diff --git a/README.md b/README.md index a028ef10..0bc00148 100644 --- a/README.md +++ b/README.md @@ -150,259 +150,6 @@ USAGE: - Sample screnshot of single check for check 3.3: screenshot 2016-09-14 13 20 46 -- Sample of a full report: - -``` -$ ./prowler - _ - _ __ _ __ _____ _| | ___ _ __ - | '_ \| '__/ _ \ \ /\ / / |/ _ \ '__| - | |_) | | | (_) \ V V /| | __/ | - | .__/|_| \___/ \_/\_/ |_|\___|_| - |_| CIS based AWS Account Hardening Tool - - -Date: Wed Sep 14 13:30:13 EDT 2016 - -This report is being generated using credentials below: - -AWS-CLI Profile: [default] AWS Region: [us-east-1] - --------------------------------------------------------------------------------------- -| GetCallerIdentity | -+--------------+-------------------------------------------+-------------------------+ -| Account | Arn | UserId | -+--------------+-------------------------------------------+-------------------------+ -| XXXXXXXXXXXX| arn:aws:iam::XXXXXXXXXXXX:user/toni | XXXXXXXXXXXXXXXXXXXXX | -+--------------+-------------------------------------------+-------------------------+ - -Colors Code for results: INFORMATIVE, OK (RECOMMENDED VALUE), CRITICAL (FIX REQUIRED) - - -Generating AWS IAM Credential Report....COMPLETE - - - 1 Identity and Access Management ********************************* - - 1.1 Avoid the use of the root account (Scored). Last time root account was used - (password last used, access_key_1_last_used, access_key_2_last_used): - 2016-08-11T20:59:27+00:00, N/A, N/A - - 1.2 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored) - List of users with Password enabled but MFA disabled: - toni - - 1.3 Ensure credentials unused for 90 days or greater are disabled (Scored) - User list: - toni - - 1.4 Ensure access keys are rotated every 90 days or less (Scored) - Users with access key 1 older than 90 days: - - Users with access key 2 older than 90 days: - - 1.5 Ensure IAM password policy requires at least one uppercase letter (Scored) - FALSE - - 1.6 Ensure IAM password policy require at least one lowercase letter (Scored) - FALSE - - 1.7 Ensure IAM password policy require at least one symbol (Scored) - FALSE - - 1.8 Ensure IAM password policy require at least one number (Scored) - FALSE - - 1.9 Ensure IAM password policy requires minimum length of 14 or greater (Scored) - FALSE - - 1.10 Ensure IAM password policy prevents password reuse (Scored) - FALSE - - 1.11 Ensure IAM password policy expires passwords within 90 days or less (Scored) - FALSE - - 1.12 Ensure no root account access key exists (Scored) - Found access key 1 - OK No access key 2 found - - 1.13 Ensure hardware MFA is enabled for the root account (Scored) - OK - - 1.14 Ensure security questions are registered in the AWS account (Not Scored) - No command available for check 1.14 - Login to the AWS Console as root, click on the Account - Name -> My Account -> Configure Security Challenge Questions - - 1.15 Ensure IAM policies are attached only to groups or roles (Scored) - Users with policy attached to them instead to groups: (it may take few seconds...) - toni - - - 2 Logging ******************************************************** - - 2.1 Ensure CloudTrail is enabled in all regions (Scored) - FALSE - - 2.2 Ensure CloudTrail log file validation is enabled (Scored) - FALSE - - 2.3 Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored) - WARNING! CloudTrail bucket doesn't exist! - - 2.4 Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored) - WARNING! No CloudTrail trails found! - - 2.5 Ensure AWS Config is enabled in all regions (Scored) - WARNING! Region ap-south-1 has AWS Config disabled or not configured - WARNING! Region eu-west-1 has AWS Config disabled or not configured - WARNING! Region ap-southeast-1 has AWS Config disabled or not configured - WARNING! Region ap-southeast-2 has AWS Config disabled or not configured - WARNING! Region eu-central-1 has AWS Config disabled or not configured - WARNING! Region ap-northeast-2 has AWS Config disabled or not configured - WARNING! Region ap-northeast-1 has AWS Config disabled or not configured - WARNING! Region us-east-1 has AWS Config disabled or not configured - WARNING! Region sa-east-1 has AWS Config disabled or not configured - WARNING! Region us-west-1 has AWS Config disabled or not configured - WARNING! Region us-west-2 has AWS Config disabled or not configured - - 2.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored) - WARNING! CloudTrail bucket doesn't exist! - - 2.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored) - WARNING! CloudTrail bucket doesn't exist! - - 2.8 Ensure rotation for customer created CMKs is enabled (Scored) - Region ap-south-1 doesn't have encryption keys - Region eu-west-1 doesn't have encryption keys - Region ap-southeast-1 doesn't have encryption keys - Region ap-southeast-2 doesn't have encryption keys - Region eu-central-1 doesn't have encryption keys - Region ap-northeast-2 doesn't have encryption keys - Region ap-northeast-1 doesn't have encryption keys - WARNING! Key a0e988df-bc84-423f-996c-XXXX in Region us-east-1 is not set to rotate! - Region sa-east-1 doesn't have encryption keys - Region us-west-1 doesn't have encryption keys - Region us-west-2 doesn't have encryption keys - - - 3 Monitoring ***************************************************** - - 3.1 Ensure a log metric filter and alarm exist for unauthorized API calls (Scored) - WARNING! No CloudWatch group found, no metric filters or alarms associated - - 3.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored) - WARNING! No CloudWatch group found, no metric filters or alarms associated - - 3.3 Ensure a log metric filter and alarm exist for usage of root account (Scored) - WARNING! No CloudWatch group found, no metric filters or alarms associated - - 3.4 Ensure a log metric filter and alarm exist for IAM policy changes (Scored) - WARNING! No CloudWatch group found, no metric filters or alarms associated - - 3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored) - WARNING! No CloudWatch group found, no metric filters or alarms associated - - 3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored) - WARNING! No CloudWatch group found, no metric filters or alarms associated - - 3.