prowler-cloud · jfagoagas · Apr 2, 2024 · Apr 2, 2024 · Apr 16, 2024 · Apr 17, 2024
@@ -0,0 +1,32 @@
+{
+  "Provider": "aws",
+  "CheckID": "awslambda_function_not_directly_publicly_accessible_via_elbv2",
+  "CheckTitle": "Check if Lambda functions have public application load balancer ahead of them.",
+  "CheckType": [],
+  "ServiceName": "lambda",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:partition:lambda:region:account-id:function/function-name",
+  "Severity": "critical",
+  "ResourceType": "AwsLambdaFunction",
+  "Description": "Check if Lambda functions have public application load balancer ahead of them.",
+  "Risk": "Publicly accessible services could expose sensitive data to bad actors.",
+  "RelatedUrl": "https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html",
+  "Remediation": {
+    "Code": {
+      "CLI": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Lambda/function-exposed.html",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Place security groups around public load balancers",
+      "Url": "https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html"
+    }
+  },
+  "Categories": [
+    "internet-exposed"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}
@@ -0,0 +1,29 @@
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.awslambda.awslambda_client import awslambda_client
+from prowler.providers.aws.services.elbv2.elbv2_client import elbv2_client
+
+
+class awslambda_function_not_directly_publicly_accessible_via_elbv2(Check):
+    def execute(self):
+        findings = []
+
+        if awslambda_client.functions:
+            public_lambda_functions = {}
+            for target_group in elbv2_client.target_groups:
+                if target_group.public and target_group.target_type == "lambda":
+                    public_lambda_functions[target_group.target] = target_group.arn
+
+            for function in awslambda_client.functions.values():
+                report = Check_Report_AWS(self.metadata())
+                report.region = function.region
+                report.resource_id = function.name
+                report.resource_arn = function.arn
+                report.resource_tags = function.tags
+                report.status = "PASS"
+                report.status_extended = f"Lambda function {function.name} is not behind an Internet facing Load Balancer."
+
+                if function.arn in public_lambda_functions:
+                    report.status = "FAIL"
+                    report.status_extended = f"Lambda function {function.name} is behind an Internet facing Load Balancer through target group {public_lambda_functions[function.arn]}."
+                findings.append(report)
+        return findings
@@ -0,0 +1,34 @@
+{
+  "Provider": "aws",
+  "CheckID": "ec2_instance_not_directly_publicly_accessible_via_elb",
+  "CheckTitle": "Check for EC2 instances behind internet facing classic load balancers.",
+  "CheckType": [
+    "Infrastructure Security"
+  ],
+  "ServiceName": "ec2",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "Severity": "medium",
+  "ResourceType": "AwsEc2Instance",
+  "Description": "Check for EC2 instances behind internet facing classic load balancers.",
+  "Risk": "Exposing an EC2 to a classic load balancer that is internet facing can lead to comprimisation",
+  "RelatedUrl": "",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Apply security groups to classic load balancers",
+      "Url": ""
+    }
+  },
+  "Categories": [
+    "internet-exposed"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}
@@ -0,0 +1,30 @@
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.ec2.ec2_client import ec2_client
+from prowler.providers.aws.services.elb.elb_client import elb_client
+
+
+class ec2_instance_not_directly_publicly_accessible_via_elb(Check):
+    def execute(self):
+        findings = []
+        if ec2_client.instances:
+            public_instances = {}
+            for lb in elb_client.loadbalancers:
+                if lb.scheme == "internet-facing" and len(lb.security_groups) > 0:
+                    for instance in lb.instances:
+                        public_instances[instance] = lb
+
+            for instance in ec2_client.instances:
+                if instance.state != "terminated":
+                    report = Check_Report_AWS(self.metadata())
+                    report.region = instance.region
+                    report.resource_id = instance.id
+                    report.resource_arn = instance.arn
+                    report.resource_tags = instance.tags
+                    report.status = "PASS"
+                    report.status_extended = f"EC2 Instance {instance.id} is not behind an Internet facing Classic Load Balancer."
+
+                    if instance.id in public_instances:
+                        report.status = "FAIL"
+                        report.status_extended = f"EC2 Instance {instance.id} is behind an Internet facing Classic Load Balancer {public_instances[instance.id].dns}."
+                    findings.append(report)
+        return findings
@@ -0,0 +1,34 @@
+{
+  "Provider": "aws",
+  "CheckID": "ec2_instance_not_directly_publicly_accessible_via_elbv2",
+  "CheckTitle": "Check for EC2 instances behind internet facing ALB/NLB/GLB.",
+  "CheckType": [
+    "Infrastructure Security"
+  ],
+  "ServiceName": "ec2",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "Severity": "medium",
+  "ResourceType": "AwsEc2Instance",
+  "Description": "Check for EC2 instances behind internet facing ALB/NLB/GLB.",
+  "Risk": "Exposing an EC2 to a ALB/NLB/GLB that is internet facing can lead to comprimisation",
+  "RelatedUrl": "",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Apply security groups to load balancers",
+      "Url": ""
+    }
+  },
+  "Categories": [
+    "internet-exposed"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}
@@ -0,0 +1,30 @@
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.ec2.ec2_client import ec2_client
+from prowler.providers.aws.services.elbv2.elbv2_client import elbv2_client
+
+
+class ec2_instance_not_directly_publicly_accessible_via_elbv2(Check):
+    def execute(self):
+        findings = []
+        if ec2_client.instances:
+            public_instances = {}
+
+            for tg in elbv2_client.target_groups:
+                if tg.public and tg.target_type == "instance":
+                    public_instances[tg.target] = tg.arn
+
+            for instance in ec2_client.instances:
+                if instance.state != "terminated":
+                    report = Check_Report_AWS(self.metadata())
+                    report.region = instance.region
+                    report.resource_id = instance.id
+                    report.resource_arn = instance.arn
+                    report.resource_tags = instance.tags
+                    report.status = "PASS"
+                    report.status_extended = f"EC2 Instance {instance.id} is not behind an Internet facing Load Balancer."
