From 8bfd9c0e62f540b5e70cc5e8eb455203fe18b84e Mon Sep 17 00:00:00 2001
From: Pepe Fagoaga <j.fagoagas@alumnos.upm.es>
Date: Fri, 29 Apr 2022 14:23:54 +0200
Subject: [PATCH] feat(emr): Check BlockPublicAccessConfiguration for EMR
 (#1120)

---
 checks/check_extra7178 | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100644 checks/check_extra7178

diff --git a/checks/check_extra7178 b/checks/check_extra7178
new file mode 100644
index 00000000..d49ef2dc
--- /dev/null
+++ b/checks/check_extra7178
@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+
+CHECK_ID_extra7178="7.178"
+CHECK_TITLE_extra7178="[extra7178] EMR Account Public Access Block enabled"
+CHECK_SCORED_extra7178="NOT_SCORED"
+CHECK_CIS_LEVEL_extra7178="EXTRA"
+CHECK_SEVERITY_extra7178="High"
+CHECK_ASFF_TYPE_extra7178="AwsEMR"
+CHECK_ALTERNATE_check7178="extra7178"
+CHECK_SERVICENAME_extra7178="emr"
+CHECK_RISK_extra7178='EMR Clusters must have Account Public Access Block enabled'
+CHECK_REMEDIATION_extra7178='Enable EMR Account Public Access Block'
+CHECK_DOC_extra7178='https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-block-public-access.html'
+CHECK_CAF_EPIC_extra7178='Infrastructure Security'
+
+extra7178(){
+    for regx in ${REGIONS}; do
+        block_public_access=$("${AWSCLI}" emr get-block-public-access-configuration ${PROFILE_OPT} --region "${regx}" --query 'BlockPublicAccessConfiguration.BlockPublicSecurityGroupRules' --output json 2>&1)
+        if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${block_public_access}"; then
+            textInfo "${regx}: Access Denied trying to get block public access configuration for EMR clusters" "${regx}"
+            continue
+        fi
+        if [[ "${block_public_access}" == "true"  ]]; then
+            textPass "${regx}: EMR Account has Block Public Access enabled" "${regx}"
+        else
+            textFail "${regx}: EMR Account has Block Public Access disabled" "${regx}"
+        fi
+    done
+}
\ No newline at end of file