From 13ca147d02c186658d3918a89e312267b0ce3f83 Mon Sep 17 00:00:00 2001 From: Toni de la Fuente Date: Wed, 22 Apr 2020 23:23:17 +0200 Subject: [PATCH] Updated checks with hardcoded arn to support GovCloud partition --- checks/check114 | 2 +- checks/check_extra71 | 6 +++--- checks/check_extra720 | 2 +- checks/check_extra725 | 6 +++--- checks/check_extra771 | 6 +++--- 5 files changed, 11 insertions(+), 11 deletions(-) diff --git a/checks/check114 b/checks/check114 index fff68b72..d1777c10 100644 --- a/checks/check114 +++ b/checks/check114 @@ -19,7 +19,7 @@ check114(){ # "Ensure hardware MFA is enabled for the root account (Scored)" COMMAND113=$($AWSCLI iam get-account-summary $PROFILE_OPT --region $REGION --output json --query 'SummaryMap.AccountMFAEnabled') if [ "$COMMAND113" == "1" ]; then - COMMAND114=$($AWSCLI iam list-virtual-mfa-devices $PROFILE_OPT --region $REGION --output text --assignment-status Assigned --query 'VirtualMFADevices[*].[SerialNumber]' | grep '^arn:aws:iam::[0-9]\{12\}:mfa/root-account-mfa-device$') + COMMAND114=$($AWSCLI iam list-virtual-mfa-devices $PROFILE_OPT --region $REGION --output text --assignment-status Assigned --query 'VirtualMFADevices[*].[SerialNumber]' | grep '^arn:${AWS_PARTITION}:iam::[0-9]\{12\}:mfa/root-account-mfa-device$') if [[ "$COMMAND114" ]]; then textFail "Only Virtual MFA is enabled for root" else diff --git a/checks/check_extra71 b/checks/check_extra71 index 197eec97..19465244 100644 --- a/checks/check_extra71 +++ b/checks/check_extra71 @@ -22,15 +22,15 @@ CHECK_ALTERNATE_check701="extra71" extra71(){ # "Ensure users of groups with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)" ADMIN_GROUPS='' - AWS_GROUPS=$($AWSCLI $PROFILE_OPT iam list-groups --output text --query 'Groups[].GroupName') + AWS_GROUPS=$($AWSCLI $PROFILE_OPT iam list-groups --output text --region $REGION --query 'Groups[].GroupName') for grp in $AWS_GROUPS; do # aws --profile onlinetraining iam list-attached-group-policies --group-name Administrators --query 'AttachedPolicies[].PolicyArn' | grep 'arn:aws:iam::aws:policy/AdministratorAccess' # list-attached-group-policies - CHECK_ADMIN_GROUP=$($AWSCLI $PROFILE_OPT iam list-attached-group-policies --group-name $grp --output json --query 'AttachedPolicies[].PolicyArn' | grep 'arn:aws:iam::aws:policy/AdministratorAccess') + CHECK_ADMIN_GROUP=$($AWSCLI $PROFILE_OPT --region $REGION iam list-attached-group-policies --group-name $grp --output json --query 'AttachedPolicies[].PolicyArn' | grep 'arn:${AWS_PARTITION}:iam::aws:policy/AdministratorAccess') if [[ $CHECK_ADMIN_GROUP ]]; then ADMIN_GROUPS="$ADMIN_GROUPS $grp" textInfo "$grp group provides administrative access" - ADMIN_USERS=$($AWSCLI $PROFILE_OPT iam get-group --group-name $grp --output json --query 'Users[].UserName' | grep '"' | cut -d'"' -f2 ) + ADMIN_USERS=$($AWSCLI $PROFILE_OPT iam get-group --region $REGION --group-name $grp --output json --query 'Users[].UserName' | grep '"' | cut -d'"' -f2 ) for auser in $ADMIN_USERS; do # users in group are Administrators # users diff --git a/checks/check_extra720 b/checks/check_extra720 index 8f950bdb..f8b2a890 100644 --- a/checks/check_extra720 +++ b/checks/check_extra720 @@ -26,7 +26,7 @@ extra720(){ LIST_OF_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query trailList[].TrailARN --output text) if [[ $LIST_OF_TRAILS ]]; then for trail in $LIST_OF_TRAILS; do - FUNCTION_ENABLED_IN_TRAIL=$($AWSCLI cloudtrail get-event-selectors $PROFILE_OPT --trail-name $trail --region $regx --query "EventSelectors[*].DataResources[?Type == \`AWS::Lambda::Function\`].Values" --output text |xargs -n1| grep -E "^arn:aws:lambda.*function:$lambdafunction$|^arn:aws:lambda$") + FUNCTION_ENABLED_IN_TRAIL=$($AWSCLI cloudtrail get-event-selectors $PROFILE_OPT --trail-name $trail --region $regx --query "EventSelectors[*].DataResources[?Type == \`AWS::Lambda::Function\`].Values" --output text |xargs -n1| grep -E "^arn:${AWS_PARTITION}:lambda.