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored) - WARNING! No CloudWatch group found, no metric filters or alarms associated - - 3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored) - WARNING! No CloudWatch group found, no metric filters or alarms associated - - 3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored) - WARNING! No CloudWatch group found, no metric filters or alarms associated - - 3.10 Ensure a log metric filter and alarm exist for security group changes (Scored) - WARNING! No CloudWatch group found, no metric filters or alarms associated - - 3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored) - WARNING! No CloudWatch group found, no metric filters or alarms associated - - 3.12 Ensure a log metric filter and alarm exist for changes to network gateways (Scored) - WARNING! No CloudWatch group found, no metric filters or alarms associated - - 3.13 Ensure a log metric filter and alarm exist for route table changes (Scored) - WARNING! No CloudWatch group found, no metric filters or alarms associated - - 3.14 Ensure a log metric filter and alarm exist for VPC changes (Scored) - WARNING! No CloudWatch group found, no metric filters or alarms associated - - 3.15 Ensure security contact information is registered (Scored) - No command available for check 3.15 - Login to the AWS Console, click on My Account - Go to Alternate Contacts -> make sure Security section is filled - - 3.16 Ensure appropriate subscribers to each SNS topic (Not Scored) - Region ap-south-1 doesn't have topics - Region eu-west-1 doesn't have topics - Region ap-southeast-1 doesn't have topics - Region ap-southeast-2 doesn't have topics - Region eu-central-1 doesn't have topics - Region ap-northeast-2 doesn't have topics - Region ap-northeast-1 doesn't have topics - Region us-east-1 doesn't have topics - Region sa-east-1 doesn't have topics - Region us-west-1 doesn't have topics - Region us-west-2 doesn't have topics - - - 4 Networking ************************************************** - - 4.1 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored) - OK, No Security Groups found in ap-south-1 with port 22 TCP open to 0.0.0.0/0 - OK, No Security Groups found in eu-west-1 with port 22 TCP open to 0.0.0.0/0 - OK, No Security Groups found in ap-southeast-1 with port 22 TCP open to 0.0.0.0/0 - OK, No Security Groups found in ap-southeast-2 with port 22 TCP open to 0.0.0.0/0 - OK, No Security Groups found in eu-central-1 with port 22 TCP open to 0.0.0.0/0 - OK, No Security Groups found in ap-northeast-2 with port 22 TCP open to 0.0.0.0/0 - OK, No Security Groups found in ap-northeast-1 with port 22 TCP open to 0.0.0.0/0 - OK, No Security Groups found in us-east-1 with port 22 TCP open to 0.0.0.0/0 - OK, No Security Groups found in sa-east-1 with port 22 TCP open to 0.0.0.0/0 - OK, No Security Groups found in us-west-1 with port 22 TCP open to 0.0.0.0/0 - OK, No Security Groups found in us-west-2 with port 22 TCP open to 0.0.0.0/0 - - 4.2 Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored) - OK, No Security Groups found in ap-south-1 with port 3389 TCP open to 0.0.0.0/0 - OK, No Security Groups found in eu-west-1 with port 3389 TCP open to 0.0.0.0/0 - OK, No Security Groups found in ap-southeast-1 with port 3389 TCP open to 0.0.0.0/0 - OK, No Security Groups found in ap-southeast-2 with port 3389 TCP open to 0.0.0.0/0 - OK, No Security Groups found in eu-central-1 with port 3389 TCP open to 0.0.0.0/0 - OK, No Security Groups found in ap-northeast-2 with port 3389 TCP open to 0.0.0.0/0 - OK, No Security Groups found in ap-northeast-1 with port 3389 TCP open to 0.0.0.0/0 - OK, No Security Groups found in us-east-1 with port 3389 TCP open to 0.0.0.0/0 - OK, No Security Groups found in sa-east-1 with port 3389 TCP open to 0.0.0.0/0 - OK, No Security Groups found in us-west-1 with port 3389 TCP open to 0.0.0.0/0 - OK, No Security Groups found in us-west-2 with port 3389 TCP open to 0.0.0.0/0 - - 4.3 Ensure VPC Flow Logging is Enabled in all Applicable Regions (Scored) - WARNING! no VPCFlowLog has been found in Region ap-south-1 - WARNING! no VPCFlowLog has been found in Region eu-west-1 - WARNING! no VPCFlowLog has been found in Region ap-southeast-1 - WARNING! no VPCFlowLog has been found in Region ap-southeast-2 - WARNING! no VPCFlowLog has been found in Region eu-central-1 - WARNING! no VPCFlowLog has been found in Region ap-northeast-2 - WARNING! no VPCFlowLog has been found in Region ap-northeast-1 - WARNING! no VPCFlowLog has been found in Region us-east-1 - WARNING! no VPCFlowLog has been found in Region sa-east-1 - WARNING! no VPCFlowLog has been found in Region us-west-1 - WARNING! no VPCFlowLog has been found in Region us-west-2 - - 4.4 Ensure the default security group restricts all traffic (Scored) - WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region ap-south-1 - WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region eu-west-1 - WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region ap-southeast-1 - WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region ap-southeast-2 - WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region eu-central-1 - WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region ap-northeast-2 - WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region ap-northeast-1 - OK, no Default Security Groups open to 0.0.0.0 found in Region us-east-1 - WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region sa-east-1 - WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region us-west-1 - OK, no Default Security Groups open to 0.0.0.0 found in Region us-west-2 - - For more information and reference: https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf ```