diff --git a/LIST_OF_CHECKS_AND_GROUPS.md b/LIST_OF_CHECKS_AND_GROUPS.md
index a261cc76..850511cc 100644
--- a/LIST_OF_CHECKS_AND_GROUPS.md
+++ b/LIST_OF_CHECKS_AND_GROUPS.md
@@ -44,21 +44,17 @@ Colors code for results: INFO (Information), PASS (Recommended value), FAIL (F
1.16 [check116] Ensure IAM policies are attached only to groups or roles (Scored)
-1.17 [check117] Enable detailed billing (Scored)
+1.17 [check117] Maintain current contact details (Scored)
-1.18 [check118] Ensure IAM Master and IAM Manager roles are active (Scored)
+1.18 [check118] Ensure security contact information is registered (Scored)
-1.19 [check119] Maintain current contact details (Scored)
+1.19 [check119] Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)
-1.20 [check120] Ensure security contact information is registered (Scored)
+1.20 [check120] Ensure a support role has been created to manage incidents with AWS Support (Scored)
-1.21 [check121] Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)
+1.21 [check121] Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)
-1.22 [check122] Ensure a support role has been created to manage incidents with AWS Support (Scored)
-
-1.23 [check123] Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)
-
-1.24 [check124] Ensure IAM policies that allow full "*:*" administrative privileges are not created (Scored)
+1.22 [check122] Ensure IAM policies that allow full "*:*" administrative privileges are not created (Scored)
2.0 Logging - [group2] *********************************************
@@ -78,6 +74,8 @@ Colors code for results: INFO (Information), PASS (Recommended value), FAIL (F
2.8 [check28] Ensure rotation for customer created CMKs is enabled (Scored)
+2.9 [check29] Ensure VPC Flow Logging is Enabled in all VPCs (Scored)
+
3.0 Monitoring - [group3] ******************************************
3.1 [check31] Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)
@@ -108,19 +106,15 @@ Colors code for results: INFO (Information), PASS (Recommended value), FAIL (F
3.14 [check314] Ensure a log metric filter and alarm exist for VPC changes (Scored)
-3.15 [check315] Ensure appropriate subscribers to each SNS topic (Not Scored)
-
4.0 Networking - [group4] ******************************************
4.1 [check41] Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)
4.2 [check42] Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)
-4.3 [check43] Ensure VPC Flow Logging is Enabled in all VPCs (Scored)
+4.3 [check43] Ensure the default security group of every VPC restricts all traffic (Scored)
-4.4 [check44] Ensure the default security group of every VPC restricts all traffic (Scored)
-
-4.5 [check45] Ensure routing tables for VPC peering are "least access" (Not Scored)
+4.4 [check44] Ensure routing tables for VPC peering are "least access" (Not Scored)
5.0 CIS Level 1 - [cislevel1] **************************************
@@ -154,19 +148,17 @@ Colors code for results: INFO (Information), PASS (Recommended value), FAIL (F
1.16 [check116] Ensure IAM policies are attached only to groups or roles (Scored)
-1.17 [check117] Enable detailed billing (Scored)
+1.17 [check117] Maintain current contact details (Scored)
-1.18 [check118] Ensure IAM Master and IAM Manager roles are active (Scored)
+1.18 [check118] Ensure security contact information is registered (Scored)
-1.19 [check119] Maintain current contact details (Scored)
+1.19 [check119] Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)
-1.20 [check120] Ensure security contact information is registered (Scored)
+1.20 [check120] Ensure a support role has been created to manage incidents with AWS Support (Scored)
-1.22 [check122] Ensure a support role has been created to manage incidents with AWS Support (Scored)
+1.21 [check121] Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)
-1.23 [check123] Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)
-
-1.24 [check124] Ensure IAM policies that allow full "*:*" administrative privileges are not created (Scored)
+1.22 [check122] Ensure IAM policies that allow full "*:*" administrative privileges are not created (Scored)
2.1 [check21] Ensure CloudTrail is enabled in all regions (Scored)
@@ -196,8 +188,6 @@ Colors code for results: INFO (Information), PASS (Recommended value), FAIL (F
3.14 [check314] Ensure a log metric filter and alarm exist for VPC changes (Scored)
-3.15 [check315] Ensure appropriate subscribers to each SNS topic (Not Scored)
-
4.1 [check41] Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)
4.2 [check42] Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)
@@ -236,21 +226,17 @@ Colors code for results: INFO (Information), PASS (Recommended value), FAIL (F
1.16 [check116] Ensure IAM policies are attached only to groups or roles (Scored)
-1.17 [check117] Enable detailed billing (Scored)
+1.17 [check117] Maintain current contact details (Scored)
-1.18 [check118] Ensure IAM Master and IAM Manager roles are active (Scored)
+1.18 [check118] Ensure security contact information is registered (Scored)
-1.19 [check119] Maintain current contact details (Scored)
+1.19 [check119] Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)
-1.20 [check120] Ensure security contact information is registered (Scored)
+1.20 [check120] Ensure a support role has been created to manage incidents with AWS Support (Scored)
-1.21 [check121] Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)
+1.21 [check121] Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)
-1.22 [check122] Ensure a support role has been created to manage incidents with AWS Support (Scored)
-
-1.23 [check123] Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)
-
-1.24 [check124] Ensure IAM policies that allow full "*:*" administrative privileges are not created (Scored)
+1.22 [check122] Ensure IAM policies that allow full "*:*" administrative privileges are not created (Scored)
2.1 [check21] Ensure CloudTrail is enabled in all regions (Scored)
@@ -268,6 +254,8 @@ Colors code for results: INFO (Information), PASS (Recommended value), FAIL (F
2.8 [check28] Ensure rotation for customer created CMKs is enabled (Scored)
+2.9 [check29] Ensure VPC Flow Logging is Enabled in all VPCs (Scored)
+
3.1 [check31] Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)
3.2 [check32] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)
@@ -296,17 +284,13 @@ Colors code for results: INFO (Information), PASS (Recommended value), FAIL (F
3.14 [check314] Ensure a log metric filter and alarm exist for VPC changes (Scored)
-3.15 [check315] Ensure appropriate subscribers to each SNS topic (Not Scored)
-
4.1 [check41] Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)
4.2 [check42] Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)
-4.3 [check43] Ensure VPC Flow Logging is Enabled in all VPCs (Scored)
+4.3 [check43] Ensure the default security group of every VPC restricts all traffic (Scored)
-4.4 [check44] Ensure the default security group of every VPC restricts all traffic (Scored)
-
-4.5 [check45] Ensure routing tables for VPC peering are "least access" (Not Scored)
+4.4 [check44] Ensure routing tables for VPC peering are "least access" (Not Scored)
7.0 Extras - [extras] **********************************************
@@ -376,7 +360,7 @@ Colors code for results: INFO (Information), PASS (Recommended value), FAIL (F
2.7 [check27] Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)
-4.3 [check43] Ensure VPC Flow Logging is Enabled in all VPCs (Scored)
+2.9 [check29] Ensure VPC Flow Logging is Enabled in all VPCs (Scored)
7.12 [extra712] Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)
diff --git a/checks/check117 b/checks/check117
index 4805a9fb..72b62ba0 100644
--- a/checks/check117
+++ b/checks/check117
@@ -9,13 +9,13 @@
# work. If not, see .
CHECK_ID_check117="1.17"
-CHECK_TITLE_check117="[check117] Enable detailed billing (Scored)"
+CHECK_TITLE_check117="[check117] Maintain current contact details (Scored)"
CHECK_SCORED_check117="SCORED"
CHECK_TYPE_check117="LEVEL1"
CHECK_ALTERNATE_check117="check117"
check117(){
- # "Enable detailed billing (Scored)"
+ # "Maintain current contact details (Scored)"
# No command available
textInfo "No command available for check 1.17 "
textInfo "See section 1.17 on the CIS Benchmark guide for details "
diff --git a/checks/check118 b/checks/check118
index e6bb9ce9..f3c20f2a 100644
--- a/checks/check118
+++ b/checks/check118
@@ -9,32 +9,14 @@
# work. If not, see .
CHECK_ID_check118="1.18"
-CHECK_TITLE_check118="[check118] Ensure IAM Master and IAM Manager roles are active (Scored)"
+CHECK_TITLE_check118="[check118] Ensure security contact information is registered (Scored)"
CHECK_SCORED_check118="SCORED"
CHECK_TYPE_check118="LEVEL1"
CHECK_ALTERNATE_check118="check118"
check118(){
- # "Ensure IAM Master and IAM Manager roles are active (Scored)"
- FINDMASTERANDMANAGER=$($AWSCLI iam list-roles $PROFILE_OPT --region $REGION --query "Roles[*].{RoleName:RoleName}" --output text | grep -E 'Master|Manager'| tr '
-' ' ')
- if [[ $FINDMASTERANDMANAGER ]];then
- textInfo "Found next roles as possible IAM Master and IAM Manager candidates: "
- textInfo "$FINDMASTERANDMANAGER "
- textInfo "run the commands below to check their policies with section 1.18 in the guide..."
- for role in $FINDMASTERANDMANAGER;do
- # find inline policies in found roles
- INLINEPOLICIES=$($AWSCLI iam list-role-policies --role-name $role $PROFILE_OPT --region $REGION --query "PolicyNames[*]" --output text)
- for policy in $INLINEPOLICIES;do
- textInfo "INLINE: $AWSCLI iam get-role-policy --role-name $role --policy-name $policy $PROFILE_OPT --region $REGION --output json"
- done
- # find attached policies in found roles
- ATTACHEDPOLICIES=$($AWSCLI iam list-attached-role-policies --role-name $role $PROFILE_OPT --region $REGION --query "AttachedPolicies[*]" --output text)
- for policy in $ATTACHEDPOLICIES;do
- textInfo "ATTACHED: $AWSCLI iam get-role-policy --role-name $role --policy-name $policy $PROFILE_OPT --region $REGION --output json"
- done
- done
- else
- textFail "IAM Master and IAM Manager roles not found"
- fi
+ # "Ensure security contact information is registered (Scored)"
+ # No command available
+ textInfo "No command available for check 1.18 "
+ textInfo "See section 1.18 on the CIS Benchmark guide for details "
}
diff --git a/checks/check119 b/checks/check119
index b8549cec..5555bbe7 100644
--- a/checks/check119
+++ b/checks/check119
@@ -9,14 +9,13 @@
# work. If not, see .
CHECK_ID_check119="1.19"
-CHECK_TITLE_check119="[check119] Maintain current contact details (Scored)"
-CHECK_SCORED_check119="SCORED"
-CHECK_TYPE_check119="LEVEL1"
+CHECK_TITLE_check119="[check119] Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)"
+CHECK_SCORED_check119="NOT_SCORED"
+CHECK_TYPE_check119="LEVEL2"
CHECK_ALTERNATE_check119="check119"
check119(){
- # "Maintain current contact details (Scored)"
- # No command available
+ # "Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)"
textInfo "No command available for check 1.19 "
textInfo "See section 1.19 on the CIS Benchmark guide for details "
}
diff --git a/checks/check120 b/checks/check120
index 17ca89f5..a7491c38 100644
--- a/checks/check120
+++ b/checks/check120
@@ -9,14 +9,28 @@
# work. If not, see .
CHECK_ID_check120="1.20"
-CHECK_TITLE_check120="[check120] Ensure security contact information is registered (Scored)"
+CHECK_TITLE_check120="[check120] Ensure a support role has been created to manage incidents with AWS Support (Scored)"
CHECK_SCORED_check120="SCORED"
CHECK_TYPE_check120="LEVEL1"
CHECK_ALTERNATE_check120="check120"
check120(){
- # "Ensure security contact information is registered (Scored)"
- # No command available
- textInfo "No command available for check 1.20 "
- textInfo "See section 1.20 on the CIS Benchmark guide for details "
+ # "Ensure a support role has been created to manage incidents with AWS Support (Scored)"
+ SUPPORTPOLICYARN=$($AWSCLI iam list-policies --query "Policies[?PolicyName == 'AWSSupportAccess'].Arn" $PROFILE_OPT --region $REGION --output text)
+ if [[ $SUPPORTPOLICYARN ]];then
+ for policyarn in $SUPPORTPOLICYARN;do
+ POLICYUSERS=$($AWSCLI iam list-entities-for-policy --policy-arn $SUPPORTPOLICYARN $PROFILE_OPT --region $REGION --output json)
+ if [[ $POLICYUSERS ]];then
+ textPass "Support Policy attached to $policyarn"
+ for user in $(echo "$POLICYUSERS" | grep UserName | cut -d'"' -f4) ; do
+ textInfo "User $user has support access via $policyarn"
+ done
+ # textInfo "Make sure your team can create a Support case with AWS "
+ else
+ textFail "Support Policy not applied to any Group / User / Role "
+ fi
+ done
+ else
+ textFail "No Support Policy found"
+ fi
}
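Review bot: Inside the `for policyarn in $SUPPORTPOLICYARN` loop, the `list-entities-for-policy` call on the next line passes `--policy-arn $SUPPORTPOLICYARN` (the whole list) instead of `$policyarn`, so with more than one matching ARN the CLI call is malformed. The non-empty test on `$POLICYUSERS` also looks unreliable: as far as I recall, `list-entities-for-policy --output json` returns a document containing the `PolicyGroups`, `PolicyUsers` and `PolicyRoles` keys even when all three are empty, so the branch reports PASS when the policy is attached to nobody, and the grep on `UserName` ignores roles and groups although the check title asks for a support role. I would fetch the three entity lists in one query and test that instead: `POLICYENTITIES=$($AWSCLI iam list-entities-for-policy --policy-arn $policyarn $PROFILE_OPT --region $REGION --query '[PolicyGroups[].GroupName, PolicyUsers[].UserName, PolicyRoles[].RoleName][]' --output text)` followed by `if [[ $POLICYENTITIES ]];then`, then print each entity from that list. The body is moved unchanged from the old check122, so the defect predates this commit but now ships under a new check id.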
diff --git a/checks/check121 b/checks/check121
index 72086221..7f621add 100644
--- a/checks/check121
+++ b/checks/check121
@@ -9,13 +9,32 @@
# work. If not, see .
CHECK_ID_check121="1.21"
-CHECK_TITLE_check121="[check121] Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)"
+CHECK_TITLE_check121="[check121] Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)"
CHECK_SCORED_check121="NOT_SCORED"
-CHECK_TYPE_check121="LEVEL2"
+CHECK_TYPE_check121="LEVEL1"
CHECK_ALTERNATE_check121="check121"
check121(){
- # "Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)"
- textInfo "No command available for check 1.21 "
- textInfo "See section 1.21 on the CIS Benchmark guide for details "
+ # "Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)"
+ LIST_USERS=$($AWSCLI iam list-users --query 'Users[*].UserName' --output text $PROFILE_OPT --region $REGION)
+ # List of USERS with KEY1 last_used_date as N/A
+ LIST_USERS_KEY1_NA=$(for user in $LIST_USERS; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$11 }'|grep N/A |awk '{ print $1 }'; done)
+ LIST_USERS_KEY1_ACTIVE=$(for user in $LIST_USERS_KEY1_NA; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$9 }'|grep "true$"|awk '{ print $1 }'|sed 's/[[:blank:]]+/,/g' ; done)
+ if [[ $LIST_USERS_KEY1_ACTIVE ]]; then
+ for user in $LIST_USERS_KEY1_ACTIVE; do
+ textInfo "$user has never used Access Key 1"
+ done
+ else
+ textPass "No users found with Access Key 1 never used"
+ fi
+ # List of USERS with KEY2 last_used_date as N/A
+ LIST_USERS_KEY2_NA=$(for user in $LIST_USERS; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$16 }'|grep N/A |awk '{ print $1 }' ; done)
+ LIST_USERS_KEY2_ACTIVE=$(for user in $LIST_USERS_KEY2_NA; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$14 }'|grep "true$" |awk '{ print $1 }' ; done)
+ if [[ $LIST_USERS_KEY2_ACTIVE ]]; then
+ for user in $LIST_USERS_KEY2_ACTIVE; do
+ textInfo "$user has never used Access Key 2"
+ done
+ else
+ textPass "No users found with Access Key 2 never used"
+ fi
}
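Review bot: The title restricts this check to IAM users that have a console password, but nothing in the new body looks at the password column: `LIST_USERS` comes from `iam list-users` and is only filtered on the access-key columns ($9/$11 and $14/$16), so API-only service users with a never-used key are reported too, and users who have both a password and an unused key are never singled out. Assuming `$TEMP_REPORT_FILE` is the IAM credential report (the column numbers used match that layout), `password_enabled` is column 4, so the user list can be derived from it directly: `LIST_USERS=$(awk -F, 'NR>1 && $4 == "true" { print $1 }' $TEMP_REPORT_FILE)`. Two smaller points: hits are emitted with `textInfo`, so this check can never FAIL, and the `sed 's/[[:blank:]]+/,/g'` on the KEY1 line is a no-op in basic regex (`+` is literal) and is absent from the KEY2 line, so it can be dropped. The code is carried over from the deleted check123, so this predates the commit.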
diff --git a/checks/check122 b/checks/check122
index 70ad1100..8ca4a4af 100644
--- a/checks/check122
+++ b/checks/check122
@@ -9,28 +9,32 @@
# work. If not, see .
CHECK_ID_check122="1.22"
-CHECK_TITLE_check122="[check122] Ensure a support role has been created to manage incidents with AWS Support (Scored)"
+CHECK_TITLE_check122="[check122] Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)"
CHECK_SCORED_check122="SCORED"
CHECK_TYPE_check122="LEVEL1"
CHECK_ALTERNATE_check122="check122"
check122(){
- # "Ensure a support role has been created to manage incidents with AWS Support (Scored)"
- SUPPORTPOLICYARN=$($AWSCLI iam list-policies --query "Policies[?PolicyName == 'AWSSupportAccess'].Arn" $PROFILE_OPT --region $REGION --output text)
- if [[ $SUPPORTPOLICYARN ]];then
- for policyarn in $SUPPORTPOLICYARN;do
- POLICYUSERS=$($AWSCLI iam list-entities-for-policy --policy-arn $SUPPORTPOLICYARN $PROFILE_OPT --region $REGION --output json)
- if [[ $POLICYUSERS ]];then
- textPass "Support Policy attached to $policyarn"
- for user in $(echo "$POLICYUSERS" | grep UserName | cut -d'"' -f4) ; do
- textInfo "User $user has support access via $policyarn"
- done
- # textInfo "Make sure your team can create a Support case with AWS "
- else
- textFail "Support Policy not applied to any Group / User / Role "
+ # "Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)"
+ LIST_CUSTOM_POLICIES=$($AWSCLI iam list-policies --output text $PROFILE_OPT --region $REGION|grep 'arn:aws:iam::[0-9]\{12\}:'|awk '{ print $2 }')
+ if [[ $LIST_CUSTOM_POLICIES ]]; then
+ textInfo "Looking for custom policies: (skipping default policies - it may take few seconds...)"
+ for policy in $LIST_CUSTOM_POLICIES; do
+ POLICY_VERSION=$($AWSCLI iam list-policies $PROFILE_OPT --region $REGION --query 'Policies[*].[Arn,DefaultVersionId]' --output text |awk "\$1 == \"$policy\" { print \$2 }")
+ POLICY_WITH_FULL=$($AWSCLI iam get-policy-version --output text --policy-arn $policy --version-id $POLICY_VERSION --query "PolicyVersion.Document.Statement[?Action!=null]|[?Effect == 'Allow' && contains(Resource, '*') && contains (Action, '*')]" $PROFILE_OPT --region $REGION)
+ if [[ $POLICY_WITH_FULL ]]; then
+ POLICIES_ALLOW_LIST="$POLICIES_ALLOW_LIST $policy"
fi
done
+ if [[ $POLICIES_ALLOW_LIST ]]; then
+ textInfo "List of custom policies: "
+ for policy in $POLICIES_ALLOW_LIST; do
+ textInfo "Policy $policy allows \"*:*\""
+ done
+ else
+ textPass "No custom policy found that allow full \"*:*\" administrative privileges"
+ fi
else
- textFail "No Support Policy found"
+ textPass "No custom policies found"
fi
}
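Review bot: A custom policy that grants `*:*` is reported with `textInfo` on the `Policy $policy allows` line, so this Scored check can never produce a FAIL; that line should be `textFail "Policy $policy allows \"*:*\""`. The JMESPath filter is also looser than the title: when `Action` (or `Resource`) is a plain string, `contains(Action, '*')` is a substring test, so `"Action": "s3:*"` with `"Resource": "*"` is flagged as full admin; an exact test needs the type distinguished, e.g. `((type(Action) == 'string' && Action == '*') || (type(Action) == 'array' && contains(Action, '*')))` and the same for `Resource`. The `POLICY_VERSION` line re-runs `iam list-policies` once per custom policy, which makes the loop quadratic in API calls; fetching `[Arn,DefaultVersionId]` once with `--scope Local` (which would also replace the account-id grep) or calling `iam get-policy --policy-arn $policy --query 'Policy.DefaultVersionId'` avoids that. `POLICIES_ALLOW_LIST` is never initialised before being appended to, so a stale value would leak into a second run in the same shell; this body is moved from the deleted check124, so all of this predates the commit.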
diff --git a/checks/check123 b/checks/check123
deleted file mode 100644
index 9f20fddf..00000000
--- a/checks/check123
+++ /dev/null
@@ -1,40 +0,0 @@
-#!/usr/bin/env bash
-
-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
-#
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
-#
-# You should have received a copy of the license along with this
-# work. If not, see .
-
-CHECK_ID_check123="1.23"
-CHECK_TITLE_check123="[check123] Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)"
-CHECK_SCORED_check123="NOT_SCORED"
-CHECK_TYPE_check123="LEVEL1"
-CHECK_ALTERNATE_check123="check123"
-
-check123(){
- # "Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)"
- LIST_USERS=$($AWSCLI iam list-users --query 'Users[*].UserName' --output text $PROFILE_OPT --region $REGION)
- # List of USERS with KEY1 last_used_date as N/A
- LIST_USERS_KEY1_NA=$(for user in $LIST_USERS; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$11 }'|grep N/A |awk '{ print $1 }'; done)
- LIST_USERS_KEY1_ACTIVE=$(for user in $LIST_USERS_KEY1_NA; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$9 }'|grep "true$"|awk '{ print $1 }'|sed 's/[[:blank:]]+/,/g' ; done)
- if [[ $LIST_USERS_KEY1_ACTIVE ]]; then
- for user in $LIST_USERS_KEY1_ACTIVE; do
- textInfo "$user has never used Access Key 1"
- done
- else
- textPass "No users found with Access Key 1 never used"
- fi
- # List of USERS with KEY2 last_used_date as N/A
- LIST_USERS_KEY2_NA=$(for user in $LIST_USERS; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$16 }'|grep N/A |awk '{ print $1 }' ; done)
- LIST_USERS_KEY2_ACTIVE=$(for user in $LIST_USERS_KEY2_NA; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$14 }'|grep "true$" |awk '{ print $1 }' ; done)
- if [[ $LIST_USERS_KEY2_ACTIVE ]]; then
- for user in $LIST_USERS_KEY2_ACTIVE; do
- textInfo "$user has never used Access Key 2"
- done
- else
- textPass "No users found with Access Key 2 never used"
- fi
-}
diff --git a/checks/check124 b/checks/check124
deleted file mode 100644
index e2aeab9d..00000000
--- a/checks/check124
+++ /dev/null
@@ -1,40 +0,0 @@
-#!/usr/bin/env bash
-
-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
-#
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
-#
-# You should have received a copy of the license along with this
-# work. If not, see .
-
-CHECK_ID_check124="1.24"
-CHECK_TITLE_check124="[check124] Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)"
-CHECK_SCORED_check124="SCORED"
-CHECK_TYPE_check124="LEVEL1"
-CHECK_ALTERNATE_check124="check124"
-
-check124(){
- # "Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)"
- LIST_CUSTOM_POLICIES=$($AWSCLI iam list-policies --output text $PROFILE_OPT --region $REGION|grep 'arn:aws:iam::[0-9]\{12\}:'|awk '{ print $2 }')
- if [[ $LIST_CUSTOM_POLICIES ]]; then
- textInfo "Looking for custom policies: (skipping default policies - it may take few seconds...)"
- for policy in $LIST_CUSTOM_POLICIES; do
- POLICY_VERSION=$($AWSCLI iam list-policies $PROFILE_OPT --region $REGION --query 'Policies[*].[Arn,DefaultVersionId]' --output text |awk "\$1 == \"$policy\" { print \$2 }")
- POLICY_WITH_FULL=$($AWSCLI iam get-policy-version --output text --policy-arn $policy --version-id $POLICY_VERSION --query "PolicyVersion.Document.Statement[?Action!=null]|[?Effect == 'Allow' && contains(Resource, '*') && contains (Action, '*')]" $PROFILE_OPT --region $REGION)
- if [[ $POLICY_WITH_FULL ]]; then
- POLICIES_ALLOW_LIST="$POLICIES_ALLOW_LIST $policy"
- fi
- done
- if [[ $POLICIES_ALLOW_LIST ]]; then
- textInfo "List of custom policies: "
- for policy in $POLICIES_ALLOW_LIST; do
- textInfo "Policy $policy allows \"*:*\""
- done
- else
- textPass "No custom policy found that allow full \"*:*\" administrative privileges"
- fi
- else
- textPass "No custom policies found"
- fi
-}
diff --git a/checks/check29 b/checks/check29
new file mode 100644
index 00000000..294430f0
--- /dev/null
+++ b/checks/check29
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see .
+
+CHECK_ID_check29="2.9,2.09"
+CHECK_TITLE_check29="[check29] Ensure VPC Flow Logging is Enabled in all VPCs (Scored)"
+CHECK_SCORED_check29="SCORED"
+CHECK_TYPE_check29="LEVEL2"
+CHECK_ALTERNATE_check209="check29"
+
+check29(){
+ # "Ensure VPC Flow Logging is Enabled in all VPCs (Scored)"
+ for regx in $REGIONS; do
+ CHECK_FL=$($AWSCLI ec2 describe-flow-logs $PROFILE_OPT --region $regx --query 'FlowLogs[?FlowLogStatus==`ACTIVE`].LogGroupName' --output text)
+ if [[ $CHECK_FL ]];then
+ for FL in $CHECK_FL;do
+ textPass "VPCFlowLog is enabled for LogGroupName: $FL in Region $regx" "$regx"
+ done
+ else
+ textFail "No VPCFlowLog has been found in Region $regx" "$regx"
+ fi
+ done
+}
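Review bot: The new check29 passes a region as soon as it finds any ACTIVE flow log and never lists the region's VPCs, so a region with several VPCs and a single logged one (or a flow log attached only to a subnet or ENI) is reported PASS although the title says all VPCs. It also keys its output on `LogGroupName`, which I believe is empty for flow logs delivered to S3, so those would print a blank name. Since this is a new file, the loop could enumerate `describe-vpcs` per region and test each VpcId against the `ResourceId` list of active flow logs, as below; a region with no VPCs then needs its own INFO line rather than a FAIL. The describe-flow-logs loop is moved from the old check43, so the weakness predates the commit.
```shell
check29(){
  # "Ensure VPC Flow Logging is Enabled in all VPCs (Scored)"
  for regx in $REGIONS; do
    LIST_OF_VPCS=$($AWSCLI ec2 describe-vpcs $PROFILE_OPT --region $regx --query 'Vpcs[*].VpcId' --output text)
    # ResourceId of an ACTIVE flow log is the VPC, subnet or ENI it captures; only vpc- ids count here
    VPCS_WITH_FL=$($AWSCLI ec2 describe-flow-logs $PROFILE_OPT --region $regx --query 'FlowLogs[?FlowLogStatus==`ACTIVE`].ResourceId' --output text | tr '\t' ' ')
    if [[ ! $LIST_OF_VPCS ]]; then
      textInfo "No VPCs found in Region $regx" "$regx"
      continue
    fi
    for vpc in $LIST_OF_VPCS; do
      if [[ " $VPCS_WITH_FL " == *" $vpc "* ]]; then
        textPass "VPCFlowLog is enabled for VPC $vpc in Region $regx" "$regx"
      else
        textFail "No VPCFlowLog has been found for VPC $vpc in Region $regx" "$regx"
      fi
    done
  done
}
```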
diff --git a/checks/check315 b/checks/check315
deleted file mode 100644
index 679125be..00000000
--- a/checks/check315
+++ /dev/null
@@ -1,51 +0,0 @@
-#!/usr/bin/env bash
-
-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
-#
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
-#
-# You should have received a copy of the license along with this
-# work. If not, see .
-
-CHECK_ID_check315="3.15"
-CHECK_TITLE_check315="[check315] Ensure appropriate subscribers to each SNS topic (Not Scored)"
-CHECK_SCORED_check315="NOT_SCORED"
-CHECK_TYPE_check315="LEVEL1"
-CHECK_ALTERNATE_check315="check315"
-
-check315(){
- # "Ensure appropriate subscribers to each SNS topic (Not Scored)"
- CAN_SNS_LIST_SUBS=1
- for regx in $REGIONS; do
- TOPICS_LIST=$($AWSCLI sns list-topics $PROFILE_OPT --region $regx --output text --query 'Topics[*].TopicArn')
- ntopics=$(echo $TOPICS_LIST | wc -w )
- if [[ $TOPICS_LIST && $CAN_SNS_LIST_SUBS -eq 1 ]];then
- textInfo "Region $regx has $ntopics topics" "$regx"
- for topic in $TOPICS_LIST; do
- TOPIC_SHORT=$(echo $topic | awk -F: '{ print $6 }')
- CHECK_TOPIC_LIST=$($AWSCLI sns list-subscriptions-by-topic --topic-arn $topic $PROFILE_OPT --region $regx --query 'Subscriptions[*].{Endpoint:Endpoint,Protocol:Protocol}' --output text --max-items $MAXITEMS 2> /dev/null)
- if [[ $? -eq 255 ]]; then
- # Permission error
- export CAN_SNS_LIST_SUBS=0
- ntopics=$(echo $TOPICS_LIST | wc -w )
- textInfo "Region $regx / $ntopics Topics / Subscriptions NO_PERMISSION" "$regx"
- break;
- fi
- if [[ "Z" != "Z${CHECK_TOPIC_LIST}" ]]; then
- printf '%s
-' "$CHECK_TOPIC_LIST" | while IFS= read -r dest ; do
- textInfo "Region $regx / Topic $TOPIC_SHORT / Subscription $dest" "$regx"
- done
- else
- textFail "Region $regx / Topic $TOPIC_SHORT / Subscription NONE" "$regx"
- fi
- done
- elif [[ $CAN_SNS_LIST_SUBS -eq 0 ]]; then
- textInfo "Region $regx has $ntopics topics - unable to list subscribers" "$regx"
- # break
- else
- textPass "Region $regx has 0 topics" "$regx"
- fi
- done
-}
diff --git a/checks/check43 b/checks/check43
index e91ee4c6..36f81fb9 100644
--- a/checks/check43
+++ b/checks/check43
@@ -9,21 +9,19 @@
# work. If not, see .
CHECK_ID_check43="4.3,4.03"
-CHECK_TITLE_check43="[check43] Ensure VPC Flow Logging is Enabled in all VPCs (Scored)"
+CHECK_TITLE_check43="[check43] Ensure the default security group of every VPC restricts all traffic (Scored)"
CHECK_SCORED_check43="SCORED"
CHECK_TYPE_check43="LEVEL2"
CHECK_ALTERNATE_check403="check43"
check43(){
- # "Ensure VPC Flow Logging is Enabled in all VPCs (Scored)"
+ # "Ensure the default security group of every VPC restricts all traffic (Scored)"
for regx in $REGIONS; do
- CHECK_FL=$($AWSCLI ec2 describe-flow-logs $PROFILE_OPT --region $regx --query 'FlowLogs[?FlowLogStatus==`ACTIVE`].LogGroupName' --output text)
- if [[ $CHECK_FL ]];then
- for FL in $CHECK_FL;do
- textPass "VPCFlowLog is enabled for LogGroupName: $FL in Region $regx" "$regx"
- done
+ CHECK_SGDEFAULT=$($AWSCLI ec2 describe-security-groups $PROFILE_OPT --region $regx --filters Name=group-name,Values='default' --query 'SecurityGroups[*].{IpPermissions:IpPermissions,IpPermissionsEgress:IpPermissionsEgress,GroupId:GroupId}' --output text |grep 0.0.0.0)
+ if [[ $CHECK_SGDEFAULT ]];then
+ textFail "Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region $regx" "$regx"
else
- textFail "No VPCFlowLog has been found in Region $regx" "$regx"
+ textPass "No Default Security Groups open to 0.0.0.0 found in Region $regx" "$regx"
fi
done
}
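Review bot: The `grep 0.0.0.0` on the `describe-security-groups` text output only catches IPv4 any-source rules, while the check title requires the default security group to restrict all traffic, i.e. to carry no inbound or outbound rule at all: a default group still holding AWS's initial self-referencing inbound rule, an `::/0` IPv6 egress rule, or a rule scoped to a specific CIDR all pass here. Counting rules is the safer test, e.g. `--query 'SecurityGroups[*].[GroupId, length(IpPermissions), length(IpPermissionsEgress)]' --output text | awk '$2 > 0 || $3 > 0 { print $1 }'`, failing when that output is non-empty and naming the offending group ids in the message. The PASS/FAIL messages should then stop mentioning 0.0.0.0. This body is moved from the previous check44, so the weakness predates the commit.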
diff --git a/checks/check44 b/checks/check44
index 74450d08..536e6a36 100644
--- a/checks/check44
+++ b/checks/check44
@@ -9,19 +9,26 @@
# work. If not, see .
CHECK_ID_check44="4.4,4.04"
-CHECK_TITLE_check44="[check44] Ensure the default security group of every VPC restricts all traffic (Scored)"
-CHECK_SCORED_check44="SCORED"
+CHECK_TITLE_check44="[check44] Ensure routing tables for VPC peering are \"least access\" (Not Scored)"
+CHECK_SCORED_check44="NOT_SCORED"
CHECK_TYPE_check44="LEVEL2"
CHECK_ALTERNATE_check404="check44"
check44(){
- # "Ensure the default security group of every VPC restricts all traffic (Scored)"
+ # "Ensure routing tables for VPC peering are \"least access\" (Not Scored)"
+ textInfo "Looking for VPC peering in all regions... "
for regx in $REGIONS; do
- CHECK_SGDEFAULT=$($AWSCLI ec2 describe-security-groups $PROFILE_OPT --region $regx --filters Name=group-name,Values='default' --query 'SecurityGroups[*].{IpPermissions:IpPermissions,IpPermissionsEgress:IpPermissionsEgress,GroupId:GroupId}' --output text |grep 0.0.0.0)
- if [[ $CHECK_SGDEFAULT ]];then
- textFail "Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region $regx" "$regx"
+ LIST_OF_VPCS_PEERING_CONNECTIONS=$($AWSCLI ec2 describe-vpc-peering-connections --output text $PROFILE_OPT --region $regx --query 'VpcPeeringConnections[*].VpcPeeringConnectionId')
+ if [[ $LIST_OF_VPCS_PEERING_CONNECTIONS ]];then
+ textInfo "$regx: $LIST_OF_VPCS_PEERING_CONNECTIONS - review routing tables" "$regx"
+ #LIST_OF_VPCS=$($AWSCLI ec2 describe-vpcs $PROFILE_OPT --region $regx --query 'Vpcs[*].VpcId' --output text)
+ #aws ec2 describe-route-tables --filter "Name=vpc-id,Values=vpc-0213e864" --query "RouteTables[*].{RouteTableId:RouteTableId, VpcId:VpcId, Routes:Routes, AssociatedSubnets:Associations[*].SubnetId}" $PROFILE_OPT --region $regx
+ # for vpc in $LIST_OF_VPCS; do
+ # VPCS_WITH_PEERING=$($AWSCLI ec2 describe-route-tables --filter "Name=vpc-id,Values=$vpc" $PROFILE_OPT --region $regx --query "RouteTables[*].{RouteTableId:RouteTableId, VpcId:VpcId, Routes:Routes, AssociatedSubnets:Associations[*].SubnetId}" |grep GatewayId|grep pcx-)
+ # done
+ #echo $VPCS_WITH_PEERING
else
- textPass "No Default Security Groups open to 0.0.0.0 found in Region $regx" "$regx"
+ textPass "$regx: No VPC peering found" "$regx"
fi
done
}
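Review bot: The moved body drops the deterministic ordering the deleted check45 had: the `LIST_OF_VPCS_PEERING_CONNECTIONS=` line here takes the raw `describe-vpc-peering-connections` text output, whereas check45 (also in this diff) wrapped it in `printf '%s\n' $(...) | sort | paste -s -d" " -` precisely so the report could be diffed between runs, with a comment saying so. Restoring that wrapper keeps the output stable. Separately, the commented-out block below it, including the hard-coded `vpc-0213e864`, is carried along unfinished; either complete the route-table inspection (for instance flagging routes whose target starts with `pcx-` and whose destination is a broad CIDR) or drop the dead code rather than ship it under a new check id.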
diff --git a/checks/check45 b/checks/check45
deleted file mode 100644
index 586cdef4..00000000
--- a/checks/check45
+++ /dev/null
@@ -1,35 +0,0 @@
-#!/usr/bin/env bash
-
-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
-#
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
-#
-# You should have received a copy of the license along with this
-# work. If not, see .
-
-CHECK_ID_check45="4.5,4.05"
-CHECK_TITLE_check45="[check45] Ensure routing tables for VPC peering are \"least access\" (Not Scored)"
-CHECK_SCORED_check45="NOT_SCORED"
-CHECK_TYPE_check45="LEVEL2"
-CHECK_ALTERNATE_check405="check45"
-
-check45(){
- # "Ensure routing tables for VPC peering are \"least access\" (Not Scored)"
- textInfo "Looking for VPC peering in all regions... "
- for regx in $REGIONS; do
- # Sort output so that we can diff between runs.
- LIST_OF_VPCS_PEERING_CONNECTIONS=$(printf '%s\n' $($AWSCLI ec2 describe-vpc-peering-connections --output text $PROFILE_OPT --region $regx --query 'VpcPeeringConnections[*].VpcPeeringConnectionId') | sort | paste -s -d" " -)
- if [[ $LIST_OF_VPCS_PEERING_CONNECTIONS ]];then
- textInfo "$regx: $LIST_OF_VPCS_PEERING_CONNECTIONS - review routing tables" "$regx"
- #LIST_OF_VPCS=$($AWSCLI ec2 describe-vpcs $PROFILE_OPT --region $regx --query 'Vpcs[*].VpcId' --output text)
- #aws ec2 describe-route-tables --filter "Name=vpc-id,Values=vpc-0213e864" --query "RouteTables[*].{RouteTableId:RouteTableId, VpcId:VpcId, Routes:Routes, AssociatedSubnets:Associations[*].SubnetId}" $PROFILE_OPT --region $regx
- # for vpc in $LIST_OF_VPCS; do
- # VPCS_WITH_PEERING=$($AWSCLI ec2 describe-route-tables --filter "Name=vpc-id,Values=$vpc" $PROFILE_OPT --region $regx --query "RouteTables[*].{RouteTableId:RouteTableId, VpcId:VpcId, Routes:Routes, AssociatedSubnets:Associations[*].SubnetId}" |grep GatewayId|grep pcx-)
- # done
- #echo $VPCS_WITH_PEERING
- else
- textPass "$regx: No VPC peering found" "$regx"
- fi
- done
-}
diff --git a/groups/group1_iam b/groups/group1_iam
index 006d4c53..e999b7c7 100644
--- a/groups/group1_iam
+++ b/groups/group1_iam
@@ -12,4 +12,4 @@ GROUP_ID[1]='group1'
GROUP_NUMBER[1]='1.0'
GROUP_TITLE[1]='Identity and Access Management - [group1] **********************'
GROUP_RUN_BY_DEFAULT[1]='Y' # run it when execute_all is called
-GROUP_CHECKS[1]='check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check114,check115,check116,check117,check118,check119,check120,check121,check122,check123,check124'
+GROUP_CHECKS[1]='check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check114,check115,check116,check117,check118,check119,check120,check121,check122'
diff --git a/groups/group2_logging b/groups/group2_logging
index 4b5af935..426d8ee9 100644
--- a/groups/group2_logging
+++ b/groups/group2_logging
@@ -12,4 +12,4 @@ GROUP_ID[2]='group2'
GROUP_NUMBER[2]='2.0'
GROUP_TITLE[2]='Logging - [group2] *********************************************'
GROUP_RUN_BY_DEFAULT[2]='Y' # run it when execute_all is called
-GROUP_CHECKS[2]='check21,check22,check23,check24,check25,check26,check27,check28'
+GROUP_CHECKS[2]='check21,check22,check23,check24,check25,check26,check27,check28,check29'
diff --git a/groups/group3_monitoring b/groups/group3_monitoring
index 6f4263ea..e6fd1e4a 100644
--- a/groups/group3_monitoring
+++ b/groups/group3_monitoring
@@ -12,4 +12,4 @@ GROUP_ID[3]='group3'
GROUP_NUMBER[3]='3.0'
GROUP_TITLE[3]='Monitoring - [group3] ******************************************'
GROUP_RUN_BY_DEFAULT[3]='Y' # run it when execute_all is called
-GROUP_CHECKS[3]='check31,check32,check33,check34,check35,check36,check37,check38,check39,check310,check311,check312,check313,check314,check315'
+GROUP_CHECKS[3]='check31,check32,check33,check34,check35,check36,check37,check38,check39,check310,check311,check312,check313,check314'
diff --git a/groups/group4_networking b/groups/group4_networking
index 126e4923..0f552890 100644
--- a/groups/group4_networking
+++ b/groups/group4_networking
@@ -12,4 +12,4 @@ GROUP_ID[4]='group4'
GROUP_NUMBER[4]='4.0'
GROUP_TITLE[4]='Networking - [group4] ******************************************'
GROUP_RUN_BY_DEFAULT[4]='Y' # run it when execute_all is called
-GROUP_CHECKS[4]='check41,check42,check43,check44,check45'
+GROUP_CHECKS[4]='check41,check42,check43,check44'
diff --git a/groups/group5_cislevel1 b/groups/group5_cislevel1
index db7413de..88e0f49c 100644
--- a/groups/group5_cislevel1
+++ b/groups/group5_cislevel1
@@ -12,4 +12,4 @@ GROUP_ID[5]='cislevel1'
GROUP_NUMBER[5]='5.0'
GROUP_TITLE[5]='CIS Level 1 - [cislevel1] **************************************'
GROUP_RUN_BY_DEFAULT[5]='N' # run it when execute_all is called
-GROUP_CHECKS[5]='check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check115,check116,check117,check118,check119,check120,check122,check123,check124,check21,check23,check24,check25,check26,check31,check32,check33,check34,check35,check38,check312,check313,check314,check315,check41,check42'
+GROUP_CHECKS[5]='check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check115,check116,check117,check118,check119,check120,check122,check21,check23,check24,check25,check26,check31,check32,check33,check34,check35,check38,check312,check313,check314,check315,check41,check42'
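Review bot: The new `GROUP_CHECKS[5]` line still lists `check315`, which this same commit removes from the monitoring group (`GROUP_CHECKS[3]`) and from `cislevel2`, so the `cislevel1` group will reference a check ID that the rest of the change treats as gone. The IAM part of the list also looks like it was trimmed rather than remapped: `GROUP_CHECKS[1]` now ends at `check122` after two IDs were dropped and the remaining titles shifted down, yet this list only lost `check123`/`check124` from its tail, so — assuming the checks shifted by two — the Level 1 set now picks up `check119` (the Not Scored instance-roles check) and loses `check121` (no access keys at initial user setup), inverting its previous membership while `check120` and `check122` still line up by coincidence. Suggest `GROUP_CHECKS[5]='check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check115,check116,check117,check118,check120,check121,check122,check21,check23,check24,check25,check26,check31,check32,check33,check34,check35,check38,check312,check313,check314,check41,check42'`, and a one-line comment above it such as `# IDs follow the renumbered check files; keep in sync with group1_iam and group3_monitoring`.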
diff --git a/groups/group6_cislevel2 b/groups/group6_cislevel2
index b1394b3f..23b81f51 100644
--- a/groups/group6_cislevel2
+++ b/groups/group6_cislevel2
@@ -12,4 +12,4 @@ GROUP_ID[6]='cislevel2'
GROUP_NUMBER[6]='6.0'
GROUP_TITLE[6]='CIS Level 2 - [cislevel2] **************************************'
GROUP_RUN_BY_DEFAULT[6]='N' # run it when execute_all is called
-GROUP_CHECKS[6]='check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check114,check115,check116,check117,check118,check119,check120,check121,check122,check123,check124,check21,check22,check23,check24,check25,check26,check27,check28,check31,check32,check33,check34,check35,check36,check37,check38,check39,check310,check311,check312,check313,check314,check315,check41,check42,check43,check44,check45'
+GROUP_CHECKS[6]='check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check114,check115,check116,check117,check118,check119,check120,check121,check122,check21,check22,check23,check24,check25,check26,check27,check28,check29,check31,check32,check33,check34,check35,check36,check37,check38,check39,check310,check311,check312,check313,check314,check41,check42,check43,check44'
diff --git a/groups/group8_forensics b/groups/group8_forensics
index d3230562..58508568 100644
--- a/groups/group8_forensics
+++ b/groups/group8_forensics
@@ -15,4 +15,4 @@ GROUP_ID[8]='forensics-ready'
GROUP_NUMBER[8]='8.0'
GROUP_TITLE[8]='Forensics Readiness - [forensics-ready] ************************'
GROUP_RUN_BY_DEFAULT[8]='N' # run it when execute_all is called
-GROUP_CHECKS[8]='check21,check22,check23,check24,check25,check26,check27,check43,extra712,extra713,extra714,extra715,extra717,extra718,extra719,extra720,extra721,extra722,extra725'
+GROUP_CHECKS[8]='check21,check22,check23,check24,check25,check26,check27,check29,extra712,extra713,extra714,extra715,extra717,extra718,extra719,extra720,extra721,extra722,extra725'