feat(opensearch): add CLI remediation

prowler/providers/aws/services/opensearch/opensearch_domain_data_nodes_fault_tolerant/opensearch_domain_data_nodes_fault_tolerant.metadata.json

@@ -0,0 +1,32 @@
+{
+  "Provider": "aws",
+  "CheckID": "opensearch_domain_data_nodes_fault_tolerant",
+  "CheckTitle": "OpenSearch Domain should have at least three data nodes and have multiple Availability Zones",
+  "CheckType": [],
+  "ServiceName": "opensearch",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:partition:es:region:account-id:domain/resource-id",
+  "Severity": "medium",
+  "ResourceType": "AwsOpenSearchServiceDomain",
+  "Description": "An OpenSearch domain requires at least three data nodes and should be distributed across multiple Availability Zones to ensure high availability and fault tolerance.",
+  "Risk": "Without at least three data nodes and distribution across multiple Availability Zones, the OpenSearch domain risks service disruptions and data loss during failures.",
+  "RelatedUrl": "https://docs.aws.amazon.com/opensearch-service/latest/developerguide/createupdatedomains.html#createdomains",
+  "Remediation": {
+    "Code": {
+      "CLI": "aws es update-elasticsearch-domain-config --region <region> --domain-name <name> --elasticsearch-cluster-config InstanceCount=3,ZoneAwarenessEnabled=true",
+      "NativeIaC": "",
+      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/opensearch-controls.html#opensearch-6",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Configure the OpenSearch domain with at least three data nodes to ensure high availability and fault tolerance.",
+      "Url": "https://docs.aws.amazon.com/opensearch-service/latest/developerguide/managedomains-multiaz.html"
+    }
+  },
+  "Categories": [
+    "redundancy"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler/providers/aws/services/opensearch/opensearch_domain_data_nodes_fault_tolerant/opensearch_domain_data_nodes_fault_tolerant.py

@@ -0,0 +1,31 @@
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.opensearch.opensearch_client import (
+    opensearch_client,
+)
+
+
+class opensearch_domain_data_nodes_fault_tolerant(Check):
+    def execute(self):
+        findings = []
+        for domain in opensearch_client.opensearch_domains:
+            report = Check_Report_AWS(self.metadata())
+            report.resource_id = domain.name
+            report.resource_arn = domain.arn
+            report.region = domain.region
+            report.resource_tags = domain.tags
+            report.status = "PASS"
+            report.status_extended = f"Opensearch domain {domain.name} has {domain.data_nodes_count} data nodes and zone awareness enabled."
+
+            if domain.data_nodes_count < 3 and not domain.zone_awareness:
+                report.status = "FAIL"
+                report.status_extended = f"Opensearch domain {domain.name} does not have at least 3 data nodes and does not have zone awareness enabled, which is recommended for fault tolerance."
+            elif domain.data_nodes_count < 3:
+                report.status = "FAIL"
+                report.status_extended = f"Opensearch domain {domain.name} does not have at least 3 data nodes, which is recommended for fault tolerance."
+            elif not domain.zone_awareness:
+                report.status = "FAIL"
+                report.status_extended = f"Opensearch domain {domain.name} does not have zone awareness enabled, which is recommended for fault tolerance."
+
+            findings.append(report)
+
+        return findings

prowler/providers/aws/services/opensearch/opensearch_domain_master_nodes_fault_tolerant/opensearch_domain_master_nodes_fault_tolerant.metadata.json

