checks for glue - 7119, 7121, 7123

checks/check_extra7119

@@ -23,7 +23,7 @@
 #	[--apply-immediately | --no-apply-immediately]
 
 CHECK_ID_extra7119="7.119"
-CHECK_TITLE_extra7119="[extra7119] Check if Security configurations used by ETL Development endpoints have S3 encryption enabled."
+CHECK_TITLE_extra7119="[extra7119] Check if Glue security configurations used by ETL Development endpoints have S3 encryption enabled."
 CHECK_SCORED_extra7119="NOT_SCORED"
 CHECK_TYPE_extra7119="EXTRA"
 CHECK_SEVERITY_extra7119="Medium"
@@ -31,7 +31,6 @@ CHECK_ASFF_RESOURCE_TYPE_extra7119="AwsGlue"
 CHECK_ALTERNATE_check7119="extra7119"
 
 extra7119(){
-  textInfo "Looking for Development Endpoints in all regions...  "
   for regx in $REGIONS; do
     LIST_EP_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Security:SecurityConfiguration}' --output json)
     if [[ ! -z "$LIST_EP_SC" ]]; then
@@ -41,16 +40,16 @@ extra7119(){
         if [[ ! -z "$ENDPOINT_SC" ]]; then
           ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.S3Encryption[0].S3EncryptionMode' --output text)
           if [[ "$ENDPOINT_SC_ENCRYPTION" == "DISABLED" ]]; then
-            textFail "$regx: Development Endpoint $ENDPOINT_NAME does not have S3 encryption enabled!" "$regx"
+            textFail "$regx: Glue Development Endpoint $ENDPOINT_NAME does not have S3 encryption enabled!" "$regx"
           else
-            textPass "$regx: Development Endpoint $ENDPOINT_NAME has S3 encryption enabled" "$regx"
+            textPass "$regx: Glue Development Endpoint $ENDPOINT_NAME has S3 encryption enabled" "$regx"
           fi
         else
-          textInfo "$regx: No Security Configuration found for Development Endpoint $ENDPOINT_NAME" "$regx"
+          textInfo "$regx: No Glue security configuration found for Development Endpoint $ENDPOINT_NAME" "$regx"
         fi
       done
     else
-      textInfo "$regx: There are no Development Endpoints" "$regx"
+      textInfo "$regx: There are no Glue Development Endpoints" "$regx"
     fi
   done
 }

checks/check_extra7121

@@ -23,7 +23,7 @@
 #	[--apply-immediately | --no-apply-immediately]
 
 CHECK_ID_extra7121="7.121"
-CHECK_TITLE_extra7121="[extra7121] Check if Security configurations used by ETL Development endpoints have CloudWatch logs encryption enabled."
+CHECK_TITLE_extra7121="[extra7121] Check if Glue security configurations used by ETL Development endpoints have CloudWatch logs encryption enabled."
 CHECK_SCORED_extra7121="NOT_SCORED"
 CHECK_TYPE_extra7121="EXTRA"
 CHECK_SEVERITY_extra7121="Medium"
@@ -31,7 +31,6 @@ CHECK_ASFF_RESOURCE_TYPE_extra7121="AwsGlue"
 CHECK_ALTERNATE_check7121="extra7121"
 
 extra7121(){
-  textInfo "Looking for Development Endpoints in all regions...  "
   for regx in $REGIONS; do
     LIST_EP_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Security:SecurityConfiguration}' --output json)
     if [[ ! -z "$LIST_EP_SC" ]]; then
@@ -41,16 +40,16 @@ extra7121(){
         if [[ ! -z "$ENDPOINT_SC" ]]; then
           ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.CloudWatchEncryption.CloudWatchEncryptionMode' --output text)
           if [[ $ENDPOINT_SC_ENCRYPTION == "DISABLED" ]]; then
-            textFail "$regx: Development Endpoint $ENDPOINT_NAME does not have CloudWatch logs encryption enabled!" "$regx"
+            textFail "$regx: Glue Development Endpoint $ENDPOINT_NAME does not have CloudWatch logs encryption enabled!" "$regx"
           else
-            textPass "$regx: Development Endpoint $ENDPOINT_NAME has CloudWatch logs encryption enabled" "$regx"
+            textPass "$regx: Glue Development Endpoint $ENDPOINT_NAME has CloudWatch logs encryption enabled" "$regx"
           fi
         else
-          textInfo "$regx: No Security Configuration found" "$regx"
+          textInfo "$regx: No Glue security configuration found" "$regx"
         fi
       done
     else
-      textInfo "$regx: There are no Development Endpoints" "$regx"
+      textInfo "$regx: There are no Glue Development Endpoints" "$regx"
     fi
   done
 }

