added check extra725 S3 object-level logging

checks/check_extra725

@@ -10,49 +10,51 @@
 # under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
-# CHECK_ID_extra725="7.25"
-# CHECK_TITLE_extra725="[extra725] Check if S3 buckets have Object-level logging enabled (Not Scored) (Not part of CIS benchmark)"
-# CHECK_SCORED_extra725="NOT_SCORED"
-# CHECK_ALTERNATE_check725="extra725"
-#
-# aws cloudtrail get-event-selectors --trail-name Default --profile security --region us-east-1 --query "EventSelectors[*].DataResources[?Type == \`AWS::S3::Object\`].Values" --output text |xargs -n1 |cut -d: -f 6|sed 's/\///g'
-#
-# extra725(){
-#   # "Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)"
-#   for regx in $REGIONS; do
-#     LIST_OF_FUNCTIONS=$($AWSCLI lambda list-functions $PROFILE_OPT --region $regx --query Functions[*].FunctionName --output text)
-#     if [[ $LIST_OF_FUNCTIONS ]]; then
-#       for lambdafunction in $LIST_OF_FUNCTIONS;do
-#         LIST_OF_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query trailList[?HomeRegion==\`$regx\`].Name --output text)
-#         if [[ $LIST_OF_TRAILS ]]; then
-#           for trail in $LIST_OF_TRAILS; do
-#             FUNCTION_ENABLED_IN_TRAIL=$($AWSCLI cloudtrail get-event-selectors $PROFILE_OPT --trail-name $trail --region $regx --query "EventSelectors[*].DataResources[?Type == \`AWS::Lambda::Function\`].Values" --output text |xargs -n1| grep -E "^arn:aws:lambda.*function:$lambdafunction$")
-#             if [[ $FUNCTION_ENABLED_IN_TRAIL ]]; then
-#               textPass "$regx: Lambda function $lambdafunction enabled in trail $trail" "$regx"
-#             else
-#               textFail "$regx: Lambda function $lambdafunction NOT enabled in trail $trail" "$regx"
-#             fi
-#           done
-#           # LIST_OF_MULTIREGION_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query "trailList[?IsMultiRegionTrail == \`true\`].Name" --output text)
-#           # if [[ $LIST_OF_MULTIREGION_TRAILS ]]; then
-#           #   for trail in $LIST_OF_MULTIREGION_TRAILS; do
-#           #     REGION_OF_TRAIL=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query "trailList[?IsMultiRegionTrail == \`true\` && Name == \`$trail\` ].HomeRegion" --output text)
-#           #     FUNCTION_ENABLED_IN_THIS_REGION=$($AWSCLI cloudtrail get-event-selectors $PROFILE_OPT --trail-name $trail --region $REGION_OF_TRAIL --query "EventSelectors[*].DataResources[?Type == \`AWS::Lambda::Function\`].Values" --output text |xargs -n1| grep -E "^arn:aws:lambda.*function:$lambdafunction$")
-#           #     if [[ $FUNCTION_ENABLED_IN_THIS_REGION ]]; then
-#           #       textPass "$regx: Lambda function $lambdafunction enabled in trail $trail" "$regx"
-#           #     else
-#           #       textFail "$regx: Lambda function $lambdafunction NOT enabled in trail $trail" "$regx"
-#           #     fi
-#           #   done
-#           # else
-#           #   textFail "$regx: Lambda function $lambdafunction is not being recorded!" "$regx"
-#           # fi
-#         else
-#           textFail "$regx: Lambda function $lambdafunction is not being recorded no CloudTrail found!" "$regx"
-#         fi
-#       done
-#     else
