From b42cc33a6c59665794916d57167df8d8cb83b46c Mon Sep 17 00:00:00 2001
From: "He.Longfei"
Date: Mon, 20 Apr 2020 15:01:38 +0800
Subject: [PATCH 1/2] using api commands to check if macie is enabled instead of looking iam role
---
 checks/check_extra712 | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/checks/check_extra712 b/checks/check_extra712
index 251d93a5..d15f5bcf 100644
--- a/checks/check_extra712
+++ b/checks/check_extra712
@@ -18,12 +18,16 @@ CHECK_ALTERNATE_check712="extra712"
 extra712(){
 # "Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)"
- textInfo "No API commands available to check if Macie is enabled,"
- textInfo "just looking if IAM Macie related permissions exist. "
- MACIE_IAM_ROLES_CREATED=$($AWSCLI iam list-roles $PROFILE_OPT --query 'Roles[*].Arn'|grep AWSMacieServiceCustomer|wc -l)
- if [[ $MACIE_IAM_ROLES_CREATED -eq 2 ]];then
- textPass "Macie related IAM roles exist so it might be enabled. Check it out manually"
- else
- textFail "No Macie related IAM roles found. It is most likely not to be enabled"
- fi
-}
+ MACIE_NOT_SUPPORTED="Could not connect to the endpoint URL"
+ MACIE_NOT_ENABLED="Macie is not enabled for this AWS account"
+ for regx in $REGIONS; do
+ MACIE_MEMBER_ACCOUNTS=$($AWSCLI macie list-member-accounts $PROFILE_OPT --region $regx --output text --query 'memberAccounts[*]' 2>&1)
+ if [[ ${MACIE_MEMBER_ACCOUNTS} == *${MACIE_NOT_SUPPORTED}* ]];then
+ textInfo "Macie is not supported in the $regx AWS Regions"
+ elif [[ ${MACIE_MEMBER_ACCOUNTS} == *${MACIE_NOT_ENABLED}* ]];then
+ textFail "$regx: Amazon Macie is not enabled!"
+ else
+ textPass "$regx: Amazon Macie is enabled!"
+ fi
+ done
+}
From 86ea46d77cebccffbc6fc0d963a9ad70540dbc28 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Mon, 20 Apr 2020 19:19:05 +0200
Subject: [PATCH 2/2] Update check_extra712
---
 checks/check_extra712 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
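Review bot: In the new extra712 loop, any `aws macie list-member-accounts` failure whose message matches neither MACIE_NOT_SUPPORTED nor MACIE_NOT_ENABLED — an AccessDenied, expired credentials, throttling, or a network error other than the endpoint one — falls through to the `else` branch and is reported as `textPass "$regx: Amazon Macie is enabled!"`, so a region the scanner could not read becomes a passing finding. Because stderr is merged into the captured value with `2>&1`, the command's exit status is the only signal that separates a real member list from error text, and it is discarded. Capture `$?` right after the command substitution and route a non-zero status that matches neither known string to textInfo (or textFail) instead of textPass; the same fall-through is carried over unchanged by the second patch's hunk on textFail/textPass. Matching fixed English error strings is also fragile across CLI versions, so a short comment such as `# error strings as emitted by the AWS CLI; revisit if the CLI changes its messages` above the two assignments would help the next maintainer.
```shell
  for regx in $REGIONS; do
    MACIE_MEMBER_ACCOUNTS=$($AWSCLI macie list-member-accounts $PROFILE_OPT --region $regx --output text --query 'memberAccounts[*]' 2>&1)
    MACIE_RC=$?
    if [[ ${MACIE_MEMBER_ACCOUNTS} == *${MACIE_NOT_SUPPORTED}* ]];then
      textInfo "Macie is not supported in the $regx AWS Regions"
    elif [[ ${MACIE_MEMBER_ACCOUNTS} == *${MACIE_NOT_ENABLED}* ]];then
      textFail "$regx: Amazon Macie is not enabled!"
    elif [[ $MACIE_RC -ne 0 ]];then
      # unknown CLI error: do not report it as a pass
      textInfo "$regx: could not determine Macie status: ${MACIE_MEMBER_ACCOUNTS}"
    else
      textPass "$regx: Amazon Macie is enabled!"
    fi
  done
```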
diff --git a/checks/check_extra712 b/checks/check_extra712
index d15f5bcf..ac941c2e 100644
--- a/checks/check_extra712
+++ b/checks/check_extra712
@@ -25,9 +25,9 @@ extra712(){
 if [[ ${MACIE_MEMBER_ACCOUNTS} == *${MACIE_NOT_SUPPORTED}* ]];then
 textInfo "Macie is not supported in the $regx AWS Regions"
 elif [[ ${MACIE_MEMBER_ACCOUNTS} == *${MACIE_NOT_ENABLED}* ]];then
- textFail "$regx: Amazon Macie is not enabled!"
+ textFail "$regx: Amazon Macie is not enabled!" "$regx"
 else
- textPass "$regx: Amazon Macie is enabled!"
+ textPass "$regx: Amazon Macie is enabled!" "$regx"
 fi
 done
 }
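Review bot: The textInfo call in the unsupported-region branch is left without the trailing `"$regx"` argument that textFail and textPass now receive, so the three branches of the same `if` handle the region inconsistently. If textInfo accepts the same region parameter (its definition is outside this patch), pass it there too: `textInfo "Macie is not supported in the $regx AWS Regions" "$regx"`. The two changed messages also still embed `$regx:` in their text while passing the region separately, which may print it twice depending on how the helpers format output — worth checking against the convention used by the other checks. extra712 begins above this hunk.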