Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature/plugin/ebs default ebs encryption #300

Closed
wants to merge 16 commits into from
Closed

Feature/plugin/ebs default ebs encryption #300

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
c155a29
resync with forked master
Apr 6, 2020
f7598de
resyncing once again
Apr 6, 2020
a58b723
addition of plugin 'ebsEncryptionEnabledByDefault'
mtskillman Jul 13, 2020
f923c5f
update to exports.js in line with previous commit
mtskillman Jul 13, 2020
7bdc721
update to plugin, unit tests in progress now
mtskillman Jul 14, 2020
979851d
addition of 'none' as a potential target encryption level. addition o…
mtskillman Jul 15, 2020
9739f54
addition of unit test that ensures that check fails on 'encryption le…
mtskillman Jul 15, 2020
7068847
Merge remote-tracking branch 'aqua/master'
hauboldj Jul 20, 2020
8940466
Merge remote-tracking branch 'aqua/master'
hauboldj Aug 4, 2020
21b65bb
Merge branch 'master' into feature/plugin/ebs-default-ebs-encryption
hauboldj Aug 4, 2020
69f0cd8
rather than resource being 'N/A', resource is now returned as being t…
mtskillman Aug 6, 2020
2de1d28
addition of error messages; should there be errors, region will be re…
mtskillman Aug 6, 2020
5d8912c
Revert "rather than resource being 'N/A', resource is now returned as…
mtskillman Aug 12, 2020
31612e0
added logic such that predefined aws aliases are handled appropriately
mtskillman Aug 12, 2020
35761b2
Merge remote-tracking branch 'aqua/master'
hauboldj Sep 1, 2020
9468a6b
Merge branch 'master' into feature/plugin/ebs-default-ebs-encryption
hauboldj Sep 8, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions collectors/aws/collector.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -248,6 +248,12 @@ var calls = {
property: 'Tags',
paginate: 'NextToken',
},
getEbsEncryptionByDefault: {
property: 'EbsEncryptionByDefault'
},
getEbsDefaultKmsKeyId: {
property: 'KmsKeyId'
},
},
ECR: {
describeRepositories: {
Expand Down
1 change: 1 addition & 0 deletions exports.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -72,6 +72,7 @@ module.exports = {
'encryptedAmi' : require(__dirname + '/plugins/aws/ec2/encryptedAmi.js'),
'instanceIamRole' : require(__dirname + '/plugins/aws/ec2/instanceIamRole.js'),
'ebsEncryptionEnabled' : require(__dirname + '/plugins/aws/ec2/ebsEncryptionEnabled.js'),
'ebsEncryptionEnabledByDefault' : require(__dirname + '/plugins/aws/ec2/ebsEncryptionEnabledByDefault.js'),
'ebsSnapshotPrivate' : require(__dirname + '/plugins/aws/ec2/ebsSnapshotPrivate.js'),
'natMultiAz' : require(__dirname + '/plugins/aws/ec2/natMultiAz.js'),
'defaultVpcInUse' : require(__dirname + '/plugins/aws/ec2/defaultVpcInUse.js'),
Expand Down
136 changes: 136 additions & 0 deletions plugins/aws/ec2/ebsEncryptionEnabledByDefault.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,136 @@
var async = require('async');
var helpers = require('../../../helpers/aws');

const encryptionLevelMap = {
none: 0,
sse: 1,
awskms: 2,
awscmk: 3,
externalcmk: 4,
cloudhsm: 5,
0: 'none',
1: 'sse',
2: 'awskms',
3: 'awscmk',
4: 'externalcmk',
5: 'cloudhsm',
};

function getEncryptionLevel(kmsKey) {
if (kmsKey.Origin === 'AWS_KMS') {
if (kmsKey.KeyManager === 'AWS') {
return 2;
} else if (kmsKey.KeyManager === 'CUSTOMER') {
return 3;
}
}
if (kmsKey.Origin === 'EXTERNAL') {
return 4;
}
if (kmsKey.Origin === 'AWS_CLOUDHSM') {
return 5;
}
}

