diff --git a/prowler/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_enhanced_health_reporting/__init__.py b/prowler/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_enhanced_health_reporting/__init__.py
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/prowler/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_enhanced_health_reporting/elasticbeanstalk_environment_enhanced_health_reporting.metadata.json b/prowler/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_enhanced_health_reporting/elasticbeanstalk_environment_enhanced_health_reporting.metadata.json
new file mode 100644
index 0000000000..9f8c71ae28
--- /dev/null
+++ b/prowler/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_enhanced_health_reporting/elasticbeanstalk_environment_enhanced_health_reporting.metadata.json
@@ -0,0 +1,34 @@
+{
+  "Provider": "aws",
+  "CheckID": "elasticbeanstalk_environment_enhanced_health_reporting",
+  "CheckTitle": "Elastic Beanstalk environments should have enhanced health reporting enabled",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices"
+  ],
+  "ServiceName": "elasticbeanstalk",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:aws:elasticbeanstalk:{region}:{account-id}:environment/{environment-id}",
+  "Severity": "low",
+  "ResourceType": "AwsElasticBeanstalkEnvironment",
+  "Description": "This control checks whether enhanced health reporting is enabled for your AWS Elastic Beanstalk environments.",
+  "Risk": "Without enhanced health reporting, you may face delays in detecting and responding to issues in your Elastic Beanstalk environment, affecting application availability and performance.",
+  "RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/beanstalk-enhanced-health-reporting-enabled.html",
+  "Remediation": {
+    "Code": {
+      "CLI": "aws elasticbeanstalk update-environment --environment-id --option-settings Namespace=aws:elasticbeanstalk:healthreporting:system,OptionName=EnhancedHealthReporting,Value=enabled",
+      "NativeIaC": "",
+      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/elasticbeanstalk-controls.html#elasticbeanstalk-1",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Enable enhanced health reporting in your Elastic Beanstalk environments for better monitoring and faster issue detection.",
+      "Url": "https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/health-enhanced-enable.html#health-enhanced-enable-console"
+    }
+  },
+  "Categories": [
+    "logging"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}
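Review bot: The `Remediation.Code.CLI` string in this hunk does not match the setting the check actually evaluates: the test fixtures in this same commit model the health mode as `Namespace=aws:elasticbeanstalk:healthreporting:system` with `OptionName=SystemType` and `Value=basic|enhanced`, whereas the remediation command sets a non-existent `OptionName=EnhancedHealthReporting,Value=enabled`, and it also passes `--environment-id` with no value. A user copying this command would get an option-validation error rather than a remediated environment. Suggested value: `"CLI": "aws elasticbeanstalk update-environment --environment-id <environment-id> --option-settings Namespace=aws:elasticbeanstalk:healthreporting:system,OptionName=SystemType,Value=enhanced"`, which is also the option the linked enable-enhanced-health documentation describes.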
diff --git a/prowler/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_enhanced_health_reporting/elasticbeanstalk_environment_enhanced_health_reporting.py b/prowler/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_enhanced_health_reporting/elasticbeanstalk_environment_enhanced_health_reporting.py
new file mode 100644
index 0000000000..0e6b0f570c
--- /dev/null
+++ b/prowler/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_enhanced_health_reporting/elasticbeanstalk_environment_enhanced_health_reporting.py
@@ -0,0 +1,25 @@
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.elasticbeanstalk.elasticbeanstalk_client import (
+    elasticbeanstalk_client,
+)
+
+
+class elasticbeanstalk_environment_enhanced_health_reporting(Check):
+    def execute(self):
+        findings = []
+        for environment in elasticbeanstalk_client.environments.values():
+            report = Check_Report_AWS(self.metadata())
+            report.region = environment.region
+            report.resource_id = environment.name
+            report.resource_arn = environment.arn
+            report.resource_tags = environment.tags
+            report.status = "PASS"
+            report.status_extended = f"Elastic Beanstalk environment {environment.name} has enhanced health reporting enabled."
+
+            if environment.health_reporting != "enhanced":
+                report.status = "FAIL"
+                report.status_extended = f"Elastic Beanstalk environment {environment.name} does not have enhanced health reporting enabled."
+
+            findings.append(report)
+
+        return findings
diff --git a/tests/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_enhanced_health_reporting/elasticbeanstalk_environment_enhanced_health_reporting_test.py b/tests/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_enhanced_health_reporting/elasticbeanstalk_environment_enhanced_health_reporting_test.py
new file mode 100644
index 0000000000..2716bb9c03
--- /dev/null
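Review bot: In `execute`, the test `environment.health_reporting != "enhanced"` folds every non-matching value into the same FAIL finding, so an environment whose configuration could not be read (if `ElasticBeanstalk` leaves `health_reporting` empty or `None` in that case — the service class is not in this diff, so I cannot confirm) would be reported as "does not have enhanced health reporting enabled" rather than as undetermined. Failing closed is the right default for a compliance check, but the message then asserts a fact the scanner did not observe, and the `_client` name shadowed by the patched module attribute makes this hard to notice in tests. Consider either a short comment above the `if` recording the fail-closed intent, `# Any mode other than "enhanced" (including an unreadable/unknown mode) is reported as FAIL on purpose`, or a distinct `status_extended` when the value is falsy, e.g. `f"Elastic Beanstalk environment {environment.name} health reporting mode could not be determined."`. The comparison is also case-sensitive; if the service ever surfaces the raw API casing, normalising with `.lower()` before comparing would be cheap insurance, but I cannot tell from this hunk what the service returns.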
+++ b/tests/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_enhanced_health_reporting/elasticbeanstalk_environment_enhanced_health_reporting_test.py 
@@ -0,0 +1,146 @@
+from unittest import mock
+
+import botocore
+from boto3 import client
+from moto import mock_aws
+
+from prowler.providers.aws.services.elasticbeanstalk.elasticbeanstalk_service import (
+    ElasticBeanstalk,
+)
+from tests.providers.aws.utils import AWS_REGION_EU_WEST_1, set_mocked_aws_provider
+
+make_api_call = botocore.client.BaseClient._make_api_call
+
+
+def mock_make_api_call(self, operation_name, kwarg):
+    if operation_name == "DescribeConfigurationSettings":
+        if kwarg["EnvironmentName"] == "test-env-using-basic-health-reporting":
+            return {
+                "ConfigurationSettings": [
+                    {
+                        "OptionSettings": [
+                            {
+                                "Namespace": "aws:elasticbeanstalk:healthreporting:system",
+                                "OptionName": "SystemType",
+                                "Value": "basic",
+                            },
+                        ],
+                    }
+                ]
+            }
+        if kwarg["EnvironmentName"] == "test-env-using-enhanced-health-reporting":
+            return {
+                "ConfigurationSettings": [
+                    {
+                        "OptionSettings": [
+                            {
+                                "Namespace": "aws:elasticbeanstalk:healthreporting:system",
+                                "OptionName": "SystemType",
+                                "Value": "enhanced",
+                            },
+                        ],
+                    }
+                ]
+            }
+
+    return make_api_call(self, operation_name, kwarg)
+
+
+class Test_elasticbeanstalk_environment_enhanced_health_reporting:
+    @mock_aws
+    def test_elasticbeanstalk_no_environments(self):
+        elasticbeanstalk_client = client(
+            "elasticbeanstalk", region_name=AWS_REGION_EU_WEST_1
+        )
+        elasticbeanstalk_client.create_application(ApplicationName="test-app")
+
+        aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
+
+        with mock.patch(
+            "prowler.providers.common.provider.Provider.get_global_provider",
+            return_value=aws_provider,
+        ), mock.patch(
+            "prowler.providers.aws.services.elasticbeanstalk.elasticbeanstalk_environment_enhanced_health_reporting.elasticbeanstalk_environment_enhanced_health_reporting.elasticbeanstalk_client",
+            new=ElasticBeanstalk(aws_provider),
+        ):
+            from prowler.providers.aws.services.elasticbeanstalk.elasticbeanstalk_environment_enhanced_health_reporting.elasticbeanstalk_environment_enhanced_health_reporting import (
+                elasticbeanstalk_environment_enhanced_health_reporting,
+            )
+
+            check = elasticbeanstalk_environment_enhanced_health_reporting()
+            result = check.execute()
+            assert len(result) == 0
+
+    @mock_aws
+    @mock.patch("botocore.client.BaseClient._make_api_call", new=mock_make_api_call)
+    def test_elasticbeanstalk_environment_cloudwatch_not_enabled(self):
+        elasticbeanstalk_client = client(
+            "elasticbeanstalk", region_name=AWS_REGION_EU_WEST_1
+        )
+        elasticbeanstalk_client.create_application(ApplicationName="test-app")
+        environment = elasticbeanstalk_client.create_environment(
+            ApplicationName="test-app",
+            EnvironmentName="test-env-using-enhanced-health-reporting",
+        )
+
+        aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
+
+        with mock.patch(
+            "prowler.providers.common.provider.Provider.get_global_provider",
+            return_value=aws_provider,
+        ), mock.patch(
+            "prowler.providers.aws.services.elasticbeanstalk.elasticbeanstalk_environment_enhanced_health_reporting.elasticbeanstalk_environment_enhanced_health_reporting.elasticbeanstalk_client",
+            new=ElasticBeanstalk(aws_provider),
+        ):
+            from prowler.providers.aws.services.elasticbeanstalk.elasticbeanstalk_environment_enhanced_health_reporting.elasticbeanstalk_environment_enhanced_health_reporting import (
+                elasticbeanstalk_environment_enhanced_health_reporting,
+            )
+
+            check = elasticbeanstalk_environment_enhanced_health_reporting()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == "Elastic Beanstalk environment test-env-using-enhanced-health-reporting has enhanced health reporting enabled."
+            )
+            assert result[0].resource_id == environment["EnvironmentName"]
+            assert result[0].resource_arn == environment["EnvironmentArn"]
+            assert result[0].region == AWS_REGION_EU_WEST_1
+
+    @mock_aws
+    @mock.patch("botocore.client.BaseClient._make_api_call", new=mock_make_api_call)
+    def test_elasticbeanstalk_environment_cloudwatch_enabled(self):
+        elasticbeanstalk_client = client(
+            "elasticbeanstalk", region_name=AWS_REGION_EU_WEST_1
+        )
+        elasticbeanstalk_client.create_application(ApplicationName="test-app")
+        environment = elasticbeanstalk_client.create_environment(
+            ApplicationName="test-app",
+            EnvironmentName="test-env-using-basic-health-reporting",
+        )
+
+        aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
+
+        with mock.patch(
+            "prowler.providers.common.provider.Provider.get_global_provider",
+            return_value=aws_provider,
+        ), mock.patch(
+            "prowler.providers.aws.services.elasticbeanstalk.elasticbeanstalk_environment_enhanced_health_reporting.elasticbeanstalk_environment_enhanced_health_reporting.elasticbeanstalk_client",
+            new=ElasticBeanstalk(aws_provider),
+        ):
+            from prowler.providers.aws.services.elasticbeanstalk.elasticbeanstalk_environment_enhanced_health_reporting.elasticbeanstalk_environment_enhanced_health_reporting import (
+                elasticbeanstalk_environment_enhanced_health_reporting,
+            )
+
+            check = elasticbeanstalk_environment_enhanced_health_reporting()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == "Elastic Beanstalk environment test-env-using-basic-health-reporting does not have enhanced health reporting enabled."
+            )
+            assert result[0].resource_id == environment["EnvironmentName"]
+            assert result[0].resource_arn == environment["EnvironmentArn"]
+            assert result[0].region == AWS_REGION_EU_WEST_1
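Review bot: The two environment tests are misnamed, and inverted relative to what they assert: `test_elasticbeanstalk_environment_cloudwatch_not_enabled` creates `test-env-using-enhanced-health-reporting` and expects PASS, while `test_elasticbeanstalk_environment_cloudwatch_enabled` creates the basic-mode environment and expects FAIL, and neither test has anything to do with CloudWatch (the names look copied from another check). Rename them to state the scenario, e.g. `def test_elasticbeanstalk_environment_enhanced_health_reporting_enabled(self):` and `def test_elasticbeanstalk_environment_basic_health_reporting(self):`, so a failing test is readable in CI output. There is also no case for an environment whose `DescribeConfigurationSettings` response carries no `SystemType` option at all — `mock_make_api_call` only special-cases the two named environments and falls through to moto for anything else — so the check's behaviour on an unreadable/missing mode, which it reports as FAIL, is untested; a third environment name with an empty `OptionSettings` list would pin that down.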