diff --git a/permissions/prowler-additions-policy.json b/permissions/prowler-additions-policy.json index eb140e7c095..c6e48eb8596 100644 --- a/permissions/prowler-additions-policy.json +++ b/permissions/prowler-additions-policy.json @@ -4,6 +4,8 @@ { "Action": [ "account:Get*", + "amplify:ListApps", + "amplify:ListBranches", "appstream:Describe*", "appstream:List*", "backup:List*", diff --git a/permissions/templates/cloudformation/prowler-scan-role.yml b/permissions/templates/cloudformation/prowler-scan-role.yml index a7d91b00719..1cc45b45e03 100644 --- a/permissions/templates/cloudformation/prowler-scan-role.yml +++ b/permissions/templates/cloudformation/prowler-scan-role.yml @@ -99,6 +99,8 @@ Resources: Effect: Allow Action: - "account:Get*" + - "amplify:ListApps" + - "amplify:ListBranches" - "appstream:Describe*" - "appstream:List*" - "backup:List*" diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md index 5730cc4a1ea..29a9a308ff9 100644 --- a/prowler/CHANGELOG.md +++ b/prowler/CHANGELOG.md @@ -2,6 +2,12 @@ All notable changes to the **Prowler SDK** are documented in this file. +## [5.33.0] (Prowler UNRELEASED) + +### 🚀 Added + +- `batch_job_definition_no_secrets` check for AWS provider to detect plaintext secrets in Batch job definitions environment variables or command parameters +- `amplify_app_no_secrets_in_environment` check for AWS provider to detect plaintext secrets in Amplify app environment variables, branch environment variables, and build settings (build spec) ## [5.32.1] (Prowler UNRELEASED) ### 🐞 Fixed diff --git a/prowler/providers/aws/services/amplify/__init__.py b/prowler/providers/aws/services/amplify/__init__.py new file mode 100644 index 00000000000..8b137891791 --- /dev/null +++ b/prowler/providers/aws/services/amplify/__init__.py @@ -0,0 +1 @@ + diff --git a/prowler/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/__init__.py b/prowler/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/__init__.py new file mode 100644 index 00000000000..8b137891791 --- /dev/null +++ b/prowler/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/__init__.py @@ -0,0 +1 @@ + diff --git a/prowler/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/amplify_app_no_secrets_in_environment.metadata.json b/prowler/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/amplify_app_no_secrets_in_environment.metadata.json new file mode 100644 index 00000000000..1a5c209fcb9 --- /dev/null +++ b/prowler/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/amplify_app_no_secrets_in_environment.metadata.json @@ -0,0 +1,42 @@ +{ + "Provider": "aws", + "CheckID": "amplify_app_no_secrets_in_environment", + "CheckTitle": "Amplify app has no sensitive credentials in environment variables or build settings", + "CheckType": [ + "Software and Configuration Checks/AWS Security Best Practices", + "TTPs/Credential Access", + "Effects/Data Exposure", + "Sensitive Data Identifications/Security" + ], + "ServiceName": "amplify", + "SubServiceName": "", + "ResourceIdTemplate": "arn:partition:amplify:region:account-id:apps/app-id", + "Severity": "high", + "ResourceType": "AwsAmplifyApp", + "ResourceGroup": "security", + "Description": "AWS Amplify apps and their branches are inspected for hardcoded secrets, such as API keys, tokens, or passwords embedded in environment variables or build settings (buildSpec).", + "Risk": "Plaintext secrets in Amplify app environment variables or build configurations can be viewed by anyone with read access to the Amplify console, or may leak during the build process, exposing downstream resources and integrations.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://docs.aws.amazon.com/amplify/latest/userguide/environment-variables.html", + "https://docs.prowler.com/developer-guide/secret-scanning-checks" + ], + "Remediation": { + "Code": { + "CLI": "aws amplify update-app --app-id --environment-variables ", + "NativeIaC": "", + "Other": "1. Access the AWS Amplify console.\n2. Navigate to your app settings, choose Environment variables, and check if any secrets are stored in plaintext.\n3. For actual secrets, migrate them to environment secrets or AWS Secrets Manager / Parameter Store and reference them securely during the build phase.\n4. Clean the variables or buildSpec configuration.", + "Terraform": "" + }, + "Recommendation": { + "Text": "Avoid storing secrets in plaintext environment variables or build specifications for AWS Amplify apps. Store sensitive settings securely in AWS Systems Manager Parameter Store or AWS Secrets Manager.", + "Url": "https://hub.prowler.com/check/amplify_app_no_secrets_in_environment" + } + }, + "Categories": [ + "secrets" + ], + "DependsOn": [], + "RelatedTo": [], + "Notes": "" +} diff --git a/prowler/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/amplify_app_no_secrets_in_environment.py b/prowler/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/amplify_app_no_secrets_in_environment.py new file mode 100644 index 00000000000..33175c724fd --- /dev/null +++ b/prowler/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/amplify_app_no_secrets_in_environment.py @@ -0,0 +1,105 @@ +import json + +from prowler.lib.check.models import Check, Check_Report_AWS +from prowler.lib.utils.utils import ( + SecretsScanError, + annotate_verified_secrets, + detect_secrets_scan_batch, +) +from