From 39a7c3b18e2911b205d3ef8cf6bfe043f069110d Mon Sep 17 00:00:00 2001
From: dlpzx
Date: Tue, 10 Nov 2020 13:05:22 +0100
Subject: [PATCH] checks for glue - 7119, 7121, 7123,7124,7125
---
 checks/check_extra7119 | 23 ++++++++++++++---------
 checks/check_extra7121 | 23 ++++++++++++++---------
 checks/check_extra7123 | 25 ++++++++++++++++---------
 checks/check_extra7124 | 30 +++++++++++++++++++-----------
 checks/check_extra7125 | 16 +++++++++-------
 5 files changed, 72 insertions(+), 45 deletions(-)
diff --git a/checks/check_extra7119 b/checks/check_extra7119
index b21937ed..7ef85252 100644
--- a/checks/check_extra7119
+++ b/checks/check_extra7119
@@ -33,19 +33,24 @@ CHECK_ALTERNATE_check7119="extra7119"
 extra7119(){
 textInfo "Looking for Development Endpoints in all regions... "
 for regx in $REGIONS; do
- LIST_GLUE_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].SecurityConfiguration' --output text)
- if [[ $LIST_GLUE_SC ]]; then
- for sc in $(echo '${LIST_GLUE_SC}'| jq -r '.[] | @base64');do
- textInfo "$ENDPOINT_SECURITY"
- ENDPOINT_SC_ENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx glue get-security-configurations $sc --query 'SecurityConfiguration.EncryptionConfiguration.S3Encryption.S3EncryptionMode' --output text)
- if [[ENDPOINT_SC_ENCRYPTION == "DISABLED" ]]; then
- textFail "$regx: Development Endpoint Security Configuration $sc has S3 encryption not enabled!" "$regx"
+ LIST_EP_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Security:SecurityConfiguration}' --output json)
+ if [[ ! -z "$LIST_EP_SC" ]]; then
+ for ep in $(echo "${LIST_EP_SC}"| jq -r '.[] | @base64');do
+ ENDPOINT_NAME=$(echo $ep | base64 --decode | jq -r '.Name')
+ ENDPOINT_SC=$(echo $ep | base64 --decode | jq -r '.Security // empty')
+ if [[ ! -z "$ENDPOINT_SC" ]]; then
+ ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.S3Encryption[0].S3EncryptionMode' --output text)
+ if [[ "$ENDPOINT_SC_ENCRYPTION" == "DISABLED" ]]; then
+ textFail "$regx: Development Endpoint $ENDPOINT_NAME does not have S3 encryption enabled!" "$regx"
+ else
+ textPass "$regx: Development Endpoint $ENDPOINT_NAME has S3 encryption enabled" "$regx"
+ fi
 else
- textPass "$regx: Development Endpoint Security Configuration $sc has S3 encryption enabled" "$regx"
+ textInfo "$regx: No Security Configuration found for Development Endpoint $ENDPOINT_NAME" "$regx"
 fi
 done
 else
- textInfo "$regx: No Security Configuration found" "$regx"
+ textInfo "$regx: There are no Development Endpoints" "$regx"
 fi
 done
 }
diff --git a/checks/check_extra7121 b/checks/check_extra7121
index 7a0cd218..6b7f99c3 100644
--- a/checks/check_extra7121
+++ b/checks/check_extra7121
@@ -33,19 +33,24 @@ CHECK_ALTERNATE_check7121="extra7121"
 extra7121(){
 textInfo "Looking for Development Endpoints in all regions... "
 for regx in $REGIONS; do
- LIST_GLUE_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].SecurityConfiguration' --output text)
- if [[ $LIST_GLUE_SC ]]; then
- for sc in $(echo '${LIST_GLUE_SC}'| jq -r '.[] | @base64');do
- textInfo "$ENDPOINT_SECURITY"
- ENDPOINT_SC_ENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx glue get-security-configurations $sc --query 'SecurityConfiguration.EncryptionConfiguration.CloudWatchEncryption.CloudWatchEncryptionMode' --output text)
- if [[ENDPOINT_SC_ENCRYPTION == "DISABLED" ]]; then
- textFail "$regx: Development Endpoint Security Configuration $sc has CloudWatch logs encryption not enabled!" "$regx"
+ LIST_EP_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Security:SecurityConfiguration}' --output json)
+ if [[ ! -z "$LIST_EP_SC" ]]; then
+ for ep in $(echo "${LIST_EP_SC}"| jq -r '.[] | @base64');do
+ ENDPOINT_NAME=$(echo $ep | base64 --decode | jq -r '.Name')
+ ENDPOINT_SC=$(echo $ep | base64 --decode | jq -r '.Security // empty')
+ if [[ ! -z "$ENDPOINT_SC" ]]; then
+ ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.CloudWatchEncryption.CloudWatchEncryptionMode' --output text)
+ if [[ $ENDPOINT_SC_ENCRYPTION == "DISABLED" ]]; then
+ textFail "$regx: Development Endpoint $ENDPOINT_NAME does not have CloudWatch logs encryption enabled!" "$regx"
+ else
+ textPass "$regx: Development Endpoint $ENDPOINT_NAME has CloudWatch logs encryption enabled" "$regx"
+ fi
 else
- textPass "$regx: Development Endpoint Security Configuration $sc has CloudWatch logs encryption enabled" "$regx"
+ textInfo "$regx: No Security Configuration found" "$regx"
 fi
 done
 else
- textInfo "$regx: No Security Configuration found" "$regx"
+ textInfo "$regx: There are no Development Endpoints" "$regx"
 fi
 done
 }
diff --git a/checks/check_extra7123 b/checks/check_extra7123
index 52c451b2..bd5cb5ec 100644
--- a/checks/check_extra7123
+++ b/checks/check_extra7123
@@ -33,19 +33,26 @@ CHECK_ALTERNATE_check7123="extra7123"
 extra7123(){
 textInfo "Looking for Development Endpoints in all regions... "
 for regx in $REGIONS; do
- LIST_GLUE_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].SecurityConfiguration' --output text)
- if [[ $LIST_GLUE_SC ]]; then
- for sc in $(echo '${LIST_GLUE_SC}'| jq -r '.[] | @base64');do
- textInfo "$ENDPOINT_SECURITY"
- ENDPOINT_SC_ENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx glue get-security-configurations $sc --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode' --output text)
- if [[ENDPOINT_SC_ENCRYPTION == "DISABLED" ]]; then
- textFail "$regx: Development Endpoint Security Configuration $sc has bookmark encryption not enabled!" "$regx"
+ LIST_EP_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Security:SecurityConfiguration}' --output json)
+ if [[ ! -z "$LIST_EP_SC" ]]; then
+ for ep in $(echo "${LIST_EP_SC}"| jq -r '.[] | @base64');do
+ ENDPOINT_NAME=$(echo $ep | base64 --decode | jq -r '.Name')
+ ENDPOINT_SC=$(echo $ep | base64 --decode | jq -r '.Security // empty')
+ if [[ ! -z "$ENDPOINT_SC" ]]; then
+ ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode' --output text)
+ if [[ "$ENDPOINT_SC_ENCRYPTION" == "DISABLED" ]]; then
+ textFail "$regx: Development Endpoint $ENDPOINT_NAME does not have Job Bookmark encryption enabled!" "$regx"
+ else
+ textPass "$regx: Development Endpoint $ENDPOINT_NAME has Job Bookmark encryption enabled" "$regx"
+ fi
 else
- textPass "$regx: Development EndpointSecurity Configuration $sc has bookmark encryption enabled" "$regx"
+ textInfo "$regx: No Security Configuration found" "$regx"
 fi
 done
 else
- textInfo "$regx: No Security Configuration found" "$regx"
+ textInfo "$regx: There are no Development Endpoints" "$regx"
 fi
 done
 }
+
+
diff --git a/checks/check_extra7124 b/checks/check_extra7124
index 66073203..b531cda9 100644
--- a/checks/check_extra7124
+++ b/checks/check_extra7124
@@ -33,19 +33,27 @@ CHECK_ALTERNATE_check7124="extra7124"
 extra7124(){
 textInfo "Looking for ETL Jobs in all regions... "
 for regx in $REGIONS; do
