added support of -g groups

checks/check110

@@ -6,7 +6,6 @@ CHECK_ALTERNATE_check110="check110"
 check110(){
   # "Ensure IAM password policy prevents password reuse: 24 or greater (Scored)"
   COMMAND110=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --query 'PasswordPolicy.PasswordReusePrevention' --output text 2> /dev/null)
-  textTitle "$ID110" "$TITLE110" "SCORED" "LEVEL1"
   if [[ $COMMAND110 ]];then
     if [[ $COMMAND110 -gt "23" ]];then
       textOK "Password Policy limits reuse"

checks/check111

@@ -6,7 +6,6 @@ CHECK_ALTERNATE_check111="check111"
 check111(){
   # "Ensure IAM password policy expires passwords within 90 days or less (Scored)"
   COMMAND111=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json | grep MaxPasswordAge | awk -F: '{ print $2 }'|sed 's/\ //g'|sed 's/,/ /g' 2> /dev/null)
-  textTitle "$ID111" "$TITLE111" "SCORED" "LEVEL1"
   if [[ $COMMAND111 ]];then
     if [ "$COMMAND111" == "90" ];then
       textOK "Password Policy includes expiration"

checks/check112

@@ -8,7 +8,6 @@ check112(){
   # ensure the access_key_1_active and access_key_2_active fields are set to FALSE.
   ROOTKEY1=$(cat $TEMP_REPORT_FILE |grep root_account|awk -F',' '{ print $9 }')
   ROOTKEY2=$(cat $TEMP_REPORT_FILE |grep root_account|awk -F',' '{ print $14 }')
-  textTitle "$ID112" "$TITLE112" "SCORED" "LEVEL1"
   if [ "$ROOTKEY1" == "false" ];then
     textOK "No access key 1 found for root"
   else

checks/check113

@@ -6,7 +6,6 @@ CHECK_ALTERNATE_check113="check113"
 check113(){
   # "Ensure MFA is enabled for the root account (Scored)"
   COMMAND113=$($AWSCLI iam get-account-summary $PROFILE_OPT --region $REGION --output json --query 'SummaryMap.AccountMFAEnabled')
-  textTitle "$ID113" "$TITLE113" "SCORED" "LEVEL1"
   if [ "$COMMAND113" == "1" ]; then
     textOK "Virtual MFA is enabled for root"
   else

checks/check114

@@ -6,7 +6,6 @@ CHECK_ALTERNATE_check114="check114"
 check114(){
   # "Ensure hardware MFA is enabled for the root account (Scored)"
   COMMAND113=$($AWSCLI iam get-account-summary $PROFILE_OPT --region $REGION --output json --query 'SummaryMap.AccountMFAEnabled')
-  textTitle "$ID114" "$TITLE114" "SCORED" "LEVEL1"
   if [ "$COMMAND113" == "1" ]; then
     COMMAND114=$($AWSCLI iam list-virtual-mfa-devices $PROFILE_OPT --region $REGION --output text --assignment-status Assigned --query 'VirtualMFADevices[*].[SerialNumber]' | grep '^arn:aws:iam::[0-9]\{12\}:mfa/root-account-mfa-device$')
     if [[ "$COMMAND114" ]]; then

checks/check115

@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check115="check115"
 
 check115(){
   # "Ensure security questions are registered in the AWS account (Not Scored)"
-  textTitle "$ID115" "$TITLE115" "NOT_SCORED" "LEVEL2"
   textNotice "No command available for check 1.15 "
   textNotice "Login to the AWS Console as root & click on the Account "
   textNotice "Name -> My Account -> Configure Security Challenge Questions "

checks/check116

@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check116="check116"
 
 check116(){
   # "Ensure IAM policies are attached only to groups or roles (Scored)"
-  textTitle "$ID116" "$TITLE116" "SCORED" "LEVEL1"
   LIST_USERS=$($AWSCLI iam list-users --query 'Users[*].UserName' --output text $PROFILE_OPT --region $REGION)
   C116_NUM_USERS=0
   for user in $LIST_USERS;do

checks/check117

@@ -6,7 +6,6 @@ CHECK_ALTERNATE_check117="check117"
 check117(){
   # "Enable detailed billing (Scored)"
   # No command available
-  textTitle "$ID117" "$TITLE117" "SCORED" "LEVEL1"
   textNotice "No command available for check 1.17 "
   textNotice "See section 1.17 on the CIS Benchmark guide for details "
 }

checks/check118

@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check118="check118"
 
 check118(){
   # "Ensure IAM Master and IAM Manager roles are active (Scored)"
-  textTitle "$ID118" "$TITLE118" "SCORED" "LEVEL1"
   FINDMASTERANDMANAGER=$($AWSCLI iam list-roles $PROFILE_OPT --region $REGION --query "Roles[*].{RoleName:RoleName}" --output text | grep -E 'Master|Manager'| tr '
 ' ' ')
   if [[ $FINDMASTERANDMANAGER ]];then

checks/check119

@@ -6,7 +6,6 @@ CHECK_ALTERNATE_check119="check119"
 check119(){
   # "Maintain current contact details (Scored)"
   # No command available
-  textTitle "$ID119" "$TITLE119" "SCORED" "LEVEL1"
   textNotice "No command available for check 1.19 "
   textNotice "See section 1.19 on the CIS Benchmark guide for details "
 }

