From 262e0893b5e81712b6e3cf58410fe308714219c6 Mon Sep 17 00:00:00 2001 From: Daniel Barranquero Date: Wed, 30 Oct 2024 12:53:43 +0100 Subject: [PATCH 1/6] chore(dms): add redis tls enabled to the service --- prowler/providers/aws/services/dms/dms_service.py | 4 ++++ tests/providers/aws/services/dms/dms_service_test.py | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/prowler/providers/aws/services/dms/dms_service.py b/prowler/providers/aws/services/dms/dms_service.py index a424c230376..089ed3d9abf 100644 --- a/prowler/providers/aws/services/dms/dms_service.py +++ b/prowler/providers/aws/services/dms/dms_service.py @@ -71,6 +71,9 @@ def _describe_endpoints(self, regional_client): id=endpoint["EndpointIdentifier"], region=regional_client.region, ssl_mode=endpoint.get("SslMode", False), + redis_tls_enabled=endpoint.get("RedisSettings", {}).get( + "SslSecurityProtocol", "plaintext" + ), ) except Exception as error: logger.error( @@ -94,6 +97,7 @@ class Endpoint(BaseModel): region: str ssl_mode: str tags: Optional[list] + redis_tls_enabled: Optional[str] class RepInstance(BaseModel): diff --git a/tests/providers/aws/services/dms/dms_service_test.py b/tests/providers/aws/services/dms/dms_service_test.py index 7a13e8a872f..9f0982645aa 100644 --- a/tests/providers/aws/services/dms/dms_service_test.py +++ b/tests/providers/aws/services/dms/dms_service_test.py @@ -44,6 +44,9 @@ def mock_make_api_call(self, operation_name, kwargs): "EndpointIdentifier": DMS_ENDPOINT_NAME, "EndpointArn": DMS_ENDPOINT_ARN, "SslMode": "require", + "RedisSettings": { + "SslSecurityProtocol": "ssl-encryption", + }, } ] } @@ -121,6 +124,7 @@ def test_describe_endpoints(self): assert len(dms.endpoints) == 1 assert dms.endpoints[DMS_ENDPOINT_ARN].id == DMS_ENDPOINT_NAME assert dms.endpoints[DMS_ENDPOINT_ARN].ssl_mode == "require" + assert dms.endpoints[DMS_ENDPOINT_ARN].redis_tls_enabled == "ssl-encryption" def test_list_tags(self): aws_provider = set_mocked_aws_provider() 
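Review bot: The fallback in the added `endpoint.get("RedisSettings", {}).get("SslSecurityProtocol", "plaintext")` means any Redis endpoint whose DescribeEndpoints entry omits the key is reported as unencrypted. As far as I recall the DMS API reference lists `ssl-encryption` as the default for this setting when it is not given at creation; if the service ever leaves a defaulted value out of the response, an encrypted endpoint would become a false positive, so this is worth confirming against a live response. If the fail-closed behaviour is deliberate, state it next to the call, e.g. `# A missing SslSecurityProtocol is treated as plaintext on purpose (fail closed)`. The `_describe_endpoints` loop and the try/except around this constructor begin outside the hunk.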
From 779e26b96f377d7d62e6f6ec22e72f8a26f4d42b Mon Sep 17 00:00:00 2001 From: Daniel Barranquero Date: Wed, 30 Oct 2024 12:55:01 +0100 Subject: [PATCH 2/6] feat(dms): add check code and metadata --- .../__init__.py | 0 ...s_endpoint_redis_tls_enabled.metadata.json | 32 +++++++++++++ .../dms_endpoint_redis_tls_enabled.py | 45 +++++++++++++++++++ 3 files changed, 77 insertions(+) create mode 100644 prowler/providers/aws/services/dms/dms_endpoint_redis_tls_enabled/__init__.py create mode 100644 prowler/providers/aws/services/dms/dms_endpoint_redis_tls_enabled/dms_endpoint_redis_tls_enabled.metadata.json create mode 100644 prowler/providers/aws/services/dms/dms_endpoint_redis_tls_enabled/dms_endpoint_redis_tls_enabled.py diff --git a/prowler/providers/aws/services/dms/dms_endpoint_redis_tls_enabled/__init__.py b/prowler/providers/aws/services/dms/dms_endpoint_redis_tls_enabled/__init__.py new file mode 100644 index 00000000000..e69de29bb2d diff --git a/prowler/providers/aws/services/dms/dms_endpoint_redis_tls_enabled/dms_endpoint_redis_tls_enabled.metadata.json b/prowler/providers/aws/services/dms/dms_endpoint_redis_tls_enabled/dms_endpoint_redis_tls_enabled.metadata.json new file mode 100644 index 00000000000..b476132fdef --- /dev/null +++ b/prowler/providers/aws/services/dms/dms_endpoint_redis_tls_enabled/dms_endpoint_redis_tls_enabled.metadata.json 
@@ -0,0 +1,32 @@ +{ + "Provider": "aws", + "CheckID": "dms_endpoint_redis_tls_enabled", + "CheckTitle": "Check if DMS endpoints for Redis OSS have TLS enabled.", + "CheckType": [ + "Software and Configuration Checks/AWS Security Best Practices" + ], + "ServiceName": "dms", + "SubServiceName": "", + "ResourceIdTemplate": "arn:aws:dms:region:account-id:endpoint/endpoint-id", + "Severity": "medium", + "ResourceType": "AwsDmsEndpoint", + "Description": "This control checks whether an AWS DMS endpoint for Redis OSS is configured with a TLS connection. The control fails if the endpoint doesn't have TLS enabled.", + "Risk": "Without TLS, data transmitted between databases may be vulnerable to interception or eavesdropping, increasing the risk of data breaches and other security incidents.", + "RelatedUrl": "https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Source.Redis.html", + "Remediation": { + "Code": { + "CLI": "aws dms modify-endpoint --endpoint-arn --redis-settings '{'SslSecurityProtocol': 'ssl-encryption'}'", + "NativeIaC": "", + "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/dms-controls.html#dms-12", + "Terraform": "" + }, + "Recommendation": { + "Text": "Enable TLS for DMS endpoints for Redis OSS to ensure encrypted communication during data migration.", + "Url": "https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Target.Redis.html#CHAP_Target.Redis.EndpointSettings" + } + }, + "Categories": [], + "DependsOn": [], + "RelatedTo": [], + "Notes": "" +} diff --git a/prowler/providers/aws/services/dms/dms_endpoint_redis_tls_enabled/dms_endpoint_redis_tls_enabled.py b/prowler/providers/aws/services/dms/dms_endpoint_redis_tls_enabled/dms_endpoint_redis_tls_enabled.py new file mode 100644 index 00000000000..198c4e8f21e --- /dev/null +++ b/prowler/providers/aws/services/dms/dms_endpoint_redis_tls_enabled/dms_endpoint_redis_tls_enabled.py 
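Review bot: The remediation command `"CLI": "aws dms modify-endpoint --endpoint-arn --redis-settings '{'SslSecurityProtocol': 'ssl-encryption'}'"` is not runnable as written: `--endpoint-arn` has no placeholder, and the nested single quotes terminate the shell string so `--redis-settings` receives malformed JSON. Change it to `"CLI": "aws dms modify-endpoint --endpoint-arn <endpoint-arn> --redis-settings '{\"SslSecurityProtocol\": \"ssl-encryption\"}'"`. `ServerName` and `Port` are, I believe, required members of `RedisSettings`, so the CLI may also reject the object unless they are repeated; worth a quick check before this ships. A remediation field is the one place an auditor expects to paste from, so it should be copy-paste correct.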
@@ -0,0 +1,45 @@ +from typing import List + +from prowler.lib.check.models import Check, Check_Report_AWS +from prowler.providers.aws.services.dms.dms_client import dms_client + + +class dms_endpoint_redis_tls_enabled(Check): + """ + Check if AWS DMS Endpoints for Redis OSS have TLS enabled. + + This class verifies whether each AWS DMS Endpoint configured for Redis OSS has TLS enabled + by checking the `TlsEnabled` property in the endpoint's configuration. The check ensures that + TLS is enabled to secure data in transit, preventing unauthorized access and ensuring data integrity. + """ + + def execute(self) -> List[Check_Report_AWS]: + """ + Execute the DMS Redis TLS enabled check. + + Iterates over all DMS Endpoints and generates a report indicating whether + each Redis OSS endpoint has TLS enabled. + + Returns: + List[Check_Report_AWS]: A list of report objects with the results of the check. + """ + findings = [] + for endpoint_arn, endpoint in dms_client.endpoints.items(): + report = Check_Report_AWS(self.metadata()) + report.resource_id = endpoint.id + report.resource_arn = endpoint_arn + report.region = endpoint.region + report.resource_tags = endpoint.tags + report.status = "FAIL" + report.status_extended = ( + f"DMS Endpoint '{endpoint.id}' for Redis OSS does not have TLS enabled." + ) + if endpoint.redis_tls_enabled == "ssl-encryption": + report.status = "PASS" + report.status_extended = ( + f"DMS Endpoint '{endpoint.id}' for Redis OSS has TLS enabled." + ) + + findings.append(report) + + return findings From 4e4ff41aed461388ded1a3ac112d3ec3b749b1a7 Mon Sep 17 00:00:00 2001 From: Daniel Barranquero Date: Wed, 30 Oct 2024 12:57:02 +0100 Subject: [PATCH 3/6] feat(rds): add unit tests --- .../dms_endpoint_redis_tls_enabled_test.py | 208 ++++++++++++++++++ 1 file changed, 208 insertions(+) create mode 100644 tests/providers/aws/services/dms/dms_endpoint_redis_tls_enabled/dms_endpoint_redis_tls_enabled_test.py 
diff --git a/tests/providers/aws/services/dms/dms_endpoint_redis_tls_enabled/dms_endpoint_redis_tls_enabled_test.py b/tests/providers/aws/services/dms/dms_endpoint_redis_tls_enabled/dms_endpoint_redis_tls_enabled_test.py new file mode 100644 index 00000000000..09ae50376f6 --- /dev/null +++ b/tests/providers/aws/services/dms/dms_endpoint_redis_tls_enabled/dms_endpoint_redis_tls_enabled_test.py 
@@ -0,0 +1,208 @@ +from unittest import mock + +import botocore +from boto3 import client +from moto import mock_aws + +from tests.providers.aws.utils import ( + AWS_ACCOUNT_NUMBER, + AWS_REGION_US_EAST_1, + set_mocked_aws_provider, +) + +make_api_call = botocore.client.BaseClient._make_api_call + +DMS_ENDPOINT_NAME = "dms-endpoint" +DMS_ENDPOINT_ARN = f"arn:aws:dms:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:endpoint:{DMS_ENDPOINT_NAME}" +DMS_INSTANCE_NAME = "rep-instance" +DMS_INSTANCE_ARN = ( + f"arn:aws:dms:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:rep:{DMS_INSTANCE_NAME}" +) + + +def mock_make_api_call_enabled(self, operation_name, kwarg): + if operation_name == "DescribeEndpoints": + return { + "Endpoints": [ + { + "EndpointIdentifier": DMS_ENDPOINT_NAME, + "EndpointArn": DMS_ENDPOINT_ARN, + "SslMode": "require", + "RedisSettings": { + "SslSecurityProtocol": "ssl-encryption", + }, + } + ] + } + elif operation_name == "ListTagsForResource": + if kwarg["ResourceArn"] == DMS_INSTANCE_ARN: + return { + "TagList": [ + {"Key": "Name", "Value": "rep-instance"}, + {"Key": "Owner", "Value": "admin"}, + ] + } + elif kwarg["ResourceArn"] == DMS_ENDPOINT_ARN: + return { + "TagList": [ + {"Key": "Name", "Value": "dms-endpoint"}, + {"Key": "Owner", "Value": "admin"}, + ] + } + return make_api_call(self, operation_name, kwarg) + + +def mock_make_api_call_not_enabled(self, operation_name, kwarg): + if operation_name == "DescribeEndpoints": + return { + "Endpoints": [ + { + "EndpointIdentifier": DMS_ENDPOINT_NAME, + "EndpointArn": DMS_ENDPOINT_ARN, + "SslMode": "require", + "RedisSettings": { + "SslSecurityProtocol": "plaintext", + }, + } + ] + } + elif operation_name == "ListTagsForResource": + if kwarg["ResourceArn"] == DMS_INSTANCE_ARN: + return { + "TagList": [ + {"Key": "Name", "Value": "rep-instance"}, + {"Key": "Owner", "Value": "admin"}, + ] + } + elif kwarg["ResourceArn"] == DMS_ENDPOINT_ARN: + return { + "TagList": [ + {"Key": "Name", "Value": "dms-endpoint"}, + 
{"Key": "Owner", "Value": "admin"}, + ] + } + return make_api_call(self, operation_name, kwarg) + + +class Test_dms_endpoint_redis_tls_enabled: + @mock_aws + def test_no_dms_endpoints(self): + dms_client = client("dms", region_name=AWS_REGION_US_EAST_1) + dms_client.endpoints = {} + + from prowler.providers.aws.services.dms.dms_service import DMS + + aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1]) + + with mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=aws_provider, + ), mock.patch( + "prowler.providers.aws.services.dms.dms_endpoint_redis_tls_enabled.dms_endpoint_redis_tls_enabled.dms_client", + new=DMS(aws_provider), + ): + # Test Check + from prowler.providers.aws.services.dms.dms_endpoint_redis_tls_enabled.dms_endpoint_redis_tls_enabled import ( + dms_endpoint_redis_tls_enabled, + ) + + check = dms_endpoint_redis_tls_enabled() + result = check.execute() + + assert len(result) == 0 + + @mock_aws + def test_dms_mongodb_auth_mecanism_not_enabled(self): + with mock.patch( + "botocore.client.BaseClient._make_api_call", + new=mock_make_api_call_not_enabled, + ): + + from prowler.providers.aws.services.dms.dms_service import DMS + + aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1]) + + with mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=aws_provider, + ), mock.patch( + "prowler.providers.aws.services.dms.dms_endpoint_redis_tls_enabled.dms_endpoint_redis_tls_enabled.dms_client", + new=DMS(aws_provider), + ): + # Test Check + from prowler.providers.aws.services.dms.dms_endpoint_redis_tls_enabled.dms_endpoint_redis_tls_enabled import ( + dms_endpoint_redis_tls_enabled, + ) + + check = dms_endpoint_redis_tls_enabled() + result = check.execute() + + assert len(result) == 1 + assert result[0].status == "FAIL" + assert result[0].status_extended == ( + "DMS Endpoint 'dms-endpoint' for Redis OSS does not have TLS enabled." 
+ ) + assert result[0].resource_id == "dms-endpoint" + assert ( + result[0].resource_arn + == "arn:aws:dms:us-east-1:123456789012:endpoint:dms-endpoint" + ) + assert result[0].resource_tags == [ + { + "Key": "Name", + "Value": "dms-endpoint", + }, + { + "Key": "Owner", + "Value": "admin", + }, + ] + assert result[0].region == "us-east-1" + + @mock_aws + def test_dms_mongodb_auth_mecanism_enabled(self): + with mock.patch( + "botocore.client.BaseClient._make_api_call", + new=mock_make_api_call_enabled, + ): + + from prowler.providers.aws.services.dms.dms_service import DMS + + aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1]) + + with mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=aws_provider, + ), mock.patch( + "prowler.providers.aws.services.dms.dms_endpoint_redis_tls_enabled.dms_endpoint_redis_tls_enabled.dms_client", + new=DMS(aws_provider), + ): + # Test Check + from prowler.providers.aws.services.dms.dms_endpoint_redis_tls_enabled.dms_endpoint_redis_tls_enabled import ( + dms_endpoint_redis_tls_enabled, + ) + + check = dms_endpoint_redis_tls_enabled() + result = check.execute() + + assert len(result) == 1 + assert result[0].status == "PASS" + assert result[0].status_extended == ( + "DMS Endpoint 'dms-endpoint' for Redis OSS has TLS enabled." + ) + assert result[0].resource_id == "dms-endpoint" + assert ( + result[0].resource_arn + == "arn:aws:dms:us-east-1:123456789012:endpoint:dms-endpoint" + ) + assert result[0].resource_tags == [ + { + "Key": "Name", + "Value": "dms-endpoint", + }, + { + "Key": "Owner", + "Value": "admin", + }, + ] + assert result[0].region == "us-east-1" From 42a579dee86e6b795661873b495d7b2b4b42bb8d Mon Sep 17 00:00:00 2001 
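Review bot: The test methods `test_dms_mongodb_auth_mecanism_not_enabled` and `test_dms_mongodb_auth_mecanism_enabled` are named after a MongoDB authentication check but exercise the Redis TLS check, which makes CI failures hard to attribute and reads as a paste from a sibling test. Rename them to `test_dms_endpoint_redis_tls_not_enabled` / `test_dms_endpoint_redis_tls_enabled` (the later rename in this series keeps the MongoDB names and the "mecanism" typo). In `test_no_dms_endpoints`, `dms_client.endpoints = {}` sets an attribute on the boto3 client, not on the Prowler `DMS` object patched in below, so the line has no effect and can be dropped.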
From: Daniel Barranquero Date: Thu, 31 Oct 2024 12:15:29 +0100 Subject: [PATCH 4/6] chore(dms): made suggested changes to verify the endpoint is redis --- .../dms_endpoint_redis_tls_enabled.py | 31 +++++---- .../providers/aws/services/dms/dms_service.py | 2 + .../dms_endpoint_redis_tls_enabled_test.py | 63 +++++++++++++++++++ .../aws/services/dms/dms_service_test.py | 2 + 4 files changed, 82 insertions(+), 16 deletions(-) diff --git a/prowler/providers/aws/services/dms/dms_endpoint_redis_tls_enabled/dms_endpoint_redis_tls_enabled.py b/prowler/providers/aws/services/dms/dms_endpoint_redis_tls_enabled/dms_endpoint_redis_tls_enabled.py index 198c4e8f21e..35c4a639287 100644 --- a/prowler/providers/aws/services/dms/dms_endpoint_redis_tls_enabled/dms_endpoint_redis_tls_enabled.py +++ b/prowler/providers/aws/services/dms/dms_endpoint_redis_tls_enabled/dms_endpoint_redis_tls_enabled.py 
@@ -25,21 +25,20 @@ def execute(self) -> List[Check_Report_AWS]: """ findings = [] for endpoint_arn, endpoint in dms_client.endpoints.items(): - report = Check_Report_AWS(self.metadata()) - report.resource_id = endpoint.id - report.resource_arn = endpoint_arn - report.region = endpoint.region - report.resource_tags = endpoint.tags - report.status = "FAIL" - report.status_extended = ( - f"DMS Endpoint '{endpoint.id}' for Redis OSS does not have TLS enabled." - ) - if endpoint.redis_tls_enabled == "ssl-encryption": - report.status = "PASS" - report.status_extended = ( - f"DMS Endpoint '{endpoint.id}' for Redis OSS has TLS enabled." - ) - - findings.append(report) + if endpoint.engine_name == "redis": + report = Check_Report_AWS(self.metadata()) + report.resource_id = endpoint.id + report.resource_arn = endpoint_arn + report.region = endpoint.region + report.resource_tags = endpoint.tags + report.status = "FAIL" + report.status_extended = f"DMS Endpoint '{endpoint.id}' for Redis OSS does not have TLS enabled." + if endpoint.redis_tls_enabled == "ssl-encryption": + report.status = "PASS" + report.status_extended = ( + f"DMS Endpoint '{endpoint.id}' for Redis OSS has TLS enabled." + ) + + findings.append(report) return findings diff --git a/prowler/providers/aws/services/dms/dms_service.py b/prowler/providers/aws/services/dms/dms_service.py index 089ed3d9abf..9c960214380 100644 --- a/prowler/providers/aws/services/dms/dms_service.py +++ b/prowler/providers/aws/services/dms/dms_service.py @@ -74,6 +74,7 @@ def _describe_endpoints(self, regional_client): redis_tls_enabled=endpoint.get("RedisSettings", {}).get( "SslSecurityProtocol", "plaintext" ), + engine_name=endpoint["EngineName"], ) except Exception as error: logger.error( @@ -98,6 +99,7 @@ class Endpoint(BaseModel): ssl_mode: str tags: Optional[list] redis_tls_enabled: Optional[str] + engine_name: Optional[str] class RepInstance(BaseModel): 
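Review bot: On the service side, `engine_name=endpoint["EngineName"]` is the only field in this constructor read with a hard subscript; its neighbours use `.get()` with a default. The only handler visible below is `except Exception as error: logger.error(`, so a response entry without that key would not merely miss this check but would be dropped from `self.endpoints` altogether, silently removing it from every DMS check. `EngineName` is presumably always present in DescribeEndpoints output, but the cost of being wrong is an inventory gap rather than a failed finding; `engine_name=endpoint.get("EngineName", "")` keeps the existing fallback pattern and the check's `== "redis"` gate then simply skips such an entry. The `_describe_endpoints` loop and its try begin outside the hunk.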
diff --git a/tests/providers/aws/services/dms/dms_endpoint_redis_tls_enabled/dms_endpoint_redis_tls_enabled_test.py b/tests/providers/aws/services/dms/dms_endpoint_redis_tls_enabled/dms_endpoint_redis_tls_enabled_test.py index 09ae50376f6..b0b7920a53e 100644 --- a/tests/providers/aws/services/dms/dms_endpoint_redis_tls_enabled/dms_endpoint_redis_tls_enabled_test.py +++ b/tests/providers/aws/services/dms/dms_endpoint_redis_tls_enabled/dms_endpoint_redis_tls_enabled_test.py @@ -20,6 +20,39 @@ ) +def mock_make_api_call_enabled_not_redis(self, operation_name, kwarg): + if operation_name == "DescribeEndpoints": + return { + "Endpoints": [ + { + "EndpointIdentifier": DMS_ENDPOINT_NAME, + "EndpointArn": DMS_ENDPOINT_ARN, + "SslMode": "require", + "RedisSettings": { + "SslSecurityProtocol": "ssl-encryption", + }, + "EngineName": "oracle", + } + ] + } + elif operation_name == "ListTagsForResource": + if kwarg["ResourceArn"] == DMS_INSTANCE_ARN: + return { + "TagList": [ + {"Key": "Name", "Value": "rep-instance"}, + {"Key": "Owner", "Value": "admin"}, + ] + } + elif kwarg["ResourceArn"] == DMS_ENDPOINT_ARN: + return { + "TagList": [ + {"Key": "Name", "Value": "dms-endpoint"}, + {"Key": "Owner", "Value": "admin"}, + ] + } + return make_api_call(self, operation_name, kwarg) + + def mock_make_api_call_enabled(self, operation_name, kwarg): if operation_name == "DescribeEndpoints": return { @@ -31,6 +64,7 @@ def mock_make_api_call_enabled(self, operation_name, kwarg): "RedisSettings": { "SslSecurityProtocol": "ssl-encryption", }, + "EngineName": "redis", } ] } @@ -63,6 +97,7 @@ def mock_make_api_call_not_enabled(self, operation_name, kwarg): "RedisSettings": { "SslSecurityProtocol": "plaintext", }, + "EngineName": "redis", } ] } 
@@ -111,6 +146,34 @@ def test_no_dms_endpoints(self): assert len(result) == 0 + @mock_aws + def test_dms_not_mongodb_auth_mecanism_enabled(self): + with mock.patch( + "botocore.client.BaseClient._make_api_call", + new=mock_make_api_call_enabled_not_redis, + ): + + from prowler.providers.aws.services.dms.dms_service import DMS + + aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1]) + + with mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=aws_provider, + ), mock.patch( + "prowler.providers.aws.services.dms.dms_endpoint_redis_tls_enabled.dms_endpoint_redis_tls_enabled.dms_client", + new=DMS(aws_provider), + ): + # Test Check + from prowler.providers.aws.services.dms.dms_endpoint_redis_tls_enabled.dms_endpoint_redis_tls_enabled import ( + dms_endpoint_redis_tls_enabled, + ) + + check = dms_endpoint_redis_tls_enabled() + result = check.execute() + + assert len(result) == 0 + @mock_aws def test_dms_mongodb_auth_mecanism_not_enabled(self): with mock.patch( diff --git a/tests/providers/aws/services/dms/dms_service_test.py b/tests/providers/aws/services/dms/dms_service_test.py index 9f0982645aa..875cbea4b52 100644 --- a/tests/providers/aws/services/dms/dms_service_test.py +++ b/tests/providers/aws/services/dms/dms_service_test.py @@ -47,6 +47,7 @@ def mock_make_api_call(self, operation_name, kwargs): "RedisSettings": { "SslSecurityProtocol": "ssl-encryption", }, + "EngineName": "neptune", } ] } @@ -125,6 +126,7 @@ def test_describe_endpoints(self): assert dms.endpoints[DMS_ENDPOINT_ARN].id == DMS_ENDPOINT_NAME assert dms.endpoints[DMS_ENDPOINT_ARN].ssl_mode == "require" assert dms.endpoints[DMS_ENDPOINT_ARN].redis_tls_enabled == "ssl-encryption" + assert dms.endpoints[DMS_ENDPOINT_ARN].engine_name == "neptune" def test_list_tags(self): aws_provider = set_mocked_aws_provider() From 7409ca5c16d014079f6a3dc3ccf3dd6085802697 Mon Sep 17 00:00:00 2001 
From: Daniel Barranquero Date: Tue, 5 Nov 2024 19:45:40 +0100 Subject: [PATCH 5/6] chore(dms): made suggested changes --- .../__init__.py | 0 ..._transit_encryption_enabled.metadata.json} | 4 +- ...nt_redis_in_transit_encryption_enabled.py} | 14 +++---- .../providers/aws/services/dms/dms_service.py | 4 +- ...dis_in_transit_encryption_enabled_test.py} | 38 +++++++++---------- .../aws/services/dms/dms_service_test.py | 2 +- 6 files changed, 30 insertions(+), 32 deletions(-) rename prowler/providers/aws/services/dms/{dms_endpoint_redis_tls_enabled => dms_endpoint_redis_in_transit_encryption_enabled}/__init__.py (100%) rename prowler/providers/aws/services/dms/{dms_endpoint_redis_tls_enabled/dms_endpoint_redis_tls_enabled.metadata.json => dms_endpoint_redis_in_transit_encryption_enabled/dms_endpoint_redis_in_transit_encryption_enabled.metadata.json} (90%) rename prowler/providers/aws/services/dms/{dms_endpoint_redis_tls_enabled/dms_endpoint_redis_tls_enabled.py => dms_endpoint_redis_in_transit_encryption_enabled/dms_endpoint_redis_in_transit_encryption_enabled.py} (78%) rename tests/providers/aws/services/dms/{dms_endpoint_redis_tls_enabled/dms_endpoint_redis_tls_enabled_test.py => dms_endpoint_redis_in_transit_encryption_enabled/dms_endpoint_redis_in_transit_encryption_enabled_test.py} (84%) diff --git a/prowler/providers/aws/services/dms/dms_endpoint_redis_tls_enabled/__init__.py b/prowler/providers/aws/services/dms/dms_endpoint_redis_in_transit_encryption_enabled/__init__.py similarity index 100% rename from prowler/providers/aws/services/dms/dms_endpoint_redis_tls_enabled/__init__.py rename to prowler/providers/aws/services/dms/dms_endpoint_redis_in_transit_encryption_enabled/__init__.py 
diff --git a/prowler/providers/aws/services/dms/dms_endpoint_redis_tls_enabled/dms_endpoint_redis_tls_enabled.metadata.json b/prowler/providers/aws/services/dms/dms_endpoint_redis_in_transit_encryption_enabled/dms_endpoint_redis_in_transit_encryption_enabled.metadata.json similarity index 90% rename from prowler/providers/aws/services/dms/dms_endpoint_redis_tls_enabled/dms_endpoint_redis_tls_enabled.metadata.json rename to prowler/providers/aws/services/dms/dms_endpoint_redis_in_transit_encryption_enabled/dms_endpoint_redis_in_transit_encryption_enabled.metadata.json index b476132fdef..471b27aee4a 100644 --- a/prowler/providers/aws/services/dms/dms_endpoint_redis_tls_enabled/dms_endpoint_redis_tls_enabled.metadata.json +++ b/prowler/providers/aws/services/dms/dms_endpoint_redis_in_transit_encryption_enabled/dms_endpoint_redis_in_transit_encryption_enabled.metadata.json @@ -1,7 +1,7 @@ { "Provider": "aws", - "CheckID": "dms_endpoint_redis_tls_enabled", - "CheckTitle": "Check if DMS endpoints for Redis OSS have TLS enabled.", + "CheckID": "dms_endpoint_redis_in_transit_encryption_enabled", + "CheckTitle": "Check if DMS endpoints for Redis OSS are encrypted in transit.", "CheckType": [ "Software and Configuration Checks/AWS Security Best Practices" ], diff --git a/prowler/providers/aws/services/dms/dms_endpoint_redis_tls_enabled/dms_endpoint_redis_tls_enabled.py b/prowler/providers/aws/services/dms/dms_endpoint_redis_in_transit_encryption_enabled/dms_endpoint_redis_in_transit_encryption_enabled.py similarity index 78% rename from prowler/providers/aws/services/dms/dms_endpoint_redis_tls_enabled/dms_endpoint_redis_tls_enabled.py rename to prowler/providers/aws/services/dms/dms_endpoint_redis_in_transit_encryption_enabled/dms_endpoint_redis_in_transit_encryption_enabled.py index 35c4a639287..ab02af95d5c 100644 --- a/prowler/providers/aws/services/dms/dms_endpoint_redis_tls_enabled/dms_endpoint_redis_tls_enabled.py 
+++ b/prowler/providers/aws/services/dms/dms_endpoint_redis_in_transit_encryption_enabled/dms_endpoint_redis_in_transit_encryption_enabled.py @@ -4,11 +4,11 @@ from prowler.providers.aws.services.dms.dms_client import dms_client -class dms_endpoint_redis_tls_enabled(Check): +class dms_endpoint_redis_in_transit_encryption_enabled(Check): """ Check if AWS DMS Endpoints for Redis OSS have TLS enabled. - This class verifies whether each AWS DMS Endpoint configured for Redis OSS has TLS enabled + This class verifies whether each AWS DMS Endpoint configured for Redis OSS is encrypted in transit by checking the `TlsEnabled` property in the endpoint's configuration. The check ensures that TLS is enabled to secure data in transit, preventing unauthorized access and ensuring data integrity. """ @@ -18,7 +18,7 @@ def execute(self) -> List[Check_Report_AWS]: Execute the DMS Redis TLS enabled check. Iterates over all DMS Endpoints and generates a report indicating whether - each Redis OSS endpoint has TLS enabled. + each Redis OSS endpoint is encrypted in transit. Returns: List[Check_Report_AWS]: A list of report objects with the results of the check. @@ -32,12 +32,10 @@ def execute(self) -> List[Check_Report_AWS]: report.region = endpoint.region report.resource_tags = endpoint.tags report.status = "FAIL" - report.status_extended = f"DMS Endpoint '{endpoint.id}' for Redis OSS does not have TLS enabled." - if endpoint.redis_tls_enabled == "ssl-encryption": + report.status_extended = f"DMS Endpoint '{endpoint.id}' for Redis OSS is not encrypted in transit." + if endpoint.redis_ssl_protocol == "ssl-encryption": report.status = "PASS" - report.status_extended = ( - f"DMS Endpoint '{endpoint.id}' for Redis OSS has TLS enabled." - ) + report.status_extended = f"DMS Endpoint '{endpoint.id}' for Redis OSS is encrypted in transit." findings.append(report) 
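Review bot: The class docstring still says the check works "by checking the `TlsEnabled` property in the endpoint's configuration", but the code compares `endpoint.redis_ssl_protocol`, which the service fills from `RedisSettings.SslSecurityProtocol`; no `TlsEnabled` exists anywhere in the hunk. Since this hunk already rewords that sentence, change it to `by comparing the endpoint's RedisSettings.SslSecurityProtocol value with "ssl-encryption"`. The method docstring's `Execute the DMS Redis TLS enabled check.` could likewise say in-transit encryption to match the renamed class. The remainder of `execute` sits outside the hunk.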
diff --git a/prowler/providers/aws/services/dms/dms_service.py b/prowler/providers/aws/services/dms/dms_service.py index 50e027e0af1..43384d06b43 100644 --- a/prowler/providers/aws/services/dms/dms_service.py +++ b/prowler/providers/aws/services/dms/dms_service.py @@ -71,7 +71,7 @@ def _describe_endpoints(self, regional_client): id=endpoint["EndpointIdentifier"], region=regional_client.region, ssl_mode=endpoint.get("SslMode", False), - redis_tls_enabled=endpoint.get("RedisSettings", {}).get( + redis_ssl_protocol=endpoint.get("RedisSettings", {}).get( "SslSecurityProtocol", "plaintext" ), mongodb_auth_type=endpoint.get("MongoDbSettings", {}).get( @@ -104,7 +104,7 @@ class Endpoint(BaseModel): region: str ssl_mode: str tags: Optional[list] - redis_tls_enabled: Optional[str] + redis_ssl_protocol: Optional[str] mongodb_auth_type: str neptune_iam_auth_enabled: bool = False engine_name: str diff --git a/tests/providers/aws/services/dms/dms_endpoint_redis_tls_enabled/dms_endpoint_redis_tls_enabled_test.py b/tests/providers/aws/services/dms/dms_endpoint_redis_in_transit_encryption_enabled/dms_endpoint_redis_in_transit_encryption_enabled_test.py similarity index 84% rename from tests/providers/aws/services/dms/dms_endpoint_redis_tls_enabled/dms_endpoint_redis_tls_enabled_test.py rename to tests/providers/aws/services/dms/dms_endpoint_redis_in_transit_encryption_enabled/dms_endpoint_redis_in_transit_encryption_enabled_test.py index b0b7920a53e..471aa818123 100644 --- a/tests/providers/aws/services/dms/dms_endpoint_redis_tls_enabled/dms_endpoint_redis_tls_enabled_test.py +++ b/tests/providers/aws/services/dms/dms_endpoint_redis_in_transit_encryption_enabled/dms_endpoint_redis_in_transit_encryption_enabled_test.py 
@@ -119,7 +119,7 @@ def mock_make_api_call_not_enabled(self, operation_name, kwarg): return make_api_call(self, operation_name, kwarg) -class Test_dms_endpoint_redis_tls_enabled: +class Test_dms_endpoint_redis_in_transit_encryption_enabled: @mock_aws def test_no_dms_endpoints(self): dms_client = client("dms", region_name=AWS_REGION_US_EAST_1) @@ -133,15 +133,15 @@ def test_no_dms_endpoints(self): "prowler.providers.common.provider.Provider.get_global_provider", return_value=aws_provider, ), mock.patch( - "prowler.providers.aws.services.dms.dms_endpoint_redis_tls_enabled.dms_endpoint_redis_tls_enabled.dms_client", + "prowler.providers.aws.services.dms.dms_endpoint_redis_in_transit_encryption_enabled.dms_endpoint_redis_in_transit_encryption_enabled.dms_client", new=DMS(aws_provider), ): # Test Check - from prowler.providers.aws.services.dms.dms_endpoint_redis_tls_enabled.dms_endpoint_redis_tls_enabled import ( - dms_endpoint_redis_tls_enabled, + from prowler.providers.aws.services.dms.dms_endpoint_redis_in_transit_encryption_enabled.dms_endpoint_redis_in_transit_encryption_enabled import ( + dms_endpoint_redis_in_transit_encryption_enabled, ) - check = dms_endpoint_redis_tls_enabled() + check = dms_endpoint_redis_in_transit_encryption_enabled() result = check.execute() assert len(result) == 0 
@@ -161,15 +161,15 @@ def test_dms_not_mongodb_auth_mecanism_enabled(self): "prowler.providers.common.provider.Provider.get_global_provider", return_value=aws_provider, ), mock.patch( - "prowler.providers.aws.services.dms.dms_endpoint_redis_tls_enabled.dms_endpoint_redis_tls_enabled.dms_client", + "prowler.providers.aws.services.dms.dms_endpoint_redis_in_transit_encryption_enabled.dms_endpoint_redis_in_transit_encryption_enabled.dms_client", new=DMS(aws_provider), ): # Test Check - from prowler.providers.aws.services.dms.dms_endpoint_redis_tls_enabled.dms_endpoint_redis_tls_enabled import ( - dms_endpoint_redis_tls_enabled, + from prowler.providers.aws.services.dms.dms_endpoint_redis_in_transit_encryption_enabled.dms_endpoint_redis_in_transit_encryption_enabled import ( + dms_endpoint_redis_in_transit_encryption_enabled, ) - check = dms_endpoint_redis_tls_enabled() + check = dms_endpoint_redis_in_transit_encryption_enabled() result = check.execute() assert len(result) == 0 
@@ -189,21 +189,21 @@ def test_dms_mongodb_auth_mecanism_not_enabled(self): "prowler.providers.common.provider.Provider.get_global_provider", return_value=aws_provider, ), mock.patch( - "prowler.providers.aws.services.dms.dms_endpoint_redis_tls_enabled.dms_endpoint_redis_tls_enabled.dms_client", + "prowler.providers.aws.services.dms.dms_endpoint_redis_in_transit_encryption_enabled.dms_endpoint_redis_in_transit_encryption_enabled.dms_client", new=DMS(aws_provider), ): # Test Check - from prowler.providers.aws.services.dms.dms_endpoint_redis_tls_enabled.dms_endpoint_redis_tls_enabled import ( - dms_endpoint_redis_tls_enabled, + from prowler.providers.aws.services.dms.dms_endpoint_redis_in_transit_encryption_enabled.dms_endpoint_redis_in_transit_encryption_enabled import ( + dms_endpoint_redis_in_transit_encryption_enabled, ) - check = dms_endpoint_redis_tls_enabled() + check = dms_endpoint_redis_in_transit_encryption_enabled() result = check.execute() assert len(result) == 1 assert result[0].status == "FAIL" assert result[0].status_extended == ( - "DMS Endpoint 'dms-endpoint' for Redis OSS does not have TLS enabled." + "DMS Endpoint 'dms-endpoint' for Redis OSS is not encrypted in transit." ) assert result[0].resource_id == "dms-endpoint" assert ( 
@@ -237,21 +237,21 @@ def test_dms_mongodb_auth_mecanism_enabled(self): "prowler.providers.common.provider.Provider.get_global_provider", return_value=aws_provider, ), mock.patch( - "prowler.providers.aws.services.dms.dms_endpoint_redis_tls_enabled.dms_endpoint_redis_tls_enabled.dms_client", + "prowler.providers.aws.services.dms.dms_endpoint_redis_in_transit_encryption_enabled.dms_endpoint_redis_in_transit_encryption_enabled.dms_client", new=DMS(aws_provider), ): # Test Check - from prowler.providers.aws.services.dms.dms_endpoint_redis_tls_enabled.dms_endpoint_redis_tls_enabled import ( - dms_endpoint_redis_tls_enabled, + from prowler.providers.aws.services.dms.dms_endpoint_redis_in_transit_encryption_enabled.dms_endpoint_redis_in_transit_encryption_enabled import ( + dms_endpoint_redis_in_transit_encryption_enabled, ) - check = dms_endpoint_redis_tls_enabled() + check = dms_endpoint_redis_in_transit_encryption_enabled() result = check.execute() assert len(result) == 1 assert result[0].status == "PASS" assert result[0].status_extended == ( - "DMS Endpoint 'dms-endpoint' for Redis OSS has TLS enabled." + "DMS Endpoint 'dms-endpoint' for Redis OSS is encrypted in transit." ) assert result[0].resource_id == "dms-endpoint" assert ( diff --git a/tests/providers/aws/services/dms/dms_service_test.py b/tests/providers/aws/services/dms/dms_service_test.py index ef011988a7e..94474a8fbe3 100644 --- a/tests/providers/aws/services/dms/dms_service_test.py +++ b/tests/providers/aws/services/dms/dms_service_test.py 
@@ -131,7 +131,7 @@ def test_describe_endpoints(self):
 assert len(dms.endpoints) == 1
 assert dms.endpoints[DMS_ENDPOINT_ARN].id == DMS_ENDPOINT_NAME
 assert dms.endpoints[DMS_ENDPOINT_ARN].ssl_mode == "require"
- assert dms.endpoints[DMS_ENDPOINT_ARN].redis_tls_enabled == "ssl-encryption"
+ assert dms.endpoints[DMS_ENDPOINT_ARN].redis_ssl_protocol == "ssl-encryption"
 assert dms.endpoints[DMS_ENDPOINT_ARN].mongodb_auth_type == "password"
 assert dms.endpoints[DMS_ENDPOINT_ARN].neptune_iam_auth_enabled
 assert dms.endpoints[DMS_ENDPOINT_ARN].engine_name == "neptune"
From 02248437ea97723fdc53bde90b9bda1a4120a60a Mon Sep 17 00:00:00 2001
From: Sergio
Date: Wed, 6 Nov 2024 09:35:53 -0500
Subject: [PATCH 6/6] chore: revision
---
 .../dms_endpoint_redis_in_transit_encryption_enabled.py | 4 ++--
 prowler/providers/aws/services/dms/dms_service.py | 2 +-
 .../dms_endpoint_redis_in_transit_encryption_enabled_test.py | 4 ++--
 .../dms_endpoint_ssl_enabled_test.py | 4 ++++
 4 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/prowler/providers/aws/services/dms/dms_endpoint_redis_in_transit_encryption_enabled/dms_endpoint_redis_in_transit_encryption_enabled.py b/prowler/providers/aws/services/dms/dms_endpoint_redis_in_transit_encryption_enabled/dms_endpoint_redis_in_transit_encryption_enabled.py
index ab02af95d5c..84ef3a888f1 100644
--- a/prowler/providers/aws/services/dms/dms_endpoint_redis_in_transit_encryption_enabled/dms_endpoint_redis_in_transit_encryption_enabled.py
+++ b/prowler/providers/aws/services/dms/dms_endpoint_redis_in_transit_encryption_enabled/dms_endpoint_redis_in_transit_encryption_enabled.py
@@ -32,10 +32,10 @@ def execute(self) -> List[Check_Report_AWS]:
 report.region = endpoint.region
 report.resource_tags = endpoint.tags
 report.status = "FAIL"
- report.status_extended = f"DMS Endpoint '{endpoint.id}' for Redis OSS is not encrypted in transit."
+ report.status_extended = f"DMS Endpoint {endpoint.id} for Redis OSS is not encrypted in transit."
 if endpoint.redis_ssl_protocol == "ssl-encryption":
 report.status = "PASS"
- report.status_extended = f"DMS Endpoint '{endpoint.id}' for Redis OSS is encrypted in transit."
+ report.status_extended = f"DMS Endpoint {endpoint.id} for Redis OSS is encrypted in transit."
 findings.append(report)
diff --git a/prowler/providers/aws/services/dms/dms_service.py b/prowler/providers/aws/services/dms/dms_service.py
index 43384d06b43..a539a6417d9 100644
--- a/prowler/providers/aws/services/dms/dms_service.py
+++ b/prowler/providers/aws/services/dms/dms_service.py
@@ -104,7 +104,7 @@ class Endpoint(BaseModel):
 region: str
 ssl_mode: str
 tags: Optional[list]
- redis_ssl_protocol: Optional[str]
+ redis_ssl_protocol: str
 mongodb_auth_type: str
 neptune_iam_auth_enabled: bool = False
 engine_name: str
diff --git a/tests/providers/aws/services/dms/dms_endpoint_redis_in_transit_encryption_enabled/dms_endpoint_redis_in_transit_encryption_enabled_test.py b/tests/providers/aws/services/dms/dms_endpoint_redis_in_transit_encryption_enabled/dms_endpoint_redis_in_transit_encryption_enabled_test.py
index 471aa818123..639b5c5bcbb 100644
--- a/tests/providers/aws/services/dms/dms_endpoint_redis_in_transit_encryption_enabled/dms_endpoint_redis_in_transit_encryption_enabled_test.py
+++ b/tests/providers/aws/services/dms/dms_endpoint_redis_in_transit_encryption_enabled/dms_endpoint_redis_in_transit_encryption_enabled_test.py
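Review bot: `redis_ssl_protocol: str` in the `Endpoint` model now has no default, so every direct `Endpoint(...)` construction must supply it — which is why the four fixtures in dms_endpoint_ssl_enabled_test.py (hunks at lines 23 and 24) each gain `redis_ssl_protocol="plaintext"`. The fixtures' value suggests the service already substitutes `"plaintext"` for endpoints without RedisSettings; if so, the same fallback belongs on the model, `redis_ssl_protocol: str = "plaintext"`, which keeps the conservative default (anything other than `"ssl-encryption"` is reported FAIL by the check hunk above) defined in one place and leaves unrelated test fixtures untouched. The field also deserves a comment such as `# RedisSettings.SslSecurityProtocol: "plaintext" | "ssl-encryption"; "plaintext" is also the value for endpoints with no RedisSettings`, because for non-Redis engines it is a synthetic default rather than a reported setting and I cannot see from these hunks whether `execute()` (which starts and ends outside the first hunk) filters on `engine_name` before comparing it.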
@@ -203,7 +203,7 @@ def test_dms_mongodb_auth_mecanism_not_enabled(self):
 assert len(result) == 1
 assert result[0].status == "FAIL"
 assert result[0].status_extended == (
- "DMS Endpoint 'dms-endpoint' for Redis OSS is not encrypted in transit."
+ "DMS Endpoint dms-endpoint for Redis OSS is not encrypted in transit."
 )
 assert result[0].resource_id == "dms-endpoint"
 assert (
@@ -251,7 +251,7 @@ def test_dms_mongodb_auth_mecanism_enabled(self):
 assert len(result) == 1
 assert result[0].status == "PASS"
 assert result[0].status_extended == (
- "DMS Endpoint 'dms-endpoint' for Redis OSS is encrypted in transit."
+ "DMS Endpoint dms-endpoint for Redis OSS is encrypted in transit."
 )
 assert result[0].resource_id == "dms-endpoint"
 assert (
diff --git a/tests/providers/aws/services/dms/dms_endpoint_ssl_enabled_test/dms_endpoint_ssl_enabled_test.py b/tests/providers/aws/services/dms/dms_endpoint_ssl_enabled_test/dms_endpoint_ssl_enabled_test.py
index c320b02131c..7dc11c9a25b 100644
--- a/tests/providers/aws/services/dms/dms_endpoint_ssl_enabled_test/dms_endpoint_ssl_enabled_test.py
+++ b/tests/providers/aws/services/dms/dms_endpoint_ssl_enabled_test/dms_endpoint_ssl_enabled_test.py
@@ -33,6 +33,7 @@ def test_dms_endpoint_ssl_none(self):
 id="test-endpoint-no-ssl",
 mongodb_auth_type="no",
 engine_name="test-engine",
+ redis_ssl_protocol="plaintext",
 region=AWS_REGION_US_EAST_1,
 ssl_mode="none",
 tags=[{"Key": "Name", "Value": "test-endpoint-no-ssl"}],
@@ -81,6 +82,7 @@ def test_dms_endpoint_ssl_require(self):
 id="test-endpoint-ssl-require",
 mongodb_auth_type="no",
 engine_name="test-engine",
+ redis_ssl_protocol="plaintext",
 region=AWS_REGION_US_EAST_1,
 ssl_mode="require",
 tags=[{"Key": "Name", "Value": "test-endpoint-ssl-require"}],
@@ -126,6 +128,7 @@ def test_dms_endpoint_ssl_verify_ca(self):
 id="test-endpoint-ssl-verify-ca",
 engine_name="test-engine",
 mongodb_auth_type="no",
+ redis_ssl_protocol="plaintext",
 region=AWS_REGION_US_EAST_1,
 ssl_mode="verify-ca",
 tags=[{"Key": "Name", "Value": "test-endpoint-ssl-verify-ca"}],
@@ -171,6 +174,7 @@ def test_dms_endpoint_ssl_verify_full(self):
 id="test-endpoint-ssl-verify-full",
 mongodb_auth_type="no",
 engine_name="test-engine",
+ redis_ssl_protocol="plaintext",
 region=AWS_REGION_US_EAST_1,
 ssl_mode="verify-full",
 tags=[{"Key": "Name", "Value": "test-endpoint-ssl-verify-full"}],