mirror of
https://github.com/ghndrx/prowler.git
synced 2026-02-10 23:05:05 +00:00
New RC6 including ENS as a new compliance type all formats
This commit is contained in:
Toni de la Fuente
@@ -16,6 +16,7 @@ CHECK_SEVERITY_check116="Low"
|
||||
CHECK_ASFF_TYPE_check116="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
CHECK_ASFF_RESOURCE_TYPE_check116="AwsIamUser"
|
||||
CHECK_ALTERNATE_check116="check116"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check116="ens-op.acc.3.aws.iam.1"
|
||||
|
||||
check116(){
|
||||
# "Ensure IAM policies are attached only to groups or roles (Scored)"
|
||||
|
||||
@@ -16,6 +16,7 @@ CHECK_SEVERITY_check12="High"
|
||||
CHECK_ASFF_TYPE_check12="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
CHECK_ASFF_RESOURCE_TYPE_check12="AwsIamUser"
|
||||
CHECK_ALTERNATE_check102="check12"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check12="ens-op.acc.5.aws.iam.1"
|
||||
|
||||
check12(){
|
||||
# "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)"
|
||||
|
||||
@@ -16,6 +16,7 @@ CHECK_SEVERITY_check120="Medium"
|
||||
CHECK_ASFF_TYPE_check120="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
CHECK_ASFF_RESOURCE_TYPE_check120="AwsIamRole"
|
||||
CHECK_ALTERNATE_check120="check120"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check120="ens-op.acc.1.aws.iam.4"
|
||||
|
||||
check120(){
|
||||
# "Ensure a support role has been created to manage incidents with AWS Support (Scored)"
|
||||
|
||||
@@ -16,6 +16,7 @@ CHECK_SEVERITY_check121="Medium"
|
||||
CHECK_ASFF_TYPE_check121="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
CHECK_ASFF_RESOURCE_TYPE_check121="AwsIamUser"
|
||||
CHECK_ALTERNATE_check121="check121"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check121="ens-op.acc.1.aws.iam.5"
|
||||
|
||||
check121(){
|
||||
# "Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)"
|
||||
|
||||
@@ -16,6 +16,7 @@ CHECK_SEVERITY_check13="Medium"
|
||||
CHECK_ASFF_TYPE_check13="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
CHECK_ASFF_RESOURCE_TYPE_check13="AwsIamUser"
|
||||
CHECK_ALTERNATE_check103="check13"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check13="ens-op.acc.1.aws.iam.3,ens-op.acc.5.aws.iam.4"
|
||||
|
||||
check13(){
|
||||
check_creds_used_in_last_days 90
|
||||
|
||||
@@ -16,6 +16,7 @@ CHECK_SEVERITY_check14="Medium"
|
||||
CHECK_ASFF_TYPE_check14="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
CHECK_ASFF_RESOURCE_TYPE_check14="AwsIamUser"
|
||||
CHECK_ALTERNATE_check104="check14"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check14="ens-op.acc.1.aws.iam.4,ens-op.acc.5.aws.iam.3"
|
||||
|
||||
check14(){
|
||||
# "Ensure access keys are rotated every 90 days or less (Scored)" # also checked by Security Monkey
|
||||
|
||||
@@ -16,6 +16,7 @@ CHECK_SEVERITY_check21="High"
|
||||
CHECK_ASFF_TYPE_check21="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
CHECK_ASFF_RESOURCE_TYPE_check21="AwsCloudTrailTrail"
|
||||
CHECK_ALTERNATE_check201="check21"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check21="ens-op.acc.7.aws.iam.1,ens-op.mon.1.aws.trail.1"
|
||||
|
||||
check21(){
|
||||
trail_count=0
|
||||
|
||||
@@ -16,6 +16,7 @@ CHECK_SEVERITY_check22="Medium"
|
||||
CHECK_ASFF_TYPE_check22="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
CHECK_ASFF_RESOURCE_TYPE_check22="AwsCloudTrailTrail"
|
||||
CHECK_ALTERNATE_check202="check22"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check22="ens-op.exp.10.aws.trail.1"
|
||||
|
||||
check22(){
|
||||
# "Ensure CloudTrail log file validation is enabled (Scored)"
|
||||
|
||||
@@ -16,6 +16,7 @@ CHECK_SEVERITY_check23="Critical"
|
||||
CHECK_ASFF_TYPE_check23="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
