From 45cfe4e41196d152ba833c1136ef94ba60c52e1a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pedro=20Mart=C3=ADn?= Date: Mon, 22 Jun 2026 15:30:15 +0200 Subject: [PATCH] feat(aws): add transfer_server_pqc_ssh_kex_enabled check (#11315) Co-authored-by: Hugo P.Brito --- contrib/k8s/helm/prowler-api/values.yaml | 7 + .../cli/tutorials/configuration_file.mdx | 1 + prowler/CHANGELOG.md | 1 + ...itected_framework_security_pillar_aws.json | 1 + prowler/compliance/aws/ccc_aws.json | 1 + prowler/compliance/aws/ens_rd2022_aws.json | 6 +- .../aws/fedramp_moderate_revision_4_aws.json | 2 + prowler/compliance/aws/ffiec_aws.json | 1 + .../aws/gxp_21_cfr_part_11_aws.json | 1 + prowler/compliance/aws/iso27001_2013_aws.json | 3 +- .../compliance/aws/kisa_isms_p_2023_aws.json | 2 + .../aws/kisa_isms_p_2023_korean_aws.json | 2 + .../aws/nist_800_171_revision_2_aws.json | 1 + .../aws/nist_800_53_revision_5_aws.json | 2 + .../aws/rbi_cyber_security_framework_aws.json | 1 + .../compliance/aws/secnumcloud_3.2_aws.json | 1 + prowler/compliance/csa_ccm_4.0.json | 2 + prowler/config/config.yaml | 8 + .../__init__.py | 0 ...r_server_pqc_ssh_kex_enabled.metadata.json | 43 ++++ .../transfer_server_pqc_ssh_kex_enabled.py | 50 ++++ .../aws/services/transfer/transfer_service.py | 4 + ...ransfer_server_pqc_ssh_kex_enabled_test.py | 215 ++++++++++++++++++ .../transfer/transfer_service_test.py | 5 + 24 files changed, 357 insertions(+), 3 deletions(-) create mode 100644 prowler/providers/aws/services/transfer/transfer_server_pqc_ssh_kex_enabled/__init__.py create mode 100644 prowler/providers/aws/services/transfer/transfer_server_pqc_ssh_kex_enabled/transfer_server_pqc_ssh_kex_enabled.metadata.json create mode 100644 prowler/providers/aws/services/transfer/transfer_server_pqc_ssh_kex_enabled/transfer_server_pqc_ssh_kex_enabled.py create mode 100644 tests/providers/aws/services/transfer/transfer_server_pqc_ssh_kex_enabled/transfer_server_pqc_ssh_kex_enabled_test.py diff --git a/contrib/k8s/helm/prowler-api/values.yaml b/contrib/k8s/helm/prowler-api/values.yaml index 0395c6f704..72c4b26088 100644 --- a/contrib/k8s/helm/prowler-api/values.yaml +++ b/contrib/k8s/helm/prowler-api/values.yaml @@ -438,6 +438,13 @@ mainConfig: # Minimum number of Availability Zones that an ELBv2 must be in elbv2_min_azs: 2 + # AWS Post-Quantum SSH Key Exchange Configuration + # aws.transfer_server_pqc_ssh_kex_enabled + transfer_pqc_ssh_allowed_policies: + - "TransferSecurityPolicy-2025-03" + - "TransferSecurityPolicy-FIPS-2025-03" + - "TransferSecurityPolicy-AS2Restricted-2025-07" + # AWS Secrets Configuration # Patterns to ignore in the secrets checks diff --git a/docs/user-guide/cli/tutorials/configuration_file.mdx b/docs/user-guide/cli/tutorials/configuration_file.mdx index caf8853a1b..4b918c869f 100644 --- a/docs/user-guide/cli/tutorials/configuration_file.mdx +++ b/docs/user-guide/cli/tutorials/configuration_file.mdx @@ -67,6 +67,7 @@ The following list includes all the AWS checks with configurable variables that | `secretsmanager_secret_rotated_periodically` | `max_days_secret_unrotated` | Integer | | `ssm_document_secrets` | `secrets_ignore_patterns` | List of Strings | | `trustedadvisor_premium_support_plan_subscribed` | `verify_premium_support_plans` | Boolean | +| `transfer_server_pqc_ssh_kex_enabled` | `transfer_pqc_ssh_allowed_policies` | List of Strings | | `dynamodb_table_cross_account_access` | `trusted_account_ids` | List of Strings | | `eventbridge_bus_cross_account_access` | `trusted_account_ids` | List of Strings | | `eventbridge_schema_registry_cross_account_access` | `trusted_account_ids` | List of Strings | diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md index 124bdab8b1..b479000569 100644 --- a/prowler/CHANGELOG.md +++ b/prowler/CHANGELOG.md @@ -42,6 +42,7 @@ All notable changes to the **Prowler SDK** are documented in this file. - DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554) compliance coverage for the GCP provider, mapping existing GCP checks across the five DORA pillars [(#11642)](https://github.com/prowler-cloud/prowler/pull/11642) - DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554) compliance coverage for the Cloudflare provider, mapping existing Cloudflare edge/network checks across the applicable DORA pillars [(#11645)](https://github.com/prowler-cloud/prowler/pull/11645) - DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554) compliance coverage for the AlibabaCloud provider, mapping existing AlibabaCloud checks across the applicable DORA pillars [(#11646)](https://github.com/prowler-cloud/prowler/pull/11646) +- `transfer_server_pqc_ssh_kex_enabled` check for AWS provider to verify Transfer Family servers use a post-quantum hybrid SSH key exchange security policy [(#11315)](https://github.com/prowler-cloud/prowler/pull/11315) ### 🔄 Changed diff --git a/prowler/compliance/aws/aws_well_architected_framework_security_pillar_aws.json b/prowler/compliance/aws/aws_well_architected_framework_security_pillar_aws.json index 94c50eb68a..e99760d8be 100644 --- a/prowler/compliance/aws/aws_well_architected_framework_security_pillar_aws.json +++ b/prowler/compliance/aws/aws_well_architected_framework_security_pillar_aws.json @@ -1151,6 +1151,7 @@ "elb_insecure_ssl_ciphers", "elb_ssl_listeners", "elbv2_insecure_ssl_ciphers", + "transfer_server_pqc_ssh_kex_enabled", "elbv2_ssl_listeners", "s3_bucket_secure_transport_policy" ] diff --git a/prowler/compliance/aws/ccc_aws.json b/prowler/compliance/aws/ccc_aws.json index d1a20ee3d0..298b803c1c 100644 --- a/prowler/compliance/aws/ccc_aws.json +++ b/prowler/compliance/aws/ccc_aws.json @@ -49,6 +49,7 @@ "elb_insecure_ssl_ciphers", "elb_ssl_listeners", "elbv2_insecure_ssl_ciphers", + "transfer_server_pqc_ssh_kex_enabled", "elbv2_ssl_listeners", "elbv2_nlb_tls_termination_enabled", "s3_bucket_secure_transport_policy", diff --git a/prowler/compliance/aws/ens_rd2022_aws.json b/prowler/compliance/aws/ens_rd2022_aws.json index f6c574daef..850ffb6850 100644 --- a/prowler/compliance/aws/ens_rd2022_aws.json +++ b/prowler/compliance/aws/ens_rd2022_aws.json @@ -2366,7 +2366,8 @@ } ], "Checks": [ - "elbv2_insecure_ssl_ciphers" + "elbv2_insecure_ssl_ciphers", + "transfer_server_pqc_ssh_kex_enabled" ] }, { @@ -2389,7 +2390,8 @@ } ], "Checks": [ - "elbv2_insecure_ssl_ciphers" + "elbv2_insecure_ssl_ciphers", + "transfer_server_pqc_ssh_kex_enabled" ] }, { diff --git a/prowler/compliance/aws/fedramp_moderate_revision_4_aws.json b/prowler/compliance/aws/fedramp_moderate_revision_4_aws.json index c914a58b2c..1090931bf5 100644 --- a/prowler/compliance/aws/fedramp_moderate_revision_4_aws.json +++ b/prowler/compliance/aws/fedramp_moderate_revision_4_aws.json @@ -1145,6 +1145,7 @@ "Checks": [ "apigateway_restapi_client_certificate_enabled", "elbv2_insecure_ssl_ciphers", + "transfer_server_pqc_ssh_kex_enabled", "elb_ssl_listeners", "opensearch_service_domains_node_to_node_encryption_enabled", "s3_bucket_secure_transport_policy" @@ -1164,6 +1165,7 @@ "Checks": [ "apigateway_restapi_client_certificate_enabled", "elbv2_insecure_ssl_ciphers", + "transfer_server_pqc_ssh_kex_enabled", "elb_ssl_listeners", "opensearch_service_domains_node_to_node_encryption_enabled", "s3_bucket_secure_transport_policy" diff --git a/prowler/compliance/aws/ffiec_aws.json