@@ -0,0 +1,32 @@
+{
+  "Provider": "aws",
+  "CheckID": "opensearch_domain_master_nodes_fault_tolerant",
+  "CheckTitle": "OpenSearch Service Domain should have at least three dedicated master nodes",
+  "CheckType": [],
+  "ServiceName": "opensearch",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:partition:es:region:account-id:domain/resource-id",
+  "Severity": "medium",
+  "ResourceType": "AwsOpenSearchServiceDomain",
+  "Description": "OpenSearch Service uses dedicated master nodes to increase cluster stability. A minimum of three dedicated master nodes is recommended to ensure high availability.",
+  "Risk": "If a master node fails, the cluster may become unavailable.",
+  "RelatedUrl": "https://docs.aws.amazon.com/opensearch-service/latest/developerguide/managedomains-dedicatedmasternodes.html#dedicatedmasternodes-number",
+  "Remediation": {
+    "Code": {
+      "CLI": "aws es update-elasticsearch-domain-config --region <region> --domain-name <name> --elasticsearch-cluster-config DedicatedMasterEnabled=true,DedicatedMasterType='<instance_type>',DedicatedMasterCount=3",
+      "NativeIaC": "",
+      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/opensearch-controls.html#opensearch-11",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Ensure that your OpenSearch Service domain has at least three dedicated master nodes",
+      "Url": "https://docs.aws.amazon.com/opensearch-service/latest/developerguide/managedomains-dedicatedmasternodes.html#dedicatedmasternodes-number"
+    }
+  },
+  "Categories": [
+    "redundancy"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler/providers/aws/services/opensearch/opensearch_domain_master_nodes_fault_tolerant/opensearch_domain_master_nodes_fault_tolerant.py

@@ -0,0 +1,26 @@
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.opensearch.opensearch_client import (
+    opensearch_client,
+)
+
+
+class opensearch_domain_master_nodes_fault_tolerant(Check):
+    def execute(self):
+        findings = []
+        for domain in opensearch_client.opensearch_domains:
+            if getattr(domain, "dedicated_master_enabled", False):
+                report = Check_Report_AWS(self.metadata())
+                report.resource_id = domain.name
+                report.resource_arn = domain.arn
+                report.region = domain.region
+                report.resource_tags = domain.tags
+                report.status = "PASS"
+                report.status_extended = f"Opensearch domain {domain.name} has {domain.dedicated_master_count} dedicated master nodes, which guarantees fault tolerance on the master nodes."
+
+                if domain.dedicated_master_count < 3:
+                    report.status = "FAIL"
+                    report.status_extended = f"Opensearch domain {domain.name} does not have at least 3 dedicated master nodes."
+
+                findings.append(report)
+
+        return findings

prowler/providers/aws/services/opensearch/opensearch_service.py

@@ -8,7 +8,6 @@ from prowler.lib.scan_filters.scan_filters import is_resource_filtered
 from prowler.providers.aws.lib.service.service import AWSService
 
 
-################################ OpenSearch
 class OpenSearchService(AWSService):
     def __init__(self, provider):
         # Call AWSService's __init__
@@ -123,13 +122,35 @@ class OpenSearchService(AWSService):
                     .get("SAMLOptions", {})
                     .get("Enabled", False)
                 )
-                domain.update_available = describe_domain["DomainStatus"][
-                    "ServiceSoftwareOptions"
-                ]["UpdateAvailable"]
+                domain.update_available = (
+                    describe_domain["DomainStatus"]
+                    .get("ServiceSoftwareOptions", {})
+                    .get("UpdateAvailable", False)
+                )
                 domain.version = describe_domain["DomainStatus"]["EngineVersion"]
                 domain.advanced_settings_enabled = describe_domain["DomainStatus"][
                     "AdvancedSecurityOptions"
-                ]["Enabled"]
+                ].get("Enabled", False)
+                domain.dedicated_master_enabled = (
+                    describe_domain["DomainStatus"]
+                    .get("ClusterConfig", {})
+                    .get("DedicatedMasterEnabled", False)
+                )
+                domain.dedicated_master_count = (
+                    describe_domain["DomainStatus"]
+                    .get("ClusterConfig", {})
+                    .get("DedicatedMasterCount", 0)
+                )
+                domain.data_nodes_count = (
+                    describe_domain["DomainStatus"]
+                    .get("ClusterConfig", {})
+                    .get("InstanceCount", 0)
+                )
+                domain.zone_awareness = (
+                    describe_domain["DomainStatus"]
+                    .get("ClusterConfig", {})
+                    .get("ZoneAwarenessEnabled", False)
+                )
         except Exception as error:
             logger.error(
                 f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
@@ -171,5 +192,9 @@ class OpenSearchDomain(BaseModel):
     saml_enabled: bool = None
     update_available: bool = None
     version: str = None
-    tags: Optional[list] = []
     advanced_settings_enabled: bool = None
+    dedicated_master_enabled: Optional[bool]
+    dedicated_master_count: Optional[int]
+    data_nodes_count: Optional[int]
+    zone_awareness: Optional[bool]
+    tags: Optional[list] = []

