ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 14:55:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

Added risk, remediation, doc link and caf epic to checks 742 to 7133

Browse Source
This commit is contained in:
Toni de la Fuente
2021-03-24 15:12:32 +01:00
parent 0c4111efda
commit a9d56be81a
91 changed files with 372 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
checks/check_extra7100
View File

@@ -23,6 +23,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7100="AwsIamPolicy"
CHECK_ALTERNATE_check7100="extra7100"
CHECK_ASFF_COMPLIANCE_TYPE_extra7100="ens-op.acc.2.aws.iam.1"
CHECK_SERVICENAME_extra7100="iam"
CHECK_RISK_extra7100='If not restricted unintended access could happen.'
CHECK_REMEDIATION_extra7100='Use the least privilege principle when granting permissions.'
CHECK_DOC_extra7100='https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html'
CHECK_CAF_EPIC_extra7100='IAM'
extra7100(){
# "Ensure that no custom policies exist which permit assuming any role (e.g. sts:AssumeRole on *)"

13
checks/check_extra7101
View File

@@ -10,6 +10,7 @@
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_extra7101="7.101"
CHECK_TITLE_extra7101="[extra7101] Check if Amazon Elasticsearch Service (ES) domains have audit logging enabled"
CHECK_SCORED_extra7101="NOT_SCORED"
@@ -18,14 +19,10 @@ CHECK_SEVERITY_extra7101="Low"
CHECK_ASFF_RESOURCE_TYPE_extra7101="AwsElasticsearchDomain"
CHECK_ALTERNATE_check7101="extra7101"
CHECK_SERVICENAME_extra7101="es"
# More info
# Works for Amazon Elasticsearch Service domains (version 6.7+) with Fine Grained Access Control enabled
# https://aws.amazon.com/about-aws/whats-new/2020/09/audit-logs-launch/
# https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/audit-logs.html
# Remediation
# aws es update-elasticsearch-domain-config --domain-name test1 --log-publishing-options "AUDIT_LOGS={CloudWatchLogsLogGroupArn=arn:aws:logs:us-east-1:123456789012:log-group:my-log-group,Enabled=true}" --region eu-west-1
CHECK_RISK_extra7101='If logs are not enabled; monitoring of service use and threat analysis is not possible.'
CHECK_REMEDIATION_extra7101='Make sure you are logging information about Amazon Elasticsearch Service operations.'
CHECK_DOC_extra7101='https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/audit-logs.html'
CHECK_CAF_EPIC_extra7101='Logging and Monitoring'
extra7101(){
for regx in $REGIONS; do

5
checks/check_extra7102
View File

@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra7102="High"
CHECK_ASFF_RESOURCE_TYPE_extra7102="AwsEc2Eip"
CHECK_ALTERNATE_check7102="extra7102"
CHECK_SERVICENAME_extra7102="ec2"
CHECK_RISK_extra7102='Sites like Shodan index exposed systems and further expose them to wider audiences as a quick way to find exploitable systems.'
CHECK_REMEDIATION_extra7102='Check Identified IPs; consider changing them to private ones and delete them from Shodan.'
CHECK_DOC_extra7102='https://www.shodan.io/'
CHECK_CAF_EPIC_extra7102='Infrastructure Security'
# Watch out, always use Shodan API key, if you use `curl https://www.shodan.io/host/{ip}` massively
# your IP will be banned by Shodan
@@ -25,7 +29,6 @@ CHECK_SERVICENAME_extra7102="ec2"
# This is the right way to do so
# curl -ks https://api.shodan.io/shodan/host/{ip}?key={YOUR_API_KEY}
# Each finding will be saved in prowler/output folder for further review.
extra7102(){

4
checks/check_extra7103
View File

@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7103="AwsSageMakerNotebookInstance"
CHECK_ALTERNATE_check7103="extra7103"
CHECK_SEVERITY_extra7103="Medium"
CHECK_SERVICENAME_extra7103="sagemaker"
CHECK_RISK_extra7103='Users with root access have administrator privileges; users can access and edit all files on a notebook instance with root access enabled.'
CHECK_REMEDIATION_extra7103='set the RootAccess field to Disabled. You can also disable root access for users when you create or update a notebook instance in the Amazon SageMaker console.'
CHECK_DOC_extra7103='https://docs.aws.amazon.com/sagemaker/latest/dg/nbi-root-access.html'
CHECK_CAF_EPIC_extra7103='IAM'
extra7103(){
for regx in ${REGIONS}; do