b/prowler/compliance/aws/ffiec_aws.json index 23ab8953b6..ad5ff3068f 100644 --- a/prowler/compliance/aws/ffiec_aws.json +++ b/prowler/compliance/aws/ffiec_aws.json @@ -487,6 +487,7 @@ "Checks": [ "apigateway_restapi_client_certificate_enabled", "elbv2_insecure_ssl_ciphers", + "transfer_server_pqc_ssh_kex_enabled", "elb_ssl_listeners", "s3_bucket_secure_transport_policy" ] diff --git a/prowler/compliance/aws/gxp_21_cfr_part_11_aws.json b/prowler/compliance/aws/gxp_21_cfr_part_11_aws.json index 39534c4fdc..29b21c3a69 100644 --- a/prowler/compliance/aws/gxp_21_cfr_part_11_aws.json +++ b/prowler/compliance/aws/gxp_21_cfr_part_11_aws.json @@ -266,6 +266,7 @@ "ec2_ebs_default_encryption", "efs_encryption_at_rest_enabled", "elbv2_insecure_ssl_ciphers", + "transfer_server_pqc_ssh_kex_enabled", "elb_ssl_listeners", "opensearch_service_domains_encryption_at_rest_enabled", "opensearch_service_domains_node_to_node_encryption_enabled", diff --git a/prowler/compliance/aws/iso27001_2013_aws.json b/prowler/compliance/aws/iso27001_2013_aws.json index ad31ea0af4..4709458f8b 100644 --- a/prowler/compliance/aws/iso27001_2013_aws.json +++ b/prowler/compliance/aws/iso27001_2013_aws.json @@ -35,7 +35,8 @@ ], "Checks": [ "elb_insecure_ssl_ciphers", - "elbv2_insecure_ssl_ciphers" + "elbv2_insecure_ssl_ciphers", + "transfer_server_pqc_ssh_kex_enabled" ] }, { diff --git a/prowler/compliance/aws/kisa_isms_p_2023_aws.json b/prowler/compliance/aws/kisa_isms_p_2023_aws.json index d172e615dd..526c656c5a 100644 --- a/prowler/compliance/aws/kisa_isms_p_2023_aws.json +++ b/prowler/compliance/aws/kisa_isms_p_2023_aws.json @@ -2040,6 +2040,7 @@ "elb_ssl_listeners", "elb_ssl_listeners_use_acm_certificate", "elbv2_insecure_ssl_ciphers", + "transfer_server_pqc_ssh_kex_enabled", "elbv2_nlb_tls_termination_enabled", "elbv2_ssl_listeners", "glue_data_catalogs_connection_passwords_encryption_enabled", @@ -3090,6 +3091,7 @@ "elb_ssl_listeners_use_acm_certificate", "elbv2_desync_mitigation_mode", "elbv2_insecure_ssl_ciphers", + "transfer_server_pqc_ssh_kex_enabled", "elbv2_internet_facing", "elbv2_listeners_underneath", "elbv2_logging_enabled", diff --git a/prowler/compliance/aws/kisa_isms_p_2023_korean_aws.json b/prowler/compliance/aws/kisa_isms_p_2023_korean_aws.json index 1748d96442..1cc50d15af 100644 --- a/prowler/compliance/aws/kisa_isms_p_2023_korean_aws.json +++ b/prowler/compliance/aws/kisa_isms_p_2023_korean_aws.json @@ -2042,6 +2042,7 @@ "elb_ssl_listeners", "elb_ssl_listeners_use_acm_certificate", "elbv2_insecure_ssl_ciphers", + "transfer_server_pqc_ssh_kex_enabled", "elbv2_nlb_tls_termination_enabled", "elbv2_ssl_listeners", "glue_data_catalogs_connection_passwords_encryption_enabled", @@ -3093,6 +3094,7 @@ "elb_ssl_listeners_use_acm_certificate", "elbv2_desync_mitigation_mode", "elbv2_insecure_ssl_ciphers", + "transfer_server_pqc_ssh_kex_enabled", "elbv2_internet_facing", "elbv2_listeners_underneath", "elbv2_logging_enabled", diff --git a/prowler/compliance/aws/nist_800_171_revision_2_aws.json b/prowler/compliance/aws/nist_800_171_revision_2_aws.json index 8e28ee383d..35b67d75b0 100644 --- a/prowler/compliance/aws/nist_800_171_revision_2_aws.json +++ b/prowler/compliance/aws/nist_800_171_revision_2_aws.json @@ -653,6 +653,7 @@ "apigateway_restapi_client_certificate_enabled", "ec2_ebs_volume_encryption", "elbv2_insecure_ssl_ciphers", + "transfer_server_pqc_ssh_kex_enabled", "opensearch_service_domains_node_to_node_encryption_enabled", "s3_bucket_default_encryption", "s3_bucket_secure_transport_policy" diff --git a/prowler/compliance/aws/nist_800_53_revision_5_aws.json b/prowler/compliance/aws/nist_800_53_revision_5_aws.json