prowler-cloud · sergargar · Oct 11, 2024 · Oct 8, 2024 · Oct 8, 2024 · Oct 8, 2024
diff --git a/.../services/elasticbeanstalk/elasticbeanstalk_enhanced_health_reporting_enabled/__init__.py b/.../services/elasticbeanstalk/elasticbeanstalk_enhanced_health_reporting_enabled/__init__.py
diff --git a/...health_reporting_enabled/elasticbeanstalk_enhanced_health_reporting_enabled.metadata.json b/...health_reporting_enabled/elasticbeanstalk_enhanced_health_reporting_enabled.metadata.json
@@ -0,0 +1,34 @@
+{
+  "Provider": "aws",
+  "CheckID": "elasticbeanstalk_enhanced_health_reporting_enabled",
-  "CheckID": "elasticbeanstalk_enhanced_health_reporting_enabled",
+  "CheckID": "elasticbeanstalk_environment_enhanced_health_reporting",
-  "CheckID": "elasticbeanstalk_enhanced_health_reporting_enabled",
+  "CheckID": "elasticbeanstalk_environment_enhanced_health_reporting",
+  "CheckTitle": "Elastic Beanstalk environments should have enhanced health reporting enabled",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices"
+  ],
+  "ServiceName": "elasticbeanstalk",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:aws:elasticbeanstalk:{region}:{account-id}:environment/{environment-id}",
+  "Severity": "low",
+  "ResourceType": "AwsElasticBeanstalkEnvironment",
+  "Description": "This control checks whether enhanced health reporting is enabled for your AWS Elastic Beanstalk environments.",
+  "Risk": "Without enhanced health reporting, you may face delays in detecting and responding to issues in your Elastic Beanstalk environment, affecting application availability and performance.",
+  "RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/beanstalk-enhanced-health-reporting-enabled.html",
+  "Remediation": {
+    "Code": {
+      "CLI": "aws elasticbeanstalk update-environment --environment-id <environment-id> --option-settings Namespace=aws:elasticbeanstalk:healthreporting:system,OptionName=EnhancedHealthReporting,Value=enabled",
+      "NativeIaC": "",
+      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/elasticbeanstalk-controls.html#elasticbeanstalk-1",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Enable enhanced health reporting in your Elastic Beanstalk environments for better monitoring and faster issue detection.",
+      "Url": "https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/health-enhanced-enable.html#health-enhanced-enable-console"
+    }
+  },
+  "Categories": [
+    "logging"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}
diff --git a/...k_enhanced_health_reporting_enabled/elasticbeanstalk_enhanced_health_reporting_enabled.py b/...k_enhanced_health_reporting_enabled/elasticbeanstalk_enhanced_health_reporting_enabled.py
@@ -0,0 +1,28 @@
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.elasticbeanstalk.elasticbeanstalk_client import (
+    elasticbeanstalk_client,
+)
+
+
+class elasticbeanstalk_enhanced_health_reporting_enabled(Check):
+    def execute(self):
+        findings = []
+        for environment in elasticbeanstalk_client.environments.values():
+            report = Check_Report_AWS(self.metadata())
+            report.region = environment.region
+            report.resource_id = environment.name
+            report.resource_arn = environment.arn
+            report.resource_tags = environment.tags
+            report.status = "PASS"
+            report.status_extended = f"Elastic Beanstalk environment {environment.name} has enhanced health reporting enabled."
+
+            if (
+                environment.health_reporting is None
+                or environment.health_reporting != "enhanced"
+            ):
-            if (
-                environment.health_reporting is None
-                or environment.health_reporting != "enhanced"
-            ):
+            if environment.health_reporting != "enhanced":
-            if (
-                environment.health_reporting is None
-                or environment.health_reporting != "enhanced"
-            ):
+            if environment.health_reporting != "enhanced":
+                report.status = "FAIL"
+                report.status_extended = f"Elastic Beanstalk environment {environment.name} does not have enhanced health reporting enabled."