checks/check_extra7123

@@ -23,7 +23,7 @@
 #	[--apply-immediately | --no-apply-immediately]
 
 CHECK_ID_extra7123="7.123"
-CHECK_TITLE_extra7123="[extra7123] Check if Security configurations used by ETL Development endpoints have Job bookmark encryption enabled."
+CHECK_TITLE_extra7123="[extra7123] Check if Glue security configurations used by ETL Development endpoints have Job bookmark encryption enabled."
 CHECK_SCORED_extra7123="NOT_SCORED"
 CHECK_TYPE_extra7123="EXTRA"
 CHECK_SEVERITY_extra7123="Medium"
@@ -31,7 +31,6 @@ CHECK_ASFF_RESOURCE_TYPE_extra7123="AwsGlue"
 CHECK_ALTERNATE_check7123="extra7123"
 
 extra7123(){
-  textInfo "Looking for Development Endpoints in all regions...  "
   for regx in $REGIONS; do
     LIST_EP_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Security:SecurityConfiguration}' --output json)
     if [[ ! -z "$LIST_EP_SC" ]]; then
@@ -41,16 +40,16 @@ extra7123(){
         if [[ ! -z "$ENDPOINT_SC" ]]; then
           ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode' --output text)
           if [[ "$ENDPOINT_SC_ENCRYPTION" == "DISABLED" ]]; then
-            textFail "$regx: Development Endpoint $ENDPOINT_NAME does not have Job Bookmark encryption enabled!" "$regx"
+            textFail "$regx: Glue Development Endpoint $ENDPOINT_NAME does not have Job Bookmark encryption enabled!" "$regx"
           else
-            textPass "$regx: Development Endpoint $ENDPOINT_NAME has Job Bookmark encryption enabled" "$regx"
+            textPass "$regx: Glue Development Endpoint $ENDPOINT_NAME has Job Bookmark encryption enabled" "$regx"
           fi
         else
-          textInfo "$regx: No Security Configuration found" "$regx"
+          textInfo "$regx: No Glue security configuration found" "$regx"
         fi
       done
     else
-      textInfo "$regx: There are no Development Endpoints" "$regx"
+      textInfo "$regx: There are no Glue Development Endpoints" "$regx"
     fi
   done
 }