checks/check120

@@ -6,7 +6,6 @@ CHECK_ALTERNATE_check120="check120"
 check120(){
   # "Ensure security contact information is registered (Scored)"
   # No command available
-  textTitle "$ID120" "$TITLE120" "SCORED" "LEVEL1"
   textNotice "No command available for check 1.20 "
   textNotice "See section 1.20 on the CIS Benchmark guide for details "
 }

checks/check121

@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check121="check121"
 
 check121(){
   # "Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)"
-  textTitle "$ID121" "$TITLE121" "NOT_SCORED" "LEVEL2"
   textNotice "No command available for check 1.21 "
   textNotice "See section 1.21 on the CIS Benchmark guide for details "
 }

checks/check122

@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check122="check122"
 
 check122(){
   # "Ensure a support role has been created to manage incidents with AWS Support (Scored)"
-  textTitle "$ID122" "$TITLE122" "SCORED" "LEVEL1"
   SUPPORTPOLICYARN=$($AWSCLI iam list-policies --query "Policies[?PolicyName == 'AWSSupportAccess'].Arn" $PROFILE_OPT --region $REGION --output text)
   if [[ $SUPPORTPOLICYARN ]];then
     for policyarn in $SUPPORTPOLICYARN;do

checks/check123

@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check123="check123"
 
 check123(){
   # "Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)"
-  textTitle "$ID123" "$TITLE123" "NOT_SCORED" "LEVEL1"
   LIST_USERS=$($AWSCLI iam list-users --query 'Users[*].UserName' --output text $PROFILE_OPT --region $REGION)
   # List of USERS with KEY1 last_used_date as N/A
   LIST_USERS_KEY1_NA=$(for user in $LIST_USERS; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$11 }'|grep N/A |awk '{ print $1 }'; done)

checks/check124

@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check124="check124"
 
 check124(){
   # "Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)"
-  textTitle "$ID124" "$TITLE124" "SCORED" "LEVEL1"
   LIST_CUSTOM_POLICIES=$($AWSCLI iam list-policies --output text $PROFILE_OPT --region $REGION|grep 'arn:aws:iam::[0-9]\{12\}:'|awk '{ print $2 }')
   if [[ $LIST_CUSTOM_POLICIES ]]; then
     textNotice "Looking for custom policies: (skipping default policies - it may take few seconds...)"

checks/check13

@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check103="check13"
 
 check13(){
   # "Ensure credentials unused for 90 days or greater are disabled (Scored)"
-  textTitle "$ID13" "$TITLE13" "SCORED" "LEVEL1"
   COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED=$(cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$4 }' |grep true | awk '{ print $1 }')
   if [[ $COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED ]]; then
     COMMAND13=$(

checks/check14

@@ -7,7 +7,6 @@ check14(){
   # "Ensure access keys are rotated every 90 days or less (Scored)" # also checked by Security Monkey
   LIST_OF_USERS_WITH_ACCESS_KEY1=$(cat $TEMP_REPORT_FILE| awk -F, '{ print $1, $9 }' |grep "\ true" | awk '{ print $1 }')
   LIST_OF_USERS_WITH_ACCESS_KEY2=$(cat $TEMP_REPORT_FILE| awk -F, '{ print $1, $14 }' |grep "\ true" | awk '{ print $1 }')
-  textTitle "$ID14" "$TITLE14" "SCORED" "LEVEL1"
   C14_NUM_USERS1=0
   C14_NUM_USERS2=0
     if [[ $LIST_OF_USERS_WITH_ACCESS_KEY1 ]]; then

checks/check15

@@ -6,7 +6,6 @@ CHECK_ALTERNATE_check105="check15"
 check15(){
   # "Ensure IAM password policy requires at least one uppercase letter (Scored)"
   COMMAND15=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireUppercaseCharacters' 2> /dev/null) # must be true
-  textTitle "$ID15" "$TITLE15" "SCORED" "LEVEL1"
   if [[ "$COMMAND15" == "true" ]];then
     textOK "Password Policy requires upper case"
   else

checks/check16

@@ -6,7 +6,6 @@ CHECK_ALTERNATE_check106="check16"
 check16(){
   # "Ensure IAM password policy require at least one lowercase letter (Scored)"
   COMMAND16=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireLowercaseCharacters' 2> /dev/null) # must be true
-  textTitle "$ID16" "$TITLE16" "SCORED" "LEVEL1"
   if [[ "$COMMAND16" == "true" ]];then
     textOK "Password Policy requires lower case"
   else

checks/check17

@@ -6,7 +6,6 @@ CHECK_ALTERNATE_check107="check17"
 check17(){
   # "Ensure IAM password policy require at least one symbol (Scored)"
   COMMAND17=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireSymbols' 2> /dev/null) # must be true
-  textTitle "$ID17" "$TITLE17" "SCORED" "LEVEL1"
   if [[ "$COMMAND17" == "true" ]];then
     textOK "Password Policy requires symbol"
   else

checks/check18

@@ -6,7 +6,6 @@ CHECK_ALTERNATE_check18="check18"
 check18(){
   # "Ensure IAM password policy require at least one number (Scored)"
   COMMAND18=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireNumbers' 2> /dev/null) # must be true
-  textTitle "$ID18" "$TITLE18" "SCORED" "LEVEL1"
   if [[ "$COMMAND18" == "true" ]];then
     textOK "Password Policy requires number"
   else

