feat(EC2): Add new check for security group port restrictions (#4594)

prowler-cloud · Aug 16, 2024 · 49ff901 · 49ff901
1 parent e7d0d49
commit 49ff901
Show file tree

Hide file tree

Showing 9 changed files with 618 additions and 1 deletion.
diff --git a/docs/tutorials/configuration_file.md b/docs/tutorials/configuration_file.md
@@ -18,6 +18,7 @@ The following list includes all the AWS checks with configurable variables that
 | `ec2_elastic_ip_shodan`                                       | `shodan_api_key`                                 | String          |
 | `ec2_securitygroup_with_many_ingress_egress_rules`            | `max_security_group_rules`                       | Integer         |
 | `ec2_instance_older_than_specific_days`                       | `max_ec2_instance_age_in_days`                   | Integer         |
+| `ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports`| `ec2_sg_high_risk_ports`                 | List of Integer |
 | `vpc_endpoint_connections_trust_boundaries`                   | `trusted_account_ids`                            | List of Strings |
 | `vpc_endpoint_services_allowed_principals_trust_boundaries`   | `trusted_account_ids`                            | List of Strings |
 | `cloudwatch_log_group_retention_policy_specific_days_enabled` | `log_group_retention_days`                       | Integer         |
@@ -126,6 +127,21 @@ aws:
     [
         "amazon-elb"
     ]
+  # aws.ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports
+  ec2_sg_high_risk_ports:
+    [
+        25,
+        110,
+        135,
+        143,
+        445,
+        3000,
+        4333,
+        5000,
+        5500,
+        8080,
+        8088,
+    ]
 
   # AWS VPC Configuration (vpc_endpoint_connections_trust_boundaries, vpc_endpoint_services_allowed_principals_trust_boundaries)
   # Single account environment: No action required. The AWS account number will be automatically added by the checks.

diff --git a/prowler/config/config.yaml b/prowler/config/config.yaml
@@ -41,6 +41,21 @@ aws:
     [
         "amazon-elb"
     ]
+  # aws.ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports
+  ec2_sg_high_risk_ports:
+    [
+        25,
+        110,
+        135,
+        143,
+        445,
+        3000,
+        4333,
+        5000,
+        5500,
+        8080,
+        8088,
+    ]
 
   # AWS VPC Configuration (vpc_endpoint_connections_trust_boundaries, vpc_endpoint_services_allowed_principals_trust_boundaries)
   # Single account environment: No action required. The AWS account number will be automatically added by the checks.

