Merge pull request #2068 from AkhtarAmir/FS-AWS/GuarddutyEKSProtection
FS-AWS/GuarddutyEKSProtection
alphadev4 authored Sep 18, 2024
2 parents e7c84d2 + 761e882 commit 20b6be2
Showing 3 changed files with 249 additions and 0 deletions.
1 change: 1 addition & 0 deletions exports.js
Expand Up @@ -597,6 +597,7 @@ module.exports = {
'organizationInvite' : require(__dirname + '/plugins/aws/organizations/organizationInvite.js'),

'guardDutyEnabled' : require(__dirname + '/plugins/aws/guardduty/guarddutyEnabled.js'),
'eksProtectionEnabled' : require(__dirname + '/plugins/aws/guardduty/eksProtectionEnabled.js'),
'guardDutyMaster' : require(__dirname + '/plugins/aws/guardduty/guarddutyMaster.js'),
'noActiveFindings' : require(__dirname + '/plugins/aws/guardduty/noActiveFindings'),
's3ProtectionEnabled' : require(__dirname + '/plugins/aws/guardduty/s3ProtectionEnabled.js'),
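--- a/plugins/aws/guardduty/eksProtectionEnabled.js
+++ b/plugins/aws/guardduty/eksProtectionEnabled.js
@@ -0,0 +1,72 @@
+var async = require('async');
+var helpers = require('../../../helpers/aws');
+
+module.exports = {
+title: 'EKS GuardDuty Enabled',
+category: 'GuardDuty',
+domain: 'Management and Governance',
+severity: 'Medium',
+description: 'Ensures that GuardDuty protection is enabled for EKS clusters.' ,
+more_info: 'Enabling GuardDuty EKS protection helps detect potential security threats in your EKS clusters by monitoring audit logs, user activities, and control plane operations. It provides enhanced security by offering proactive threat detection and automated alerting for suspicious activities and security issues within your AWS environment.',
+recommended_action: 'Enable GuardDuty EKS protection for all AWS accounts.',
+link: 'https://docs.aws.amazon.com/guardduty/latest/ug/kubernetes-protection.html',
+apis: ['GuardDuty:listDetectors', 'GuardDuty:getDetector', 'STS:getCallerIdentity'],
+realtime_triggers: ['guardduty:CreateDetector', 'guardduty:UpdateDetector', 'guardduty:DeleteDetector'],
+
+run: function(cache, settings, callback) {
+var results = [];
+var source = {};
+
+var acctRegion = helpers.defaultRegion(settings);
+var awsOrGov = helpers.defaultPartition(settings);
+var accountId = helpers.addSource(cache, source, ['sts', 'getCallerIdentity', acctRegion, 'data']);
+
+var regions = helpers.regions(settings);
+
+async.each(regions.guardduty, function(region, rcb) {
+var listDetectors = helpers.addSource(cache, source, ['guardduty', 'listDetectors', region]);
+
+if (!listDetectors) return rcb();
+
+if (listDetectors.err || !listDetectors.data) {
+helpers.addResult(results, 3, 'Unable to list GuardDuty detectors: ' + helpers.addError(listDetectors), region);
+return rcb();
+}
+
+if (!listDetectors.data || !listDetectors.data.length) {
+helpers.addResult(results, 0, 'No GuardDuty detectors found', region);
+return rcb();
+}
+
+listDetectors.data.forEach(function(detectorId) {
+
+var getDetector = helpers.addSource(cache, source, ['guardduty', 'getDetector', region, detectorId]);
+
+if (!getDetector) return;
+
+if (getDetector.err || !getDetector.data) {
+helpers.addResult(results, 3, 'Unable to get GuardDuty detector: ' + helpers.addError(getDetector),region);
+return;
+}
+
+var detector = getDetector.data;
+var resource = 'arn:' + awsOrGov + ':guardduty:' + region + ':' + accountId + ':detector/' + detector.detectorId;
+
+if (detector.DataSources &&
+detector.DataSources.Kubernetes &&
+detector.DataSources.Kubernetes.AuditLogs &&
+detector.DataSources.Kubernetes.AuditLogs.Status &&
+detector.DataSources.Kubernetes.AuditLogs.Status.toLowerCase() === 'disabled'){
+helpers.addResult(results, 2, 'GuardDuty EKS protection is disabled', region, resource);
+} else {
+helpers.addResult(results, 0, 'GuardDuty EKS protection is enabled', region, resource);
+}
+
+});
+
+rcb();
+}, function(){
+callback(null, results, source);
+});
+}
+};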
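Review bot: The status check at the end of run() fails open — a detector response with no DataSources.Kubernetes block (or no AuditLogs.Status) skips the whole condition and lands in the else branch as 'GuardDuty EKS protection is enabled', so a detector where EKS protection was never configured passes the check. Inverting the test so that only an explicit ENABLED status passes closes that gap; the rewritten lines are below and the two spec fixtures still produce the same results. The resource ARN on the preceding line is built from detector.detectorId, a field the GetDetector responses in the spec fixtures do not carry, so the ARN appears to end in 'detector/undefined' — the forEach variable detectorId already holds the id. AWS documents the DataSources response field as deprecated in favour of the Features list (entry name 'EKS_AUDIT_LOGS'), so it is worth confirming that the detectors being scanned still populate DataSources before relying on it alone.
```javascript
var detector = getDetector.data;
var resource = 'arn:' + awsOrGov + ':guardduty:' + region + ':' + accountId + ':detector/' + detectorId;

// Only an explicit ENABLED status passes; a missing Kubernetes/AuditLogs
// block means the data source is not configured and must not pass silently.
var auditLogs = detector.DataSources &&
    detector.DataSources.Kubernetes &&
    detector.DataSources.Kubernetes.AuditLogs;

if (auditLogs && auditLogs.Status && auditLogs.Status.toLowerCase() === 'enabled') {
    helpers.addResult(results, 0, 'GuardDuty EKS protection is enabled', region, resource);
} else {
    helpers.addResult(results, 2, 'GuardDuty EKS protection is disabled', region, resource);
}
// … unchanged: rcb() and the final callback …
```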
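--- a/plugins/aws/guardduty/eksProtectionEnabled.spec.js
+++ b/plugins/aws/guardduty/eksProtectionEnabled.spec.js
@@ -0,0 +1,176 @@
+var expect = require('chai').expect;
+var eksProtectionEnabled = require('./eksProtectionEnabled');
+
+const listDetectors = [
+"6cc45a4adb18e50f5ba51f6800db03d8"
+];
+
+const getDetector = [
+{
+"CreatedAt": "2021-11-16T15:54:17.530Z",
+"FindingPublishingFrequency": "SIX_HOURS",
+"ServiceRole": "arn:aws:iam::000011112222:role/aws-service-role/guardduty.amazonaws.com/AWSServiceRoleForAmazonGuardDuty",
+"Status": "ENABLED",
+"UpdatedAt": "2021-12-01T14:13:59.029Z",
+"DataSources": {
+"CloudTrail": {
+"Status": "ENABLED"
+},
+"DNSLogs": {
+"Status": "ENABLED"
+},
+"FlowLogs": {
+"Status": "ENABLED"
+},
+"S3Logs": {
+"Status": "ENABLED"
+},
+"Kubernetes": {
+"AuditLogs": {
+"Status": "ENABLED"
+}
+}
+},
+"Tags": {}
+},
+{
+"CreatedAt": "2021-11-16T15:54:17.530Z",
+"FindingPublishingFrequency": "SIX_HOURS",
+"ServiceRole": "arn:aws:iam::000011112222:role/aws-service-role/guardduty.amazonaws.com/AWSServiceRoleForAmazonGuardDuty",
+"Status": "ENABLED",
+"UpdatedAt": "2021-12-01T14:13:59.029Z",
+"DataSources": {
+"CloudTrail": {
+"Status": "ENABLED"
+},
+"DNSLogs": {
+"Status": "ENABLED"
+},
+"FlowLogs": {
+"Status": "ENABLED"
+},
+"S3Logs": {
+"Status": "DISABLED"
+},
+"Kubernetes": {
+"AuditLogs": {
+"Status": "DISABLED"
+}
+}
+},
+"Tags": {}
+}
+];
+
+const createCache = (listDetectors, getDetector) => {
+let detectorId = (listDetectors.length) ? listDetectors[0] : null;
+return {
+guardduty: {
+listDetectors: {
+'us-east-1': {
+data: listDetectors
+},
+},
+getDetector: {
+'us-east-1': {
+[detectorId]: {
+data: getDetector
+}
+}
+}
+}
+};
+};
+
+const createErrorCache = () => {
+return {
+guardduty: {
+listDetectors: {
+'us-east-1': {
+err: {
+message: 'error desribing cache clusters'
+},
+},
+},
+},
+};
+};
+
+const createNullCache = () => {
+return {
+guardduty: {
+listDetectors: {
+'us-east-1': null
+}
+}
+};
+};
+
+
+describe('eksProtectionEnabled', function () {
+describe('run', function () {
+it('should FAIL if GuardDuty EKS protection is diabled', function (done) {
+const cache = createCache(listDetectors, getDetector[1],);
+eksProtectionEnabled.run(cache, {}, (err, results) => {
+expect(results.length).to.equal(1);
+expect(results[0].status).to.equal(2);
+expect(results[0].region).to.equal('us-east-1');
+expect(results[0].message).to.include('GuardDuty EKS protection is disabled');
+done();
+});
+});
+
+it('should PASS if GuardDuty EKS protection is enabled', function (done) {
+const cache = createCache(listDetectors, getDetector[0]);
+eksProtectionEnabled.run(cache, {}, (err, results) => {
+expect(results.length).to.equal(1);
+expect(results[0].status).to.equal(0);
+expect(results[0].region).to.equal('us-east-1');
+expect(results[0].message).to.include('GuardDuty EKS protection is enabled');
+done();
+});
+});
+
+it('should PASS if no detectors found', function (done) {
+const cache = createCache([]);
+eksProtectionEnabled.run(cache, {}, (err, results) => {
+expect(results.length).to.equal(1);
+expect(results[0].status).to.equal(0);
+expect(results[0].region).to.equal('us-east-1');
+expect(results[0].message).to.include('No GuardDuty detectors found');
+done();
+});
+});
+
+it('should UNKNOWN unable to list GuardDuty detector', function (done) {
+const cache = createErrorCache();
+eksProtectionEnabled.run(cache, {}, (err, results) => {
+expect(results.length).to.equal(1);
+expect(results[0].status).to.equal(3);
+expect(results[0].region).to.equal('us-east-1');
+expect(results[0].message).to.include('Unable to list GuardDuty detectors:');
+done();
+});
+});
+
+it('should UNKNOWN unable to get GuardDuty detector', function (done) {
+const cache = createCache([listDetectors]);
+eksProtectionEnabled.run(cache, {}, (err, results) => {
+expect(results.length).to.equal(1);
+expect(results[0].status).to.equal(3);
+expect(results[0].region).to.equal('us-east-1');
+expect(results[0].message).to.include('Unable to get GuardDuty detector: ');
+done();
+});
+});
+
+it('should not return any result if list dectectors response not found', function (done) {
+const cache = createNullCache();
+eksProtectionEnabled.run(cache, {}, (err, results) => {
+expect(results.length).to.equal(0);
+done();
+});
+});
+});
+});
+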
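Review bot: The spec never exercises a GetDetector response that lacks the DataSources.Kubernetes block, which is exactly the shape where the plugin's condition (a FAIL only on an explicit 'disabled' status) reports protection as enabled; a third fixture with Kubernetes omitted, plus an `it(...)` asserting the status the plugin should return for it, would pin that behaviour for whichever way it is decided. The 'unable to get GuardDuty detector' case builds its cache with `createCache([listDetectors])`, so it appears to reach the error path only because createCache coerces the nested array into the object key and leaves `data` undefined; a cache with an explicit `getDetector: { 'us-east-1': { [listDetectors[0]]: { err: { message: 'error getting detector' } } } }` entry would state the intent directly. The test and fixture strings also carry typos ('diabled', 'desribing', 'dectectors') that are cheap to fix while the file is new.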