-#       textInfo "$regx: No Lambda functions found" "$regx"
-#     fi
-#   done
-# }
+
+CHECK_ID_extra725="7.25"
+CHECK_TITLE_extra725="[extra725] Check if S3 buckets have Object-level logging enabled in CloudTrail (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra725="NOT_SCORED"
+CHECK_ALTERNATE_check725="extra725"
+
+# per Object-level logging is not configured at Bucket level but at CloudTrail trail level
+extra725(){
+  # "Check if S3 buckets have Object-level logging enabled in CloudTrail (Not Scored) (Not part of CIS benchmark)"
+  textInfo "Looking for S3 Buckets Object-level logging information in all trails...  "
+
+  # create a file with a list of all buckets
+  TEMP_BUCKET_LIST_FILE=$(mktemp -t prowler.bucket-list-XXXXXX)
+  $AWSCLI s3api list-buckets --query 'Buckets[*].{Name:Name}' $PROFILE_OPT --region $REGION --output text > $TEMP_BUCKET_LIST_FILE
+
+  # now create a list with all trails available and their region
+  TEMP_TRAILS_LIST_FILE=$(mktemp -t prowler.trails-list-XXXXXX)
+  for regx in $REGIONS; do
+    $AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query trailList[?HomeRegion==\`$regx\`].[Name,HomeRegion] --output text >> $TEMP_TRAILS_LIST_FILE
+  done
+  if [ ! -s $TEMP_TRAILS_LIST_FILE ]; then
+    textInfo "$regx: No S3 buckets found" "$regx"
+    exit
+  fi
+
+  # look for buckets being logged per trail and create a list with them
+  TEMP_BUCKETS_LOGGING_LIST_FILE=$(mktemp -t prowler.buckets-logging-list-XXXXXX)
+  for trail in $(cat $TEMP_TRAILS_LIST_FILE | awk '{ print $1 }'); do
+    TRAIL_REGION=$(grep ^$trail $TEMP_TRAILS_LIST_FILE | awk '{ print $2 }')
+    BUCKETS_OBJECT_LOGGING_ENABLED=$($AWSCLI cloudtrail get-event-selectors --trail-name $trail $PROFILE_OPT --region $TRAIL_REGION --query "EventSelectors[*].DataResources[?Type == \`AWS::S3::Object\`].Values" --output text |xargs -n1 |cut -d: -f 6|sed 's/\///g')
+    echo $BUCKETS_OBJECT_LOGGING_ENABLED |tr " " "\n"|sort >> $TEMP_BUCKETS_LOGGING_LIST_FILE
+    if [[ $BUCKETS_OBJECT_LOGGING_ENABLED ]]; then
+      for bucket in $BUCKETS_OBJECT_LOGGING_ENABLED; do
+        textPass "$regx: S3 bucket $bucket has Object-level logging enabled in trail $trail" "$regx"
+     done
+    fi
+  done
+  # diff to get the ones that are not in any trail then they are not logging
+  BUCKETS_NOT_LOGGING=$(diff $TEMP_BUCKETS_LOGGING_LIST_FILE $TEMP_BUCKET_LIST_FILE | sed -n 's/^> //p')
+  if [[ $BUCKETS_NOT_LOGGING ]]; then
+    for bucket in $BUCKETS_NOT_LOGGING; do
+      textFail "$regx: S3 bucket $bucket has Object-level logging disabled" "$regx"
+   done
+  fi
+  # delete all temp files 
+  rm -fr $TEMP_BUCKET_LIST_FILE $TEMP_TRAILS_LIST_FILE $TEMP_BUCKETS_LOGGING_LIST_FILE
+
+}

groups/group9_gdpr

@@ -16,3 +16,9 @@ GROUP_NUMBER[9]='8.0'
 GROUP_TITLE[9]='GDPR Readiness - [gdpr] ****************************************'
 GROUP_RUN_BY_DEFAULT[9]='N' # run it when execute_all is called
 GROUP_CHECKS[9]=''
+
+# Resources:
+# https://d1.awsstatic.com/whitepapers/compliance/GDPR_Compliance_on_AWS.pdf
+# https://github.com/toniblyx/prowler/issues/189
+# https://www.slideshare.net/AmazonWebServices/sid303-navigating-gdpr-compliance-on-aws
+# https://aws.amazon.com/compliance/gdpr-center/