feature/104 | Added ElasticSearch Exposed Domain plugin, spec file (#310

) * Added ElasticSearch Exposed Domain plugin, spec file * Accommodated requested PR changes
aquasecurity · Sep 21, 2020 · 759a23f · 759a23f
1 parent 5bab5b1
commit 759a23f
Show file tree

Hide file tree

Showing 3 changed files with 403 additions and 0 deletions.
diff --git a/exports.js b/exports.js
@@ -118,6 +118,7 @@ module.exports = {
         'esPublicEndpoint'              : require(__dirname + '/plugins/aws/es/esPublicEndpoint.js'),
         'esRequireIAMAuth'              : require(__dirname + '/plugins/aws/es/esRequireIAMAuth.js'),
         'esEncryptedDomain'             : require(__dirname + '/plugins/aws/es/esEncryptedDomain.js'),
+        'esExposedDomain'               : require(__dirname + '/plugins/aws/es/esExposedDomain.js'),
         'esNodeToNodeEncryption'        : require(__dirname + '/plugins/aws/es/esNodeToNodeEncryption.js'),
         'esLoggingEnabled'              : require(__dirname + '/plugins/aws/es/esLoggingEnabled.js'),
         'esUpgradeAvailable'            : require(__dirname + '/plugins/aws/es/esUpgradeAvailable.js'),

diff --git a/plugins/aws/es/esExposedDomain.js b/plugins/aws/es/esExposedDomain.js
@@ -0,0 +1,86 @@
+var async = require('async');
+var helpers = require('../../../helpers/aws');
+
+module.exports = {
+    title: 'ElasticSearch Exposed Domain',
+    category: 'ES',
+    description: 'Ensures ElasticSearch domains are not publicly exposed to all AWS accounts',
+    more_info: 'ElasticSearch domains should not be publicly exposed to all AWS accounts.',
+    link: 'https://aws.amazon.com/blogs/database/set-access-control-for-amazon-elasticsearch-service/',
+    recommended_action: 'Update elasticsearch domain to set access control.',
+    apis: ['ES:listDomainNames', 'ES:describeElasticsearchDomain'],
+
+    run: function(cache, settings, callback) {
+        var results = [];
+        var source = {};
+        var regions = helpers.regions(settings);
+
+        async.each(regions.es, function(region, rcb) {
+            var listDomainNames = helpers.addSource(cache, source,
+                ['es', 'listDomainNames', region]);
+
+            if (!listDomainNames) return rcb();
+
+            if (listDomainNames.err || !listDomainNames.data) {
+                helpers.addResult(
+                    results, 3,
+                    'Unable to query for ES domains: ' + helpers.addError(listDomainNames), region);
+                return rcb();
+            }
+
+            if (!listDomainNames.data.length){
+                helpers.addResult(results, 0, 'No ES domains found', region);
+                return rcb();
+            }
+
+            listDomainNames.data.forEach(function(domain){
+                var describeElasticsearchDomain = helpers.addSource(cache, source,
+                    ['es', 'describeElasticsearchDomain', region, domain.DomainName]);
+                var resource = domain.ARN;
+
+                if (!describeElasticsearchDomain ||
+                    describeElasticsearchDomain.err ||
+                    !describeElasticsearchDomain.data || 
+                    !describeElasticsearchDomain.data.DomainStatus) {
+                    helpers.addResult(
+                        results, 3,
+                        'Unable to query for ES domain config: ' + helpers.addError(describeElasticsearchDomain), region, resource);
+                }
+
+                var goodStatements = [];
+
+                if (describeElasticsearchDomain.data.DomainStatus.AccessPolicies) {
+                    var accessPolicies = JSON.parse(describeElasticsearchDomain.data.DomainStatus.AccessPolicies);
+
+                    if (accessPolicies.Statement && accessPolicies.Statement.length) {
+                        accessPolicies.Statement.forEach(statement => {
+                            if (statement.Principal && statement.Principal.AWS && statement.Principal.AWS != '*') {
+                                goodStatements.push(statement);
+                            }
+                        });
+
+                        if (goodStatements.length === accessPolicies.Statement.length) {
+                            helpers.addResult(results, 0,
+                                'Domain :' + domain.DomainName + ': is not exposed to all AWS accounts',
+                                region, resource);
+                        } else {
+                            helpers.addResult(results, 2,
+                                'Domain :' + domain.DomainName + ': is exposed to all AWS accounts',
+                                region, resource);
+                        }
+                    } else {
+                        helpers.addResult(results, 2,
+                            'No statement found for access policies', region, resource);
+                    }
+                } else {
+                    helpers.addResult(results, 2,
+                        'No access policy found', region, resource);
+                }
+            });
+
+            rcb();
+        }, function() {
+            callback(null, results, source);
+        });
+    }
+};