feat(cognito): Add new checks related with cognito service #3898
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
the
provider/aws
jfagoagas
requested changes
Apr 30, 2024
| report.resource_arn = pool.arn | ||
| if ( | ||
| pool.advanced_security_mode == "ENFORCED" | ||
| and pool.risk_configuration.account_takeover_risk_configuration.get( |
There was a problem hiding this comment.
I think it'd be better to map this into an object.
| == "BLOCK" | ||
| ): | ||
| report.status = "PASS" | ||
| report.status_extended = f"User pool {pool.id} has advanced security enforced with adaptative authentication sign-in blocked." |
There was a problem hiding this comment.
Please get the tags in the service, check other AWS services for that.
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #3898 +/- ##
==========================================
+ Coverage 86.37% 86.44% +0.06%
==========================================
Files 748 767 +19
Lines 23333 23856 +523
==========================================
+ Hits 20155 20622 +467
- Misses 3178 3234 +56 ☔ View full report in Codecov by Sentry. |
sergargar
reviewed
May 7, 2024
| @@ -0,0 +1,30 @@ | |||
| { | |||
| "Provider": "aws", | |||
| "CheckID": "cognito_identity_pool_guest_access_enabled", | |||
There was a problem hiding this comment.
Suggested change
| "CheckID": "cognito_identity_pool_guest_access_enabled", | |
| "CheckID": "cognito_identity_pool_guest_access_disabled", |
sergargar
reviewed
May 7, 2024
| f"Identity pool {identity_pool.id} has guest access enabled." | ||
| ) | ||
| if identity_pool.roles.unauthenticated: | ||
| report.status_extended = f"Identity pool {identity_pool.id} has guest access enabled and unauthenticated role {identity_pool.roles.unauthenticated} defined." |
There was a problem hiding this comment.
Suggested change
| report.status_extended = f"Identity pool {identity_pool.id} has guest access enabled and unauthenticated role {identity_pool.roles.unauthenticated} defined." | |
| report.status_extended = f"Identity pool {identity_pool.id} has guest access enabled assuming the role {identity_pool.roles.unauthenticated}." |
sergargar
reviewed
May 7, 2024
Comment on lines
99
to
104
| ].describe_user_pool_client( | ||
| UserPoolId=user_pool.id, | ||
| ClientId=self.regional_clients[ | ||
| user_pool.region | ||
| ].list_user_pool_clients(UserPoolId=user_pool.id)[ | ||
| "UserPoolClients" |
There was a problem hiding this comment.
Please, create two different functions for the describe and list calls.
sergargar
reviewed
May 7, 2024
| tags: Optional[list] = [] | ||
| tags: Optional[dict] | ||
| account_recovery_settings: Optional[dict] | ||
| user_pool_client: Optional[UserPoolClient] |
There was a problem hiding this comment.
Please, create a list of UserPoolClient since there can be more than one.
sergargar
reviewed
May 7, 2024
| account_takeover_risk_configuration: Optional[AccountTakeoverRiskConfiguration] | ||
|
|
||
|
|
||
| class UserPoolClient(BaseModel): |
There was a problem hiding this comment.
Please add the ID and Name of the client when doing the list
sergargar
reviewed
May 7, 2024
| elif pool.advanced_security_mode == "AUDIT": | ||
| report.status = "FAIL" | ||
| report.status_extended = ( | ||
| f"User pool {pool.id} has advanced security audit enabled." |
There was a problem hiding this comment.
Suggested change
| f"User pool {pool.id} has advanced security audit enabled." | |
| f"User pool {pool.id} has advanced security enabled but with audit-only mode." |
sergargar
reviewed
May 7, 2024
| if pool.advanced_security_mode == "ENFORCED": | ||
| report.status = "PASS" | ||
| report.status_extended = ( | ||
| f"User pool {pool.id} has advanced security enforced." |
There was a problem hiding this comment.
Suggested change
| f"User pool {pool.id} has advanced security enforced." | |
| f"User pool {pool.id} has advanced security enforced with full-function mode." |
sergargar
reviewed
May 7, 2024
| report.resource_id = pool.id | ||
| report.resource_arn = pool.arn | ||
| report.resource_tags = pool.tags | ||
| if pool.user_pool_client.prevent_user_existence_errors == "ENABLED": |
There was a problem hiding this comment.
Please, iterate for each client and add a finding for each one.
There was a problem hiding this comment.
The resource ID and name must be the user_pool_client one.
sergargar
reviewed
May 7, 2024
| @@ -0,0 +1,30 @@ | |||
| { | |||
| "Provider": "aws", | |||
| "CheckID": "cognito_user_pool_prevent_reveal_user_existence", | |||
There was a problem hiding this comment.
