checks for glue - 7119,7121,7123,7124. 7125 not done yet

checks/check_extra7119

@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+# Remediation:
+#
+# https://www.cloudconformity.com/knowledge-base/aws/RDS/instance-deletion-protection.html
+# https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html
+#
+# aws rds modify-db-instance \
+#	--region us-east-1 \
+#	--db-instance-identifier test-db \
+#	--deletion-protection \
+#	[--apply-immediately | --no-apply-immediately]
+
+CHECK_ID_extra7119="7.119"
+CHECK_TITLE_extra7119="[extra7119] Security configurations used by ETL Development endpoints must have S3 encryption enabled."
+CHECK_SCORED_extra7119="NOT_SCORED"
+CHECK_TYPE_extra7119="EXTRA"
+CHECK_SEVERITY_extra7119="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7119="AwsGlue"
+CHECK_ALTERNATE_check7119="extra7119"
+
+extra7119(){
+  textInfo "Looking for Development Endpoints in all regions...  "
+  for regx in $REGIONS; do
+    LIST_GLUE_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].SecurityConfiguration' --output text)
+    if [[ $LIST_GLUE_SC ]]; then
+      for sc in $(echo '${LIST_GLUE_SC}'| jq -r '.[] | @base64');do
+        textInfo "$ENDPOINT_SECURITY"
+        ENDPOINT_SC_ENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx glue get-security-configurations $sc --query 'SecurityConfiguration.EncryptionConfiguration.S3Encryption.S3EncryptionMode' --output text)
+        if [[ENDPOINT_SC_ENCRYPTION == "DISABLED" ]]; then
+          textFail "$regx: Development Endpoint Security Configuration $sc has S3 encryption not enabled!" "$regx"
+        else
+          textPass "$regx: Development Endpoint Security Configuration $sc has S3 encryption enabled" "$regx"
+        fi
+      done
+    else
+      textInfo "$regx: No Security Configuration found" "$regx"
+    fi
+  done
+}
+
+

checks/check_extra7121

@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+# Remediation:
+#
+# https://www.cloudconformity.com/knowledge-base/aws/RDS/instance-deletion-protection.html
+# https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html
+#
+# aws rds modify-db-instance \
+#	--region us-east-1 \
+#	--db-instance-identifier test-db \
+#	--deletion-protection \
+#	[--apply-immediately | --no-apply-immediately]
+
+CHECK_ID_extra7121="7.121"
+CHECK_TITLE_extra7121="[extra7121] Security configurations used by ETL Development endpoints must have CloudWatch logs encryption enabled."
+CHECK_SCORED_extra7121="NOT_SCORED"
+CHECK_TYPE_extra7121="EXTRA"
+CHECK_SEVERITY_extra7121="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7121="AwsGlue"
+CHECK_ALTERNATE_check7121="extra7121"
+
+extra7121(){
+  textInfo "Looking for Development Endpoints in all regions...  "
+  for regx in $REGIONS; do
+    LIST_GLUE_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].SecurityConfiguration' --output text)
+    if [[ $LIST_GLUE_SC ]]; then
+      for sc in $(echo '${LIST_GLUE_SC}'| jq -r '.[] | @base64');do
+        textInfo "$ENDPOINT_SECURITY"
+        ENDPOINT_SC_ENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx glue get-security-configurations $sc --query 'SecurityConfiguration.EncryptionConfiguration.CloudWatchEncryption.CloudWatchEncryptionMode' --output text)
+        if [[ENDPOINT_SC_ENCRYPTION == "DISABLED" ]]; then
+          textFail "$regx: Development Endpoint Security Configuration $sc has CloudWatch logs encryption not enabled!" "$regx"
+        else
+          textPass "$regx: Development Endpoint Security Configuration $sc has CloudWatch logs encryption enabled" "$regx"
+        fi
+      done
+    else
+      textInfo "$regx: No Security Configuration found" "$regx"
+    fi
+  done
+}

