New forensics-ready check group and extra712

README.md

@@ -9,6 +9,7 @@
 - [Screenshots](#screenshots)
 - [Troubleshooting](#troubleshooting)
 - [Extras](#extras)
+- [Forensics ready checks](#forensics-ready-checks)
 - [Add Custom Checks](#add-custom-checks)
 - [Third Party Integrations](#third-party-integrations)
 
@@ -24,7 +25,7 @@ It covers hardening and security best practices for all AWS regions related to:
 - Logging (8 checks)
 - Monitoring (15 checks)
 - Networking (5 checks)
-- Extras (11 checks) *see Extras section
+- Extras (12 checks) *see Extras section
 
 For a comprehesive list and resolution look at the guide on the link above.
 
@@ -594,6 +595,8 @@ At this moment we have 11 extra checks:
 - 7.9 (`extra79`) Check for internet facing Elastic Load Balancers (Not Scored) (Not part of CIS benchmark)
 - 7.10 (`extra710`) Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)
 - 7.11 (`extra711`) Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)
+- 7.12 (`extra712`) Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)
+
 
 To check all extras in one command:
 ```
@@ -604,6 +607,13 @@ or to run just one of the checks:
 ./prowler -c extraNUMBER
 ```
 
+## Forensics Ready Checks
+
+With this group of checks, Prowler looks if each service with logging or audit capabilities has them enabled to ensure all needed evidences are recorded for an eventual digital forensic investigation in case of incident. The `forensics-ready` group of checks uses existing and extra checks. To get a forensics readiness report, run this command:
+```
+./prowler -c forensics-ready
+```
+
 ## Add Custom Checks
 
 In order to add any new check feel free to create a new extra check in the extras section. To do so, you will need to follow these steps:

prowler

@@ -486,7 +486,8 @@ ID710="7.10,7.10"
 TITLE710="Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)"
 ID711="7.11,7.11"
 TITLE711="Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)"
-
+ID712="7.12,7.12"
+TITLE712="Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)"
 
 printCsvHeader() {
   >&2 echo ""
@@ -1851,6 +1852,19 @@ extra711(){
   done
 }
 
+extra712(){
+  # "Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)"
+  textTitle "$ID712" "$TITLE712" "NOT_SCORED" "EXTRA"
+  textNotice "No API commands available to check if Macie is enabled,"
+  textNotice "just looking if IAM Macie related permissions exist.  "
+  MACIE_IAM_ROLES_CREATED=$($AWSCLI iam list-roles $PROFILE_OPT --query 'Roles[*].Arn'|grep AWSMacieServiceCustomer|wc -l)
+  if [[ $MACIE_IAM_ROLES_CREATED -eq 2 ]];then
+    textOK "Macie related IAM roles exist, so it might be enabled. Check it out manually."
+  else
+    textWarn "No Macie related IAM roles found. It is most likely not be enabled"
+  fi
+}
+
 callCheck(){
   if [[ $CHECKNUMBER ]];then
     case "$CHECKNUMBER" in
@@ -1917,6 +1931,7 @@ callCheck(){
       extra79|extra709 ) extra79;;
       extra710|extra710 ) extra710;;
       extra711|extra711 ) extra711;;
+      extra712|extra712 ) extra712;;
 
       ## Groups of Checks
       check1 )
@@ -1953,7 +1968,12 @@ callCheck(){
         ;;
       extras )
         extra71;extra72;extra73;extra74;extra75;extra76;extra77;extra78;
-        extra79;extra710;extra711
+        extra79;extra710;extra711;extra712
+        ;;
+      forensics-ready )
+        check21;check22;check23;check24;check25;check26;check27;
+        check43;
+        extra712;
         ;;
       * )
         textWarn "ERROR! Use a valid check name (i.e. check41 or extra71)\n";