ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 14:55:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

Added group12 apigateway checks

Browse Source
This commit is contained in:
Toni de la Fuente
2019-05-13 17:01:45 -04:00
parent 959bd8dfd4
commit a6569a0a70
6 changed files with 32 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
checks/check_extra743
View File

@@ -21,14 +21,15 @@ extra743(){
LIST_OF_REST_APIS=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-rest-apis --query 'items[*].id' --output text) LIST_OF_REST_APIS=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-rest-apis --query 'items[*].id' --output text)
if [[ $LIST_OF_REST_APIS ]];then if [[ $LIST_OF_REST_APIS ]];then
for api in $LIST_OF_REST_APIS; do for api in $LIST_OF_REST_APIS; do
API_GW_NAME=$($AWSCLI apigateway get-rest-apis $PROFILE_OPT --region $regx --query "items[?id==\`$api\`].name" --output text)
LIST_OF_STAGES=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-stages --rest-api-id $api --query 'item[*].stageName' --output text) LIST_OF_STAGES=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-stages --rest-api-id $api --query 'item[*].stageName' --output text)
if [[ $LIST_OF_STAGES ]]; then if [[ $LIST_OF_STAGES ]]; then
for stage in $LIST_OF_STAGES; do for stage in $LIST_OF_STAGES; do
CHECK_CERTIFICATE=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-stages --rest-api-id $api --query "item[?stageName==\`$stage\`].clientCertificateId" --output text) CHECK_CERTIFICATE=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-stages --rest-api-id $api --query "item[?stageName==\`$stage\`].clientCertificateId" --output text)
if [[ $CHECK_CERTIFICATE ]]; then if [[ $CHECK_CERTIFICATE ]]; then
textPass "$regx: API ID $api in $stage has client certificate enabled" "$regx" textPass "$regx: API Gateway $API_GW_NAME ID $api in $stage has client certificate enabled" "$regx"
else else
textFail "$regx: API ID $api in $stage has not client certificate enabled" "$regx" textFail "$regx: API Gateway $API_GW_NAME ID $api in $stage has not client certificate enabled" "$regx"
fi fi
done done
fi fi

5
checks/check_extra744
View File

@@ -21,14 +21,15 @@ extra744(){
LIST_OF_REST_APIS=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-rest-apis --query 'items[*].id' --output text) LIST_OF_REST_APIS=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-rest-apis --query 'items[*].id' --output text)
if [[ $LIST_OF_REST_APIS ]];then if [[ $LIST_OF_REST_APIS ]];then
for api in $LIST_OF_REST_APIS; do for api in $LIST_OF_REST_APIS; do
API_GW_NAME=$($AWSCLI apigateway get-rest-apis $PROFILE_OPT --region $regx --query "items[?id==\`$api\`].name" --output text)
LIST_OF_STAGES=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-stages --rest-api-id $api --query 'item[*].stageName' --output text) LIST_OF_STAGES=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-stages --rest-api-id $api --query 'item[*].stageName' --output text)
if [[ $LIST_OF_STAGES ]]; then if [[ $LIST_OF_STAGES ]]; then
for stage in $LIST_OF_STAGES; do for stage in $LIST_OF_STAGES; do
CHECK_WAFACL=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-stages --rest-api-id $api --query "item[?stageName==\`$stage\`].webAclArn" --output text) CHECK_WAFACL=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-stages --rest-api-id $api --query "item[?stageName==\`$stage\`].webAclArn" --output text)
if [[ $CHECK_WAFACL ]]; then if [[ $CHECK_WAFACL ]]; then
textPass "$regx: API Gateway ID $api in $stage has $CHECK_WAFACL WAF ACL attached" "$regx" textPass "$regx: API Gateway $API_GW_NAME ID $api in $stage has $CHECK_WAFACL WAF ACL attached" "$regx"
else else
textFail "$regx: API Gateway ID $api in $stage has not WAF ACL attached" "$regx" textFail "$regx: API Gateway $API_GW_NAME ID $api in $stage has not WAF ACL attached" "$regx"
fi fi
done done
fi fi