tests/providers/aws/services/opensearch/opensearch_domain_data_nodes_fault_tolerant/opensearch_domain_data_nodes_fault_tolerant_test.py

@@ -0,0 +1,164 @@
+from unittest import mock
+
+from boto3 import client
+from moto import mock_aws
+
+from tests.providers.aws.utils import AWS_REGION_EU_WEST_1, set_mocked_aws_provider
+
+domain_name = "test-domain"
+
+
+class Test_opensearch_domain_data_nodes_fault_tolerant:
+    @mock_aws
+    def test_no_domains(self):
+        aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
+
+        from prowler.providers.aws.services.opensearch.opensearch_service import (
+            OpenSearchService,
+        )
+
+        with mock.patch(
+            "prowler.providers.common.provider.Provider.get_global_provider",
+            return_value=aws_provider,
+        ), mock.patch(
+            "prowler.providers.aws.services.opensearch.opensearch_domain_data_nodes_fault_tolerant.opensearch_domain_data_nodes_fault_tolerant.opensearch_client",
+            new=OpenSearchService(aws_provider),
+        ):
+            from prowler.providers.aws.services.opensearch.opensearch_domain_data_nodes_fault_tolerant.opensearch_domain_data_nodes_fault_tolerant import (
+                opensearch_domain_data_nodes_fault_tolerant,
+            )
+
+            check = opensearch_domain_data_nodes_fault_tolerant()
+            result = check.execute()
+            assert len(result) == 0
+
+    @mock_aws
+    def test_domain_with_one_data_node(self):
+        opensearch_client = client("opensearch", region_name=AWS_REGION_EU_WEST_1)
+        domain_arn = opensearch_client.create_domain(
+            DomainName=domain_name,
+            ClusterConfig={
+                "InstanceCount": 1,
+                "InstanceType": "m3.medium.search",
+                "ZoneAwarenessEnabled": True,
+            },
+            TagList=[
+                {"Key": "test", "Value": "test"},
+            ],
+        )["DomainStatus"]["ARN"]
+
+        aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
+
+        from prowler.providers.aws.services.opensearch.opensearch_service import (
+            OpenSearchService,
+        )
+
+        with mock.patch(
+            "prowler.providers.common.provider.Provider.get_global_provider",
+            return_value=aws_provider,
+        ), mock.patch(
+            "prowler.providers.aws.services.opensearch.opensearch_domain_data_nodes_fault_tolerant.opensearch_domain_data_nodes_fault_tolerant.opensearch_client",
+            new=OpenSearchService(aws_provider),
+        ):
+            from prowler.providers.aws.services.opensearch.opensearch_domain_data_nodes_fault_tolerant.opensearch_domain_data_nodes_fault_tolerant import (
+                opensearch_domain_data_nodes_fault_tolerant,
+            )
+
+            check = opensearch_domain_data_nodes_fault_tolerant()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"Opensearch domain {domain_name} does not have at least 3 data nodes, which is recommended for fault tolerance."
+            )
+            assert result[0].resource_id == domain_name
+            assert result[0].resource_arn == domain_arn
+            assert result[0].region == AWS_REGION_EU_WEST_1
+            assert result[0].resource_tags == [{"Key": "test", "Value": "test"}]
+
+    @mock_aws
+    def test_domain_with_three_data_nodes_and_not_zone_awaraness(self):
+        opensearch_client = client("opensearch", region_name=AWS_REGION_EU_WEST_1)
+        domain_arn = opensearch_client.create_domain(
+            DomainName=domain_name,