checks/check19

@@ -6,7 +6,6 @@ CHECK_ALTERNATE_check109="check19"
 check19(){
   # "Ensure IAM password policy requires minimum length of 14 or greater (Scored)"
   COMMAND19=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.MinimumPasswordLength' 2> /dev/null)
-  textTitle "$ID19" "$TITLE19" "SCORED" "LEVEL1"
   if [[ $COMMAND19 -gt "13" ]];then
     textOK "Password Policy requires more than 13 characters"
   else

checks/check21

@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check201="check21"
 
 check21(){
   # "Ensure CloudTrail is enabled in all regions (Scored)"
-  textTitle "$ID21" "$TITLE21" "SCORED" "LEVEL1"
   LIST_OF_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].Name' --output text)
   if [[ $LIST_OF_TRAILS ]];then
     for trail in $LIST_OF_TRAILS;do

checks/check22

@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check202="check22"
 
 check22(){
   # "Ensure CloudTrail log file validation is enabled (Scored)"
-  textTitle "$ID22" "$TITLE22" "SCORED" "LEVEL2"
   LIST_OF_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].Name' --output text)
   if [[ $LIST_OF_TRAILS ]];then
     for trail in $LIST_OF_TRAILS;do

checks/check23

@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check203="check23"
 
 check23(){
   # "Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)"
-  textTitle "$ID23" "$TITLE23" "SCORED" "LEVEL1"
   CLOUDTRAILBUCKET=$($AWSCLI cloudtrail describe-trails --query 'trailList[*].S3BucketName' --output text $PROFILE_OPT --region $REGION)
   if [[ $CLOUDTRAILBUCKET ]];then
     for bucket in $CLOUDTRAILBUCKET;do

checks/check24

@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check204="check24"
 
 check24(){
   # "Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)"
-  textTitle "$ID24" "$TITLE24" "SCORED" "LEVEL1"
   TRAILS_AND_REGIONS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].{Name:Name, HomeRegion:HomeRegion}' --output text | tr "	" ',')
   if [[ $TRAILS_AND_REGIONS ]];then
     for reg_trail in $TRAILS_AND_REGIONS;do

checks/check25

@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check205="check25"
 
 check25(){
   # "Ensure AWS Config is enabled in all regions (Scored)"
-  textTitle "$ID25" "$TITLE25" "SCORED" "LEVEL1"
   for regx in $REGIONS; do
     CHECK_AWSCONFIG_STATUS=$($AWSCLI configservice get-status $PROFILE_OPT --region $regx --output json| grep "recorder: ON")
     if [[ $CHECK_AWSCONFIG_STATUS ]];then

checks/check26

@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check206="check26"
 
 check26(){
   # "Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)"
-  textTitle "$ID26" "$TITLE26" "SCORED" "LEVEL1"
   CLOUDTRAILBUCKET=$($AWSCLI cloudtrail describe-trails --query 'trailList[*].S3BucketName' --output text $PROFILE_OPT --region $REGION)
     if [[ $CLOUDTRAILBUCKET ]];then
       for bucket in $CLOUDTRAILBUCKET;do

checks/check27

@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check207="check27"
 
 check27(){
   # "Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)"
-  textTitle "$ID27" "$TITLE27" "SCORED" "LEVEL2"
   CLOUDTRAILNAME=$($AWSCLI cloudtrail describe-trails --query 'trailList[*].Name' --output text $PROFILE_OPT --region $REGION)
     if [[ $CLOUDTRAILNAME ]];then
       for trail in $CLOUDTRAILNAME;do

checks/check28

@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check208="check28"
 
 check28(){
   # "Ensure rotation for customer created CMKs is enabled (Scored)"
-  textTitle "$ID28" "$TITLE28" "SCORED" "LEVEL2"
   for regx in $REGIONS; do
   CHECK_KMS_KEYLIST=$($AWSCLI kms list-keys $PROFILE_OPT --region $regx --output text --query 'Keys[*].KeyId')
     if [[ $CHECK_KMS_KEYLIST ]];then

checks/check31

@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check301="check31"
 
 check31(){
   # "Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)"
-  textTitle "$ID31" "$TITLE31" "SCORED" "LEVEL1"
   CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text| tr '	' '
 ' | awk -F: '{ print $7 }')
   if [[ $CLOUDWATCH_GROUP ]];then

checks/check310

@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check310="check310"
 
 check310(){
   # "Ensure a log metric filter and alarm exist for security group changes (Scored)"
-  textTitle "$ID310" "$TITLE310" "SCORED" "LEVEL2"
   CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr '	' '
 ' | awk -F: '{ print $7 }')
   if [[ $CLOUDWATCH_GROUP ]];then

checks/check311

@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check311="check311"
 
 check311(){
   # "Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored)"
-  textTitle "$ID311" "$TITLE311" "SCORED" "LEVEL2"
   CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr '	' '
 ' | awk -F: '{ print $7 }')
   if [[ $CLOUDWATCH_GROUP ]];then

checks/check312

@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check312="check312"
 
 check312(){
   # "Ensure a log metric filter and alarm exist for changes to network gateways (Scored)"
-  textTitle "$ID312" "$TITLE312" "SCORED" "LEVEL1"
   CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr '	' '
 ' | awk -F: '{ print $7 }')
   if [[ $CLOUDWATCH_GROUP ]];then

checks/check313

@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check313="check313"
 