diff --git a/...ices/ec2/ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports/__init__.py b/...ices/ec2/ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports/__init__.py
diff --git a/..._ports/ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports.metadata.json b/..._ports/ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports.metadata.json
@@ -0,0 +1,34 @@
+{
+  "Provider": "aws",
+  "CheckID": "ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports",
+  "CheckTitle": "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to high risk ports.",
+  "CheckType": [
+    "Infrastructure Security"
+  ],
+  "ServiceName": "ec2",
+  "SubServiceName": "securitygroup",
+  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "Severity": "critical",
+  "ResourceType": "AwsEc2SecurityGroup",
+  "Description": "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to ports 25(SMTP), 110(POP3), 135(RCP), 143(IMAP), 445(CIFS), 3000(Go, Node.js, and Ruby web developemnt frameworks), 4333(ahsp), 5000(Python web development frameworks), 5500(fcp-addr-srvr1), 8080(proxy), 8088(legacy HTTP port).",
+  "Risk": "If Security groups are not properly configured the attack surface is increased.",
+  "RelatedUrl": "",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Use a Zero Trust approach. Narrow ingress traffic as much as possible. Consider north-south as well as east-west traffic.",
+      "Url": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html"
+    }
+  },
+  "Categories": [
+    "internet-exposed"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}
diff --git a/...gh_risk_tcp_ports/ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports.py b/...gh_risk_tcp_ports/ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports.py
@@ -0,0 +1,50 @@
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.ec2.ec2_client import ec2_client
+from prowler.providers.aws.services.ec2.ec2_securitygroup_allow_ingress_from_internet_to_all_ports import (
+    ec2_securitygroup_allow_ingress_from_internet_to_all_ports,
+)
+from prowler.providers.aws.services.ec2.lib.security_groups import check_security_group
+from prowler.providers.aws.services.vpc.vpc_client import vpc_client
+
+
+class ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports(Check):
+    def execute(self):
+        findings = []
+        for security_group_arn, security_group in ec2_client.security_groups.items():
+            # Check if ignoring flag is set and if the VPC and the SG is in use
+            if ec2_client.provider.scan_unused_services or (
+                security_group.vpc_id in vpc_client.vpcs
+                and vpc_client.vpcs[security_group.vpc_id].in_use
+                and len(security_group.network_interfaces) > 0
+            ):
+                check_ports = ec2_client.audit_config.get(
+                    "ec2_high_risk_ports",
+                    [25, 110, 135, 143, 445, 3000, 4333, 5000, 5500, 8080, 8088],
+                )
+                for port in check_ports:
+                    report = Check_Report_AWS(self.metadata())
+                    report.region = security_group.region
+                    report.resource_details = security_group.name
+                    report.resource_id = security_group.id
+                    report.resource_arn = security_group_arn
+                    report.resource_tags = security_group.tags
+                    report.status = "PASS"
+                    report.status_extended = f"Security group {security_group.name} ({security_group.id}) does not have port {port} open to the Internet."
+                    # only proceed if check "..._to_all_ports" did not run or did not FAIL to avoid to report open ports twice
+                    if not ec2_client.is_failed_check(
+                        ec2_securitygroup_allow_ingress_from_internet_to_all_ports.__name__,
+                        security_group_arn,
+                    ):
+                        # Loop through every security group's ingress rule and check it
+                        for ingress_rule in security_group.ingress_rules:
+                            if check_security_group(
+                                ingress_rule, "tcp", [port], any_address=True
+                            ):
+                                report.status = "FAIL"
+                                report.status_extended = f"Security group {security_group.name} ({security_group.id}) has port {port} (high risk port) open to the Internet."
+                                break
+                    else:
+                        report.status_extended = f"Security group {security_group.name} ({security_group.id}) has all ports open to the Internet and therefore was not checked against port {port}."
+                    findings.append(report)
+
+        return findings
diff --git a/tests/config/config_test.py b/tests/config/config_test.py
@@ -79,6 +79,19 @@ def mock_prowler_get_latest_release(_, **kwargs):
     "max_ec2_instance_age_in_days": 180,
     "ec2_allowed_interface_types": ["api_gateway_managed", "vpc_endpoint"],
     "ec2_allowed_instance_owners": ["amazon-elb"],
+    "ec2_sg_high_risk_ports": [
+        25,
+        110,
+        135,
+        143,
+        445,
+        3000,
+        4333,
+        5000,
+        5500,
+        8080,
+        8088,
+    ],
     "trusted_account_ids": [],
     "log_group_retention_days": 365,
     "max_idle_disconnect_timeout_in_seconds": 600,

diff --git a/tests/config/fixtures/config.yaml b/tests/config/fixtures/config.yaml
@@ -41,6 +41,21 @@ aws:
     [
         "amazon-elb"
     ]
+  # aws.ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports
+  ec2_sg_high_risk_ports:
+    [
+        25,
+        110,
+        135,
+        143,
+        445,
+        3000,
+        4333,
+        5000,
+        5500,
+        8080,
+        8088,
+    ]
 
   # AWS VPC Configuration (vpc_endpoint_connections_trust_boundaries, vpc_endpoint_services_allowed_principals_trust_boundaries)
   # Single account environment: No action required. The AWS account number will be automatically added by the checks.

diff --git a/tests/config/fixtures/config_old.yaml b/tests/config/fixtures/config_old.yaml
@@ -92,4 +92,3 @@ eks_required_log_types:
       "controllerManager",
       "scheduler",
   ]
-
Original file line number	Diff line number	Diff line change
Expand Up		@@ -92,4 +92,3 @@ eks_required_log_types:
		"controllerManager",
		"scheduler",
		]