checks/check_extra7124

@@ -1,59 +0,0 @@
-#!/usr/bin/env bash
-
-# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not
-# use this file except in compliance with the License. You may obtain a copy
-# of the License at http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed
-# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
-# CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-
-# Remediation:
-#
-# https://www.cloudconformity.com/knowledge-base/aws/RDS/instance-deletion-protection.html
-# https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html
-#
-# aws rds modify-db-instance \
-#	--region us-east-1 \
-#	--db-instance-identifier test-db \
-#	--deletion-protection \
-#	[--apply-immediately | --no-apply-immediately]
-
-CHECK_ID_extra7124="7.124"
-CHECK_TITLE_extra7124="[extra7124] Check if ETL Job Server-side encryption (Enables Amazon S3-managed encryption of the data at the target, SSE-S3) is enabled."
-CHECK_SCORED_extra7124="NOT_SCORED"
-CHECK_TYPE_extra7124="EXTRA"
-CHECK_SEVERITY_extra7124="Medium"
-CHECK_ASFF_RESOURCE_TYPE_extra7124="AwsGlue"
-CHECK_ALTERNATE_check7124="extra7124"
-
-extra7124(){
-  textInfo "Looking for ETL Jobs in all regions...  "
-  for regx in $REGIONS; do
-    JOB_LIST=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --output json --query 'Jobs[*].{Name:Name,SecurityConfiguration:SecurityConfiguration,JobEncryption:DefaultArguments."--encryption-type"}')
-    if [[ ! -z "$JOB_LIST" ]]; then
-      for job in $(echo "${JOB_LIST}" | jq -r '.[] | @base64'); do
-          JOB_NAME=$(echo $job | base64 --decode | jq -r '.Name')
-          SECURITY_CONFIGURATION=$(echo $job | base64 --decode | jq -r '.SecurityConfiguration // empty')
-          JOB_ENCRYPTION=$(echo $job | base64 --decode | jq -r '.JobEncryption // empty')
-          if [[ ! -z "$SECURITY_CONFIGURATION" ]]; then
-            S3_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${SECURITY_CONFIGURATION}" $PROFILE_OPT --region $regx --output text --query 'SecurityConfiguration.EncryptionConfiguration.S3Encryption[0].S3EncryptionMode')
-            if [[ "$S3_ENCRYPTION" == "SSE-S3" ]]; then
-              textFail "$regx: Job $JOB_NAME has Server side encryption (SSE-S3) enabled" "$regx"
-            else
-              textInfo "$regx: Job $JOB_NAME does not have Server side encryption (SSE-S3) enabled" "$regx"
-            fi
-          elif [[ ! -z "$JOB_ENCRYPTION" ]]; then
-            textInfo "$regx: Job $JOB_NAME does have $JOB_ENCRYPTION S3 encryption enabled" "$regx"
-          else
-            textFail "$regx: Job $JOB_NAME does not have S3 encryption enabled" "$regx"
-          fi
-      done
-    else
-      textInfo "$regx: There are no ETL jobs" "$regx"
-    fi
-  done
-}

checks/check_extra7125

@@ -1,51 +0,0 @@
-#!/usr/bin/env bash
-
-# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not
-# use this file except in compliance with the License. You may obtain a copy
-# of the License at http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed
-# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
-# CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-
-# Remediation:
-#
-# https://www.cloudconformity.com/knowledge-base/aws/RDS/instance-deletion-protection.html
-# https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html
-#
-# aws rds modify-db-instance \
-#	--region us-east-1 \
-#	--db-instance-identifier test-db \
-#	--deletion-protection \
-#	[--apply-immediately | --no-apply-immediately]
-
-CHECK_ID_extra7125="7.125"
-CHECK_TITLE_extra7125="[extra7125] Checks if AWS Glue is used with VPC Endpoints."
-CHECK_SCORED_extra7125="NOT_SCORED"
-CHECK_TYPE_extra7125="EXTRA"
-CHECK_SEVERITY_extra7125="Medium"
-CHECK_ASFF_RESOURCE_TYPE_extra7125="AwsGlue"
-CHECK_ALTERNATE_check7125="extra7125"
-
-extra7125(){
-  textInfo "Looking for Development Endpoints in all regions...  "
-  for regx in $REGIONS; do
-    LIST_EP_PA=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Address:PrivateAddress}' --output json)
-    if [[ ! -z "$LIST_EP_PA" ]]; then
-      for ep in $(echo "${LIST_EP_PA}" | jq -r '.[] | @base64'); do
-        EP_NAME=$(echo $ep | base64 --decode | jq -r '.Name')
-        PRIVATE_ADDRESS=$(echo $ep | base64 --decode | jq -r '.Address')
-        if [[ ! -z "$PRIVATE_ADDRESS" ]]; then
-          textPass "$regx: AWS Glue Development Endpoint $EP_NAME uses a VPC Endpoint" "$regx"
-        else
-          textFail "$regx: AWS Glue  Development Endpoint $EP_NAME does not use a VPC Endpoint" "$regx"
-        fi
-      done
-    else
-      textInfo "$regx: No Development Endpoints found" "$regx"
-    fi
-  done
-}