ben.carrasco/prowler
1
0
Fork 0
mirror of https://github.com/prowler-cloud/prowler.git synced 2026-01-25 02:08:11 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: tests

Browse Source
This commit is contained in:
Pepe Fagoaga
2024-04-17 09:07:18 +02:00
parent 006fbf7328
commit 63d052915a
9 changed files with 349 additions and 886 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
prowler/providers/aws/services/awslambda/awslambda_function_not_directly_publicly_accessible_via_elbv2/awslambda_function_not_directly_publicly_accessible_via_elbv2.py
View File

@@ -6,24 +6,25 @@ from prowler.providers.aws.services.elbv2.elbv2_client import elbv2_client
class awslambda_function_not_directly_publicly_accessible_via_elbv2(Check):
def execute(self):
findings = []
public_lambda_functions = {}
for target_group in elbv2_client.target_groups:
print(target_group)
if target_group.target_type == "lambda":
public_lambda_functions[target_group.target] = target_group.lbdns
if awslambda_client.functions:
public_lambda_functions = {}
for target_group in elbv2_client.target_groups:
if target_group.target_type == "lambda":
print(target_group)
public_lambda_functions[target_group.target] = target_group.arn
for function in awslambda_client.functions.values():
report = Check_Report_AWS(self.metadata())
report.region = function.region
report.resource_id = function.name
report.resource_arn = function.arn
report.resource_tags = function.tags
report.status = "PASS"
report.status_extended = f"Lambda function {function.name} is not behind a internet facing load balancer."
for function in awslambda_client.functions.values():
report = Check_Report_AWS(self.metadata())
report.region = function.region
report.resource_id = function.name
report.resource_arn = function.arn
report.resource_tags = function.tags
report.status = "PASS"
report.status_extended = f"Lambda function {function.name} is not behind an Internet facing Load Balancer."
if function.arn in public_lambda_functions:
report.status = "FAIL"
report.status_extended = f"Lambda function {function.name} is behind a internet facing load balancer {function.arn}."
findings.append(report)
if function.arn in public_lambda_functions:
report.status = "FAIL"
report.status_extended = f"Lambda function {function.name} is behind an Internet facing Load Balancer through target group {public_lambda_functions[function.arn]}."
findings.append(report)
return findings

39
prowler/providers/aws/services/ec2/ec2_instance_not_directly_publicly_accessible_via_elb/ec2_instance_not_directly_publicly_accessible_via_elb.py
View File

@@ -6,26 +6,25 @@ from prowler.providers.aws.services.elb.elb_client import elb_client
class ec2_instance_not_directly_publicly_accessible_via_elb(Check):
def execute(self):
findings = []
public_instances = {}
if ec2_client.instances:
public_instances = {}
for lb in elb_client.loadbalancers:
if lb.scheme == "internet-facing" and len(lb.security_groups) > 0:
for instance in lb.instances:
public_instances[instance] = lb
for lb in elb_client.loadbalancers:
if lb.scheme == "internet-facing" and len(lb.security_groups) > 0:
for instance in lb.instances:
public_instances[instance] = lb
for instance in ec2_client.instances:
if instance.state != "terminated":
report = Check_Report_AWS(self.metadata())
report.region = instance.region
report.resource_id = instance.id
report.resource_arn = instance.arn
report.resource_tags = instance.tags
report.status = "PASS"
report.status_extended = f"EC2 Instance {instance.id} is not behind an Internet facing Classic Load Balancer."
for instance in ec2_client.instances:
if instance.state != "terminated":
report = Check_Report_AWS(self.metadata())
report.region = instance.region
report.resource_id = instance.id
report.resource_arn = instance.arn
report.resource_tags = instance.tags
report.status = "PASS"
report.status_extended = f"EC2 Instance {instance.id} is not behind a internet facing classic load balancer."
# if the instanceId of the public lb is the same as the instances that are active, fail
if instance.id in public_instances:
report.status = "FAIL"
report.status_extended = f"EC2 Instance {instance.id} is behind a internet facing classic load balancer {public_instances[instance.id].dns}."
findings.append(report)
if instance.id in public_instances:
report.status = "FAIL"
report.status_extended = f"EC2 Instance {instance.id} is behind an Internet facing Classic Load Balancer {public_instances[instance.id].dns}."
findings.append(report)
return findings

36
prowler/providers/aws/services/ec2/ec2_instance_not_directly_publicly_accessible_via_elbv2/ec2_instance_not_directly_publicly_accessible_via_elbv2.py
View File

@@ -6,25 +6,25 @@ from prowler.providers.aws.services.elbv2.elbv2_client import elbv2_client
class ec2_instance_not_directly_publicly_accessible_via_elbv2(Check):
def execute(self):
findings = []
public_instances = {}
if ec2_client.instances:
public_instances = {}
for tg in elbv2_client.target_groups:
if tg.target_type == "instance":
public_instances[tg.target] = tg.lbdns
for tg in elbv2_client.target_groups:
if tg.target_type == "instance":
public_instances[tg.target] = tg.arn
for instance in ec2_client.instances:
if instance.state != "terminated":
report = Check_Report_AWS(self.metadata())
report.region = instance.region
report.resource_id = instance.id
report.resource_arn = instance.arn
report.resource_tags = instance.tags
report.status = "PASS"
report.status_extended = f"EC2 Instance {instance.id} is not behind a internet facing load balancer."
for instance in ec2_client.instances:
if instance.state != "terminated":
report = Check_Report_AWS(self.metadata())
report.region = instance.region
report.resource_id = instance.id
report.resource_arn = instance.arn
report.resource_tags = instance.tags
report.status = "PASS"
report.status_extended = f"EC2 Instance {instance.id} is not behind an Internet facing Load Balancer."
# if the instanceId of the public lb is the same as the instances that are active, fail
if instance.id in public_instances:
report.status = "FAIL"
report.status_extended = f"EC2 Instance {instance.id} is behind a internet facing load balancer {public_instances[instance.id]}."
findings.append(report)
if instance.id in public_instances:
report.status = "FAIL"
report.status_extended = f"EC2 Instance {instance.id} is behind an Internet facing Load Balancer through target group {public_instances[instance.id]}."
findings.append(report)
return findings

155
tests/providers/aws/services/awslambda/awslambda_function_not_directly_publicly_accessible_via_elbv2/awslambda_function_not_directly_publicly_accessible_via_elbv2.py
View File

