feat(ec2): Amazon EC2 Instances Should Not Use Multiple ENIs

[MarioRgzLpz]

Context

Using multiple ENIs can lead to increased network security complexity and unintended network paths, particularly in instances with multiple subnets. I added a new check that helps ensure that instances are not overly complex or exposed to additional network risks.

Checks whether an Amazon EC2 instance uses multiple Elastic Network Interfaces (ENIs) or Elastic Fabric Adapters (EFAs). The control passes if the instance is using a single network adapter.

Description

Change ec2_service to add a new attribute network interfaces to Instance model saving ENIs ids to check type. Added the check logic in ec2_instance_multiple_eni. Added tests for service and check.

Checklist

• Are there new checks included in this PR? Yes
  • If so, do we need to update permissions for the provider? No
• Review if the code is being covered by tests.
• Review if code is being documented following this specification https://github.com/google/styleguide/blob/gh-pages/pyguide.md#38-comments-and-docstrings
• Review if backport is needed.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[MrCloudSec]

Suggested change

	for eni in instance.get("NetworkInterfaces"):
	for eni in instance.get("NetworkInterfaces, []"):

[MrCloudSec]

Why not trunk here?

[MarioRgzLpz]

SecurityHub recommendation is to check only for multiple EFAs or interfaces. Thats because a trunk ENI is used to increase the number of ENIs you can attach to a instance. For more information look at the first paragraph here https://docs.aws.amazon.com/AmazonECS/latest/developerguide/container-instance-eni.html and at the AWSVPC trunking section here https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-account-settings.html. I don't know if there should be a limit to trunk ENIs maybe we have to discuss that.

[MrCloudSec]

Can we then ignore trunk ENIs in the check? So the user do not get confused when seeing the status extended since he is not going to be able to delete those trunk ENIs.

[MarioRgzLpz]

Why aren't you able to delete trunk ENIs? Looked for it in the docs but didn't find it. Still I think is a good idea to ignore trunk ENIs since they only add noise and no real value to the provided information.

[MrCloudSec]

We saw that trunks are normal interfaces with a specific option so I would count it as an ENI too.

[MrCloudSec]

Suggested change

	"CheckID": "ec2_instance_multiple_eni",
	"CheckID": "ec2_instance_uses_single_eni",

[MrCloudSec]

Can you prettify this message please?

[MarioRgzLpz]

What do you mean by prettify? Should I add global attributes for the instance id and enis ids?

[MrCloudSec]

Something like:

"EC2 Instance i-0123456789abcdef0 uses only one ENI: (EFAs: ['eni-2'], Trunks: ['eni-1', 'eni-3'].)"

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 88.98%. Comparing base (c0c5996) to head (b6fce74).
Report is 1206 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #4935      +/-   ##
==========================================
+ Coverage   88.94%   88.98%   +0.04%     
==========================================
  Files         951      955       +4     
  Lines       29182    29295     +113     
==========================================
+ Hits        25956    26069     +113     
  Misses       3226     3226              

Components	Coverage Δ
prowler	88.98% <100.00%> (+0.04%)	⬆️
api	∅ <ø> (∅)