diff --git a/README.md b/README.md index 58221ebc..c5209528 100644 --- a/README.md +++ b/README.md @@ -93,6 +93,7 @@ USAGE: -c specify a check number or group from the AWS CIS benchmark (i.e.: check11 for check 1.1 or check3 for entire section 3) -f specify an AWS region to run checks against (i.e.: us-west-1) -m specify the maximum number of items to return for long-running requests (default: 100) + -b do not use colors in the output -h this help ``` diff --git a/prowler b/prowler index e3c3c543..85480b9a 100755 --- a/prowler +++ b/prowler @@ -26,34 +26,20 @@ # Exits if any error is found # set -e -# Colors -NORMAL="" -WARNING="" # Bad (red) -SECTION="" # Section (yellow) -NOTICE="" # Notice (yellow) -OK="" # Ok (green) -BAD="" # Bad (red) -CYAN="" -BLUE="" -BROWN="" -DARKGRAY="" -GRAY="" -GREEN="" -MAGENTA="" -PURPLE="" -RED="" -YELLOW="" -WHITE="" +OPTRED="" +OPTNORMAL="" # Set the defaults for these getopts variables PROFILE="default" REGION="us-east-1" FILTERREGION="" MAXITEMS=100 +MONOCHROME=0 # Command usage menu usage(){ - echo -e "\nUSAGE: + echo " +USAGE: `basename $0` -p -r [ -h ] Options: -p specify your AWS profile to use (i.e.: default) @@ -61,17 +47,21 @@ usage(){ -c specify a check number or group from the AWS CIS benchmark (i.e.: check11 for check 1.1 or check3 for entire section 3) -f specify an AWS region to run checks against (i.e.: us-west-1) -m specify the maximum number of items to return for long-running requests (default: 100) + -b do not use colors in the output -h this help " exit } -while getopts "hp:r:c:f:m:" OPTION; do +while getopts ":hbp:r:c:f:m:" OPTION; do case $OPTION in h ) usage exit 1 ;; + b ) + MONOCHROME=1 + ;; p ) PROFILE=$OPTARG ;; @@ -88,17 +78,61 @@ while getopts "hp:r:c:f:m:" OPTION; do MAXITEMS=$OPTARG ;; : ) - echo -e "\n$RED ERROR!$NORMAL -$OPTARG requires an argument\n" + echo "" + echo "$OPTRED ERROR!$OPTNORMAL -$OPTARG requires an argument" + usage exit 1 ;; ? ) - echo -e "\n$RED ERROR!$NORMAL Invalid option" + echo "" + echo "$OPTRED ERROR!$OPTNORMAL Invalid option" usage exit 1 ;; esac done +if [[ $MONOCHROME -eq 1 ]]; then + # Colors + NORMAL='' + WARNING='' # Bad (red) + SECTION='' # Section (yellow) + NOTICE='' # Notice (yellow) + OK='' # Ok (green) + BAD='' # Bad (red) + CYAN='' + BLUE='' + BROWN='' + DARKGRAY='' + GRAY='' + GREEN='' + MAGENTA='' + PURPLE='' + RED='' + YELLOW='' + WHITE='' +else + # Colors + # NOTE: Your editor may NOT show the 0x1b / escape character left of the '[' + NORMAL="" + WARNING="" # Bad (red) + SECTION="" # Section (yellow) + NOTICE="" # Notice (yellow) + OK="" # Ok (green) + BAD="" # Bad (red) + CYAN="" + BLUE="" + BROWN="" + DARKGRAY="" + GRAY="" + GREEN="" + MAGENTA="" + PURPLE="" + RED="" + YELLOW="" + WHITE="" +fi + # Functions to manage dates depending on OS if [[ "$OSTYPE" == "linux-gnu" ]]; then # function to compare in days, usage how_older_from_today date @@ -191,27 +225,38 @@ fi # AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY_ID} prowlerBanner() { -echo -e "$CYAN _" -echo -e " _ __ _ __ _____ _| | ___ _ __" -echo -e " | '_ \| '__/ _ \ \ /\ / / |/ _ \ '__|" -echo -e " | |_) | | | (_) \ V V /| | __/ |" -echo -e " | .__/|_| \___/ \_/\_/ |_|\___|_|" -echo -e " |_|$NORMAL$BLUE CIS based AWS Account Hardening Tool$NORMAL\n" + echo -e "$CYAN _" + echo -e " _ __ _ __ _____ _| | ___ _ __" + echo -e " | '_ \| '__/ _ \ \ /\ / / |/ _ \ '__|" + echo -e " | |_) | | | (_) \ V V /| | __/ |" + echo -e " | .__/|_| \___/ \_/\_/ |_|\___|_|" + echo -e " |_|$NORMAL$BLUE CIS based AWS Account Hardening Tool$NORMAL\n" } # Get whoami in AWS, who is the user running this shell script -getWhoami() { - echo -e "\nThis report is being generated using credentials below:\n" +getWhoami(){ + echo "" + echo "This report is being generated using credentials below:" + echo "" echo -e "AWS-CLI Profile: $NOTICE[$PROFILE]$NORMAL AWS API Region: $NOTICE[$REGION]$NORMAL AWS Filter Region: $NOTICE[${FILTERREGION:-all}]\n" - $AWSCLI sts get-caller-identity --output table --profile $PROFILE --region $REGION + if [[ $MONOCHROME -eq 1 ]]; then + $AWSCLI sts get-caller-identity --output json --profile $PROFILE --region $REGION | grep ':' + else + echo "Caller Identity:" + $AWSCLI sts get-caller-identity --output table --profile $PROFILE --region $REGION + echo "" + fi } printCurrentDate(){ - echo -e "\nDate: $NOTICE$(date)$NORMAL" + echo "" + echo "Date: ${NOTICE}$(date)${NORMAL}" } printColorsCode(){ - echo -e "\nColors Code for results: $NOTICE INFORMATIVE$NORMAL,$OK OK (RECOMMENDED VALUE)$NORMAL, $BAD WARNING (FIX REQUIRED)$NORMAL \n" + if [[ $MONOCHROME -eq 0 ]]; then + echo -e "\nColors Code for results: $NOTICE INFORMATIVE$NORMAL,$OK OK (RECOMMENDED VALUE)$NORMAL, $BAD WARNING (FIX REQUIRED)$NORMAL \n" + fi } # Generate Credential Report @@ -281,9 +326,9 @@ check12(){ echo -e "\n$TITLE12" if [[ $COMMAND12 ]]; then echo -e " List of users with Password enabled but MFA disabled:" - echo -e " $RED $COMMAND12 $NORMAL" + echo -e " $BAD WARNING! $COMMAND12 $NORMAL" else - echo -e " $OK OK! No users found with Password enabled and MFA disabled $NORMAL" + echo -e " $OK OK! $NORMAL No users found with Password enabled and MFA disabled" fi } @@ -304,14 +349,14 @@ check13(){ DATEUSED=$($AWSCLI iam list-users --query "Users[?UserName=='$i'].PasswordLastUsed" --output text --profile $PROFILE --region $REGION | cut -d'T' -f1) HOWOLDER=$(how_older_from_today $DATEUSED) if [ $HOWOLDER -gt "90" ];then - echo " $RED $i $NORMAL" + echo " $BAD WARNING! User \"$i\" has not logged in during the last 90 days $NORMAL" else - echo " $OK OK! User \"$i\" found with unused credentials for 90 days or greater $NORMAL" + echo " $OK OK! $NORMAL User \"$i\" found with credentials used in the last 90 days" fi done fi else - echo " $OK OK! No users found with password enabled $NORMAL" + echo " $OK OK! $NORMAL No users found with password enabled" fi } @@ -328,7 +373,7 @@ check14(){ HOWOLDER=$(how_older_from_today $DATEROTATED1) if [ $HOWOLDER -gt "90" ];then - echo -e " $RED $user $NORMAL" + echo -e " $BAD WARNING! $user has not rotated access key1. $NORMAL" fi done echo -e " Users with access key 2 older than 90 days: " @@ -337,7 +382,7 @@ check14(){ DATEROTATED2=$(cat $TEMP_REPORT_FILE | grep $user| awk -F, '{ print $10 }' | grep -v "N/A" | awk -F"T" '{ print $1 }') HOWOLDER=$(how_older_from_today $DATEROTATED2) if [ $HOWOLDER -gt "90" ];then - echo -e " $RED $user $NORMAL" + echo -e " $BAD WARNING! $user has not rotated access key2. $NORMAL" fi done } @@ -349,7 +394,7 @@ check15(){ if [[ $COMMAND15 == "true" ]];then echo -e " $OK OK! $NORMAL" else - echo -e " $RED WARNING! $NORMAL" + echo -e " $BAD WARNING! $NORMAL" fi } @@ -360,7 +405,7 @@ check16(){ if [[ $COMMAND16 == "true" ]];then echo -e " $OK OK! $NORMAL" else - echo -e " $RED WARNING! $NORMAL" + echo -e " $BAD WARNING! $NORMAL" fi } @@ -371,7 +416,7 @@ check17(){ if [[ $COMMAND17 == "true" ]];then echo -e " $OK OK! $NORMAL" else - echo -e " $RED WARNING! $NORMAL" + echo -e " $BAD WARNING! $NORMAL" fi } @@ -382,7 +427,7 @@ check18(){ if [[ $COMMAND18 == "true" ]];then echo -e " $OK OK! $NORMAL" else - echo -e " $RED WARNING! $NORMAL" + echo -e " $BAD WARNING! $NORMAL" fi } @@ -393,7 +438,7 @@ check19(){ if [[ $COMMAND19 -gt "13" ]];then echo -e " $OK OK! $NORMAL" else - echo -e " $RED WARNING! $NORMAL" + echo -e " $BAD WARNING! $NORMAL" fi } @@ -405,10 +450,10 @@ check110(){ if [[ $COMMAND110 -gt "23" ]];then echo -e " $OK OK! $NORMAL" else - echo -e " $RED WARNING! It is not set or it is set lower than 24 $NORMAL" + echo -e " $BAD WARNING! It is not set or it is set lower than 24 $NORMAL" fi else - echo -e " $RED WARNING! It is not set $NORMAL" + echo -e " $BAD WARNING! It is not set $NORMAL" fi } @@ -421,7 +466,7 @@ check111(){ echo -e " $OK OK! $NORMAL" fi else - echo -e " $RED WARNING! $NORMAL" + echo -e " $BAD WARNING! Passowrd expiration not set or set greater than 90 days $NORMAL" fi } @@ -432,14 +477,14 @@ check112(){ ROOTKEY2=$(cat $TEMP_REPORT_FILE |grep root_account|awk -F',' '{ print $14 }') echo -e "\n$TITLE112 " if [ $ROOTKEY1 == "false" ];then - echo -e " $OK OK! $NORMAL No access key 1 found " + echo -e " $OK OK! $NORMAL No access key 1 found for root " else - echo -e " $RED Found access key 1 $NORMAL" + echo -e " $BAD WARNING! Found access key 1 for root $NORMAL" fi if [ $ROOTKEY2 == "false" ];then - echo -e " $OK OK! $NORMAL No access key 2 found " + echo -e " $OK OK! $NORMAL No access key 2 found for root " else - echo -e " $RED Found access key 2 $NORMAL" + echo -e " $BAD WARNING! Found access key 2 for root $NORMAL" fi } @@ -450,7 +495,7 @@ check113(){ if [ $COMMAND113 == "1" ]; then echo " $OK OK! $NORMAL Virtual MFA is enabled. " else - echo " $RED WARNING! MFA is not ENABLED for root account $NORMAL" + echo " $BAD WARNING! MFA is not ENABLED for root account $NORMAL" fi } @@ -466,7 +511,7 @@ check114(){ echo " $OK OK! $NORMAL Hardware MFA is enabled. " fi else - echo " $RED WARNING! MFA is not ENABLED for root account $NORMAL" + echo " $BAD WARNING! MFA is not ENABLED for root account $NORMAL" fi } @@ -484,12 +529,17 @@ check116(){ echo -e "\n$TITLE116" LIST_USERS=$($AWSCLI iam list-users --query 'Users[*].UserName' --output text --profile $PROFILE --region $REGION) echo -e " Users with policy attached to them instead to groups: (it may take few seconds...) " + C116_NUM_USERS=0 for user in $LIST_USERS;do USER_POLICY=$($AWSCLI iam list-attached-user-policies --output text --profile $PROFILE --region $REGION --user-name $user) if [[ $USER_POLICY ]]; then - echo -e " $RED $user $NORMAL" + echo -e " $BAD WARNING! $user has policy directly attached $NORMAL" + C116_NUM_USERS=$(expr $C116_NUM_USERS + 1) fi done + if [[ $C116_NUM_USERS -eq 0 ]]; then + echo -e " $OK OK! $NORMAL No policies attached to users." + fi } check117(){ @@ -522,7 +572,7 @@ check118(){ done done else - echo -e " $RED WARNING! IAM Master and IAM Manager roles not found$NORMAL" + echo -e " $BAD WARNING! IAM Master and IAM Manager roles not found$NORMAL" fi } @@ -560,14 +610,14 @@ check122(){ for policyarn in $SUPPORTPOLICYARN;do POLICYTOSHOW=$($AWSCLI iam list-entities-for-policy --policy-arn $SUPPORTPOLICYARN --profile $PROFILE --region $REGION --output text) if [[ $POLICYTOSHOW ]];then - echo -e " $OK $POLICYTOSHOW $NORMAL" + echo -e " $OK OK! $NORMAL $POLICYTOSHOW" echo -e " $NOTICE Make sure your team can create a Support case with AWS $NORMAL" else - echo -e " $RED Support Policy not applied to any Group, User or Role $NORMAL" + echo -e " $BAD WARNING! Support Policy not applied to any Group, User or Role $NORMAL" fi done else - echo -e " $RED WARNING! No Support Policy found$NORMAL" + echo -e " $BAD WARNING! No Support Policy found$NORMAL" fi } @@ -580,18 +630,18 @@ check123(){ LIST_USERS_KEY1_ACTIVE=$(for user in $LIST_USERS_KEY1_NA; do grep $user $TEMP_REPORT_FILE|awk -F, '{ print $1,$9 }'|grep "true$"|awk '{ print $1 }'|sed 's/[:blank:]+/,/g' ; done) if [[ $LIST_USERS_KEY1_ACTIVE ]]; then echo -e " $NOTICE List of users with Access Key 1 never used:$NORMAL" - echo -e " $RED $LIST_USERS_KEY1_ACTIVE $NORMAL" + echo -e " $NOTICE $LIST_USERS_KEY1_ACTIVE $NORMAL have never used Access Key 1" else - echo -e " $OK No users found with Access Key 1 never used $NORMAL" + echo -e " $OK OK! $NORMAL No users found with Access Key 1 never used" fi # List of USERS with KEY2 last_used_date as N/A LIST_USERS_KEY2_NA=$(for user in $LIST_USERS; do grep $user $TEMP_REPORT_FILE|awk -F, '{ print $1,$16 }'|grep N/A |awk '{ print $1 }' ; done) LIST_USERS_KEY2_ACTIVE=$(for user in $LIST_USERS_KEY2_NA; do grep $user $TEMP_REPORT_FILE|awk -F, '{ print $1,$14 }'|grep "true$" |awk '{ print $1 }' ; done) if [[ $LIST_USERS_KEY2_ACTIVE ]]; then echo -e " $NOTICE List of users with Access Key 2 never used:$NORMAL" - echo -e " $RED $LIST_USERS_KEY2_ACTIVE $NORMAL" + echo -e " $NOTICE $LIST_USERS_KEY2_ACTIVE $NORMAL have never used Access Key 2" else - echo -e " $OK No users found with Access Key 2 never used $NORMAL" + echo -e " $OK OK! $NORMAL No users found with Access Key 2 never used" fi } @@ -611,13 +661,13 @@ check124(){ if [[ $POLICIES_ALLOW_LIST ]]; then echo -e " $NOTICE List of custom policies: $NORMAL" for policy in $POLICIES_ALLOW_LIST; do - echo " $RED $policy $NORMAL" + echo " $NOTICE Policy $policy allows \"*:*\" $NORMAL" done else - echo " $OK No custom policy found that allow full \"*:*\" administrative privileges $NORMAL" + echo " $OK OK! $NORMAL No custom policy found that allow full \"*:*\" administrative privileges" fi else - echo " $OK No custom policies found $NORMAL" + echo " $OK OK! $NORMAL No custom policies found" fi } @@ -629,13 +679,13 @@ check21(){ for trail in $LIST_OF_TRAILS;do MULTIREGION_TRAIL_STATUS=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].IsMultiRegionTrail' --output text --trail-name-list $trail) if [[ $MULTIREGION_TRAIL_STATUS == 'False' ]];then - echo -e " $RED WARNING! $trail trail in $REGION is not enabled in multi region mode$NORMAL" + echo -e " $BAD WARNING! $trail trail in $REGION is not enabled in multi region mode$NORMAL" else - echo -e " $OK OK! $trail trail in $REGION is enabled for all regions$NORMAL" + echo -e " $OK OK! $NORMAL $trail trail in $REGION is enabled for all regions" fi done else - echo -e " $RED WARNING! No CloudTrail trails found!