mirror of
https://github.com/ghndrx/prowler.git
synced 2026-02-10 14:55:00 +00:00
Some corrections for glue related checks
This commit is contained in:
Toni de la Fuente
@@ -21,14 +21,14 @@ CHECK_ALTERNATE_check7115="extra7115"
|
||||
extra7115(){
|
||||
for regx in $REGIONS; do
|
||||
CONNECTION_LIST=$($AWSCLI glue get-connections $PROFILE_OPT --region $regx --output json --query 'ConnectionList[*].{Name:Name,SSL:ConnectionProperties.JDBC_ENFORCE_SSL}')
|
||||
if [[ ! -z "$CONNECTION_LIST" ]]; then
|
||||
if [[ $CONNECTION_LIST != '[]' ]]; then
|
||||
for connection in $(echo "${CONNECTION_LIST}" | jq -r '.[] | @base64'); do
|
||||
CONNECTION_NAME=$(echo $connection | base64 --decode | jq -r '.Name' )
|
||||
CONNECTION_SSL_STATE=$(echo $connection | base64 --decode | jq -r '.SSL')
|
||||
if [[ "$CONNECTION_SSL_STATE" == "false" ]]; then
|
||||
textFail "$regx: Glue connection $CONNECTION_NAME has SSL connection disabled" "$regx"
|
||||
else
|
||||
textInfo "$regx: Glue connection $CONNECTION_NAME has SSL connection enabled" "$regx"
|
||||
textPass "$regx: Glue connection $CONNECTION_NAME has SSL connection enabled" "$regx"
|
||||
fi
|
||||
done
|
||||
else
|
||||
|
||||
@@ -22,9 +22,9 @@ extra7116(){
|
||||
for regx in $REGIONS; do
|
||||
METADATA_ENCRYPTED=$($AWSCLI glue get-data-catalog-encryption-settings $PROFILE_OPT --region $regx --output text --query "DataCatalogEncryptionSettings.EncryptionAtRest.CatalogEncryptionMode")
|
||||
if [[ "$METADATA_ENCRYPTED" == "DISABLED" ]]; then
|
||||
textFail "$regx: Glue data-catalog settings have metadata encryption disabled" "$regx"
|
||||
textFail "$regx: Glue data catalog settings have metadata encryption disabled" "$regx"
|
||||
else
|
||||
textInfo "$regx: Glue data-catalog settings have metadata encryption enabled" "$regx"
|
||||
textPass "$regx: Glue data catalog settings have metadata encryption enabled" "$regx"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
@@ -11,7 +11,7 @@
|
||||
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
|
||||
# specific language governing permissions and limitations under the License.
|
||||
CHECK_ID_extra7117="7.117"
|
||||
CHECK_TITLE_extra7117="[extra7117] Check if Glue data-catalog settings have Encrypt connection password enabled."
|
||||
CHECK_TITLE_extra7117="[extra7117] Check if Glue data catalog settings have encrypt connection password enabled."
|
||||
CHECK_SCORED_extra7117="NOT_SCORED"
|
||||
CHECK_TYPE_extra7117="EXTRA"
|
||||
CHECK_SEVERITY_extra7117="Medium"
|
||||
@@ -22,9 +22,9 @@ extra7117(){
|
||||
for regx in $REGIONS; do
|
||||
METADATA_ENCRYPTED=$($AWSCLI glue get-data-catalog-encryption-settings $PROFILE_OPT --region $regx --output text --query "DataCatalogEncryptionSettings.ConnectionPasswordEncryption.ReturnConnectionPasswordEncrypted")
|
||||
if [[ "$METADATA_ENCRYPTED" == "False" ]]; then
|
||||
textFail "$regx: Glue Catalog connection password is not encrypted" "$regx"
|
||||
textFail "$regx: Glue data catalog connection password is not encrypted" "$regx"
|
||||
else
|
||||
textInfo "$regx: Glue catalog connection password is encrypted" "$regx"
|
||||
textPass "$regx: Glue data catalog connection password is encrypted" "$regx"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
@@ -10,8 +10,8 @@
|
||||
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
|
||||
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
|
||||
# specific language governing permissions and limitations under the License.
|
||||
CHECK_ID_extra7118="7.117"
|
||||
CHECK_TITLE_extra7118="[extra7118] Check if Glue security configurations used by ETL Jobs have S3 encryption enabled."
|
||||
CHECK_ID_extra7118="7.118"
|
||||
CHECK_TITLE_extra7118="[extra7118] Check if Glue ETL Jobs have S3 encryption enabled."
