fix(attack-surface): restore ec2-imdsv1 category alignment (#10998)

Daniel Barranquero
2026-05-05 16:42:47 +02:00
committed by GitHub
parent 369d6cecc1
commit aa759ab6b7
5 changed files with 9 additions and 4 deletions
+3 -2
@@ -202,8 +202,9 @@ def _get_attack_surface_mapping_from_provider(provider_type: str) -> dict:
"iam_inline_policy_allows_privilege_escalation", "iam_inline_policy_allows_privilege_escalation",
}, },
"ec2-imdsv1": { "ec2-imdsv1": {
"ec2_instance_imdsv2_enabled" "ec2_instance_imdsv2_enabled",
}, # AWS only - IMDSv1 enabled findings "ec2_instance_account_imdsv2_enabled",
}, # AWS only - instance-level IMDSv1 exposure and account IMDS defaults
} }
for category_name, check_ids in attack_surface_check_mappings.items(): for category_name, check_ids in attack_surface_check_mappings.items():
if check_ids is None: if check_ids is None:
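Review bot: The `ec2-imdsv1` set here is now a hand-maintained copy of the `Categories` lists the same commit edits in the two check metadata files, and that duplication is what let the two drift apart in the first place, so a regression guard is worth adding next to this mapping. A test that loads the AWS check metadata through whatever loader the API already uses and asserts `{check_id for check_id, meta in checks.items() if "ec2-imdsv1" in meta.categories} == attack_surface_check_mappings["ec2-imdsv1"]` would fail the next time either side is edited alone (the exact loader and attribute names need confirming against the codebase). Separately, `ec2_instance_account_imdsv2_enabled` presumably reports the account/region IMDS default rather than a currently reachable instance, so a FAIL there means future launches default to IMDSv1, not that an endpoint is exposed today; if the Attack Surface count is read as "exposed now", a comment on that entry such as `# account-level default; a FAIL means new launches get IMDSv1, not that an instance is exposed today` would keep consumers from over-counting. `_get_attack_surface_mapping_from_provider` begins above this hunk and continues below it.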
+1
@@ -3853,6 +3853,7 @@ class TestAggregateAttackSurface:
in result["privilege-escalation"] in result["privilege-escalation"]
) )
assert "ec2_instance_imdsv2_enabled" in result["ec2-imdsv1"] assert "ec2_instance_imdsv2_enabled" in result["ec2-imdsv1"]
assert "ec2_instance_account_imdsv2_enabled" in result["ec2-imdsv1"]
@patch("tasks.jobs.scan.AttackSurfaceOverview.objects.bulk_create") @patch("tasks.jobs.scan.AttackSurfaceOverview.objects.bulk_create")
@patch("tasks.jobs.scan.Finding.all_objects.filter") @patch("tasks.jobs.scan.Finding.all_objects.filter")
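Review bot: The added line only checks membership, so an unintended extra check id landing in the `ec2-imdsv1` bucket would still pass; since the category now has exactly two intended members, an equality assertion pins the contract better, e.g. `assert set(result["ec2-imdsv1"]) == {"ec2_instance_imdsv2_enabled", "ec2_instance_account_imdsv2_enabled"}` (the `set(...)` wrapper assumes `result[...]` is an iterable of ids; adjust if it is already a set). The test method these assertions belong to starts above this hunk.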
+1
@@ -18,6 +18,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
- Azure compliance entries for legacy Network Watcher flow log controls now use retirement-aware guidance and point new deployments to VNet flow logs [(#10937)](https://github.com/prowler-cloud/prowler/pull/10937) - Azure compliance entries for legacy Network Watcher flow log controls now use retirement-aware guidance and point new deployments to VNet flow logs [(#10937)](https://github.com/prowler-cloud/prowler/pull/10937)
- AWS CodeBuild service now batches `BatchGetProjects` and `BatchGetBuilds` calls per region (up to 100 items per call) to reduce API call volume and prevent throttling-induced false positives in `codebuild_project_not_publicly_accessible` [(#10639)](https://github.com/prowler-cloud/prowler/pull/10639) - AWS CodeBuild service now batches `BatchGetProjects` and `BatchGetBuilds` calls per region (up to 100 items per call) to reduce API call volume and prevent throttling-induced false positives in `codebuild_project_not_publicly_accessible` [(#10639)](https://github.com/prowler-cloud/prowler/pull/10639)
- `display_compliance_table` dispatch switched from substring `in` checks to `startswith` to prevent false matches between similarly named frameworks (e.g. `cisa` vs `cis`) [(#10301)](https://github.com/prowler-cloud/prowler/pull/10301) - `display_compliance_table` dispatch switched from substring `in` checks to `startswith` to prevent false matches between similarly named frameworks (e.g. `cisa` vs `cis`) [(#10301)](https://github.com/prowler-cloud/prowler/pull/10301)
- Restore the `ec2-imdsv1` category for EC2 IMDS checks to keep Attack Surface and findings filters aligned [(#10998)](https://github.com/prowler-cloud/prowler/pull/10998)
### 🐞 Fixed ### 🐞 Fixed
@@ -34,7 +34,8 @@
} }
}, },
"Categories": [ "Categories": [
"secrets" "secrets",
"ec2-imdsv1"
], ],
"DependsOn": [], "DependsOn": [],
"RelatedTo": [], "RelatedTo": [],
@@ -36,7 +36,8 @@
}, },
"Categories": [ "Categories": [
"identity-access", "identity-access",
"secrets" "secrets",
"ec2-imdsv1"
], ],
"DependsOn": [], "DependsOn": [],
"RelatedTo": [], "RelatedTo": [],