$NORMAL" + echo -e " $BAD WARNING! No CloudTrail trails found!$NORMAL" fi } @@ -647,13 +697,13 @@ check22(){ for trail in $LIST_OF_TRAILS;do LOGFILEVALIDATION_TRAIL_STATUS=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].LogFileValidationEnabled' --output text --trail-name-list $trail) if [[ $LOGFILEVALIDATION_TRAIL_STATUS == 'False' ]];then - echo -e " $RED WARNING! $trail trail in $REGION has not log file validation enabled$NORMAL" + echo -e " $BAD WARNING! $trail trail in $REGION has not log file validation enabled$NORMAL" else - echo -e " $OK OK! $trail trail in $REGION has log file validation enabled$NORMAL" + echo -e " $OK OK! $NORMAL $trail trail in $REGION has log file validation enabled" fi done else - echo -e " $RED WARNING! No CloudTrail trails found!$NORMAL" + echo -e " $BAD WARNING! No CloudTrail trails found!$NORMAL" fi } @@ -665,38 +715,39 @@ check23(){ for bucket in $CLOUDTRAILBUCKET;do CLOUDTRAILBUCKET_HASALLPERMISIONS=$($AWSCLI s3api get-bucket-acl --bucket $bucket --query 'Grants[?Grantee.URI==`http://acs.amazonaws.com/groups/global/AllUsers`]' --profile $PROFILE --region $REGION --output text) if [[ $CLOUDTRAILBUCKET_HASALLPERMISIONS ]];then - echo -e " $RED WARNING! check your $bucket CloudTrail bucket ACL and Policy!$NORMAL" + echo -e " $BAD WARNING! check your $bucket CloudTrail bucket ACL and Policy!$NORMAL" else - echo -e " $OK OK! Bucket $bucket is set correctly $NORMAL" + echo -e " $OK OK! $NORMAL Bucket $bucket is set correctly" fi done else - echo -e " $RED WARNING! No CloudTrail bucket found!$NORMAL" + echo -e " $BAD WARNING! No CloudTrail bucket found!$NORMAL" fi } check24(){ TITLE24="$BLUE 2.4$NORMAL Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)" echo -e "\n$TITLE24" - LIST_OF_TRAILS=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].Name' --output text) - if [[ $LIST_OF_TRAILS ]];then - for trail in $LIST_OF_TRAILS;do - TRAIL_REGION=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --trail-name-list "$trail" --query 'trailList[*].HomeRegion' --output text) + TRAILS_AND_REGIONS=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].{Name:Name, HomeRegion:HomeRegion}' --output text | tr "\t" ',') + if [[ $TRAILS_AND_REGIONS ]];then + for reg_trail in $TRAILS_AND_REGIONS;do + trail=$(echo $reg_trail | cut -d',' -f2) + TRAIL_REGION=$(echo $reg_trail | cut -d',' -f1) LATESTDELIVERY_TIMESTAMP=$($AWSCLI cloudtrail get-trail-status --name $trail --profile $PROFILE --region $TRAIL_REGION --query 'LatestCloudWatchLogsDeliveryTime' --output text|grep -v None) if [[ ! $LATESTDELIVERY_TIMESTAMP ]];then - echo -e " $RED $trail trail is not logging in the last 24h or not configured (it is in $TRAIL_REGION)$NORMAL" + echo -e " $BAD WARNING! $trail trail is not logging in the last 24h or not configured (it is in $TRAIL_REGION)$NORMAL" else LATESTDELIVERY_DATE=$(timestamp_to_date $LATESTDELIVERY_TIMESTAMP) HOWOLDER=$(how_older_from_today $LATESTDELIVERY_DATE) if [ $HOWOLDER -gt "1" ];then - echo -e " $RED $trail trail is not logging in the last 24h or not configured (it is in $TRAIL_REGION)$NORMAL" + echo -e " $BAD WARNING! $trail trail is not logging in the last 24h or not configured (it is in $TRAIL_REGION)$NORMAL" else - echo -e " $OK $trail trail has been logging during the last 24h (it is in $TRAIL_REGION)$NORMAL" + echo -e " $OK OK! $NORMAL $trail trail has been logging during the last 24h (it is in $TRAIL_REGION)" fi fi done else - echo -e " $RED WARNING! No CloudTrail trails found!$NORMAL" + echo -e " $BAD WARNING! No CloudTrail trails found!