Added extra738 CloudFront HTTPS

README.md

@@ -417,6 +417,7 @@ At this moment we have 37 extra checks:
 - 7.35 (`extra735`) Check if RDS instances storage is encrypted (Not Scored) (Not part of CIS benchmark)
 - 7.36 (`extra736`) Check exposed KMS keys (Not Scored) (Not part of CIS benchmark)
 - 7.37 (`extra737`) Check KMS keys with key rotation disabled (Not Scored) (Not part of CIS benchmark)
+- 7.38 (`extra738`) Check if CloudFront distributions are set to HTTPS (Not Scored) (Not part of CIS benchmark)
 
 To check all extras in one command:
 

checks/check_extra738

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra738="7.38"
+CHECK_TITLE_extra738="[extra738] Check if CloudFront distributions are set to HTTPS (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra738="NOT_SCORED"
+CHECK_TYPE_extra738="EXTRA"
+CHECK_ALTERNATE_check738="extra738"
+
+extra738(){
+    LIST_OF_DISTRIBUTIONS=$($AWSCLI cloudfront list-distributions --query 'DistributionList.Items[*].Id' $PROFILE_OPT --output text|grep -v ^None)
+    if [[ $LIST_OF_DISTRIBUTIONS ]];then
+      for dist in $LIST_OF_DISTRIBUTIONS; do
+        CHECK_HTTPS_STATUS=$($AWSCLI cloudfront get-distribution --id $dist --query Distribution.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy $PROFILE_OPT --output text)
+        if [[ $CHECK_HTTPS_STATUS == "allow-all" ]]; then
+          textFail "CloudFront distribution $dist viewers can use HTTP or HTTPS!" "$regx"
+        elif [[ $CHECK_HTTPS_STATUS == "redirect-to-https" ]]; then
+          textPass "CloudFront distribution $dist has redirect to HTTPS" "$regx"
+        else
+          textPass "CloudFront distribution $dist has HTTPS only" "$regx"
+        fi
+      done
+    else
+      textInfo "No CloudFront distributions found" "$regx"
+    fi
+}

groups/group9_gdpr

@@ -15,7 +15,7 @@ GROUP_ID[9]='gdpr'
 GROUP_NUMBER[9]='9.0'
 GROUP_TITLE[9]='GDPR Readiness - WORK IN PROGRESS!! - [gdpr] *******************'
 GROUP_RUN_BY_DEFAULT[9]='N' # run it when execute_all is called
-GROUP_CHECKS[9]='extra718,extra725,extra727,check12,check113,check114,extra71,extra731,extra732,extra733,check25,check39,check21,check22,check23,check24,check26,check27,check35,extra726,extra714,extra715,extra717,extra719,extra720,extra721,extra722,check43,check25,extra714,extra729,extra734,extra735,extra736'
+GROUP_CHECKS[9]='extra718,extra725,extra727,check12,check113,check114,extra71,extra731,extra732,extra733,check25,check39,check21,check22,check23,check24,check26,check27,check35,extra726,extra714,extra715,extra717,extra719,extra720,extra721,extra722,check43,check25,extra714,extra729,extra734,extra735,extra736,extra738'
 
 # Resources:
 # https://d1.awsstatic.com/whitepapers/compliance/GDPR_Compliance_on_AWS.pdf