
feat(internet-exposed): Improve publicly accessible checks to include targets of ELBs

Open abant07 opened this issue 9 months ago • 8 comments

Context

Fixes https://github.com/prowler-cloud/prowler/issues/3237

Currently, we are checking if resources are internet-facing and then flagging it as a failed test to the user; however, there is a possibility that the user has configured security groups for their resources but has forgotten to configure them for their load balancers. This can potentially be a security threat, as anyone from the internet can access their load balancer and have the ability to hack their resources.

Description

No dependencies have been added; however, I have added 2 checks for EC2, 1 check for Lambda, and 1 check for ECS to make sure that ELBs and ELBv2s are either internal or, if they are internet-facing, have security groups.

New checks:

  • awslambda_function_not_directly_publicly_accessible_via_elbv2
  • ecs_container_not_directly_publicly_accessible_via_elbv2
  • ec2_instance_not_directly_publicly_accessible_via_elb
  • ec2_instance_not_directly_publicly_accessible_via_elbv2

To-Do:

  • [ ] Verify ALB/ELB and Instance/Lambda security group and ports
  • [ ] Include the target groups in the ALB/ELB object

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

abant07 avatar May 13 '24 17:05 abant07
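The rule the PR description states (a load balancer is acceptable if it is internal, or internet-facing with at least one security group) as an added stand-alone example; this is not Prowler's code, and the data classes, field names and sample load balancers are constructed here rather than taken from Prowler or the AWS API.

```python
# Added example, not part of the Prowler PR. Models the PR's rule and maps each
# failing load balancer to the targets it exposes, which is what the new
# ec2/lambda/ecs "not_directly_publicly_accessible_via_elb(v2)" checks look for.
from dataclasses import dataclass, field


@dataclass
class TargetGroup:
    name: str
    target_type: str  # "instance" (EC2), "lambda", or "ip" (ECS tasks in awsvpc mode)
    targets: list[str] = field(default_factory=list)


@dataclass
class LoadBalancer:
    name: str
    scheme: str  # "internet-facing" or "internal"
    security_groups: list[str] = field(default_factory=list)
    target_groups: list[TargetGroup] = field(default_factory=list)


def is_directly_exposed(lb: LoadBalancer) -> bool:
    """Internet-facing with no security group: nothing filters inbound traffic."""
    return lb.scheme == "internet-facing" and not lb.security_groups


def exposed_targets(lbs: list[LoadBalancer]) -> dict[str, list[str]]:
    """Return {"<type>:<target>": [load balancer names]} for every target
    reachable through a load balancer that fails the rule."""
    findings: dict[str, list[str]] = {}
    for lb in lbs:
        if not is_directly_exposed(lb):
            continue
        for tg in lb.target_groups:
            for target in tg.targets:
                findings.setdefault(f"{tg.target_type}:{target}", []).append(lb.name)
    return findings


# Constructed sample inventory (hypothetical names and IDs).
SAMPLE_LBS = [
    LoadBalancer("public-alb-no-sg", "internet-facing", [],
                 [TargetGroup("web", "instance", ["i-0abc"]),
                  TargetGroup("api", "lambda", ["fn-api"])]),
    LoadBalancer("public-alb-with-sg", "internet-facing", ["sg-0123"],
                 [TargetGroup("web2", "instance", ["i-0def"])]),
    LoadBalancer("internal-lb", "internal", [],
                 [TargetGroup("svc", "ip", ["10.0.1.5"])]),
]

if __name__ == "__main__":
    for target, names in exposed_targets(SAMPLE_LBS).items():
        print(f"FAIL {target} is reachable via {', '.join(names)}")
```

A missing security group is not by itself proof of exposure (for instance, Network Load Balancers created before security-group support had none), so a rule this simple produces the false positives the maintainers mention later in the thread; cross-checking listener ports against the target's own security groups is the follow-up the PR's to-do list describes.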

Sure! Thanks for the feedback. Is there anything else that is incorrect that I need to fix?

Thanks

abant07 avatar May 21 '24 15:05 abant07

Ok @puchy22

I believe I have corrected everything, let me know if there is something I missed.

abant07 avatar May 22 '24 00:05 abant07

@puchy22 Is there a way I can run a linting script to fix the linting error?

abant07 avatar May 22 '24 08:05 abant07

Hi @abant07, thanks for your amazing work and for responding so quickly. Now I am checking the new changes introduced. For linters we recommend using pre-commit, which is a tool that is configured for the repo.

Check our developer documentation to see how to install the project with everything you need to develop: https://docs.prowler.com/projects/prowler-open-source/en/latest/developer-guide/introduction/#contributing-with-your-code-or-fixes-to-prowler

puchy22 avatar May 22 '24 09:05 puchy22

Yes @puchy22, I have linted the code, and it seems to be passing the checks better. Thanks for the help.

abant07 avatar May 22 '24 09:05 abant07

Codecov Report

Attention: Patch coverage is 87.19512% with 21 lines in your changes missing coverage. Please review.

Project coverage is 86.33%. Comparing base (eb7f56f) to head (258262c). Report is 108 commits behind head on master.

Note: Current head 258262c differs from the pull request's most recent head a3f4c0f.

Please upload reports for the commit a3f4c0f to get more accurate results.

Files                                                  Patch %   Lines
prowler/providers/aws/services/ecs/ecs_service.py      45.16%    17 Missing
...wler/providers/aws/services/elbv2/elbv2_service.py  86.66%    4 Missing
Additional details and impacted files
@@            Coverage Diff             @@
##           master    #3985      +/-   ##
==========================================
+ Coverage   86.27%   86.33%   +0.06%     
==========================================
  Files         790      787       -3     
  Lines       24729    24762      +33     
==========================================
+ Hits        21335    21379      +44     
+ Misses       3394     3383      -11     


codecov[bot] avatar May 22 '24 10:05 codecov[bot]

Hey @puchy22

I fixed all the edits from your feedback, the only thing that I am uncertain how to do and I might need assistance from you is checking the firewalls of ECS

Thanks

abant07 avatar May 23 '24 01:05 abant07

After much internal testing, we have found that these checks are very sensitive to false positives/negatives. Therefore, we will use all this PR work to improve the existing publicly exposed checks. The checks that are going to be modified to improve this are:

  • awslambda_function_not_publicly_accessible
  • ec2_instance_port_* checks
  • NEW ecs_container_not_publicly_accessible
  • rds_instance_no_public_access

Anyway, thanks for all your work, it will help us to improve our checks in the near future. Thank you for your help with Prowler, we will let you know when these new features are available. 🚀 🚀

puchy22 avatar Jul 18 '24 16:07 puchy22