4
checks/check_extra7104
View File

@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7104="AwsSageMakerNotebookInstance"
CHECK_ALTERNATE_check7104="extra7104"
CHECK_SEVERITY_extra7104="Medium"
CHECK_SERVICENAME_extra7104="sagemaker"
CHECK_RISK_extra7104='This could provide an avenue for unauthorized access to your data.'
CHECK_REMEDIATION_extra7104='Restrict which traffic can access by launching Studio in a Virtual Private Cloud (VPC) of your choosing.'
CHECK_DOC_extra7104='https://docs.aws.amazon.com/sagemaker/latest/dg/studio-notebooks-and-internet-access.html'
CHECK_CAF_EPIC_extra7104='Infrastructure Security'
extra7104(){
for regx in ${REGIONS}; do

6
checks/check_extra7105
View File

@@ -19,7 +19,11 @@ CHECK_ASFF_RESOURCE_TYPE_extra7105="AwsSageMakerModel"
CHECK_ALTERNATE_check7105="extra7105"
CHECK_SEVERITY_extra7105="Medium"
CHECK_SERVICENAME_extra7105="sagemaker"
CHECK_RISK_extra7105='This could provide an avenue for unauthorized access to your data.'
CHECK_REMEDIATION_extra7105='Restrict which traffic can access by launching Studio in a Virtual Private Cloud (VPC) of your choosing.'
CHECK_DOC_extra7105='https://docs.aws.amazon.com/sagemaker/latest/dg/studio-notebooks-and-internet-access.html'
CHECK_CAF_EPIC_extra7105='Infrastructure Security'
extra7105(){
for regx in ${REGIONS}; do
LIST_SM_NB_MODELS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-models --query 'Models[*].ModelName' --output text)

6
checks/check_extra7106
View File

@@ -19,7 +19,11 @@ CHECK_ASFF_RESOURCE_TYPE_extra7106="AwsSageMakerModel"
CHECK_ALTERNATE_check7106="extra7106"
CHECK_SEVERITY_extra7106="Medium"
CHECK_SERVICENAME_extra7106="sagemaker"
CHECK_RISK_extra7106='This could provide an avenue for unauthorized access to your data.'
CHECK_REMEDIATION_extra7106='Restrict which traffic can access by launching Studio in a Virtual Private Cloud (VPC) of your choosing.'
CHECK_DOC_extra7106='https://docs.aws.amazon.com/sagemaker/latest/dg/studio-notebooks-and-internet-access.html'
CHECK_CAF_EPIC_extra7106='Infrastructure Security'
extra7106(){
for regx in ${REGIONS}; do
LIST_SM_NB_MODELS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-models --query 'Models[*].ModelName' --output text)

6
checks/check_extra7107
View File

@@ -19,7 +19,11 @@ CHECK_ASFF_RESOURCE_TYPE_extra7107="AwsSageMakerNotebookInstance"
CHECK_ALTERNATE_check7107="extra7107"
CHECK_SEVERITY_extra7107="Medium"
CHECK_SERVICENAME_extra7107="sagemaker"
CHECK_RISK_extra7107='If not restricted unintended access could happen.'
CHECK_REMEDIATION_extra7107='Internetwork communications support TLS 1.2 encryption between all components and clients.'
CHECK_DOC_extra7107='https://docs.aws.amazon.com/sagemaker/latest/dg/interface-vpc-endpoint.html'
CHECK_CAF_EPIC_extra7107='Data Protection'
extra7107(){
for regx in ${REGIONS}; do
LIST_SM_NB_JOBS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-training-jobs --query 'TrainingJobSummaries[*].TrainingJobName' --output text)

