Added new check extra716 ES service allow open access

This commit is contained in:
Toni de la Fuente
2018-02-08 01:01:28 -05:00
parent 841e5436b9
commit 55d3d642f9
2 changed files with 32 additions and 2 deletions


@@ -583,7 +583,7 @@ We are adding additional checks to improve the information gather from each acco
Note: Some of these checks for publicly facing resources may not actually be fully public due to other layered controls like S3 Bucket Policies, Security Groups or Network ACLs.
At this moment we have 15 extra checks:
At this moment we have 16 extra checks:
- 7.1 (`extra71`) Ensure users with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)
- 7.2 (`extra72`) Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark)
@@ -600,6 +600,7 @@ At this moment we have 15 extra checks:
- 7.13 (`extra713`) Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)
- 7.14 (`extra714`) Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)
- 7.15 (`extra715`) Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark)
- 7.16 (`extra716`) Check if Elasticsearch Service domains allow open access (Not Scored) (Not part of CIS benchmark)
To check all extras in one command:

31
prowler

@@ -498,6 +498,9 @@ ID714="7.14,7.14"
TITLE714="Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)"
ID715="7.15,7.15"
TITLE715="Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark)"
ID716="7.16,7.16"
TITLE716="Check if Elasticsearch Service domains allow open access (Not Scored) (Not part of CIS benchmark)"
printCsvHeader() {
>&2 echo ""
@@ -1940,6 +1943,29 @@ extra715(){
done
}
extra716(){
# "Check if Elasticsearch Service domains allow open access (Not Scored) (Not part of CIS benchmark)"
textTitle "$ID716" "$TITLE716" "NOT_SCORED" "EXTRA"
for regx in $REGIONS; do
LIST_OF_DOMAINS=$($AWSCLI es list-domain-names $PROFILE_OPT --region $regx --query DomainNames --output text)
if [[ $LIST_OF_DOMAINS ]]; then
for domain in $LIST_OF_DOMAINS;do
TEMP_POLICY_FILE=$(mktemp -t prowler-${ACCOUNT_NUM}-es-domain.policy.XXXXXXXXXX)
$AWSCLI es describe-elasticsearch-domain-config --domain-name $domain $PROFILE_OPT --region $regx --query DomainConfig.AccessPolicies.Options --output text > $TEMP_POLICY_FILE 2> /dev/null
# check if the policy has Principal as *
CHECK_ES_DOMAIN_ALLUSERS_POLICY=$(cat $TEMP_POLICY_FILE | awk -v k="text" '{n=split($0,a,","); for (i=1; i<=n; i++) print a[i]}' | awk '/Principal/ && !skip { print } { skip = /Deny/} '|grep \"Principal|grep \*)
if [[ $CHECK_ES_DOMAIN_ALLUSERS_POLICY ]];then
textWarn "$regx: $domain policy \"may\" allow Anonymous users to perform actions (Principal: \"*\")" "$regx"
else
textOK "$regx: $domain is not open" "$regx"
fi
done
fi
textOK "$regx: No Elasticsearch Service domain found" "$regx"
rm -fr $TEMP_POLICY_FILE
done
}
callCheck(){
if [[ $CHECKNUMBER ]];then
case "$CHECKNUMBER" in
@@ -2010,6 +2036,7 @@ callCheck(){
extra713|extra713 ) extra713;;
extra714|extra714 ) extra714;;
extra715|extra715 ) extra715;;
extra716|extra716 ) extra716;;
## Groups of Checks
check1 )
@@ -2046,7 +2073,7 @@ callCheck(){
;;
extras )
extra71;extra72;extra73;extra74;extra75;extra76;extra77;extra78;
extra79;extra710;extra711;extra712;extra713;extra714;extra715
extra79;extra710;extra711;extra712;extra713;extra714;extra715;extra716
;;
forensics-ready )
check21;check22;check23;check24;check25;check26;check27;
@@ -2137,6 +2164,7 @@ if [[ $PRINTCHECKSONLY == "1" ]]; then
textTitle "$ID713" "$TITLE713" "NOT_SCORED" "EXTRA"
textTitle "$ID714" "$TITLE714" "NOT_SCORED" "EXTRA"
textTitle "$ID715" "$TITLE715" "NOT_SCORED" "EXTRA"
textTitle "$ID716" "$TITLE716" "NOT_SCORED" "EXTRA"
exit $EXITCODE
fi
@@ -2228,6 +2256,7 @@ extra712
extra713
extra714
extra715
extra716
cleanTemp
exit $EXITCODE
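Review bot: In extra716 the line `textOK "$regx: No Elasticsearch Service domain found" "$regx"` sits after the `fi` instead of in an `else` branch, so a region that has domains reports each domain's result and then also reports that no domain was found. In the same function `mktemp` runs once per domain inside the loop while `rm -fr $TEMP_POLICY_FILE` runs once per region after it, so in a region with several domains only the last policy file is removed and the earlier ones are left behind (presumably for `cleanTemp` at the end of the script, if it matches that name pattern); `rm -f` on a regular file is enough once it is inside the loop. Separately, the awk filter only suppresses a `Principal` entry when the preceding comma-separated element contained `Deny`, so a Deny statement whose `Effect` key is serialized after `Principal` would presumably be flagged, and policy `Condition` blocks (e.g. an `aws:SourceIp` restriction) are not evaluated at all; the quoted "may" in the warning hedges this, but a comment above the check such as `# heuristic: flags any Principal "*" not directly preceded by Deny; Condition restrictions are not evaluated` would make the limitation explicit. The rewritten tail of the region loop:
```shell
      for domain in $LIST_OF_DOMAINS;do
        # … unchanged: mktemp, describe-elasticsearch-domain-config, Principal "*" check, textWarn/textOK …
        rm -f "$TEMP_POLICY_FILE"
      done
    else
      textOK "$regx: No Elasticsearch Service domain found" "$regx"
    fi
  done
```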