- LIST_GLUE_SC=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --query 'Jobs[*].SecurityConfiguration' --output text)
- if [[ $LIST_GLUE_SC ]]; then
- for sc in $(echo '${LIST_GLUE_SC}'| jq -r '.[] | @base64');do
- textInfo "$ENDPOINT_SECURITY"
- ENDPOINT_SC_ENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx glue get-security-configurations $sc --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode' --output text)
- if [[ENDPOINT_SC_ENCRYPTION == "SSE-S3" ]]; then
- textFail "$regx: ETL Job Security Configuration $sc has (SSE-S3) encryption enabled" "$regx"
- else
- textPass "$regx: ETL Job Security Configuration $sc has (SSE-S3) encryption is not enabled!" "$regx"
- fi
+ JOB_LIST=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --output json --query 'Jobs[*].{Name:Name,SecurityConfiguration:SecurityConfiguration,JobEncryption:DefaultArguments."--encryption-type"}')
+ if [[ ! -z "$JOB_LIST" ]]; then
+ for job in $(echo "${JOB_LIST}" | jq -r '.[] | @base64'); do
+ JOB_NAME=$(echo $job | base64 --decode | jq -r '.Name')
+ SECURITY_CONFIGURATION=$(echo $job | base64 --decode | jq -r '.SecurityConfiguration // empty')
+ JOB_ENCRYPTION=$(echo $job | base64 --decode | jq -r '.JobEncryption // empty')
+ if [[ ! -z "$SECURITY_CONFIGURATION" ]]; then
+ S3_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${SECURITY_CONFIGURATION}" $PROFILE_OPT --region $regx --output text --query 'SecurityConfiguration.EncryptionConfiguration.S3Encryption[0].S3EncryptionMode')
+ if [[ "$S3_ENCRYPTION" == "SSE-S3" ]]; then
+ textFail "$regx: Job $JOB_NAME has Server side encryption (SSE-S3) enabled" "$regx"
+ else
+ textInfo "$regx: Job $JOB_NAME does not have Server side encryption (SSE-S3) enabled" "$regx"
+ fi
+ elif [[ ! -z "$JOB_ENCRYPTION" ]]; then
+ textInfo "$regx: Job $JOB_NAME does have $JOB_ENCRYPTION S3 encryption enabled" "$regx"
+ else
+ textFail "$regx: Job $JOB_NAME does not have S3 encryption enabled" "$regx"
+ fi
 done
 else
- textInfo "$regx: No ETL Jobs found" "$regx"
+ textInfo "$regx: There are no ETL jobs" "$regx"
 fi
 done
 }
\ No newline at end of file
diff --git a/checks/check_extra7125 b/checks/check_extra7125
index fe50aac9..1444230f 100644
--- a/checks/check_extra7125
+++ b/checks/check_extra7125
@@ -33,17 +33,19 @@ CHECK_ALTERNATE_check7125="extra7125"
 extra7125(){
 textInfo "Looking for Development Endpoints in all regions... "
 for regx in $REGIONS; do
- LIST_GLUE_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].PrivateAddress' --output text)
- if [[ $LIST_GLUE_SC ]]; then
- for pa in $(echo '${LIST_GLUE_SC}'| jq -r '.[] | @base64');do
- if [[ ! pa ]]; then
- textFail "$regx: AWS Glue uses a VPC Endpoint $pa" "$regx"
+ LIST_EP_PA=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Address:PrivateAddress}' --output json)
+ if [[ ! -z "$LIST_EP_PA" ]]; then
+ for ep in $(echo "${LIST_EP_PA}" | jq -r '.[] | @base64'); do
+ EP_NAME=$(echo $ep | base64 --decode | jq -r '.Name')
+ PRIVATE_ADDRESS=$(echo $ep | base64 --decode | jq -r '.Address')
+ if [[ ! -z "$PRIVATE_ADDRESS" ]]; then
+ textFail "$regx: AWS Glue Development Endpoint $EP_NAME uses a VPC Endpoint" "$regx"
 else
- textPass "$regx: AWS Glue does not use a VPC Endpoint $pa" "$regx"
+ textPass "$regx: AWS Glue Development Endpoint $EP_NAME does not use a VPC Endpoint" "$regx"
 fi
 done
 else
- textInfo "$regx: No Private Addresses for endpoints found" "$regx"
+ textInfo "$regx: No Development Endpoints found" "$regx"
 fi
 done
 }
\ No newline at end of file