From 65c63d5bdde85bcb4f4ac3adf948fa8f5bb7862a Mon Sep 17 00:00:00 2001 From: dlpzx Date: Tue, 3 Nov 2020 19:18:40 +0100 Subject: [PATCH 1/8] checks for glue - 7119,7121,7123,7124. 7125 not done yet --- checks/check_extra7119 | 53 ++++++++++++++++++++++++++++++++++++++++++ checks/check_extra7121 | 51 ++++++++++++++++++++++++++++++++++++++++ checks/check_extra7123 | 51 ++++++++++++++++++++++++++++++++++++++++ checks/check_extra7124 | 51 ++++++++++++++++++++++++++++++++++++++++ checks/check_extra7125 | 51 ++++++++++++++++++++++++++++++++++++++++ 5 files changed, 257 insertions(+) create mode 100644 checks/check_extra7119 create mode 100644 checks/check_extra7121 create mode 100644 checks/check_extra7123 create mode 100644 checks/check_extra7124 create mode 100644 checks/check_extra7125 diff --git a/checks/check_extra7119 b/checks/check_extra7119 new file mode 100644 index 00000000..78919000 --- /dev/null +++ b/checks/check_extra7119 @@ -0,0 +1,53 @@ +#!/usr/bin/env bash + +# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may not +# use this file except in compliance with the License. You may obtain a copy +# of the License at http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed +# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +# CONDITIONS OF ANY KIND, either express or implied. See the License for the +# specific language governing permissions and limitations under the License. + +# Remediation: +# +# https://www.cloudconformity.com/knowledge-base/aws/RDS/instance-deletion-protection.html +# https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html +# +# aws rds modify-db-instance \ +# --region us-east-1 \ +# --db-instance-identifier test-db \ +# --deletion-protection \ +# [--apply-immediately | --no-apply-immediately] + +CHECK_ID_extra7119="7.119" +CHECK_TITLE_extra7119="[extra7119] Security configurations used by ETL Development endpoints must have S3 encryption enabled." +CHECK_SCORED_extra7119="NOT_SCORED" +CHECK_TYPE_extra7119="EXTRA" +CHECK_SEVERITY_extra7119="Medium" +CHECK_ASFF_RESOURCE_TYPE_extra7119="AwsGlue" +CHECK_ALTERNATE_check7119="extra7119" + +extra7119(){ + textInfo "Looking for Development Endpoints in all regions... " + for regx in $REGIONS; do + LIST_GLUE_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].SecurityConfiguration' --output text) + if [[ $LIST_GLUE_SC ]]; then + for sc in $(echo '${LIST_GLUE_SC}'| jq -r '.[] | @base64');do + textInfo "$ENDPOINT_SECURITY" + ENDPOINT_SC_ENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx glue get-security-configurations $sc --query 'SecurityConfiguration.EncryptionConfiguration.S3Encryption.S3EncryptionMode' --output text) + if [[ENDPOINT_SC_ENCRYPTION == "DISABLED" ]]; then + textFail "$regx: Development Endpoint Security Configuration $sc has S3 encryption not enabled!" "$regx" + else + textPass "$regx: Development Endpoint Security Configuration $sc has S3 encryption enabled" "$regx" + fi + done + else + textInfo "$regx: No Security Configuration found" "$regx" + fi + done +} + + diff --git a/checks/check_extra7121 b/checks/check_extra7121 new file mode 100644 index 00000000..ba7d77c2 --- /dev/null +++ b/checks/check_extra7121 @@ -0,0 +1,51 @@ +#!/usr/bin/env bash + +# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may not +# use this file except in compliance with the License. You may obtain a copy +# of the License at http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed +# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +# CONDITIONS OF ANY KIND, either express or implied. See the License for the +# specific language governing permissions and limitations under the License. + +# Remediation: +# +# https://www.cloudconformity.com/knowledge-base/aws/RDS/instance-deletion-protection.html +# https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html +# +# aws rds modify-db-instance \ +# --region us-east-1 \ +# --db-instance-identifier test-db \ +# --deletion-protection \ +# [--apply-immediately | --no-apply-immediately] + +CHECK_ID_extra7121="7.121" +CHECK_TITLE_extra7121="[extra7121] Security configurations used by ETL Development endpoints must have CloudWatch logs encryption enabled." +CHECK_SCORED_extra7121="NOT_SCORED" +CHECK_TYPE_extra7121="EXTRA" +CHECK_SEVERITY_extra7121="Medium" +CHECK_ASFF_RESOURCE_TYPE_extra7121="AwsGlue" +CHECK_ALTERNATE_check7121="extra7121" + +extra7121(){ + textInfo "Looking for Development Endpoints in all regions... " + for regx in $REGIONS; do + LIST_GLUE_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].SecurityConfiguration' --output text) + if [[ $LIST_GLUE_SC ]]; then + for sc in $(echo '${LIST_GLUE_SC}'| jq -r '.[] | @base64');do + textInfo "$ENDPOINT_SECURITY" + ENDPOINT_SC_ENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx glue get-security-configurations $sc --query 'SecurityConfiguration.EncryptionConfiguration.CloudWatchEncryption.CloudWatchEncryptionMode' --output text) + if [[ENDPOINT_SC_ENCRYPTION == "DISABLED" ]]; then + textFail "$regx: Development Endpoint Security Configuration $sc has CloudWatch logs encryption not enabled!" "$regx" + else + textPass "$regx: Development Endpoint Security Configuration $sc has CloudWatch logs encryption enabled" "$regx" + fi + done + else + textInfo "$regx: No Security Configuration found" "$regx" + fi + done +} diff --git a/checks/check_extra7123 b/checks/check_extra7123 new file mode 100644 index 00000000..ab2032f6 --- /dev/null +++ b/checks/check_extra7123 @@ -0,0 +1,51 @@ +#!/usr/bin/env bash + +# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may not +# use this file except in compliance with the License. You may obtain a copy +# of the License at http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed +# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +# CONDITIONS OF ANY KIND, either express or implied. See the License for the +# specific language governing permissions and limitations under the License. + +# Remediation: +# +# https://www.cloudconformity.com/knowledge-base/aws/RDS/instance-deletion-protection.html +# https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html +# +# aws rds modify-db-instance \ +# --region us-east-1 \ +# --db-instance-identifier test-db \ +# --deletion-protection \ +# [--apply-immediately | --no-apply-immediately] + +CHECK_ID_extra7123="7.123" +CHECK_TITLE_extra7123="[extra7123] Security configurations used by ETL Development endpoints must have Job bookmark encryption enabled." +CHECK_SCORED_extra7123="NOT_SCORED" +CHECK_TYPE_extra7123="EXTRA" +CHECK_SEVERITY_extra7123="Medium" +CHECK_ASFF_RESOURCE_TYPE_extra7123="AwsGlue" +CHECK_ALTERNATE_check7123="extra7123" + +extra7123(){ + textInfo "Looking for Development Endpoints in all regions... " + for regx in $REGIONS; do + LIST_GLUE_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].SecurityConfiguration' --output text) + if [[ $LIST_GLUE_SC ]]; then + for sc in $(echo '${LIST_GLUE_SC}'| jq -r '.