@@ -1,155 +0,0 @@
from unittest import mock
from boto3 import client, resource
from re import search
from prowler.providers.aws.services.awslambda.awslambda_service import Function
from mock import patch
from tests.providers.aws.audit_info_utils import (
AWS_ACCOUNT_NUMBER,
AWS_REGION_US_EAST_1,
AWS_REGION_US_EAST_1_AZA,
AWS_REGION_US_EAST_1_AZB,
set_mocked_aws_audit_info,
)
from moto import mock_aws
# Mock generate_regional_clients()
def mock_generate_regional_clients(service, audit_info):
regional_client = audit_info.audit_session.client(
service, region_name=AWS_REGION_US_EAST_1
)
regional_client.region = AWS_REGION_US_EAST_1
return {AWS_REGION_US_EAST_1: regional_client}
# Patch every AWS call using Boto3 and generate_regional_clients to have 1 client
@patch(
"prowler.providers.aws.lib.service.service.generate_regional_clients",
new=mock_generate_regional_clients,
)
class Test_awslambda_function_not_directly_publicly_accessible_via_elbv2:
@mock_aws
def test_no_functions(self):
from prowler.providers.aws.services.elbv2.elbv2_service import ELBv2
lambda_client = mock.MagicMock
lambda_client.functions = {}
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
set_mocked_aws_audit_info(),
), mock.patch(
"prowler.providers.aws.services.awslambda.awslambda_function_not_directly_publicly_accessible_via_elbv2.awslambda_function_not_directly_publicly_accessible_via_elbv2.awslambda_client",
new=lambda_client,
), mock.patch(
"prowler.providers.aws.services.awslambda.awslambda_function_not_directly_publicly_accessible_via_elbv2.awslambda_function_not_directly_publicly_accessible_via_elbv2.elbv2_client",
new=ELBv2(set_mocked_aws_audit_info()),
):
# Test Check
from prowler.providers.aws.services.awslambda.awslambda_function_not_directly_publicly_accessible_via_elbv2.awslambda_function_not_directly_publicly_accessible_via_elbv2 import (
awslambda_function_not_directly_publicly_accessible_via_elbv2,
)
check = awslambda_function_not_directly_publicly_accessible_via_elbv2()
result = check.execute()
assert len(result) == 0
@mock_aws
def test_function_elbv2_public(self):
# Lambda client
lambda_client = mock.MagicMock
function_name = "test-lambda"
function_runtime = "nodejs4.3"
function_arn = f"arn:aws:lambda:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:function/{function_name}"
lambda_client.functions = {
"function_name": Function(
name=function_name,
security_groups=[],
arn=function_arn,
region=AWS_REGION_US_EAST_1,
runtime=function_runtime,
)
}
# ALB Client
conn = client("elbv2", region_name=AWS_REGION_US_EAST_1)
ec2 = resource("ec2", region_name=AWS_REGION_US_EAST_1)
security_group = ec2.create_security_group(
GroupName="a-security-group", Description="First One"
)
vpc = ec2.create_vpc(CidrBlock="172.28.7.0/24", InstanceTenancy="default")
subnet1 = ec2.create_subnet(
VpcId=vpc.id,
CidrBlock="172.28.7.192/26",
AvailabilityZone=AWS_REGION_US_EAST_1_AZA,
)
subnet2 = ec2.create_subnet(
VpcId=vpc.id,
CidrBlock="172.28.7.0/26",
AvailabilityZone=AWS_REGION_US_EAST_1_AZB,
)
lb = conn.create_load_balancer(
Name="my-lb",
Subnets=[subnet1.id, subnet2.id],
SecurityGroups=[security_group.id],
Scheme="internet-facing",
Type="application",
)["LoadBalancers"][0]
target_group = conn.create_target_group(
Name="a-target",
HealthCheckEnabled=True,
HealthCheckProtocol="HTTP",
HealthCheckPath="/",
HealthCheckIntervalSeconds=35,
HealthCheckTimeoutSeconds=5,
HealthyThresholdCount=5,
UnhealthyThresholdCount=2,
TargetType="lambda",
)["TargetGroups"][0]
target_group_arn = target_group["TargetGroupArn"]
conn.register_targets(
TargetGroupArn=target_group_arn,
Targets=[
{"Id": function_arn},
],
)
conn.create_listener(
LoadBalancerArn=lb["LoadBalancerArn"],
Protocol="HTTP",
DefaultActions=[{"Type": "forward", "TargetGroupArn": target_group_arn}],
)
from prowler.providers.aws.services.elbv2.elbv2_service import ELBv2
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
set_mocked_aws_audit_info(),
), mock.patch(
"prowler.providers.aws.services.awslambda.awslambda_function_not_directly_publicly_accessible_via_elbv2.awslambda_function_not_directly_publicly_accessible_via_elbv2.awslambda_client",
new=lambda_client,
), mock.patch(
"prowler.providers.aws.services.awslambda.awslambda_function_not_directly_publicly_accessible_via_elbv2.awslambda_function_not_directly_publicly_accessible_via_elbv2.elbv2_client",
new=ELBv2(set_mocked_aws_audit_info()),
):
# Test Check
from prowler.providers.aws.services.awslambda.awslambda_function_not_directly_publicly_accessible_via_elbv2.awslambda_function_not_directly_publicly_accessible_via_elbv2 import (
awslambda_function_not_directly_publicly_accessible_via_elbv2,
)
check = awslambda_function_not_directly_publicly_accessible_via_elbv2()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert search(
"is behind a internet facing load balancer",
result[0].status_extended,
)

190
tests/providers/aws/services/awslambda/awslambda_function_not_directly_publicly_accessible_via_elbv2/awslambda_function_not_directly_publicly_accessible_via_elbv2_test.py
View File

