService: 'cognitoidentityserviceprovider',
 reliesOnCall: 'listUserPools',
 override: true
diff --git a/plugins/aws/cognito/cognitoHasWafEnabled.js b/plugins/aws/cognito/cognitoHasWafEnabled.js
index d1509e889e..783ad6f12c 100644
--- a/plugins/aws/cognito/cognitoHasWafEnabled.js
+++ b/plugins/aws/cognito/cognitoHasWafEnabled.js
@@ -9,7 +9,7 @@ module.exports = {
 more_info: 'Enabling WAF allows control over requests to the load balancer, allowing or denying traffic based off rules in the Web ACL.',
 link: 'https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html',
 recommended_action: '1. Enter the Cognito service. 2. Enter user pools and enable WAF from properties ',
- apis: ['CognitoIdentityServiceProvider:listUserPools', 'WAFV2:getWebACLForCognitoResource', 'STS:getCallerIdentity'],
+ apis: ['CognitoIdentityServiceProvider:listUserPools', 'WAFV2:getWebACLForCognitoUserPool', 'STS:getCallerIdentity'],
 run: function(cache, settings, callback) {
 var results = [];
@@ -38,7 +38,7 @@ module.exports = {
 if (!userPool.Id) continue;
 var webACLResource = helpers.addSource(cache, source,
- ['wafv2', 'getWebACLForCognitoResource', region, userPool.Id]);
+ ['wafv2', 'getWebACLForCognitoUserPool', region, userPool.Id]);
 if (!webACLResource || webACLResource.err || !webACLResource.data){
 helpers.addResult(results, 3,
diff --git a/plugins/aws/cognito/cognitoHasWafEnabled.spec.js b/plugins/aws/cognito/cognitoHasWafEnabled.spec.js
index c3626af1b2..64cc568584 100644
--- a/plugins/aws/cognito/cognitoHasWafEnabled.spec.js
+++ b/plugins/aws/cognito/cognitoHasWafEnabled.spec.js
@@ -27,7 +27,7 @@ const createCache = (poolList, waf) => {
 }
 },
 wafv2: {
- getWebACLForCognitoResource: {
+ getWebACLForCognitoUserPool: {
 'us-east-1':{
 'us-east-1_cbDh8sCFGH': {
 err: null,
From 6061fe4d1704ae92e947b617f299b4f8bccd1786 Mon Sep 17 00:00:00 2001
From: abdullahaslam306
Date: Tue, 1 Nov 2022 14:28:34 +0500
Subject: [PATCH 16/20] api added

---
 helpers/aws/api_multipart.js | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/helpers/aws/api_multipart.js b/helpers/aws/api_multipart.js
index c453c0c78a..5d59cd1af0 100644
--- a/helpers/aws/api_multipart.js
+++ b/helpers/aws/api_multipart.js
@@ -1111,7 +1111,16 @@ var calls = [
 property: 'infrastructureConfigurationSummaryList',
 paginate: 'nextToken'
 }
- }
+ },
+ CognitoIdentityServiceProvider: {
+ listUserPools: {
+ property: 'UserPools',
+ paginate: 'NextToken',
+ params: {
+ MaxResults: 60
+ }
+ },
+ },
 }
 ];
From 72e81c8ec77f8b375a4489e054501f199352a546 Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Tue, 1 Nov 2022 15:24:38 +0500
Subject: [PATCH 17/20] Update plugins/aws/cognito/cognitoHasWafEnabled.js

---
 plugins/aws/cognito/cognitoHasWafEnabled.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/plugins/aws/cognito/cognitoHasWafEnabled.js b/plugins/aws/cognito/cognitoHasWafEnabled.js
index 783ad6f12c..c51059d01a 100644
--- a/plugins/aws/cognito/cognitoHasWafEnabled.js
+++ b/plugins/aws/cognito/cognitoHasWafEnabled.js
@@ -8,7 +8,7 @@ module.exports = {
 description: 'Ensure that Cognito User Pool has WAF enabled.',
 more_info: 'Enabling WAF allows control over requests to the load balancer, allowing or denying traffic based off rules in the Web ACL.',
 link: 'https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html',
- recommended_action: '1. Enter the Cognito service. 2. Enter user pools and enable WAF from properties ',
+ recommended_action: '1. Enter the Cognito service. 2. Enter user pools and enable WAF from properties',
 apis: ['CognitoIdentityServiceProvider:listUserPools', 'WAFV2:getWebACLForCognitoUserPool', 'STS:getCallerIdentity'],
 run: function(cache, settings, callback) {
From 603d07a2668a778d10e6e39be7dc87021449e776 Mon Sep 17 00:00:00 2001
From: abdullahaslam306
Date: Tue, 1 Nov 2022 17:17:15 +0500
Subject: [PATCH 18/20] messages updated

---
 plugins/aws/cognito/cognitoHasWafEnabled.js | 17 +++++++++--------
 .../aws/cognito/cognitoHasWafEnabled.spec.js | 10 +++++-----
 2 files changed, 14 insertions(+), 13 deletions(-)

diff --git a/plugins/aws/cognito/cognitoHasWafEnabled.js b/plugins/aws/cognito/cognitoHasWafEnabled.js
index 783ad6f12c..d898d63f1b 100644
--- a/plugins/aws/cognito/cognitoHasWafEnabled.js
+++ b/plugins/aws/cognito/cognitoHasWafEnabled.js
@@ -3,10 +3,10 @@ var helpers = require('../../../helpers/aws');
 module.exports = {
 title: 'Cognito User Pool Has WAF Enabled',
- category: 'CognitoIdentityServiceProvider',
+ category: 'Cognito',
 domain: 'Identity Service Provider',
 description: 'Ensure that Cognito User Pool has WAF enabled.',
- more_info: 'Enabling WAF allows control over requests to the load balancer, allowing or denying traffic based off rules in the Web ACL.',
+ more_info: 'Enabling WAF allows control over unwanted requests to your hosted UI and Amazon Cognito API service endpoints, allowing or denying traffic based off rules in the Web ACL.',
 link: 'https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html',
 recommended_action: '1. Enter the Cognito service. 2. Enter user pools and enable WAF from properties ',
 apis: ['CognitoIdentityServiceProvider:listUserPools', 'WAFV2:getWebACLForCognitoUserPool', 'STS:getCallerIdentity'],
@@ -27,29 +27,30 @@ module.exports = {
 if (!userPools) return rcb();
 if (userPools.err || !userPools.data){
- helpers.addResult(results, 3, 'Unable to query api: ' + helpers.addError(userPools), region);
+ helpers.addResult(results, 3, 'Unable to query Cognito user pools: ' + helpers.addError(userPools), region);
 return rcb();
 }
 if (!userPools.data.length){
- helpers.addResult(results, 0, 'No User pool found', region);
+ helpers.addResult(results, 0, 'No Cognito user pools found', region);
 return rcb();
 }
 for (let userPool of userPools.data) {
 if (!userPool.Id) continue;
+
+ var arn = 'arn:' + awsOrGov + ':cognito-idp:' + region + ':' + accountId + ':userpool/' + userPool.Id;
 var webACLResource = helpers.addSource(cache, source,
 ['wafv2', 'getWebACLForCognitoUserPool', region, userPool.Id]);
 if (!webACLResource || webACLResource.err || !webACLResource.data){
 helpers.addResult(results, 3,
- 'Unable to query for wafv2 api: ' + helpers.addError(webACLResource), region);
+ 'Unable to get WebACL resource for cognito user pool: ' + helpers.addError(webACLResource), region, arn);
 continue;
 }
- var arn = 'arn:' + awsOrGov + ':cognito-idp:' + region + ':' + accountId + ':userpool/' + userPool.Id;
 if (webACLResource.data.WebACL){
- helpers.addResult(results, 0, 'User pool has WAFV2 enabled', region, arn);
+ helpers.addResult(results, 0, 'Cognito User pool has WAFV2 enabled', region, arn);
 } else {
- helpers.addResult(results, 2, 'User pool does not have WAFV2 enabled', region, arn);
+ helpers.addResult(results, 2, 'Cognito User pool does not have WAFV2 enabled', region, arn);
 }
 }
diff --git a/plugins/aws/cognito/cognitoHasWafEnabled.spec.js b/plugins/aws/cognito/cognitoHasWafEnabled.spec.js
index 64cc568584..c41594eeb2 100644
--- a/plugins/aws/cognito/cognitoHasWafEnabled.spec.js
+++ b/plugins/aws/cognito/cognitoHasWafEnabled.spec.js
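Review bot: The moved line `var arn = 'arn:' + awsOrGov + ':cognito-idp:' + region + ':' + accountId + ':userpool/' + userPool.Id;` is declared with `var` inside `for (let userPool of userPools.data)`, so it is hoisted to the enclosing function while the loop variable beside it is block-scoped; since this loop already uses `let`, `const arn = ...` keeps one binding per iteration, and a template literal would replace the seven-part `+` chain. Hoisting the ARN above the WAF lookup so the status-3 result is attributed to the specific pool is the right change; the new message `'Unable to get WebACL resource for cognito user pool: '` mixes casing with the sibling results (`Cognito`, `WAFV2`), and `'Unable to query WAFV2 Web ACL for Cognito user pool: '` would read consistently, with the matching `include` in the spec updated in the same commit. The enclosing `run` callback, which presumably defines `awsOrGov` and `accountId`, starts outside the hunk.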
@@ -47,7 +47,7 @@ describe('cognitoHasWafEnabled', function () {
 expect(results.length).to.equal(1);
 expect(results[0].status).to.equal(3);
 expect(results[0].region).to.equal('us-east-1');
- expect(results[0].message).to.include('Unable to query api');
+ expect(results[0].message).to.include('Unable to query Cognito user pools:');
 done()
 };
@@ -60,7 +60,7 @@ describe('cognitoHasWafEnabled', function () {
 expect(results.length).to.equal(1);
 expect(results[0].status).to.equal(0);
 expect(results[0].region).to.equal('us-east-1');
- expect(results[0].message).to.include('No User pool found');
+ expect(results[0].message).to.include('No Cognito user pools found');
 done();
 };
 const cache = createCache([], null);
@@ -72,7 +72,7 @@ describe('cognitoHasWafEnabled', function () {
 expect(results.length).to.equal(1);
 expect(results[0].status).to.equal(3);
 expect(results[0].region).to.equal('us-east-1');
- expect(results[0].message).to.include('Unable to query for wafv2 api');
+ expect(results[0].message).to.include('Unable to get WebACL resource for cognito user pool');
 done();
 };
@@ -85,7 +85,7 @@ describe('cognitoHasWafEnabled', function () {
 expect(results.length).to.equal(1);
 expect(results[0].status).to.equal(0);
 expect(results[0].region).to.equal('us-east-1');
- expect(results[0].message).to.include('User pool has WAFV2 enabled');
+ expect(results[0].message).to.include('Cognito User pool has WAFV2 enabled');
 done();
 };
@@ -98,7 +98,7 @@ describe('cognitoHasWafEnabled', function () {
 expect(results.length).to.equal(1);
 expect(results[0].status).to.equal(2);
 expect(results[0].region).to.equal('us-east-1');
- expect(results[0].message).to.include('User pool does not have WAFV2 enabled');
+ expect(results[0].message).to.include('Cognito User pool does not have WAFV2 enabled');
 done();
 };
From 0787a001325080f8725677b8b8f5886fc6ac5b92 Mon Sep 17 00:00:00 2001
From: AkhtarAmir <31914988+AkhtarAmir@users.noreply.github.com>
Date: Tue, 1 Nov 2022 17:31:15 +0500
Subject: [PATCH 19/20] Apply suggestions from code review

Co-authored-by: alphadev4 <113519745+alphadev4@users.noreply.github.com>
---
 helpers/aws/api.js | 1 -
 plugins/aws/cognito/cognitoHasWafEnabled.js | 10 ++++++----
 plugins/aws/cognito/cognitoHasWafEnabled.spec.js | 4 ++--
 3 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/helpers/aws/api.js b/helpers/aws/api.js
index 7497e18119..12dd2b6b19 100644
--- a/helpers/aws/api.js
+++ b/helpers/aws/api.js
@@ -2067,7 +2067,6 @@ var postcalls = [
 reliesOnCall: 'listUserPools',
 override: true
 }
- },
 GuardDuty: {
 getDetector: {
diff --git a/plugins/aws/cognito/cognitoHasWafEnabled.js b/plugins/aws/cognito/cognitoHasWafEnabled.js
index dc9b49b12c..eba7741dd7 100644
--- a/plugins/aws/cognito/cognitoHasWafEnabled.js
+++ b/plugins/aws/cognito/cognitoHasWafEnabled.js
@@ -4,11 +4,11 @@ var helpers = require('../../../helpers/aws');
 module.exports = {
 title: 'Cognito User Pool Has WAF Enabled',
 category: 'Cognito',
- domain: 'Identity Service Provider',
+ domain: 'Identity and Access Management',
 description: 'Ensure that Cognito User Pool has WAF enabled.',
 more_info: 'Enabling WAF allows control over unwanted requests to your hosted UI and Amazon Cognito API service endpoints, allowing or denying traffic based off rules in the Web ACL.',
 link: 'https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html',
- recommended_action: '1. Enter the Cognito service. 2. Enter user pools and enable WAF from properties',
+ recommended_action: '1. Enter the Cognito service. 2. Enter user pools and enable WAF from properties.',
 apis: ['CognitoIdentityServiceProvider:listUserPools', 'WAFV2:getWebACLForCognitoUserPool', 'STS:getCallerIdentity'],
 run: function(cache, settings, callback) {
@@ -30,10 +30,12 @@ module.exports = {
 helpers.addResult(results, 3, 'Unable to query Cognito user pools: ' + helpers.addError(userPools), region);
 return rcb();
 }
+
 if (!userPools.data.length){
 helpers.addResult(results, 0, 'No Cognito user pools found', region);
 return rcb();
 }
+
 for (let userPool of userPools.data) {
 if (!userPool.Id) continue;
@@ -48,9 +50,9 @@ module.exports = {
 continue;
 }
 if (webACLResource.data.WebACL){
- helpers.addResult(results, 0, 'Cognito User pool has WAFV2 enabled', region, arn);
+ helpers.addResult(results, 0, 'User pool has WAFV2 enabled', region, arn);
 } else {
- helpers.addResult(results, 2, 'Cognito User pool does not have WAFV2 enabled', region, arn);
+ helpers.addResult(results, 2, 'User pool does not have WAFV2 enabled', region, arn);
 }
 }
diff --git a/plugins/aws/cognito/cognitoHasWafEnabled.spec.js b/plugins/aws/cognito/cognitoHasWafEnabled.spec.js
index c41594eeb2..50e7f79dc8 100644
--- a/plugins/aws/cognito/cognitoHasWafEnabled.spec.js
+++ b/plugins/aws/cognito/cognitoHasWafEnabled.spec.js
@@ -85,7 +85,7 @@ describe('cognitoHasWafEnabled', function () {
 expect(results.length).to.equal(1);
 expect(results[0].status).to.equal(0);
 expect(results[0].region).to.equal('us-east-1');
- expect(results[0].message).to.include('Cognito User pool has WAFV2 enabled');
+ expect(results[0].message).to.include('User pool has WAFV2 enabled');
 done();
 };
@@ -98,7 +98,7 @@ describe('cognitoHasWafEnabled', function () {
 expect(results.length).to.equal(1);
 expect(results[0].status).to.equal(2);
 expect(results[0].region).to.equal('us-east-1');
- expect(results[0].message).to.include('Cognito User pool does not have WAFV2 enabled');
+ expect(results[0].message).to.include('User pool does not have WAFV2 enabled');
 done();
 };
From 61933e2f176cbf727bf1082cb7bcdd0c0fcbbc88 Mon Sep 17 00:00:00 2001
From: AkhtarAmir <31914988+AkhtarAmir@users.noreply.github.com>
Date: Tue, 1 Nov 2022 17:32:06 +0500
Subject: [PATCH 20/20] Apply suggestions from code review

---
 plugins/aws/cognito/cognitoHasWafEnabled.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/plugins/aws/cognito/cognitoHasWafEnabled.js b/plugins/aws/cognito/cognitoHasWafEnabled.js
index eba7741dd7..f045eab37b 100644
--- a/plugins/aws/cognito/cognitoHasWafEnabled.js
+++ b/plugins/aws/cognito/cognitoHasWafEnabled.js
@@ -2,7 +2,7 @@ var async = require('async');
 var helpers = require('../../../helpers/aws');
 module.exports = {
- title: 'Cognito User Pool Has WAF Enabled',
+ title: 'Cognito User Pool WAF Enabled',
 category: 'Cognito',
 domain: 'Identity and Access Management',
 description: 'Ensure that Cognito User Pool has WAF enabled.',