prowler.providers.aws.services.amplify.amplify_client import amplify_client + + +class amplify_app_no_secrets_in_environment(Check): + """Check that AWS Amplify apps contain no hardcoded secrets in their environment variables or build settings.""" + + def execute(self) -> list[Check_Report_AWS]: + findings = [] + secrets_ignore_patterns = amplify_client.audit_config.get( + "secrets_ignore_patterns", [] + ) + validate = amplify_client.audit_config.get("secrets_validate", False) + apps = list(amplify_client.apps.values()) + line_context_by_app = {} + + payloads_list = [] + for app_index, app in enumerate(apps): + payload, line_context = _build_app_payload(app) + line_context_by_app[app_index] = line_context + if payload: + payloads_list.append((app_index, payload)) + + scan_error = None + try: + batch_results = detect_secrets_scan_batch( + payloads_list, + excluded_secrets=secrets_ignore_patterns, + validate=validate, + ) + except SecretsScanError as error: + batch_results = {} + scan_error = error + + for app_index, app in enumerate(apps): + report = Check_Report_AWS(metadata=self.metadata(), resource=app) + report.resource_tags = app.tags + report.status = "PASS" + report.status_extended = f"No secrets found in Amplify app {app.name} environment variables or build settings." + + line_context = line_context_by_app.get(app_index, {}) + if line_context: + if scan_error: + report.status = "MANUAL" + report.status_extended = ( + f"Could not scan Amplify app {app.name} environment variables " + f"for secrets: {scan_error}; manual review is required." + ) + findings.append(report) + continue + + detect_secrets_output = batch_results.get(app_index) + if detect_secrets_output: + secrets_string = ", ".join( + [ + f"{secret['type']} in {line_context.get(secret['line_number'], 'environment variables/build settings')}" + for secret in detect_secrets_output + ] + ) + report.status = "FAIL" + report.status_extended = ( + f"Potential {'secrets' if len(detect_secrets_output) > 1 else 'secret'} " + f"found in Amplify app {app.name} environment variables or build settings -> {secrets_string}." + ) + annotate_verified_secrets(report, detect_secrets_output) + + findings.append(report) + return findings + + +def _build_app_payload(app) -> tuple[str, dict[int, str]]: + """Build a line-oriented scan payload and map each line to a field context.""" + lines = [] + line_context = {} + + def add_line(context: str, value: str) -> None: + if value is None: + return + lines.append(json.dumps({context: value})) + line_context[len(lines)] = context + + # App environment variables + for var_name, var_value in app.environment_variables.items(): + add_line(f"app environment variable '{var_name}'", var_value) + + # App buildSpec + if app.build_spec: + for idx, line in enumerate(app.build_spec.splitlines(), start=1): + add_line(f"app buildSpec line {idx}", line) + + # Branch environment variables + for branch in app.branches: + for var_name, var_value in branch.environment_variables.items(): + add_line( + f"branch '{branch.name}' environment variable '{var_name}'", var_value + ) + + return "\n".join(lines), line_context diff --git a/prowler/providers/aws/services/amplify/amplify_client.py b/prowler/providers/aws/services/amplify/amplify_client.py new file mode 100644 index 00000000000..9d69c68424a --- /dev/null +++ b/prowler/providers/aws/services/amplify/amplify_client.py @@ -0,0 +1,4 @@ +from prowler.providers.aws.services.amplify.amplify_service import Amplify +from prowler.providers.common.provider import Provider + +amplify_client = Amplify(Provider.get_global_provider()) diff --git a/prowler/providers/aws/services/amplify/amplify_service.py b/prowler/providers/aws/services/amplify/amplify_service.py new file mode 100644 index 00000000000..d22eeecbb10 --- /dev/null +++ b/prowler/providers/aws/services/amplify/amplify_service.py @@ -0,0 +1,95 @@ +from botocore.exceptions import ClientError +from pydantic.v1 import BaseModel, Field + +from prowler.lib.logger import logger +from prowler.lib.scan_filters.scan_filters import is_resource_filtered +from prowler.providers.aws.lib.service.service import AWSService + + +class Branch(BaseModel): + """Represents an AWS Amplify App Branch.""" + + name: str + arn: str + environment_variables: dict = Field(default_factory=dict) + + +class App(BaseModel): + """Represents an AWS Amplify App.""" + + id: str + name: str + arn: str + region: str + environment_variables: dict = Field(default_factory=dict) + build_spec: str = "" + branches: list[Branch] = Field(default_factory=list) + tags: list[dict] = Field(default_factory=list) + + +class Amplify(AWSService): + """AWS Amplify service class.""" + + def __init__(self, provider): + super().__init__(__class__.__name__, provider) + self.apps = {} + self.__threading_call__(self._list_apps) + if self.apps: + self.