+
+            findings.append(report)
+
+        return findings
diff --git a/...anced_health_reporting_enabled/elasticbeanstalk_enhanced_health_reporting_enabled_test.py b/...anced_health_reporting_enabled/elasticbeanstalk_enhanced_health_reporting_enabled_test.py
@@ -0,0 +1,146 @@
+from unittest import mock
+
+import botocore
+from boto3 import client
+from moto import mock_aws
+
+from prowler.providers.aws.services.elasticbeanstalk.elasticbeanstalk_service import (
+    ElasticBeanstalk,
+)
+from tests.providers.aws.utils import AWS_REGION_EU_WEST_1, set_mocked_aws_provider
+
+make_api_call = botocore.client.BaseClient._make_api_call
+
+
+def mock_make_api_call(self, operation_name, kwarg):
+    if operation_name == "DescribeConfigurationSettings":
+        if kwarg["EnvironmentName"] == "test-env-using-basic-health-reporting":
+            return {
+                "ConfigurationSettings": [
+                    {
+                        "OptionSettings": [
+                            {
+                                "Namespace": "aws:elasticbeanstalk:healthreporting:system",
+                                "OptionName": "SystemType",
+                                "Value": "basic",
+                            },
+                        ],
+                    }
+                ]
+            }
+        if kwarg["EnvironmentName"] == "test-env-using-enhanced-health-reporting":
+            return {
+                "ConfigurationSettings": [
+                    {
+                        "OptionSettings": [
+                            {
+                                "Namespace": "aws:elasticbeanstalk:healthreporting:system",
+                                "OptionName": "SystemType",
+                                "Value": "enhanced",
+                            },
+                        ],
+                    }
+                ]
+            }
+
+    return make_api_call(self, operation_name, kwarg)
+
+
+class Test_elasticbeanstalk_enhanced_health_reporting_enabled:
+    @mock_aws
+    def test_elasticbeanstalk_no_environments(self):
+        elasticbeanstalk_client = client(
+            "elasticbeanstalk", region_name=AWS_REGION_EU_WEST_1
+        )
+        elasticbeanstalk_client.create_application(ApplicationName="test-app")
+
+        aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
+
+        with mock.patch(
+            "prowler.providers.common.provider.Provider.get_global_provider",
+            return_value=aws_provider,
+        ), mock.patch(
+            "prowler.providers.aws.services.elasticbeanstalk.elasticbeanstalk_enhanced_health_reporting_enabled.elasticbeanstalk_enhanced_health_reporting_enabled.elasticbeanstalk_client",
+            new=ElasticBeanstalk(aws_provider),
+        ):
+            from prowler.providers.aws.services.elasticbeanstalk.elasticbeanstalk_enhanced_health_reporting_enabled.elasticbeanstalk_enhanced_health_reporting_enabled import (
+                elasticbeanstalk_enhanced_health_reporting_enabled,
+            )
+
+            check = elasticbeanstalk_enhanced_health_reporting_enabled()
+            result = check.execute()
+            assert len(result) == 0
+
+    @mock_aws
+    @mock.patch("botocore.client.BaseClient._make_api_call", new=mock_make_api_call)
+    def test_elasticbeanstalk_environment_cloudwatch_not_enabled(self):
+        elasticbeanstalk_client = client(
+            "elasticbeanstalk", region_name=AWS_REGION_EU_WEST_1
+        )
+        elasticbeanstalk_client.create_application(ApplicationName="test-app")
+        environment = elasticbeanstalk_client.create_environment(
+            ApplicationName="test-app",
+            EnvironmentName="test-env-using-enhanced-health-reporting",
+        )
+
+        aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
+
+        with mock.patch(
+            "prowler.providers.common.provider.Provider.get_global_provider",
+            return_value=aws_provider,
+        ), mock.patch(
+            "prowler.providers.aws.services.elasticbeanstalk.elasticbeanstalk_enhanced_health_reporting_enabled.elasticbeanstalk_enhanced_health_reporting_enabled.elasticbeanstalk_client",
+            new=ElasticBeanstalk(aws_provider),
+        ):
+            from prowler.providers.aws.services.elasticbeanstalk.elasticbeanstalk_enhanced_health_reporting_enabled.elasticbeanstalk_enhanced_health_reporting_enabled import (
+                elasticbeanstalk_enhanced_health_reporting_enabled,
+            )
+
+            check = elasticbeanstalk_enhanced_health_reporting_enabled()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == "Elastic Beanstalk environment test-env-using-enhanced-health-reporting has enhanced health reporting enabled."
+            )
+            assert result[0].resource_id == environment["EnvironmentName"]
+            assert result[0].resource_arn == environment["EnvironmentArn"]
+            assert result[0].region == AWS_REGION_EU_WEST_1
+
+    @mock_aws
+    @mock.patch("botocore.client.BaseClient._make_api_call", new=mock_make_api_call)
+    def test_elasticbeanstalk_environment_cloudwatch_enabled(self):
+        elasticbeanstalk_client = client(
+            "elasticbeanstalk", region_name=AWS_REGION_EU_WEST_1
+        )
+        elasticbeanstalk_client.create_application(ApplicationName="test-app")
+        environment = elasticbeanstalk_client.create_environment(
+            ApplicationName="test-app",
+            EnvironmentName="test-env-using-basic-health-reporting",
+        )
+
+        aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
+
+        with mock.patch(
+            "prowler.providers.common.provider.Provider.get_global_provider",
+            return_value=aws_provider,
+        ), mock.patch(
+            "prowler.providers.aws.services.elasticbeanstalk.elasticbeanstalk_enhanced_health_reporting_enabled.elasticbeanstalk_enhanced_health_reporting_enabled.elasticbeanstalk_client",
+            new=ElasticBeanstalk(aws_provider),
+        ):
+            from prowler.providers.aws.services.elasticbeanstalk.elasticbeanstalk_enhanced_health_reporting_enabled.elasticbeanstalk_enhanced_health_reporting_enabled import (
+                elasticbeanstalk_enhanced_health_reporting_enabled,
+            )
+
+            check = elasticbeanstalk_enhanced_health_reporting_enabled()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == "Elastic Beanstalk environment test-env-using-basic-health-reporting does not have enhanced health reporting enabled."
+            )
+            assert result[0].resource_id == environment["EnvironmentName"]
+            assert result[0].resource_arn == environment["EnvironmentArn"]
+            assert result[0].region == AWS_REGION_EU_WEST_1