From 943b096f35daf9071b5a137a51f17d048e68b90e Mon Sep 17 00:00:00 2001
From: dlpzx
Date: Thu, 12 Nov 2020 12:06:43 +0100
Subject: [PATCH] checks for glue - 7119, 7121, 7123

---
 checks/check_extra7119 | 11 ++++----
 checks/check_extra7121 | 11 ++++----
 checks/check_extra7123 | 11 ++++----
 checks/check_extra7124 | 59 ------------------------------------------
 checks/check_extra7125 | 51 ------------------------------------
 5 files changed, 15 insertions(+), 128 deletions(-)
 delete mode 100644 checks/check_extra7124
 delete mode 100644 checks/check_extra7125

diff --git a/checks/check_extra7119 b/checks/check_extra7119
index 7ef85252..e5928f69 100644
--- a/checks/check_extra7119
+++ b/checks/check_extra7119
@@ -23,7 +23,7 @@
 # [--apply-immediately | --no-apply-immediately]
 
 CHECK_ID_extra7119="7.119"
-CHECK_TITLE_extra7119="[extra7119] Check if Security configurations used by ETL Development endpoints have S3 encryption enabled."
+CHECK_TITLE_extra7119="[extra7119] Check if Glue security configurations used by ETL Development endpoints have S3 encryption enabled."
 CHECK_SCORED_extra7119="NOT_SCORED"
 CHECK_TYPE_extra7119="EXTRA"
 CHECK_SEVERITY_extra7119="Medium"
@@ -31,7 +31,6 @@ CHECK_ASFF_RESOURCE_TYPE_extra7119="AwsGlue"
 CHECK_ALTERNATE_check7119="extra7119"
 
 extra7119(){
- textInfo "Looking for Development Endpoints in all regions... "
 for regx in $REGIONS; do
 LIST_EP_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Security:SecurityConfiguration}' --output json)
 if [[ ! -z "$LIST_EP_SC" ]]; then
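Review bot: The remediation header that the first context line `# [--apply-immediately | --no-apply-immediately]` closes is the RDS modify-db-instance snippet (the deleted check_extra7124 and check_extra7125 further down this page show the full block with the RDS links), which does not apply to the Glue security configurations this check inspects. Since the commit already reworks the title and findings to say Glue, that block should be replaced with a Glue-specific remediation, for example a pointer to the Glue security-configuration documentation and `aws glue create-security-configuration --name <config-name> --encryption-configuration <json-placeholder>`. The same copied header is present in the first hunk of check_extra7121 and check_extra7123.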
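Review bot: Once the progress line is removed, a failing get-dev-endpoints call (missing glue:GetDevEndpoints permission, throttling, a region the account has not enabled) is indistinguishable from an empty result: the CLI writes nothing to stdout, `LIST_EP_SC` stays empty, and the else branch in the next hunk reports "There are no Glue Development Endpoints" as an informational finding. Capturing the exit status keeps the report honest, e.g. `LIST_EP_SC=$($AWSCLI glue get-dev-endpoints ... --output json) || { textInfo "$regx: could not list Glue Development Endpoints" "$regx"; continue; }`. extra7119 continues past the end of this hunk; the second hunk of check_extra7121 and check_extra7123 has the same pattern.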
@@ -41,16 +40,16 @@ extra7119(){
 if [[ ! -z "$ENDPOINT_SC" ]]; then
 ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.S3Encryption[0].S3EncryptionMode' --output text)
 if [[ "$ENDPOINT_SC_ENCRYPTION" == "DISABLED" ]]; then
- textFail "$regx: Development Endpoint $ENDPOINT_NAME does not have S3 encryption enabled!" "$regx"
+ textFail "$regx: Glue Development Endpoint $ENDPOINT_NAME does not have S3 encryption enabled!" "$regx"
 else
- textPass "$regx: Development Endpoint $ENDPOINT_NAME has S3 encryption enabled" "$regx"
+ textPass "$regx: Glue Development Endpoint $ENDPOINT_NAME has S3 encryption enabled" "$regx"
 fi
 else
- textInfo "$regx: No Security Configuration found for Development Endpoint $ENDPOINT_NAME" "$regx"
+ textInfo "$regx: No Glue security configuration found for Development Endpoint $ENDPOINT_NAME" "$regx"
 fi
 done
 else
- textInfo "$regx: There are no Development Endpoints" "$regx"
+ textInfo "$regx: There are no Glue Development Endpoints" "$regx"
 fi
 done
 }
diff --git a/checks/check_extra7121 b/checks/check_extra7121
index 6b7f99c3..e5d5c35f 100644
--- a/checks/check_extra7121
+++ b/checks/check_extra7121
@@ -23,7 +23,7 @@
 # [--apply-immediately | --no-apply-immediately]
 
 CHECK_ID_extra7121="7.121"
-CHECK_TITLE_extra7121="[extra7121] Check if Security configurations used by ETL Development endpoints have CloudWatch logs encryption enabled."
+CHECK_TITLE_extra7121="[extra7121] Check if Glue security configurations used by ETL Development endpoints have CloudWatch logs encryption enabled."
 CHECK_SCORED_extra7121="NOT_SCORED"
 CHECK_TYPE_extra7121="EXTRA"
 CHECK_SEVERITY_extra7121="Medium"
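Review bot: The pass/fail decision at `if [[ "$ENDPOINT_SC_ENCRYPTION" == "DISABLED" ]]; then` fails open: anything other than the literal DISABLED reaches the new textPass line, including an empty string when get-security-configuration fails (missing permission, configuration deleted in the meantime) and the `None` that `--output text` prints when the S3Encryption list is empty. A check that asserts encryption should pass only on a value it recognises and treat the rest as a finding, for example `if [[ -z "$ENDPOINT_SC_ENCRYPTION" || "$ENDPOINT_SC_ENCRYPTION" == "DISABLED" || "$ENDPOINT_SC_ENCRYPTION" == "None" ]]; then`. extra7119 opens before this hunk. The CloudWatch and Job-bookmark variants in the last hunk of check_extra7121 and check_extra7123 have the same shape and need the same fix.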
@@ -31,7 +31,6 @@ CHECK_ASFF_RESOURCE_TYPE_extra7121="AwsGlue"
 CHECK_ALTERNATE_check7121="extra7121"
 
 extra7121(){
- textInfo "Looking for Development Endpoints in all regions... "
 for regx in $REGIONS; do
 LIST_EP_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Security:SecurityConfiguration}' --output json)
 if [[ ! -z "$LIST_EP_SC" ]]; then
@@ -41,16 +40,16 @@ extra7121(){
 if [[ ! -z "$ENDPOINT_SC" ]]; then
 ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.CloudWatchEncryption.CloudWatchEncryptionMode' --output text)
 if [[ $ENDPOINT_SC_ENCRYPTION == "DISABLED" ]]; then
- textFail "$regx: Development Endpoint $ENDPOINT_NAME does not have CloudWatch logs encryption enabled!" "$regx"
+ textFail "$regx: Glue Development Endpoint $ENDPOINT_NAME does not have CloudWatch logs encryption enabled!" "$regx"
 else
- textPass "$regx: Development Endpoint $ENDPOINT_NAME has CloudWatch logs encryption enabled" "$regx"
+ textPass "$regx: Glue Development Endpoint $ENDPOINT_NAME has CloudWatch logs encryption enabled" "$regx"
 fi
 else
- textInfo "$regx: No Security Configuration found" "$regx"
+ textInfo "$regx: No Glue security configuration found" "$regx"
 fi
 done
 else
- textInfo "$regx: There are no Development Endpoints" "$regx"
+ textInfo "$regx: There are no Glue Development Endpoints" "$regx"
 fi
 done
 }
diff --git a/checks/check_extra7123 b/checks/check_extra7123
index bd5cb5ec..f601c9a4 100644
--- a/checks/check_extra7123
+++ b/checks/check_extra7123
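Review bot: The comparison `if [[ $ENDPOINT_SC_ENCRYPTION == "DISABLED" ]]; then` in the last hunk leaves the variable unquoted while the sibling checks on this page (check_extra7119 and check_extra7123) quote it at the same line. Inside `[[ ]]` the unquoted form neither splits nor globs, so this is a consistency point rather than a bug, but the three checks are otherwise line-for-line identical and should stay that way: `if [[ "$ENDPOINT_SC_ENCRYPTION" == "DISABLED" ]]; then`. extra7121 opens before this hunk.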
@@ -23,7 +23,7 @@
 # [--apply-immediately | --no-apply-immediately]
 
 CHECK_ID_extra7123="7.123"
-CHECK_TITLE_extra7123="[extra7123] Check if Security configurations used by ETL Development endpoints have Job bookmark encryption enabled."
+CHECK_TITLE_extra7123="[extra7123] Check if Glue security configurations used by ETL Development endpoints have Job bookmark encryption enabled."
 CHECK_SCORED_extra7123="NOT_SCORED"
 CHECK_TYPE_extra7123="EXTRA"
 CHECK_SEVERITY_extra7123="Medium"
@@ -31,7 +31,6 @@ CHECK_ASFF_RESOURCE_TYPE_extra7123="AwsGlue"
 CHECK_ALTERNATE_check7123="extra7123"
 
 extra7123(){
- textInfo "Looking for Development Endpoints in all regions... "
 for regx in $REGIONS; do
 LIST_EP_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Security:SecurityConfiguration}' --output json)
 if [[ ! -z "$LIST_EP_SC" ]]; then
@@ -41,16 +40,16 @@ extra7123(){
 if [[ ! -z "$ENDPOINT_SC" ]]; then
 ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode' --output text)
 if [[ "$ENDPOINT_SC_ENCRYPTION" == "DISABLED" ]]; then
- textFail "$regx: Development Endpoint $ENDPOINT_NAME does not have Job Bookmark encryption enabled!" "$regx"
+ textFail "$regx: Glue Development Endpoint $ENDPOINT_NAME does not have Job Bookmark encryption enabled!" "$regx"
 else
- textPass "$regx: Development Endpoint $ENDPOINT_NAME has Job Bookmark encryption enabled" "$regx"
+ textPass "$regx: Glue Development Endpoint $ENDPOINT_NAME has Job Bookmark encryption enabled" "$regx"
 fi
 else
- textInfo "$regx: No Security Configuration found" "$regx"
+ textInfo "$regx: No Glue security configuration found" "$regx"
 fi
 done
 else
- textInfo "$regx: There are no Development Endpoints" "$regx"
+ textInfo "$regx: There are no Glue Development Endpoints" "$regx"
 fi
 done
 }
diff --git a/checks/check_extra7124 b/checks/check_extra7124
deleted file mode 100644
index b531cda9..00000000
--- a/checks/check_extra7124
+++ /dev/null
@@ -1,59 +0,0 @@ -#!/usr/bin/env bash - -# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may not -# use this file except in compliance with the License. You may obtain a copy -# of the License at http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software distributed -# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR -# CONDITIONS OF ANY KIND, either express or implied. See the License for the -# specific language governing permissions and limitations under the License. - -# Remediation: -# -# https://www.cloudconformity.com/knowledge-base/aws/RDS/instance-deletion-protection.html -# https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html -# -# aws rds modify-db-instance \ -# --region us-east-1 \ -# --db-instance-identifier test-db \ -# --deletion-protection \ -# [--apply-immediately | --no-apply-immediately] - -CHECK_ID_extra7124="7.124" -CHECK_TITLE_extra7124="[extra7124] Check if ETL Job Server-side encryption (Enables Amazon S3-managed encryption of the data at the target, SSE-S3) is enabled." -CHECK_SCORED_extra7124="NOT_SCORED" -CHECK_TYPE_extra7124="EXTRA" -CHECK_SEVERITY_extra7124="Medium" -CHECK_ASFF_RESOURCE_TYPE_extra7124="AwsGlue" -CHECK_ALTERNATE_check7124="extra7124" - -extra7124(){ - textInfo "Looking for ETL Jobs in all regions... " - for regx in $REGIONS; do - JOB_LIST=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --output json --query 'Jobs[*].{Name:Name,SecurityConfiguration:SecurityConfiguration,JobEncryption:DefaultArguments."--encryption-type"}') - if [[ ! 
-z "$JOB_LIST" ]]; then - for job in $(echo "${JOB_LIST}" | jq -r '.[] | @base64'); do - JOB_NAME=$(echo $job | base64 --decode | jq -r '.Name') - SECURITY_CONFIGURATION=$(echo $job | base64 --decode | jq -r '.SecurityConfiguration // empty') - JOB_ENCRYPTION=$(echo $job | base64 --decode | jq -r '.JobEncryption // empty') - if [[ ! -z "$SECURITY_CONFIGURATION" ]]; then - S3_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${SECURITY_CONFIGURATION}" $PROFILE_OPT --region $regx --output text --query 'SecurityConfiguration.EncryptionConfiguration.S3Encryption[0].S3EncryptionMode') - if [[ "$S3_ENCRYPTION" == "SSE-S3" ]]; then - textFail "$regx: Job $JOB_NAME has Server side encryption (SSE-S3) enabled" "$regx" - else - textInfo "$regx: Job $JOB_NAME does not have Server side encryption (SSE-S3) enabled" "$regx" - fi - elif [[ ! -z "$JOB_ENCRYPTION" ]]; then - textInfo "$regx: Job $JOB_NAME does have $JOB_ENCRYPTION S3 encryption enabled" "$regx" - else - textFail "$regx: Job $JOB_NAME does not have S3 encryption enabled" "$regx" - fi - done - else - textInfo "$regx: There are no ETL jobs" "$regx" - fi - done -} \ No newline at end of file diff --git a/checks/check_extra7125 b/checks/check_extra7125 deleted file mode 100644 index 226eeb58..00000000 --- a/checks/check_extra7125 +++ /dev/null 
@@ -1,51 +0,0 @@ -#!/usr/bin/env bash - -# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may not -# use this file except in compliance with the License. You may obtain a copy -# of the License at http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software distributed -# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR -# CONDITIONS OF ANY KIND, either express or implied. See the License for the -# specific language governing permissions and limitations under the License. - -# Remediation: -# -# https://www.cloudconformity.com/knowledge-base/aws/RDS/instance-deletion-protection.html -# https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html -# -# aws rds modify-db-instance \ -# --region us-east-1 \ -# --db-instance-identifier test-db \ -# --deletion-protection \ -# [--apply-immediately | --no-apply-immediately] - -CHECK_ID_extra7125="7.125" -CHECK_TITLE_extra7125="[extra7125] Checks if AWS Glue is used with VPC Endpoints." -CHECK_SCORED_extra7125="NOT_SCORED" -CHECK_TYPE_extra7125="EXTRA" -CHECK_SEVERITY_extra7125="Medium" -CHECK_ASFF_RESOURCE_TYPE_extra7125="AwsGlue" -CHECK_ALTERNATE_check7125="extra7125" - -extra7125(){ - textInfo "Looking for Development Endpoints in all regions... " - for regx in $REGIONS; do - LIST_EP_PA=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Address:PrivateAddress}' --output json) - if [[ ! -z "$LIST_EP_PA" ]]; then - for ep in $(echo "${LIST_EP_PA}" | jq -r '.[] | @base64'); do - EP_NAME=$(echo $ep | base64 --decode | jq -r '.Name') - PRIVATE_ADDRESS=$(echo $ep | base64 --decode | jq -r '.Address') - if [[ ! 
-z "$PRIVATE_ADDRESS" ]]; then - textPass "$regx: AWS Glue Development Endpoint $EP_NAME uses a VPC Endpoint" "$regx" - else - textFail "$regx: AWS Glue Development Endpoint $EP_NAME does not use a VPC Endpoint" "$regx" - fi - done - else - textInfo "$regx: No Development Endpoints found" "$regx" - fi - done -} \ No newline at end of file