@@ -1,22 +1,21 @@
from re import search
from unittest import mock
from boto3 import client, resource
from mock import patch
from moto import mock_aws
from tests.providers.aws.audit_info_utils import (
from tests.providers.aws.utils import (
AWS_ACCOUNT_NUMBER,
AWS_REGION_US_EAST_1,
AWS_REGION_US_EAST_1_AZA,
AWS_REGION_US_EAST_1_AZB,
set_mocked_aws_audit_info,
set_mocked_aws_provider,
)
# Mock generate_regional_clients()
def mock_generate_regional_clients(service, audit_info):
regional_client = audit_info.audit_session.client(
def mock_generate_regional_clients(provider, service):
regional_client = provider._session.current_session.client(
service, region_name=AWS_REGION_US_EAST_1
)
regional_client.region = AWS_REGION_US_EAST_1
@@ -25,7 +24,7 @@ def mock_generate_regional_clients(service, audit_info):
# Patch every AWS call using Boto3 and generate_regional_clients to have 1 client
@patch(
"prowler.providers.aws.lib.service.service.generate_regional_clients",
"prowler.providers.aws.aws_provider.AwsProvider.generate_regional_clients",
new=mock_generate_regional_clients,
)
class Test_awslambda_function_not_directly_publicly_accessible_via_elbv2:
@@ -37,14 +36,14 @@ class Test_awslambda_function_not_directly_publicly_accessible_via_elbv2:
lambda_client.functions = {}
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
set_mocked_aws_audit_info(),
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_aws_provider(),
), mock.patch(
"prowler.providers.aws.services.awslambda.awslambda_function_not_directly_publicly_accessible_via_elbv2.awslambda_function_not_directly_publicly_accessible_via_elbv2.awslambda_client",
"prowler.providers.aws.services.awslambda.awslambda_function_no_secrets_in_variables.awslambda_function_no_secrets_in_variables.awslambda_client",
new=lambda_client,
), mock.patch(
"prowler.providers.aws.services.awslambda.awslambda_function_not_directly_publicly_accessible_via_elbv2.awslambda_function_not_directly_publicly_accessible_via_elbv2.elbv2_client",
new=ELBv2(set_mocked_aws_audit_info()),
new=ELBv2(set_mocked_aws_provider()),
):
# Test Check
from prowler.providers.aws.services.awslambda.awslambda_function_not_directly_publicly_accessible_via_elbv2.awslambda_function_not_directly_publicly_accessible_via_elbv2 import (
@@ -56,6 +55,161 @@ class Test_awslambda_function_not_directly_publicly_accessible_via_elbv2:
assert len(result) == 0
@mock_aws
def test_function_without_elbv2(self):
from prowler.providers.aws.services.awslambda.awslambda_service import Function
# Lambda client
lambda_client = mock.MagicMock
function_name = "test-lambda"
function_runtime = "nodejs4.3"
function_arn = f"arn:aws:lambda:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:function/{function_name}"
lambda_client.functions = {
"function_name": Function(
name=function_name,
security_groups=[],
arn=function_arn,
region=AWS_REGION_US_EAST_1,
runtime=function_runtime,
)
}
from prowler.providers.aws.services.elbv2.elbv2_service import ELBv2
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_aws_provider(),
), mock.patch(
"prowler.providers.aws.services.awslambda.awslambda_function_not_directly_publicly_accessible_via_elbv2.awslambda_function_not_directly_publicly_accessible_via_elbv2.awslambda_client",
new=lambda_client,
), mock.patch(
"prowler.providers.aws.services.awslambda.awslambda_function_not_directly_publicly_accessible_via_elbv2.awslambda_function_not_directly_publicly_accessible_via_elbv2.elbv2_client",
new=ELBv2(set_mocked_aws_provider()),
):
# Test Check
from prowler.providers.aws.services.awslambda.awslambda_function_not_directly_publicly_accessible_via_elbv2.awslambda_function_not_directly_publicly_accessible_via_elbv2 import (
awslambda_function_not_directly_publicly_accessible_via_elbv2,
)
check = awslambda_function_not_directly_publicly_accessible_via_elbv2()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Lambda function {function_name} is not behind an Internet facing Load Balancer."
)
assert result[0].region == AWS_REGION_US_EAST_1
assert result[0].resource_id == function_name
assert result[0].resource_arn == function_arn
assert result[0].resource_tags == []
@mock_aws
def test_function_elbv2_internal(self):
from prowler.providers.aws.services.awslambda.awslambda_service import Function
# Lambda client
lambda_client = mock.MagicMock
function_name = "test-lambda"
function_runtime = "nodejs4.3"
function_arn = f"arn:aws:lambda:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:function/{function_name}"
lambda_client.functions = {
"function_name": Function(
name=function_name,
security_groups=[],
arn=function_arn,
region=AWS_REGION_US_EAST_1,
runtime=function_runtime,
)
}
# ALB Client
conn = client("elbv2", region_name=AWS_REGION_US_EAST_1)
ec2 = resource("ec2", region_name=AWS_REGION_US_EAST_1)
security_group = ec2.create_security_group(
GroupName="a-security-group", Description="First One"
)
vpc = ec2.create_vpc(CidrBlock="172.28.7.0/24", InstanceTenancy="default")
subnet1 = ec2.create_subnet(
VpcId=vpc.id,
CidrBlock="172.28.7.192/26",
AvailabilityZone=AWS_REGION_US_EAST_1_AZA,
)
subnet2 = ec2.create_subnet(
VpcId=vpc.id,
CidrBlock="172.28.7.0/26",
AvailabilityZone=AWS_REGION_US_EAST_1_AZB,
)
lb = conn.create_load_balancer(
Name="my-lb",
Subnets=[subnet1.id, subnet2.id],
SecurityGroups=[security_group.id],
Scheme="internal",
Type="application",
)["LoadBalancers"][0]
target_group = conn.create_target_group(
Name="a-target",
HealthCheckEnabled=True,
HealthCheckProtocol="HTTP",
HealthCheckPath="/",
HealthCheckIntervalSeconds=35,
HealthCheckTimeoutSeconds=5,
HealthyThresholdCount=5,
UnhealthyThresholdCount=2,
TargetType="lambda",
)["TargetGroups"][0]
target_group_arn = target_group["TargetGroupArn"]
conn.register_targets(
TargetGroupArn=target_group_arn,
Targets=[
{"Id": function_arn},
],
)
conn.create_listener(
LoadBalancerArn=lb["LoadBalancerArn"],
Protocol="HTTP",
DefaultActions=[{"Type": "forward", "TargetGroupArn": target_group_arn}],
)
from prowler.providers.aws.services.elbv2.elbv2_service import ELBv2
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_aws_provider(),
), mock.patch(
"prowler.providers.aws.services.awslambda.awslambda_function_not_directly_publicly_accessible_via_elbv2.awslambda_function_not_directly_publicly_accessible_via_elbv2.awslambda_client",
new=lambda_client,
), mock.patch(
"prowler.providers.aws.services.awslambda.awslambda_function_not_directly_publicly_accessible_via_elbv2.awslambda_function_not_directly_publicly_accessible_via_elbv2.elbv2_client",
new=ELBv2(set_mocked_aws_provider()),
):
# Test Check
from prowler.providers.aws.services.awslambda.awslambda_function_not_directly_publicly_accessible_via_elbv2.awslambda_function_not_directly_publicly_accessible_via_elbv2 import (
awslambda_function_not_directly_publicly_accessible_via_elbv2,
)
check = awslambda_function_not_directly_publicly_accessible_via_elbv2()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Lambda function {function_name} is not behind an Internet facing Load Balancer."
)
assert result[0].region == AWS_REGION_US_EAST_1
assert result[0].resource_id == function_name
assert result[0].resource_arn == function_arn
assert result[0].resource_tags == []
@mock_aws
def test_function_elbv2_public(self):
from prowler.providers.aws.services.awslambda.awslambda_service import Function
@@ -133,14 +287,14 @@ class Test_awslambda_function_not_directly_publicly_accessible_via_elbv2:
from prowler.providers.aws.services.elbv2.elbv2_service import ELBv2
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
set_mocked_aws_audit_info(),
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_aws_provider(),
), mock.patch(
"prowler.providers.aws.services.awslambda.awslambda_function_not_directly_publicly_accessible_via_elbv2.awslambda_function_not_directly_publicly_accessible_via_elbv2.awslambda_client",
new=lambda_client,
), mock.patch(
"prowler.providers.aws.services.awslambda.awslambda_function_not_directly_publicly_accessible_via_elbv2.awslambda_function_not_directly_publicly_accessible_via_elbv2.elbv2_client",
new=ELBv2(set_mocked_aws_audit_info()),
new=ELBv2(set_mocked_aws_provider()),
):
# Test Check
from prowler.providers.aws.services.awslambda.awslambda_function_not_directly_publicly_accessible_via_elbv2.awslambda_function_not_directly_publicly_accessible_via_elbv2 import (
@@ -152,7 +306,11 @@ class Test_awslambda_function_not_directly_publicly_accessible_via_elbv2:
assert len(result) == 1
assert result[0].status == "FAIL"
assert search(
"is behind a internet facing load balancer",
result[0].status_extended,
assert (
result[0].status_extended
== f"Lambda function {function_name} is behind an Internet facing Load Balancer through target group {target_group_arn}."
)
assert result[0].region == AWS_REGION_US_EAST_1
assert result[0].resource_id == function_name
assert result[0].resource_arn == function_arn
assert result[0].resource_tags == []

