ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 23:05:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #50 from MrSecure/monochrome

Browse Source 
Add Monochrome Mode and other fixes
This commit is contained in:
Toni de la Fuente
2017-06-15 08:44:12 -04:00
committed by GitHub
parent bd75f0ff4b efbf37faaf
commit 1899866225
2 changed files with 199 additions and 147 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
README.md
View File

@@ -93,6 +93,7 @@ USAGE:
-c <checknum> specify a check number or group from the AWS CIS benchmark (i.e.: check11 for check 1.1 or check3 for entire section 3)
-f <filterregion> specify an AWS region to run checks against (i.e.: us-west-1)
-m <maxitems> specify the maximum number of items to return for long-running requests (default: 100)
-b do not use colors in the output
-h this help
```

345
prowler
View File

@@ -26,34 +26,20 @@
# Exits if any error is found
# set -e
# Colors
NORMAL=""
WARNING="" # Bad (red)
SECTION="" # Section (yellow)
NOTICE="" # Notice (yellow)
OK="" # Ok (green)
BAD="" # Bad (red)
CYAN=""
BLUE=""
BROWN=""
DARKGRAY=""
GRAY=""
GREEN=""
MAGENTA=""
PURPLE=""
RED=""
YELLOW=""
WHITE=""
OPTRED=""
OPTNORMAL=""
# Set the defaults for these getopts variables
PROFILE="default"
REGION="us-east-1"
FILTERREGION=""
MAXITEMS=100
MONOCHROME=0
# Command usage menu
usage(){
echo -e "\nUSAGE:
echo "
USAGE:
`basename $0` -p <profile> -r <region> [ -h ]
Options:
-p <profile> specify your AWS profile to use (i.e.: default)
@@ -61,17 +47,21 @@ usage(){
-c <checknum> specify a check number or group from the AWS CIS benchmark (i.e.: check11 for check 1.1 or check3 for entire section 3)
-f <filterregion> specify an AWS region to run checks against (i.e.: us-west-1)
-m <maxitems> specify the maximum number of items to return for long-running requests (default: 100)
-b do not use colors in the output
-h this help
"
exit
}
while getopts "hp:r:c:f:m:" OPTION; do
while getopts ":hbp:r:c:f:m:" OPTION; do
case $OPTION in
h )
usage
exit 1
;;
b )
MONOCHROME=1
;;
p )
PROFILE=$OPTARG
;;
@@ -88,17 +78,61 @@ while getopts "hp:r:c:f:m:" OPTION; do
MAXITEMS=$OPTARG
;;
: )
echo -e "\n$RED ERROR!$NORMAL -$OPTARG requires an argument\n"
echo ""
echo "$OPTRED ERROR!$OPTNORMAL -$OPTARG requires an argument"
usage
exit 1
;;
? )
echo -e "\n$RED ERROR!$NORMAL Invalid option"
echo ""
echo "$OPTRED ERROR!$OPTNORMAL Invalid option"
usage
exit 1
;;
esac
done
if [[ $MONOCHROME -eq 1 ]]; then
# Colors
NORMAL=''
WARNING='' # Bad (red)
SECTION='' # Section (yellow)
NOTICE='' # Notice (yellow)
OK='' # Ok (green)
BAD='' # Bad (red)
CYAN=''
BLUE=''
BROWN=''
DARKGRAY=''
GRAY=''
GREEN=''
MAGENTA=''
PURPLE=''
RED=''
YELLOW=''
WHITE=''
else
# Colors
# NOTE: Your editor may NOT show the 0x1b / escape character left of the '['
NORMAL=""
WARNING="" # Bad (red)
SECTION="" # Section (yellow)
NOTICE="" # Notice (yellow)
OK="" # Ok (green)
BAD="" # Bad (red)
CYAN=""
BLUE=""
BROWN=""
DARKGRAY=""
GRAY=""
GREEN=""
MAGENTA=""
PURPLE=""
RED=""
YELLOW=""
WHITE=""
fi
# Functions to manage dates depending on OS
if [[ "$OSTYPE" == "linux-gnu" ]]; then
# function to compare in days, usage how_older_from_today date
@@ -191,27 +225,38 @@ fi
# AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY_ID}
prowlerBanner() {
echo -e "$CYAN _"
echo -e " _ __ _ __ _____ _| | ___ _ __"
echo -e " | '_ \| '__/ _ \ \ /\ / / |/ _ \ '__|"
echo -e " | |_) | | | (_) \ V V /| | __/ |"
echo -e " | .__/|_| \___/ \_/\_/ |_|\___|_|"
echo -e " |_|$NORMAL$BLUE CIS based AWS Account Hardening Tool$NORMAL\n"
echo -e "$CYAN _"
echo -e " _ __ _ __ _____ _| | ___ _ __"
echo -e " | '_ \| '__/ _ \ \ /\ / / |/ _ \ '__|"
echo -e " | |_) | | | (_) \ V V /| | __/ |"
echo -e " | .__/|_| \___/ \_/\_/ |_|\___|_|"
echo -e " |_|$NORMAL$BLUE CIS based AWS Account Hardening Tool$NORMAL\n"
}
# Get whoami in AWS, who is the user running this shell script
getWhoami() {