Suggested change
| "CheckID": "cognito_user_pool_prevent_reveal_user_existence", | |
| "CheckID": "cognito_user_pool_client_prevent_user_existence_errors", |
sergargar
reviewed
May 7, 2024
| else: | ||
| associated_identity_pools.append(identity_pool.name) | ||
| if associated_identity_pools: | ||
| report.status_extended = f"User pool {user_pool.id} has self registration enabled and is associated with the following identity pools: {(', ').join(associated_identity_pools)}" |
There was a problem hiding this comment.
Suggested change
| report.status_extended = f"User pool {user_pool.id} has self registration enabled and is associated with the following identity pools: {(', ').join(associated_identity_pools)}" | |
| report.status_extended = f"User pool {user_pool.id} has self registration enabled assuming the role(s): {(', ').join(associated_identity_pools)}" |
sergargar
reviewed
May 7, 2024
| report.status_extended = ( | ||
| f"User pool {user_pool.id} has self registration enabled." | ||
| ) | ||
| associated_identity_pools = [] |
There was a problem hiding this comment.
Suggested change
| associated_identity_pools = [] | |
| associated_identity_pool_authenticated_roles = [] |
sergargar
reviewed
May 7, 2024
| @@ -0,0 +1,30 @@ | |||
| { | |||
| "Provider": "aws", | |||
| "CheckID": "cognito_user_pool_self_registration_enabled", | |||
There was a problem hiding this comment.
Suggested change
| "CheckID": "cognito_user_pool_self_registration_enabled", | |
| "CheckID": "cognito_user_pool_self_registration_disabled", |
sergargar
reviewed
May 7, 2024
Comment on lines
4
to
23
| "CheckTitle": "Ensure cognito user pools has advanced security enabled with full-function with adaptive authentication automatic risk response as block sign-in", | ||
| "CheckType": [], | ||
| "ServiceName": "cognito", | ||
| "SubServiceName": "", | ||
| "ResourceIdTemplate": "arn:aws:cognito-idp:region:account:userpool/userpool-id", | ||
| "Severity": "medium", | ||
| "ResourceType": "AwsCognitoUserPool", | ||
| "Description": "Amazon Cognito advanced security features provide adaptive authentication and protection against compromised credentials. Adaptive authentication helps protect your applications from malicious actors and compromised credentials by evaluating the risk associated with each user login and providing the appropriate level of security to mitigate that risk. Adaptive authentication is a feature of advanced security that uses contextual data and intelligent mechanisms to evaluate the risk of each authentication attempt and respond with the appropriate level of security. Adaptive authentication can be configured to block sign-in when the risk is too high.", | ||
| "Risk": "If adaptive authentication is not enabled, your user pool is more vulnerable to attacks that use compromised credentials. Adaptive authentication helps protect your applications from malicious actors and compromised credentials by evaluating the risk associated with each user login and providing the appropriate level of security to mitigate that risk.", | ||
| "RelatedUrl": "https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html", | ||
| "Remediation": { | ||
| "Code": { | ||
| "CLI": "", | ||
| "NativeIaC": "", | ||
| "Other": "", | ||
| "Terraform": "" | ||
| }, | ||
| "Recommendation": { | ||
| "Text": "To enable adaptive authentication with automatic risk response as block sign-in, follow the Amazon Cognito documentation", | ||
| "Url": "https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html" |
There was a problem hiding this comment.
Review this again with the new check name.
sergargar
reviewed
May 7, 2024
| ] | ||
| ): | ||
| report.status = "PASS" | ||
| report.status_extended = f"User pool {pool.id} has advanced security enforced with adaptative authentication sign-in blocked." |
There was a problem hiding this comment.
Suggested change
| report.status_extended = f"User pool {pool.id} has advanced security enforced with adaptative authentication sign-in blocked." | |
| report.status_extended = f"User pool {pool.id} blocks all potential malicious sign-in attempts." |
sergargar
reviewed
May 7, 2024
| if pool.advanced_security_mode == "ENFORCED" and all( | ||
| [ | ||
| pool.risk_configuration.account_takeover_risk_configuration.low_action | ||
| and pool.risk_configuration.account_takeover_risk_configuration.low_action.get( |
There was a problem hiding this comment.
omit the EventAction attribute and add it in the service to the action
sergargar
reviewed
May 7, 2024
| report.status_extended = f"User pool {pool.id} has advanced security enforced with adaptative authentication sign-in blocked." | ||
| else: | ||
| report.status = "FAIL" | ||
| report.status_extended = f"User pool {pool.id} does not have advanced security enforced with adaptative authentication sign-in blocked." |
There was a problem hiding this comment.