 check313(){
   # "Ensure a log metric filter and alarm exist for route table changes (Scored)"
-  textTitle "$ID313" "$TITLE313" "SCORED" "LEVEL1"
   CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr '	' '
 ' | awk -F: '{ print $7 }')
   if [[ $CLOUDWATCH_GROUP ]];then

checks/check314

@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check314="check314"
 
 check314(){
   # "Ensure a log metric filter and alarm exist for VPC changes (Scored)"
-  textTitle "$ID314" "$TITLE314" "SCORED" "LEVEL1"
   CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr '	' '
 ' | awk -F: '{ print $7 }')
   if [[ $CLOUDWATCH_GROUP ]];then

checks/check315

@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check315="check315"
 
 check315(){
   # "Ensure appropriate subscribers to each SNS topic (Not Scored)"
-  textTitle "$ID315" "$TITLE315" "NOT_SCORED" "LEVEL1"
   CAN_SNS_LIST_SUBS=1
   for regx in $REGIONS; do
     TOPICS_LIST=$($AWSCLI sns list-topics $PROFILE_OPT --region $regx --output text --query 'Topics[*].TopicArn')

checks/check32

@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check302="check32"
 
 check32(){
   # "Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)"
-  textTitle "$ID32" "$TITLE32" "SCORED" "LEVEL1"
   CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr '	' '
 ' | awk -F: '{ print $7 }')
   if [[ $CLOUDWATCH_GROUP ]];then

checks/check33

@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check303="check33"
 
 check33(){
   # "Ensure a log metric filter and alarm exist for usage of root account (Scored)"
-  textTitle "$ID33" "$TITLE33" "SCORED" "LEVEL1"
   CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr '	' '
 ' | awk -F: '{ print $7 }')
   if [[ $CLOUDWATCH_GROUP ]];then

checks/check34

@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check304="check34"
 
 check34(){
   # "Ensure a log metric filter and alarm exist for IAM policy changes (Scored)"
-  textTitle "$ID34" "$TITLE34" "SCORED" "LEVEL1"
   CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr '	' '
 ' | awk -F: '{ print $7 }')
   if [[ $CLOUDWATCH_GROUP ]];then

checks/check35

@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check305="check35"
 
 check35(){
   # "Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)"
-  textTitle "$ID35" "$TITLE35" "SCORED" "LEVEL1"
   CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr '	' '
 ' | awk -F: '{ print $7 }')
   if [[ $CLOUDWATCH_GROUP ]];then

checks/check36

@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check306="check36"
 
 check36(){
   # "Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)"
-  textTitle "$ID36" "$TITLE36" "SCORED" "LEVEL2"
   CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr '	' '
 ' | awk -F: '{ print $7 }')
   if [[ $CLOUDWATCH_GROUP ]];then

checks/check37

@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check307="check37"
 
 check37(){
   # "Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)"
-  textTitle "$ID37" "$TITLE37" "SCORED" "LEVEL2"
   CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr '	' '
 ' | awk -F: '{ print $7 }')
   if [[ $CLOUDWATCH_GROUP ]];then

checks/check38

@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check308="check38"
 
 check38(){
   # "Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)"
-  textTitle "$ID38" "$TITLE38" "SCORED" "LEVEL1"
   CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr '	' '
 ' | awk -F: '{ print $7 }')
   if [[ $CLOUDWATCH_GROUP ]];then

checks/check39

@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check309="check39"
 
 check39(){
   # "Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)"
-  textTitle "$ID39" "$TITLE39" "SCORED" "LEVEL2"
   CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr '	' '
 ' | awk -F: '{ print $7 }')
   if [[ $CLOUDWATCH_GROUP ]];then

checks/check41

@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check401="check41"
 
 check41(){
   # "Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)"
-  textTitle "$ID41" "$TITLE41" "SCORED" "LEVEL1"
   for regx in $REGIONS; do
     SG_LIST=$($AWSCLI ec2 describe-security-groups --query 'SecurityGroups[?length(IpPermissions[?((FromPort==null && ToPort==null) || (FromPort<=`22` && ToPort>=`22`)) && contains(IpRanges[].CidrIp, `0.0.0.0/0`)]) > `0`].{GroupId:GroupId}' $PROFILE_OPT --region $regx --output text)
     if [[ $SG_LIST ]];then

checks/check42

@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check402="check42"
 
 check42(){
   # "Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)"
-  textTitle "$ID42" "$TITLE42" "SCORED" "LEVEL1"
   for regx in $REGIONS; do
     SG_LIST=$($AWSCLI ec2 describe-security-groups --query 'SecurityGroups[?length(IpPermissions[?((FromPort==null && ToPort==null) || (FromPort<=`3389` && ToPort>=`3389`)) && contains(IpRanges[].CidrIp, `0.0.0.0/0`)]) > `0`].{GroupId:GroupId}' $PROFILE_OPT --region $regx --output text)
     if [[ $SG_LIST ]];then

checks/check43

@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check403="check43"
 
 check43(){
   # "Ensure VPC Flow Logging is Enabled in all VPCs (Scored)"
-  textTitle "$ID43" "$TITLE43" "SCORED" "LEVEL2"
   for regx in $REGIONS; do
     CHECK_FL=$($AWSCLI ec2 describe-flow-logs $PROFILE_OPT --region $regx --query 'FlowLogs[?FlowLogStatus==`ACTIVE`].LogGroupName' --output text)
     if [[ $CHECK_FL ]];then

checks/check44

@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check404="check44"
 