__threading_call__(self._list_branches, self.apps.values()) + + def _list_apps(self, regional_client) -> None: + logger.info("Amplify - Listing apps...") + try: + list_apps_paginator = regional_client.get_paginator("list_apps") + for page in list_apps_paginator.paginate(): + for app in page.get("apps", []): + app_id = app.get("appId") + app_name = app.get("name") + app_arn = app.get("appArn") + if not self.audit_resources or is_resource_filtered( + app_arn, self.audit_resources + ): + tags = app.get("tags", {}) + tags_list = [tags] if tags else [] + self.apps[app_arn] = App( + id=app_id, + name=app_name, + arn=app_arn, + region=regional_client.region, + environment_variables=app.get("environmentVariables", {}), + build_spec=app.get("buildSpec", ""), + tags=tags_list, + ) + except ClientError as error: + logger.error( + f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}" + ) + except Exception as error: + logger.error( + f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}" + ) + + def _list_branches(self, app: App) -> None: + logger.info(f"Amplify - Listing branches for app {app.name}...") + try: + regional_client = self.regional_clients[app.region] + list_branches_paginator = regional_client.get_paginator("list_branches") + for page in list_branches_paginator.paginate(appId=app.id): + for branch in page.get("branches", []): + branch_name = branch.get("branchName") + branch_arn = branch.get("branchArn") + app.branches.append( + Branch( + name=branch_name, + arn=branch_arn, + environment_variables=branch.get("environmentVariables", {}), + ) + ) + except ClientError as error: + logger.error( + f"{app.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}" + ) + except Exception as error: + logger.error( + f"{app.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}" + ) diff --git a/prowler/providers/aws/services/batch/__init__.py b/prowler/providers/aws/services/batch/__init__.py new file mode 100644 index 00000000000..1282aadb75b --- /dev/null +++ b/prowler/providers/aws/services/batch/__init__.py @@ -0,0 +1 @@ +# AWS Batch Service diff --git a/prowler/providers/aws/services/batch/batch_client.py b/prowler/providers/aws/services/batch/batch_client.py new file mode 100644 index 00000000000..8c0d2e22de9 --- /dev/null +++ b/prowler/providers/aws/services/batch/batch_client.py @@ -0,0 +1,4 @@ +from prowler.providers.aws.services.batch.batch_service import Batch +from prowler.providers.common.provider import Provider + +batch_client = Batch(Provider.get_global_provider()) diff --git a/prowler/providers/aws/services/batch/batch_job_definition_no_secrets/__init__.py b/prowler/providers/aws/services/batch/batch_job_definition_no_secrets/__init__.py new file mode 100644 index 00000000000..ba521c717e3 --- /dev/null +++ b/prowler/providers/aws/services/batch/batch_job_definition_no_secrets/__init__.py @@ -0,0 +1 @@ +# batch_job_definition_no_secrets init diff --git a/prowler/providers/aws/services/batch/batch_job_definition_no_secrets/batch_job_definition_no_secrets.metadata.json b/prowler/providers/aws/services/batch/batch_job_definition_no_secrets/batch_job_definition_no_secrets.metadata.json new file mode 100644 index 00000000000..045f089dc4a --- /dev/null +++ b/prowler/providers/aws/services/batch/batch_job_definition_no_secrets/batch_job_definition_no_secrets.metadata.json @@ -0,0 +1,42 @@ +{ + "Provider": "aws", + "CheckID": "batch_job_definition_no_secrets", + "CheckTitle": "AWS Batch job definitions have no secrets in container properties environment variables or commands", + "CheckType": [ + "Software and Configuration Checks/AWS Security Best Practices", + "TTPs/Credential Access", + "Effects/Data Exposure", + "Sensitive Data Identifications/Security" + ], + "ServiceName": "batch", + "SubServiceName": "", + "ResourceIdTemplate": "arn:partition:batch:region:account-id:job-definition/job-definition-name:revision", + "Severity": "high", + "ResourceType": "AwsBatchJobDefinition", + "ResourceGroup": "security", + "Description": "AWS Batch job definitions are inspected for hardcoded secrets, such as API keys, tokens, or passwords embedded in container environment variables or command parameters.", + "Risk": "Plaintext secrets in AWS Batch job definitions can be viewed by anyone with read access to the Batch service, or may leak during job execution, exposing downstream resources and integrations.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://docs.aws.amazon.com/batch/latest/userguide/job_definitions.html", + "https://docs.prowler.com/developer-guide/secret-scanning-checks" + ], + "Remediation": { + "Code": { + "CLI": "aws batch register-job-definition --job-definition-name --type container --container-properties ", + "NativeIaC": "", + "Other": "1. Access the AWS Batch console.\n2. Navigate to Job definitions, select your active job definition, and check if any secrets are stored in environment variables or command parameters.\n3. Create a new revision of the job definition without plaintext secrets.