echo -e "\nThis report is being generated using credentials below:\n"
getWhoami(){
echo ""
echo "This report is being generated using credentials below:"
echo ""
echo -e "AWS-CLI Profile: $NOTICE[$PROFILE]$NORMAL AWS API Region: $NOTICE[$REGION]$NORMAL AWS Filter Region: $NOTICE[${FILTERREGION:-all}]\n"
$AWSCLI sts get-caller-identity --output table --profile $PROFILE --region $REGION
if [[ $MONOCHROME -eq 1 ]]; then
$AWSCLI sts get-caller-identity --output json --profile $PROFILE --region $REGION | grep ':'
else
echo "Caller Identity:"
$AWSCLI sts get-caller-identity --output table --profile $PROFILE --region $REGION
echo ""
fi
}
printCurrentDate(){
echo -e "\nDate: $NOTICE$(date)$NORMAL"
echo ""
echo "Date: ${NOTICE}$(date)${NORMAL}"
}
printColorsCode(){
echo -e "\nColors Code for results: $NOTICE INFORMATIVE$NORMAL,$OK OK (RECOMMENDED VALUE)$NORMAL, $BAD WARNING (FIX REQUIRED)$NORMAL \n"
if [[ $MONOCHROME -eq 0 ]]; then
echo -e "\nColors Code for results: $NOTICE INFORMATIVE$NORMAL,$OK OK (RECOMMENDED VALUE)$NORMAL, $BAD WARNING (FIX REQUIRED)$NORMAL \n"
fi
}
# Generate Credential Report
@@ -281,9 +326,9 @@ check12(){
echo -e "\n$TITLE12"
if [[ $COMMAND12 ]]; then
echo -e " List of users with Password enabled but MFA disabled:"
echo -e " $RED $COMMAND12 $NORMAL"
echo -e " $BAD WARNING! $COMMAND12 $NORMAL"
else
echo -e " $OK OK! No users found with Password enabled and MFA disabled $NORMAL"
echo -e " $OK OK! $NORMAL No users found with Password enabled and MFA disabled"
fi
}
@@ -304,14 +349,14 @@ check13(){
DATEUSED=$($AWSCLI iam list-users --query "Users[?UserName=='$i'].PasswordLastUsed" --output text --profile $PROFILE --region $REGION | cut -d'T' -f1)
HOWOLDER=$(how_older_from_today $DATEUSED)
if [ $HOWOLDER -gt "90" ];then
echo " $RED $i $NORMAL"
echo " $BAD WARNING! User \"$i\" has not logged in during the last 90 days $NORMAL"
else
echo " $OK OK! User \"$i\" found with unused credentials for 90 days or greater $NORMAL"
echo " $OK OK! $NORMAL User \"$i\" found with credentials used in the last 90 days"
fi
done
fi
else
echo " $OK OK! No users found with password enabled $NORMAL"
echo " $OK OK! $NORMAL No users found with password enabled"
fi
}
@@ -328,7 +373,7 @@ check14(){
HOWOLDER=$(how_older_from_today $DATEROTATED1)
if [ $HOWOLDER -gt "90" ];then
echo -e " $RED $user $NORMAL"
echo -e " $BAD WARNING! $user has not rotated access key1. $NORMAL"
fi
done
echo -e " Users with access key 2 older than 90 days: "
@@ -337,7 +382,7 @@ check14(){
DATEROTATED2=$(cat $TEMP_REPORT_FILE | grep $user| awk -F, '{ print $10 }' | grep -v "N/A" | awk -F"T" '{ print $1 }')
HOWOLDER=$(how_older_from_today $DATEROTATED2)
if [ $HOWOLDER -gt "90" ];then
echo -e " $RED $user $NORMAL"
echo -e " $BAD WARNING! $user has not rotated access key2. $NORMAL"
fi
done
}
@@ -349,7 +394,7 @@ check15(){
if [[ $COMMAND15 == "true" ]];then
echo -e " $OK OK! $NORMAL"
else
echo -e " $RED WARNING! $NORMAL"
echo -e " $BAD WARNING! $NORMAL"
fi
}
@@ -360,7 +405,7 @@ check16(){
if [[ $COMMAND16 == "true" ]];then
echo -e " $OK OK! $NORMAL"
else
echo -e " $RED WARNING! $NORMAL"
echo -e " $BAD WARNING! $NORMAL"
fi
}
@@ -371,7 +416,7 @@ check17(){
if [[ $COMMAND17 == "true" ]];then
echo -e " $OK OK! $NORMAL"
else
echo -e " $RED WARNING! $NORMAL"
echo -e " $BAD WARNING! $NORMAL"
fi
}
@@ -382,7 +427,7 @@ check18(){
if [[ $COMMAND18 == "true" ]];then
echo -e " $OK OK! $NORMAL"
else
echo -e " $RED WARNING! $NORMAL"
echo -e " $BAD WARNING! $NORMAL"
fi
}
@@ -393,7 +438,7 @@ check19(){
if [[ $COMMAND19 -gt "13" ]];then
echo -e " $OK OK! $NORMAL"
else
echo -e " $RED WARNING! $NORMAL"
echo -e " $BAD WARNING! $NORMAL"
fi
}
@@ -405,10 +450,10 @@ check110(){
if [[ $COMMAND110 -gt "23" ]];then
echo -e " $OK OK! $NORMAL"
else
echo -e " $RED WARNING! It is not set or it is set lower than 24 $NORMAL"
