Added AWS 'RDS IAN DB Authentication Enabled' plugin and test cases (#…

…561)
aquasecurity · Mar 26, 2021 · 192ffc0 · 192ffc0
1 parent 0ea1e9e
commit 192ffc0
Show file tree

Hide file tree

Showing 3 changed files with 150 additions and 0 deletions.
diff --git a/exports.js b/exports.js
@@ -239,6 +239,7 @@ module.exports = {
         'kmsDefaultKeyUsage'            : require(__dirname + '/plugins/aws/kms/kmsDefaultKeyUsage.js'),
         'kmsAppTierCmk'                 : require(__dirname + '/plugins/aws/kms/kmsAppTierCmk.js'),
 
+        'iamDbAuthenticationEnabled'    : require(__dirname + '/plugins/aws/rds/iamDbAuthenticationEnabled.js'),
         'rdsAutomatedBackups'           : require(__dirname + '/plugins/aws/rds/rdsAutomatedBackups.js'),
         'rdsEncryptionEnabled'          : require(__dirname + '/plugins/aws/rds/rdsEncryptionEnabled.js'),
         'rdsCmkEncryptionEnabled'       : require(__dirname + '/plugins/aws/rds/rdsCmkEncryptionEnabled.js'),

diff --git a/plugins/aws/rds/iamDbAuthenticationEnabled.js b/plugins/aws/rds/iamDbAuthenticationEnabled.js
@@ -0,0 +1,57 @@
+var async = require('async');
+var helpers = require('../../../helpers/aws');
+
+module.exports = {
+    title: 'RDS IAM Database Authentication Enabled',
+    category: 'RDS',
+    description: 'Ensures IAM Database Authentication is enabled for RDS database instances to manage database access',
+    more_info: 'AWS Identity and Access Management (IAM) can be used to authenticate to your RDS DB instances.',
+    link: 'https://docs.aws.amazon.com/neptune/latest/userguide/iam-auth.html',
+    recommended_action: 'Modify the PostgreSQL and MySQL type RDS instances to enable IAM database authentication.',
+    apis: ['RDS:describeDBInstances'],
+
+    run: function(cache, settings, callback) {
+        var results = [];
+        var source = {};
+        var regions = helpers.regions(settings);
+
+        async.each(regions.rds, function(region, rcb) {
+            var describeDBInstances = helpers.addSource(cache, source,
+                ['rds', 'describeDBInstances', region]);
+
+            if (!describeDBInstances) return rcb();
+
+            if (describeDBInstances.err || !describeDBInstances.data) {
+                helpers.addResult(results, 3,
+                    `Unable to query for RDS instances: ${helpers.addError(describeDBInstances)}`, region);
+                return rcb();
+            }
+
+            if (!describeDBInstances.data.length) {
+                helpers.addResult(results, 0, 'No RDS instances found', region);
+                return rcb();
+            }
+
+            describeDBInstances.data.forEach(instance => {
+                if (!instance.DBInstanceArn || !instance.Engine) return;
+
+                if (['postgres', 'mysql'].includes(instance.Engine)) {
+                    if (instance.IAMDatabaseAuthenticationEnabled) {
+                        helpers.addResult(results, 0,
+                            'RDS instance has IAM Database Authentication enabled', region, instance.DBInstanceArn);
+                    } else {
+                        helpers.addResult(results, 2,
+                            'RDS instance does not have IAM Database Authentication enabled', region, instance.DBInstanceArn);
+                    }
+                } else {
+                    helpers.addResult(results, 0,
+                        `RDS instance engine type ${instance.Engine} does not support IAM database authentication`, region, instance.DBInstanceArn);
+                }
+            });
+
+            rcb();
+        }, function() {
+            callback(null, results, source);
+        });
+    }
+};
diff --git a/plugins/aws/rds/iamDbAuthenticationEnabled.spec.js b/plugins/aws/rds/iamDbAuthenticationEnabled.spec.js
@@ -0,0 +1,92 @@
+const expect = require('chai').expect;
+var iamDbAuthenticationEnabled = require('./iamDbAuthenticationEnabled');
+
+const describeDBInstances = [
+    {
+        "DBInstanceArn": "arn:aws:rds:ap-south-1:111222333444:db:database-1",
+        "IAMDatabaseAuthenticationEnabled": true,
+        "Engine": "postgres",
+    },
+    {
+        "DBInstanceArn": "arn:aws:rds:ap-south-1:111222333444:db:database-1",
+        "IAMDatabaseAuthenticationEnabled": false,
+        "Engine": "postgres",
+    }
+];
+
+const createCache = (clusterData, clusterErr) => {
+    return {
+        rds: {
+            describeDBInstances: {
+                'us-east-1': {
+                    data: clusterData,
+                    err: clusterErr
+                }
+            }
+        }
+    };
+};
+
+const createNullCache = () => {
+    return {
+        rds: {
+            describeDBInstances: {
+                'us-east-1': null
+            }
+        }
+    };
+};
+
+describe('iamDbAuthenticationEnabled', function () {
+    describe('run', function () {
+
+        it('should PASS if RDS instance has IAM Database Authentication enabled', function (done) {
+            const cache = createCache([describeDBInstances[0]]);
+            iamDbAuthenticationEnabled.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].region).to.equal('us-east-1');
+                done();
+            });
+        });
+
+        it('should FAIL if RDS instance does not have IAM Database Authentication enabled', function (done) {
+            const cache = createCache([describeDBInstances[1]]);
+            iamDbAuthenticationEnabled.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(2);
+                expect(results[0].region).to.equal('us-east-1');
+                done();
+            });
+        });
+
+        it('should PASS if no RDS instances found', function (done) {
+            const cache = createCache([]);
+            iamDbAuthenticationEnabled.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].region).to.equal('us-east-1');
+                done();
+            });
+        });
+
+        it('should UNKNOWN if unable to describe RDS instances', function (done) {
+            const cache = createCache([], { message: 'Unable to describe instances' });
+            iamDbAuthenticationEnabled.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(3);
+                expect(results[0].region).to.equal('us-east-1');
+                done();
+            });
+        });
+
+
+        it('should not return anything if describe DB instances response not found', function (done) {
+            const cache = createNullCache();
+            iamDbAuthenticationEnabled.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(0);
+                done();
+            });
+        });
+    });
+});