+            ClusterConfig={
+                "InstanceCount": 3,
+                "InstanceType": "m3.medium.search",
+                "ZoneAwarenessEnabled": False,
+            },
+            TagList=[{"Key": "test", "Value": "test"}],
+        )["DomainStatus"]["ARN"]
+
+        aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
+
+        from prowler.providers.aws.services.opensearch.opensearch_service import (
+            OpenSearchService,
+        )
+
+        with mock.patch(
+            "prowler.providers.common.provider.Provider.get_global_provider",
+            return_value=aws_provider,
+        ), mock.patch(
+            "prowler.providers.aws.services.opensearch.opensearch_domain_data_nodes_fault_tolerant.opensearch_domain_data_nodes_fault_tolerant.opensearch_client",
+            new=OpenSearchService(aws_provider),
+        ):
+            from prowler.providers.aws.services.opensearch.opensearch_domain_data_nodes_fault_tolerant.opensearch_domain_data_nodes_fault_tolerant import (
+                opensearch_domain_data_nodes_fault_tolerant,
+            )
+
+            check = opensearch_domain_data_nodes_fault_tolerant()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"Opensearch domain {domain_name} does not have zone awareness enabled, which is recommended for fault tolerance."
+            )
+            assert result[0].resource_id == domain_name
+            assert result[0].resource_arn == domain_arn
+            assert result[0].region == AWS_REGION_EU_WEST_1
+            assert result[0].resource_tags == [{"Key": "test", "Value": "test"}]
+
+    @mock_aws
+    def test_domain_with_three_data_nodes_and_zone_awaraness(self):
+        opensearch_client = client("opensearch", region_name=AWS_REGION_EU_WEST_1)
+        domain_arn = opensearch_client.create_domain(
+            DomainName=domain_name,
+            ClusterConfig={
+                "InstanceCount": 3,
+                "InstanceType": "m3.medium.search",
+                "ZoneAwarenessEnabled": True,
+            },
+            TagList=[{"Key": "test", "Value": "test"}],
+        )["DomainStatus"]["ARN"]
+
+        aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
+
+        from prowler.providers.aws.services.opensearch.opensearch_service import (
+            OpenSearchService,
+        )
+
+        with mock.patch(
+            "prowler.providers.common.provider.Provider.get_global_provider",
+            return_value=aws_provider,
+        ), mock.patch(
+            "prowler.providers.aws.services.opensearch.opensearch_domain_data_nodes_fault_tolerant.opensearch_domain_data_nodes_fault_tolerant.opensearch_client",
+            new=OpenSearchService(aws_provider),
+        ):
+            from prowler.providers.aws.services.opensearch.opensearch_domain_data_nodes_fault_tolerant.opensearch_domain_data_nodes_fault_tolerant import (
+                opensearch_domain_data_nodes_fault_tolerant,
+            )
+
+            check = opensearch_domain_data_nodes_fault_tolerant()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == f"Opensearch domain {domain_name} has 3 data nodes and zone awareness enabled."
+            )
+            assert result[0].resource_id == domain_name
+            assert result[0].resource_arn == domain_arn
+            assert result[0].region == AWS_REGION_EU_WEST_1
+            assert result[0].resource_tags == [{"Key": "test", "Value": "test"}]

tests/providers/aws/services/opensearch/opensearch_domain_master_nodes_fault_tolerant/opensearch_domain_master_nodes_fault_tolerant_test.py