|
||||
CHECK_SCORED_extra7118="NOT_SCORED"
|
||||
CHECK_TYPE_extra7118="EXTRA"
|
||||
CHECK_SEVERITY_extra7118="Medium"
|
||||
@@ -21,7 +21,7 @@ CHECK_ALTERNATE_check7118="extra7118"
|
||||
extra7118(){
|
||||
for regx in $REGIONS; do
|
||||
JOB_LIST=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --output json --query 'Jobs[*].{Name:Name,SecurityConfiguration:SecurityConfiguration,JobEncryption:DefaultArguments."--encryption-type"}')
|
||||
if [[ ! -z "$JOB_LIST" ]]; then
|
||||
if [[ $JOB_LIST != '[]' ]]; then
|
||||
for job in $(echo "${JOB_LIST}" | jq -r '.[] | @base64'); do
|
||||
JOB_NAME=$(echo $job | base64 --decode | jq -r '.Name')
|
||||
SECURITY_CONFIGURATION=$(echo $job | base64 --decode | jq -r '.SecurityConfiguration // empty')
|
||||
@@ -29,12 +29,16 @@ extra7118(){
|
||||
if [[ ! -z "$SECURITY_CONFIGURATION" ]]; then
|
||||
S3_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${SECURITY_CONFIGURATION}" $PROFILE_OPT --region $regx --output text --query 'SecurityConfiguration.EncryptionConfiguration.S3Encryption[0].S3EncryptionMode')
|
||||
if [[ "$S3_ENCRYPTION" == "DISABLED" ]]; then
|
||||
textFail "$regx: Glue job $JOB_NAME does not have S3 encryption enabled" "$regx"
|
||||
if [[ ! -z "$JOB_ENCRYPTION" ]]; then
|
||||
textPass "$regx: Glue job $JOB_NAME does have $JOB_ENCRYPTION for S3 encryption enabled" "$regx"
|
||||
else
|
||||
textFail "$regx: Glue job $JOB_NAME does not have S3 encryption enabled" "$regx"
|
||||
fi
|
||||
else
|
||||
textInfo "$regx: Glue job $JOB_NAME does have $S3_ENCRYPTION S3 encryption enabled" "$regx"
|
||||
textPass "$regx: Glue job $JOB_NAME does have $S3_ENCRYPTION for S3 encryption enabled" "$regx"
|
||||
fi
|
||||
elif [[ ! -z "$JOB_ENCRYPTION" ]]; then
|
||||
textInfo "$regx: Glue job $JOB_NAME does have $JOB_ENCRYPTION S3 encryption enabled" "$regx"
|
||||
textPass "$regx: Glue job $JOB_NAME does have $JOB_ENCRYPTION for S3 encryption enabled" "$regx"
|
||||
else
|
||||
textFail "$regx: Glue job $JOB_NAME does not have S3 encryption enabled" "$regx"
|
||||
fi
|
||||
|
||||
@@ -10,8 +10,8 @@
|
||||
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
|
||||
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
|
||||
# specific language governing permissions and limitations under the License.
|
||||
CHECK_ID_extra7120="7.117"
|
||||
CHECK_TITLE_extra7120="[extra7120] Check if Glue security configurations used by ETL Jobs have CloudWatch logs encryption enabled."
|
||||
CHECK_ID_extra7120="7.120"
|
||||
CHECK_TITLE_extra7120="[extra7120] Check if Glue ETL Jobs have CloudWatch Logs encryption enabled."