6
checks/check_extra7108
View File

@@ -19,7 +19,11 @@ CHECK_ASFF_RESOURCE_TYPE_extra7108="AwsSageMakerNotebookInstance"
CHECK_ALTERNATE_check7108="extra7108"
CHECK_SEVERITY_extra7108="Medium"
CHECK_SERVICENAME_extra7108="sagemaker"
CHECK_RISK_extra7108='Data exfiltration could happen if information is not protected. KMS keys provide additional security level to IAM policies.'
CHECK_REMEDIATION_extra7108='Specify AWS KMS keys to use for input and output from S3 and EBS.'
CHECK_DOC_extra7108='https://docs.aws.amazon.com/sagemaker/latest/dg/key-management.html'
CHECK_CAF_EPIC_extra7108='Data Protection'
extra7108(){
for regx in ${REGIONS}; do
LIST_SM_NB_JOBS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-training-jobs --query 'TrainingJobSummaries[*].TrainingJobName' --output text)

6
checks/check_extra7109
View File

@@ -19,7 +19,11 @@ CHECK_ASFF_RESOURCE_TYPE_extra7109="AwsSageMakerNotebookInstance"
CHECK_ALTERNATE_check7109="extra7109"
CHECK_SEVERITY_extra7109="Medium"
CHECK_SERVICENAME_extra7109="sagemaker"
CHECK_RISK_extra7109='This could provide an avenue for unauthorized access to your data.'
CHECK_REMEDIATION_extra7109='Restrict which traffic can access by launching Studio in a Virtual Private Cloud (VPC) of your choosing.'
CHECK_DOC_extra7109='https://docs.aws.amazon.com/sagemaker/latest/dg/interface-vpc-endpoint.html'
CHECK_CAF_EPIC_extra7109='Infrastructure Security'
extra7109(){
for regx in ${REGIONS}; do
LIST_SM_NB_JOBS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-training-jobs --query 'TrainingJobSummaries[*].TrainingJobName' --output text)

6
checks/check_extra7110
View File

@@ -19,7 +19,11 @@ CHECK_ASFF_RESOURCE_TYPE_extra7110="AwsSageMakerNotebookInstance"
CHECK_ALTERNATE_check7110="extra7110"
CHECK_SEVERITY_extra7110="Medium"
CHECK_SERVICENAME_extra7110="sagemaker"
CHECK_RISK_extra7110='This could provide an avenue for unauthorized access to your data.'
CHECK_REMEDIATION_extra7110='Restrict which traffic can access by launching Studio in a Virtual Private Cloud (VPC) of your choosing.'
CHECK_DOC_extra7110='https://docs.aws.amazon.com/sagemaker/latest/dg/interface-vpc-endpoint.html'
CHECK_CAF_EPIC_extra7110='Infrastructure Security'
extra7110(){
for regx in ${REGIONS}; do
LIST_SM_NB_JOBS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-training-jobs --query 'TrainingJobSummaries[*].TrainingJobName' --output text)

4
checks/check_extra7111
View File

@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7111="AwsSageMakerNotebookInstance"
CHECK_ALTERNATE_check7111="extra7111"
CHECK_SEVERITY_extra7111="Medium"
CHECK_SERVICENAME_extra7111="sagemaker"
CHECK_RISK_extra7111='This could provide an avenue for unauthorized access to your data.'
CHECK_REMEDIATION_extra7111='Restrict which traffic can access by launching Studio in a Virtual Private Cloud (VPC) of your choosing.'
CHECK_DOC_extra7111='https://docs.aws.amazon.com/sagemaker/latest/dg/interface-vpc-endpoint.html'
CHECK_CAF_EPIC_extra7111='Infrastructure Security'
extra7111(){
for regx in ${REGIONS}; do

4
checks/check_extra7112
View File

@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7112="AwsSageMakerNotebookInstance"
CHECK_ALTERNATE_check7112="extra7112"
CHECK_SEVERITY_extra7112="Medium"
CHECK_SERVICENAME_extra7112="sagemaker"
CHECK_RISK_extra7112='Data exfiltration could happen if information is not protected. KMS keys provide additional security level to IAM policies.'
CHECK_REMEDIATION_extra7112='Specify AWS KMS keys to use for input and output from S3 and EBS.'
CHECK_DOC_extra7112='https://docs.aws.amazon.com/sagemaker/latest/dg/key-management.html'
CHECK_CAF_EPIC_extra7112='Data Protection'
extra7112(){
for regx in ${REGIONS}; do