@@ -0,0 +1,152 @@
+from unittest import mock
+
+from boto3 import client
+from moto import mock_aws
+
+from tests.providers.aws.utils import AWS_REGION_EU_WEST_1, set_mocked_aws_provider
+
+domain_name = "test-domain"
+
+
+class Test_opensearch_domain_master_nodes_fault_tolerant:
+    @mock_aws
+    def test_no_domains(self):
+        aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
+
+        from prowler.providers.aws.services.opensearch.opensearch_service import (
+            OpenSearchService,
+        )
+
+        with mock.patch(
+            "prowler.providers.common.provider.Provider.get_global_provider",
+            return_value=aws_provider,
+        ), mock.patch(
+            "prowler.providers.aws.services.opensearch.opensearch_domain_master_nodes_fault_tolerant.opensearch_domain_master_nodes_fault_tolerant.opensearch_client",
+            new=OpenSearchService(aws_provider),
+        ):
+            from prowler.providers.aws.services.opensearch.opensearch_domain_master_nodes_fault_tolerant.opensearch_domain_master_nodes_fault_tolerant import (
+                opensearch_domain_master_nodes_fault_tolerant,
+            )
+
+            check = opensearch_domain_master_nodes_fault_tolerant()
+            result = check.execute()
+            assert len(result) == 0
+
+    @mock_aws
+    def test_domain_no_master_nodes_enabled(self):
+        opensearch_client = client("opensearch", region_name=AWS_REGION_EU_WEST_1)
+        opensearch_client.create_domain(
+            DomainName=domain_name,
+            ClusterConfig={
+                "DedicatedMasterEnabled": False,
+            },
+        )
+
+        aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
+
+        from prowler.providers.aws.services.opensearch.opensearch_service import (
+            OpenSearchService,
+        )
+
+        with mock.patch(
+            "prowler.providers.common.provider.Provider.get_global_provider",
+            return_value=aws_provider,
+        ), mock.patch(
+            "prowler.providers.aws.services.opensearch.opensearch_domain_master_nodes_fault_tolerant.opensearch_domain_master_nodes_fault_tolerant.opensearch_client",
+            new=OpenSearchService(aws_provider),
+        ):
+            from prowler.providers.aws.services.opensearch.opensearch_domain_master_nodes_fault_tolerant.opensearch_domain_master_nodes_fault_tolerant import (
+                opensearch_domain_master_nodes_fault_tolerant,
+            )
+
+            check = opensearch_domain_master_nodes_fault_tolerant()
+            result = check.execute()
+            assert len(result) == 0
+
+    @mock_aws
+    def test_domain_with_one_master_node(self):
+        opensearch_client = client("opensearch", region_name=AWS_REGION_EU_WEST_1)
+        domain_arn = opensearch_client.create_domain(
+            DomainName=domain_name,
+            ClusterConfig={
+                "DedicatedMasterEnabled": True,
+                "DedicatedMasterCount": 1,
+                "DedicatedMasterType": "m3.medium.search",
+            },
+            TagList=[
+                {"Key": "test", "Value": "test"},
+            ],
+        )["DomainStatus"]["ARN"]
+
+        aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
+
+        from prowler.providers.aws.services.opensearch.opensearch_service import (
+            OpenSearchService,
+        )
+
+        with mock.patch(
+            "prowler.providers.common.provider.Provider.get_global_provider",
+            return_value=aws_provider,
+        ), mock.patch(
+            "prowler.providers.aws.services.opensearch.opensearch_domain_master_nodes_fault_tolerant.opensearch_domain_master_nodes_fault_tolerant.opensearch_client",
+            new=OpenSearchService(aws_provider),
+        ):
+            from prowler.providers.aws.services.opensearch.opensearch_domain_master_nodes_fault_tolerant.opensearch_domain_master_nodes_fault_tolerant import (
+                opensearch_domain_master_nodes_fault_tolerant,
+            )
+
+            check = opensearch_domain_master_nodes_fault_tolerant()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"Opensearch domain {domain_name} does not have at least 3 dedicated master nodes."
+            )
+            assert result[0].resource_id == domain_name
+            assert result[0].resource_arn == domain_arn
+            assert result[0].region == AWS_REGION_EU_WEST_1
+            assert result[0].resource_tags == [{"Key": "test", "Value": "test"}]
+
+    @mock_aws
+    def test_domain_with_three_master_nodes(self):
+        opensearch_client = client("opensearch", region_name=AWS_REGION_EU_WEST_1)
+        domain_arn = opensearch_client.create_domain(
+            DomainName=domain_name,
+            ClusterConfig={
+                "DedicatedMasterEnabled": True,
+                "DedicatedMasterCount": 3,
+                "DedicatedMasterType": "m3.medium.search",
+            },
+            TagList=[{"Key": "test", "Value": "test"}],
+        )["DomainStatus"]["ARN"]
+
+        aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
+
+        from prowler.providers.aws.services.opensearch.opensearch_service import (
+            OpenSearchService,
+        )
+
+        with mock.patch(
+            "prowler.providers.common.provider.Provider.get_global_provider",
+            return_value=aws_provider,
+        ), mock.patch(
+            "prowler.providers.aws.services.opensearch.opensearch_domain_master_nodes_fault_tolerant.opensearch_domain_master_nodes_fault_tolerant.opensearch_client",
+            new=OpenSearchService(aws_provider),
+        ):
+            from prowler.providers.aws.services.opensearch.opensearch_domain_master_nodes_fault_tolerant.opensearch_domain_master_nodes_fault_tolerant import (
+                opensearch_domain_master_nodes_fault_tolerant,
+            )
+
+            check = opensearch_domain_master_nodes_fault_tolerant()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == f"Opensearch domain {domain_name} has 3 dedicated master nodes, which guarantees fault tolerance on the master nodes."
+            )
+            assert result[0].resource_id == domain_name
+            assert result[0].resource_arn == domain_arn
+            assert result[0].region == AWS_REGION_EU_WEST_1
+            assert result[0].resource_tags == [{"Key": "test", "Value": "test"}]