Suggested change
| report.status_extended = f"User pool {pool.id} does not have advanced security enforced with adaptative authentication sign-in blocked." | |
| report.status_extended = f"User pool {pool.id} does not block all potential malicious sign-in attempts." |
sergargar
reviewed
May 7, 2024
| @@ -0,0 +1,30 @@ | |||
| { | |||
| "Provider": "aws", | |||
| "CheckID": "cognito_user_pool_advanced_security_block_sign_in_compromised_credentials", | |||
There was a problem hiding this comment.
Suggested change
| "CheckID": "cognito_user_pool_advanced_security_block_sign_in_compromised_credentials", | |
| "CheckID": "cognito_user_pool_blocks_compromised_credentials_sign_in_attempts", |
sergargar
reviewed
May 7, 2024
Comment on lines
4
to
24
| "CheckTitle": "Ensure cognito user pools has advanced security enabled with full-function to block sign-in by users with suspected compromised credentials", | ||
| "CheckType": [], | ||
| "ServiceName": "cognito", | ||
| "SubServiceName": "", | ||
| "ResourceIdTemplate": "arn:aws:cognito-idp:region:account:userpool/userpool-id", | ||
| "Severity": "medium", | ||
| "ResourceType": "AwsCognitoUserPool", | ||
| "Description": "Checks whether advanced security features are enabled for an Amazon Cognito User Pool to block sign-in by users with suspected compromised credentials.", | ||
| "Risk": "If advanced security features are not enabled for an Amazon Cognito User Pool, the user pool will not be able to block sign-in by users with suspected compromised credentials.", | ||
| "RelatedUrl": "https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html", | ||
| "Remediation": { | ||
| "Code": { | ||
| "CLI": "", | ||
| "NativeIaC": "", | ||
| "Other": "", | ||
| "Terraform": "" | ||
| }, | ||
| "Recommendation": { | ||
| "Text": "To enable advanced security features for an Amazon Cognito User Pool, follow the steps in the Amazon Cognito Developer Guide.", | ||
| "Url": "https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html" | ||
| } |
There was a problem hiding this comment.
Review this again with the new check name.
sergargar
reviewed
May 7, 2024
| ): | ||
| print(pool.risk_configuration) | ||
| report.status = "PASS" | ||
| report.status_extended = f"User pool {pool.id} has advanced security enforced with compromised credentials sign-in blocked." |
There was a problem hiding this comment.
Suggested change
| report.status_extended = f"User pool {pool.id} has advanced security enforced with compromised credentials sign-in blocked." | |
| report.status_extended = f"User pool {pool.id} block sign-in attempts with suspected compromised credentials." |
sergargar
reviewed
May 7, 2024
| report.status_extended = f"User pool {pool.id} has advanced security enforced with compromised credentials sign-in blocked." | ||
| else: | ||
| report.status = "FAIL" | ||
| report.status_extended = f"User pool {pool.id} does not have advanced security enforced with compromised credentials sign-in blocked." |
There was a problem hiding this comment.
Suggested change
| report.status_extended = f"User pool {pool.id} does not have advanced security enforced with compromised credentials sign-in blocked." | |
| report.status_extended = f"User pool {pool.id} does not have advanced security enforced with compromised credentials sign-in blocked." |
Suggested change
| report.status_extended = f"User pool {pool.id} does not have advanced security enforced with compromised credentials sign-in blocked." | |
| report.status_extended = f"User pool {pool.id} does not block sign-in attempts with suspected compromised credentials." |
sergargar
requested changes
May 7, 2024
sergargar
reviewed
May 7, 2024
| ) | ||
| == "BLOCK" | ||
| ): | ||
| print(pool.risk_configuration) |
There was a problem hiding this comment.
Suggested change
| print(pool.risk_configuration) |
|
Please, remove all |
sergargar
reviewed
May 7, 2024
| == "BLOCK" | ||
| ): | ||
| report.status = "PASS" | ||
| report.status_extended = f"User pool {pool.name} block sign-in attempts with suspected compromised credentials." |
There was a problem hiding this comment.
Suggested change
| report.status_extended = f"User pool {pool.name} block sign-in attempts with suspected compromised credentials." | |
| report.status_extended = f"User pool {pool.name} blocks sign-in attempts with suspected compromised credentials." |
sergargar
reviewed
May 7, 2024
| report = Check_Report_AWS(self.metadata()) | ||
| report.region = pool.region | ||
| report.resource_id = user_pool_client.id | ||
| report.resource_arn = pool.arn |
There was a problem hiding this comment.
