YNACL Checks

aws-samples · Apr 30, 2024 · d6b4b83 · d6b4b83
1 parent 73561da
commit d6b4b83
Show file tree

Hide file tree

Showing 4 changed files with 81 additions and 0 deletions.
diff --git a/services/ec2/Ec2.py b/services/ec2/Ec2.py
@@ -21,6 +21,7 @@
 from services.ec2.drivers.Ec2AutoScaling import Ec2AutoScaling
 from services.ec2.drivers.Ec2EbsSnapshot import Ec2EbsSnapshot
 from services.ec2.drivers.Ec2Vpc import Ec2Vpc
+from services.ec2.drivers.Ec2NACL import Ec2NACL
 
 class Ec2(Service):
     def __init__(self, region):
@@ -322,6 +323,17 @@ def getFlowLogs(self):
             flowLogList = flowLogList + result.get('FlowLogs')
 
         return flowLogList
+
+    def getNetworkACLs(self):
+        result = self.ec2Client.describe_network_acls()
+
+        networkACLs = result.get('NetworkAcls')
+        while result.get('NextToken') is not None:
+            result = self.ec2Client.describe_network_acls(
+                NextToken = result.get('NextToken')
+            )
+            networkACLs = networkACLs + result.get('NetworkAcls')
+        return networkACLs
 
     def advise(self):
         objs = {}
@@ -457,5 +469,14 @@ def advise(self):
             obj = Ec2Vpc(vpc, flowLogs, self.ec2Client)
             obj.run(self.__class__)
             objs[f"VPC::{vpc['VpcId']}"] = obj.getInfo()
+
+        # NACL Checks
+        nacls = self.getNetworkACLs()
+        for nacl in nacls:
+            print(f"... (NACL::Network ACL) inspecting {nacl['NetworkAclId']}")
+            obj = Ec2NACL(nacl, self.ec2Client)
+            obj.run(self.__class__)
+            objs[f"NACL::{nacl['NetworkAclId']}"] = obj.getInfo()
+
 
         return objs
diff --git a/services/ec2/drivers/Ec2NACL.py b/services/ec2/drivers/Ec2NACL.py
@@ -0,0 +1,33 @@
+import boto3
+import botocore
+
+from services.Evaluator import Evaluator
+
+class Ec2NACL(Evaluator):
+    def __init__(self, nacl, ec2Client):
+        super().__init__()
+        self.nacl = nacl
+        self.ec2Client = ec2Client
+        self.init()
+        return
+
+    def _checkNACLAssociation(self):
+        if not self.nacl['Associations']:
+            self.results['NACLAssociated'] = [-1, self.nacl['NetworkAclId']]
+
+        return
+
+    def _checkNACLIngressSensitivePort(self):
+        sensitivePort = [22, 3389]
+        for entry in self.nacl['Entries']:
+            if entry['RuleAction'] == 'allow' and entry['Egress'] == False:
+                if ('CidrBlock' in entry and entry['CidrBlock'] == '0.0.0.0/0') or ('Ipv6CidrBlock' in entry and entry['Ipv6CidrBlock'] == '::/0'):
+                    if 'PortRange' in entry:
+                        portFrom = entry['PortRange']['From']
+                        portTo = entry['PortRange']['To']
+                        for port in sensitivePort:
+                            if portFrom <= port and portTo >= port:
+                                self.results['NACLSensitivePort'] = [-1, self.nacl['NetworkAclId']]
+                                return
+
+        return
diff --git a/services/ec2/ec2.reporter.json b/services/ec2/ec2.reporter.json
@@ -650,5 +650,31 @@
         "ref": [
             "[Amazon Elastic Compute Cloud controls]<https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-6>"
         ]
+    },
+    "NACLAssociated": {
+        "category": "O",
+        "^description": "You have {$COUNT} Network ACL has no subnet association. Remove unused Network ACL to improve operation efficiency.",  
+        "downtime": 0,
+        "slowness": 0,
+        "additionalCost": 0,
+        "criticality": "L",
+        "needFullTest": 0,
+        "shortDesc": "Remove unused Network ACL",
+        "ref": [
+            "[Control traffic to subnets using network ACLs]<https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html>"
+        ]
+    },
+    "NACLSensitivePort": {
+        "category": "S",
+        "^description": "You have {$COUNT} Network ACL has unrestricted ingress access to SSH/RDP port. Remove ingress access for the sensitive port",  
+        "downtime": 0,
+        "slowness": 0,
+        "additionalCost": 0,
+        "criticality": "H",
+        "needFullTest": 0,
+        "shortDesc": "Remove unrestricted ingress access to sensitive port",
+        "ref": [
+            "[Amazon Elastic Compute Cloud controls]<https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-21>"
+        ]
     }
 }
diff --git a/utils/Config.py b/utils/Config.py
@@ -58,6 +58,7 @@ class Config:
         'ec2instance': ['DICT', 'ec2InstanceData', 'InstanceId'],
         'ec2secgroup': ['DICT', 'secGroup', 'GroupId'],
         'ec2vpc': ['DICT', 'vpc', 'VpcId'],
+        'ec2nacl': ['DICT', 'nacl', 'NetworkAclId'],
         'efsdriver': ['DICT', 'efs', 'FileSystemId'],
         'ekscommon': ['ATTR', 'cluster'],
         'elasticachememcached': ['DICT', 'cluster', 'ARN'],