aquasecurity · AkhtarAmir · Aug 12, 2020 · Aug 13, 2020 · Aug 14, 2020 · Aug 14, 2020
diff --git a/exports.js b/exports.js
@@ -79,6 +79,7 @@ module.exports = {
         'vpcEndpointAcceptance'         : require(__dirname + '/plugins/aws/ec2/vpcEndpointAcceptance'),
         'ebsEncryptedSnapshots'         : require(__dirname + '/plugins/aws/ec2/ebsEncryptedSnapshots.js'),
         'ec2MetadataOptions'             : require(__dirname + '/plugins/aws/ec2/ec2MetadataOptions.js'),
+        'openCustomPorts'               : require(__dirname + '/plugins/aws/ec2/openCustomPorts.js'),
 
         'efsEncryptionEnabled'          : require(__dirname + '/plugins/aws/efs/efsEncryptionEnabled.js'),
 

diff --git a/plugins/aws/ec2/openCustomPorts.js b/plugins/aws/ec2/openCustomPorts.js
@@ -0,0 +1,91 @@
+var async = require('async');
+var helpers = require('../../../helpers/aws');
+
+module.exports = {
+    title: 'Open Custom Ports',
+    category: 'EC2',
+    description: 'Ensures that the defined ports are not exposed publicly',
+    more_info: 'Security groups should be used to restrict access to ports from known networks.',
+    link: 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html',
+    recommended_action: 'Modify the security group to ensure the ports are not exposed publicly.',
+    apis: ['EC2:describeSecurityGroups'],
+    settings: {
+        open_port_allowed_list: {
+            name: 'EC2 Allowed Open Ports',
+            description: 'A comma-delimited list of ports that indicates open ports allowed for any connection',
+            regex: '[a-zA-Z0-9,]',
+            default: [80, 443]
+        }
+    },
+
+    run: function(cache, settings, callback) {
+        var results = [];
+        var source = {};
+        var regions = helpers.regions(settings);
+
+        var allowed_open_ports = settings.open_port_allowed_list || this.settings.open_port_allowed_list.default;
+
+        async.each(regions.ec2, function(region, rcb){
+            var describeSecurityGroups = helpers.addSource(cache, source,
+                ['ec2', 'describeSecurityGroups', region]);
+            if (!describeSecurityGroups) return rcb();
+            if (describeSecurityGroups.err || !describeSecurityGroups.data) {
+                helpers.addResult(results, 3,
+                    'Unable to query for security groups: ' + helpers.addError(describeSecurityGroups), region);
+                return rcb();
+            }
+
+            if (!describeSecurityGroups.data.length) {
+                helpers.addResult(results, 0, 'No security groups found', region);
+                return rcb();
+            }
+
+            // Loop through each security group
+            for (var g in describeSecurityGroups.data) {
+                var group = describeSecurityGroups.data[g];
+                var resource = group.GroupId;
+                var openPorts = [];
+
+                if (!group.IpPermissions) continue;
+
+                // Loop through each ip permissions in a security group
+                for (var p in group.IpPermissions) {
+                    var permission = group.IpPermissions[p];
+
+                    // Loop through each ip range for an ip permissions list
+                    for (var r in permission.IpRanges) {
+                        var range = permission.IpRanges[r];
+
+                        if (range.CidrIp && range.CidrIp === '0.0.0.0/0') {
+                            var portRange = permission.ToPort - permission.FromPort;
+
+                            // Check for all the ports in port range
+                            for (let p=0; p <= portRange; p++) {
+                                var port = permission.FromPort + p;
+
+                                if (!allowed_open_ports.includes(port)) {
+                                    var openPort = permission.IpProtocol.toUpperCase() + ' port ' + port;
+                                    if (openPorts.indexOf(openPort) === -1) openPorts.push(openPort);
+                                }
+                            }
+                        }
+                    }
+                }
+
+                if (openPorts.length) {
+                    helpers.addResult(results, 2,
+                        'Security group ' + group.GroupName + ' has: ' + openPorts.join(' , ') + ' open to 0.0.0.0/0', 
+                        region, resource);
+                } else {
+                    helpers.addResult(results, 0,
+                        'Security group: ' + group.GroupName + ' has no open ports',
+                        region, resource);
+                }
+            }
+
+            rcb();
+        }, function(){
+            callback(null, results, source);
+        });
+    }
+};
