feat(rds): Add a config value to check instance replicas

docs/tutorials/configuration_file.md

@@ -39,6 +39,7 @@ The following list includes all the AWS checks with configurable variables that
 | `cloudtrail_threat_detection_enumeration` | `threat_detection_enumeration_entropy` | Integer |
 | `cloudtrail_threat_detection_enumeration` | `threat_detection_enumeration_minutes` | Integer |
 | `cloudtrail_threat_detection_enumeration` | `threat_detection_enumeration_actions` | List of Strings |
+| `rds_instance_backup_enabled` | `check_rds_replicas` | Boolean |
 ## Azure
 
 ### Configurable Checks
@@ -209,7 +210,7 @@ aws:
  "UpdateFunctionCode",
  "UpdateJob",
  "UpdateLoginProfile",
-]
+ ]
  # aws.cloudtrail_threat_detection_enumeration
  threat_detection_enumeration_entropy: 0.7 # Percentage of actions found to decide if it is an enumeration attack event, by default is 0.7 (70%)
  threat_detection_enumeration_minutes: 1440 # Past minutes to search from now for enumeration attacks, by default is 1440 minutes (24 hours)
@@ -304,7 +305,11 @@ aws:
  "ListUsers",
  "LookupEvents",
  "Search",
-]
+ ]
+
+ # aws.rds_instance_backup_enabled
+ # Whether to check RDS instance replicas or not
+ check_rds_replicas: True
 