\n4. Use secure methods like AWS Systems Manager Parameter Store or AWS Secrets Manager to inject secrets into the container.", + "Terraform": "" + }, + "Recommendation": { + "Text": "Avoid storing secrets in plaintext environment variables or command parameters for AWS Batch job definitions. Store sensitive settings securely in AWS Systems Manager Parameter Store or AWS Secrets Manager.", + "Url": "https://hub.prowler.com/check/batch_job_definition_no_secrets" + } + }, + "Categories": [ + "secrets" + ], + "DependsOn": [], + "RelatedTo": [], + "Notes": "" +} diff --git a/prowler/providers/aws/services/batch/batch_job_definition_no_secrets/batch_job_definition_no_secrets.py b/prowler/providers/aws/services/batch/batch_job_definition_no_secrets/batch_job_definition_no_secrets.py new file mode 100644 index 00000000000..1b0cc6b56c4 --- /dev/null +++ b/prowler/providers/aws/services/batch/batch_job_definition_no_secrets/batch_job_definition_no_secrets.py @@ -0,0 +1,119 @@ +import json + +from prowler.lib.check.models import Check, Check_Report_AWS +from prowler.lib.utils.utils import ( + SecretsScanError, + annotate_verified_secrets, + detect_secrets_scan_batch, +) +from prowler.providers.aws.services.batch.batch_client import batch_client + + +class batch_job_definition_no_secrets(Check): + """Check that AWS Batch job definitions contain no hardcoded secrets in their environment variables or command parameters.""" + + def execute(self) -> list[Check_Report_AWS]: + """Scans Batch job definitions for secrets. + + Uses `detect_secrets_scan_batch` to scan the environment variables and + command parameters of Batch job definitions. If `SecretsScanError` is raised, + the scan is skipped and the check returns a MANUAL report. Otherwise, it returns + a list of `Check_Report_AWS` with a status of PASS (no secrets found) or FAIL + (secrets found). + + Returns: + list[Check_Report_AWS]: A list of check reports. + """ + findings = [] + secrets_ignore_patterns = batch_client.audit_config.get( + "secrets_ignore_patterns", [] + ) + validate = batch_client.audit_config.get("secrets_validate", False) + job_definitions = list(batch_client.job_definitions.values()) + line_context_by_jd = {} + + payloads_list = [] + for jd_index, jd in enumerate(job_definitions): + payload, line_context = _build_job_definition_payload(jd) + line_context_by_jd[jd_index] = line_context + if payload: + payloads_list.append((jd_index, payload)) + + scan_error = None + try: + batch_results = detect_secrets_scan_batch( + payloads_list, + excluded_secrets=secrets_ignore_patterns, + validate=validate, + ) + except SecretsScanError as error: + batch_results = {} + scan_error = error + + for jd_index, jd in enumerate(job_definitions): + report = Check_Report_AWS(metadata=self.metadata(), resource=jd) + report.resource_id = f"{jd.name}:{jd.revision}" + report.resource_tags = jd.tags + report.status = "PASS" + report.status_extended = ( + f"No secrets found in Batch job definition {jd.name}." + ) + + line_context = line_context_by_jd.get(jd_index, {}) + if line_context: + if scan_error: + report.status = "MANUAL" + report.status_extended = ( + f"Could not scan Batch job definition {jd.name} " + f"for secrets: {scan_error}; manual review is required." + ) + findings.append(report) + continue + + detect_secrets_output = batch_results.get(jd_index) + if detect_secrets_output: + secrets_string = ", ".join( + [ + f"{secret['type']} in {line_context.get(secret['line_number'], 'environment variables/commands')}" + for secret in detect_secrets_output + ] + ) + report.status = "FAIL" + report.status_extended = ( + f"Potential {'secrets' if len(detect_secrets_output) > 1 else 'secret'} " + f"found in Batch job definition {jd.name} -> {secrets_string}." + ) + annotate_verified_secrets(report, detect_secrets_output) + + findings.append(report) + return findings + + +def _build_job_definition_payload(jd) -> tuple[str, dict[int, str]]: + """Build a line-oriented scan payload and map each line to a field context.""" + lines = [] + line_context = {} + + def add_line(context: str, value: str) -> None: + if not isinstance(value, str) or not value: + return + lines.append(json.dumps({context: value})) + line_context[len(lines)] = context + + for container in jd.containers: + # Scan environment variables + for env_var in container.environment: + name = env_var.get("name", "") + value = env_var.get("value", "") + add_line( + f"container '{container.name}' environment variable '{name}'", value + ) + + # Scan command + for idx, cmd_part in enumerate(container.command): + add_line( + f"container '{container.name}' command parameter at index {idx}", + cmd_part, + ) + + return "\n".join(lines), line_context diff --git a/prowler/providers/aws/services/batch/batch_service.py b/prowler/providers/aws/services/batch/batch_service.py new file mode 100644 index 00000000000..ac7b4d50417 --- /dev/null +++ b/prowler/providers/aws/services/batch/batch_service.py @@ -0,0 +1,125 @@ +from botocore.exceptions import ClientError +from pydantic.v1 import BaseModel, Field + +from prowler.lib.logger import logger +from prowler.lib.scan_filters.scan_filters import is_resource_filtered +from prowler.providers.aws.lib.service.service import AWSService + + +class JobDefinitionContainer(BaseModel): + """Represents a container within a Batch Job Definition.""" + + name: str + environment: list[dict] = Field(default_factory=list) + command: list[str] = Field(default_factory=list) + + +class JobDefinition(BaseModel): + """Represents an AWS Batch Job Definition.""" + + name: str + arn: str + revision: int + region: str + containers: list[JobDefinitionContainer] = Field(default_factory=list) + tags: list[dict] = Field(default_factory=list) + + +class Batch(AWSService): + """AWS Batch service class.""" + + def __init__(self, provider): + super().__init__(__class__.__name__, provider) + self.job_definitions = {} + self.