4
checks/check_extra7113
View File

@@ -30,6 +30,10 @@ CHECK_SEVERITY_extra7113="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra7113="AwsRdsDbInstance"
CHECK_ALTERNATE_check7113="extra7113"
CHECK_SERVICENAME_extra7113="rds"
CHECK_RISK_extra7113='You can only delete instances that do not have deletion protection enabled.'
CHECK_REMEDIATION_extra7113='Enable deletion protection using the AWS Management Console for production DB instances.'
CHECK_DOC_extra7113='https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_DeleteInstance.html'
CHECK_CAF_EPIC_extra7113='Data Protection'
extra7113(){
textInfo "Looking for RDS Volumes in all regions... "

4
checks/check_extra7114
View File

@@ -19,6 +19,10 @@ CHECK_SEVERITY_extra7114="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra7114="AwsGlue"
CHECK_ALTERNATE_check7114="extra7114"
CHECK_SERVICENAME_extra7114="glue"
CHECK_RISK_extra7114='Data exfiltration could happen if information is not protected. KMS keys provide additional security level to IAM policies.'
CHECK_REMEDIATION_extra7114='Specify AWS KMS keys to use for input and output from S3 and EBS.'
CHECK_DOC_extra7114='https://docs.aws.amazon.com/glue/latest/dg/encryption-security-configuration.html'
CHECK_CAF_EPIC_extra7114='Data Protection'
extra7114(){
for regx in $REGIONS; do

4
checks/check_extra7115
View File

@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra7115="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra7115="AwsGlue"
CHECK_ALTERNATE_check7115="extra7115"
CHECK_SERVICENAME_extra7115="glue"
CHECK_RISK_extra7115='Data exfiltration could happen if information is not protected in transit.'
CHECK_REMEDIATION_extra7115='Configure encryption settings for crawlers; ETL jobs; and development endpoints using security configurations in AWS Glue.'
CHECK_DOC_extra7115='https://docs.aws.amazon.com/glue/latest/dg/encryption-in-transit.html'
CHECK_CAF_EPIC_extra7115='Data Protection'
extra7115(){
for regx in $REGIONS; do

4
checks/check_extra7116
View File

@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra7116="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra7116="AwsGlue"
CHECK_ALTERNATE_check7116="extra7116"
CHECK_SERVICENAME_extra7116="glue"
CHECK_RISK_extra7116='If not enabled sensible information at rest is not protected.'
CHECK_REMEDIATION_extra7116='Enable Encryption. Use a CMK where possible. It will provide additional management and privacy benefits.'
CHECK_DOC_extra7116='https://docs.aws.amazon.com/glue/latest/dg/encrypt-glue-data-catalog.html'
CHECK_CAF_EPIC_extra7116='Data Protection'
extra7116(){
for regx in $REGIONS; do

4
checks/check_extra7117
View File

@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra7117="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra7117="AwsGlue"
CHECK_ALTERNATE_check7117="extra7117"
CHECK_SERVICENAME_extra7117="glue"
CHECK_RISK_extra7117='If not enabled sensible information at rest is not protected.'
CHECK_REMEDIATION_extra7117='On the AWS Glue console; you can enable this option on the Data catalog settings page.'
CHECK_DOC_extra7117='https://docs.aws.amazon.com/glue/latest/dg/encrypt-connection-passwords.html'
CHECK_CAF_EPIC_extra7117='Data Protection'
extra7117(){
for regx in $REGIONS; do

