prowler
feat(rds): Add RDS certificate expiration check
Context
Ensure that the SSL/TLS certificates configured for your Amazon RDS are not expired.
Description
Check RDS certificate validity and inform if the certificate will expire soon. Certificate rotation takes coordination between the application and RDS.
For the default RDS cert and a customer-override RDS cert with an expiration more than 3 months away, the check will PASS.
For the default RDS cert and a customer-override RDS cert with less than 3 months left, the check will FAIL with a severity of medium.
For the default RDS cert and a customer-override RDS cert that are expired, the check will FAIL with a severity of critical.
License
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Competing with https://github.com/prowler-cloud/prowler/pull/4003 and https://github.com/prowler-cloud/prowler/pull/4004
Recommended to merge this first as RDS cert rds-ca-2019 will be expiring August 22nd 2024.
Not sure why pr-lint-test 3.9 failed. I ran the test several times on my machine and it was successful.
(prowler-py3.10) # pytest -n auto -vvv -s -x tests/providers/aws/services/rds/rds_instance_no_public_access
================================================================= test session starts =================================================================
platform linux -- Python 3.10.12, pytest-8.2.0, pluggy-1.5.0 -- /root/.cache/pypoetry/virtualenvs/prowler-_7q4EYpC-py3.10/bin/python
cachedir: .pytest_cache
Using --randomly-seed=2455016802
rootdir: /config/data/prowler
configfile: pyproject.toml
plugins: anyio-4.3.0, dash-2.17.0, cov-5.0.0, env-1.1.3, randomly-3.15.0, xdist-3.6.1
4 workers [5 items]
scheduling tests via LoadScheduling
tests/providers/aws/services/rds/rds_instance_no_public_access/rds_instance_no_public_access_test.py::Test_rds_instance_no_public_access::test_rds_instance_public_with_public_sg
tests/providers/aws/services/rds/rds_instance_no_public_access/rds_instance_no_public_access_test.py::Test_rds_instance_no_public_access::test_rds_instance_public_with_filtered_sg
tests/providers/aws/services/rds/rds_instance_no_public_access/rds_instance_no_public_access_test.py::Test_rds_instance_no_public_access::test_rds_instance_public
tests/providers/aws/services/rds/rds_instance_no_public_access/rds_instance_no_public_access_test.py::Test_rds_instance_no_public_access::test_rds_instance_private
[gw3] PASSED tests/providers/aws/services/rds/rds_instance_no_public_access/rds_instance_no_public_access_test.py::Test_rds_instance_no_public_access::test_rds_instance_public
[gw0] PASSED tests/providers/aws/services/rds/rds_instance_no_public_access/rds_instance_no_public_access_test.py::Test_rds_instance_no_public_access::test_rds_instance_private
[gw2] PASSED tests/providers/aws/services/rds/rds_instance_no_public_access/rds_instance_no_public_access_test.py::Test_rds_instance_no_public_access::test_rds_instance_public_with_filtered_sg
[gw1] PASSED tests/providers/aws/services/rds/rds_instance_no_public_access/rds_instance_no_public_access_test.py::Test_rds_instance_no_public_access::test_rds_instance_public_with_public_sg
tests/providers/aws/services/rds/rds_instance_no_public_access/rds_instance_no_public_access_test.py::Test_rds_instance_no_public_access::test_rds_no_instances
[gw1] PASSED tests/providers/aws/services/rds/rds_instance_no_public_access/rds_instance_no_public_access_test.py::Test_rds_instance_no_public_access::test_rds_no_instances
================================================================= 5 passed in 15.72s ==================================================================
Reviewed further, synced master branch back into my fork and then rebased this commit in and the PR Lint 3.9 succeeded. https://github.com/madereddy/prowler/actions/runs/9100128819/job/25014246558
============================= test session starts ==============================
platform linux -- Python 3.9.19, pytest-8.2.0, pluggy-1.5.0
Using --randomly-seed=4172765213
rootdir: /home/runner/work/prowler/prowler
configfile: pyproject.toml
plugins: anyio-4.3.0, randomly-3.15.0, env-1.1.3, dash-2.17.0, cov-5.0.0, xdist-3.6.1
created: 4/4 workers
4 workers [3167 items]
........................................................................ [ 2%]
........................................................................ [ 4%]
........................................................................ [ 6%]
........................................................................ [ 9%]
........................................................................ [ 11%]
........................................................................ [ 13%]
........................................................................ [ 15%]
........................................................................ [ 18%]
........................................................................ [ 20%]
........................................................................ [ 22%]
........................................................................ [ 25%]
........................................................................ [ 27%]
........................................................................ [ 29%]
........................................................................ [ 31%]
........................................................................ [ 34%]
........................................................................ [ 36%]
........................................................................ [ 38%]
........................................................................ [ 40%]
........................................................................ [ 43%]
........................................................................ [ 45%]
........................................................................ [ 47%]
........................................................................ [ 50%]
........................................................................ [ 52%]
........................................................................ [ 54%]
........................................................................ [ 56%]
........................................................................ [ 59%]
........................................................................ [ 61%]
........................................................................ [ 63%]
........................................................................ [ 65%]
........................................................................ [ 68%]
........................................................................ [ 70%]
........................................................................ [ 72%]
........................................................................ [ 75%]
........................................................................ [ 77%]
........................................................................ [ 79%]
........................................................................ [ 81%]
........................................................................ [ 84%]
........................................................................ [ 86%]
........................................................................ [ 88%]
........................................................................ [ 90%]
........................................................................ [ 93%]
........................................................................ [ 95%]
........................................................................ [ 97%]
....................................................................... [100%]
=============================== warnings summary ===============================
tests/providers/azure/services/defender/defender_auto_provisioning_log_analytics_agent_vms_on/defender_auto_provisioning_log_analytics_agent_vms_on_test.py::Test_defender_auto_provisioning_log_analytics_agent_vms_on::test_defender_auto_provisioning_log_analytics_on
/home/runner/.cache/pypoetry/virtualenvs/prowler-MpuilnhB-py3.9/lib/python3.9/site-packages/azure/mgmt/security/v2023_01_01/models/_models_py3.py:91: DeprecationWarning: invalid escape sequence \
"""A plan's extension properties.
tests/providers/azure/services/defender/defender_auto_provisioning_log_analytics_agent_vms_on/defender_auto_provisioning_log_analytics_agent_vms_on_test.py::Test_defender_auto_provisioning_log_analytics_agent_vms_on::test_defender_auto_provisioning_log_analytics_on
/home/runner/.cache/pypoetry/virtualenvs/prowler-MpuilnhB-py3.9/lib/python3.9/site-packages/azure/mgmt/security/v2023_01_01/models/_models_py3.py:144: DeprecationWarning: invalid escape sequence \
"""
tests/providers/azure/services/defender/defender_auto_provisioning_log_analytics_agent_vms_on/defender_auto_provisioning_log_analytics_agent_vms_on_test.py::Test_defender_auto_provisioning_log_analytics_agent_vms_on::test_defender_auto_provisioning_log_analytics_on
/home/runner/.cache/pypoetry/virtualenvs/prowler-MpuilnhB-py3.9/lib/python3.9/site-packages/azure/mgmt/security/v2023_01_01/models/_models_py3.py:236: DeprecationWarning: invalid escape sequence \
"""Microsoft Defender for Cloud is provided in two pricing tiers: free and standard. The standard
-- Docs: https://docs.pytest.org/en/stable/how-to/capture-warnings.html
---------- coverage: platform linux, python 3.9.19-final-0 -----------
Coverage XML written to file coverage.xml
================= 3167 passed, 3 warnings in 886.53s (0:14:46) =================
@sergargar @jfagoagas Can you rerun the failed lint test?
Codecov Report
Attention: Patch coverage is 93.33333% with 5 lines in your changes missing coverage. Please review.
Project coverage is 86.65%. Comparing base (73b3484) to head (da92604). Report is 448 commits behind head on master.
Files | Patch % | Lines |
---|---|---|
..._expiration/rds_instance_certificate_expiration.py | 95.08% | 3 Missing :warning: |
prowler/providers/aws/services/rds/rds_service.py | 85.71% | 2 Missing :warning: |
Additional details and impacted files
@@ Coverage Diff @@
## master #4002 +/- ##
==========================================
+ Coverage 86.51% 86.65% +0.14%
==========================================
Files 776 777 +1
Lines 24163 24238 +75
==========================================
+ Hits 20904 21003 +99
+ Misses 3259 3235 -24
:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.
Codecov Report
Attention: Patch coverage is 96.96970% with 2 lines in your changes missing coverage. Please review.
Project coverage is 86.50%. Comparing base (45ccd7e) to head (7e391db). Report is 17 commits behind head on master.
Files | Patch % | Lines |
---|---|---|
prowler/providers/aws/services/rds/rds_service.py | 85.71% | 2 Missing :warning: |
Additional details and impacted files
:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.
@jfagoagas @sergargar Looking at the codecov report, I see that changes I made have more coverage, but indirectly the ec2 service is going down by about 5.47%. Is there anything I need to do to fix this?
Hi @madereddy, I have added the case of RDS certificates that expire in less than a month: the check will FAIL with a severity of high.
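The following is an added example, written for this page and not the PR's code or prowler's own check, showing the classification that the PR description (PASS above 3 months, medium below 3 months, critical once expired) and the maintainer's last comment (high below 1 month) describe. The "months" thresholds are approximated as 90 and 30 days, which is an assumption. The certificate dicts mimic the field names of the boto3 `rds.describe_certificates` response (CertificateIdentifier, ValidTill, CustomerOverride, CustomerOverrideValidTill) and the `CACertificateIdentifier` field of `describe_db_instances`, but all input is constructed sample data: `rds-ca-2019` and its 2024-08-22 expiry come from the PR discussion, every other identifier and date is made up. The `utc` helper, the `Finding` class and the "informational" severity used for PASS are this example's own choices.

```python
"""Added example: classify RDS CA certificates by time to expiry.

Illustrative code for this page, not the prowler check from the PR.
It runs offline on constructed sample data shaped like boto3 RDS responses.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed thresholds: "3 months" and "less than a month" from the PR thread,
# approximated here as 90 and 30 days.
WARN_DAYS = 90
URGENT_DAYS = 30


def utc(year: int, month: int, day: int) -> datetime:
    """Build a timezone-aware UTC midnight timestamp (helper for this example)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Finding:
    certificate_id: str
    status: str           # "PASS" or "FAIL"
    severity: str         # "medium", "high" or "critical" on FAIL; "informational" on PASS (assumed label)
    days_left: int        # negative once the certificate has expired
    status_extended: str


def effective_valid_till(cert: dict) -> datetime:
    """Return the expiry date that governs this certificate.

    Assumption: when the account has a customer override for this CA,
    CustomerOverrideValidTill is the date that matters; otherwise ValidTill.
    """
    if cert.get("CustomerOverride") and cert.get("CustomerOverrideValidTill"):
        return cert["CustomerOverrideValidTill"]
    return cert["ValidTill"]


def classify_certificate(cert: dict, now: datetime) -> Finding:
    """Map time-to-expiry onto the PASS / medium / high / critical ladder."""
    cert_id = cert["CertificateIdentifier"]
    valid_till = effective_valid_till(cert)
    days_left = (valid_till - now).days
    when = valid_till.strftime("%Y-%m-%d")
    if valid_till <= now:  # expired (or expiring right now): critical
        return Finding(cert_id, "FAIL", "critical", days_left,
                       f"RDS certificate {cert_id} expired on {when}.")
    if days_left < URGENT_DAYS:  # less than a month: high
        return Finding(cert_id, "FAIL", "high", days_left,
                       f"RDS certificate {cert_id} expires in {days_left} days ({when}).")
    if days_left < WARN_DAYS:  # less than three months: medium
        return Finding(cert_id, "FAIL", "medium", days_left,
                       f"RDS certificate {cert_id} expires in {days_left} days ({when}).")
    return Finding(cert_id, "PASS", "informational", days_left,
                   f"RDS certificate {cert_id} is valid until {when}.")


def run_check(certs: list, now: datetime) -> list:
    """Classify every certificate returned by (a mock of) describe_certificates."""
    return [classify_certificate(cert, now) for cert in certs]


def instances_affected(instances: list, findings: list) -> dict:
    """Map each failing certificate to the DB instance identifiers that use it.

    This is the 'coordination' view: rotating the CA on RDS is only safe once
    the applications behind these instances trust the replacement CA.
    """
    failing = {f.certificate_id for f in findings if f.status == "FAIL"}
    affected = {}
    for inst in instances:
        ca = inst.get("CACertificateIdentifier")
        if ca in failing:
            affected.setdefault(ca, []).append(inst["DBInstanceIdentifier"])
    return affected


# Constructed sample input (field names follow the boto3 RDS response shape).
SAMPLE_CERTIFICATES = [
    {"CertificateIdentifier": "rds-ca-2019", "ValidTill": utc(2024, 8, 22),
     "CustomerOverride": False},
    {"CertificateIdentifier": "rds-ca-example-longlived", "ValidTill": utc(2061, 5, 22),
     "CustomerOverride": False},
    {"CertificateIdentifier": "rds-ca-example-override", "ValidTill": utc(2061, 5, 22),
     "CustomerOverride": True, "CustomerOverrideValidTill": utc(2024, 6, 30)},
]
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "orders-db", "CACertificateIdentifier": "rds-ca-2019"},
    {"DBInstanceIdentifier": "reports-db", "CACertificateIdentifier": "rds-ca-example-longlived"},
    {"DBInstanceIdentifier": "legacy-db", "CACertificateIdentifier": "rds-ca-2019"},
]

if __name__ == "__main__":
    now = utc(2024, 6, 1)
    findings = run_check(SAMPLE_CERTIFICATES, now)
    for f in findings:
        print(f.status, f.severity, f.status_extended)
    print(instances_affected(SAMPLE_INSTANCES, findings))
```

Evaluated on 2024-06-01, the sample gives medium for `rds-ca-2019` (82 days left), PASS for the long-lived CA, and high for the override expiring on 2024-06-30; the same `rds-ca-2019` turns high on 2024-08-01 and critical on 2024-09-01. Note that `days_left` floors a partial day, so a certificate that expires later today reports 0 days but is not yet counted as expired; the explicit `valid_till <= now` comparison handles the boundary.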