echo -e " $BAD WARNING! It is not set or it is set lower than 24 $NORMAL"
fi
else
echo -e " $RED WARNING! It is not set $NORMAL"
echo -e " $BAD WARNING! It is not set $NORMAL"
fi
}
@@ -421,7 +466,7 @@ check111(){
echo -e " $OK OK! $NORMAL"
fi
else
echo -e " $RED WARNING! $NORMAL"
echo -e " $BAD WARNING! Passowrd expiration not set or set greater than 90 days $NORMAL"
fi
}
@@ -432,14 +477,14 @@ check112(){
ROOTKEY2=$(cat $TEMP_REPORT_FILE |grep root_account|awk -F',' '{ print $14 }')
echo -e "\n$TITLE112 "
if [ $ROOTKEY1 == "false" ];then
echo -e " $OK OK! $NORMAL No access key 1 found "
echo -e " $OK OK! $NORMAL No access key 1 found for root "
else
echo -e " $RED Found access key 1 $NORMAL"
echo -e " $BAD WARNING! Found access key 1 for root $NORMAL"
fi
if [ $ROOTKEY2 == "false" ];then
echo -e " $OK OK! $NORMAL No access key 2 found "
echo -e " $OK OK! $NORMAL No access key 2 found for root "
else
echo -e " $RED Found access key 2 $NORMAL"
echo -e " $BAD WARNING! Found access key 2 for root $NORMAL"
fi
}
@@ -450,7 +495,7 @@ check113(){
if [ $COMMAND113 == "1" ]; then
echo " $OK OK! $NORMAL Virtual MFA is enabled. "
else
echo " $RED WARNING! MFA is not ENABLED for root account $NORMAL"
echo " $BAD WARNING! MFA is not ENABLED for root account $NORMAL"
fi
}
@@ -466,7 +511,7 @@ check114(){
echo " $OK OK! $NORMAL Hardware MFA is enabled. "
fi
else
echo " $RED WARNING! MFA is not ENABLED for root account $NORMAL"
echo " $BAD WARNING! MFA is not ENABLED for root account $NORMAL"
fi
}
@@ -484,12 +529,17 @@ check116(){
echo -e "\n$TITLE116"
LIST_USERS=$($AWSCLI iam list-users --query 'Users[*].UserName' --output text --profile $PROFILE --region $REGION)
echo -e " Users with policy attached to them instead to groups: (it may take few seconds...) "
C116_NUM_USERS=0
for user in $LIST_USERS;do
USER_POLICY=$($AWSCLI iam list-attached-user-policies --output text --profile $PROFILE --region $REGION --user-name $user)
if [[ $USER_POLICY ]]; then
echo -e " $RED $user $NORMAL"
echo -e " $BAD WARNING! $user has policy directly attached $NORMAL"
C116_NUM_USERS=$(expr $C116_NUM_USERS + 1)
fi
done
if [[ $C116_NUM_USERS -eq 0 ]]; then
echo -e " $OK OK! $NORMAL No policies attached to users."
fi
}
check117(){
@@ -522,7 +572,7 @@ check118(){
done
done
else
echo -e " $RED WARNING! IAM Master and IAM Manager roles not found$NORMAL"
echo -e " $BAD WARNING! IAM Master and IAM Manager roles not found$NORMAL"
fi
}
@@ -560,14 +610,14 @@ check122(){
for policyarn in $SUPPORTPOLICYARN;do
POLICYTOSHOW=$($AWSCLI iam list-entities-for-policy --policy-arn $SUPPORTPOLICYARN --profile $PROFILE --region $REGION --output text)
if [[ $POLICYTOSHOW ]];then
echo -e " $OK $POLICYTOSHOW $NORMAL"
echo -e " $OK OK! $NORMAL $POLICYTOSHOW"
echo -e " $NOTICE Make sure your team can create a Support case with AWS $NORMAL"
else
echo -e " $RED Support Policy not applied to any Group, User or Role $NORMAL"
echo -e " $BAD WARNING! Support Policy not applied to any Group, User or Role $NORMAL"
fi
done
else
echo -e " $RED WARNING! No Support Policy found$NORMAL"
echo -e " $BAD WARNING! No Support Policy found$NORMAL"
fi
}
@@ -580,18 +630,18 @@ check123(){
LIST_USERS_KEY1_ACTIVE=$(for user in $LIST_USERS_KEY1_NA; do grep $user $TEMP_REPORT_FILE|awk -F, '{ print $1,$9 }'|grep "true$"|awk '{ print $1 }'|sed 's/[:blank:]+/,/g' ; done)
if [[ $LIST_USERS_KEY1_ACTIVE ]]; then
echo -e " $NOTICE List of users with Access Key 1 never used:$NORMAL"
echo -e " $RED $LIST_USERS_KEY1_ACTIVE $NORMAL"
echo -e " $NOTICE $LIST_USERS_KEY1_ACTIVE $NORMAL have never used Access Key 1"
else
echo -e " $OK No users found with Access Key 1 never used $NORMAL"
echo -e " $OK OK! $NORMAL No users found with Access Key 1 never used"
fi
# List of USERS with KEY2 last_used_date as N/A
LIST_USERS_KEY2_NA=$(for user in $LIST_USERS; do grep $user $TEMP_REPORT_FILE|awk -F, '{ print $1,$16 }'|grep N/A |awk '{ print $1 }' ; done)
