Find trust boundaries in VPC endpoint services

README.md

@@ -14,6 +14,7 @@
 - [Forensics Ready Checks](#forensics-ready-checks)
 - [GDPR Checks](#gdpr-checks)
 - [HIPAA Checks](#hipaa-checks)
+- [Trust Boundaries Checks](#trust-boundaries-checks)
 - [Add Custom Checks](#add-custom-checks)
 - [Third Party Integrations](#third-party-integrations)
 - [Full list of checks and groups](/LIST_OF_CHECKS_AND_GROUPS.md)
@@ -41,6 +42,7 @@ It covers hardening and security best practices for all AWS regions related to t
 - Forensics related group of checks [forensics-ready]
 - GDPR [gdpr] Read more [here](#gdpr-checks)
 - HIPAA [hipaa] Read more [here](#hipaa-checks)
+- Trust Boundaries [trustboundaries] Read more [here](#trustboundaries-checks)
 
 
 For a comprehensive list and resolution look at the guide on the link above.
@@ -421,6 +423,47 @@ The `hipaa` group of checks uses existing and extra checks. To get a HIPAA repor
 ./prowler -g hipaa
 ```
 
+## Trust Boundaries Checks
+### Definition and Terms
+The term "trust boundary" is originating from the threat modelling process and the most popular contributor Adam Shostack and author of "Threat Modeling: Designing for Security" defines it as following ([reference](https://adam.shostack.org/uncover.html)):
+
+> Trust boundaries are perhaps the most subjective of all: these represent the border between trusted and untrusted elements. Trust is complex. You might trust your mechanic with your car, your dentist with your teeth, and your banker with your money, but you probably don't trust your dentist to change your spark plugs.
+
+AWS is made to be flexible for service links within and between different AWS accounts, we all know that.
+
+This group of checks helps to analyse a particular AWS account (subject) on existing links to other AWS accounts across various AWS services, in order to identify untrusted links.
+
+### Run 
+To give it a quick shot just call:
+```sh
+./prowler -g trustboundaries
+```
+### Scenarios
+Currently this check group supports two different scenarios:
+  1. Single account environment: no action required, the configuration is happening automatically for you.
+  2. Multi account environment: in case you environment has multiple trusted and known AWS accounts you maybe want to append them manually to [groups/group16_trustboundaries](groups/group16_trustboundaries) as a space separated list into `GROUP_TRUSTBOUNDARIES_TRUSTED_ACCOUNT_IDS` variable, then just run prowler.
+
+### Coverage
+Current coverage of Amazon Web Service (AWS) taken from [here](https://docs.aws.amazon.com/whitepapers/latest/aws-overview/introduction.html):
+| Topic                           | Service    | Trust Boundary                                                            |
+|---------------------------------|------------|---------------------------------------------------------------------------|
+| Networking and Content Delivery | Amazon VPC | VPC endpoints connections ([extra786](checks/check_extra786))             |
+|                                 |            | VPC endpoints whitelisted principals ([extra787](checks/check_extra787))  |
+
+All ideas or recommendations to extend this group are very welcome [here](https://github.com/toniblyx/prowler/issues/new/choose).
+
+### Detailed Explanation of the Concept
+The diagrams depict two common scenarios, single account and multi account environments.
+Every circle represents one AWS account.
+The dashed line represents the trust boundary, that separates trust and untrusted AWS accounts.
+The arrow simply describes the direction of the trust, however the data can potentially flow in both directions.
+
+Single Account environment assumes that only the AWS account subject to this analysis is trusted. However there is a chance that two VPCs are existing within that one AWS account which are still trusted as a self reference.
+![single-account-environment](/docs/images/prowler-single-account-environment.png)
+
+Multi Account environments assumes a minimum of two trusted or known accounts. For this particular example all trusted and known accounts will be tested. Therefore `GROUP_TRUSTBOUNDARIES_TRUSTED_ACCOUNT_IDS` variable in [groups/group16_trustboundaries](groups/group16_trustboundaries) should include all trusted accounts Account #A, Account #B, Account #C, and Account #D in order to finally raise Account #E and Account #F for being untrusted or unknown.
+![multi-account-environment](/docs/images/prowler-multi-account-environment.png)
+
 ## Add Custom Checks
 
 In order to add any new check feel free to create a new extra check in the extras group or other group. To do so, you will need to follow these steps:

checks/check_extra789

@@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra789="7.89"
+CHECK_TITLE_extra789="[extra789] Find trust boundaries in VPC endpoint services connections"
+CHECK_SCORED_extra789="NOT_SCORED"
+CHECK_TYPE_extra789="EXTRA"
+CHECK_ALTERNATE_extra789="extra789"
+
+extra789(){
+    TRUSTED_ACCOUNT_IDS=$( echo "${ACCOUNT_NUM} ${GROUP_TRUSTBOUNDARIES_TRUSTED_ACCOUNT_IDS}" | xargs )
+
+    for regx in ${REGIONS}; do
+        ENDPOINT_SERVICES_IDS=$(${AWSCLI} ec2 describe-vpc-endpoint-services \
+                                ${PROFILE_OPT} \
+                                --query "ServiceDetails[?Owner=='${ACCOUNT_NUM}'].ServiceId" \
+                                --region ${regx} \
+                                --output text | xargs
+                                )
+
+        for ENDPOINT_SERVICE_ID in ${ENDPOINT_SERVICES_IDS}; do
+
+            ENDPOINT_CONNECTION_LIST=$(${AWSCLI} ec2 describe-vpc-endpoint-connections \
+                                        ${PROFILE_OPT} \
+                                        --query "VpcEndpointConnections[?VpcEndpointState=='available'].VpcEndpointOwner" \
+                                        --region ${regx} \
+                                        --output text | xargs
+                                        )
+
+            for ENDPOINT_CONNECTION in ${ENDPOINT_CONNECTION_LIST}; do
+                for ACCOUNT_ID in ${TRUSTED_ACCOUNT_IDS}; do
+                    if [[ "${ACCOUNT_ID}" == "${ENDPOINT_CONNECTION}" ]]; then
+                        textPass "${regx}: Found trusted account in VPC endpoint service connection ${ENDPOINT_CONNECTION}" "${regx}"
+                        # Algorithm: 
+                        # Remove all trusted ACCOUNT_IDs from ENDPOINT_CONNECTION_LIST.
+                        # As a result, the ENDPOINT_CONNECTION_LIST finally contains only unknown/untrusted account ids.
+                        ENDPOINT_CONNECTION_LIST=("${ENDPOINT_CONNECTION_LIST[@]/$ENDPOINT_CONNECTION}") # remove hit from whitelist
+                    fi
+                done
+            done
+
+            for UNTRUSTED_CONNECTION in ${ENDPOINT_CONNECTION_LIST}; do
+                textFail "${regx}: Found untrusted account in VPC endpoint service connection ${UNTRUSTED_CONNECTION}" "${regx}"
+            done
+        done  
+    done
+}

checks/check_extra790

@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra790="7.90"
+CHECK_TITLE_extra790="[extra790] Find trust boundaries in VPC endpoint services whitelisted principles"
+CHECK_SCORED_extra790="NOT_SCORED"
+CHECK_TYPE_extra790="EXTRA"
+CHECK_ALTERNATE_extra790="extra790"
+
+extra790(){
+    TRUSTED_ACCOUNT_IDS=$( echo "${ACCOUNT_NUM} ${GROUP_TRUSTBOUNDARIES_TRUSTED_ACCOUNT_IDS}" | xargs )
+
+    for regx in ${REGIONS}; do
+        ENDPOINT_SERVICES_IDS=$(${AWSCLI} ec2 describe-vpc-endpoint-services \
+                                ${PROFILE_OPT} \
+                                --query "ServiceDetails[?Owner=='${ACCOUNT_NUM}'].ServiceId" \
+                                --region ${regx} \
+                                --output text | xargs
+                                )
+
+        for ENDPOINT_SERVICE_ID in ${ENDPOINT_SERVICES_IDS}; do
+            ENDPOINT_PERMISSIONS_LIST=$(${AWSCLI} ec2 describe-vpc-endpoint-service-permissions \
+                                        ${PROFILE_OPT} \
+                                        --service-id ${ENDPOINT_SERVICE_ID} \
+                                        --query "AllowedPrincipals[*].Principal" \
+                                        --region ${regx} \
+                                        --output text | xargs
+                                        )
+
+            for ENDPOINT_PERMISSION in ${ENDPOINT_PERMISSIONS_LIST}; do
+                # Take only account id from ENDPOINT_PERMISSION: arn:aws:iam::965406151242:root
+                ENDPOINT_PERMISSION_ACCOUNT_ID=$(echo ${ENDPOINT_PERMISSION} | cut -d':' -f5 | xargs)
+
+                for ACCOUNT_ID in ${TRUSTED_ACCOUNT_IDS}; do
+                    if [[ "${ACCOUNT_ID}" == "${ENDPOINT_PERMISSION_ACCOUNT_ID}" ]]; then
+                        textPass "${regx}: Found trusted account in VPC endpoint service permission ${ENDPOINT_PERMISSION}" "${regx}"
+                        # Algorithm: 
+                        # Remove all trusted ACCOUNT_IDs from ENDPOINT_PERMISSIONS_LIST.
+                        # As a result, the ENDPOINT_PERMISSIONS_LIST finally contains only unknown/untrusted account ids.
+                        ENDPOINT_PERMISSIONS_LIST=("${ENDPOINT_PERMISSIONS_LIST[@]/$ENDPOINT_PERMISSION}") 
+                    fi
+                done
+            done
+
+            for UNTRUSTED_PERMISSION in ${ENDPOINT_PERMISSIONS_LIST}; do
+                textFail "${regx}: Found untrusted account in VPC endpoint service permission ${UNTRUSTED_PERMISSION}" "${regx}"
+            done
+        done  
+    done
+}