Merge pull request #2023 from aquasecurity/bundles_sync/29_05

syncing with saas

Author: alphadev4

collectors/aws/ec2/describeSnapshots.js

@@ -8,6 +8,7 @@ var helpers = require(__dirname + '/../../../helpers/aws');
 module.exports = function(AWSConfig, collection, retries, callback) {
     var ec2 = new AWS.EC2(AWSConfig);
     var sts = new AWS.STS(AWSConfig);
+    var paginating = false;
 
     helpers.makeCustomCollectorCall(sts, 'getCallerIdentity', {}, retries, null, null, null, function(stsErr, stsData) {
         if (stsErr || !stsData.Account) {
@@ -16,6 +17,7 @@ module.exports = function(AWSConfig, collection, retries, callback) {
         }
 
         var params = {
+            MaxResults: 1000,
             Filters: [
                 {
                     Name: 'owner-id',
@@ -32,13 +34,36 @@ module.exports = function(AWSConfig, collection, retries, callback) {
             ]
         };
 
-        helpers.makeCustomCollectorCall(ec2, 'describeSnapshots', params, retries, null, null, null, function(err, data) {
+        var paginateCb = function(err, data) {
             if (err) {
                 collection.ec2.describeSnapshots[AWSConfig.region].err = err;
-            } else {
-                collection.ec2.describeSnapshots[AWSConfig.region].data = data.Snapshots;
+            } else if (data) {
+                if (paginating && data.Snapshots && data.Snapshots.length &&
+                    collection.ec2.describeSnapshots[AWSConfig.region].data &&
+                    collection.ec2.describeSnapshots[AWSConfig.region].data.length) {
+                    collection.ec2.describeSnapshots[AWSConfig.region].data = collection.ec2.describeSnapshots[AWSConfig.region].data.concat(data.Snapshots);
+                } else if (!paginating) {
+                    collection.ec2.describeSnapshots[AWSConfig.region].data = data.Snapshots;
+                }
+                if (data.NextToken &&
+                    collection.ec2.describeSnapshots[AWSConfig.region].data &&
+                    collection.ec2.describeSnapshots[AWSConfig.region].data.length) {
+                    paginating = true;
+                    return execute(data.NextToken);
+                }
             }
+
             callback();
-        });
+        };
+        function execute(nextToken) { // eslint-disable-line no-inner-declarations
+            var localParams = JSON.parse(JSON.stringify(params || {}));
+            if (nextToken) localParams['NextToken'] = nextToken;
+            if (nextToken) {
+                helpers.makeCustomCollectorCall(ec2, 'describeSnapshots', localParams, retries, null, null, null, paginateCb);
+            } else {
+                helpers.makeCustomCollectorCall(ec2, 'describeSnapshots', params, retries, null, null, null, paginateCb);
+            }
+        }
+        execute();
     });
-};
+};

exports.js

@@ -53,6 +53,7 @@ module.exports = {
         'workgroupEnforceConfiguration' : require(__dirname + '/plugins/aws/athena/workgroupEnforceConfiguration.js'),
 
         'customModelInVpc'              :require(__dirname + '/plugins/aws/bedrock/customModelInVpc.js'),
+        'bedrockInUse'                  :require(__dirname + '/plugins/aws/bedrock/bedrockInUse.js'),
         'privateCustomModel'            :require(__dirname + '/plugins/aws/bedrock/privateCustomModel.js'),
         'customModelHasTags'            :require(__dirname + '/plugins/aws/bedrock/customModelHasTags.js'),
         'modelInvocationLoggingEnabled' :require(__dirname + '/plugins/aws/bedrock/modelInvocationLoggingEnabled.js'),
@@ -725,7 +726,7 @@ module.exports = {
 
         'workspacePublicAccessDisabled' : require(__dirname + '/plugins/azure/machinelearning/workspacePublicAccessDisabled.js'),
         'workspaceLoggingEnabled'       : require(__dirname + '/plugins/azure/machinelearning/workspaceLoggingEnabled.js'),
-        'mlWorkspaceHasTags'              : require(__dirname + '/plugins/azure/machinelearning/mlWorkspaceHasTags.js'),
+        'mlWorkspaceHasTags'            : require(__dirname + '/plugins/azure/machinelearning/mlWorkspaceHasTags.js'),
 
