aquasecurity · AkhtarAmir · Aug 12, 2020 · Aug 13, 2020 · Aug 14, 2020 · Aug 14, 2020
diff --git a/exports.js b/exports.js
@@ -89,8 +89,9 @@ module.exports = {
         'crossVpcPublicPrivate'         : require(__dirname + '/plugins/aws/ec2/crossVpcPublicPrivate.js'),
         'vpcEndpointAcceptance'         : require(__dirname + '/plugins/aws/ec2/vpcEndpointAcceptance'),
         'ebsEncryptedSnapshots'         : require(__dirname + '/plugins/aws/ec2/ebsEncryptedSnapshots.js'),
+        'ec2MetadataOptions'             : require(__dirname + '/plugins/aws/ec2/ec2MetadataOptions.js'),
+        'openCustomPorts'               : require(__dirname + '/plugins/aws/ec2/openCustomPorts.js'),
         'ebsUnusedVolumes'              : require(__dirname + '/plugins/aws/ec2/ebsUnusedVolumes.js'),
-        'ec2MetadataOptions'            : require(__dirname + '/plugins/aws/ec2/ec2MetadataOptions.js'),
 
         'efsEncryptionEnabled'          : require(__dirname + '/plugins/aws/efs/efsEncryptionEnabled.js'),
 

diff --git a/plugins/aws/ec2/openCustomPorts.js b/plugins/aws/ec2/openCustomPorts.js
@@ -0,0 +1,128 @@
+var async = require('async');
+var helpers = require('../../../helpers/aws');
+
+module.exports = {
+    title: 'Open Custom Ports',
+    category: 'EC2',
+    description: 'Ensures that the defined ports are not exposed publicly',
+    more_info: 'Security groups should be used to restrict access to ports from known networks.',
+    link: 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html',
+    recommended_action: 'Modify the security group to ensure the ports are not exposed publicly.',
+    apis: ['EC2:describeSecurityGroups'],
+    settings: {
+        open_port_allowed_list: {
+            name: 'EC2 Allowed Open Ports',
+            description: 'A comma-delimited list of ports that indicates open ports allowed for any connection',
+            regex: '[a-zA-Z0-9,:]',
+            default: 'tcp:80,tcp:443'
+        }
+    },
+
+    run: function(cache, settings, callback) {
+        var results = [];
+        var source = {};
+        var regions = helpers.regions(settings);
+        var awsOrGov = helpers.defaultPartition(settings);
+
+        var allowed_open_ports = settings.open_port_allowed_list || this.settings.open_port_allowed_list.default;
+        allowed_open_ports = allowed_open_ports.split(',');
+
+        var ports = {};
+        allowed_open_ports.forEach(port => {
+            var [protocol, portNo] = port.split(':');
+            if (ports[protocol]) {
+                ports[protocol].push(Number(portNo));
+            } else {
+                ports[protocol] = [Number(portNo)];
+            }
+        });
+
+        async.each(regions.ec2, function(region, rcb){
+            var describeSecurityGroups = helpers.addSource(cache, source,
+                ['ec2', 'describeSecurityGroups', region]);
+
+            if (!describeSecurityGroups) return rcb();
+
+            if (describeSecurityGroups.err || !describeSecurityGroups.data) {
+                helpers.addResult(results, 3,
+                    `Unable to query for security groups: ${helpers.addError(describeSecurityGroups)}`, region);
+                return rcb();
+            }
+
+            if (!describeSecurityGroups.data.length) {
+                helpers.addResult(results, 0, 'No security groups found', region);
+                return rcb();
+            }
+
+            // Loop through each security group
+            for (var g in describeSecurityGroups.data) {
+                var group = describeSecurityGroups.data[g];
+                var resource = `arn:${awsOrGov}:ec2:${region}:${group.OwnerId}:security-group/${group.GroupId}`;
+
+                if (!group.IpPermissions) continue;
+
+                var cidrIps = [];
+
+                // Loop through each ip permissions in a security group
+                IpPermissionsLoop:
+                for (var p in group.IpPermissions) {
+                    var permission = group.IpPermissions[p];
+
+                    // Loop through each ip range for an ip permissions list
+                    IpRangesLoop:
+                    for (var r in permission.IpRanges) {
+                        var range = permission.IpRanges[r];
+
+                        if (range.CidrIp && range.CidrIp === '0.0.0.0/0') {
+                            var allowedPorts = ports[permission.IpProtocol] || [];
+                            var portRange = permission.ToPort - permission.FromPort;
+                            // Check for all the ports in port range
+                            for (let p=0; p <= portRange; p++) {
+                                var port = permission.FromPort + p;
+
+                                if (!allowedPorts.includes(port)) {
+                                    if (!cidrIps.length) cidrIps.push(range.CidrIp);
+                                    break IpRangesLoop;
+                                }
+                            }
+                        }
+                    }
+
+
+                    for (var l in permission.Ipv6Ranges) {
+                        var rangeV6 = permission.Ipv6Ranges[l];
+
+                        if (rangeV6.CidrIpv6 && rangeV6.CidrIpv6 === '::/0') {
+                            var allowedV6Ports = ports[permission.IpProtocol] || [];
+                            var portRangeV6 = permission.ToPort - permission.FromPort;
+
+                            // Check for all the ports in port range
+                            for (let p=0; p <= portRangeV6; p++) {
+                                var portV6 = permission.FromPort + p;
+