Would not be the user_pool_client.arn and user_pool_client.region?
sergargar
reviewed
May 7, 2024
| report.resource_tags = pool.tags | ||
| if user_pool_client.prevent_user_existence_errors == "ENABLED": | ||
| report.status = "PASS" | ||
| report.status_extended = f"User pool client {user_pool_client.name} has prevent user existence reveal enabled." |
There was a problem hiding this comment.
Suggested change
| report.status_extended = f"User pool client {user_pool_client.name} has prevent user existence reveal enabled." | |
| report.status_extended = f"User pool client {user_pool_client.name} prevents revealing users in existence errors." |
sergargar
reviewed
May 7, 2024
| report.status_extended = f"User pool client {user_pool_client.name} has prevent user existence reveal enabled." | ||
| else: | ||
| report.status = "FAIL" | ||
| report.status_extended = f"User pool client {user_pool_client.name} has prevent user existence reveal disabled." |
There was a problem hiding this comment.
Suggested change
| report.status_extended = f"User pool client {user_pool_client.name} has prevent user existence reveal disabled." | |
| report.status_extended = f"User pool client {user_pool_client.name} does not prevent revealing users in existence errors." |
sergargar
reviewed
May 7, 2024
Comment on lines
11
to
14
| report.region = pool.region | ||
| report.resource_id = pool_client.id | ||
| report.resource_arn = pool.arn | ||
| report.resource_tags = pool.tags |
There was a problem hiding this comment.
Would not it be with the pool_client attributes?
There was a problem hiding this comment.
Yes, for all but not for tags since user pool clients don't have tags 😀
sergargar
requested changes
May 7, 2024
jfagoagas
reviewed
May 8, 2024
| pool.advanced_security_mode == "ENFORCED" | ||
| and "SIGN_IN" | ||
| in pool.risk_configuration.compromised_credentials_risk_configuration.event_filter | ||
| and pool.risk_configuration.compromised_credentials_risk_configuration.actions.get( |
There was a problem hiding this comment.
Could you store this into the class object instead of doing a get in the map?
jfagoagas
reviewed
May 8, 2024
| report.resource_arn = pool.arn | ||
| report.resource_tags = pool.tags | ||
| if pool.password_policy: | ||
| if pool.password_policy.get("RequireLowercase", False): |
There was a problem hiding this comment.
Could you store this into the class object instead of doing a get in the map?
jfagoagas
reviewed
May 8, 2024
| report.status_extended = ( | ||
| f"User pool {user_pool.id} has self registration disabled." | ||
| ) | ||
| if not user_pool.admin_create_user_config.get( |
There was a problem hiding this comment.
Could you store this into the class object instead of doing a get in the map?
sergargar
approved these changes
May 8, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
New checks related with cognito service for aws are added:
cognito_user_pool_temporary_password_expiration -> Cognito user pools temporary passwords set by administrators expire in 7 days or less
cognito_user_pool_password_policy_lowercase -> Ensure Cognito User Pool has password policy to require at least one lowercase letter
cognito_user_pool_password_policy_minimum_length_14 -> Ensure that the password policy for your user pools require a minimum length of 14 or greater
cognito_user_pool_password_policy_number -> Ensure that the password policy for your user pool requires a number
cognito_user_pool_password_policy_symbol -> Ensure that the password policy for your Amazon Cognito user pool requires at least one symbol.
cognito_user_pool_password_policy_uppercase -> Ensure that the password policy for your user pool requires at least one uppercase letter
cognito_user_pool_mfa_enabled -> Cognito user pools require multi factor authentication (MFA)
cognito_user_pool_web_acl_associated -> Cognito user pools should be protected by AWS Web Application Firewall
cognito_user_pool_prevent_reveal_user_existence -> Cognito user pools should prevent error messages that reveal user existence
cognito_user_pool_token_revocation_enabled -> Cognito user pools should have enabled token revocation
cognito_user_pool_advanced_security_enabled -> Cognito user pools has advanced security enabled with full-function
cognito_user_pool_advanced_security_block_sign_in_compromised_credentials -> Cognito user pools has advanced security enabled with full-function to block sign-in by users with suspected compromised credentials
cognito_user_pool_advanced_security_adaptative_authentication_block_sign_in -> Cognito user pools has advanced security enabled with full-function with adaptive authentication automatic risk response as block sign-in
cognito_user_pool_deletion_protection_enabled -> Cognito user pools deletion protection enabled to prevent accidental deletion
cognito_user_pool_self_registration_enabled -> Self-registration is enabled on the user pools and it is associated with an identity pool (and show the roles that can be asssumed)
cognito_identity_pool_guest_access_enabled -> Guest access is enabled on the identity pool(and show the roles that can be assumed)
License
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.