diff --git a/checks/check110 b/checks/check110 index 9c6e4a85..3e638cc5 100644 --- a/checks/check110 +++ b/checks/check110 @@ -16,6 +16,10 @@ CHECK_SEVERITY_check110="Medium" CHECK_ASFF_TYPE_check110="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ALTERNATE_check110="check110" CHECK_SERVICENAME_check110="iam" +CHECK_RISK_check110='Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter.' +CHECK_REMEDIATION_check110='Ensure "Number of passwords to remember" is set to 24.' +CHECK_DOC_check110='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html' +CHECK_CAF_EPIC_check110='IAM' check110(){ # "Ensure IAM password policy prevents password reuse: 24 or greater (Scored)" diff --git a/checks/check111 b/checks/check111 index 71c44c65..ea03f28b 100644 --- a/checks/check111 +++ b/checks/check111 @@ -16,6 +16,10 @@ CHECK_SEVERITY_check111="Medium" CHECK_ASFF_TYPE_check111="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ALTERNATE_check111="check111" CHECK_SERVICENAME_check111="iam" +CHECK_RISK_check111='Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter.' +CHECK_REMEDIATION_check111='Ensure "Password expiration period (in days):" is set to 90 or less.' +CHECK_DOC_check111='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html' +CHECK_CAF_EPIC_check111='IAM' check111(){ # "Ensure IAM password policy expires passwords within 90 days or less (Scored)" 
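Review bot: The new CHECK_RISK_check110 string is copied from the uppercase-letter password check and ends with "It is recommended that the password policy require at least one uppercase letter", which does not describe the password-reuse control named in the check110 comment on the same hunk; the identical sentence is reused in CHECK_RISK_check111 (password expiry) on this line and in CHECK_RISK_check16, CHECK_RISK_check17, CHECK_RISK_check18 and CHECK_RISK_check19 later in the diff. Since these strings are printed verbatim in findings, each should state its own control, e.g. `CHECK_RISK_check110='IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent password reuse.'` and, for check111, a sentence about limiting how long a leaked or guessed password remains usable. The remediation strings are already check-specific, so only the risk strings need correcting.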
diff --git a/checks/check112 b/checks/check112 index 9dd95dbf..4431bf29 100644 --- a/checks/check112 +++ b/checks/check112 @@ -16,6 +16,10 @@ CHECK_SEVERITY_check112="Critical" CHECK_ASFF_TYPE_check112="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ALTERNATE_check112="check112" CHECK_SERVICENAME_check112="iam" +CHECK_RISK_check112='The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed. Removing access keys associated with the root account limits vectors by which the account can be compromised. Removing the root access keys encourages the creation and use of role based accounts that are least privileged.' +CHECK_REMEDIATION_check112='Use the credential report to that the user and ensure the access_key_1_active and access_key_2_active fields are set to FALSE .' +CHECK_DOC_check112='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html' +CHECK_CAF_EPIC_check112='IAM' check112(){ # "Ensure no root account access key exists (Scored)" diff --git a/checks/check113 b/checks/check113 index 752fe67b..a5414034 100644 --- a/checks/check113 +++ b/checks/check113 
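Review bot: CHECK_REMEDIATION_check112 reads "Use the credential report to that the user and ensure ...", which is missing a verb and has a stray space before the final period, and a finding consumer will see this text as-is. Suggest `CHECK_REMEDIATION_check112='Use the credential report to locate the root account row and ensure the access_key_1_active and access_key_2_active fields are set to FALSE.'`. The body of check112 continues outside the hunk.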
@@ -16,6 +16,10 @@ CHECK_SEVERITY_check113="Critical" CHECK_ASFF_TYPE_check113="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ALTERNATE_check113="check113" CHECK_SERVICENAME_check113="iam" +CHECK_RISK_check113='The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled when a user signs in to an AWS website they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. When virtual MFA is used for root accounts it is recommended that the device used is NOT a personal device but rather a dedicated mobile device (tablet or phone) that is managed to be kept charged and secured independent of any individual personal devices. ("non-personal virtual MFA") This lessens the risks of losing access to the MFA due to device loss / trade-in or if the individual owning the device is no longer employed at the company.' +CHECK_REMEDIATION_check113='Using IAM console navigate to Dashboard and expand Activate MFA on your root account.' +CHECK_DOC_check113='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa' +CHECK_CAF_EPIC_check113='IAM' check113(){ # "Ensure MFA is enabled for the root account (Scored)" diff --git a/checks/check114 b/checks/check114 index 4348a8ce..3b489350 100644 --- a/checks/check114 +++ b/checks/check114 
@@ -16,6 +16,10 @@ CHECK_SEVERITY_check114="Critical" CHECK_ASFF_TYPE_check114="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ALTERNATE_check114="check114" CHECK_SERVICENAME_check114="iam" +CHECK_RISK_check114='The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled when a user signs in to an AWS website they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2 it is recommended that the root account be protected with a hardware MFA.' +CHECK_REMEDIATION_check114='Using IAM console navigate to Dashboard and expand Activate MFA on your root account.' +CHECK_DOC_check114='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa' +CHECK_CAF_EPIC_check114='IAM' check114(){ # "Ensure hardware MFA is enabled for the root account (Scored)" diff --git a/checks/check115 b/checks/check115 index 461ba08c..57827b00 100644 --- a/checks/check115 +++ b/checks/check115 
@@ -16,6 +16,10 @@ CHECK_SEVERITY_check115="Medium" CHECK_ASFF_TYPE_check115="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ALTERNATE_check115="check115" CHECK_SERVICENAME_check115="support" +CHECK_RISK_check115='The AWS support portal allows account owners to establish security questions that can be used to authenticate individuals calling AWS customer service for support. It is recommended that security questions be established. When creating a new AWS account a default super user is automatically created. This account is referred to as the "root" account. It is recommended that the use of this account be limited and highly controlled. During events in which the root password is no longer accessible or the MFA token associated with root is lost/destroyed it is possible through authentication using secret questions and associated answers to recover root login access.' +CHECK_REMEDIATION_check115='Login as root account and from My Account configure Security questions.' +CHECK_DOC_check115='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys_retrieve.html' +CHECK_CAF_EPIC_check115='IAM' check115(){ # "Ensure security questions are registered in the AWS account (Not Scored)" diff --git a/checks/check116 b/checks/check116 index 1088ca4f..3edd41c9 100644 --- a/checks/check116 +++ b/checks/check116 
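Review bot: CHECK_DOC_check115 points at id_credentials_access-keys_retrieve.html, which from its name covers retrieving access keys rather than the account security questions this check verifies, so a responder following the link from a finding lands on an unrelated page; replace it with the AWS page on account security questions, `CHECK_DOC_check115='<security-questions doc URL, to be confirmed>'`. The CHECK_RISK text also repeats the general root-account description that belongs to checks 112-114; trimming it to the security-question rationale would keep the field focused. The body of check115 continues outside the hunk.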
@@ -18,6 +18,10 @@ CHECK_ASFF_RESOURCE_TYPE_check116="AwsIamUser" CHECK_ALTERNATE_check116="check116" CHECK_ASFF_COMPLIANCE_TYPE_check116="ens-op.acc.3.aws.iam.1" CHECK_SERVICENAME_check116="iam" +CHECK_RISK_check116='By default IAM users; groups; and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users; groups; or roles. It is recommended that IAM policies be applied directly to groups and roles but not users. Assigning privileges at the group or role level reduces the complexity of access management as the number of users grow. Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.' +CHECK_REMEDIATION_check116='Remove any policy attached directly to the user. Use groups or roles instead.' +CHECK_DOC_check116='https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html' +CHECK_CAF_EPIC_check116='IAM' check116(){ # "Ensure IAM policies are attached only to groups or roles (Scored)" diff --git a/checks/check117 b/checks/check117 index 0369eda1..e390ad47 100644 --- a/checks/check117 +++ b/checks/check117 
@@ -16,6 +16,10 @@ CHECK_SEVERITY_check117="Medium" CHECK_ASFF_TYPE_check117="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ALTERNATE_check117="check117" CHECK_SERVICENAME_check117="support" +CHECK_RISK_check117='Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization. An AWS account supports a number of contact details; and AWS will use these to contact the account owner if activity judged to be in breach of Acceptable Use Policy. If an AWS account is observed to be behaving in a prohibited or suspicious manner; AWS will attempt to contact the account owner by email and phone using the contact details listed. If this is unsuccessful and the account behavior needs urgent mitigation; proactive measures may be taken; including throttling of traffic between the account exhibiting suspicious behavior and the AWS API endpoints and the Internet. This will result in impaired service to and from the account in question.' +CHECK_REMEDIATION_check117='Using the Billing and Cost Management console complete contact details.' +CHECK_DOC_check117='https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/manage-account-payment.html#contact-info' +CHECK_CAF_EPIC_check117='IAM' check117(){ # "Maintain current contact details (Scored)" diff --git a/checks/check118 b/checks/check118 index 3e23d54c..ef69a226 100644 --- a/checks/check118 +++ b/checks/check118 
@@ -16,6 +16,10 @@ CHECK_SEVERITY_check118="Medium" CHECK_ASFF_TYPE_check118="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ALTERNATE_check118="check118" CHECK_SERVICENAME_check118="support" +CHECK_RISK_check118='AWS provides customers with the option of specifying the contact information for accounts security team. It is recommended that this information be provided. Specifying security-specific contact information will help ensure that security advisories sent by AWS reach the team in your organization that is best equipped to respond to them.' +CHECK_REMEDIATION_check118='Go to the My Account section and complete alternate contacts.' +CHECK_DOC_check118='https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/manage-account-payment.html' +CHECK_CAF_EPIC_check118='IAM' check118(){ # "Ensure security contact information is registered (Scored)" diff --git a/checks/check119 b/checks/check119 index 96a540b1..43db9e77 100644 --- a/checks/check119 +++ b/checks/check119 
@@ -17,6 +17,10 @@ CHECK_ASFF_TYPE_check119="Software and Configuration Checks/Industry and Regulat CHECK_ASFF_RESOURCE_TYPE_check119="AwsEc2Instance" CHECK_ALTERNATE_check119="check119" CHECK_SERVICENAME_check119="ec2" +CHECK_RISK_check119='AWS access from within AWS instances can be done by either encoding AWS keys into AWS API calls or by assigning the instance to a role which has an appropriate permissions policy for the required access. AWS IAM roles reduce the risks associated with sharing and rotating credentials that can be used outside of AWS itself. If credentials are compromised; they can be used from outside of the AWS account.' +CHECK_REMEDIATION_check119='IAM roles can only be associated at the launch of an instance. To remediate an instance to add it to a role you must create or re-launch a new instance. (Check for external dependencies on its current private ip or public addresses).' +CHECK_DOC_check119='http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html' +CHECK_CAF_EPIC_check119='IAM' check119(){ for regx in $REGIONS; do diff --git a/checks/check120 b/checks/check120 index fecf7c0e..6a520b16 100644 --- a/checks/check120 +++ b/checks/check120 @@ -18,6 +18,10 @@ CHECK_ASFF_RESOURCE_TYPE_check120="AwsIamRole" CHECK_ALTERNATE_check120="check120" CHECK_ASFF_COMPLIANCE_TYPE_check120="ens-op.acc.1.aws.iam.4" CHECK_SERVICENAME_check120="iam" +CHECK_RISK_check120='AWS provides a support center that can be used for incident notification and response; as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support.' +CHECK_REMEDIATION_check120='Create an IAM role for managing incidents with AWS.' +CHECK_DOC_check120='https://docs.aws.amazon.com/awssupport/latest/user/using-service-linked-roles-sup.html' +CHECK_CAF_EPIC_check120='IAM' check120(){ # "Ensure a support role has been created to manage incidents with AWS Support (Scored)" 
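Review bot: CHECK_REMEDIATION_check119 states that IAM roles can only be associated at instance launch and that the instance must be re-launched, but an instance profile can be attached to a running instance with `aws ec2 associate-iam-instance-profile` (or from the console), so the text as written steers operators toward an unnecessary and disruptive rebuild. Suggest `CHECK_REMEDIATION_check119='Attach an IAM instance profile to the instance (associate-iam-instance-profile) and remove any static access keys from the instance configuration.'`. CHECK_DOC_check119 is also an http:// link while the rest of the diff uses https://; the same applies to CHECK_DOC_check122, CHECK_DOC_check22 and CHECK_DOC_check29. The body of check119 continues outside the hunk.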
diff --git a/checks/check121 b/checks/check121 index af53ff18..df966919 100644 --- a/checks/check121 +++ b/checks/check121 @@ -18,6 +18,10 @@ CHECK_ASFF_RESOURCE_TYPE_check121="AwsIamUser" CHECK_ALTERNATE_check121="check121" CHECK_ASFF_COMPLIANCE_TYPE_check121="ens-op.acc.1.aws.iam.5" CHECK_SERVICENAME_check121="iam" +CHECK_RISK_check121='AWS console defaults the checkbox for creating access keys to enabled. This results in many access keys being generated unnecessarily. In addition to unnecessary credentials; it also generates unnecessary management work in auditing and rotating these keys. Requiring that additional steps be taken by the user after their profile has been created will give a stronger indication of intent that access keys are (a) necessary for their work and (b) once the access key is established on an account that the keys may be in use somewhere in the organization.' +CHECK_REMEDIATION_check121='From the IAM console: generate credential report and disable not required keys.' +CHECK_DOC_check121='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html' +CHECK_CAF_EPIC_check121='IAM' check121(){ # "Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)" diff --git a/checks/check122 b/checks/check122 index 013dafe8..29b69ffe 100644 --- a/checks/check122 +++ b/checks/check122 
@@ -17,6 +17,10 @@ CHECK_ASFF_TYPE_check122="Software and Configuration Checks/Industry and Regulat CHECK_ASFF_RESOURCE_TYPE_check122="AwsIamPolicy" CHECK_ALTERNATE_check122="check122" CHECK_SERVICENAME_check122="iam" +CHECK_RISK_check122='IAM policies are the means by which privileges are granted to users; groups; or roles. It is recommended and considered a standard security advice to grant least privilege—that is; granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks instead of allowing full administrative privileges. Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions.' +CHECK_REMEDIATION_check122='It is more secure to start with a minimum set of permissions and grant additional permissions as necessary; rather than starting with permissions that are too lenient and then trying to tighten them later. List policies an analyze if permissions are the least possible to conduct business activities.' +CHECK_DOC_check122='http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html' +CHECK_CAF_EPIC_check122='IAM' check122(){ # "Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)" diff --git a/checks/check14 b/checks/check14 index 8743d08c..01147aca 100644 --- a/checks/check14 +++ b/checks/check14 
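Review bot: CHECK_REMEDIATION_check122 contains the typo "List policies an analyze if permissions are the least possible"; suggest ending the string with `List policies and analyze whether their permissions are the minimum needed for business activities.` The body of check122 continues outside the hunk.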
@@ -18,6 +18,10 @@ CHECK_ASFF_RESOURCE_TYPE_check14="AwsIamUser" CHECK_ALTERNATE_check104="check14" CHECK_ASFF_COMPLIANCE_TYPE_check14="ens-op.acc.1.aws.iam.4 ens-op.acc.5.aws.iam.3" CHECK_SERVICENAME_check14="iam" +CHECK_RISK_check14='Access keys consist of an access key ID and secret access key which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI)- Tools for Windows PowerShell- the AWS SDKs- or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated.' +CHECK_REMEDIATION_check14='Use the credential report to ensure access_key_X_last_rotated is less than 90 days ago.' +CHECK_DOC_check14='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html' +CHECK_CAF_EPIC_check14='IAM' check14(){ # "Ensure access keys are rotated every 90 days or less (Scored)" # also checked by Security Monkey diff --git a/checks/check15 b/checks/check15 index 49a35d45..4cbc6203 100644 --- a/checks/check15 +++ b/checks/check15 @@ -16,6 +16,10 @@ CHECK_SEVERITY_check15="Medium" CHECK_ASFF_TYPE_check15="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ALTERNATE_check105="check15" CHECK_SERVICENAME_check15="iam" +CHECK_RISK_check15='Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter.' +CHECK_REMEDIATION_check15='Ensure "Requires at least one uppercase letter" is checked under "Password Policy".' +CHECK_DOC_check15='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html' +CHECK_CAF_EPIC_check15='IAM' check15(){ # "Ensure IAM password policy requires at least one uppercase letter (Scored)" 
diff --git a/checks/check16 b/checks/check16 index 7e682b48..009a3cd3 100644 --- a/checks/check16 +++ b/checks/check16 @@ -16,6 +16,10 @@ CHECK_SEVERITY_check16="Medium" CHECK_ASFF_TYPE_check16="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ALTERNATE_check106="check16" CHECK_SERVICENAME_check16="iam" +CHECK_RISK_check16='Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter.' +CHECK_REMEDIATION_check16='Ensure "Requires at least one lowercase letter" is checked under "Password Policy".' +CHECK_DOC_check16='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html' +CHECK_CAF_EPIC_check16='IAM' check16(){ # "Ensure IAM password policy require at least one lowercase letter (Scored)" diff --git a/checks/check17 b/checks/check17 index 1afe6fab..5230095f 100644 --- a/checks/check17 +++ b/checks/check17 @@ -16,6 +16,10 @@ CHECK_SEVERITY_check17="Medium" CHECK_ASFF_TYPE_check17="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ALTERNATE_check107="check17" CHECK_SERVICENAME_check17="iam" +CHECK_RISK_check17='Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter.' +CHECK_REMEDIATION_check17='Ensure "Require at least one non-alphanumeric character" is checked under "Password Policy".' +CHECK_DOC_check17='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html' +CHECK_CAF_EPIC_check17='IAM' check17(){ # "Ensure IAM password policy require at least one symbol (Scored)" 
diff --git a/checks/check18 b/checks/check18 index 7749128a..453a0a7d 100644 --- a/checks/check18 +++ b/checks/check18 @@ -16,6 +16,10 @@ CHECK_SEVERITY_check18="Medium" CHECK_ASFF_TYPE_check18="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ALTERNATE_check108="check18" CHECK_SERVICENAME_check18="iam" +CHECK_RISK_check18='Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter.' +CHECK_REMEDIATION_check18='Ensure "Require at least one number " is checked under "Password Policy".' +CHECK_DOC_check18='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html' +CHECK_CAF_EPIC_check18='IAM' check18(){ # "Ensure IAM password policy require at least one number (Scored)" diff --git a/checks/check19 b/checks/check19 index 42fe5bdf..97b43848 100644 --- a/checks/check19 +++ b/checks/check19 @@ -16,6 +16,10 @@ CHECK_SEVERITY_check19="Medium" CHECK_ASFF_TYPE_check19="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ALTERNATE_check109="check19" CHECK_SERVICENAME_check19="iam" +CHECK_RISK_check19='Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter.' +CHECK_REMEDIATION_check19='Ensure "Minimum password length" is set to 14 or greater.' +CHECK_DOC_check19='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html' +CHECK_CAF_EPIC_check19='IAM' check19(){ # "Ensure IAM password policy requires minimum length of 14 or greater (Scored)" diff --git a/checks/check21 b/checks/check21 index 6dd8e214..b9e63b97 100644 
--- a/checks/check21 +++ b/checks/check21 @@ -18,6 +18,10 @@ CHECK_ASFF_RESOURCE_TYPE_check21="AwsCloudTrailTrail" CHECK_ALTERNATE_check201="check21" CHECK_ASFF_COMPLIANCE_TYPE_check21="ens-op.acc.7.aws.iam.1 ens-op.mon.1.aws.trail.1" CHECK_SERVICENAME_check21="cloudtrail" +CHECK_RISK_check21='AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller; the time of the API call; the source IP address of the API caller; the request parameters; and the response elements returned by the AWS service.' +CHECK_REMEDIATION_check21='Ensure Logging is set to ON on all regions (even if they are not being used at the moment.' +CHECK_DOC_check21='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrailconcepts.html#cloudtrail-concepts-management-events' +CHECK_CAF_EPIC_check21='Logging and Monitoring' check21(){ trail_count=0 diff --git a/checks/check22 b/checks/check22 index faf624a5..94fbe2f5 100644 --- a/checks/check22 +++ b/checks/check22 @@ -18,6 +18,10 @@ CHECK_ASFF_RESOURCE_TYPE_check22="AwsCloudTrailTrail" CHECK_ALTERNATE_check202="check22" CHECK_ASFF_COMPLIANCE_TYPE_check22="ens-op.exp.10.aws.trail.1" CHECK_SERVICENAME_check22="cloudtrail" +CHECK_RISK_check22='Enabling log file validation will provide additional integrity checking of CloudTrail logs. ' +CHECK_REMEDIATION_check22='Ensure LogFileValidationEnabled is set to true for each trail.' +CHECK_DOC_check22='http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-filevalidation-enabling.html' +CHECK_CAF_EPIC_check22='Logging and Monitoring' check22(){ trail_count=0 diff --git a/checks/check23 b/checks/check23 index 149b7149..d88cc079 100644 --- a/checks/check23 +++ b/checks/check23 
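Review bot: CHECK_REMEDIATION_check21 opens a parenthesis that is never closed, "(even if they are not being used at the moment."; suggest `CHECK_REMEDIATION_check21='Ensure Logging is set to ON in all regions (even if they are not being used at the moment).'`. In the check22 hunk on the same line, CHECK_RISK_check22 ends with a trailing space inside the quotes, which will show up in any output that prints the field. Both check21 and check22 bodies continue outside their hunks.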
@@ -18,6 +18,10 @@ CHECK_ASFF_RESOURCE_TYPE_check23="AwsS3Bucket" CHECK_ALTERNATE_check203="check23" CHECK_ASFF_COMPLIANCE_TYPE_check23="ens-op.exp.10.aws.trail.3 ens-op.exp.10.aws.trail.4" CHECK_SERVICENAME_check23="cloudtrail" +CHECK_RISK_check23='Allowing public access to CloudTrail log content may aid an adversary in identifying weaknesses in the affected accounts use or configuration.' +CHECK_REMEDIATION_check23='Analyze Bucket policy to validate appropriate permissions. Ensure the AllUsers principal is not granted privileges. Ensure the AuthenticatedUsers principal is not granted privileges.' +CHECK_DOC_check23='https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_ principal.html ' +CHECK_CAF_EPIC_check23='Logging and Monitoring' check23(){ trail_count=0 diff --git a/checks/check24 b/checks/check24 index e4265424..c423e64c 100644 --- a/checks/check24 +++ b/checks/check24 @@ -18,6 +18,10 @@ CHECK_ASFF_RESOURCE_TYPE_check24="AwsCloudTrailTrail" CHECK_ALTERNATE_check204="check24" CHECK_ASFF_COMPLIANCE_TYPE_check24="ens-op.exp.8.aws.cw.1" CHECK_SERVICENAME_check24="cloudtrail" +CHECK_RISK_check24='Sending CloudTrail logs to CloudWatch Logs will facilitate real-time and historic activity logging based on user; API; resource; and IP address; and provides opportunity to establish alarms and notifications for anomalous or sensitivity account activity.' +CHECK_REMEDIATION_check24='Validate that the trails in CloudTrail has an arn set in the CloudWatchLogsLogGroupArn property.' +CHECK_DOC_check24='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/send-cloudtrail-events-to-cloudwatch-logs.html' +CHECK_CAF_EPIC_check24='Logging and Monitoring' check24(){ trail_count=0 diff --git a/checks/check25 b/checks/check25 index 010e8e3f..d836e7c9 100644 --- a/checks/check25 +++ b/checks/check25 
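Review bot: CHECK_DOC_check23 is not a usable URL: it has a space inside the path ("reference_policies_elements_ principal.html") and a trailing space inside the quotes, so the link emitted in a finding will be broken; suggest `CHECK_DOC_check23='https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html'`. In the check24 hunk on the same line, CHECK_REMEDIATION_check24 reads "the trails in CloudTrail has an arn set"; suggest `Validate that each trail in CloudTrail has an ARN set in the CloudWatchLogsLogGroupArn property.` Both bodies continue outside their hunks.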
@@ -17,6 +17,10 @@ CHECK_ASFF_TYPE_check25="Software and Configuration Checks/Industry and Regulato CHECK_ALTERNATE_check205="check25" CHECK_ASFF_COMPLIANCE_TYPE_check25="ens-op.exp.1.aws.cfg.1" CHECK_SERVICENAME_check25="configservice" +CHECK_RISK_check25='The AWS configuration item history captured by AWS Config enables security analysis; resource change tracking; and compliance auditing.' +CHECK_REMEDIATION_check25='It is recommended to enable AWS Config be enabled in all regions.' +CHECK_DOC_check25='https://aws.amazon.com/blogs/mt/aws-config-best-practices/' +CHECK_CAF_EPIC_check25='Logging and Monitoring' check25(){ # "Ensure AWS Config is enabled in all regions (Scored)" diff --git a/checks/check26 b/checks/check26 index 47d791d4..7730623e 100644 --- a/checks/check26 +++ b/checks/check26 @@ -17,6 +17,10 @@ CHECK_ASFF_TYPE_check26="Software and Configuration Checks/Industry and Regulato CHECK_ASFF_RESOURCE_TYPE_check26="AwsS3Bucket" CHECK_ALTERNATE_check206="check26" CHECK_SERVICENAME_check26="s3" +CHECK_RISK_check26='Server access logs can assist you in security and access audits; help you learn about your customer base; and understand your Amazon S3 bill.' +CHECK_REMEDIATION_check26='Ensure that S3 buckets have Logging enabled. CloudTrail data events can be used in place of S3 bucket logging. If that is the case; this finding can be considered a false positive.' +CHECK_DOC_check26='https://docs.aws.amazon.com/AmazonS3/latest/dev/security-best-practices.html' +CHECK_CAF_EPIC_check26='Logging and Monitoring' check26(){ trail_count=0 diff --git a/checks/check27 b/checks/check27 index 927da424..1afea54d 100644 --- a/checks/check27 +++ b/checks/check27 
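Review bot: CHECK_REMEDIATION_check25 reads "It is recommended to enable AWS Config be enabled in all regions", a doubled verb; suggest `CHECK_REMEDIATION_check25='Enable AWS Config in all regions.'`. The body of check25 continues outside the hunk.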
@@ -18,6 +18,10 @@ CHECK_ASFF_RESOURCE_TYPE_check27="AwsCloudTrailTrail" CHECK_ALTERNATE_check207="check27" CHECK_ASFF_COMPLIANCE_TYPE_check27="ens-op.exp.10.aws.trail.5" CHECK_SERVICENAME_check27="cloudtrail" +CHECK_RISK_check27='By default; the log files delivered by CloudTrail to your bucket are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3). To provide a security layer that is directly manageable; you can instead use server-side encryption with AWS KMS–managed keys (SSE-KMS) for your CloudTrail log files.' +CHECK_REMEDIATION_check27='This approach has the following advantages: You can create and manage the CMK encryption keys yourself. You can use a single CMK to encrypt and decrypt log files for multiple accounts across all regions. You have control over who can use your key for encrypting and decrypting CloudTrail log files. You can assign permissions for the key to the users. You have enhanced security.' +CHECK_DOC_check27='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html' +CHECK_CAF_EPIC_check27='Logging and Monitoring' check27(){ trail_count=0 diff --git a/checks/check28 b/checks/check28 index 84863b4b..b35b4c95 100644 --- a/checks/check28 +++ b/checks/check28 
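Review bot: CHECK_REMEDIATION_check27 lists the advantages of SSE-KMS rather than the step that clears the finding, so it reads as a continuation of CHECK_RISK_check27. Suggest `CHECK_REMEDIATION_check27='Configure each trail to encrypt its log files with a customer managed KMS key (SSE-KMS); the key policy must allow CloudTrail to encrypt and the intended log readers to decrypt.'` and move the advantages list, if it is wanted, into the risk field. The body of check27 continues outside the hunk.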
@@ -17,6 +17,10 @@ CHECK_ASFF_TYPE_check28="Software and Configuration Checks/Industry and Regulato CHECK_ASFF_RESOURCE_TYPE_check28="AwsKmsKey" CHECK_ALTERNATE_check208="check28" CHECK_SERVICENAME_check28="kms" +CHECK_RISK_check28='Cryptographic best practices discourage extensive reuse of encryption keys. Consequently; Customer Master Keys (CMKs) should be rotated to prevent usage of compromised keys.' +CHECK_REMEDIATION_check28='For every KMS Customer Master Keys (CMKs); ensure that Rotate this key every year is enabled.' +CHECK_DOC_check28='https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html' +CHECK_CAF_EPIC_check28='Data Protection' check28(){ # "Ensure rotation for customer created CMKs is enabled (Scored)" diff --git a/checks/check29 b/checks/check29 index c71571ef..311e715d 100644 --- a/checks/check29 +++ b/checks/check29 @@ -18,6 +18,10 @@ CHECK_ASFF_RESOURCE_TYPE_check29="AwsEc2Vpc" CHECK_ALTERNATE_check209="check29" CHECK_ASFF_COMPLIANCE_TYPE_check29="ens-op.mon.1.aws.flow.1" CHECK_SERVICENAME_check29="vpc" +CHECK_RISK_check29='PC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.' +CHECK_REMEDIATION_check29='It is recommended that VPC Flow Logs be enabled for packet "Rejects" for VPCs. ' +CHECK_DOC_check29='http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html ' +CHECK_CAF_EPIC_check29='Logging and Monitoring' check29(){ # "Ensure VPC Flow Logging is Enabled in all VPCs (Scored)" diff --git a/checks/check31 b/checks/check31 index 4677be39..7674f8a4 100644 --- a/checks/check31 +++ b/checks/check31 
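Review bot: CHECK_RISK_check29 starts with "PC Flow Logs", a truncation of "VPC Flow Logs"; suggest `CHECK_RISK_check29='VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.'`. CHECK_REMEDIATION_check29 and CHECK_DOC_check29 both carry a trailing space inside the quotes that will be printed with the field. The body of check29 continues outside the hunk.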
@@ -43,6 +43,10 @@ CHECK_ASFF_RESOURCE_TYPE_check31="AwsCloudTrailTrail" CHECK_ALTERNATE_check301="check31" CHECK_ASFF_COMPLIANCE_TYPE_check31="ens-op.exp.8.aws.trail.2" CHECK_SERVICENAME_check31="iam" +CHECK_RISK_check31='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.' +CHECK_REMEDIATION_check31='It is recommended that a metric filter and alarm be established for unauthorized requests.' +CHECK_DOC_check31='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html' +CHECK_CAF_EPIC_check31='Logging and Monitoring' check31(){ check3x '\$\.errorCode\s*=\s*"\*UnauthorizedOperation".+\$\.errorCode\s*=\s*"AccessDenied\*"' diff --git a/checks/check310 b/checks/check310 index f53ac698..40744be0 100644 --- a/checks/check310 +++ b/checks/check310 @@ -42,6 +42,10 @@ CHECK_ASFF_TYPE_check310="Software and Configuration Checks/Industry and Regulat CHECK_ASFF_RESOURCE_TYPE_check310="AwsCloudTrailTrail" CHECK_ALTERNATE_check310="check310" CHECK_SERVICENAME_check310="ec2" +CHECK_RISK_check310='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.' +CHECK_REMEDIATION_check310='It is recommended that a metric filter and alarm be established for unauthorized requests.' +CHECK_DOC_check310='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html' +CHECK_CAF_EPIC_check310='Logging and Monitoring' check310(){ check3x '\$\.eventName\s*=\s*AuthorizeSecurityGroupIngress.+\$\.eventName\s*=\s*AuthorizeSecurityGroupEgress.+\$\.eventName\s*=\s*RevokeSecurityGroupIngress.+\$\.eventName\s*=\s*RevokeSecurityGroupEgress.+\$\.eventName\s*=\s*CreateSecurityGroup.+\$\.eventName\s*=\s*DeleteSecurityGroup' diff --git a/checks/check311 b/checks/check311 index dcd53b24..b36dff27 100644 --- a/checks/check311 +++ b/checks/check311 
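Review bot: CHECK_RISK_check310 and CHECK_REMEDIATION_check310 are copied from check31 ("Monitoring unauthorized API calls ...", "alarm be established for unauthorized requests"), but the check3x filter on the next line of the check310 hunk matches security group changes (AuthorizeSecurityGroupIngress, DeleteSecurityGroup, ...), so the finding text describes the wrong control. The same copied pair appears in check311 (network ACL changes), check312 (gateway changes) and check313 (route table changes) on the following lines. Suggest per-check text, e.g. `CHECK_RISK_check310='Monitoring changes to security groups helps ensure that resources and services are not unintentionally exposed.'` and `CHECK_REMEDIATION_check310='It is recommended that a metric filter and alarm be established for changes to security groups.'`, with the equivalent wording for the other three.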
@@ -42,6 +42,10 @@ CHECK_ASFF_TYPE_check311="Software and Configuration Checks/Industry and Regulat
 CHECK_ASFF_RESOURCE_TYPE_check311="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check311="check311"
 CHECK_SERVICENAME_check311="vpc"
+CHECK_RISK_check311='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
+CHECK_REMEDIATION_check311='It is recommended that a metric filter and alarm be established for unauthorized requests.'
+CHECK_DOC_check311='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
+CHECK_CAF_EPIC_check311='Logging and Monitoring'
 check311(){
 check3x '\$\.eventName\s*=\s*CreateNetworkAcl.+\$\.eventName\s*=\s*CreateNetworkAclEntry.+\$\.eventName\s*=\s*DeleteNetworkAcl.+\$\.eventName\s*=\s*DeleteNetworkAclEntry.+\$\.eventName\s*=\s*ReplaceNetworkAclEntry.+\$\.eventName\s*=\s*ReplaceNetworkAclAssociation'
diff --git a/checks/check312 b/checks/check312
index 2761159b..702f068e 100644
--- a/checks/check312
+++ b/checks/check312
@@ -42,6 +42,10 @@ CHECK_ASFF_TYPE_check312="Software and Configuration Checks/Industry and Regulat
 CHECK_ASFF_RESOURCE_TYPE_check312="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check312="check312"
 CHECK_SERVICENAME_check312="vpc"
+CHECK_RISK_check312='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
+CHECK_REMEDIATION_check312='It is recommended that a metric filter and alarm be established for unauthorized requests.'
+CHECK_DOC_check312='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
+CHECK_CAF_EPIC_check312='Logging and Monitoring'
 check312(){
 check3x '\$\.eventName\s*=\s*CreateCustomerGateway.+\$\.eventName\s*=\s*DeleteCustomerGateway.+\$\.eventName\s*=\s*AttachInternetGateway.+\$\.eventName\s*=\s*CreateInternetGateway.+\$\.eventName\s*=\s*DeleteInternetGateway.+\$\.eventName\s*=\s*DetachInternetGateway'
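Review bot: `CHECK_RISK_check311` and `CHECK_REMEDIATION_check311` describe unauthorized API calls, but the `check3x` filter below alarms on network ACL changes (`CreateNetworkAcl`, `ReplaceNetworkAclEntry`, …), so the finding text is wrong for this control. Suggest `CHECK_RISK_check311='NACLs are a stateless packet filter for subnet traffic. Monitoring changes to them helps ensure that resources and services are not unintentionally exposed.'` and `CHECK_REMEDIATION_check311='It is recommended that a metric filter and alarm be established for changes to network ACLs.'`.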
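Review bot: `CHECK_RISK_check312` and `CHECK_REMEDIATION_check312` are the unauthorized-API-calls text again, while the `check3x` filter for this check covers customer and internet gateway events (`AttachInternetGateway`, `DeleteCustomerGateway`, …). Suggest `CHECK_RISK_check312='Network gateways are required to send and receive traffic to destinations outside the VPC. Monitoring changes to them helps ensure traffic only flows over intended paths.'` and `CHECK_REMEDIATION_check312='It is recommended that a metric filter and alarm be established for changes to network gateways.'`.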
diff --git a/checks/check313 b/checks/check313
index ac014d8b..258af60d 100644
--- a/checks/check313
+++ b/checks/check313
@@ -42,6 +42,10 @@ CHECK_ASFF_TYPE_check313="Software and Configuration Checks/Industry and Regulat
 CHECK_ASFF_RESOURCE_TYPE_check313="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check313="check313"
 CHECK_SERVICENAME_check313="vpc"
+CHECK_RISK_check313='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
+CHECK_REMEDIATION_check313='It is recommended that a metric filter and alarm be established for unauthorized requests.'
+CHECK_DOC_check313='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
+CHECK_CAF_EPIC_check313='Logging and Monitoring'
 check313(){
 check3x '\$\.eventName\s*=\s*CreateRoute.+\$\.eventName\s*=\s*CreateRouteTable.+\$\.eventName\s*=\s*ReplaceRoute.+\$\.eventName\s*=\s*ReplaceRouteTableAssociation.+\$\.eventName\s*=\s*DeleteRouteTable.+\$\.eventName\s*=\s*DeleteRoute.+\$\.eventName\s*=\s*DisassociateRouteTable'
diff --git a/checks/check314 b/checks/check314
index a30a0d8e..488663c4 100644
--- a/checks/check314
+++ b/checks/check314
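Review bot: `CHECK_RISK_check313` and `CHECK_REMEDIATION_check313` talk about unauthorized requests, but the `check3x` filter for this check matches route table events (`CreateRoute`, `ReplaceRouteTableAssociation`, `DisassociateRouteTable`, …), which is what CIS 3.13 is about. Suggest `CHECK_RISK_check313='Routing tables route network traffic between subnets and to network gateways. Monitoring changes to them helps ensure all VPC traffic flows through an expected path.'` and `CHECK_REMEDIATION_check313='It is recommended that a metric filter and alarm be established for changes to route tables.'`.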
@@ -42,6 +42,10 @@ CHECK_ASFF_TYPE_check314="Software and Configuration Checks/Industry and Regulat
 CHECK_ASFF_RESOURCE_TYPE_check314="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check314="check314"
 CHECK_SERVICENAME_check314="vpc"
+CHECK_RISK_check314='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
+CHECK_REMEDIATION_check314='It is recommended that a metric filter and alarm be established for unauthorized requests.'
+CHECK_DOC_check314='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
+CHECK_CAF_EPIC_check314='Logging and Monitoring'
 check314(){
 check3x '\$\.eventName\s*=\s*CreateVpc.+\$\.eventName\s*=\s*DeleteVpc.+\$\.eventName\s*=\s*ModifyVpcAttribute.+\$\.eventName\s*=\s*AcceptVpcPeeringConnection.+\$\.eventName\s*=\s*CreateVpcPeeringConnection.+\$\.eventName\s*=\s*DeleteVpcPeeringConnection.+\$\.eventName\s*=\s*RejectVpcPeeringConnection.+\$\.eventName\s*=\s*AttachClassicLinkVpc.+\$\.eventName\s*=\s*DetachClassicLinkVpc.+\$\.eventName\s*=\s*DisableVpcClassicLink.+\$\.eventName\s*=\s*EnableVpcClassicLink'
diff --git a/checks/check32 b/checks/check32
index 73fe480b..ff13166b 100644
--- a/checks/check32
+++ b/checks/check32
@@ -43,6 +43,10 @@ CHECK_ASFF_RESOURCE_TYPE_check32="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check302="check32"
 CHECK_ASFF_COMPLIANCE_TYPE_check32="ens-op.exp.8.aws.trail.4"
 CHECK_SERVICENAME_check32="iam"
+CHECK_RISK_check32='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
+CHECK_REMEDIATION_check32='It is recommended that a metric filter and alarm be established for unauthorized requests.'
+CHECK_DOC_check32='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
+CHECK_CAF_EPIC_check32='Logging and Monitoring'
 check32(){
 check3x '\$\.eventName\s*=\s*"ConsoleLogin".+\$\.additionalEventData\.MFAUsed\s*!=\s*"Yes"'
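Review bot: `CHECK_RISK_check314` and `CHECK_REMEDIATION_check314` do not match this control; the `check3x` filter alarms on VPC lifecycle and peering events (`CreateVpc`, `AcceptVpcPeeringConnection`, `EnableVpcClassicLink`, …), not unauthorized API calls. Suggest `CHECK_RISK_check314='VPC peering and ClassicLink changes can open a path for traffic between otherwise isolated networks. Monitoring them helps ensure VPC traffic flows only over intended paths.'` and `CHECK_REMEDIATION_check314='It is recommended that a metric filter and alarm be established for changes made to VPCs.'`.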
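Review bot: `CHECK_RISK_check32` and `CHECK_REMEDIATION_check32` are the unauthorized-API-calls text, but the `check3x` filter here matches `ConsoleLogin` events with `MFAUsed != "Yes"`, i.e. console sign-ins without MFA. Suggest `CHECK_RISK_check32='Console sign-ins without MFA rely on a password alone; monitoring them surfaces accounts that an attacker could take over with a single stolen credential.'` and `CHECK_REMEDIATION_check32='It is recommended that a metric filter and alarm be established for console logins that are not protected by MFA.'`.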
diff --git a/checks/check33 b/checks/check33
index 8044ebe0..840e386d 100644
--- a/checks/check33
+++ b/checks/check33
@@ -43,6 +43,10 @@ CHECK_ASFF_RESOURCE_TYPE_check33="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check303="check33"
 CHECK_ASFF_COMPLIANCE_TYPE_check33="ens-op.exp.8.aws.trail.5"
 CHECK_SERVICENAME_check33="iam"
+CHECK_RISK_check33='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
+CHECK_REMEDIATION_check33='It is recommended that a metric filter and alarm be established for unauthorized requests.'
+CHECK_DOC_check33='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
+CHECK_CAF_EPIC_check33='Logging and Monitoring'
 check33(){
 check3x '\$\.userIdentity\.type\s*=\s*"Root".+\$\.userIdentity\.invokedBy NOT EXISTS.+\$\.eventType\s*!=\s*"AwsServiceEvent"'
diff --git a/checks/check34 b/checks/check34
index ed272edd..727512c8 100644
--- a/checks/check34
+++ b/checks/check34
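Review bot: `CHECK_RISK_check33` and `CHECK_REMEDIATION_check33` describe unauthorized API calls, while the `check3x` filter matches `userIdentity.type = "Root"` with `invokedBy NOT EXISTS`, i.e. interactive use of the root account. The root account should be used only for the handful of tasks that require it, so any usage is worth an alarm. Suggest `CHECK_RISK_check33='The root account has unrestricted access to all resources; any use of it outside of break-glass procedures is a strong signal of misuse or compromise.'` and `CHECK_REMEDIATION_check33='It is recommended that a metric filter and alarm be established for root account usage.'`.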
@@ -43,6 +43,10 @@ CHECK_ASFF_RESOURCE_TYPE_check34="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check304="check34"
 CHECK_ASFF_COMPLIANCE_TYPE_check34="ens-op.exp.8.aws.trail.6"
 CHECK_SERVICENAME_check34="iam"
+CHECK_RISK_check34='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
+CHECK_REMEDIATION_check34='It is recommended that a metric filter and alarm be established for unauthorized requests.'
+CHECK_DOC_check34='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
+CHECK_CAF_EPIC_check34='IAM'
 check34(){
 check3x '\$\.eventName\s*=\s*DeleteGroupPolicy.+\$\.eventName\s*=\s*DeleteRolePolicy.+\$\.eventName\s*=\s*DeleteUserPolicy.+\$\.eventName\s*=\s*PutGroupPolicy.+\$\.eventName\s*=\s*PutRolePolicy.+\$\.eventName\s*=\s*PutUserPolicy.+\$\.eventName\s*=\s*CreatePolicy.+\$\.eventName\s*=\s*DeletePolicy.+\$\.eventName\s*=\s*CreatePolicyVersion.+\$\.eventName\s*=\s*DeletePolicyVersion.+\$\.eventName\s*=\s*AttachRolePolicy.+\$\.eventName\s*=\s*DetachRolePolicy.+\$\.eventName\s*=\s*AttachUserPolicy.+\$\.eventName\s*=\s*DetachUserPolicy.+\$\.eventName\s*=\s*AttachGroupPolicy.+\$\.eventName\s*=\s*DetachGroupPolicy'
diff --git a/checks/check35 b/checks/check35
index 8157a6a4..13fae612 100644
--- a/checks/check35
+++ b/checks/check35
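Review bot: `CHECK_RISK_check34` and `CHECK_REMEDIATION_check34` again carry the unauthorized-API-calls wording, but the `check3x` filter for this check alarms on IAM policy changes (`PutRolePolicy`, `AttachUserPolicy`, `CreatePolicyVersion`, …), which is how privilege escalation and persistence usually show up in CloudTrail. Suggest `CHECK_RISK_check34='Unexpected changes to IAM policies can grant excessive privileges or remove guardrails; monitoring them shortens the time to detect privilege escalation.'` and `CHECK_REMEDIATION_check34='It is recommended that a metric filter and alarm be established for changes made to IAM policies.'`. `CHECK_CAF_EPIC_check34='IAM'` also differs from the `'Logging and Monitoring'` epic used by every other metric-filter check in this commit; if that is deliberate it deserves a comment, otherwise align it.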
@@ -43,6 +43,10 @@ CHECK_ASFF_RESOURCE_TYPE_check35="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check305="check35"
 CHECK_ASFF_COMPLIANCE_TYPE_check35="ens-op.exp.8.aws.trail.1"
 CHECK_SERVICENAME_check35="cloudtrail"
+CHECK_RISK_check35='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
+CHECK_REMEDIATION_check35='It is recommended that a metric filter and alarm be established for unauthorized requests.'
+CHECK_DOC_check35='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
+CHECK_CAF_EPIC_check35='Logging and Monitoring'
 check35(){
 check3x '\$\.eventName\s*=\s*CreateTrail.+\$\.eventName\s*=\s*UpdateTrail.+\$\.eventName\s*=\s*DeleteTrail.+\$\.eventName\s*=\s*StartLogging.+\$\.eventName\s*=\s*StopLogging'
diff --git a/checks/check36 b/checks/check36
index c17ffe87..8ab2a0ef 100644
--- a/checks/check36
+++ b/checks/check36
@@ -43,6 +43,10 @@ CHECK_ASFF_RESOURCE_TYPE_check36="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check306="check36"
 CHECK_ASFF_COMPLIANCE_TYPE_check36="ens-op.exp.8.aws.trail.3"
 CHECK_SERVICENAME_check36="iam"
+CHECK_RISK_check36='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
+CHECK_REMEDIATION_check36='It is recommended that a metric filter and alarm be established for unauthorized requests.'
+CHECK_DOC_check36='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
+CHECK_CAF_EPIC_check36='Logging and Monitoring'
 check36(){
 check3x '\$\.eventName\s*=\s*ConsoleLogin.+\$\.errorMessage\s*=\s*"Failed authentication"'
diff --git a/checks/check37 b/checks/check37
index c6466039..7c891a9e 100644
--- a/checks/check37
+++ b/checks/check37
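Review bot: `CHECK_RISK_check35` and `CHECK_REMEDIATION_check35` are the unauthorized-API-calls text, but the `check3x` filter here alarms on CloudTrail configuration changes (`StopLogging`, `DeleteTrail`, `UpdateTrail`, …), which is the classic defence-evasion step an attacker takes before acting. Suggest `CHECK_RISK_check35='Disabling or altering CloudTrail blinds detection and forensics; an attacker will often stop or delete a trail before acting.'` and `CHECK_REMEDIATION_check35='It is recommended that a metric filter and alarm be established for changes to CloudTrail configuration.'`.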
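Review bot: `CHECK_RISK_check36` and `CHECK_REMEDIATION_check36` do not describe this control; the `check3x` filter matches `ConsoleLogin` with `errorMessage = "Failed authentication"`, i.e. failed console sign-ins, which is the signal for password spraying and brute force. Suggest `CHECK_RISK_check36='Repeated console authentication failures may indicate brute-force or credential-stuffing attempts against IAM users.'` and `CHECK_REMEDIATION_check36='It is recommended that a metric filter and alarm be established for failed console authentication attempts.'`.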
@@ -43,6 +43,10 @@ CHECK_ASFF_RESOURCE_TYPE_check37="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check307="check37"
 CHECK_ASFF_COMPLIANCE_TYPE_check37="ens-op.exp.11.aws.kms.1"
 CHECK_SERVICENAME_check37="kms"
+CHECK_RISK_check37='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
+CHECK_REMEDIATION_check37='It is recommended that a metric filter and alarm be established for unauthorized requests.'
+CHECK_DOC_check37='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
+CHECK_CAF_EPIC_check37='Logging and Monitoring'
 check37(){
 check3x '\$\.eventSource\s*=\s*kms.amazonaws.com.+\$\.eventName\s*=\s*DisableKey.+\$\.eventName\s*=\s*ScheduleKeyDeletion'
diff --git a/checks/check38 b/checks/check38
index 22b55710..eabf8475 100644
--- a/checks/check38
+++ b/checks/check38
@@ -42,6 +42,10 @@ CHECK_ASFF_TYPE_check38="Software and Configuration Checks/Industry and Regulato
 CHECK_ASFF_RESOURCE_TYPE_check38="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check308="check38"
 CHECK_SERVICENAME_check38="s3"
+CHECK_RISK_check38='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
+CHECK_REMEDIATION_check38='It is recommended that a metric filter and alarm be established for unauthorized requests.'
+CHECK_DOC_check38='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
+CHECK_CAF_EPIC_check38='Logging and Monitoring'
 check38(){
 check3x '\$\.eventSource\s*=\s*s3.amazonaws.com.+\$\.eventName\s*=\s*PutBucketAcl.+\$\.eventName\s*=\s*PutBucketPolicy.+\$\.eventName\s*=\s*PutBucketCors.+\$\.eventName\s*=\s*PutBucketLifecycle.+\$\.eventName\s*=\s*PutBucketReplication.+\$\.eventName\s*=\s*DeleteBucketPolicy.+\$\.eventName\s*=\s*DeleteBucketCors.+\$\.eventName\s*=\s*DeleteBucketLifecycle.+\$\.eventName\s*=\s*DeleteBucketReplication'
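Review bot: `CHECK_RISK_check37` and `CHECK_REMEDIATION_check37` carry the unauthorized-API-calls wording, but the `check3x` filter here matches `DisableKey` and `ScheduleKeyDeletion` on `kms.amazonaws.com`, i.e. customer keys being disabled or scheduled for deletion; once a key is deleted every object encrypted under it is unrecoverable, so this is both a ransomware and a destructive-insider signal. Suggest `CHECK_RISK_check37='Disabling or deleting a KMS key renders all data encrypted under it permanently inaccessible; monitoring these events helps catch accidental or malicious data destruction early.'` and `CHECK_REMEDIATION_check37='It is recommended that a metric filter and alarm be established for customer managed keys that are disabled or scheduled for deletion.'`.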
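Review bot: `CHECK_RISK_check38` and `CHECK_REMEDIATION_check38` describe unauthorized API calls, while the `check3x` filter alarms on S3 bucket policy, ACL, CORS, lifecycle and replication changes (`PutBucketPolicy`, `PutBucketAcl`, `DeleteBucketReplication`, …), which is how buckets get exposed or exfiltrated. Suggest `CHECK_RISK_check38='Changes to S3 bucket policies, ACLs, CORS, lifecycle or replication can expose data publicly or copy it out of the account; monitoring them reduces the time to detect unintended exposure.'` and `CHECK_REMEDIATION_check38='It is recommended that a metric filter and alarm be established for changes to S3 bucket policies.'`.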
diff --git a/checks/check39 b/checks/check39
index 531a3bdc..05cc9936 100644
--- a/checks/check39
+++ b/checks/check39
@@ -42,6 +42,10 @@ CHECK_ASFF_TYPE_check39="Software and Configuration Checks/Industry and Regulato
 CHECK_ASFF_RESOURCE_TYPE_check39="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check309="check39"
 CHECK_SERVICENAME_check39="configservice"
+CHECK_RISK_check39='If not enabled important changes to accounts could go unnoticed or difficult to find.'
+CHECK_REMEDIATION_check39='Use this service as a complement to implement detective controls that cannot be prevented. (e.g. a Security Group is modified to open to internet without restrictions or route changed to avoid going thru the network firewall). Ensure AWS Config is enabled in all regions in order to detect any not intended action. On the other hand if sufficient preventive controls to make changes in critical services are in place; the rating on this finding can be lowered or discarded depending on residual risk.'
+CHECK_DOC_check39='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
+CHECK_CAF_EPIC_check39='Logging and Monitoring'
 check39(){
 check3x '\$\.eventSource\s*=\s*config.amazonaws.com.+\$\.eventName\s*=\s*StopConfigurationRecorder.+\$\.eventName\s*=\s*DeleteDeliveryChannel.+\$\.eventName\s*=\s*PutDeliveryChannel.+\$\.eventName\s*=\s*PutConfigurationRecorder'
diff --git a/checks/check41 b/checks/check41
index 06ee469c..3231f42f 100644
--- a/checks/check41
+++ b/checks/check41
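Review bot: `CHECK_REMEDIATION_check39` tells the reader to enable AWS Config in all regions, but this check (per the `check3x` filter on `StopConfigurationRecorder`, `DeleteDeliveryChannel`, `PutDeliveryChannel`, `PutConfigurationRecorder`) tests for a metric filter and alarm on changes to the Config recorder, so following the remediation as written would not clear the finding; the text looks lifted from the "Config enabled in all regions" check. Suggest `CHECK_REMEDIATION_check39='It is recommended that a metric filter and alarm be established for changes to AWS Config configuration, since stopping the recorder or removing the delivery channel blinds configuration-change detection.'` and tighten the risk to `could go unnoticed or be difficult to find`.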
@@ -18,6 +18,10 @@ CHECK_ASFF_RESOURCE_TYPE_check41="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check401="check41"
 CHECK_ASFF_COMPLIANCE_TYPE_check41="ens-mp.com.4.aws.sg.4"
 CHECK_SERVICENAME_check41="ec2"
+CHECK_RISK_check41='Even having a perimeter firewall; having security groups open allows any user or malware with vpc access to scan for well known and sensitive ports and gain access to instance.'
+CHECK_REMEDIATION_check41='Apply Zero Trust approach. Implement a process to scan and remediate unrestricted or overly permissive security groups. Recommended best practices is to narrow the definition for the minimum ports required.'
+CHECK_DOC_check41='https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html'
+CHECK_CAF_EPIC_check41='Infrastructure Security'
 check41(){
 # "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 22 (Scored)"
diff --git a/checks/check42 b/checks/check42
index 7edfc12a..da7b50f3 100644
--- a/checks/check42
+++ b/checks/check42
@@ -18,6 +18,10 @@ CHECK_ASFF_RESOURCE_TYPE_check42="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check402="check42"
 CHECK_ASFF_COMPLIANCE_TYPE_check42="ens-mp.com.4.aws.sg.5"
 CHECK_SERVICENAME_check42="ec2"
+CHECK_RISK_check42='Even having a perimeter firewall; having security groups open allows any user or malware with vpc access to scan for well known and sensitive ports and gain access to instance.'
+CHECK_REMEDIATION_check42='Apply Zero Trust approach. Implement a process to scan and remediate unrestricted or overly permissive security groups. Recommended best practices is to narrow the definition for the minimum ports required.'
+CHECK_DOC_check42='https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html'
+CHECK_CAF_EPIC_check42='Infrastructure Security'
 check42(){
 # "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389 (Scored)"
diff --git a/checks/check43 b/checks/check43
index 1742e675..5b5e5222 100644
--- a/checks/check43
+++ b/checks/check43
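Review bot: `CHECK_RISK_check41` understates the exposure: the check title below is about ingress from `0.0.0.0/0 or ::/0` to port 22, which means SSH is reachable from the entire internet, not merely from "any user or malware with vpc access", and that is what drives the brute-force and credential-stuffing risk. Suggest `CHECK_RISK_check41='A security group that allows 0.0.0.0/0 or ::/0 ingress to port 22 exposes SSH to the whole internet, inviting brute-force and credential-stuffing attacks against every attached instance.'`, and have the remediation name the concrete fix: restrict the source to known CIDRs or replace direct SSH with SSM Session Manager or a bastion. `CHECK_DOC_check41` points at the EKS cluster security group requirements page, which is unrelated to this finding; the generic VPC security group guide would serve readers better.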
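Review bot: `CHECK_RISK_check42` and `CHECK_DOC_check42` have the same problems as in check41: the title below is about `0.0.0.0/0 or ::/0` ingress to port 3389, i.e. RDP open to the internet, and the EKS security group page has nothing to do with it. Suggest `CHECK_RISK_check42='A security group that allows 0.0.0.0/0 or ::/0 ingress to port 3389 exposes RDP to the whole internet, a common entry point for brute-force and ransomware campaigns.'` and a remediation that names the fix (restrict the source CIDR, or use SSM Session Manager / a bastion instead of direct RDP).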
@@ -18,6 +18,10 @@ CHECK_ASFF_RESOURCE_TYPE_check43="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check403="check43"
 CHECK_ASFF_COMPLIANCE_TYPE_check43="ens-mp.com.4.aws.sg.1"
 CHECK_SERVICENAME_check43="ec2"
+CHECK_RISK_check43='Even having a perimeter firewall; having security groups open allows any user or malware with vpc access to scan for well known and sensitive ports and gain access to instance.'
+CHECK_REMEDIATION_check43='Apply Zero Trust approach. Implement a process to scan and remediate unrestricted or overly permissive security groups. Recommended best practices is to narrow the definition for the minimum ports required.'
+CHECK_DOC_check43='https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html'
+CHECK_CAF_EPIC_check43='Infrastructure Security'
 check43(){
 # "Ensure the default security group of every VPC restricts all traffic (Scored)"
diff --git a/checks/check44 b/checks/check44
index f84d31ab..4683abe8 100644
--- a/checks/check44
+++ b/checks/check44
@@ -17,6 +17,10 @@ CHECK_ASFF_TYPE_check44="Software and Configuration Checks/Industry and Regulato
 CHECK_ASFF_RESOURCE_TYPE_check44="AwsEc2Vpc"
 CHECK_ALTERNATE_check404="check44"
 CHECK_SERVICENAME_check44="vpc"
+CHECK_RISK_check44='Being highly selective in peering routing tables is a very effective way of minimizing the impact of breach as resources outside of these routes are inaccessible to the peered VPC.'
+CHECK_REMEDIATION_check44='Review routing tables of peered VPCs for whether they route all subnets of each VPC and whether that is necessary to accomplish the intended purposes for peering the VPCs.'
+CHECK_DOC_check44='https://docs.aws.amazon.com/vpc/latest/peering/peering-configurations-partial-access.html'
+CHECK_CAF_EPIC_check44='Infrastructure Security'
 check44(){
 # "Ensure routing tables for VPC peering are \"least access\" (Not Scored)"
diff --git a/checks/check_extra71 b/checks/check_extra71
index 96f367fd..a0a8ce03 100644
--- a/checks/check_extra71
+++ b/checks/check_extra71
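Review bot: `CHECK_REMEDIATION_check43` is the generic security-group text and does not say what actually clears this finding, which per the title below is the default security group of every VPC permitting traffic; the default group's stock rules allow all traffic between members and all egress, and it gets attached to anything launched without an explicit group. Suggest `CHECK_REMEDIATION_check43='Remove all inbound and outbound rules from the default security group of every VPC and attach purpose-specific security groups to resources instead; the default group cannot be deleted, so leaving it empty is the control.'`. `CHECK_DOC_check43` again links the EKS security group requirements, which is unrelated.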
@@ -21,6 +21,10 @@ CHECK_ALTERNATE_check71="extra71"
 CHECK_ALTERNATE_check701="extra71"
 CHECK_ASFF_COMPLIANCE_TYPE_extra71="ens-op.exp.10.aws.trail.2"
 CHECK_SERVICENAME_extra71="iam"
+CHECK_RISK_extra71='Policy "may" allow Anonymous users to perform actions.'
+CHECK_REMEDIATION_extra71='Ensure this repository and its contents should be publicly accessible.'
+CHECK_DOC_extra71='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html'
+CHECK_CAF_EPIC_extra71='Infrastructure Security'
 extra71(){
 # "Ensure users of groups with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra710 b/checks/check_extra710
index fccbce46..3a15384e 100644
--- a/checks/check_extra710
+++ b/checks/check_extra710
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra710="AwsEc2Instance"
 CHECK_ALTERNATE_check710="extra710"
 CHECK_ASFF_COMPLIANCE_TYPE_extra710="ens-mp.com.4.aws.vpc.1"
 CHECK_SERVICENAME_extra710="ec2"
+CHECK_RISK_extra710='Exposing an EC2 directly to internet increases the attack surface and therefore the risk of compromise.'
+CHECK_REMEDIATION_extra710='Use an ALB and apply WAF ACL.'
+CHECK_DOC_extra710='https://aws.amazon.com/blogs/aws/aws-web-application-firewall-waf-for-application-load-balancers/'
+CHECK_CAF_EPIC_extra710='Infrastructure Security'
 extra710(){
 # "Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra711 b/checks/check_extra711
index 04a3a60c..b5bf3ee7 100644
--- a/checks/check_extra711
+++ b/checks/check_extra711
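Review bot: `CHECK_RISK_extra71` ("Policy may allow Anonymous users") and `CHECK_REMEDIATION_extra71` ("Ensure this repository and its contents should be publicly accessible") belong to a public-repository check and are wrong for this one, whose title below is about users in groups with `AdministratorAccess` lacking MFA; the remediation as written even reads as an instruction to make something public. Suggest `CHECK_RISK_extra71='An administrator whose only factor is a password can be fully compromised by a single leaked or guessed credential, giving the attacker control of the account.'` and `CHECK_REMEDIATION_extra71='Enable a virtual or hardware MFA device for every user in a group that carries the AdministratorAccess policy, and enforce MFA via an IAM condition on privileged actions.'`. `CHECK_CAF_EPIC_extra71='Infrastructure Security'` is also odd for an identity finding; `'IAM'` seems the intended epic.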
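Review bot: `CHECK_REMEDIATION_extra710` ("Use an ALB and apply WAF ACL") presumes every internet-facing instance is an HTTP service, which the check title below does not; for non-web workloads the relevant fix is to move the instance to a private subnet behind a NAT gateway or load balancer and keep administration on SSM Session Manager. Suggest `CHECK_REMEDIATION_extra710='Place instances in private subnets and expose only a load balancer (with an AWS WAF web ACL for HTTP/S workloads); where a public IP is unavoidable, restrict the security group to the minimum ports and source ranges and avoid direct administrative access.'`.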
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra711="High"
 CHECK_ASFF_RESOURCE_TYPE_extra711="AwsRedshiftCluster"
 CHECK_ALTERNATE_check711="extra711"
 CHECK_SERVICENAME_extra711="redshift"
+CHECK_RISK_extra711='Publicly accessible services could expose sensible data to bad actors.'
+CHECK_REMEDIATION_extra711='List all shared Redshift clusters and make sure there is a business reason for them.'
+CHECK_DOC_extra711='https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-vpc.html'
+CHECK_CAF_EPIC_extra711='Data Protection'
 extra711(){
 # "Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra712 b/checks/check_extra712
index 39e0e3c2..8007a601 100644
--- a/checks/check_extra712
+++ b/checks/check_extra712
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra712="Low"
 CHECK_ALTERNATE_check712="extra712"
 CHECK_ASFF_RESOURCE_TYPE_extra712="AwsMacieSession"
 CHECK_SERVICENAME_extra712="macie"
+CHECK_RISK_extra712='Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to help you discover; monitor; and protect your sensitive data in AWS.'
+CHECK_REMEDIATION_extra712='Enable Amazon Macie and create appropriate jobs to discover sensitive data.'
+CHECK_DOC_extra712='https://docs.aws.amazon.com/macie/latest/user/getting-started.html'
+CHECK_CAF_EPIC_extra712='Data Protection'
 extra712(){
 textInfo "No API commands available to check if Macie is enabled,"
diff --git a/checks/check_extra713 b/checks/check_extra713
index 49606523..6002ac8d 100644
--- a/checks/check_extra713
+++ b/checks/check_extra713
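Review bot: `CHECK_REMEDIATION_extra711` speaks of "shared" Redshift clusters, but the title below is "Publicly Accessible Redshift Clusters", a different property; the remediation should name the setting that clears the finding. Suggest `CHECK_REMEDIATION_extra711='Set PubliclyAccessible to false on the cluster (modify-cluster --no-publicly-accessible) so it has no public IP, and reach it through the VPC; where public access has a documented business reason, restrict its security group to known source addresses.'`. `sensible` in `CHECK_RISK_extra711` should be `sensitive` (the same false friend recurs in extra716, extra723, extra727 and extra728).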
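Review bot: `CHECK_RISK_extra712` is a product description of Macie rather than a statement of what is at risk when it is off, so the report reader is told what the service is but not why the finding matters. Suggest `CHECK_RISK_extra712='Without Macie there is no continuous inventory of where sensitive data (PII, credentials, financial records) sits in S3, so exposed or over-shared buckets holding it go unnoticed.'`. Note the context line `textInfo "No API commands available to check if Macie is enabled,"` indicates this check cannot actually evaluate state, which the remediation text might acknowledge so readers do not expect a PASS/FAIL.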
@@ -19,6 +19,10 @@ CHECK_ALTERNATE_check713="extra713"
 CHECK_ASFF_COMPLIANCE_TYPE_extra713="ens-op.mon.1.aws.duty.1"
 CHECK_ASFF_RESOURCE_TYPE_extra713="AwsGuardDutyDetector"
 CHECK_SERVICENAME_extra713="guardduty"
+CHECK_RISK_extra713='Amazon GuardDuty is a continuous security monitoring service that analyzes and processes several datasources.'
+CHECK_REMEDIATION_extra713='Enable GuardDuty and analyze its findings.'
+CHECK_DOC_extra713='https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html'
+CHECK_CAF_EPIC_extra713='Data Protection'
 extra713(){
 # "Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra714 b/checks/check_extra714
index 362b69c0..38bddcc1 100644
--- a/checks/check_extra714
+++ b/checks/check_extra714
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra714="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra714="AwsCloudFrontDistribution"
 CHECK_ALTERNATE_check714="extra714"
 CHECK_SERVICENAME_extra714="cloudfront"
+CHECK_RISK_extra714='If not enabled monitoring of service use is not possible.'
+CHECK_REMEDIATION_extra714='Real-time monitoring can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Enable logging for services with defined log rotation. This logs are useful for Incident Response and forensics investigation among other use cases.'
+CHECK_DOC_extra714='https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html'
+CHECK_CAF_EPIC_extra714='Logging and Monitoring'
 extra714(){
 # "Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra715 b/checks/check_extra715
index e848e78b..2be3409b 100644
--- a/checks/check_extra715
+++ b/checks/check_extra715
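Review bot: `CHECK_CAF_EPIC_extra713='Data Protection'` miscategorises GuardDuty, which is a threat-detection service; the other detection checks in this commit use `'Logging and Monitoring'`, and the existing `ens-op.mon.1` compliance tag on the context line above points the same way. `CHECK_RISK_extra713` is also a service description rather than a risk; suggest `CHECK_RISK_extra713='Without GuardDuty, compromised credentials, cryptomining, C2 callbacks and reconnaissance visible in CloudTrail, VPC Flow Logs and DNS logs go undetected.'`, and have the remediation mention enabling it in every region (GuardDuty is regional) and routing findings to a monitored destination.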
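Review bot: `CHECK_REMEDIATION_extra714` opens with CloudTrail-to-CloudWatch metric filters, which is the CIS 3.x remediation and unrelated to this finding; the title below is about CloudFront distribution logging, and the linked `AccessLogs.html` page is about standard (access) logs delivered to S3. Suggest replacing the first sentence with `Enable standard logging on the distribution with an S3 bucket and prefix dedicated to CloudFront access logs, and apply a lifecycle policy to the bucket` and fixing `This logs` to `These logs`.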
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra715="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra715="AwsElasticsearchDomain"
 CHECK_ALTERNATE_check715="extra715"
 CHECK_SERVICENAME_extra715="es"
+CHECK_RISK_extra715='Amazon ES exposes four Elasticsearch logs through Amazon CloudWatch Logs: error logs; search slow logs; index slow logs; and audit logs. '
+CHECK_REMEDIATION_extra715='Enable Elasticsearch log. Create use cases for them. Using audit logs check for access denied events.'
+CHECK_DOC_extra715='https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createdomain-configure-slow-logs.html'
+CHECK_CAF_EPIC_extra715='Logging and Monitoring'
 extra715(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra716 b/checks/check_extra716
index cc6a88c3..360d32f2 100644
--- a/checks/check_extra716
+++ b/checks/check_extra716
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra716="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra716="AwsElasticsearchDomain"
 CHECK_ALTERNATE_check716="extra716"
 CHECK_SERVICENAME_extra716="es"
+CHECK_RISK_extra716='Publicly accessible services could expose sensible data to bad actors.'
+CHECK_REMEDIATION_extra716='Use VPC endpoints for internal services.'
+CHECK_DOC_extra716='https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-vpc.html'
+CHECK_CAF_EPIC_extra716='Infrastructure Security'
 extra716(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra717 b/checks/check_extra717
index 1c7a6a22..982bb232 100644
--- a/checks/check_extra717
+++ b/checks/check_extra717
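Review bot: `CHECK_RISK_extra715` lists the available log types but never states the risk of leaving them off, and ends with a stray space inside the quotes; `CHECK_REMEDIATION_extra715` says `Enable Elasticsearch log.` (singular, no object). Suggest `CHECK_RISK_extra715='Without Elasticsearch logs in CloudWatch there is no record of failed or denied requests, slow queries or cluster errors, so abuse and misconfiguration of the domain cannot be detected or investigated.'` and `Enable error and audit logs (and slow logs where useful) to CloudWatch Logs, set a retention period, and alert on access-denied events in the audit log`. The function body begins after the hunk, so whether the check covers audit logs or only the slow/error logs cannot be confirmed from here.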
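Review bot: `CHECK_REMEDIATION_extra716` ("Use VPC endpoints for internal services") is too terse to act on for a Critical finding: the fix for a public Elasticsearch domain is to create the domain with VPC access, and, as far as I recall the service docs, an existing public domain cannot be switched to VPC access afterwards and must be recreated and its data migrated, which the reader needs to know. Suggest `CHECK_REMEDIATION_extra716='Create domains with VPC access so the endpoint is only reachable inside the VPC; an existing public domain must be recreated (snapshot and restore) to move it. Where a public endpoint is unavoidable, lock the domain access policy down to specific IAM principals and source IPs and enable fine-grained access control.'`. Also `sensible` should be `sensitive`.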
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra717="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra717="AwsElbLoadBalancer"
 CHECK_ALTERNATE_check717="extra717"
 CHECK_SERVICENAME_extra717="elb"
+CHECK_RISK_extra717='If logs are not enabled monitoring of service use and threat analysis is not possible.'
+CHECK_REMEDIATION_extra717='Enable ELB logging; create la log lifecycle and define use cases.'
+CHECK_DOC_extra717='https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html'
+CHECK_CAF_EPIC_extra717='Logging and Monitoring'
 extra717(){
 # "Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra718 b/checks/check_extra718
index 738fc59e..39f27bb1 100644
--- a/checks/check_extra718
+++ b/checks/check_extra718
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra718="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra718="AwsS3Bucket"
 CHECK_ALTERNATE_check718="extra718"
 CHECK_SERVICENAME_extra718="s3"
+CHECK_RISK_extra718='Server access logs can assist you in security and access audits; help you learn about your customer base; and understand your Amazon S3 bill.'
+CHECK_REMEDIATION_extra718='Ensure that S3 buckets have Logging enabled. CloudTrail data events can be used in place of S3 bucket logging. If that is the case; this finding can be considered a false positive.'
+CHECK_DOC_extra718='https://docs.aws.amazon.com/AmazonS3/latest/dev/security-best-practices.html'
+CHECK_CAF_EPIC_extra718='Logging and Monitoring'
 extra718(){
 # "Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra719 b/checks/check_extra719
index 9578ccd6..998c6e86 100644
--- a/checks/check_extra719
+++ b/checks/check_extra719
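Review bot: `CHECK_REMEDIATION_extra717` contains the stray Spanish article in `create la log lifecycle`, which will appear verbatim in every report; it should read `Enable ELB access logging to a dedicated S3 bucket; define a log lifecycle policy and the detection use cases the logs serve.` The access-log bucket also needs a bucket policy granting the regional ELB service principal `s3:PutObject`, which is the step most people miss and the linked doc covers, so a clause to that effect would save readers a round trip.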
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra719="Medium"
 CHECK_ALTERNATE_check719="extra719"
 CHECK_ASFF_RESOURCE_TYPE_extra719="AwsRoute53HostedZone"
 CHECK_SERVICENAME_extra719="route53"
+CHECK_RISK_extra719='If logs are not enabled; monitoring of service use and threat analysis is not possible.'
+CHECK_REMEDIATION_extra719='Enable CloudWatch logs and define metrics and uses cases for the events recorded.'
+CHECK_DOC_extra719='https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/monitoring-hosted-zones-with-cloudwatch.html'
+CHECK_CAF_EPIC_extra719='Logging and Monitoring'
 extra719(){
 # You can't create a query logging config for a private hosted zone.
diff --git a/checks/check_extra72 b/checks/check_extra72
index 07ff9393..ad09b746 100644
--- a/checks/check_extra72
+++ b/checks/check_extra72
@@ -20,6 +20,10 @@ CHECK_ALTERNATE_extra702="extra72"
 CHECK_ALTERNATE_check72="extra72"
 CHECK_ALTERNATE_check702="extra72"
 CHECK_SERVICENAME_check72="ec2"
+CHECK_RISK_extra72='When you share a snapshot; you are giving others access to all of the data on the snapshot. Share snapshots only with people with whom you want to share all of your snapshot data.'
+CHECK_REMEDIATION_extra72='Ensure the snapshot should be shared.'
+CHECK_DOC_extra72='https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html'
+CHECK_CAF_EPIC_extra72='Data Protection'
 extra72(){
 # "Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra720 b/checks/check_extra720
index f36ab448..396f59b2 100644
--- a/checks/check_extra720
+++ b/checks/check_extra720
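Review bot: `CHECK_REMEDIATION_extra72` ("Ensure the snapshot should be shared.") is grammatically broken and does not tell the reader how to close the exposure; the title below says the check is for snapshots set as Public, under which anyone with an AWS account can copy the full volume contents. Suggest `CHECK_RISK_extra72='A public EBS snapshot lets any AWS account create a volume from it and read every file it contains, including credentials and keys baked into the image.'` and `CHECK_REMEDIATION_extra72='Remove the "all" createVolumePermission from the snapshot so it is private, share it explicitly with named account IDs if sharing is required, and rotate any secrets the snapshot may have exposed while it was public.'`. Separately, the context line keeps `CHECK_SERVICENAME_check72` while the new variables are suffixed `_extra72`; if the reporter resolves these by check ID the service name will not be found for this check, so it seems worth aligning in the same change.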
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra720="Low"
 CHECK_ASFF_RESOURCE_TYPE_extra720="AwsLambdaFunction"
 CHECK_ALTERNATE_check720="extra720"
 CHECK_SERVICENAME_extra720="lambda"
+CHECK_RISK_extra720='If logs are not enabled; monitoring of service use and threat analysis is not possible.'
+CHECK_REMEDIATION_extra720='Make sure you are logging information about Lambda operations. Create a lifecycle and use cases for each trail.'
+CHECK_DOC_extra720='https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html'
+CHECK_CAF_EPIC_extra720='Logging and Monitoring'
 extra720(){
 # "Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra721 b/checks/check_extra721
index 5e2b6f89..d8c03776 100644
--- a/checks/check_extra721
+++ b/checks/check_extra721
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra721="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra721="AwsRedshiftCluster"
 CHECK_ALTERNATE_check721="extra721"
 CHECK_SERVICENAME_extra721="redshift"
+CHECK_RISK_extra721='If logs are not enabled; monitoring of service use and threat analysis is not possible.'
+CHECK_REMEDIATION_extra721='Enable logs. Create an S3 lifecycle policy. Define use cases; metrics and automated responses where applicable.'
+CHECK_DOC_extra721='https://docs.aws.amazon.com/redshift/latest/mgmt/db-auditing.html'
+CHECK_CAF_EPIC_extra721='Logging and Monitoring'
 extra721(){
 # "Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra722 b/checks/check_extra722
index e9ff44c8..30146620 100644
--- a/checks/check_extra722
+++ b/checks/check_extra722
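Review bot: `CHECK_REMEDIATION_extra720` ("Make sure you are logging information about Lambda operations") misses the specific point of this check: the title below is about `Invoke` API operations, and Lambda `Invoke` is a CloudTrail data event, which a default management-events-only trail does not record, so a reader with CloudTrail "enabled" will not understand why they fail. Suggest `CHECK_REMEDIATION_extra720='Add a Lambda data-event selector to a trail (all functions or the specific ARNs) so Invoke calls are recorded; management events alone do not capture invocations. Deliver the trail to CloudWatch Logs or S3 with a lifecycle policy.'`.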
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra722="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra722="AwsApiGatewayRestApi"
 CHECK_ALTERNATE_check722="extra722"
 CHECK_SERVICENAME_extra722="apigateway"
+CHECK_RISK_extra722='If not enabled; monitoring of service use is not possible. Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.'
+CHECK_REMEDIATION_extra722='Monitoring is an important part of maintaining the reliability; availability; and performance of API Gateway and your AWS solutions. You should collect monitoring data from all of the parts of your AWS solution. CloudTrail provides a record of actions taken by a user; role; or an AWS service in API Gateway. Using the information collected by CloudTrail; you can determine the request that was made to API Gateway; the IP address from which the request was made; who made the request; etc.'
+CHECK_DOC_extra722='https://docs.aws.amazon.com/apigateway/latest/developerguide/security-monitoring.html'
+CHECK_CAF_EPIC_extra722='Logging and Monitoring'
 extra722(){
 # "Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra723 b/checks/check_extra723
index 6051282b..187f50ce 100644
--- a/checks/check_extra723
+++ b/checks/check_extra723
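Review bot: `CHECK_REMEDIATION_extra722` contains no remediation at all — it is a paragraph about why monitoring matters and what CloudTrail records — while the actionable sentence (metric filters and alarms) sits in `CHECK_RISK_extra722`; the two fields appear swapped and both talk about CloudTrail, whereas the title below ("API Gateway has logging enabled") most plausibly refers to stage-level execution/access logging, which CloudTrail does not provide. Suggest `CHECK_RISK_extra722='Without execution and access logs on API stages there is no record of who called which method with what result, so abuse, auth failures and injection attempts against the API cannot be detected or investigated.'` and `CHECK_REMEDIATION_extra722='Enable CloudWatch execution logging (INFO or ERROR) and access logging on every stage, with an IAM role that lets API Gateway write to CloudWatch Logs, and set a retention period on the log groups.'`. The function body is outside the hunk, so the exact property the check reads should be confirmed before rewording.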
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra723="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra723="AwsRdsDbSnapshot"
 CHECK_ALTERNATE_check723="extra723"
 CHECK_SERVICENAME_extra723="rds"
+CHECK_RISK_extra723='Publicly accessible services could expose sensible data to bad actors. t is recommended that your RDS snapshots should not be public in order to prevent potential leak or misuse of sensitive data or any other kind of security threat. If your RDS snapshot is public; then the data which is backed up in that snapshot is accessible to all other AWS accounts.'
+CHECK_REMEDIATION_extra723='Use AWS Config to identify any sanpshot that is public.'
+CHECK_DOC_extra723='https://docs.aws.amazon.com/config/latest/developerguide/rds-snapshots-public-prohibited.html'
+CHECK_CAF_EPIC_extra723='Data Protection'
 extra723(){
 # "Check if RDS Snapshots are public (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra724 b/checks/check_extra724
index ac0c501a..69356973 100644
--- a/checks/check_extra724
+++ b/checks/check_extra724
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra724="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra724="AwsCertificateManagerCertificate"
 CHECK_ALTERNATE_check724="extra724"
 CHECK_SERVICENAME_extra724="acm"
+CHECK_RISK_extra724='Domain owners can search the log to identify unexpected certificates; whether issued by mistake or malice. Domain owners can also identify Certificate Authorities (CAs) that are improperly issuing certificates.'
+CHECK_REMEDIATION_extra724='Make sure you are logging information about Lambda operations. Create a lifecycle and use cases for each trail.'
+CHECK_DOC_extra724='https://aws.amazon.com/blogs/security/how-to-get-ready-for-certificate-transparency/'
+CHECK_CAF_EPIC_extra724='Logging and Monitoring'
 extra724(){
 # "Check if ACM certificates have Certificate Transparency logging enabled (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra725 b/checks/check_extra725
index d12fd367..614feff0 100644
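Review bot: `CHECK_REMEDIATION_extra723` ("Use AWS Config to identify any sanpshot that is public") describes detection, which this very check already performs, rather than the fix, and `sanpshot` is misspelled; `CHECK_RISK_extra723` has `t is recommended` (dropped `I`) and `sensible` for `sensitive`. Suggest `CHECK_REMEDIATION_extra723='Make the snapshot private by removing "all" from its restore attribute (modify-db-snapshot-attribute --attribute-name restore --values-to-remove all), share it only with explicit account IDs when needed, and treat any data it held as exposed while it was public.'`. Since a public snapshot lets any AWS account restore a full copy of the database, the Critical severity is justified and the remediation should also mention rotating credentials stored in the database.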
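Review bot: `CHECK_REMEDIATION_extra724` ("Make sure you are logging information about Lambda operations. Create a lifecycle and use cases for each trail.") is copied from the Lambda CloudTrail check and has nothing to do with this finding, which per the title below is about Certificate Transparency logging on ACM certificates. Suggest `CHECK_REMEDIATION_extra724='Leave Certificate Transparency logging enabled (the ACM default) and only opt out for certificates whose hostnames must stay private; re-enable it with update-certificate-options --certificate-transparency-logging-preference ENABLED. Monitor CT logs for your domains to detect mis-issued certificates.'`. Note that opting a certificate out of CT causes modern browsers to reject it, which is worth stating in the risk text.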
--- a/checks/check_extra725
+++ b/checks/check_extra725
@@ -19,7 +19,10 @@ CHECK_SEVERITY_extra725="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra725="AwsS3Bucket"
 CHECK_ALTERNATE_check725="extra725"
 CHECK_SERVICENAME_extra725="s3"
-
+CHECK_RISK_extra725='If logs are not enabled; monitoring of service use and threat analysis is not possible.'
+CHECK_REMEDIATION_extra725='Enable logs. Create an S3 lifecycle policy. Define use cases; metrics and automated responses where applicable.'
+CHECK_DOC_extra725='https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html'
+CHECK_CAF_EPIC_extra725='Logging and Monitoring'
 # per Object-level logging is not configured at Bucket level but at CloudTrail trail level
 extra725(){
diff --git a/checks/check_extra726 b/checks/check_extra726
index f4762623..341833e1 100644
--- a/checks/check_extra726
+++ b/checks/check_extra726
@@ -18,6 +18,10 @@ CHECK_TYPE_extra726="EXTRA"
 CHECK_SEVERITY_extra726="Medium"
 CHECK_ALTERNATE_check726="extra726"
 CHECK_SERVICENAME_extra726="trustedadvisor"
+CHECK_RISK_extra726='Improve the security of your application by closing gaps; enabling various AWS security features; and examining your permissions.'
+CHECK_REMEDIATION_extra726='Review and act upon its recommendations.'
+CHECK_DOC_extra726='https://aws.amazon.com/premiumsupport/technology/trusted-advisor/best-practice-checklist/'
+CHECK_CAF_EPIC_extra726='IAM'
 extra726(){
 trap "exit" INT
diff --git a/checks/check_extra727 b/checks/check_extra727
index d618b0bd..400e78d8 100644
--- a/checks/check_extra727
+++ b/checks/check_extra727
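Review bot: `CHECK_RISK_extra726` is an imperative marketing sentence rather than a risk, and `CHECK_REMEDIATION_extra726` ("Review and act upon its recommendations") does not say that the Trusted Advisor security checks this relies on are only fully available on Business/Enterprise support plans, so a reader on Basic support cannot act on it. Suggest `CHECK_RISK_extra726='Open Trusted Advisor security recommendations mean known misconfigurations (exposed ports, missing MFA, public buckets) remain unaddressed.'` and `CHECK_REMEDIATION_extra726='Review the Trusted Advisor security category (requires a Business or Enterprise support plan for the full set) and remediate or document each flagged item.'`. `CHECK_CAF_EPIC_extra726='IAM'` also looks arbitrary for a cross-service advisor; `'Logging and Monitoring'` or a security-posture epic would be more accurate.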
@@ -19,6 +19,10 @@ CHECK_SEVERITY_extra727="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra727="AwsSqsQueue"
 CHECK_ALTERNATE_check727="extra727"
 CHECK_SERVICENAME_extra727="sqs"
+CHECK_RISK_extra727='Sensible information could be disclosed.'
+CHECK_REMEDIATION_extra727='Review service with overly permissive policies. Adhere to Principle of Least Privilege.'
+CHECK_DOC_extra727='https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-basic-examples-of-sqs-policies.html'
+CHECK_CAF_EPIC_extra727='Infrastructure Security'
 extra727(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra728 b/checks/check_extra728
index bde576a1..60758fd1 100644
--- a/checks/check_extra728
+++ b/checks/check_extra728
@@ -20,6 +20,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra728="AwsSqsQueue"
 CHECK_ALTERNATE_check728="extra728"
 CHECK_ASFF_COMPLIANCE_TYPE_extra728="ens-mp.info.3.sns.1"
 CHECK_SERVICENAME_extra728="sqs"
+CHECK_RISK_extra728='If not enabled sensible information in transit is not protected.'
+CHECK_REMEDIATION_extra728='Enable Encryption. Use a CMK where possible. It will provide additional management and privacy benefits.'
+CHECK_DOC_extra728='https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-sse-existing-queue.html'
+CHECK_CAF_EPIC_extra728='Data Protection'
 extra728(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra729 b/checks/check_extra729
index 58bf6e40..21feea47 100644
--- a/checks/check_extra729
+++ b/checks/check_extra729
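Review bot: CHECK_RISK_extra728 names the wrong property: SQS server-side encryption, which is what this check tests per the linked sqs-configure-sse-existing-queue page, protects messages at rest, while protection in transit comes from TLS on the API endpoint. Change it to `CHECK_RISK_extra728='If not enabled sensitive information at rest is not protected.'`, which is also the wording the extra735 hunk already uses. The epic `Data Protection` is right; only the risk sentence is off.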
@@ -20,7 +20,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra729="AwsEc2Volume"
 CHECK_ALTERNATE_check729="extra729"
 CHECK_ASFF_COMPLIANCE_TYPE_extra729="ens-mp.info.3.aws.ebs.1"
 CHECK_SERVICENAME_extra729="ec2"
-
+CHECK_RISK_extra729='Data encryption at rest prevents data visibility in the event of its unauthorized access or theft.'
+CHECK_REMEDIATION_extra729='Encrypt al EBS volumes and Enable Encryption by default You can configure your AWS account to enforce the encryption of the new EBS volumes and snapshot copies that you create. For example; Amazon EBS encrypts the EBS volumes created when you launch an instance and the snapshots that you copy from an unencrypted snapshot.'
+CHECK_DOC_extra729='https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html'
+CHECK_CAF_EPIC_extra729='Data Protection'
 extra729(){
 # "Ensure there are no EBS Volumes unencrypted (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra73 b/checks/check_extra73
index b8c81961..0340096b 100644
--- a/checks/check_extra73
+++ b/checks/check_extra73
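Review bot: CHECK_REMEDIATION_extra729 has `Encrypt al EBS volumes` (should be `all`) and runs two sentences together at `Enable Encryption by default You can configure`; the extra740 hunk repeats the `al` slip in `Encrypt al EBS Snapshot`. Suggest `CHECK_REMEDIATION_extra729='Encrypt all EBS volumes and enable encryption by default. You can configure ...'` with the remainder unchanged. Encryption by default only applies to newly created volumes and snapshot copies, so a closing sentence such as `Existing unencrypted volumes must be migrated by snapshotting; copying the snapshot with encryption enabled and creating a new volume from the copy.` would make the remediation complete for the volumes this check actually reports.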
@@ -21,6 +21,10 @@ CHECK_ALTERNATE_extra703="extra73"
 CHECK_ALTERNATE_check73="extra73"
 CHECK_ALTERNATE_check703="extra73"
 CHECK_SERVICENAME_extra73="s3"
+CHECK_RISK_extra73='Even if you enable all possible bucket ACL options available in the Amazon S3 console the ACL alone does not allow everyone to download objects from your bucket. Depending on which option you select any user could perform some actions.'
+CHECK_REMEDIATION_extra73='You can enable block public access settings only for access points; buckets; and AWS accounts. Amazon S3 does not support block public access settings on a per-object basis. When you apply block public access settings to an account; the settings apply to all AWS Regions globally. The settings might not take effect in all Regions immediately or simultaneously; but they eventually propagate to all Regions.'
+CHECK_DOC_extra73='https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html'
+CHECK_CAF_EPIC_extra73='Data Protection'
 # Verified with AWS support that if get-bucket-acl doesn't return a grant
 # for All and get-bucket-policy-status returns IsPublic false or bad request
diff --git a/checks/check_extra730 b/checks/check_extra730
index 1b3ed3fe..100cb37d 100644
--- a/checks/check_extra730
+++ b/checks/check_extra730
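Review bot: CHECK_RISK_extra73 reads as reassurance lifted from the S3 documentation (`the ACL alone does not allow everyone to download objects`) rather than a statement of the risk of a public bucket, and CHECK_REMEDIATION_extra73 explains the scope of Block Public Access without ever telling the reader to turn it on. Suggest `CHECK_RISK_extra73='A bucket that grants access to AllUsers or AuthenticatedUsers via ACL or policy exposes its objects to anyone on the internet or to any AWS account.'` and opening the remediation with `Enable S3 Block Public Access at the account level and on the bucket; then remove public grants from the bucket ACL and policy.` ahead of the existing scope text. The `# Verified with AWS support` comment and the check body continue outside the hunk.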
@@ -21,6 +21,10 @@ CHECK_SEVERITY_extra730="High"
 CHECK_ASFF_RESOURCE_TYPE_extra730="AwsCertificateManagerCertificate"
 CHECK_ALTERNATE_check730="extra730"
 CHECK_SERVICENAME_extra730="acm"
+CHECK_RISK_extra730='Expired certificates can impact service availability.'
+CHECK_REMEDIATION_extra730='Monitor certificate expiration and take automated action to renew; replace or remove. Having shorter TTL for any security artifact is a general recommendation; but requires additional automation in place. If not longer required delete certificate. Use AWS config using the managed rule: acm-certificate-expiration-check.'
+CHECK_DOC_extra730='https://docs.aws.amazon.com/config/latest/developerguide/acm-certificate-expiration-check.html'
+CHECK_CAF_EPIC_extra730='Data Protection'
 extra730(){
 # "Check if ACM Certificates are about to expire in $DAYS_TO_EXPIRE_THRESHOLD days or less"
diff --git a/checks/check_extra731 b/checks/check_extra731
index 0519c3f6..5bf1743b 100644
--- a/checks/check_extra731
+++ b/checks/check_extra731
@@ -19,6 +19,10 @@ CHECK_SEVERITY_extra731="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra731="AwsSnsTopic"
 CHECK_ALTERNATE_check731="extra731"
 CHECK_SERVICENAME_extra731="sns"
+CHECK_RISK_extra731='Publicly accessible services could expose sensible data to bad actors.'
+CHECK_REMEDIATION_extra731='Ensure there is a business requirement for service to be public.'
+CHECK_DOC_extra731='https://docs.aws.amazon.com/config/latest/developerguide/sns-topic-policy.html'
+CHECK_CAF_EPIC_extra731='Infrastructure Security'
 extra731(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra732 b/checks/check_extra732
index 0e38ee9d..2f355c13 100644
--- a/checks/check_extra732
+++ b/checks/check_extra732
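Review bot: CHECK_REMEDIATION_extra730 has `If not longer required delete certificate`, which should read `If no longer required delete the certificate`, and `Use AWS config` should be `Use AWS Config` to match the product name used elsewhere in the commit. The rest of the remediation is sound.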
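Review bot: CHECK_REMEDIATION_extra731 only asks for a business justification and never states the fix; a topic reported by this check is remediated by restricting the Principal in its access policy, so suggest `CHECK_REMEDIATION_extra731='Ensure there is a business requirement for the topic to be public; otherwise restrict the Principal in the topic policy to the intended accounts or services and add a Condition where possible.'`. The CAF epic for public-exposure checks is also inconsistent across this commit: extra727 and extra731 use `Infrastructure Security` while extra723, extra77, extra78 and extra79 use `Data Protection` for the same class of finding; settling on one keeps any downstream grouping by epic meaningful.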
@@ -19,6 +19,10 @@ CHECK_SEVERITY_extra732="Low"
 CHECK_ASFF_RESOURCE_TYPE_extra732="AwsCloudFrontDistribution"
 CHECK_ALTERNATE_check732="extra732"
 CHECK_SERVICENAME_extra732="cloudfront"
+CHECK_RISK_extra732='Consider countries where service should not be accessed; by legal or compliance requirements. Additionally if not restricted the attack vector is increased.'
+CHECK_REMEDIATION_extra732='If possible; define and enable Geo restrictions for this service.'
+CHECK_DOC_extra732='https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/georestrictions.html'
+CHECK_CAF_EPIC_extra732='Infrastructure Security'
 extra732(){
 LIST_DISTRIBUTIONS=$($AWSCLI cloudfront list-distributions $PROFILE_OPT --query 'DistributionList.Items[*].Id' --output text |grep -v ^None)
diff --git a/checks/check_extra733 b/checks/check_extra733
index 40de63d6..3fa7e785 100644
--- a/checks/check_extra733
+++ b/checks/check_extra733
@@ -19,6 +19,10 @@ CHECK_SEVERITY_extra733="Low"
 CHECK_ALTERNATE_check733="extra733"
 CHECK_ASFF_COMPLIANCE_TYPE_extra733="ens-op.acc.1.aws.iam.1"
 CHECK_SERVICENAME_extra733="iam"
+CHECK_RISK_extra733='Without SAML provider users with AWS CLI or AWS API access can use IAM static credentials. SAML helps users to assume role by default each time they authenticate.'
+CHECK_REMEDIATION_extra733='Enable SAML provider and use temporary credentials. You can use temporary security credentials to make programmatic requests for AWS resources using the AWS CLI or AWS API (using the AWS SDKs ). The temporary credentials provide the same permissions that you have with use long-term security credentials such as IAM user credentials. In case of not having SAML provider capabilities prevent usage of long-lived credentials.'
+CHECK_DOC_extra733='https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html'
+CHECK_CAF_EPIC_extra733='IAM'
 extra733(){
 LIST_SAML_PROV=$($AWSCLI iam list-saml-providers $PROFILE_OPT --query 'SAMLProviderList[*].Arn' --output text |grep -v ^None)
diff --git a/checks/check_extra734 b/checks/check_extra734
index a4cc58c5..3d66582e 100644
--- a/checks/check_extra734
+++ b/checks/check_extra734
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra734="AwsS3Bucket"
 CHECK_ALTERNATE_check734="extra734"
 CHECK_ASFF_COMPLIANCE_TYPE_extra734="ens-mp.info.3.s3.1"
 CHECK_SERVICENAME_extra734="s3"
+CHECK_RISK_extra734='Amazon S3 default encryption provides a way to set the default encryption behavior for an S3 bucket. This will ensure data-at-rest is encrypted.'
+CHECK_REMEDIATION_extra734='Ensure that S3 buckets has encryption at rest enabled.'
+CHECK_DOC_extra734='https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html'
+CHECK_CAF_EPIC_extra734='Data Protection'
 extra734(){
 LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --region $REGION --query Buckets[*].Name --output text|xargs -n1)
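Review bot: CHECK_REMEDIATION_extra733 contains a garbled clause, `that you have with use long-term security credentials`, which presumably should read `that you would have using long-term security credentials`, and `(using the AWS SDKs )` has a stray space before the parenthesis. The second sentence of CHECK_RISK_extra733 (`SAML helps users to assume role by default each time they authenticate`) is hard to parse; `Federation through a SAML provider gives users short-lived role credentials each time they authenticate; instead of long-lived IAM user access keys.` states the same point directly.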
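Review bot: CHECK_RISK_extra734 describes the feature rather than the risk of not having it, and CHECK_REMEDIATION_extra734 has `S3 buckets has` (should be `have`). Suggest `CHECK_RISK_extra734='Without default encryption new objects may be stored unencrypted at rest unless every writer sets encryption explicitly.'` and `CHECK_REMEDIATION_extra734='Ensure that S3 buckets have default encryption at rest enabled.'`. CHECK_DOC_extra734 uses the `/latest/dev/` path while the other S3 links in this commit use `/latest/userguide/`; worth confirming the older path still resolves before merging.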
diff --git a/checks/check_extra735 b/checks/check_extra735
index 409e08a4..0b789f5e 100644
--- a/checks/check_extra735
+++ b/checks/check_extra735
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra735="AwsRdsDbInstance"
 CHECK_ALTERNATE_check735="extra735"
 CHECK_ASFF_COMPLIANCE_TYPE_extra735="ens-mp.info.3.aws.rds.1"
 CHECK_SERVICENAME_extra735="rds"
+CHECK_RISK_extra735='If not enabled sensible information at rest is not protected.'
+CHECK_REMEDIATION_extra735='Enable Encryption. Use a CMK where possible. It will provide additional management and privacy benefits.'
+CHECK_DOC_extra735='https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html'
+CHECK_CAF_EPIC_extra735='Data Protection'
 extra735(){
 textInfo "Looking for RDS Volumes in all regions... "
diff --git a/checks/check_extra736 b/checks/check_extra736
index 291d971d..f9266d65 100644
--- a/checks/check_extra736
+++ b/checks/check_extra736
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra736="AwsKmsKey"
 CHECK_ALTERNATE_check736="extra736"
 CHECK_ASFF_COMPLIANCE_TYPE_extra736="ens-op.exp.11.aws.kms.2"
 CHECK_SERVICENAME_extra736="kms"
+CHECK_RISK_extra736='Exposed KMS Keys or wide policy permissions my leave data unprotected.'
+CHECK_REMEDIATION_extra736='To determine the full extent of who or what currently has access to a customer master key (CMK) in AWS KMS; you must examine the CMK key policy; all grants that apply to the CMK; and potentially all AWS Identity and Access Management (IAM) policies. You might do this to determine the scope of potential usage of a CMK.'
+CHECK_DOC_extra736='https://docs.aws.amazon.com/kms/latest/developerguide/determining-access.html'
+CHECK_CAF_EPIC_extra736='Data Protection'
 extra736(){
 textInfo "Looking for KMS keys in all regions... "
diff --git a/checks/check_extra737 b/checks/check_extra737
index 1dc12679..dc159378 100644
--- a/checks/check_extra737
+++ b/checks/check_extra737
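Review bot: CHECK_REMEDIATION_extra735's `Enable Encryption.` is not actionable for the instances this check reports: RDS storage encryption can only be chosen when a DB instance is created, so an existing unencrypted instance has to be migrated rather than switched on. Suggest opening the remediation with `Encryption can only be set at creation; migrate existing instances by copying a snapshot with encryption enabled and restoring from the encrypted copy.` and keeping the CMK sentence that follows. `sensible` in CHECK_RISK_extra735 should be `sensitive`, as elsewhere in the commit.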
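Review bot: CHECK_RISK_extra736 has `my leave data unprotected`, which should read `may leave data unprotected`. The remediation describes how to audit who can use a key but never states the fix; appending `Remove wildcard principals from the key policy and scope grants to the principals that need them.` as the closing sentence would give the reader the corrective step.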
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra737="AwsKmsKey"
 CHECK_ALTERNATE_check737="extra737"
 CHECK_ASFF_COMPLIANCE_TYPE_extra737="ens-op.exp.11.aws.kms.3"
 CHECK_SERVICENAME_extra737="kms"
+CHECK_RISK_extra737='Cryptographic best practices discourage extensive reuse of encryption keys. Consequently; Customer Master Keys (CMKs) should be rotated to prevent usage of compromised keys.'
+CHECK_REMEDIATION_extra737='For every KMS Customer Master Keys (CMKs); ensure that Rotate this key every year is enabled.'
+CHECK_DOC_extra737='https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html'
+CHECK_CAF_EPIC_extra737='Data Protection'
 extra737(){
 textInfo "Looking for KMS keys in all regions... "
diff --git a/checks/check_extra738 b/checks/check_extra738
index 566b715e..1ea1c457 100644
--- a/checks/check_extra738
+++ b/checks/check_extra738
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra738="AwsCloudFrontDistribution"
 CHECK_ALTERNATE_check738="extra738"
 CHECK_ASFF_COMPLIANCE_TYPE_extra738="ens-mp.com.2.aws.front.1"
 CHECK_SERVICENAME_extra738="cloudfront"
+CHECK_RISK_extra738='If not enabled sensible information in transit is not protected. Surveillance and other threats are risks may exists.'
+CHECK_REMEDIATION_extra738='Use HTTPS everywhere possible. It will enforce privacy and protect against account hijacking and other threats.'
+CHECK_DOC_extra738='https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https.html'
+CHECK_CAF_EPIC_extra738='Data Protection'
 extra738(){
 LIST_OF_DISTRIBUTIONS=$($AWSCLI cloudfront list-distributions --query 'DistributionList.Items[*].Id' $PROFILE_OPT --output text|grep -v ^None)
diff --git a/checks/check_extra739 b/checks/check_extra739
index c0aec8b3..e36f4ab1 100644
--- a/checks/check_extra739
+++ b/checks/check_extra739
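Review bot: The second sentence of CHECK_RISK_extra738, `Surveillance and other threats are risks may exists.`, is ungrammatical and will be printed verbatim in reports. Suggest replacing the whole value with `CHECK_RISK_extra738='If not enabled sensitive information in transit is not protected and is exposed to interception or tampering.'`, which also fixes the `sensible` slip shared with other hunks in this commit.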
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra739="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra739="AwsRdsDbInstance"
 CHECK_ALTERNATE_check739="extra739"
 CHECK_SERVICENAME_extra739="rds"
+CHECK_RISK_extra739='If backup is not enabled; data is vulnerable. Human error or bad actors could erase or modify data.'
+CHECK_REMEDIATION_extra739='Enable automated backup for production data. Define a retention period and periodically test backup restoration. A Disaster Recovery process should be in place to govern Data Protection approach.'
+CHECK_DOC_extra739='https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html'
+CHECK_CAF_EPIC_extra739='Data Protection'
 extra739(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra74 b/checks/check_extra74
index 5061bb4d..6ffa01d8 100644
--- a/checks/check_extra74
+++ b/checks/check_extra74
@@ -21,6 +21,10 @@ CHECK_ALTERNATE_check74="extra74"
 CHECK_ALTERNATE_check704="extra74"
 CHECK_ASFF_COMPLIANCE_TYPE_extra74="ens-mp.com.4.aws.sg.2"
 CHECK_SERVICENAME_extra74="ec2"
+CHECK_RISK_extra74='If Security groups are not filtering traffic appropriately the attack surface is increased.'
+CHECK_REMEDIATION_extra74=' You can grant access to a specific CIDR range; or to another security group in your VPC or in a peer VPC.'
+CHECK_DOC_extra74='https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html'
+CHECK_CAF_EPIC_extra74='Infrastructure Security'
 extra74(){
 # "Ensure there are no Security Groups without ingress filtering being used (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra740 b/checks/check_extra740
index c1c8fe22..37f81434 100644
--- a/checks/check_extra740
+++ b/checks/check_extra740
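Review bot: CHECK_REMEDIATION_extra74 begins with a space inside the quotes (`' You can grant ...'`), which will be carried into every report row, and the sentence describes a capability rather than the fix for a security group that does no ingress filtering. Suggest `CHECK_REMEDIATION_extra74='Restrict ingress rules to the required ports and sources. You can grant access to a specific CIDR range; or to another security group in your VPC or in a peer VPC.'`.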
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra740="AwsEc2Snapshot"
 CHECK_ALTERNATE_check740="extra740"
 CHECK_ASFF_COMPLIANCE_TYPE_extra740="ens-mp.info.3.aws.ebs.3"
 CHECK_SERVICENAME_extra740="ec2"
+CHECK_RISK_extra740='Data encryption at rest prevents data visibility in the event of its unauthorized access or theft.'
+CHECK_REMEDIATION_extra740='Encrypt al EBS Snapshot and Enable Encryption by default. You can configure your AWS account to enforce the encryption of the new EBS volumes and snapshot copies that you create. For example; Amazon EBS encrypts the EBS volumes created when you launch an instance and the snapshots that you copy from an unencrypted snapshot.'
+CHECK_DOC_extra740='https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default'
+CHECK_CAF_EPIC_extra740='Data Protection'
 extra740(){
 textInfo "Examining EBS Volume Snapshots ..."
diff --git a/checks/check_extra741 b/checks/check_extra741
index d0501ce9..023e4f00 100644
--- a/checks/check_extra741
+++ b/checks/check_extra741
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra741="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra741="AwsEc2Instance"
 CHECK_ALTERNATE_check741="extra741"
 CHECK_SERVICENAME_extra741="ec2"
+CHECK_RISK_extra741='Secrets hardcoded into instance user data can be used by malware and bad actors to gain lateral access to other services.'
+CHECK_REMEDIATION_extra741='Implement automated detective control (e.g. using tools like Prowler ) to scan accounts for passwords and secrets. Use secrets manager service to store and retrieve passwords and secrets. '
+CHECK_DOC_extra741='https://docs.aws.amazon.com/secretsmanager/latest/userguide/tutorials_basic.html'
+CHECK_CAF_EPIC_extra741='IAM'
 extra741(){
 SECRETS_TEMP_FOLDER="$PROWLER_DIR/secrets-$ACCOUNT_NUM"
diff --git a/checks/check_extra75 b/checks/check_extra75
index a28cd3a3..f6e97ccb 100644
--- a/checks/check_extra75
+++ b/checks/check_extra75
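Review bot: CHECK_REMEDIATION_extra741 ends with a trailing space before the closing quote and has `Prowler )` with a stray space; both will appear verbatim in the output. Suggest `CHECK_REMEDIATION_extra741='Implement automated detective control (e.g. using tools like Prowler) to scan accounts for passwords and secrets. Use secrets manager service to store and retrieve passwords and secrets.'`. The risk text could also note that user data is readable by any principal allowed to describe the instance attributes, which is why a secret placed there is not confined to the instance itself.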
@@ -21,6 +21,10 @@ CHECK_ALTERNATE_check75="extra75"
 CHECK_ALTERNATE_check705="extra75"
 CHECK_ASFF_COMPLIANCE_TYPE_extra75="ens-mp.com.4.aws.sg.3"
 CHECK_SERVICENAME_extra75="ec2"
+CHECK_RISK_extra75='Having clear definition and scope for Security Groups creates a better administration environment.'
+CHECK_REMEDIATION_extra75='List all the security groups and then use the cli to check if they are attached to an instance.'
+CHECK_DOC_extra75='https://aws.amazon.com/premiumsupport/knowledge-center/ec2-find-security-group-resources/'
+CHECK_CAF_EPIC_extra75='Infrastructure Security'
 extra75(){
 # "Ensure there are no Security Groups not being used (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra76 b/checks/check_extra76
index 898b5a09..854d48e7 100644
--- a/checks/check_extra76
+++ b/checks/check_extra76
@@ -19,6 +19,10 @@ CHECK_ALTERNATE_extra706="extra76"
 CHECK_ALTERNATE_check76="extra76"
 CHECK_ALTERNATE_check706="extra76"
 CHECK_SERVICENAME_extra76="ec2"
+CHECK_RISK_extra76='A shared AMI is an AMI that a developer created and made available for other developers to use. If AMIs have embebed information about the environment could pose a security risk. You use a shared AMI at your own risk. Amazon can not vouch for the integrity or security of AMIs shared by Amazon EC2 users. '
+CHECK_REMEDIATION_extra76='List all shared AMIs and make sure there is a business reason for them.'
+CHECK_DOC_extra76='https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/usingsharedamis-finding.html'
+CHECK_CAF_EPIC_extra76='Infrastructure Security'
 extra76(){
 # "Ensure there are no EC2 AMIs set as Public (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra77 b/checks/check_extra77
index ef3f9a91..4391c320 100644
--- a/checks/check_extra77
+++ b/checks/check_extra77
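Review bot: CHECK_RISK_extra76 argues the wrong direction: it warns about consuming AMIs shared by others (`You use a shared AMI at your own risk`), while the check, per the context line below, finds AMIs this account has made public, where the risk is that anything baked into the image is exposed to every AWS account. It also has `embebed` for `embedded`, a sentence with no subject (`If AMIs have embebed information about the environment could pose a security risk`) and a trailing space before the closing quote. Suggest `CHECK_RISK_extra76='A public AMI can be launched by any AWS account. If it contains embedded credentials; keys or environment details those are exposed to everyone.'`.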
@@ -20,6 +20,10 @@ CHECK_ALTERNATE_extra707="extra77"
 CHECK_ALTERNATE_check77="extra77"
 CHECK_ALTERNATE_check707="extra77"
 CHECK_SERVICENAME_extra77="ecr"
+CHECK_RISK_extra77='Policy may allow Anonymous users to perform actions.'
+CHECK_REMEDIATION_extra77='Ensure this repository and its contents should be publicly accessible.'
+CHECK_DOC_extra77='https://docs.aws.amazon.com/AmazonECR/latest/public/security_iam_service-with-iam.html'
+CHECK_CAF_EPIC_extra77='Data Protection'
 extra77(){
 # "Ensure there are no ECR repositories set as Public (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra78 b/checks/check_extra78
index 064cf6cc..16d91ba2 100644
--- a/checks/check_extra78
+++ b/checks/check_extra78
@@ -20,6 +20,10 @@ CHECK_ALTERNATE_extra708="extra78"
 CHECK_ALTERNATE_check78="extra78"
 CHECK_ALTERNATE_check708="extra78"
 CHECK_SERVICENAME_extra78="rds"
+CHECK_RISK_extra78='Publicly accessible databases could expose sensible data to bad actors.'
+CHECK_REMEDIATION_extra78='Using an AWS Config rule check for RDS public instances periodically and check there is a business reason for it.'
+CHECK_DOC_extra78='https://docs.amazonaws.cn/en_us/config/latest/developerguide/rds-instance-public-access-check.html'
+CHECK_CAF_EPIC_extra78='Data Protection'
 extra78(){
 # "Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra79 b/checks/check_extra79
index 377ffeae..81d541df 100644
--- a/checks/check_extra79
+++ b/checks/check_extra79
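Review bot: CHECK_REMEDIATION_extra77 says the opposite of what is intended: `Ensure this repository and its contents should be publicly accessible.` tells the reader to make the repository public. Suggest `CHECK_REMEDIATION_extra77='Ensure there is a business reason for the repository to be public; otherwise remove wildcard principals from the repository policy.'`. CHECK_DOC_extra77 links to the ECR Public registry IAM page, while the check title on the context line below is about ECR repositories made public through their policy; please confirm which registry the check body (outside the hunk) queries so the link matches it.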
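Review bot: CHECK_DOC_extra78 points at the `docs.amazonaws.cn` (China regions) host while every other link in this commit uses `docs.aws.amazon.com`; the same rds-instance-public-access-check page under the global host would be the consistent choice. The remediation only asks for periodic checking; appending `Set PubliclyAccessible to false on the instance unless a documented business reason exists.` states the fix. `sensible` should be `sensitive` here as in the other hunks.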
@@ -20,6 +20,10 @@ CHECK_ALTERNATE_extra709="extra79"
 CHECK_ALTERNATE_check79="extra79"
 CHECK_ALTERNATE_check709="extra79"
 CHECK_SERVICENAME_extra79="elb"
+CHECK_RISK_extra79='Publicly accessible load balancers could expose sensible data to bad actors.'
+CHECK_REMEDIATION_extra79='Ensure the load balancer should be publicly accessible. If publiccly exposed ensure a WAF ACL is implemented.'
+CHECK_DOC_extra79='https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-associating-aws-resource.html'
+CHECK_CAF_EPIC_extra79='Data Protection'
 extra79(){
 # "Check for internet facing Elastic Load Balancers (Not Scored) (Not part of CIS benchmark)"