$NORMAL" fi } @@ -706,9 +757,9 @@ check25(){ for regx in $REGIONS; do CHECK_AWSCONFIG_STATUS=$($AWSCLI configservice get-status --profile $PROFILE --region $regx | grep "recorder: ON") if [[ $CHECK_AWSCONFIG_STATUS ]];then - echo -e " $OK Region $regx has AWS Config recorder: ON $NORMAL" + echo -e " $OK OK! $NORMAL Region $regx has AWS Config recorder: ON " else - echo -e " $RED WARNING! Region $regx has AWS Config disabled or not configured$NORMAL" + echo -e " $BAD WARNING! Region $regx has AWS Config disabled or not configured$NORMAL" fi done } @@ -721,13 +772,13 @@ check26(){ for bucket in $CLOUDTRAILBUCKET;do CLOUDTRAILBUCKET_LOGENABLED=$($AWSCLI s3api get-bucket-logging --bucket $bucket --profile $PROFILE --region $REGION --query 'LoggingEnabled.TargetBucket' --output text|grep -v None) if [[ $CLOUDTRAILBUCKET_LOGENABLED ]];then - echo -e " $OK OK! It is enabled in $bucket $NORMAL" + echo -e " $OK OK! $NORMAL It is enabled in $bucket" else - echo -e " $RED WARNING! access logging is not enabled in $bucket CloudTrail S3 bucket!$NORMAL" + echo -e " $BAD WARNING! access logging is not enabled in $bucket CloudTrail S3 bucket!$NORMAL" fi done else - echo -e " $RED WARNING! CloudTrail bucket not found!$NORMAL" + echo -e " $BAD WARNING! CloudTrail bucket not found!$NORMAL" fi } @@ -739,13 +790,13 @@ check27(){ for trail in $CLOUDTRAILNAME;do CLOUDTRAILENC_ENABLED=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --trail $trail --query 'trailList[*].KmsKeyId' --output text) if [[ $CLOUDTRAILENC_ENABLED ]];then - echo -e " $OK OK! KMS key found for $trail $NORMAL" + echo -e " $OK OK! $NORMAL KMS key found for $trail" else - echo -e " $RED WARNING! encryption is not enabled in your CloudTrail trail $trail, KMS key not found!$NORMAL" + echo -e " $BAD WARNING! encryption is not enabled in your CloudTrail trail $trail, KMS key not found!$NORMAL" fi done else - echo -e " $RED WARNING! CloudTrail bucket doesn't exist!$NORMAL" + echo -e " $BAD WARNING! CloudTrail bucket doesn't exist!$NORMAL" fi } @@ -758,16 +809,16 @@ check28(){ for key in $CHECK_KMS_KEYLIST; do CHECK_KMS_KEY_TYPE=$($AWSCLI kms describe-key --key-id $key --profile $PROFILE --region $regx --query 'KeyMetadata.Origin' | sed 's/["]//g') if [[ $CHECK_KMS_KEY_TYPE == "EXTERNAL" ]];then - echo -e " $BLUE Key $key in Region $regx Customer Uploaded Key Material.$NORMAL" + echo -e " $OK OK! $NORMAL Key $key in Region $regx Customer Uploaded Key Material." else CHECK_KMS_KEY_ROTATION=$($AWSCLI kms get-key-rotation-status --key-id $key --profile $PROFILE --region $regx --output text) CHECK_KMS_DEFAULT_KEY=$($AWSCLI kms describe-key --key-id $key --profile $PROFILE --region $regx --query 'KeyMetadata.Description' | sed -n '/Default master key that protects my /p') if [[ $CHECK_KMS_KEY_ROTATION == "True" ]];then - echo -e " $OK OK! Key $key in Region $regx is set correctly$NORMAL" + echo -e " $OK OK! $NORMAL Key $key in Region $regx is set correctly" elif [[ $CHECK_KMS_KEY_ROTATION == "False" && $CHECK_KMS_DEFAULT_KEY ]];then echo -e " $NOTICE Region $regx key $key is an AWS default master key and cannot be deleted nor modified.$NORMAL" else - echo -e " $RED WARNING! Key $key in Region $regx is not set to rotate!!!$NORMAL" + echo -e " $BAD WARNING! Key $key in Region $regx is not set to rotate!!!$NORMAL" fi fi done @@ -785,12 +836,12 @@ check31(){ if [[ $CLOUDWATCH_GROUP ]];then METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep AccessDenied) if [[ $METRICFILTER_SET ]];then - echo -e " $OK OK! CloudWatch group found, and metric filters for Access Denied enabled$NORMAL" + echo -e " $OK OK! $NORMAL CloudWatch group found, and metric filters for Access Denied enabled" else - echo -e " $RED WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL" + echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL" fi else - echo -e " $RED WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL" + echo -e " $BAD WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL" fi } @@ -801,12 +852,12 @@ check32(){ if [[ $CLOUDWATCH_GROUP ]];then METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'userIdentity.sessionContext.attributes.mfaAuthenticated.*true') if [[ $METRICFILTER_SET ]];then - echo -e " $OK OK! CloudWatch group found, and metric filters for sign-in Console without MFA enabled$NORMAL" + echo -e " $OK OK! $NORMAL CloudWatch group found, and metric filters for sign-in Console without MFA enabled" else - echo -e " $RED WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL" + echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL" fi else - echo -e " $RED WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL" + echo -e " $BAD WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL" fi } @@ -817,12 +868,12 @@ check33(){ if [[ $CLOUDWATCH_GROUP ]];then METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION |grep -E 'userIdentity.