tests/providers/aws/services/opensearch/opensearch_service_test.py

@@ -67,6 +67,12 @@ def mock_make_api_call(self, operation_name, kwarg):
                 "VPCOptions": {
                     "VPCId": "test-vpc-id",
                 },
+                "ClusterConfig": {
+                    "DedicatedMasterEnabled": True,
+                    "DedicatedMasterCount": 1,
+                    "InstanceCount": 3,
+                    "ZoneAwarenessEnabled": True,
+                },
                 "CognitoOptions": {"Enabled": True},
                 "EncryptionAtRestOptions": {"Enabled": True},
                 "NodeToNodeEncryptionOptions": {"Enabled": True},
@@ -80,6 +86,7 @@ def mock_make_api_call(self, operation_name, kwarg):
                 "ServiceSoftwareOptions": {"UpdateAvailable": True},
                 "DomainEndpointOptions": {"EnforceHTTPS": True},
                 "AdvancedSecurityOptions": {
+                    "Enabled": True,
                     "InternalUserDatabaseEnabled": True,
                     "SAMLOptions": {"Enabled": True},
                 },
@@ -171,6 +178,10 @@ class Test_OpenSearchService_Service:
         assert opensearch.opensearch_domains[0].saml_enabled
         assert opensearch.opensearch_domains[0].update_available
         assert opensearch.opensearch_domains[0].version == "opensearch-version1"
+        assert opensearch.opensearch_domains[0].dedicated_master_enabled
+        assert opensearch.opensearch_domains[0].dedicated_master_count == 1
+        assert opensearch.opensearch_domains[0].data_nodes_count == 3
+        assert opensearch.opensearch_domains[0].zone_awareness
         assert opensearch.opensearch_domains[0].tags == [
             {"Key": "test", "Value": "test"},
         ]