[] | @base64');do + textInfo "$ENDPOINT_SECURITY" + ENDPOINT_SC_ENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx glue get-security-configurations $sc --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode' --output text) + if [[ENDPOINT_SC_ENCRYPTION == "DISABLED" ]]; then + textFail "$regx: Development Endpoint Security Configuration $sc has bookmark encryption not enabled!" "$regx" + else + textPass "$regx: Development EndpointSecurity Configuration $sc has bookmark encryption enabled" "$regx" + fi + done + else + textInfo "$regx: No Security Configuration found" "$regx" + fi + done +} diff --git a/checks/check_extra7124 b/checks/check_extra7124 new file mode 100644 index 00000000..6a85ba75 --- /dev/null +++ b/checks/check_extra7124 @@ -0,0 +1,51 @@ +#!/usr/bin/env bash + +# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may not +# use this file except in compliance with the License. You may obtain a copy +# of the License at http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed +# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +# CONDITIONS OF ANY KIND, either express or implied. See the License for the +# specific language governing permissions and limitations under the License. + +# Remediation: +# +# https://www.cloudconformity.com/knowledge-base/aws/RDS/instance-deletion-protection.html +# https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html +# +# aws rds modify-db-instance \ +# --region us-east-1 \ +# --db-instance-identifier test-db \ +# --deletion-protection \ +# [--apply-immediately | --no-apply-immediately] + +CHECK_ID_extra7124="7.124" +CHECK_TITLE_extra7124="[extra7124] ETL Job Server-side encryption (Enables Amazon S3-managed encryption of the data at the target (SSE-S3) must be enabled." +CHECK_SCORED_extra7124="NOT_SCORED" +CHECK_TYPE_extra7124="EXTRA" +CHECK_SEVERITY_extra7124="Medium" +CHECK_ASFF_RESOURCE_TYPE_extra7124="AwsGlue" +CHECK_ALTERNATE_check7124="extra7124" + +extra7124(){ + textInfo "Looking for ETL Jobs in all regions... " + for regx in $REGIONS; do + LIST_GLUE_SC=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --query 'Jobs[*].SecurityConfiguration'--output text) + if [[ $LIST_GLUE_SC ]]; then + for sc in $(echo '${LIST_GLUE_SC}'| jq -r '.[] | @base64');do + textInfo "$ENDPOINT_SECURITY" + ENDPOINT_SC_ENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx glue get-security-configurations $sc --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode' --output text) + if [[ENDPOINT_SC_ENCRYPTION == "SSE-S3" ]]; then + textFail "$regx: ETL Job Security Configuration $sc has (SSE-S3) encryption enabled" "$regx" + else + textPass "$regx: ETL Job Security Configuration $sc has (SSE-S3) encryption is not enabled!" "$regx" + fi + done + else + textInfo "$regx: No ETL Development endpoints found" "$regx" + fi + done +} \ No newline at end of file diff --git a/checks/check_extra7125 b/checks/check_extra7125 new file mode 100644 index 00000000..5ad80d83 --- /dev/null +++ b/checks/check_extra7125 @@ -0,0 +1,51 @@ +#!/usr/bin/env bash + +# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may not +# use this file except in compliance with the License. You may obtain a copy +# of the License at http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed +# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +# CONDITIONS OF ANY KIND, either express or implied. See the License for the +# specific language governing permissions and limitations under the License. + +# Remediation: +# +# https://www.cloudconformity.com/knowledge-base/aws/RDS/instance-deletion-protection.html +# https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html +# +# aws rds modify-db-instance \ +# --region us-east-1 \ +# --db-instance-identifier test-db \ +# --deletion-protection \ +# [--apply-immediately | --no-apply-immediately] + +CHECK_ID_extra7125="7.125" +CHECK_TITLE_extra7125="[extra7125] AWS Glue must be used with VPC Endpoints." +CHECK_SCORED_extra7125="NOT_SCORED" +CHECK_TYPE_extra7125="EXTRA" +CHECK_SEVERITY_extra7125="Medium" +CHECK_ASFF_RESOURCE_TYPE_extra7125="AwsGlue" +CHECK_ALTERNATE_check7125="extra7125" + +extra7125(){ + textInfo "Looking for Development Endpoints in all regions... " + for regx in $REGIONS; do + LIST_GLUE_SC=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --query 'Jobs[*].SecurityConfiguration'--output text) + if [[ $LIST_GLUE_SC ]]; then + for sc in $(echo '${LIST_GLUE_SC}'| jq -r '.[] | @base64');do + textInfo "$ENDPOINT_SECURITY" + ENDPOINT_SC_ENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx glue get-security-configurations $sc --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode' --output text) + if [[ENDPOINT_SC_ENCRYPTION == "SSE-S3" ]]; then + textFail "$regx: ETL Job Security Configuration $sc has (SSE-S3) encryption enabled" "$regx" + else + textPass "$regx: ETL Job Security Configuration $sc has (SSE-S3) encryption is not enabled!" "$regx" + fi + done + else + textInfo "$regx: No ETL Development endpoints found" "$regx" + fi + done +} \ No newline at end of file From e0a8e0f31840a4ed827d62985de5bfcc75bc5c65 Mon Sep 17 00:00:00 2001 From: dlpzx Date: Mon, 9 Nov 2020 18:48:11 +0100 Subject: [PATCH 2/8] checks for glue - 7119, 7121, 7123,7124,7125 --- checks/check_extra7119 | 2 +- checks/check_extra7121 | 2 +- checks/check_extra7123 | 2 +- checks/check_extra7124 | 2 +- checks/check_extra7125 | 16 +++++++--------- 5 files changed, 11 insertions(+), 13 deletions(-) diff --git a/checks/check_extra7119 b/checks/check_extra7119 index 78919000..b21937ed 100644 --- a/checks/check_extra7119 +++ b/checks/check_extra7119 @@ -23,7 +23,7 @@ # [--apply-immediately | --no-apply-immediately] CHECK_ID_extra7119="7.119" -CHECK_TITLE_extra7119="[extra7119] Security configurations used by ETL Development endpoints must have S3 encryption enabled." +CHECK_TITLE_extra7119="[extra7119] Check if Security configurations used by ETL Development endpoints have S3 encryption enabled." CHECK_SCORED_extra7119="NOT_SCORED" CHECK_TYPE_extra7119="EXTRA" CHECK_SEVERITY_extra7119="Medium" diff --git a/checks/check_extra7121 b/checks/check_extra7121 index ba7d77c2..7a0cd218 100644 --- a/checks/check_extra7121 +++ b/checks/check_extra7121 @@ -23,7 +23,7 @@ # [--apply-immediately | --no-apply-immediately] CHECK_ID_extra7121="7.121" -CHECK_TITLE_extra7121="[extra7121] Security configurations used by ETL Development endpoints must have CloudWatch logs encryption enabled." +CHECK_TITLE_extra7121="[extra7121] Check if Security configurations used by ETL Development endpoints have CloudWatch logs encryption enabled." CHECK_SCORED_extra7121="NOT_SCORED" CHECK_TYPE_extra7121="EXTRA" CHECK_SEVERITY_extra7121="Medium" diff --git a/checks/check_extra7123 b/checks/check_extra7123 index ab2032f6..52c451b2 100644 --- a/checks/check_extra7123 +++ b/checks/check_extra7123 @@ -23,7 +23,7 @@ # [--apply-immediately | --no-apply-immediately] CHECK_ID_extra7123="7.123" -CHECK_TITLE_extra7123="[extra7123] Security configurations used by ETL Development endpoints must have Job bookmark encryption enabled." +CHECK_TITLE_extra7123="[extra7123] Check if Security configurations used by ETL Development endpoints have Job bookmark encryption enabled." CHECK_SCORED_extra7123="NOT_SCORED" CHECK_TYPE_extra7123="EXTRA" CHECK_SEVERITY_extra7123="Medium" diff --git a/checks/check_extra7124 b/checks/check_extra7124 index 6a85ba75..cdc814ba 100644 --- a/checks/check_extra7124 +++ b/checks/check_extra7124 @@ -23,7 +23,7 @@ # [--apply-immediately | --no-apply-immediately] CHECK_ID_extra7124="7.124" -CHECK_TITLE_extra7124="[extra7124] ETL Job Server-side encryption (Enables Amazon S3-managed encryption of the data at the target (SSE-S3) must be enabled." +CHECK_TITLE_extra7124="[extra7124] Check if ETL Job Server-side encryption (Enables Amazon S3-managed encryption of the data at the target, SSE-S3) is enabled." CHECK_SCORED_extra7124="NOT_SCORED" CHECK_TYPE_extra7124="EXTRA" CHECK_SEVERITY_extra7124="Medium" diff --git a/checks/check_extra7125 b/checks/check_extra7125 index 5ad80d83..c5097c9c 100644 --- a/checks/check_extra7125 +++ b/checks/check_extra7125 @@ -23,7 +23,7 @@ # [--apply-immediately | --no-apply-immediately] CHECK_ID_extra7125="7.125" -CHECK_TITLE_extra7125="[extra7125] AWS Glue must be used with VPC Endpoints." +CHECK_TITLE_extra7125="[extra7125] Checks if AWS Glue is used with VPC Endpoints." CHECK_SCORED_extra7125="NOT_SCORED" CHECK_TYPE_extra7125="EXTRA" CHECK_SEVERITY_extra7125="Medium" @@ -33,19 +33,17 @@ CHECK_ALTERNATE_check7125="extra7125" extra7125(){ textInfo "Looking for Development Endpoints in all regions... " for regx in $REGIONS; do - LIST_GLUE_SC=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --query 'Jobs[*].SecurityConfiguration'--output text) + LIST_GLUE_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].PrivateAddress' --output text) if [[ $LIST_GLUE_SC ]]; then - for sc in $(echo '${LIST_GLUE_SC}'| jq -r '.[] | @base64');do - textInfo "$ENDPOINT_SECURITY" - ENDPOINT_SC_ENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx glue get-security-configurations $sc --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode' --output text) - if [[ENDPOINT_SC_ENCRYPTION == "SSE-S3" ]]; then - textFail "$regx: ETL Job Security Configuration $sc has (SSE-S3) encryption enabled" "$regx" + for pa in $(echo '${LIST_GLUE_SC}'| jq -r '.[] | @base64');do + if [[ ! pa ]]; then + textFail "$regx: AWS Glue uses a VPC Endpoint $pa" "$regx" else - textPass "$regx: ETL Job Security Configuration $sc has (SSE-S3) encryption is not enabled!" "$regx" + textPass "$regx: AWS Glue does not use a VPC Endpoint $pa" "$regx" fi done else - textInfo "$regx: No ETL Development endpoints found" "$regx" + textInfo "$regx: No Security Configuration found" "$regx" fi done } \ No newline at end of file From ebe2594456ce90bc9413b5102bc7676d48e7f7c9 Mon Sep 17 00:00:00 2001 From: dlpzx Date: Mon, 9 Nov 2020 19:17:00 +0100 Subject: [PATCH 3/8] checks for glue - 7119, 7121, 7123,7124,7125 --- checks/check_extra7124 | 4 ++-- checks/check_extra7125 | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/checks/check_extra7124 b/checks/check_extra7124 index cdc814ba..66073203 100644 --- a/checks/check_extra7124 +++ b/checks/check_extra7124 @@ -33,7 +33,7 @@ CHECK_ALTERNATE_check7124="extra7124" extra7124(){ textInfo "Looking for ETL Jobs in all regions... " for regx in $REGIONS; do - LIST_GLUE_SC=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --query 'Jobs[*].SecurityConfiguration'--output text) + LIST_GLUE_SC=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --query 'Jobs[*].SecurityConfiguration' --output text) if [[ $LIST_GLUE_SC ]]; then for sc in $(echo '${LIST_GLUE_SC}'| jq -r '.[] | @base64');do textInfo "$ENDPOINT_SECURITY" @@ -45,7 +45,7 @@ extra7124(){ fi done else - textInfo "$regx: No ETL Development endpoints found" "$regx" + textInfo "$regx: No ETL Jobs found" "$regx" fi done } \ No newline at end of file diff --git a/checks/check_extra7125 b/checks/check_extra7125 index c5097c9c..fe50aac9 100644 --- a/checks/check_extra7125 +++ b/checks/check_extra7125 @@ -43,7 +43,7 @@ extra7125(){ fi done else - textInfo "$regx: No Security Configuration found" "$regx" + textInfo "$regx: No Private Addresses for endpoints found" "$regx" fi done } \ No newline at end of file From 39a7c3b18e2911b205d3ef8cf6bfe043f069110d Mon Sep 17 00:00:00 2001 From: dlpzx Date: Tue, 10 Nov 2020 13:05:22 +0100 Subject: [PATCH 4/8] checks for glue - 7119, 7121, 7123,7124,7125 --- checks/check_extra7119 | 23 ++++++++++++++--------- checks/check_extra7121 | 23 ++++++++++++++--------- checks/check_extra7123 | 25 ++++++++++++++++--------- checks/check_extra7124 | 30 +++++++++++++++++++----------- checks/check_extra7125 | 16 +++++++++------- 5 files changed, 72 insertions(+), 45 deletions(-) diff --git a/checks/check_extra7119 b/checks/check_extra7119 index b21937ed..7ef85252 100644 --- a/checks/check_extra7119 +++ b/checks/check_extra7119 @@ -33,19 +33,24 @@ CHECK_ALTERNATE_check7119="extra7119" extra7119(){ textInfo "Looking for Development Endpoints in all regions... " for regx in $REGIONS; do - LIST_GLUE_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].SecurityConfiguration' --output text) - if [[ $LIST_GLUE_SC ]]; then - for sc in $(echo '${LIST_GLUE_SC}'| jq -r '.[] | @base64');do - textInfo "$ENDPOINT_SECURITY" - ENDPOINT_SC_ENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx glue get-security-configurations $sc --query 'SecurityConfiguration.EncryptionConfiguration.S3Encryption.S3EncryptionMode' --output text) - if [[ENDPOINT_SC_ENCRYPTION == "DISABLED" ]]; then - textFail "$regx: Development Endpoint Security Configuration $sc has S3 encryption not enabled!" "$regx" + LIST_EP_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Security:SecurityConfiguration}' --output json) + if [[ ! -z "$LIST_EP_SC" ]]; then + for ep in $(echo "${LIST_EP_SC}"| jq -r '.[] | @base64');do + ENDPOINT_NAME=$(echo $ep | base64 --decode | jq -r '.Name') + ENDPOINT_SC=$(echo $ep | base64 --decode | jq -r '.Security // empty') + if [[ ! -z "$ENDPOINT_SC" ]]; then + ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.S3Encryption[0].S3EncryptionMode' --output text) + if [[ "$ENDPOINT_SC_ENCRYPTION" == "DISABLED" ]]; then + textFail "$regx: Development Endpoint $ENDPOINT_NAME does not have S3 encryption enabled!" "$regx" + else + textPass "$regx: Development Endpoint $ENDPOINT_NAME has S3 encryption enabled" "$regx" + fi else - textPass "$regx: Development Endpoint Security Configuration $sc has S3 encryption enabled" "$regx" + textInfo "$regx: No Security Configuration found for Development Endpoint $ENDPOINT_NAME" "$regx" fi done else - textInfo "$regx: No Security Configuration found" "$regx" + textInfo "$regx: There are no Development Endpoints" "$regx" fi done } diff --git a/checks/check_extra7121 b/checks/check_extra7121 index 7a0cd218..6b7f99c3 100644 --- a/checks/check_extra7121 +++ b/checks/check_extra7121 @@ -33,19 +33,24 @@ CHECK_ALTERNATE_check7121="extra7121" extra7121(){ textInfo "Looking for Development Endpoints in all regions... " for regx in $REGIONS; do - LIST_GLUE_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].SecurityConfiguration' --output text) - if [[ $LIST_GLUE_SC ]]; then - for sc in $(echo '${LIST_GLUE_SC}'| jq -r '.[] | @base64');do - textInfo "$ENDPOINT_SECURITY" - ENDPOINT_SC_ENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx glue get-security-configurations $sc --query 'SecurityConfiguration.EncryptionConfiguration.CloudWatchEncryption.CloudWatchEncryptionMode' --output text) - if [[ENDPOINT_SC_ENCRYPTION == "DISABLED" ]]; then - textFail "$regx: Development Endpoint Security Configuration $sc has CloudWatch logs encryption not enabled!" "$regx" + LIST_EP_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Security:SecurityConfiguration}' --output json) + if [[ ! -z "$LIST_EP_SC" ]]; then + for ep in $(echo "${LIST_EP_SC}"| jq -r '.[] | @base64');do + ENDPOINT_NAME=$(echo $ep | base64 --decode | jq -r '.Name') + ENDPOINT_SC=$(echo $ep | base64 --decode | jq -r '.Security // empty') + if [[ ! -z "$ENDPOINT_SC" ]]; then + ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.CloudWatchEncryption.CloudWatchEncryptionMode' --output text) + if [[ $ENDPOINT_SC_ENCRYPTION == "DISABLED" ]]; then + textFail "$regx: Development Endpoint $ENDPOINT_NAME does not have CloudWatch logs encryption enabled!" "$regx" + else + textPass "$regx: Development Endpoint $ENDPOINT_NAME has CloudWatch logs encryption enabled" "$regx" + fi else - textPass "$regx: Development Endpoint Security Configuration $sc has CloudWatch logs encryption enabled" "$regx" + textInfo "$regx: No Security Configuration found" "$regx" fi done else - textInfo "$regx: No Security Configuration found" "$regx" + textInfo "$regx: There are no Development Endpoints" "$regx" fi done } diff --git a/checks/check_extra7123 b/checks/check_extra7123 index 52c451b2..bd5cb5ec 100644 --- a/checks/check_extra7123 +++ b/checks/check_extra7123 @@ -33,19 +33,26 @@ CHECK_ALTERNATE_check7123="extra7123" extra7123(){ textInfo "Looking for Development Endpoints in all regions... " for regx in $REGIONS; do - LIST_GLUE_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].SecurityConfiguration' --output text) - if [[ $LIST_GLUE_SC ]]; then - for sc in $(echo '${LIST_GLUE_SC}'| jq -r '.[] | @base64');do - textInfo "$ENDPOINT_SECURITY" - ENDPOINT_SC_ENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx glue get-security-configurations $sc --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode' --output text) - if [[ENDPOINT_SC_ENCRYPTION == "DISABLED" ]]; then - textFail "$regx: Development Endpoint Security Configuration $sc has bookmark encryption not enabled!" "$regx" + LIST_EP_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Security:SecurityConfiguration}' --output json) + if [[ ! -z "$LIST_EP_SC" ]]; then + for ep in $(echo "${LIST_EP_SC}"| jq -r '.[] | @base64');do + ENDPOINT_NAME=$(echo $ep | base64 --decode | jq -r '.Name') + ENDPOINT_SC=$(echo $ep | base64 --decode | jq -r '.Security // empty') + if [[ ! -z "$ENDPOINT_SC" ]]; then + ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode' --output text) + if [[ "$ENDPOINT_SC_ENCRYPTION" == "DISABLED" ]]; then + textFail "$regx: Development Endpoint $ENDPOINT_NAME does not have Job Bookmark encryption enabled!" "$regx" + else + textPass "$regx: Development Endpoint $ENDPOINT_NAME has Job Bookmark encryption enabled" "$regx" + fi else - textPass "$regx: Development EndpointSecurity Configuration $sc has bookmark encryption enabled" "$regx" + textInfo "$regx: No Security Configuration found" "$regx" fi done else - textInfo "$regx: No Security Configuration found" "$regx" + textInfo "$regx: There are no Development Endpoints" "$regx" fi done } + + diff --git a/checks/check_extra7124 b/checks/check_extra7124 index 66073203..b531cda9 100644 --- a/checks/check_extra7124 +++ b/checks/check_extra7124 @@ -33,19 +33,27 @@ CHECK_ALTERNATE_check7124="extra7124" extra7124(){ textInfo "Looking for ETL Jobs in all regions... " for regx in $REGIONS; do - LIST_GLUE_SC=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --query 'Jobs[*].SecurityConfiguration' --output text) - if [[ $LIST_GLUE_SC ]]; then - for sc in $(echo '${LIST_GLUE_SC}'| jq -r '.[] | @base64');do - textInfo "$ENDPOINT_SECURITY" - ENDPOINT_SC_ENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx glue get-security-configurations $sc --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode' --output text) - if [[ENDPOINT_SC_ENCRYPTION == "SSE-S3" ]]; then - textFail "$regx: ETL Job Security Configuration $sc has (SSE-S3) encryption enabled" "$regx" - else - textPass "$regx: ETL Job Security Configuration $sc has (SSE-S3) encryption is not enabled!" "$regx" - fi + JOB_LIST=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --output json --query 'Jobs[*].{Name:Name,SecurityConfiguration:SecurityConfiguration,JobEncryption:DefaultArguments."--encryption-type"}') + if [[ ! -z "$JOB_LIST" ]]; then + for job in $(echo "${JOB_LIST}" | jq -r '.