310
tests/providers/aws/services/ec2/ec2_instance_not_directly_publicly_accessible_via_elb/ec2_instance_not_directly_publicly_accessible_via_elb.py
View File

@@ -1,310 +0,0 @@
from unittest import mock
from boto3 import client, resource
from moto import mock_aws
from tests.providers.aws.audit_info_utils import (
AWS_REGION_EU_WEST_1,
AWS_REGION_EU_WEST_1_AZA,
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
EXAMPLE_AMI_ID = "ami-12c6146b"
class Test_ec2_instance_not_directly_publicly_accessible_via_elb:
@mock_aws
def test_ec2_no_public_elbs(self):
from prowler.providers.aws.services.ec2.ec2_service import EC2
current_audit_info = set_mocked_aws_audit_info(
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1]
)
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.ec2.ec2_instance_not_directly_publicly_accessible_via_elb.ec2_instance_not_directly_publicly_accessible_via_elb.ec2_client",
new=EC2(current_audit_info),
):
# Test Check
from prowler.providers.aws.services.ec2.ec2_instance_not_directly_publicly_accessible_via_elb.ec2_instance_not_directly_publicly_accessible_via_elb import (
ec2_instance_not_directly_publicly_accessible_via_elb,
)
check = ec2_instance_not_directly_publicly_accessible_via_elb()
findings = check.execute()
assert len(findings) == 0
@mock_aws
def test_ec2_behind_public_elb(self):
elb = client("elb", region_name=AWS_REGION_EU_WEST_1)
ec2 = resource("ec2", region_name=AWS_REGION_EU_WEST_1)
security_group = ec2.create_security_group(
GroupName="sg01", Description="Test security group sg01"
)
elb.create_load_balancer(
LoadBalancerName="my-lb",
Listeners=[
{"Protocol": "tcp", "LoadBalancerPort": 80, "InstancePort": 8080},
{"Protocol": "http", "LoadBalancerPort": 81, "InstancePort": 9000},
],
AvailabilityZones=[AWS_REGION_EU_WEST_1_AZA],
Scheme="internet-facing",
SecurityGroups=[security_group.id],
)
security_group_instance = ec2.create_security_group(
GroupName="sg01_instance",
Description="Test security group for EC2 instance",
)
iam = client("iam", "us-west-1")
profile_name = "fake_profile"
_ = iam.create_instance_profile(
InstanceProfileName=profile_name,
)
ec2 = resource("ec2", region_name=AWS_REGION_US_EAST_1)
vpc = ec2.create_vpc(CidrBlock="10.0.0.0/16")
subnet = ec2.create_subnet(VpcId=vpc.id, CidrBlock="10.0.0.0/18")
instance = ec2.create_instances(
ImageId=EXAMPLE_AMI_ID,
MinCount=1,
MaxCount=1,
IamInstanceProfile={"Name": profile_name},
NetworkInterfaces=[
{
"DeviceIndex": 0,
"SubnetId": subnet.id,
"AssociatePublicIpAddress": False,
"Groups": [
security_group_instance.id
], # Assign instance to its own security group
}
],
)[0]
# Register the instance with the load balancer
elb.register_instances_with_load_balancer(
LoadBalancerName="my-lb",
Instances=[
{"InstanceId": instance.id},
],
)
from prowler.providers.aws.services.ec2.ec2_service import EC2
from prowler.providers.aws.services.elb.elb_service import ELB
current_audit_info = set_mocked_aws_audit_info(
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1]
)
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.ec2.ec2_instance_not_directly_publicly_accessible_via_elb.ec2_instance_not_directly_publicly_accessible_via_elb.ec2_client",
new=EC2(current_audit_info),
), mock.patch(
"prowler.providers.aws.services.ec2.ec2_instance_not_directly_publicly_accessible_via_elb.ec2_instance_not_directly_publicly_accessible_via_elb.elb_client",
new=ELB(current_audit_info),
):
# Test Check
from prowler.providers.aws.services.ec2.ec2_instance_not_directly_publicly_accessible_via_elb.ec2_instance_not_directly_publicly_accessible_via_elb import (
ec2_instance_not_directly_publicly_accessible_via_elb,
)
check = ec2_instance_not_directly_publicly_accessible_via_elb()
findings = check.execute()
assert len(findings) == 1
assert findings[0].status == "FAIL"
assert (
findings[0].status_extended
== f"EC2 Instance {instance.id} is behind a internet facing classic load balancer my-lb.us-east-1.elb.amazonaws.com."
)
@mock_aws
def test_ec2_behind_internal_elb(self):
elb = client("elb", region_name=AWS_REGION_EU_WEST_1)
ec2 = resource("ec2", region_name=AWS_REGION_EU_WEST_1)
security_group = ec2.create_security_group(
GroupName="sg01", Description="Test security group sg01"
)
elb.create_load_balancer(
LoadBalancerName="my-lb",
Listeners=[
{"Protocol": "tcp", "LoadBalancerPort": 80, "InstancePort": 8080},
{"Protocol": "http", "LoadBalancerPort": 81, "InstancePort": 9000},
],
AvailabilityZones=[AWS_REGION_EU_WEST_1_AZA],
Scheme="internal",
SecurityGroups=[security_group.id],
)
security_group_instance = ec2.create_security_group(
GroupName="sg01_instance",
Description="Test security group for EC2 instance",
)
iam = client("iam", "us-west-1")
profile_name = "fake_profile"
_ = iam.create_instance_profile(
