
module: AWS EC2 serial console access without account-level disablement #32

@rudraditya21

Description

Summary
Add an atomic, deterministic validation module that checks whether EC2 serial console access has been disabled at the account level. The EC2 serial console setting is per account and per region, so the whole state inspection is one read-only call to ec2:GetSerialConsoleAccessStatus; a response of SerialConsoleAccessEnabled=true means the control has failed. The module must return a stable pass/fail result for this single control and emit planner-ready metadata (risk, noise, detection_surface, and postcondition ControlFailure). Classification target: Level 2.

Protocol and Category

  • Protocol: AWS EC2 API
  • Category: cloud/aws/compute

Module Path
Proposed module path in registry/: registry/auxiliary/validation/aws/ec2/aws_ec2_serial_console_access_without_account_level_disablement

Manifest Details
List required manifest fields, inputs, and outputs.

  • Required fields: manifest_version: 1, module_api_version: 1, runtime: builtin, name, description, category: auxiliary, rank: normal, author, platforms, tags, entrypoint, references.
  • Suggested name: auxiliary/validation/aws/ec2/aws_ec2_serial_console_access_without_account_level_disablement
  • Suggested platforms: ['cross'] unless the check is host-OS specific.
  • Suggested tags: validation, defensive, domain/provider tags, and control-family tags.
  • Input: AWS_ACCOUNT_ID (required)
  • Input: AWS_REGION (required; the serial console setting is regional, not global, so each region is evaluated separately)
  • Input: EVIDENCE_MODE (summary|full, default summary)
  • Input: TIMEOUT_SECONDS (default 30)
  • Output: status = compliant|non_compliant|error for AWS EC2 serial console access without account-level disablement.
  • Output: postcondition = ControlFailure when non_compliant.
  • Output: risk_level default medium and noise_class default low.
  • Output: detection_surface includes CloudTrail (EnableSerialConsoleAccess/DisableSerialConsoleAccess for changes to the setting, GetSerialConsoleAccessStatus for the check itself, and ec2-instance-connect SendSerialConsoleSSHPublicKey for sessions) and GuardDuty. Serial console sessions do not traverse the VPC, so VPC Flow Logs do not observe them and are not part of this control's detection surface.
  • Output: evidence with normalized fields (resource_id, expected_state, observed_state, source_api).

Dependencies
Protocol stack or subsystem dependencies.

  • AWS authentication chain with read-only EC2 permissions.
  • AWS SDK EC2 client; the only call needed is ec2:GetSerialConsoleAccessStatus (no SSM client is required for this control).
  • Normalization of the SerialConsoleAccessEnabled boolean into the expected/observed-state evidence fields.
  • Shared validation core for deterministic comparison and stable finding IDs.

Tests Required

  • Unit tests: parser and evaluator tests for AWS EC2 serial console access without account-level disablement expected/observed-state logic, including compliant and non-compliant fixtures.
  • Integration tests: provider/target-backed read-only check proving deterministic results across repeated runs with identical input state.
  • Compliance vectors: at minimum one pass vector, one fail vector, and one error vector for missing permissions or missing resource.
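The following is an added example of what the evaluator and its pass/fail/error vectors could look like; it is illustrative code written for this issue, not the registry's own module or its shared validation core. It keeps the field names from Manifest Details above, calls only ec2:GetSerialConsoleAccessStatus in the live path, and exercises the three compliance vectors against constructed fixtures. The finding-ID scheme (SHA-256 over control, account and region) and the resource_id format are assumptions of this example.

```python
"""Added example: read-only evaluator for the EC2 serial console access control.

Illustrative code for this issue, not the registry's module. The result
layout follows the Manifest Details fields; the finding-ID scheme and the
resource_id format are assumptions of this example.
"""
import hashlib
from typing import Any, Dict, Optional

CONTROL = "aws_ec2_serial_console_access_without_account_level_disablement"
SOURCE_API = "ec2:GetSerialConsoleAccessStatus"
EXPECTED_STATE = {"SerialConsoleAccessEnabled": False}


def finding_id(account_id: str, region: str) -> str:
    """Stable ID: the same control, account and region always hash the same."""
    key = f"{CONTROL}:{account_id}:{region}".encode()
    return hashlib.sha256(key).hexdigest()[:16]


def evaluate(account_id: str, region: str,
             response: Optional[Dict[str, Any]] = None,
             error: Optional[str] = None) -> Dict[str, Any]:
    """Turn one GetSerialConsoleAccessStatus response (or an API error) into
    the planner-ready finding. Pure function: no I/O, so it is deterministic."""
    result: Dict[str, Any] = {
        "control": CONTROL,
        "finding_id": finding_id(account_id, region),
        "risk_level": "medium",
        "noise_class": "low",
        # Serial console sessions bypass the VPC, so VPC Flow Logs are not listed.
        "detection_surface": ["CloudTrail", "GuardDuty"],
        "evidence": {
            # resource_id format is an assumption of this example.
            "resource_id": f"{account_id}:{region}:serial-console-access",
            "expected_state": EXPECTED_STATE,
            "observed_state": None,
            "source_api": SOURCE_API,
        },
        "postcondition": None,
    }
    if error is not None or response is None:
        result["status"] = "error"
        result["error"] = error or "no response from API"
        return result
    enabled = response.get("SerialConsoleAccessEnabled")
    if not isinstance(enabled, bool):
        result["status"] = "error"
        result["error"] = "SerialConsoleAccessEnabled missing or not boolean"
        return result
    result["evidence"]["observed_state"] = {"SerialConsoleAccessEnabled": enabled}
    if enabled:
        # Account-level disablement is absent: the control has failed.
        result["status"] = "non_compliant"
        result["postcondition"] = "ControlFailure"
    else:
        result["status"] = "compliant"
    return result


def run(account_id: str, region: str, timeout_seconds: int = 30) -> Dict[str, Any]:
    """Live, read-only check: only ec2:GetSerialConsoleAccessStatus is called.
    Needs boto3 and credentials from the normal AWS authentication chain."""
    import boto3
    from botocore.config import Config
    from botocore.exceptions import BotoCoreError, ClientError

    cfg = Config(connect_timeout=timeout_seconds, read_timeout=timeout_seconds,
                 retries={"max_attempts": 2})
    client = boto3.client("ec2", region_name=region, config=cfg)
    try:
        response = client.get_serial_console_access_status()
    except ClientError as exc:  # e.g. UnauthorizedOperation -> error vector
        return evaluate(account_id, region, error=exc.response["Error"]["Code"])
    except BotoCoreError as exc:  # timeouts, endpoint resolution failures
        return evaluate(account_id, region, error=type(exc).__name__)
    return evaluate(account_id, region, response)


# Constructed fixtures standing in for the pass and fail compliance vectors.
FIXTURES = {
    "pass": {"SerialConsoleAccessEnabled": False},
    "fail": {"SerialConsoleAccessEnabled": True},
}

if __name__ == "__main__":
    acct, region = "123456789012", "us-east-1"  # constructed sample inputs
    for name, fixture in FIXTURES.items():
        print(name, evaluate(acct, region, fixture)["status"])
    print("error", evaluate(acct, region, error="UnauthorizedOperation")["status"])
```

Splitting the pure `evaluate` from the I/O in `run` is what makes the determinism requirement testable: the unit tests and compliance vectors feed fixture dicts straight into `evaluate`, and the integration test is the only place that needs credentials.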

Performance Expectations
Any latency, throughput, or memory expectations. A single account/region evaluation should complete with p95 <= 2s, a batched scan of 100 account/region pairs <= 60s, memory <= 128 MB, and no write-side API calls (in particular, never EnableSerialConsoleAccess or DisableSerialConsoleAccess).

Acceptance Criteria
Clear, testable outcomes that confirm completion.

  • Module exists at registry/auxiliary/validation/aws/ec2/aws_ec2_serial_console_access_without_account_level_disablement with valid manifest and entrypoint.
  • Running the module against a known failing fixture reports non_compliant for AWS EC2 serial console access without account-level disablement and emits ControlFailure.
  • Running the module against a known compliant fixture reports compliant with no side effects.
  • Risk/noise/detection metadata are emitted in machine-readable output for planner integration.
  • Integration and compliance vector tests pass in CI.