*Root.*AwsServiceEvent') if [[ $METRICFILTER_SET ]];then - echo -e " $OK OK! CloudWatch group found, and metric filters for usage of root account enabled$NORMAL" + echo -e " $OK OK! $NORMAL CloudWatch group found, and metric filters for usage of root account enabled" else - echo -e " $RED WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL" + echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL" fi else - echo -e " $RED WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL" + echo -e " $BAD WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL" fi } @@ -833,12 +884,12 @@ check34(){ if [[ $CLOUDWATCH_GROUP ]];then METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'DeleteGroupPolicy.*DeleteRolePolicy.*DeleteUserPolicy.*PutGroupPolicy.*PutRolePolicy.*PutUserPolicy.*CreatePolicy.*DeletePolicy.*CreatePolicyVersion.*DeletePolicyVersion.*AttachRolePolicy.*DetachRolePolicy.*AttachUserPolicy.*DetachUserPolicy.*AttachGroupPolicy.*DetachGroupPolicy') if [[ $METRICFILTER_SET ]];then - echo -e " $OK OK! CloudWatch group found, and metric filters for IAM policy changes enabled$NORMAL" + echo -e " $OK OK! $NORMAL CloudWatch group found, and metric filters for IAM policy changes enabled" else - echo -e " $RED WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL" + echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL" fi else - echo -e " $RED WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL" + echo -e " $BAD WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL" fi } @@ -849,12 +900,12 @@ check35(){ if [[ $CLOUDWATCH_GROUP ]];then METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'CreateTrail.*UpdateTrail.*DeleteTrail.*StartLogging.*StopLogging') if [[ $METRICFILTER_SET ]];then - echo -e " $OK OK! CloudWatch group found, and metric filters for CloudTrail configuration changes enabled$NORMAL" + echo -e " $OK OK! $NORMAL CloudWatch group found, and metric filters for CloudTrail configuration changes enabled" else - echo -e " $RED WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL" + echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL" fi else - echo -e " $RED WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL" + echo -e " $BAD WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL" fi } @@ -865,12 +916,12 @@ check36(){ if [[ $CLOUDWATCH_GROUP ]];then METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'ConsoleLogin.*Failed') if [[ $METRICFILTER_SET ]];then - echo -e " $OK OK! CloudWatch group found, and metric filters for usage of root account enabled$NORMAL" + echo -e " $OK OK! $NORMAL CloudWatch group found, and metric filters for usage of root account enabled" else - echo -e " $RED WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL" + echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL" fi else - echo -e " $RED WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL" + echo -e " $BAD WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL" fi } @@ -881,12 +932,12 @@ check37(){ if [[ $CLOUDWATCH_GROUP ]];then METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'kms.amazonaws.com.*DisableKey.*ScheduleKeyDeletion') if [[ $METRICFILTER_SET ]];then - echo -e " $OK OK! CloudWatch group found, and metric filters enabled$NORMAL" + echo -e " $OK OK! $NORMAL CloudWatch group found, and metric filters enabled" else - echo -e " $RED WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL" + echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL" fi else - echo -e " $RED WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL" + echo -e " $BAD WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL" fi } @@ -897,12 +948,12 @@ check38(){ if [[ $CLOUDWATCH_GROUP ]];then METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 's3.amazonaws.com.*PutBucketAcl.*PutBucketPolicy.*PutBucketCors.*PutBucketLifecycle.*PutBucketReplication.*DeleteBucketPolicy.*DeleteBucketCors.*DeleteBucketLifecycle.