InstanceProfileName=profile_name,
)
ec2 = resource("ec2", region_name=AWS_REGION_US_EAST_1)
vpc = ec2.create_vpc(CidrBlock="10.0.0.0/16")
subnet = ec2.create_subnet(VpcId=vpc.id, CidrBlock="10.0.0.0/18")
instance = ec2.create_instances(
ImageId=EXAMPLE_AMI_ID,
MinCount=1,
MaxCount=1,
IamInstanceProfile={"Name": profile_name},
NetworkInterfaces=[
{
"DeviceIndex": 0,
"SubnetId": subnet.id,
"AssociatePublicIpAddress": False,
"Groups": [
security_group_instance.id
], # Assign instance to its own security group
}
],
)[0]
# Register the instance with the load balancer
elb.register_instances_with_load_balancer(
LoadBalancerName="my-lb",
Instances=[
{"InstanceId": instance.id},
],
)
from prowler.providers.aws.services.ec2.ec2_service import EC2
from prowler.providers.aws.services.elb.elb_service import ELB
current_audit_info = set_mocked_aws_audit_info(
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1]
)
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.ec2.ec2_instance_not_directly_publicly_accessible_via_elb.ec2_instance_not_directly_publicly_accessible_via_elb.ec2_client",
new=EC2(current_audit_info),
), mock.patch(
"prowler.providers.aws.services.ec2.ec2_instance_not_directly_publicly_accessible_via_elb.ec2_instance_not_directly_publicly_accessible_via_elb.elb_client",
new=ELB(current_audit_info),
):
# Test Check
from prowler.providers.aws.services.ec2.ec2_instance_not_directly_publicly_accessible_via_elb.ec2_instance_not_directly_publicly_accessible_via_elb import (
ec2_instance_not_directly_publicly_accessible_via_elb,
)
check = ec2_instance_not_directly_publicly_accessible_via_elb()
findings = check.execute()
assert len(findings) == 1
assert findings[0].status == "PASS"
assert (
findings[0].status_extended
== f"EC2 Instance {instance.id} is not behind a internet facing classic load balancer."
)
@mock_aws
def test_two_ec2_behind_public_elb(self):
elb = client("elb", region_name=AWS_REGION_EU_WEST_1)
ec2 = resource("ec2", region_name=AWS_REGION_EU_WEST_1)
security_group = ec2.create_security_group(
GroupName="sg01", Description="Test security group sg01"
)
elb.create_load_balancer(
LoadBalancerName="my-lb",
Listeners=[
{"Protocol": "tcp", "LoadBalancerPort": 80, "InstancePort": 8080},
{"Protocol": "http", "LoadBalancerPort": 81, "InstancePort": 9000},
],
AvailabilityZones=[AWS_REGION_EU_WEST_1_AZA],
Scheme="internet-facing",
SecurityGroups=[security_group.id],
)
security_group_instance = ec2.create_security_group(
GroupName="sg01_instance",
Description="Test security group for EC2 instance",
)
iam = client("iam", "us-west-1")
profile_name = "fake_profile"
iam.create_instance_profile(
InstanceProfileName=profile_name,
)
ec2 = resource("ec2", region_name=AWS_REGION_US_EAST_1)
vpc = ec2.create_vpc(CidrBlock="10.0.0.0/16")
subnet = ec2.create_subnet(VpcId=vpc.id, CidrBlock="10.0.0.0/18")
# Create two EC2 instances
instances = ec2.create_instances(
ImageId=EXAMPLE_AMI_ID,
MinCount=2,
MaxCount=2,
IamInstanceProfile={"Name": profile_name},
NetworkInterfaces=[
{
"DeviceIndex": 0,
"SubnetId": subnet.id,
"AssociatePublicIpAddress": False,
"Groups": [
security_group_instance.id
], # Assign instance to its own security group
}
],
)
# Register the instances with the load balancer
elb.register_instances_with_load_balancer(
LoadBalancerName="my-lb",
Instances=[{"InstanceId": instance.id} for instance in instances],
)
from prowler.providers.aws.services.ec2.ec2_service import EC2
from prowler.providers.aws.services.elb.elb_service import ELB
current_audit_info = set_mocked_aws_audit_info(
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1]
)
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.ec2.ec2_instance_not_directly_publicly_accessible_via_elb.ec2_instance_not_directly_publicly_accessible_via_elb.ec2_client",
new=EC2(current_audit_info),
), mock.patch(
"prowler.providers.aws.services.ec2.ec2_instance_not_directly_publicly_accessible_via_elb.ec2_instance_not_directly_publicly_accessible_via_elb.elb_client",
new=ELB(current_audit_info),
):
# Test Check
from prowler.providers.aws.services.ec2.ec2_instance_not_directly_publicly_accessible_via_elb.ec2_instance_not_directly_publicly_accessible_via_elb import (
ec2_instance_not_directly_publicly_accessible_via_elb,
)
check = ec2_instance_not_directly_publicly_accessible_via_elb()
findings = check.execute()
assert len(findings) == 2
assert findings[0].status == "FAIL"
assert (
findings[0].status_extended
== f"EC2 Instance {instances[0].id} is behind a internet facing classic load balancer my-lb.us-east-1.elb.amazonaws.com."
)
assert findings[1].status == "FAIL"
assert (
findings[1].status_extended
== f"EC2 Instance {instances[1].id} is behind a internet facing classic load balancer my-lb.us-east-1.elb.amazonaws.com."
)

