ELBv2 Target Groups Security Rules #1512

wants to merge 2 commits into
base: develop
4 changes: 4 additions & 0 deletions ScoutSuite/providers/aws/facade/elbv2.py
Expand Up @@ -64,3 +64,7 @@ async def _get_and_set_load_balancer_tags(self, load_balancer: dict, region: str
async def get_listeners(self, region: str, load_balancer_arn: str):
return await AWSFacadeUtils.get_all_pages(
'elbv2', region, self.session, 'describe_listeners', 'Listeners', LoadBalancerArn=load_balancer_arn)

async def get_target_groups(self, region: str, load_balancer_arn: str):
return await AWSFacadeUtils.get_all_pages(
'elbv2', region, self.session, 'describe_target_groups', 'TargetGroups', LoadBalancerArn=load_balancer_arn)
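Review bot: `get_target_groups` has no docstring, and the `LoadBalancerArn` filter it passes to `describe_target_groups` silently narrows the inventory to target groups currently attached to that load balancer, which a reader of the resource tree should be told. Suggest `"""Return every target group attached to `load_balancer_arn` in `region`, following pagination like get_listeners; target groups not attached to any load balancer are not returned."""`. That scope is acceptable for a cleartext-protocol rule (an unattached group receives no traffic), but it means the facade cannot be reused later for orphaned-resource checks without dropping the filter.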
4 changes: 3 additions & 1 deletion ScoutSuite/providers/aws/resources/elbv2/load_balancers.py
Expand Up @@ -2,11 +2,13 @@
from ScoutSuite.providers.aws.resources.base import AWSCompositeResources
from ScoutSuite.providers.utils import get_non_provider_id
from .listeners import Listeners
from .target_groups import TargetGroups


class LoadBalancers(AWSCompositeResources):
_children = [
(Listeners, 'listeners')
(Listeners, 'listeners'),
(TargetGroups, 'target_groups')
]

def __init__(self, facade: AWSFacade, region: str, vpc: str):
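--- /dev/null
+++ b/ScoutSuite/providers/aws/resources/elbv2/target_groups.py
@@ -0,0 +1,21 @@
+from ScoutSuite.providers.aws.facade.base import AWSFacade
+from ScoutSuite.providers.aws.resources.base import AWSResources
+from ScoutSuite.providers.utils import get_non_provider_id
+
+
+class TargetGroups(AWSResources):
+    def __init__(self, facade: AWSFacade, region: str, load_balancer_arn: str):
+        super().__init__(facade)
+        self.region = region
+        self.load_balancer_arn = load_balancer_arn
+
+    async def fetch_all(self):
+        target_groups = await self.facade.elbv2.get_target_groups(self.region, self.load_balancer_arn)
+        for raw_target_group in target_groups:
+            arn, target_group = self._parse_target_groups(raw_target_group)
+            self[arn] = target_group
+
+    def _parse_target_groups(self, raw_target_group):
+        raw_target_group.pop('LoadBalancerArns')
+        target_group_id = get_non_provider_id(raw_target_group['TargetGroupArn'])
+        return target_group_id, raw_target_group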
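Review bot: `raw_target_group.pop('LoadBalancerArns')` raises `KeyError` if that key is ever missing from a `describe_target_groups` entry, and because it runs inside `fetch_all`'s loop one odd record aborts the inventory for the whole load balancer; `raw_target_group.pop('LoadBalancerArns', None)` keeps the normalization without turning a missing field into a failed scan. Dropping that list also discards which load balancers the group serves — the API returns it as a list, so a group shared by more than one load balancer would presumably be stored once under each parent with no cross-reference; confirm that duplication is intended, since the same target group will then produce one finding per load balancer. `_parse_target_groups` handles a single group, so `_parse_target_group` would match the singular `_parse_*` naming and read more clearly. A one-line docstring on `fetch_all` such as `"""Fetch the target groups attached to this load balancer and index them by their non-provider id."""` would also help.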
@@ -0,0 +1,30 @@
{
"description": "Target Group associated with Load Balancer allowing Clear Text (HTTP) Communication",
"rationale": "Use of a secure protocol (HTTPS or SSL) is best practice for encrypted communication. Target group associated with a load balancer using an unencrypted protocol can be vulnerable to eavesdropping and man-in-the-middle attacks.",
"references": [
"https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-https-load-balancers.html",
"https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-target-group.html"
],
"dashboard_name": "Load Balancer Target Groups",
"display_path": "elbv2.regions.id.vpcs.id.lbs.id",
"path": "elbv2.regions.id.vpcs.id.lbs.id.target_groups.id",
"conditions": [
"and",
[
"elbv2.regions.id.vpcs.id.lbs.id.target_groups.id.Protocol",
"containNoneOf",
[
"HTTPS",
"SSL"
]
],
[
"elbv2.regions.id.vpcs.id.lbs.id.target_groups.id.TargetType",
"containAtLeastOneOf",
[
"ip",
"instance"
]
]
]
}
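Review bot: The protocol condition `containNoneOf ["HTTPS", "SSL"]` uses the Classic ELB protocol name `SSL`; ELBv2 target groups carry `HTTP`, `HTTPS`, `TCP`, `TLS`, `UDP`, `TCP_UDP` or `GENEVE`, so an NLB `TLS` target group that re-encrypts to the backend is reported as cleartext, and `TCP`/`UDP` passthrough groups (which may carry end-to-end TLS the load balancer never sees) are flagged as well, while the description promises an HTTP-only finding. Matching positively on the cleartext protocol is the lower-noise fix and agrees with the title: `"elbv2.regions.id.vpcs.id.lbs.id.target_groups.id.Protocol",` `"equal",` `"HTTP"`; if the negative form is kept it should at least read `containNoneOf ["HTTPS", "TLS"]` with the title widened beyond HTTP. The rationale's "(HTTPS or SSL)" should likewise say "(HTTPS or TLS)", and the first reference points at the Classic ELB HTTPS guide rather than ELBv2 target-group documentation. The `TargetType containAtLeastOneOf ["ip", "instance"]` guard presumably exists because `lambda` target groups have no `Protocol` field — worth stating that in the rationale so the exclusion is not mistaken for an oversight.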
6 changes: 6 additions & 0 deletions ScoutSuite/providers/aws/rules/rulesets/default.json
Expand Up @@ -424,6 +424,12 @@
"level": "warning"
}
],
"elbv2-target-group-allowing-cleartext.json": [
{
"enabled": true,
"level": "danger"
}
],
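Review bot: The new rule is registered at `"level": "danger"` in the default ruleset while the entry immediately above it is `"level": "warning"`. Terminating TLS at the load balancer and speaking HTTP to targets inside the VPC is a deliberate and very common design, so this rule will fire on a large share of ALB deployments, and at `danger` it competes for attention with findings about cleartext exposed on the internet-facing listener itself. Unless the project's levels are meant to ignore exposure, `"level": "warning"` here (keeping `danger` in detailed.json if a stricter profile is wanted) would keep the default report's severities proportionate.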
"iam-assume-role-lacks-external-id-and-mfa.json": [
{
"enabled": true,
6 changes: 6 additions & 0 deletions ScoutSuite/providers/aws/rules/rulesets/detailed.json
Expand Up @@ -445,6 +445,12 @@
"level": "warning"
}
],
"elbv2-target-group-allowing-cleartext.json": [
{
"enabled": true,
"level": "danger"
}
],
"iam-assume-role-lacks-external-id-and-mfa.json": [
{
"enabled": true,