Feature/plugin/ses validated domains

collectors/aws/collector.js

@@ -838,6 +838,12 @@ var postcalls = [
                 reliesOnCall: 'listIdentities',
                 override: true,
                 rateLimit: 1000
+            },
+            getIdentityVerificationAttributes: {
+                reliesOnService: 'ses',
+                reliesOnCall: 'listIdentities',
+                override: true,
+                rateLimit: 1000
             }
         },
         SNS: {

collectors/aws/ses/getIdentityVerificationAttributes.js

@@ -0,0 +1,15 @@
+var AWS = require('aws-sdk');
+
+module.exports = function(AWSConfig, collection, callback) {
+    var ses = new AWS.SES(AWSConfig);
+
+    ses.getIdentityVerificationAttributes({Identities: collection.ses.listIdentities[AWSConfig.region].data}, function(err, data){
+        if (err) {
+            collection.ses.getIdentityVerificationAttributes[AWSConfig.region].err = err;
+        }
+
+        collection.ses.getIdentityVerificationAttributes[AWSConfig.region].data = data;
+
+        callback();
+    });
+};

exports.js

@@ -173,6 +173,7 @@ module.exports = {
         'notebookDirectInternetAccess'  : require(__dirname + '/plugins/aws/sagemaker/notebookDirectInternetAccess.js'),
 
         'dkimEnabled'                   : require(__dirname + '/plugins/aws/ses/dkimEnabled.js'),
+        'sesValidatedDomains'           : require(__dirname + '/plugins/aws/ses/sesValidatedDomains.js'),
 
         'topicPolicies'                 : require(__dirname + '/plugins/aws/sns/topicPolicies.js'),
         'sqsCrossAccount'               : require(__dirname + '/plugins/aws/sqs/sqsCrossAccount.js'),

plugins/aws/ses/sesValidatedDomains.js

@@ -0,0 +1,74 @@
+var async = require('async');
+var helpers = require('../../../helpers/aws');
+
+module.exports = {
+    title: 'SES Validated Domains Flagged',
+    category: 'SES',
+    description: 'Ensures that only Email Identities are used for verification of identities.',
+    more_info: 'SES allows for either domains or email addresses to be valid identities. This checks to ensure that only emails have been verified.',
+    recommended_action: 'Remove any domains',
+    link: 'https://docs.aws.amazon.com/ses/latest/DeveloperGuide/remove-verified-domain.html',
+    apis: ['SES:listIdentities', 'SES:getIdentityVerificationAttributes'],
+
+    run: function(cache, settings, callback) {
+        var results = [];
+        var source = {};
+        var regions = helpers.regions(settings);
+
+        async.each(regions.ses, function(region, rcb){
+            var listIdentities = helpers.addSource(cache, source,
+                ['ses', 'listIdentities', region]);
+
+            if (!listIdentities) return rcb();
+
+            if (listIdentities.err || !listIdentities.data) {
+                helpers.addResult(results, 3,
+                    'Unable to query for SES identities: ' + helpers.addError(listIdentities), region);
+                return rcb();
+            }
+
+            if (!listIdentities.data.length) {
+                helpers.addResult(results, 0, 'No SES domain identities found', region);
+                return rcb();
+            }
+
+            var getIdentityVerificationAttributes = helpers.addSource(cache, source,
+                ['ses', 'getIdentityVerificationAttributes', region]);
+
+            if (!getIdentityVerificationAttributes ||
+                getIdentityVerificationAttributes.err ||
+                !getIdentityVerificationAttributes.data) {
+                helpers.addResult(results, 3,
+                    'Unable to get SES Verification attributes: ' + helpers.addError(getIdentityVerificationAttributes), region);
+                return rcb();
+            }
+
+            for (i in getIdentityVerificationAttributes.data.VerificationAttributes) {
+                var identity = getIdentityVerificationAttributes.data.VerificationAttributes[i];
+
+                if (!identity.VerificationStatus) {
+                    helpers.addResult(results, 2, 'Domain identity exists with unknown status', region, i);
+                } else if (identity.VerificationStatus == 'Success') {
+                    helpers.addResult(results, 2,
+                        'Domain identity exists and is verified', region, i);
+                } else if (identity.VerificationStatus == 'Pending') {
+                    helpers.addResult(results, 2,
+                        'Domain identity exists and has verification that is pending', region, i);
+                } else if (identity.VerificationStatus == 'Failed') {
+                    helpers.addResult(results, 2,
+                        'Domain identity exists but verification failed', region, i);
+                } else if (identity.VerificationStatus == 'TemporaryFailure') {
+                    helpers.addResult(results, 2,
+                        'Domain identity exists but verification temporarily failed', region, i);  
+                } else {
+                    helpers.addResult(results, 2, 'Domain identity exists with unknown status', region, i);
+
+                }
+            }
+
+            rcb();
+        }, function(){
+            callback(null, results, source);
+        });
+    }
+};