108
tests/providers/aws/services/ec2/ec2_instance_not_directly_publicly_accessible_via_elb/ec2_instance_not_directly_publicly_accessible_via_elb_test.py
View File

@@ -3,14 +3,15 @@ from unittest import mock
from boto3 import client, resource
from moto import mock_aws
from tests.providers.aws.audit_info_utils import (
from tests.providers.aws.utils import (
AWS_REGION_EU_WEST_1,
AWS_REGION_EU_WEST_1_AZA,
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
set_mocked_aws_provider,
)
EXAMPLE_AMI_ID = "ami-12c6146b"
LOAD_BALANCER_DNS = f"my-lb.{AWS_REGION_US_EAST_1}.elb.amazonaws.com"
class Test_ec2_instance_not_directly_publicly_accessible_via_elb:
@@ -18,16 +19,16 @@ class Test_ec2_instance_not_directly_publicly_accessible_via_elb:
def test_ec2_no_public_elbs(self):
from prowler.providers.aws.services.ec2.ec2_service import EC2
current_audit_info = set_mocked_aws_audit_info(
aws_provider = set_mocked_aws_provider(
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1]
)
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
"prowler.providers.common.common.get_global_provider",
return_value=aws_provider,
), mock.patch(
"prowler.providers.aws.services.ec2.ec2_instance_not_directly_publicly_accessible_via_elb.ec2_instance_not_directly_publicly_accessible_via_elb.ec2_client",
new=EC2(current_audit_info),
new=EC2(aws_provider),
):
# Test Check
from prowler.providers.aws.services.ec2.ec2_instance_not_directly_publicly_accessible_via_elb.ec2_instance_not_directly_publicly_accessible_via_elb import (
@@ -100,19 +101,19 @@ class Test_ec2_instance_not_directly_publicly_accessible_via_elb:
from prowler.providers.aws.services.ec2.ec2_service import EC2
from prowler.providers.aws.services.elb.elb_service import ELB
current_audit_info = set_mocked_aws_audit_info(
aws_provider = set_mocked_aws_provider(
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1]
)
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
"prowler.providers.common.common.get_global_provider",
return_value=aws_provider,
), mock.patch(
"prowler.providers.aws.services.ec2.ec2_instance_not_directly_publicly_accessible_via_elb.ec2_instance_not_directly_publicly_accessible_via_elb.ec2_client",
new=EC2(current_audit_info),
new=EC2(aws_provider),
), mock.patch(
"prowler.providers.aws.services.ec2.ec2_instance_not_directly_publicly_accessible_via_elb.ec2_instance_not_directly_publicly_accessible_via_elb.elb_client",
new=ELB(current_audit_info),
new=ELB(aws_provider),
):
# Test Check
from prowler.providers.aws.services.ec2.ec2_instance_not_directly_publicly_accessible_via_elb.ec2_instance_not_directly_publicly_accessible_via_elb import (
@@ -120,13 +121,20 @@ class Test_ec2_instance_not_directly_publicly_accessible_via_elb:
)
check = ec2_instance_not_directly_publicly_accessible_via_elb()
findings = check.execute()
assert len(findings) == 1
assert findings[0].status == "FAIL"
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
findings[0].status_extended
== f"EC2 Instance {instance.id} is behind a internet facing classic load balancer my-lb.us-east-1.elb.amazonaws.com."
result[0].status_extended
== f"EC2 Instance {instance.id} is behind an Internet facing Classic Load Balancer {LOAD_BALANCER_DNS}."
)
assert result[0].region == AWS_REGION_US_EAST_1
assert result[0].resource_id == instance.id
assert (
result[0].resource_arn
== f"arn:{aws_provider.identity.partition}:ec2:{AWS_REGION_US_EAST_1}:{aws_provider.identity.account}:instance/{instance.id}"
)
assert result[0].resource_tags is None
@mock_aws
def test_ec2_behind_internal_elb(self):
@@ -189,19 +197,19 @@ class Test_ec2_instance_not_directly_publicly_accessible_via_elb:
from prowler.providers.aws.services.ec2.ec2_service import EC2
from prowler.providers.aws.services.elb.elb_service import ELB
current_audit_info = set_mocked_aws_audit_info(
aws_provider = set_mocked_aws_provider(
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1]
)
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
"prowler.providers.common.common.get_global_provider",
return_value=aws_provider,
), mock.patch(
"prowler.providers.aws.services.ec2.ec2_instance_not_directly_publicly_accessible_via_elb.ec2_instance_not_directly_publicly_accessible_via_elb.ec2_client",
new=EC2(current_audit_info),
new=EC2(aws_provider),
), mock.patch(
"prowler.providers.aws.services.ec2.ec2_instance_not_directly_publicly_accessible_via_elb.ec2_instance_not_directly_publicly_accessible_via_elb.elb_client",
new=ELB(current_audit_info),
new=ELB(aws_provider),
):
# Test Check
from prowler.providers.aws.services.ec2.ec2_instance_not_directly_publicly_accessible_via_elb.ec2_instance_not_directly_publicly_accessible_via_elb import (
@@ -209,13 +217,19 @@ class Test_ec2_instance_not_directly_publicly_accessible_via_elb:
)
check = ec2_instance_not_directly_publicly_accessible_via_elb()
findings = check.execute()
assert len(findings) == 1
assert findings[0].status == "PASS"
result = check.execute()
assert result[0].status == "PASS"
assert (
findings[0].status_extended
== f"EC2 Instance {instance.id} is not behind a internet facing classic load balancer."
result[0].status_extended
== f"EC2 Instance {instance.id} is not behind an Internet facing Classic Load Balancer."
)
assert result[0].region == AWS_REGION_US_EAST_1
assert result[0].resource_id == instance.id
assert (
result[0].resource_arn
== f"arn:{aws_provider.identity.partition}:ec2:{AWS_REGION_US_EAST_1}:{aws_provider.identity.account}:instance/{instance.id}"
)
assert result[0].resource_tags is None
@mock_aws
def test_two_ec2_behind_public_elb(self):
@@ -277,19 +291,19 @@ class Test_ec2_instance_not_directly_publicly_accessible_via_elb:
from prowler.providers.aws.services.ec2.ec2_service import EC2
from prowler.providers.aws.services.elb.elb_service import ELB
current_audit_info = set_mocked_aws_audit_info(
aws_provider = set_mocked_aws_provider(
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1]
)
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
"prowler.providers.common.common.get_global_provider",
return_value=aws_provider,
), mock.patch(
"prowler.providers.aws.services.ec2.ec2_instance_not_directly_publicly_accessible_via_elb.ec2_instance_not_directly_publicly_accessible_via_elb.ec2_client",
new=EC2(current_audit_info),
new=EC2(aws_provider),
), mock.patch(
"prowler.providers.aws.services.ec2.ec2_instance_not_directly_publicly_accessible_via_elb.ec2_instance_not_directly_publicly_accessible_via_elb.elb_client",
new=ELB(current_audit_info),
new=ELB(aws_provider),
):
# Test Check
from prowler.providers.aws.services.ec2.ec2_instance_not_directly_publicly_accessible_via_elb.ec2_instance_not_directly_publicly_accessible_via_elb import (
@@ -297,15 +311,31 @@ class Test_ec2_instance_not_directly_publicly_accessible_via_elb:
)
check = ec2_instance_not_directly_publicly_accessible_via_elb()
findings = check.execute()
assert len(findings) == 2
assert findings[0].status == "FAIL"
result = check.execute()
assert len(result) == 2
assert result[0].status == "FAIL"
assert (
findings[0].status_extended
== f"EC2 Instance {instances[0].id} is behind a internet facing classic load balancer my-lb.us-east-1.elb.amazonaws.com."
result[0].status_extended
== f"EC2 Instance {instances[0].id} is behind an Internet facing Classic Load Balancer {LOAD_BALANCER_DNS}."
)
assert findings[1].status == "FAIL"
assert result[0].region == AWS_REGION_US_EAST_1
assert result[0].resource_id == instances[0].id
assert (
findings[1].status_extended
== f"EC2 Instance {instances[1].id} is behind a internet facing classic load balancer my-lb.us-east-1.elb.amazonaws.com."
result[0].resource_arn
== f"arn:{aws_provider.identity.partition}:ec2:{AWS_REGION_US_EAST_1}:{aws_provider.identity.account}:instance/{instances[0].id}"
)
assert result[0].resource_tags is None
assert result[1].status == "FAIL"
assert (
result[1].status_extended
== f"EC2 Instance {instances[1].id} is behind an Internet facing Classic Load Balancer {LOAD_BALANCER_DNS}."
)
assert result[1].region == AWS_REGION_US_EAST_1
assert result[1].resource_id == instances[1].id
assert (
result[1].resource_arn
== f"arn:{aws_provider.identity.partition}:ec2:{AWS_REGION_US_EAST_1}:{aws_provider.identity.account}:instance/{instances[1].id}"
)
assert result[1].resource_tags is None

275
tests/providers/aws/services/ec2/ec2_instance_not_directly_publicly_accessible_via_elbv2/ec2_instance_not_directly_publicly_accessible_via_elbv2.py
View File

