nzuresh
Owner

nzuresh commented Sep 26, 2025

🔒 ECS Security Analysis Feature

Overview

This PR introduces comprehensive security analysis capabilities for ECS clusters, providing vulnerability assessment, compliance checking, and security recommendations.

✨ Features Added

Core Security Analysis

  • Cluster Security Assessment: Comprehensive analysis of ECS cluster configurations
  • Compliance Frameworks: Support for AWS Foundational, PCI-DSS, HIPAA, SOC2
  • Security Recommendations: Actionable remediation guidance with implementation steps
  • Multi-format Reporting: Summary, detailed, JSON, and executive report formats

Security Coverage Areas

  • 🌐 Network Security: VPC, security groups, load balancer configurations
  • 🐳 Container Security: Runtime configurations, image security, privilege analysis
  • 🔐 IAM Security: Task/execution roles, least privilege compliance
  • 🔑 Secrets Management: Hardcoded secrets detection, AWS Secrets Manager integration
  • 📊 Monitoring & Logging: Container Insights, CloudWatch logging, audit trails

📁 Files Added/Modified

Core Implementation

  • awslabs/ecs_mcp_server/api/security_analysis.py - Security analysis API endpoints
  • awslabs/ecs_mcp_server/modules/security_analysis.py - Security analysis logic
  • awslabs/ecs_mcp_server/main.py - Module registration

Testing & Validation

  • tests/unit/api/test_security_analysis_api.py - API unit tests
  • tests/unit/modules/test_security_analysis_module.py - Module unit tests
  • tests/integ/mcp-inspector/scenarios/03_security_analysis_tools/ - Integration tests
  • tests/llm_testing/scenarios/07_security_analysis_scenario/ - LLM testing scenarios

Documentation & Tools

  • SECURITY_ANALYSIS_CHECKS.md - Security checks documentation
  • test_security_manual.py - Manual testing script
  • pyproject.toml - Added pre-commit dependency

🚀 Usage Examples

# List available clusters
ecs_security_analysis_tool(action="list_clusters", parameters={"region": "us-east-1"})

# Comprehensive security analysis
ecs_security_analysis_tool(action="analyze_cluster_security", 
                          parameters={"cluster_name": "my-cluster"})

# Get high-priority recommendations
ecs_security_analysis_tool(action="get_security_recommendations",
                          parameters={"cluster_name": "my-cluster", 
                                    "severity_filter": "High", "limit": 5})

# Generate executive report
ecs_security_analysis_tool(action="generate_security_report",
                          parameters={"cluster_name": "my-cluster", 
                                    "format": "executive"})

Suresh Natarajan added 18 commits September 26, 2025 17:08
- Add security_analysis API module with comprehensive security assessment capabilities
- Add security_analysis module with cluster analysis, compliance checks, and reporting
- Add integration tests for security analysis tools
- Add LLM testing scenarios for security analysis
- Add unit tests for security analysis API and modules
- Update main.py to register security_analysis module
- Add pre-commit dependency to pyproject.toml
- Add security analysis documentation and manual test script
- Replace broad substring checks with exact count() validation
- Add protocol validation to prevent URL confusion attacks
- Use specific pattern matching instead of generic 'in' checks
- Addresses CodeQL 'Incomplete URL substring sanitization' warnings

Changes:
- ECR image detection: Use startswith() + count() validation
- Docker Hub detection: Use count() for exact pattern matching
- Image tag validation: Use count() instead of 'in' operator
- Maintain functionality while improving security posture
…ith secure regex validation

- Replace insecure '.dkr.ecr.' and '.amazonaws.com/' substring checks with proper regex validation
- Add _is_valid_ecr_image() method using strict ECR URI pattern matching
- Prevent URL substring sanitization bypass vulnerabilities
- Maintain backward compatibility with existing functionality
- Break long regex pattern into multiple lines to fix E501 line length error
- Fix trailing whitespace and end-of-file issues across test files
- All pre-commit hooks now pass successfully
- CodeQL security issues remain fixed with proper ECR validation
- Replace vulnerable Docker Hub validation logic with secure regex patterns
- Add _is_docker_hub_image() method with proper pattern matching
- Prevent bypass attempts for Docker Hub image detection
- Fix line length issues and ensure all pre-commit hooks pass
- Comprehensive validation for both explicit and implicit Docker Hub formats
…tion vulnerabilities

- Replace all vulnerable startswith() patterns with secure regex validation
- Add secure helper methods: _is_https_url(), _is_latest_tag()
- Fix Docker Hub validation to use only regex patterns (no startswith)
- Secure ECR validation with comprehensive regex patterns
- Replace vulnerable count() and endswith() patterns with regex
- Secure ARN validation for AWS services (Secrets Manager, SSM, IGW)
- All pre-commit hooks passing
- Comprehensive protection against URL substring sanitization attacks
- Fixed all 54+ inconsistent f-string resource formatting patterns
- Standardized all resource names to use _format_resource_name() method
- Ensured uniform 'Resource Type: Resource Name' format throughout
- Applied bulk fixes using sed for efficiency across resource types:
  * Services, Clusters, Task Definitions, Container Instances
  * VPCs, Security Groups, Load Balancers, Target Groups
  * EFS/FSx Volumes, ECR Repositories, Subnets, Route Tables
- All pre-commit hooks passing ✅
- Python syntax validation passing ✅
- 96 consistent resource name calls now in place
- Zero inconsistent patterns remaining
- Provides uniform user experience for security analysis output
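
The commits above replace substring checks on '.dkr.ecr.' and '.amazonaws.com/' with strict pattern matching. The following is an added example, not code from this PR, showing why a substring test misclassifies an image reference and how a whole-string pattern avoids it. The regex, the function names and the sample references are assumptions constructed here; the PR's own _is_valid_ecr_image() and _is_latest_tag() may differ.

```python
import re

# Assumed ECR reference shape (not taken from the PR):
#   <12-digit account>.dkr.ecr.<region>.amazonaws.com[.cn]/<repo>[:tag][@sha256:<digest>]
ECR_IMAGE_RE = re.compile(
    r"(?P<account>\d{12})\.dkr\.ecr\.(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)"
    r"\.amazonaws\.com(?:\.cn)?/"
    r"(?P<repo>[a-z0-9]+(?:[._-][a-z0-9]+)*(?:/[a-z0-9]+(?:[._-][a-z0-9]+)*)*)"
    r"(?::(?P<tag>[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[a-f0-9]{64}))?"
)


def naive_is_ecr_image(image: str) -> bool:
    """Substring test of the kind CodeQL flags: the markers may sit anywhere."""
    return ".dkr.ecr." in image and ".amazonaws.com/" in image


def strict_is_ecr_image(image: str) -> bool:
    """Whole-string match: the registry host itself must be an ECR host."""
    return ECR_IMAGE_RE.fullmatch(image) is not None


def uses_mutable_latest(image: str) -> bool:
    """True for a valid ECR reference with no digest and no tag or tag 'latest'."""
    m = ECR_IMAGE_RE.fullmatch(image)
    if m is None:
        return False
    return m["digest"] is None and m["tag"] in (None, "latest")


# Constructed sample references (not taken from the PR).
SAMPLES = [
    "123456789012.dkr.ecr.us-east-1.amazonaws.com/team/app:1.4.2",
    "123456789012.dkr.ecr.us-east-1.amazonaws.com/app:latest",
    "registry.example.com/.dkr.ecr.us-east-1.amazonaws.com/app:1.0",
]


def disagreements(images):
    """References the substring test accepts but the strict pattern rejects."""
    return [i for i in images if naive_is_ecr_image(i) and not strict_is_ecr_image(i)]


if __name__ == "__main__":
    for ref in disagreements(SAMPLES):
        print("substring check would misclassify:", ref)
```

Using fullmatch() rather than search() or match() is what anchors both ends of the reference, so trailing characters such as a newline are rejected as well.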
nzuresh pushed a commit that referenced this pull request Oct 1, 2025
This is PR #2 in the sequential security analysis implementation series.

Features:
- Complete service security analysis with analyze_service_security() method
- Network security analysis:
  - Public IP assignment detection (High severity)
  - Security groups validation and excessive SG detection
  - Service Connect namespace configuration checks
- Platform configuration analysis:
  - Fargate platform version pinning recommendations
  - Service Connect security validation
- Tag security analysis:
  - Sensitive data detection in tag keys and values
  - Structured data identification in tags
- Service health monitoring:
  - Unusual task count detection (potential DDoS indicators)
  - Zero running tasks detection (potential security incidents)
- Bulk analysis support:
  - get_service_list() for service discovery
  - analyze_multiple_services() for batch analysis
- Multi-framework compliance mapping (SOC2, HIPAA, PCI-DSS)
- Consistent error handling and resource naming

This PR adds ~325 lines of focused service analysis functionality,
building on the core framework from PR #1. Each security check includes
detailed recommendations and compliance framework mappings.

Builds on: PR #1 (Core Infrastructure + Basic Cluster Analysis)
Next: PR #3 (Task Definition Security Analysis)
nzuresh closed this Oct 1, 2025
nzuresh deleted the security-analysis-feature branch October 1, 2025 20:08
nzuresh pushed a commit that referenced this pull request Oct 2, 2025
- Add SecurityAnalyzer class with basic ECS security analysis
- Add analyze_ecs_security API endpoint with parameter validation
- Add comprehensive unit tests with 100% coverage
- Implement progressive PR approach (255 lines total)

Files added/modified:
- awslabs/ecs_mcp_server/modules/security_analysis.py (76 lines)
- awslabs/ecs_mcp_server/api/security_analysis.py (88 lines)
- tests/unit/test_security_analysis.py (91 lines)

This is PR #1 of the progressive implementation approach.
All validation checks pass: ruff format, ruff check, pytest.
nzuresh pushed a commit that referenced this pull request Oct 5, 2025
- Add 23 new comprehensive tests (35 total tests now)
- Test multiple clusters and regions handling
- Test partial success scenarios and complex error cases
- Test edge cases: empty responses, malformed data, timeouts
- Test summary structure and recommendation validation
- Test logging behavior and duplicate handling
- Maintain 100% code coverage

This PR extends PR #1 with comprehensive test coverage as per the
revised implementation plan (split implementation + comprehensive tests).
nzuresh pushed a commit that referenced this pull request Oct 5, 2025
Implements PR #1 of the security integration feature:
- Foundation for ECS security analysis
- Basic cluster security checks (Container Insights, execute command, cluster status)
- IAM security validation (service-linked roles)
- Logging security checks (CloudWatch logging)

Components:
- DataAdapter: Collects ECS cluster data using existing ecs_api_operation
- SecurityAnalyzer: Analyzes security configurations and generates recommendations
- FastMCP tool registration with comprehensive docstrings and prompt patterns

Features:
- Automatic cluster discovery when no cluster names provided
- Detailed security recommendations with remediation steps
- Summary statistics by severity and category
- Comprehensive error handling and logging

Testing:
- 14 unit tests with 95% code coverage
- Tests for data collection, security checks, error handling, and integration
- All quality checks passing (ruff, pyright, pytest)

Requirements: 7.1, 8.1
nzuresh pushed a commit that referenced this pull request Oct 5, 2025
- Add collect_task_definitions() method to DataAdapter using existing utilities
- Enhance _analyze_cluster_iam_security() for service-linked role validation
- Add _analyze_iam_security() for task IAM role and policy validation
  - Detects wildcard permissions (High severity)
  - Checks for custom execution roles (Medium severity)
  - Identifies cross-account role usage (Medium severity)
- Add 16 comprehensive tests for IAM security (6 new test classes)
- Enhance quality-check.sh with:
  - Comprehensive coding pattern validation (10 key patterns)
  - Pre-commit integration
  - Diff coverage validation (90%+ requirement)
- 94% test coverage for security_analysis.py (exceeds 90% requirement)
- All quality checks passing (ruff, pyright, pre-commit)

This is a stacked PR on top of PR #1 (feature/pr1-basic-cluster-security)

Requirements: 4.1, 8.1
nzuresh pushed a commit that referenced this pull request Oct 5, 2025
- Add collect_task_definitions() method to DataAdapter using existing utilities
- Enhance _analyze_cluster_iam_security() for service-linked role validation
- Add _analyze_iam_security() for task IAM role and policy validation
  - Detects wildcard permissions (High severity)
  - Checks for custom execution roles (Medium severity)
  - Identifies cross-account role usage (Medium severity)
- Add 16 comprehensive tests for IAM security (6 new test classes)
- 94% test coverage for security_analysis.py (exceeds 90% requirement)
- All quality checks passing (ruff, pyright, pre-commit)

This is a stacked PR on top of PR #1 (feature/pr1-basic-cluster-security)

Requirements: 4.1, 8.1
nzuresh pushed a commit that referenced this pull request Oct 6, 2025
- Add collect_task_definitions() method to DataAdapter using existing utilities
- Enhance _analyze_cluster_iam_security() for service-linked role validation
- Add _analyze_iam_security() for task IAM role and policy validation
  - Detects wildcard permissions (High severity)
  - Checks for custom execution roles (Medium severity)
  - Identifies cross-account role usage (Medium severity)
- Add 16 comprehensive tests for IAM security (6 new test classes)
- 94% test coverage for security_analysis.py (exceeds 90% requirement)
- All quality checks passing (ruff, pyright, pre-commit)

This is a stacked PR on top of PR #1 (feature/pr1-basic-cluster-security)

Requirements: 4.1, 8.1
nzuresh pushed a commit that referenced this pull request Oct 7, 2025
Add comprehensive IAM security checks for ECS clusters:
- Service-linked role verification for ECS Exec operations
- Service-linked role validation for capacity providers
- General IAM configuration review recommendations

Implementation details:
- Added _analyze_cluster_iam_security() method (~145 lines)
- Integrated IAM checks into security analysis workflow
- Updated module documentation with IAM security features
- Added 9 comprehensive test cases with 95%+ coverage

Security checks:
- Verifies AWSServiceRoleForECS exists for ECS Exec
- Validates service-linked role for Auto Scaling integration
- Provides IAM best practices and least privilege guidance
- Includes remediation steps with AWS CLI commands

Test coverage:
- Parameterized tests for various IAM configurations
- Service-linked role recommendation validation
- IAM category summary verification
- All required fields validation

Closes: Requirement 1.2 (IAM Security Analysis)
Related: PR #1 (Foundation), PR #2 (Enhanced Cluster Security)