chore(ec2): add EC2 Security group check to verify if at least one port is opened #3982
Conversation
Hi @jfagoagas
Yes, it is. In this PR I took the code from PR #3962 and adapted it to work with prowler v3.
If you don't mind we prefer to do the backport in our way, picking the PR commit and then doing following commits if something needs to be addressed, e.g.: breaking changes in v4. The way this PR is done requires us to verify again the content of all the files included and I see that the original PR included changes in 10 files but this one just touched 8.
Yes, of course. I thought I could help you by doing this to speed up the backport to v3 because we need this check in our company. But if you have your own mechanism for backporting, I fully understand that you prefer to use that. I'm also very interested to know how to deal with the cases I described on prowler's slack channel related to this check Copied from the slack channel:
Do you think that you could implement my suggestions in this check or even create a new check?
This is an interesting point, I think probably we can include a modification in the EC2 service and tests to handle that case. Could you show me an example of a security group created automatically by the creation of a VPC endpoint? What are the cases you want to cover? Just the above? Remember that the Mutelist is a powerful ally here.
Hi @jfagoagas, thanks for your reply. We are aware of the What's your idea to implement this in prowler v3/v4?
What if we include these filters in the EC2 service while retrieving security groups? We can store the Btw, the current PR was backported yesterday to v3 and released in https://github.com/prowler-cloud/prowler/releases/tag/3.16.5. This PR can be closed, but let's keep it open until we find a solution for the issue.
This sounds really good!
Nice, well done, thank you! 🚀
Ok, but shouldn't we rather move it to "discussions"? But maybe it's not worth it anymore since your proposal sounds very good! 😄
Makes sense 😂 You can open up an issue or a thread in the Slack channel, whatever you want. Let's work on that there. Thanks again 👏
The discussion continues here: #4065
Context
Backport check ec2_securitygroup_allow_ingress_from_internet_to_any_port to prowler v3.
Description
Check ec2_securitygroup_allow_ingress_from_internet_to_any_port had been renamed to ec2_securitygroup_allow_ingress_from_internet_to_all_ports and an accurate check ec2_securitygroup_allow_ingress_from_internet_to_any_port had been created in PR #3962. This PR backports the changes to prowler v3.
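The description above rests on the difference between a security group that exposes at least one port to the internet ("any port") and one whose rule spans every port ("all ports"). The Python below is an added illustration of that distinction; it is not prowler's own check code and not part of this PR. It reads security groups in the shape of the boto3 describe_security_groups() response (IpPermissions, IpProtocol, FromPort, ToPort, IpRanges, Ipv6Ranges), treats only 0.0.0.0/0 and ::/0 as "the internet" (an assumption of this example), and runs over constructed sample groups.

```python
"""Illustrative evaluation of the two security-group checks named in this PR.

Added example, not prowler's code. Shows the difference between
"ingress from the internet to ANY port" (at least one ingress rule reachable
from 0.0.0.0/0 or ::/0) and "ingress from the internet to ALL ports" (such a
rule that also covers every port). Input follows the boto3
describe_security_groups() response shape; the sample groups are constructed.
"""

# Assumption of this example: only these two ranges count as "the internet".
INTERNET_CIDRS = {"0.0.0.0/0", "::/0"}


def rule_is_open_to_internet(rule: dict) -> bool:
    """True if any IPv4 or IPv6 range on this ingress rule is the whole internet."""
    v4 = any(r.get("CidrIp") in INTERNET_CIDRS for r in rule.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") in INTERNET_CIDRS for r in rule.get("Ipv6Ranges", []))
    return v4 or v6


def rule_covers_all_ports(rule: dict) -> bool:
    """True if the rule matches every port: protocol -1 (all traffic) or 0-65535."""
    if rule.get("IpProtocol") == "-1":
        return True
    return rule.get("FromPort") == 0 and rule.get("ToPort") == 65535


def allows_ingress_from_internet_to_any_port(sg: dict) -> bool:
    """Finding if at least one ingress rule is reachable from the internet."""
    return any(rule_is_open_to_internet(r) for r in sg.get("IpPermissions", []))


def allows_ingress_from_internet_to_all_ports(sg: dict) -> bool:
    """Finding only if an internet-reachable rule also spans every port."""
    return any(
        rule_is_open_to_internet(r) and rule_covers_all_ports(r)
        for r in sg.get("IpPermissions", [])
    )


def evaluate(security_groups: list) -> dict:
    """Map each GroupId to the outcome of both checks (True means a finding)."""
    return {
        sg["GroupId"]: {
            "any_port": allows_ingress_from_internet_to_any_port(sg),
            "all_ports": allows_ingress_from_internet_to_all_ports(sg),
        }
        for sg in security_groups
    }


# Constructed sample groups (not real AWS data) in describe_security_groups shape.
SAMPLE_SECURITY_GROUPS = [
    {   # SSH open to the world on one port: "any port" fires, "all ports" does not
        "GroupId": "sg-0000000000000001",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                           "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
    },
    {   # All traffic from anywhere: both checks fire
        "GroupId": "sg-0000000000000002",
        "IpPermissions": [{"IpProtocol": "-1",
                           "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
    },
    {   # Only reachable from a private range: neither check fires
        "GroupId": "sg-0000000000000003",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                           "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}],
    },
    {   # Full TCP port range from any IPv6 address: both checks fire
        "GroupId": "sg-0000000000000004",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
                           "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
    },
]

if __name__ == "__main__":
    for group_id, result in evaluate(SAMPLE_SECURITY_GROUPS).items():
        print(group_id, result)
```

Security groups that exist only because a VPC endpoint created them, which the comments above discuss, are not filtered here; that exclusion would belong in whatever retrieves the groups before this evaluation runs.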
License
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.