@@ -1,275 +0,0 @@
from unittest import mock
from re import search
from boto3 import client, resource
from moto import mock_aws
from tests.providers.aws.audit_info_utils import (
AWS_REGION_EU_WEST_1,
AWS_REGION_EU_WEST_1_AZA,
AWS_REGION_EU_WEST_1_AZB,
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
EXAMPLE_AMI_ID = "ami-12c6146b"
class Test_ec2_instance_not_directly_publicly_accessible_via_elbv2:
@mock_aws
def test_no_elbsv2(self):
from prowler.providers.aws.services.elbv2.elbv2_service import ELBv2
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1]),
), mock.patch(
"prowler.providers.aws.services.elbv2.elbv2_insecure_ssl_ciphers.elbv2_insecure_ssl_ciphers.elbv2_client",
new=ELBv2(
set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1])
),
):
# Test Check
from prowler.providers.aws.services.elbv2.elbv2_insecure_ssl_ciphers.elbv2_insecure_ssl_ciphers import (
elbv2_insecure_ssl_ciphers,
)
check = elbv2_insecure_ssl_ciphers()
result = check.execute()
assert len(result) == 0
@mock_aws
def test_ec2_behind_public_elbv2(self):
conn = client("elbv2", region_name=AWS_REGION_EU_WEST_1)
ec2 = resource("ec2", region_name=AWS_REGION_EU_WEST_1)
security_group = ec2.create_security_group(
GroupName="a-security-group", Description="First One"
)
vpc = ec2.create_vpc(CidrBlock="172.28.7.0/24", InstanceTenancy="default")
subnet1 = ec2.create_subnet(
VpcId=vpc.id,
CidrBlock="172.28.7.192/26",
AvailabilityZone=AWS_REGION_EU_WEST_1_AZA,
)
subnet2 = ec2.create_subnet(
VpcId=vpc.id,
CidrBlock="172.28.7.0/26",
AvailabilityZone=AWS_REGION_EU_WEST_1_AZB,
)
lb = conn.create_load_balancer(
Name="my-lb",
Subnets=[subnet1.id, subnet2.id],
SecurityGroups=[security_group.id],
Scheme="internet-facing",
Type="application",
)["LoadBalancers"][0]
target_group = conn.create_target_group(
Name="a-target",
Protocol="HTTP",
Port=80,
VpcId=vpc.id,
HealthCheckProtocol="HTTP",
HealthCheckPath="/",
HealthCheckIntervalSeconds=30,
HealthCheckTimeoutSeconds=5,
HealthyThresholdCount=5,
UnhealthyThresholdCount=2,
TargetType="instance",
)["TargetGroups"][0]
target_group_arn = target_group["TargetGroupArn"]
security_group_instance = ec2.create_security_group(
GroupName="sg01_instance",
Description="Test security group for EC2 instance",
)
iam = client("iam", "us-west-1")
profile_name = "fake_profile"
iam.create_instance_profile(
InstanceProfileName=profile_name,
)
vpc = ec2.create_vpc(CidrBlock="10.0.0.0/16")
subnet = ec2.create_subnet(VpcId=vpc.id, CidrBlock="10.0.0.0/18")
instance = ec2.create_instances(
ImageId=EXAMPLE_AMI_ID,
MinCount=1,
MaxCount=1,
IamInstanceProfile={"Name": profile_name},
NetworkInterfaces=[
{
"DeviceIndex": 0,
"SubnetId": subnet.id,
"AssociatePublicIpAddress": False,
"Groups": [security_group_instance.id],
}
],
)[0]
conn.register_targets(
TargetGroupArn=target_group_arn,
Targets=[
{"Id": instance.id},
],
)
conn.create_listener(
LoadBalancerArn=lb["LoadBalancerArn"],
Protocol="HTTP",
Port=80,
DefaultActions=[{"Type": "forward", "TargetGroupArn": target_group_arn}],
)
from prowler.providers.aws.services.ec2.ec2_service import EC2
from prowler.providers.aws.services.elbv2.elbv2_service import ELBv2
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1]),
), mock.patch(
"prowler.providers.aws.services.ec2.ec2_instance_not_directly_publicly_accessible_via_elbv2.ec2_instance_not_directly_publicly_accessible_via_elbv2.ec2_client",
new=EC2(
set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1])
),
), mock.patch(
"prowler.providers.aws.services.ec2.ec2_instance_not_directly_publicly_accessible_via_elbv2.ec2_instance_not_directly_publicly_accessible_via_elbv2.elbv2_client",
new=ELBv2(
set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1])
),
):
# Test Check
from prowler.providers.aws.services.ec2.ec2_instance_not_directly_publicly_accessible_via_elbv2.ec2_instance_not_directly_publicly_accessible_via_elbv2 import (
ec2_instance_not_directly_publicly_accessible_via_elbv2,
)
check = ec2_instance_not_directly_publicly_accessible_via_elbv2()
findings = check.execute()
assert len(findings) == 1
assert findings[0].status == "FAIL"
assert search(
"is behind a internet facing load balancer",
findings[0].status_extended,
)
@mock_aws
def test_ec2_behind_private_elbv2(self):
conn = client("elbv2", region_name=AWS_REGION_EU_WEST_1)
ec2 = resource("ec2", region_name=AWS_REGION_EU_WEST_1)
security_group = ec2.create_security_group(
GroupName="a-security-group", Description="First One"
)
vpc = ec2.create_vpc(CidrBlock="172.28.7.0/24", InstanceTenancy="default")
subnet1 = ec2.create_subnet(
VpcId=vpc.id,
CidrBlock="172.28.7.192/26",
AvailabilityZone=AWS_REGION_EU_WEST_1_AZA,
)
subnet2 = ec2.create_subnet(
VpcId=vpc.id,
CidrBlock="172.28.7.0/26",
AvailabilityZone=AWS_REGION_EU_WEST_1_AZB,
)
lb = conn.create_load_balancer(
Name="my-lb",
Subnets=[subnet1.id, subnet2.id],
SecurityGroups=[security_group.id],
Scheme="internal",
Type="application",
)["LoadBalancers"][0]
target_group = conn.create_target_group(
Name="a-target",
Protocol="HTTP",
Port=80,
VpcId=vpc.id,
HealthCheckProtocol="HTTP",
HealthCheckPath="/",
HealthCheckIntervalSeconds=30,
HealthCheckTimeoutSeconds=5,
HealthyThresholdCount=5,
UnhealthyThresholdCount=2,
TargetType="instance",
)["TargetGroups"][0]
target_group_arn = target_group["TargetGroupArn"]
security_group_instance = ec2.create_security_group(
GroupName="sg01_instance",
Description="Test security group for EC2 instance",
)
iam = client("iam", "us-west-1")
profile_name = "fake_profile"
iam.create_instance_profile(
InstanceProfileName=profile_name,
)
vpc = ec2.create_vpc(CidrBlock="10.0.0.0/16")
subnet = ec2.create_subnet(VpcId=vpc.id, CidrBlock="10.0.0.0/18")
instance = ec2.create_instances(
ImageId=EXAMPLE_AMI_ID,
MinCount=1,
MaxCount=1,
IamInstanceProfile={"Name": profile_name},
NetworkInterfaces=[
{
"DeviceIndex": 0,
"SubnetId": subnet.id,
"AssociatePublicIpAddress": False,
"Groups": [security_group_instance.id],
}
],
)[0]
conn.register_targets(
TargetGroupArn=target_group_arn,
Targets=[
{"Id": instance.id},
],
)
conn.create_listener(
LoadBalancerArn=lb["LoadBalancerArn"],
Protocol="HTTP",
Port=80,
DefaultActions=[{"Type": "forward", "TargetGroupArn": target_group_arn}],
)
from prowler.providers.aws.services.ec2.ec2_service import EC2
from prowler.providers.aws.services.elbv2.elbv2_service import ELBv2
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1]),
), mock.patch(
"prowler.providers.aws.services.ec2.ec2_instance_not_directly_publicly_accessible_via_elbv2.ec2_instance_not_directly_publicly_accessible_via_elbv2.ec2_client",
new=EC2(
set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1])
),
), mock.patch(
"prowler.providers.aws.services.ec2.ec2_instance_not_directly_publicly_accessible_via_elbv2.ec2_instance_not_directly_publicly_accessible_via_elbv2.elbv2_client",
new=ELBv2(
set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1])
),
):
# Test Check
from prowler.providers.aws.services.ec2.ec2_instance_not_directly_publicly_accessible_via_elbv2.ec2_instance_not_directly_publicly_accessible_via_elbv2 import (
ec2_instance_not_directly_publicly_accessible_via_elbv2,
)
check = ec2_instance_not_directly_publicly_accessible_via_elbv2()
findings = check.execute()
assert len(findings) == 1
assert findings[0].status == "PASS"
assert search(
"is not behind a internet facing load balancer.",
findings[0].status_extended,
)

