Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(Kafka): New Kafka AWS checks #4021

Merged
merged 25 commits into from
May 22, 2024
Merged

feat(Kafka): New Kafka AWS checks #4021

merged 25 commits into from
May 22, 2024

Conversation

puchy22
Copy link
Contributor

@puchy22 puchy22 commented May 16, 2024
edited

Context

New checks to cover basic security best practices for Apache Kafka service managed by AWS.

  • kafka_cluster_enhanced_monitoring_enabled
  • kafka_cluster_in_transit_encryption_enabled
  • kafka_cluster_is_public
  • kafka_cluster_mutual_tls_authentication_enabled
  • kafka_cluster_unrestricted_access_disabled
  • kafka_cluster_encryption_at_rest_uses_cmk

Description

Added new checks with metadata and respective unit testing

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@github-actions github-actions bot added the provider/aws Issues/PRs related with the AWS provider label May 16, 2024
@puchy22 puchy22 marked this pull request as ready for review May 20, 2024 09:12
@puchy22 puchy22 requested review from a team as code owners May 20, 2024 09:12
puchy22 added 14 commits May 20, 2024 12:00
@puchy22
feat(kafka): New check for encryption at rest use CMK
22f13bf
@puchy22
feat(kafka): New check for better monitoring
c72029d
@puchy22
feat(kafka): New check for encrypt in transit with TLS
3dbb6af
@puchy22
feat(kafka): New check to ensure a cluster is not public
f21e0b6
@puchy22
feat(kafka): New check for TLS auth
cd5283f
@puchy22
feat(kafka): New check for unauthorized access
3d19acb
@puchy22
chore(kafka): Rename check
f2879b4
@puchy22
test(kafka): Change name test
350c369
@puchy22
test(kafka): New test for all types of encryption in transit
f8e6e4c
@puchy22
test(kafka): New tests for public and not public cluster
d5d8343
@puchy22
test(kafka): New tests for mutual TLS auth
60731c0
@puchy22
test(kafka): New tests for unauth access
3fa2ec4
@puchy22
feat(kafka): New check and testing to ensure using CMK encryption at …
e71adc0 
…rest
@puchy22
feat(kafka): Update the number of checks and services
f826e15
@github-actions github-actions bot added documentation provider/azure Issues/PRs related with the Azure provider provider/gcp Issues/PRs related with the Google Cloud Platform provider provider/kubernetes Issues/PRs related with the Kubernetes provider labels May 20, 2024
@codecov Codecov
Copy link

codecov bot commented May 20, 2024
edited

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 86.33%. Comparing base (73b3484) to head (9eb9a23).
Report is 25 commits behind head on master.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #4021      +/-   ##
==========================================
- Coverage   86.51%   86.33%   -0.18%     
==========================================
  Files         776      789      +13     
  Lines       24163    24707     +544     
==========================================
+ Hits        20904    21332     +428     
- Misses       3259     3375     +116

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@jfagoagas jfagoagas removed documentation provider/aws Issues/PRs related with the AWS provider provider/azure Issues/PRs related with the Azure provider labels May 20, 2024
@jfagoagas jfagoagas removed provider/gcp Issues/PRs related with the Google Cloud Platform provider provider/kubernetes Issues/PRs related with the Kubernetes provider labels May 20, 2024
@github-actions github-actions bot added the provider/aws Issues/PRs related with the AWS provider label May 20, 2024
sergargar
sergargar reviewed May 20, 2024
View reviewed changes
...kafka/kafka_cluster_encryption_at_rest_uses_cmk/kafka_cluster_encryption_at_rest_uses_cmk.py
report.resource_arn = arn_cluster
report.resource_tags = cluster.tags
report.status = "FAIL"
report.status_extended = f"Kafka cluster '{cluster.name}' does not have encryption at rest enabled with a CMK."
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it be interesting to put a FAIL if it is encrypted with another type of key?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is only two types of managers or AWS or CUSTOMER, if the manager is AWS it FAIL and if is CUSTOMER like is reflected on check it will PASS. https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/kms/client/describe_key.html

sergargar
sergargar reviewed May 20, 2024
View reviewed changes
...kafka/kafka_cluster_enhanced_monitoring_enabled/kafka_cluster_enhanced_monitoring_enabled.py
f"Kafka cluster '{cluster.name}' has enhanced monitoring enabled."
)

if cluster.enhanced_monitoring == "DEFAULT":
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Which are the possible values here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

'DEFAULT'|'PER_BROKER'|'PER_TOPIC_PER_BROKER'|'PER_TOPIC_PER_PARTITION'

I only put DEFAULT as FAIL because every other method is an enhance over default monitoring.

sergargar
sergargar reviewed May 20, 2024
View reviewed changes
...ster_in_transit_encryption_enabled/kafka_cluster_in_transit_encryption_enabled.metadata.json Outdated
"RelatedUrl": "https://docs.aws.amazon.com/msk/latest/developerguide/msk-encryption.html",
"Remediation": {
"Code": {
"CLI": "",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
"CLI": "",
"CLI": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_32/#cli",

sergargar
sergargar reviewed May 20, 2024
View reviewed changes
...a/kafka_cluster_in_transit_encryption_enabled/kafka_cluster_in_transit_encryption_enabled.py Outdated
report.resource_arn = arn_cluster
report.resource_tags = cluster.tags
report.status = "FAIL"
report.status_extended = f"Kafka cluster '{cluster.name}' does not have encryption in transit enabled"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add a final dot in all the statuses extended.

sergargar
sergargar reviewed May 20, 2024
View reviewed changes
prowler/providers/aws/services/kafka/kafka_cluster_is_public/kafka_cluster_is_public.py Outdated
report.resource_tags = cluster.tags
report.status = "FAIL"
report.status_extended = (
f"Kafka cluster '{cluster.name}' does not have public access disabled."
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
f"Kafka cluster '{cluster.name}' does not have public access disabled."
f"Kafka cluster '{cluster.name}' is publicly accessible."

sergargar
sergargar reviewed May 20, 2024
View reviewed changes
...luster_unrestricted_access_disabled/kafka_cluster_unrestricted_access_disabled.metadata.json Outdated
{
"Provider": "aws",
"CheckID": "kafka_cluster_unrestricted_access_disabled",
"CheckTitle": "Ensure Kafka Cluster is not publicly accessible",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is not this confusing with the check kafka_cluster_is_public?

@sergargar sergargar self-assigned this May 20, 2024
sergargar
sergargar previously approved these changes May 21, 2024
View reviewed changes
Copy link
Member

@sergargar sergargar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good job @puchy22 !!

@sergargar sergargar self-requested a review May 22, 2024 12:40
@sergargar sergargar merged commit 0e71756 into prowler-cloud:master May 22, 2024
10 of 11 checks passed
@puchy22 puchy22 deleted the kafka_aws_checks branch May 31, 2024 09:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sergargar sergargar sergargar approved these changes

Assignees

@sergargar sergargar

Labels
provider/aws Issues/PRs related with the AWS provider
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@puchy22 @sergargar @jfagoagas