From 6fb49a46bf9627017e224dffa68efb2e95e66c8e Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Tue, 5 Oct 2021 17:31:30 +0200
Subject: [PATCH] New check 7153 Route53 transfer lock for domains enabled @jarrettandrulis
---
 checks/check_extra7153 | 52 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100644 checks/check_extra7153
diff --git a/checks/check_extra7153 b/checks/check_extra7153
new file mode 100644
index 00000000..bc481853
--- /dev/null
+++ b/checks/check_extra7153
@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+# Remediation:
+#
+# https://docs.aws.amazon.com/cli/latest/reference/route53domains/update-domain-contact-privacy.html
+#
+# update-domain-contact-privacy \
+# --region us-east-1 \
+# --domain-name example.com \
+# --enable-domain-transfer-lock
+
+CHECK_ID_extra7153="7.153"
+CHECK_TITLE_extra7153="[extra7153] Enable Transfer Lock for a Route53 Domain"
+CHECK_SCORED_extra7153="NOT_SCORED"
+CHECK_TYPE_extra7153="EXTRA"
+CHECK_SEVERITY_extra7153="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7153="AwsRoute53Domain"
+CHECK_ALTERNATE_check7153="extra7153"
+CHECK_SERVICENAME_extra7153="route53"
+CHECK_RISK_extra7153='Without transfer lock enabled, a domain name could be incorrectly moved to a new registrar'
+CHECK_REMEDIATION_extra7153='Ensure transfer lock is enabled'
+CHECK_DOC_extra7153='https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-privacy-protection.html'
+CHECK_CAF_EPIC_extra7153='Data Protection'
+
+extra7153(){
+ # Route53 is a global service, looking for domains in US-EAST-1
+ DOMAIN_NAMES=$($AWSCLI route53domains list-domains $PROFILE_OPT --region us-east-1 --query 'Domains[*].DomainName' --output text )
+ if [[ $DOMAIN_NAMES ]];then
+ for domain_name in $DOMAIN_NAMES;do
+ DOMAIN_DETAIL=$($AWSCLI route53domains get-domain-detail $PROFILE_OPT --region us-east-1 --query 'StatusList' --domain-name $domain_name)
+ HAS_TRANSFER_LOCK=$( grep -o 'clientTransferProhibited' <<< $DOMAIN_DETAIL)
+ if [[ $HAS_TRANSFER_LOCK ]]; then
+ textPass "$regx: clientTransferProhibited found for: $domain_name" "$regx" "$domain_name"
+ else
+ textFail "$regx: clientTransferProhibited not found for: $domain_name" "$regx" "$domain_name"
+ fi
+ done
+ else
+ textPass "$regx: No Domain Names found" "$regx"
+ fi
+}
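Review bot: A failed `list-domains` call (missing permission, throttling, bad credentials) leaves `DOMAIN_NAMES` empty and falls into the `else` branch, so the check emits `textPass "$regx: No Domain Names found"` — an API error is scored as a pass. Capture the exit status before trusting the empty result, e.g. `DOMAIN_NAMES=$($AWSCLI route53domains list-domains $PROFILE_OPT --region us-east-1 --query 'Domains[*].DomainName' --output text 2>&1)` followed by `if [[ $? -ne 0 ]]; then textInfo "$regx: unable to list domains: $DOMAIN_NAMES" "$regx"; return; fi`. The inner `get-domain-detail` has the same gap in the safer direction: an error yields an empty `DOMAIN_DETAIL`, which `grep` turns into a `textFail` indistinguishable from a genuinely unlocked domain, so checking that call's status too would avoid false findings. Separately, the remediation comment pairs `--enable-domain-transfer-lock` with `update-domain-contact-privacy`, but that option appears to belong to the separate `enable-domain-transfer-lock` subcommand, and the `CHECK_DOC` link covers contact privacy rather than transfer lock — worth correcting so operators are not sent to the wrong command.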