prowler-cloud · sergargar · Jun 24, 2024 · Jun 13, 2024 · Jun 24, 2024
@@ -0,0 +1,30 @@
+{
+  "Provider": "aws",
+  "CheckID": "documentdb_cluster_backup_retention",
+  "CheckTitle": "Check if DocumentDB Clusters have backup enabled.",
+  "CheckType": [],
+  "ServiceName": "DocumentDB",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-cluster",
+  "Severity": "medium",
+  "ResourceType": "AwsRdsDbCluster",
+  "Description": "Check if DocumentDB Clusters have backup enabled.",
+  "Risk": "Ensure that your Amazon DocumentDB database clusters have set a minimum backup retention period in order to achieve compliance requirements in your organization.",
+  "RelatedUrl": "https://docs.aws.amazon.com/securityhub/latest/userguide/documentdb-controls.html#documentdb-2",
+  "Remediation": {
+    "Code": {
+      "CLI": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/DocumentDB/sufficient-backup-retention-period.html#",
+      "NativeIaC": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/DocumentDB/sufficient-backup-retention-period.html#",
+      "Other": "",
+      "Terraform": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/DocumentDB/sufficient-backup-retention-period.html#"
+    },
+    "Recommendation": {
+      "Text": "Enable automated backup for production data. Define a retention period and periodically test backup restoration. A Disaster Recovery process should be in place to govern Data Protection approach.",
+      "Url": "https://docs.aws.amazon.com/securityhub/latest/userguide/documentdb-controls.html#documentdb-2"
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}
@@ -0,0 +1,33 @@
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.documentdb.documentdb_client import (
+    documentdb_client,
+)
+
+
+class documentdb_cluster_backup_enabled(Check):
+    def execute(self):
+        findings = []
+        for cluster in documentdb_client.db_clusters.values():
+            report = Check_Report_AWS(self.metadata())
+            report.region = cluster.region
+            report.resource_id = cluster.id
+            report.resource_arn = cluster.arn
+            report.resource_tags = cluster.tags
+            report.status = "FAIL"
+            report.status_extended = (
+                f"DocumentDB Cluster {cluster.id} does not have backup enabled."
+            )
+            if cluster.backup_retention_period > documentdb_client.audit_config.get(
+                "minimum_backup_retention_period", 7
+            ):
+                report.status = "PASS"
+                report.status_extended = f"DocumentDB Cluster {cluster.id} has backup enabled with retention period {cluster.backup_retention_period} days."
+            else:
+                if cluster.backup_retention_period > 0:
+                    report.status = "FAIL"
+                    report.check_metadata.Severity = "low"
+                    report.status_extended = f"DocumentDB Cluster {cluster.id} has backup enabled with retention period {cluster.backup_retention_period} days. Recommended to increase the backup retention period to a minimum of 7 days."
+
+            findings.append(report)
+
+        return findings
@@ -0,0 +1,30 @@
+{
+  "Provider": "aws",
+  "CheckID": "documentdb_cluster_cloudwatch_log_export",
+  "CheckTitle": "Check if DocumentDB clusters are using the log export feature.",
+  "CheckType": [],
+  "ServiceName": "documentdb",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "Severity": "medium",
+  "ResourceType": "AwsRDSDBCluster",
+  "Description": "Check if DocumentDB clusters are using the log export feature.",
+  "Risk": "Ensure that all your Amazon DocumentDB clusters are using the Log Exports feature in order to publish audit logs directly to CloudWatch Logs. The events recorded by Log Exports include events such as successful and failed authentication attempts, creating indexes, or dropping collections in DocumentDB databases.",
+  "RelatedUrl": "https://docs.aws.amazon.com/securityhub/latest/userguide/documentdb-controls.html#documentdb-4",
+  "Remediation": {
+    "Code": {
+      "CLI": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/DocumentDB/enable-profiler.html",
+      "NativeIaC": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/DocumentDB/enable-profiler.html",
+      "Other": "",
+      "Terraform": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/DocumentDB/enable-profiler.html"
+    },
+    "Recommendation": {
+      "Text": "Enabled DocumentDB Log export functionality to analyze, monitor, and archive auditing events for security and compliance requirements.",
+      "Url": "https://docs.aws.amazon.com/securityhub/latest/userguide/documentdb-controls.html#documentdb-4"
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}
@@ -0,0 +1,35 @@
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.documentdb.documentdb_client import (
+    documentdb_client,
+)
+
+
+class documentdb_cluster_cloudwatch_log_export(Check):
+    def execute(self):
+        findings = []
+        for cluster in documentdb_client.db_clusters.values():
+            report = Check_Report_AWS(self.metadata())
+            report.region = cluster.region