*DeleteBucketReplication') if [[ $METRICFILTER_SET ]];then - echo -e " $OK OK! CloudWatch group found, and metric filters enabled$NORMAL" + echo -e " $OK OK! $NORMAL CloudWatch group found, and metric filters enabled" else - echo -e " $RED WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL" + echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL" fi else - echo -e " $RED WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL" + echo -e " $BAD WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL" fi } @@ -913,12 +964,12 @@ check39(){ if [[ $CLOUDWATCH_GROUP ]];then METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'config.amazonaws.com.*StopConfigurationRecorder.*DeleteDeliveryChannel.*PutDeliveryChannel.*PutConfigurationRecorder') if [[ $METRICFILTER_SET ]];then - echo -e " $OK OK! CloudWatch group found, and metric filters enabled$NORMAL" + echo -e " $OK OK! $NORMAL CloudWatch group found, and metric filters enabled" else - echo -e " $RED WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL" + echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL" fi else - echo -e " $RED WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL" + echo -e " $BAD WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL" fi } @@ -929,12 +980,12 @@ check310(){ if [[ $CLOUDWATCH_GROUP ]];then METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'AuthorizeSecurityGroupIngress.*AuthorizeSecurityGroupEgress.*RevokeSecurityGroupIngress.*RevokeSecurityGroupEgress.*CreateSecurityGroup.*DeleteSecurityGroup') if [[ $METRICFILTER_SET ]];then - echo -e " $OK OK! CloudWatch group found, and metric filters enabled$NORMAL" + echo -e " $OK OK! $NORMAL CloudWatch group found, and metric filters enabled" else - echo -e " $RED WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL" + echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL" fi else - echo -e " $RED WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL" + echo -e " $BAD WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL" fi } @@ -945,12 +996,12 @@ check311(){ if [[ $CLOUDWATCH_GROUP ]];then METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'CreateNetworkAcl.*CreateNetworkAclEntry.*DeleteNetworkAcl.*DeleteNetworkAclEntry.*ReplaceNetworkAclEntry.*ReplaceNetworkAclAssociation') if [[ $METRICFILTER_SET ]];then - echo -e " $OK OK! CloudWatch group found, and metric filters enabled$NORMAL" + echo -e " $OK OK! $NORMAL CloudWatch group found, and metric filters enabled" else - echo -e " $RED WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL" + echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL" fi else - echo -e " $RED WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL" + echo -e " $BAD WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL" fi } @@ -961,12 +1012,12 @@ check312(){ if [[ $CLOUDWATCH_GROUP ]];then METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'CreateCustomerGateway.*DeleteCustomerGateway.*AttachInternetGateway.*CreateInternetGateway.*DeleteInternetGateway.*DetachInternetGateway') if [[ $METRICFILTER_SET ]];then - echo -e " $OK OK! CloudWatch group found, and metric filters enabled$NORMAL" + echo -e " $OK OK! $NORMAL CloudWatch group found, and metric filters enabled" else - echo -e " $RED WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL" + echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL" fi else - echo -e " $RED WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL" + echo -e " $BAD WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL" fi } @@ -977,12 +1028,12 @@ check313(){ if [[ $CLOUDWATCH_GROUP ]];then METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'CreateRoute.*CreateRouteTable.*ReplaceRoute.*ReplaceRouteTableAssociation.*DeleteRouteTable.*DeleteRoute.*DisassociateRouteTable') if [[ $METRICFILTER_SET ]];then - echo -e " $OK OK! CloudWatch group found, and metric filters enabled$NORMAL" + echo -e " $OK OK! $NORMAL CloudWatch group found, and metric filters enabled" else - echo -e " $RED WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL" + echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL" fi else - echo -e " $RED WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL" + echo -e " $BAD WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL" fi } @@ -993,12 +1044,12 @@ check314(){ if [[ $CLOUDWATCH_GROUP ]];then METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'CreateVpc.