diff --git a/checks/check_extra7103 b/checks/check_extra7103
new file mode 100644
index 00000000..62c7c293
--- /dev/null
+++ b/checks/check_extra7103
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7103="7.103"
+CHECK_TITLE_extra7103="[extra7103] Check if Amazon SageMaker Notebook instances have root access disabled"
+CHECK_SCORED_extra7103="NOT_SCORED"
+CHECK_TYPE_extra7103="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7103="AwsSageMakerNotebookInstance"
+CHECK_ALTERNATE_check7103="extra7103"
+CHECK_SEVERITY_extra7103="Medium"
+
+extra7103(){
+ for regx in ${REGIONS}; do
+ LIST_SM_NB_INSTANCES=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-notebook-instances --query 'NotebookInstances[*].NotebookInstanceName' --output text)
+ if [[ $LIST_SM_NB_INSTANCES ]];then
+ for nb_instance in $LIST_SM_NB_INSTANCES; do
+ SM_NB_ROOTACCESS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-notebook-instance --notebook-instance-name $nb_instance --query 'RootAccess' --output text)
+ if [[ $SM_NB_ROOTACCESS -eq "Enabled" ]]; then
+ textFail "${regx}: Sagemaker Notebook instance $nb_instance has root access enabled" "${regx}"
+ else
+ textPass "${regx}: Sagemaker Notebook instance $nb_instance has root access disabled" "${regx}"
+ fi
+ done
+ else
+ textInfo "${regx}: No Sagemaker Notebook instances found" "${regx}"
+ fi
+ done
+}
+
\ No newline at end of file
diff --git a/checks/check_extra7104 b/checks/check_extra7104
new file mode 100644
index 00000000..6d15fbc1
--- /dev/null
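Review bot: The comparison `[[ $SM_NB_ROOTACCESS -eq "Enabled" ]]` in extra7103 never tests the string it reads: `-eq` is an arithmetic operator, so inside `[[ ]]` both operands are evaluated as arithmetic expressions, the word `Enabled` is treated as an unset variable worth 0, and `0 -eq 0` is always true, which makes every notebook instance report FAIL whatever its RootAccess setting is. Use the string operator as extra7104 and extra7112 already do: `if [[ "${SM_NB_ROOTACCESS}" == "Enabled" ]]; then`. The same `-eq`-against-a-string misuse is in extra7107, extra7108, extra7110 and extra7111 and needs the same `==` fix in each. In extra7108 the effect is masked, because a real key ARN is not a valid arithmetic expression, so the conditional appears to print a parse error and fall through to textPass by accident rather than by design.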
+++ b/checks/check_extra7104
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7104="7.104"
+CHECK_TITLE_extra7104="[extra7104] Check if Amazon SageMaker Notebook instances have VPC settings configured"
+CHECK_SCORED_extra7104="NOT_SCORED"
+CHECK_TYPE_extra7104="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7104="AwsSageMakerNotebookInstance"
+CHECK_ALTERNATE_check7104="extra7104"
+CHECK_SEVERITY_extra7104="Medium"
+
+extra7104(){
+ for regx in ${REGIONS}; do
+ LIST_SM_NB_INSTANCES=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-notebook-instances --query 'NotebookInstances[*].NotebookInstanceName' --output text)
+ if [[ $LIST_SM_NB_INSTANCES ]];then
+ for nb_instance in $LIST_SM_NB_INSTANCES; do
+ SM_NB_SUBNETID=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-notebook-instance --notebook-instance-name $nb_instance --query 'SubnetId' --output text)
+ if [[ "${SM_NB_SUBNETID}" == "None" ]]; then
+ textFail "${regx}: Sagemaker Notebook instance $nb_instance has VPC settings disabled" "${regx}"
+ else
+ textPass "${regx}: Sagemaker Notebook instance $nb_instance is in a VPC" "${regx}"
+ fi
+ done
+ else
+ textInfo "${regx}: No Sagemaker Notebook instances found" "${regx}"
+ fi
+ done
+}
\ No newline at end of file
diff --git a/checks/check_extra7105 b/checks/check_extra7105
new file mode 100644
index 00000000..e76b8d9b
--- /dev/null
+++ b/checks/check_extra7105
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7105="7.105"
+CHECK_TITLE_extra7105="[extra7105] Check if Amazon SageMaker Models have network isolation enabled"
+CHECK_SCORED_extra7105="NOT_SCORED"
+CHECK_TYPE_extra7105="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7105="AwsSageMakerModel"
+CHECK_ALTERNATE_check7105="extra7105"
+CHECK_SEVERITY_extra7105="Medium"
+
+extra7105(){
+ for regx in ${REGIONS}; do
+ LIST_SM_NB_MODELS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-models --query 'Models[*].ModelName' --output text)
+ if [[ $LIST_SM_NB_MODELS ]];then
+ for nb_model_name in $LIST_SM_NB_MODELS; do
+ SM_NB_NETWORKISOLATION=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-model --model-name $nb_model_name --query 'EnableNetworkIsolation' --output text)
+ if [[ $SM_NB_NETWORKISOLATION == False ]]; then
+ textFail "${regx}: SageMaker Model $nb_model_name has network isolation disabled" "${regx}"
+ else
+ textPass "${regx}: SageMaker Model $nb_model_name has network isolation enabled" "${regx}"
+ fi
+ done
+ else
+ textInfo "${regx}: No Sagemaker Models found" "${regx}"
+ fi
+ done
+}
+
\ No newline at end of file
diff --git a/checks/check_extra7106 b/checks/check_extra7106
new file mode 100644
index 00000000..d4907513
--- /dev/null
+++ b/checks/check_extra7106
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7106="7.106"
+CHECK_TITLE_extra7106="[extra7106] Check if Amazon SageMaker Models have VPC settings configured"
+CHECK_SCORED_extra7106="NOT_SCORED"
+CHECK_TYPE_extra7106="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7106="AwsSageMakerModel"
+CHECK_ALTERNATE_check7106="extra7106"
+CHECK_SEVERITY_extra7106="Medium"
+
+extra7106(){
+ for regx in ${REGIONS}; do
+ LIST_SM_NB_MODELS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-models --query 'Models[*].ModelName' --output text)
+ if [[ $LIST_SM_NB_MODELS ]];then
+ for nb_model_name in $LIST_SM_NB_MODELS; do
+ SM_NB_VPCCONFIG=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-model --model-name $nb_model_name --query 'VpcConfig.Subnets' --output text)
+ if [[ $SM_NB_VPCCONFIG == "None" ]]; then
+ textFail "${regx}: Amazon SageMaker Model $nb_model_name has VPC settings disabled" "${regx}"
+ else
+ textPass "${regx}: Amazon SageMaker Model $nb_model_name has VPC settings enabled" "${regx}"
+ fi
+ done
+ else
+ textInfo "${regx}: No Sagemaker Models found" "${regx}"
+ fi
+ done
+}
+
\ No newline at end of file
diff --git a/checks/check_extra7107 b/checks/check_extra7107
new file mode 100644
index 00000000..86499bb3
--- /dev/null
+++ b/checks/check_extra7107
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7107="7.107"
+CHECK_TITLE_extra7107="[extra7107] Check if Amazon SageMaker Training jobs have intercontainer encryption enabled"
+CHECK_SCORED_extra7107="NOT_SCORED"
+CHECK_TYPE_extra7107="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7107="AwsSageMakerNotebookInstance"
+CHECK_ALTERNATE_check7107="extra7107"
+CHECK_SEVERITY_extra7107="Medium"
+
+extra7107(){
+ for regx in ${REGIONS}; do
+ LIST_SM_NB_JOBS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-training-jobs --query 'TrainingJobSummaries[*].TrainingJobName' --output text)
+ if [[ $LIST_SM_NB_JOBS ]];then
+ for nb_job_name in $LIST_SM_NB_JOBS; do
+ SM_NB_INTERCONTAINERENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-training-job --training-job-name $nb_job_name --query 'EnableInterContainerTrafficEncryption' --output text)
+ if [[ $SM_NB_INTERCONTAINERENCRYPTION -eq "None" ]]; then
+ textFail "${regx}: SageMaker Training job $nb_job_name has intercontainer encryption disabled" "${regx}"
+ else
+ textPass "${regx}: SageMaker Training jobs $nb_job_name has intercontainer encryption enabled" "${regx}"
+ fi
+ done
+ else
+ textInfo "${regx}: No Sagemaker Training found" "${regx}"
+ fi
+ done
+}
+
\ No newline at end of file
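Review bot: `[[ $SM_NB_INTERCONTAINERENCRYPTION -eq "None" ]]` tests the wrong value as well as using the wrong operator: `EnableInterContainerTrafficEncryption` is a boolean in the DescribeTrainingJob response, so `--output text` prints `True` or `False`, and the sibling checks extra7105 and extra7109 test their boolean field with `== False`. Change the line to `if [[ "${SM_NB_INTERCONTAINERENCRYPTION}" == "False" ]]; then` (the `-eq` misuse itself is raised on extra7103). Separately, `CHECK_ASFF_RESOURCE_TYPE_extra7107` is `AwsSageMakerNotebookInstance` although this check describes training jobs, and extra7108, extra7109 and extra7110 carry the same value, so their ASFF findings will be attributed to the wrong resource type; confirm the type appropriate for training jobs or add a comment explaining why the notebook type is reused. The pass message reads `Training jobs $nb_job_name has`, which should be `Training job`, and the textInfo message `No Sagemaker Training found` should name training jobs like the other checks do.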
diff --git a/checks/check_extra7108 b/checks/check_extra7108
new file mode 100644
index 00000000..4febf369
--- /dev/null
+++ b/checks/check_extra7108
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7108="7.108"
+CHECK_TITLE_extra7108="[extra7108] Check if Amazon SageMaker Training jobs have volume and output with KMS encryption enabled"
+CHECK_SCORED_extra7108="NOT_SCORED"
+CHECK_TYPE_extra7108="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7108="AwsSageMakerNotebookInstance"
+CHECK_ALTERNATE_check7108="extra7108"
+CHECK_SEVERITY_extra7108="Medium"
+
+extra7108(){
+ for regx in ${REGIONS}; do
+ LIST_SM_NB_JOBS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-training-jobs --query 'TrainingJobSummaries[*].TrainingJobName' --output text)
+ if [[ $LIST_SM_NB_JOBS ]];then
+ for nb_job_name in $LIST_SM_NB_JOBS; do
+ SM_JOB_KMSENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-training-job --training-job-name $nb_job_name --query 'ResourceConfig.VolumeKmsKeyId' --output text)
+ if [[ $SM_JOB_KMSENCRYPTION -eq "None" ]]; then
+ textFail "${regx}: Sagemaker Trainings job $nb_job_name has KMS encryption disabled" "${regx}"
+ else
+ textPass "${regx}: Sagemaker Trainings job $nb_job_name has KSM encryption enabled" "${regx}"
+ fi
+ done
+ else
+ textInfo "${regx}: No Sagemaker Trainings jobs found" "${regx}"
+ fi
+ done
+}
\ No newline at end of file
diff --git a/checks/check_extra7109 b/checks/check_extra7109
new file mode 100644
index 00000000..9abedf47
--- /dev/null
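Review bot: The title promises a check of `volume and output` KMS encryption, but the query reads only `ResourceConfig.VolumeKmsKeyId`; the key for the output artifacts lives in `OutputDataConfig.KmsKeyId` and is never inspected, so a job with an encrypted volume and an output location without a customer key passes. Either query both fields (e.g. `--query '[ResourceConfig.VolumeKmsKeyId,OutputDataConfig.KmsKeyId]'` and test each value for `None`) or narrow the title and messages to the volume. The string comparison on the `if` line should use `==` rather than `-eq` (raised on extra7103). The pass message reads `KSM encryption` and both messages say `Trainings job`; these should be `KMS` and `Training job`. A missing `VolumeKmsKeyId` does not necessarily mean the volume is unencrypted — I believe SageMaker applies an AWS-managed key by default — so the fail text may more precisely say the job does not use a customer-managed KMS key; please confirm against the service documentation.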
+++ b/checks/check_extra7109
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7109="7.109"
+CHECK_TITLE_extra7109="[extra7109] Check if Amazon SageMaker Training jobs have network isolation enabled"
+CHECK_SCORED_extra7109="NOT_SCORED"
+CHECK_TYPE_extra7109="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7109="AwsSageMakerNotebookInstance"
+CHECK_ALTERNATE_check7109="extra7109"
+CHECK_SEVERITY_extra7109="Medium"
+
+extra7109(){
+ for regx in ${REGIONS}; do
+ LIST_SM_NB_JOBS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-training-jobs --query 'TrainingJobSummaries[*].TrainingJobName' --output text)
+ if [[ $LIST_SM_NB_JOBS ]];then
+ for nb_job_name in $LIST_SM_NB_JOBS; do
+ SM_NB_NETWORKISOLATION=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-training-job --training-job-name $nb_job_name --query 'EnableNetworkIsolation' --output text)
+ if [[ $SM_NB_NETWORKISOLATION == False ]]; then
+ textFail "${regx}: Sagemaker Training job $nb_job_name has network isolation disabled" "${regx}"
+ else
+ textPass "${regx}: Sagemaker Training job $nb_job_name has network isolation enabled" "${regx}"
+ fi
+ done
+ else
+ textInfo "${regx}: No Sagemaker Trainings jobs found" "${regx}"
+ fi
+ done
+}
+
\ No newline at end of file
diff --git a/checks/check_extra7110 b/checks/check_extra7110
new file mode 100644
index 00000000..7b6a16b9
--- /dev/null
+++ b/checks/check_extra7110
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7110="7.110"
+CHECK_TITLE_extra7110="[extra7110] Check if Amazon SageMaker Training job volume and output have VPC settings configured."
+CHECK_SCORED_extra7110="NOT_SCORED"
+CHECK_TYPE_extra7110="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7110="AwsSageMakerNotebookInstance"
+CHECK_ALTERNATE_check7110="extra7110"
+CHECK_SEVERITY_extra7110="Medium"
+
+extra7110(){
+ for regx in ${REGIONS}; do
+ LIST_SM_NB_JOBS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-training-jobs --query 'TrainingJobSummaries[*].TrainingJobName' --output text)
+ if [[ $LIST_SM_NB_JOBS ]];then
+ for nb_job_name in $LIST_SM_NB_JOBS; do
+ SM_NB_SUBNETS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-training-job --training-job-name $nb_job_name --query 'VpcConfig.Subnets' --output text)
+ if [[ $SM_NB_SUBNETS -eq "None" ]]; then
+ textFail "${regx}: Sagemaker Training job $nb_job_name has VPC settings for the training job volume and output disabled" "${regx}"
+ else
+ textPass "${regx}: Sagemaker Training job $nb_job_name has VPC settings for the training job volume and output enabled" "${regx}"
+ fi
+ done
+ else
+ textInfo "${regx}: No Sagemaker Trainings jobs found" "${regx}"
+ fi
+ done
+}
+
\ No newline at end of file
diff --git a/checks/check_extra7111 b/checks/check_extra7111
new file mode 100644
index 00000000..41c6c44b
--- /dev/null
+++ b/checks/check_extra7111
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7111="7.111"
+CHECK_TITLE_extra7111="[extra7111] Check if Amazon SageMaker Notebook instances have direct internet access"
+CHECK_SCORED_extra7111="NOT_SCORED"
+CHECK_TYPE_extra7111="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7111="AwsSageMakerNotebookInstance"
+CHECK_ALTERNATE_check7111="extra7111"
+CHECK_SEVERITY_extra7111="Medium"
+
+extra7111(){
+ for regx in ${REGIONS}; do
+ LIST_SM_NB_INSTANCES=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-notebook-instances --query 'NotebookInstances[*].NotebookInstanceName' --output text)
+ if [[ $LIST_SM_NB_INSTANCES ]];then
+ for nb_instance in $LIST_SM_NB_INSTANCES; do
+ SM_NB_DIRECTINET=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-notebook-instance --notebook-instance-name $nb_instance --query 'DirectInternetAccess' --output text)
+ if [[ $SM_NB_DIRECTINET -eq "Disabled" ]]; then
+ textFail "${regx}: Sagemaker Notebook instance $nb_instance has direct internet access enabled" "${regx}"
+ else
+ textPass "${regx}: Sagemaker Notebook instance $nb_instance has direct internet access disabled" "${regx}"
+ fi
+ done
+ else
+ textInfo "${regx}: No Sagemaker Notebook instances found" "${regx}"
+ fi
+ done
+}
\ No newline at end of file
diff --git a/checks/check_extra7112 b/checks/check_extra7112
new file mode 100644
index 00000000..f1f46e32
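Review bot: The branch logic is inverted: `DirectInternetAccess` reads `Disabled` exactly when the notebook has no direct internet access, yet that value is routed to textFail with the message `has direct internet access enabled`. The condition should be `if [[ "${SM_NB_DIRECTINET}" == "Enabled" ]]; then`, which also replaces the `-eq` arithmetic operator (raised on extra7103) that makes the test always true. As written, every notebook instance fails this check regardless of its setting, so the finding carries no signal until both parts are fixed.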
--- /dev/null
+++ b/checks/check_extra7112
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7112="7.112"
+CHECK_TITLE_extra7112="[extra7112] Check if Amazon SageMaker Notebook instances have data encryption enabled"
+CHECK_SCORED_extra7112="NOT_SCORED"
+CHECK_TYPE_extra7112="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7112="AwsSageMakerNotebookInstance"
+CHECK_ALTERNATE_check7112="extra7112"
+CHECK_SEVERITY_extra7112="Medium"
+
+extra7112(){
+ for regx in ${REGIONS}; do
+ LIST_SM_NB_INSTANCES=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-notebook-instances --query 'NotebookInstances[*].NotebookInstanceName' --output text)
+ if [[ $LIST_SM_NB_INSTANCES ]];then
+ for nb_instance in $LIST_SM_NB_INSTANCES; do
+ SM_NB_KMSKEY=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-notebook-instance --notebook-instance-name $nb_instance --query 'KmsKeyId' --output text)
+ if [[ "${SM_NB_KMSKEY}" == "None" ]]; then
+ textFail "${regx}: Sagemaker Notebook instance $nb_instance has data encryption disabled" "${regx}"
+ else
+ textPass "${regx}: Sagemaker Notebook instance $nb_instance has data encryption enabled" "${regx}"
+ fi
+ done
+ else
+ textInfo "${regx}: No Sagemaker Notebook instances found" "${regx}"
+ fi
+ done
+}
\ No newline at end of file
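Review bot: `KmsKeyId` on a notebook instance is the customer-managed key attached to its storage volume, so `None` means no customer-managed key is configured rather than, necessarily, that the volume is unencrypted; as far as I recall SageMaker encrypts notebook volumes with an AWS-managed key by default, in which case the fail message `has data encryption disabled` overstates the finding. Consider `has no customer-managed KMS key configured for its storage volume` with matching pass wording and title, and confirm against the service documentation before keeping the current text. The comparison itself, `[[ "${SM_NB_KMSKEY}" == "None" ]]`, is the correct quoted string form that the other checks in this commit should copy.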
diff --git a/groups/group22_sagemaker b/groups/group22_sagemaker
new file mode 100644
index 00000000..7a4d62ab
--- /dev/null
+++ b/groups/group22_sagemaker
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2222) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+GROUP_ID[22]='sagemaker'
+GROUP_NUMBER[22]='22.0'
+GROUP_TITLE[22]='Amazon SageMaker related security checks - [sagemaker] ********'
+GROUP_RUN_BY_DEFAULT[22]='N' # run it when execute_all is called
+GROUP_CHECKS[22]='extra7103,extra7104,extra7111,extra7112,extra7105,extra7106,extra7107,extra7108,extra7109,extra7110'
+
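Review bot: The license header reads `(copyright 2222)` where every check file in this commit reads `(copyright 2020)`; presumably the group number slipped into the year. `GROUP_CHECKS[22]` also lists the checks out of numerical order (`extra7111,extra7112` sit between `extra7104` and `extra7105`); if that ordering is deliberate, a short comment on the line such as `# notebook checks first, then models and training jobs` would stop the next editor from re-sorting it.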