module.exports = {
title: 'EBS Encryption Enabled By Default',
category: 'EC2',
description: 'Ensure the setting for Encryption by default is enabled',
more_info: 'An AWS account may be configured such that, for a particular region(s), it will be mandatory that new EBS volumes and snapshot copies are encrypted.',
link: 'https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default',
recommended_action: 'Enable EBS Encryption by Default',
apis: ['EC2:getEbsEncryptionByDefault', 'EC2:getEbsDefaultKmsKeyId', 'KMS:describeKey', 'KMS:listKeys', 'KMS:listAliases'],
settings: {
ebs_encryption_level: {
name: 'EBS Minimum Encryption Level',
description: 'In order (lowest to highest) none=no encryption; awskms=AWS-managed KMS; awscmk=Customer managed KMS; externalcmk=Customer managed externally sourced KMS; cloudhsm=Customer managed CloudHSM sourced KMS',
regex: '^(none|awskms|awscmk|externalcmk|cloudhsm)$',
default: 'awskms',
},
},


run: function(cache, settings, callback) {
var results = [];
var source = {};
var regions = helpers.regions(settings);
var targetEncryptionLevel = encryptionLevelMap[settings.ebs_encryption_level || this.settings.ebs_encryption_level.default];

async.each(regions.ec2, function(region, rcb){
var getEbsEncryptionByDefault = helpers.addSource(cache, source,
['ec2', 'getEbsEncryptionByDefault', region]);
var getEbsDefaultKmsKeyId = helpers.addSource(cache, source,
['ec2', 'getEbsDefaultKmsKeyId', region]);

if (!getEbsEncryptionByDefault) return rcb();
if (!getEbsDefaultKmsKeyId) return rcb();

if (getEbsEncryptionByDefault.err) {
helpers.addResult(results, 3,
'Unable to query for ebs encryption by default: ' + helpers.addError(getEbsEncryptionByDefault), region);
return rcb();
}

if (getEbsDefaultKmsKeyId.err) {
helpers.addResult(results, 3,
'Unable to query for ebs default kms key id: ' + helpers.addError(getEbsDefaultKmsKeyId), region);
return rcb();
}

if (!getEbsEncryptionByDefault.data && targetEncryptionLevel !== 0) {
helpers.addResult(results, 2,
'encryption by default is disabled, and the settings indicate that "none" is not the desired encryption level. enabling of "EBS encryption by default" is required', region);
return rcb();
}
var kmsKeyId = "";
var isPredefinedAlias = false;
if (getEbsDefaultKmsKeyId.data.split('/')[0] === 'alias') {
var listAliases = helpers.addSource(cache, source, ['kms', 'listAliases', region]);
if (listAliases.err || !listAliases.data) {
helpers.addResult(results, 3, 'Unable to query for list aliases: ' + helpers.addError(listAliases), region);
return rcb();
}
listAliases.data.forEach(function(alias){
if (alias.AliasName === getEbsDefaultKmsKeyId.data) {
if (alias.hasOwnProperty('TargetKeyId')) {
kmsKeyId = alias.TargetKeyId;
}
else {
isPredefinedAlias = true;
}
}
});
} else {
kmsKeyId = getEbsDefaultKmsKeyId.data.split('/')[1];
}
var encryptionLevel;
if (!isPredefinedAlias) {
var describeKey = helpers.addSource(cache, source, ['kms', 'describeKey', region, kmsKeyId]);
if (!describeKey) return rcb();
if (describeKey.err || !describeKey.data) {
helpers.addResult(results, 3,
'Unable to query for describe key: ' + helpers.addError(describeKey), region);
return rcb();
}
encryptionLevel = getEncryptionLevel(describeKey.data.KeyMetadata);
}
else {
encryptionLevel = 2; //awskms
}