|
||||
CHECK_SCORED_extra7120="NOT_SCORED"
|
||||
CHECK_TYPE_extra7120="EXTRA"
|
||||
CHECK_SEVERITY_extra7120="Medium"
|
||||
@@ -21,19 +21,19 @@ CHECK_ALTERNATE_check7120="extra7120"
|
||||
extra7120(){
|
||||
for regx in $REGIONS; do
|
||||
JOB_LIST=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --output json --query 'Jobs[*].{Name:Name,SecurityConfiguration:SecurityConfiguration}')
|
||||
if [[ ! -z "$JOB_LIST" ]]; then
|
||||
if [[ $JOB_LIST != '[]' ]]; then
|
||||
for job in $(echo "${JOB_LIST}" | jq -r '.[] | @base64'); do
|
||||
JOB_NAME=$(echo $job | base64 --decode | jq -r '.Name')
|
||||
SECURITY_CONFIGURATION=$(echo $job | base64 --decode | jq -r '.SecurityConfiguration // empty')
|
||||
if [[ ! -z "$SECURITY_CONFIGURATION" ]]; then
|
||||
CLOUDWATCH_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${SECURITY_CONFIGURATION}" $PROFILE_OPT --region $regx --output text --query 'SecurityConfiguration.EncryptionConfiguration.CloudWatchEncryption.CloudWatchEncryptionMode')
|
||||
if [[ "$CLOUDWATCH_ENCRYPTION" == "DISABLED" ]]; then
|
||||
textFail "$regx: Glue job $JOB_NAME does not have CloudWatch logs encryption enabled" "$regx"
|
||||
textFail "$regx: Glue job $JOB_NAME does not have CloudWatch Logs encryption enabled" "$regx"
|
||||
else
|
||||
textInfo "$regx: Glue job $JOB_NAME does have $CLOUDWATCH_ENCRYPTION CloudWatch logs encryption enabled" "$regx"
|
||||
textPass "$regx: Glue job $JOB_NAME does have $CLOUDWATCH_ENCRYPTION CloudWatch Logs encryption enabled" "$regx"
|
||||
fi
|
||||
else
|
||||
textFail "$regx: Glue job $JOB_NAME does not have CloudWatch logs encryption enabled" "$regx"
|
||||
textFail "$regx: Glue job $JOB_NAME does not have CloudWatch Logs encryption enabled" "$regx"
|
||||
fi
|
||||
done
|
||||
else
|
||||
|
||||
@@ -10,8 +10,8 @@
|
||||
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
|
||||
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
|
||||
# specific language governing permissions and limitations under the License.
|
||||
CHECK_ID_extra7122="7.117"
|
||||
CHECK_TITLE_extra7122="[extra7122] Check if Glue security configurations used by ETL Jobs have Job bookmark encryption enabled."
|
||||
CHECK_ID_extra7122="7.122"
|
||||
CHECK_TITLE_extra7122="[extra7122] Check if Glue ETL Jobs have Job bookmark encryption enabled."
|
||||
CHECK_SCORED_extra7122="NOT_SCORED"
|
||||
CHECK_TYPE_extra7122="EXTRA"
|
||||
CHECK_SEVERITY_extra7122="Medium"
|
||||
@@ -21,7 +21,7 @@ CHECK_ALTERNATE_check7122="extra7122"
|
||||
extra7122(){
|
||||
for regx in $REGIONS; do
|
||||
JOB_LIST=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --output json --query 'Jobs[*].{Name:Name,SecurityConfiguration:SecurityConfiguration}')
|
||||
if [[ $JOB_LIST ]]; then
|
||||
if [[ $JOB_LIST != '[]' ]]; then
|
||||
for job in $(echo "${JOB_LIST}" | jq -r '.[] | @base64'); do
|
||||
JOB_NAME=$(echo $job | base64 --decode | jq -r '.Name')
|
||||
SECURITY_CONFIGURATION=$(echo $job | base64 --decode | jq -r '.SecurityConfiguration // empty')
|
||||
@@ -30,7 +30,7 @@ extra7122(){
|
||||
if [[ "$JOB_BOOKMARK_ENCRYPTION" == "DISABLED" ]]; then
|
||||
textFail "$regx: Glue job $JOB_NAME does not have Job bookmark encryption enabled" "$regx"
|
||||
else
|
||||
textInfo "$regx: Glue job $JOB_NAME does have $JOB_BOOKMARK_ENCRYPTION Job bookmark encryption enabled" "$regx"
|
||||
textPass "$regx: Glue job $JOB_NAME does have $JOB_BOOKMARK_ENCRYPTION for Job bookmark encryption enabled" "$regx"
|
||||
fi
|
||||
else
|
||||
textFail "$regx: Glue job $JOB_NAME does not have Job bookmark encryption enabled" "$regx"
|
||||
|
||||
18
groups/group24_glue
Normal file
18
groups/group24_glue
Normal file
@@ -0,0 +1,18 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
||||
# use this file except in compliance with the License. You may obtain a copy
|
||||
# of the License at http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software distributed
|
||||
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
|
||||
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
|
||||
# specific language governing permissions and limitations under the License.
|
||||
|
||||
GROUP_ID[23]='glue'
|
||||
GROUP_NUMBER[23]='23.0'
|
||||
GROUP_TITLE[23]='Amazon Glue related security checks - [glue] ********'
|
||||
GROUP_RUN_BY_DEFAULT[23]='N' # run it when execute_all is called
|
||||
GROUP_CHECKS[23]='extra7115,extra7116,extra7117,extra7118,extra7120,extra7122'
|
||||
Reference in New Issue
Block a user