*DeleteVpc.*ModifyVpcAttribute.*AcceptVpcPeeringConnection.*CreateVpcPeeringConnection.*DeleteVpcPeeringConnection.*RejectVpcPeeringConnection.*AttachClassicLinkVpc.*DetachClassicLinkVpc.*DisableVpcClassicLink.*EnableVpcClassicLink') if [[ $METRICFILTER_SET ]];then - echo -e " $OK OK! CloudWatch group found, and metric filters enabled$NORMAL" + echo -e " $OK OK! $NORMAL CloudWatch group found, and metric filters enabled" else - echo -e " $RED WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL" + echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL" fi else - echo -e " $RED WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL" + echo -e " $BAD WARNING! No CloudWatch group found, no metric filters or alarms associated$NORMAL" fi } @@ -1015,8 +1066,8 @@ check315(){ echo -e " $NOTICE Region $regx with Topic $TOPIC_SHORT: $NORMAL " echo -e " $NOTICE - Suscription: $CHECK_TOPIC_LIST $NORMAL" else - echo -e " $RED WARNING! No suscription found in: Region $regx and Topic $topic $NORMAL" - echo -e " $RED - Region $regx and Topic $topic $NORMAL" + echo -e " $BAD WARNING! No suscription found in: Region $regx and Topic $topic $NORMAL" + echo -e " $BAD - Region $regx and Topic $topic $NORMAL" fi done else @@ -1032,10 +1083,10 @@ check41(){ SG_LIST=$($AWSCLI ec2 describe-security-groups --filters "Name=ip-permission.to-port,Values=22" --query 'SecurityGroups[?length(IpPermissions[?ToPort==`22` && contains(IpRanges[].CidrIp, `0.0.0.0/0`)]) > `0`].{GroupName: GroupName}' --profile $PROFILE --region $regx --output text) if [[ $SG_LIST ]];then for SG in $SG_LIST;do - echo -e " $RED Found Security Group: $SG open to 0.0.0.0/0 in Region $regx $NORMAL " + echo -e " $BAD WARNING! Found Security Group: $SG open to 0.0.0.0/0 in Region $regx $NORMAL " done else - echo -e " $OK OK! No Security Groups found in $regx with port 22 TCP open to 0.0.0.0/0 $NORMAL " + echo -e " $OK OK! $NORMAL No Security Groups found in $regx with port 22 TCP open to 0.0.0.0/0 " fi done } @@ -1047,10 +1098,10 @@ check42(){ SG_LIST=$($AWSCLI ec2 describe-security-groups --filters "Name=ip-permission.to-port,Values=3389" --query 'SecurityGroups[?length(IpPermissions[?ToPort==`3389` && contains(IpRanges[].CidrIp, `0.0.0.0/0`)]) > `0`].{GroupName: GroupName}' --profile $PROFILE --region $regx --output text) if [[ $SG_LIST ]];then for SG in $SG_LIST;do - echo -e " $RED Found Security Group: $SG open to 0.0.0.0/0 in Region $regx $NORMAL " + echo -e " $BAD WARNING! Found Security Group: $SG open to 0.0.0.0/0 in Region $regx $NORMAL " done else - echo -e " $OK OK! No Security Groups found in $regx with port 3389 TCP open to 0.0.0.0/0 $NORMAL " + echo -e " $OK OK! $NORMAL No Security Groups found in $regx with port 3389 TCP open to 0.0.0.0/0 " fi done } @@ -1062,10 +1113,10 @@ check43(){ CHECK_FL=$($AWSCLI ec2 describe-flow-logs --profile $PROFILE --region $regx --query 'FlowLogs[?FlowLogStatus==`ACTIVE`].LogGroupName' --output text) if [[ $CHECK_FL ]];then for FL in $CHECK_FL;do - echo -e " $OK OK! VPCFlowLog is enabled for LogGroupName: $FL in Region $regx $NORMAL " + echo -e " $OK OK! $NORMAL VPCFlowLog is enabled for LogGroupName: $FL in Region $regx " done else - echo -e " $RED WARNING! No VPCFlowLog has been found in Region $regx $NORMAL " + echo -e " $BAD WARNING! No VPCFlowLog has been found in Region $regx $NORMAL " fi done } @@ -1076,9 +1127,9 @@ check44(){ for regx in $REGIONS; do CHECK_SGDEFAULT=$($AWSCLI ec2 describe-security-groups --profile $PROFILE --region $regx --filters Name=group-name,Values='default' --query 'SecurityGroups[*].{IpPermissions:IpPermissions,IpPermissionsEgress:IpPermissionsEgress,GroupId:GroupId}' --output text |grep 0.0.0.0) if [[ $CHECK_SGDEFAULT ]];then - echo -e " $RED WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region $regx $NORMAL " + echo -e " $BAD WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region $regx $NORMAL " else - echo -e " $OK OK! No Default Security Groups open to 0.0.0.0 found in Region $regx $NORMAL " + echo -e " $OK OK! $NORMAL No Default Security Groups open to 0.0.0.0 found in Region $regx " fi done } @@ -1099,7 +1150,7 @@ check45(){ # done #echo $VPCS_WITH_PEERING else - echo -e " $OK $regx: No VPC peering found $NORMAL " + echo -e " $OK OK! $NORMAL $regx: No VPC peering found " fi done }