diff --git a/checks/check_extra92 b/checks/check_extra92
index 0f76bd84..d83c3f24 100644
--- a/checks/check_extra92
+++ b/checks/check_extra92
@@ -19,8 +19,9 @@ CHECK_ASFF_RESOURCE_TYPE_extra92="AwsEFS"
 CHECK_ALTERNATE_check92="extra92"
 CHECK_SERVICENAME_extra92="EFS"
 
-# If an EFS has a policy principle as *, we consider it as public accessible even though client connects through a vpc peering or transit gateway. Also if EFS has a default policy(no user defined
-# policy), it's also a security risk, as default policy grants full access to any client that can connect to the file system using a file system mount target.
+# If an EFS has a policy principle as *, we consider it as public accessible even though client connects through a
+# vpc peering or transit gateway. Also if EFS has a default policy(no user defined policy), it's also a security risk,
+# as default policy grants full access to any client that can connect to the file system using a file system mount target.
 
 extra92(){
 for region in $REGIONS; do
@@ -30,7 +31,6 @@ extra92(){
 EFS_POLICY_STATEMENTS=$($AWSCLI efs $PROFILE_OPT describe-file-system-policy --region $region --file-system-id $efsId --output json --query Policy 2>&1)
 if [[ $EFS_POLICY_STATEMENTS == *PolicyNotFound* ]]; then
 textFail "$region : EFS $efsId doesn't have any policy which means it grants full access to any client"
- # textInfo "EFS policy does not exist for efs id $efsId"
 else
 EFS_POLICY_BAD_STATEMENTS=$(echo $EFS_POLICY_STATEMENTS | jq '. | fromjson' | jq '.Statement[] | select(.Effect=="Allow") | select(.Principal=="*" or .Principal.AWS=="*" or .Principal.CanonicalUser=="*")')
 if [[ $EFS_POLICY_BAD_STATEMENTS != "" ]]; then
diff --git a/checks/check_extra93 b/checks/check_extra93
index c9aed63d..02fbd1ab 100644
--- a/checks/check_extra93
+++ b/checks/check_extra93
@@ -20,8 +20,8 @@ CHECK_ASFF_RESOURCE_TYPE_extra93="AwsCloudWatch"
 CHECK_ALTERNATE_check93="extra93"
 CHECK_SERVICENAME_extra93="CloudWatch"
 
-# When CloudWatch allows cross account sharing, a role with name CloudWatch-CrossAccountSharingRole get's created by aws itself. So we are validating role name existance for checking the
-# cloudwatch security.
+# When CloudWatch allows cross account sharing, a role with name CloudWatch-CrossAccountSharingRole
+# get's created by aws itself. So we are validating role name existance for checking the cloudwatch security.
 
 extra93(){
diff --git a/checks/check_extra94 b/checks/check_extra94
index bd721d92..de9a00c3 100644
--- a/checks/check_extra94
+++ b/checks/check_extra94
@@ -12,15 +12,16 @@
 # specific language governing permissions and limitations under the License.
 
 CHECK_ID_extra94="9.4"
-CHECK_TITLE_extra94="[extra94] Check if lambda functions has policies which allow access to everyone having an aws account (Not Scored) (Not part of CIS benchmark) (Custom Check)"
+CHECK_TITLE_extra94="[extra94] Check if lambda functions have policies which allow access to everyone having an aws account (Not Scored) (Not part of CIS benchmark) (Custom Check)"
 CHECK_SCORED_extra94="NOT_SCORED"
 CHECK_TYPE_extra94="EXTRA"
 CHECK_SEVERITY_extra94="Critical"
-CHECK_ASFF_RESOURCE_TYPE_extra94="AwsCloudWatch"
+CHECK_ASFF_RESOURCE_TYPE_extra94="AwsLambda"
 CHECK_ALTERNATE_check94="extra94"
-CHECK_SERVICENAME_extra94="CloudWatch"
+CHECK_SERVICENAME_extra94="Lambda"
 
-# If a lambda function has a policy principle as *, It can be accessed by any aws account. We consider such functions as publicly accessible resource.
+# If a lambda function has a policy principle as *, It can be accessed by any aws account.
+# We consider such functions as publicly accessible resource.
 
 extra94(){
 for region in $REGIONS; do
diff --git a/checks/check_extra95 b/checks/check_extra95
index f9cee66c..a41f3c9c 100644
--- a/checks/check_extra95
+++ b/checks/check_extra95
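Review bot: `CHECK_ASFF_RESOURCE_TYPE_extra94="AwsLambda"` is not a resource type that Security Hub's ASFF defines; a Lambda function is typed `AwsLambdaFunction` there, so consumers that filter or group findings by resource type will not match findings from this check. Whether Security Hub rejects an unknown `Resources[].Type` or just stores it as an opaque string I am not certain, but using the documented value costs nothing: `CHECK_ASFF_RESOURCE_TYPE_extra94="AwsLambdaFunction"`. The same applies to the extra95 hunk further down in this diff, which sets `AwsElasticIPs` where ASFF uses `AwsEc2Eip`.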
@@ -16,9 +16,9 @@ CHECK_TITLE_extra95="[extra95] Check if there is any unassigned elastic ip's (No
 CHECK_SCORED_extra95="NOT_SCORED"
 CHECK_TYPE_extra95="EXTRA"
 CHECK_SEVERITY_extra95="Critical"
-CHECK_ASFF_RESOURCE_TYPE_extra95="AwsCloudWatch"
+CHECK_ASFF_RESOURCE_TYPE_extra95="AwsElasticIPs"
 CHECK_ALTERNATE_check95="extra95"
-CHECK_SERVICENAME_extra95="CloudWatch"
+CHECK_SERVICENAME_extra95="ElasticIPs"
 
 # If there is any elasting ip which is not assigned to any instance or network interface, we will list that out.