Merge pull request #1973 from muzzamilinovaqo/feature/plugin-aws-work…

…space-operational-state aws workspace operational state
aquasecurity · Apr 22, 2024 · d6d52c1 · d6d52c1
2 parents d2a6dbf + 9a1fab9
commit d6d52c1
Show file tree

Hide file tree

Showing 3 changed files with 162 additions and 0 deletions.
diff --git a/exports.js b/exports.js
@@ -591,6 +591,7 @@ module.exports = {
         'exportedFindingsEncrypted'     : require(__dirname + '/plugins/aws/guardduty/exportedFindingsEncrypted.js'),
 
         'workspacesVolumeEncryption'    : require(__dirname + '/plugins/aws/workspaces/workspacesVolumeEncryption.js'),
+        'workSpacesHealthyInstances'    : require(__dirname + '/plugins/aws/workspaces/workSpacesHealthyInstances.js'),
         'workspacesIpAccessControl'     : require(__dirname + '/plugins/aws/workspaces/workspacesIpAccessControl.js'),
         'unusedWorkspaces'              : require(__dirname + '/plugins/aws/workspaces/unusedWorkspaces.js'),
         'workspacesInstanceCount'       : require(__dirname + '/plugins/aws/workspaces/workspacesInstanceCount.js'),

diff --git a/plugins/aws/workspaces/workSpacesHealthyInstances.js b/plugins/aws/workspaces/workSpacesHealthyInstances.js
@@ -0,0 +1,60 @@
+var async = require('async');
+var helpers = require('../../../helpers/aws');
+
+module.exports = {
+    title: 'WorkSpaces Healthy Instances',
+    category: 'WorkSpaces',
+    domain: 'Identity and Access Management',
+    severity: 'Medium',
+    description: 'Ensures that the AWS WorkSpace have healthy instances.',
+    more_info: 'Amazon WorkSpace should have healthy and running instances to ensure proper connection. The WorkSpace is marked as Unhealthy if response isn’t received from the WorkSpace in a timely manner. When the WorkSpaces instance’s status is unhealthy, it fails to respond to the HealthCheck requests.',
+    recommended_action: 'Troubleshoot and resolve the unhealthy workspace issues.',
+    link: 'https://docs.aws.amazon.com/workspaces/latest/adminguide/cloudwatch-dashboard.html',
+    apis: ['WorkSpaces:describeWorkspaces','STS:getCallerIdentity'],
+    realtime_triggers: ['workspaces:CreateWorkspaces','workspaces:DeleteWorkspaces'],
+
+    run: function(cache, settings, callback) {
+        var results = [];
+        var source = {};
+        var regions = helpers.regions(settings);
+        var acctRegion = helpers.defaultRegion(settings);
+        var awsOrGov = helpers.defaultPartition(settings);
+
+        var accountId = helpers.addSource(cache, source, ['sts', 'getCallerIdentity', acctRegion, 'data']);
+
+        async.each(regions.workspaces, function(region, rcb){
+            var listWorkspaces = helpers.addSource(cache, source, ['workspaces', 'describeWorkspaces', region]);
+
+            if (!listWorkspaces)  return rcb();
+
+            if (!listWorkspaces || listWorkspaces.err || !listWorkspaces.data) {
+                helpers.addResult(results, 3,
+                    'Unable to list Workspaces: ' + helpers.addError(listWorkspaces), region);
+                return rcb();
+            }
+
+            if (!listWorkspaces.data.length) {
+                helpers.addResult(results, 0,
+                    'No WorkSpaces instances found', region);
+                return rcb();
+            }
+            listWorkspaces.data.forEach(workspace => {
+                if (!workspace.WorkspaceId) return;
+
+                let resource = `arn:${awsOrGov}:region:${region}:${accountId}:worskpace/${workspace.WorkspaceId}`;
+
+                if (workspace.State === 'UNHEALTHY') {
+                    helpers.addResult(results, 2,
+                        'Workspace instance is not in healthy state', region, resource);
+                } else {
+                    helpers.addResult(results, 0,
+                        'WorkSpace instance is in healthy state', region, resource);
+                }
+            });
+
+            rcb();
+        }, function() {
+            callback(null, results, source);
+        });
+    }
+};
diff --git a/plugins/aws/workspaces/workSpacesHealthyInstances.spec.js b/plugins/aws/workspaces/workSpacesHealthyInstances.spec.js
@@ -0,0 +1,101 @@
+
+var expect = require('chai').expect;
+var workSpacesHealthyInstances = require('./workSpacesHealthyInstances');
+
+const describeWorkspaces = [
+    {
+        WorkspaceId: 'ws-f7hsrphp6',
+        DirectoryId: 'd-9067552532',
+        UserName: 'test',
+        IpAddress: '172.16.1.134',
+        State: 'AVAILABLE',
+        BundleId: 'wsb-clj85qzj1',
+        SubnetId: 'subnet-017fd5eda595ac73f',
+        ModificationStates: []
+    },
+    {
+        WorkspaceId: 'ws-f7hsrphp6',
+        DirectoryId: 'd-9067552532',
+        UserName: 'test',
+        IpAddress: '172.16.1.134',
+        State: 'UNHEALTHY',
+        BundleId: 'wsb-clj85qzj1',
+        ModificationStates: []
+    },
+];
+
+const createCache = (data, err) => {
+    return {
+        workspaces: {
+          describeWorkspaces: {
+                'us-east-1': {
+                    data: data,
+                    err: err
+                }
+            }
+        }
+    };
+};
+
+const createErrorCache = () => {
+    return {
+        workspaces: {
+            describeWorkspaces: {
+                'us-east-1': {
+                    data: [],
+                    err: {
+                        message: 'error describing workspaces'
+                    },
+                }
+            }
+        }
+    };
+};
+
+describe('workSpacesHealthyInstances', function () {
+    describe('run', function () {
+        it('should PASS if no workspace instances found', function (done) {
+            const cache = createCache([]);
+            workSpacesHealthyInstances.run(cache, { }, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].region).to.include('us-east-1')
+                expect(results[0].message).to.include('No WorkSpaces instances found')
+                done();
+            });
+        });
+
+        it('should UNKNOWN if Unable to query for WorkSpaces instances', function (done) {
+            const cache = createErrorCache();
+            workSpacesHealthyInstances.run(cache,{}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(3);
+                expect(results[0].region).to.include('us-east-1')
+                expect(results[0].message).to.include('Unable to list Workspaces')
+                done();
+            });
+        });
+
+        it('should PASS if the Workspace is operational', function (done) {
+            const cache = createCache([describeWorkspaces[0]]);
+            workSpacesHealthyInstances.run(cache, { }, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].region).to.equal('us-east-1');
+                expect(results[0].message).to.include('WorkSpace instance is in healthy state')
+                done();
+            });
+        });
+
+        it('should FAIL if Workspace is not operational', function (done) {
+            const cache = createCache([describeWorkspaces[1]]);
+            workSpacesHealthyInstances.run(cache, {  }, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(2);
+                expect(results[0].region).to.equal('us-east-1')
+                expect(results[0].message).to.include('Workspace instance is not in healthy state')
+                done();
+            });
+        });
+    });
+});