+
+                    if instance.id in public_instances:
+                        report.status = "FAIL"
+                        report.status_extended = f"EC2 Instance {instance.id} is behind an Internet facing Load Balancer through target group {public_instances[instance.id]}."
+                    findings.append(report)
+        return findings
@@ -37,6 +37,11 @@ def __describe_load_balancers__(self, regional_client):
                                     policies=listener["PolicyNames"],
                                 )
                             )
+
+                        instance_ids = []
+                        for id in elb["Instances"]:
+                            instance_ids.append(id["InstanceId"])
+
                         self.loadbalancers.append(
                             LoadBalancer(
                                 name=elb["LoadBalancerName"],
@@ -45,6 +50,8 @@ def __describe_load_balancers__(self, regional_client):
                                 region=regional_client.region,
                                 scheme=elb["Scheme"],
                                 listeners=listeners,
+                                security_groups=elb["SecurityGroups"],
+                                instances=instance_ids,
                             )
                         )
 
@@ -98,3 +105,5 @@ class LoadBalancer(BaseModel):
     access_logs: Optional[bool]
     listeners: list[Listener]
     tags: Optional[list] = []
+    security_groups: list[str]
+    instances: list[str]
@@ -16,6 +16,8 @@ def __init__(self, provider):
         self.loadbalancersv2 = []
         self.__threading_call__(self.__describe_load_balancers__)
         self.listeners = []
+        self.target_groups = []
+        self.__threading_call__(self.__describe_target_groups__)
         self.__threading_call__(self.__describe_listeners__)
         self.__threading_call__(self.__describe_load_balancer_attributes__)
         self.__threading_call__(self.__describe_rules__)
@@ -40,6 +42,7 @@ def __describe_load_balancers__(self, regional_client):
                             arn=elbv2["LoadBalancerArn"],
                             type=elbv2["Type"],
                             listeners=[],
+                            security_groups=elbv2["SecurityGroups"],
                         )
                         if "DNSName" in elbv2:
                             lb.dns = elbv2["DNSName"]
@@ -51,6 +54,64 @@ def __describe_load_balancers__(self, regional_client):
                 f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
             )
 
+    def __describe_target_groups__(self, regional_client):
+        logger.info("ELBv2 - Describing target groups...")
+        try:
+            for lb in self.loadbalancersv2:
+                try:
+                    if (
+                        lb.scheme == "internet-facing"
+                        and lb.type == "application"
+                        and len(lb.security_groups) > 0
+                    ):
+                        describe_target_groups_paginator = (
+                            regional_client.get_paginator("describe_target_groups")
+                        )
+                        for page in describe_target_groups_paginator.paginate(
+                            LoadBalancerArn=lb.arn
+                        ):
+                            for target_group in page["TargetGroups"]:
+                                for (
+                                    target_health
+                                ) in regional_client.describe_target_health(
+                                    TargetGroupArn=target_group["TargetGroupArn"]
+                                )[
+                                    "TargetHealthDescriptions"
+                                ]:
+                                    tg = TargetGroups(
+                                        name=target_group["TargetGroupName"],
+                                        arn=target_group["TargetGroupArn"],
+                                        target_type=target_group["TargetType"],
+                                        target=target_health["Target"]["Id"],
+                                        public=(
+                                            True
+                                            if lb.scheme == "internet-facing"
+                                            and lb.type == "application"
+                                            and len(lb.security_groups) > 0
+                                            else False
+                                        ),
+                                    )
+                                    if "DNSName" in lb:
+                                        tg.lbdns = lb.dns
+                                    self.target_groups.append(tg)
+                except ClientError as error:
+                    if error.response["Error"]["Code"] == "LoadBalancerNotFound":
+                        logger.warning(
+                            f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                        )
+                    else:
+                        logger.error(
+                            f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                        )
+                except Exception as error:
+                    logger.error(
+                        f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                    )
+        except Exception as error:
+            logger.error(
+                f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+
     def __describe_listeners__(self, regional_client):
         logger.info("ELBv2 - Describing listeners...")
         try:
@@ -235,3 +296,12 @@ class LoadBalancerv2(BaseModel):
     listeners: list[Listenerv2]
     scheme: Optional[str]
     tags: Optional[list] = []
+    security_groups: list[str]
+
+
+class TargetGroups(BaseModel):
+    name: str
+    arn: str
+    target_type: str
+    target: str
+    lbdns: Optional[str]