 
         'minimumTlsVersion'             : require(__dirname + '/plugins/azure/redisCache/minimumTlsVersion.js'),

helpers/aws/api.js

@@ -1449,6 +1449,10 @@ var calls = {
         describeDBClusters: {
             property: 'DBClusters',
             paginate: 'Marker'
+        },
+        describeDBInstances: {
+            property: 'DBInstances',
+            paginate: 'Marker'
         }
     },
     Organizations: {

helpers/aws/api_multipart.js

@@ -838,6 +838,10 @@ var calls = [
             describeDBClusters: {
                 property: 'DBClusters',
                 paginate: 'Marker'
+            },
+            describeDBInstances: {
+                property: 'DBInstances',
+                paginate: 'Marker'
             }
         },
         Organizations: {

plugins/aws/bedrock/bedrockInUse.js

@@ -0,0 +1,52 @@
+var async = require('async');
+var helpers = require('../../../helpers/aws');
+
+module.exports = {
+    title: 'AWS Bedrock In Use',
+    category: 'AI & ML',
+    domain: 'Machine Learning',
+    severity: 'Low',
+    description: 'Ensures that AWS Bedrock service is in use within your AWS account.',
+    more_info: 'AWS Bedrock provides access to high-performing foundation models from leading AI startups and Amazon through a unified API, enabling easy experimentation, customization, and deployment of generative AI applications with robust security and privacy features.',
+    link: 'https://docs.aws.amazon.com/bedrock/latest/userguide/what-is-bedrock.html',
+    recommended_action: 'Use Bedrock service to utilize top foundation models with strong security and customization.',
+    apis: ['Bedrock:listCustomModels'],
+    realtime_triggers: ['bedrock:DeleteCustomModel'],
+
+    run: function(cache, settings, callback) {
+        var results = [];
+        var source = {};
+        var regions = helpers.regions(settings);
+
+        async.each(regions.bedrock, function(region, rcb){
+            var listCustomModels = helpers.addSource(cache, source,
+                ['bedrock', 'listCustomModels', region]);
+
+            if (!listCustomModels) return rcb();
+
+            if (listCustomModels.err && listCustomModels.err.message.includes('Unknown operation')) {
+                helpers.addResult(results, 0,
+                    'Custom model service is not available in this region', region);
+                return rcb();
+            }
+
+            if (listCustomModels.err || !listCustomModels.data) {
+                helpers.addResult(results, 3,
+                    `Unable to query for Bedrock custom model list: ${helpers.addError(listCustomModels)}`, region);
+                return rcb();
+            }
+
+            if (!listCustomModels.data.length) {
+                helpers.addResult(results, 2, 'Bedrock service is not in use', region);
+                return rcb();
+            } else {
+                helpers.addResult(results, 0, 'Bedrock service is in use', region);
+                return rcb();
+
+            }
+
+        }, function(){
+            callback(null, results, source);
+        });
+    }
+};

plugins/aws/bedrock/bedrockInUse.spec.js

@@ -0,0 +1,73 @@
+var expect = require('chai').expect;
+const bedrockInUse = require('./bedrockInUse');
+
+const listCustomModels = [
+    {
+        "modelArn": "arn:aws:bedrock:us-east-1:11223344:custom-model/amazon.titan-text-lite-v1:0:4k/2ytyyx8nid0h",
+        "modelName": "model2",
+        "creationTime": "2023-11-29T10:45:43.056000+00:00",
+        "baseModelArn": "arn:aws:bedrock:us-east-1::foundation-model/amazon.titan-text-lite-v1:0:4k",
+        "baseModelName": ""
+    },
+    {
+        "modelArn": "arn:aws:bedrock:us-east-1:11223344:custom-model/amazon.titan-text-lite-v1:0:4k/vjqsydtdhkpz",
+        "modelName": "testmodel2",
+        "creationTime": "2023-11-28T11:29:18.655000+00:00",
+        "baseModelArn": "arn:aws:bedrock:us-east-1::foundation-model/amazon.titan-text-lite-v1:0:4k",
+        "baseModelName": ""
+    }
+];
+
+
+const createCache = (listModels) => {
+    return {
+        bedrock: {
+            listCustomModels: {
+                'us-east-1': {
+                    err: null,
+                    data: listModels
+                }
+            },
+        }
+    };
+};
+
+
+describe('bedrockInUse', function () {
+    describe('run', function () {
+        it('should PASS if Bedrock service is in use', function (done) {
+            const cache = createCache([listCustomModels[0]]);
+            bedrockInUse.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].region).to.equal('us-east-1');
+                expect(results[0].message).to.include('Bedrock service is in use')
+                done();
+            });
+        });
+
+        it('should FAIL if Bedrock service is not in use', function (done) {
+            const cache = createCache([]);
+            bedrockInUse.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(2);
+                expect(results[0].region).to.equal('us-east-1');
+                expect(results[0].message).to.include('Bedrock service is not in use')
+                done();
+            });
+        });
+
+
+        it('should UNKNOWN if unable to query Bedrock custom model', function (done) {
+            const cache = createCache(null, null);
+            bedrockInUse.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(3);
+                expect(results[0].region).to.equal('us-east-1');
+                expect(results[0].message).to.include('Unable to query for Bedrock custom model list')
+                done();
+            });
+        });
+
+    });
+});