diff --git a/plugins/aws/ec2/openCustomPorts.spec.js b/plugins/aws/ec2/openCustomPorts.spec.js
@@ -0,0 +1,169 @@
+var expect = require('chai').expect;
+const openCustomPorts = require('./openCustomPorts');
+
+const securityGroups = [
+    {
+        "Description": "Allows SSh access to developer",
+        "GroupName": "spec-test-sg",
+        "IpPermissions": [{
+            "FromPort": 25,
+            "IpProtocol": "tcp",
+            "IpRanges": [
+                {
+                    "CidrIp": "0.0.0.0/0"
+                }
+            ],
+            "Ipv6Ranges": [
+                {
+                    "CidrIpv6": "::/0"
+                }
+            ],
+            "PrefixListIds": [],
+            "ToPort": 30,
+            "UserIdGroupPairs": []
+        }],
+        "OwnerId": "12345654321",
+        "GroupId": "sg-0b5f2771716acfee4",
+        "IpPermissionsEgress": [
+            {
+                "FromPort": 25,
+                "IpProtocol": "tcp",
+                "IpRanges": [
+                    {
+                        "CidrIp": "0.0.0.0/0"
+                    }
+                ],
+                "Ipv6Ranges": [
+                    {
+                        "CidrIpv6": "::/0"
+                    }
+                ],
+                "PrefixListIds": [],
+                "ToPort": 25,
+                "UserIdGroupPairs": []
+            }
+        ],
+        "VpcId": "vpc-99de2fe4"
+    },
+    {
+        "Description": "launch-wizard-1 created 2020-08-10T14:28:09.271+05:00",
+        "GroupName": "launch-wizard-1",
+        "IpPermissions": [
+            {
+                "FromPort": 80,
+                "IpProtocol": "tcp",
+                "IpRanges": [
+                    {
+                        "CidrIp": "0.0.0.0/0"
+                    }
+                ],
+                "Ipv6Ranges": [],
+                "PrefixListIds": [],
+                "ToPort": 80,
+                "UserIdGroupPairs": []
+            }
+        ],
+        "OwnerId": "12345654321",
+        "GroupId": "sg-0ff1642cae23c309a",
+        "IpPermissionsEgress": [
+            {
+                "IpProtocol": "-1",
+                "IpRanges": [
+                    {
+                        "CidrIp": "0.0.0.0/0"
+                    }
+                ],
+                "Ipv6Ranges": [],
+                "PrefixListIds": [],
+                "UserIdGroupPairs": []
+            }
+        ],
+        "VpcId": "vpc-99de2fe4"
+    }
+]
+
+const createCache = (groups) => {
+    return {
+        ec2: {
+            describeSecurityGroups: {
+                'us-east-1': {
+                    data: groups
+                },
+            },
+        },
+    };
+};
+
+const createErrorCache = () => {
+    return {
+        ec2: {
+            describeSecurityGroups: {
+                'us-east-1': {
+                    err: {
+                        message: 'error describing cloudformation stacks'
+                    },
+                },
+            },
+        },
+    };
+};
+
+const createNullCache = () => {
+    return {
+        ec2: {
+            describeSecurityGroups: {
+                'us-east-1': null,
+            },
+        },
+    };
+};
+
+describe('openCustomPorts', function () {
+    describe('run', function () {
+
+        it('should not return any results if unable to fetch any security groups description', function (done) {
+            const cache = createNullCache();
+            openCustomPorts.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(0);
+                done();
+            });
+        });
+
+        it('should UNKNOWN if error occurs while fetching any security groups description', function (done) {
+            const cache = createErrorCache();
+            openCustomPorts.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(3);
+                done();
+            });
+        });
+
+        it('should PASS if no security groups are present', function (done) {
+            const cache = createCache([]);
+            openCustomPorts.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                done();
+            });
+        });
+
+        it('should FAIL if any public open port is found', function (done) {
+            const cache = createCache([securityGroups[0]]);
+            openCustomPorts.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(2);
+                done();
+            });
+        });
+
+        it('should PASS if no public open port is found', function (done) {
+            const cache = createCache([securityGroups[1]]);
+            openCustomPorts.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                done();
+            });
+        });
+
+    });
+});