LIST_USERS_KEY2_ACTIVE=$(for user in $LIST_USERS_KEY2_NA; do grep $user $TEMP_REPORT_FILE|awk -F, '{ print $1,$14 }'|grep "true$" |awk '{ print $1 }' ; done)
if [[ $LIST_USERS_KEY2_ACTIVE ]]; then
echo -e " $NOTICE List of users with Access Key 2 never used:$NORMAL"
echo -e " $RED $LIST_USERS_KEY2_ACTIVE $NORMAL"
echo -e " $NOTICE $LIST_USERS_KEY2_ACTIVE $NORMAL have never used Access Key 2"
else
echo -e " $OK No users found with Access Key 2 never used $NORMAL"
echo -e " $OK OK! $NORMAL No users found with Access Key 2 never used"
fi
}
@@ -611,13 +661,13 @@ check124(){
if [[ $POLICIES_ALLOW_LIST ]]; then
echo -e " $NOTICE List of custom policies: $NORMAL"
for policy in $POLICIES_ALLOW_LIST; do
echo " $RED $policy $NORMAL"
echo " $NOTICE Policy $policy allows \"*:*\" $NORMAL"
done
else
echo " $OK No custom policy found that allow full \"*:*\" administrative privileges $NORMAL"
echo " $OK OK! $NORMAL No custom policy found that allow full \"*:*\" administrative privileges"
fi
else
echo " $OK No custom policies found $NORMAL"
echo " $OK OK! $NORMAL No custom policies found"
fi
}
@@ -629,13 +679,13 @@ check21(){
for trail in $LIST_OF_TRAILS;do
MULTIREGION_TRAIL_STATUS=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].IsMultiRegionTrail' --output text --trail-name-list $trail)
if [[ $MULTIREGION_TRAIL_STATUS == 'False' ]];then
echo -e " $RED WARNING! $trail trail in $REGION is not enabled in multi region mode$NORMAL"
echo -e " $BAD WARNING! $trail trail in $REGION is not enabled in multi region mode$NORMAL"
else
echo -e " $OK OK! $trail trail in $REGION is enabled for all regions$NORMAL"
echo -e " $OK OK! $NORMAL $trail trail in $REGION is enabled for all regions"
fi
done
else
echo -e " $RED WARNING! No CloudTrail trails found!$NORMAL"
echo -e " $BAD WARNING! No CloudTrail trails found!$NORMAL"
fi
}
@@ -647,13 +697,13 @@ check22(){
for trail in $LIST_OF_TRAILS;do
LOGFILEVALIDATION_TRAIL_STATUS=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].LogFileValidationEnabled' --output text --trail-name-list $trail)
if [[ $LOGFILEVALIDATION_TRAIL_STATUS == 'False' ]];then
echo -e " $RED WARNING! $trail trail in $REGION has not log file validation enabled$NORMAL"
echo -e " $BAD WARNING! $trail trail in $REGION has not log file validation enabled$NORMAL"
else
echo -e " $OK OK! $trail trail in $REGION has log file validation enabled$NORMAL"
echo -e " $OK OK! $NORMAL $trail trail in $REGION has log file validation enabled"
fi
done
else
echo -e " $RED WARNING! No CloudTrail trails found!$NORMAL"
echo -e " $BAD WARNING! No CloudTrail trails found!$NORMAL"
fi
}
@@ -665,38 +715,39 @@ check23(){
for bucket in $CLOUDTRAILBUCKET;do
CLOUDTRAILBUCKET_HASALLPERMISIONS=$($AWSCLI s3api get-bucket-acl --bucket $bucket --query 'Grants[?Grantee.URI==`http://acs.amazonaws.com/groups/global/AllUsers`]' --profile $PROFILE --region $REGION --output text)
if [[ $CLOUDTRAILBUCKET_HASALLPERMISIONS ]];then
echo -e " $RED WARNING! check your $bucket CloudTrail bucket ACL and Policy!$NORMAL"
echo -e " $BAD WARNING! check your $bucket CloudTrail bucket ACL and Policy!$NORMAL"
else
echo -e " $OK OK! Bucket $bucket is set correctly $NORMAL"
echo -e " $OK OK! $NORMAL Bucket $bucket is set correctly"
fi
done
else
echo -e " $RED WARNING! No CloudTrail bucket found!$NORMAL"
echo -e " $BAD WARNING! No CloudTrail bucket found!$NORMAL"
fi
}
check24(){
TITLE24="$BLUE 2.4$NORMAL Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)"
echo -e "\n$TITLE24"
LIST_OF_TRAILS=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].Name' --output text)
if [[ $LIST_OF_TRAILS ]];then
for trail in $LIST_OF_TRAILS;do
TRAIL_REGION=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --trail-name-list "$trail" --query 'trailList[*].HomeRegion' --output text)