7
checks/check_extra745
View File

@@ -21,17 +21,18 @@ extra745(){
LIST_OF_REST_APIS=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-rest-apis --query 'items[*].id' --output text) LIST_OF_REST_APIS=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-rest-apis --query 'items[*].id' --output text)
if [[ $LIST_OF_REST_APIS ]];then if [[ $LIST_OF_REST_APIS ]];then
for api in $LIST_OF_REST_APIS; do for api in $LIST_OF_REST_APIS; do
API_GW_NAME=$($AWSCLI apigateway get-rest-apis $PROFILE_OPT --region $regx --query "items[?id==\`$api\`].name" --output text)
ENDPOINT_CONFIG_TYPE=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-rest-api --rest-api-id $api --query endpointConfiguration.types --output text) ENDPOINT_CONFIG_TYPE=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-rest-api --rest-api-id $api --query endpointConfiguration.types --output text)
if [[ $ENDPOINT_CONFIG_TYPE ]]; then if [[ $ENDPOINT_CONFIG_TYPE ]]; then
case $ENDPOINT_CONFIG_TYPE in case $ENDPOINT_CONFIG_TYPE in
PRIVATE ) PRIVATE )
textPass "$regx: API ID $api is set as $ENDPOINT_CONFIG_TYPE" "$regx" textPass "$regx: API Gateway $API_GW_NAME ID $api is set as $ENDPOINT_CONFIG_TYPE" "$regx"
;; ;;
REGIONAL ) REGIONAL )
textFail "$regx: API ID $api is internet accesible as $ENDPOINT_CONFIG_TYPE" "$regx" textFail "$regx: API Gateway $API_GW_NAME ID $api is internet accesible as $ENDPOINT_CONFIG_TYPE" "$regx"
;; ;;
EDGE ) EDGE )
textFail "$regx: API ID $api is internet accesible as $ENDPOINT_CONFIG_TYPE" "$regx" textFail "$regx: API Gateway $API_GW_NAME ID $api is internet accesible as $ENDPOINT_CONFIG_TYPE" "$regx"
esac esac
fi fi
done done

5
checks/check_extra746
View File

@@ -21,11 +21,12 @@ extra746(){
LIST_OF_REST_APIS=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-rest-apis --query 'items[*].id' --output text) LIST_OF_REST_APIS=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-rest-apis --query 'items[*].id' --output text)
if [[ $LIST_OF_REST_APIS ]];then if [[ $LIST_OF_REST_APIS ]];then
for api in $LIST_OF_REST_APIS; do for api in $LIST_OF_REST_APIS; do
API_GW_NAME=$($AWSCLI apigateway get-rest-apis $PROFILE_OPT --region $regx --query "items[?id==\`$api\`].name" --output text)
AUTHORIZER_CONFIGURED=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-authorizers --rest-api-id $api --query items[*].type --output text) AUTHORIZER_CONFIGURED=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-authorizers --rest-api-id $api --query items[*].type --output text)
if [[ $AUTHORIZER_CONFIGURED ]]; then if [[ $AUTHORIZER_CONFIGURED ]]; then
textPass "$regx: API ID $api has authorizer configured" "$regx" textPass "$regx: API Gateway $API_GW_NAME ID $api has authorizer configured" "$regx"
else else
textFail "$regx: API ID $api has not authorizer configured" "$regx" textFail "$regx: API Gateway $API_GW_NAME ID $api has not authorizer configured" "$regx"
fi fi
done done
else else

40
checks/check_extra747
View File

@@ -1,40 +0,0 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_extra747="7.47"
CHECK_TITLE_extra747="[extra747] Check if API Gateway has CloudWatch Logs enabled (Not Scored) (Not part of CIS benchmark)"
CHECK_SCORED_extra747="NOT_SCORED"
CHECK_TYPE_extra747="EXTRA"
CHECK_ALTERNATE_check747="extra747"
extra747(){
for regx in $REGIONS; do
LIST_OF_REST_APIS=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-rest-apis --query 'items[*].id' --output text)
if [[ $LIST_OF_REST_APIS ]];then
for api in $LIST_OF_REST_APIS; do
LIST_OF_STAGES=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-stages --rest-api-id $api --query 'item[*].stageName' --output text)
if [[ $LIST_OF_STAGES ]]; then
for stage in $LIST_OF_STAGES; do
CHECK_CLOUDWATCHLOG=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-stages --rest-api-id $api --query "item[?stageName==\`$stage\`].methodSettings" --output text|awk '{ print $6 }'|egrep 'ERROR|INFO')
if [[ $CHECK_CLOUDWATCHLOG ]]; then
textPass "$regx: API Gateway ID $api in $stage has CloudWatch Logs configured" "$regx"
else
textFail "$regx: API Gateway ID $api in $stage has not CloudWatch Logs configured" "$regx"
fi
done
fi
done
else
textInfo "$regx: No API Gateways found" "$regx"
fi
done
}

19
groups/group12_apigateway Normal file
View File

@@ -0,0 +1,19 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
GROUP_ID[12]='apigateway'
GROUP_NUMBER[12]='12.0'
GROUP_TITLE[12]='API Gateway security checks - [apigateway] ********************'
GROUP_RUN_BY_DEFAULT[12]='N' # run it when execute_all is called
GROUP_CHECKS[12]='extra722,extra743,extra744,extra745,extra746'