plugins/aws/ec2/appTierInstanceIamRole.js

@@ -11,7 +11,7 @@ module.exports = {
     more_info: 'EC2 instances should have IAM roles configured with necessary permission to access other AWS services',
     link: 'https://aws.amazon.com/blogs/security/new-attach-an-aws-iam-role-to-an-existing-amazon-ec2-instance-by-using-the-aws-cli/',
     recommended_action: 'Modify EC2 instances to attach IAM roles with required IAM policies',
-    apis: ['EC2:describeInstances', 'EC2:describeTags', 'IAM:listRoles', 'IAM:listRolePolicies', 'IAM:listAttachedRolePolicies'],
+    apis: ['EC2:describeInstances', 'IAM:listRoles', 'IAM:listRolePolicies', 'IAM:listAttachedRolePolicies'],
     settings: {
         ec2_app_tier_tag_key: {
             name: 'EC2 App-Tier Tag Key',
@@ -71,14 +71,8 @@ module.exports = {
                     var resource = `arn:${awsOrGov}:ec2:${region}:${accountId}:instance/${entry.InstanceId}`;
 
                     var tagFound = false;
-                    for (let t in describeTags.data) {
-                        let tag = describeTags.data[t];
-
-                        if (tag.ResourceId && tag.ResourceId === entry.InstanceId &&
-                            tag.Key && tag.Key === config.ec2_app_tier_tag_key) {
-                            tagFound = true;
-                            break;
-                        }
+                    if (entry.Tags && entry.Tags.length) {
+                        tagFound = entry.Tags.find(tag => tag.Key === config.ec2_app_tier_tag_key);
                     }
 
                     if (!tagFound) {
@@ -93,7 +87,7 @@ module.exports = {
                     } else {
                         var roleNameArr = entry.IamInstanceProfile.Arn.split('/');
                         var roleName = roleNameArr[roleNameArr.length-1];
-                        
+
                         // Get managed policies attached to role
                         var listAttachedRolePolicies = helpers.addSource(cache, source,
                             ['iam', 'listAttachedRolePolicies', region, roleName]);
@@ -136,10 +130,10 @@ module.exports = {
                         }
                     }
                 }
-                
+
                 cb();
             });
-            
+
             return rcb();
         }, function(){
             callback(null, results, source);

plugins/aws/ec2/webTierInstanceIamRole.js

@@ -11,7 +11,7 @@ module.exports = {
     more_info: 'EC2 instances should have IAM roles configured with necessary permission to access other AWS services',
     link: 'https://aws.amazon.com/blogs/security/new-attach-an-aws-iam-role-to-an-existing-amazon-ec2-instance-by-using-the-aws-cli/',
     recommended_action: 'Modify EC2 instances to attach IAM roles with required IAM policies',
-    apis: ['EC2:describeInstances', 'EC2:describeTags', 'IAM:listRoles', 'IAM:listRolePolicies', 'IAM:listAttachedRolePolicies'],
+    apis: ['EC2:describeInstances', 'IAM:listRoles', 'IAM:listRolePolicies', 'IAM:listAttachedRolePolicies'],
     settings: {
         ec2_web_tier_tag_key: {
             name: 'EC2 Web-Tier Tag Key',
@@ -71,14 +71,8 @@ module.exports = {
                     var resource = `arn:${awsOrGov}:ec2:${region}:${accountId}:instance/${entry.InstanceId}`;
 
                     var tagFound = false;
-                    for (let t in describeTags.data) {
-                        let tag = describeTags.data[t];
-
-                        if (tag.ResourceId && tag.ResourceId === entry.InstanceId &&
-                            tag.Key && tag.Key === config.ec2_web_tier_tag_key) {
-                            tagFound = true;
-                            break;
-                        }
+                    if (entry.Tags && entry.Tags.length) {
+                        tagFound = entry.Tags.find(tag => tag.Key === config.ec2_web_tier_tag_key);
                     }
 
                     if (!tagFound) {
@@ -93,7 +87,7 @@ module.exports = {
                     } else {
                         var roleNameArr = entry.IamInstanceProfile.Arn.split('/');
                         var roleName = roleNameArr[roleNameArr.length-1];
-                        
+
                         // Get managed policies attached to role
                         var listAttachedRolePolicies = helpers.addSource(cache, source,
                             ['iam', 'listAttachedRolePolicies', region, roleName]);
@@ -136,10 +130,10 @@ module.exports = {
                         }
                     }
                 }
-                
+
                 cb();
             });
-            
+
             return rcb();
         }, function(){
             callback(null, results, source);

plugins/aws/elbv2/elbv2TLSVersionCipherEnabled.js

@@ -5,9 +5,9 @@ module.exports = {
     title: 'ELBv2 TLS Version and Cipher Header Disabled',
     category: 'ELBv2',
     domain: 'Content Delivery',
-    severity: 'Medium',
+    severity: 'low',
     description: 'Ensures that AWS ELBv2 load balancers does not have TLS version and cipher headers enabled.',
-    more_info: 'Disabling TLS version and cipher headers mitigates potential information leakage risks and aligns with security best practices, ensuring that sensitive details are not exposed to unauthorized parties.',
+    more_info: 'TLS Version and Cipher Header provides information about the specific TLS version and cipher suite used during the establishment of the secure connection. Enabling the header might leak the sensitive information about the encryption protocols and algorithms being used',
     link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html',
     recommended_action: 'Update ELBv2 load balancer traffic configuration to disable TLS version and cipher headers',
     apis: ['ELBv2:describeLoadBalancers', 'ELBv2:describeLoadBalancerAttributes'],

plugins/aws/kms/kmsKeyRotation.js

@@ -111,6 +111,12 @@ module.exports = {
                     return;
                 }
 
+                if (describeKeyData.KeyMetadata && describeKeyData.KeyMetadata.KeySpec && describeKeyData.KeyMetadata.KeySpec !== 'SYMMETRIC_DEFAULT') {
+                    noCmks = false;
+                    helpers.addResult(results, 0, `Key rotation is not available for ${describeKeyData.KeyMetadata.KeySpec} key type`, region, kmsKey.KeyArn);
+                    return;
+                }
+
                 var getKeyRotationStatus = helpers.addSource(cache, source,
                     ['kms', 'getKeyRotationStatus', region, kmsKey.KeyId]);
 

plugins/aws/kms/kmsKeyRotation.spec.js

@@ -23,7 +23,8 @@ const describeKey = [
             KeyState: "Enabled", 
             KeyUsage: "ENCRYPT_DECRYPT", 
             MultiRegion: false, 
-            Origin: "AWS_KMS"
+            Origin: "AWS_KMS",
+            KeySpec: "HMAC_512",
         }
     },
     {
@@ -42,7 +43,8 @@ const describeKey = [
             KeyState: "Enabled", 
             KeyUsage: "ENCRYPT_DECRYPT", 
             MultiRegion: false, 
-            Origin: "AWS_KMS"
+            Origin: "AWS_KMS",
+            KeySpec: "SYMMETRIC_DEFAULT",
         }
     },
     {
@@ -61,7 +63,8 @@ const describeKey = [
             KeyState: "PendingDeletion", 
             KeyUsage: "ENCRYPT_DECRYPT", 
             MultiRegion: false, 
-            Origin: "AWS_KMS"
+            Origin: "AWS_KMS",
+            KeySpec: "SYMMETRIC_DEFAULT",
         }
     }
 ]
@@ -250,5 +253,16 @@ describe('kmsKeyRotation', function () {
                 done();
             });
         });
+
+        it('should not pass if key rotation is not avaible for KMS ', function (done) {
+            const cache = createCache([listKeys], describeKey[0], keyPolicy[0], keyRotationStatus[0]);
+            kmsKeyRotation.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].region).to.equal('us-east-1');
+                expect(results[0].message).to.include('Key rotation is not available for HMAC_512 key type');
+                done();
+            });
+        });
     });
 });