feat(elasticbeanstalk): add new check elasticbeanstalk_enhanced_health_reporting_enabled
#5348
Merged
sergargar
merged 13 commits into
master
from
PRWLR-4510-elastic-beanstalk-environments-should-have-enhanced-health-reporting-enabled
Oct 11, 2024
Merged
Changes from 12 commits
1c72536
feat(elasticbeanstalk): Add new service elasticbeanstalk
MarioRgzLpz 7d329c9
fix: typo
sergargar 7f64d1f
chore(elasticbeanstalk): Add list tags for resource method
MarioRgzLpz 1fb8aa1
chore(elasticbeanstalk): Add list tags for resource method
MarioRgzLpz 6502829
fix(elasticbeanstalk): Run precommit and fix typo
MarioRgzLpz 8799389
fix(elasticbeanstalk): Add call to list tags for resource
MarioRgzLpz f6bb72c
fix(elasticbeanstalk): Undo the Optional changes in environment model…
MarioRgzLpz 56e1742
Merge branch 'master' into PRWLR-4315-create-new-service-for-elastic-…
sergargar fab3060
chore(elasticbeanstalk): Rename attributes and add new test for metho…
MarioRgzLpz befe4ee
fix(elasticbeanstalk): Merge master
MarioRgzLpz 67f5f05
feat(elasticbeanstalk): Add check logic with respective unit tests. A…
MarioRgzLpz 60bbf30
Merge branch 'master' into PRWLR-4510-elastic-beanstalk-environments-…
MarioRgzLpz 3441ccc
chore: revision
sergargar File filter
Empty file.
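--- a/...health_reporting_enabled/elasticbeanstalk_enhanced_health_reporting_enabled.metadata.json
+++ b/...health_reporting_enabled/elasticbeanstalk_enhanced_health_reporting_enabled.metadata.json
@@ -0,0 +1,34 @@
+{
+"Provider": "aws",
+"CheckID": "elasticbeanstalk_enhanced_health_reporting_enabled",
+"CheckTitle": "Elastic Beanstalk environments should have enhanced health reporting enabled",
+"CheckType": [
+"Software and Configuration Checks/AWS Security Best Practices"
+],
+"ServiceName": "elasticbeanstalk",
+"SubServiceName": "",
+"ResourceIdTemplate": "arn:aws:elasticbeanstalk:{region}:{account-id}:environment/{environment-id}",
+"Severity": "low",
+"ResourceType": "AwsElasticBeanstalkEnvironment",
+"Description": "This control checks whether enhanced health reporting is enabled for your AWS Elastic Beanstalk environments.",
+"Risk": "Without enhanced health reporting, you may face delays in detecting and responding to issues in your Elastic Beanstalk environment, affecting application availability and performance.",
+"RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/beanstalk-enhanced-health-reporting-enabled.html",
+"Remediation": {
+"Code": {
+"CLI": "aws elasticbeanstalk update-environment --environment-id <environment-id> --option-settings Namespace=aws:elasticbeanstalk:healthreporting:system,OptionName=EnhancedHealthReporting,Value=enabled",
+"NativeIaC": "",
+"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/elasticbeanstalk-controls.html#elasticbeanstalk-1",
+"Terraform": ""
+},
+"Recommendation": {
+"Text": "Enable enhanced health reporting in your Elastic Beanstalk environments for better monitoring and faster issue detection.",
+"Url": "https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/health-enhanced-enable.html#health-enhanced-enable-console"
+}
+},
+"Categories": [
+"logging"
+],
+"DependsOn": [],
+"RelatedTo": [],
+"Notes": ""
+}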
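Review bot: The `CLI` value under `Remediation.Code` passes `OptionName=EnhancedHealthReporting,Value=enabled`, but the option in namespace `aws:elasticbeanstalk:healthreporting:system` that the tests in this same change mock is `SystemType` with values `basic` and `enhanced`. As written, the command would likely be rejected or would not change the setting the check reads, so an operator following the finding would still see FAIL on the next scan. The option settings should read `Namespace=aws:elasticbeanstalk:healthreporting:system,OptionName=SystemType,Value=enhanced`. The `logging` category also looks like a loose fit for a health-monitoring control and is worth confirming against the project's category list.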
28 changes: 28 additions & 0 deletions
28
...k_enhanced_health_reporting_enabled/elasticbeanstalk_enhanced_health_reporting_enabled.py
Original file line number | Diff line number | Diff line change | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
@@ -0,0 +1,28 @@ | ||||||||||||
from prowler.lib.check.models import Check, Check_Report_AWS | ||||||||||||
from prowler.providers.aws.services.elasticbeanstalk.elasticbeanstalk_client import ( | ||||||||||||
elasticbeanstalk_client, | ||||||||||||
) | ||||||||||||
|
||||||||||||
|
||||||||||||
class elasticbeanstalk_enhanced_health_reporting_enabled(Check): | ||||||||||||
def execute(self): | ||||||||||||
findings = [] | ||||||||||||
for environment in elasticbeanstalk_client.environments.values(): | ||||||||||||
report = Check_Report_AWS(self.metadata()) | ||||||||||||
report.region = environment.region | ||||||||||||
report.resource_id = environment.name | ||||||||||||
report.resource_arn = environment.arn | ||||||||||||
report.resource_tags = environment.tags | ||||||||||||
report.status = "PASS" | ||||||||||||
report.status_extended = f"Elastic Beanstalk environment {environment.name} has enhanced health reporting enabled." | ||||||||||||
|
||||||||||||
if ( | ||||||||||||
environment.health_reporting is None | ||||||||||||
or environment.health_reporting != "enhanced" | ||||||||||||
): | ||||||||||||
Suggested change
|
||||||||||||
report.status = "FAIL" | ||||||||||||
report.status_extended = f"Elastic Beanstalk environment {environment.name} does not have enhanced health reporting enabled." | ||||||||||||
|
||||||||||||
findings.append(report) | ||||||||||||
|
||||||||||||
return findings |
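Review bot: The FAIL branch guarded by `environment.health_reporting is None or environment.health_reporting != "enhanced"` reports a setting that was never read the same way as one read as `basic`. The service code that fills `health_reporting` is not part of this diff, but if it leaves the attribute as `None` when the configuration lookup fails (for example on missing permissions), the text "does not have enhanced health reporting enabled" asserts something the scan did not observe. A separate `status_extended` for the `None` case, such as `f"Elastic Beanstalk environment {environment.name} health reporting type could not be determined."`, would let triage tell a misconfiguration from a visibility gap. The class and `execute` also have no docstring; one line such as `"""Flag Elastic Beanstalk environments whose health reporting system type is not 'enhanced'."""` would help.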
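--- a/...anced_health_reporting_enabled/elasticbeanstalk_enhanced_health_reporting_enabled_test.py
+++ b/...anced_health_reporting_enabled/elasticbeanstalk_enhanced_health_reporting_enabled_test.py
@@ -0,0 +1,146 @@
+from unittest import mock
+
+import botocore
+from boto3 import client
+from moto import mock_aws
+
+from prowler.providers.aws.services.elasticbeanstalk.elasticbeanstalk_service import (
+ElasticBeanstalk,
+)
+from tests.providers.aws.utils import AWS_REGION_EU_WEST_1, set_mocked_aws_provider
+
+make_api_call = botocore.client.BaseClient._make_api_call
+
+
+def mock_make_api_call(self, operation_name, kwarg):
+if operation_name == "DescribeConfigurationSettings":
+if kwarg["EnvironmentName"] == "test-env-using-basic-health-reporting":
+return {
+"ConfigurationSettings": [
+{
+"OptionSettings": [
+{
+"Namespace": "aws:elasticbeanstalk:healthreporting:system",
+"OptionName": "SystemType",
+"Value": "basic",
+},
+],
+}
+]
+}
+if kwarg["EnvironmentName"] == "test-env-using-enhanced-health-reporting":
+return {
+"ConfigurationSettings": [
+{
+"OptionSettings": [
+{
+"Namespace": "aws:elasticbeanstalk:healthreporting:system",
+"OptionName": "SystemType",
+"Value": "enhanced",
+},
+],
+}
+]
+}
+
+return make_api_call(self, operation_name, kwarg)
+
+
+class Test_elasticbeanstalk_enhanced_health_reporting_enabled:
+@mock_aws
+def test_elasticbeanstalk_no_environments(self):
+elasticbeanstalk_client = client(
+"elasticbeanstalk", region_name=AWS_REGION_EU_WEST_1
+)
+elasticbeanstalk_client.create_application(ApplicationName="test-app")
+
+aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
+
+with mock.patch(
+"prowler.providers.common.provider.Provider.get_global_provider",
+return_value=aws_provider,
+), mock.patch(
+"prowler.providers.aws.services.elasticbeanstalk.elasticbeanstalk_enhanced_health_reporting_enabled.elasticbeanstalk_enhanced_health_reporting_enabled.elasticbeanstalk_client",
+new=ElasticBeanstalk(aws_provider),
+):
+from prowler.providers.aws.services.elasticbeanstalk.elasticbeanstalk_enhanced_health_reporting_enabled.elasticbeanstalk_enhanced_health_reporting_enabled import (
+elasticbeanstalk_enhanced_health_reporting_enabled,
+)
+
+check = elasticbeanstalk_enhanced_health_reporting_enabled()
+result = check.execute()
+assert len(result) == 0
+
+@mock_aws
+@mock.patch("botocore.client.BaseClient._make_api_call", new=mock_make_api_call)
+def test_elasticbeanstalk_environment_cloudwatch_not_enabled(self):
+elasticbeanstalk_client = client(
+"elasticbeanstalk", region_name=AWS_REGION_EU_WEST_1
+)
+elasticbeanstalk_client.create_application(ApplicationName="test-app")
+environment = elasticbeanstalk_client.create_environment(
+ApplicationName="test-app",
+EnvironmentName="test-env-using-enhanced-health-reporting",
+)
+
+aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
+
+with mock.patch(
+"prowler.providers.common.provider.Provider.get_global_provider",
+return_value=aws_provider,
+), mock.patch(
+"prowler.providers.aws.services.elasticbeanstalk.elasticbeanstalk_enhanced_health_reporting_enabled.elasticbeanstalk_enhanced_health_reporting_enabled.elasticbeanstalk_client",
+new=ElasticBeanstalk(aws_provider),
+):
+from prowler.providers.aws.services.elasticbeanstalk.elasticbeanstalk_enhanced_health_reporting_enabled.elasticbeanstalk_enhanced_health_reporting_enabled import (
+elasticbeanstalk_enhanced_health_reporting_enabled,
+)
+
+check = elasticbeanstalk_enhanced_health_reporting_enabled()
+result = check.execute()
+assert len(result) == 1
+assert result[0].status == "PASS"
+assert (
+result[0].status_extended
+== "Elastic Beanstalk environment test-env-using-enhanced-health-reporting has enhanced health reporting enabled."
+)
+assert result[0].resource_id == environment["EnvironmentName"]
+assert result[0].resource_arn == environment["EnvironmentArn"]
+assert result[0].region == AWS_REGION_EU_WEST_1
+
+@mock_aws
+@mock.patch("botocore.client.BaseClient._make_api_call", new=mock_make_api_call)
+def test_elasticbeanstalk_environment_cloudwatch_enabled(self):
+elasticbeanstalk_client = client(
+"elasticbeanstalk", region_name=AWS_REGION_EU_WEST_1
+)
+elasticbeanstalk_client.create_application(ApplicationName="test-app")
+environment = elasticbeanstalk_client.create_environment(
+ApplicationName="test-app",
+EnvironmentName="test-env-using-basic-health-reporting",
+)
+
+aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
+
+with mock.patch(
+"prowler.providers.common.provider.Provider.get_global_provider",
+return_value=aws_provider,
+), mock.patch(
+"prowler.providers.aws.services.elasticbeanstalk.elasticbeanstalk_enhanced_health_reporting_enabled.elasticbeanstalk_enhanced_health_reporting_enabled.elasticbeanstalk_client",
+new=ElasticBeanstalk(aws_provider),
+):
+from prowler.providers.aws.services.elasticbeanstalk.elasticbeanstalk_enhanced_health_reporting_enabled.elasticbeanstalk_enhanced_health_reporting_enabled import (
+elasticbeanstalk_enhanced_health_reporting_enabled,
+)
+
+check = elasticbeanstalk_enhanced_health_reporting_enabled()
+result = check.execute()
+assert len(result) == 1
+assert result[0].status == "FAIL"
+assert (
+result[0].status_extended
+== "Elastic Beanstalk environment test-env-using-basic-health-reporting does not have enhanced health reporting enabled."
+)
+assert result[0].resource_id == environment["EnvironmentName"]
+assert result[0].resource_arn == environment["EnvironmentArn"]
+assert result[0].region == AWS_REGION_EU_WEST_1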
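Review bot: The two environment tests carry names from a different check, and their polarity is inverted: `test_elasticbeanstalk_environment_cloudwatch_not_enabled` creates `test-env-using-enhanced-health-reporting` and asserts PASS, while `test_elasticbeanstalk_environment_cloudwatch_enabled` uses the basic environment and asserts FAIL. Names such as `test_elasticbeanstalk_environment_enhanced_health_reporting_enabled` and `test_elasticbeanstalk_environment_basic_health_reporting` would match what is asserted. There is also no case for an environment whose configuration has no `SystemType` option, so the `health_reporting is None` branch of the check is never exercised; a third environment name in `mock_make_api_call` returning an empty `OptionSettings` list would cover it. None of the tests assert `resource_tags`, which the check sets on every report.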