Merge branch '2.5' into delete_check_extra737_is_duplicated

2026-02-10 14:55:00 +00:00 · 2021-08-02 14:14:45 +02:00
parent 0d9ec6320e ad28cf4671
commit 5685cb8959
10 changed files with 36 additions and 56 deletions
--- a/README.md
+++ b/README.md
@@ -185,6 +185,12 @@ Prowler has been written in bash using AWS-CLI and it works in Linux and OSX.

    Valid check numbers are based on the AWS CIS Benchmark guide, so 1.1 is check11 and 3.10 is check310

+### Regions
+
+By default Prowler scans all opt-in regions available, that might take a long execution time depending on the number of resources and regions used. Same applies for GovCloud or China regions. See below Advance usage for examples.
+
+Prowler has to parameters related to regions: `-r` that is used query AWS services API endpoints (it uses `us-east-1` by default and required for GovCloud or China) and the option `-f` that is to filter those regions you only want to scan. For example if you want to scan Dublin only use `-f eu-west-1` and if you want to scan Dublin and Ohio `-f 'eu-west-1 us-east-s'`, note the single quotes and space between regions.
+
 ## Screenshots

 - Sample screenshot of report first lines:
--- a/checks/check_extra756
+++ b/checks/check_extra756
@@ -1,42 +0,0 @@
-#!/usr/bin/env bash
-
-# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not
-# use this file except in compliance with the License. You may obtain a copy
-# of the License at http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed
-# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
-# CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-CHECK_ID_extra756="7.56"
-CHECK_TITLE_extra756="[extra756] Check if Redshift cluster is Public Accessible"
-CHECK_SCORED_extra756="NOT_SCORED"
-CHECK_TYPE_extra756="EXTRA"
-CHECK_SEVERITY_extra756="High"
-CHECK_ASFF_RESOURCE_TYPE_extra756="AwsRedshiftCluster"
-CHECK_ALTERNATE_check756="extra756"
-CHECK_SERVICENAME_extra756="redshift"
-CHECK_RISK_extra756='Publicly accessible services could expose sensible data to bad actors.'
-CHECK_REMEDIATION_extra756='Ensure there is a business requirement for service to be public. Use the cluster security group to control access to the service.'
-CHECK_DOC_extra756='https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-security-groups.html'
-CHECK_CAF_EPIC_extra756='Infrastructure Security'
-
-extra756(){
-  for regx in $REGIONS; do
-    LIST_OF_RS_CLUSTERS=$($AWSCLI $PROFILE_OPT redshift describe-clusters --region $regx --query Clusters[*].ClusterIdentifier --output text)
-    if [[ $LIST_OF_RS_CLUSTERS ]];then
-      for cluster in $LIST_OF_RS_CLUSTERS; do
-        IS_PUBLICLY_ACCESSIBLE=$($AWSCLI $PROFILE_OPT redshift describe-clusters --region $regx --cluster-identifier $cluster --query Clusters[*].PubliclyAccessible --output text|grep True)
-        if [[ $IS_PUBLICLY_ACCESSIBLE ]]; then
-          textFail "$regx: Redshift cluster $cluster is publicly accessible" "$regx" "$cluster"
-        else
-          textPass "$regx: Redshift cluster $cluster is not publicly accessible" "$regx" "$cluster"
-        fi
-      done
-    else
-      textInfo "$regx: No Redshift clusters found" "$regx"
-    fi
-  done
-}
--- a/groups/group15_pci
+++ b/groups/group15_pci
@@ -15,7 +15,7 @@ GROUP_ID[15]='pci'
 GROUP_NUMBER[15]='15.0'
 GROUP_TITLE[15]='PCI-DSS v3.2.1 Readiness - ONLY AS REFERENCE - [pci] **********'
 GROUP_RUN_BY_DEFAULT[15]='N' # run it when execute_all is called
-GROUP_CHECKS[15]='check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check112,check113,check114,check116,check21,check23,check25,check26,check27,check28,check29,check314,check36,check38,check43,extra713,extra717,extra718,extra72,extra729,extra735,extra738,extra740,extra744,extra748,extra75,extra750,extra751,extra753,extra754,extra755,extra756,extra773,extra78,extra780,extra781,extra782,extra783,extra784,extra785,extra787,extra788,extra798'
+GROUP_CHECKS[15]='check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check112,check113,check114,check116,check21,check23,check25,check26,check27,check28,check29,check314,check36,check38,check43,extra711,extra713,extra717,extra718,extra72,extra729,extra735,extra738,extra740,extra744,extra748,extra75,extra750,extra751,extra753,extra754,extra755,extra773,extra78,extra780,extra781,extra782,extra783,extra784,extra785,extra787,extra788,extra798'

