diff --git a/account-data/demo/us-east-1/accessanalzyer-list-analyzers.json b/account-data/demo/us-east-1/accessanalzyer-list-analyzers.json new file mode 100644 index 000000000..55ce4da8b --- /dev/null +++ b/account-data/demo/us-east-1/accessanalzyer-list-analyzers.json @@ -0,0 +1,14 @@ +{ + "analyzers": [ + { + "arn": "arn:aws:access-analyzer:us-east-1:000000000000:analyzer/default", + "createdAt": "2020-06-19T21:20:04Z", + "lastResourceAnalyzed": "arn:aws:sqs:us-east-1:000000000000:test", + "lastResourceAnalyzedAt": "2020-06-19T21:20:04.664Z", + "name": "default", + "status": "ACTIVE", + "tags": {}, + "type": "ACCOUNT" + } + ] +} diff --git a/account-data/demo/us-east-1/elbv2-describe-load-balancer-attributes/arn%3Aaws%3Aelasticloadbalancing%3Aus-east-1%3A123456789012%3Aloadbalancer%2Fapp%2Fdemo%2Fqwerty b/account-data/demo/us-east-1/elbv2-describe-load-balancer-attributes/arn%3Aaws%3Aelasticloadbalancing%3Aus-east-1%3A123456789012%3Aloadbalancer%2Fapp%2Fdemo%2Fqwerty new file mode 100644 index 000000000..afde4c8eb --- /dev/null +++ b/account-data/demo/us-east-1/elbv2-describe-load-balancer-attributes/arn%3Aaws%3Aelasticloadbalancing%3Aus-east-1%3A123456789012%3Aloadbalancer%2Fapp%2Fdemo%2Fqwerty @@ -0,0 +1,32 @@ +{ + "Attributes": [ + { + "Key": "access_logs.s3.enabled", + "Value": "false" + }, + { + "Key": "access_logs.s3.bucket", + "Value": "" + }, + { + "Key": "access_logs.s3.prefix", + "Value": "" + }, + { + "Key": "idle_timeout.timeout_seconds", + "Value": "60" + }, + { + "Key": "deletion_protection.enabled", + "Value": "false" + }, + { + "Key": "routing.http2.enabled", + "Value": "true" + }, + { + "Key": "routing.http.drop_invalid_header_fields.enabled", + "Value": "false" + } + ] +} \ No newline at end of file diff --git a/audit_config.yaml b/audit_config.yaml index a3a25f9b1..6eca1fcae 100644 --- a/audit_config.yaml +++ b/audit_config.yaml @@ -382,4 +382,10 @@ ACCESSANALYZER_OFF: title: Access Analyzer off description: Access Analyzer is a free service that can tell you when resources are public or shared with unexpected accounts. severity: Medium - group: AccessAnalyzer \ No newline at end of file + group: AccessAnalyzer + +REQUEST_SMUGGLING: + title: Request smuggling not denied + description: "HTTP request smuggling is possible against ALBs, as described here: https://99designs.com/blog/engineering/request-smuggling/" + severity: Low + group: ELB \ No newline at end of file diff --git a/cloudmapper.py b/cloudmapper.py index 178f280a7..ee38bedb2 100755 --- a/cloudmapper.py +++ b/cloudmapper.py @@ -30,7 +30,7 @@ import pkgutil import importlib -__version__ = "2.9.0" +__version__ = "2.9.1" def show_help(commands): diff --git a/collect_commands.yaml b/collect_commands.yaml index 094630911..0aaaf5e8d 100644 --- a/collect_commands.yaml +++ b/collect_commands.yaml @@ -152,6 +152,11 @@ Parameters: - Name: TargetGroupArn Value: elbv2-describe-target-groups/*|.TargetGroups[].TargetGroupArn +- Service: elbv2 + Request: describe-load-balancer-attributes + Parameters: + - Name: LoadBalancerArn + Value: elbv2-describe-load-balancers.json|.LoadBalancers[].LoadBalancerArn - Service: elbv2 Request: describe-tags Parameters: diff --git a/requirements.txt b/requirements.txt index ac563715b..d20a6f703 100644 --- a/requirements.txt +++ b/requirements.txt @@ -19,7 +19,7 @@ mock==4.0.2 netaddr==0.7.19 nose==1.3.7 pandas==1.0.4 -parliament==0.4.14 +parliament==0.5.0 policyuniverse==1.1.0.1 pycodestyle==2.5.0 pyflakes==2.2.0 diff --git a/shared/audit.py b/shared/audit.py index 3b2e5916d..47714e7b9 100644 --- a/shared/audit.py +++ b/shared/audit.py @@ -834,6 +834,25 @@ def audit_ec2(findings, region): ) +def audit_elbv2(findings, region): + json_blob = query_aws(region.account, "elbv2-describe-load-balancers", region) + + for load_balancer in json_blob.get("LoadBalancers", []): + arn = load_balancer["LoadBalancerArn"] + + # Check attributes + attributes_json = get_parameter_file( + region, "elbv2", "describe-load-balancer-attributes", arn + ) + + for attribute in attributes_json.get("Attributes", []): + if ( + attribute["Key"] == "routing.http.drop_invalid_header_fields.enabled" + and attribute["Value"] == "false" + ): + findings.add(Finding(region, "REQUEST_SMUGGLING", arn)) + + def audit_sg(findings, region): # TODO Check if security groups allow large CIDR range (ex. 1.2.3.4/3) # TODO Check if an SG restricts IPv4 and then opens IPv6 or vice versa. @@ -1143,6 +1162,7 @@ def audit(accounts): audit_redshift(findings, region) audit_es(findings, region) audit_ec2(findings, region) + audit_elbv2(findings, region) audit_sg(findings, region) audit_lambda(findings, region) audit_glacier(findings, region) diff --git a/tests/unit/test_audit.py b/tests/unit/test_audit.py index efe71f7e0..926e484fb 100644 --- a/tests/unit/test_audit.py +++ b/tests/unit/test_audit.py @@ -46,7 +46,8 @@ def test_audit(self): "EC2_OLD", "IAM_UNEXPECTED_S3_EXFIL_PRINCIPAL", "IAM_LINTER", - "EC2_IMDSV2_NOT_ENFORCED" + "EC2_IMDSV2_NOT_ENFORCED", + "REQUEST_SMUGGLING" ] ), )