87
tests/providers/aws/services/ec2/ec2_instance_not_directly_publicly_accessible_via_elbv2/ec2_instance_not_directly_publicly_accessible_via_elbv2_test.py
View File

@@ -1,15 +1,14 @@
from re import search
from unittest import mock
from boto3 import client, resource
from moto import mock_aws
from tests.providers.aws.audit_info_utils import (
from tests.providers.aws.utils import (
AWS_REGION_EU_WEST_1,
AWS_REGION_EU_WEST_1_AZA,
AWS_REGION_EU_WEST_1_AZB,
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
set_mocked_aws_provider,
)
EXAMPLE_AMI_ID = "ami-12c6146b"
@@ -20,14 +19,16 @@ class Test_ec2_instance_not_directly_publicly_accessible_via_elbv2:
def test_no_elbsv2(self):
from prowler.providers.aws.services.elbv2.elbv2_service import ELBv2
aws_provider = set_mocked_aws_provider(
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1]
)
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1]),
"prowler.providers.common.common.get_global_provider",
return_value=aws_provider,
), mock.patch(
"prowler.providers.aws.services.elbv2.elbv2_insecure_ssl_ciphers.elbv2_insecure_ssl_ciphers.elbv2_client",
new=ELBv2(
set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1])
),
new=ELBv2(aws_provider),
):
# Test Check
from prowler.providers.aws.services.elbv2.elbv2_insecure_ssl_ciphers.elbv2_insecure_ssl_ciphers import (
@@ -128,19 +129,19 @@ class Test_ec2_instance_not_directly_publicly_accessible_via_elbv2:
from prowler.providers.aws.services.ec2.ec2_service import EC2
from prowler.providers.aws.services.elbv2.elbv2_service import ELBv2
aws_provider = set_mocked_aws_provider(
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1]
)
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1]),
"prowler.providers.common.common.get_global_provider",
return_value=aws_provider,
), mock.patch(
"prowler.providers.aws.services.ec2.ec2_instance_not_directly_publicly_accessible_via_elbv2.ec2_instance_not_directly_publicly_accessible_via_elbv2.ec2_client",
new=EC2(
set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1])
),
new=EC2(aws_provider),
), mock.patch(
"prowler.providers.aws.services.ec2.ec2_instance_not_directly_publicly_accessible_via_elbv2.ec2_instance_not_directly_publicly_accessible_via_elbv2.elbv2_client",
new=ELBv2(
set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1])
),
new=ELBv2(aws_provider),
):
# Test Check
from prowler.providers.aws.services.ec2.ec2_instance_not_directly_publicly_accessible_via_elbv2.ec2_instance_not_directly_publicly_accessible_via_elbv2 import (
@@ -148,14 +149,21 @@ class Test_ec2_instance_not_directly_publicly_accessible_via_elbv2:
)
check = ec2_instance_not_directly_publicly_accessible_via_elbv2()
findings = check.execute()
result = check.execute()
assert len(findings) == 1
assert findings[0].status == "FAIL"
assert search(
"is behind a internet facing load balancer",
findings[0].status_extended,
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"EC2 Instance {instance.id} is behind an Internet facing Load Balancer through target group {target_group_arn}."
)
assert result[0].region == AWS_REGION_EU_WEST_1
assert result[0].resource_id == instance.id
assert (
result[0].resource_arn
== f"arn:{aws_provider.identity.partition}:ec2:{AWS_REGION_EU_WEST_1}:{aws_provider.identity.account}:instance/{instance.id}"
)
assert result[0].resource_tags is None
@mock_aws
def test_ec2_behind_private_elbv2(self):
@@ -246,19 +254,19 @@ class Test_ec2_instance_not_directly_publicly_accessible_via_elbv2:
from prowler.providers.aws.services.ec2.ec2_service import EC2
from prowler.providers.aws.services.elbv2.elbv2_service import ELBv2
aws_provider = set_mocked_aws_provider(
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1]
)
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1]),
"prowler.providers.common.common.get_global_provider",
return_value=aws_provider,
), mock.patch(
"prowler.providers.aws.services.ec2.ec2_instance_not_directly_publicly_accessible_via_elbv2.ec2_instance_not_directly_publicly_accessible_via_elbv2.ec2_client",
new=EC2(
set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1])
),
new=EC2(aws_provider),
), mock.patch(
"prowler.providers.aws.services.ec2.ec2_instance_not_directly_publicly_accessible_via_elbv2.ec2_instance_not_directly_publicly_accessible_via_elbv2.elbv2_client",
new=ELBv2(
set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1])
),
new=ELBv2(aws_provider),
):
# Test Check
from prowler.providers.aws.services.ec2.ec2_instance_not_directly_publicly_accessible_via_elbv2.ec2_instance_not_directly_publicly_accessible_via_elbv2 import (
@@ -266,11 +274,18 @@ class Test_ec2_instance_not_directly_publicly_accessible_via_elbv2:
)
check = ec2_instance_not_directly_publicly_accessible_via_elbv2()
findings = check.execute()
result = check.execute()
assert len(findings) == 1
assert findings[0].status == "PASS"
assert search(
"is not behind a internet facing load balancer.",
findings[0].status_extended,
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"EC2 Instance {instance.id} is not behind an Internet facing Load Balancer."
)
assert result[0].region == AWS_REGION_EU_WEST_1
assert result[0].resource_id == instance.id
assert (
result[0].resource_arn
== f"arn:{aws_provider.identity.partition}:ec2:{AWS_REGION_EU_WEST_1}:{aws_provider.identity.account}:instance/{instance.id}"
)
assert result[0].resource_tags is None