TRAILS_AND_REGIONS=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].{Name:Name, HomeRegion:HomeRegion}' --output text | tr "\t" ',')
if [[ $TRAILS_AND_REGIONS ]];then
for reg_trail in $TRAILS_AND_REGIONS;do
trail=$(echo $reg_trail | cut -d',' -f2)
TRAIL_REGION=$(echo $reg_trail | cut -d',' -f1)
LATESTDELIVERY_TIMESTAMP=$($AWSCLI cloudtrail get-trail-status --name $trail --profile $PROFILE --region $TRAIL_REGION --query 'LatestCloudWatchLogsDeliveryTime' --output text|grep -v None)
if [[ ! $LATESTDELIVERY_TIMESTAMP ]];then
echo -e " $RED $trail trail is not logging in the last 24h or not configured (it is in $TRAIL_REGION)$NORMAL"
echo -e " $BAD WARNING! $trail trail is not logging in the last 24h or not configured (it is in $TRAIL_REGION)$NORMAL"
else
LATESTDELIVERY_DATE=$(timestamp_to_date $LATESTDELIVERY_TIMESTAMP)
HOWOLDER=$(how_older_from_today $LATESTDELIVERY_DATE)
if [ $HOWOLDER -gt "1" ];then
echo -e " $RED $trail trail is not logging in the last 24h or not configured (it is in $TRAIL_REGION)$NORMAL"
echo -e " $BAD WARNING! $trail trail is not logging in the last 24h or not configured (it is in $TRAIL_REGION)$NORMAL"
else
echo -e " $OK $trail trail has been logging during the last 24h (it is in $TRAIL_REGION)$NORMAL"
echo -e " $OK OK! $NORMAL $trail trail has been logging during the last 24h (it is in $TRAIL_REGION)"
fi
fi
done
else
echo -e " $RED WARNING! No CloudTrail trails found!$NORMAL"
echo -e " $BAD WARNING! No CloudTrail trails found!$NORMAL"
fi
}
@@ -706,9 +757,9 @@ check25(){
for regx in $REGIONS; do
CHECK_AWSCONFIG_STATUS=$($AWSCLI configservice get-status --profile $PROFILE --region $regx | grep "recorder: ON")
if [[ $CHECK_AWSCONFIG_STATUS ]];then
echo -e " $OK Region $regx has AWS Config recorder: ON $NORMAL"
echo -e " $OK OK! $NORMAL Region $regx has AWS Config recorder: ON "
else
echo -e " $RED WARNING! Region $regx has AWS Config disabled or not configured$NORMAL"
echo -e " $BAD WARNING! Region $regx has AWS Config disabled or not configured$NORMAL"
fi
done
}
@@ -721,13 +772,13 @@ check26(){
for bucket in $CLOUDTRAILBUCKET;do
CLOUDTRAILBUCKET_LOGENABLED=$($AWSCLI s3api get-bucket-logging --bucket $bucket --profile $PROFILE --region $REGION --query 'LoggingEnabled.TargetBucket' --output text|grep -v None)
if [[ $CLOUDTRAILBUCKET_LOGENABLED ]];then
echo -e " $OK OK! It is enabled in $bucket $NORMAL"
echo -e " $OK OK! $NORMAL It is enabled in $bucket"
else
echo -e " $RED WARNING! access logging is not enabled in $bucket CloudTrail S3 bucket!$NORMAL"
echo -e " $BAD WARNING! access logging is not enabled in $bucket CloudTrail S3 bucket!$NORMAL"
fi
done
else
echo -e " $RED WARNING! CloudTrail bucket not found!$NORMAL"
echo -e " $BAD WARNING! CloudTrail bucket not found!$NORMAL"
fi
}
@@ -739,13 +790,13 @@ check27(){
for trail in $CLOUDTRAILNAME;do
CLOUDTRAILENC_ENABLED=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --trail $trail --query 'trailList[*].KmsKeyId' --output text)
if [[ $CLOUDTRAILENC_ENABLED ]];then
echo -e " $OK OK! KMS key found for $trail $NORMAL"
echo -e " $OK OK! $NORMAL KMS key found for $trail"
else
echo -e " $RED WARNING! encryption is not enabled in your CloudTrail trail $trail, KMS key not found!$NORMAL"
echo -e " $BAD WARNING! encryption is not enabled in your CloudTrail trail $trail, KMS key not found!$NORMAL"
fi
done
else
echo -e " $RED WARNING! CloudTrail bucket doesn't exist!$NORMAL"
echo -e " $BAD WARNING! CloudTrail bucket doesn't exist!$NORMAL"
fi
}
@@ -758,16 +809,16 @@ check28(){
for key in $CHECK_KMS_KEYLIST; do
CHECK_KMS_KEY_TYPE=$($AWSCLI kms describe-key --key-id $key --profile $PROFILE --region $regx --query 'KeyMetadata.Origin' | sed 's/["]//g')
if [[ $CHECK_KMS_KEY_TYPE == "EXTERNAL" ]];then
echo -e " $BLUE Key $key in Region $regx Customer Uploaded Key Material.$NORMAL"
echo -e " $OK OK! $NORMAL Key $key in Region $regx Customer Uploaded Key Material."