 # Resources:
 # https://github.com/toniblyx/prowler/issues/296
@@ -39,7 +39,7 @@ GROUP_CHECKS[15]='check11,check12,check13,check14,check15,check16,check17,check1
 #     Ensure the default security group restricts all traffic check43
 #     Remove unused security groups extra75
 #     RDS should not have Public interface open to a public scope extra78
-#     Check for Publicly Accessible Redshift Clusters extra756
+#     Check for Publicly Accessible Redshift Clusters extra711
 #     Ensure Lambda Functions are not publicly accessible   extra798

 # 3.2 Requirement 2: Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters
--- a/groups/group17_internetexposed
+++ b/groups/group17_internetexposed
@@ -15,7 +15,7 @@ GROUP_ID[17]='internet-exposed'
 GROUP_NUMBER[17]='17.0'
 GROUP_TITLE[17]='Find resources exposed to the internet - [internet-exposed] ***'
 GROUP_RUN_BY_DEFAULT[17]='N' # run it when execute_all is called
-GROUP_CHECKS[17]='check41,check42,check45,check46,extra72,extra73,extra74,extra76,extra77,extra78,extra79,extra710,extra711,extra716,extra723,extra727,extra731,extra736,extra738,extra745,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra770,extra771,extra778,extra779,extra787,extra788,extra795,extra796,extra798,extra7102,extra7134,extra7135,extra7136,extra7137,extra7138'
+GROUP_CHECKS[17]='check41,check42,check45,check46,extra72,extra73,extra74,extra76,extra77,extra78,extra79,extra710,extra711,extra716,extra723,extra727,extra731,extra736,extra738,extra745,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra770,extra771,extra778,extra779,extra787,extra788,extra795,extra796,extra798,extra7102,extra7134,extra7135,extra7136,extra7137,extra7138'