[] | @base64'); do + JOB_NAME=$(echo $job | base64 --decode | jq -r '.Name') + SECURITY_CONFIGURATION=$(echo $job | base64 --decode | jq -r '.SecurityConfiguration // empty') + JOB_ENCRYPTION=$(echo $job | base64 --decode | jq -r '.JobEncryption // empty') + if [[ ! -z "$SECURITY_CONFIGURATION" ]]; then + S3_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${SECURITY_CONFIGURATION}" $PROFILE_OPT --region $regx --output text --query 'SecurityConfiguration.EncryptionConfiguration.S3Encryption[0].S3EncryptionMode') + if [[ "$S3_ENCRYPTION" == "SSE-S3" ]]; then + textFail "$regx: Job $JOB_NAME has Server side encryption (SSE-S3) enabled" "$regx" + else + textInfo "$regx: Job $JOB_NAME does not have Server side encryption (SSE-S3) enabled" "$regx" + fi + elif [[ ! -z "$JOB_ENCRYPTION" ]]; then + textInfo "$regx: Job $JOB_NAME does have $JOB_ENCRYPTION S3 encryption enabled" "$regx" + else + textFail "$regx: Job $JOB_NAME does not have S3 encryption enabled" "$regx" + fi done else - textInfo "$regx: No ETL Jobs found" "$regx" + textInfo "$regx: There are no ETL jobs" "$regx" fi done } \ No newline at end of file diff --git a/checks/check_extra7125 b/checks/check_extra7125 index fe50aac9..1444230f 100644 --- a/checks/check_extra7125 +++ b/checks/check_extra7125 @@ -33,17 +33,19 @@ CHECK_ALTERNATE_check7125="extra7125" extra7125(){ textInfo "Looking for Development Endpoints in all regions... " for regx in $REGIONS; do - LIST_GLUE_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].PrivateAddress' --output text) - if [[ $LIST_GLUE_SC ]]; then - for pa in $(echo '${LIST_GLUE_SC}'| jq -r '.[] | @base64');do - if [[ ! pa ]]; then - textFail "$regx: AWS Glue uses a VPC Endpoint $pa" "$regx" + LIST_EP_PA=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Address:PrivateAddress}' --output json) + if [[ ! -z "$LIST_EP_PA" ]]; then + for ep in $(echo "${LIST_EP_PA}" | jq -r '.[] | @base64'); do + EP_NAME=$(echo $ep | base64 --decode | jq -r '.Name') + PRIVATE_ADDRESS=$(echo $ep | base64 --decode | jq -r '.Address') + if [[ ! -z "$PRIVATE_ADDRESS" ]]; then + textFail "$regx: AWS Glue Development Endpoint $EP_NAME uses a VPC Endpoint" "$regx" else - textPass "$regx: AWS Glue does not use a VPC Endpoint $pa" "$regx" + textPass "$regx: AWS Glue Development Endpoint $EP_NAME does not use a VPC Endpoint" "$regx" fi done else - textInfo "$regx: No Private Addresses for endpoints found" "$regx" + textInfo "$regx: No Development Endpoints found" "$regx" fi done } \ No newline at end of file From 888133e98615854c67ffb75f299e870a8f8c569d Mon Sep 17 00:00:00 2001 From: dlpzx Date: Tue, 10 Nov 2020 13:06:03 +0100 Subject: [PATCH 5/8] checks for glue - 7119, 7121, 7123,7124,7125 --- checks/check_extra7125 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/checks/check_extra7125 b/checks/check_extra7125 index 1444230f..226eeb58 100644 --- a/checks/check_extra7125 +++ b/checks/check_extra7125 @@ -39,9 +39,9 @@ extra7125(){ EP_NAME=$(echo $ep | base64 --decode | jq -r '.Name') PRIVATE_ADDRESS=$(echo $ep | base64 --decode | jq -r '.Address') if [[ ! -z "$PRIVATE_ADDRESS" ]]; then - textFail "$regx: AWS Glue Development Endpoint $EP_NAME uses a VPC Endpoint" "$regx" + textPass "$regx: AWS Glue Development Endpoint $EP_NAME uses a VPC Endpoint" "$regx" else - textPass "$regx: AWS Glue Development Endpoint $EP_NAME does not use a VPC Endpoint" "$regx" + textFail "$regx: AWS Glue Development Endpoint $EP_NAME does not use a VPC Endpoint" "$regx" fi done else From 943b096f35daf9071b5a137a51f17d048e68b90e Mon Sep 17 00:00:00 2001 From: dlpzx Date: Thu, 12 Nov 2020 12:06:43 +0100 Subject: [PATCH 6/8] checks for glue - 7119, 7121, 7123 --- checks/check_extra7119 | 11 ++++---- checks/check_extra7121 | 11 ++++---- checks/check_extra7123 | 11 ++++---- checks/check_extra7124 | 59 ------------------------------------------ checks/check_extra7125 | 51 ------------------------------------ 5 files changed, 15 insertions(+), 128 deletions(-) delete mode 100644 checks/check_extra7124 delete mode 100644 checks/check_extra7125 diff --git a/checks/check_extra7119 b/checks/check_extra7119 index 7ef85252..e5928f69 100644 --- a/checks/check_extra7119 +++ b/checks/check_extra7119 @@ -23,7 +23,7 @@ # [--apply-immediately | --no-apply-immediately] CHECK_ID_extra7119="7.119" -CHECK_TITLE_extra7119="[extra7119] Check if Security configurations used by ETL Development endpoints have S3 encryption enabled." +CHECK_TITLE_extra7119="[extra7119] Check if Glue security configurations used by ETL Development endpoints have S3 encryption enabled." CHECK_SCORED_extra7119="NOT_SCORED" CHECK_TYPE_extra7119="EXTRA" CHECK_SEVERITY_extra7119="Medium" @@ -31,7 +31,6 @@ CHECK_ASFF_RESOURCE_TYPE_extra7119="AwsGlue" CHECK_ALTERNATE_check7119="extra7119" extra7119(){ - textInfo "Looking for Development Endpoints in all regions... " for regx in $REGIONS; do LIST_EP_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Security:SecurityConfiguration}' --output json) if [[ ! -z "$LIST_EP_SC" ]]; then @@ -41,16 +40,16 @@ extra7119(){ if [[ ! -z "$ENDPOINT_SC" ]]; then ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.S3Encryption[0].S3EncryptionMode' --output text) if [[ "$ENDPOINT_SC_ENCRYPTION" == "DISABLED" ]]; then - textFail "$regx: Development Endpoint $ENDPOINT_NAME does not have S3 encryption enabled!" "$regx" + textFail "$regx: Glue Development Endpoint $ENDPOINT_NAME does not have S3 encryption enabled!" "$regx" else - textPass "$regx: Development Endpoint $ENDPOINT_NAME has S3 encryption enabled" "$regx" + textPass "$regx: Glue Development Endpoint $ENDPOINT_NAME has S3 encryption enabled" "$regx" fi else - textInfo "$regx: No Security Configuration found for Development Endpoint $ENDPOINT_NAME" "$regx" + textInfo "$regx: No Glue security configuration found for Development Endpoint $ENDPOINT_NAME" "$regx" fi done else - textInfo "$regx: There are no Development Endpoints" "$regx" + textInfo "$regx: There are no Glue Development Endpoints" "$regx" fi done } diff --git a/checks/check_extra7121 b/checks/check_extra7121 index 6b7f99c3..e5d5c35f 100644 --- a/checks/check_extra7121 +++ b/checks/check_extra7121 @@ -23,7 +23,7 @@ # [--apply-immediately | --no-apply-immediately] CHECK_ID_extra7121="7.121" -CHECK_TITLE_extra7121="[extra7121] Check if Security configurations used by ETL Development endpoints have CloudWatch logs encryption enabled." +CHECK_TITLE_extra7121="[extra7121] Check if Glue security configurations used by ETL Development endpoints have CloudWatch logs encryption enabled." CHECK_SCORED_extra7121="NOT_SCORED" CHECK_TYPE_extra7121="EXTRA" CHECK_SEVERITY_extra7121="Medium" @@ -31,7 +31,6 @@ CHECK_ASFF_RESOURCE_TYPE_extra7121="AwsGlue" CHECK_ALTERNATE_check7121="extra7121" extra7121(){ - textInfo "Looking for Development Endpoints in all regions... " for regx in $REGIONS; do LIST_EP_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Security:SecurityConfiguration}' --output json) if [[ ! -z "$LIST_EP_SC" ]]; then @@ -41,16 +40,16 @@ extra7121(){ if [[ ! -z "$ENDPOINT_SC" ]]; then ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.CloudWatchEncryption.CloudWatchEncryptionMode' --output text) if [[ $ENDPOINT_SC_ENCRYPTION == "DISABLED" ]]; then - textFail "$regx: Development Endpoint $ENDPOINT_NAME does not have CloudWatch logs encryption enabled!" "$regx" + textFail "$regx: Glue Development Endpoint $ENDPOINT_NAME does not have CloudWatch logs encryption enabled!" "$regx" else - textPass "$regx: Development Endpoint $ENDPOINT_NAME has CloudWatch logs encryption enabled" "$regx" + textPass "$regx: Glue Development Endpoint $ENDPOINT_NAME has CloudWatch logs encryption enabled" "$regx" fi else - textInfo "$regx: No Security Configuration found" "$regx" + textInfo "$regx: No Glue security configuration found" "$regx" fi done else - textInfo "$regx: There are no Development Endpoints" "$regx" + textInfo "$regx: There are no Glue Development Endpoints" "$regx" fi done } diff --git a/checks/check_extra7123 b/checks/check_extra7123 index bd5cb5ec..f601c9a4 100644 --- a/checks/check_extra7123 +++ b/checks/check_extra7123 @@ -23,7 +23,7 @@ # [--apply-immediately | --no-apply-immediately] CHECK_ID_extra7123="7.123" -CHECK_TITLE_extra7123="[extra7123] Check if Security configurations used by ETL Development endpoints have Job bookmark encryption enabled." +CHECK_TITLE_extra7123="[extra7123] Check if Glue security configurations used by ETL Development endpoints have Job bookmark encryption enabled." CHECK_SCORED_extra7123="NOT_SCORED" CHECK_TYPE_extra7123="EXTRA" CHECK_SEVERITY_extra7123="Medium" @@ -31,7 +31,6 @@ CHECK_ASFF_RESOURCE_TYPE_extra7123="AwsGlue" CHECK_ALTERNATE_check7123="extra7123" extra7123(){ - textInfo "Looking for Development Endpoints in all regions... " for regx in $REGIONS; do LIST_EP_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Security:SecurityConfiguration}' --output json) if [[ ! -z "$LIST_EP_SC" ]]; then @@ -41,16 +40,16 @@ extra7123(){ if [[ ! -z "$ENDPOINT_SC" ]]; then ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode' --output text) if [[ "$ENDPOINT_SC_ENCRYPTION" == "DISABLED" ]]; then - textFail "$regx: Development Endpoint $ENDPOINT_NAME does not have Job Bookmark encryption enabled!" "$regx" + textFail "$regx: Glue Development Endpoint $ENDPOINT_NAME does not have Job Bookmark encryption enabled!" "$regx" else - textPass "$regx: Development Endpoint $ENDPOINT_NAME has Job Bookmark encryption enabled" "$regx" + textPass "$regx: Glue Development Endpoint $ENDPOINT_NAME has Job Bookmark encryption enabled" "$regx" fi else - textInfo "$regx: No Security Configuration found" "$regx" + textInfo "$regx: No Glue security configuration found" "$regx" fi done else - textInfo "$regx: There are no Development Endpoints" "$regx" + textInfo "$regx: There are no Glue Development Endpoints" "$regx" fi done } diff --git a/checks/check_extra7124 b/checks/check_extra7124 deleted file mode 100644 index b531cda9..00000000 --- a/checks/check_extra7124 +++ /dev/null @@ -1,59 +0,0 @@ -#!/usr/bin/env bash - -# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may not -# use this file except in compliance with the License. You may obtain a copy -# of the License at http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software distributed -# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR -# CONDITIONS OF ANY KIND, either express or implied. See the License for the -# specific language governing permissions and limitations under the License. - -# Remediation: -# -# https://www.cloudconformity.com/knowledge-base/aws/RDS/instance-deletion-protection.html -# https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html -# -# aws rds modify-db-instance \ -# --region us-east-1 \ -# --db-instance-identifier test-db \ -# --deletion-protection \ -# [--apply-immediately | --no-apply-immediately] - -CHECK_ID_extra7124="7.124" -CHECK_TITLE_extra7124="[extra7124] Check if ETL Job Server-side encryption (Enables Amazon S3-managed encryption of the data at the target, SSE-S3) is enabled." -CHECK_SCORED_extra7124="NOT_SCORED" -CHECK_TYPE_extra7124="EXTRA" -CHECK_SEVERITY_extra7124="Medium" -CHECK_ASFF_RESOURCE_TYPE_extra7124="AwsGlue" -CHECK_ALTERNATE_check7124="extra7124" - -extra7124(){ - textInfo "Looking for ETL Jobs in all regions... " - for regx in $REGIONS; do - JOB_LIST=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --output json --query 'Jobs[*].{Name:Name,SecurityConfiguration:SecurityConfiguration,JobEncryption:DefaultArguments."--encryption-type"}') - if [[ ! -z "$JOB_LIST" ]]; then - for job in $(echo "${JOB_LIST}" | jq -r '.[] | @base64'); do - JOB_NAME=$(echo $job | base64 --decode | jq -r '.Name') - SECURITY_CONFIGURATION=$(echo $job | base64 --decode | jq -r '.SecurityConfiguration // empty') - JOB_ENCRYPTION=$(echo $job | base64 --decode | jq -r '.JobEncryption // empty') - if [[ ! -z "$SECURITY_CONFIGURATION" ]]; then - S3_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${SECURITY_CONFIGURATION}" $PROFILE_OPT --region $regx --output text --query 'SecurityConfiguration.EncryptionConfiguration.S3Encryption[0].S3EncryptionMode') - if [[ "$S3_ENCRYPTION" == "SSE-S3" ]]; then - textFail "$regx: Job $JOB_NAME has Server side encryption (SSE-S3) enabled" "$regx" - else - textInfo "$regx: Job $JOB_NAME does not have Server side encryption (SSE-S3) enabled" "$regx" - fi - elif [[ ! -z "$JOB_ENCRYPTION" ]]; then - textInfo "$regx: Job $JOB_NAME does have $JOB_ENCRYPTION S3 encryption enabled" "$regx" - else - textFail "$regx: Job $JOB_NAME does not have S3 encryption enabled" "$regx" - fi - done - else - textInfo "$regx: There are no ETL jobs" "$regx" - fi - done -} \ No newline at end of file diff --git a/checks/check_extra7125 b/checks/check_extra7125 deleted file mode 100644 index 226eeb58..00000000 --- a/checks/check_extra7125 +++ /dev/null @@ -1,51 +0,0 @@ -#!