 # Azure Configuration
 azure:

prowler/config/config.yaml

@@ -100,154 +100,159 @@ aws:
  # aws.cloudtrail_threat_detection_privilege_escalation
  threat_detection_privilege_escalation_threshold: 0.1 # Percentage of actions found to decide if it is an privilege_escalation attack event, by default is 0.1 (10%)
  threat_detection_privilege_escalation_minutes: 1440 # Past minutes to search from now for privilege_escalation attacks, by default is 1440 minutes (24 hours)
- threat_detection_privilege_escalation_actions: [
- "AddPermission",
- "AddRoleToInstanceProfile",
- "AddUserToGroup",
- "AssociateAccessPolicy",
- "AssumeRole",
- "AttachGroupPolicy",
- "AttachRolePolicy",
- "AttachUserPolicy",
- "ChangePassword",
- "CreateAccessEntry",
- "CreateAccessKey",
- "CreateDevEndpoint",
- "CreateEventSourceMapping",
- "CreateFunction",
- "CreateGroup",
- "CreateJob",
- "CreateKeyPair",
- "CreateLoginProfile",
- "CreatePipeline",
- "CreatePolicyVersion",
- "CreateRole",
- "CreateStack",
- "DeleteRolePermissionsBoundary",
- "DeleteRolePolicy",
- "DeleteUserPermissionsBoundary",
- "DeleteUserPolicy",
- "DetachRolePolicy",
- "DetachUserPolicy",
- "GetCredentialsForIdentity",
- "GetId",
- "GetPolicyVersion",
- "GetUserPolicy",
- "Invoke",
- "ModifyInstanceAttribute",
- "PassRole",
- "PutGroupPolicy",
- "PutPipelineDefinition",
- "PutRolePermissionsBoundary",
- "PutRolePolicy",
- "PutUserPermissionsBoundary",
- "PutUserPolicy",
- "ReplaceIamInstanceProfileAssociation",
- "RunInstances",
- "SetDefaultPolicyVersion",
- "UpdateAccessKey",
- "UpdateAssumeRolePolicy",
- "UpdateDevEndpoint",
- "UpdateEventSourceMapping",
- "UpdateFunctionCode",
- "UpdateJob",
- "UpdateLoginProfile",
-]
+ threat_detection_privilege_escalation_actions:
+ [
+ "AddPermission",
+ "AddRoleToInstanceProfile",
+ "AddUserToGroup",
+ "AssociateAccessPolicy",
+ "AssumeRole",
+ "AttachGroupPolicy",
+ "AttachRolePolicy",
+ "AttachUserPolicy",
+ "ChangePassword",
+ "CreateAccessEntry",
+ "CreateAccessKey",
+ "CreateDevEndpoint",
+ "CreateEventSourceMapping",
+ "CreateFunction",
+ "CreateGroup",
+ "CreateJob",
+ "CreateKeyPair",
+ "CreateLoginProfile",
+ "CreatePipeline",
+ "CreatePolicyVersion",
+ "CreateRole",
+ "CreateStack",
+ "DeleteRolePermissionsBoundary",
+ "DeleteRolePolicy",
+ "DeleteUserPermissionsBoundary",
+ "DeleteUserPolicy",
+ "DetachRolePolicy",
+ "DetachUserPolicy",
+ "GetCredentialsForIdentity",
+ "GetId",
+ "GetPolicyVersion",
+ "GetUserPolicy",
+ "Invoke",
+ "ModifyInstanceAttribute",
+ "PassRole",
+ "PutGroupPolicy",
+ "PutPipelineDefinition",
+ "PutRolePermissionsBoundary",
+ "PutRolePolicy",
+ "PutUserPermissionsBoundary",
+ "PutUserPolicy",
+ "ReplaceIamInstanceProfileAssociation",
+ "RunInstances",
+ "SetDefaultPolicyVersion",
+ "UpdateAccessKey",
+ "UpdateAssumeRolePolicy",
+ "UpdateDevEndpoint",
+ "UpdateEventSourceMapping",
+ "UpdateFunctionCode",
+ "UpdateJob",
+ "UpdateLoginProfile",
+ ]
  # aws.cloudtrail_threat_detection_enumeration
  threat_detection_enumeration_threshold: 0.1 # Percentage of actions found to decide if it is an enumeration attack event, by default is 0.1 (10%)
  threat_detection_enumeration_minutes: 1440 # Past minutes to search from now for enumeration attacks, by default is 1440 minutes (24 hours)
- threat_detection_enumeration_actions: [
- "DescribeAccessEntry",
- "DescribeAccountAttributes",
- "DescribeAvailabilityZones",
- "DescribeBundleTasks",
- "DescribeCarrierGateways",
- "DescribeClientVpnRoutes",
- "DescribeCluster",
- "DescribeDhcpOptions",
- "DescribeFlowLogs",
- "DescribeImages",
- "DescribeInstanceAttribute",
- "DescribeInstanceInformation",
- "DescribeInstanceTypes",
- "DescribeInstances",
- "DescribeInstances",
- "DescribeKeyPairs",
- "DescribeLogGroups",
- "DescribeLogStreams",
- "DescribeOrganization",
- "DescribeRegions",
- "DescribeSecurityGroups",
- "DescribeSnapshotAttribute",
- "DescribeSnapshotTierStatus",
- "DescribeSubscriptionFilters",
- "DescribeTransitGatewayMulticastDomains",
- "DescribeVolumes",
- "DescribeVolumesModifications",
- "DescribeVpcEndpointConnectionNotifications",
- "DescribeVpcs",
- "GetAccount",
- "GetAccountAuthorizationDetails",
- "GetAccountSendingEnabled",
- "GetBucketAcl",
- "GetBucketLogging",
- "GetBucketPolicy",
- "GetBucketReplication",
- "GetBucketVersioning",
- "GetCallerIdentity",
- "GetCertificate",
- "GetConsoleScreenshot",
- "GetCostAndUsage",
- "GetDetector",
- "GetEbsDefaultKmsKeyId",
- "GetEbsEncryptionByDefault",
- "GetFindings",
- "GetFlowLogsIntegrationTemplate",
- "GetIdentityVerificationAttributes",
- "GetInstances",
- "GetIntrospectionSchema",
- "GetLaunchTemplateData",
- "GetLaunchTemplateData",
- "GetLogRecord",
- "GetParameters",
- "GetPolicyVersion",
- "GetPublicAccessBlock",
- "GetQueryResults",
- "GetRegions",
- "GetSMSAttributes",
- "GetSMSSandboxAccountStatus",
- "GetSendQuota",
- "GetTransitGatewayRouteTableAssociations",
- "GetUserPolicy",
- "HeadObject",
- "ListAccessKeys",
- "ListAccounts",
- "ListAllMyBuckets",
- "ListAssociatedAccessPolicies",
- "ListAttachedUserPolicies",
- "ListClusters",
- "ListDetectors",
- "ListDomains",
- "ListFindings",
- "ListHostedZones",
- "ListIPSets",
- "ListIdentities",
- "ListInstanceProfiles",
- "ListObjects",
- "ListOrganizationalUnitsForParent",
- "ListOriginationNumbers",
- "ListPolicyVersions",
- "ListRoles",
- "ListRoles",
- "ListRules",
- "ListServiceQuotas",
- "ListSubscriptions",
- "ListTargetsByRule",
- "ListTopics",
- "ListUsers",
- "LookupEvents",
- "Search",
-]
+ threat_detection_enumeration_actions:
+ [
+ "DescribeAccessEntry",
+ "DescribeAccountAttributes",
+ "DescribeAvailabilityZones",
+ "DescribeBundleTasks",
+ "DescribeCarrierGateways",
+ "DescribeClientVpnRoutes",
+ "DescribeCluster",
+ "DescribeDhcpOptions",
+ "DescribeFlowLogs",
+ "DescribeImages",
+ "DescribeInstanceAttribute",
+ "DescribeInstanceInformation",
+ "DescribeInstanceTypes",
+ "DescribeInstances",
+ "DescribeInstances",
+ "DescribeKeyPairs",
+ "DescribeLogGroups",
+ "DescribeLogStreams",
+ "DescribeOrganization",
+ "DescribeRegions",
+ "DescribeSecurityGroups",
+ "DescribeSnapshotAttribute",
+ "DescribeSnapshotTierStatus",
+ "DescribeSubscriptionFilters",
+ "DescribeTransitGatewayMulticastDomains",
+ "DescribeVolumes",
+ "DescribeVolumesModifications",
+ "DescribeVpcEndpointConnectionNotifications",
+ "DescribeVpcs",
+ "GetAccount",
+ "GetAccountAuthorizationDetails",
+ "GetAccountSendingEnabled",
+ "GetBucketAcl",
+ "GetBucketLogging",
+ "GetBucketPolicy",
+ "GetBucketReplication",
+ "GetBucketVersioning",
+ "GetCallerIdentity",
+ "GetCertificate",
+ "GetConsoleScreenshot",
+ "GetCostAndUsage",
+ "GetDetector",
+ "GetEbsDefaultKmsKeyId",
+ "GetEbsEncryptionByDefault",
+ "GetFindings",
+ "GetFlowLogsIntegrationTemplate",
+ "GetIdentityVerificationAttributes",
+ "GetInstances",
+ "GetIntrospectionSchema",
+ "GetLaunchTemplateData",
+ "GetLaunchTemplateData",
+ "GetLogRecord",
+ "GetParameters",
+ "GetPolicyVersion",
+ "GetPublicAccessBlock",
+ "GetQueryResults",
+ "GetRegions",
+ "GetSMSAttributes",
+ "GetSMSSandboxAccountStatus",
+ "GetSendQuota",
+ "GetTransitGatewayRouteTableAssociations",
+ "GetUserPolicy",
+ "HeadObject",
+ "ListAccessKeys",
+ "ListAccounts",
+ "ListAllMyBuckets",
+ "ListAssociatedAccessPolicies",
+ "ListAttachedUserPolicies",
+ "ListClusters",
+ "ListDetectors",
+ "ListDomains",
+ "ListFindings",
+ "ListHostedZones",
+ "ListIPSets",
+ "ListIdentities",
+ "ListInstanceProfiles",
+ "ListObjects",
+ "ListOrganizationalUnitsForParent",
+ "ListOriginationNumbers",
+ "ListPolicyVersions",
+ "ListRoles",
+ "ListRoles",
+ "ListRules",
+ "ListServiceQuotas",
+ "ListSubscriptions",
+ "ListTargetsByRule",
+ "ListTopics",
+ "ListUsers",
+ "LookupEvents",
+ "Search",
+ ]
+ # aws.rds_instance_backup_enabled
+ # Whether to check RDS instance replicas or not
+ check_rds_replicas: True
 
 # Azure Configuration
 azure:

prowler/providers/aws/services/rds/rds_instance_backup_enabled/rds_instance_backup_enabled.py

@@ -20,6 +20,10 @@ def execute(self):
  f"RDS Instance {db_instance.id} does not have backup enabled."
  )
 
+ if db_instance.replica_source and not rds_client.audit_config.get(
+ "check_rds_replicas", True
+ ):
+ continue
  findings.append(report)
 
  return findings