Merge pull request #2067 from AkhtarAmir/FS-AWS/ManagedBlockchainClou…

…dwatchLogs FS-AWS/ManagedBlockchainCloudwatchLogs
aquasecurity · Sep 18, 2024 · ca65424 · ca65424
2 parents b0a0a2d + dde1e88
commit ca65424
Show file tree

Hide file tree

Showing 3 changed files with 256 additions and 0 deletions.
diff --git a/exports.js b/exports.js
@@ -640,6 +640,7 @@ module.exports = {
         'databrewJobOutputEncrypted'    : require(__dirname + '/plugins/aws/gluedatabrew/databrewJobOutputEncrypted.js'),
 
         'networkMemberDataEncrypted'    : require(__dirname + '/plugins/aws/managedblockchain/networkMemberDataEncrypted.js'),
+        'networkMemberCloudwatchLogs'   : require(__dirname + '/plugins/aws/managedblockchain/networkMemberCloudwatchLogs.js'),
 
         'docdbClusterEncrypted'         : require(__dirname + '/plugins/aws/documentDB/docdbClusterEncrypted.js'),
         'docDbHasTags'                  : require(__dirname + '/plugins/aws/documentDB/docDbHasTags.js'),

diff --git a/plugins/aws/managedblockchain/networkMemberCloudwatchLogs.js b/plugins/aws/managedblockchain/networkMemberCloudwatchLogs.js
@@ -0,0 +1,90 @@
+var async = require('async');
+var helpers = require('../../../helpers/aws');
+
+module.exports = {
+    title: 'Managed Blockchain Network Member CloudWatch Logs',
+    category: 'Managed Blockchain',
+    domain: 'Content Delivery',
+    severity: 'Medium',
+    description: 'Ensure that Amazon Managed Blockchain members have CloudWatch logs enabled.',
+    more_info: 'Enabling CloudWatch Logs for Amazon Managed Blockchain members is essential for monitoring certificate authority (CA) activity, ensuring proper identity management, and troubleshooting any access-related issues by publishing CA logs.',
+    link: 'https://docs.aws.amazon.com/managed-blockchain/latest/hyperledger-fabric-dev/monitoring-cloudwatch-logs.html',
+    recommended_action: 'Modify Managed Blockchain members to enable CloudWatch Logs',
+    apis: ['ManagedBlockchain:listMembers', 'ManagedBlockchain:listNetworks', 'ManagedBlockchain:getMember'],
+    realtime_triggers: ['managedblockchain:CreateNetwork', 'managedblockchain:DeleteMember'],
+
+    run: function(cache, settings, callback) {
+        var results = [];
+        var source = {};
+        var regions = helpers.regions(settings);
+
+        async.each(regions.managedblockchain, function(region, rcb){
+            var listNetworks = helpers.addSource(cache, source,
+                ['managedblockchain', 'listNetworks', region]);
+
+            if (!listNetworks) return rcb();
+
+            if (listNetworks.err || !listNetworks.data) {
+                helpers.addResult(results, 3,
+                    `Unable to query for Managed Blockchain networks: ${helpers.addError(listNetworks)}`, region);
+                return rcb();
+            }
+
+            if (!listNetworks.data.length) {
+                helpers.addResult(results, 0, 'No Managed Blockchain networks found', region);
+                return rcb();
+            }
+
+            for (let network of listNetworks.data) {
+                if (!network.Id || !network.Arn) continue;
+
+                let listMembers = helpers.addSource(cache, source,
+                    ['managedblockchain', 'listMembers', region, network.Id]);
+
+                if (!listMembers || listMembers.err || !listMembers.data || !listMembers.data.Members) {
+                    helpers.addResult(results, 3,
+                        `Unable to query network members: ${helpers.addError(listMembers)}`,
+                        region, network.Arn);
+                    continue;
+                }
+
+                if (!listMembers.data.Members.length) {
+                    helpers.addResult(results, 0, 'No network members found', region, network.Arn);