/usr/bin/env bash - -# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may not -# use this file except in compliance with the License. You may obtain a copy -# of the License at http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software distributed -# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR -# CONDITIONS OF ANY KIND, either express or implied. See the License for the -# specific language governing permissions and limitations under the License. - -# Remediation: -# -# https://www.cloudconformity.com/knowledge-base/aws/RDS/instance-deletion-protection.html -# https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html -# -# aws rds modify-db-instance \ -# --region us-east-1 \ -# --db-instance-identifier test-db \ -# --deletion-protection \ -# [--apply-immediately | --no-apply-immediately] - -CHECK_ID_extra7125="7.125" -CHECK_TITLE_extra7125="[extra7125] Checks if AWS Glue is used with VPC Endpoints." -CHECK_SCORED_extra7125="NOT_SCORED" -CHECK_TYPE_extra7125="EXTRA" -CHECK_SEVERITY_extra7125="Medium" -CHECK_ASFF_RESOURCE_TYPE_extra7125="AwsGlue" -CHECK_ALTERNATE_check7125="extra7125" - -extra7125(){ - textInfo "Looking for Development Endpoints in all regions... " - for regx in $REGIONS; do - LIST_EP_PA=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Address:PrivateAddress}' --output json) - if [[ ! -z "$LIST_EP_PA" ]]; then - for ep in $(echo "${LIST_EP_PA}" | jq -r '.[] | @base64'); do - EP_NAME=$(echo $ep | base64 --decode | jq -r '.Name') - PRIVATE_ADDRESS=$(echo $ep | base64 --decode | jq -r '.Address') - if [[ ! -z "$PRIVATE_ADDRESS" ]]; then - textPass "$regx: AWS Glue Development Endpoint $EP_NAME uses a VPC Endpoint" "$regx" - else - textFail "$regx: AWS Glue Development Endpoint $EP_NAME does not use a VPC Endpoint" "$regx" - fi - done - else - textInfo "$regx: No Development Endpoints found" "$regx" - fi - done -} \ No newline at end of file From b32538b7e5f03ae32e0effce4727675d0555d13b Mon Sep 17 00:00:00 2001 From: Toni de la Fuente Date: Fri, 13 Nov 2020 19:05:19 +0100 Subject: [PATCH 7/8] Glue review 2 --- checks/check_extra7119 | 11 ----------- checks/check_extra7121 | 11 ----------- checks/check_extra7123 | 11 ----------- groups/group24_glue | 19 +++++++++++++++++++ 4 files changed, 19 insertions(+), 33 deletions(-) create mode 100644 groups/group24_glue diff --git a/checks/check_extra7119 b/checks/check_extra7119 index e5928f69..081cbbd5 100644 --- a/checks/check_extra7119 +++ b/checks/check_extra7119 @@ -11,17 +11,6 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. -# Remediation: -# -# https://www.cloudconformity.com/knowledge-base/aws/RDS/instance-deletion-protection.html -# https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html -# -# aws rds modify-db-instance \ -# --region us-east-1 \ -# --db-instance-identifier test-db \ -# --deletion-protection \ -# [--apply-immediately | --no-apply-immediately] - CHECK_ID_extra7119="7.119" CHECK_TITLE_extra7119="[extra7119] Check if Glue security configurations used by ETL Development endpoints have S3 encryption enabled." CHECK_SCORED_extra7119="NOT_SCORED" diff --git a/checks/check_extra7121 b/checks/check_extra7121 index e5d5c35f..2aa1ef5a 100644 --- a/checks/check_extra7121 +++ b/checks/check_extra7121 @@ -11,17 +11,6 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. -# Remediation: -# -# https://www.cloudconformity.com/knowledge-base/aws/RDS/instance-deletion-protection.html -# https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html -# -# aws rds modify-db-instance \ -# --region us-east-1 \ -# --db-instance-identifier test-db \ -# --deletion-protection \ -# [--apply-immediately | --no-apply-immediately] - CHECK_ID_extra7121="7.121" CHECK_TITLE_extra7121="[extra7121] Check if Glue security configurations used by ETL Development endpoints have CloudWatch logs encryption enabled." CHECK_SCORED_extra7121="NOT_SCORED" diff --git a/checks/check_extra7123 b/checks/check_extra7123 index f601c9a4..a6671e86 100644 --- a/checks/check_extra7123 +++ b/checks/check_extra7123 @@ -11,17 +11,6 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. -# Remediation: -# -# https://www.cloudconformity.com/knowledge-base/aws/RDS/instance-deletion-protection.html -# https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html -# -# aws rds modify-db-instance \ -# --region us-east-1 \ -# --db-instance-identifier test-db \ -# --deletion-protection \ -# [--apply-immediately | --no-apply-immediately] - CHECK_ID_extra7123="7.123" CHECK_TITLE_extra7123="[extra7123] Check if Glue security configurations used by ETL Development endpoints have Job bookmark encryption enabled." CHECK_SCORED_extra7123="NOT_SCORED" diff --git a/groups/group24_glue b/groups/group24_glue new file mode 100644 index 00000000..4e06b2d0 --- /dev/null +++ b/groups/group24_glue @@ -0,0 +1,19 @@ +#!/usr/bin/env bash + +# Prowler - the handy cloud security tool (copyright 2222) by Toni de la Fuente +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may not +# use this file except in compliance with the License. You may obtain a copy +# of the License at http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed +# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +# CONDITIONS OF ANY KIND, either express or implied. See the License for the +# specific language governing permissions and limitations under the License. + +GROUP_ID[24]='glue' +GROUP_NUMBER[24]='24.0' +GROUP_TITLE[24]='Amazon Glue related security checks - [glue] ******************' +GROUP_RUN_BY_DEFAULT[24]='N' # run it when execute_all is called +GROUP_CHECKS[24]='extra7115,extra7116,extra7117,extra7118,extra7120,extra7122' + From 7cd1413c93ebab35485e0ccadccbd5a7d2212153 Mon Sep 17 00:00:00 2001 From: Toni de la Fuente Date: Mon, 16 Nov 2020 18:29:16 +0100 Subject: [PATCH 8/8] Glue grup 2 corrections --- checks/{check_extra7123 => check_extra7114} | 28 ++++++++++----------- checks/check_extra7119 | 18 ++++++------- checks/check_extra7121 | 18 +++++++------ groups/group24_glue | 2 +- 4 files changed, 33 insertions(+), 33 deletions(-) rename checks/{check_extra7123 => check_extra7114} (60%) diff --git a/checks/check_extra7123 b/checks/check_extra7114 similarity index 60% rename from checks/check_extra7123 rename to checks/check_extra7114 index a6671e86..a728c83f 100644 --- a/checks/check_extra7123 +++ b/checks/check_extra7114 @@ -11,34 +11,34 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. -CHECK_ID_extra7123="7.123" -CHECK_TITLE_extra7123="[extra7123] Check if Glue security configurations used by ETL Development endpoints have Job bookmark encryption enabled." -CHECK_SCORED_extra7123="NOT_SCORED" -CHECK_TYPE_extra7123="EXTRA" -CHECK_SEVERITY_extra7123="Medium" -CHECK_ASFF_RESOURCE_TYPE_extra7123="AwsGlue" -CHECK_ALTERNATE_check7123="extra7123" +CHECK_ID_extra7114="7.114" +CHECK_TITLE_extra7114="[extra7114] Check if Glue development endpoints have S3 encryption enabled." +CHECK_SCORED_extra7114="NOT_SCORED" +CHECK_TYPE_extra7114="EXTRA" +CHECK_SEVERITY_extra7114="Medium" +CHECK_ASFF_RESOURCE_TYPE_extra7114="AwsGlue" +CHECK_ALTERNATE_check7114="extra7114" -extra7123(){ +extra7114(){ for regx in $REGIONS; do LIST_EP_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Security:SecurityConfiguration}' --output json) - if [[ ! -z "$LIST_EP_SC" ]]; then + if [[ $LIST_EP_SC != '[]' ]]; then for ep in $(echo "${LIST_EP_SC}"| jq -r '.