index 858df01fd9..ac25515f93 100644 --- a/prowler/compliance/aws/nist_800_53_revision_5_aws.json +++ b/prowler/compliance/aws/nist_800_53_revision_5_aws.json @@ -5262,6 +5262,7 @@ "Checks": [ "apigateway_restapi_client_certificate_enabled", "elbv2_insecure_ssl_ciphers", + "transfer_server_pqc_ssh_kex_enabled", "elb_ssl_listeners", "opensearch_service_domains_node_to_node_encryption_enabled", "s3_bucket_secure_transport_policy" @@ -5549,6 +5550,7 @@ ], "Checks": [ "elbv2_insecure_ssl_ciphers", + "transfer_server_pqc_ssh_kex_enabled", "elb_ssl_listeners" ] }, diff --git a/prowler/compliance/aws/rbi_cyber_security_framework_aws.json b/prowler/compliance/aws/rbi_cyber_security_framework_aws.json index b4566a8929..22c3774959 100644 --- a/prowler/compliance/aws/rbi_cyber_security_framework_aws.json +++ b/prowler/compliance/aws/rbi_cyber_security_framework_aws.json @@ -40,6 +40,7 @@ "ec2_instance_public_ip", "efs_encryption_at_rest_enabled", "elbv2_insecure_ssl_ciphers", + "transfer_server_pqc_ssh_kex_enabled", "elb_ssl_listeners", "ec2_ebs_default_encryption", "emr_cluster_master_nodes_no_public_ip", diff --git a/prowler/compliance/aws/secnumcloud_3.2_aws.json b/prowler/compliance/aws/secnumcloud_3.2_aws.json index 1e157b47c7..794de281de 100644 --- a/prowler/compliance/aws/secnumcloud_3.2_aws.json +++ b/prowler/compliance/aws/secnumcloud_3.2_aws.json @@ -474,6 +474,7 @@ "elbv2_ssl_listeners", "elb_insecure_ssl_ciphers", "elbv2_insecure_ssl_ciphers", + "transfer_server_pqc_ssh_kex_enabled", "redshift_cluster_in_transit_encryption_enabled", "elasticache_redis_cluster_in_transit_encryption_enabled", "dynamodb_accelerator_cluster_in_transit_encryption_enabled", diff --git a/prowler/compliance/csa_ccm_4.0.json b/prowler/compliance/csa_ccm_4.0.json index 57f1a67758..b6bb382cda 100644 --- a/prowler/compliance/csa_ccm_4.0.json +++ b/prowler/compliance/csa_ccm_4.0.json @@ -1602,6 +1602,7 @@ "cloudfront_distributions_origin_traffic_encrypted", "cloudfront_distributions_custom_ssl_certificate", "transfer_server_in_transit_encryption_enabled", + "transfer_server_pqc_ssh_kex_enabled", "sagemaker_notebook_instance_encryption_enabled", "sagemaker_training_jobs_volume_and_output_encryption_enabled", "workspaces_volume_encryption_enabled", @@ -1785,6 +1786,7 @@ "acm_certificates_with_secure_key_algorithms", "elb_insecure_ssl_ciphers", "elbv2_insecure_ssl_ciphers", + "transfer_server_pqc_ssh_kex_enabled", "cloudfront_distributions_using_deprecated_ssl_protocols" ], "azure": [ diff --git a/prowler/config/config.yaml b/prowler/config/config.yaml index 28f07c2051..f9dda5dc92 100644 --- a/prowler/config/config.yaml +++ b/prowler/config/config.yaml @@ -380,6 +380,14 @@ aws: # Minimum number of Availability Zones that an ELBv2 must be in elbv2_min_azs: 2 + # AWS Post-Quantum SSH Key Exchange Configuration + # aws.transfer_server_pqc_ssh_kex_enabled + # Allowed AWS Transfer Family security policies with post-quantum SSH key exchange + transfer_pqc_ssh_allowed_policies: + - "TransferSecurityPolicy-2025-03" + - "TransferSecurityPolicy-FIPS-2025-03" + - "TransferSecurityPolicy-AS2Restricted-2025-07" + # AWS Elasticache Configuration # aws.elasticache_redis_cluster_backup_enabled # Minimum number of days that a Redis cluster must have backups retention period diff --git a/prowler/providers/aws/services/transfer/transfer_server_pqc_ssh_kex_enabled/__init__.py b/prowler/providers/aws/services/transfer/transfer_server_pqc_ssh_kex_enabled/__init__.py new file mode 100644 index 0000000000..e69de29bb2 diff --git a/prowler/providers/aws/services/transfer/transfer_server_pqc_ssh_kex_enabled/transfer_server_pqc_ssh_kex_enabled.metadata.json