+            report.resource_id = cluster.id
+            report.resource_arn = cluster.arn
+            report.resource_tags = cluster.tags
+            report.status = "FAIL"
+            report.status_extended = f"DocumentDB Cluster {cluster.id} does not have cloudwatch log export enabled."
+            if cluster.cloudwatch_logs:
+                if (
+                    "audit" in cluster.cloudwatch_logs
+                    and "profiler" in cluster.cloudwatch_logs
+                ):
+                    report.status = "PASS"
+                    report.status_extended = f"DocumentDB Cluster {cluster.id} is shipping {' '.join(cluster.cloudwatch_logs)} to CloudWatch Logs."
+                elif (
+                    "audit" in cluster.cloudwatch_logs
+                    or "profiler" in cluster.cloudwatch_logs
+                ):
+                    report.status = "FAIL"
+                    report.check_metadata.Severity = "low"
+                    report.status_extended = f"DocumentDB Cluster {cluster.id} is only shipping {' '.join(cluster.cloudwatch_logs)} to CloudWatch Logs. Recommended to ship both Audit and Profiler logs."
+
+            findings.append(report)
+
+        return findings
@@ -0,0 +1,30 @@
+{
+  "Provider": "aws",
+  "CheckID": "documentdb_cluster_deletion_protection_enabled",
+  "CheckTitle": "Check if DocumentDB Clusters has deletion protection enabled.",
+  "CheckType": [],
+  "ServiceName": "documentdb",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-cluster",
+  "Severity": "medium",
+  "ResourceType": "AwsRdsDbClusters",
+  "Description": "Check if Neptune Clusters has deletion protection enabled.",
+  "Risk": "Enabling cluster deletion protection offers an additional layer of protection against accidental database deletion or deletion by an unauthorized user. A Neptune DB cluster can't be deleted while deletion protection is enabled. You must first disable deletion protection before a delete request can succeed.",
+  "RelatedUrl": "https://docs.aws.amazon.com/securityhub/latest/userguide/documentdb-controls.html#documentdb-5",
+  "Remediation": {
+    "Code": {
+      "CLI": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/DocumentDB/deletion-protection.html#",
+      "NativeIaC": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/DocumentDB/deletion-protection.html#",
+      "Other": "",
+      "Terraform": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/DocumentDB/deletion-protection.html#"
+    },
+    "Recommendation": {
+      "Text": "Enable deletion protection for production DocumentDB Clusters.",
+      "Url": "https://docs.aws.amazon.com/securityhub/latest/userguide/documentdb-controls.html#documentdb-5"
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}
@@ -0,0 +1,26 @@
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.documentdb.documentdb_client import (
+    documentdb_client,
+)
+
+
+class documentdb_cluster_deletion_protection(Check):
+    def execute(self):
+        findings = []
+        for cluster in documentdb_client.db_clusters.values():
+            report = Check_Report_AWS(self.metadata())
+            report.region = cluster.region
+            report.resource_id = cluster.id
+            report.resource_arn = cluster.arn
+            report.resource_tags = cluster.tags
+            report.status = "FAIL"
+            report.status_extended = f"DocumentDB Cluster {cluster.id} does not have deletion protection enabled."
+            if cluster.deletion_protection:
+                report.status = "PASS"
+                report.status_extended = (
+                    f"DocumentDB Cluster {cluster.id} has deletion protection enabled."
+                )
+
+            findings.append(report)
+
+        return findings
@@ -0,0 +1,32 @@
+{
+  "Provider": "aws",
+  "CheckID": "documentdb_cluster_storage_encrypted",
+  "CheckTitle": "Check if DocumentDB cluster storage is encrypted.",
+  "CheckType": [
+    "Data Protection"
+  ],
+  "ServiceName": "documentdb",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "Severity": "medium",
+  "ResourceType": "AwsRDSDBCluster",
+  "Description": "Check if DocumentDB cluster storage is encrypted.",
+  "Risk": "Ensure that encryption of data at rest is enabled for your Amazon DocumentDB (with MongoDB compatibility) database clusters for additional data security and regulatory compliance.",
+  "RelatedUrl": "https://docs.aws.amazon.com/securityhub/latest/userguide/documentdb-controls.html#documentdb-1",
+  "Remediation": {
+    "Code": {
+      "CLI": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_28/",
+      "NativeIaC": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/DocumentDB/encryption-enabled.html#",
+      "Other": "",
+      "Terraform": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_28/"
+    },
+    "Recommendation": {
+      "Text": "Enable Encryption. Use a CMK where possible. It will provide additional management and privacy benefits.",
+      "Url": "https://docs.aws.amazon.com/securityhub/latest/userguide/documentdb-controls.html#documentdb-1"
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}
@@ -4,24 +4,24 @@
 )
 