[] | @base64');do ENDPOINT_NAME=$(echo $ep | base64 --decode | jq -r '.Name') ENDPOINT_SC=$(echo $ep | base64 --decode | jq -r '.Security // empty') if [[ ! -z "$ENDPOINT_SC" ]]; then - ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode' --output text) + ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.S3Encryption[0].S3EncryptionMode' --output text) if [[ "$ENDPOINT_SC_ENCRYPTION" == "DISABLED" ]]; then - textFail "$regx: Glue Development Endpoint $ENDPOINT_NAME does not have Job Bookmark encryption enabled!" "$regx" + textFail "$regx: Glue development endpoint $ENDPOINT_NAME does not have S3 encryption enabled!" "$regx" else - textPass "$regx: Glue Development Endpoint $ENDPOINT_NAME has Job Bookmark encryption enabled" "$regx" + textPass "$regx: Glue development endpoint $ENDPOINT_NAME has S3 encryption enabled" "$regx" fi else - textInfo "$regx: No Glue security configuration found" "$regx" + textFail "$regx: Glue development endpoint $ENDPOINT_NAME does not have security configuration" "$regx" fi done else - textInfo "$regx: There are no Glue Development Endpoints" "$regx" + textInfo "$regx: There are no Glue development endpoints" "$regx" fi done } diff --git a/checks/check_extra7119 b/checks/check_extra7119 index 081cbbd5..e8d60488 100644 --- a/checks/check_extra7119 +++ b/checks/check_extra7119 @@ -12,7 +12,7 @@ # specific language governing permissions and limitations under the License. CHECK_ID_extra7119="7.119" -CHECK_TITLE_extra7119="[extra7119] Check if Glue security configurations used by ETL Development endpoints have S3 encryption enabled." +CHECK_TITLE_extra7119="[extra7119] Check if Glue development endpoints have CloudWatch logs encryption enabled." CHECK_SCORED_extra7119="NOT_SCORED" CHECK_TYPE_extra7119="EXTRA" CHECK_SEVERITY_extra7119="Medium" @@ -22,25 +22,23 @@ CHECK_ALTERNATE_check7119="extra7119" extra7119(){ for regx in $REGIONS; do LIST_EP_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Security:SecurityConfiguration}' --output json) - if [[ ! -z "$LIST_EP_SC" ]]; then + if [[ $LIST_EP_SC != '[]' ]]; then for ep in $(echo "${LIST_EP_SC}"| jq -r '.[] | @base64');do ENDPOINT_NAME=$(echo $ep | base64 --decode | jq -r '.Name') ENDPOINT_SC=$(echo $ep | base64 --decode | jq -r '.Security // empty') if [[ ! -z "$ENDPOINT_SC" ]]; then - ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.S3Encryption[0].S3EncryptionMode' --output text) - if [[ "$ENDPOINT_SC_ENCRYPTION" == "DISABLED" ]]; then - textFail "$regx: Glue Development Endpoint $ENDPOINT_NAME does not have S3 encryption enabled!" "$regx" + ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.CloudWatchEncryption.CloudWatchEncryptionMode' --output text) + if [[ $ENDPOINT_SC_ENCRYPTION == "DISABLED" ]]; then + textFail "$regx: Glue development endpoint $ENDPOINT_NAME does not have CloudWatch logs encryption enabled!" "$regx" else - textPass "$regx: Glue Development Endpoint $ENDPOINT_NAME has S3 encryption enabled" "$regx" + textPass "$regx: Glue development endpoint $ENDPOINT_NAME has CloudWatch logs encryption enabled" "$regx" fi else - textInfo "$regx: No Glue security configuration found for Development Endpoint $ENDPOINT_NAME" "$regx" + textFail "$regx: Glue development endpoint $ENDPOINT_NAME does not have security configuration" "$regx" fi done else - textInfo "$regx: There are no Glue Development Endpoints" "$regx" + textInfo "$regx: There are no Glue development endpoints" "$regx" fi done } - - diff --git a/checks/check_extra7121 b/checks/check_extra7121 index 2aa1ef5a..0dd83446 100644 --- a/checks/check_extra7121 +++ b/checks/check_extra7121 @@ -12,7 +12,7 @@ # specific language governing permissions and limitations under the License. CHECK_ID_extra7121="7.121" -CHECK_TITLE_extra7121="[extra7121] Check if Glue security configurations used by ETL Development endpoints have CloudWatch logs encryption enabled." +CHECK_TITLE_extra7121="[extra7121] Check if Glue development endpoints have Job bookmark encryption enabled." CHECK_SCORED_extra7121="NOT_SCORED" CHECK_TYPE_extra7121="EXTRA" CHECK_SEVERITY_extra7121="Medium" @@ -22,23 +22,25 @@ CHECK_ALTERNATE_check7121="extra7121" extra7121(){ for regx in $REGIONS; do LIST_EP_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Security:SecurityConfiguration}' --output json) - if [[ ! -z "$LIST_EP_SC" ]]; then + if [[ $LIST_EP_SC != '[]' ]]; then for ep in $(echo "${LIST_EP_SC}"| jq -r '.[] | @base64');do ENDPOINT_NAME=$(echo $ep | base64 --decode | jq -r '.Name') ENDPOINT_SC=$(echo $ep | base64 --decode | jq -r '.Security // empty') if [[ ! -z "$ENDPOINT_SC" ]]; then - ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.CloudWatchEncryption.CloudWatchEncryptionMode' --output text) - if [[ $ENDPOINT_SC_ENCRYPTION == "DISABLED" ]]; then - textFail "$regx: Glue Development Endpoint $ENDPOINT_NAME does not have CloudWatch logs encryption enabled!" "$regx" + ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode' --output text) + if [[ "$ENDPOINT_SC_ENCRYPTION" == "DISABLED" ]]; then + textFail "$regx: Glue development endpoint $ENDPOINT_NAME does not have Job Bookmark encryption enabled!" "$regx" else - textPass "$regx: Glue Development Endpoint $ENDPOINT_NAME has CloudWatch logs encryption enabled" "$regx" + textPass "$regx: Glue development endpoint $ENDPOINT_NAME has Job Bookmark encryption enabled" "$regx" fi else - textInfo "$regx: No Glue security configuration found" "$regx" + textFail "$regx: Glue development endpoint $ENDPOINT_NAME does not have security configuration" "$regx" fi done else - textInfo "$regx: There are no Glue Development Endpoints" "$regx" + textInfo "$regx: There are no Glue development endpoints" "$regx" fi done } + + diff --git a/groups/group24_glue b/groups/group24_glue index 4e06b2d0..3722b2cb 100644 --- a/groups/group24_glue +++ b/groups/group24_glue @@ -15,5 +15,5 @@ GROUP_ID[24]='glue' GROUP_NUMBER[24]='24.0' GROUP_TITLE[24]='Amazon Glue related security checks - [glue] ******************' GROUP_RUN_BY_DEFAULT[24]='N' # run it when execute_all is called -GROUP_CHECKS[24]='extra7115,extra7116,extra7117,extra7118,extra7120,extra7122' +GROUP_CHECKS[24]='extra7114,extra7115,extra7116,extra7117,extra7118,extra7119,extra7120,extra7121,extra7122'