plugins/aws/ses/sesValidatedDomains.spec.js

@@ -0,0 +1,126 @@
+var assert = require('assert');
+var expect = require('chai').expect;
+var ses = require('./sesValidatedDomains');
+
+const createCache = (lData, gData) => {
+    return {
+        ses: {
+            listIdentities: {
+                'us-east-1': {
+                    err: null,
+                    data: lData
+                }
+            },
+            getIdentityVerificationAttributes: {
+                'us-east-1': {
+                    err: null,
+                    data: gData
+                }
+            }
+
+        }
+    }
+};
+
+describe('sesValidatedDomains', function () {
+    describe('run', function () {
+        it('should give passing result if no domain identities are found', function (done) {
+            const callback = (err, results) => {
+                expect(results.length).to.equal(1)
+                expect(results[0].status).to.equal(0)
+                expect(results[0].message).to.include('No SES domain identities found')
+                done()
+            };
+
+            const cache = createCache(
+                [],
+                []
+            );
+
+            ses.run(cache, {}, callback);
+        })
+    });
+
+    describe('run', function () {
+        it('should give error result if verified domain identities exist', function (done) {
+            const callback = (err, results) => {
+                expect(results.length).to.equal(1)
+                expect(results[0].status).to.equal(2)
+                expect(results[0].message).to.include('Domain identity exists and is verified')
+                done()
+            };
+
+            const cache = createCache(
+                [{
+                    "Identities": [
+                        "test@test.com"
+                    ]
+                }],
+                {
+                    "VerificationAttributes": [
+                        {
+                            "VerificationStatus": "Success"
+                        }
+                    ]
+                }
+            );
+
+            ses.run(cache, {}, callback);
+        })
+    })
+
+    describe('run', function () {
+        it('should give warning result if verified domain identities are pending', function (done) {
+            const callback = (err, results) => {
+                expect(results.length).to.equal(1)
+                expect(results[0].status).to.equal(2)
+                expect(results[0].message).to.include('Domain identity exists and has verification that is pending')
+                done()
+            };
+
+            const cache = createCache(
+                [{
+                    "Identities": [
+                        "test@test.com"
+                    ]
+                }],
+                {
+                    "VerificationAttributes": [
+                        {
+                            "VerificationStatus": "Pending"
+                        }
+                    ]
+                }
+            );
+
+            ses.run(cache, {}, callback);
+        })
+    })
+
+    describe('run', function () {
+        it('should give warning result if domain identity exists, but verification has not yet been requested', function (done) {
+            const callback = (err, results) => {
+                expect(results.length).to.equal(1)
+                expect(results[0].status).to.equal(2)
+                expect(results[0].message).to.include('Domain identity exists with unknown status')
+                done()
+            };
+
+            const cache = createCache(
+                [{
+                    "Identities": [
+                        "test@test.com"
+                    ]
+                }],
+                {
+                    "VerificationAttributes": [
+                        {}
+                    ]
+                }
+            );
+
+            ses.run(cache, {}, callback);
+        })
+    })
+
+})