diff --git a/checks/check_extra743 b/checks/check_extra743 index 6cebb4ef..e24326f9 100644 --- a/checks/check_extra743 +++ b/checks/check_extra743 @@ -21,14 +21,15 @@ extra743(){ LIST_OF_REST_APIS=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-rest-apis --query 'items[*].id' --output text) if [[ $LIST_OF_REST_APIS ]];then for api in $LIST_OF_REST_APIS; do + API_GW_NAME=$($AWSCLI apigateway get-rest-apis $PROFILE_OPT --region $regx --query "items[?id==\`$api\`].name" --output text) LIST_OF_STAGES=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-stages --rest-api-id $api --query 'item[*].stageName' --output text) if [[ $LIST_OF_STAGES ]]; then for stage in $LIST_OF_STAGES; do CHECK_CERTIFICATE=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-stages --rest-api-id $api --query "item[?stageName==\`$stage\`].clientCertificateId" --output text) if [[ $CHECK_CERTIFICATE ]]; then - textPass "$regx: API ID $api in $stage has client certificate enabled" "$regx" + textPass "$regx: API Gateway $API_GW_NAME ID $api in $stage has client certificate enabled" "$regx" else - textFail "$regx: API ID $api in $stage has not client certificate enabled" "$regx" + textFail "$regx: API Gateway $API_GW_NAME ID $api in $stage has not client certificate enabled" "$regx" fi done fi diff --git a/checks/check_extra744 b/checks/check_extra744 index 63dcfb78..6b7bfb3a 100644 --- a/checks/check_extra744 +++ b/checks/check_extra744 @@ -21,14 +21,15 @@ extra744(){ LIST_OF_REST_APIS=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-rest-apis --query 'items[*].id' --output text) if [[ $LIST_OF_REST_APIS ]];then for api in $LIST_OF_REST_APIS; do + API_GW_NAME=$($AWSCLI apigateway get-rest-apis $PROFILE_OPT --region $regx --query "items[?id==\`$api\`].name" --output text) LIST_OF_STAGES=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-stages --rest-api-id $api --query 'item[*].stageName' --output text) if [[ $LIST_OF_STAGES ]]; then for stage in $LIST_OF_STAGES; do CHECK_WAFACL=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-stages --rest-api-id $api --query "item[?stageName==\`$stage\`].webAclArn" --output text) if [[ $CHECK_WAFACL ]]; then - textPass "$regx: API Gateway ID $api in $stage has $CHECK_WAFACL WAF ACL attached" "$regx" + textPass "$regx: API Gateway $API_GW_NAME ID $api in $stage has $CHECK_WAFACL WAF ACL attached" "$regx" else - textFail "$regx: API Gateway ID $api in $stage has not WAF ACL attached" "$regx" + textFail "$regx: API Gateway $API_GW_NAME ID $api in $stage has not WAF ACL attached" "$regx" fi done fi diff --git a/checks/check_extra745 b/checks/check_extra745 index b404e04e..98a98e63 100644 --- a/checks/check_extra745 +++ b/checks/check_extra745 @@ -21,17 +21,18 @@ extra745(){ LIST_OF_REST_APIS=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-rest-apis --query 'items[*].id' --output text) if [[ $LIST_OF_REST_APIS ]];then for api in $LIST_OF_REST_APIS; do + API_GW_NAME=$($AWSCLI apigateway get-rest-apis $PROFILE_OPT --region $regx --query "items[?id==\`$api\`].name" --output text) ENDPOINT_CONFIG_TYPE=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-rest-api --rest-api-id $api --query endpointConfiguration.types --output text) if [[ $ENDPOINT_CONFIG_TYPE ]]; then case $ENDPOINT_CONFIG_TYPE in PRIVATE ) - textPass "$regx: API ID $api is set as $ENDPOINT_CONFIG_TYPE" "$regx" + textPass "$regx: API Gateway $API_GW_NAME ID $api is set as $ENDPOINT_CONFIG_TYPE" "$regx" ;; REGIONAL ) - textFail "$regx: API ID $api is internet accesible as $ENDPOINT_CONFIG_TYPE" "$regx" + textFail "$regx: API Gateway $API_GW_NAME ID $api is internet accesible as $ENDPOINT_CONFIG_TYPE" "$regx" ;; EDGE ) - textFail "$regx: API ID $api is internet accesible as $ENDPOINT_CONFIG_TYPE" "$regx" + textFail "$regx: API Gateway $API_GW_NAME ID $api is internet accesible