+                    continue;
+                }
+
+                for (let member of listMembers.data.Members) {
+                    if (!member.Id || !member.Arn) continue;
+
+                    let resource = member.Arn;
+                    let getMember = helpers.addSource(cache, source,
+                        ['managedblockchain', 'getMember', region, member.Id]);
+
+                    if (!getMember || getMember.err || !getMember.data || !getMember.data.Member) {
+                        helpers.addResult(results, 3,
+                            `Unable to query network member: ${helpers.addError(getMember)}`,
+                            region, member.Arn);
+                        continue;
+                    }
+                    const getmember = getMember.data.Member;
+
+                    if (getmember.LogPublishingConfiguration && getmember.LogPublishingConfiguration.Fabric &&
+                        getmember.LogPublishingConfiguration.Fabric.CaLogs && getmember.LogPublishingConfiguration.Fabric.CaLogs.Cloudwatch
+                        &&  getmember.LogPublishingConfiguration.Fabric.CaLogs.Cloudwatch.Enabled) {
+                        helpers.addResult(results, 0,
+                            'Network member has CloudWatch logs enabled',
+                            region, resource);
+                    } else {
+                        helpers.addResult(results, 2,
+                            'Network member does not have CloudWatch logs enabled',
+                            region, resource);
+                    }
+                }
+            }
+
+            rcb();
+        }, function(){
+            callback(null, results, source);
+        });
+    }
+};
diff --git a/plugins/aws/managedblockchain/networkMemberCloudwatchLogs.spec.js b/plugins/aws/managedblockchain/networkMemberCloudwatchLogs.spec.js
@@ -0,0 +1,165 @@
+var expect = require('chai').expect;
+var networkMemberCloudwatchLogs = require('./networkMemberCloudwatchLogs');
+
+const listNetworks = [
+    {
+        "Id": "n-Z7YTJ3EHSBENRKI7UM6XW2XWFQ",
+        "Name": "akhtar-net",
+        "Description": null,
+        "Framework": "HYPERLEDGER_FABRIC",
+        "FrameworkVersion": "1.4",
+        "Status": "AVAILABLE",
+        "CreationDate": "2021-11-16T07:46:51.158Z",
+        "Arn": "arn:aws:managedblockchain:us-east-1::networks/n-Z7YTJ3EHSBENRKI7UM6XW2XWFQ"
+    }
+];
+
+const listMembers = [
+    {
+        "Id": "m-3WDFHOCKPZFPXOXP5SVIYEBTYA",
+        "Name": "akhtar",
+        "Description": null,
+        "Status": "AVAILABLE",
+        "CreationDate": "2021-11-16T07:46:51.146Z",
+        "IsOwned": true,
+        "Arn": "arn:aws:managedblockchain:us-east-1:000011112222:members/m-3WDFHOCKPZFPXOXP5SVIYEBTYA"
+    }
+];
+
+const getMember = [
+    {
+        "NetworkId": "n-Z7YTJ3EHSBENRKI7UM6XW2XWFQ",
+        "Id": "m-3WDFHOCKPZFPXOXP5SVIYEBTYA",
+        "Name": "akhtar",
+        "Description": null,
+        "FrameworkAttributes": {
+          "Fabric": {
+            "AdminUsername": "cloudsploit",
+            "CaEndpoint": "ca.m-3wdfhockpzfpxoxp5sviyebtya.n-z7ytj3ehsbenrki7um6xw2xwfq.managedblockchain.us-east-1.amazonaws.com:30002"
+          }
+        },
+        "LogPublishingConfiguration": {
+          "Fabric": {
+            "CaLogs": {
+              "Cloudwatch": {
+                "Enabled": true
+              }
+            }
+          }
+        },
+        "Status": "AVAILABLE",
+        "CreationDate": "2021-11-16T07:46:51.146Z",
+        "Tags": {},
+        "Arn": "arn:aws:managedblockchain:us-east-1:000011112222:members/m-3WDFHOCKPZFPXOXP5SVIYEBTYA",
+        "KmsKeyArn": "arn:aws:kms:us-east-1:000011112222:key/ad013a33-b01d-4d88-ac97-127399c18b3e"
+    },
+    {
+        "NetworkId": "n-Z7YTJ3EHSBENRKI7UM6XW2XWFQ",
