
Severity discrepancy between autoscaling_group_launch_configuration_requires_imdsv2 and ec2_instance_imdsv2_enabled #5932

Open
pr3l14t0r opened this issue Nov 27, 2024 · 2 comments
Assignees: pedrooot
Labels: bug, status/waiting-for-revision (Waiting for maintainer's revision)

Comments

@pr3l14t0r

Steps to Reproduce

Heyho! We recently updated from 4.4.0 to 4.5.3. One of the new checks is autoscaling_group_launch_configuration_requires_imdsv2, which fails for a few resources. We do alert on Critical and High severity, that is mainly why it was brought to my attention.

The mentioned check is referring to autoscaling groups specifically rather than EC2 instances that are currently running.

That means there are currently two checks that would test the MetaData configuration for EC2 instances.

Question:

Why is autoscaling_group_launch_configuration_requires_imdsv2 of severity High while ec2_instance_imdsv2_enabled is set to medium?

Here's the output of prowler aws --list-checks | grep imds, maybe it helps (ignore ec2_instance_account_imdsv2_enabled for this discussion):

[autoscaling_group_launch_configuration_requires_imdsv2] Check if Auto Scaling group launch configurations require Instance Metadata Service Version 2 (IMDSv2). - autoscaling [high]
[ec2_instance_account_imdsv2_enabled] Ensure Instance Metadata Service Version 2 (IMDSv2) is enforced for EC2 instances at the account level to protect against SSRF vulnerabilities. - ec2 [medium]
[ec2_instance_imdsv2_enabled] Check if EC2 Instance Metadata Service Version 2 (IMDSv2) is Enabled and Required. - ec2 [medium]

Second question:

Is it possible to set a custom severity to a check? I couldn't find a "simple" solution to this in the docs. It's not worth the effort to create a dedicated customized check out of it. 😅

Expected behavior

Both ec2_instance_imdsv2_enabled and ec2_instance_account_imdsv2_enabled have the same severity.

Actual Result with Screenshots or Logs

NA

How did you install Prowler?

Cloning the repository from github.com (git clone)

Environment Resource

  • Fargate Task
  • Local Docker image

OS used

Alpine Linux

Prowler version

Prowler 4.5.3

Pip version

pip 24.2 from /usr/local/lib/python3.12/site-packages/pip (python 3.12)

Context

No response

@pr3l14t0r pr3l14t0r added bug status/needs-triage Issue pending triage labels Nov 27, 2024
@pedrooot pedrooot self-assigned this Nov 27, 2024
@pedrooot (Member)

Hi! @pr3l14t0r thanks for the ping. We’ll need to review the logic behind the severity of the checks you mentioned. Once we make a decision, I’ll create a PR with the solution and let you know. Thanks!

Regarding your second question, you can use the custom check metadata feature:
Custom Checks Metadata Documentation
You can find all the information about this feature in our documentation.

Thanks! Best regards.
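A worked custom check metadata file for the two checks named in this issue, added here as an illustration and not part of the thread or of the Prowler repository. It follows the file layout described in the Prowler custom checks metadata documentation the maintainer linked; the `CustomChecksMetadata`/`Checks`/`Severity` key names and the `--custom-checks-metadata-file` flag are assumed from that documentation for Prowler 4.5.x and should be verified against the installed version. It gives the instance-level IMDSv2 checks the same severity as the launch configuration check, so an alert-on-High rule fires consistently whether IMDSv2 is optional on a launch configuration or on a running instance:

```yaml
# Added example: custom check metadata override for the IMDSv2 checks in this issue.
# Layout follows Prowler's custom checks metadata documentation; the key names and
# accepted severity values (critical/high/medium/low/informational) are assumed
# from that documentation for Prowler 4.5.x and should be checked against the
# installed version.
CustomChecksMetadata:
  aws:
    Checks:
      # Running instances: align with the launch configuration check so that an
      # instance that still allows IMDSv1 alerts at the same level as its template.
      ec2_instance_imdsv2_enabled:
        Severity: high
      # Account-level IMDSv2 default: raised to the same level for consistency.
      ec2_instance_account_imdsv2_enabled:
        Severity: high
      # Alternative: keep the EC2 checks at medium and lower the launch
      # configuration check instead (uncomment and remove the two overrides above).
      # autoscaling_group_launch_configuration_requires_imdsv2:
      #   Severity: medium
```

Run with `prowler aws --custom-checks-metadata-file ./custom_checks_metadata.yaml` (flag name as documented for Prowler 4.x; assumption). The override changes only the metadata attached to each finding, not the check logic or its PASS/FAIL status, so the set of failing resources is unchanged and only the reported severity, and with it the alerting threshold, moves.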

@pedrooot pedrooot added status/waiting-for-revision Waiting for maintainer's revision and removed status/needs-triage Issue pending triage labels Nov 27, 2024
@pr3l14t0r (Author)

Heyho @pedrooot! Thank you so much for the super quick response. :)

I don't know how I overlooked the Custom Checks Metadata file in the documentation. Sorry, sir, and thank you very much!
