-
Notifications
You must be signed in to change notification settings - Fork 1.5k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(elasticbeanstalk): add new check `elasticbeanstalk_enhanced_heal…
…th_reporting_enabled` (#5348) Co-authored-by: Sergio <[email protected]>
- Loading branch information
1 parent
3ace449
commit a6db526
Showing
4 changed files
with
205 additions
and
0 deletions.
There are no files selected for viewing
Empty file.
34 changes: 34 additions & 0 deletions
34
...ced_health_reporting/elasticbeanstalk_environment_enhanced_health_reporting.metadata.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,34 @@ | ||
| { | ||
| "Provider": "aws", | ||
| "CheckID": "elasticbeanstalk_environment_enhanced_health_reporting", | ||
| "CheckTitle": "Elastic Beanstalk environments should have enhanced health reporting enabled", | ||
| "CheckType": [ | ||
| "Software and Configuration Checks/AWS Security Best Practices" | ||
| ], | ||
| "ServiceName": "elasticbeanstalk", | ||
| "SubServiceName": "", | ||
| "ResourceIdTemplate": "arn:aws:elasticbeanstalk:{region}:{account-id}:environment/{environment-id}", | ||
| "Severity": "low", | ||
| "ResourceType": "AwsElasticBeanstalkEnvironment", | ||
| "Description": "This control checks whether enhanced health reporting is enabled for your AWS Elastic Beanstalk environments.", | ||
| "Risk": "Without enhanced health reporting, you may face delays in detecting and responding to issues in your Elastic Beanstalk environment, affecting application availability and performance.", | ||
| "RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/beanstalk-enhanced-health-reporting-enabled.html", | ||
| "Remediation": { | ||
| "Code": { | ||
| "CLI": "aws elasticbeanstalk update-environment --environment-id <environment-id> --option-settings Namespace=aws:elasticbeanstalk:healthreporting:system,OptionName=EnhancedHealthReporting,Value=enabled", | ||
| "NativeIaC": "", | ||
| "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/elasticbeanstalk-controls.html#elasticbeanstalk-1", | ||
| "Terraform": "" | ||
| }, | ||
| "Recommendation": { | ||
| "Text": "Enable enhanced health reporting in your Elastic Beanstalk environments for better monitoring and faster issue detection.", | ||
| "Url": "https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/health-enhanced-enable.html#health-enhanced-enable-console" | ||
| } | ||
| }, | ||
| "Categories": [ | ||
| "logging" | ||
| ], | ||
| "DependsOn": [], | ||
| "RelatedTo": [], | ||
| "Notes": "" | ||
| } |
25 changes: 25 additions & 0 deletions
25
...nment_enhanced_health_reporting/elasticbeanstalk_environment_enhanced_health_reporting.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,25 @@ | ||
| from prowler.lib.check.models import Check, Check_Report_AWS | ||
| from prowler.providers.aws.services.elasticbeanstalk.elasticbeanstalk_client import ( | ||
| elasticbeanstalk_client, | ||
| ) | ||
|
|
||
|
|
||
| class elasticbeanstalk_environment_enhanced_health_reporting(Check): | ||
| def execute(self): | ||
| findings = [] | ||
| for environment in elasticbeanstalk_client.environments.values(): | ||
| report = Check_Report_AWS(self.metadata()) | ||
| report.region = environment.region | ||
| report.resource_id = environment.name | ||
| report.resource_arn = environment.arn | ||
| report.resource_tags = environment.tags | ||
| report.status = "PASS" | ||
| report.status_extended = f"Elastic Beanstalk environment {environment.name} has enhanced health reporting enabled." | ||
|
|
||
| if environment.health_reporting != "enhanced": | ||
| report.status = "FAIL" | ||
| report.status_extended = f"Elastic Beanstalk environment {environment.name} does not have enhanced health reporting enabled." | ||
|
|
||
| findings.append(report) | ||
|
|
||
| return findings |
146 changes: 146 additions & 0 deletions
146
..._enhanced_health_reporting/elasticbeanstalk_environment_enhanced_health_reporting_test.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,146 @@ | ||
| from unittest import mock | ||
|
|
||
| import botocore | ||
| from boto3 import client | ||
| from moto import mock_aws | ||
|
|
||
| from prowler.providers.aws.services.elasticbeanstalk.elasticbeanstalk_service import ( | ||
| ElasticBeanstalk, | ||
| ) | ||
| from tests.providers.aws.utils import AWS_REGION_EU_WEST_1, set_mocked_aws_provider | ||
|
|
||
| make_api_call = botocore.client.BaseClient._make_api_call | ||
|
|
||
|
|
||
| def mock_make_api_call(self, operation_name, kwarg): | ||
| if operation_name == "DescribeConfigurationSettings": | ||
| if kwarg["EnvironmentName"] == "test-env-using-basic-health-reporting": | ||
| return { | ||
| "ConfigurationSettings": [ | ||
| { | ||
| "OptionSettings": [ | ||
| { | ||
| "Namespace": "aws:elasticbeanstalk:healthreporting:system", | ||
| "OptionName": "SystemType", | ||
| "Value": "basic", | ||
| }, | ||
| ], | ||
| } | ||
| ] | ||
| } | ||
| if kwarg["EnvironmentName"] == "test-env-using-enhanced-health-reporting": | ||
| return { | ||
| "ConfigurationSettings": [ | ||
| { | ||
| "OptionSettings": [ | ||
| { | ||
| "Namespace": "aws:elasticbeanstalk:healthreporting:system", | ||
| "OptionName": "SystemType", | ||
| "Value": "enhanced", | ||
| }, | ||
| ], | ||
| } | ||
| ] | ||
| } | ||
|
|
||
| return make_api_call(self, operation_name, kwarg) | ||
|
|
||
|
|
||
| class Test_elasticbeanstalk_environment_enhanced_health_reporting: | ||
| @mock_aws | ||
| def test_elasticbeanstalk_no_environments(self): | ||
| elasticbeanstalk_client = client( | ||
| "elasticbeanstalk", region_name=AWS_REGION_EU_WEST_1 | ||
| ) | ||
| elasticbeanstalk_client.create_application(ApplicationName="test-app") | ||
|
|
||
| aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1]) | ||
|
|
||
| with mock.patch( | ||
| "prowler.providers.common.provider.Provider.get_global_provider", | ||
| return_value=aws_provider, | ||
| ), mock.patch( | ||
| "prowler.providers.aws.services.elasticbeanstalk.elasticbeanstalk_environment_enhanced_health_reporting.elasticbeanstalk_environment_enhanced_health_reporting.elasticbeanstalk_client", | ||
| new=ElasticBeanstalk(aws_provider), | ||
| ): | ||
| from prowler.providers.aws.services.elasticbeanstalk.elasticbeanstalk_environment_enhanced_health_reporting.elasticbeanstalk_environment_enhanced_health_reporting import ( | ||
| elasticbeanstalk_environment_enhanced_health_reporting, | ||
| ) | ||
|
|
||
| check = elasticbeanstalk_environment_enhanced_health_reporting() | ||
| result = check.execute() | ||
| assert len(result) == 0 | ||
|
|
||
| @mock_aws | ||
| @mock.patch("botocore.client.BaseClient._make_api_call", new=mock_make_api_call) | ||
| def test_elasticbeanstalk_environment_cloudwatch_not_enabled(self): | ||
| elasticbeanstalk_client = client( | ||
| "elasticbeanstalk", region_name=AWS_REGION_EU_WEST_1 | ||
| ) | ||
| elasticbeanstalk_client.create_application(ApplicationName="test-app") | ||
| environment = elasticbeanstalk_client.create_environment( | ||
| ApplicationName="test-app", | ||
| EnvironmentName="test-env-using-enhanced-health-reporting", | ||
| ) | ||
|
|
||
| aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1]) | ||
|
|
||
| with mock.patch( | ||
| "prowler.providers.common.provider.Provider.get_global_provider", | ||
| return_value=aws_provider, | ||
| ), mock.patch( | ||
| "prowler.providers.aws.services.elasticbeanstalk.elasticbeanstalk_environment_enhanced_health_reporting.elasticbeanstalk_environment_enhanced_health_reporting.elasticbeanstalk_client", | ||
| new=ElasticBeanstalk(aws_provider), | ||
| ): | ||
| from prowler.providers.aws.services.elasticbeanstalk.elasticbeanstalk_environment_enhanced_health_reporting.elasticbeanstalk_environment_enhanced_health_reporting import ( | ||
| elasticbeanstalk_environment_enhanced_health_reporting, | ||
| ) | ||
|
|
||
| check = elasticbeanstalk_environment_enhanced_health_reporting() | ||
| result = check.execute() | ||
| assert len(result) == 1 | ||
| assert result[0].status == "PASS" | ||
| assert ( | ||
| result[0].status_extended | ||
| == "Elastic Beanstalk environment test-env-using-enhanced-health-reporting has enhanced health reporting enabled." | ||
| ) | ||
| assert result[0].resource_id == environment["EnvironmentName"] | ||
| assert result[0].resource_arn == environment["EnvironmentArn"] | ||
| assert result[0].region == AWS_REGION_EU_WEST_1 | ||
|
|
||
| @mock_aws | ||
| @mock.patch("botocore.client.BaseClient._make_api_call", new=mock_make_api_call) | ||
| def test_elasticbeanstalk_environment_cloudwatch_enabled(self): | ||
| elasticbeanstalk_client = client( | ||
| "elasticbeanstalk", region_name=AWS_REGION_EU_WEST_1 | ||
| ) | ||
| elasticbeanstalk_client.create_application(ApplicationName="test-app") | ||
| environment = elasticbeanstalk_client.create_environment( | ||
| ApplicationName="test-app", | ||
| EnvironmentName="test-env-using-basic-health-reporting", | ||
| ) | ||
|
|
||
| aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1]) | ||
|
|
||
| with mock.patch( | ||
| "prowler.providers.common.provider.Provider.get_global_provider", | ||
| return_value=aws_provider, | ||
| ), mock.patch( | ||
| "prowler.providers.aws.services.elasticbeanstalk.elasticbeanstalk_environment_enhanced_health_reporting.elasticbeanstalk_environment_enhanced_health_reporting.elasticbeanstalk_client", | ||
| new=ElasticBeanstalk(aws_provider), | ||
| ): | ||
| from prowler.providers.aws.services.elasticbeanstalk.elasticbeanstalk_environment_enhanced_health_reporting.elasticbeanstalk_environment_enhanced_health_reporting import ( | ||
| elasticbeanstalk_environment_enhanced_health_reporting, | ||
| ) | ||
|
|
||
| check = elasticbeanstalk_environment_enhanced_health_reporting() | ||
| result = check.execute() | ||
| assert len(result) == 1 | ||
| assert result[0].status == "FAIL" | ||
| assert ( | ||
| result[0].status_extended | ||
| == "Elastic Beanstalk environment test-env-using-basic-health-reporting does not have enhanced health reporting enabled." | ||
| ) | ||
| assert result[0].resource_id == environment["EnvironmentName"] | ||
| assert result[0].resource_arn == environment["EnvironmentArn"] | ||
| assert result[0].region == AWS_REGION_EU_WEST_1 |