checks for glue - 7119, 7121, 7123, 7124, 7125

This commit is contained in:
dlpzx
2020-11-10 13:05:22 +01:00
parent ebe2594456
commit 39a7c3b18e
5 changed files with 72 additions and 45 deletions


@@ -33,19 +33,24 @@ CHECK_ALTERNATE_check7119="extra7119"
extra7119(){
textInfo "Looking for Development Endpoints in all regions... "
for regx in $REGIONS; do
LIST_GLUE_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].SecurityConfiguration' --output text)
if [[ $LIST_GLUE_SC ]]; then
for sc in $(echo '${LIST_GLUE_SC}'| jq -r '.[] | @base64');do
textInfo "$ENDPOINT_SECURITY"
ENDPOINT_SC_ENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx glue get-security-configurations $sc --query 'SecurityConfiguration.EncryptionConfiguration.S3Encryption.S3EncryptionMode' --output text)
if [[ENDPOINT_SC_ENCRYPTION == "DISABLED" ]]; then
textFail "$regx: Development Endpoint Security Configuration $sc has S3 encryption not enabled!" "$regx"
LIST_EP_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Security:SecurityConfiguration}' --output json)
if [[ ! -z "$LIST_EP_SC" ]]; then
for ep in $(echo "${LIST_EP_SC}"| jq -r '.[] | @base64');do
ENDPOINT_NAME=$(echo $ep | base64 --decode | jq -r '.Name')
ENDPOINT_SC=$(echo $ep | base64 --decode | jq -r '.Security // empty')
if [[ ! -z "$ENDPOINT_SC" ]]; then
ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.S3Encryption[0].S3EncryptionMode' --output text)
if [[ "$ENDPOINT_SC_ENCRYPTION" == "DISABLED" ]]; then
textFail "$regx: Development Endpoint $ENDPOINT_NAME does not have S3 encryption enabled!" "$regx"
else
textPass "$regx: Development Endpoint $ENDPOINT_NAME has S3 encryption enabled" "$regx"
fi
else
textPass "$regx: Development Endpoint Security Configuration $sc has S3 encryption enabled" "$regx"
textInfo "$regx: No Security Configuration found for Development Endpoint $ENDPOINT_NAME" "$regx"
fi
done
else
textInfo "$regx: No Security Configuration found" "$regx"
textInfo "$regx: There are no Development Endpoints" "$regx"
fi
done
}
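Review bot: The new `DISABLED` comparison fails open: only that literal value is treated as a finding, so an empty result, the `None` the CLI typically prints for a missing `S3Encryption` entry, or an API error that leaves stdout empty all fall into the `textPass` branch right below it. Safer to pass only on an explicit encryption mode, e.g. `if [[ "$ENDPOINT_SC_ENCRYPTION" == "SSE-S3" || "$ENDPOINT_SC_ENCRYPTION" == "SSE-KMS" ]]; then textPass …; else textFail …; fi`, so anything unexpected surfaces as a failure rather than a pass. The `S3Encryption[0]` query also inspects only the first element of what the API returns as a list; a short comment stating that assumption would help. Separately, an endpoint with no security configuration at all is reported as Info even though it has no S3 encryption either, while extra7124 in this same commit fails the equivalent case — the two checks should agree on severity.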


@@ -33,19 +33,24 @@ CHECK_ALTERNATE_check7121="extra7121"
extra7121(){
textInfo "Looking for Development Endpoints in all regions... "
for regx in $REGIONS; do
LIST_GLUE_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].SecurityConfiguration' --output text)
if [[ $LIST_GLUE_SC ]]; then
for sc in $(echo '${LIST_GLUE_SC}'| jq -r '.[] | @base64');do
textInfo "$ENDPOINT_SECURITY"
ENDPOINT_SC_ENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx glue get-security-configurations $sc --query 'SecurityConfiguration.EncryptionConfiguration.CloudWatchEncryption.CloudWatchEncryptionMode' --output text)
if [[ENDPOINT_SC_ENCRYPTION == "DISABLED" ]]; then
textFail "$regx: Development Endpoint Security Configuration $sc has CloudWatch logs encryption not enabled!" "$regx"
LIST_EP_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Security:SecurityConfiguration}' --output json)
if [[ ! -z "$LIST_EP_SC" ]]; then
for ep in $(echo "${LIST_EP_SC}"| jq -r '.[] | @base64');do
ENDPOINT_NAME=$(echo $ep | base64 --decode | jq -r '.Name')
ENDPOINT_SC=$(echo $ep | base64 --decode | jq -r '.Security // empty')
if [[ ! -z "$ENDPOINT_SC" ]]; then
ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.CloudWatchEncryption.CloudWatchEncryptionMode' --output text)
if [[ $ENDPOINT_SC_ENCRYPTION == "DISABLED" ]]; then
textFail "$regx: Development Endpoint $ENDPOINT_NAME does not have CloudWatch logs encryption enabled!" "$regx"
else
textPass "$regx: Development Endpoint $ENDPOINT_NAME has CloudWatch logs encryption enabled" "$regx"
fi
else
textPass "$regx: Development Endpoint Security Configuration $sc has CloudWatch logs encryption enabled" "$regx"
textInfo "$regx: No Security Configuration found" "$regx"
fi
done
else
textInfo "$regx: No Security Configuration found" "$regx"
textInfo "$regx: There are no Development Endpoints" "$regx"
fi
done
}
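Review bot: Two of the new lines drift from the sibling checks in this commit: `$ENDPOINT_SC_ENCRYPTION` is left unquoted in the `[[ … == "DISABLED" ]]` test where extra7119 and extra7123 quote it, and the "No Security Configuration found" Info message drops the endpoint name that extra7119 includes. Suggested: `if [[ "$ENDPOINT_SC_ENCRYPTION" == "DISABLED" ]]; then` and `textInfo "$regx: No Security Configuration found for Development Endpoint $ENDPOINT_NAME" "$regx"`. Inside `[[ ]]` the unquoted form does not break on an empty value, so the first is consistency rather than a bug, but the missing name makes the finding hard to act on. The same fail-open shape as the other checks applies here: an empty or `None` `CloudWatchEncryptionMode` is reported as a pass.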


@@ -33,19 +33,26 @@ CHECK_ALTERNATE_check7123="extra7123"
extra7123(){
textInfo "Looking for Development Endpoints in all regions... "
for regx in $REGIONS; do
LIST_GLUE_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].SecurityConfiguration' --output text)
if [[ $LIST_GLUE_SC ]]; then
for sc in $(echo '${LIST_GLUE_SC}'| jq -r '.[] | @base64');do
textInfo "$ENDPOINT_SECURITY"
ENDPOINT_SC_ENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx glue get-security-configurations $sc --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode' --output text)
if [[ENDPOINT_SC_ENCRYPTION == "DISABLED" ]]; then
textFail "$regx: Development Endpoint Security Configuration $sc has bookmark encryption not enabled!" "$regx"
LIST_EP_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Security:SecurityConfiguration}' --output json)
if [[ ! -z "$LIST_EP_SC" ]]; then
for ep in $(echo "${LIST_EP_SC}"| jq -r '.[] | @base64');do
ENDPOINT_NAME=$(echo $ep | base64 --decode | jq -r '.Name')
ENDPOINT_SC=$(echo $ep | base64 --decode | jq -r '.Security // empty')
if [[ ! -z "$ENDPOINT_SC" ]]; then
ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode' --output text)
if [[ "$ENDPOINT_SC_ENCRYPTION" == "DISABLED" ]]; then
textFail "$regx: Development Endpoint $ENDPOINT_NAME does not have Job Bookmark encryption enabled!" "$regx"
else
textPass "$regx: Development Endpoint $ENDPOINT_NAME has Job Bookmark encryption enabled" "$regx"
fi
else
textPass "$regx: Development EndpointSecurity Configuration $sc has bookmark encryption enabled" "$regx"
textInfo "$regx: No Security Configuration found" "$regx"
fi
done
else
textInfo "$regx: No Security Configuration found" "$regx"
textInfo "$regx: There are no Development Endpoints" "$regx"
fi
done
}
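Review bot: The `! -z "$LIST_EP_SC"` test cannot distinguish "no endpoints" from "call failed": with `--output json` the CLI prints `[]` for an empty `DevEndpoints[*]` result, which is a non-empty string, so the "There are no Development Endpoints" branch is effectively unreachable, and an AccessDenied or throttling error (empty stdout) is what actually lands there — a silent false negative for a security check. Consider capturing the exit status and testing the array length, e.g. `LIST_EP_SC=$(…) || { textInfo "$regx: get-dev-endpoints failed" "$regx"; continue; }` followed by `if [[ "$(echo "$LIST_EP_SC" | jq 'length')" -gt 0 ]]; then`. The same pattern appears in the other four files of this commit. The Info message for an endpoint without a security configuration also omits `$ENDPOINT_NAME`, unlike extra7119.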


@@ -33,19 +33,27 @@ CHECK_ALTERNATE_check7124="extra7124"
extra7124(){
textInfo "Looking for ETL Jobs in all regions... "
for regx in $REGIONS; do
LIST_GLUE_SC=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --query 'Jobs[*].SecurityConfiguration' --output text)
if [[ $LIST_GLUE_SC ]]; then
for sc in $(echo '${LIST_GLUE_SC}'| jq -r '.[] | @base64');do
textInfo "$ENDPOINT_SECURITY"
ENDPOINT_SC_ENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx glue get-security-configurations $sc --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode' --output text)
if [[ENDPOINT_SC_ENCRYPTION == "SSE-S3" ]]; then
textFail "$regx: ETL Job Security Configuration $sc has (SSE-S3) encryption enabled" "$regx"
else
textPass "$regx: ETL Job Security Configuration $sc has (SSE-S3) encryption is not enabled!" "$regx"
fi
JOB_LIST=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --output json --query 'Jobs[*].{Name:Name,SecurityConfiguration:SecurityConfiguration,JobEncryption:DefaultArguments."--encryption-type"}')
if [[ ! -z "$JOB_LIST" ]]; then
for job in $(echo "${JOB_LIST}" | jq -r '.[] | @base64'); do
JOB_NAME=$(echo $job | base64 --decode | jq -r '.Name')
SECURITY_CONFIGURATION=$(echo $job | base64 --decode | jq -r '.SecurityConfiguration // empty')
JOB_ENCRYPTION=$(echo $job | base64 --decode | jq -r '.JobEncryption // empty')
if [[ ! -z "$SECURITY_CONFIGURATION" ]]; then
S3_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${SECURITY_CONFIGURATION}" $PROFILE_OPT --region $regx --output text --query 'SecurityConfiguration.EncryptionConfiguration.S3Encryption[0].S3EncryptionMode')
if [[ "$S3_ENCRYPTION" == "SSE-S3" ]]; then
textFail "$regx: Job $JOB_NAME has Server side encryption (SSE-S3) enabled" "$regx"
else
textInfo "$regx: Job $JOB_NAME does not have Server side encryption (SSE-S3) enabled" "$regx"
fi
elif [[ ! -z "$JOB_ENCRYPTION" ]]; then
textInfo "$regx: Job $JOB_NAME does have $JOB_ENCRYPTION S3 encryption enabled" "$regx"
else
textFail "$regx: Job $JOB_NAME does not have S3 encryption enabled" "$regx"
fi
done
else
textInfo "$regx: No ETL Jobs found" "$regx"
textInfo "$regx: There are no ETL jobs" "$regx"
fi
done
}
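Review bot: The severity given to a job whose security configuration has S3 encryption `DISABLED` looks inconsistent: it lands in the `textInfo` "does not have Server side encryption (SSE-S3) enabled" branch, while a job with no security configuration and no `--encryption-type` argument is a `textFail`, even though both end up with no S3 encryption. If the intent is to flag SSE-S3 specifically, a `DISABLED` mode still deserves its own branch, e.g. `elif [[ "$S3_ENCRYPTION" == "DISABLED" ]]; then textFail "$regx: Job $JOB_NAME has S3 encryption disabled" "$regx"`; otherwise a short comment above the `if` explaining why DISABLED is only informational would help the next reader. The `--encryption-type` branch also reports whatever value the argument carries as Info without comparing it, so a job configured for SSE-S3 through default arguments is not caught the way the security-configuration path catches it — worth checking against the parameter's accepted values. The fail-open on an empty or `None` query result noted for the other checks applies here too.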


@@ -33,17 +33,19 @@ CHECK_ALTERNATE_check7125="extra7125"
extra7125(){
textInfo "Looking for Development Endpoints in all regions... "
for regx in $REGIONS; do
LIST_GLUE_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].PrivateAddress' --output text)
if [[ $LIST_GLUE_SC ]]; then
for pa in $(echo '${LIST_GLUE_SC}'| jq -r '.[] | @base64');do
if [[ ! pa ]]; then
textFail "$regx: AWS Glue uses a VPC Endpoint $pa" "$regx"
LIST_EP_PA=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Address:PrivateAddress}' --output json)
if [[ ! -z "$LIST_EP_PA" ]]; then
for ep in $(echo "${LIST_EP_PA}" | jq -r '.[] | @base64'); do
EP_NAME=$(echo $ep | base64 --decode | jq -r '.Name')
PRIVATE_ADDRESS=$(echo $ep | base64 --decode | jq -r '.Address')
if [[ ! -z "$PRIVATE_ADDRESS" ]]; then
textFail "$regx: AWS Glue Development Endpoint $EP_NAME uses a VPC Endpoint" "$regx"
else
textPass "$regx: AWS Glue does not use a VPC Endpoint $pa" "$regx"
textPass "$regx: AWS Glue Development Endpoint $EP_NAME does not use a VPC Endpoint" "$regx"
fi
done
else
textInfo "$regx: No Private Addresses for endpoints found" "$regx"
textInfo "$regx: No Development Endpoints found" "$regx"
fi
done
}
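Review bot: `jq -r '.Address'` decodes a missing `PrivateAddress` to the literal string `null`, which is non-empty, so the `! -z "$PRIVATE_ADDRESS"` test sends every endpoint without a private address into the `textFail` branch; the sibling checks in this commit use `// empty` for exactly this reason. Change it to `PRIVATE_ADDRESS=$(echo $ep | base64 --decode | jq -r '.Address // empty')`. Separately, a dev endpoint that has a `PrivateAddress` is the one placed inside a VPC, so failing that case and passing the one without it reads inverted from a network-exposure standpoint — the check's title is not visible here, so please confirm the intended direction and add a one-line comment above the `if` stating it.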