if (encryptionLevel < targetEncryptionLevel) {
helpers.addResult(results, 2,
encryptionLevelMap[encryptionLevel].concat(' is the level of encryption, which is less than the target level, ', encryptionLevelMap[targetEncryptionLevel], ' raising level of encryption is required'), region);
return rcb();
} else {
helpers.addResult(results, 0,
encryptionLevelMap[encryptionLevel].concat(' is the level of encryption, which is greater than or equal to the target level, ', encryptionLevelMap[targetEncryptionLevel]), region);
return rcb();
}

rcb();
}, function(){
callback(null, results, source);
});
}
};
120 changes: 120 additions & 0 deletions plugins/aws/ec2/ebsEncryptionEnabledByDefault.spec.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,120 @@
var expect = require('chai').expect;
var ebsEncryptionEnabledByDefault = require('./ebsEncryptionEnabledByDefault');

const createCache = (boolValue) => {
return {
ec2: {
getEbsEncryptionByDefault: {
'us-east-1': {
data: boolValue,
},
'us-east-2': {
data: boolValue,
},
},
getEbsDefaultKmsKeyId: {
'us-east-1': {
data: 'foo/0987dcba-09fe-87dc-65ba-ab0987654321',
},
'us-east-2': {
data: 'alias/aws/ebs',
},
},
},
kms: {
describeKey: {
'us-east-1': {
'0987dcba-09fe-87dc-65ba-ab0987654321': {
data: {
KeyMetadata: {
Origin: 'AWS_KMS',
KeyManager: 'CUSTOMER',
},
}
},
},
'us-east-2': {
'1234abcd-12ab-34cd-56ef-1234567890ab': {
data: {
KeyMetadata: {
Origin: 'AWS_KMS',
KeyManager: 'AWS',
},
},
},
},
},
listAliases: {
'us-east-1': {
data: [],
},
'us-east-2': {
data: [{
AliasName: 'alias/aws/ebs', TargetKeyId: '1234abcd-12ab-34cd-56ef-1234567890ab'
}],
},
},
listKeys: {
'us-east-1': {
data: [
{
'KeyId': '0987dcba-09fe-87dc-65ba-ab0987654321',
'KeyArn': 'arn:aws:kms:us-east-1:0123456789101:key/0987dcba-09fe-87dc-65ba-ab0987654321'
}
]
},
'us-east-2': {
data: [
{
'KeyId': '1234abcd-12ab-34cd-56ef-1234567890ab',
'KeyArn': 'arn:aws:kms:us-east-2:0123456789101:key/1234abcd-12ab-34cd-56ef-1234567890ab'
}
]
},
},
},
};
};


describe('ebsEncryptionEnabledByDefault', function () {
describe('run', function () {
it('should FAIL if ebs encryption by default is disabled', function (done) {
const cache = createCache(false);
const settings = {};

ebsEncryptionEnabledByDefault.run(cache, settings, (err, results) => {
expect(results.length).to.equal(2);
expect(results[0].status).to.equal(2);
expect(results[1].status).to.equal(2);
done();
});
});

it('should PASS if ebs encryption by default is enabled, with detail on "encryption level"', function (done) {
const cache = createCache(true);
const settings = {};

ebsEncryptionEnabledByDefault.run(cache, settings, (err, results) => {
expect(results.length).to.equal(2);
expect(results[0].status).to.equal(0);
expect(results[1].status).to.equal(0);
done();
});
});

it('should FAIL if ebs encryption level is "lower" than target encryption level', function (done) {
const cache = createCache(true);
const settings = {
ebs_encryption_level: 'cloudhsm',
};

ebsEncryptionEnabledByDefault.run(cache, settings, (err, results) => {
expect(results.length).to.equal(2);
expect(results[0].status).to.equal(2);
expect(results[1].status).to.equal(2);
done();
});
});
});
});