New 7 checks required for ENS

2026-02-10 14:55:00 +00:00 · 2020-12-01 09:55:20 +01:00
parent 25a04cd59e
commit 63040e1c07
7 changed files with 289 additions and 0 deletions
--- a/checks/check_extra7123
+++ b/checks/check_extra7123
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7123="7.123"
+CHECK_TITLE_extra7123="[extra7123] Check if IAM users have two active access keys"
+CHECK_SCORED_extra7123="NOT_SCORED"
+CHECK_TYPE_extra7123="EXTRA"
+CHECK_SEVERITY_extra7123="Medium"
+CHECK_ASFF_TYPE_extra7123="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_extra7123="AwsIamUser"
+CHECK_ALTERNATE_check7123="extra7123"
+CHECK_ASFF_COMPLIANCE_TYPE_extra7123="ens-op.acc.1.aws.iam.2"
+
+extra7123(){
+  LIST_OF_USERS_WITH_2ACCESS_KEYS=$(cat $TEMP_REPORT_FILE| awk -F, '{ print $1, $9, $14 }' |grep "\ true\ true" | awk '{ print $1 }')
+  if [[ $LIST_OF_USERS_WITH_2ACCESS_KEYS ]]; then
+    # textFail "Users with access key 1 older than 90 days:"
+    for user in $LIST_OF_USERS_WITH_2ACCESS_KEYS; do
+      textFail "User $user has 2 active access keys" 
+    done
+  else
+    textPass "No users with 2 active access keys"
+  fi
+}
--- a/checks/check_extra7124
+++ b/checks/check_extra7124
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7124="7.124"
+CHECK_TITLE_extra7124="[extra7124] Check if EC2 instances are managed by Systems Manager."
+CHECK_SCORED_extra7124="NOT_SCORED"
+CHECK_TYPE_extra7124="EXTRA"
+CHECK_SEVERITY_extra7124="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7124="AwsEc2Instance"
+CHECK_ALTERNATE_check7124="extra7124"
+CHECK_ASFF_COMPLIANCE_TYPE_extra7124="ens-op.exp.1.aws.sys.1,ens-op.acc.4.aws.sys.1"
+
+extra7124(){
+  for regx in $REGIONS; do
+    # Filters running instances only 
+    LIST_EC2_INSTANCES=$($AWSCLI ec2 describe-instances $PROFILE_OPT --query 'Reservations[*].Instances[*].[InstanceId]' --filters Name=instance-state-name,Values=running --region $regx --output text)
+    if [[ $LIST_EC2_INSTANCES ]]; then
+      LIST_SSM_MANAGED_INSTANCES=$($AWSCLI ssm describe-instance-information $PROFILE_OPT --query "InstanceInformationList[].InstanceId"  --region $regx | jq -r '.[]')
+      LIST_EC2_UNMANAGED=$(echo ${LIST_SSM_MANAGED_INSTANCES[@]} ${LIST_EC2_INSTANCES[@]} | tr ' ' '\n' | sort | uniq -u)
+      if [[ $LIST_EC2_UNMANAGED ]]; then
+        for instance in $LIST_EC2_UNMANAGED; do
+          textFail "$regx: EC2 instance $instance is not managed by Systems Manager" "$regx"
+        done
+      fi 
+      if [[ $LIST_SSM_MANAGED_INSTANCES ]]; then
+        for instance in $LIST_SSM_MANAGED_INSTANCES; do 
+          textPass "$regx: EC2 instance $instance is managed by Systems Manager" "$regx"
+        done 
+      fi 
+    else 
+      textInfo "$regx: No EC2 instances running found" "$regx"
+    fi
+  done
+}
--- a/checks/check_extra7125
+++ b/checks/check_extra7125
@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7125="7.125"
+CHECK_TITLE_extra7125="[extra7125] Check if IAM users have Hardware MFA enabled."
+CHECK_SCORED_extra7125="NOT_SCORED"
+CHECK_TYPE_extra7125="EXTRA"
+CHECK_SEVERITY_extra7125="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7125="AwsIamUser"
+CHECK_ALTERNATE_check7125="extra7125"
+CHECK_ASFF_COMPLIANCE_TYPE_extra7125="ens-op.acc.5.aws.iam.2"
+
+extra7125(){
+  LIST_USERS=$($AWSCLI iam list-users --query 'Users[*].UserName' --output text $PROFILE_OPT --region $REGION)
+  if [[ $LIST_USERS ]]; then
+    # textFail "Users with access key 1 older than 90 days:"
+    for user in $LIST_USERS; do
+      # Would be virtual if sms-mfa or mfa, hardware is u2f or different.
