mirror of
https://github.com/ghndrx/prowler.git
synced 2026-02-10 06:45:08 +00:00
Add check for publicly accessible redshift clusters.
This commit is contained in:
Geoff Webster
10
README.md
10
README.md
@@ -24,7 +24,7 @@ It covers hardening and security best practices for all AWS regions related to:
|
||||
- Logging (8 checks)
|
||||
- Monitoring (15 checks)
|
||||
- Networking (5 checks)
|
||||
- Extras (10 checks) *see Extras section
|
||||
- Extras (11 checks) *see Extras section
|
||||
|
||||
For a comprehesive list and resolution look at the guide on the link above.
|
||||
|
||||
@@ -577,8 +577,11 @@ unset ACCOUNT_ID AWS_DEFAULT_PROFILE
|
||||
The `aws iam create-access-key` command will output the secret access key and the key id; keep these somewhere safe, and add them to ~/.aws/credentials with an appropriate profile name to use them with prowler. This is the only time they secret key will be shown. If you loose it, you will need to generate a replacement.
|
||||
|
||||
## Extras
|
||||
We are adding additional checks to improve the information gather from each account, these checks are out of the scope of the CIS benchmark for AWS but we consider them very helpful to get to know each AWS account set up and find issues on it.
|
||||
At this moment we have 10 extra checks:
|
||||
We are adding additional checks to improve the information gather from each account, these checks are out of the scope of the CIS benchmark for AWS but we consider them very helpful to get to know each AWS account set up and find issues on it.
|
||||
|
||||
Note: Some of these checks for publicly facing resources may not actually be fully public due to other layered controls like S3 Bucket Policies, Security Groups or Network ACLs.
|
||||
|
||||
At this moment we have 11 extra checks:
|
||||
|
||||
- 7.1 (`extra71`) Ensure users with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)
|
||||
- 7.2 (`extra72`) Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark)
|
||||
@@ -590,6 +593,7 @@ At this moment we have 10 extra checks:
|
||||
- 7.8 (`extra78`) Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark)
|
||||
- 7.9 (`extra79`) Check for internet facing Elastic Load Blancers (Not Scored) (Not part of CIS benchmark)
|
||||
- 7.10 (`extra710`) Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)
|
||||
- 7.11 (`extra711`) Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)
|
||||
|
||||
To check all extras in one command:
|
||||
```
|
||||
|
||||
27
prowler
27
prowler
@@ -241,7 +241,7 @@ fi
|
||||
|
||||
# It checks -p optoin first and use it as profile, if not -p provided then
|
||||
# check environment variables and if not, it checks and loads credentials from
|
||||
# instance profile (metadata server) if runs in an EC2 instance
|
||||
# instance profile (metadata server) if runs in an EC2 instance
|
||||
|
||||
if [[ $PROFILE ]]; then
|
||||
PROFILE_OPT="--profile $PROFILE"
|
||||
@@ -484,6 +484,8 @@ ID79="7.9,7.09"
|
||||
TITLE79="Check for internet facing Elastic Load Balancers (Not Scored) (Not part of CIS benchmark)"
|
||||
ID710="7.10,7.10"
|
||||
TITLE710="Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)"
|
||||
ID711="7.11,7.11"
|
||||
TITLE711="Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
|
||||
printCsvHeader() {
|
||||
@@ -1809,6 +1811,24 @@ extra710(){
|
||||
done
|
||||
}
|
||||
|
||||
extra711(){
|
||||
# "Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)"
|
||||
textTitle "$ID711" "$TITLE711" "NOT_SCORED" "EXTRA"
|
||||
textNotice "Looking for Reshift clusters in all regions... "
|
||||
for regx in $REGIONS; do
|
||||
LIST_OF_PUBLIC_REDSHIFT_CLUSTERS=$($AWSCLI redshift describe-clusters $PROFILE_OPT --region $regx --query 'Clusters[?PubliclyAccessible == `true`].[ClusterIdentifier,Endpoint.Address]' --output text)
|
||||
if [[ $LIST_OF_PUBLIC_REDSHIFT_CLUSTERS ]];then
|
||||
while read -r cluster;do
|
||||
CLUSTER_ID=$(echo $cluster | awk '{ print $1; }')
|
||||
CLUSTER_ENDPOINT=$(echo $cluster | awk '{ print $2; }')
|
||||
textWarn "$regx: Cluster: $CLUSTER_ID at Endpoint: $CLUSTER_ENDPOINT is publicly accessible!" "$regx"
|
||||
done <<< "$LIST_OF_PUBLIC_REDSHIFT_CLUSTERS"
|
||||
else
|
||||
textOK "$regx: no Publicly Accessible Redshift Clusters found" "$regx"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
callCheck(){
|
||||
if [[ $CHECKNUMBER ]];then
|
||||
case "$CHECKNUMBER" in
|
||||
@@ -1874,6 +1894,7 @@ callCheck(){
|
||||
extra78|extra708 ) extra78;;
|
||||
extra79|extra709 ) extra79;;
|
||||
extra710|extra710 ) extra710;;
|
||||
extra711|extra711 ) extra711;;
|
||||
|
||||
## Groups of Checks
|
||||
check1 )
|
||||
@@ -1910,7 +1931,7 @@ callCheck(){
|
||||
;;
|
||||
extras )
|
||||
extra71;extra72;extra73;extra74;extra75;extra76;extra77;extra78;
|
||||
extra79;extra710
|
||||
extra79;extra710;extra711
|
||||
;;
|
||||
* )
|
||||
textWarn "ERROR! Use a valid check name (i.e. check41 or extra71)\n";
|
||||
@@ -1991,6 +2012,7 @@ if [[ $PRINTCHECKSONLY == "1" ]]; then
|
||||
textTitle "$ID78" "$TITLE78" "NOT_SCORED" "EXTRA"
|
||||
textTitle "$ID79" "$TITLE79" "NOT_SCORED" "EXTRA"
|
||||
textTitle "$ID710" "$TITLE710" "NOT_SCORED" "EXTRA"
|
||||
textTitle "$ID711" "$TITLE711" "NOT_SCORED" "EXTRA"
|
||||
exit $EXITCODE
|
||||
fi
|
||||
|
||||
@@ -2077,6 +2099,7 @@ extra77
|
||||
extra78
|
||||
extra79
|
||||
extra710
|
||||
extra711
|
||||
|
||||
cleanTemp
|
||||
exit $EXITCODE
|
||||
|
||||
Reference in New Issue
Block a user