 
-class documentdb_instance_storage_encrypted(Check):
+class documentdb_cluster_storage_encrypted(Check):
     def execute(self):
         findings = []
-        for db_instance in documentdb_client.db_instances.values():
+        for db_cluster in documentdb_client.db_clusters.values():
             report = Check_Report_AWS(self.metadata())
-            report.region = db_instance.region
-            report.resource_id = db_instance.id
-            report.resource_arn = db_instance.arn
-            report.resource_tags = db_instance.tags
-            if db_instance.encrypted:
+            report.region = db_cluster.region
+            report.resource_id = db_cluster.id
+            report.resource_arn = db_cluster.arn
+            report.resource_tags = db_cluster.tags
+            if db_cluster.encrypted:
                 report.status = "PASS"
                 report.status_extended = (
-                    f"DocumentDB Instance {db_instance.id} is encrypted."
+                    f"DocumentDB Cluster {db_cluster.id} is encrypted at rest."
                 )
             else:
                 report.status = "FAIL"
                 report.status_extended = (
-                    f"DocumentDB Instance {db_instance.id} is not encrypted."
+                    f"DocumentDB Cluster {db_cluster.id} is not encrypted at rest."
                 )
 
             findings.append(report)

@@ -14,7 +14,9 @@
         self.service_name = "docdb"
         super().__init__(self.service_name, provider)
         self.db_instances = {}
+        self.db_clusters = {}
         self.__threading_call__(self.__describe_db_instances__)
+        self.__threading_call__(self.__describe_db_clusters__)
         self.__list_tags_for_resource__()
 
     def __describe_db_instances__(self, regional_client):
@@ -75,6 +77,52 @@
                 f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
             )
 
+    def __describe_db_clusters__(self, regional_client):
+        logger.info("DocumentDB - Describe Clusters...")
+        try:
+            describe_db_clusters_paginator = regional_client.get_paginator(
+                "describe_db_clusters"
+            )
+            for page in describe_db_clusters_paginator.paginate(
+                Filters=[
+                    {
+                        "Name": "engine",
+                        "Values": [
+                            self.service_name,
+                        ],
+                    },
+                ],
+            ):
+                for cluster in page["DBClusters"]:
+                    db_cluster_arn = cluster["DBClusterArn"]
+                    if not self.audit_resources or (
+                        is_resource_filtered(db_cluster_arn, self.audit_resources)
+                    ):
+                        self.db_clusters[db_cluster_arn] = DBCluster(
+                            id=cluster["DBClusterIdentifier"],
+                            arn=db_cluster_arn,
+                            endpoint=cluster.get("Endpoint"),
+                            engine=cluster["Engine"],
+                            status=cluster["Status"],
+                            encrypted=cluster["StorageEncrypted"],
+                            backup_retention_period=cluster.get(
+                                "BackupRetentionPeriod"
+                            ),
+                            cloudwatch_logs=cluster.get(
+                                "EnabledCloudwatchLogsExports", []
+                            ),
+                            deletion_protection=cluster["DeletionProtection"],
+                            parameter_group=cluster["DBClusterParameterGroup"],
+                            multi_az=cluster["MultiAZ"],
+                            region=regional_client.region,
+                            tags=cluster.get("TagList", []),
+                        )
+
+        except Exception as error:
+            logger.error(
+                f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+
 
 class Instance(BaseModel):
     id: str
@@ -87,3 +135,19 @@
     cluster_id: Optional[str]
     region: str
     tags: Optional[list]
+
+
+class DBCluster(BaseModel):
+    id: str
+    arn: str
+    endpoint: Optional[str]
+    engine: str
+    status: str
+    encrypted: bool
+    backup_retention_period: int = 0
+    cloudwatch_logs: Optional[list] = []
+    deletion_protection: bool
+    multi_az: bool
+    parameter_group: str
+    region: str
+    tags: Optional[list] = []