__threading_call__(self._describe_job_definitions) + + def _describe_job_definitions(self, regional_client) -> None: + logger.info("Batch - Describing Job Definitions...") + try: + describe_job_definitions_paginator = regional_client.get_paginator( + "describe_job_definitions" + ) + for page in describe_job_definitions_paginator.paginate(status="ACTIVE"): + for job_definition in page.get("jobDefinitions", []): + job_definition_arn = job_definition.get("jobDefinitionArn") + job_definition_name = job_definition.get("jobDefinitionName") + if not self.audit_resources or is_resource_filtered( + job_definition_arn, self.audit_resources + ): + containers = [] + + # 1. Single container job definition + if "containerProperties" in job_definition: + container_props = job_definition["containerProperties"] + containers.append( + JobDefinitionContainer( + name="containerProperties", + environment=container_props.get("environment", []), + command=container_props.get("command", []), + ) + ) + + # 2. Multi-node parallel job definition + if "nodeProperties" in job_definition: + node_props = job_definition["nodeProperties"] + for idx, range_prop in enumerate( + node_props.get("nodeRangeProperties", []) + ): + if "container" in range_prop: + container_props = range_prop["container"] + containers.append( + JobDefinitionContainer( + name=f"nodeRangeProperties[{idx}].container", + environment=container_props.get( + "environment", [] + ), + command=container_props.get("command", []), + ) + ) + + # 3. EKS container definition + if "eksProperties" in job_definition: + eks_props = job_definition["eksProperties"] + pod_props = eks_props.get("podProperties", {}) + for idx, container in enumerate( + pod_props.get("containers", []) + ): + command_and_args = list( + container.get("command", []) + ) + list(container.get("args", [])) + env_list = [] + for env_var in container.get("env", []): + if "name" in env_var and "value" in env_var: + env_list.append( + { + "name": env_var["name"], + "value": env_var["value"], + } + ) + containers.append( + JobDefinitionContainer( + name=f"eksProperties.podProperties.containers[{idx}]", + environment=env_list, + command=command_and_args, + ) + ) + + tags = job_definition.get("tags", {}) + tags_list = [tags] if tags else [] + + self.job_definitions[job_definition_arn] = JobDefinition( + name=job_definition_name, + arn=job_definition_arn, + revision=job_definition.get("revision"), + region=regional_client.region, + containers=containers, + tags=tags_list, + ) + except ClientError as error: + logger.error( + f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}" + ) + except Exception as error: + logger.error( + f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}" + ) diff --git a/tests/providers/aws/services/amplify/__init__.py b/tests/providers/aws/services/amplify/__init__.py new file mode 100644 index 00000000000..8b137891791 --- /dev/null +++ b/tests/providers/aws/services/amplify/__init__.py @@ -0,0 +1 @@ + diff --git a/tests/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/__init__.py b/tests/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/__init__.py new file mode 100644 index 00000000000..8b137891791 --- /dev/null +++ b/tests/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/__init__.py @@ -0,0 +1 @@ + diff --git a/tests/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/amplify_app_no_secrets_in_environment_test.py b/tests/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/amplify_app_no_secrets_in_environment_test.py new file mode 100644 index 00000000000..b96d479bae3 --- /dev/null +++ b/tests/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/amplify_app_no_secrets_in_environment_test.py @@ -0,0 +1,180 @@ +from unittest import mock + +from prowler.providers.aws.services.amplify.amplify_service import App, Branch +from tests.providers.aws.utils import ( + AWS_ACCOUNT_NUMBER, + AWS_REGION_US_EAST_1, + set_mocked_aws_provider, +) + +# Construct the fake JWT token using string concatenation to avoid detection by secret scanners. +FAKE_JWT = ( + "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." + "eyJzdWIiOiIxMjM0NTY3ODkwIn0." + "dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U" +) + + +class Test_amplify_app_no_secrets_in_environment: + def test_no_apps(self): + amplify_client = mock.MagicMock() + amplify_client.apps = {} + amplify_client.audit_config = {"secrets_ignore_patterns": []} + + result = _execute_check(amplify_client) + + assert len(result) == 0 + + def test_app_with_no_secrets(self): + app = _build_app( + environment_variables={"key1": "val1"}, + build_spec="version: 1\nfrontend:\n phases:\n build:\n commands:\n - echo hello", + branches=[ + Branch( + name="main", + arn=f"arn:aws:amplify:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:apps/app-12345/branches/main", + environment_variables={"branch_key": "branch_val"}, + ) + ], + ) + amplify_client = mock.MagicMock() + amplify_client.apps = {app.arn: app} + amplify_client.audit_config = {"secrets_ignore_patterns": []} + + result = _execute_check(amplify_client) + + assert len(result) == 1 + assert result[0].status == "PASS" + assert ( + result[0].status_extended + == "No secrets found in Amplify app test-app environment variables or build settings." + ) + assert result[0].region == AWS_REGION_US_EAST_1 + assert result[0].resource_id == "app-12345" + assert result[0].resource_arn == app.arn + + def test_app_with_secrets_in_app_variables(self): + app = _build_app( + environment_variables={"db_pass": FAKE_JWT}, + build_spec="", + branches=[], + ) + amplify_client = mock.MagicMock() + amplify_client.apps = {app.arn: app} + amplify_client.audit_config = {"secrets_ignore_patterns": []} + + result = _execute_check(amplify_client) + + assert len(result) == 1 + assert result[0].status == "FAIL" + assert "app environment variable 'db_pass'" in result[0].status_extended + + def test_app_with_secrets_in_branch_variables(self): + app = _build_app( + environment_variables={}, + build_spec="", + branches=[ + Branch( + name="dev", + arn=f"arn:aws:amplify:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:apps/app-12345/branches/dev", + environment_variables={"api_key": FAKE_JWT}, + ) + ], + ) + amplify_client = mock.MagicMock() + amplify_client.apps = {app.arn: app} + amplify_client.audit_config = {"secrets_ignore_patterns": []} + + result = _execute_check(amplify_client) + + assert len(result) == 1 + assert result[0].status == "FAIL" + assert ( + "branch 'dev' environment variable 'api_key'" in result[0].status_extended + ) + + def test_app_with_secrets_in_build_spec(self): + app = _build_app( + environment_variables={}, + build_spec=f"version: 1\nfrontend:\n phases:\n build:\n commands:\n - export JWT={FAKE_JWT}", + branches=[], + ) + amplify_client = mock.MagicMock() + amplify_client.apps = {app.arn: app} + amplify_client.audit_config = {"secrets_ignore_patterns": []} + + result = _execute_check(amplify_client) + + assert len(result) == 1 + assert result[0].status == "FAIL" + assert "app buildSpec line 6" in result[0].status_extended + + def test_app_scan_error_marks_manual(self): + from prowler.lib.utils.utils import SecretsScanError + + app = _build_app( + environment_variables={"key1": "val1"}, + build_spec="version: 1", + branches=[], + ) + amplify_client = mock.MagicMock() + amplify_client.apps = {app.arn: app} + amplify_client.audit_config = {"secrets_ignore_patterns": []} + + aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1]) + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=aws_provider, + ), + mock.patch( + "prowler.providers.aws.services.amplify.amplify_app_no_secrets_in_environment.amplify_app_no_secrets_in_environment.detect_secrets_scan_batch", + side_effect=SecretsScanError("Scanner failure"), + ), + ): + result = _execute_check(amplify_client) + + assert len(result) == 1 + assert result[0].status == "MANUAL" + assert ( + "Could not scan Amplify app test-app environment variables for secrets: Scanner failure" + in result[0].status_extended + ) + + +def _build_app(environment_variables: dict, build_spec: str, branches: list) -> App: + app_id = "app-12345" + app_name = "test-app" + app_arn = ( + f"arn:aws:amplify:{AWS_REGION_US_EAST_1}:" f"{AWS_ACCOUNT_NUMBER}:apps/{app_id}" + ) + return App( + id=app_id, + name=app_name, + arn=app_arn, + region=AWS_REGION_US_EAST_1, + environment_variables=environment_variables, + build_spec=build_spec, + branches=branches, + tags=[], + ) + + +def _execute_check(amplify_client): + aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1]) + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=aws_provider, + ), + mock.patch( + "prowler.providers.aws.services.amplify.amplify_app_no_secrets_in_environment.amplify_app_no_secrets_in_environment.amplify_client", + amplify_client, + ), + ): + from prowler.providers.aws.services.amplify.amplify_app_no_secrets_in_environment.amplify_app_no_secrets_in_environment import ( + amplify_app_no_secrets_in_environment, + ) + + check = amplify_app_no_secrets_in_environment() + return check.execute() diff --git a/tests/providers/aws/services/amplify/amplify_service_test.py b/tests/providers/aws/services/amplify/amplify_service_test.py new file mode 100644 index 00000000000..90ff5b67ab0 --- /dev/null +++ b/tests/providers/aws/services/amplify/amplify_service_test.py @@ -0,0 +1,91 @@ +from unittest.mock import patch + +import botocore +from moto import mock_aws + +from prowler.providers.aws.services.amplify.amplify_service import Amplify, App, Branch +from tests.providers.aws.utils import ( + AWS_ACCOUNT_NUMBER, + AWS_REGION_US_EAST_1, + set_mocked_aws_provider, +) + +app_id = "app-12345" +app_name = "test-app" +app_arn = f"arn:aws:amplify:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:apps/{app_id}" +branch_name = "main" +branch_arn = f"{app_arn}/branches/{branch_name}" + +app_environment_variables = {"app_key": "app_val"} +branch_environment_variables = {"branch_key": "branch_val"} +build_spec = "version: 1" +app_tags = {"tag_key": "tag_val"} + +make_api_call = botocore.client.BaseClient._make_api_call + + +def mock_make_api_call(self, operation_name, kwarg): + if operation_name == "ListApps": + return { + "apps": [ + { + "appId": app_id, + "name": app_name, + "appArn": app_arn, + "environmentVariables": app_environment_variables, + "buildSpec": build_spec, + "tags": app_tags, + } + ] + } + if operation_name == "ListBranches": + return { + "branches": [ + { + "branchArn": branch_arn, + "branchName": branch_name, + "environmentVariables": branch_environment_variables, + } + ] + } + return make_api_call(self, operation_name, kwarg) + + +def mock_generate_regional_clients(provider, service): + regional_client = provider._session.current_session.client( + service, region_name=AWS_REGION_US_EAST_1 + ) + regional_client.region = AWS_REGION_US_EAST_1 + return {AWS_REGION_US_EAST_1: regional_client} + + +@patch("botocore.client.BaseClient._make_api_call", new=mock_make_api_call) +@patch( + "prowler.providers.aws.aws_provider.AwsProvider.generate_regional_clients", + new=mock_generate_regional_clients, +) +class TestAmplifyService: + @mock_aws + def test_amplify_service(self): + amplify = Amplify(set_mocked_aws_provider([AWS_REGION_US_EAST_1])) + + assert amplify.session.