 check44(){
   # "Ensure the default security group of every VPC restricts all traffic (Scored)"
-  textTitle "$ID44" "$TITLE44" "SCORED" "LEVEL2"
   for regx in $REGIONS; do
     CHECK_SGDEFAULT=$($AWSCLI ec2 describe-security-groups $PROFILE_OPT --region $regx --filters Name=group-name,Values='default' --query 'SecurityGroups[*].{IpPermissions:IpPermissions,IpPermissionsEgress:IpPermissionsEgress,GroupId:GroupId}' --output text |grep 0.0.0.0)
     if [[ $CHECK_SGDEFAULT ]];then

checks/check45

@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check405="check45"
 
 check45(){
   # "Ensure routing tables for VPC peering are \"least access\" (Not Scored)"
-  textTitle "$ID45" "$TITLE45" "NOT_SCORED" "LEVEL2"
   textNotice "Looking for VPC peering in all regions...  "
   for regx in $REGIONS; do
     LIST_OF_VPCS_PEERING_CONNECTIONS=$($AWSCLI ec2 describe-vpc-peering-connections --output text $PROFILE_OPT --region $regx --query 'VpcPeeringConnections[*].VpcPeeringConnectionId')

checks/check_extra71

@@ -7,7 +7,6 @@ CHECK_ALTERNATE_check701="extra71"
 
 extra71(){
   # "Ensure users with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)"
-  textTitle "$ID71" "$TITLE71" "NOT_SCORED" "EXTRA"
   ADMIN_GROUPS=''
   AWS_GROUPS=$($AWSCLI $PROFILE_OPT iam list-groups --output text --query 'Groups[].GroupName')
   for grp in $AWS_GROUPS; do

checks/check_extra710

@@ -6,7 +6,6 @@ CHECK_ALTERNATE_check710="extra710"
 
 extra710(){
   # "Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)"
-  textTitle "$ID710" "$TITLE710" "NOT_SCORED" "EXTRA"
   textNotice "Looking for instances in all regions...  "
   for regx in $REGIONS; do
     LIST_OF_PUBLIC_INSTANCES=$($AWSCLI ec2 describe-instances $PROFILE_OPT --region $regx --query 'Reservations[*].Instances[?PublicIpAddress].[InstanceId,PublicIpAddress]' --output text)

checks/check_extra711

@@ -6,7 +6,6 @@ CHECK_ALTERNATE_check711="extra711"
 
 extra711(){
   # "Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)"
-  textTitle "$ID711" "$TITLE711" "NOT_SCORED" "EXTRA"
   textNotice "Looking for Reshift clusters in all regions...  "
   for regx in $REGIONS; do
     LIST_OF_PUBLIC_REDSHIFT_CLUSTERS=$($AWSCLI redshift describe-clusters $PROFILE_OPT --region $regx --query 'Clusters[?PubliclyAccessible == `true`].[ClusterIdentifier,Endpoint.Address]' --output text)

checks/check_extra712

@@ -6,7 +6,6 @@ CHECK_ALTERNATE_check712="extra712"
 
 extra712(){
   # "Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)"
-  textTitle "$ID712" "$TITLE712" "NOT_SCORED" "EXTRA"
   textNotice "No API commands available to check if Macie is enabled,"
   textNotice "just looking if IAM Macie related permissions exist.  "
   MACIE_IAM_ROLES_CREATED=$($AWSCLI iam list-roles $PROFILE_OPT --query 'Roles[*].Arn'|grep AWSMacieServiceCustomer|wc -l)

checks/check_extra713

@@ -6,7 +6,6 @@ CHECK_ALTERNATE_check713="extra713"
 
 extra713(){
   # "Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)"
-  textTitle "$ID713" "$TITLE713" "NOT_SCORED" "EXTRA"
   for regx in $REGIONS; do
     LIST_OF_GUARDDUTY_DETECTORS=$($AWSCLI guardduty list-detectors $PROFILE_OPT --region $regx --output text |cut -f2)
     if [[ $LIST_OF_GUARDDUTY_DETECTORS ]];then

checks/check_extra714

@@ -6,7 +6,6 @@ CHECK_ALTERNATE_check714="extra714"
 
 extra714(){
   # "Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)"
-  textTitle "$ID714" "$TITLE714" "NOT_SCORED" "EXTRA"
   for regx in $REGIONS; do
     LIST_OF_DISTRIBUTIONS=$($AWSCLI cloudfront list-distributions $PROFILE_OPT --region $regx --query 'DistributionList.Items[].Id' --output text |grep -v "^None")
     if [[ $LIST_OF_DISTRIBUTIONS ]]; then

checks/check_extra715

@@ -5,7 +5,6 @@ CHECK_ALTERNATE_extra715="extra715"
 CHECK_ALTERNATE_check715="extra715"
 
 extra715(){
-  textTitle "$ID715" "$TITLE715" "NOT_SCORED" "EXTRA"
   for regx in $REGIONS; do
     LIST_OF_DOMAINS=$($AWSCLI es list-domain-names $PROFILE_OPT --region $regx --query DomainNames --output text)
     if [[ $LIST_OF_DOMAINS ]]; then

checks/check_extra716

@@ -6,7 +6,6 @@ CHECK_ALTERNATE_check716="extra716"
 