else
CHECK_KMS_KEY_ROTATION=$($AWSCLI kms get-key-rotation-status --key-id $key --profile $PROFILE --region $regx --output text)
CHECK_KMS_DEFAULT_KEY=$($AWSCLI kms describe-key --key-id $key --profile $PROFILE --region $regx --query 'KeyMetadata.Description' | sed -n '/Default master key that protects my /p')
if [[ $CHECK_KMS_KEY_ROTATION == "True" ]];then
echo -e " $OK OK! Key $key in Region $regx is set correctly$NORMAL"
echo -e " $OK OK! $NORMAL Key $key in Region $regx is set correctly"
elif [[ $CHECK_KMS_KEY_ROTATION == "False" && $CHECK_KMS_DEFAULT_KEY ]];then
echo -e " $NOTICE Region $regx key $key is an AWS default master key and cannot be deleted nor modified.$NORMAL"
else
echo -e " $RED WARNING! Key $key in Region $regx is not set to rotate!!!$NORMAL"
echo -e " $BAD WARNING! Key $key in Region $regx is not set to rotate!!!$NORMAL"
fi
fi
done
@@ -785,12 +836,12 @@ check31(){
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep AccessDenied)
if [[ $METRICFILTER_SET ]];then
echo -e " $OK OK! CloudWatch group found, and metric filters for Access Denied enabled$NORMAL"
echo -e " $OK OK! $NORMAL CloudWatch group found, and metric filters for Access Denied enabled"
else
echo -e " $RED WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL"
echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL"
fi
else
echo -e " $RED WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL"
echo -e " $BAD WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL"
fi
}
@@ -801,12 +852,12 @@ check32(){
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'userIdentity.sessionContext.attributes.mfaAuthenticated.*true')
if [[ $METRICFILTER_SET ]];then
echo -e " $OK OK! CloudWatch group found, and metric filters for sign-in Console without MFA enabled$NORMAL"
echo -e " $OK OK! $NORMAL CloudWatch group found, and metric filters for sign-in Console without MFA enabled"
else
echo -e " $RED WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL"
echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL"
fi
else
echo -e " $RED WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL"
echo -e " $BAD WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL"
fi
}
@@ -817,12 +868,12 @@ check33(){
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION |grep -E 'userIdentity.*Root.*AwsServiceEvent')
if [[ $METRICFILTER_SET ]];then
echo -e " $OK OK! CloudWatch group found, and metric filters for usage of root account enabled$NORMAL"
echo -e " $OK OK! $NORMAL CloudWatch group found, and metric filters for usage of root account enabled"
else
echo -e " $RED WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL"
echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL"
fi
else
echo -e " $RED WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL"
echo -e " $BAD WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL"
fi
}
@@ -833,12 +884,12 @@ check34(){
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'DeleteGroupPolicy.*DeleteRolePolicy.*DeleteUserPolicy.*PutGroupPolicy.*PutRolePolicy.*PutUserPolicy.*CreatePolicy.*DeletePolicy.*CreatePolicyVersion.*DeletePolicyVersion.*AttachRolePolicy.*DetachRolePolicy.*AttachUserPolicy.*DetachUserPolicy.*AttachGroupPolicy.*DetachGroupPolicy')
if [[ $METRICFILTER_SET ]];then
echo -e " $OK OK! CloudWatch group found, and metric filters for IAM policy changes enabled$NORMAL"
echo -e " $OK OK! $NORMAL CloudWatch group found, and metric filters for IAM policy changes enabled"
else
echo -e " $RED WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL"
echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL"
fi
else
echo -e " $RED WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL"
echo -e " $BAD WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL"
fi
}
@@ -849,12 +900,12 @@ check35(){
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'CreateTrail.*UpdateTrail.*DeleteTrail.*StartLogging.*StopLogging')
if [[ $METRICFILTER_SET ]];then
echo -e " $OK OK! CloudWatch group found, and metric filters for CloudTrail configuration changes enabled$NORMAL"
echo -e " $OK OK! $NORMAL CloudWatch group found, and metric filters for CloudTrail configuration changes enabled"
else
echo -e " $RED WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL"
echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL"
fi
else
echo -e " $RED WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL"
echo -e " $BAD WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL"
fi
}
@@ -865,12 +916,12 @@ check36(){
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'ConsoleLogin.*Failed')
if [[ $METRICFILTER_SET ]];then
echo -e " $OK OK! CloudWatch group found, and metric filters for usage of root account enabled$NORMAL"
echo -e " $OK OK! $NORMAL CloudWatch group found, and metric filters for usage of root account enabled"