b/prowler/providers/aws/services/transfer/transfer_server_pqc_ssh_kex_enabled/transfer_server_pqc_ssh_kex_enabled.metadata.json new file mode 100644 index 0000000000..773c85b7ab --- /dev/null +++ b/prowler/providers/aws/services/transfer/transfer_server_pqc_ssh_kex_enabled/transfer_server_pqc_ssh_kex_enabled.metadata.json @@ -0,0 +1,43 @@ +{ + "Provider": "aws", + "CheckID": "transfer_server_pqc_ssh_kex_enabled", + "CheckTitle": "AWS Transfer Family server uses a post-quantum hybrid SSH key exchange security policy", + "CheckType": [ + "Software and Configuration Checks/AWS Security Best Practices" + ], + "ServiceName": "transfer", + "SubServiceName": "", + "ResourceIdTemplate": "", + "Severity": "low", + "ResourceType": "AwsTransferServer", + "ResourceGroup": "network", + "Description": "**AWS Transfer Family servers** (SFTP, FTPS, AS2) are assessed for use of an approved **post-quantum (PQ) hybrid SSH key exchange security policy**. Servers whose `SecurityPolicyName` is not in the configured allowlist of PQ-ready Transfer Family security policies leave file-transfer sessions exposed to **harvest-now, decrypt-later** attacks.", + "Risk": "Without a PQ-ready security policy, SSH/SFTP traffic captured today can be stored and decrypted in the future once a **cryptographically relevant quantum computer** is available. This threatens long-term **confidentiality** of transferred files, credentials, and metadata.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://docs.aws.amazon.com/transfer/latest/userguide/post-quantum-security-policies.html", + "https://docs.aws.amazon.com/transfer/latest/userguide/security-policies.html", + "https://aws.amazon.com/security/post-quantum-cryptography/", + "https://csrc.nist.gov/projects/post-quantum-cryptography" + ], + "Remediation": { + "Code": { + "CLI": "aws transfer update-server --server-id --security-policy-name TransferSecurityPolicy-2025-03", + "NativeIaC": "```yaml\nResources:\n :\n Type: AWS::Transfer::Server\n Properties:\n Protocols:\n - SFTP\n SecurityPolicyName: TransferSecurityPolicy-2025-03 # FIX: post-quantum hybrid SSH KEX policy\n```", + "Other": "1. In the AWS Console, go to AWS Transfer Family > Servers\n2. Select the server and choose Edit on the Additional details panel\n3. Set Cryptographic algorithm options (Security policy) to TransferSecurityPolicy-2025-03 (or another approved PQ policy)\n4. Save the changes", + "Terraform": "```hcl\nresource \"aws_transfer_server\" \"\" {\n protocols = [\"SFTP\"]\n security_policy_name = \"TransferSecurityPolicy-2025-03\" # FIX: post-quantum hybrid SSH KEX policy\n endpoint_type = \"PUBLIC\"\n}\n```" + }, + "Recommendation": { + "Text": "Migrate AWS Transfer Family servers to a **post-quantum security policy** (e.g., `TransferSecurityPolicy-2025-03`, `TransferSecurityPolicy-FIPS-2025-03`, `TransferSecurityPolicy-AS2Restricted-2025-07`) that adds ML-KEM hybrid SSH key exchange. Avoid deprecated `*-PQ-SSH-Experimental-2023-04` policies. Review allowed policies regularly as AWS publishes new PQ-ready options.", + "Url": "https://hub.prowler.com/check/transfer_server_pqc_ssh_kex_enabled" + } + }, + "Categories": [ + "encryption" + ], + "DependsOn": [], + "RelatedTo": [ + "transfer_server_in_transit_encryption_enabled" + ], + "Notes": "" +} diff --git a/prowler/providers/aws/services/transfer/transfer_server_pqc_ssh_kex_enabled/transfer_server_pqc_ssh_kex_enabled.py b/prowler/providers/aws/services/transfer/transfer_server_pqc_ssh_kex_enabled/transfer_server_pqc_ssh_kex_enabled.py new file mode 100644 index 0000000000..a7d70df2df --- /dev/null +++ b/prowler/providers/aws/services/transfer/transfer_server_pqc_ssh_kex_enabled/transfer_server_pqc_ssh_kex_enabled.py @@ -0,0 +1,50 @@ +from prowler.lib.check.models import Check, Check_Report_AWS +from prowler.providers.aws.services.transfer.transfer_client import transfer_client + +PQC_TRANSFER_POLICIES_DEFAULT = [ + "TransferSecurityPolicy-2025-03", + "TransferSecurityPolicy-FIPS-2025-03", + "TransferSecurityPolicy-AS2Restricted-2025-07", +] + + +class transfer_server_pqc_ssh_kex_enabled(Check): + """Verify that every AWS Transfer Family server uses a post-quantum security policy. + + A Transfer Family server PASSES when its ``SecurityPolicyName`` is in the + configured allowlist of policies that enable hybrid ML-KEM SSH key exchange. + """ + + def execute(self) -> list[Check_Report_AWS]: + """Check whether Transfer Family servers use approved PQ SSH KEX policies. + + Iterates through discovered AWS Transfer Family servers and compares each + server's ``SecurityPolicyName`` with the configured allowlist of + post-quantum hybrid SSH key exchange security policies. + + Returns: + list[Check_Report_AWS]: A list of reports for each Transfer Family + server, including the evaluated security policy context. + """ + findings = [] + pqc_policies = transfer_client.audit_config.get( + "transfer_pqc_ssh_allowed_policies", PQC_TRANSFER_POLICIES_DEFAULT + ) + for server in transfer_client.servers.values(): + report = Check_Report_AWS(metadata=self.metadata(), resource=server) + policy = server.security_policy_name or "" + if server.security_policy_name in pqc_policies: + report.status = "PASS" + report.status_extended = ( + f"Transfer Server {server.id} uses post-quantum security policy " + f"{policy}." + ) + else: + report.status = "FAIL" + report.status_extended = ( + f"Transfer Server {server.id} uses security policy {policy}, " + "which does not enable post-quantum hybrid SSH key exchange." + ) + findings.append(report) + + return findings diff --git a/prowler/providers/aws/services/transfer/transfer_service.py b/prowler/providers/aws/services/transfer/transfer_service.py index f86e195a31..968b0c9e60 100644 --- a/prowler/providers/aws/services/transfer/transfer_service.py +++ b/prowler/providers/aws/services/transfer/transfer_service.py @@ -46,6 +46,9 @@ class Transfer(AWSService): ) for protocol in server_description.get("Protocols", []): server.protocols.append(Protocol(protocol)) + server.security_policy_name = server_description.get( + "SecurityPolicyName", "" + ) server.tags = server_description.get("Tags", []) except Exception as error: logger.error( @@ -65,4 +68,5 @@ class Server(BaseModel): id: str region: str protocols: List[Protocol] = Field(default_factory=list) + security_policy_name: str = "" tags: List[Dict[str, str]] = Field(default_factory=list) diff --git a/tests/providers/aws/services/transfer/transfer_server_pqc_ssh_kex_enabled/transfer_server_pqc_ssh_kex_enabled_test.py b/tests/providers/aws/services/transfer/transfer_server_pqc_ssh_kex_enabled/transfer_server_pqc_ssh_kex_enabled_test.py new file mode 100644 index 0000000000..d1a098f0ad --- /dev/null +++ b/tests/providers/aws/services/transfer/transfer_server_pqc_ssh_kex_enabled/transfer_server_pqc_ssh_kex_enabled_test.py @@ -0,0 +1,215 @@ +from unittest import mock +from unittest.mock import patch + +import botocore +from moto import mock_aws + +from tests.providers.aws.utils import ( + AWS_ACCOUNT_NUMBER, + AWS_REGION_US_EAST_1, + set_mocked_aws_provider, +) + +SERVER_ID = "s-01234567890abcdef" +SERVER_ARN = ( + f"arn:aws:transfer:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:server/{SERVER_ID}" +) + +make_api_call = botocore.client.BaseClient._make_api_call + + +def _make_describe_server_mock(security_policy_name: str): + def _mock(self, operation_name, kwarg): + if operation_name == "ListServers": + return { + "Servers": [ + { + "Arn": SERVER_ARN, + "ServerId": SERVER_ID, + } + ] + } + if operation_name == "DescribeServer": + return { + "Server": { + "Arn": SERVER_ARN, + "ServerId": SERVER_ID, + "Protocols": ["SFTP"], + "SecurityPolicyName": security_policy_name, + } + } + return make_api_call(self, operation_name, kwarg) + + return _mock + + +mock_pqc = _make_describe_server_mock("TransferSecurityPolicy-2025-03") +mock_fips_pqc = _make_describe_server_mock("TransferSecurityPolicy-FIPS-2025-03") +mock_classical = _make_describe_server_mock("TransferSecurityPolicy-2024-01") +mock_no_policy = _make_describe_server_mock("") + + +class Test_transfer_server_pqc_ssh_kex_enabled: + @mock_aws + def test_no_servers(self): + from prowler.providers.aws.services.transfer.transfer_service import Transfer + + aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1]) + + with mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=aws_provider, + ): + with mock.patch( + "prowler.providers.aws.services.transfer.transfer_server_pqc_ssh_kex_enabled.transfer_server_pqc_ssh_kex_enabled.transfer_client", + new=Transfer(aws_provider), + ): + from prowler.providers.aws.services.transfer.transfer_server_pqc_ssh_kex_enabled.transfer_server_pqc_ssh_kex_enabled import ( + transfer_server_pqc_ssh_kex_enabled, + ) + + check = transfer_server_pqc_ssh_kex_enabled() + result = check.execute() + + assert len(result) == 0 + + @patch("botocore.client.BaseClient._make_api_call", new=mock_pqc) + @mock_aws + def test_pq_policy(self): + from prowler.providers.aws.services.transfer.transfer_service import Transfer + + aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1]) + + with mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=aws_provider, + ): + with mock.patch( + "prowler.providers.aws.services.transfer.transfer_server_pqc_ssh_kex_enabled.transfer_server_pqc_ssh_kex_enabled.transfer_client", + new=Transfer(aws_provider), + ): + from prowler.providers.aws.services.transfer.transfer_server_pqc_ssh_kex_enabled.transfer_server_pqc_ssh_kex_enabled import ( + transfer_server_pqc_ssh_kex_enabled, + ) + + check = transfer_server_pqc_ssh_kex_enabled() + result = check.execute() + + assert len(result) == 1 + assert result[0].status == "PASS" + assert "TransferSecurityPolicy-2025-03" in result[0].status_extended + assert result[0].resource_id == SERVER_ID + assert result[0].resource_arn == SERVER_ARN + assert result[0].region == AWS_REGION_US_EAST_1 + + @patch("botocore.client.BaseClient._make_api_call", new=mock_fips_pqc) + @mock_aws + def test_fips_pq_policy(self): + from prowler.providers.aws.services.transfer.transfer_service import Transfer + + aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1]) + + with mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=aws_provider, + ): + with mock.patch( + "prowler.providers.aws.services.transfer.transfer_server_pqc_ssh_kex_enabled.transfer_server_pqc_ssh_kex_enabled.transfer_client", + new=Transfer(aws_provider), + ): + from prowler.providers.aws.services.transfer.transfer_server_pqc_ssh_kex_enabled.transfer_server_pqc_ssh_kex_enabled import ( + transfer_server_pqc_ssh_kex_enabled, + ) + + check = transfer_server_pqc_ssh_kex_enabled() + result = check.execute() + + assert len(result) == 1 + assert result[0].status == "PASS" + assert "FIPS-2025-03" in result[0].status_extended + + @patch("botocore.client.BaseClient._make_api_call", new=mock_classical) + @mock_aws + def test_classical_policy(self): + from