joshlarsen / aws-recon

Multi-threaded AWS inventory collection tool with a focus on security-relevant resources and metadata.
https://archive.darkbit.io/resources
MIT License

Collect EMR Security Configuration Information #150

Closed PercussiveElbow closed 2 years ago

PercussiveElbow commented 2 years ago

I noticed the EMR collection does not gather information on EMR Security Configurations at present and have added support for this.

Collecting these configurations would be useful as they indicate whether various security features are enforced on a given EMR cluster, e.g. transit and at-rest encryption.

Example of information returned:

  {
    "account": "123456789",
    "service": "EMR",
    "region": "eu-west-2",
    "resource": {
      "EncryptionConfiguration": {
        "InTransitEncryptionConfiguration": {
          "TLSCertificateConfiguration": {
            "CertificateProviderType": "PEM",
            "S3Object": "s3://test123/Test123.zip"
          }
        },
        "AtRestEncryptionConfiguration": {
          "S3EncryptionConfiguration": {
            "EncryptionMode": "SSE-S3"
          },
          "LocalDiskEncryptionConfiguration": {
            "EncryptionKeyProviderType": "AwsKms",
            "AwsKmsKey": "arn:aws:kms:eu-west-2:123456789:alias/1234-5678",
            "EnableEbsEncryption": true
          }
        },
        "EnableInTransitEncryption": true,
        "EnableAtRestEncryption": true
      },
      "AuthenticationConfiguration": {
        "KerberosConfiguration": {
          "Provider": "ClusterDedicatedKdc",
          "ClusterDedicatedKdcConfiguration": {
            "TicketLifetimeInHours": 24
          }
        }
      },
      "type": "security_configuration",
      "arn": "arn:aws:emr:eu-west-2:123456789:security-configuration/TestSecConfig"
    },
    "timestamp": "2022-02-28 00:17:47 UTC"
  }

References to applied security configurations are already returned in the security_configuration field in EMR cluster objects.

No ARN format existed for this data structure, so I've followed the solution for similar objects in the code. (i.e. made one up)

If there are any issues with this PR please do let me know. Also, thanks for this gem - it is incredibly useful.
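
Added example, not part of the pull request or of aws-recon: a Ruby check over collected records of the shape shown above that flags EMR security configurations missing encryption or Kerberos settings. The second sample record, the function names and the choice of which settings count as required are assumptions made for illustration.

```ruby
require 'json'

# Constructed sample records in the shape shown in the PR description.
# The second record is a made-up weak configuration for contrast.
SAMPLE_RECORDS = JSON.parse(<<~JSON)
  [
    {"service": "EMR", "region": "eu-west-2", "resource": {
      "type": "security_configuration",
      "arn": "arn:aws:emr:eu-west-2:123456789:security-configuration/TestSecConfig",
      "EncryptionConfiguration": {
        "EnableInTransitEncryption": true, "EnableAtRestEncryption": true,
        "AtRestEncryptionConfiguration": {
          "S3EncryptionConfiguration": {"EncryptionMode": "SSE-S3"},
          "LocalDiskEncryptionConfiguration": {"EncryptionKeyProviderType": "AwsKms", "EnableEbsEncryption": true}
        }
      },
      "AuthenticationConfiguration": {"KerberosConfiguration": {"Provider": "ClusterDedicatedKdc"}}
    }},
    {"service": "EMR", "region": "eu-west-2", "resource": {
      "type": "security_configuration",
      "arn": "arn:aws:emr:eu-west-2:123456789:security-configuration/ExampleWeakConfig",
      "EncryptionConfiguration": {
        "EnableInTransitEncryption": false, "EnableAtRestEncryption": true,
        "AtRestEncryptionConfiguration": {"S3EncryptionConfiguration": {"EncryptionMode": "SSE-S3"}}
      }
    }}
  ]
JSON

# Returns finding strings for one security_configuration record (empty when clean).
# Which settings are required is an assumed policy, not something the tool defines.
def emr_security_findings(record)
  res = record['resource'] || {}
  enc = res['EncryptionConfiguration'] || {}
  at_rest = enc['AtRestEncryptionConfiguration'] || {}
  findings = []
  findings << 'in-transit encryption not enabled' unless enc['EnableInTransitEncryption'] == true
  findings << 'at-rest encryption not enabled' unless enc['EnableAtRestEncryption'] == true
  findings << 'no S3 encryption mode set' unless at_rest.dig('S3EncryptionConfiguration', 'EncryptionMode')
  findings << 'no local disk encryption configured' unless at_rest['LocalDiskEncryptionConfiguration']
  findings << 'no Kerberos authentication configured' unless res.dig('AuthenticationConfiguration', 'KerberosConfiguration')
  findings
end

# Maps each EMR security configuration ARN to its findings; other record types are skipped.
def audit(records)
  configs = records.select { |r| r['service'] == 'EMR' && r.dig('resource', 'type') == 'security_configuration' }
  configs.to_h { |r| [r.dig('resource', 'arn'), emr_security_findings(r)] }
end

audit(SAMPLE_RECORDS).each { |arn, f| puts "#{arn}: #{f.empty? ? 'OK' : f.join('; ')}" }
```

Joining the findings to clusters through the security_configuration field on EMR cluster objects shows which running clusters actually use a weak configuration.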

joshlarsen commented 2 years ago

Hey @PercussiveElbow, thanks for the PR. I think this is a good addition. One small request though: list_security_configurations returns a pageable response. If you could adjust your new block to match the list_clusters pattern that handles paging, that would be great.

Thanks!

PercussiveElbow commented 2 years ago

Updated now to match that format, let me know if anything else needs done. Thanks!