else
echo -e " $RED WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL"
echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL"
fi
else
echo -e " $RED WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL"
echo -e " $BAD WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL"
fi
}
@@ -881,12 +932,12 @@ check37(){
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'kms.amazonaws.com.*DisableKey.*ScheduleKeyDeletion')
if [[ $METRICFILTER_SET ]];then
echo -e " $OK OK! CloudWatch group found, and metric filters enabled$NORMAL"
echo -e " $OK OK! $NORMAL CloudWatch group found, and metric filters enabled"
else
echo -e " $RED WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL"
echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL"
fi
else
echo -e " $RED WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL"
echo -e " $BAD WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL"
fi
}
@@ -897,12 +948,12 @@ check38(){
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 's3.amazonaws.com.*PutBucketAcl.*PutBucketPolicy.*PutBucketCors.*PutBucketLifecycle.*PutBucketReplication.*DeleteBucketPolicy.*DeleteBucketCors.*DeleteBucketLifecycle.*DeleteBucketReplication')
if [[ $METRICFILTER_SET ]];then
echo -e " $OK OK! CloudWatch group found, and metric filters enabled$NORMAL"
echo -e " $OK OK! $NORMAL CloudWatch group found, and metric filters enabled"
else
echo -e " $RED WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL"
echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL"
fi
else
echo -e " $RED WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL"
echo -e " $BAD WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL"
fi
}
@@ -913,12 +964,12 @@ check39(){
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'config.amazonaws.com.*StopConfigurationRecorder.*DeleteDeliveryChannel.*PutDeliveryChannel.*PutConfigurationRecorder')
if [[ $METRICFILTER_SET ]];then
echo -e " $OK OK! CloudWatch group found, and metric filters enabled$NORMAL"
echo -e " $OK OK! $NORMAL CloudWatch group found, and metric filters enabled"
else
echo -e " $RED WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL"
echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL"
fi
else
echo -e " $RED WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL"
echo -e " $BAD WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL"
fi
}
@@ -929,12 +980,12 @@ check310(){
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'AuthorizeSecurityGroupIngress.*AuthorizeSecurityGroupEgress.*RevokeSecurityGroupIngress.*RevokeSecurityGroupEgress.*CreateSecurityGroup.*DeleteSecurityGroup')
if [[ $METRICFILTER_SET ]];then
echo -e " $OK OK! CloudWatch group found, and metric filters enabled$NORMAL"
echo -e " $OK OK! $NORMAL CloudWatch group found, and metric filters enabled"
else
echo -e " $RED WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL"
echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL"
fi
else
echo -e " $RED WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL"
echo -e " $BAD WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL"
fi
}
@@ -945,12 +996,12 @@ check311(){
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'CreateNetworkAcl.*CreateNetworkAclEntry.*DeleteNetworkAcl.*DeleteNetworkAclEntry.*ReplaceNetworkAclEntry.*ReplaceNetworkAclAssociation')
if [[ $METRICFILTER_SET ]];then
echo -e " $OK OK! CloudWatch group found, and metric filters enabled$NORMAL"
echo -e " $OK OK! $NORMAL CloudWatch group found, and metric filters enabled"
else
echo -e " $RED WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL"
echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL"
fi
else
echo -e " $RED WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL"
echo -e " $BAD WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL"
fi
}
@@ -961,12 +1012,12 @@ check312(){
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'CreateCustomerGateway.*DeleteCustomerGateway.*AttachInternetGateway.*CreateInternetGateway.*DeleteInternetGateway.*DetachInternetGateway')
if [[ $METRICFILTER_SET ]];then
echo -e " $OK OK! CloudWatch group found, and metric filters enabled$NORMAL"
echo -e " $OK OK! $NORMAL CloudWatch group found, and metric filters enabled"
else
echo -e " $RED WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL"
echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL"
fi
else
echo -e " $RED WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL"
echo -e " $BAD WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL"
fi
}
@@ -977,12 +1028,12 @@ check313(){
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'CreateRoute.*CreateRouteTable.*ReplaceRoute.*ReplaceRouteTableAssociation.*DeleteRouteTable.*DeleteRoute.*DisassociateRouteTable')
if [[ $METRICFILTER_SET ]];then
echo -e " $OK OK! CloudWatch group found, and metric filters enabled$NORMAL"
echo -e " $OK OK! $NORMAL CloudWatch group found, and metric filters enabled"
else
echo -e " $RED WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL"
echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL"
fi
else
echo -e " $RED WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL"
echo -e " $BAD WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL"
fi
}
@@ -993,12 +1044,12 @@ check314(){
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'CreateVpc.*DeleteVpc.*ModifyVpcAttribute.*AcceptVpcPeeringConnection.*CreateVpcPeeringConnection.*DeleteVpcPeeringConnection.*RejectVpcPeeringConnection.*AttachClassicLinkVpc.*DetachClassicLinkVpc.*DisableVpcClassicLink.*EnableVpcClassicLink')
if [[ $METRICFILTER_SET ]];then
echo -e " $OK OK! CloudWatch group found, and metric filters enabled$NORMAL"
echo -e " $OK OK! $NORMAL CloudWatch group found, and metric filters enabled"
else
echo -e " $RED WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL"
echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL"
fi
else
echo -e " $RED WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL"
echo -e " $BAD WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL"
fi
}
@@ -1015,8 +1066,8 @@ check315(){
echo -e " $NOTICE Region $regx with Topic $TOPIC_SHORT: $NORMAL "
echo -e " $NOTICE - Suscription: $CHECK_TOPIC_LIST $NORMAL"
else
echo -e " $RED WARNING! No suscription found in: Region $regx and Topic $topic $NORMAL"
echo -e " $RED - Region $regx and Topic $topic $NORMAL"
echo -e " $BAD WARNING! No suscription found in: Region $regx and Topic $topic $NORMAL"
echo -e " $BAD - Region $regx and Topic $topic $NORMAL"
fi
done
else
@@ -1032,10 +1083,10 @@ check41(){
SG_LIST=$($AWSCLI ec2 describe-security-groups --filters "Name=ip-permission.to-port,Values=22" --query 'SecurityGroups[?length(IpPermissions[?ToPort==`22` && contains(IpRanges[].CidrIp, `0.0.0.0/0`)]) > `0`].{GroupName: GroupName}' --profile $PROFILE --region $regx --output text)
if [[ $SG_LIST ]];then
for SG in $SG_LIST;do
echo -e " $RED Found Security Group: $SG open to 0.0.0.0/0 in Region $regx $NORMAL "
echo -e " $BAD WARNING! Found Security Group: $SG open to 0.0.0.0/0 in Region $regx $NORMAL "
done
else
echo -e " $OK OK! No Security Groups found in $regx with port 22 TCP open to 0.0.0.0/0 $NORMAL "
echo -e " $OK OK! $NORMAL No Security Groups found in $regx with port 22 TCP open to 0.0.0.0/0 "
fi
done
}
@@ -1047,10 +1098,10 @@ check42(){
SG_LIST=$($AWSCLI ec2 describe-security-groups --filters "Name=ip-permission.to-port,Values=3389" --query 'SecurityGroups[?length(IpPermissions[?ToPort==`3389` && contains(IpRanges[].CidrIp, `0.0.0.0/0`)]) > `0`].{GroupName: GroupName}' --profile $PROFILE --region $regx --output text)
if [[ $SG_LIST ]];then
for SG in $SG_LIST;do
echo -e " $RED Found Security Group: $SG open to 0.0.0.0/0 in Region $regx $NORMAL "
echo -e " $BAD WARNING! Found Security Group: $SG open to 0.0.0.0/0 in Region $regx $NORMAL "
done
else
echo -e " $OK OK! No Security Groups found in $regx with port 3389 TCP open to 0.0.0.0/0 $NORMAL "
echo -e " $OK OK! $NORMAL No Security Groups found in $regx with port 3389 TCP open to 0.0.0.0/0 "
fi
done
}
@@ -1062,10 +1113,10 @@ check43(){
CHECK_FL=$($AWSCLI ec2 describe-flow-logs --profile $PROFILE --region $regx --query 'FlowLogs[?FlowLogStatus==`ACTIVE`].LogGroupName' --output text)
if [[ $CHECK_FL ]];then
for FL in $CHECK_FL;do
echo -e " $OK OK! VPCFlowLog is enabled for LogGroupName: $FL in Region $regx $NORMAL "
echo -e " $OK OK! $NORMAL VPCFlowLog is enabled for LogGroupName: $FL in Region $regx "
done
else
echo -e " $RED WARNING! No VPCFlowLog has been found in Region $regx $NORMAL "
echo -e " $BAD WARNING! No VPCFlowLog has been found in Region $regx $NORMAL "
fi
done
}
@@ -1076,9 +1127,9 @@ check44(){
for regx in $REGIONS; do
CHECK_SGDEFAULT=$($AWSCLI ec2 describe-security-groups --profile $PROFILE --region $regx --filters Name=group-name,Values='default' --query 'SecurityGroups[*].{IpPermissions:IpPermissions,IpPermissionsEgress:IpPermissionsEgress,GroupId:GroupId}' --output text |grep 0.0.0.0)
if [[ $CHECK_SGDEFAULT ]];then
echo -e " $RED WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region $regx $NORMAL "
echo -e " $BAD WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region $regx $NORMAL "
else
echo -e " $OK OK! No Default Security Groups open to 0.0.0.0 found in Region $regx $NORMAL "
echo -e " $OK OK! $NORMAL No Default Security Groups open to 0.0.0.0 found in Region $regx "
fi
done
}
@@ -1099,7 +1150,7 @@ check45(){
# done
#echo $VPCS_WITH_PEERING
else
echo -e " $OK $regx: No VPC peering found $NORMAL "
echo -e " $OK OK! $NORMAL $regx: No VPC peering found "
fi
done
}