mirror of
https://github.com/ghndrx/prowler.git
synced 2026-02-10 14:55:00 +00:00
Updated checks with hardcoded arn to support GovCloud partition
This commit is contained in:
Toni de la Fuente
@@ -19,7 +19,7 @@ check114(){
|
||||
# "Ensure hardware MFA is enabled for the root account (Scored)"
|
||||
COMMAND113=$($AWSCLI iam get-account-summary $PROFILE_OPT --region $REGION --output json --query 'SummaryMap.AccountMFAEnabled')
|
||||
if [ "$COMMAND113" == "1" ]; then
|
||||
COMMAND114=$($AWSCLI iam list-virtual-mfa-devices $PROFILE_OPT --region $REGION --output text --assignment-status Assigned --query 'VirtualMFADevices[*].[SerialNumber]' | grep '^arn:aws:iam::[0-9]\{12\}:mfa/root-account-mfa-device$')
|
||||
COMMAND114=$($AWSCLI iam list-virtual-mfa-devices $PROFILE_OPT --region $REGION --output text --assignment-status Assigned --query 'VirtualMFADevices[*].[SerialNumber]' | grep '^arn:${AWS_PARTITION}:iam::[0-9]\{12\}:mfa/root-account-mfa-device$')
|
||||
if [[ "$COMMAND114" ]]; then
|
||||
textFail "Only Virtual MFA is enabled for root"
|
||||
else
|
||||
|
||||
@@ -22,15 +22,15 @@ CHECK_ALTERNATE_check701="extra71"
|
||||
extra71(){
|
||||
# "Ensure users of groups with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)"
|
||||
ADMIN_GROUPS=''
|
||||
AWS_GROUPS=$($AWSCLI $PROFILE_OPT iam list-groups --output text --query 'Groups[].GroupName')
|
||||
AWS_GROUPS=$($AWSCLI $PROFILE_OPT iam list-groups --output text --region $REGION --query 'Groups[].GroupName')
|
||||
for grp in $AWS_GROUPS; do
|
||||
# aws --profile onlinetraining iam list-attached-group-policies --group-name Administrators --query 'AttachedPolicies[].PolicyArn' | grep 'arn:aws:iam::aws:policy/AdministratorAccess'
|
||||
# list-attached-group-policies
|
||||
CHECK_ADMIN_GROUP=$($AWSCLI $PROFILE_OPT iam list-attached-group-policies --group-name $grp --output json --query 'AttachedPolicies[].PolicyArn' | grep 'arn:aws:iam::aws:policy/AdministratorAccess')
|
||||
CHECK_ADMIN_GROUP=$($AWSCLI $PROFILE_OPT --region $REGION iam list-attached-group-policies --group-name $grp --output json --query 'AttachedPolicies[].PolicyArn' | grep 'arn:${AWS_PARTITION}:iam::aws:policy/AdministratorAccess')
|
||||
if [[ $CHECK_ADMIN_GROUP ]]; then
|
||||
ADMIN_GROUPS="$ADMIN_GROUPS $grp"
|
||||
textInfo "$grp group provides administrative access"
|
||||
ADMIN_USERS=$($AWSCLI $PROFILE_OPT iam get-group --group-name $grp --output json --query 'Users[].UserName' | grep '"' | cut -d'"' -f2 )
|
||||
ADMIN_USERS=$($AWSCLI $PROFILE_OPT iam get-group --region $REGION --group-name $grp --output json --query 'Users[].UserName' | grep '"' | cut -d'"' -f2 )
|
||||
for auser in $ADMIN_USERS; do
|
||||
# users in group are Administrators
|
||||
# users
|
||||
|
||||
@@ -26,7 +26,7 @@ extra720(){
|
||||
LIST_OF_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query trailList[].TrailARN --output text)
|
||||
if [[ $LIST_OF_TRAILS ]]; then
|
||||
for trail in $LIST_OF_TRAILS; do
|
||||
FUNCTION_ENABLED_IN_TRAIL=$($AWSCLI cloudtrail get-event-selectors $PROFILE_OPT --trail-name $trail --region $regx --query "EventSelectors[*].DataResources[?Type == \`AWS::Lambda::Function\`].Values" --output text |xargs -n1| grep -E "^arn:aws:lambda.*function:$lambdafunction$|^arn:aws:lambda$")
|
||||
FUNCTION_ENABLED_IN_TRAIL=$($AWSCLI cloudtrail get-event-selectors $PROFILE_OPT --trail-name $trail --region $regx --query "EventSelectors[*].DataResources[?Type == \`AWS::Lambda::Function\`].Values" --output text |xargs -n1| grep -E "^arn:${AWS_PARTITION}:lambda.*function:$lambdafunction$|^arn:${AWS_PARTITION}:lambda$")
|
||||
if [[ $FUNCTION_ENABLED_IN_TRAIL ]]; then