4
checks/check_extra7118
View File

@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra7118="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra7118="AwsGlue"
CHECK_ALTERNATE_check7118="extra7118"
CHECK_SERVICENAME_extra7118="glue"
CHECK_RISK_extra7118='If not enabled sensible information at rest is not protected.'
CHECK_REMEDIATION_extra7118='Provide the encryption properties that are used by crawlers; jobs; and development endpoints.'
CHECK_DOC_extra7118='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html'
CHECK_CAF_EPIC_extra7118='Data Protection'
extra7118(){
for regx in $REGIONS; do

4
checks/check_extra7119
View File

@@ -19,6 +19,10 @@ CHECK_SEVERITY_extra7119="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra7119="AwsGlue"
CHECK_ALTERNATE_check7119="extra7119"
CHECK_SERVICENAME_extra7119="glue"
CHECK_RISK_extra7119='If not enabled sensible information at rest is not protected.'
CHECK_REMEDIATION_extra7119='Enable Encryption in the Security configurations.'
CHECK_DOC_extra7119='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html'
CHECK_CAF_EPIC_extra7119='Logging and Monitoring'
extra7119(){
for regx in $REGIONS; do

4
checks/check_extra7120
View File

@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra7120="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra7120="AwsGlue"
CHECK_ALTERNATE_check7120="extra7120"
CHECK_SERVICENAME_extra7120="glue"
CHECK_RISK_extra7120='If not enabled sensible information at rest is not protected.'
CHECK_REMEDIATION_extra7120='Enable Encryption in the Security configurations.'
CHECK_DOC_extra7120='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html'
CHECK_CAF_EPIC_extra7120='Logging and Monitoring'
extra7120(){
for regx in $REGIONS; do

4
checks/check_extra7121
View File

@@ -19,6 +19,10 @@ CHECK_SEVERITY_extra7121="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra7121="AwsGlue"
CHECK_ALTERNATE_check7121="extra7121"
CHECK_SERVICENAME_extra7121="glue"
CHECK_RISK_extra7121='If not enabled sensible information at rest is not protected.'
CHECK_REMEDIATION_extra7121='Enable Encryption in the Security configurations.'
CHECK_DOC_extra7121='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html'
CHECK_CAF_EPIC_extra7121='Data Protection'
extra7121(){
for regx in $REGIONS; do

4
checks/check_extra7122
View File

@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra7122="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra7122="AwsGlue"
CHECK_ALTERNATE_check7122="extra7122"
CHECK_SERVICENAME_extra7122="glue"
CHECK_RISK_extra7122='If not enabled sensible information at rest is not protected.'
CHECK_REMEDIATION_extra7122='Enable Encryption in the Security configurations.'
CHECK_DOC_extra7122='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html'
CHECK_CAF_EPIC_extra7122='Data Protection'
extra7122(){
for regx in $REGIONS; do

4
checks/check_extra7123
View File

@@ -20,6 +20,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7123="AwsIamUser"
CHECK_ALTERNATE_check7123="extra7123"
CHECK_ASFF_COMPLIANCE_TYPE_extra7123="ens-op.acc.1.aws.iam.2"
CHECK_SERVICENAME_extra7123="iam"
CHECK_RISK_extra7123='Access Keys could be lost or stolen. It creates a critical risk.'
CHECK_REMEDIATION_extra7123='Avoid using long lived access keys.'
CHECK_DOC_extra7123='https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAccessKeys.html'
CHECK_CAF_EPIC_extra7123='IAM'
extra7123(){
LIST_OF_USERS_WITH_2ACCESS_KEYS=$(cat $TEMP_REPORT_FILE| awk -F, '{ print $1, $9, $14 }' |grep "\ true\ true" | awk '{ print $1 }')

4
checks/check_extra7124
View File

@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7124="AwsEc2Instance"
CHECK_ALTERNATE_check7124="extra7124"
CHECK_ASFF_COMPLIANCE_TYPE_extra7124="ens-op.exp.1.aws.sys.1 ens-op.acc.4.aws.sys.1"
CHECK_SERVICENAME_extra7124="ssm"
CHECK_RISK_extra7124='AWS Config provides AWS Managed Rules; which are predefined; customizable rules that AWS Config uses to evaluate whether your AWS resource configurations comply with common best practices.'
CHECK_REMEDIATION_extra7124='Verify and apply Systems Manager Prerequisites.'
CHECK_DOC_extra7124='https://docs.aws.amazon.com/systems-manager/latest/userguide/managed_instances.html'
CHECK_CAF_EPIC_extra7124='Infrastructure Security'
extra7124(){
for regx in $REGIONS; do

