From 954848c6e89671418339df440b8665d43e2b20b4 Mon Sep 17 00:00:00 2001
From: Ramon Diez
Date: Wed, 4 Nov 2020 10:44:43 +0100
Subject: [PATCH 1/4] Glue checks part 1
---
checks/check_extra7115 | 38 ++++++++++++++++++++++++++++++++++
checks/check_extra7116 | 30 +++++++++++++++++++++++++++
checks/check_extra7117 | 30 +++++++++++++++++++++++++++
checks/check_extra7118 | 46 ++++++++++++++++++++++++++++++++++++++++++
checks/check_extra7120 | 43 +++++++++++++++++++++++++++++++++++++++
checks/check_extra7122 | 43 +++++++++++++++++++++++++++++++++++++++
groups/group23_glue | 19 +++++++++++++++++
7 files changed, 249 insertions(+)
create mode 100644 checks/check_extra7115
create mode 100644 checks/check_extra7116
create mode 100644 checks/check_extra7117
create mode 100644 checks/check_extra7118
create mode 100644 checks/check_extra7120
create mode 100644 checks/check_extra7122
create mode 100644 groups/group23_glue
diff --git a/checks/check_extra7115 b/checks/check_extra7115
new file mode 100644
index 00000000..52f0f64b
--- /dev/null
+++ b/checks/check_extra7115
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7115="7.115"
+CHECK_TITLE_extra7115="[extra7115] Check if Glue Database connection must have SSL connection enabled. (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra7115="NOT_SCORED"
+CHECK_TYPE_extra7115="EXTRA"
+CHECK_SEVERITY_extra7115="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7115="AwsGlue"
+CHECK_ALTERNATE_check7115="extra7115"
+
+extra7115(){
+ for regx in $REGIONS; do
+ CONNECTION_LIST=$($AWSCLI glue get-connections $PROFILE_OPT --region $regx --output json --query 'ConnectionList[*].{Name:Name,SSL:ConnectionProperties.JDBC_ENFORCE_SSL}')
+ if [[ ! -z "$CONNECTION_LIST" ]]; then
+ for connection in $(echo "${CONNECTION_LIST}" | jq -r '.[] | @base64'); do
+ CONNECTION_NAME=$(echo $connection | base64 --decode | jq -r '.Name' )
+ CONNECTION_SSL_STATE=$(echo $connection | base64 --decode | jq -r '.SSL')
+ if [[ "$CONNECTION_SSL_STATE" == "false" ]]; then
+ textFail "$regx: Connection $CONNECTION_NAME has SSL connection disabled" "$regx"
+ else
+ textInfo "$regx: Connection $CONNECTION_NAME has SSL connection enabled" "$regx"
+ fi
+ done
+ else
+ textInfo "$regx: There are no connections" "$regx"
+ fi
+ done
+}
diff --git a/checks/check_extra7116 b/checks/check_extra7116
new file mode 100644
index 00000000..a789a8c2
--- /dev/null
+++ b/checks/check_extra7116
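Review bot: In `extra7115` only the literal `false` is treated as a finding (`if [[ "$CONNECTION_SSL_STATE" == "false" ]]`), so a connection whose properties carry no `JDBC_ENFORCE_SSL` key falls into the else branch and is reported as having SSL enabled; for a missing key the projection should yield null, which `jq -r` prints as `null`. Testing for the positive value closes that gap: `if [[ "$CONNECTION_SSL_STATE" != "true" ]]; then`. Connection types that do not use JDBC may need their own message rather than a fail. The same else branch becomes `textPass` in [PATCH 4/4] of this series, where an unset property would then count as a pass.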
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7116="7.116"
+CHECK_TITLE_extra7116="[extra7116] Check if Data catalog settings must have metadata encryption enabled. (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra7116="NOT_SCORED"
+CHECK_TYPE_extra7116="EXTRA"
+CHECK_SEVERITY_extra7116="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7116="AwsGlue"
+CHECK_ALTERNATE_check7116="extra7116"
+
+extra7116(){
+ for regx in $REGIONS; do
+ METADATA_ENCRYPTED=$($AWSCLI glue get-data-catalog-encryption-settings $PROFILE_OPT --region $regx --output text --query "DataCatalogEncryptionSettings.EncryptionAtRest.CatalogEncryptionMode")
+ if [[ "$METADATA_ENCRYPTED" == "DISABLED" ]]; then
+ textFail "$regx: Glue Catalog is not encrypted" "$regx"
+ else
+ textInfo "$regx:Glue catalog is encrypted with $METADATA_ENCRYPTED" "$regx"
+ fi
+ done
+}
diff --git a/checks/check_extra7117 b/checks/check_extra7117
new file mode 100644
index 00000000..ac195606
--- /dev/null
+++ b/checks/check_extra7117
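Review bot: The comparison `[[ "$METADATA_ENCRYPTED" == "DISABLED" ]]` fails open: when `get-data-catalog-encryption-settings` returns nothing (for example a denied call) or the text output is `None`, the else branch reports the catalog as encrypted, with an empty mode in the message. I would match the accepted value and send everything else to `textFail` or to a separate "could not be checked" line, e.g. `if [[ "$METADATA_ENCRYPTED" == "SSE-KMS" ]]; then`. The same shape is in `extra7117` (`== "False"`) and in the security-configuration branches of `extra7118`, `extra7120` and `extra7122`; [PATCH 4/4] turns the else branches of extra7116 and extra7117 into `textPass`, so an unreadable setting would count as a pass there.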
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7117="7.117"
+CHECK_TITLE_extra7117="[extra7117] Check if Data catalog settings must have Encrypt connection password enabled. (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra7117="NOT_SCORED"
+CHECK_TYPE_extra7117="EXTRA"
+CHECK_SEVERITY_extra7117="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7117="AwsGlue"
+CHECK_ALTERNATE_check7117="extra7117"
+
+extra7117(){
+ for regx in $REGIONS; do
+ METADATA_ENCRYPTED=$($AWSCLI glue get-data-catalog-encryption-settings $PROFILE_OPT --region $regx --output text --query "DataCatalogEncryptionSettings.ConnectionPasswordEncryption.ReturnConnectionPasswordEncrypted")
+ if [[ "$METADATA_ENCRYPTED" == "False" ]]; then
+ textFail "$regx: Glue Catalog connection password is not encrypted" "$regx"
+ else
+ textInfo "$regx:Glue catalog connection password is encrypted" "$regx"
+ fi
+ done
+}
diff --git a/checks/check_extra7118 b/checks/check_extra7118
new file mode 100644
index 00000000..3cc70617
--- /dev/null
+++ b/checks/check_extra7118
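Review bot: The variable `METADATA_ENCRYPTED` in `extra7117` is carried over from extra7116 but here holds `ConnectionPasswordEncryption.ReturnConnectionPasswordEncrypted`, so the name no longer says what is being tested; `CONNECTION_PASSWORD_ENCRYPTED` would. It is also assigned without `local`, so the value outlives the function and shares a name with the one set by extra7116. Declaring it first, `local CONNECTION_PASSWORD_ENCRYPTED`, keeps a stale value from one check from being read by another.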
@@ -0,0 +1,46 @@ +#!/usr/bin/env bash + +# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may not +# use this file except in compliance with the License. You may obtain a copy +# of the License at http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed +# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +# CONDITIONS OF ANY KIND, either express or implied. See the License for the +# specific language governing permissions and limitations under the License. +CHECK_ID_extra7118="7.117" +CHECK_TITLE_extra7118="[extra7118] Check if Security configurations used by ETL Jobs have S3 encryption enabled. (Not Scored) (Not part of CIS benchmark)" +CHECK_SCORED_extra7118="NOT_SCORED" +CHECK_TYPE_extra7118="EXTRA" +CHECK_SEVERITY_extra7118="Medium" +CHECK_ASFF_RESOURCE_TYPE_extra7118="AwsGlue" +CHECK_ALTERNATE_check7118="extra7118" + +extra7118(){ + for regx in $REGIONS; do + JOB_LIST=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --output json --query 'Jobs[*].{Name:Name,SecurityConfiguration:SecurityConfiguration,JobEncryption:DefaultArguments."--encryption-type"}') + if [[ ! -z "$JOB_LIST" ]]; then + for job in $(echo "${JOB_LIST}" | jq -r '.[] | @base64'); do + JOB_NAME=$(echo $job | base64 --decode | jq -r '.Name') + SECURITY_CONFIGURATION=$(echo $job | base64 --decode | jq -r '.SecurityConfiguration // empty') + JOB_ENCRYPTION=$(echo $job | base64 --decode | jq -r '.JobEncryption // empty') + if [[ ! 
-z "$SECURITY_CONFIGURATION" ]]; then + S3_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${SECURITY_CONFIGURATION}" $PROFILE_OPT --region $regx --output text --query 'SecurityConfiguration.EncryptionConfiguration.S3Encryption[0].S3EncryptionMode') + if [[ "$S3_ENCRYPTION" == "DISABLED" ]]; then + textFail "$regx: Job $JOB_NAME does not have S3 encryption enabled" "$regx" + else + textInfo "$regx: Job $JOB_NAME does have $S3_ENCRYPTION S3 encryption enabled" "$regx" + fi + elif [[ ! -z "$JOB_ENCRYPTION" ]]; then + textInfo "$regx: Job $JOB_NAME does have $JOB_ENCRYPTION S3 encryption enabled" "$regx" + else + textFail "$regx: Job $JOB_NAME does not have S3 encryption enabled" "$regx" + fi + done + else + textInfo "$regx: There are no jobs" "$regx" + fi + done +} \ No newline at end of file diff --git a/checks/check_extra7120 b/checks/check_extra7120 new file mode 100644 index 00000000..c2782e5f --- /dev/null +++ b/checks/check_extra7120 
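Review bot: `S3Encryption[0].S3EncryptionMode` reads only the first entry of the `S3Encryption` list, so any further entries in a security configuration are never evaluated; if more than one entry can occur, the query should cover all of them (for instance `S3Encryption[*].S3EncryptionMode`, failing when any value is `DISABLED`). The `if`/`elif` chain in `extra7118` would also benefit from a comment ahead of it, such as `# S3 encryption is accepted from the job's security configuration or, failing that, from its --encryption-type default argument`, since the two sources cannot be told apart from the output messages.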
@@ -0,0 +1,43 @@ +#!/usr/bin/env bash + +# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may not +# use this file except in compliance with the License. You may obtain a copy +# of the License at http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed +# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +# CONDITIONS OF ANY KIND, either express or implied. See the License for the +# specific language governing permissions and limitations under the License. +CHECK_ID_extra7120="7.117" +CHECK_TITLE_extra7120="[extra7120] Check if Security configurations used by ETL Jobs have CloudWatch logs encryption enabled. (Not Scored) (Not part of CIS benchmark)" +CHECK_SCORED_extra7120="NOT_SCORED" +CHECK_TYPE_extra7120="EXTRA" +CHECK_SEVERITY_extra7120="Medium" +CHECK_ASFF_RESOURCE_TYPE_extra7120="AwsGlue" +CHECK_ALTERNATE_check7120="extra7120" + +extra7120(){ + for regx in $REGIONS; do + JOB_LIST=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --output json --query 'Jobs[*].{Name:Name,SecurityConfiguration:SecurityConfiguration}') + if [[ ! -z "$JOB_LIST" ]]; then + for job in $(echo "${JOB_LIST}" | jq -r '.[] | @base64'); do + JOB_NAME=$(echo $job | base64 --decode | jq -r '.Name') + SECURITY_CONFIGURATION=$(echo $job | base64 --decode | jq -r '.SecurityConfiguration // empty') + if [[ ! 
-z "$SECURITY_CONFIGURATION" ]]; then + CLOUDWATCH_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${SECURITY_CONFIGURATION}" $PROFILE_OPT --region $regx --output text --query 'SecurityConfiguration.EncryptionConfiguration.CloudWatchEncryption.CloudWatchEncryptionMode') + if [[ "$CLOUDWATCH_ENCRYPTION" == "DISABLED" ]]; then + textFail "$regx: Job $JOB_NAME does not have CloudWatch logs encryption enabled" "$regx" + else + textInfo "$regx: Job $JOB_NAME does have $CLOUDWATCH_ENCRYPTION CloudWatch logs encryption enabled" "$regx" + fi + else + textFail "$regx: Job $JOB_NAME does not have CloudWatch logs encryption enabled" "$regx" + fi + done + else + textInfo "$regx: There are no jobs" "$regx" + fi + done +} \ No newline at end of file diff --git a/checks/check_extra7122 b/checks/check_extra7122 new file mode 100644 index 00000000..0ef7bc9d --- /dev/null +++ b/checks/check_extra7122 
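Review bot: `CHECK_ID_extra7120="7.117"` reuses the identifier already assigned to extra7117; it should read `CHECK_ID_extra7120="7.120"`. The same copy-paste is in check_extra7122 (`CHECK_ID_extra7122="7.117"`, expected `7.122`). [PATCH 4/4] corrects extra7118 to `7.118`; whether it also corrects these two files is not visible in this excerpt. Duplicate IDs would make findings from different checks indistinguishable in any output keyed on the check ID.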
@@ -0,0 +1,43 @@ +#!/usr/bin/env bash + +# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may not +# use this file except in compliance with the License. You may obtain a copy +# of the License at http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed +# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +# CONDITIONS OF ANY KIND, either express or implied. See the License for the +# specific language governing permissions and limitations under the License. +CHECK_ID_extra7122="7.117" +CHECK_TITLE_extra7122="[extra7122] Check if Security configurations used by ETL Jobs have Job bookmark encryption enabled. (Not Scored) (Not part of CIS benchmark)" +CHECK_SCORED_extra7122="NOT_SCORED" +CHECK_TYPE_extra7122="EXTRA" +CHECK_SEVERITY_extra7122="Medium" +CHECK_ASFF_RESOURCE_TYPE_extra7122="AwsGlue" +CHECK_ALTERNATE_check7122="extra7122" + +extra7122(){ + for regx in $REGIONS; do + JOB_LIST=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --output json --query 'Jobs[*].{Name:Name,SecurityConfiguration:SecurityConfiguration}') + if [[ $JOB_LIST ]]; then + for job in $(echo "${JOB_LIST}" | jq -r '.[] | @base64'); do + JOB_NAME=$(echo $job | base64 --decode | jq -r '.Name') + SECURITY_CONFIGURATION=$(echo $job | base64 --decode | jq -r '.SecurityConfiguration // empty') + if [[ ! 
-z "$SECURITY_CONFIGURATION" ]]; then + JOB_BOOKMARK_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${SECURITY_CONFIGURATION}" $PROFILE_OPT --region $regx --output text --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode') + if [[ "$JOB_BOOKMARK_ENCRYPTION" == "DISABLED" ]]; then + textFail "$regx: Job $JOB_NAME does not have Job bookmark encryption enabled" "$regx" + else + textInfo "$regx: Job $JOB_NAME does have $JOB_BOOKMARK_ENCRYPTION Job bookmark encryption enabled" "$regx" + fi + else + textFail "$regx: Job $JOB_NAME does not have Job bookmark encryption enabled" "$regx" + fi + done + else + textInfo "$regx: There are no jobs" "$regx" + fi + done +} \ No newline at end of file diff --git a/groups/group23_glue b/groups/group23_glue new file mode 100644 index 00000000..61bb8718 --- /dev/null +++ b/groups/group23_glue @@ -0,0 +1,19 @@ +#!/usr/bin/env bash + +# Prowler - the handy cloud security tool (copyright 2222) by Toni de la Fuente +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may not +# use this file except in compliance with the License. You may obtain a copy +# of the License at http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed +# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +# CONDITIONS OF ANY KIND, either express or implied. See the License for the +# specific language governing permissions and limitations under the License. + +GROUP_ID[23]='glue' +GROUP_NUMBER[23]='23.0' +GROUP_TITLE[23]='Amazon Glue related security checks - [glue] ********' +GROUP_RUN_BY_DEFAULT[23]='N' # run it when execute_all is called +GROUP_CHECKS[23]='extra7115,extra7116,extra7117,extra7118,extra7120,extra7122' + From 0bfa263ad95787a4ba7e0fa098938eaf986c9830 Mon Sep 17 00:00:00 2001 
From: Ramon Diez Date: Thu, 12 Nov 2020 12:30:22 +0100 Subject: [PATCH 2/4] Fixing some descriptions --- checks/check_extra7115 | 8 ++++---- checks/check_extra7116 | 4 ++-- checks/check_extra7117 | 4 ++-- checks/check_extra7118 | 12 ++++++------ checks/check_extra7120 | 10 +++++----- checks/check_extra7122 | 10 +++++----- 6 files changed, 24 insertions(+), 24 deletions(-) diff --git a/checks/check_extra7115 b/checks/check_extra7115 index 52f0f64b..a8b5b166 100644 --- a/checks/check_extra7115 +++ b/checks/check_extra7115 @@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra7115="7.115" -CHECK_TITLE_extra7115="[extra7115] Check if Glue Database connection must have SSL connection enabled. (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra7115="[extra7115] Check if Glue database connection must have SSL connection enabled. (Not Scored) (Not part of CIS benchmark)" CHECK_SCORED_extra7115="NOT_SCORED" CHECK_TYPE_extra7115="EXTRA" CHECK_SEVERITY_extra7115="Medium" @@ -26,13 +26,13 @@ extra7115(){ CONNECTION_NAME=$(echo $connection | base64 --decode | jq -r '.Name' ) CONNECTION_SSL_STATE=$(echo $connection | base64 --decode | jq -r '.SSL') if [[ "$CONNECTION_SSL_STATE" == "false" ]]; then - textFail "$regx: Connection $CONNECTION_NAME has SSL connection disabled" "$regx" + textFail "$regx: Glue connection $CONNECTION_NAME has SSL connection disabled" "$regx" else - textInfo "$regx: Connection $CONNECTION_NAME has SSL connection enabled" "$regx" + textInfo "$regx: Glue connection $CONNECTION_NAME has SSL connection enabled" "$regx" fi done else - textInfo "$regx: There are no connections" "$regx" + textInfo "$regx: There are no Glue connections" "$regx" fi done } diff --git a/checks/check_extra7116 b/checks/check_extra7116 index a789a8c2..d862559c 100644 --- a/checks/check_extra7116 +++ b/checks/check_extra7116 
@@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra7116="7.116" -CHECK_TITLE_extra7116="[extra7116] Check if Data catalog settings must have metadata encryption enabled. (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra7116="[extra7116] Check if Glue data-catalog settings must have metadata encryption enabled. (Not Scored) (Not part of CIS benchmark)" CHECK_SCORED_extra7116="NOT_SCORED" CHECK_TYPE_extra7116="EXTRA" CHECK_SEVERITY_extra7116="Medium" @@ -24,7 +24,7 @@ extra7116(){ if [[ "$METADATA_ENCRYPTED" == "DISABLED" ]]; then textFail "$regx: Glue Catalog is not encrypted" "$regx" else - textInfo "$regx:Glue catalog is encrypted with $METADATA_ENCRYPTED" "$regx" + textInfo "$regx: Glue catalog is encrypted with $METADATA_ENCRYPTED" "$regx" fi done } diff --git a/checks/check_extra7117 b/checks/check_extra7117 index ac195606..6a019c70 100644 --- a/checks/check_extra7117 +++ b/checks/check_extra7117 @@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra7117="7.117" -CHECK_TITLE_extra7117="[extra7117] Check if Data catalog settings must have Encrypt connection password enabled. (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra7117="[extra7117] Check if Glue data-catalog settings must have Encrypt connection password enabled. (Not Scored) (Not part of CIS benchmark)" CHECK_SCORED_extra7117="NOT_SCORED" CHECK_TYPE_extra7117="EXTRA" CHECK_SEVERITY_extra7117="Medium" @@ -24,7 +24,7 @@ extra7117(){ if [[ "$METADATA_ENCRYPTED" == "False" ]]; then textFail "$regx: Glue Catalog connection password is not encrypted" "$regx" else - textInfo "$regx:Glue catalog connection password is encrypted" "$regx" + textInfo "$regx: Glue catalog connection password is encrypted" "$regx" fi done } 
diff --git a/checks/check_extra7118 b/checks/check_extra7118 index 3cc70617..516b3086 100644 --- a/checks/check_extra7118 +++ b/checks/check_extra7118 @@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra7118="7.117" -CHECK_TITLE_extra7118="[extra7118] Check if Security configurations used by ETL Jobs have S3 encryption enabled. (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra7118="[extra7118] Check if Glue Security configurations used by ETL Jobs have S3 encryption enabled. (Not Scored) (Not part of CIS benchmark)" CHECK_SCORED_extra7118="NOT_SCORED" CHECK_TYPE_extra7118="EXTRA" CHECK_SEVERITY_extra7118="Medium" 
@@ -29,18 +29,18 @@ extra7118(){ if [[ ! -z "$SECURITY_CONFIGURATION" ]]; then S3_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${SECURITY_CONFIGURATION}" $PROFILE_OPT --region $regx --output text --query 'SecurityConfiguration.EncryptionConfiguration.S3Encryption[0].S3EncryptionMode') if [[ "$S3_ENCRYPTION" == "DISABLED" ]]; then - textFail "$regx: Job $JOB_NAME does not have S3 encryption enabled" "$regx" + textFail "$regx: Glue job $JOB_NAME does not have S3 encryption enabled" "$regx" else - textInfo "$regx: Job $JOB_NAME does have $S3_ENCRYPTION S3 encryption enabled" "$regx" + textInfo "$regx: Glue job $JOB_NAME does have $S3_ENCRYPTION S3 encryption enabled" "$regx" fi elif [[ ! -z "$JOB_ENCRYPTION" ]]; then - textInfo "$regx: Job $JOB_NAME does have $JOB_ENCRYPTION S3 encryption enabled" "$regx" + textInfo "$regx: Glue job $JOB_NAME does have $JOB_ENCRYPTION S3 encryption enabled" "$regx" else - textFail "$regx: Job $JOB_NAME does not have S3 encryption enabled" "$regx" + textFail "$regx: Glue job $JOB_NAME does not have S3 encryption enabled" "$regx" fi done else - textInfo "$regx: There are no jobs" "$regx" + textInfo "$regx: There are no Glue jobs" "$regx" fi done } \ No newline at end of file diff --git a/checks/check_extra7120 b/checks/check_extra7120 index c2782e5f..751f74f2 100644 --- a/checks/check_extra7120 +++ b/checks/check_extra7120 
@@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra7120="7.117" -CHECK_TITLE_extra7120="[extra7120] Check if Security configurations used by ETL Jobs have CloudWatch logs encryption enabled. (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra7120="[extra7120] Check if Glue security configurations used by ETL Jobs have CloudWatch logs encryption enabled. (Not Scored) (Not part of CIS benchmark)" CHECK_SCORED_extra7120="NOT_SCORED" CHECK_TYPE_extra7120="EXTRA" CHECK_SEVERITY_extra7120="Medium" @@ -28,16 +28,16 @@ extra7120(){ if [[ ! -z "$SECURITY_CONFIGURATION" ]]; then CLOUDWATCH_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${SECURITY_CONFIGURATION}" $PROFILE_OPT --region $regx --output text --query 'SecurityConfiguration.EncryptionConfiguration.CloudWatchEncryption.CloudWatchEncryptionMode') if [[ "$CLOUDWATCH_ENCRYPTION" == "DISABLED" ]]; then - textFail "$regx: Job $JOB_NAME does not have CloudWatch logs encryption enabled" "$regx" + textFail "$regx: Glue job $JOB_NAME does not have CloudWatch logs encryption enabled" "$regx" else - textInfo "$regx: Job $JOB_NAME does have $CLOUDWATCH_ENCRYPTION CloudWatch logs encryption enabled" "$regx" + textInfo "$regx: Glue job $JOB_NAME does have $CLOUDWATCH_ENCRYPTION CloudWatch logs encryption enabled" "$regx" fi else - textFail "$regx: Job $JOB_NAME does not have CloudWatch logs encryption enabled" "$regx" + textFail "$regx: Glue job $JOB_NAME does not have CloudWatch logs encryption enabled" "$regx" fi done else - textInfo "$regx: There are no jobs" "$regx" + textInfo "$regx: There are no Glue jobs" "$regx" fi done } \ No newline at end of file diff --git a/checks/check_extra7122 b/checks/check_extra7122 index 0ef7bc9d..438be869 100644 --- a/checks/check_extra7122 +++ b/checks/check_extra7122 
@@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra7122="7.117" -CHECK_TITLE_extra7122="[extra7122] Check if Security configurations used by ETL Jobs have Job bookmark encryption enabled. (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra7122="[extra7122] Check if Glue security configurations used by ETL Jobs have Job bookmark encryption enabled. (Not Scored) (Not part of CIS benchmark)" CHECK_SCORED_extra7122="NOT_SCORED" CHECK_TYPE_extra7122="EXTRA" CHECK_SEVERITY_extra7122="Medium" @@ -28,16 +28,16 @@ extra7122(){ if [[ ! -z "$SECURITY_CONFIGURATION" ]]; then JOB_BOOKMARK_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${SECURITY_CONFIGURATION}" $PROFILE_OPT --region $regx --output text --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode') if [[ "$JOB_BOOKMARK_ENCRYPTION" == "DISABLED" ]]; then - textFail "$regx: Job $JOB_NAME does not have Job bookmark encryption enabled" "$regx" + textFail "$regx: Glue job $JOB_NAME does not have Job bookmark encryption enabled" "$regx" else - textInfo "$regx: Job $JOB_NAME does have $JOB_BOOKMARK_ENCRYPTION Job bookmark encryption enabled" "$regx" + textInfo "$regx: Glue job $JOB_NAME does have $JOB_BOOKMARK_ENCRYPTION Job bookmark encryption enabled" "$regx" fi else - textFail "$regx: Job $JOB_NAME does not have Job bookmark encryption enabled" "$regx" + textFail "$regx: Glue job $JOB_NAME does not have Job bookmark encryption enabled" "$regx" fi done else - textInfo "$regx: There are no jobs" "$regx" + textInfo "$regx: There are no Glue jobs" "$regx" fi done } \ No newline at end of file From 8c9d843813d41e0cbe27864eb6136bf7b93c1d90 Mon Sep 17 00:00:00 2001 
From: Toni de la Fuente Date: Fri, 13 Nov 2020 19:02:26 +0100 Subject: [PATCH 3/4] Glue review 1 --- checks/check_extra7115 | 2 +- checks/check_extra7116 | 6 +++--- checks/check_extra7117 | 2 +- checks/check_extra7118 | 2 +- checks/check_extra7120 | 2 +- checks/check_extra7122 | 2 +- groups/group23_glue | 19 ------------------- 7 files changed, 8 insertions(+), 27 deletions(-) delete mode 100644 groups/group23_glue diff --git a/checks/check_extra7115 b/checks/check_extra7115 index a8b5b166..ad597b07 100644 --- a/checks/check_extra7115 +++ b/checks/check_extra7115 @@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra7115="7.115" -CHECK_TITLE_extra7115="[extra7115] Check if Glue database connection must have SSL connection enabled. (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra7115="[extra7115] Check if Glue database connection has SSL connection enabled." CHECK_SCORED_extra7115="NOT_SCORED" CHECK_TYPE_extra7115="EXTRA" CHECK_SEVERITY_extra7115="Medium" diff --git a/checks/check_extra7116 b/checks/check_extra7116 index d862559c..aa778774 100644 --- a/checks/check_extra7116 +++ b/checks/check_extra7116 @@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra7116="7.116" -CHECK_TITLE_extra7116="[extra7116] Check if Glue data-catalog settings must have metadata encryption enabled. (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra7116="[extra7116] Check if Glue data-catalog settings have metadata encryption enabled." CHECK_SCORED_extra7116="NOT_SCORED" CHECK_TYPE_extra7116="EXTRA" CHECK_SEVERITY_extra7116="Medium" 
@@ -22,9 +22,9 @@ extra7116(){ for regx in $REGIONS; do METADATA_ENCRYPTED=$($AWSCLI glue get-data-catalog-encryption-settings $PROFILE_OPT --region $regx --output text --query "DataCatalogEncryptionSettings.EncryptionAtRest.CatalogEncryptionMode") if [[ "$METADATA_ENCRYPTED" == "DISABLED" ]]; then - textFail "$regx: Glue Catalog is not encrypted" "$regx" + textFail "$regx: Glue data-catalog settings have metadata encryption disabled" "$regx" else - textInfo "$regx: Glue catalog is encrypted with $METADATA_ENCRYPTED" "$regx" + textInfo "$regx: Glue data-catalog settings have metadata encryption enabled" "$regx" fi done } diff --git a/checks/check_extra7117 b/checks/check_extra7117 index 6a019c70..cd8b66b5 100644 --- a/checks/check_extra7117 +++ b/checks/check_extra7117 @@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra7117="7.117" -CHECK_TITLE_extra7117="[extra7117] Check if Glue data-catalog settings must have Encrypt connection password enabled. (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra7117="[extra7117] Check if Glue data-catalog settings have Encrypt connection password enabled." CHECK_SCORED_extra7117="NOT_SCORED" CHECK_TYPE_extra7117="EXTRA" CHECK_SEVERITY_extra7117="Medium" diff --git a/checks/check_extra7118 b/checks/check_extra7118 index 516b3086..abc02ac7 100644 --- a/checks/check_extra7118 +++ b/checks/check_extra7118 
@@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra7118="7.117" -CHECK_TITLE_extra7118="[extra7118] Check if Glue Security configurations used by ETL Jobs have S3 encryption enabled. (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra7118="[extra7118] Check if Glue security configurations used by ETL Jobs have S3 encryption enabled." CHECK_SCORED_extra7118="NOT_SCORED" CHECK_TYPE_extra7118="EXTRA" CHECK_SEVERITY_extra7118="Medium" diff --git a/checks/check_extra7120 b/checks/check_extra7120 index 751f74f2..32a6053b 100644 --- a/checks/check_extra7120 +++ b/checks/check_extra7120 @@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra7120="7.117" -CHECK_TITLE_extra7120="[extra7120] Check if Glue security configurations used by ETL Jobs have CloudWatch logs encryption enabled. (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra7120="[extra7120] Check if Glue security configurations used by ETL Jobs have CloudWatch logs encryption enabled." CHECK_SCORED_extra7120="NOT_SCORED" CHECK_TYPE_extra7120="EXTRA" CHECK_SEVERITY_extra7120="Medium" diff --git a/checks/check_extra7122 b/checks/check_extra7122 index 438be869..3ea87a2d 100644 --- a/checks/check_extra7122 +++ b/checks/check_extra7122 
@@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra7122="7.117" -CHECK_TITLE_extra7122="[extra7122] Check if Glue security configurations used by ETL Jobs have Job bookmark encryption enabled. (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra7122="[extra7122] Check if Glue security configurations used by ETL Jobs have Job bookmark encryption enabled." CHECK_SCORED_extra7122="NOT_SCORED" CHECK_TYPE_extra7122="EXTRA" CHECK_SEVERITY_extra7122="Medium" diff --git a/groups/group23_glue b/groups/group23_glue deleted file mode 100644 index 61bb8718..00000000 --- a/groups/group23_glue +++ /dev/null @@ -1,19 +0,0 @@ -#!/usr/bin/env bash - -# Prowler - the handy cloud security tool (copyright 2222) by Toni de la Fuente -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may not -# use this file except in compliance with the License. You may obtain a copy -# of the License at http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software distributed -# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR -# CONDITIONS OF ANY KIND, either express or implied. See the License for the -# specific language governing permissions and limitations under the License. - -GROUP_ID[23]='glue' -GROUP_NUMBER[23]='23.0' -GROUP_TITLE[23]='Amazon Glue related security checks - [glue] ********' -GROUP_RUN_BY_DEFAULT[23]='N' # run it when execute_all is called -GROUP_CHECKS[23]='extra7115,extra7116,extra7117,extra7118,extra7120,extra7122' - From 6e604e1834b2886a49bb47565efd3c22990e2ccd Mon Sep 17 00:00:00 2001 
From: Toni de la Fuente Date: Mon, 16 Nov 2020 17:51:53 +0100 Subject: [PATCH 4/4] Some corrections for glue related checks --- checks/check_extra7115 | 4 ++-- checks/check_extra7116 | 4 ++-- checks/check_extra7117 | 6 +++--- checks/check_extra7118 | 16 ++++++++++------ checks/check_extra7120 | 12 ++++++------ checks/check_extra7122 | 8 ++++---- groups/group24_glue | 18 ++++++++++++++++++ 7 files changed, 45 insertions(+), 23 deletions(-) create mode 100644 groups/group24_glue diff --git a/checks/check_extra7115 b/checks/check_extra7115 index ad597b07..da606669 100644 --- a/checks/check_extra7115 +++ b/checks/check_extra7115 @@ -21,14 +21,14 @@ CHECK_ALTERNATE_check7115="extra7115" extra7115(){ for regx in $REGIONS; do CONNECTION_LIST=$($AWSCLI glue get-connections $PROFILE_OPT --region $regx --output json --query 'ConnectionList[*].{Name:Name,SSL:ConnectionProperties.JDBC_ENFORCE_SSL}') - if [[ ! -z "$CONNECTION_LIST" ]]; then + if [[ $CONNECTION_LIST != '[]' ]]; then for connection in $(echo "${CONNECTION_LIST}" | jq -r '.[] | @base64'); do CONNECTION_NAME=$(echo $connection | base64 --decode | jq -r '.Name' ) CONNECTION_SSL_STATE=$(echo $connection | base64 --decode | jq -r '.SSL') if [[ "$CONNECTION_SSL_STATE" == "false" ]]; then textFail "$regx: Glue connection $CONNECTION_NAME has SSL connection disabled" "$regx" else - textInfo "$regx: Glue connection $CONNECTION_NAME has SSL connection enabled" "$regx" + textPass "$regx: Glue connection $CONNECTION_NAME has SSL connection enabled" "$regx" fi done else diff --git a/checks/check_extra7116 b/checks/check_extra7116 index aa778774..2165b91a 100644 --- a/checks/check_extra7116 +++ b/checks/check_extra7116 
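Review bot: With `[[ $CONNECTION_LIST != '[]' ]]` an empty `CONNECTION_LIST`, which is what the command substitution leaves when the AWS CLI call fails, now passes the test, the `for` loop runs zero times, and the region produces no line at all. I would handle the empty case before comparing against `'[]'`, e.g. `if [[ -z "$CONNECTION_LIST" ]]; then textInfo "$regx: Unable to list Glue connections" "$regx"; continue; fi`. The same test is introduced for `JOB_LIST` in `extra7118` later in this patch. The comparison also relies on the CLI printing an empty result exactly as `[]`; the closing lines of `extra7115` are outside this hunk.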
@@ -22,9 +22,9 @@ extra7116(){
 for regx in $REGIONS; do
 METADATA_ENCRYPTED=$($AWSCLI glue get-data-catalog-encryption-settings $PROFILE_OPT --region $regx --output text --query "DataCatalogEncryptionSettings.EncryptionAtRest.CatalogEncryptionMode")
 if [[ "$METADATA_ENCRYPTED" == "DISABLED" ]]; then
- textFail "$regx: Glue data-catalog settings have metadata encryption disabled" "$regx"
+ textFail "$regx: Glue data catalog settings have metadata encryption disabled" "$regx"
 else
- textInfo "$regx: Glue data-catalog settings have metadata encryption enabled" "$regx"
+ textPass "$regx: Glue data catalog settings have metadata encryption enabled" "$regx"
 fi
 done
 }
diff --git a/checks/check_extra7117 b/checks/check_extra7117
index cd8b66b5..7c11c76d 100644
--- a/checks/check_extra7117
+++ b/checks/check_extra7117
@@ -11,7 +11,7 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra7117="7.117"
-CHECK_TITLE_extra7117="[extra7117] Check if Glue data-catalog settings have Encrypt connection password enabled."
+CHECK_TITLE_extra7117="[extra7117] Check if Glue data catalog settings have encrypt connection password enabled."
 CHECK_SCORED_extra7117="NOT_SCORED"
 CHECK_TYPE_extra7117="EXTRA"
 CHECK_SEVERITY_extra7117="Medium"
@@ -22,9 +22,9 @@ extra7117(){
 for regx in $REGIONS; do
 METADATA_ENCRYPTED=$($AWSCLI glue get-data-catalog-encryption-settings $PROFILE_OPT --region $regx --output text --query "DataCatalogEncryptionSettings.ConnectionPasswordEncryption.ReturnConnectionPasswordEncrypted")
 if [[ "$METADATA_ENCRYPTED" == "False" ]]; then
- textFail "$regx: Glue Catalog connection password is not encrypted" "$regx"
+ textFail "$regx: Glue data catalog connection password is not encrypted" "$regx"
 else
- textInfo "$regx: Glue catalog connection password is encrypted" "$regx"
+ textPass "$regx: Glue data catalog connection password is encrypted" "$regx"
 fi
 done
 }
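Review bot: In extra7116 the new `textPass` sits in the `else` of `== "DISABLED"`, so an empty `METADATA_ENCRYPTED` is reported as encryption enabled; that is what the command substitution yields when the `get-data-catalog-encryption-settings` call fails, for example on missing permissions. The extra7117 hunk has the same shape with `== "False"`, and the extra7118, extra7120 and extra7122 hunks pass on any value other than `DISABLED`, including the `None` that `--output text` prints for an absent key. A guard ahead of the comparison keeps errors out of the PASS column: `if [[ -z "$METADATA_ENCRYPTED" || "$METADATA_ENCRYPTED" == "None" ]]; then textInfo "$regx: unable to read Glue data catalog encryption settings" "$regx"`, with the existing test following as `elif`.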
diff --git a/checks/check_extra7118 b/checks/check_extra7118
index abc02ac7..aa39907f 100644
--- a/checks/check_extra7118
+++ b/checks/check_extra7118
@@ -10,8 +10,8 @@
 # under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
-CHECK_ID_extra7118="7.117"
-CHECK_TITLE_extra7118="[extra7118] Check if Glue security configurations used by ETL Jobs have S3 encryption enabled."
+CHECK_ID_extra7118="7.118"
+CHECK_TITLE_extra7118="[extra7118] Check if Glue ETL Jobs have S3 encryption enabled."
 CHECK_SCORED_extra7118="NOT_SCORED"
 CHECK_TYPE_extra7118="EXTRA"
 CHECK_SEVERITY_extra7118="Medium"
@@ -21,7 +21,7 @@ CHECK_ALTERNATE_check7118="extra7118"
 extra7118(){
 for regx in $REGIONS; do
 JOB_LIST=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --output json --query 'Jobs[*].{Name:Name,SecurityConfiguration:SecurityConfiguration,JobEncryption:DefaultArguments."--encryption-type"}')
- if [[ ! -z "$JOB_LIST" ]]; then
+ if [[ $JOB_LIST != '[]' ]]; then
 for job in $(echo "${JOB_LIST}" | jq -r '.[] | @base64'); do
 JOB_NAME=$(echo $job | base64 --decode | jq -r '.Name')
 SECURITY_CONFIGURATION=$(echo $job | base64 --decode | jq -r '.SecurityConfiguration // empty')
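Review bot: The new test `[[ $JOB_LIST != '[]' ]]` in extra7118 is also true for an empty string, so when `glue get-jobs` fails and `JOB_LIST` is empty the loop runs over nothing and the region produces no finding at all. The same comparison is introduced in the extra7115, extra7120 and extra7122 hunks. Handling the empty case first keeps a failed listing visible, e.g. `if [[ -z "$JOB_LIST" ]]; then textInfo "$regx: unable to list Glue jobs" "$regx"; continue; fi` ahead of the `'[]'` test. Comparing the raw text also relies on the CLI printing an empty list exactly as `[]`. The body of extra7118 continues past this hunk.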
@@ -29,12 +29,16 @@ extra7118(){
 if [[ ! -z "$SECURITY_CONFIGURATION" ]]; then
 S3_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${SECURITY_CONFIGURATION}" $PROFILE_OPT --region $regx --output text --query 'SecurityConfiguration.EncryptionConfiguration.S3Encryption[0].S3EncryptionMode')
 if [[ "$S3_ENCRYPTION" == "DISABLED" ]]; then
- textFail "$regx: Glue job $JOB_NAME does not have S3 encryption enabled" "$regx"
+ if [[ ! -z "$JOB_ENCRYPTION" ]]; then
+ textPass "$regx: Glue job $JOB_NAME does have $JOB_ENCRYPTION for S3 encryption enabled" "$regx"
+ else
+ textFail "$regx: Glue job $JOB_NAME does not have S3 encryption enabled" "$regx"
+ fi
 else
- textInfo "$regx: Glue job $JOB_NAME does have $S3_ENCRYPTION S3 encryption enabled" "$regx"
+ textPass "$regx: Glue job $JOB_NAME does have $S3_ENCRYPTION for S3 encryption enabled" "$regx"
 fi
 elif [[ ! -z "$JOB_ENCRYPTION" ]]; then
- textInfo "$regx: Glue job $JOB_NAME does have $JOB_ENCRYPTION S3 encryption enabled" "$regx"
+ textPass "$regx: Glue job $JOB_NAME does have $JOB_ENCRYPTION for S3 encryption enabled" "$regx"
 else
 textFail "$regx: Glue job $JOB_NAME does not have S3 encryption enabled" "$regx"
 fi
diff --git a/checks/check_extra7120 b/checks/check_extra7120
index 32a6053b..69695b7f 100644
--- a/checks/check_extra7120
+++ b/checks/check_extra7120
@@ -10,8 +10,8 @@
 # under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
-CHECK_ID_extra7120="7.117"
-CHECK_TITLE_extra7120="[extra7120] Check if Glue security configurations used by ETL Jobs have CloudWatch logs encryption enabled."
+CHECK_ID_extra7120="7.120"
+CHECK_TITLE_extra7120="[extra7120] Check if Glue ETL Jobs have CloudWatch Logs encryption enabled."
 CHECK_SCORED_extra7120="NOT_SCORED"
 CHECK_TYPE_extra7120="EXTRA"
 CHECK_SEVERITY_extra7120="Medium"
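Review bot: The added inner branch in extra7118 reports PASS whenever `JOB_ENCRYPTION` is non-empty, whatever its value, even though the security configuration attached to the job has just been read as `DISABLED`. `JOB_ENCRYPTION` is assigned on a line outside this hunk, presumably from the `--encryption-type` default argument selected in the `get-jobs` query, so a mistyped or unsupported value there would still pass. Comparing against the expected value is stricter, e.g. `if [[ "$JOB_ENCRYPTION" == "sse-s3" ]]; then` (the value AWS documents for that argument, to be confirmed), and the same applies to the `elif` further down. Only `S3Encryption[0]` is inspected, so a configuration with more than one entry is judged on the first alone.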
@@ -21,19 +21,19 @@ CHECK_ALTERNATE_check7120="extra7120"
 extra7120(){
 for regx in $REGIONS; do
 JOB_LIST=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --output json --query 'Jobs[*].{Name:Name,SecurityConfiguration:SecurityConfiguration}')
- if [[ ! -z "$JOB_LIST" ]]; then
+ if [[ $JOB_LIST != '[]' ]]; then
 for job in $(echo "${JOB_LIST}" | jq -r '.[] | @base64'); do
 JOB_NAME=$(echo $job | base64 --decode | jq -r '.Name')
 SECURITY_CONFIGURATION=$(echo $job | base64 --decode | jq -r '.SecurityConfiguration // empty')
 if [[ ! -z "$SECURITY_CONFIGURATION" ]]; then
 CLOUDWATCH_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${SECURITY_CONFIGURATION}" $PROFILE_OPT --region $regx --output text --query 'SecurityConfiguration.EncryptionConfiguration.CloudWatchEncryption.CloudWatchEncryptionMode')
 if [[ "$CLOUDWATCH_ENCRYPTION" == "DISABLED" ]]; then
- textFail "$regx: Glue job $JOB_NAME does not have CloudWatch logs encryption enabled" "$regx"
+ textFail "$regx: Glue job $JOB_NAME does not have CloudWatch Logs encryption enabled" "$regx"
 else
- textInfo "$regx: Glue job $JOB_NAME does have $CLOUDWATCH_ENCRYPTION CloudWatch logs encryption enabled" "$regx"
+ textPass "$regx: Glue job $JOB_NAME does have $CLOUDWATCH_ENCRYPTION CloudWatch Logs encryption enabled" "$regx"
 fi
 else
- textFail "$regx: Glue job $JOB_NAME does not have CloudWatch logs encryption enabled" "$regx"
+ textFail "$regx: Glue job $JOB_NAME does not have CloudWatch Logs encryption enabled" "$regx"
 fi
 done
 else
diff --git a/checks/check_extra7122 b/checks/check_extra7122
index 3ea87a2d..618181c4 100644
--- a/checks/check_extra7122
+++ b/checks/check_extra7122
@@ -10,8 +10,8 @@
 # under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
-CHECK_ID_extra7122="7.117"
-CHECK_TITLE_extra7122="[extra7122] Check if Glue security configurations used by ETL Jobs have Job bookmark encryption enabled."
+CHECK_ID_extra7122="7.122"
+CHECK_TITLE_extra7122="[extra7122] Check if Glue ETL Jobs have Job bookmark encryption enabled."
 CHECK_SCORED_extra7122="NOT_SCORED"
 CHECK_TYPE_extra7122="EXTRA"
 CHECK_SEVERITY_extra7122="Medium"
@@ -21,7 +21,7 @@ CHECK_ALTERNATE_check7122="extra7122"
 extra7122(){
 for regx in $REGIONS; do
 JOB_LIST=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --output json --query 'Jobs[*].{Name:Name,SecurityConfiguration:SecurityConfiguration}')
- if [[ $JOB_LIST ]]; then
+ if [[ $JOB_LIST != '[]' ]]; then
 for job in $(echo "${JOB_LIST}" | jq -r '.[] | @base64'); do
 JOB_NAME=$(echo $job | base64 --decode | jq -r '.Name')
 SECURITY_CONFIGURATION=$(echo $job | base64 --decode | jq -r '.SecurityConfiguration // empty')
@@ -30,7 +30,7 @@ extra7122(){
 if [[ "$JOB_BOOKMARK_ENCRYPTION" == "DISABLED" ]]; then
 textFail "$regx: Glue job $JOB_NAME does not have Job bookmark encryption enabled" "$regx"
 else
- textInfo "$regx: Glue job $JOB_NAME does have $JOB_BOOKMARK_ENCRYPTION Job bookmark encryption enabled" "$regx"
+ textPass "$regx: Glue job $JOB_NAME does have $JOB_BOOKMARK_ENCRYPTION for Job bookmark encryption enabled" "$regx"
 fi
 else
 textFail "$regx: Glue job $JOB_NAME does not have Job bookmark encryption enabled" "$regx"
diff --git a/groups/group24_glue b/groups/group24_glue
new file mode 100644
index 00000000..518a6f24
--- /dev/null
+++ b/groups/group24_glue
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+GROUP_ID[23]='glue'
+GROUP_NUMBER[23]='23.0'
+GROUP_TITLE[23]='Amazon Glue related security checks - [glue] ********'
+GROUP_RUN_BY_DEFAULT[23]='N' # run it when execute_all is called
+GROUP_CHECKS[23]='extra7115,extra7116,extra7117,extra7118,extra7120,extra7122'
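Review bot: The new file is named `group24_glue`, but every assignment in it still writes index 23 (`GROUP_ID[23]`, `GROUP_NUMBER[23]='23.0'`, and the rest). If the move away from `group23_glue` was made because another group file already uses slot 23, which is not visible on this page, whichever file is sourced last overwrites the other and one group's checks silently drop out of a run. Use index 24 throughout, e.g. `GROUP_ID[24]='glue'` and `GROUP_NUMBER[24]='24.0'`, and likewise for `GROUP_TITLE`, `GROUP_RUN_BY_DEFAULT` and `GROUP_CHECKS`. The trailing comment `# run it when execute_all is called` also reads oddly next to the value `'N'` and deserves a short clarification.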