+      MFA_TYPE=$($AWSCLI iam list-mfa-devices --user-name $user $PROFILE_OPT --region $REGION --query MFADevices[].SerialNumber --output text | awk -F':' '{ print $6 }'| awk -F'/' '{ print $1 }')
+      if [[ $MFA_TYPE == "mfa" || $MFA_TYPE == "sms-mfa" ]]; then 
+        textInfo "User $user has virtual MFA enabled" 
+      elif [[ $MFA_TYPE == "" ]]; then 
+        textFail "User $user has not hardware MFA enabled"
+      else 
+        textPass "User $user has hardware MFA enabled"
+      fi
+    done
+  else
+    textPass "No users found"
+  fi
+}
--- a/checks/check_extra7126
+++ b/checks/check_extra7126
@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7126="7.126"
+CHECK_TITLE_extra7126="[extra7126] Check if there are CMK KMS keys not used"
+CHECK_SCORED_extra7126="NOT_SCORED"
+CHECK_TYPE_extra7126="EXTRA"
+CHECK_SEVERITY_extra7126="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7126="AwsKmsKey"
+CHECK_ALTERNATE_check7126="extra7126"
+CHECK_ASFF_COMPLIANCE_TYPE_extra7126="op.exp.11.aws.kms.2"
+
+extra7126(){
+  for regx in $REGIONS; do
+    LIST_OF_CUSTOMER_KMS_KEYS=$($AWSCLI kms list-aliases $PROFILE_OPT --region $regx --output text |grep -v :alias/aws/ |awk '{ print $4 }')
+    if [[ $LIST_OF_CUSTOMER_KMS_KEYS ]];then
+      for key in $LIST_OF_CUSTOMER_KMS_KEYS; do
+        CHECK_STATUS=$($AWSCLI kms describe-key --key-id $key $PROFILE_OPT --region $regx --output json | jq -r '.KeyMetadata.KeyState')
+        if [[ $CHECK_STATUS == "PendingDeletion" ]]; then
+          textInfo "$regx: KMS key $key is pending deletion" "$regx"
+        elif [[ $CHECK_STATUS == "Disabled"  ]]; then
+          textInfo "$regx: KMS key $key is disabled" "$regx"
+        else
+          textPass "$regx: KMS key $key is not disabled or pending deletion" "$regx"
+        fi
+      done
+    else
+      textInfo "$regx: No KMS keys found" "$regx"
+    fi
+  done
+}
--- a/checks/check_extra7127
+++ b/checks/check_extra7127
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7127="7.127"
+CHECK_TITLE_extra7127="[extra7127] Check if EC2 instances managed by Systems Manager are compliant with patching requirements"
+CHECK_SCORED_extra7127="NOT_SCORED"
+CHECK_TYPE_extra7127="EXTRA"
+CHECK_SEVERITY_extra7127="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7127="AwsEc2Instance"
+CHECK_ASFF_TYPE_extra7127="Software and Configuration Checks/ENS op.exp.4.aws.sys.1"
+CHECK_ALTERNATE_check7127="extra7127"
+CHECK_ASFF_COMPLIANCE_TYPE_extra7127="ens-op.exp.1.aws.sys.1,ens-op.exp.4.aws.sys.1"
+
+
+extra7127(){
+  for regx in $REGIONS; do
+    NON_COMPLIANT_SSM_MANAGED_INSTANCES=$($AWSCLI ssm list-resource-compliance-summaries $PROFILE_OPT --region $regx --filters Key=Status,Values=NON_COMPLIANT --query ResourceComplianceSummaryItems[].ResourceId --output text)
+    COMPLIANT_SSM_MANAGED_INSTANCES=$($AWSCLI ssm list-resource-compliance-summaries $PROFILE_OPT --region $regx --filters Key=Status,Values=COMPLIANT --query ResourceComplianceSummaryItems[].ResourceId --output text)
+    if [[ $NON_COMPLIANT_SSM_MANAGED_INSTANCES || $COMPLIANT_SSM_MANAGED_INSTANCES ]]; then
+      if [[ $NON_COMPLIANT_SSM_MANAGED_INSTANCES ]]; then
+        for instance in $NON_COMPLIANT_SSM_MANAGED_INSTANCES; do
+          textFail "$regx: EC2 managed instance $instance is non-compliant" "$regx"
+        done
+      fi
+      if [[ $COMPLIANT_SSM_MANAGED_INSTANCES ]]; then
+        for instance in $COMPLIANT_SSM_MANAGED_INSTANCES; do
+          textPass "$regx: EC2 managed instance $instance is compliant" "$regx"
+        done
+      fi 
+    else 
