Add feature: EC2 bp check

2024-08-07 17:06:38 +09:00 · 2024-08-07 17:06:38 +09:00 · 2a92f6ee05
commit 2a92f6ee05
parent 2c7f90455d
1 changed files with 143 additions and 10 deletions
--- a/services/ec2.py
+++ b/services/ec2.py
@ -2,58 +2,191 @@ from models import RuleCheckResult
 import boto3
-# client = boto3.client("")
+client = boto3.client("ec2")
 autoscaling_client = boto3.client("autoscaling")
 ssm_client = boto3.client("ssm")
 def autoscaling_launch_template():
    compliant_resources = []
    non_compliant_resources = []
    asgs = autoscaling_client.describe_auto_scaling_groups()["AutoScalingGroups"]
    for asg in asgs:
        if "LaunchTemplate" in asg["MixedInstancesPolicy"]:
            compliant_resources.append(asg["AutoScalingGroupARN"])
        else:
            non_compliant_resources.append(asg["AutoScalingGroupARN"])
    return RuleCheckResult(
-        passed=False, compliant_resources=[], non_compliant_resources=[]
+        passed=not non_compliant_resources,
        compliant_resources=compliant_resources,
        non_compliant_resources=non_compliant_resources,
    )
 def ec2_ebs_encryption_by_default():
    compliant_resources = []
    non_compliant_resources = []
    ebses = client.describe_volumes()["Volumes"]
    for ebs in ebses:
        if ebs["Encrypted"] == True:
            compliant_resources.append(ebs["VolumeId"])
        else:
            non_compliant_resources.append(ebs["VolumeId"])
    return RuleCheckResult(
-        passed=False, compliant_resources=[], non_compliant_resources=[]
+        passed=not non_compliant_resources,
        compliant_resources=compliant_resources,
        non_compliant_resources=non_compliant_resources,
    )
 def ec2_imdsv2_check():
    compliant_resources = []
    non_compliant_resources = []
    reservations = client.describe_instances()["Reservations"]
    for reservation in reservations:
        for instance in reservation["Instances"]:
            if instance["State"]["Name"] == "terminated":
                continue
            if instance["MetadataOptions"]["HttpTokens"] == "required":
                compliant_resources.append(instance["InstanceId"])
            else:
                non_compliant_resources.append(instance["InstanceId"])
    return RuleCheckResult(
-        passed=False, compliant_resources=[], non_compliant_resources=[]
+        passed=not non_compliant_resources,
        compliant_resources=compliant_resources,
        non_compliant_resources=non_compliant_resources,
    )
 def ec2_instance_detailed_monitoring_enabled():
    compliant_resources = []
    non_compliant_resources = []
    reservations = client.describe_instances()["Reservations"]
    for reservation in reservations:
        for instance in reservation["Instances"]:
            if instance["State"]["Name"] == "terminated":
                continue
            if instance["Monitoring"]["State"] == "enabled":
                compliant_resources.append(instance["InstanceId"])
            else:
                non_compliant_resources.append(instance["InstanceId"])
    return RuleCheckResult(
-        passed=False, compliant_resources=[], non_compliant_resources=[]
+        passed=not non_compliant_resources,
        compliant_resources=compliant_resources,
        non_compliant_resources=non_compliant_resources,
    )
 def ec2_instance_managed_by_systems_manager():
    compliant_resources = []
    non_compliant_resources = []
    reservations = client.describe_instances()["Reservations"]
    informations = ssm_client.describe_instance_information()["InstanceInformationList"]
    managed_instance_ids = [i["InstanceId"] for i in informations if i["PingStatus"]]
    for reservation in reservations:
        for instance in reservation["Instances"]:
            if instance["State"]["Name"] == "terminated":
                continue
            if instance["InstanceId"] in managed_instance_ids:
                compliant_resources.append(instance["InstanceId"])
            else:
                non_compliant_resources.append(instance["InstanceId"])
    return RuleCheckResult(
-        passed=False, compliant_resources=[], non_compliant_resources=[]
+        passed=not non_compliant_resources,
        compliant_resources=compliant_resources,
        non_compliant_resources=non_compliant_resources,
    )
 def ec2_instance_profile_attached():
    compliant_resources = []
    non_compliant_resources = []
    reservations = client.describe_instances()["Reservations"]
    for reservation in reservations:
        for instance in reservation["Instances"]:
            if instance["State"]["Name"] == "terminated":
                continue
            if "IamInstanceProfile" in instance:
                compliant_resources.append(instance["InstanceId"])
            else:
                non_compliant_resources.append(instance["InstanceId"])
    return RuleCheckResult(
-        passed=False, compliant_resources=[], non_compliant_resources=[]
+        passed=not non_compliant_resources,
        compliant_resources=compliant_resources,
        non_compliant_resources=non_compliant_resources,
    )
 def ec2_no_amazon_key_pair():
    compliant_resources = []
    non_compliant_resources = []
    reservations = client.describe_instances()["Reservations"]
    for reservation in reservations:
        for instance in reservation["Instances"]:
            if instance["State"]["Name"] == "terminated":
                continue
            if "KeyName" in instance:
                compliant_resources.append(instance["InstanceId"])
            else:
                non_compliant_resources.append(instance["InstanceId"])
    return RuleCheckResult(
-        passed=False, compliant_resources=[], non_compliant_resources=[]
+        passed=not non_compliant_resources,
        compliant_resources=compliant_resources,
        non_compliant_resources=non_compliant_resources,
    )
 def ec2_stopped_instance():
    compliant_resources = []
    non_compliant_resources = []
    reservations = client.describe_instances()["Reservations"]
    for reservation in reservations:
        for instance in reservation["Instances"]:
            if instance["State"]["Name"] == "terminated":
                continue
            if instance["State"]["Name"] != "stopped":
                compliant_resources.append(instance["InstanceId"])
            else:
                non_compliant_resources.append(instance["InstanceId"])
    return RuleCheckResult(
-        passed=False, compliant_resources=[], non_compliant_resources=[]
+        passed=not non_compliant_resources,
        compliant_resources=compliant_resources,
        non_compliant_resources=non_compliant_resources,
    )
 def ec2_token_hop_limit_check():
    compliant_resources = []
    non_compliant_resources = []
    reservations = client.describe_instances()["Reservations"]
    for reservation in reservations:
        for instance in reservation["Instances"]:
            if instance["State"]["Name"] == "terminated":
                continue
            if instance["MetadataOptions"]["HttpPutResponseHopLimit"] < 2:
                compliant_resources.append(instance["InstanceId"])
            else:
                non_compliant_resources.append(instance["InstanceId"])
    return RuleCheckResult(
-        passed=False, compliant_resources=[], non_compliant_resources=[]
+        passed=not non_compliant_resources,
        compliant_resources=compliant_resources,
        non_compliant_resources=non_compliant_resources,
    )