diff --git a/checks/check_extra732 b/checks/check_extra732
index 18a04c81..cb734782 100644
--- a/checks/check_extra732
+++ b/checks/check_extra732
@@ -11,34 +11,24 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 
-CHECK_ID_extra731="7.31"
-CHECK_TITLE_extra731="[extra731] Check if SNS topics have policy set as Public (Not Scored) (Not part of CIS benchmark)"
-CHECK_SCORED_extra731="NOT_SCORED"
-CHECK_TYPE_extra731="EXTRA"
-CHECK_ALTERNATE_check731="extra731"
+CHECK_ID_extra732="7.32"
+CHECK_TITLE_extra732="[extra732] Check if Geo restrictions are enabled in CloudFront distributions (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra732="NOT_SCORED"
+CHECK_TYPE_extra732="EXTRA"
+CHECK_ALTERNATE_check732="extra732"
 
-extra731(){
- for regx in $REGIONS; do
- LIST_SNS=$($AWSCLI sns list-topics $PROFILE_OPT --region $regx --query Topics --output text |grep -v ^None)
- if [[ $LIST_SNS ]]; then
- for topic in $LIST_SNS; do
- # check if the policy has Principal as *
- SNS_TO_CHECK=$($AWSCLI sns get-topic-attributes --topic-arn $topic $PROFILE_OPT --region $regx --query Attributes.Policy --output text | awk -v k="text" '{n=split($0,a,","); for (i=1; i<=n; i++) print a[i]}' | awk '/Principal/ || /Condition/ && !skip { print } { skip = /Deny/}')
- PUBLIC_SNS_WCONDITION=$(echo $SNS_TO_CHECK|grep Condition)
- SHORT_TOPIC=$(echo $topic| cut -d: -f6)
- if [[ $PUBLIC_SNS_WCONDITION ]]; then
- textInfo "$regx: SNS topic $SHORT_TOPIC has a Condition" "$regx"
- else
- PUBLIC_SNS=$(echo $SNS_TO_CHECK|grep \"Principal|grep \*)
- if [[ $PUBLIC_SNS ]]; then
- textFail "$regx: SNS topic $SHORT_TOPIC seems to be public (Principal: \"*\")" "$regx"
- else
- textInfo "$regx: SNS topic $SHORT_TOPIC seems correct" "$regx"
- fi
- fi
- done
- else
- textInfo "$regx: No SNS topics found" "$regx"
- fi
- done
+extra732(){
+ LIST_DISTRIBUTIONS=$($AWSCLI cloudfront list-distributions $PROFILE_OPT --query 'DistributionList.Items[*].Id' --output text |grep -v ^None)
+ if [[ $LIST_DISTRIBUTIONS ]]; then
+ for dist in $LIST_DISTRIBUTIONS; do
+ GEO_ENABLED=$($AWSCLI cloudfront get-distribution-config $PROFILE_OPT --id $dist --query DistributionConfig.Restrictions.GeoRestriction.RestrictionType --output text)
+ if [[ $GEO_ENABLED == "none" ]]; then
+ textFail "CloudFront distribution $dist has not Geo restrictions"
+ else
+ textPass "CloudFront distribution $dist has Geo restrictions enabled"
+ fi
+ done
+ else
+ textInfo "$regx: No CloudFront distributions found" "$regx"
+ fi
 }
diff --git a/groups/group7_extras b/groups/group7_extras
index d57c3084..02f96984 100644
--- a/groups/group7_extras
+++ b/groups/group7_extras
@@ -15,4 +15,4 @@ GROUP_ID[7]='extras'
 GROUP_NUMBER[7]='7.0'
 GROUP_TITLE[7]='Extras - [extras] **********************************************'
 GROUP_RUN_BY_DEFAULT[7]='Y' # run it when execute_all is called
-GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730'
+GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732'
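Review bot: The `if [[ $GEO_ENABLED == "none" ]]` test in extra732 fails open: when `get-distribution-config` errors out (access denied, throttling) or the query yields nothing, `GEO_ENABLED` is empty, the comparison is false and the distribution is reported with `textPass` as having geo restrictions enabled, so an API error is indistinguishable from a compliant configuration. Handle the empty case before comparing, e.g. `if [[ -z $GEO_ENABLED ]]; then textInfo "CloudFront distribution $dist: could not read RestrictionType"; elif [[ $GEO_ENABLED == "none" ]]; then`. Two smaller points in the same hunk: `textInfo "$regx: No CloudFront distributions found" "$regx"` uses `$regx`, which this function never sets (there is no per-region loop here), so the message starts with an empty region; and the fail message should read `has no Geo restrictions`. The textFail/textPass calls pass only one argument — worth confirming the output helpers accept that, since the rest of the file is not visible here.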
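Review bot: The new `GROUP_CHECKS[7]` value registers `extra731` as well as `extra732`, but the only check defined in this diff is `extra732`; unless a `checks/check_extra731` file already exists (not visible here), `execute_all` will reference a check that is never sourced. If re-enabling `extra731` is intentional, a one-line mention in the commit description would make that clear.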