checks/check_extra7123

@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+# Remediation:
+#
+# https://www.cloudconformity.com/knowledge-base/aws/RDS/instance-deletion-protection.html
+# https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html
+#
+# aws rds modify-db-instance \
+#	--region us-east-1 \
+#	--db-instance-identifier test-db \
+#	--deletion-protection \
+#	[--apply-immediately | --no-apply-immediately]
+
+CHECK_ID_extra7123="7.123"
+CHECK_TITLE_extra7123="[extra7123] Security configurations used by ETL Development endpoints must have Job bookmark encryption enabled."
+CHECK_SCORED_extra7123="NOT_SCORED"
+CHECK_TYPE_extra7123="EXTRA"
+CHECK_SEVERITY_extra7123="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7123="AwsGlue"
+CHECK_ALTERNATE_check7123="extra7123"
+
+extra7123(){
+  textInfo "Looking for Development Endpoints in all regions...  "
+  for regx in $REGIONS; do
+    LIST_GLUE_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].SecurityConfiguration' --output text)
+    if [[ $LIST_GLUE_SC ]]; then
+      for sc in $(echo '${LIST_GLUE_SC}'| jq -r '.[] | @base64');do
+        textInfo "$ENDPOINT_SECURITY"
+        ENDPOINT_SC_ENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx glue get-security-configurations $sc --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode' --output text)
+        if [[ENDPOINT_SC_ENCRYPTION == "DISABLED" ]]; then
+          textFail "$regx: Development Endpoint Security Configuration $sc has bookmark encryption not enabled!" "$regx"
+        else
+          textPass "$regx: Development EndpointSecurity Configuration $sc has bookmark encryption enabled" "$regx"
+        fi
+      done
+    else
+      textInfo "$regx: No Security Configuration found" "$regx"
+    fi
+  done
+}

checks/check_extra7124

@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+# Remediation:
+#
+# https://www.cloudconformity.com/knowledge-base/aws/RDS/instance-deletion-protection.html
+# https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html
+#
+# aws rds modify-db-instance \
+#	--region us-east-1 \
+#	--db-instance-identifier test-db \
+#	--deletion-protection \
+#	[--apply-immediately | --no-apply-immediately]
+
+CHECK_ID_extra7124="7.124"
+CHECK_TITLE_extra7124="[extra7124] ETL Job Server-side encryption (Enables Amazon S3-managed encryption of the data at the target (SSE-S3) must be enabled."
+CHECK_SCORED_extra7124="NOT_SCORED"
+CHECK_TYPE_extra7124="EXTRA"
+CHECK_SEVERITY_extra7124="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7124="AwsGlue"
+CHECK_ALTERNATE_check7124="extra7124"
+
+extra7124(){
+  textInfo "Looking for ETL Jobs in all regions...  "
+  for regx in $REGIONS; do
+    LIST_GLUE_SC=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --query 'Jobs[*].SecurityConfiguration'--output text)
+    if [[ $LIST_GLUE_SC ]]; then
+      for sc in $(echo '${LIST_GLUE_SC}'| jq -r '.[] | @base64');do
+        textInfo "$ENDPOINT_SECURITY"
+        ENDPOINT_SC_ENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx glue get-security-configurations $sc --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode' --output text)
+        if [[ENDPOINT_SC_ENCRYPTION == "SSE-S3" ]]; then
+          textFail "$regx: ETL Job Security Configuration $sc has (SSE-S3) encryption enabled" "$regx"
+        else
+          textPass "$regx: ETL Job Security Configuration $sc has (SSE-S3) encryption is not enabled!" "$regx"
+        fi
+      done
+    else
+      textInfo "$regx: No ETL Development endpoints found" "$regx"
+    fi
+  done
+}

checks/check_extra7125

@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+# Remediation:
+#
+# https://www.cloudconformity.com/knowledge-base/aws/RDS/instance-deletion-protection.html
+# https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html
+#
+# aws rds modify-db-instance \
+#	--region us-east-1 \
+#	--db-instance-identifier test-db \
+#	--deletion-protection \
+#	[--apply-immediately | --no-apply-immediately]
+
+CHECK_ID_extra7125="7.125"
+CHECK_TITLE_extra7125="[extra7125] AWS Glue must be used with VPC Endpoints."
+CHECK_SCORED_extra7125="NOT_SCORED"
+CHECK_TYPE_extra7125="EXTRA"
+CHECK_SEVERITY_extra7125="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7125="AwsGlue"
+CHECK_ALTERNATE_check7125="extra7125"
+
+extra7125(){
+  textInfo "Looking for Development Endpoints in all regions...  "
+  for regx in $REGIONS; do
+    LIST_GLUE_SC=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --query 'Jobs[*].SecurityConfiguration'--output text)
+    if [[ $LIST_GLUE_SC ]]; then
+      for sc in $(echo '${LIST_GLUE_SC}'| jq -r '.[] | @base64');do
+        textInfo "$ENDPOINT_SECURITY"
+        ENDPOINT_SC_ENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx glue get-security-configurations $sc --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode' --output text)
+        if [[ENDPOINT_SC_ENCRYPTION == "SSE-S3" ]]; then
+          textFail "$regx: ETL Job Security Configuration $sc has (SSE-S3) encryption enabled" "$regx"
+        else
+          textPass "$regx: ETL Job Security Configuration $sc has (SSE-S3) encryption is not enabled!" "$regx"
+        fi
+      done
+    else
+      textInfo "$regx: No ETL Development endpoints found" "$regx"
+    fi
+  done
+}