 extra716(){
   # "Check if Elasticsearch Service domains allow open access (Not Scored) (Not part of CIS benchmark)"
-  textTitle "$ID716" "$TITLE716" "NOT_SCORED" "EXTRA"
   for regx in $REGIONS; do
     LIST_OF_DOMAINS=$($AWSCLI es list-domain-names $PROFILE_OPT --region $regx --query DomainNames --output text)
     if [[ $LIST_OF_DOMAINS ]]; then

checks/check_extra717

@@ -6,7 +6,6 @@ CHECK_ALTERNATE_check717="extra717"
 
 extra717(){
   # "Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)"
-  textTitle "$ID717" "$TITLE717" "NOT_SCORED" "EXTRA"
   for regx in $REGIONS; do
     LIST_OF_ELBS=$($AWSCLI elb describe-load-balancers $PROFILE_OPT --region $regx --query 'LoadBalancerDescriptions[*].LoadBalancerName' --output text|xargs -n1)
     LIST_OF_ELBSV2=$($AWSCLI elbv2 describe-load-balancers $PROFILE_OPT --region $regx --query 'LoadBalancers[*].LoadBalancerArn' --output text|xargs -n1)

checks/check_extra718

@@ -6,7 +6,6 @@ CHECK_ALTERNATE_check718="extra718"
 
 extra718(){
   # "Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)"
-  textTitle "$ID718" "$TITLE718" "NOT_SCORED" "EXTRA"
   LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --query Buckets[*].Name --output text|xargs -n1)
   if [[ $LIST_OF_BUCKETS ]]; then
     for bucket in $LIST_OF_BUCKETS;do

checks/check_extra719

@@ -6,7 +6,6 @@ CHECK_ALTERNATE_check719="extra719"
 
 extra719(){
   # "Check if Route53 hosted zones are logging queries to CloudWatch Logs (Not Scored) (Not part of CIS benchmark)"
-  textTitle "$ID719" "$TITLE719" "NOT_SCORED" "EXTRA"
   LIST_OF_HOSTED_ZONES=$($AWSCLI route53 list-hosted-zones $PROFILE_OPT --query HostedZones[*].Id --output text|xargs -n1)
   if [[ $LIST_OF_HOSTED_ZONES ]]; then
     for hostedzoneid in $LIST_OF_HOSTED_ZONES;do

checks/check_extra72

@@ -7,7 +7,6 @@ CHECK_ALTERNATE_check702="extra72"
 
 extra72(){
   # "Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark)"
-  textTitle "$ID72" "$TITLE72" "NOT_SCORED" "EXTRA"
   textNotice "Looking for EBS Snapshots in all regions...  "
   for regx in $REGIONS; do
     LIST_OF_EBS_SNAPSHOTS=$($AWSCLI ec2 describe-snapshots $PROFILE_OPT --region $regx --owner-ids $ACCOUNT_NUM --output text --query 'Snapshots[*].{ID:SnapshotId}' --max-items $MAXITEMS | grep -v None 2> /dev/null)

checks/check_extra720

@@ -6,7 +6,6 @@ CHECK_ALTERNATE_check720="extra720"
 
 extra720(){
   # "Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)"
-  textTitle "$ID720" "$TITLE720" "NOT_SCORED" "EXTRA"
   for regx in $REGIONS; do
     LIST_OF_FUNCTIONS=$($AWSCLI lambda list-functions $PROFILE_OPT --region $regx --query Functions[*].FunctionName --output text)
     if [[ $LIST_OF_FUNCTIONS ]]; then

checks/check_extra721

@@ -6,7 +6,6 @@ CHECK_ALTERNATE_check721="extra721"
 
 extra721(){
   # "Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark)"
-  textTitle "$ID721" "$TITLE721" "NOT_SCORED" "EXTRA"
   for regx in $REGIONS; do
     LIST_OF_REDSHIFT_CLUSTERS=$($AWSCLI redshift describe-clusters $PROFILE_OPT --region $regx --query 'Clusters[*].ClusterIdentifier' --output text)
     if [[ $LIST_OF_REDSHIFT_CLUSTERS ]]; then

checks/check_extra722

@@ -6,7 +6,6 @@ CHECK_ALTERNATE_extra722="extra722"
 
 extra722(){
   # "Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark)"
-  textTitle "$ID722" "$TITLE722" "NOT_SCORED" "EXTRA"
   for regx in $REGIONS; do
     LIST_OF_API_GW=$($AWSCLI apigateway get-rest-apis $PROFILE_OPT --region $regx --query items[*].id --output text)
     if [[ $LIST_OF_API_GW ]];then

checks/check_extra723

@@ -6,7 +6,6 @@ CHECK_ALTERNATE_extra723="extra723"
 
 extra723(){
   # "Check if RDS Snapshots are public (Not Scored) (Not part of CIS benchmark)"
-  textTitle "$ID723" "$TITLE723" "NOT_SCORED" "EXTRA"
   for regx in $REGIONS; do
     # RDS snapshots
     LIST_OF_RDS_SNAPSHOTS=$($AWSCLI rds describe-db-snapshots $PROFILE_OPT --region $regx --query DBSnapshots[*].DBSnapshotIdentifier --output text)

checks/check_extra73

@@ -7,7 +7,6 @@ CHECK_ALTERNATE_check703="extra73"
 
