From 65c63d5bdde85bcb4f4ac3adf948fa8f5bb7862a Mon Sep 17 00:00:00 2001 From: dlpzx Date: Tue, 3 Nov 2020 19:18:40 +0100 Subject: [PATCH 01/21] checks for glue - 7119,7121,7123,7124. 7125 not done yet --- checks/check_extra7119 | 53 ++++++++++++++++++++++++++++++++++++++++++ checks/check_extra7121 | 51 ++++++++++++++++++++++++++++++++++++++++ checks/check_extra7123 | 51 ++++++++++++++++++++++++++++++++++++++++ checks/check_extra7124 | 51 ++++++++++++++++++++++++++++++++++++++++ checks/check_extra7125 | 51 ++++++++++++++++++++++++++++++++++++++++ 5 files changed, 257 insertions(+) create mode 100644 checks/check_extra7119 create mode 100644 checks/check_extra7121 create mode 100644 checks/check_extra7123 create mode 100644 checks/check_extra7124 create mode 100644 checks/check_extra7125 diff --git a/checks/check_extra7119 b/checks/check_extra7119 new file mode 100644 index 00000000..78919000 --- /dev/null +++ b/checks/check_extra7119 
@@ -0,0 +1,53 @@ +#!/usr/bin/env bash + +# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may not +# use this file except in compliance with the License. You may obtain a copy +# of the License at http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed +# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +# CONDITIONS OF ANY KIND, either express or implied. See the License for the +# specific language governing permissions and limitations under the License. + +# Remediation: +# +# https://www.cloudconformity.com/knowledge-base/aws/RDS/instance-deletion-protection.html +# https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html +# +# aws rds modify-db-instance \ +# --region us-east-1 \ +# --db-instance-identifier test-db \ +# --deletion-protection \ +# [--apply-immediately | --no-apply-immediately] + +CHECK_ID_extra7119="7.119" +CHECK_TITLE_extra7119="[extra7119] Security configurations used by ETL Development endpoints must have S3 encryption enabled." +CHECK_SCORED_extra7119="NOT_SCORED" +CHECK_TYPE_extra7119="EXTRA" +CHECK_SEVERITY_extra7119="Medium" +CHECK_ASFF_RESOURCE_TYPE_extra7119="AwsGlue" +CHECK_ALTERNATE_check7119="extra7119" + +extra7119(){ + textInfo "Looking for Development Endpoints in all regions... 
" + for regx in $REGIONS; do + LIST_GLUE_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].SecurityConfiguration' --output text) + if [[ $LIST_GLUE_SC ]]; then + for sc in $(echo '${LIST_GLUE_SC}'| jq -r '.[] | @base64');do + textInfo "$ENDPOINT_SECURITY" + ENDPOINT_SC_ENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx glue get-security-configurations $sc --query 'SecurityConfiguration.EncryptionConfiguration.S3Encryption.S3EncryptionMode' --output text) + if [[ENDPOINT_SC_ENCRYPTION == "DISABLED" ]]; then + textFail "$regx: Development Endpoint Security Configuration $sc has S3 encryption not enabled!" "$regx" + else + textPass "$regx: Development Endpoint Security Configuration $sc has S3 encryption enabled" "$regx" + fi + done + else + textInfo "$regx: No Security Configuration found" "$regx" + fi + done +} + + diff --git a/checks/check_extra7121 b/checks/check_extra7121 new file mode 100644 index 00000000..ba7d77c2 --- /dev/null +++ b/checks/check_extra7121 
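Review bot: The security-configuration loop in extra7119 never runs: `'${LIST_GLUE_SC}'` is single-quoted, so jq receives the literal text `${LIST_GLUE_SC}` instead of the list, and the list itself was requested with `--output text`, which jq cannot parse, so the command substitution expands to nothing and no textPass/textFail is ever emitted. Even if it ran, `[[ENDPOINT_SC_ENCRYPTION == "DISABLED" ]]` is missing both the space after `[[` and the `$`, so bash looks for a command named `[[ENDPOINT_SC_ENCRYPTION`, fails, and every endpoint falls into the textPass branch; `get-security-configurations $sc` is also the list call, the per-name call being `get-security-configuration --name`. Request the list with `--output json`, iterate `for sc in $(echo "${LIST_GLUE_SC}" | jq -r '.[] // empty'); do`, fetch with `$AWSCLI glue get-security-configuration --name "$sc" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.S3Encryption[0].S3EncryptionMode' --output text`, and test `if [[ "$ENDPOINT_SC_ENCRYPTION" == "DISABLED" ]]; then`. The same three defects are in the extra7121, extra7123, extra7124 and extra7125 hunks of this patch, and `$ENDPOINT_SECURITY` printed by textInfo is not assigned anywhere in the hunk. The Remediation block at the top of the file is copied from an RDS deletion-protection check and does not apply to Glue security configurations.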
@@ -0,0 +1,51 @@ +#!/usr/bin/env bash + +# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may not +# use this file except in compliance with the License. You may obtain a copy +# of the License at http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed +# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +# CONDITIONS OF ANY KIND, either express or implied. See the License for the +# specific language governing permissions and limitations under the License. + +# Remediation: +# +# https://www.cloudconformity.com/knowledge-base/aws/RDS/instance-deletion-protection.html +# https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html +# +# aws rds modify-db-instance \ +# --region us-east-1 \ +# --db-instance-identifier test-db \ +# --deletion-protection \ +# [--apply-immediately | --no-apply-immediately] + +CHECK_ID_extra7121="7.121" +CHECK_TITLE_extra7121="[extra7121] Security configurations used by ETL Development endpoints must have CloudWatch logs encryption enabled." +CHECK_SCORED_extra7121="NOT_SCORED" +CHECK_TYPE_extra7121="EXTRA" +CHECK_SEVERITY_extra7121="Medium" +CHECK_ASFF_RESOURCE_TYPE_extra7121="AwsGlue" +CHECK_ALTERNATE_check7121="extra7121" + +extra7121(){ + textInfo "Looking for Development Endpoints in all regions... 
" + for regx in $REGIONS; do + LIST_GLUE_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].SecurityConfiguration' --output text) + if [[ $LIST_GLUE_SC ]]; then + for sc in $(echo '${LIST_GLUE_SC}'| jq -r '.[] | @base64');do + textInfo "$ENDPOINT_SECURITY" + ENDPOINT_SC_ENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx glue get-security-configurations $sc --query 'SecurityConfiguration.EncryptionConfiguration.CloudWatchEncryption.CloudWatchEncryptionMode' --output text) + if [[ENDPOINT_SC_ENCRYPTION == "DISABLED" ]]; then + textFail "$regx: Development Endpoint Security Configuration $sc has CloudWatch logs encryption not enabled!" "$regx" + else + textPass "$regx: Development Endpoint Security Configuration $sc has CloudWatch logs encryption enabled" "$regx" + fi + done + else + textInfo "$regx: No Security Configuration found" "$regx" + fi + done +} diff --git a/checks/check_extra7123 b/checks/check_extra7123 new file mode 100644 index 00000000..ab2032f6 --- /dev/null +++ b/checks/check_extra7123 
@@ -0,0 +1,51 @@ +#!/usr/bin/env bash + +# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may not +# use this file except in compliance with the License. You may obtain a copy +# of the License at http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed +# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +# CONDITIONS OF ANY KIND, either express or implied. See the License for the +# specific language governing permissions and limitations under the License. + +# Remediation: +# +# https://www.cloudconformity.com/knowledge-base/aws/RDS/instance-deletion-protection.html +# https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html +# +# aws rds modify-db-instance \ +# --region us-east-1 \ +# --db-instance-identifier test-db \ +# --deletion-protection \ +# [--apply-immediately | --no-apply-immediately] + +CHECK_ID_extra7123="7.123" +CHECK_TITLE_extra7123="[extra7123] Security configurations used by ETL Development endpoints must have Job bookmark encryption enabled." +CHECK_SCORED_extra7123="NOT_SCORED" +CHECK_TYPE_extra7123="EXTRA" +CHECK_SEVERITY_extra7123="Medium" +CHECK_ASFF_RESOURCE_TYPE_extra7123="AwsGlue" +CHECK_ALTERNATE_check7123="extra7123" + +extra7123(){ + textInfo "Looking for Development Endpoints in all regions... 
" + for regx in $REGIONS; do + LIST_GLUE_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].SecurityConfiguration' --output text) + if [[ $LIST_GLUE_SC ]]; then + for sc in $(echo '${LIST_GLUE_SC}'| jq -r '.[] | @base64');do + textInfo "$ENDPOINT_SECURITY" + ENDPOINT_SC_ENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx glue get-security-configurations $sc --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode' --output text) + if [[ENDPOINT_SC_ENCRYPTION == "DISABLED" ]]; then + textFail "$regx: Development Endpoint Security Configuration $sc has bookmark encryption not enabled!" "$regx" + else + textPass "$regx: Development EndpointSecurity Configuration $sc has bookmark encryption enabled" "$regx" + fi + done + else + textInfo "$regx: No Security Configuration found" "$regx" + fi + done +} diff --git a/checks/check_extra7124 b/checks/check_extra7124 new file mode 100644 index 00000000..6a85ba75 --- /dev/null +++ b/checks/check_extra7124 
@@ -0,0 +1,51 @@ +#!/usr/bin/env bash + +# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may not +# use this file except in compliance with the License. You may obtain a copy +# of the License at http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed +# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +# CONDITIONS OF ANY KIND, either express or implied. See the License for the +# specific language governing permissions and limitations under the License. + +# Remediation: +# +# https://www.cloudconformity.com/knowledge-base/aws/RDS/instance-deletion-protection.html +# https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html +# +# aws rds modify-db-instance \ +# --region us-east-1 \ +# --db-instance-identifier test-db \ +# --deletion-protection \ +# [--apply-immediately | --no-apply-immediately] + +CHECK_ID_extra7124="7.124" +CHECK_TITLE_extra7124="[extra7124] ETL Job Server-side encryption (Enables Amazon S3-managed encryption of the data at the target (SSE-S3) must be enabled." +CHECK_SCORED_extra7124="NOT_SCORED" +CHECK_TYPE_extra7124="EXTRA" +CHECK_SEVERITY_extra7124="Medium" +CHECK_ASFF_RESOURCE_TYPE_extra7124="AwsGlue" +CHECK_ALTERNATE_check7124="extra7124" + +extra7124(){ + textInfo "Looking for ETL Jobs in all regions... 
" + for regx in $REGIONS; do + LIST_GLUE_SC=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --query 'Jobs[*].SecurityConfiguration'--output text) + if [[ $LIST_GLUE_SC ]]; then + for sc in $(echo '${LIST_GLUE_SC}'| jq -r '.[] | @base64');do + textInfo "$ENDPOINT_SECURITY" + ENDPOINT_SC_ENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx glue get-security-configurations $sc --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode' --output text) + if [[ENDPOINT_SC_ENCRYPTION == "SSE-S3" ]]; then + textFail "$regx: ETL Job Security Configuration $sc has (SSE-S3) encryption enabled" "$regx" + else + textPass "$regx: ETL Job Security Configuration $sc has (SSE-S3) encryption is not enabled!" "$regx" + fi + done + else + textInfo "$regx: No ETL Development endpoints found" "$regx" + fi + done +} \ No newline at end of file diff --git a/checks/check_extra7125 b/checks/check_extra7125 new file mode 100644 index 00000000..5ad80d83 --- /dev/null +++ b/checks/check_extra7125 
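Review bot: The verdict in extra7124 is inverted: an encryption mode of `SSE-S3` lands in textFail with the message `encryption enabled`, and every other value lands in textPass with `is not enabled!`, so a compliant job is reported as a finding and a non-compliant one as a pass. The `--query` also reads `JobBookmarksEncryption.JobBookmarksEncryptionMode`, the job-bookmark setting, while the title is about S3 server-side encryption, and `'Jobs[*].SecurityConfiguration'--output text` lacks the space before `--output`, so the CLI receives one malformed argument. I would query `SecurityConfiguration.EncryptionConfiguration.S3Encryption[0].S3EncryptionMode` and swap the two branches so textPass is emitted for `SSE-S3` and textFail otherwise. The quoting and `[[` defects noted on the extra7119 hunk apply here as well.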
@@ -0,0 +1,51 @@ +#!/usr/bin/env bash + +# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may not +# use this file except in compliance with the License. You may obtain a copy +# of the License at http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed +# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +# CONDITIONS OF ANY KIND, either express or implied. See the License for the +# specific language governing permissions and limitations under the License. + +# Remediation: +# +# https://www.cloudconformity.com/knowledge-base/aws/RDS/instance-deletion-protection.html +# https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html +# +# aws rds modify-db-instance \ +# --region us-east-1 \ +# --db-instance-identifier test-db \ +# --deletion-protection \ +# [--apply-immediately | --no-apply-immediately] + +CHECK_ID_extra7125="7.125" +CHECK_TITLE_extra7125="[extra7125] AWS Glue must be used with VPC Endpoints." +CHECK_SCORED_extra7125="NOT_SCORED" +CHECK_TYPE_extra7125="EXTRA" +CHECK_SEVERITY_extra7125="Medium" +CHECK_ASFF_RESOURCE_TYPE_extra7125="AwsGlue" +CHECK_ALTERNATE_check7125="extra7125" + +extra7125(){ + textInfo "Looking for Development Endpoints in all regions... 
" + for regx in $REGIONS; do + LIST_GLUE_SC=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --query 'Jobs[*].SecurityConfiguration'--output text) + if [[ $LIST_GLUE_SC ]]; then + for sc in $(echo '${LIST_GLUE_SC}'| jq -r '.[] | @base64');do + textInfo "$ENDPOINT_SECURITY" + ENDPOINT_SC_ENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx glue get-security-configurations $sc --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode' --output text) + if [[ENDPOINT_SC_ENCRYPTION == "SSE-S3" ]]; then + textFail "$regx: ETL Job Security Configuration $sc has (SSE-S3) encryption enabled" "$regx" + else + textPass "$regx: ETL Job Security Configuration $sc has (SSE-S3) encryption is not enabled!" "$regx" + fi + done + else + textInfo "$regx: No ETL Development endpoints found" "$regx" + fi + done +} \ No newline at end of file From 954848c6e89671418339df440b8665d43e2b20b4 Mon Sep 17 00:00:00 2001 From: Ramon Diez Date: Wed, 4 Nov 2020 10:44:43 +0100 Subject: [PATCH 02/21] Glue checks part 1 --- checks/check_extra7115 | 38 ++++++++++++++++++++++++++++++++++ checks/check_extra7116 | 30 +++++++++++++++++++++++++++ checks/check_extra7117 | 30 +++++++++++++++++++++++++++ checks/check_extra7118 | 46 ++++++++++++++++++++++++++++++++++++++++++ checks/check_extra7120 | 43 +++++++++++++++++++++++++++++++++++++++ checks/check_extra7122 | 43 +++++++++++++++++++++++++++++++++++++++ groups/group23_glue | 19 +++++++++++++++++ 7 files changed, 249 insertions(+) create mode 100644 checks/check_extra7115 create mode 100644 checks/check_extra7116 create mode 100644 checks/check_extra7117 create mode 100644 checks/check_extra7118 create mode 100644 checks/check_extra7120 create mode 100644 checks/check_extra7122 create mode 100644 groups/group23_glue diff --git a/checks/check_extra7115 b/checks/check_extra7115 new file mode 100644 index 00000000..52f0f64b --- /dev/null +++ b/checks/check_extra7115 
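Review bot: The body of extra7125 does not implement its title: it is a copy of the extra7124 job loop (same `get-jobs` call, same `JobBookmarksEncryptionMode` query, same inverted `SSE-S3` branches and `No ETL Development endpoints found` message), so nothing about VPC endpoints is ever examined while `CHECK_TITLE_extra7125` announces a VPC-endpoint check. Since the patch subject says 7125 is not done, I would either leave the file out of this patch or reduce the function to a single `textInfo "$regx: extra7125 not implemented yet" "$regx"` until the real logic lands, so the check cannot emit a textPass for a property it never reads. The quoting and `[[` defects noted on the extra7119 hunk apply here too.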
@@ -0,0 +1,38 @@ +#!/usr/bin/env bash + +# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may not +# use this file except in compliance with the License. You may obtain a copy +# of the License at http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed +# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +# CONDITIONS OF ANY KIND, either express or implied. See the License for the +# specific language governing permissions and limitations under the License. +CHECK_ID_extra7115="7.115" +CHECK_TITLE_extra7115="[extra7115] Check if Glue Database connection must have SSL connection enabled. (Not Scored) (Not part of CIS benchmark)" +CHECK_SCORED_extra7115="NOT_SCORED" +CHECK_TYPE_extra7115="EXTRA" +CHECK_SEVERITY_extra7115="Medium" +CHECK_ASFF_RESOURCE_TYPE_extra7115="AwsGlue" +CHECK_ALTERNATE_check7115="extra7115" + +extra7115(){ + for regx in $REGIONS; do + CONNECTION_LIST=$($AWSCLI glue get-connections $PROFILE_OPT --region $regx --output json --query 'ConnectionList[*].{Name:Name,SSL:ConnectionProperties.JDBC_ENFORCE_SSL}') + if [[ ! -z "$CONNECTION_LIST" ]]; then + for connection in $(echo "${CONNECTION_LIST}" | jq -r '.[] | @base64'); do + CONNECTION_NAME=$(echo $connection | base64 --decode | jq -r '.Name' ) + CONNECTION_SSL_STATE=$(echo $connection | base64 --decode | jq -r '.SSL') + if [[ "$CONNECTION_SSL_STATE" == "false" ]]; then + textFail "$regx: Connection $CONNECTION_NAME has SSL connection disabled" "$regx" + else + textInfo "$regx: Connection $CONNECTION_NAME has SSL connection enabled" "$regx" + fi + done + else + textInfo "$regx: There are no connections" "$regx" + fi + done +} diff --git a/checks/check_extra7116 b/checks/check_extra7116 new file mode 100644 index 00000000..a789a8c2 --- /dev/null +++ b/checks/check_extra7116 
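Review bot: `.SSL` is `null` whenever a connection has no `JDBC_ENFORCE_SSL` property, and `null` is not `"false"`, so such a connection is reported as `has SSL connection enabled` — a false negative for any JDBC connection where the property was simply never set. Compare for the positive case and keep the unknown case separate: `if [[ "$CONNECTION_SSL_STATE" == "true" ]]; then textPass …; elif [[ "$CONNECTION_SSL_STATE" == "null" ]]; then textInfo "$regx: Connection $CONNECTION_NAME has no JDBC_ENFORCE_SSL property" "$regx"; else textFail …; fi`. A region with no connections yields `[]` from `--output json`, which is non-empty, so `[[ ! -z "$CONNECTION_LIST" ]]` is true and `There are no connections` never prints; testing with `jq -e 'length > 0'` (or comparing against `[]`) fixes that, and the same pattern is in the extra7118, extra7120 and extra7122 hunks. The compliant branch uses textInfo where the extra7119–extra7125 checks in this series use textPass.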
@@ -0,0 +1,30 @@ +#!/usr/bin/env bash + +# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may not +# use this file except in compliance with the License. You may obtain a copy +# of the License at http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed +# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +# CONDITIONS OF ANY KIND, either express or implied. See the License for the +# specific language governing permissions and limitations under the License. +CHECK_ID_extra7116="7.116" +CHECK_TITLE_extra7116="[extra7116] Check if Data catalog settings must have metadata encryption enabled. (Not Scored) (Not part of CIS benchmark)" +CHECK_SCORED_extra7116="NOT_SCORED" +CHECK_TYPE_extra7116="EXTRA" +CHECK_SEVERITY_extra7116="Medium" +CHECK_ASFF_RESOURCE_TYPE_extra7116="AwsGlue" +CHECK_ALTERNATE_check7116="extra7116" + +extra7116(){ + for regx in $REGIONS; do + METADATA_ENCRYPTED=$($AWSCLI glue get-data-catalog-encryption-settings $PROFILE_OPT --region $regx --output text --query "DataCatalogEncryptionSettings.EncryptionAtRest.CatalogEncryptionMode") + if [[ "$METADATA_ENCRYPTED" == "DISABLED" ]]; then + textFail "$regx: Glue Catalog is not encrypted" "$regx" + else + textInfo "$regx:Glue catalog is encrypted with $METADATA_ENCRYPTED" "$regx" + fi + done +} diff --git a/checks/check_extra7117 b/checks/check_extra7117 new file mode 100644 index 00000000..ac195606 --- /dev/null +++ b/checks/check_extra7117 
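Review bot: An empty `METADATA_ENCRYPTED` (the CLI call failed, e.g. missing permission or an unsupported region) is not `DISABLED`, so it falls into the `is encrypted with ` branch and reports a pass with nothing after `with`. Guard the empty case separately: `if [[ -z "$METADATA_ENCRYPTED" ]]; then textInfo "$regx: could not read Data Catalog encryption settings" "$regx"; elif [[ "$METADATA_ENCRYPTED" == "DISABLED" ]]; then textFail …; else textPass …; fi`; the extra7117 hunk has the same gap with its `False` comparison. The compliant branch should be textPass rather than textInfo, and `"$regx:Glue catalog` is missing a space after the colon.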
@@ -0,0 +1,30 @@ +#!/usr/bin/env bash + +# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may not +# use this file except in compliance with the License. You may obtain a copy +# of the License at http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed +# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +# CONDITIONS OF ANY KIND, either express or implied. See the License for the +# specific language governing permissions and limitations under the License. +CHECK_ID_extra7117="7.117" +CHECK_TITLE_extra7117="[extra7117] Check if Data catalog settings must have Encrypt connection password enabled. (Not Scored) (Not part of CIS benchmark)" +CHECK_SCORED_extra7117="NOT_SCORED" +CHECK_TYPE_extra7117="EXTRA" +CHECK_SEVERITY_extra7117="Medium" +CHECK_ASFF_RESOURCE_TYPE_extra7117="AwsGlue" +CHECK_ALTERNATE_check7117="extra7117" + +extra7117(){ + for regx in $REGIONS; do + METADATA_ENCRYPTED=$($AWSCLI glue get-data-catalog-encryption-settings $PROFILE_OPT --region $regx --output text --query "DataCatalogEncryptionSettings.ConnectionPasswordEncryption.ReturnConnectionPasswordEncrypted") + if [[ "$METADATA_ENCRYPTED" == "False" ]]; then + textFail "$regx: Glue Catalog connection password is not encrypted" "$regx" + else + textInfo "$regx:Glue catalog connection password is encrypted" "$regx" + fi + done +} diff --git a/checks/check_extra7118 b/checks/check_extra7118 new file mode 100644 index 00000000..3cc70617 --- /dev/null +++ b/checks/check_extra7118 
@@ -0,0 +1,46 @@ +#!/usr/bin/env bash + +# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may not +# use this file except in compliance with the License. You may obtain a copy +# of the License at http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed +# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +# CONDITIONS OF ANY KIND, either express or implied. See the License for the +# specific language governing permissions and limitations under the License. +CHECK_ID_extra7118="7.117" +CHECK_TITLE_extra7118="[extra7118] Check if Security configurations used by ETL Jobs have S3 encryption enabled. (Not Scored) (Not part of CIS benchmark)" +CHECK_SCORED_extra7118="NOT_SCORED" +CHECK_TYPE_extra7118="EXTRA" +CHECK_SEVERITY_extra7118="Medium" +CHECK_ASFF_RESOURCE_TYPE_extra7118="AwsGlue" +CHECK_ALTERNATE_check7118="extra7118" + +extra7118(){ + for regx in $REGIONS; do + JOB_LIST=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --output json --query 'Jobs[*].{Name:Name,SecurityConfiguration:SecurityConfiguration,JobEncryption:DefaultArguments."--encryption-type"}') + if [[ ! -z "$JOB_LIST" ]]; then + for job in $(echo "${JOB_LIST}" | jq -r '.[] | @base64'); do + JOB_NAME=$(echo $job | base64 --decode | jq -r '.Name') + SECURITY_CONFIGURATION=$(echo $job | base64 --decode | jq -r '.SecurityConfiguration // empty') + JOB_ENCRYPTION=$(echo $job | base64 --decode | jq -r '.JobEncryption // empty') + if [[ ! 
-z "$SECURITY_CONFIGURATION" ]]; then + S3_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${SECURITY_CONFIGURATION}" $PROFILE_OPT --region $regx --output text --query 'SecurityConfiguration.EncryptionConfiguration.S3Encryption[0].S3EncryptionMode') + if [[ "$S3_ENCRYPTION" == "DISABLED" ]]; then + textFail "$regx: Job $JOB_NAME does not have S3 encryption enabled" "$regx" + else + textInfo "$regx: Job $JOB_NAME does have $S3_ENCRYPTION S3 encryption enabled" "$regx" + fi + elif [[ ! -z "$JOB_ENCRYPTION" ]]; then + textInfo "$regx: Job $JOB_NAME does have $JOB_ENCRYPTION S3 encryption enabled" "$regx" + else + textFail "$regx: Job $JOB_NAME does not have S3 encryption enabled" "$regx" + fi + done + else + textInfo "$regx: There are no jobs" "$regx" + fi + done +} \ No newline at end of file diff --git a/checks/check_extra7120 b/checks/check_extra7120 new file mode 100644 index 00000000..c2782e5f --- /dev/null +++ b/checks/check_extra7120 
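Review bot: `CHECK_ID_extra7118` is set to `7.117`, which collides with extra7117; the same copy-paste value appears in the extra7120 and extra7122 hunks, so three checks would share one ID (should be `7.118`, `7.120` and `7.122`). In the security-configuration branch an empty `S3_ENCRYPTION` (lookup failed, or the named configuration no longer exists) is not `DISABLED` and is reported as `does have  S3 encryption enabled`; treat the empty value as its own textInfo case rather than letting it reach the pass branch, and `CLOUDWATCH_ENCRYPTION` in extra7120 and `JOB_BOOKMARK_ENCRYPTION` in extra7122 need the same guard. The `elif` branch accepts any non-empty `--encryption-type` default argument as `S3 encryption enabled` without looking at its value, which is worth a comment or a value check. The compliant branches here use textInfo where the rest of the series uses textPass.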
@@ -0,0 +1,43 @@ +#!/usr/bin/env bash + +# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may not +# use this file except in compliance with the License. You may obtain a copy +# of the License at http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed +# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +# CONDITIONS OF ANY KIND, either express or implied. See the License for the +# specific language governing permissions and limitations under the License. +CHECK_ID_extra7120="7.117" +CHECK_TITLE_extra7120="[extra7120] Check if Security configurations used by ETL Jobs have CloudWatch logs encryption enabled. (Not Scored) (Not part of CIS benchmark)" +CHECK_SCORED_extra7120="NOT_SCORED" +CHECK_TYPE_extra7120="EXTRA" +CHECK_SEVERITY_extra7120="Medium" +CHECK_ASFF_RESOURCE_TYPE_extra7120="AwsGlue" +CHECK_ALTERNATE_check7120="extra7120" + +extra7120(){ + for regx in $REGIONS; do + JOB_LIST=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --output json --query 'Jobs[*].{Name:Name,SecurityConfiguration:SecurityConfiguration}') + if [[ ! -z "$JOB_LIST" ]]; then + for job in $(echo "${JOB_LIST}" | jq -r '.[] | @base64'); do + JOB_NAME=$(echo $job | base64 --decode | jq -r '.Name') + SECURITY_CONFIGURATION=$(echo $job | base64 --decode | jq -r '.SecurityConfiguration // empty') + if [[ ! 
-z "$SECURITY_CONFIGURATION" ]]; then + CLOUDWATCH_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${SECURITY_CONFIGURATION}" $PROFILE_OPT --region $regx --output text --query 'SecurityConfiguration.EncryptionConfiguration.CloudWatchEncryption.CloudWatchEncryptionMode') + if [[ "$CLOUDWATCH_ENCRYPTION" == "DISABLED" ]]; then + textFail "$regx: Job $JOB_NAME does not have CloudWatch logs encryption enabled" "$regx" + else + textInfo "$regx: Job $JOB_NAME does have $CLOUDWATCH_ENCRYPTION CloudWatch logs encryption enabled" "$regx" + fi + else + textFail "$regx: Job $JOB_NAME does not have CloudWatch logs encryption enabled" "$regx" + fi + done + else + textInfo "$regx: There are no jobs" "$regx" + fi + done +} \ No newline at end of file diff --git a/checks/check_extra7122 b/checks/check_extra7122 new file mode 100644 index 00000000..0ef7bc9d --- /dev/null +++ b/checks/check_extra7122 
@@ -0,0 +1,43 @@ +#!/usr/bin/env bash + +# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may not +# use this file except in compliance with the License. You may obtain a copy +# of the License at http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed +# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +# CONDITIONS OF ANY KIND, either express or implied. See the License for the +# specific language governing permissions and limitations under the License. +CHECK_ID_extra7122="7.117" +CHECK_TITLE_extra7122="[extra7122] Check if Security configurations used by ETL Jobs have Job bookmark encryption enabled. (Not Scored) (Not part of CIS benchmark)" +CHECK_SCORED_extra7122="NOT_SCORED" +CHECK_TYPE_extra7122="EXTRA" +CHECK_SEVERITY_extra7122="Medium" +CHECK_ASFF_RESOURCE_TYPE_extra7122="AwsGlue" +CHECK_ALTERNATE_check7122="extra7122" + +extra7122(){ + for regx in $REGIONS; do + JOB_LIST=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --output json --query 'Jobs[*].{Name:Name,SecurityConfiguration:SecurityConfiguration}') + if [[ $JOB_LIST ]]; then + for job in $(echo "${JOB_LIST}" | jq -r '.[] | @base64'); do + JOB_NAME=$(echo $job | base64 --decode | jq -r '.Name') + SECURITY_CONFIGURATION=$(echo $job | base64 --decode | jq -r '.SecurityConfiguration // empty') + if [[ ! 
-z "$SECURITY_CONFIGURATION" ]]; then + JOB_BOOKMARK_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${SECURITY_CONFIGURATION}" $PROFILE_OPT --region $regx --output text --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode') + if [[ "$JOB_BOOKMARK_ENCRYPTION" == "DISABLED" ]]; then + textFail "$regx: Job $JOB_NAME does not have Job bookmark encryption enabled" "$regx" + else + textInfo "$regx: Job $JOB_NAME does have $JOB_BOOKMARK_ENCRYPTION Job bookmark encryption enabled" "$regx" + fi + else + textFail "$regx: Job $JOB_NAME does not have Job bookmark encryption enabled" "$regx" + fi + done + else + textInfo "$regx: There are no jobs" "$regx" + fi + done +} \ No newline at end of file diff --git a/groups/group23_glue b/groups/group23_glue new file mode 100644 index 00000000..61bb8718 --- /dev/null +++ b/groups/group23_glue @@ -0,0 +1,19 @@ +#!/usr/bin/env bash + +# Prowler - the handy cloud security tool (copyright 2222) by Toni de la Fuente +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may not +# use this file except in compliance with the License. You may obtain a copy +# of the License at http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed +# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +# CONDITIONS OF ANY KIND, either express or implied. See the License for the +# specific language governing permissions and limitations under the License. + +GROUP_ID[23]='glue' +GROUP_NUMBER[23]='23.0' +GROUP_TITLE[23]='Amazon Glue related security checks - [glue] ********' +GROUP_RUN_BY_DEFAULT[23]='N' # run it when execute_all is called +GROUP_CHECKS[23]='extra7115,extra7116,extra7117,extra7118,extra7120,extra7122' + From e0a8e0f31840a4ed827d62985de5bfcc75bc5c65 Mon Sep 17 00:00:00 2001 
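Review bot: `if [[ $JOB_LIST ]]; then` differs from the `[[ ! -z "$JOB_LIST" ]]` form that extra7118 and extra7120 use for the same variable; both are true for the `[]` that `--output json` returns in an empty region, but the unquoted form should at least be aligned with its siblings, `if [[ -n "$JOB_LIST" ]]; then`. extra7122 is otherwise a copy of extra7120 with the query and messages changed, so whatever fix lands for the empty-result and empty-value handling there should be mirrored here.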
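Review bot: `GROUP_CHECKS[23]` lists only extra7115–extra7118, extra7120 and extra7122, so the extra7119, extra7121, extra7123, extra7124 and extra7125 checks added in PATCH 01 are never run through the group; if that is deliberate while they are unfinished, a `# TODO: add extra7119,extra7121,extra7123,extra7124,extra7125 once reviewed` comment on that line would make it explicit. The header reads `copyright 2222` where every other file in the series says 2018, and `GROUP_TITLE[23]` says `Amazon Glue` while the check titles in this series say `AWS Glue`.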
From: dlpzx Date: Mon, 9 Nov 2020 18:48:11 +0100 Subject: [PATCH 03/21] checks for glue - 7119, 7121, 7123,7124,7125 --- checks/check_extra7119 | 2 +- checks/check_extra7121 | 2 +- checks/check_extra7123 | 2 +- checks/check_extra7124 | 2 +- checks/check_extra7125 | 16 +++++++--------- 5 files changed, 11 insertions(+), 13 deletions(-) diff --git a/checks/check_extra7119 b/checks/check_extra7119 index 78919000..b21937ed 100644 --- a/checks/check_extra7119 +++ b/checks/check_extra7119 @@ -23,7 +23,7 @@ # [--apply-immediately | --no-apply-immediately] CHECK_ID_extra7119="7.119" -CHECK_TITLE_extra7119="[extra7119] Security configurations used by ETL Development endpoints must have S3 encryption enabled." +CHECK_TITLE_extra7119="[extra7119] Check if Security configurations used by ETL Development endpoints have S3 encryption enabled." CHECK_SCORED_extra7119="NOT_SCORED" CHECK_TYPE_extra7119="EXTRA" CHECK_SEVERITY_extra7119="Medium" diff --git a/checks/check_extra7121 b/checks/check_extra7121 index ba7d77c2..7a0cd218 100644 --- a/checks/check_extra7121 +++ b/checks/check_extra7121 @@ -23,7 +23,7 @@ # [--apply-immediately | --no-apply-immediately] CHECK_ID_extra7121="7.121" -CHECK_TITLE_extra7121="[extra7121] Security configurations used by ETL Development endpoints must have CloudWatch logs encryption enabled." +CHECK_TITLE_extra7121="[extra7121] Check if Security configurations used by ETL Development endpoints have CloudWatch logs encryption enabled." CHECK_SCORED_extra7121="NOT_SCORED" CHECK_TYPE_extra7121="EXTRA" CHECK_SEVERITY_extra7121="Medium" diff --git a/checks/check_extra7123 b/checks/check_extra7123 index ab2032f6..52c451b2 100644 --- a/checks/check_extra7123 +++ b/checks/check_extra7123 
@@ -23,7 +23,7 @@ # [--apply-immediately | --no-apply-immediately] CHECK_ID_extra7123="7.123" -CHECK_TITLE_extra7123="[extra7123] Security configurations used by ETL Development endpoints must have Job bookmark encryption enabled." +CHECK_TITLE_extra7123="[extra7123] Check if Security configurations used by ETL Development endpoints have Job bookmark encryption enabled." CHECK_SCORED_extra7123="NOT_SCORED" CHECK_TYPE_extra7123="EXTRA" CHECK_SEVERITY_extra7123="Medium" diff --git a/checks/check_extra7124 b/checks/check_extra7124 index 6a85ba75..cdc814ba 100644 --- a/checks/check_extra7124 +++ b/checks/check_extra7124 @@ -23,7 +23,7 @@ # [--apply-immediately | --no-apply-immediately] CHECK_ID_extra7124="7.124" -CHECK_TITLE_extra7124="[extra7124] ETL Job Server-side encryption (Enables Amazon S3-managed encryption of the data at the target (SSE-S3) must be enabled." +CHECK_TITLE_extra7124="[extra7124] Check if ETL Job Server-side encryption (Enables Amazon S3-managed encryption of the data at the target, SSE-S3) is enabled." CHECK_SCORED_extra7124="NOT_SCORED" CHECK_TYPE_extra7124="EXTRA" CHECK_SEVERITY_extra7124="Medium" diff --git a/checks/check_extra7125 b/checks/check_extra7125 index 5ad80d83..c5097c9c 100644 --- a/checks/check_extra7125 +++ b/checks/check_extra7125 @@ -23,7 +23,7 @@ # [--apply-immediately | --no-apply-immediately] CHECK_ID_extra7125="7.125" -CHECK_TITLE_extra7125="[extra7125] AWS Glue must be used with VPC Endpoints." +CHECK_TITLE_extra7125="[extra7125] Checks if AWS Glue is used with VPC Endpoints." CHECK_SCORED_extra7125="NOT_SCORED" CHECK_TYPE_extra7125="EXTRA" CHECK_SEVERITY_extra7125="Medium" 
@@ -33,19 +33,17 @@ CHECK_ALTERNATE_check7125="extra7125" extra7125(){ textInfo "Looking for Development Endpoints in all regions... " for regx in $REGIONS; do - LIST_GLUE_SC=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --query 'Jobs[*].SecurityConfiguration'--output text) + LIST_GLUE_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].PrivateAddress' --output text) if [[ $LIST_GLUE_SC ]]; then - for sc in $(echo '${LIST_GLUE_SC}'| jq -r '.[] | @base64');do - textInfo "$ENDPOINT_SECURITY" - ENDPOINT_SC_ENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx glue get-security-configurations $sc --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode' --output text) - if [[ENDPOINT_SC_ENCRYPTION == "SSE-S3" ]]; then - textFail "$regx: ETL Job Security Configuration $sc has (SSE-S3) encryption enabled" "$regx" + for pa in $(echo '${LIST_GLUE_SC}'| jq -r '.[] | @base64');do + if [[ ! pa ]]; then + textFail "$regx: AWS Glue uses a VPC Endpoint $pa" "$regx" else - textPass "$regx: ETL Job Security Configuration $sc has (SSE-S3) encryption is not enabled!" "$regx" + textPass "$regx: AWS Glue does not use a VPC Endpoint $pa" "$regx" fi done else - textInfo "$regx: No ETL Development endpoints found" "$regx" + textInfo "$regx: No Security Configuration found" "$regx" fi done } \ No newline at end of file From ebe2594456ce90bc9413b5102bc7676d48e7f7c9 Mon Sep 17 00:00:00 2001 From: dlpzx Date: Mon, 9 Nov 2020 19:17:00 +0100 Subject: [PATCH 04/21] checks for glue - 7119, 7121, 7123,7124,7125 --- checks/check_extra7124 | 4 ++-- checks/check_extra7125 | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/checks/check_extra7124 b/checks/check_extra7124 index cdc814ba..66073203 100644 --- a/checks/check_extra7124 +++ b/checks/check_extra7124 
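Review bot: `if [[ ! pa ]]; then` tests the literal string `pa`, which is always non-empty, so the condition is always false and every address goes to textPass `AWS Glue does not use a VPC Endpoint`; the intended `[[ -n "$pa" ]]` would also need the branches swapped, because a present `PrivateAddress` is the condition the title wants to see, not the finding. The list is still requested with `--output text` and passed through single quotes as `'${LIST_GLUE_SC}'`, so jq never sees real data and the loop body does not run at all (see the extra7119 note); with text output I believe endpoints without a private address would arrive as `None` rather than an empty string, which an `-n` test would count as present, so `--output json` with `jq -r '.[] // empty'` is the safer shape. More broadly, `DevEndpoints[*].PrivateAddress` describes whether a development endpoint sits in a VPC, which is not what the title `Checks if AWS Glue is used with VPC Endpoints` announces; either rename the title to what is measured or query the VPC endpoint configuration instead. The `textInfo "Looking for Development Endpoints in all regions..."` context line is the only place the function describes itself, so a one-line comment stating what a present private address is taken to mean would help the next reader.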
@@ -33,7 +33,7 @@ CHECK_ALTERNATE_check7124="extra7124" extra7124(){ textInfo "Looking for ETL Jobs in all regions... " for regx in $REGIONS; do - LIST_GLUE_SC=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --query 'Jobs[*].SecurityConfiguration'--output text) + LIST_GLUE_SC=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --query 'Jobs[*].SecurityConfiguration' --output text) if [[ $LIST_GLUE_SC ]]; then for sc in $(echo '${LIST_GLUE_SC}'| jq -r '.[] | @base64');do textInfo "$ENDPOINT_SECURITY" @@ -45,7 +45,7 @@ extra7124(){ fi done else - textInfo "$regx: No ETL Development endpoints found" "$regx" + textInfo "$regx: No ETL Jobs found" "$regx" fi done } \ No newline at end of file diff --git a/checks/check_extra7125 b/checks/check_extra7125 index c5097c9c..fe50aac9 100644 --- a/checks/check_extra7125 +++ b/checks/check_extra7125 @@ -43,7 +43,7 @@ extra7125(){ fi done else - textInfo "$regx: No Security Configuration found" "$regx" + textInfo "$regx: No Private Addresses for endpoints found" "$regx" fi done } \ No newline at end of file From 39a7c3b18e2911b205d3ef8cf6bfe043f069110d Mon Sep 17 00:00:00 2001 From: dlpzx Date: Tue, 10 Nov 2020 13:05:22 +0100 Subject: [PATCH 05/21] checks for glue - 7119, 7121, 7123,7124,7125 --- checks/check_extra7119 | 23 ++++++++++++++--------- checks/check_extra7121 | 23 ++++++++++++++--------- checks/check_extra7123 | 25 ++++++++++++++++--------- checks/check_extra7124 | 30 +++++++++++++++++++----------- checks/check_extra7125 | 16 +++++++++------- 5 files changed, 72 insertions(+), 45 deletions(-) diff --git a/checks/check_extra7119 b/checks/check_extra7119 index b21937ed..7ef85252 100644 --- a/checks/check_extra7119 +++ b/checks/check_extra7119 
@@ -33,19 +33,24 @@ CHECK_ALTERNATE_check7119="extra7119" extra7119(){ textInfo "Looking for Development Endpoints in all regions... " for regx in $REGIONS; do - LIST_GLUE_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].SecurityConfiguration' --output text) - if [[ $LIST_GLUE_SC ]]; then - for sc in $(echo '${LIST_GLUE_SC}'| jq -r '.[] | @base64');do - textInfo "$ENDPOINT_SECURITY" - ENDPOINT_SC_ENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx glue get-security-configurations $sc --query 'SecurityConfiguration.EncryptionConfiguration.S3Encryption.S3EncryptionMode' --output text) - if [[ENDPOINT_SC_ENCRYPTION == "DISABLED" ]]; then - textFail "$regx: Development Endpoint Security Configuration $sc has S3 encryption not enabled!" "$regx" + LIST_EP_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Security:SecurityConfiguration}' --output json) + if [[ ! -z "$LIST_EP_SC" ]]; then + for ep in $(echo "${LIST_EP_SC}"| jq -r '.[] | @base64');do + ENDPOINT_NAME=$(echo $ep | base64 --decode | jq -r '.Name') + ENDPOINT_SC=$(echo $ep | base64 --decode | jq -r '.Security // empty') + if [[ ! -z "$ENDPOINT_SC" ]]; then + ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.S3Encryption[0].S3EncryptionMode' --output text) + if [[ "$ENDPOINT_SC_ENCRYPTION" == "DISABLED" ]]; then + textFail "$regx: Development Endpoint $ENDPOINT_NAME does not have S3 encryption enabled!" 
"$regx" + else + textPass "$regx: Development Endpoint $ENDPOINT_NAME has S3 encryption enabled" "$regx" + fi else - textPass "$regx: Development Endpoint Security Configuration $sc has S3 encryption enabled" "$regx" + textInfo "$regx: No Security Configuration found for Development Endpoint $ENDPOINT_NAME" "$regx" fi done else - textInfo "$regx: No Security Configuration found" "$regx" + textInfo "$regx: There are no Development Endpoints" "$regx" fi done } diff --git a/checks/check_extra7121 b/checks/check_extra7121 index 7a0cd218..6b7f99c3 100644 --- a/checks/check_extra7121 +++ b/checks/check_extra7121 
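Review bot: The new `[[ "$ENDPOINT_SC_ENCRYPTION" == "DISABLED" ]]` test fails open: with `--output text` a security configuration that has no `S3Encryption` entry prints `None`, and a failed `get-security-configuration` call leaves the variable empty, and both of those land in the `else` branch and are reported with textPass as "has S3 encryption enabled". For a security check the pass branch should be reached only on a known-enabled mode, e.g. `if [[ "$ENDPOINT_SC_ENCRYPTION" == "DISABLED" || "$ENDPOINT_SC_ENCRYPTION" == "None" || -z "$ENDPOINT_SC_ENCRYPTION" ]]; then`. The outer `[[ ! -z "$LIST_EP_SC" ]]` guard also looks ineffective now that the call uses `--output json`: as far as I can tell an empty query result prints `[]`, which is non-empty, so the "There are no Development Endpoints" message is never emitted and a region with no endpoints produces no output at all; checking `$(echo "$LIST_EP_SC" | jq 'length')` instead would restore that branch. The same two issues apply to the extra7121 hunk ending on the next section and to the extra7123, extra7124 and extra7125 hunks that follow it; extra7121 additionally leaves `$ENDPOINT_SC_ENCRYPTION` unquoted in its `[[ ]]` test where the sibling files quote it.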
@@ -33,19 +33,24 @@ CHECK_ALTERNATE_check7121="extra7121" extra7121(){ textInfo "Looking for Development Endpoints in all regions... " for regx in $REGIONS; do - LIST_GLUE_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].SecurityConfiguration' --output text) - if [[ $LIST_GLUE_SC ]]; then - for sc in $(echo '${LIST_GLUE_SC}'| jq -r '.[] | @base64');do - textInfo "$ENDPOINT_SECURITY" - ENDPOINT_SC_ENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx glue get-security-configurations $sc --query 'SecurityConfiguration.EncryptionConfiguration.CloudWatchEncryption.CloudWatchEncryptionMode' --output text) - if [[ENDPOINT_SC_ENCRYPTION == "DISABLED" ]]; then - textFail "$regx: Development Endpoint Security Configuration $sc has CloudWatch logs encryption not enabled!" "$regx" + LIST_EP_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Security:SecurityConfiguration}' --output json) + if [[ ! -z "$LIST_EP_SC" ]]; then + for ep in $(echo "${LIST_EP_SC}"| jq -r '.[] | @base64');do + ENDPOINT_NAME=$(echo $ep | base64 --decode | jq -r '.Name') + ENDPOINT_SC=$(echo $ep | base64 --decode | jq -r '.Security // empty') + if [[ ! -z "$ENDPOINT_SC" ]]; then + ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.CloudWatchEncryption.CloudWatchEncryptionMode' --output text) + if [[ $ENDPOINT_SC_ENCRYPTION == "DISABLED" ]]; then + textFail "$regx: Development Endpoint $ENDPOINT_NAME does not have CloudWatch logs encryption enabled!" 
"$regx" + else + textPass "$regx: Development Endpoint $ENDPOINT_NAME has CloudWatch logs encryption enabled" "$regx" + fi else - textPass "$regx: Development Endpoint Security Configuration $sc has CloudWatch logs encryption enabled" "$regx" + textInfo "$regx: No Security Configuration found" "$regx" fi done else - textInfo "$regx: No Security Configuration found" "$regx" + textInfo "$regx: There are no Development Endpoints" "$regx" fi done } diff --git a/checks/check_extra7123 b/checks/check_extra7123 index 52c451b2..bd5cb5ec 100644 --- a/checks/check_extra7123 +++ b/checks/check_extra7123 
@@ -33,19 +33,26 @@ CHECK_ALTERNATE_check7123="extra7123" extra7123(){ textInfo "Looking for Development Endpoints in all regions... " for regx in $REGIONS; do - LIST_GLUE_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].SecurityConfiguration' --output text) - if [[ $LIST_GLUE_SC ]]; then - for sc in $(echo '${LIST_GLUE_SC}'| jq -r '.[] | @base64');do - textInfo "$ENDPOINT_SECURITY" - ENDPOINT_SC_ENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx glue get-security-configurations $sc --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode' --output text) - if [[ENDPOINT_SC_ENCRYPTION == "DISABLED" ]]; then - textFail "$regx: Development Endpoint Security Configuration $sc has bookmark encryption not enabled!" "$regx" + LIST_EP_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Security:SecurityConfiguration}' --output json) + if [[ ! -z "$LIST_EP_SC" ]]; then + for ep in $(echo "${LIST_EP_SC}"| jq -r '.[] | @base64');do + ENDPOINT_NAME=$(echo $ep | base64 --decode | jq -r '.Name') + ENDPOINT_SC=$(echo $ep | base64 --decode | jq -r '.Security // empty') + if [[ ! -z "$ENDPOINT_SC" ]]; then + ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode' --output text) + if [[ "$ENDPOINT_SC_ENCRYPTION" == "DISABLED" ]]; then + textFail "$regx: Development Endpoint $ENDPOINT_NAME does not have Job Bookmark encryption enabled!" 
"$regx" + else + textPass "$regx: Development Endpoint $ENDPOINT_NAME has Job Bookmark encryption enabled" "$regx" + fi else - textPass "$regx: Development EndpointSecurity Configuration $sc has bookmark encryption enabled" "$regx" + textInfo "$regx: No Security Configuration found" "$regx" fi done else - textInfo "$regx: No Security Configuration found" "$regx" + textInfo "$regx: There are no Development Endpoints" "$regx" fi done } + + diff --git a/checks/check_extra7124 b/checks/check_extra7124 index 66073203..b531cda9 100644 --- a/checks/check_extra7124 +++ b/checks/check_extra7124 
@@ -33,19 +33,27 @@ CHECK_ALTERNATE_check7124="extra7124" extra7124(){ textInfo "Looking for ETL Jobs in all regions... " for regx in $REGIONS; do - LIST_GLUE_SC=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --query 'Jobs[*].SecurityConfiguration' --output text) - if [[ $LIST_GLUE_SC ]]; then - for sc in $(echo '${LIST_GLUE_SC}'| jq -r '.[] | @base64');do - textInfo "$ENDPOINT_SECURITY" - ENDPOINT_SC_ENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx glue get-security-configurations $sc --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode' --output text) - if [[ENDPOINT_SC_ENCRYPTION == "SSE-S3" ]]; then - textFail "$regx: ETL Job Security Configuration $sc has (SSE-S3) encryption enabled" "$regx" - else - textPass "$regx: ETL Job Security Configuration $sc has (SSE-S3) encryption is not enabled!" "$regx" - fi + JOB_LIST=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --output json --query 'Jobs[*].{Name:Name,SecurityConfiguration:SecurityConfiguration,JobEncryption:DefaultArguments."--encryption-type"}') + if [[ ! -z "$JOB_LIST" ]]; then + for job in $(echo "${JOB_LIST}" | jq -r '.[] | @base64'); do + JOB_NAME=$(echo $job | base64 --decode | jq -r '.Name') + SECURITY_CONFIGURATION=$(echo $job | base64 --decode | jq -r '.SecurityConfiguration // empty') + JOB_ENCRYPTION=$(echo $job | base64 --decode | jq -r '.JobEncryption // empty') + if [[ ! -z "$SECURITY_CONFIGURATION" ]]; then + S3_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${SECURITY_CONFIGURATION}" $PROFILE_OPT --region $regx --output text --query 'SecurityConfiguration.EncryptionConfiguration.S3Encryption[0].S3EncryptionMode') + if [[ "$S3_ENCRYPTION" == "SSE-S3" ]]; then + textFail "$regx: Job $JOB_NAME has Server side encryption (SSE-S3) enabled" "$regx" + else + textInfo "$regx: Job $JOB_NAME does not have Server side encryption (SSE-S3) enabled" "$regx" + fi + elif [[ ! 
-z "$JOB_ENCRYPTION" ]]; then + textInfo "$regx: Job $JOB_NAME does have $JOB_ENCRYPTION S3 encryption enabled" "$regx" + else + textFail "$regx: Job $JOB_NAME does not have S3 encryption enabled" "$regx" + fi done else - textInfo "$regx: No ETL Jobs found" "$regx" + textInfo "$regx: There are no ETL jobs" "$regx" fi done } \ No newline at end of file diff --git a/checks/check_extra7125 b/checks/check_extra7125 index fe50aac9..1444230f 100644 --- a/checks/check_extra7125 +++ b/checks/check_extra7125 @@ -33,17 +33,19 @@ CHECK_ALTERNATE_check7125="extra7125" extra7125(){ textInfo "Looking for Development Endpoints in all regions... " for regx in $REGIONS; do - LIST_GLUE_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].PrivateAddress' --output text) - if [[ $LIST_GLUE_SC ]]; then - for pa in $(echo '${LIST_GLUE_SC}'| jq -r '.[] | @base64');do - if [[ ! pa ]]; then - textFail "$regx: AWS Glue uses a VPC Endpoint $pa" "$regx" + LIST_EP_PA=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Address:PrivateAddress}' --output json) + if [[ ! -z "$LIST_EP_PA" ]]; then + for ep in $(echo "${LIST_EP_PA}" | jq -r '.[] | @base64'); do + EP_NAME=$(echo $ep | base64 --decode | jq -r '.Name') + PRIVATE_ADDRESS=$(echo $ep | base64 --decode | jq -r '.Address') + if [[ ! -z "$PRIVATE_ADDRESS" ]]; then + textFail "$regx: AWS Glue Development Endpoint $EP_NAME uses a VPC Endpoint" "$regx" else - textPass "$regx: AWS Glue does not use a VPC Endpoint $pa" "$regx" + textPass "$regx: AWS Glue Development Endpoint $EP_NAME does not use a VPC Endpoint" "$regx" fi done else - textInfo "$regx: No Private Addresses for endpoints found" "$regx" + textInfo "$regx: No Development Endpoints found" "$regx" fi done } \ No newline at end of file From 888133e98615854c67ffb75f299e870a8f8c569d Mon Sep 17 00:00:00 2001 
From: dlpzx
Date: Tue, 10 Nov 2020 13:06:03 +0100
Subject: [PATCH 06/21] checks for glue - 7119, 7121, 7123,7124,7125
---
checks/check_extra7125 | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/checks/check_extra7125 b/checks/check_extra7125
index 1444230f..226eeb58 100644
--- a/checks/check_extra7125
+++ b/checks/check_extra7125
@@ -39,9 +39,9 @@ extra7125(){
 EP_NAME=$(echo $ep | base64 --decode | jq -r '.Name')
 PRIVATE_ADDRESS=$(echo $ep | base64 --decode | jq -r '.Address')
 if [[ ! -z "$PRIVATE_ADDRESS" ]]; then
- textFail "$regx: AWS Glue Development Endpoint $EP_NAME uses a VPC Endpoint" "$regx"
+ textPass "$regx: AWS Glue Development Endpoint $EP_NAME uses a VPC Endpoint" "$regx"
 else
- textPass "$regx: AWS Glue Development Endpoint $EP_NAME does not use a VPC Endpoint" "$regx"
+ textFail "$regx: AWS Glue Development Endpoint $EP_NAME does not use a VPC Endpoint" "$regx"
 fi
 done
 else
From 943b096f35daf9071b5a137a51f17d048e68b90e Mon Sep 17 00:00:00 2001
From: dlpzx
Date: Thu, 12 Nov 2020 12:06:43 +0100
Subject: [PATCH 07/21] checks for glue - 7119, 7121, 7123
---
checks/check_extra7119 | 11 ++++----
checks/check_extra7121 | 11 ++++----
checks/check_extra7123 | 11 ++++----
checks/check_extra7124 | 59 ------------------------------------------
checks/check_extra7125 | 51 ------------------------------
5 files changed, 15 insertions(+), 128 deletions(-)
delete mode 100644 checks/check_extra7124
delete mode 100644 checks/check_extra7125
diff --git a/checks/check_extra7119 b/checks/check_extra7119
index 7ef85252..e5928f69 100644
--- a/checks/check_extra7119
+++ b/checks/check_extra7119
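Review bot: After this swap every endpoint passes, because the `PRIVATE_ADDRESS=$(... | jq -r '.Address')` context line prints the literal string `null` when `PrivateAddress` is absent, so `[[ ! -z "$PRIVATE_ADDRESS" ]]` is true for endpoints with and without a private address and the new textFail branch is unreachable. The sibling checks already use `jq -r '.Security // empty'` for the same purpose; the fix here is `PRIVATE_ADDRESS=$(echo $ep | base64 --decode | jq -r '.Address // empty')`. The enclosing `extra7125` function starts and ends outside this hunk.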
@@ -23,7 +23,7 @@ # [--apply-immediately | --no-apply-immediately] CHECK_ID_extra7119="7.119" -CHECK_TITLE_extra7119="[extra7119] Check if Security configurations used by ETL Development endpoints have S3 encryption enabled." +CHECK_TITLE_extra7119="[extra7119] Check if Glue security configurations used by ETL Development endpoints have S3 encryption enabled." CHECK_SCORED_extra7119="NOT_SCORED" CHECK_TYPE_extra7119="EXTRA" CHECK_SEVERITY_extra7119="Medium" @@ -31,7 +31,6 @@ CHECK_ASFF_RESOURCE_TYPE_extra7119="AwsGlue" CHECK_ALTERNATE_check7119="extra7119" extra7119(){ - textInfo "Looking for Development Endpoints in all regions... " for regx in $REGIONS; do LIST_EP_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Security:SecurityConfiguration}' --output json) if [[ ! -z "$LIST_EP_SC" ]]; then @@ -41,16 +40,16 @@ extra7119(){ if [[ ! -z "$ENDPOINT_SC" ]]; then ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.S3Encryption[0].S3EncryptionMode' --output text) if [[ "$ENDPOINT_SC_ENCRYPTION" == "DISABLED" ]]; then - textFail "$regx: Development Endpoint $ENDPOINT_NAME does not have S3 encryption enabled!" "$regx" + textFail "$regx: Glue Development Endpoint $ENDPOINT_NAME does not have S3 encryption enabled!" "$regx" else - textPass "$regx: Development Endpoint $ENDPOINT_NAME has S3 encryption enabled" "$regx" + textPass "$regx: Glue Development Endpoint $ENDPOINT_NAME has S3 encryption enabled" "$regx" fi else - textInfo "$regx: No Security Configuration found for Development Endpoint $ENDPOINT_NAME" "$regx" + textInfo "$regx: No Glue security configuration found for Development Endpoint $ENDPOINT_NAME" "$regx" fi done else - textInfo "$regx: There are no Development Endpoints" "$regx" + textInfo "$regx: There are no Glue Development Endpoints" "$regx" fi done } 
diff --git a/checks/check_extra7121 b/checks/check_extra7121 index 6b7f99c3..e5d5c35f 100644 --- a/checks/check_extra7121 +++ b/checks/check_extra7121 @@ -23,7 +23,7 @@ # [--apply-immediately | --no-apply-immediately] CHECK_ID_extra7121="7.121" -CHECK_TITLE_extra7121="[extra7121] Check if Security configurations used by ETL Development endpoints have CloudWatch logs encryption enabled." +CHECK_TITLE_extra7121="[extra7121] Check if Glue security configurations used by ETL Development endpoints have CloudWatch logs encryption enabled." CHECK_SCORED_extra7121="NOT_SCORED" CHECK_TYPE_extra7121="EXTRA" CHECK_SEVERITY_extra7121="Medium" @@ -31,7 +31,6 @@ CHECK_ASFF_RESOURCE_TYPE_extra7121="AwsGlue" CHECK_ALTERNATE_check7121="extra7121" extra7121(){ - textInfo "Looking for Development Endpoints in all regions... " for regx in $REGIONS; do LIST_EP_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Security:SecurityConfiguration}' --output json) if [[ ! -z "$LIST_EP_SC" ]]; then 
@@ -41,16 +40,16 @@ extra7121(){ if [[ ! -z "$ENDPOINT_SC" ]]; then ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.CloudWatchEncryption.CloudWatchEncryptionMode' --output text) if [[ $ENDPOINT_SC_ENCRYPTION == "DISABLED" ]]; then - textFail "$regx: Development Endpoint $ENDPOINT_NAME does not have CloudWatch logs encryption enabled!" "$regx" + textFail "$regx: Glue Development Endpoint $ENDPOINT_NAME does not have CloudWatch logs encryption enabled!" "$regx" else - textPass "$regx: Development Endpoint $ENDPOINT_NAME has CloudWatch logs encryption enabled" "$regx" + textPass "$regx: Glue Development Endpoint $ENDPOINT_NAME has CloudWatch logs encryption enabled" "$regx" fi else - textInfo "$regx: No Security Configuration found" "$regx" + textInfo "$regx: No Glue security configuration found" "$regx" fi done else - textInfo "$regx: There are no Development Endpoints" "$regx" + textInfo "$regx: There are no Glue Development Endpoints" "$regx" fi done } diff --git a/checks/check_extra7123 b/checks/check_extra7123 index bd5cb5ec..f601c9a4 100644 --- a/checks/check_extra7123 +++ b/checks/check_extra7123 @@ -23,7 +23,7 @@ # [--apply-immediately | --no-apply-immediately] CHECK_ID_extra7123="7.123" -CHECK_TITLE_extra7123="[extra7123] Check if Security configurations used by ETL Development endpoints have Job bookmark encryption enabled." +CHECK_TITLE_extra7123="[extra7123] Check if Glue security configurations used by ETL Development endpoints have Job bookmark encryption enabled." CHECK_SCORED_extra7123="NOT_SCORED" CHECK_TYPE_extra7123="EXTRA" CHECK_SEVERITY_extra7123="Medium" 
@@ -31,7 +31,6 @@ CHECK_ASFF_RESOURCE_TYPE_extra7123="AwsGlue" CHECK_ALTERNATE_check7123="extra7123" extra7123(){ - textInfo "Looking for Development Endpoints in all regions... " for regx in $REGIONS; do LIST_EP_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Security:SecurityConfiguration}' --output json) if [[ ! -z "$LIST_EP_SC" ]]; then @@ -41,16 +40,16 @@ extra7123(){ if [[ ! -z "$ENDPOINT_SC" ]]; then ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode' --output text) if [[ "$ENDPOINT_SC_ENCRYPTION" == "DISABLED" ]]; then - textFail "$regx: Development Endpoint $ENDPOINT_NAME does not have Job Bookmark encryption enabled!" "$regx" + textFail "$regx: Glue Development Endpoint $ENDPOINT_NAME does not have Job Bookmark encryption enabled!" "$regx" else - textPass "$regx: Development Endpoint $ENDPOINT_NAME has Job Bookmark encryption enabled" "$regx" + textPass "$regx: Glue Development Endpoint $ENDPOINT_NAME has Job Bookmark encryption enabled" "$regx" fi else - textInfo "$regx: No Security Configuration found" "$regx" + textInfo "$regx: No Glue security configuration found" "$regx" fi done else - textInfo "$regx: There are no Development Endpoints" "$regx" + textInfo "$regx: There are no Glue Development Endpoints" "$regx" fi done } diff --git a/checks/check_extra7124 b/checks/check_extra7124 deleted file mode 100644 index b531cda9..00000000 --- a/checks/check_extra7124 +++ /dev/null 
@@ -1,59 +0,0 @@ -#!/usr/bin/env bash - -# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may not -# use this file except in compliance with the License. You may obtain a copy -# of the License at http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software distributed -# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR -# CONDITIONS OF ANY KIND, either express or implied. See the License for the -# specific language governing permissions and limitations under the License. - -# Remediation: -# -# https://www.cloudconformity.com/knowledge-base/aws/RDS/instance-deletion-protection.html -# https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html -# -# aws rds modify-db-instance \ -# --region us-east-1 \ -# --db-instance-identifier test-db \ -# --deletion-protection \ -# [--apply-immediately | --no-apply-immediately] - -CHECK_ID_extra7124="7.124" -CHECK_TITLE_extra7124="[extra7124] Check if ETL Job Server-side encryption (Enables Amazon S3-managed encryption of the data at the target, SSE-S3) is enabled." -CHECK_SCORED_extra7124="NOT_SCORED" -CHECK_TYPE_extra7124="EXTRA" -CHECK_SEVERITY_extra7124="Medium" -CHECK_ASFF_RESOURCE_TYPE_extra7124="AwsGlue" -CHECK_ALTERNATE_check7124="extra7124" - -extra7124(){ - textInfo "Looking for ETL Jobs in all regions... " - for regx in $REGIONS; do - JOB_LIST=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --output json --query 'Jobs[*].{Name:Name,SecurityConfiguration:SecurityConfiguration,JobEncryption:DefaultArguments."--encryption-type"}') - if [[ ! 
-z "$JOB_LIST" ]]; then - for job in $(echo "${JOB_LIST}" | jq -r '.[] | @base64'); do - JOB_NAME=$(echo $job | base64 --decode | jq -r '.Name') - SECURITY_CONFIGURATION=$(echo $job | base64 --decode | jq -r '.SecurityConfiguration // empty') - JOB_ENCRYPTION=$(echo $job | base64 --decode | jq -r '.JobEncryption // empty') - if [[ ! -z "$SECURITY_CONFIGURATION" ]]; then - S3_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${SECURITY_CONFIGURATION}" $PROFILE_OPT --region $regx --output text --query 'SecurityConfiguration.EncryptionConfiguration.S3Encryption[0].S3EncryptionMode') - if [[ "$S3_ENCRYPTION" == "SSE-S3" ]]; then - textFail "$regx: Job $JOB_NAME has Server side encryption (SSE-S3) enabled" "$regx" - else - textInfo "$regx: Job $JOB_NAME does not have Server side encryption (SSE-S3) enabled" "$regx" - fi - elif [[ ! -z "$JOB_ENCRYPTION" ]]; then - textInfo "$regx: Job $JOB_NAME does have $JOB_ENCRYPTION S3 encryption enabled" "$regx" - else - textFail "$regx: Job $JOB_NAME does not have S3 encryption enabled" "$regx" - fi - done - else - textInfo "$regx: There are no ETL jobs" "$regx" - fi - done -} \ No newline at end of file diff --git a/checks/check_extra7125 b/checks/check_extra7125 deleted file mode 100644 index 226eeb58..00000000 --- a/checks/check_extra7125 +++ /dev/null 
@@ -1,51 +0,0 @@ -#!/usr/bin/env bash - -# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may not -# use this file except in compliance with the License. You may obtain a copy -# of the License at http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software distributed -# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR -# CONDITIONS OF ANY KIND, either express or implied. See the License for the -# specific language governing permissions and limitations under the License. - -# Remediation: -# -# https://www.cloudconformity.com/knowledge-base/aws/RDS/instance-deletion-protection.html -# https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html -# -# aws rds modify-db-instance \ -# --region us-east-1 \ -# --db-instance-identifier test-db \ -# --deletion-protection \ -# [--apply-immediately | --no-apply-immediately] - -CHECK_ID_extra7125="7.125" -CHECK_TITLE_extra7125="[extra7125] Checks if AWS Glue is used with VPC Endpoints." -CHECK_SCORED_extra7125="NOT_SCORED" -CHECK_TYPE_extra7125="EXTRA" -CHECK_SEVERITY_extra7125="Medium" -CHECK_ASFF_RESOURCE_TYPE_extra7125="AwsGlue" -CHECK_ALTERNATE_check7125="extra7125" - -extra7125(){ - textInfo "Looking for Development Endpoints in all regions... " - for regx in $REGIONS; do - LIST_EP_PA=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Address:PrivateAddress}' --output json) - if [[ ! -z "$LIST_EP_PA" ]]; then - for ep in $(echo "${LIST_EP_PA}" | jq -r '.[] | @base64'); do - EP_NAME=$(echo $ep | base64 --decode | jq -r '.Name') - PRIVATE_ADDRESS=$(echo $ep | base64 --decode | jq -r '.Address') - if [[ ! 
-z "$PRIVATE_ADDRESS" ]]; then - textPass "$regx: AWS Glue Development Endpoint $EP_NAME uses a VPC Endpoint" "$regx" - else - textFail "$regx: AWS Glue Development Endpoint $EP_NAME does not use a VPC Endpoint" "$regx" - fi - done - else - textInfo "$regx: No Development Endpoints found" "$regx" - fi - done -} \ No newline at end of file From 0bfa263ad95787a4ba7e0fa098938eaf986c9830 Mon Sep 17 00:00:00 2001 From: Ramon Diez Date: Thu, 12 Nov 2020 12:30:22 +0100 Subject: [PATCH 08/21] Fixing some descriptions --- checks/check_extra7115 | 8 ++++---- checks/check_extra7116 | 4 ++-- checks/check_extra7117 | 4 ++-- checks/check_extra7118 | 12 ++++++------ checks/check_extra7120 | 10 +++++----- checks/check_extra7122 | 10 +++++----- 6 files changed, 24 insertions(+), 24 deletions(-) diff --git a/checks/check_extra7115 b/checks/check_extra7115 index 52f0f64b..a8b5b166 100644 --- a/checks/check_extra7115 +++ b/checks/check_extra7115 @@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra7115="7.115" -CHECK_TITLE_extra7115="[extra7115] Check if Glue Database connection must have SSL connection enabled. (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra7115="[extra7115] Check if Glue database connection must have SSL connection enabled. (Not Scored) (Not part of CIS benchmark)" CHECK_SCORED_extra7115="NOT_SCORED" CHECK_TYPE_extra7115="EXTRA" CHECK_SEVERITY_extra7115="Medium" 
@@ -26,13 +26,13 @@ extra7115(){ CONNECTION_NAME=$(echo $connection | base64 --decode | jq -r '.Name' ) CONNECTION_SSL_STATE=$(echo $connection | base64 --decode | jq -r '.SSL') if [[ "$CONNECTION_SSL_STATE" == "false" ]]; then - textFail "$regx: Connection $CONNECTION_NAME has SSL connection disabled" "$regx" + textFail "$regx: Glue connection $CONNECTION_NAME has SSL connection disabled" "$regx" else - textInfo "$regx: Connection $CONNECTION_NAME has SSL connection enabled" "$regx" + textInfo "$regx: Glue connection $CONNECTION_NAME has SSL connection enabled" "$regx" fi done else - textInfo "$regx: There are no connections" "$regx" + textInfo "$regx: There are no Glue connections" "$regx" fi done } diff --git a/checks/check_extra7116 b/checks/check_extra7116 index a789a8c2..d862559c 100644 --- a/checks/check_extra7116 +++ b/checks/check_extra7116 @@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra7116="7.116" -CHECK_TITLE_extra7116="[extra7116] Check if Data catalog settings must have metadata encryption enabled. (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra7116="[extra7116] Check if Glue data-catalog settings must have metadata encryption enabled. (Not Scored) (Not part of CIS benchmark)" CHECK_SCORED_extra7116="NOT_SCORED" CHECK_TYPE_extra7116="EXTRA" CHECK_SEVERITY_extra7116="Medium" @@ -24,7 +24,7 @@ extra7116(){ if [[ "$METADATA_ENCRYPTED" == "DISABLED" ]]; then textFail "$regx: Glue Catalog is not encrypted" "$regx" else - textInfo "$regx:Glue catalog is encrypted with $METADATA_ENCRYPTED" "$regx" + textInfo "$regx: Glue catalog is encrypted with $METADATA_ENCRYPTED" "$regx" fi done } diff --git a/checks/check_extra7117 b/checks/check_extra7117 index ac195606..6a019c70 100644 --- a/checks/check_extra7117 +++ b/checks/check_extra7117 
@@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra7117="7.117" -CHECK_TITLE_extra7117="[extra7117] Check if Data catalog settings must have Encrypt connection password enabled. (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra7117="[extra7117] Check if Glue data-catalog settings must have Encrypt connection password enabled. (Not Scored) (Not part of CIS benchmark)" CHECK_SCORED_extra7117="NOT_SCORED" CHECK_TYPE_extra7117="EXTRA" CHECK_SEVERITY_extra7117="Medium" @@ -24,7 +24,7 @@ extra7117(){ if [[ "$METADATA_ENCRYPTED" == "False" ]]; then textFail "$regx: Glue Catalog connection password is not encrypted" "$regx" else - textInfo "$regx:Glue catalog connection password is encrypted" "$regx" + textInfo "$regx: Glue catalog connection password is encrypted" "$regx" fi done } diff --git a/checks/check_extra7118 b/checks/check_extra7118 index 3cc70617..516b3086 100644 --- a/checks/check_extra7118 +++ b/checks/check_extra7118 @@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra7118="7.117" -CHECK_TITLE_extra7118="[extra7118] Check if Security configurations used by ETL Jobs have S3 encryption enabled. (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra7118="[extra7118] Check if Glue Security configurations used by ETL Jobs have S3 encryption enabled. (Not Scored) (Not part of CIS benchmark)" CHECK_SCORED_extra7118="NOT_SCORED" CHECK_TYPE_extra7118="EXTRA" CHECK_SEVERITY_extra7118="Medium" 
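Review bot: The `CHECK_ID_extra7118="7.117"` context line in this hunk duplicates the id used by extra7117, and the extra7120 and extra7122 hunks in the next two sections carry the same `"7.117"` value, so three checks in this commit share an id with a fourth. A commit titled "Fixing some descriptions" that edits these header blocks is the natural place to correct them; presumably the id should follow the check number as it does for extra7115, extra7116 and extra7117, i.e. `CHECK_ID_extra7118="7.118"`, `CHECK_ID_extra7120="7.120"` and `CHECK_ID_extra7122="7.122"`. Duplicate ids are worth treating as a defect rather than cosmetics, since downstream tooling that keys findings on the id will merge or overwrite results from different checks.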
@@ -29,18 +29,18 @@ extra7118(){ if [[ ! -z "$SECURITY_CONFIGURATION" ]]; then S3_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${SECURITY_CONFIGURATION}" $PROFILE_OPT --region $regx --output text --query 'SecurityConfiguration.EncryptionConfiguration.S3Encryption[0].S3EncryptionMode') if [[ "$S3_ENCRYPTION" == "DISABLED" ]]; then - textFail "$regx: Job $JOB_NAME does not have S3 encryption enabled" "$regx" + textFail "$regx: Glue job $JOB_NAME does not have S3 encryption enabled" "$regx" else - textInfo "$regx: Job $JOB_NAME does have $S3_ENCRYPTION S3 encryption enabled" "$regx" + textInfo "$regx: Glue job $JOB_NAME does have $S3_ENCRYPTION S3 encryption enabled" "$regx" fi elif [[ ! -z "$JOB_ENCRYPTION" ]]; then - textInfo "$regx: Job $JOB_NAME does have $JOB_ENCRYPTION S3 encryption enabled" "$regx" + textInfo "$regx: Glue job $JOB_NAME does have $JOB_ENCRYPTION S3 encryption enabled" "$regx" else - textFail "$regx: Job $JOB_NAME does not have S3 encryption enabled" "$regx" + textFail "$regx: Glue job $JOB_NAME does not have S3 encryption enabled" "$regx" fi done else - textInfo "$regx: There are no jobs" "$regx" + textInfo "$regx: There are no Glue jobs" "$regx" fi done } \ No newline at end of file diff --git a/checks/check_extra7120 b/checks/check_extra7120 index c2782e5f..751f74f2 100644 --- a/checks/check_extra7120 +++ b/checks/check_extra7120 
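Review bot: The reworded `textInfo "$regx: Glue job $JOB_NAME does have $S3_ENCRYPTION S3 encryption enabled"` line will print "does have None S3 encryption enabled" for a security configuration with no `S3Encryption` entry, because `--output text` renders the missing value as `None` and the surrounding `[[ "$S3_ENCRYPTION" == "DISABLED" ]]` test only catches the explicit disabled mode; the job is then never reported as failing. Extending the condition to `if [[ "$S3_ENCRYPTION" == "DISABLED" || "$S3_ENCRYPTION" == "None" ]]; then` closes that gap, and the same applies to the CloudWatch and job-bookmark tests in the extra7120 and extra7122 hunks below. As a point of consistency, this family of job checks reports the compliant case with textInfo while the dev-endpoint checks (extra7119, extra7121, extra7123) use textPass, so pass counts in the summary will differ between the two groups for the same finding. The `elif [[ ! -z "$JOB_ENCRYPTION" ]]` branch also accepts any `--encryption-type` default argument as proof of encryption without inspecting its value, which is worth a comment on that line if it is intentional.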
@@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra7120="7.117" -CHECK_TITLE_extra7120="[extra7120] Check if Security configurations used by ETL Jobs have CloudWatch logs encryption enabled. (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra7120="[extra7120] Check if Glue security configurations used by ETL Jobs have CloudWatch logs encryption enabled. (Not Scored) (Not part of CIS benchmark)" CHECK_SCORED_extra7120="NOT_SCORED" CHECK_TYPE_extra7120="EXTRA" CHECK_SEVERITY_extra7120="Medium" @@ -28,16 +28,16 @@ extra7120(){ if [[ ! -z "$SECURITY_CONFIGURATION" ]]; then CLOUDWATCH_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${SECURITY_CONFIGURATION}" $PROFILE_OPT --region $regx --output text --query 'SecurityConfiguration.EncryptionConfiguration.CloudWatchEncryption.CloudWatchEncryptionMode') if [[ "$CLOUDWATCH_ENCRYPTION" == "DISABLED" ]]; then - textFail "$regx: Job $JOB_NAME does not have CloudWatch logs encryption enabled" "$regx" + textFail "$regx: Glue job $JOB_NAME does not have CloudWatch logs encryption enabled" "$regx" else - textInfo "$regx: Job $JOB_NAME does have $CLOUDWATCH_ENCRYPTION CloudWatch logs encryption enabled" "$regx" + textInfo "$regx: Glue job $JOB_NAME does have $CLOUDWATCH_ENCRYPTION CloudWatch logs encryption enabled" "$regx" fi else - textFail "$regx: Job $JOB_NAME does not have CloudWatch logs encryption enabled" "$regx" + textFail "$regx: Glue job $JOB_NAME does not have CloudWatch logs encryption enabled" "$regx" fi done else - textInfo "$regx: There are no jobs" "$regx" + textInfo "$regx: There are no Glue jobs" "$regx" fi done } \ No newline at end of file diff --git a/checks/check_extra7122 b/checks/check_extra7122 index 0ef7bc9d..438be869 100644 --- a/checks/check_extra7122 +++ b/checks/check_extra7122 
@@ -11,7 +11,7 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra7122="7.117"
-CHECK_TITLE_extra7122="[extra7122] Check if Security configurations used by ETL Jobs have Job bookmark encryption enabled. (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra7122="[extra7122] Check if Glue security configurations used by ETL Jobs have Job bookmark encryption enabled. (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra7122="NOT_SCORED"
 CHECK_TYPE_extra7122="EXTRA"
 CHECK_SEVERITY_extra7122="Medium"
@@ -28,16 +28,16 @@ extra7122(){
 if [[ ! -z "$SECURITY_CONFIGURATION" ]]; then
 JOB_BOOKMARK_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${SECURITY_CONFIGURATION}" $PROFILE_OPT --region $regx --output text --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode')
 if [[ "$JOB_BOOKMARK_ENCRYPTION" == "DISABLED" ]]; then
- textFail "$regx: Job $JOB_NAME does not have Job bookmark encryption enabled" "$regx"
+ textFail "$regx: Glue job $JOB_NAME does not have Job bookmark encryption enabled" "$regx"
 else
- textInfo "$regx: Job $JOB_NAME does have $JOB_BOOKMARK_ENCRYPTION Job bookmark encryption enabled" "$regx"
+ textInfo "$regx: Glue job $JOB_NAME does have $JOB_BOOKMARK_ENCRYPTION Job bookmark encryption enabled" "$regx"
 fi
 else
- textFail "$regx: Job $JOB_NAME does not have Job bookmark encryption enabled" "$regx"
+ textFail "$regx: Glue job $JOB_NAME does not have Job bookmark encryption enabled" "$regx"
 fi
 done
 else
- textInfo "$regx: There are no jobs" "$regx"
+ textInfo "$regx: There are no Glue jobs" "$regx"
 fi
 done
 }
\ No newline at end of file
From 8c9d843813d41e0cbe27864eb6136bf7b93c1d90 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente Date: Fri, 13 Nov 2020 19:02:26 +0100 Subject: [PATCH 09/21] Glue review 1 --- checks/check_extra7115 | 2 +- checks/check_extra7116 | 6 +++--- checks/check_extra7117 | 2 +- checks/check_extra7118 | 2 +- checks/check_extra7120 | 2 +- checks/check_extra7122 | 2 +- groups/group23_glue | 19 ------------------- 7 files changed, 8 insertions(+), 27 deletions(-) delete mode 100644 groups/group23_glue diff --git a/checks/check_extra7115 b/checks/check_extra7115 index a8b5b166..ad597b07 100644 --- a/checks/check_extra7115 +++ b/checks/check_extra7115 @@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra7115="7.115" -CHECK_TITLE_extra7115="[extra7115] Check if Glue database connection must have SSL connection enabled. (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra7115="[extra7115] Check if Glue database connection has SSL connection enabled." CHECK_SCORED_extra7115="NOT_SCORED" CHECK_TYPE_extra7115="EXTRA" CHECK_SEVERITY_extra7115="Medium" diff --git a/checks/check_extra7116 b/checks/check_extra7116 index d862559c..aa778774 100644 --- a/checks/check_extra7116 +++ b/checks/check_extra7116 @@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra7116="7.116" -CHECK_TITLE_extra7116="[extra7116] Check if Glue data-catalog settings must have metadata encryption enabled. (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra7116="[extra7116] Check if Glue data-catalog settings have metadata encryption enabled." CHECK_SCORED_extra7116="NOT_SCORED" CHECK_TYPE_extra7116="EXTRA" CHECK_SEVERITY_extra7116="Medium" 
@@ -22,9 +22,9 @@ extra7116(){
 for regx in $REGIONS; do
 METADATA_ENCRYPTED=$($AWSCLI glue get-data-catalog-encryption-settings $PROFILE_OPT --region $regx --output text --query "DataCatalogEncryptionSettings.EncryptionAtRest.CatalogEncryptionMode")
 if [[ "$METADATA_ENCRYPTED" == "DISABLED" ]]; then
- textFail "$regx: Glue Catalog is not encrypted" "$regx"
+ textFail "$regx: Glue data-catalog settings have metadata encryption disabled" "$regx"
 else
- textInfo "$regx: Glue catalog is encrypted with $METADATA_ENCRYPTED" "$regx"
+ textInfo "$regx: Glue data-catalog settings have metadata encryption enabled" "$regx"
 fi
 done
 }
diff --git a/checks/check_extra7117 b/checks/check_extra7117
index 6a019c70..cd8b66b5 100644
--- a/checks/check_extra7117
+++ b/checks/check_extra7117
@@ -11,7 +11,7 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra7117="7.117"
-CHECK_TITLE_extra7117="[extra7117] Check if Glue data-catalog settings must have Encrypt connection password enabled. (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra7117="[extra7117] Check if Glue data-catalog settings have Encrypt connection password enabled."
 CHECK_SCORED_extra7117="NOT_SCORED"
 CHECK_TYPE_extra7117="EXTRA"
 CHECK_SEVERITY_extra7117="Medium"
diff --git a/checks/check_extra7118 b/checks/check_extra7118
index 516b3086..abc02ac7 100644
--- a/checks/check_extra7118
+++ b/checks/check_extra7118
@@ -11,7 +11,7 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra7118="7.117"
-CHECK_TITLE_extra7118="[extra7118] Check if Glue Security configurations used by ETL Jobs have S3 encryption enabled. (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra7118="[extra7118] Check if Glue security configurations used by ETL Jobs have S3 encryption enabled."
 CHECK_SCORED_extra7118="NOT_SCORED"
 CHECK_TYPE_extra7118="EXTRA"
 CHECK_SEVERITY_extra7118="Medium"
diff --git a/checks/check_extra7120 b/checks/check_extra7120
index 751f74f2..32a6053b 100644
--- a/checks/check_extra7120
+++ b/checks/check_extra7120
@@ -11,7 +11,7 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra7120="7.117"
-CHECK_TITLE_extra7120="[extra7120] Check if Glue security configurations used by ETL Jobs have CloudWatch logs encryption enabled. (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra7120="[extra7120] Check if Glue security configurations used by ETL Jobs have CloudWatch logs encryption enabled."
 CHECK_SCORED_extra7120="NOT_SCORED"
 CHECK_TYPE_extra7120="EXTRA"
 CHECK_SEVERITY_extra7120="Medium"
diff --git a/checks/check_extra7122 b/checks/check_extra7122
index 438be869..3ea87a2d 100644
--- a/checks/check_extra7122
+++ b/checks/check_extra7122
@@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra7122="7.117" -CHECK_TITLE_extra7122="[extra7122] Check if Glue security configurations used by ETL Jobs have Job bookmark encryption enabled. (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra7122="[extra7122] Check if Glue security configurations used by ETL Jobs have Job bookmark encryption enabled." CHECK_SCORED_extra7122="NOT_SCORED" CHECK_TYPE_extra7122="EXTRA" CHECK_SEVERITY_extra7122="Medium" diff --git a/groups/group23_glue b/groups/group23_glue deleted file mode 100644 index 61bb8718..00000000 --- a/groups/group23_glue +++ /dev/null @@ -1,19 +0,0 @@ -#!/usr/bin/env bash - -# Prowler - the handy cloud security tool (copyright 2222) by Toni de la Fuente -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may not -# use this file except in compliance with the License. You may obtain a copy -# of the License at http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software distributed -# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR -# CONDITIONS OF ANY KIND, either express or implied. See the License for the -# specific language governing permissions and limitations under the License. - -GROUP_ID[23]='glue' -GROUP_NUMBER[23]='23.0' -GROUP_TITLE[23]='Amazon Glue related security checks - [glue] ********' -GROUP_RUN_BY_DEFAULT[23]='N' # run it when execute_all is called -GROUP_CHECKS[23]='extra7115,extra7116,extra7117,extra7118,extra7120,extra7122' - From b32538b7e5f03ae32e0effce4727675d0555d13b Mon Sep 17 00:00:00 2001 
From: Toni de la Fuente Date: Fri, 13 Nov 2020 19:05:19 +0100 Subject: [PATCH 10/21] Glue review 2 --- checks/check_extra7119 | 11 ----------- checks/check_extra7121 | 11 ----------- checks/check_extra7123 | 11 ----------- groups/group24_glue | 19 +++++++++++++++++++ 4 files changed, 19 insertions(+), 33 deletions(-) create mode 100644 groups/group24_glue diff --git a/checks/check_extra7119 b/checks/check_extra7119 index e5928f69..081cbbd5 100644 --- a/checks/check_extra7119 +++ b/checks/check_extra7119 @@ -11,17 +11,6 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. -# Remediation: -# -# https://www.cloudconformity.com/knowledge-base/aws/RDS/instance-deletion-protection.html -# https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html -# -# aws rds modify-db-instance \ -# --region us-east-1 \ -# --db-instance-identifier test-db \ -# --deletion-protection \ -# [--apply-immediately | --no-apply-immediately] - CHECK_ID_extra7119="7.119" CHECK_TITLE_extra7119="[extra7119] Check if Glue security configurations used by ETL Development endpoints have S3 encryption enabled." CHECK_SCORED_extra7119="NOT_SCORED" diff --git a/checks/check_extra7121 b/checks/check_extra7121 index e5d5c35f..2aa1ef5a 100644 --- a/checks/check_extra7121 +++ b/checks/check_extra7121 
@@ -11,17 +11,6 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. -# Remediation: -# -# https://www.cloudconformity.com/knowledge-base/aws/RDS/instance-deletion-protection.html -# https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html -# -# aws rds modify-db-instance \ -# --region us-east-1 \ -# --db-instance-identifier test-db \ -# --deletion-protection \ -# [--apply-immediately | --no-apply-immediately] - CHECK_ID_extra7121="7.121" CHECK_TITLE_extra7121="[extra7121] Check if Glue security configurations used by ETL Development endpoints have CloudWatch logs encryption enabled." CHECK_SCORED_extra7121="NOT_SCORED" diff --git a/checks/check_extra7123 b/checks/check_extra7123 index f601c9a4..a6671e86 100644 --- a/checks/check_extra7123 +++ b/checks/check_extra7123 @@ -11,17 +11,6 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. -# Remediation: -# -# https://www.cloudconformity.com/knowledge-base/aws/RDS/instance-deletion-protection.html -# https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html -# -# aws rds modify-db-instance \ -# --region us-east-1 \ -# --db-instance-identifier test-db \ -# --deletion-protection \ -# [--apply-immediately | --no-apply-immediately] - CHECK_ID_extra7123="7.123" CHECK_TITLE_extra7123="[extra7123] Check if Glue security configurations used by ETL Development endpoints have Job bookmark encryption enabled." CHECK_SCORED_extra7123="NOT_SCORED" diff --git a/groups/group24_glue b/groups/group24_glue new file mode 100644 index 00000000..4e06b2d0 --- /dev/null +++ b/groups/group24_glue 
@@ -0,0 +1,19 @@ +#!/usr/bin/env bash + +# Prowler - the handy cloud security tool (copyright 2222) by Toni de la Fuente +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may not +# use this file except in compliance with the License. You may obtain a copy +# of the License at http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed +# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +# CONDITIONS OF ANY KIND, either express or implied. See the License for the +# specific language governing permissions and limitations under the License. + +GROUP_ID[24]='glue' +GROUP_NUMBER[24]='24.0' +GROUP_TITLE[24]='Amazon Glue related security checks - [glue] ******************' +GROUP_RUN_BY_DEFAULT[24]='N' # run it when execute_all is called +GROUP_CHECKS[24]='extra7115,extra7116,extra7117,extra7118,extra7120,extra7122' + From 6e604e1834b2886a49bb47565efd3c22990e2ccd Mon Sep 17 00:00:00 2001 From: Toni de la Fuente Date: Mon, 16 Nov 2020 17:51:53 +0100 Subject: [PATCH 11/21] Some corrections for glue related checks --- checks/check_extra7115 | 4 ++-- checks/check_extra7116 | 4 ++-- checks/check_extra7117 | 6 +++--- checks/check_extra7118 | 16 ++++++++++------ checks/check_extra7120 | 12 ++++++------ checks/check_extra7122 | 8 ++++---- groups/group24_glue | 18 ++++++++++++++++++ 7 files changed, 45 insertions(+), 23 deletions(-) create mode 100644 groups/group24_glue diff --git a/checks/check_extra7115 b/checks/check_extra7115 index ad597b07..da606669 100644 --- a/checks/check_extra7115 +++ b/checks/check_extra7115 
@@ -21,14 +21,14 @@ CHECK_ALTERNATE_check7115="extra7115"
 extra7115(){
 for regx in $REGIONS; do
 CONNECTION_LIST=$($AWSCLI glue get-connections $PROFILE_OPT --region $regx --output json --query 'ConnectionList[*].{Name:Name,SSL:ConnectionProperties.JDBC_ENFORCE_SSL}')
- if [[ ! -z "$CONNECTION_LIST" ]]; then
+ if [[ $CONNECTION_LIST != '[]' ]]; then
 for connection in $(echo "${CONNECTION_LIST}" | jq -r '.[] | @base64'); do
 CONNECTION_NAME=$(echo $connection | base64 --decode | jq -r '.Name' )
 CONNECTION_SSL_STATE=$(echo $connection | base64 --decode | jq -r '.SSL')
 if [[ "$CONNECTION_SSL_STATE" == "false" ]]; then
 textFail "$regx: Glue connection $CONNECTION_NAME has SSL connection disabled" "$regx"
 else
- textInfo "$regx: Glue connection $CONNECTION_NAME has SSL connection enabled" "$regx"
+ textPass "$regx: Glue connection $CONNECTION_NAME has SSL connection enabled" "$regx"
 fi
 done
 else
diff --git a/checks/check_extra7116 b/checks/check_extra7116
index aa778774..2165b91a 100644
--- a/checks/check_extra7116
+++ b/checks/check_extra7116
@@ -22,9 +22,9 @@ extra7116(){
 for regx in $REGIONS; do
 METADATA_ENCRYPTED=$($AWSCLI glue get-data-catalog-encryption-settings $PROFILE_OPT --region $regx --output text --query "DataCatalogEncryptionSettings.EncryptionAtRest.CatalogEncryptionMode")
 if [[ "$METADATA_ENCRYPTED" == "DISABLED" ]]; then
- textFail "$regx: Glue data-catalog settings have metadata encryption disabled" "$regx"
+ textFail "$regx: Glue data catalog settings have metadata encryption disabled" "$regx"
 else
- textInfo "$regx: Glue data-catalog settings have metadata encryption enabled" "$regx"
+ textPass "$regx: Glue data catalog settings have metadata encryption enabled" "$regx"
 fi
 done
 }
diff --git a/checks/check_extra7117 b/checks/check_extra7117
index cd8b66b5..7c11c76d 100644
--- a/checks/check_extra7117
+++ b/checks/check_extra7117
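Review bot: The `== "false"` test that now feeds `textPass` lets a connection with no `JDBC_ENFORCE_SSL` property through as compliant: the `--query` projects `ConnectionProperties.JDBC_ENFORCE_SSL`, `jq -r '.SSL'` prints `null` when the key is absent, `null` is not `"false"`, so the `else` branch reports SSL as enabled for a connection that never enforced it. Fail closed by testing the affirmative value, `if [[ "$CONNECTION_SSL_STATE" != "true" ]]; then` followed by the existing `textFail`. Non-JDBC connection types presumably carry no such property and would then all fail, so it may be worth filtering on `ConnectionType` in the `--query` or reporting those as `textInfo`; I cannot see the connection types this account returns. The `else`/`done` lines that close the function are outside this hunk.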
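Review bot: Promoting the `else` branch of extra7116 to `textPass` makes a failed or empty lookup count as compliant: `$METADATA_ENCRYPTED` is only compared with `"DISABLED"`, so an empty result (CLI error, missing `glue:GetDataCatalogEncryptionSettings` permission) or the `None` the CLI's text output prints for a null field falls into the pass branch. Compare against the enabled mode instead and put the failure first, `if [[ "$METADATA_ENCRYPTED" != SSE-* ]]; then textFail ...`, so anything other than a documented encryption mode is a finding. The `SSE-KMS` mode name is from the Glue API as I recall it; confirm before relying on the glob.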
@@ -11,7 +11,7 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra7117="7.117"
-CHECK_TITLE_extra7117="[extra7117] Check if Glue data-catalog settings have Encrypt connection password enabled."
+CHECK_TITLE_extra7117="[extra7117] Check if Glue data catalog settings have encrypt connection password enabled."
 CHECK_SCORED_extra7117="NOT_SCORED"
 CHECK_TYPE_extra7117="EXTRA"
 CHECK_SEVERITY_extra7117="Medium"
@@ -22,9 +22,9 @@ extra7117(){
 for regx in $REGIONS; do
 METADATA_ENCRYPTED=$($AWSCLI glue get-data-catalog-encryption-settings $PROFILE_OPT --region $regx --output text --query "DataCatalogEncryptionSettings.ConnectionPasswordEncryption.ReturnConnectionPasswordEncrypted")
 if [[ "$METADATA_ENCRYPTED" == "False" ]]; then
- textFail "$regx: Glue Catalog connection password is not encrypted" "$regx"
+ textFail "$regx: Glue data catalog connection password is not encrypted" "$regx"
 else
- textInfo "$regx: Glue catalog connection password is encrypted" "$regx"
+ textPass "$regx: Glue data catalog connection password is encrypted" "$regx"
 fi
 done
 }
diff --git a/checks/check_extra7118 b/checks/check_extra7118
index abc02ac7..aa39907f 100644
--- a/checks/check_extra7118
+++ b/checks/check_extra7118
@@ -10,8 +10,8 @@
 # under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
-CHECK_ID_extra7118="7.117"
-CHECK_TITLE_extra7118="[extra7118] Check if Glue security configurations used by ETL Jobs have S3 encryption enabled."
+CHECK_ID_extra7118="7.118"
+CHECK_TITLE_extra7118="[extra7118] Check if Glue ETL Jobs have S3 encryption enabled."
 CHECK_SCORED_extra7118="NOT_SCORED"
 CHECK_TYPE_extra7118="EXTRA"
 CHECK_SEVERITY_extra7118="Medium"
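Review bot: In the `@@ -22,9` hunk of extra7117 the new `textPass` fires for every value other than the literal `False`, so an empty `$METADATA_ENCRYPTED` (API error, missing permission, region where the call is refused) is reported as an encrypted connection password. Invert the test so only the affirmative value passes, `if [[ "$METADATA_ENCRYPTED" != "True" ]]; then` followed by the existing `textFail`. If the CLI's text rendering of the boolean is not guaranteed to be exactly `True`/`False`, a case-insensitive compare such as `[[ "${METADATA_ENCRYPTED,,}" != "true" ]]` would be safer.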
@@ -21,7 +21,7 @@ CHECK_ALTERNATE_check7118="extra7118"
 extra7118(){
 for regx in $REGIONS; do
 JOB_LIST=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --output json --query 'Jobs[*].{Name:Name,SecurityConfiguration:SecurityConfiguration,JobEncryption:DefaultArguments."--encryption-type"}')
- if [[ ! -z "$JOB_LIST" ]]; then
+ if [[ $JOB_LIST != '[]' ]]; then
 for job in $(echo "${JOB_LIST}" | jq -r '.[] | @base64'); do
 JOB_NAME=$(echo $job | base64 --decode | jq -r '.Name')
 SECURITY_CONFIGURATION=$(echo $job | base64 --decode | jq -r '.SecurityConfiguration // empty')
@@ -29,12 +29,16 @@ extra7118(){
 if [[ ! -z "$SECURITY_CONFIGURATION" ]]; then
 S3_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${SECURITY_CONFIGURATION}" $PROFILE_OPT --region $regx --output text --query 'SecurityConfiguration.EncryptionConfiguration.S3Encryption[0].S3EncryptionMode')
 if [[ "$S3_ENCRYPTION" == "DISABLED" ]]; then
- textFail "$regx: Glue job $JOB_NAME does not have S3 encryption enabled" "$regx"
+ if [[ ! -z "$JOB_ENCRYPTION" ]]; then
+ textPass "$regx: Glue job $JOB_NAME does have $JOB_ENCRYPTION for S3 encryption enabled" "$regx"
+ else
+ textFail "$regx: Glue job $JOB_NAME does not have S3 encryption enabled" "$regx"
+ fi
 else
- textInfo "$regx: Glue job $JOB_NAME does have $S3_ENCRYPTION S3 encryption enabled" "$regx"
+ textPass "$regx: Glue job $JOB_NAME does have $S3_ENCRYPTION for S3 encryption enabled" "$regx"
 fi
 elif [[ ! -z "$JOB_ENCRYPTION" ]]; then
- textInfo "$regx: Glue job $JOB_NAME does have $JOB_ENCRYPTION S3 encryption enabled" "$regx"
+ textPass "$regx: Glue job $JOB_NAME does have $JOB_ENCRYPTION for S3 encryption enabled" "$regx"
 else
 textFail "$regx: Glue job $JOB_NAME does not have S3 encryption enabled" "$regx"
 fi
diff --git a/checks/check_extra7120 b/checks/check_extra7120
index 32a6053b..69695b7f 100644
--- a/checks/check_extra7120
+++ b/checks/check_extra7120
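Review bot: `[[ $JOB_LIST != '[]' ]]` is true for an empty string as well as for a populated list, so when `get-jobs` fails (AccessDenied, region not enabled) the region neither reports an error nor prints the "There are no Glue jobs" line; it simply goes silent, which is indistinguishable from a scanned region with no findings. A guard such as `if [[ -z "$JOB_LIST" ]]; then textInfo "$regx: Could not list Glue jobs" "$regx"; elif [[ "$JOB_LIST" != '[]' ]]; then` keeps the failure visible. The `for job in $(... | @base64)` loop tolerates the empty input because jq emits nothing, so the silence is the only symptom; the rest of the function is outside this hunk.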
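Review bot: The new inner `if` in the `@@ -29,12` hunk lets any non-empty `--encryption-type` default argument override a security configuration that explicitly says `DISABLED`, and the value is never validated, so a typo such as `sse-s4` still produces `textPass`. As far as I recall the only value Glue accepts for that argument is `sse-s3`; compare against it, `if [[ "$JOB_ENCRYPTION" == "sse-s3" ]]; then`, here and in the `elif` below. Separately, the outer test only looks for `DISABLED`, so an empty `$S3_ENCRYPTION` from a failed `get-security-configuration` call reaches the pass branch with the message `does have  for S3 encryption enabled`; matching the enabled modes (`[[ "$S3_ENCRYPTION" == SSE-* ]]`) would fail closed. The `done`/`else` that close the loop are outside this hunk.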
@@ -10,8 +10,8 @@
 # under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
-CHECK_ID_extra7120="7.117"
-CHECK_TITLE_extra7120="[extra7120] Check if Glue security configurations used by ETL Jobs have CloudWatch logs encryption enabled."
+CHECK_ID_extra7120="7.120"
+CHECK_TITLE_extra7120="[extra7120] Check if Glue ETL Jobs have CloudWatch Logs encryption enabled."
 CHECK_SCORED_extra7120="NOT_SCORED"
 CHECK_TYPE_extra7120="EXTRA"
 CHECK_SEVERITY_extra7120="Medium"
@@ -21,19 +21,19 @@ CHECK_ALTERNATE_check7120="extra7120"
 extra7120(){
 for regx in $REGIONS; do
 JOB_LIST=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --output json --query 'Jobs[*].{Name:Name,SecurityConfiguration:SecurityConfiguration}')
- if [[ ! -z "$JOB_LIST" ]]; then
+ if [[ $JOB_LIST != '[]' ]]; then
 for job in $(echo "${JOB_LIST}" | jq -r '.[] | @base64'); do
 JOB_NAME=$(echo $job | base64 --decode | jq -r '.Name')
 SECURITY_CONFIGURATION=$(echo $job | base64 --decode | jq -r '.SecurityConfiguration // empty')
 if [[ ! -z "$SECURITY_CONFIGURATION" ]]; then
 CLOUDWATCH_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${SECURITY_CONFIGURATION}" $PROFILE_OPT --region $regx --output text --query 'SecurityConfiguration.EncryptionConfiguration.CloudWatchEncryption.CloudWatchEncryptionMode')
 if [[ "$CLOUDWATCH_ENCRYPTION" == "DISABLED" ]]; then
- textFail "$regx: Glue job $JOB_NAME does not have CloudWatch logs encryption enabled" "$regx"
+ textFail "$regx: Glue job $JOB_NAME does not have CloudWatch Logs encryption enabled" "$regx"
 else
- textInfo "$regx: Glue job $JOB_NAME does have $CLOUDWATCH_ENCRYPTION CloudWatch logs encryption enabled" "$regx"
+ textPass "$regx: Glue job $JOB_NAME does have $CLOUDWATCH_ENCRYPTION CloudWatch Logs encryption enabled" "$regx"
 fi
 else
- textFail "$regx: Glue job $JOB_NAME does not have CloudWatch logs encryption enabled" "$regx"
+ textFail "$regx: Glue job $JOB_NAME does not have CloudWatch Logs encryption enabled" "$regx"
 fi
 done
 else
diff --git a/checks/check_extra7122 b/checks/check_extra7122
index 3ea87a2d..618181c4 100644
--- a/checks/check_extra7122
+++ b/checks/check_extra7122
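Review bot: Switching the `else` branch to `textPass` turns a failed `get-security-configuration` call into a pass: `$CLOUDWATCH_ENCRYPTION` is only compared with `"DISABLED"`, so an empty result or the `None` the CLI prints for a null field is reported as CloudWatch Logs encryption enabled, with the blank mode interpolated into the message. Test for the affirmative mode instead, `if [[ "$CLOUDWATCH_ENCRYPTION" != SSE-* ]]; then` with the `textFail` first and the `textPass` in the `else`. The `SSE-KMS` mode name is from the Glue API as I remember it; confirm before adopting the glob. The lines that close the function are outside this hunk.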
@@ -10,8 +10,8 @@
 # under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
-CHECK_ID_extra7122="7.117"
-CHECK_TITLE_extra7122="[extra7122] Check if Glue security configurations used by ETL Jobs have Job bookmark encryption enabled."
+CHECK_ID_extra7122="7.122"
+CHECK_TITLE_extra7122="[extra7122] Check if Glue ETL Jobs have Job bookmark encryption enabled."
 CHECK_SCORED_extra7122="NOT_SCORED"
 CHECK_TYPE_extra7122="EXTRA"
 CHECK_SEVERITY_extra7122="Medium"
@@ -21,7 +21,7 @@ CHECK_ALTERNATE_check7122="extra7122"
 extra7122(){
 for regx in $REGIONS; do
 JOB_LIST=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --output json --query 'Jobs[*].{Name:Name,SecurityConfiguration:SecurityConfiguration}')
- if [[ $JOB_LIST ]]; then
+ if [[ $JOB_LIST != '[]' ]]; then
 for job in $(echo "${JOB_LIST}" | jq -r '.[] | @base64'); do
 JOB_NAME=$(echo $job | base64 --decode | jq -r '.Name')
 SECURITY_CONFIGURATION=$(echo $job | base64 --decode | jq -r '.SecurityConfiguration // empty')
@@ -30,7 +30,7 @@ extra7122(){
 if [[ "$JOB_BOOKMARK_ENCRYPTION" == "DISABLED" ]]; then
 textFail "$regx: Glue job $JOB_NAME does not have Job bookmark encryption enabled" "$regx"
 else
- textInfo "$regx: Glue job $JOB_NAME does have $JOB_BOOKMARK_ENCRYPTION Job bookmark encryption enabled" "$regx"
+ textPass "$regx: Glue job $JOB_NAME does have $JOB_BOOKMARK_ENCRYPTION for Job bookmark encryption enabled" "$regx"
 fi
 else
 textFail "$regx: Glue job $JOB_NAME does not have Job bookmark encryption enabled" "$regx"
diff --git a/groups/group24_glue b/groups/group24_glue
new file mode 100644
index 00000000..518a6f24
--- /dev/null
+++ b/groups/group24_glue
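Review bot: In the `@@ -30,7` hunk the new `textPass` fires for every value other than `DISABLED`, so an empty `$JOB_BOOKMARK_ENCRYPTION` from a failed `get-security-configuration` call is reported as a pass with a blank mode in the message. Fail closed by matching the enabled mode, `if [[ "$JOB_BOOKMARK_ENCRYPTION" != CSE-* ]]; then textFail ...`; job bookmark encryption uses a client-side KMS mode (`CSE-KMS`) as far as I recall, so confirm the prefix against the API. The `if`/`else` that surround this hunk, including where `$JOB_BOOKMARK_ENCRYPTION` is assigned, are outside the visible lines.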
@@ -0,0 +1,18 @@ +#!/usr/bin/env bash + +# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may not +# use this file except in compliance with the License. You may obtain a copy +# of the License at http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed +# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +# CONDITIONS OF ANY KIND, either express or implied. See the License for the +# specific language governing permissions and limitations under the License. + +GROUP_ID[23]='glue' +GROUP_NUMBER[23]='23.0' +GROUP_TITLE[23]='Amazon Glue related security checks - [glue] ********' +GROUP_RUN_BY_DEFAULT[23]='N' # run it when execute_all is called +GROUP_CHECKS[23]='extra7115,extra7116,extra7117,extra7118,extra7120,extra7122' From 7cd1413c93ebab35485e0ccadccbd5a7d2212153 Mon Sep 17 00:00:00 2001 From: Toni de la Fuente Date: Mon, 16 Nov 2020 18:29:16 +0100 Subject: [PATCH 12/21] Glue grup 2 corrections --- checks/{check_extra7123 => check_extra7114} | 28 ++++++++++----------- checks/check_extra7119 | 18 ++++++------- checks/check_extra7121 | 18 +++++++------ groups/group24_glue | 2 +- 4 files changed, 33 insertions(+), 33 deletions(-) rename checks/{check_extra7123 => check_extra7114} (60%) diff --git a/checks/check_extra7123 b/checks/check_extra7114 similarity index 60% rename from checks/check_extra7123 rename to checks/check_extra7114 index a6671e86..a728c83f 100644 --- a/checks/check_extra7123 +++ b/checks/check_extra7114 
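Review bot: This copy of `groups/group24_glue` registers the group at index `[23]` while the file name, the copy created by the previous patch, and the hunk in the next patch all use `[24]`; applied in order, a second "create" of an existing file will not apply cleanly, and if this content wins, whatever other group already occupies slot 23 in `GROUP_ID`/`GROUP_CHECKS` is silently overwritten. Use `GROUP_ID[24]` and `GROUP_NUMBER[24]='24.0'` consistently, or drop this patch in favour of the one that first created the file. I cannot see the other group files, so the collision on slot 23 is inferred from the numbering convention rather than confirmed.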
@@ -11,34 +11,34 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
-CHECK_ID_extra7123="7.123"
-CHECK_TITLE_extra7123="[extra7123] Check if Glue security configurations used by ETL Development endpoints have Job bookmark encryption enabled."
-CHECK_SCORED_extra7123="NOT_SCORED"
-CHECK_TYPE_extra7123="EXTRA"
-CHECK_SEVERITY_extra7123="Medium"
-CHECK_ASFF_RESOURCE_TYPE_extra7123="AwsGlue"
-CHECK_ALTERNATE_check7123="extra7123"
+CHECK_ID_extra7114="7.114"
+CHECK_TITLE_extra7114="[extra7114] Check if Glue development endpoints have S3 encryption enabled."
+CHECK_SCORED_extra7114="NOT_SCORED"
+CHECK_TYPE_extra7114="EXTRA"
+CHECK_SEVERITY_extra7114="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7114="AwsGlue"
+CHECK_ALTERNATE_check7114="extra7114"
-extra7123(){
+extra7114(){
 for regx in $REGIONS; do
 LIST_EP_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Security:SecurityConfiguration}' --output json)
- if [[ ! -z "$LIST_EP_SC" ]]; then
+ if [[ $LIST_EP_SC != '[]' ]]; then
 for ep in $(echo "${LIST_EP_SC}"| jq -r '.[] | @base64');do
 ENDPOINT_NAME=$(echo $ep | base64 --decode | jq -r '.Name')
 ENDPOINT_SC=$(echo $ep | base64 --decode | jq -r '.Security // empty')
 if [[ ! -z "$ENDPOINT_SC" ]]; then
- ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode' --output text)
+ ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.S3Encryption[0].S3EncryptionMode' --output text)
 if [[ "$ENDPOINT_SC_ENCRYPTION" == "DISABLED" ]]; then
- textFail "$regx: Glue Development Endpoint $ENDPOINT_NAME does not have Job Bookmark encryption enabled!" "$regx"
+ textFail "$regx: Glue development endpoint $ENDPOINT_NAME does not have S3 encryption enabled!" "$regx"
 else
- textPass "$regx: Glue Development Endpoint $ENDPOINT_NAME has Job Bookmark encryption enabled" "$regx"
+ textPass "$regx: Glue development endpoint $ENDPOINT_NAME has S3 encryption enabled" "$regx"
 fi
 else
- textInfo "$regx: No Glue security configuration found" "$regx"
+ textFail "$regx: Glue development endpoint $ENDPOINT_NAME does not have security configuration" "$regx"
 fi
 done
 else
- textInfo "$regx: There are no Glue Development Endpoints" "$regx"
+ textInfo "$regx: There are no Glue development endpoints" "$regx"
 fi
 done
 }
diff --git a/checks/check_extra7119 b/checks/check_extra7119
index 081cbbd5..e8d60488 100644
--- a/checks/check_extra7119
+++ b/checks/check_extra7119
@@ -12,7 +12,7 @@
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra7119="7.119"
-CHECK_TITLE_extra7119="[extra7119] Check if Glue security configurations used by ETL Development endpoints have S3 encryption enabled."
+CHECK_TITLE_extra7119="[extra7119] Check if Glue development endpoints have CloudWatch logs encryption enabled."
 CHECK_SCORED_extra7119="NOT_SCORED"
 CHECK_TYPE_extra7119="EXTRA"
 CHECK_SEVERITY_extra7119="Medium"
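Review bot: The renamed extra7114 still passes when the security-configuration lookup yields nothing: `$ENDPOINT_SC_ENCRYPTION` is compared only with `DISABLED`, so an empty string (API error, missing permission) or the `None` the CLI prints for a null field reaches `textPass "... has S3 encryption enabled"`. Fail closed with `if [[ "$ENDPOINT_SC_ENCRYPTION" != SSE-* ]]; then` and the `textFail` first; the new `textFail` for an endpoint with no security configuration at all is the right call, and this makes the two paths consistent. `S3Encryption[0]` also inspects only the first entry of what the API returns as a list, so any later entry is ignored; I have not verified that configurations with several S3 entries occur in practice, but `S3Encryption[].S3EncryptionMode` with a loop over the result would not depend on it.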
@@ -22,25 +22,23 @@ CHECK_ALTERNATE_check7119="extra7119"
 extra7119(){
 for regx in $REGIONS; do
 LIST_EP_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Security:SecurityConfiguration}' --output json)
- if [[ ! -z "$LIST_EP_SC" ]]; then
+ if [[ $LIST_EP_SC != '[]' ]]; then
 for ep in $(echo "${LIST_EP_SC}"| jq -r '.[] | @base64');do
 ENDPOINT_NAME=$(echo $ep | base64 --decode | jq -r '.Name')
 ENDPOINT_SC=$(echo $ep | base64 --decode | jq -r '.Security // empty')
 if [[ ! -z "$ENDPOINT_SC" ]]; then
- ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.S3Encryption[0].S3EncryptionMode' --output text)
- if [[ "$ENDPOINT_SC_ENCRYPTION" == "DISABLED" ]]; then
- textFail "$regx: Glue Development Endpoint $ENDPOINT_NAME does not have S3 encryption enabled!" "$regx"
+ ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.CloudWatchEncryption.CloudWatchEncryptionMode' --output text)
+ if [[ $ENDPOINT_SC_ENCRYPTION == "DISABLED" ]]; then
+ textFail "$regx: Glue development endpoint $ENDPOINT_NAME does not have CloudWatch logs encryption enabled!" "$regx"
 else
- textPass "$regx: Glue Development Endpoint $ENDPOINT_NAME has S3 encryption enabled" "$regx"
+ textPass "$regx: Glue development endpoint $ENDPOINT_NAME has CloudWatch logs encryption enabled" "$regx"
 fi
 else
- textInfo "$regx: No Glue security configuration found for Development Endpoint $ENDPOINT_NAME" "$regx"
+ textFail "$regx: Glue development endpoint $ENDPOINT_NAME does not have security configuration" "$regx"
 fi
 done
 else
- textInfo "$regx: There are no Glue Development Endpoints" "$regx"
+ textInfo "$regx: There are no Glue development endpoints" "$regx"
 fi
 done
 }
-
-
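Review bot: The new `if [[ $ENDPOINT_SC_ENCRYPTION == "DISABLED" ]]` drops the quotes the removed line had and still treats every non-`DISABLED` value, including an empty one from a failed `get-security-configuration` call, as a pass. Keep the variable quoted and test for the enabled mode, `if [[ "$ENDPOINT_SC_ENCRYPTION" != SSE-* ]]; then` with the `textFail` first, so an unreadable configuration is reported as a finding rather than silently passing. The CloudWatch mode name (`SSE-KMS`) is as I recall the Glue API; please confirm before relying on the glob.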
diff --git a/checks/check_extra7121 b/checks/check_extra7121
index 2aa1ef5a..0dd83446 100644
--- a/checks/check_extra7121
+++ b/checks/check_extra7121
@@ -12,7 +12,7 @@
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra7121="7.121"
-CHECK_TITLE_extra7121="[extra7121] Check if Glue security configurations used by ETL Development endpoints have CloudWatch logs encryption enabled."
+CHECK_TITLE_extra7121="[extra7121] Check if Glue development endpoints have Job bookmark encryption enabled."
 CHECK_SCORED_extra7121="NOT_SCORED"
 CHECK_TYPE_extra7121="EXTRA"
 CHECK_SEVERITY_extra7121="Medium"
@@ -22,23 +22,25 @@ CHECK_ALTERNATE_check7121="extra7121"
 extra7121(){
 for regx in $REGIONS; do
 LIST_EP_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Security:SecurityConfiguration}' --output json)
- if [[ ! -z "$LIST_EP_SC" ]]; then
+ if [[ $LIST_EP_SC != '[]' ]]; then
 for ep in $(echo "${LIST_EP_SC}"| jq -r '.[] | @base64');do
 ENDPOINT_NAME=$(echo $ep | base64 --decode | jq -r '.Name')
 ENDPOINT_SC=$(echo $ep | base64 --decode | jq -r '.Security // empty')
 if [[ ! -z "$ENDPOINT_SC" ]]; then
- ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.CloudWatchEncryption.CloudWatchEncryptionMode' --output text)
- if [[ $ENDPOINT_SC_ENCRYPTION == "DISABLED" ]]; then
- textFail "$regx: Glue Development Endpoint $ENDPOINT_NAME does not have CloudWatch logs encryption enabled!" "$regx"
+ ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode' --output text)
+ if [[ "$ENDPOINT_SC_ENCRYPTION" == "DISABLED" ]]; then
+ textFail "$regx: Glue development endpoint $ENDPOINT_NAME does not have Job Bookmark encryption enabled!" "$regx"
 else
- textPass "$regx: Glue Development Endpoint $ENDPOINT_NAME has CloudWatch logs encryption enabled" "$regx"
+ textPass "$regx: Glue development endpoint $ENDPOINT_NAME has Job Bookmark encryption enabled" "$regx"
 fi
 else
- textInfo "$regx: No Glue security configuration found" "$regx"
+ textFail "$regx: Glue development endpoint $ENDPOINT_NAME does not have security configuration" "$regx"
 fi
 done
 else
- textInfo "$regx: There are no Glue Development Endpoints" "$regx"
+ textInfo "$regx: There are no Glue development endpoints" "$regx"
 fi
 done
 }
+
+
diff --git a/groups/group24_glue b/groups/group24_glue
index 4e06b2d0..3722b2cb 100644
--- a/groups/group24_glue
+++ b/groups/group24_glue
@@ -15,5 +15,5 @@
 GROUP_ID[24]='glue'
 GROUP_NUMBER[24]='24.0'
 GROUP_TITLE[24]='Amazon Glue related security checks - [glue] ******************'
 GROUP_RUN_BY_DEFAULT[24]='N' # run it when execute_all is called
-GROUP_CHECKS[24]='extra7115,extra7116,extra7117,extra7118,extra7120,extra7122'
+GROUP_CHECKS[24]='extra7114,extra7115,extra7116,extra7117,extra7118,extra7119,extra7120,extra7121,extra7122'
From 1576f2ba3999d88aa8e32f4ca56ec3699d027e08 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Mon, 16 Nov 2020 20:15:41 +0100
Subject: [PATCH 13/21] Added start build automatically
---
 .../codebuild-auditor-account-cfn.yaml | 65 ++++++++++++++++++-
 1 file changed, 63 insertions(+), 2 deletions(-)
diff --git a/util/codebuild/codebuild-auditor-account-cfn.yaml b/util/codebuild/codebuild-auditor-account-cfn.yaml
index 213a2703..d8b06a7a 100644
--- a/util/codebuild/codebuild-auditor-account-cfn.yaml
+++ b/util/codebuild/codebuild-auditor-account-cfn.yaml
@@ -19,6 +19,67 @@ Parameters: Default: -r eu-west-1 -f eu-west-1 -M text,junit-xml,html -c check11,check12,check13,check14 Resources: + CodeBuildStartBuild: + Type: 'Custom::CodeBuildStartBuild' + Properties: + Build: !Ref ProwlerCodeBuild + ServiceToken: + 'Fn::GetAtt': + - CodeBuildStartBuildLambda + - Arn + CodeBuildStartBuildLambdaRole: + Type: 'AWS::IAM::Role' + Properties: + AssumeRolePolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Principal: + Service: lambda.amazonaws.com + Action: + - 'sts:AssumeRole' + Path: / + ManagedPolicyArns: + - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole' + Policies: + - PolicyName: StartBuildInline + PolicyDocument: + Statement: + - Effect: Allow + Action: + - 'codebuild:StartBuild' + Resource: '*' + CodeBuildStartBuildLambda: + Type: 'AWS::Lambda::Function' + Properties: + Handler: index.lambda_handler + MemorySize: 128 + Role: + 'Fn::GetAtt': + - CodeBuildStartBuildLambdaRole + - Arn + Runtime: python3.6 + Timeout: 120 + Code: + ZipFile: | + import boto3 + import cfnresponse + from botocore.exceptions import ClientError + + def lambda_handler(event,context): + props = event['ResourceProperties'] + codebuil_client = boto3.client('codebuild') + + if (event['RequestType'] == 'Create' or event['RequestType'] == 'Update'): + try: + response = codebuil_client.start_build(projectName=props['Build']) + print(response) + print("Respond: SUCCESS") + cfnresponse.send(event, context, cfnresponse.SUCCESS, {}) + except Exception as ex: + print(ex.response['Error']['Message']) + cfnresponse.send(event, context, cfnresponse.FAILED, ex.response) + ArtifactBucket: Type: AWS::S3::Bucket Properties: 
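Review bot: The custom resource handler only answers CloudFormation for Create and Update, so a Delete request never reaches `cfnresponse.send` and stack deletion waits on CodeBuildStartBuild until the custom-resource timeout; an `else` branch that sends SUCCESS for Delete is needed. The `except Exception as ex` arm reads `ex.response`, which only botocore's ClientError carries, so any other error raises inside the handler and again leaves the stack without a response. The inline policy grants `codebuild:StartBuild` on `Resource: '*'`; since ProwlerCodeBuild does not appear to depend on this role, scoping it to `!GetAtt ProwlerCodeBuild.Arn` should be possible without a circular reference. ProwlerCodeBuild is defined outside this hunk.
```yaml
          # … unchanged: imports, props and client setup …
          if (event['RequestType'] == 'Create' or event['RequestType'] == 'Update'):
            try:
              response = codebuil_client.start_build(projectName=props['Build'])
              print(response)
              print("Respond: SUCCESS")
              cfnresponse.send(event, context, cfnresponse.SUCCESS, {})
            except ClientError as ex:
              print(ex.response['Error']['Message'])
              cfnresponse.send(event, context, cfnresponse.FAILED, {})
            except Exception as ex:
              print(str(ex))
              cfnresponse.send(event, context, cfnresponse.FAILED, {})
          else:
            # Delete has nothing to undo; answer so the stack does not hang
            cfnresponse.send(event, context, cfnresponse.SUCCESS, {})
```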
@@ -78,7 +139,7 @@ Resources:
 - id: W28
 reason: "Explicit name is required for this resource to avoid circular dependencies."
 Properties:
- RoleName: prowler-codebuild-role
+ RoleName: !Sub 'prowler-codebuild-role-${ServiceName}'
 Path: '/service-role/'
 ManagedPolicyArns:
 - 'arn:aws:iam::aws:policy/job-function/SupportUser'
@@ -197,7 +258,7 @@ Resources:
 ProwlerCodeBuildReportGroup:
 Type: AWS::CodeBuild::ReportGroup
 Properties:
- Name: prowler
+ Name: !Ref ServiceName
 Type: TEST
 ExportConfig:
 ExportConfigType: NO_EXPORT
From 345a8d48c4817ba394f8c10076974d0954ef07e2 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Wed, 18 Nov 2020 11:45:07 +0100
Subject: [PATCH 14/21] Added group for ENS - Spanish Esquema Nacional de Seguridad
---
 groups/group23_ens | 83 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 83 insertions(+)
 create mode 100644 groups/group23_ens
diff --git a/groups/group23_ens b/groups/group23_ens
new file mode 100644
index 00000000..689e5673
--- /dev/null
+++ b/groups/group23_ens
@@ -0,0 +1,83 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+GROUP_ID[23]='ens'
+GROUP_NUMBER[23]='23.0'
+GROUP_TITLE[23]='ENS Esquema Nacional de Seguridad security checks - [ens] *****'
+GROUP_RUN_BY_DEFAULT[23]='N' # run it when execute_all is called
+GROUP_CHECKS[23]='extra733,check13,check14,check121,extra7100,check120,check116,check12,check14,check13,check21,check25,check35,check24,check31,check36,check32,check33,check34,check22,extra71,check23,check23,check27,check37,extra736,extra737,extra713,check21,check29,extra793,extra792,extra764,extra738,check43,extra74,extra710,extra75,check41,check42,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra729,extra761,extra740,extra735,extra734,extra728,extra781,extra773,extra744'
+
+# ENS Control ID for AWS;Prowler checks that apply
+# op.acc.1.aws.iam.1;extra733
+# op.acc.1.aws.iam.2;todo
+# op.acc.1.aws.iam.3;check13
+# op.acc.1.aws.iam.4;check14
+# op.acc.1.aws.iam.5;check121
+# op.acc.2.aws.iam.1;extra7100
+# op.acc.1.aws.iam.4;check120
+# op.acc.3.aws.iam.1;check116
+# op.acc.4.aws.sys.1;todo ssm session manager
+# op.acc.5.aws.iam.1;check12
+# op.acc.5.aws.iam.2;todo
+# op.acc.5.aws.iam.3;check14
+# op.acc.5.aws.iam.4;check13
+# op.acc.7.aws.iam.1;check21
+# op.exp.1.aws.cfg.1;check25
+# op.exp.1.aws.sys.1;todo ssm inventory
+# op.exp.4.aws.sys.1;todo ssm compliance
+# op.exp.8.aws.trail.1;check35
+# op.exp.8.aws.cw.1;check24
+# op.exp.8.aws.trail.2;check31
+# op.exp.8.aws.trail.3;check36
+# op.exp.8.aws.trail.4;check32
+# op.exp.8.aws.trail.5;check33
+# op.exp.8.aws.trail.6;check34
+# op.exp.10.aws.trail.1;check22
+# op.exp.10.aws.trail.2;extra71
+# op.exp.10.aws.trail.3;check23
+# op.exp.10.aws.trail.4;check23
+# op.exp.10.aws.trail.5;check27
+# op.exp.11.aws.kms.1;check37
+# op.exp.11.aws.kms.2;extra736
+# op.exp.11.aws.kms.3;extra737
+# op.mon.1.aws.duty.1;extra713
+# op.mon.1.aws.trail.1;check21
+# op.mon.1.aws.flow.1;check29
+# mp.com.2.aws.elb.1;extra793
+# mp.com.2.aws.elb.2;extra792
+# mp.com.2.aws.s3.1;extra764
+# mp.com.2.aws.front.1;extra738
+# mp.com.4.aws.sg.1;check43
+# mp.com.4.aws.sg.2;extra74
+# mp.com.4.aws.vpc.1;extra710
+# mp.com.4.aws.sg.3;extra75
+# mp.com.4.aws.sg.4;check41
+# mp.com.4.aws.sg.5;check42
+# mp.com.4.aws.sg.6;extra749
+# mp.com.4.aws.sg.7;extra750
+# mp.com.4.aws.sg.8;extra751
+# mp.com.4.aws.sg.9;extra752
+# mp.com.4.aws.sg.10;extra753
+# mp.com.4.aws.sg.11;extra754
+# mp.com.4.aws.sg.12;extra755
+# mp.info.3.aws.dyndb.1;todo
+# mp.info.3.aws.ebs.1 ;extra729
+# mp.info.3.aws.ebs.2;extra761
+# mp.info.3.aws.ebs.3;extra740
+# mp.info.3.aws.rds.1;extra735
+# mp.info.3.s3.1;extra734
+# mp.info.3.sns.1;extra728
+# mp.info.3.aws.au.1;extra781
+# mp.s.2.aws.waf.1;extra773
+# mp.s.2.aws.waf.2;extra744
+# mp.s.2.aws.waf.3;todo
From 49423dee4a12ba20372507edce66fdddb33f74ee Mon Sep 17 00:00:00 2001
From: Ramon Diez
Date: Wed, 18 Nov 2020 12:42:01 +0100
Subject: [PATCH 15/21] fixing check_extra7116 and check_extra7117
---
 checks/check_extra7116 | 13 +++++++++----
 checks/check_extra7117 | 13 +++++++++----
 2 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/checks/check_extra7116 b/checks/check_extra7116
index 2165b91a..de077e4a 100644
--- a/checks/check_extra7116
+++ b/checks/check_extra7116
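Review bot: `GROUP_CHECKS[23]` lists `check13`, `check14`, `check21` and `check23` twice each, which presumably makes those checks run twice whenever the ens group is selected; each check should appear once in the list. The mapping comment also carries `op.acc.1.aws.iam.4` twice (check14 and check120), so one of the two control IDs is likely a copy error and `# op.acc.1.aws.iam.4;check120` should be verified against the ENS control list. The `todo` entries have no counterpart in GROUP_CHECKS, which is consistent, but a line such as `# todo = control has no Prowler check yet` under the header comment would make the convention explicit.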
@@ -20,11 +20,16 @@ CHECK_ALTERNATE_check7116="extra7116" extra7116(){ for regx in $REGIONS; do - METADATA_ENCRYPTED=$($AWSCLI glue get-data-catalog-encryption-settings $PROFILE_OPT --region $regx --output text --query "DataCatalogEncryptionSettings.EncryptionAtRest.CatalogEncryptionMode") - if [[ "$METADATA_ENCRYPTED" == "DISABLED" ]]; then - textFail "$regx: Glue data catalog settings have metadata encryption disabled" "$regx" + TABLE_LIST=$($AWSCLI glue search-tables --max-results 1 $PROFILE_OPT --region $regx --output text --query 'TableList[*]' ) + if [[ ! -z $TABLE_LIST ]]; then + METADATA_ENCRYPTED=$($AWSCLI glue get-data-catalog-encryption-settings $PROFILE_OPT --region $regx --output text --query "DataCatalogEncryptionSettings.EncryptionAtRest.CatalogEncryptionMode") + if [[ "$METADATA_ENCRYPTED" == "DISABLED" ]]; then + textFail "$regx: Glue data catalog settings have metadata encryption disabled" "$regx" + else + textPass "$regx: Glue data catalog settings have metadata encryption enabled" "$regx" + fi else - textPass "$regx: Glue data catalog settings have metadata encryption enabled" "$regx" + textInfo "$regx: Glue data catalog settings metadata encryption does not apply" "$regx" fi done } diff --git a/checks/check_extra7117 b/checks/check_extra7117 index 7c11c76d..808687c5 100644 --- a/checks/check_extra7117 +++ b/checks/check_extra7117 
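Review bot: In the new inner branch the `else` reports a pass for any METADATA_ENCRYPTED value other than DISABLED, so an empty string from a failed or unauthorized get-data-catalog-encryption-settings call becomes a textPass; comparing against the enabled value fails closed, `if [[ "$METADATA_ENCRYPTED" == "SSE-KMS" ]]; then textPass ... else textFail ...`. The outer `[[ ! -z $TABLE_LIST ]]` guard likewise turns an API error on search-tables into the "does not apply" info line, so the two cases are indistinguishable in the output. The extra7117 hunk below has the same else-is-pass shape with the boolean `ReturnConnectionPasswordEncrypted` value, where `== "True"` would be the positive test.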
@@ -20,11 +20,16 @@ CHECK_ALTERNATE_check7117="extra7117" extra7117(){ for regx in $REGIONS; do - METADATA_ENCRYPTED=$($AWSCLI glue get-data-catalog-encryption-settings $PROFILE_OPT --region $regx --output text --query "DataCatalogEncryptionSettings.ConnectionPasswordEncryption.ReturnConnectionPasswordEncrypted") - if [[ "$METADATA_ENCRYPTED" == "False" ]]; then - textFail "$regx: Glue data catalog connection password is not encrypted" "$regx" + CONNECTION_LIST=$($AWSCLI glue get-connections $PROFILE_OPT --region $regx --output text --query 'ConnectionList[*]') + if [[ ! -z $CONNECTION_LIST ]]; then + METADATA_ENCRYPTED=$($AWSCLI glue get-data-catalog-encryption-settings $PROFILE_OPT --region $regx --output text --query "DataCatalogEncryptionSettings.ConnectionPasswordEncryption.ReturnConnectionPasswordEncrypted") + if [[ "$METADATA_ENCRYPTED" == "False" ]]; then + textFail "$regx: Glue data catalog connection password is not encrypted" "$regx" + else + textPass "$regx: Glue data catalog connection password is encrypted" "$regx" + fi else - textPass "$regx: Glue data catalog connection password is encrypted" "$regx" + textInfo "$regx: Glue data catalog connection password encryption does not apply" "$regx" fi done } From 147fac077723e36d15a80f5d72ed7569fb6ad2d9 Mon Sep 17 00:00:00 2001 From: Stefan Kunkel Date: Wed, 18 Nov 2020 13:14:38 +0100 Subject: [PATCH 16/21] adapt check119 to exclude instances shutting down --- checks/check119 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/checks/check119 b/checks/check119 index bf37abe9..45530b98 100644 --- a/checks/check119 +++ b/checks/check119 
@@ -25,7 +25,7 @@ check119(){
 if [[ $INSTANCE_LIST ]]; then
 for instance in $INSTANCE_LIST; do
 STATE_NAME=$(echo $EC2_DATA | jq -r --arg i "$instance" 'select(.InstanceId==$i)|.StateName')
- if [[ $STATE_NAME != "terminated" ]]; then
+ if [[ $STATE_NAME != "terminated" || $STATE_NAME != "shutting-down" ]]; then
 PROFILEARN=$(echo $EC2_DATA | jq -r --arg i "$instance" 'select(.InstanceId==$i)|.ProfileArn')
 if [[ $PROFILEARN == "null" ]]; then
 textFail "$regx: Instance $instance not associated with an instance role" $regx
From 7397126794310c6ab8180f6428ba16df1b7548dd Mon Sep 17 00:00:00 2001
From: Stefan Kunkel
Date: Wed, 18 Nov 2020 13:25:28 +0100
Subject: [PATCH 17/21] adapt check119 to exclude instances shutting down brain fart: used logical 'or' instead of correct '&&'
---
 checks/check119 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/checks/check119 b/checks/check119
index 45530b98..63557bbe 100644
--- a/checks/check119
+++ b/checks/check119
@@ -25,7 +25,7 @@ check119(){
 if [[ $INSTANCE_LIST ]]; then
 for instance in $INSTANCE_LIST; do
 STATE_NAME=$(echo $EC2_DATA | jq -r --arg i "$instance" 'select(.InstanceId==$i)|.StateName')
- if [[ $STATE_NAME != "terminated" || $STATE_NAME != "shutting-down" ]]; then
+ if [[ $STATE_NAME != "terminated" && $STATE_NAME != "shutting-down" ]]; then
 PROFILEARN=$(echo $EC2_DATA | jq -r --arg i "$instance" 'select(.InstanceId==$i)|.ProfileArn')
 if [[ $PROFILEARN == "null" ]]; then
 textFail "$regx: Instance $instance not associated with an instance role" $regx
From f3d4cc85141126c5894dacbd35465259b447df2d Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Wed, 18 Nov 2020 13:31:20 +0100
Subject: [PATCH 18/21] Fixed extra7116 extra7117 outputs and added to extras
---
 checks/check_extra7116 | 4 ++--
 checks/check_extra7117 | 2 +-
 groups/group7_extras | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/checks/check_extra7116 b/checks/check_extra7116
index de077e4a..2dee0295 100644
--- a/checks/check_extra7116 +++ b/checks/check_extra7116 @@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra7116="7.116" -CHECK_TITLE_extra7116="[extra7116] Check if Glue data-catalog settings have metadata encryption enabled." +CHECK_TITLE_extra7116="[extra7116] Check if Glue data catalog settings have metadata encryption enabled." CHECK_SCORED_extra7116="NOT_SCORED" CHECK_TYPE_extra7116="EXTRA" CHECK_SEVERITY_extra7116="Medium" @@ -29,7 +29,7 @@ extra7116(){ textPass "$regx: Glue data catalog settings have metadata encryption enabled" "$regx" fi else - textInfo "$regx: Glue data catalog settings metadata encryption does not apply" "$regx" + textInfo "$regx: Glue data catalog settings metadata encryption does not apply since there are no tables" "$regx" fi done } diff --git a/checks/check_extra7117 b/checks/check_extra7117 index 808687c5..686cd729 100644 --- a/checks/check_extra7117 +++ b/checks/check_extra7117 @@ -29,7 +29,7 @@ extra7117(){ textPass "$regx: Glue data catalog connection password is encrypted" "$regx" fi else - textInfo "$regx: Glue data catalog connection password encryption does not apply" "$regx" + textInfo "$regx: Glue data catalog connection password encryption does not apply since there are no connections" "$regx" fi done } diff --git a/groups/group7_extras b/groups/group7_extras index 041b56df..3326013b 100644 --- a/groups/group7_extras +++ b/groups/group7_extras 
@@ -15,7 +15,7 @@
 GROUP_ID[7]='extras'
 GROUP_NUMBER[7]='7.0'
 GROUP_TITLE[7]='Extras - all non CIS specific checks - [extras] ****************'
 GROUP_RUN_BY_DEFAULT[7]='Y' # run it when execute_all is called
-GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra770,extra771,extra772,extra773,extra774,extra775,extra776,extra777,extra778,extra779,extra780,extra781,extra782,extra783,extra784,extra785,extra786,extra787,extra788,extra791,extra792,extra793,extra794,extra795,extra796,extra797,extra798,extra799,extra7100,extra7101,extra7102,extra7103,extra7104,extra7105,extra7106,extra7107,extra7108,extra7109,extra7110,extra7111,extra7112,extra7113'
+GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra770,extra771,extra772,extra773,extra774,extra775,extra776,extra777,extra778,extra779,extra780,extra781,extra782,extra783,extra784,extra785,extra786,extra787,extra788,extra791,extra792,extra793,extra794,extra795,extra796,extra797,extra798,extra799,extra7100,extra7101,extra7102,extra7103,extra7104,extra7105,extra7106,extra7107,extra7108,extra7109,extra7110,extra7111,extra7112,extra7113,extra7114,extra7115,extra7116,extra7117,extra7118,extra7119,extra7120,extra7121,extra7122'
 # Extras 759 and 760 (lambda variables and code secrets finder are not included)
 # to run detect-secrets use `./prowler -g secrets`
From fdc8c1ce363b99040c4369a725e11cf8aaa0cb79 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Wed, 18 Nov 2020 14:48:34 +0100
Subject: [PATCH 19/21] Added session durantion option to 12h
---
 iam/create_role_to_assume_cfn.yaml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/iam/create_role_to_assume_cfn.yaml b/iam/create_role_to_assume_cfn.yaml
index 386224da..0ad1a73b 100644
--- a/iam/create_role_to_assume_cfn.yaml
+++ b/iam/create_role_to_assume_cfn.yaml
@@ -37,11 +37,13 @@ Resources:
 Principal:
 AWS: !Sub ${AuthorisedARN}
 Action: 'sts:AssumeRole'
- ## In case MFA is required uncomment lines below
- ## and read https://github.com/toniblyx/prowler#run-prowler-with-mfa-protected-credentials
+ ## In case MFA is required uncomment lines below and read https://github.com/toniblyx/prowler#run-prowler-with-mfa-protected-credentials
 # Condition:
 # Bool:
 # 'aws:MultiFactorAuthPresent': true
+ # This is 12h that is maximum allowed, Minimum is 3600 = 1h
+ # to take advantage of this use -T like in './prowler -A -R ProwlerExecRole -T 43200 -M text,html'
+ MaxSessionDuration: 43200
 ManagedPolicyArns:
 - 'arn:aws:iam::aws:policy/SecurityAudit'
 - 'arn:aws:iam::aws:policy/job-function/ViewOnlyAccess'
From 53e95ac9f383fa9fe77c9065a3fa1fda447fabf8 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Wed, 18 Nov 2020 15:12:44 +0100
Subject: [PATCH 20/21] Improved CodeBuild CFN template with scheduler and documentation
---
 README.md | 6 +-
 ... codebuild-prowler-audit-account-cfn.yaml} | 107 +++++++++++++-----
 2 files changed, 84 insertions(+), 29 deletions(-)
 rename util/codebuild/{codebuild-auditor-account-cfn.yaml => codebuild-prowler-audit-account-cfn.yaml} (68%)
diff --git a/README.md b/README.md
index 9ee849d6..ff7c40d7 100644
--- a/README.md
+++ b/README.md
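Review bot: `MaxSessionDuration: 43200` raises the lifetime of every session assumed on a role carrying SecurityAudit and ViewOnlyAccess to twelve hours while the MFA condition above it stays commented out, so a leaked session token remains usable for the whole window by default. Making the long session opt-in is a small change: a Number parameter `MaxSessionDuration` with `Default: 3600`, `MinValue: 3600` and `MaxValue: 43200` in the Parameters section, and here `MaxSessionDuration: !Ref MaxSessionDuration`, with the existing comment noting that `-T 43200` is only honoured when the parameter is raised. The Parameters section is outside this hunk.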
@@ -385,7 +385,11 @@ To use Prowler and Security Hub integration in China regions there is an additio ## CodeBuild deployment -CodeBuild can help you running Prowler and there is a Cloud Formation template that helps you doing that [here](https://github.com/toniblyx/prowler/blob/master/util/codebuild/codebuild-auditor-account-cfn.yaml). +Either to run Prowler once or based on a schedule this template makes it pretty straight forward. This template will create a CodeBuild environment and run Prowler directly leaving all reports in a bucket and creating a report also inside CodeBuild basedon the JUnit output from Prowler. Scheduling can be cron based like `cron(0 22 * * ? *)` or rate based like `rate(5 hours)` since CloudWatch Event rules (or Eventbridge) is used here. + +The Cloud Formation template that helps you doing that is [here](https://github.com/toniblyx/prowler/blob/master/util/codebuild/codebuild-prowler-audit-account-cfn.yaml). + +> This is a simple solution to monitor one account. For multiples accounts see [Multi Account and Continuous Monitoring](util/org-multi-account/README.md). ## Whitelist or allowlist or remove a fail from resources diff --git a/util/codebuild/codebuild-auditor-account-cfn.yaml b/util/codebuild/codebuild-prowler-audit-account-cfn.yaml similarity index 68% rename from util/codebuild/codebuild-auditor-account-cfn.yaml rename to util/codebuild/codebuild-prowler-audit-account-cfn.yaml index d8b06a7a..381e4c54 100644 --- a/util/codebuild/codebuild-auditor-account-cfn.yaml +++ b/util/codebuild/codebuild-prowler-audit-account-cfn.yaml 
@@ -1,6 +1,6 @@
 ---
 AWSTemplateFormatVersion: 2010-09-09
-Description: Creates a CodeBuild project to audit the AWS account with Prowler and stores the html report in a S3 bucket / Original author https://github.com/stevecjones
+Description: Creates a CodeBuild project to audit the AWS account with Prowler and stores the html report in a S3 bucket / Original idea https://github.com/stevecjones
 Parameters:
 ServiceName:
 Description: 'Specifies the service name used within component naming'
@@ -8,15 +8,22 @@ Parameters: Default: 'prowler' LogsRetentionInDays: - Description: 'Specifies the number of days you want to retain CodeBuild run log events in the specified log group. Junit reports are kept for 30 days' + Description: 'Specifies the number of days you want to retain CodeBuild run log events in the specified log group. Junit reports are kept for 30 days, HTML reports in S3 are not deleted' Type: Number Default: 3 - AllowedValues: [1, 3, 5, 7, 14, 30, 60] + AllowedValues: [1, 3, 5, 7, 14, 30, 60, 90, 180, 365] ProwlerOptions: - Description: 'Options to pass to Prowler command, make sure at least -M junit-xml is used. -r for the region to send API queries, -f to filter only that region, -M output formats, -c for comma separated checks, for all checks do not use -c, for more options see -h' + Description: 'Options to pass to Prowler command, make sure at least -M junit-xml is used for CodeBuild reports. Use -r for the region to send API queries, -f to filter only one region, -M output formats, -c for comma separated checks, for all checks do not use -c or -g, for more options see -h. For a complete assessment use "-M text,junit-xml,html,csv,json", for SecurityHub integration use "-r region -f region -M text,junit-xml,html,csv,json,json-asff -S -q"' Type: String - Default: -r eu-west-1 -f eu-west-1 -M text,junit-xml,html -c check11,check12,check13,check14 + # Prowler command below runs a set of checks, configure it base on your needs, no options will run all regions all checks. + # option -M junit-xml is requirede in order to get the report in CodeBuild. + Default: -r eu-west-1 -f eu-west-1 -M text,junit-xml,html,csv,json -c check11,check12,check13,check14 + + ProwlerScheduler: + Description: The time when Prowler will run in cron format. Default is daily at 22:00h or 10PM 'cron(0 22 * * ? *)', for every 5 hours also works 'rate(5 hours)'. More info here https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/ScheduledEvents.html. 
+ Type: String + Default: 'cron(0 22 * * ? *)' Resources: CodeBuildStartBuild: @@ -27,6 +34,7 @@ Resources: 'Fn::GetAtt': - CodeBuildStartBuildLambda - Arn + CodeBuildStartBuildLambdaRole: Type: 'AWS::IAM::Role' Properties: @@ -49,17 +57,15 @@ Resources: Action: - 'codebuild:StartBuild' Resource: '*' + CodeBuildStartBuildLambda: Type: 'AWS::Lambda::Function' Properties: Handler: index.lambda_handler MemorySize: 128 - Role: - 'Fn::GetAtt': - - CodeBuildStartBuildLambdaRole - - Arn - Runtime: python3.6 + Role: !Sub ${CodeBuildStartBuildLambdaRole.Arn} Timeout: 120 + Runtime: python3.6 Code: ZipFile: | import boto3 @@ -85,14 +91,11 @@ Resources: Properties: Tags: - Key: Name - Value: !Join ['-', ['AP2', 'INF', !Ref 'ServiceName', !Ref 'AWS::AccountId', 'S3', 'Prowler']] - BucketName: !Sub '${ServiceName}-${AWS::Region}-prowler-${AWS::AccountId}' + Value: !Join ['-', [!Ref 'ServiceName', !Ref 'AWS::AccountId', 'S3', 'Prowler', !Ref AWS::StackName]] + BucketName: !Sub '${ServiceName}-reports-${AWS::Region}-prowler-${AWS::AccountId}' AccessControl: LogDeliveryWrite VersioningConfiguration: Status: Enabled - # LoggingConfiguration: - # DestinationBucketName: !ImportValue 'ProviderLogBucket' - # LogFilePrefix: !Sub '${ServiceName}-${AWS::Region}-prowler-${AWS::AccountId}/' BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: @@ -130,7 +133,6 @@ Resources: - !Join ['', ['arn:aws:s3:::', !Ref 'ArtifactBucket', '/*']] Sid: DenyUnEncryptedObjectUploads - # Codebuild Project CodeBuildServiceRole: Type: AWS::IAM::Role Metadata: @@ -139,7 +141,7 @@ Resources: - id: W28 reason: "Explicit name is required for this resource to avoid circular dependencies." Properties: - RoleName: !Sub 'prowler-codebuild-role-${ServiceName}' + RoleName: !Sub 'prowler-codebuild-role-${ServiceName}-${AWS::StackName}' Path: '/service-role/' ManagedPolicyArns: - 'arn:aws:iam::aws:policy/job-function/SupportUser' 
@@ -189,6 +191,14 @@ Resources:
 - codebuild:BatchPutCodeCoverages
 Effect: Allow
 Resource: !Sub 'arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/*'
+ - PolicyName: SecurityHubBatchImportFindings
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Action:
+ - securityhub:BatchImportFindings
+ Effect: Allow
+ Resource: !Sub 'arn:aws:securityhub:${AWS::Region}::product/prowler/prowler'
 - PolicyName: AssumeRole
 PolicyDocument:
 Version: '2012-10-17'
@@ -205,8 +215,6 @@ Resources:
 Type: NO_ARTIFACTS
 Source:
 Type: NO_SOURCE
- # Prowler command below runs a set of checks, configure it base on your needs, no options will run all regions all checks.
- # option -M junit-xml is requirede in order to get the report in CodeBuild.
 BuildSpec: |
 version: 0.2
 phases:
@@ -223,13 +231,13 @@ Resources:
 - git clone https://github.com/toniblyx/prowler
 build:
 commands:
- - echo "Running Prowler..."
+ - echo "Running Prowler as ./prowler $PROWLER_OPTIONS"
 - cd prowler
 - ./prowler $PROWLER_OPTIONS
 post_build:
 commands:
 - echo "Uploading reports to S3..."
- - aws s3 cp --sse AES256 output/*.html s3://$BUCKET_REPORT/
+ - aws s3 cp --sse AES256 output/ s3://$BUCKET_REPORT/ --recursive
 - echo "Done!"
 reports:
 prowler:
@@ -238,9 +246,11 @@ Resources:
 base-directory: 'prowler/junit-reports'
 file-format: JunitXml
 Environment:
- # UILD_GENERAL1_SMALL: Use up to 3 GB memory and 2 vCPUs for builds.
- # BUILD_GENERAL1_MEDIUM: Use up to 7 GB memory and 4 vCPUs for builds.
- # BUILD_GENERAL1_LARGE: Use up to 15 GB memory and 8 vCPUs for builds.
+ # AWS CodeBuild free tier includes 100 build minutes of BUILD_GENERAL1_SMALL per month.
+ # BUILD_GENERAL1_SMALL: Use up to 3 GB memory and 2 vCPUs for builds. $0.005/minute.
+ # BUILD_GENERAL1_MEDIUM: Use up to 7 GB memory and 4 vCPUs for builds. $0.01/minute.
+ # BUILD_GENERAL1_LARGE: Use up to 15 GB memory and 8 vCPUs for builds. $0.02/minute.
+ # BUILD_GENERAL1_2XLARGE: Use up to 144 GB memory and 72 vCPUs for builds. $0.20/minute.
 ComputeType: "BUILD_GENERAL1_SMALL"
 Image: "aws/codebuild/amazonlinux2-x86_64-standard:3.0"
 Type: "LINUX_CONTAINER"
@@ -258,7 +268,7 @@ Resources:
 ProwlerCodeBuildReportGroup:
 Type: AWS::CodeBuild::ReportGroup
 Properties:
- Name: !Ref ServiceName
+ Name: !Sub 'prowler-report-group-${ServiceName}-${AWS::StackName}'
 Type: TEST
 ExportConfig:
 ExportConfigType: NO_EXPORT
@@ -269,9 +279,50 @@ Resources: LogGroupName: !Sub '/aws/codebuild/${ProwlerCodeBuild}' RetentionInDays: !Ref LogsRetentionInDays + ProwlerSchedule: + Type: "AWS::Events::Rule" + Properties: + Description: > + A schedule for the Lambda function that triggers Prowler in CodeBuild.. + ScheduleExpression: !Ref ProwlerScheduler + State: ENABLED + Targets: + - Arn: !Sub ${ProwlerScheduleLambdaFunction.Arn} + Id: ProwlerSchedule + + ProwlerSchedulePermission: + Type: "AWS::Lambda::Permission" + Properties: + Action: 'lambda:InvokeFunction' + FunctionName: !Sub ${ProwlerScheduleLambdaFunction.Arn} + Principal: 'events.amazonaws.com' + SourceArn: !Sub ${ProwlerSchedule.Arn} + + ProwlerScheduleLambdaFunction: + Type: "AWS::Lambda::Function" + Properties: + Handler: index.lambda_handler + MemorySize: 128 + Role: !Sub ${CodeBuildStartBuildLambdaRole.Arn} + Timeout: 120 + Runtime: python3.6 + Environment: + Variables: + buildName: !Ref ProwlerCodeBuild + Code: + ZipFile: | + import boto3 + import os + + def lambda_handler(event,context): + codebuild_client = boto3.client('codebuild') + print("Running Prowler scheduled!: " + os.environ['buildName']) + project_name = os.environ['buildName'] + response = codebuild_client.start_build(projectName=project_name) + print(response) + print("Respond: SUCCESS") + Outputs: ArtifactBucketName: Description: Artifact Bucket Name - Value: !Ref 'ArtifactBucket' - Export: - Name: !Sub 'ArtifactBucketName-${ServiceName}' \ No newline at end of file + Value: !Ref 'ArtifactBucket' \ No newline at end of file From 72303ea126c6b6e15da4be8bfa983992f8561691 Mon Sep 17 00:00:00 2001 From: Toni de la Fuente Date: Fri, 20 Nov 2020 15:04:47 +0100 Subject: [PATCH 21/21] Fixed syntax typo --- util/codebuild/codebuild-prowler-audit-account-cfn.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
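Review bot: `print(response)` in the ProwlerScheduleLambdaFunction handler writes the entire StartBuild response to the function's CloudWatch log, and that response carries the build's environment variable values, so any secret-valued variable later added to ProwlerCodeBuild would be logged in clear; printing `response['build']['id']` is enough to trace the run, and the CodeBuildStartBuild handler earlier in the file does the same. The scheduled handler has no error handling, which is workable because a failed invocation surfaces as an invocation error, but a one-line comment stating that is the intent would help the next reader. The function reuses CodeBuildStartBuildLambdaRole, whose `codebuild:StartBuild` grant is on `'*'` although both functions only ever start this one project.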
diff --git a/util/codebuild/codebuild-prowler-audit-account-cfn.yaml b/util/codebuild/codebuild-prowler-audit-account-cfn.yaml
index 381e4c54..1022da6e 100644
--- a/util/codebuild/codebuild-prowler-audit-account-cfn.yaml
+++ b/util/codebuild/codebuild-prowler-audit-account-cfn.yaml
@@ -1,6 +1,6 @@
 ---
 AWSTemplateFormatVersion: 2010-09-09
-Description: Creates a CodeBuild project to audit the AWS account with Prowler and stores the html report in a S3 bucket / Original idea https://github.com/stevecjones
+Description: Creates a CodeBuild project to audit an AWS account with Prowler and stores the html report in a S3 bucket. This will run onece at the beginning and on a schedule afterwards. Partial contribution from https://github.com/stevecjones
 Parameters:
 ServiceName:
 Description: 'Specifies the service name used within component naming'
@@ -91,7 +91,7 @@ Resources:
 Properties:
 Tags:
 - Key: Name
- Value: !Join ['-', [!Ref 'ServiceName', !Ref 'AWS::AccountId', 'S3', 'Prowler', !Ref AWS::StackName]]
+ Value: !Join ['-', [!Ref 'ServiceName', !Ref 'AWS::AccountId', 'S3', 'Prowler', !Ref 'AWS::StackName']]
 BucketName: !Sub '${ServiceName}-reports-${AWS::Region}-prowler-${AWS::AccountId}'
 AccessControl: LogDeliveryWrite
 VersioningConfiguration: