Merge pull request #724 from 0xdabbad00/check_access_analyzer_is_enabled

0xdabbad00 · web-flow · commit 5e14cf4610f2 · 2020-06-19T15:36:20.000-06:00
Check for access analyzer enabled
diff --git a/audit_config.yaml b/audit_config.yaml
@@ -376,4 +376,10 @@ EC2_IMDSV2_NOT_ENFORCED:
   title: IMDSv2 not enforced
   description: The original metadata service that allows EC2s to assume IAM roles could allow an attacker to take over that role if they were able to find an SSRF vulnerability or proxy functionality on the instance. IMDSv2 should be enforced and not optional.
   severity: Medium
-  group: EC2
+  group: EC2
+
+ACCESSANALYZER_OFF:
+  title: Access Analyzer off
+  description: Access Analyzer is a free service that can tell you when resources are public or shared with unexpected accounts.
+  severity: Medium
+  group: AccessAnalyzer
diff --git a/collect_commands.yaml b/collect_commands.yaml
@@ -394,3 +394,5 @@
 - Service: route53
   Request: list-hosted-zones-by-vpc
   Custom_collection: True
+- Service: accessanalyzer
+  Request: list-analyzers
diff --git a/shared/audit.py b/shared/audit.py
@@ -208,6 +208,21 @@ def audit_guardduty(findings, region):
         findings.add(Finding(region, "GUARDDUTY_OFF", None, None))
 
 
+def audit_accessanalyzer(findings, region):
+    analyzer_list_json = query_aws(
+        region.account, "accessanalzyer-list-analyzers", region
+    )
+    if not analyzer_list_json:
+        # Access Analyzer must not exist in this region (or the collect data is old)
+        return
+    is_enabled = False
+    for analyzer in analyzer_list_json["analyzers"]:
+        if analyzer["status"] == "ACTIVE":
+            is_enabled = True
+    if not is_enabled:
+        findings.add(Finding(region, "ACCESSANALYZER_OFF", None, None))
+
+
 def audit_iam(findings, region):
     # By calling the code to find the admins, we'll excercise the code that finds problems.
     find_admins_in_account(region, findings)
@@ -755,10 +770,10 @@ def audit_ec2(findings, region):
             if instance.get("State", {}).get("Name", "") == "terminated":
                 # Ignore EC2's that are off
                 continue
-            
+
             # Check for IMDSv2 enforced
-            if instance.get("MetadataOptions", {}).get('HttpEndpoint', '') == 'enabled':
-                if instance["MetadataOptions"].get('HttpTokens', '') == 'optional':
+            if instance.get("MetadataOptions", {}).get("HttpEndpoint", "") == "enabled":
+                if instance["MetadataOptions"].get("HttpTokens", "") == "optional":
                     findings.add(
                         Finding(
                             region,
@@ -771,7 +786,6 @@ def audit_ec2(findings, region):
                         )
                     )
 
-
             # Check for old instances
             if instance.get("LaunchTime", "") != "":
                 MAX_RESOURCE_AGE_DAYS = 365
@@ -1120,6 +1134,7 @@ def audit(accounts):
                     audit_cloudfront(findings, region)
                     audit_s3_block_policy(findings, region)
                 audit_guardduty(findings, region)
+                audit_accessanalyzer(findings, region)
                 audit_ebs_snapshots(findings, region)
                 audit_rds_snapshots(findings, region)
                 audit_rds(findings, region)