 extra73(){
   # "Ensure there are no S3 buckets open to the Everyone or Any AWS user (Not Scored) (Not part of CIS benchmark)"
-  textTitle "$ID73" "$TITLE73" "NOT_SCORED" "EXTRA"
   textNotice "Looking for open S3 Buckets (ACLs and Policies) in all regions...  "
   ALL_BUCKETS_LIST=$($AWSCLI s3api list-buckets --query 'Buckets[*].{Name:Name}' $PROFILE_OPT --region $REGION --output text)
   for bucket in $ALL_BUCKETS_LIST; do

checks/check_extra74

@@ -7,7 +7,6 @@ CHECK_ALTERNATE_check704="extra74"
 
 extra74(){
   # "Ensure there are no Security Groups without ingress filtering being used (Not Scored) (Not part of CIS benchmark)"
-  textTitle "$ID74" "$TITLE74" "NOT_SCORED" "EXTRA"
   textNotice "Looking for Security Groups in all regions...  "
   for regx in $REGIONS; do
     LIST_OF_SECURITYGROUPS=$($AWSCLI ec2 describe-security-groups $PROFILE_OPT --region $regx --filters "Name=ip-permission.cidr,Values=0.0.0.0/0" --query "SecurityGroups[].[GroupId]" --output text --max-items $MAXITEMS)

checks/check_extra75

@@ -7,7 +7,6 @@ CHECK_ALTERNATE_check705="extra75"
 
 extra75(){
   # "Ensure there are no Security Groups not being used (Not Scored) (Not part of CIS benchmark)"
-  textTitle "$ID75" "$TITLE75" "NOT_SCORED" "EXTRA"
   textNotice "Looking for Security Groups in all regions...  "
   for regx in $REGIONS; do
     LIST_OF_SECURITYGROUPS=$($AWSCLI ec2 describe-security-groups $PROFILE_OPT --region $regx --query "SecurityGroups[].[GroupId]" --output text --max-items $MAXITEMS)

checks/check_extra76

@@ -7,7 +7,6 @@ CHECK_ALTERNATE_check706="extra76"
 
 extra76(){
   # "Ensure there are no EC2 AMIs set as Public (Not Scored) (Not part of CIS benchmark)"
-  textTitle "$ID76" "$TITLE76" "NOT_SCORED" "EXTRA"
   textNotice "Looking for AMIs in all regions...  "
   for regx in $REGIONS; do
     LIST_OF_PUBLIC_AMIS=$($AWSCLI ec2 describe-images --owners self $PROFILE_OPT --region $regx --filters "Name=is-public,Values=true" --query 'Images[*].{ID:ImageId}' --output text)

checks/check_extra77

@@ -7,7 +7,6 @@ CHECK_ALTERNATE_check707="extra77"
 
 extra77(){
   # "Ensure there are no ECR repositories set as Public (Not Scored) (Not part of CIS benchmark)"
-  textTitle "$ID77" "$TITLE77" "NOT_SCORED" "EXTRA"
   textNotice "Looking for ECR repos in all regions...  "
   for regx in $REGIONS; do
     LIST_OF_ECR_REPOS=$($AWSCLI ecr describe-repositories $PROFILE_OPT --region $regx --query 'repositories[*].{Name:repositoryName}' --output text)

checks/check_extra78

@@ -7,7 +7,6 @@ CHECK_ALTERNATE_check708="extra78"
 
 extra78(){
   # "Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark)"
-  textTitle "$ID78" "$TITLE78" "NOT_SCORED" "EXTRA"
   textNotice "Looking for RDS instances in all regions...  "
   for regx in $REGIONS; do
     LIST_OF_RDS_PUBLIC_INSTANCES=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --query 'DBInstances[?PubliclyAccessible==`true`].[DBInstanceIdentifier,Endpoint.Address]' --output text)

checks/check_extra79

@@ -7,7 +7,6 @@ CHECK_ALTERNATE_check709="extra79"
 
 extra79(){
   # "Check for internet facing Elastic Load Balancers (Not Scored) (Not part of CIS benchmark)"
-  textTitle "$ID79" "$TITLE79" "NOT_SCORED" "EXTRA"
   textNotice "Looking for Elastic Load Balancers in all regions...  "
   for regx in $REGIONS; do
     LIST_OF_PUBLIC_ELBS=$($AWSCLI elb describe-load-balancers $PROFILE_OPT --region $regx --query 'LoadBalancerDescriptions[?Scheme == `internet-facing`].[LoadBalancerName,DNSName]' --output text)

groups/group0_init

@@ -1,6 +0,0 @@
-GROUP_ID[0]='init' # this group make easier to understand the array of groups
-GROUP_NUMBER[0]='0.0'
-GROUP_TITLE[0]='Init ****************************************************************'
-GROUP_RUN_BY_DEFAULT[0]='N' # run it when execute_all is called
-GROUP_CHECKS[0]=''
-

include/banner

@@ -1,11 +1,14 @@
 prowlerBanner() {
-  echo -e "$CYAN                          _"
-  echo -e "  _ __  _ __ _____      _| | ___ _ __"
-  echo -e " | '_ \| '__/ _ \ \ /\ / / |/ _ \ '__|"
-  echo -e " | |_) | | | (_) \ V  V /| |  __/ |"
-  echo -e " | .__/|_|  \___/ \_/\_/ |_|\___|_|v2.0"
-  echo -e " |_|$NORMAL$BLUE the handy cloud security tool$NORMAL\n"
-  echo -e "$YELLOW Date: $(date)"
+  if [[ $BANNER != "0" ]]; then
+    echo -e "$CYAN                          _"
+    echo -e "  _ __  _ __ _____      _| | ___ _ __"
+    echo -e " | '_ \| '__/ _ \ \ /\ / / |/ _ \ '__|"
+    echo -e " | |_) | | | (_) \ V  V /| |  __/ |"
+    echo -e " | .__/|_|  \___/ \_/\_/ |_|\___|_|v2.0"
+    echo -e " |_|$NORMAL$BLUE the handy cloud security tool$NORMAL\n"
+    echo -e "$YELLOW Date: $(date)"
+    printColorsCode
+  fi
 }
 