|
||||
textPass "$regx: Lambda function $lambdafunction enabled in trail $trail" "$regx"
|
||||
else
|
||||
|
||||
@@ -23,14 +23,14 @@ extra725(){
|
||||
# "Check if S3 buckets have Object-level logging enabled in CloudTrail (Not Scored) (Not part of CIS benchmark)"
|
||||
textInfo "Looking for S3 Buckets Object-level logging information in all trails... "
|
||||
|
||||
LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --query 'Buckets[*].{Name:Name}' --output text)
|
||||
LIST_OF_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --query 'trailList[].TrailARN' --output text)
|
||||
LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --region $REGION --query 'Buckets[*].{Name:Name}' --output text)
|
||||
LIST_OF_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[].TrailARN' --output text)
|
||||
if [[ $LIST_OF_BUCKETS ]]; then
|
||||
for bucketName in $LIST_OF_BUCKETS;do
|
||||
if [[ $LIST_OF_TRAILS ]]; then
|
||||
BUCKET_ENABLED_TRAILS=()
|
||||
for trail in $LIST_OF_TRAILS; do
|
||||
BUCKET_ENABLED_IN_TRAIL=$($AWSCLI cloudtrail get-event-selectors $PROFILE_OPT --trail-name $trail --query "EventSelectors[*].DataResources[?Type == \`AWS::S3::Object\`].Values" --output text |xargs -n1| grep -E "^arn:aws:s3:::$bucketName/\S*$|^arn:aws:s3$|^arn:aws:s3:::$")
|
||||
BUCKET_ENABLED_IN_TRAIL=$($AWSCLI cloudtrail get-event-selectors --region $REGION $PROFILE_OPT --trail-name $trail --query "EventSelectors[*].DataResources[?Type == \`AWS::S3::Object\`].Values" --output text |xargs -n1| grep -E "^arn:${AWS_PARTITION}:s3:::$bucketName/\S*$|^arn:${AWS_PARTITION}:s3$|^arn:${AWS_PARTITION}:s3:::$")
|
||||
if [[ $BUCKET_ENABLED_IN_TRAIL ]]; then
|
||||
BUCKET_ENABLED_TRAILS+=($trail)
|
||||
# textPass "$regx: S3 bucket $bucketName has Object-level logging enabled in trail $trail" "$regx"
|
||||
|
||||
@@ -18,14 +18,14 @@ CHECK_ASFF_RESOURCE_TYPE_extra771="AwsS3Bucket"
|
||||
CHECK_ALTERNATE_check771="extra771"
|
||||
|
||||
extra771(){
|
||||
LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --query Buckets[*].Name --output text|xargs -n1)
|
||||
LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --region $REGION --query Buckets[*].Name --output text|xargs -n1)
|
||||
if [[ $LIST_OF_BUCKETS ]]; then
|
||||
for bucket in $LIST_OF_BUCKETS;do
|
||||
BUCKET_POLICY_STATEMENTS=$($AWSCLI s3api $PROFILE_OPT get-bucket-policy --bucket $bucket --output json --query Policy 2>&1)
|
||||
BUCKET_POLICY_STATEMENTS=$($AWSCLI s3api $PROFILE_OPT get-bucket-policy --region $REGION --bucket $bucket --output json --query Policy 2>&1)
|
||||
if [[ $BUCKET_POLICY_STATEMENTS == *GetBucketPolicy* ]]; then
|
||||
textInfo "Bucket policy does not exist for bucket $bucket"
|
||||
else
|
||||
BUCKET_POLICY_BAD_STATEMENTS=$(echo $BUCKET_POLICY_STATEMENTS | jq --arg arn "arn:aws:s3:::$bucket" 'fromjson | .Statement[]|select(.Effect=="Allow" and (((.Principal|type == "object") and .Principal.AWS == "*") or ((.Principal|type == "string") and .Principal == "*")) and (.Action|startswith("s3:Put") or startswith("s3:*")) and .Condition == null)')
|
||||
BUCKET_POLICY_BAD_STATEMENTS=$(echo $BUCKET_POLICY_STATEMENTS | jq --arg arn "arn:${AWS_PARTITION}:s3:::$bucket" 'fromjson | .Statement[]|select(.Effect=="Allow" and (((.Principal|type == "object") and .Principal.AWS == "*") or ((.Principal|type == "string") and .Principal == "*")) and (.Action|startswith("s3:Put") or startswith("s3:*")) and .Condition == null)')
|
||||
if [[ $BUCKET_POLICY_BAD_STATEMENTS != "" ]]; then
|
||||
textFail "Bucket $bucket allows public write: $BUCKET_POLICY_BAD_STATEMENTS"
|
||||
else
|
||||
|
||||
Reference in New Issue
Block a user