feat(elasticache): add check elasticache_redis_cluster_auth_enabled #4830

Merged
Changes from 19 commits
Commits
27 commits
a328b02
fix(elasticache): fixed error in metadata description
HugoPBrito Aug 21, 2024
d1dd13a
fix(elasticache): fixed error in metadata checktitle
HugoPBrito Aug 21, 2024
e8f0a3d
fix(elasticache): fixed error in metadata recommendation-text
HugoPBrito Aug 21, 2024
2a1fb68
feat(elasticache): expanded cluster model and testing
HugoPBrito Aug 21, 2024
412f688
feat(elasticache): Added check logic and testing
HugoPBrito Aug 21, 2024
63efb1c
feat(aws): Correction of check results message
HugoPBrito Aug 22, 2024
aad2ec8
fix(elasticache): changed error in metadata description
HugoPBrito Aug 22, 2024
0f7b95e
feat(elasticache): title and description changed in metadata
HugoPBrito Aug 27, 2024
a0b289e
feat(elasticache): resolved most comments
HugoPBrito Aug 27, 2024
6b01746
feat(elasticache): changed check name and minor modifications
HugoPBrito Aug 27, 2024
c08ef95
feat(elasticache): renewed logic and updated model and testing
HugoPBrito Aug 27, 2024
a7b8000
feat(elasticache): resolved comments
HugoPBrito Aug 29, 2024
48f6f6d
feat(elasticache): improved logic and adapted testing
HugoPBrito Aug 30, 2024
79603de
fix(elasticache): handled error in replication groups with several pa…
HugoPBrito Aug 30, 2024
4faddef
fix(elasticache): minor correction
HugoPBrito Aug 30, 2024
81ebc75
chore(elasticache): Only iterate one nodegroup
HugoPBrito Aug 30, 2024
7bcaee8
fix(elasticache): restored previous commit due to better error preven…
HugoPBrito Aug 30, 2024
a18b7ad
Merge branch 'master' into PRWLR-4509-elasti-cache-redis-oss-replicat…
HugoPBrito Sep 16, 2024
003c82a
feat(elasticache): resolved comments
HugoPBrito Sep 17, 2024
66aeb8f
Merge branch 'master' into PRWLR-4509-elasti-cache-redis-oss-replicat…
HugoPBrito Sep 18, 2024
25958b6
fix(elasticache): fix automatic failover
HugoPBrito Sep 18, 2024
dd3363a
chore: stage changes
HugoPBrito Sep 18, 2024
9dc0b9e
feat(elasticache): resolved comments
HugoPBrito Sep 19, 2024
73ec237
chore: enhance check and metadata
MrCloudSec Sep 19, 2024
3fb54a8
fix(elasticache): fixed mistaken arn and tested in real infrastructure
HugoPBrito Sep 20, 2024
42b2cdd
fix: remove print
MrCloudSec Sep 20, 2024
97440d0
fix: update resource type
MrCloudSec Sep 20, 2024
@@ -1,14 +1,14 @@
{
"Provider": "aws",
"CheckID": "elasticache_redis_cluster_multi_az_enabled",
"CheckTitle": "Ensure Elasticache Elasticache Redis cache cluster has Multi-AZ enabled.",
"CheckTitle": "Ensure Elasticache Redis cache cluster has Multi-AZ enabled.",
"CheckType": [],
"ServiceName": "elasticache",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"Severity": "medium",
"ResourceType": "AWSElastiCacheClusters",
"Description": "Ensure Elasticache Elasticache Redis cache cluster has Multi-AZ enabled.",
"Description": "Ensure Elasticache Redis cache cluster has Multi-AZ enabled.",
"Risk": "Ensure that your Amazon ElastiCache Redis cache clusters has Multi-AZ enabled.",
"RelatedUrl": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/ElastiCache/elasticache-multi-az.html#",
"Remediation": {
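Review bot: the "Risk" value in this hunk still reads "Ensure that your Amazon ElastiCache Redis cache clusters has Multi-AZ enabled.", which is ungrammatical ("clusters has") and restates the title instead of describing a risk; since the hunk already rewords the title and description, reword it to state the consequence, e.g. "Without Multi-AZ, the failure of a single Availability Zone makes the cache cluster unavailable until it is recovered manually." The RelatedUrl on the same lines points at a "cloudoneconformity-staging" host; use the production knowledge-base URL.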
@@ -19,7 +19,7 @@
"Terraform": "https://docs.prowler.com/checks/aws/general-policies/ensure-aws-elasticache-redis-cluster-with-multi-az-automatic-failover-feature-set-to-enabled/"
},
"Recommendation": {
"Text": "Ensure Elasticache Elasticache Redis cache cluster has Multi-AZ enabled.",
"Text": "Ensure Elasticache Redis cache cluster has Multi-AZ enabled.",
"Url": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/ElastiCache/elasticache-multi-az.html#"
}
},
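Review bot: the Recommendation.Url in this hunk carries the same "cloudoneconformity-staging" host as the RelatedUrl above; point it at the production URL in the same commit so both links stay consistent.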
@@ -0,0 +1,34 @@
{
"Provider": "aws",
"CheckID": "elasticache_redis_replication_group_auth_enabled",
"CheckTitle": "Ensure Elasticache Elasticache Redis replication groups of earlier versions should have Redis OSS AUTH enabled.",
"CheckType": [
"Software and Configuration Checks",
"Industry and Regulatory Standards",
"NIST 800-53 Controls "
],
"ServiceName": "elasticache",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"Severity": "medium",
"ResourceType": "AWSElastiCacheReplicationGroup",
"Description": "Ensure Elasticache Redis replication groups of earlier versions use Redis OSS AUTH.",
"Risk": "Without Redis AUTH enabled, your ElastiCache (Redis) instance is vulnerable to unauthorized access and potential data breaches.",
"RelatedUrl": "https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/auth.html",
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/elasticache-controls.html#elasticache-6",
"Terraform": ""
},
"Recommendation": {
"Text": "Enable Redis AUTH to require authentication before accessing your Redis instance, and for Redis 6.0 and later, consider implementing Role-Based Access Control (RBAC) for enhanced security.",
"Url": "https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/auth.html#auth-modifyng-token"
}
},
"Categories": [],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
}
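Review bot: the CheckTitle in this hunk still has the duplicated "Elasticache Elasticache" that the other metadata file fixes, and "Ensure ... should have" stacks two imperatives; align it with the Description, e.g. "Ensure Elasticache Redis replication groups of earlier versions use Redis OSS AUTH." Two smaller points: "NIST 800-53 Controls " has a trailing space, so it will not match the same CheckType value used by other checks, and "earlier versions" should name the threshold the check actually applies (versions before 6.0, where the RBAC alternative the Recommendation mentions is not available) so users know which groups are in scope. The Remediation CLI field is empty; `aws elasticache modify-replication-group` with `--auth-token` and `--auth-token-update-strategy` is the direct fix and belongs there.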
@@ -0,0 +1,34 @@
from packaging import version

from prowler.lib.check.models import Check, Check_Report_AWS
from prowler.providers.aws.services.elasticache.elasticache_client import (
elasticache_client,
)


class elasticache_redis_replication_group_auth_enabled(Check):
def execute(self):
findings = []
for repl_group in elasticache_client.replication_groups.values():
report = Check_Report_AWS(self.metadata())
report.region = repl_group.region
report.resource_id = repl_group.id
report.resource_arn = repl_group.arn
report.resource_tags = repl_group.tags

for cluster in repl_group.member_clusters:
Member:
Please, can you show in the status extended the member clusters that are not compliant (if any).

if version.parse(cluster.engine_version) < version.parse("6.0"):
if not cluster.auth_token_enabled:
report.status = "FAIL"
report.status_extended = f"Elasticache Redis replication group {repl_group.id}(v{cluster.engine_version}) does not have AUTH enabled."

else:
report.status = "PASS"
report.status_extended = f"Elasticache Redis replication group {repl_group.id}(v{cluster.engine_version}) does have AUTH enabled."
Member:
Suggested change
report.status_extended = f"Elasticache Redis replication group {repl_group.id}(v{cluster.engine_version}) does have AUTH enabled."
report.status_extended = f"Elasticache Redis replication group {repl_group.id}(v{cluster.engine_version}) has all member clusters with AUTH enabled."

else:
report.status = "MANUAL"
Member:
Can member cluster have different versions?

Member:
If not, leave it as it is.

Member Author:
As far as I'm concerned, every node must have the exact same version inside a replication group.

report.status_extended = f"Elasticache Redis replication group {repl_group.id}(v{cluster.engine_version}) does not have to use AUTH, but it should have Redis ACL configured."

findings.append(report)

return findings
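Review bot: the loop over repl_group.member_clusters overwrites report.status and report.status_extended on every iteration, so the finding reflects only the last member cluster: a group whose first member has AUTH disabled and whose last member has it enabled ends as PASS. Collect the identifiers of the non-compliant members while iterating and set the status once after the loop; that also gives status_extended the list of failing members the earlier comment asks for. Related: when member_clusters is empty the report is appended without any status having been set, so assign a default (or skip the group) before the loop. Minor: `{repl_group.id}(v{cluster.engine_version})` is missing a space before the parenthesis in all three messages.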
84 changes: 55 additions & 29 deletions prowler/providers/aws/services/elasticache/elasticache_service.py
@@ -41,6 +41,10 @@
auto_minor_version_upgrade=cache_cluster.get(
"AutoMinorVersionUpgrade", False
),
engine_version=cache_cluster.get("EngineVersion", "0.0"),
auth_token_enabled=cache_cluster.get(
"AuthTokenEnabled", False
),
)
except Exception as error:
logger.error(
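Review bot: `engine_version=cache_cluster.get("EngineVersion", "0.0")` turns a missing EngineVersion into a legacy-looking version, so the auth check will treat such a cluster as pre-6.0 and grade it for AUTH; since the model declares engine_version as Optional[str], default to None here and let the check decide what to report for an unknown version (MANUAL is the honest answer). The `auth_token_enabled` default of False is the safe direction: an absent flag is reported as AUTH disabled rather than silently passing.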
@@ -85,35 +89,53 @@
for repl_group in regional_client.describe_replication_groups()[
"ReplicationGroups"
]:
try:
replication_arn = repl_group["ARN"]
if not self.audit_resources or (
is_resource_filtered(replication_arn, self.audit_resources)
):
self.replication_groups[replication_arn] = ReplicationGroup(
id=repl_group["ReplicationGroupId"],
arn=replication_arn,
region=regional_client.region,
status=repl_group["Status"],
snapshot_retention=repl_group.get(
"SnapshotRetentionLimit", 0
),
encrypted=repl_group.get("AtRestEncryptionEnabled", False),
transit_encryption=repl_group.get(
"TransitEncryptionEnabled", False
),
multi_az=repl_group.get("MultiAZ", "disabled"),
auto_minor_version_upgrade=repl_group.get(
"AutoMinorVersionUpgrade", False
),
automatic_failover=repl_group.get(
"AutomaticFailoverStatus", "disabled"
),
replication_arn = repl_group["ARN"]
if not self.audit_resources or (
is_resource_filtered(replication_arn, self.audit_resources)
):
try:
replication_arn = repl_group["ARN"]
if not self.audit_resources or (
is_resource_filtered(replication_arn, self.audit_resources)
):
member_clusters = repl_group.get("MemberClusters", [])
cluster_list = []
for cluster in member_clusters:
cluster_list.append(

self.clusters[
f"arn:aws:elasticache:{regional_client.region}:{self.audited_account}:cluster:{cluster}"
]
)
self.replication_groups[replication_arn] = ReplicationGroup(
id=repl_group["ReplicationGroupId"],
arn=replication_arn,
region=regional_client.region,
status=repl_group["Status"],
snapshot_retention=repl_group.get(
"SnapshotRetentionLimit", 0
),
encrypted=repl_group.get(
"AtRestEncryptionEnabled", False
),
transit_encryption=repl_group.get(
"TransitEncryptionEnabled", False
),
multi_az=repl_group.get("MultiAZ", "disabled"),
auto_minor_version_upgrade=repl_group.get(
"AutoMinorVersionUpgrade", False
),
auth_token_enabled=repl_group.get(
"AuthTokenEnabled", False
),
automatic_failover=repl_group.get(
"AutomaticFailoverStatus", "disabled"
),
member_clusters=cluster_list,
)
except Exception as error:
logger.error(

f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
)
except Exception as error:
logger.error(
f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
)
except Exception as error:
logger.error(
f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
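Review bot: the new block repeats `replication_arn = repl_group["ARN"]` and the `is_resource_filtered` test twice (once outside the try and again inside it), and there are now three identical `except Exception` / `logger.error` handlers around the same loop body; keep one assignment, one filter test and one handler. More importantly, `self.clusters[f"arn:aws:elasticache:...:cluster:{cluster}"]` indexes the dictionary directly with an ARN assembled by hand: if a member cluster was excluded by `audit_resources`, or its stored key does not equal the assembled string, the KeyError is swallowed by the broad except and the whole replication group never reaches `self.replication_groups`, leaving only a log line. Look the member up with `.get()`, skip members that are not present, and still record the group.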
@@ -167,6 +189,8 @@
subnets: list = []
tags: Optional[list]
auto_minor_version_upgrade: bool = False
engine_version: Optional[str]
auth_token_enabled: Optional[bool]


class ReplicationGroup(BaseModel):
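Review bot: `engine_version: Optional[str]` and `auth_token_enabled: Optional[bool]` are added to Cluster without defaults; give them explicit defaults that match what the service passes in so the model does not rely on the implicit handling of Optional fields, and so a Cluster built elsewhere (tests included) gets the same values the check expects.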
@@ -179,5 +203,7 @@
transit_encryption: bool
multi_az: str
tags: Optional[list]
auto_minor_version_upgrade: bool
auto_minor_version_upgrade: bool = False
auth_token_enabled: Optional[bool]
automatic_failover: str
member_clusters: Optional[list[Cluster]]
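Review bot: `auth_token_enabled: Optional[bool]` is added to ReplicationGroup, but the check reads the flag from each member cluster rather than from the group, so this field is populated from the group's `AuthTokenEnabled` and never read; either have the check use the group-level value, which describe_replication_groups reports for the whole group, or drop the field. Also `member_clusters: Optional[list[Cluster]]` uses the built-in generic `list[...]`, which needs Python 3.9 or later; confirm that matches the project's minimum supported version or use `typing.List[Cluster]`.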