prowler.providers.aws.services.transfer.transfer_service import Transfer + + aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1]) + + with mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=aws_provider, + ): + with mock.patch( + "prowler.providers.aws.services.transfer.transfer_server_pqc_ssh_kex_enabled.transfer_server_pqc_ssh_kex_enabled.transfer_client", + new=Transfer(aws_provider), + ): + from prowler.providers.aws.services.transfer.transfer_server_pqc_ssh_kex_enabled.transfer_server_pqc_ssh_kex_enabled import ( + transfer_server_pqc_ssh_kex_enabled, + ) + + check = transfer_server_pqc_ssh_kex_enabled() + result = check.execute() + + assert len(result) == 1 + assert result[0].status == "FAIL" + assert "TransferSecurityPolicy-2024-01" in result[0].status_extended + assert "does not enable post-quantum" in result[0].status_extended + + @patch("botocore.client.BaseClient._make_api_call", new=mock_no_policy) + @mock_aws + def test_missing_policy(self): + from prowler.providers.aws.services.transfer.transfer_service import Transfer + + aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1]) + + with mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=aws_provider, + ): + with mock.patch( + "prowler.providers.aws.services.transfer.transfer_server_pqc_ssh_kex_enabled.transfer_server_pqc_ssh_kex_enabled.transfer_client", + new=Transfer(aws_provider), + ): + from prowler.providers.aws.services.transfer.transfer_server_pqc_ssh_kex_enabled.transfer_server_pqc_ssh_kex_enabled import ( + transfer_server_pqc_ssh_kex_enabled, + ) + + check = transfer_server_pqc_ssh_kex_enabled() + result = check.execute() + + assert len(result) == 1 + assert result[0].status == "FAIL" + assert "" in result[0].status_extended + + @patch("botocore.client.BaseClient._make_api_call", new=mock_classical) + @mock_aws + def test_configurable_allowlist(self): + from prowler.providers.aws.services.transfer.transfer_service import Transfer + + aws_provider = set_mocked_aws_provider( + [AWS_REGION_US_EAST_1], + audit_config={ + "transfer_pqc_ssh_allowed_policies": [ + "TransferSecurityPolicy-2025-03", + "TransferSecurityPolicy-2024-01", + ] + }, + ) + + with mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=aws_provider, + ): + with mock.patch( + "prowler.providers.aws.services.transfer.transfer_server_pqc_ssh_kex_enabled.transfer_server_pqc_ssh_kex_enabled.transfer_client", + new=Transfer(aws_provider), + ): + from prowler.providers.aws.services.transfer.transfer_server_pqc_ssh_kex_enabled.transfer_server_pqc_ssh_kex_enabled import ( + transfer_server_pqc_ssh_kex_enabled, + ) + + check = transfer_server_pqc_ssh_kex_enabled() + result = check.execute() + + assert len(result) == 1 + assert result[0].status == "PASS" diff --git a/tests/providers/aws/services/transfer/transfer_service_test.py b/tests/providers/aws/services/transfer/transfer_service_test.py index 61a963ab09..7a08e66c92 100644 --- a/tests/providers/aws/services/transfer/transfer_service_test.py +++ b/tests/providers/aws/services/transfer/transfer_service_test.py @@ -35,6 +35,7 @@ def mock_make_api_call(self, operation_name, kwarg): "Arn": SERVER_ARN, "ServerId": SERVER_ID, "Protocols": ["SFTP"], + "SecurityPolicyName": "TransferSecurityPolicy-2025-03", "Tags": [{"Key": "key", "Value": "value"}], } } @@ -83,3 +84,7 @@ class Test_transfer_service: assert transfer.servers[SERVER_ARN].region == "us-east-1" assert transfer.servers[SERVER_ARN].tags == [{"Key": "key", "Value": "value"}] assert transfer.servers[SERVER_ARN].protocols[0] == Protocol.SFTP + assert ( + transfer.servers[SERVER_ARN].security_policy_name + == "TransferSecurityPolicy-2025-03" + )