as $ENDPOINT_CONFIG_TYPE" "$regx" esac fi done diff --git a/checks/check_extra746 b/checks/check_extra746 index 7fcb4ce0..073ca55f 100644 --- a/checks/check_extra746 +++ b/checks/check_extra746 @@ -21,11 +21,12 @@ extra746(){ LIST_OF_REST_APIS=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-rest-apis --query 'items[*].id' --output text) if [[ $LIST_OF_REST_APIS ]];then for api in $LIST_OF_REST_APIS; do + API_GW_NAME=$($AWSCLI apigateway get-rest-apis $PROFILE_OPT --region $regx --query "items[?id==\`$api\`].name" --output text) AUTHORIZER_CONFIGURED=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-authorizers --rest-api-id $api --query items[*].type --output text) if [[ $AUTHORIZER_CONFIGURED ]]; then - textPass "$regx: API ID $api has authorizer configured" "$regx" + textPass "$regx: API Gateway $API_GW_NAME ID $api has authorizer configured" "$regx" else - textFail "$regx: API ID $api has not authorizer configured" "$regx" + textFail "$regx: API Gateway $API_GW_NAME ID $api has not authorizer configured" "$regx" fi done else diff --git a/checks/check_extra747 b/checks/check_extra747 deleted file mode 100644 index 2bda2a76..00000000 --- a/checks/check_extra747 +++ /dev/null @@ -1,40 +0,0 @@ -#!/usr/bin/env bash - -# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may not -# use this file except in compliance with the License. You may obtain a copy -# of the License at http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software distributed -# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR -# CONDITIONS OF ANY KIND, either express or implied. See the License for the -# specific language governing permissions and limitations under the License. -CHECK_ID_extra747="7.47" -CHECK_TITLE_extra747="[extra747] Check if API Gateway has CloudWatch Logs enabled (Not Scored) (Not part of CIS benchmark)" -CHECK_SCORED_extra747="NOT_SCORED" -CHECK_TYPE_extra747="EXTRA" -CHECK_ALTERNATE_check747="extra747" - -extra747(){ - for regx in $REGIONS; do - LIST_OF_REST_APIS=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-rest-apis --query 'items[*].id' --output text) - if [[ $LIST_OF_REST_APIS ]];then - for api in $LIST_OF_REST_APIS; do - LIST_OF_STAGES=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-stages --rest-api-id $api --query 'item[*].stageName' --output text) - if [[ $LIST_OF_STAGES ]]; then - for stage in $LIST_OF_STAGES; do - CHECK_CLOUDWATCHLOG=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-stages --rest-api-id $api --query "item[?stageName==\`$stage\`].methodSettings" --output text|awk '{ print $6 }'|egrep 'ERROR|INFO') - if [[ $CHECK_CLOUDWATCHLOG ]]; then - textPass "$regx: API Gateway ID $api in $stage has CloudWatch Logs configured" "$regx" - else - textFail "$regx: API Gateway ID $api in $stage has not CloudWatch Logs configured" "$regx" - fi - done - fi - done - else - textInfo "$regx: No API Gateways found" "$regx" - fi - done -} diff --git a/groups/group12_apigateway b/groups/group12_apigateway new file mode 100644 index 00000000..fbecc23c --- /dev/null +++ b/groups/group12_apigateway @@ -0,0 +1,19 @@ +#!/usr/bin/env bash + +# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may not +# use this file except in compliance with the License. You may obtain a copy +# of the License at http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed +# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +# CONDITIONS OF ANY KIND, either express or implied. See the License for the +# specific language governing permissions and limitations under the License. + +GROUP_ID[12]='apigateway' +GROUP_NUMBER[12]='12.0' +GROUP_TITLE[12]='API Gateway security checks - [apigateway] ********************' +GROUP_RUN_BY_DEFAULT[12]='N' # run it when execute_all is called +GROUP_CHECKS[12]='extra722,extra743,extra744,extra745,extra746' +