+        "Id": "m-3WDFHOCKPZFPXOXP5SVIYEBTYA",
+        "Name": "akhtar",
+        "Description": null,
+        "FrameworkAttributes": {
+          "Fabric": {
+            "AdminUsername": "cloudsploit",
+            "CaEndpoint": "ca.m-3wdfhockpzfpxoxp5sviyebtya.n-z7ytj3ehsbenrki7um6xw2xwfq.managedblockchain.us-east-1.amazonaws.com:30002"
+          }
+        },
+        "LogPublishingConfiguration": {
+          "Fabric": {
+            "CaLogs": {
+              "Cloudwatch": {
+                "Enabled": false
+              }
+            }
+          }
+        },
+        "Status": "AVAILABLE",
+        "CreationDate": "2021-11-16T07:46:51.146Z",
+        "Tags": {},
+        "Arn": "arn:aws:managedblockchain:us-east-1:000011112222:members/m-3WDFHOCKPZFPXOXP5SVIYEBTYA",
+        "KmsKeyArn": "AWS_OWNED_KMS_KEY"
+    }
+];
+
+
+const createCache = (networks, members, getMember, networksErr) => {
+    var networkId = (networks && networks.length) ? networks[0].Id : null;
+    var memberId = (members && members.length) ? members[0].Id : null;
+    return {
+        managedblockchain: {
+            listNetworks: {
+                'us-east-1': {
+                    err: networksErr,
+                    data: networks
+                },
+            },
+            listMembers: {
+                'us-east-1': {
+                    [networkId]: {
+                        data: {
+                            "Members": members
+                        }
+                    }
+                }
+            },
+            getMember: {
+                'us-east-1': {
+                    [memberId]: {
+                        data: {
+                            "Member": getMember
+                        }
+                    }
+                }
+            }
+        },
+    };
+};
+
+describe('networkMemberCloudwatchLogs', function () {
+    describe('run', function () {
+        it('should PASS if Network member has cloudwatch logs enabled', function (done) {
+            const cache = createCache(listNetworks ,listMembers, getMember[0]);
+            networkMemberCloudwatchLogs.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].region).to.equal('us-east-1');
+                expect(results[0].message).to.include('Network member has CloudWatch logs enabled');
+                done();
+            });
+        });
+
+        it('should FAIL if Network member does not have cloudwatch logs enabled', function (done) {
+            const cache = createCache(listNetworks ,listMembers, getMember[1]);
+            networkMemberCloudwatchLogs.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(2);
+                expect(results[0].region).to.equal('us-east-1');
+                expect(results[0].message).to.include('Network member does not have CloudWatch logs enabled');
+                done();
+            });
+        });
+
+        it('should PASS if no Managed Blockchain networks found', function (done) {
+            const cache = createCache([]);
+            networkMemberCloudwatchLogs.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].region).to.equal('us-east-1');
+                expect(results[0].message).to.include('No Managed Blockchain networks found');
+                done();
+            });
+        });
+
+        it('should UNKNOWN if unable to query Managed Blockchain networks', function (done) {
+            const cache = createCache(null, null, null, { message: "unable to obtain data" });
+            networkMemberCloudwatchLogs.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(3);
+                expect(results[0].region).to.equal('us-east-1');
+                expect(results[0].message).to.include('Unable to query for Managed Blockchain networks:');
+                done();
+            });
+        });
+
+    });
+})