From 669469e618ab588839105e67187e36ce69a12182 Mon Sep 17 00:00:00 2001
From: zfLQ2qx2 <31103058+zfLQ2qx2@users.noreply.github.com>
Date: Thu, 21 Nov 2019 03:04:58 -0500
Subject: [PATCH] Update extra764 and extra734, add .gitignore rules for vim
---
 .gitignore | 18 ++++++++++++++++++
 checks/check_extra734 | 13 ++++++++++---
 checks/check_extra764 | 4 ++--
 3 files changed, 30 insertions(+), 5 deletions(-)
 create mode 100644 .gitignore
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 00000000..3dc461ab
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,18 @@
+# Swap
+[._]*.s[a-v][a-z]
+[._]*.sw[a-p]
+[._]s[a-rt-v][a-z]
+[._]ss[a-gi-z]
+[._]sw[a-p]
+
+# Session
+Session.vim
+Sessionx.vim
+
+# Temporary
+.netrwhist
+*~
+# Auto-generated tag files
+tags
+# Persistent undo
+[._]*.un~
diff --git a/checks/check_extra734 b/checks/check_extra734
index 235e7423..26c5fbcf 100644
--- a/checks/check_extra734
+++ b/checks/check_extra734
@@ -21,14 +21,21 @@ extra734(){
 if [[ $LIST_OF_BUCKETS ]]; then
 for bucket in $LIST_OF_BUCKETS;do
+ # For this test to pass one of the following must be present:
+ # - Configure ServerSideEncryptionConfiguration rule for AES256 or aws:kms
+ # OR
+ # - Have bucket policy denying s3:PutObject when s3:x-amz-server-side-encryption is absent
+
 # query to get if has encryption enabled or not
 RESULT=$($AWSCLI s3api get-bucket-encryption $PROFILE_OPT --bucket $bucket --query ServerSideEncryptionConfiguration.Rules[].ApplyServerSideEncryptionByDefault[].SSEAlgorithm --output text 2>&1)
 if [[ $(echo "$RESULT" | grep AccessDenied) ]]; then
 textFail "Access Denied Trying to Get Encryption for $bucket"
 continue
 fi
- if [[ $(echo "$RESULT" | grep ServerSideEncryptionConfigurationNotFoundError) ]]; then
- textFail "Bucket $bucket does not enforce encryption!"
+
+ if [[ $RESULT == "AES256" || $RESULT == "aws:kms" ]];
+ then
+ textPass "Bucket $bucket is enabled for default encryption with $RESULT"
 continue
 fi
@@ -48,7 +55,7 @@ extra734(){
 fi
 # check if the S3 policy forces SSE s3:x-amz-server-side-encryption:true
- CHECK_BUCKET_SSE_POLICY_PRESENT=$(cat $TEMP_SSE_POLICY_FILE | jq --arg arn "arn:aws:s3:::${bucket}/*" '.Statement[]|select(.Effect=="Deny" and (.Principal|type == "object") and .Principal.AWS == "*" and .Action=="s3:PutObject" and .Resource==$arn and .Condition.StringNotEquals."s3:x-amz-server-side-encryption" != null)')
+ CHECK_BUCKET_SSE_POLICY_PRESENT=$(cat $TEMP_SSE_POLICY_FILE | jq --arg arn "arn:aws:s3:::${bucket}/*" '.Statement[]|select(.Effect=="Deny" and ((.Principal|type == "object") and .Principal.AWS == "*") or ((.Principal|type == "string") and .Principal == "*") and .Action=="s3:PutObject" and .Resource==$arn and .Condition.StringEquals."s3:x-amz-server-side-encryption" != null)')
 if [[ $CHECK_BUCKET_SSE_POLICY_PRESENT == "" ]]; then
 textFail "Bucket $bucket does not enforce encryption!"
 rm -fr $TEMP_SSE_POLICY_FILE
diff --git a/checks/check_extra764 b/checks/check_extra764
index fc3e7009..8ef4a806 100644
--- a/checks/check_extra764
+++ b/checks/check_extra764
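Review bot: The `or` added to the jq select on the new CHECK_BUCKET_SSE_POLICY_PRESENT line is not parenthesized, and jq binds `and` tighter than `or`, so the filter reads as `(.Effect=="Deny" and object-principal) or (string-principal and .Action=="s3:PutObject" and .Resource==$arn and .Condition…)`: a Deny of any action with Principal {"AWS":"*"} satisfies the first branch and an Allow with Principal "*" satisfies the second, so a bucket with no SSE-enforcing policy can be reported as passing. Keep Effect outside the disjunction and wrap it: `select(.Effect=="Deny" and (((.Principal|type == "object") and .Principal.AWS == "*") or ((.Principal|type == "string") and .Principal == "*")) and .Action=="s3:PutObject" and .Resource==$arn and .Condition.StringEquals."s3:x-amz-server-side-encryption" != null)`. Separately, the comment added in the previous hunk says the policy must deny PutObject when `s3:x-amz-server-side-encryption` is absent, but a Deny keyed on `StringEquals` only matches requests that do carry the header; the documented intent corresponds to a `Null` condition (or the `StringNotEquals` the replaced line tested), so confirm which policy shape this check is meant to accept. `.Action=="s3:PutObject"` also misses statements whose Action is an array; `(.Action|.=="s3:PutObject" or (type=="array" and index("s3:PutObject")))` would cover both forms. The enclosing for-loop of extra734 starts and ends outside this hunk.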
@@ -33,8 +33,8 @@ extra764(){
 continue
 fi
- # check if the S3 policy denies all actions by all principals when aws:SecureTransport:false
- CHECK_BUCKET_STP_POLICY_PRESENT=$(cat $TEMP_STP_POLICY_FILE | jq --arg arn "arn:aws:s3:::${bucket}/*" '.Statement[]|select(.Effect=="Deny" and (.Principal|type == "object") and .Principal.AWS == "*" and .Action=="s3:*" and .Resource==$arn and .Condition.Bool."aws:SecureTransport" == "false")')
+ # https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-policy-for-config-rule/
+ CHECK_BUCKET_STP_POLICY_PRESENT=$(cat $TEMP_STP_POLICY_FILE | jq --arg arn "arn:aws:s3:::${bucket}/*" '.Statement[]|select(((.Principal|type == "object") and .Principal.AWS == "*") or ((.Principal|type == "string") and .Principal == "*")) and .Action=="s3:*" and (.Resource|type == "array") and (.Resource|map({(.):0})[]|has($arn)) and (.Resource|map({(.):0})[]|has($arn+"/*")) and .Condition.Bool."aws:SecureTransport" == "false")')
 if [[ $CHECK_BUCKET_STP_POLICY_PRESENT ]]; then
 textPass "Bucket $bucket has S3 bucket policy to deny requests over insecure transport"
 else
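Review bot: `--arg arn` on the new CHECK_BUCKET_STP_POLICY_PRESENT line is still built as `arn:aws:s3:::${bucket}/*`, so the added `has($arn+"/*")` test looks for `arn:aws:s3:::${bucket}/*/*`, a resource the linked policy never lists, and the check reports every bucket as failing; change it to `--arg arn "arn:aws:s3:::${bucket}"` so the two `has` tests match the bucket ARN and its `/*` form as that policy spells them. The rewrite also drops `.Effect=="Deny"` from the select, so an Allow statement with the same principal, action, resource and condition would be accepted as the transport-denying policy, and by my count `select(` is closed right after the Principal disjunction, leaving the final `)` unmatched — if jq rejects the program, the variable is empty and every bucket again fails. Both are addressed by opening the select as `select(.Effect=="Deny" and (((.Principal|type == "object") and .Principal.AWS == "*") or ((.Principal|type == "string") and .Principal == "*")) and .Action=="s3:*" and …` with the rest of the expression and its closing parenthesis unchanged. The enclosing for-loop of extra764 starts and ends outside this hunk.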