+                                if (!allowedV6Ports.includes(portV6)) {
+                                    cidrIps.push(rangeV6.CidrIpv6);
+                                    break IpPermissionsLoop;
+                                }
+                            }
+                        }
+                    }
+                }
+
+                if (!cidrIps.length) {
+                    helpers.addResult(results, 0,
+                        `Security group "${group.GroupName}" does not have ports open to 0.0.0.0/0`, 
+                        region, resource);
+                } else {
+                    helpers.addResult(results, 2,
+                        `Security group "${group.GroupName}" has ports open to ${cidrIps.join(', ')}`,
+                        region, resource);
+                }
+            }
+
+            rcb();
+        }, function(){
+            callback(null, results, source);
+        });
+    }
+};
diff --git a/plugins/aws/ec2/openCustomPorts.spec.js b/plugins/aws/ec2/openCustomPorts.spec.js
@@ -0,0 +1,167 @@
+var expect = require('chai').expect;
+const openCustomPorts = require('./openCustomPorts');
+
+const securityGroups = [
+    {
+        "Description": "Allows SSh access to developer",
+        "GroupName": "spec-test-sg",
+        "IpPermissions": [{
+            "FromPort": 25,
+            "IpProtocol": "tcp",
+            "IpRanges": [
+                {
+                    "CidrIp": "0.0.0.0/0"
+                }
+            ],
+            "Ipv6Ranges": [
+                {
+                    "CidrIpv6": "::/0"
+                }
+            ],
+            "PrefixListIds": [],
+            "ToPort": 30,
+            "UserIdGroupPairs": []
+        }],
+        "OwnerId": "12345654321",
+        "GroupId": "sg-0b5f2771716acfee4",
+        "IpPermissionsEgress": [
+            {
+                "FromPort": 25,
+                "IpProtocol": "tcp",
+                "IpRanges": [
+                    {
+                        "CidrIp": "0.0.0.0/0"
+                    }
+                ],
+                "Ipv6Ranges": [
+                    {
+                        "CidrIpv6": "::/0"
+                    }
+                ],
+                "PrefixListIds": [],
+                "ToPort": 25,
+                "UserIdGroupPairs": []
+            }
+        ],
+        "VpcId": "vpc-99de2fe4"
+    },
+    {
+        "Description": "launch-wizard-1 created 2020-08-10T14:28:09.271+05:00",
+        "GroupName": "launch-wizard-1",
+        "IpPermissions": [
+            {
+                "FromPort": 80,
+                "IpProtocol": "tcp",
+                "IpRanges": [
+                    {
+                        "CidrIp": "0.0.0.0/0"
+                    }
+                ],
+                "Ipv6Ranges": [],
+                "PrefixListIds": [],
+                "ToPort": 80,
+                "UserIdGroupPairs": []
+            }
+        ],
+        "OwnerId": "12345654321",
+        "GroupId": "sg-0ff1642cae23c309a",
+        "IpPermissionsEgress": [
+            {
+                "IpProtocol": "-1",
+                "IpRanges": [
+                    {
+                        "CidrIp": "0.0.0.0/0"
+                    }
+                ],
+                "Ipv6Ranges": [],
+                "PrefixListIds": [],
+                "UserIdGroupPairs": []
+            }
+        ],
+        "VpcId": "vpc-99de2fe4"
+    }
+]
+
+const createCache = (groups) => {
+    return {
+        ec2: {
+            describeSecurityGroups: {
+                'us-east-1': {
+                    data: groups
+                },
+            },
+        },
+    };
+};
+
+const createErrorCache = () => {
+    return {
+        ec2: {
+            describeSecurityGroups: {
+                'us-east-1': {
+                    err: {
+                        message: 'error describing security groups'
+                    },
+                },
+            },
+        },
+    };
+};
+
+const createNullCache = () => {
+    return {
+        ec2: {
+            describeSecurityGroups: {
+                'us-east-1': null,
+            },
+        },
+    };
+};
+
+describe('openCustomPorts', function () {
+    describe('run', function () {
+        it('should FAIL if security group has open ports', function (done) {
+            const cache = createCache([securityGroups[0]]);
+            openCustomPorts.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(2);
+                done();
+            });
+        });
+
+        it('should PASS if no security group does not have open ports', function (done) {
+            const cache = createCache([securityGroups[1]]);
+            openCustomPorts.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                done();
+            });
+        });
+
+        it('should PASS if no security groups found', function (done) {
+            const cache = createCache([]);
+            openCustomPorts.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                done();
+            });
+        });
+
+        it('should UNKNOWN if unable to describe security groups', function (done) {
+            const cache = createErrorCache();
+            openCustomPorts.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(3);
+                done();
+            });
+        });
+
+        it('should not return any results if describe security groups response not found', function (done) {
+            const cache = createNullCache();
+            openCustomPorts.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(0);
+                done();
+            });
+        });
+    });
+});