+      textInfo "$regx: No EC2 managed instances found" "$regx"
+    fi
+  done
+}
--- a/checks/check_extra7128
+++ b/checks/check_extra7128
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7128="7.128"
+CHECK_TITLE_extra7128="[extra7128] Check if DynamoDB table has encryption at rest enabled using CMK KMS"
+CHECK_SCORED_extra7128="NOT_SCORED"
+CHECK_TYPE_extra7128="EXTRA"
+CHECK_SEVERITY_extra7128="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7128="AwsDynamoDBTable"
+CHECK_ALTERNATE_check7128="extra7128"
+CHECK_ASFF_COMPLIANCE_TYPE_extra7128="ens-mp.info.3.aws.dyndb.1"
+
+extra7128(){
+  for regx in $REGIONS; do
+    DDB_TABLES_LIST=$($AWSCLI dynamodb list-tables $PROFILE_OPT --region $regx --output text --query TableNames)
+    if [[ $DDB_TABLES_LIST ]]; then
+      for table in $DDB_TABLES_LIST; do
+          DDB_TABLE_WITH_KMS=$($AWSCLI dynamodb describe-table --table-name $table $PROFILE_OPT --region $regx --query Table.SSEDescription.SSEType --output text)
+          if [[ $DDB_TABLE_WITH_KMS == "KMS" ]]; then
+            textPass "$regx: DynamoDB table $table does have KMS encryption enabled" "$regx"
+          else
+            textInfo "$regx: DynamoDB table $table does have DEFAULT encryption enabled" "$regx"
+          fi
+      done
+    else 
+      textInfo "$regx: There are no DynamoDB tables" "$regx"
+    fi 
+  done
+}
--- a/checks/check_extra7129
+++ b/checks/check_extra7129
@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7129="7.129"
+CHECK_TITLE_extra7129="[extra7129] Check if Application Load Balancer has a WAF ACL attached"
+CHECK_SCORED_extra7129="NOT_SCORED"
+CHECK_TYPE_extra7129="EXTRA"
+CHECK_SEVERITY_extra7129="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7129="AwsElasticLoadBalancingV2LoadBalancer"
+CHECK_ALTERNATE_check7129="extra7129"
+CHECK_ASFF_COMPLIANCE_TYPE_extra7129="ens-mp.s.2.aws.waf.3"
+
+extra7129(){
+  for regx in $REGIONS; do
+    LIST_OF_ELBSV2=$($AWSCLI elbv2 describe-load-balancers $PROFILE_OPT --region $regx --query 'LoadBalancers[?Scheme == `internet-facing` && Type == `application`].[LoadBalancerName]' --output text)
+    LIST_OF_WAFV2_WEBACL_ARN=$($AWSCLI wafv2 list-web-acls $PROFILE_OPT --region=$regx --scope=REGIONAL --query WebACLs[*].ARN --output text)
+    if [[ $LIST_OF_ELBSV2 ]]; then
+      for alb in $LIST_OF_ELBSV2; do
+        if [[ $LIST_OF_WAFV2_WEBACL_ARN ]]; then 
+          WAF_PROTECTED_ALBS=()
+          for wafaclarn in $LIST_OF_WAFV2_WEBACL_ARN; do
+            ALB_RESOURCES_IN_WEBACL=$($AWSCLI wafv2 list-resources-for-web-acl $PROFILE_OPT --web-acl-arn $wafaclarn --region=$regx --resource-type APPLICATION_LOAD_BALANCER --query ResourceArns --output text | xargs -n1 | awk -F'/' '{ print $3 }'| grep $alb)
+            if [[ $ALB_RESOURCES_IN_WEBACL ]]; then 
+              WAF_PROTECTED_ALBS+=($wafaclarn)
+            fi
+          done
+          if [[ ${#WAF_PROTECTED_ALBS[@]} -gt 0 ]]; then
+            for wafaclarn in "${WAF_PROTECTED_ALBS[@]}"; do
+              WAFV2_WEBACL_ARN_SHORT=$(echo $wafaclarn |  awk -F'/' '{ print $3 }')
+              textPass "$regx: Application Load Balancer $alb is protected by WAFv2 ACL $WAFV2_WEBACL_ARN_SHORT" "$regx"
+            done
+          else
+            textFail "$regx: Application Load Balancer $alb is not protected by WAFv2 ACL" "$regx"
+          fi
+        else 
+          textFail "$regx: Application Load Balancer $alb is not protected no WAFv2 ACL found" "$regx"
+        fi
+      done         
+    else
+      textInfo "$regx: No Application Load Balancers found" "$regx"
+    fi    
+  done
+}