 infoReferenceLong(){

include/colors

@@ -53,6 +53,6 @@ fi
 
 printColorsCode(){
   if [[ $MONOCHROME -eq 0 ]]; then
-    echo -e "\n$NORMAL Colors code for results: $NOTICE INFORMATIVE$NORMAL,$OK OK (RECOMMENDED VALUE)$NORMAL, $BAD WARNING (FIX REQUIRED)$NORMAL"
+    echo -e "\n$NORMAL Colors code for results: $NOTICE INFO (Information)$NORMAL,$OK PASS (Recommended value)$NORMAL, $BAD FAIL (Fix required)$NORMAL"
   fi
 }

include/outputs

@@ -33,7 +33,7 @@ textWarn(){
     else
       REPREGION=$REGION
     fi
-    echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}WARNING${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$1"
+    echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}FAIL${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$1"
   else
     echo "      $BAD FAIL! $1 $NORMAL"
   fi

prowler

@@ -11,6 +11,8 @@
 #
 # Author: Toni de la Fuente - @ToniBlyx - https://blyx.com/contact
 
+# http://prowler.cloud 
+
 # Prowler - Iron Maiden
 #
 # Walking through the city, looking oh so pretty
@@ -44,9 +46,11 @@ USAGE:
   Options:
       -p <profile>        specify your AWS profile to use (i.e.: default)
       -r <region>         specify an AWS region to direct API requests to
-                            (i.e.: us-east-1), all regions are checked anyway
-      -c <check_id>       specify a check number or group from the AWS CIS benchmark
-                            (i.e.: "check11" for check 1.1, "check3" for entire section 3, "level1" for CIS Level 1 Profile Definitions or "forensics-ready")
+                            (i.e.: us-east-1), all regions are checked anyway if the check requires it
+      -c <check_id>       specify a check id, to see all available checks use "-l" option
+                            (i.e.: "check11" for check 1.1 or "extra71" for extra check 71)
+      -g <group_id>       specify a group of checks by id, to see all available group of checks use "-l"
+                            (i.e.: "check3" for entire section 3, "level1" for CIS Level 1 Profile Definitions or "forensics-ready")
       -f <filterregion>   specify an AWS region to run checks against
                             (i.e.: us-west-1)
       -m <maxitems>       specify the maximum number of items to return for long-running requests (default: 100)
@@ -62,7 +66,7 @@ USAGE:
   exit
 }
 
-while getopts ":hlkp:r:c:f:m:M:enb" OPTION; do
+while getopts ":hlkp:r:c:g:f:m:M:enb" OPTION; do
    case $OPTION in
      h )
         usage
@@ -82,7 +86,10 @@ while getopts ":hlkp:r:c:f:m:M:enb" OPTION; do
         REGION=$OPTARG
         ;;
      c )
-        CHECKNUMBER=$OPTARG
+        CHECK_ID=$OPTARG
+        ;;
+     g )
+        GROUP_ID=$OPTARG
         ;;
      f )
         FILTERREGION=$OPTARG
@@ -97,7 +104,7 @@ while getopts ":hlkp:r:c:f:m:M:enb" OPTION; do
         NUMERAL=1
         ;;
      b )
-        BANNER=1
+        BANNER=0
         ;;
      e )
         EXTRAS=1
@@ -184,6 +191,7 @@ execute_check() {
 		  $1
     else
       textWarn "ERROR! Use a valid check name (i.e. check41 or extra71)";
+      exit $EXITCODE
     fi
 	fi
 }
@@ -199,10 +207,13 @@ execute_group() {
 }
 
 # Function to execute group by name
-execute_group_by_name() {
-	for i in ${#GROUP_NAME[@]}; do
-		if [ "${GROUP_NAME[$i]}" == "$1" ]; then
+execute_group_by_id() {
+	for i in "${!GROUP_ID[@]}"; do
+		if [ "${GROUP_ID[$i]}" == "$1" ]; then
 			execute_group $i
+    else
+      textWarn "ERROR! Use a valid group check name (i.e. group1 or extras or forensics-ready)";
+      exit $EXITCODE
 		fi
 	done
 }
@@ -229,8 +240,15 @@ show_all_titles() {
 }
 
 # Execute single check if called with -c
-if [[ $CHECKNUMBER ]];then
-  execute_check $CHECKNUMBER
+if [[ $CHECK_ID ]];then
+  execute_check $CHECK_ID
+  cleanTemp
+  exit $EXITCODE
+fi
+
+# Execute group of checks if called with -g
+if [[ $GROUP_ID ]];then
+  execute_group_by_id $GROUP_ID
   cleanTemp
   exit $EXITCODE
 fi
@@ -245,7 +263,6 @@ fi
 ### All functions defined above ... run the workflow
 if [[ $MODE != "csv" ]]; then
   prowlerBanner
-  printColorsCode
 fi
 getWhoami
 genCredReport