Improved extra73 to check also Authenticated users

Ensure there are no S3 buckets open to the Everyone or Any AWS user (Not Scored) (Not part of CIS benchmark)
This commit is contained in:
Toni de la Fuente
2017-07-19 10:57:05 -04:00
committed by GitHub
parent 5723bcb1a4
commit 7eeee0e777

15
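--- a/prowler
+++ b/prowler
@@ -1419,7 +1419,7 @@ extra72(){
 extra73(){
 #set -x
 ID73="7.3"
-TITLE73="Ensure there are no S3 buckets open to AllUsers (Not Scored) (Not part of CIS benchmark)"
+TITLE73="Ensure there are no S3 buckets open to the Everyone or Any AWS user (Not Scored) (Not part of CIS benchmark)"
 textTitle "$ID73" "$TITLE73" "0"
 textNotice "Looking for S3 Buckets in all regions... "
 ALL_BUCKETS_LIST=$($AWSCLI s3api list-buckets --query 'Buckets[*].{Name:Name}' --profile $PROFILE --region $REGION --output text)
@@ -1428,11 +1428,16 @@ extra73(){
 if [[ "None" == $BUCKET_LOCATION ]]; then
 BUCKET_LOCATION="us-east-1"
 fi
-CHECK_BUCKET_PERMISSIONS=$($AWSCLI s3api get-bucket-acl --profile $PROFILE --region $BUCKET_LOCATION --bucket $bucket --query "Grants[?Grantee.URI == 'http://acs.amazonaws.com/groups/global/AllUsers']" --output text |grep -v GRANTEE)
-CHECK_BUCKET_PERMISSIONS_SINGLE_LINE=$(echo -ne $CHECK_BUCKET_PERMISSIONS)
-if [[ $CHECK_BUCKET_PERMISSIONS ]];then
-textWarn "$BUCKET_LOCATION: $bucket bucket is open to the Internet with permissions: $CHECK_BUCKET_PERMISSIONS_SINGLE_LINE" "$regx"
+CHECK_BUCKET_ALLUSERS_PERMISSIONS=$($AWSCLI s3api get-bucket-acl --profile $PROFILE --region $BUCKET_LOCATION --bucket $bucket --query "Grants[?Grantee.URI == 'http://acs.amazonaws.com/groups/global/AllUsers']" --output text |grep -v GRANTEE)
+CHECK_BUCKET_ALLUSERS_PERMISSIONS_SINGLE_LINE=$(echo -ne $CHECK_BUCKET_ALLUSERS_PERMISSIONS)
+CHECK_BUCKET_AUTHUSERS_PERMISSIONS=$($AWSCLI s3api get-bucket-acl --profile $PROFILE --region $BUCKET_LOCATION --bucket $bucket --query "Grants[?Grantee.URI == 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers']" --output text |grep -v GRANTEE)
+CHECK_BUCKET_AUTHUSERS_PERMISSIONS_SINGLE_LINE=$(echo -ne $CHECK_BUCKET_AUTHUSERS_PERMISSIONS)
+if [[ $CHECK_BUCKET_ALLUSERS_PERMISSIONS ]];then
+textWarn "$BUCKET_LOCATION: $bucket bucket is open to the Internet (Everyone) with permissions: $CHECK_BUCKET_ALLUSERS_PERMISSIONS_SINGLE_LINE" "$regx"
 else
+if [[ $CHECK_BUCKET_AUTHUSERS_PERMISSIONS ]];then
+textWarn "$BUCKET_LOCATION: $bucket bucket is open to Authenticated users (Any AWS user) with permissions: $CHECK_BUCKET_AUTHUSERS_PERMISSIONS_SINGLE_LINE" "$regx"
+fi
 textOK "$BUCKET_LOCATION: $bucket bucket is not open" "$regx"
 fi
 done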
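Review bot: A bucket that grants AuthenticatedUsers is reported twice in the second hunk: the inner `if … fi` prints the textWarn, then control falls through to the textOK line in the same `else` branch and the bucket is also reported as "not open", which hides the finding from anyone reading only OK/WARN lines. Make the not-open result the alternative of the inner test by changing the inner `fi` to `else`, moving the textOK under it and closing with a second `fi`, or collapse the two tests into `if [[ $CHECK_BUCKET_ALLUSERS_PERMISSIONS ]];then … elif [[ $CHECK_BUCKET_AUTHUSERS_PERMISSIONS ]];then … else textOK … fi`. Because the AuthenticatedUsers grant is only evaluated when no AllUsers grant exists, a bucket granting both groups reports only the Everyone grant; if that is intended, a comment such as `# AllUsers takes precedence; an AuthenticatedUsers grant on the same bucket is not listed separately` would save the next reader a question. As a matter of style, the ACL is now fetched twice per bucket; fetching it once and applying both `--query` filters to the saved output would halve the API calls. The surrounding `for` loop and extra73 itself open before the hunk and the function closes after it.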