Add cluster view, change draw render to svg, update deprecated RDS/EK…

…S engine in rules

.gitignore

@@ -3,7 +3,7 @@ __pycache__
 venv
 package
 .env
-*.png
+*.svg
 
 # Config
 config/rules.yaml

CHANGELOG.md

@@ -16,6 +16,7 @@ AWS-TOWER
   - Dissociate IAM services and actions, easier to read and understand findings
   - whitelist more IAM actions as readers and not poweruser
   - Add more retryier in lambda monitoring and split in another lambda child
+  - Update deprecated RDS/EKS engine in rules
 
 ### Fixtures
   - Fix iam_scan to use min-rights

config/rules.yaml.sample

@@ -662,6 +662,7 @@ types:
 # https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MySQL.html
 # https://dev.mysql.com/doc/relnotes/mysql/8.0/en/
 # https://dev.mysql.com/doc/relnotes/mysql/5.7/en/
+# https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&isCpeNameSearch=true&seach_type=all&query=cpe:2.3:a:oracle:mysql:8.0.29:*:*:*:*:*:*:*
       - message:
           text: '[{service_name}] Deprecated mysql engine version ({current_version})'
           args:
@@ -692,9 +693,8 @@ types:
               - type: constant
                 name: versions
                 value:
-                  - '5.6.34'
-                  - '5.7.16'
-                  - '8.0.11'
+                  - '5.7.38'
+                  - '8.0.29'
             data_sources:
               - type: attribute
                 name: attribute_value
@@ -733,13 +733,13 @@ types:
               - type: constant
                 name: versions
                 value:
-                  - '10.2.43'
-                  - '10.3.34'
-                  - '10.4.24'
-                  - '10.5.15'
-                  - '10.6.7'
-                  - '10.7.3'
-                  - '10.8.1'
+                  - '10.3.36'
+                  - '10.4.26'
+                  - '10.5.17'
+                  - '10.6.9'
+                  - '10.7.5'
+                  - '10.8.4'
+                  - '10.9.2'
             data_sources:
               - type: attribute
                 name: attribute_value
@@ -777,11 +777,11 @@ types:
               - type: constant
                 name: versions
                 value:
-                  - '10.22'
-                  - '11.17'
-                  - '12.12'
-                  - '13.8'
-                  - '14.5'
+                  - '10.21'
+                  - '11.16'
+                  - '12.11'
+                  - '13.7'
+                  - '14.4'
             data_sources:
               - type: attribute
                 name: attribute_value
@@ -860,6 +860,7 @@ types:
                 value: aws_service
         metadata:
           risks: ['WAN reachable asset', 'Sensitive asset']
+# https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-release-calendar
       - message:
           text: '[{service_name}] Deprecated EKS Kubernetes version ({current_version})'
           args:
@@ -900,7 +901,7 @@ types:
               - type: constant
                 name: versions
                 value:
-                  - '1.18'
+                  - '1.21'
             data_sources:
               - type: attribute
                 name: attribute_value

libs/asset_type.py

@@ -94,3 +94,9 @@ def src_linked_assets(self, _):
         Among all asset, find assets linked in source
         """
         return []
+
+    def cluster_name(self):
+        """
+        Return nothing by default
+        """
+        return ''

libs/asset_type_ec2.py

@@ -35,6 +35,7 @@ def __init__(self, name: str, private_ip: str, public: bool=False):
         self.role_poweruser = ''
         self.role_admin = ''
         self.instance_id = ''
+        self.eks_cluster = ''
 
     def report(self, report, brief=False):
         """
@@ -114,6 +115,13 @@ def src_linked_assets(self, assets):
                     result.add(elb)
         return result
 
+    def cluster_name(self):
+        """
+        Return the name of the belonging cluster
+        """
+        return self.eks_cluster
+
+
 @log_me('Getting EC2 raw data...')
 def get_raw_data(raw_data, authorizations, boto_session, cache, _):
     """
@@ -205,6 +213,9 @@ def scan(ec2, sg_raw, subnets_raw, kp_raw, boto_session, public_only):
             pass
     if 'Tags' in ec2:
         ec2_asset.name = get_tag(ec2['Tags'], 'Name')
+        eks_cluster_name =  [ i['Key'].split('/')[-1] for i in ec2['Tags'] if i['Key'].startswith('kubernetes.io/cluster/') ]
+        if eks_cluster_name:
+            ec2_asset.eks_cluster = eks_cluster_name[0]
     if 'PublicIpAddress' in ec2:
         ec2_asset.public_ip = ec2['PublicIpAddress']
     if 'SecurityGroups' in ec2:

libs/asset_type_eks.py

@@ -68,6 +68,12 @@ def finding_description(self, _):
             return f'<Public> {self.endpoint} v{self.version}'
         return f'<Private> {self.endpoint} v{self.version}'
 
+    def cluster_name(self):
+        """
+        Return the name of the cluster
+        """
+        return self.name
+
 
 @log_me('Getting EKS raw data...')
 def get_raw_data(raw_data, authorizations, boto_session, cache, _):

libs/display.py

@@ -119,6 +119,7 @@ def draw_threats(title, assets, csl):
     from diagrams.aws.database import RDS
     from diagrams.aws.storage import S3
     from diagrams.aws.general import InternetGateway
+    from diagrams.aws.management import OrganizationsAccount
 
     def get_asset_risks(asset):
         report = set()
@@ -189,13 +190,19 @@ def is_present(diag_objs, asset):
     edge_attr = {
         "minlen": "5"
     }
-    with Diagram(title, direction='LR', edge_attr=edge_attr):
+    with Diagram(title, direction='LR', edge_attr=edge_attr, outformat="svg"):
         internet = InternetGateway('INTERNET')
         lan = InternetGateway('LAN')
 
-        # Create objects
+        # Draw objects not in Cluster
         objects = []
+        clusters = {}
         for asset in vuln_assets:
+            if asset.cluster_name():
+                if asset.cluster_name() not in clusters:
+                    clusters[asset.cluster_name()] = []
+                clusters[asset.cluster_name()].append(asset)
+                continue
             if not is_present(objects, asset):
                 objects.append(locals()[asset.get_type()](tagged_name(asset)))
             for linked_asset in asset.src_linked_assets(assets):
@@ -204,6 +211,18 @@ def is_present(diag_objs, asset):
                         objects.append(locals()[linked_asset.get_type()](f'Private {linked_asset.get_type()}'))
                 elif not is_present(objects, linked_asset):
                     objects.append(locals()[linked_asset.get_type()](tagged_name(linked_asset)))
+        # Draw each Cluster
+        for cluster_name, cluster_members in clusters.items():
+            with Cluster(cluster_name):
+                for asset in cluster_members:
+                    if not is_present(objects, asset):
+                        objects.append(locals()[asset.get_type()](tagged_name(asset)))
+                    for linked_asset in asset.src_linked_assets(assets):
+                        if get_asset_color(linked_asset) == '🟢':
+                            if not is_present(objects, f'Private {linked_asset.get_type()}'):
+                                objects.append(locals()[linked_asset.get_type()](f'Private {linked_asset.get_type()}'))
+                        elif not is_present(objects, linked_asset):
+                            objects.append(locals()[linked_asset.get_type()](tagged_name(linked_asset)))
 
         # Create link between objects
         links = []