__class__.__name__ == "Session" + assert amplify.service == "amplify" + assert len(amplify.apps) == 1 + assert isinstance(amplify.apps[app_arn], App) + + app = amplify.apps[app_arn] + assert app.id == app_id + assert app.name == app_name + assert app.arn == app_arn + assert app.region == AWS_REGION_US_EAST_1 + assert app.environment_variables == app_environment_variables + assert app.build_spec == build_spec + assert app.tags == [app_tags] + + assert len(app.branches) == 1 + branch = app.branches[0] + assert isinstance(branch, Branch) + assert branch.name == branch_name + assert branch.arn == branch_arn + assert branch.environment_variables == branch_environment_variables diff --git a/tests/providers/aws/services/batch/__init__.py b/tests/providers/aws/services/batch/__init__.py new file mode 100644 index 00000000000..508bc7453d6 --- /dev/null +++ b/tests/providers/aws/services/batch/__init__.py @@ -0,0 +1 @@ +# AWS Batch tests init diff --git a/tests/providers/aws/services/batch/batch_job_definition_no_secrets/__init__.py b/tests/providers/aws/services/batch/batch_job_definition_no_secrets/__init__.py new file mode 100644 index 00000000000..a2d9f0c69c3 --- /dev/null +++ b/tests/providers/aws/services/batch/batch_job_definition_no_secrets/__init__.py @@ -0,0 +1 @@ +# batch_job_definition_no_secrets test init diff --git a/tests/providers/aws/services/batch/batch_job_definition_no_secrets/batch_job_definition_no_secrets_test.py b/tests/providers/aws/services/batch/batch_job_definition_no_secrets/batch_job_definition_no_secrets_test.py new file mode 100644 index 00000000000..893e8233065 --- /dev/null +++ b/tests/providers/aws/services/batch/batch_job_definition_no_secrets/batch_job_definition_no_secrets_test.py @@ -0,0 +1,173 @@ +from unittest import mock + +from prowler.providers.aws.services.batch.batch_service import ( + JobDefinition, + JobDefinitionContainer, +) +from tests.providers.aws.utils import ( + AWS_ACCOUNT_NUMBER, + AWS_REGION_US_EAST_1, + set_mocked_aws_provider, +) + + +class Test_batch_job_definition_no_secrets: + def test_no_job_definitions(self): + batch_client = mock.MagicMock() + batch_client.job_definitions = {} + batch_client.audit_config = {"secrets_ignore_patterns": []} + + result = _execute_check(batch_client) + + assert len(result) == 0 + + def test_job_definition_no_secrets(self): + jd = _build_job_definition( + containers=[ + JobDefinitionContainer( + name="containerProperties", + environment=[{"name": "env_key", "value": "env_val"}], + command=["echo", "hello"], + ) + ] + ) + batch_client = mock.MagicMock() + batch_client.job_definitions = {jd.arn: jd} + batch_client.audit_config = {"secrets_ignore_patterns": []} + + result = _execute_check(batch_client) + + assert len(result) == 1 + assert result[0].status == "PASS" + assert ( + result[0].status_extended + == f"No secrets found in Batch job definition {jd.name}." + ) + assert result[0].region == AWS_REGION_US_EAST_1 + assert result[0].resource_id == f"{jd.name}:{jd.revision}" + assert result[0].resource_arn == jd.arn + + def test_job_definition_with_secrets_in_env(self): + jd = _build_job_definition( + containers=[ + JobDefinitionContainer( + name="containerProperties", + environment=[ + { + "name": "db_pass", + "value": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U", + } + ], + command=["echo", "hello"], + ) + ] + ) + batch_client = mock.MagicMock() + batch_client.job_definitions = {jd.arn: jd} + batch_client.audit_config = {"secrets_ignore_patterns": []} + + result = _execute_check(batch_client) + + assert len(result) == 1 + assert result[0].status == "FAIL" + assert ( + "container 'containerProperties' environment variable 'db_pass'" + in result[0].status_extended + ) + + def test_job_definition_with_secrets_in_command(self): + jd = _build_job_definition( + containers=[ + JobDefinitionContainer( + name="containerProperties", + environment=[], + command=[ + "export JWT=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U" + ], + ) + ] + ) + batch_client = mock.MagicMock() + batch_client.job_definitions = {jd.arn: jd} + batch_client.audit_config = {"secrets_ignore_patterns": []} + + result = _execute_check(batch_client) + + assert len(result) == 1 + assert result[0].status == "FAIL" + assert ( + "container 'containerProperties' command parameter at index 0" + in result[0].status_extended + ) + + def test_job_definition_scan_error_marks_manual(self): + from prowler.lib.utils.utils import SecretsScanError + + jd = _build_job_definition( + containers=[ + JobDefinitionContainer( + name="containerProperties", + environment=[{"name": "env_key", "value": "env_val"}], + command=["echo", "hello"], + ) + ] + ) + batch_client = mock.MagicMock() + batch_client.job_definitions = {jd.arn: jd} + batch_client.audit_config = {"secrets_ignore_patterns": []} + + aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1]) + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=aws_provider, + ), + mock.patch( + "prowler.providers.aws.services.batch.batch_job_definition_no_secrets.batch_job_definition_no_secrets.detect_secrets_scan_batch", + side_effect=SecretsScanError("Scanner failure"), + ), + ): + result = _execute_check(batch_client) + + assert len(result) == 1 + assert result[0].status == "MANUAL" + assert ( + f"Could not scan Batch job definition {jd.name} for secrets: Scanner failure; manual review is required." + in result[0].status_extended + ) + + +def _build_job_definition(containers: list) -> JobDefinition: + jd_name = "test-job-def" + jd_arn = ( + f"arn:aws:batch:{AWS_REGION_US_EAST_1}:" + f"{AWS_ACCOUNT_NUMBER}:job-definition/{jd_name}:1" + ) + return JobDefinition( + name=jd_name, + arn=jd_arn, + revision=1, + region=AWS_REGION_US_EAST_1, + containers=containers, + tags=[], + ) + + +def _execute_check(batch_client): + aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1]) + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=aws_provider, + ), + mock.patch( + "prowler.providers.aws.services.batch.batch_job_definition_no_secrets.batch_job_definition_no_secrets.batch_client", + batch_client, + ), + ): + from prowler.providers.aws.services.batch.batch_job_definition_no_secrets.batch_job_definition_no_secrets import ( + batch_job_definition_no_secrets, + ) + + check = batch_job_definition_no_secrets() + return check.execute() diff --git a/tests/providers/aws/services/batch/batch_service_test.py b/tests/providers/aws/services/batch/batch_service_test.py new file mode 100644 index 00000000000..3c9bfb30d8b --- /dev/null +++ b/tests/providers/aws/services/batch/batch_service_test.py @@ -0,0 +1,127 @@ +from unittest.mock import patch + +import botocore +from moto import mock_aws + +from prowler.providers.aws.services.batch.batch_service import ( + Batch, + JobDefinition, + JobDefinitionContainer, +) +from tests.providers.aws.utils import ( + AWS_ACCOUNT_NUMBER, + AWS_REGION_US_EAST_1, + set_mocked_aws_provider, +) + +jd_name = "test-job-def" +jd_arn = f"arn:aws:batch:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:job-definition/{jd_name}:1" +jd_revision = 1 +jd_tags = {"tag_key": "tag_val"} + +make_api_call = botocore.client.BaseClient._make_api_call + + +def mock_make_api_call(self, operation_name, kwarg): + if operation_name == "DescribeJobDefinitions": + return { + "jobDefinitions": [ + { + "jobDefinitionName": jd_name, + "jobDefinitionArn": jd_arn, + "revision": jd_revision, + "status": "ACTIVE", + "type": "container", + "containerProperties": { + "image": "ubuntu", + "command": ["echo", "hello"], + "environment": [{"name": "env_key", "value": "env_val"}], + }, + "nodeProperties": { + "numNodes": 2, + "mainNode": 0, + "nodeRangeProperties": [ + { + "targetNodes": "0:", + "container": { + "image": "alpine", + "command": ["sh", "-c"], + "environment": [ + {"name": "node_env", "value": "node_val"} + ], + }, + } + ], + }, + "eksProperties": { + "podProperties": { + "containers": [ + { + "name": "eks-container", + "image": "nginx", + "command": ["nginx"], + "args": ["-g", "daemon off;"], + "env": [{"name": "eks_env", "value": "eks_val"}], + } + ] + } + }, + "tags": jd_tags, + } + ] + } + return make_api_call(self, operation_name, kwarg) + + +def mock_generate_regional_clients(provider, service): + regional_client = provider._session.current_session.client( + service, region_name=AWS_REGION_US_EAST_1 + ) + regional_client.region = AWS_REGION_US_EAST_1 + return {AWS_REGION_US_EAST_1: regional_client} + + +@patch("botocore.client.BaseClient._make_api_call", new=mock_make_api_call) +@patch( + "prowler.providers.aws.aws_provider.AwsProvider.generate_regional_clients", + new=mock_generate_regional_clients, +) +class TestBatchService: + @mock_aws + def test_batch_service(self): + batch = Batch(set_mocked_aws_provider([AWS_REGION_US_EAST_1])) + + assert batch.session.__class__.__name__ == "Session" + assert batch.service == "batch" + assert len(batch.job_definitions) == 1 + assert isinstance(batch.job_definitions[jd_arn], JobDefinition) + + jd = batch.job_definitions[jd_arn] + assert jd.name == jd_name + assert jd.arn == jd_arn + assert jd.revision == jd_revision + assert jd.region == AWS_REGION_US_EAST_1 + assert jd.tags == [jd_tags] + + assert len(jd.containers) == 3 + + # 1. containerProperties container + c1 = jd.containers[0] + assert isinstance(c1, JobDefinitionContainer) + assert c1.name == "containerProperties" + assert c1.environment == [{"name": "env_key", "value": "env_val"}] + assert c1.command == ["echo", "hello"] + + # 2. nodeProperties container + c2 = jd.containers[1] + assert isinstance(c2, JobDefinitionContainer) + assert c2.name == "nodeRangeProperties[0].container" + assert c2.environment == [{"name": "node_env", "value": "node_val"}] + assert c2.command == ["sh", "-c"] + + # 3. eksProperties container + c3 = jd.containers[2] + assert isinstance(c3, JobDefinitionContainer) + assert c3.name == "eksProperties.podProperties.containers[0]" + assert c3.environment == [{"name": "eks_env", "value": "eks_val"}] + assert c3.command == ["nginx", "-g", "daemon off;"]