CHECK_ASFF_RESOURCE_TYPE_check23="AwsS3Bucket"
|
||||
CHECK_ALTERNATE_check203="check23"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check23="ens-op.exp.10.aws.trail.3,ens-op.exp.10.aws.trail.4"
|
||||
|
||||
check23(){
|
||||
# "Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)"
|
||||
|
||||
@@ -16,6 +16,7 @@ CHECK_SEVERITY_check24="Low"
|
||||
CHECK_ASFF_TYPE_check24="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
CHECK_ASFF_RESOURCE_TYPE_check24="AwsCloudTrailTrail"
|
||||
CHECK_ALTERNATE_check204="check24"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check24="ens-op.exp.8.aws.cw.1"
|
||||
|
||||
check24(){
|
||||
# "Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)"
|
||||
|
||||
@@ -15,6 +15,7 @@ CHECK_TYPE_check25="LEVEL1"
|
||||
CHECK_SEVERITY_check25="Medium"
|
||||
CHECK_ASFF_TYPE_check25="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
CHECK_ALTERNATE_check205="check25"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check25="ens-op.exp.1.aws.cfg.1"
|
||||
|
||||
check25(){
|
||||
# "Ensure AWS Config is enabled in all regions (Scored)"
|
||||
|
||||
@@ -16,6 +16,7 @@ CHECK_SEVERITY_check27="Medium"
|
||||
CHECK_ASFF_TYPE_check27="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
CHECK_ASFF_RESOURCE_TYPE_check27="AwsCloudTrailTrail"
|
||||
CHECK_ALTERNATE_check207="check27"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check27="ens-op.exp.10.aws.trail.5"
|
||||
|
||||
check27(){
|
||||
# "Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)"
|
||||
|
||||
@@ -16,6 +16,7 @@ CHECK_SEVERITY_check29="Medium"
|
||||
CHECK_ASFF_TYPE_check29="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
CHECK_ASFF_RESOURCE_TYPE_check29="AwsEc2Vpc"
|
||||
CHECK_ALTERNATE_check209="check29"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check29="ens-op.mon.1.aws.flow.1"
|
||||
|
||||
check29(){
|
||||
# "Ensure VPC Flow Logging is Enabled in all VPCs (Scored)"
|
||||
|
||||
@@ -41,6 +41,7 @@ CHECK_SEVERITY_check31="Medium"
|
||||
CHECK_ASFF_TYPE_check31="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
CHECK_ASFF_RESOURCE_TYPE_check31="AwsCloudTrailTrail"
|
||||
CHECK_ALTERNATE_check301="check31"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check31="ens-op.exp.8.aws.trail.2"
|
||||
|
||||
check31(){
|
||||
check3x '\$\.errorCode\s*=\s*"\*UnauthorizedOperation".+\$\.errorCode\s*=\s*"AccessDenied\*"'
|
||||
|
||||
@@ -41,6 +41,7 @@ CHECK_SEVERITY_check32="Medium"
|
||||
CHECK_ASFF_TYPE_check32="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
CHECK_ASFF_RESOURCE_TYPE_check32="AwsCloudTrailTrail"
|
||||
CHECK_ALTERNATE_check302="check32"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check32="ens-op.exp.8.aws.trail.4"
|
||||
|
||||
check32(){
|
||||
check3x '\$\.eventName\s*=\s*"ConsoleLogin".+\$\.additionalEventData\.MFAUsed\s*!=\s*"Yes"'
|
||||
|
||||
@@ -41,6 +41,7 @@ CHECK_SEVERITY_check33="Medium"
|
||||
CHECK_ASFF_TYPE_check33="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
CHECK_ASFF_RESOURCE_TYPE_check33="AwsCloudTrailTrail"
|
||||
CHECK_ALTERNATE_check303="check33"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check33="ens-op.exp.8.aws.trail.5"
|
||||
|
||||
check33(){
|
||||
check3x '\$\.userIdentity\.type\s*=\s*"Root".+\$\.userIdentity\.invokedBy NOT EXISTS.+\$\.eventType\s*!=\s*"AwsServiceEvent"'
|
||||
|
||||
@@ -41,6 +41,7 @@ CHECK_SEVERITY_check34="Medium"
|
||||
CHECK_ASFF_TYPE_check34="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
CHECK_ASFF_RESOURCE_TYPE_check34="AwsCloudTrailTrail"
|
||||
CHECK_ALTERNATE_check304="check34"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check34="ens-op.exp.8.aws.trail.6"
|
||||
|
||||
check34(){
|
||||
check3x '\$\.eventName\s*=\s*DeleteGroupPolicy.+\$\.eventName\s*=\s*DeleteRolePolicy.+\$\.eventName\s*=\s*DeleteUserPolicy.+\$\.eventName\s*=\s*PutGroupPolicy.+\$\.eventName\s*=\s*PutRolePolicy.+\$\.eventName\s*=\s*PutUserPolicy.+\$\.eventName\s*=\s*CreatePolicy.+\$\.eventName\s*=\s*DeletePolicy.+\$\.eventName\s*=\s*CreatePolicyVersion.+\$\.eventName\s*=\s*DeletePolicyVersion.+\$\.eventName\s*=\s*AttachRolePolicy.+\$\.eventName\s*=\s*DetachRolePolicy.+\$\.eventName\s*=\s*AttachUserPolicy.+\$\.eventName\s*=\s*DetachUserPolicy.+\$\.eventName\s*=\s*AttachGroupPolicy.+\$\.eventName\s*=\s*DetachGroupPolicy'
|
||||
|
||||
@@ -41,6 +41,7 @@ CHECK_SEVERITY_check35="Medium"
|
||||
CHECK_ASFF_TYPE_check35="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
CHECK_ASFF_RESOURCE_TYPE_check35="AwsCloudTrailTrail"
|
||||
CHECK_ALTERNATE_check305="check35"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check35="ens-op.exp.8.aws.trail.1"
|
||||
|
||||
check35(){
|
||||
check3x '\$\.eventName\s*=\s*CreateTrail.+\$\.eventName\s*=\s*UpdateTrail.+\$\.eventName\s*=\s*DeleteTrail.+\$\.eventName\s*=\s*StartLogging.+\$\.eventName\s*=\s*StopLogging'
|
||||
|
||||
@@ -41,6 +41,7 @@ CHECK_SEVERITY_check36="Medium"
|
||||
CHECK_ASFF_TYPE_check36="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
CHECK_ASFF_RESOURCE_TYPE_check36="AwsCloudTrailTrail"
|
||||
CHECK_ALTERNATE_check306="check36"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check36="ens-op.exp.8.aws.trail.3"
|
||||
|
||||
check36(){
|
||||
check3x '\$\.eventName\s*=\s*ConsoleLogin.+\$\.errorMessage\s*=\s*"Failed authentication"'
|
||||
|
||||
@@ -41,6 +41,7 @@ CHECK_SEVERITY_check37="Medium"
|
||||
CHECK_ASFF_TYPE_check37="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
CHECK_ASFF_RESOURCE_TYPE_check37="AwsCloudTrailTrail"
|
||||
CHECK_ALTERNATE_check307="check37"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check37="ens-op.exp.11.aws.kms.1"
|
||||
|
||||
check37(){
|
||||
check3x '\$\.eventSource\s*=\s*kms.amazonaws.com.+\$\.eventName\s*=\s*DisableKey.+\$\.eventName\s*=\s*ScheduleKeyDeletion'
|
||||
|
||||
@@ -16,6 +16,7 @@ CHECK_SEVERITY_check41="High"
|
||||
CHECK_ASFF_TYPE_check41="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
CHECK_ASFF_RESOURCE_TYPE_check41="AwsEc2SecurityGroup"
|
||||
CHECK_ALTERNATE_check401="check41"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check41="ens-mp.com.4.aws.sg.4"
|
||||
|
||||
check41(){
|
||||
# "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 22 (Scored)"
|
||||
|
||||
@@ -16,6 +16,7 @@ CHECK_SEVERITY_check42="High"
|
||||
CHECK_ASFF_TYPE_check42="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
CHECK_ASFF_RESOURCE_TYPE_check42="AwsEc2SecurityGroup"
|
||||
CHECK_ALTERNATE_check402="check42"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check42="ens-mp.com.4.aws.sg.5"
|
||||
|
||||
check42(){
|
||||
# "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389 (Scored)"
|
||||
|
||||
@@ -16,6 +16,7 @@ CHECK_SEVERITY_check43="Medium"
|
||||
CHECK_ASFF_TYPE_check43="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
CHECK_ASFF_RESOURCE_TYPE_check43="AwsEc2SecurityGroup"
|
||||
CHECK_ALTERNATE_check403="check43"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check43="ens-mp.com.4.aws.sg.1"
|
||||
|
||||
check43(){
|
||||
# "Ensure the default security group of every VPC restricts all traffic (Scored)"
|
||||
|
||||
@@ -19,6 +19,7 @@ CHECK_ASFF_RESOURCE_TYPE_extra71="AwsIamUser"
|
||||
CHECK_ALTERNATE_extra701="extra71"
|
||||
CHECK_ALTERNATE_check71="extra71"
|
||||
CHECK_ALTERNATE_check701="extra71"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra71="ens-op.exp.10.aws.trail.2"
|
||||
|
||||
extra71(){
|
||||
# "Ensure users of groups with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -17,6 +17,7 @@ CHECK_TYPE_extra710="EXTRA"
|
||||
CHECK_SEVERITY_extra710="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra710="AwsEc2Instance"
|
||||
CHECK_ALTERNATE_check710="extra710"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra710="ens-mp.com.4.aws.vpc.1"
|
||||
|
||||
extra710(){
|
||||
# "Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -21,6 +21,7 @@ CHECK_TYPE_extra7100="EXTRA"
|
||||
CHECK_SEVERITY_extra7100="Critical"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7100="AwsIamPolicy"
|
||||
CHECK_ALTERNATE_check7100="extra7100"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra7100="ens-op.acc.2.aws.iam.1"
|
||||
|
||||
extra7100(){
|
||||
# "Ensure that no custom policies exist which permit assuming any role (e.g. sts:AssumeRole on *)"
|
||||
|
||||
@@ -16,6 +16,7 @@ CHECK_SCORED_extra713="NOT_SCORED"
|
||||
CHECK_TYPE_extra713="EXTRA"
|
||||
CHECK_SEVERITY_extra713="High"
|
||||
CHECK_ALTERNATE_check713="extra713"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra713="ens-op.mon.1.aws.duty.1"
|
||||
|
||||
extra713(){
|
||||
# "Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -18,6 +18,7 @@ CHECK_TYPE_extra728="EXTRA"
|
||||
CHECK_SEVERITY_extra728="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra728="AwsSqsQueue"
|
||||
CHECK_ALTERNATE_check728="extra728"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra728="ens-mp.info.3.sns.1"
|
||||
|
||||
extra728(){
|
||||
for regx in $REGIONS; do
|
||||
|
||||
@@ -18,6 +18,7 @@ CHECK_TYPE_extra729="EXTRA"
|
||||
CHECK_SEVERITY_extra729="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra729="AwsEc2Volume"
|
||||
CHECK_ALTERNATE_check729="extra729"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra729="ens-mp.info.3.aws.ebs.1"
|
||||
|
||||
extra729(){
|
||||
# "Ensure there are no EBS Volumes unencrypted (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -17,6 +17,7 @@ CHECK_SCORED_extra733="NOT_SCORED"
|
||||
CHECK_TYPE_extra733="EXTRA"
|
||||
CHECK_SEVERITY_extra733="Low"
|
||||
CHECK_ALTERNATE_check733="extra733"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra733="ens-op.acc.1.aws.iam.1"
|
||||
|
||||
extra733(){
|
||||
LIST_SAML_PROV=$($AWSCLI iam list-saml-providers $PROFILE_OPT --query 'SAMLProviderList[*].Arn' --output text |grep -v ^None)
|
||||
@@ -26,6 +27,6 @@ extra733(){
|
||||
textInfo "SAML Provider $PROVIDER_NAME has been found"
|
||||
done
|
||||
else
|
||||
textInfo "No SAML Provider found, add one and use STS"
|
||||
textInfo "No SAML Provider found. Add one and use STS"
|
||||
fi
|
||||
}
|
||||
|
||||
@@ -17,6 +17,7 @@ CHECK_TYPE_extra734="EXTRA"
|
||||
CHECK_SEVERITY_extra734="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra734="AwsS3Bucket"
|
||||
CHECK_ALTERNATE_check734="extra734"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra734="ens-mp.info.3.s3.1"
|
||||
|
||||
extra734(){
|
||||
LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --region $REGION --query Buckets[*].Name --output text|xargs -n1)
|
||||
|
||||
@@ -17,6 +17,7 @@ CHECK_TYPE_extra735="EXTRA"
|
||||
CHECK_SEVERITY_extra735="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra735="AwsRdsDbInstance"
|
||||
CHECK_ALTERNATE_check735="extra735"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra735="ens-mp.info.3.aws.rds.1"
|
||||
|
||||
extra735(){
|
||||
textInfo "Looking for RDS Volumes in all regions... "
|
||||
|
||||
@@ -17,6 +17,7 @@ CHECK_TYPE_extra736="EXTRA"
|
||||
CHECK_SEVERITY_extra736="Critical"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra736="AwsKmsKey"
|
||||
CHECK_ALTERNATE_check736="extra736"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra736="ens-op.exp.11.aws.kms.2"
|
||||
|
||||
extra736(){
|
||||
textInfo "Looking for KMS keys in all regions... "
|
||||
|
||||
@@ -17,6 +17,7 @@ CHECK_TYPE_extra737="EXTRA"
|
||||
CHECK_SEVERITY_extra737="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra737="AwsKmsKey"
|
||||
CHECK_ALTERNATE_check737="extra737"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra737="ens-op.exp.11.aws.kms.3"
|
||||
|
||||
extra737(){
|
||||
textInfo "Looking for KMS keys in all regions... "
|
||||
|
||||
@@ -17,6 +17,7 @@ CHECK_TYPE_extra738="EXTRA"
|
||||
CHECK_SEVERITY_extra738="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra738="AwsCloudFrontDistribution"
|
||||
CHECK_ALTERNATE_check738="extra738"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra738="ens-mp.com.2.aws.front.1"
|
||||
|
||||
extra738(){
|
||||
LIST_OF_DISTRIBUTIONS=$($AWSCLI cloudfront list-distributions --query 'DistributionList.Items[*].Id' $PROFILE_OPT --output text|grep -v ^None)
|
||||
|
||||
@@ -19,6 +19,7 @@ CHECK_ASFF_RESOURCE_TYPE_extra74="AwsEc2SecurityGroup"
|
||||
CHECK_ALTERNATE_extra704="extra74"
|
||||
CHECK_ALTERNATE_check74="extra74"
|
||||
CHECK_ALTERNATE_check704="extra74"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra74="ens-mp.com.4.aws.sg.2"
|
||||
|
||||
extra74(){
|
||||
# "Ensure there are no Security Groups without ingress filtering being used (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -17,6 +17,7 @@ CHECK_TYPE_extra740="EXTRA"
|
||||
CHECK_SEVERITY_extra740="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra740="AwsEc2Snapshot"
|
||||
CHECK_ALTERNATE_check740="extra740"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra740="ens-mp.info.3.aws.ebs.3"
|
||||
|
||||
extra740(){
|
||||
textInfo "Looking for EBS Snapshots in all regions... "
|
||||
|
||||
@@ -17,6 +17,7 @@ CHECK_TYPE_extra744="EXTRA"
|
||||
CHECK_SEVERITY_extra744="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra744="AwsApiGatewayRestApi"
|
||||
CHECK_ALTERNATE_check744="extra744"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra744="ens-mp.s.2.aws.waf.2"
|
||||
|
||||
extra744(){
|
||||
for regx in $REGIONS; do
|
||||
|
||||
@@ -17,6 +17,7 @@ CHECK_TYPE_extra749="EXTRA"
|
||||
CHECK_SEVERITY_extra749="High"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra749="AwsEc2SecurityGroup"
|
||||
CHECK_ALTERNATE_check749="extra749"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra749="ens-mp.com.4.aws.sg.6"
|
||||
|
||||
extra749(){
|
||||
for regx in $REGIONS; do
|
||||
|
||||
@@ -19,6 +19,7 @@ CHECK_ASFF_RESOURCE_TYPE_extra75="AwsEc2SecurityGroup"
|
||||
CHECK_ALTERNATE_extra705="extra75"
|
||||
CHECK_ALTERNATE_check75="extra75"
|
||||
CHECK_ALTERNATE_check705="extra75"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra75="ens-mp.com.4.aws.sg.3"
|
||||
|
||||
extra75(){
|
||||
# "Ensure there are no Security Groups not being used (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -17,6 +17,7 @@ CHECK_TYPE_extra750="EXTRA"
|
||||
CHECK_SEVERITY_extra750="High"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra750="AwsEc2SecurityGroup"
|
||||
CHECK_ALTERNATE_check750="extra750"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra750="ens-mp.com.4.aws.sg.7"
|
||||
|
||||
extra750(){
|
||||
for regx in $REGIONS; do
|
||||
|
||||
@@ -17,6 +17,7 @@ CHECK_TYPE_extra751="EXTRA"
|
||||
CHECK_SEVERITY_extra751="High"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra751="AwsEc2SecurityGroup"
|
||||
CHECK_ALTERNATE_check751="extra751"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra751="ens-mp.com.4.aws.sg.8"
|
||||
|
||||
extra751(){
|
||||
for regx in $REGIONS; do
|
||||
|
||||
@@ -17,6 +17,7 @@ CHECK_TYPE_extra752="EXTRA"
|
||||
CHECK_SEVERITY_extra752="High"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra752="AwsEc2SecurityGroup"
|
||||
CHECK_ALTERNATE_check752="extra752"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra752="ens-mp.com.4.aws.sg.9"
|
||||
|
||||
extra752(){
|
||||
for regx in $REGIONS; do
|
||||
|
||||
@@ -17,6 +17,7 @@ CHECK_TYPE_extra753="EXTRA"
|
||||
CHECK_SEVERITY_extra753="High"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra753="AwsEc2SecurityGroup"
|
||||
CHECK_ALTERNATE_check753="extra753"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra753="ens-mp.com.4.aws.sg.10"
|
||||
|
||||
extra753(){
|
||||
for regx in $REGIONS; do
|
||||
|
||||
@@ -17,6 +17,7 @@ CHECK_TYPE_extra754="EXTRA"
|
||||
CHECK_SEVERITY_extra754="High"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra754="AwsEc2SecurityGroup"
|
||||
CHECK_ALTERNATE_check754="extra754"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra754="ens-mp.com.4.aws.sg.11"
|
||||
|
||||
extra754(){
|
||||
for regx in $REGIONS; do
|
||||
|
||||
@@ -17,6 +17,7 @@ CHECK_TYPE_extra755="EXTRA"
|
||||
CHECK_SEVERITY_extra755="High"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra755="AwsEc2SecurityGroup"
|
||||
CHECK_ALTERNATE_check755="extra755"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra755="ens-mp.com.4.aws.sg.12"
|
||||
|
||||
extra755(){
|
||||
for regx in $REGIONS; do
|
||||
|
||||
@@ -16,6 +16,7 @@ CHECK_SCORED_extra761="NOT_SCORED"
|
||||
CHECK_TYPE_extra761="EXTRA"
|
||||
CHECK_SEVERITY_extra761="Medium"
|
||||
CHECK_ALTERNATE_check761="extra761"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra761="ens-mp.info.3.aws.ebs.2"
|
||||
|
||||
extra761(){
|
||||
textInfo "Looking for EBS Default Encryption activation in all regions... "
|
||||
|
||||
@@ -17,6 +17,7 @@ CHECK_TYPE_extra764="EXTRA"
|
||||
CHECK_SEVERITY_extra764="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra764="AwsS3Bucket"
|
||||
CHECK_ALTERNATE_check764="extra764"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra764="ens-mp.com.2.aws.s3.1"
|
||||
|
||||
extra764(){
|
||||
LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --query Buckets[*].Name --output text --region $REGION|xargs -n1)
|
||||
|
||||
@@ -17,6 +17,7 @@ CHECK_TYPE_extra773="EXTRA"
|
||||
CHECK_SEVERITY_extra773="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra773="AwsCloudFrontDistribution"
|
||||
CHECK_ALTERNATE_check773="extra773"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra773="ens-mp.s.2.aws.waf.1"
|
||||
|
||||
extra773(){
|
||||
# "Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -17,6 +17,7 @@ CHECK_TYPE_extra781="EXTRA"
|
||||
CHECK_SEVERITY_extra781="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra781="AwsElasticsearchDomain"
|
||||
CHECK_ALTERNATE_check781="extra781"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra781="ens-mp.info.3.aws.au.1"
|
||||
|
||||
extra781(){
|
||||
for regx in $REGIONS; do
|
||||
|
||||
@@ -17,6 +17,7 @@ CHECK_TYPE_extra792="EXTRA"
|
||||
CHECK_SEVERITY_extra792="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra792="AwsElbLoadBalancer"
|
||||
CHECK_ALTERNATE_check792="extra792"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra792="ens-mp.com.2.aws.elb.2"
|
||||
|
||||
extra792(){
|
||||
# "Check if Elastic Load Balancers have insecure SSL ciphers (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -17,6 +17,7 @@ CHECK_TYPE_extra793="EXTRA"
|
||||
CHECK_SEVERITY_extra793="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra793="AwsElbLoadBalancer"
|
||||
CHECK_ALTERNATE_check793="extra793"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra793="ens-mp.com.2.aws.elb.1"
|
||||
|
||||
extra793(){
|
||||
# "Check if Elastic Load Balancers have encrypted listeners (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
Reference in New Issue
Block a user