 # 4.1 [check41] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 22 (Scored)  [group4, cislevel1, cislevel2]
 # 4.2 [check42] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389 (Scored)  [group4, cislevel1, cislevel2]
@@ -42,7 +42,6 @@ GROUP_CHECKS[17]='check41,check42,check45,check46,extra72,extra73,extra74,extra7
 # 7.53 [extra753] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to MongoDB ports 27017 and 27018    [extras]
 # 7.54 [extra754] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Cassandra ports 7199 or 9160 or 8888    [extras]
 # 7.55 [extra755] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Memcached port 11211    [extras]
-# redundant 7.56 [extra756] Check if Redshift cluster is Public Accessible    [extras]
 # 7.70 [extra770] Check for internet facing EC2 instances with Instance Profiles attached    [extras]
 # 7.78 [extra778] Find VPC security groups with wide-open public IPv4 CIDR ranges (non-RFC1918)    [extras]
 # 7.79 [extra779] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Elasticsearch/Kibana ports   [extras, elasticsearch]
--- a/groups/group18_iso27001
+++ b/groups/group18_iso27001
@@ -15,7 +15,7 @@ GROUP_ID[18]='iso27001'
 GROUP_NUMBER[18]='18.0'
 GROUP_TITLE[18]='ISO 27001:2013 Readiness - ONLY AS REFERENCE - [iso27001] *****'
 GROUP_RUN_BY_DEFAULT[18]='N' # run it when execute_all is called
-GROUP_CHECKS[18]='check11,check110,check111,check112,check113,check114,check115,check116,check119,check12,check122,check13,check14,check15,check16,check17,check18,check19,check21,check22,check23,check24,check25,check26,check27,check28,check29,check31,check310,check311,check312,check313,check314,check32,check33,check34,check35,check36,check37,check38,check39,check41,check42,check43,check44,extra71,extra710,extra7100,extra711,extra7113,extra7123,extra7125,extra7126,extra7128,extra7129,extra713,extra714,extra7130,extra718,extra719,extra72,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra731,extra73,extra731,extra735,extra739,extra74,extra741,extra747,extra748,extra75,extra756,extra757,extra758,extra759,extra76,extra760,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra77,extra771,extra772,extra774,extra776,extra777,extra778,extra78,extra789,extra79,extra790,extra792,extra793,extra794,extra795,extra796,extra798'
+GROUP_CHECKS[18]='check11,check110,check111,check112,check113,check114,check115,check116,check119,check12,check122,check13,check14,check15,check16,check17,check18,check19,check21,check22,check23,check24,check25,check26,check27,check28,check29,check31,check310,check311,check312,check313,check314,check32,check33,check34,check35,check36,check37,check38,check39,check41,check42,check43,check44,extra71,extra710,extra7100,extra711,extra7113,extra7123,extra7125,extra7126,extra7128,extra7129,extra713,extra714,extra7130,extra718,extra719,extra72,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra731,extra73,extra731,extra735,extra739,extra74,extra741,extra747,extra748,extra75,extra757,extra758,extra759,extra76,extra760,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra77,extra771,extra772,extra774,extra776,extra777,extra778,extra78,extra789,extra79,extra790,extra792,extra793,extra794,extra795,extra796,extra798'

 # #	Category	Objective ID	Objective Name	Prowler check ID	Check Summary
 # 1		A.9 Access Control	A.9.2	User Access Management	check122	Ensure IAM policies that allow full "*:*" administrative privileges are not created.
@@ -66,13 +66,13 @@ GROUP_CHECKS[18]='check11,check110,check111,check112,check113,check114,check115,
 # 46	A.9 Access Control	A.9.4	System and Application Access Control	check14	Ensure access keys are rotated every 90 days or less
 # 47	A.9 Access Control	A.9.4	System and Application Access Control	check13	Ensure credentials unused for 90 days or greater are disabled
 # 48	A.9 Access Control	A.9.4	System and Application Access Control	check112	Ensure no root account access key exists
+# 55    A.9 Access Control	A.9.4	System and Application Access Control	extra711	Check if Redshift cluster is Public Accessible
 # 49	A.9 Access Control	A.9.4	System and Application Access Control	extra7113	Check if RDS instances have deletion protection enabled
 # 50	A.9 Access Control	A.9.4	System and Application Access Control	extra72	Ensure there are no EBS Snapshots set as Public
 # 51	A.9 Access Control	A.9.4	System and Application Access Control	extra723	Check if RDS Snapshots and Cluster Snapshots are public
 # 52    A.9 Access Control	A.9.4	System and Application Access Control	extra727	Check if SQS queues have policy set as Public
 # 53    A.9 Access Control	A.9.4	System and Application Access Control	extra73	Ensure there are no S3 buckets open to Everyone or Any AWS user
 # 54    A.9 Access Control	A.9.4	System and Application Access Control	extra731	Check if SNS topics have policy set as Public
-# 55    A.9 Access Control	A.9.4	System and Application Access Control	extra756	Check if Redshift cluster is Public Accessible
 # 56    A.9 Access Control	A.9.4	System and Application Access Control	extra76	Ensure there are no EC2 AMIs set as Public
 # 57    A.9 Access Control	A.9.4	System and Application Access Control	extra77 Ensure there are no ECR repositories set as Public
 # 58    A.9 Access Control	A.9.4	System and Application Access Control	extra771 Check if S3 buckets have policies which allow WRITE access
--- a/groups/group7_extras
+++ b/groups/group7_extras
@@ -22,4 +22,4 @@ GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78

