github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/internal/adapters/cloud/aws/ec2/vpc.go (about) 1 package ec2 2 3 import ( 4 "github.com/aws/aws-sdk-go-v2/aws" 5 ec2api "github.com/aws/aws-sdk-go-v2/service/ec2" 6 "github.com/aws/aws-sdk-go-v2/service/ec2/types" 7 "github.com/khulnasoft-lab/defsec/pkg/concurrency" 8 "github.com/khulnasoft-lab/defsec/pkg/providers/aws/ec2" 9 defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types" 10 ) 11 12 func (a *adapter) getSecurityGroups() (securityGroups []ec2.SecurityGroup, err error) { 13 14 a.Tracker().SetServiceLabel("Discovering security groups...") 15 16 var apiSecurityGroups []types.SecurityGroup 17 var input ec2api.DescribeSecurityGroupsInput 18 19 for { 20 output, err := a.client.DescribeSecurityGroups(a.Context(), &input) 21 if err != nil { 22 return nil, err 23 } 24 apiSecurityGroups = append(apiSecurityGroups, output.SecurityGroups...) 25 a.Tracker().SetTotalResources(len(apiSecurityGroups)) 26 if output.NextToken == nil { 27 break 28 } 29 input.NextToken = output.NextToken 30 } 31 32 a.Tracker().SetServiceLabel("Adapting security groups...") 33 return concurrency.Adapt(apiSecurityGroups, a.RootAdapter, a.adaptSecurityGroup), nil 34 } 35 36 func (a *adapter) getNetworkACLs() (nacls []ec2.NetworkACL, err error) { 37 38 a.Tracker().SetServiceLabel("Discovering network ACLs...") 39 var apiNetworkACLs []types.NetworkAcl 40 var input ec2api.DescribeNetworkAclsInput 41 42 for { 43 output, err := a.client.DescribeNetworkAcls(a.Context(), &input) 44 if err != nil { 45 return nil, err 46 } 47 apiNetworkACLs = append(apiNetworkACLs, output.NetworkAcls...) 48 a.Tracker().SetTotalResources(len(apiNetworkACLs)) 49 if output.NextToken == nil { 50 break 51 } 52 input.NextToken = output.NextToken 53 } 54 a.Tracker().SetServiceLabel("Adapting network ACLs...") 55 return concurrency.Adapt(apiNetworkACLs, a.RootAdapter, a.adaptNetworkACL), nil 56 } 57 58 func (a *adapter) getVPCs() (defaultVpcs []ec2.VPC, err error) { 59 60 a.Tracker().SetServiceLabel("Discovering VPCs...") 61 var apiVPCs []types.Vpc 62 var input ec2api.DescribeVpcsInput 63 64 for { 65 output, err := a.client.DescribeVpcs(a.Context(), &input) 66 if err != nil { 67 return nil, err 68 } 69 apiVPCs = append(apiVPCs, output.Vpcs...) 70 a.Tracker().SetTotalResources(len(apiVPCs)) 71 if output.NextToken == nil { 72 break 73 } 74 input.NextToken = output.NextToken 75 } 76 77 a.Tracker().SetServiceLabel("Adapting VPCs...") 78 return concurrency.Adapt(apiVPCs, a.RootAdapter, a.adaptVPC), nil 79 } 80 81 func (a *adapter) adaptSecurityGroup(apiSecurityGroup types.SecurityGroup) (*ec2.SecurityGroup, error) { 82 83 sgMetadata := a.CreateMetadata("security-group/" + *apiSecurityGroup.GroupId) 84 85 sg := &ec2.SecurityGroup{ 86 Metadata: sgMetadata, 87 IsDefault: defsecTypes.BoolDefault(apiSecurityGroup.GroupName != nil && *apiSecurityGroup.GroupName == "default", sgMetadata), 88 