Glue checks part 1

2026-02-11 07:15:15 +00:00 · 2020-11-04 10:44:43 +01:00
parent 97055e84b4
commit 954848c6e8
7 changed files with 249 additions and 0 deletions
--- a/checks/check_extra7115
+++ b/checks/check_extra7115
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7115="7.115"
+CHECK_TITLE_extra7115="[extra7115] Check if Glue Database connection must have SSL connection enabled. (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra7115="NOT_SCORED"
+CHECK_TYPE_extra7115="EXTRA"
+CHECK_SEVERITY_extra7115="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7115="AwsGlue"
+CHECK_ALTERNATE_check7115="extra7115"
+
+extra7115(){
+  for regx in $REGIONS; do
+    CONNECTION_LIST=$($AWSCLI glue get-connections $PROFILE_OPT --region $regx  --output json --query 'ConnectionList[*].{Name:Name,SSL:ConnectionProperties.JDBC_ENFORCE_SSL}')
+    if [[ ! -z "$CONNECTION_LIST" ]]; then
+      for connection in $(echo "${CONNECTION_LIST}" | jq -r '.[] | @base64'); do
+          CONNECTION_NAME=$(echo $connection | base64 --decode   | jq -r '.Name' )
+          CONNECTION_SSL_STATE=$(echo $connection | base64 --decode  | jq -r '.SSL')
+          if [[ "$CONNECTION_SSL_STATE" == "false" ]]; then
+              textFail "$regx: Connection $CONNECTION_NAME has SSL connection disabled"  "$regx"
+          else 
+              textInfo "$regx: Connection $CONNECTION_NAME has SSL connection enabled"  "$regx"
+          fi
+      done
+    else 
+      textInfo "$regx: There are no connections" "$regx"
+    fi 
+  done     
+}
--- a/checks/check_extra7116
+++ b/checks/check_extra7116
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7116="7.116"
+CHECK_TITLE_extra7116="[extra7116] Check if Data catalog settings must have metadata encryption enabled. (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra7116="NOT_SCORED"
+CHECK_TYPE_extra7116="EXTRA"
+CHECK_SEVERITY_extra7116="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7116="AwsGlue"
+CHECK_ALTERNATE_check7116="extra7116"
+
+extra7116(){
+  for regx in $REGIONS; do
+    METADATA_ENCRYPTED=$($AWSCLI glue get-data-catalog-encryption-settings $PROFILE_OPT --region $regx --output text --query "DataCatalogEncryptionSettings.EncryptionAtRest.CatalogEncryptionMode")
+    if [[ "$METADATA_ENCRYPTED" == "DISABLED" ]]; then
+      textFail "$regx: Glue Catalog is not encrypted" "$regx"
+    else
+      textInfo "$regx:Glue catalog is encrypted with $METADATA_ENCRYPTED" "$regx"
+    fi
+  done
+}
--- a/checks/check_extra7117
+++ b/checks/check_extra7117
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7117="7.117"
+CHECK_TITLE_extra7117="[extra7117] Check if Data catalog settings must have Encrypt connection password enabled. (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra7117="NOT_SCORED"
+CHECK_TYPE_extra7117="EXTRA"
+CHECK_SEVERITY_extra7117="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7117="AwsGlue"
+CHECK_ALTERNATE_check7117="extra7117"
+
+extra7117(){
+  for regx in $REGIONS; do
+    METADATA_ENCRYPTED=$($AWSCLI glue get-data-catalog-encryption-settings $PROFILE_OPT --region $regx --output text --query "DataCatalogEncryptionSettings.ConnectionPasswordEncryption.ReturnConnectionPasswordEncrypted")
+    if [[ "$METADATA_ENCRYPTED" == "False" ]]; then
+      textFail "$regx: Glue Catalog connection password is not encrypted" "$regx"
+    else
+      textInfo "$regx:Glue catalog connection password is encrypted" "$regx"
+    fi
+  done
+}
--- a/checks/check_extra7118
+++ b/checks/check_extra7118
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7118="7.117"
+CHECK_TITLE_extra7118="[extra7118] Check if Security configurations used by ETL Jobs have S3 encryption enabled. (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra7118="NOT_SCORED"
+CHECK_TYPE_extra7118="EXTRA"
+CHECK_SEVERITY_extra7118="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7118="AwsGlue"
+CHECK_ALTERNATE_check7118="extra7118"
+
+extra7118(){
+  for regx in $REGIONS; do
+    JOB_LIST=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --output json --query 'Jobs[*].{Name:Name,SecurityConfiguration:SecurityConfiguration,JobEncryption:DefaultArguments."--encryption-type"}')
+    if [[ ! -z "$JOB_LIST" ]]; then
+      for job in $(echo "${JOB_LIST}" | jq -r '.[] | @base64'); do
+          JOB_NAME=$(echo $job | base64 --decode | jq -r '.Name')
+          SECURITY_CONFIGURATION=$(echo $job | base64 --decode | jq -r '.SecurityConfiguration // empty')
+          JOB_ENCRYPTION=$(echo $job | base64 --decode | jq -r '.JobEncryption // empty')
+          if [[ ! -z "$SECURITY_CONFIGURATION" ]]; then
+            S3_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${SECURITY_CONFIGURATION}" $PROFILE_OPT --region $regx --output text --query 'SecurityConfiguration.EncryptionConfiguration.S3Encryption[0].S3EncryptionMode')
