prowler-cloud / prowler

Prowler is an Open Source Security tool for AWS, Azure, GCP and Kubernetes to do security assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. Includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, Well-Architected Security, ENS and more
https://prowler.com
Apache License 2.0

Add new check `dms_endpoint_use_ssl` #4878

Open puchy22 opened 2 weeks ago

puchy22 commented 2 weeks ago

New feature motivation

SSL/TLS connections provide encryption for data in transit between DMS replication instances and your databases. This ensures that the data is protected from eavesdropping and tampering during migration. Enabling SSL also includes certificate validation, which verifies that connections are made to the intended database instance by checking its server certificate.

Reference: https://docs.aws.amazon.com/securityhub/latest/userguide/dms-controls.html#dms-9

Solution Proposed

Create a new check to ensure that DMS endpoints are using SSL. Things to add:

Describe alternatives you've considered

No alternative.

Additional context

No response

LefterisXefteris commented 1 week ago

from prowler.lib.check.models import Check, Check_Report_AWS
from prowler.providers.aws.services.dms.dms_client import dms_client


# The issue title proposes the name dms_endpoint_use_ssl; whichever name is used,
# the class name has to match the check's directory and metadata file name.
class dms_endpoint_ssl_enabled(Check):
    def execute(self):
        findings = []
        # dms_client.endpoints is expected to map endpoint ARN -> Endpoint model
        # exposing at least ssl_mode and region (that model does not exist yet).
        for endpoint_arn, endpoint in dms_client.endpoints.items():
            report = Check_Report_AWS(self.metadata())
            report.resource_id = endpoint_arn
            report.resource_arn = endpoint_arn
            report.region = endpoint.region

            # DMS SslMode is one of none, require, verify-ca, verify-full;
            # only "none" leaves the replication traffic unencrypted.
            if endpoint.ssl_mode == "none":
                report.status = "FAIL"
                report.status_extended = f"DMS Endpoint {endpoint_arn} is not using SSL."
            else:
                report.status = "PASS"
                report.status_extended = f"DMS Endpoint {endpoint_arn} is using SSL with mode: {endpoint.ssl_mode}."

            findings.append(report)

        return findings

jfagoagas commented 1 week ago

Hello @LefterisXefteris, do you want to tackle this issue? I can assign it to you if you want to start working on it.

Thank you for your interest!

LefterisXefteris commented 1 week ago

Hello @jfagoagas, I will happily handle this. Thank you!

LefterisXefteris commented 1 week ago

Hello!

I am currently testing the ssl_endpoint_enabled check. However, I encounter some problems with the dms_services class. I think I might need to add an endpoint class in there, inheriting from BaseModel, as well as a def __describe_endpoints__(self, regional_client): pass method in there. I might need some help implementing this. Would you be able to enlighten me with this method?

Thank you.
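A stand-alone sketch of the two pieces asked about above (an Endpoint model and what a `__describe_endpoints__` method would collect) wired to the same FAIL/PASS rule as the check posted earlier in this issue. This is an added example, not Prowler's own code: it uses a dataclass instead of Prowler's BaseModel, a constructed `DescribeEndpoints` response instead of a boto3 client so it runs offline, and the field names `EndpointArn`, `EndpointIdentifier` and `SslMode` from the DMS API.

```python
from dataclasses import dataclass

# SslMode values the DMS API returns; anything other than "none" encrypts the connection.
SSL_MODES = {"none", "require", "verify-ca", "verify-full"}

@dataclass
class Endpoint:
    """Stand-in for the Prowler service model (Prowler itself uses pydantic BaseModel)."""
    arn: str
    id: str
    region: str
    ssl_mode: str

def parse_endpoints(pages, region):
    """What a __describe_endpoints__ method would do: map DescribeEndpoints pages to models by ARN."""
    endpoints = {}
    for page in pages:
        for ep in page.get("Endpoints", []):
            endpoints[ep["EndpointArn"]] = Endpoint(
                arn=ep["EndpointArn"],
                id=ep["EndpointIdentifier"],
                region=region,
                # Assumption: a missing SslMode key means no SSL, so it is treated as "none".
                ssl_mode=ep.get("SslMode", "none").lower(),
            )
    return endpoints

def evaluate_endpoint(endpoint):
    """Return (status, status_extended) using the same FAIL/PASS rule as the posted check."""
    if endpoint.ssl_mode not in SSL_MODES:
        raise ValueError(f"unexpected SslMode {endpoint.ssl_mode!r} on {endpoint.arn}")
    if endpoint.ssl_mode == "none":
        return "FAIL", f"DMS Endpoint {endpoint.id} is not using SSL."
    return "PASS", f"DMS Endpoint {endpoint.id} is using SSL with mode: {endpoint.ssl_mode}."

# Constructed sample pages (not real account data), shaped like boto3's describe_endpoints paginator output.
ARN = "arn:aws:dms:eu-west-1:123456789012:endpoint:"
SAMPLE_PAGES = [
    {"Endpoints": [
        {"EndpointArn": ARN + "SRC1", "EndpointIdentifier": "src-oracle", "SslMode": "none"},
        {"EndpointArn": ARN + "TGT1", "EndpointIdentifier": "tgt-postgres", "SslMode": "verify-full"},
    ]},
    {"Endpoints": [{"EndpointArn": ARN + "S3A", "EndpointIdentifier": "tgt-s3"}]},  # no SslMode key
]

def run_check(pages=SAMPLE_PAGES, region="eu-west-1"):
    """Mirror Check.execute(): one finding per endpoint as (arn, status, status_extended)."""
    return [(arn, *evaluate_endpoint(ep)) for arn, ep in parse_endpoints(pages, region).items()]
```

In the real service class the pages come from `regional_client.get_paginator("describe_endpoints").paginate()` and the region from `regional_client.region`; the parsing and the verdict stay the same.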

LefterisXefteris commented 1 week ago

Sorry, I accidentally clicked the unassign-me button next to my name. Could you please assign me again?

jfagoagas commented 1 week ago

> Hello!
>
> I am currently testing the ssl_endpoint_enabled check. However, I encounter some problems with the dms_services class. I think I might need to add an endpoint class in there, inheriting from BaseModel, as well as a def __describe_endpoints__(self, regional_client): pass method in there. I might need some help implementing this. Would you be able to enlighten me with this method?
>
> Thank you.

For sure, we can help you! Regarding the solution proposed, which parts did you manage to complete?

Did you check the referenced documentation? Our developer guide should be sufficient, but if not we can always jump into a call in the Prowler Community Slack. You can use the following link https://join.slack.com/t/prowler-workspace/shared_invite/zt-2luugg3ld-_MlE692tRwAZoMMrZ1sV7w to join if you are not there yet.