diff --git a/prowler/compliance/aws/aws_well_architected_framework_performance_pillar_aws.json b/prowler/compliance/aws/aws_well_architected_framework_performance_pillar_aws.json
new file mode 100644
index 00000000000..d1da8896e59
--- /dev/null
+++ b/prowler/compliance/aws/aws_well_architected_framework_performance_pillar_aws.json
@@ -0,0 +1,30 @@
+{
+ "Framework": "AWS-Well-Architected-Framework-Performance-Pillar",
+ "Version": "",
+ "Provider": "AWS",
+ "Description": "Best Practices for the AWS Well-Architected Framework Performance Efficiency Pillar encompass the ability of a workload to use computing resources efficiently and meet requirements. Performance efficiency focuses on the efficient use of cloud resources to meet requirements and avoid unnecessary costs.",
+ "Requirements": [
+ {
+ "Id": "PERF03-BP02",
+ "Description": "Optimize the use of computing resources by selecting the right instance types and sizes for your workload. Regularly review and update your choices based on the workload's evolving requirements.",
+ "Attributes": [
+ {
+ "Name": "PERF03-BP02 Optimize instance types and sizes",
+ "WellArchitectedQuestionId": "selecting-right-instance-types",
+ "WellArchitectedPracticeId": "perf_selecting_right_instance_types",
+ "Section": "Resource optimization",
+ "SubSection": "Selecting the right instance types",
+ "LevelOfRisk": "Medium",
+ "AssessmentMethod": "Manual",
+ "Description": "Optimize the use of computing resources by selecting the right instance types and sizes for your workload. Regularly review and update your choices based on the workload's evolving requirements.",
+ "ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/performance-pillar/perf_selecting_right_instance_types.html#implementation-guidance"
+ }
+ ],
+ "Checks": [
+ "ec2_instance_type_optimized",
+ "autoscaling_group_scaling_enabled",
+ "awslambda_function_serverless_architecture"
+ ]
+ }
+ ]
+}
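Review bot: `"Version": ""` is left empty and `"AssessmentMethod": "Manual"` is set on a requirement whose three `Checks` entries are automated Prowler checks, so one of the two attributes contradicts the rest of the file. If the pillar has no formal version, an explicit value such as the one the other Well-Architected framework files in this directory use would be clearer than an empty string, and for a requirement backed by checks the assessment method should presumably be `"Automated"`. The framework `Description` and the requirement `Description` are otherwise fine, but the same requirement text is repeated verbatim in `Attributes[0].Description`; that is probably the file format's convention and is only worth a look.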
diff --git a/prowler/lib/outputs/file_descriptors.py b/prowler/lib/outputs/file_descriptors.py
index 9b5def4d224..33a991fdda8 100644
--- a/prowler/lib/outputs/file_descriptors.py
+++ b/prowler/lib/outputs/file_descriptors.py
@@ -172,6 +172,19 @@ def fill_file_descriptors(output_modes, output_directory, output_filename, audit
 )
 file_descriptors.update({output_mode: file_descriptor})
 
+ elif (
+ output_mode
+ == "aws_well_architected_framework_performance_pillar_aws"
+ ):
+ filename = f"{output_directory}/{output_filename}_aws_well_architected_framework_performance_pillar_aws{csv_file_suffix}"
+ file_descriptor = initialize_file_descriptor(
+ filename,
+ output_mode,
+ audit_info,
+ Check_Output_CSV_AWS_Well_Architected,
+ )
+ file_descriptors.update({output_mode: file_descriptor})
+
 elif output_mode == "iso27001_2013_aws":
 filename = f"{output_directory}/{output_filename}_iso27001_2013_aws{csv_file_suffix}"
 file_descriptor = initialize_file_descriptor(
diff --git a/prowler/providers/aws/services/autoscaling/autoscaling_group_scaling_enabled/__init__.py b/prowler/providers/aws/services/autoscaling/autoscaling_group_scaling_enabled/__init__.py
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/prowler/providers/aws/services/autoscaling/autoscaling_group_scaling_enabled/autoscaling_group_scaling_enabled.metadata.json b/prowler/providers/aws/services/autoscaling/autoscaling_group_scaling_enabled/autoscaling_group_scaling_enabled.metadata.json
new file mode 100644
index 00000000000..43cfaf1e127
--- /dev/null
+++ b/prowler/providers/aws/services/autoscaling/autoscaling_group_scaling_enabled/autoscaling_group_scaling_enabled.metadata.json
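Review bot: The new `elif` branch repeats the literal `aws_well_architected_framework_performance_pillar_aws` in both the comparison and the filename f-string, so a typo in one copy would silently write the CSV under a name that no longer matches the output mode it serves. Since the branch has already matched `output_mode`, `filename = f"{output_directory}/{output_filename}_{output_mode}{csv_file_suffix}"` expresses the same thing without the duplication. The enclosing `fill_file_descriptors` starts and ends outside the hunk, and the neighbouring `iso27001_2013_aws` branch uses the same copy-paste pattern, so this is a style point on the new code rather than a defect introduced by it.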
@@ -0,0 +1,31 @@
+{
+ "Provider": "aws",
+ "CheckID": "autoscaling_group_scaling_enabled",
+ "CheckTitle": "Ensure Auto Scaling group has scaling enabled",
+ "CheckType": ["Service"],
+ "ServiceName": "autoscaling",
+ "SubServiceName": "",
+ "ResourceIdTemplate": "",
+ "Severity": "medium",
+ "ResourceType": "Other",
+ "Description": "Ensure Auto Scaling group has scaling enabled.",
+ "Risk": "If Auto Scaling group does not have scaling enabled, it may not effectively respond to changes in demand, leading to suboptimal resource utilization.",
+ "RelatedUrl": "https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-scale-based-on-demand.html",
+ "Remediation": {
+ "Code": {
+ "CLI": "aws autoscaling update-auto-scaling-group --auto-scaling-group-name --min-size --max-size --desired-capacity ",
+ "NativeIaC": "",
+ "Other": "",
+ "Terraform": "resource \"aws_autoscaling_group\" \"example\" {\n desired_capacity = \n min_size = \n max_size = \n}"
+ },
+ "Recommendation": {
+ "Text": "We recommend enabling scaling for Auto Scaling groups to effectively respond to changes in demand.",
+ "Url": "https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-scale-based-on-demand.html"
+ }
+ },
+ "Categories": ["autoscaling"],
+ "DependsOn": [],
+ "RelatedTo": [],
+ "Notes": ""
+ }
+
\ No newline at end of file
diff --git a/prowler/providers/aws/services/autoscaling/autoscaling_group_scaling_enabled/autoscaling_group_scaling_enabled.py b/prowler/providers/aws/services/autoscaling/autoscaling_group_scaling_enabled/autoscaling_group_scaling_enabled.py
new file mode 100644
index 00000000000..a67379fb905
--- /dev/null
+++ b/prowler/providers/aws/services/autoscaling/autoscaling_group_scaling_enabled/autoscaling_group_scaling_enabled.py
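Review bot: The `Remediation.Code.CLI` string passes `--auto-scaling-group-name --min-size --max-size --desired-capacity` with no values at all, so it is not a runnable command and the AWS CLI will reject it; the `Terraform` snippet has the same empty right-hand sides. A placeholder form such as `aws autoscaling update-auto-scaling-group --auto-scaling-group-name <group-name> --min-size <min> --max-size <max> --desired-capacity <desired>` tells the reader what to fill in. Separately, the remediation only changes group sizes while the title speaks of "scaling enabled", so `Recommendation.Text` should spell out what "enabled" means for this check (scaling policies attached, or a min size below the max) so the fix matches the finding. The file also ends with a whitespace-only line and no trailing newline.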
@@ -0,0 +1,30 @@
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.autoscaling.autoscaling_client import autoscaling_client
+
+class autoscaling_group_scaling_enabled(Check):
+ def execute(self):
+ findings = []
+
+ # Fetch the audit configuration value from prowler config.yaml
+ max_autoscaling_group_size = autoscaling_client.audit_config.get(
+ "max_autoscaling_group_size", 10
+ )
+
+ for autoscaling_group in autoscaling_client.groups:
+ report = Check_Report_AWS(self.metadata())
+ report.region = autoscaling_group.region
+ report.resource_id = autoscaling_group.name
+ report.resource_arn = autoscaling_group.arn
+ report.resource_tags = autoscaling_group.tags
+
+ report.status = "PASS"
+ report.status_extended = f"Auto Scaling group {autoscaling_group.name} has scaling enabled."
+
+ # Check if scaling is enabled
+ if not autoscaling_group.scaling_enabled:
+ report.status = "FAIL"
+ report.status_extended = f"Auto Scaling group {autoscaling_group.name} does not have scaling enabled."
+
+ findings.append(report)
+
+ return findings
diff --git a/prowler/providers/aws/services/awslambda/awslambda_function_serverless_architecture/__init__.py b/prowler/providers/aws/services/awslambda/awslambda_function_serverless_architecture/__init__.py
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/prowler/providers/aws/services/awslambda/awslambda_function_serverless_architecture/awslambda_function_serverless_architecture.metadata.json b/prowler/providers/aws/services/awslambda/awslambda_function_serverless_architecture/awslambda_function_serverless_architecture.metadata.json
new file mode 100644
index 00000000000..2ac97efa4a6
--- /dev/null
+++ b/prowler/providers/aws/services/awslambda/awslambda_function_serverless_architecture/awslambda_function_serverless_architecture.metadata.json
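Review bot: `max_autoscaling_group_size` is read from `autoscaling_client.audit_config` and then never used, so the `audit_config.get(...)` block is dead code and the `max_autoscaling_group_size` config key it introduces has no effect on the result; either drop those three lines or use the value in the condition. The condition itself reads `autoscaling_group.scaling_enabled`, an attribute that no hunk in this diff adds to the autoscaling service model, so unless the model already exposes it `execute` will raise `AttributeError` on the first group. If the intent is "the group can actually scale", a condition derived from fields the API returns, such as comparing the group's minimum and maximum size (assuming the model exposes them), would be grounded and would also be the natural place to apply the configured maximum. No test module for the new check is part of this commit.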
@@ -0,0 +1,31 @@
+{
+ "Provider": "aws",
+ "CheckID": "awslambda_function_serverless_architecture",
+ "CheckTitle": "Ensure AWS Lambda functions use serverless architecture",
+ "CheckType": ["Service"],
+ "ServiceName": "awslambda",
+ "SubServiceName": "",
+ "ResourceIdTemplate": "",
+ "Severity": "medium",
+ "ResourceType": "Other",
+ "Description": "Ensure AWS Lambda functions use serverless architecture.",
+ "Risk": "Using non-serverless architecture for Lambda functions may require infrastructure provisioning and maintenance, reducing the efficiency of resource usage.",
+ "RelatedUrl": "https://docs.aws.amazon.com/lambda/latest/dg/serverless_app_arch.html",
+ "Remediation": {
+ "Code": {
+ "CLI": "N/A",
+ "NativeIaC": "",
+ "Other": "",
+ "Terraform": "N/A"
+ },
+ "Recommendation": {
+ "Text": "We recommend leveraging serverless architecture for AWS Lambda functions to eliminate the need for infrastructure provisioning and maintenance.",
+ "Url": "https://docs.aws.amazon.com/lambda/latest/dg/serverless_app_arch.html"
+ }
+ },
+ "Categories": ["compute"],
+ "DependsOn": [],
+ "RelatedTo": [],
+ "Notes": ""
+ }
+
\ No newline at end of file
diff --git a/prowler/providers/aws/services/awslambda/awslambda_function_serverless_architecture/awslambda_function_serverless_architecture.py b/prowler/providers/aws/services/awslambda/awslambda_function_serverless_architecture/awslambda_function_serverless_architecture.py
new file mode 100644
index 00000000000..666c6b338f9
--- /dev/null
+++ b/prowler/providers/aws/services/awslambda/awslambda_function_serverless_architecture/awslambda_function_serverless_architecture.py
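Review bot: The control this metadata describes is tautological: a Lambda function is serverless by definition, so `"Ensure AWS Lambda functions use serverless architecture"` cannot distinguish a good function from a bad one, and the `Risk` text about "infrastructure provisioning and maintenance" does not name any Lambda property that could be observed. If the intent under PERF03-BP02 is to favour serverless compute over instances, the `CheckTitle`, `Description` and `Risk` should state the concrete property the code evaluates so a reader can tell why a function fails. The file also ends with a whitespace-only line and no trailing newline.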
@@ -0,0 +1,28 @@
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.awslambda.awslambda_client import awslambda_client # Update with the correct import path
+
+class awslambda_function_serverless_architecture(Check):
+ """awslambda_function_serverless_architecture verifies if an AWS Lambda function uses a serverless architecture"""
+
+ def execute(self):
+ findings = []
+
+ for lambda_function in awslambda_client.functions:
+ report = Check_Report_AWS(self.metadata())
+
+ report.region = lambda_function.region
+ report.resource_id = lambda_function.name
+ report.resource_arn = lambda_function.arn
+ report.resource_tags = lambda_function.tags
+
+ report.status = "PASS"
+ report.status_extended = f"AWS Lambda function {lambda_function.name} is not using a serverless architecture."
+
+ # Replace the condition with the actual logic to check if the Lambda function uses a serverless architecture
+ if not lambda_function.serverless_architecture:
+ report.status = "FAIL"
+ report.status_extended = f"AWS Lambda function {lambda_function.name} is using a serverless architecture."
+
+ findings.append(report)
+
+ return findings
\ No newline at end of file
diff --git a/prowler/providers/aws/services/ec2/ec2_instance_type_optimized/__init__.py b/prowler/providers/aws/services/ec2/ec2_instance_type_optimized/__init__.py
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/prowler/providers/aws/services/ec2/ec2_instance_type_optimized/ec2_instance_type_optimized.metadata.json b/prowler/providers/aws/services/ec2/ec2_instance_type_optimized/ec2_instance_type_optimized.metadata.json
new file mode 100644
index 00000000000..7bc8064ee98
--- /dev/null
+++ b/prowler/providers/aws/services/ec2/ec2_instance_type_optimized/ec2_instance_type_optimized.metadata.json
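Review bot: The status messages are inverted relative to the status codes: the `PASS` branch reports that the function `is not using a serverless architecture`, while the `FAIL` branch, taken when `not lambda_function.serverless_architecture`, reports that it `is using a serverless architecture`. Swap the two strings so the PASS text ends with `is using a serverless architecture.` and the FAIL text with `is not using a serverless architecture.`. The scaffold comments `# Update with the correct import path` and `# Replace the condition with the actual logic ...` show the check is unfinished, and `lambda_function.serverless_architecture` is not an attribute any hunk in this diff adds to the Lambda model, so the loop will raise `AttributeError` unless the model already has it. Once the real criterion is decided, the class docstring should state that criterion rather than restating the check name.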
@@ -0,0 +1,34 @@
+{
+ "Provider": "aws",
+ "CheckID": "ec2_instance_type_optimized",
+ "CheckTitle": "Ensure EC2 instances are of the optimized type",
+ "CheckType": [
+ "Service"
+ ],
+ "ServiceName": "ec2",
+ "SubServiceName": "",
+ "ResourceIdTemplate": "",
+ "Severity": "high",
+ "ResourceType": "Other",
+ "Description": "Ensure EC2 instances are of the optimized type.",
+ "Risk": "Using non-optimized EC2 instance types may result in suboptimal performance and increased costs.",
+ "RelatedUrl": "https://aws.amazon.com/ec2/instance-types/",
+ "Remediation": {
+ "Code": {
+ "CLI": "N/A",
+ "NativeIaC": "",
+ "Other": "",
+ "Terraform": "N/A"
+ },
+ "Recommendation": {
+ "Text": "We recommend choosing EC2 instance types that are optimized for your specific workload to achieve better performance and cost efficiency.",
+ "Url": "https://aws.amazon.com/ec2/instance-types/"
+ }
+ },
+ "Categories": [
+ "compute"
+ ],
+ "DependsOn": [],
+ "RelatedTo": [],
+ "Notes": ""
+}
diff --git a/prowler/providers/aws/services/ec2/ec2_instance_type_optimized/ec2_instance_type_optimized.py b/prowler/providers/aws/services/ec2/ec2_instance_type_optimized/ec2_instance_type_optimized.py
new file mode 100644
index 00000000000..3b3091d6559
--- /dev/null
+++ b/prowler/providers/aws/services/ec2/ec2_instance_type_optimized/ec2_instance_type_optimized.py
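Review bot: `"Severity": "high"` disagrees with the `"LevelOfRisk": "Medium"` that the compliance file in this same commit assigns to PERF03-BP02, and with the `medium` severity of the two sibling checks grouped under the same requirement; a non-optimized instance type is a cost and performance concern, so `"Severity": "medium"` looks like the consistent value. `Risk` and `Recommendation.Text` also never say what "optimized" means, while the accompanying code compares the type against a fixed list of small t3 sizes; the description should name that criterion so a user understands why a larger or different-family instance is reported.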
@@ -0,0 +1,31 @@
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.ec2.ec2_client import ec2_client
+
+
+class ec2_instance_type_optimized(Check):
+ def execute(self):
+ findings = []
+
+ # List of optimized instance types (modify as needed)
+ optimized_instance_types = ["t3.micro", "t3.small", "t3.medium"]
+
+ for instance in ec2_client.instances:
+ report = Check_Report_AWS(self.metadata())
+ report.region = instance.region
+ report.resource_id = instance.id
+ report.resource_arn = instance.arn
+ report.resource_tags = instance.tags
+
+ report.status = "PASS"
+ report.status_extended = (
+ f"EC2 instance {instance.id} is using an optimized instance type."
+ )
+
+ # Check if the instance type is in the list of optimized instance types
+ if instance.type not in optimized_instance_types:
+ report.status = "FAIL"
+ report.status_extended = f"EC2 instance {instance.id} is not using an optimized instance type. Current type: {instance.type}"
+
+ findings.append(report)
+
+ return findings
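Review bot: `optimized_instance_types` is hard-coded to `["t3.micro", "t3.small", "t3.medium"]`, so every instance of any other family or size yields a FAIL finding and, as the `(modify as needed)` comment admits, the only way for an operator to adjust that is to edit the source. The autoscaling check in this same commit already reads its tunable from `autoscaling_client.audit_config`; the same pattern here keeps the current default while making the list configurable, e.g. `optimized_instance_types = ec2_client.audit_config.get("<config-key>", ["t3.micro", "t3.small", "t3.medium"])` with a key name agreed for config.yaml (this assumes `ec2_client` exposes `audit_config` the way the autoscaling client does). The comment should then describe the config key rather than inviting source edits, and a `set` would be the idiomatic container for the membership test, though it makes no practical difference at three entries.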