Description: defsecTypes.String(aws.ToString(apiSecurityGroup.Description), sgMetadata), 89 VPCID: defsecTypes.StringDefault("", sgMetadata), 90 } 91 92 if apiSecurityGroup.VpcId != nil { 93 sg.VPCID = defsecTypes.String(*apiSecurityGroup.VpcId, sgMetadata) 94 } 95 96 for _, ingress := range apiSecurityGroup.IpPermissions { 97 98 for _, ipRange := range ingress.IpRanges { 99 sg.IngressRules = append(sg.IngressRules, ec2.SecurityGroupRule{ 100 Metadata: sgMetadata, 101 Description: defsecTypes.String(aws.ToString(ipRange.Description), sgMetadata), 102 CIDRs: []defsecTypes.StringValue{defsecTypes.String(aws.ToString(ipRange.CidrIp), sgMetadata)}, 103 }) 104 } 105 } 106 107 for _, egress := range apiSecurityGroup.IpPermissions { 108 109 for _, ipRange := range egress.IpRanges { 110 sg.EgressRules = append(sg.EgressRules, ec2.SecurityGroupRule{ 111 Metadata: sgMetadata, 112 Description: defsecTypes.String(aws.ToString(ipRange.Description), sgMetadata), 113 CIDRs: []defsecTypes.StringValue{defsecTypes.String(aws.ToString(ipRange.CidrIp), sgMetadata)}, 114 }) 115 } 116 } 117 118 return sg, nil 119 120 } 121 122 func (a *adapter) adaptNetworkACL(apiNacl types.NetworkAcl) (*ec2.NetworkACL, error) { 123 124 naclMetadata := a.CreateMetadata("network-acl/" + *apiNacl.NetworkAclId) 125 126 nacl := &ec2.NetworkACL{ 127 Metadata: naclMetadata, 128 IsDefaultRule: defsecTypes.BoolDefault(false, naclMetadata), 129 } 130 131 for _, entry := range apiNacl.Entries { 132 naclType := "ingress" 133 if aws.ToBool(entry.Egress) { 134 naclType = "egress" 135 } 136 137 nacl.Rules = append(nacl.Rules, ec2.NetworkACLRule{ 138 Metadata: naclMetadata, 139 Action: defsecTypes.String(string(entry.RuleAction), naclMetadata), 140 Protocol: defsecTypes.String(aws.ToString(entry.Protocol), naclMetadata), 141 Type: defsecTypes.String(naclType, naclMetadata), 142 CIDRs: []defsecTypes.StringValue{defsecTypes.String(aws.ToString(entry.CidrBlock), naclMetadata)}, 143 }) 144 } 145 return nacl, nil 146 } 147 148 func (a *adapter) adaptVPC(v types.Vpc) (*ec2.VPC, error) { 149 150 vpcMetadata := a.CreateMetadata("vpc/" + *v.VpcId) 151 vpc := &ec2.VPC{ 152 Metadata: vpcMetadata, 153 ID: defsecTypes.String(*v.VpcId, vpcMetadata), 154 IsDefault: defsecTypes.BoolDefault(false, vpcMetadata), 155 FlowLogsEnabled: defsecTypes.BoolDefault(false, vpcMetadata), 156 SecurityGroups: nil, // we link these up afterwards 157 } 158 159 if v.IsDefault != nil { 160 vpc.IsDefault = defsecTypes.BoolDefault(*v.IsDefault, vpcMetadata) 161 } 162 163 logs, err := a.client.DescribeFlowLogs(a.Context(), &ec2api.DescribeFlowLogsInput{ 164 Filter: []types.Filter{ 165 { 166 Name: aws.String("resource-id"), 167 Values: []string{*v.VpcId}, 168 }, 169 }, 170 }) 171 if err != nil { 172 return nil, err 173 } 174 175 if logs != nil && len(logs.FlowLogs) > 0 { 176 vpc.FlowLogsEnabled = defsecTypes.BoolDefault(true, vpcMetadata) 177 } 178 179 return vpc, nil 180 181 }