From 9ed7d75c44b5aa6c6c7154838cdb27b18b7afd47 Mon Sep 17 00:00:00 2001
From: root
Date: Sat, 11 Jan 2020 21:38:21 -0500
Subject: [PATCH 1/2] Add command for check119
---
 checks/check119 | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)
diff --git a/checks/check119 b/checks/check119
index 5555bbe7..27f9b3a3 100644
--- a/checks/check119
+++ b/checks/check119
@@ -9,13 +9,27 @@
 # work. If not, see .
 CHECK_ID_check119="1.19"
-CHECK_TITLE_check119="[check119] Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)"
-CHECK_SCORED_check119="NOT_SCORED"
+CHECK_TITLE_check119="[check119] Ensure IAM instance roles are used for AWS resource access from instances (Scored)"
+CHECK_SCORED_check119="SCORED"
 CHECK_TYPE_check119="LEVEL2"
 CHECK_ALTERNATE_check119="check119"
 check119(){
- # "Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)"
- textInfo "No command available for check 1.19 "
- textInfo "See section 1.19 on the CIS Benchmark guide for details "
+ for regx in $REGIONS; do
+ EC2_DATA=$($AWSCLI ec2 describe-instances $PROFILE_OPT --region $regx --query 'Reservations[].Instances[].[InstanceId, IamInstanceProfile.Arn]')
+ EC2_DATA=$(echo $EC2_DATA | jq '.[]|{InstanceId: .[0], ProfileArn: .[1]}')
+ INSTANCE_LIST=$(echo $EC2_DATA | jq -r '.InstanceId')
+ if [[ $INSTANCE_LIST ]]; then
+ for instance in $INSTANCE_LIST; do
+ PROFILEARN=$(echo $EC2_DATA | jq -r --arg i "$instance" 'select(.InstanceId==$i)|.ProfileArn')
+ if [[ $PROFILEARN == "null" ]]; then
+ textFail "$regx: Instance $instance not associated with an instance role." $regx
+ else
+ textPass "$regx: Instance $instance associated with role ${PROFILEARN##*/}." $regx
+ fi
+ done
+ else
+ textInfo "$regx: No EC2 instances found" $regx
+ fi
+ done
 }
From 528e14d4cfa26da3bde0fe99ce62d7632d803240 Mon Sep 17 00:00:00 2001
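Review bot: The new loop in check119 reports every instance that describe-instances returns, which as far as I can tell includes recently terminated instances that carry no profile, so the check can raise FAIL for resources that no longer exist; adding `--filters Name=instance-state-name,Values=pending,running,stopping,stopped` to the `$AWSCLI ec2 describe-instances` line keeps the finding to live instances. The JSON is also fed to jq through unquoted `echo $EC2_DATA` three times, which word-splits and glob-expands the payload before jq parses it; `jq -r '.InstanceId' <<<"$EC2_DATA"` (and the same form on the EC2_DATA and PROFILEARN lines) avoids that and the extra process. Finally, `${PROFILEARN##*/}` is the instance-profile name from the ARN, which need not match the name of the role it contains, so the textPass message should say "instance profile" rather than "role" to avoid misleading whoever triages the report.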
From: Toni de la Fuente
Date: Mon, 10 Feb 2020 22:55:57 +0100
Subject: [PATCH 2/2] Update check119 updated to not scored
---
 checks/check119 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/checks/check119 b/checks/check119
index 27f9b3a3..015836e3 100644
--- a/checks/check119
+++ b/checks/check119
@@ -9,8 +9,8 @@
 # work. If not, see .
 CHECK_ID_check119="1.19"
-CHECK_TITLE_check119="[check119] Ensure IAM instance roles are used for AWS resource access from instances (Scored)"
-CHECK_SCORED_check119="SCORED"
+CHECK_TITLE_check119="[check119] Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)"
+CHECK_SCORED_check119="NOT_SCORED"
 CHECK_TYPE_check119="LEVEL2"
 CHECK_ALTERNATE_check119="check119"