 # Extras 789 and 790 VPC trust boundaries are not included by default in Extras
 # to run trust-boundaries use `./prowler -g trustboundaries`
-# read more in https://github.com/toniblyx/prowler/#trust-boundaries-checks
+# read more in https://github.com/toniblyx/prowler/#trust-boundaries-checks
--- a/iam/create_role_to_assume_cfn.yaml
+++ b/iam/create_role_to_assume_cfn.yaml
@@ -55,12 +55,12 @@ Resources:
            Statement:
            - Effect: Allow
              Action:
-                - 'dax:ListTables'
                - 'ds:ListAuthorizedApplications'
-                - 'ds:DescribeRoles'
                - 'ec2:GetEbsEncryptionByDefault'
                - 'ecr:Describe*'
                - 'support:Describe*'
                - 'tag:GetTagKeys'
                - 'lambda:GetFunction'
+                - 'glue:GetConnections'
+                - 's3:GetAccountPublicAccessBlock'
              Resource: '*'
--- a/iam/prowler-additions-policy.json
+++ b/iam/prowler-additions-policy.json
@@ -3,14 +3,15 @@
    "Statement": [
        {
            "Action": [
-                "dax:ListTables",
                "ds:ListAuthorizedApplications",
-                "ds:DescribeRoles",
                "ec2:GetEbsEncryptionByDefault",
                "ecr:Describe*",
                "support:Describe*",
                "tag:GetTagKeys",
-		"lambda:GetFunction"
+		        "lambda:GetFunction",
+                "glue:GetConnections",
+                "glue:SearchTables",
+                "s3:GetAccountPublicAccessBlock"
            ],
            "Resource": "*",
            "Effect": "Allow",
--- a/include/outputs
+++ b/include/outputs
@@ -326,7 +326,7 @@ generateJsonAsffOutput(){
  local status=$2
  
  #Checks to determine if the rule passes in a resource name that prowler uses to track the AWS Resource for whitelisting purposes
-  if [ -z $3 ]; then
+  if [[ -z $3 ]]; then
    local resource_id="NONE_PROVIDED"
  else
    local resource_id=$3
@@ -337,7 +337,7 @@ generateJsonAsffOutput(){
  fi
  jq -M -c \
  --arg ACCOUNT_NUM "$ACCOUNT_NUM" \
-  --arg TITLE_TEXT "$TITLE_TEXT" \
+  --arg TITLE_TEXT "$CHECK_SERVICENAME.$TITLE_TEXT" \
  --arg MESSAGE "$(echo -e "${message}")" \
  --arg UNIQUE_ID "$(LC_ALL=C echo -e -n "${message}" | tr -cs '[:alnum:]._~-' '_')" \
  --arg STATUS "$status" \
--- a/util/codebuild/codebuild-prowler-audit-account-cfn.yaml
+++ b/util/codebuild/codebuild-prowler-audit-account-cfn.yaml
@@ -179,6 +179,22 @@ Resources:
                  - s3:GetBucketLocation
                Effect: Allow
                Resource: !Sub 'arn:aws:s3:::${ArtifactBucket}/*'
+        - PolicyName: ProwlerAdditions
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Action:
+                  - s3:GetAccountPublicAccessBlock
+                  - glue:GetConnections
+                  - glue:SearchTables
+                  - ds:ListAuthorizedApplications
+                  - ec2:GetEbsEncryptionByDefault
+                  - ecr:Describe*
+                  - support:Describe*
+                  - tag:GetTagKeys
+                  - lambda:GetFunction
+                Effect: Allow
+                Resource: !Sub 'arn:aws:glue:${AWS::Region}:${AWS::AccountId}:catalog'
        - PolicyName: CodeBuild
          PolicyDocument:
            Version: '2012-10-17'