+            if [[ "$S3_ENCRYPTION" == "DISABLED" ]]; then
+              textFail "$regx: Job $JOB_NAME does not have S3 encryption enabled" "$regx"
+            else
+              textInfo "$regx: Job $JOB_NAME does have $S3_ENCRYPTION S3 encryption enabled" "$regx"
+            fi
+          elif [[ ! -z "$JOB_ENCRYPTION" ]]; then
+            textInfo "$regx: Job $JOB_NAME does have $JOB_ENCRYPTION S3 encryption enabled" "$regx"
+          else 
+            textFail "$regx: Job $JOB_NAME does not have S3 encryption enabled" "$regx"
+          fi
+      done
+    else 
+      textInfo "$regx: There are no jobs" "$regx"
+    fi 
+  done
+}
--- a/checks/check_extra7120
+++ b/checks/check_extra7120
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7120="7.117"
+CHECK_TITLE_extra7120="[extra7120] Check if Security configurations used by ETL Jobs have CloudWatch logs encryption enabled. (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra7120="NOT_SCORED"
+CHECK_TYPE_extra7120="EXTRA"
+CHECK_SEVERITY_extra7120="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7120="AwsGlue"
+CHECK_ALTERNATE_check7120="extra7120"
+
+extra7120(){
+  for regx in $REGIONS; do
+    JOB_LIST=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --output json --query 'Jobs[*].{Name:Name,SecurityConfiguration:SecurityConfiguration}')
+    if [[ ! -z "$JOB_LIST" ]]; then
+      for job in $(echo "${JOB_LIST}" | jq -r '.[] | @base64'); do
+          JOB_NAME=$(echo $job | base64 --decode | jq -r '.Name')
+          SECURITY_CONFIGURATION=$(echo $job | base64 --decode | jq -r '.SecurityConfiguration  // empty')
+          if [[ ! -z "$SECURITY_CONFIGURATION" ]]; then
+            CLOUDWATCH_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${SECURITY_CONFIGURATION}" $PROFILE_OPT --region $regx --output text --query 'SecurityConfiguration.EncryptionConfiguration.CloudWatchEncryption.CloudWatchEncryptionMode')
+            if [[ "$CLOUDWATCH_ENCRYPTION" == "DISABLED" ]]; then
+              textFail "$regx: Job $JOB_NAME does not have CloudWatch logs encryption enabled" "$regx"
+            else
+              textInfo "$regx: Job $JOB_NAME does have $CLOUDWATCH_ENCRYPTION CloudWatch logs encryption enabled" "$regx"
+            fi
+          else
+            textFail "$regx: Job $JOB_NAME does not have CloudWatch logs encryption enabled" "$regx"
+          fi
+      done
+    else 
+      textInfo "$regx: There are no jobs" "$regx"
+    fi 
+  done
+}
--- a/checks/check_extra7122
+++ b/checks/check_extra7122
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7122="7.117"
+CHECK_TITLE_extra7122="[extra7122] Check if Security configurations used by ETL Jobs have Job bookmark encryption enabled. (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra7122="NOT_SCORED"
+CHECK_TYPE_extra7122="EXTRA"
+CHECK_SEVERITY_extra7122="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7122="AwsGlue"
+CHECK_ALTERNATE_check7122="extra7122"
+
+extra7122(){
+  for regx in $REGIONS; do
+    JOB_LIST=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --output json --query 'Jobs[*].{Name:Name,SecurityConfiguration:SecurityConfiguration}')
+    if [[ $JOB_LIST ]]; then
+      for job in $(echo "${JOB_LIST}" | jq -r '.[] | @base64'); do
+          JOB_NAME=$(echo $job | base64 --decode | jq -r '.Name')
+          SECURITY_CONFIGURATION=$(echo $job | base64 --decode | jq -r '.SecurityConfiguration // empty')
+          if [[ ! -z "$SECURITY_CONFIGURATION" ]]; then
+            JOB_BOOKMARK_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${SECURITY_CONFIGURATION}" $PROFILE_OPT --region $regx --output text --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode')
+            if [[ "$JOB_BOOKMARK_ENCRYPTION" == "DISABLED" ]]; then
+              textFail "$regx: Job $JOB_NAME does not have Job bookmark encryption enabled" "$regx"
+            else
+              textInfo "$regx: Job $JOB_NAME does have $JOB_BOOKMARK_ENCRYPTION Job bookmark  encryption enabled" "$regx"
+            fi
+          else
+            textFail "$regx: Job $JOB_NAME does not have Job bookmark encryption enabled" "$regx"
+          fi
+      done
+    else 
+      textInfo "$regx: There are no jobs" "$regx"
+    fi 
+  done
+}
--- a/groups/group23_glue
+++ b/groups/group23_glue
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2222) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+GROUP_ID[23]='glue'
+GROUP_NUMBER[23]='23.0'
+GROUP_TITLE[23]='Amazon Glue related security checks - [glue] ********'
+GROUP_RUN_BY_DEFAULT[23]='N' # run it when execute_all is called
+GROUP_CHECKS[23]='extra7115,extra7116,extra7117,extra7118,extra7120,extra7122'
+