*function:$lambdafunction$|^arn:${AWS_PARTITION}:lambda$") if [[ $FUNCTION_ENABLED_IN_TRAIL ]]; then textPass "$regx: Lambda function $lambdafunction enabled in trail $trail" "$regx" else diff --git a/checks/check_extra725 b/checks/check_extra725 index 88f43ce5..eb336b79 100644 --- a/checks/check_extra725 +++ b/checks/check_extra725 @@ -23,14 +23,14 @@ extra725(){ # "Check if S3 buckets have Object-level logging enabled in CloudTrail (Not Scored) (Not part of CIS benchmark)" textInfo "Looking for S3 Buckets Object-level logging information in all trails... " - LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --query 'Buckets[*].{Name:Name}' --output text) - LIST_OF_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --query 'trailList[].TrailARN' --output text) + LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --region $REGION --query 'Buckets[*].{Name:Name}' --output text) + LIST_OF_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[].TrailARN' --output text) if [[ $LIST_OF_BUCKETS ]]; then for bucketName in $LIST_OF_BUCKETS;do if [[ $LIST_OF_TRAILS ]]; then BUCKET_ENABLED_TRAILS=() for trail in $LIST_OF_TRAILS; do - BUCKET_ENABLED_IN_TRAIL=$($AWSCLI cloudtrail get-event-selectors $PROFILE_OPT --trail-name $trail --query "EventSelectors[*].DataResources[?Type == \`AWS::S3::Object\`].Values" --output text |xargs -n1| grep -E "^arn:aws:s3:::$bucketName/\S*$|^arn:aws:s3$|^arn:aws:s3:::$") + BUCKET_ENABLED_IN_TRAIL=$($AWSCLI cloudtrail get-event-selectors --region $REGION $PROFILE_OPT --trail-name $trail --query "EventSelectors[*].DataResources[?Type == \`AWS::S3::Object\`].Values" --output text |xargs -n1| grep -E "^arn:${AWS_PARTITION}:s3:::$bucketName/\S*$|^arn:${AWS_PARTITION}:s3$|^arn:${AWS_PARTITION}:s3:::$") if [[ $BUCKET_ENABLED_IN_TRAIL ]]; then BUCKET_ENABLED_TRAILS+=($trail) # textPass "$regx: S3 bucket $bucketName has Object-level logging enabled in trail $trail" "$regx" diff --git a/checks/check_extra771 b/checks/check_extra771 index 0c940649..98d2da9b 100644 --- a/checks/check_extra771 +++ b/checks/check_extra771 @@ -18,14 +18,14 @@ CHECK_ASFF_RESOURCE_TYPE_extra771="AwsS3Bucket" CHECK_ALTERNATE_check771="extra771" extra771(){ - LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --query Buckets[*].Name --output text|xargs -n1) + LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --region $REGION --query Buckets[*].Name --output text|xargs -n1) if [[ $LIST_OF_BUCKETS ]]; then for bucket in $LIST_OF_BUCKETS;do - BUCKET_POLICY_STATEMENTS=$($AWSCLI s3api $PROFILE_OPT get-bucket-policy --bucket $bucket --output json --query Policy 2>&1) + BUCKET_POLICY_STATEMENTS=$($AWSCLI s3api $PROFILE_OPT get-bucket-policy --region $REGION --bucket $bucket --output json --query Policy 2>&1) if [[ $BUCKET_POLICY_STATEMENTS == *GetBucketPolicy* ]]; then textInfo "Bucket policy does not exist for bucket $bucket" else - BUCKET_POLICY_BAD_STATEMENTS=$(echo $BUCKET_POLICY_STATEMENTS | jq --arg arn "arn:aws:s3:::$bucket" 'fromjson | .Statement[]|select(.Effect=="Allow" and (((.Principal|type == "object") and .Principal.AWS == "*") or ((.Principal|type == "string") and .Principal == "*")) and (.Action|startswith("s3:Put") or startswith("s3:*")) and .Condition == null)') + BUCKET_POLICY_BAD_STATEMENTS=$(echo $BUCKET_POLICY_STATEMENTS | jq --arg arn "arn:${AWS_PARTITION}:s3:::$bucket" 'fromjson | .Statement[]|select(.Effect=="Allow" and (((.Principal|type == "object") and .Principal.AWS == "*") or ((.Principal|type == "string") and .Principal == "*")) and (.Action|startswith("s3:Put") or startswith("s3:*")) and .Condition == null)') if [[ $BUCKET_POLICY_BAD_STATEMENTS != "" ]]; then textFail "Bucket $bucket allows public write: $BUCKET_POLICY_BAD_STATEMENTS" else