alb security groups plugin #1555

Open
wants to merge 9 commits into
base: master
1 change: 1 addition & 0 deletions exports.js
Expand Up @@ -270,6 +270,7 @@ module.exports = {
'elbv2HasTags' : require(__dirname + '/plugins/aws/elbv2/elbv2HasTags.js'),
'elbv2DeprecatedSslPolicies' : require(__dirname + '/plugins/aws/elbv2/elbv2DeprecatedSslPolicies.js'),
'elbv2InsecureCiphers' : require(__dirname + '/plugins/aws/elbv2/elbv2InsecureCiphers.js'),
'albSecurityGroup' : require(__dirname + '/plugins/aws/elbv2/albSecurityGroup'),

'elasticacheDefaultPorts' : require(__dirname + '/plugins/aws/elasticache/elasticacheDefaultPorts.js'),

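Review bot: The new `albSecurityGroup` entry is the only require in this block that omits the `.js` suffix; the three `elbv2*` neighbours directly above it all spell the file out in full. Node resolves the bare path either way, so this is a style point, but keeping the registration consistent makes the file easier to grep and diff: `'albSecurityGroup' : require(__dirname + '/plugins/aws/elbv2/albSecurityGroup.js'),`.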
53 changes: 53 additions & 0 deletions plugins/aws/elbv2/albSecurityGroup.js
@@ -0,0 +1,53 @@
var async = require('async');
var helpers = require('../../../helpers/aws');

module.exports = {
title: 'ALB Associated With Security Group',
category: 'ELBv2',
domain: 'Content Delivery',
description: 'Ensure Application Load Balancers are associated with security group.',
more_info: 'It is a security best practice to always have application load balancers associated with security groups to avoid any data loss or unauthorized access.',
link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-update-security-groups.html',
recommended_action: 'Modify Application Load Balancer and Add Security Groups',
apis: ['ELBv2:describeLoadBalancers'],

run: function(cache, settings, callback) {
var results = [];
var source = {};
var regions = helpers.regions(settings);

async.each(regions.elbv2, function(region, rcb){
var describeLoadBalancers = helpers.addSource(cache, source,
['elbv2', 'describeLoadBalancers', region]);

if (!describeLoadBalancers) return rcb();

if (describeLoadBalancers.err || !describeLoadBalancers.data) {
helpers.addResult(results, 3,
'Unable to query for load balancers: ' + helpers.addError(describeLoadBalancers),
region);
return rcb();
}

if (!describeLoadBalancers.data.length) {
helpers.addResult(results, 0, 'No load balancers found', region);
return rcb();
}

for (let alb of describeLoadBalancers.data){

if (!alb.LoadBalancerArn || (!alb.Type && alb.Type.toLowerCase() === 'application')) continue;
Suggested change
if (!alb.LoadBalancerArn || (!alb.Type && alb.Type.toLowerCase() === 'application')) continue;
if (!alb.LoadBalancerArn || (!alb.Type && alb.Type.toLowerCase() === 'application')) continue;

This check will break if LoadBalancerArn exists and Type doesn't — is it supposed to be 'alb.Type && alb.Type.toLowerCase()'?


if (alb.SecurityGroups && alb.SecurityGroups.length){
helpers.addResult(results, 0, 'Application Load Balancer has security group associated', region,alb.LoadBalancerArn);
} else {
helpers.addResult(results, 2, 'Application Load Balancer does not have security group associated', region,alb.LoadBalancerArn);
}
}

rcb();
}, function(){
callback(null, results, source);
});
}
};
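Review bot: The type filter at the top of the `for` loop has its polarity inverted: once the `!alb.Type` guard is corrected, `continue` would fire exactly when `Type` is `'application'`, so the check would evaluate every load balancer except ALBs, contradicting the plugin title and both result messages. The line should skip a load balancer when `Type` is absent or is not an application load balancer: `if (!alb.LoadBalancerArn || !alb.Type || alb.Type.toLowerCase() !== 'application') continue;`. As currently written the parenthesised clause can never be true when `Type` is present, so any typed load balancer with an ARN is scored, and network or gateway load balancers without `SecurityGroups` would presumably surface as FAIL under an "Application Load Balancer" message; a spec fixture with `"Type": "network"` asserting zero results would pin the intended behaviour. Separately, the `more_info` text names "data loss" as the risk, which does not follow from a missing security group; unrestricted inbound access to the listener is the exposure that attribute should describe.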
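--- /dev/null
+++ b/plugins/aws/elbv2/albSecurityGroup.spec.js
@@ -0,0 +1,124 @@
+var expect = require('chai').expect;
+const albSecurityGroup = require('./albSecurityGroup');
+
+const loadBalancers = [
+{
+"LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/test-lb-43/8e680c7bace394a7",
+"DNSName": "test-lb-43-148538634.us-east-1.elb.amazonaws.com",
+"CanonicalHostedZoneId": "Z35SXDOTRQ7X7K",
+"CreatedTime": "2020-08-30T22:55:21.030Z",
+"LoadBalancerName": "test-lb-43",
+"Scheme": "internet-facing",
+"VpcId": "vpc-99de2fe4",
+"State": {
+"Code": "active"
+},
+"Type": "application",
+"SecurityGroups": [
+"sg-06cccc47e5b3e1ee9"
+],
+"IpAddressType": "ipv4"
+},
+{
+"LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/test-lb-43/8e680c7bace394a8",
+"DNSName": "test-lb-43-148538634.us-east-1.elb.amazonaws.com",
+"CanonicalHostedZoneId": "Z35SXDOTRQ7X7K",
+"CreatedTime": "2020-08-30T22:55:21.030Z",
+"LoadBalancerName": "test-lb-43",
+"Scheme": "internet-facing",
+"VpcId": "vpc-99de2fe4",
+"State": {
+"Code": "active"
+},
+"Type": "application",
+"SecurityGroups": [],
+"IpAddressType": "ipv4"
+}
+];
+
+
+const createCache = (elbv2) => {
+return {
+elbv2:{
+describeLoadBalancers: {
+'us-east-1': {
+data: elbv2
+},
+},
+},
+};
+};
+
+const createErrorCache = () => {
+return {
+elbv2: {
+describeLoadBalancers: {
+'us-east-1': {
+err: {
+message: 'error describing load balancers'
+},
+},
+},
+}
+};
+};
+
+const createNullCache = () => {
+return {
+elbv2: {
+describeLoadBalancers: {
+'us-east-1': null,
+},
+},
+};
+};
+
+describe('albSecurityGroup', function () {
+describe('run', function () {
+it('should PASS if load balancer has security groups associated', function (done) {
+const cache = createCache([loadBalancers[0]]);
+albSecurityGroup.run(cache, {}, (err, results) => {
+expect(results.length).to.equal(1);
+expect(results[0].status).to.equal(0);
+expect(results[0].region).to.equal('us-east-1');
+expect(results[0].message).include('Application Load Balancer has security group associated');
+done();
+});
+});
+
+it('should FAIL if load balancer does not have security groups associated', function (done) {
+const cache = createCache([loadBalancers[1]]);
+albSecurityGroup.run(cache, {}, (err, results) => {
+expect(results.length).to.equal(1);
+expect(results[0].status).to.equal(2);
+expect(results[0].region).to.equal('us-east-1');
+expect(results[0].message).include('Application Load Balancer does not have security group associated');
+done();
+});
+});
+
+it('should UNKNOWN if error while describing load balancers', function (done) {
+const cache = createErrorCache();
+albSecurityGroup.run(cache, {}, (err, results) => {
+expect(results.length).to.equal(1);
+expect(results[0].status).to.equal(3);
+expect(results[0].region).to.equal('us-east-1');
+expect(results[0].message).include('Unable to query for load balancers:');
+done();
+});
+});
+
+it('should PASS if no load balancer found', function (done) {
+const cache = createCache([]);
+albSecurityGroup.run(cache, {}, (err, results) => {
+expect(results.length).to.equal(1);
+expect(results[0].status).to.equal(0);
+expect(results[0].region).to.equal('us-east-1');
+expect(results[0].message).include('No load balancers found');
+done();
+});
+});
+
+
+});
+});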
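Review bot: `createNullCache` is declared in this spec but never used, so the plugin's early `return rcb()` for a region with no `describeLoadBalancers` entry is untested and the helper is dead code. The four existing cases only cover application load balancers, which means the `Type` filter in the plugin (the line under discussion in the other review thread) has no fixture that would catch an inverted or throwing condition; a fixture with `"Type": "network"` expecting zero results, and one with `Type` omitted, would lock that down. The null-cache case below is the minimal addition; the network-type case follows the same shape with `createCache([{ ...loadBalancers[1], Type: 'network' }])`.
```javascript
it('should not return anything if describeLoadBalancers is null', function (done) {
    const cache = createNullCache();
    albSecurityGroup.run(cache, {}, (err, results) => {
        expect(results.length).to.equal(0);
        done();
    });
});
```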
2 changes: 1 addition & 1 deletion plugins/aws/lambda/lambdaOldRuntimes.spec.js
Expand Up @@ -5,7 +5,7 @@ const listFunctions = [
{
"FunctionName": "test-lambda",
"FunctionArn": "arn:aws:lambda:us-east-1:000011112222:function:test-lambda",
"Runtime": "nodejs12.x",
"Runtime": "nodejs16.x",
"Role": "arn:aws:iam::000011112222:role/lambda-role",
"Handler": "index.handler",
"TracingConfig": { "Mode": "PassThrough" }