4
checks/check_extra7125
View File

@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7125="AwsIamUser"
CHECK_ALTERNATE_check7125="extra7125"
CHECK_ASFF_COMPLIANCE_TYPE_extra7125="ens-op.acc.5.aws.iam.2"
CHECK_SERVICENAME_extra7125="iam"
CHECK_RISK_extra7125='Hardware MFA is preferred over virtual MFA.'
CHECK_REMEDIATION_extra7125='Enable hardware MFA device for an IAM user from the AWS Management Console; the command line; or the IAM API.'
CHECK_DOC_extra7125='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_physical.html'
CHECK_CAF_EPIC_extra7125='IAM'
extra7125(){
LIST_USERS=$($AWSCLI iam list-users --query 'Users[*].UserName' --output text $PROFILE_OPT --region $REGION)

4
checks/check_extra7126
View File

@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7126="AwsKmsKey"
CHECK_ALTERNATE_check7126="extra7126"
CHECK_ASFF_COMPLIANCE_TYPE_extra7126="op.exp.11.aws.kms.2"
CHECK_SERVICENAME_extra7126="kms"
CHECK_RISK_extra7126='Unused keys may increase service cost.'
CHECK_REMEDIATION_extra7126='Before deleting a customer master key (CMK); you might want to know how many cipher-texts were encrypted under that key. '
CHECK_DOC_extra7126='https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys-determining-usage.html'
CHECK_CAF_EPIC_extra7126='Data Protection'
extra7126(){
for regx in $REGIONS; do

5
checks/check_extra7127
View File

@@ -20,7 +20,10 @@ CHECK_ASFF_TYPE_extra7127="Software and Configuration Checks/ENS op.exp.4.aws.sy
CHECK_ALTERNATE_check7127="extra7127"
CHECK_ASFF_COMPLIANCE_TYPE_extra7127="ens-op.exp.1.aws.sys.1 ens-op.exp.4.aws.sys.1"
CHECK_SERVICENAME_extra7127="ssm"
CHECK_RISK_extra7127='Without the most recent security patches your system is potentially vulnerable to cyberattacks. Even the best-designed software can not anticipate every future threat to cybersecurity. Poor patch management can leave an organizations data exposed subjecting them to malware and ransomware attacks.'
CHECK_REMEDIATION_extra7127='Consider using SSM in all accounts and services to at least monitor for missing patches on servers. Use a robust process to apply security fixes as soon as they are made available. Patch compliance data from Patch Manager can be sent to AWS Security Hub to centralize security issues.'
CHECK_DOC_extra7127='https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-compliance-identify.html'
CHECK_CAF_EPIC_extra7127='Infrastructure Security'
extra7127(){
for regx in $REGIONS; do

4
checks/check_extra7128
View File

@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7128="AwsDynamoDBTable"
CHECK_ALTERNATE_check7128="extra7128"
CHECK_ASFF_COMPLIANCE_TYPE_extra7128="ens-mp.info.3.aws.dyndb.1"
CHECK_SERVICENAME_extra7128="dynamodb"
CHECK_RISK_extra7128='All user data stored in Amazon DynamoDB is fully encrypted at rest. This functionality helps reduce the operational burden and complexity involved in protecting sensitive data.'
CHECK_REMEDIATION_extra7128='Specify an encryption key when you create a new table or switch the encryption keys on an existing table by using the AWS Management Console.'
CHECK_DOC_extra7128='https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html'
CHECK_CAF_EPIC_extra7128='Data Protection'
extra7128(){
for regx in $REGIONS; do

4
checks/check_extra7129
View File

@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7129="AwsElasticLoadBalancingV2LoadBalancer"
CHECK_ALTERNATE_check7129="extra7129"
CHECK_ASFF_COMPLIANCE_TYPE_extra7129="ens-mp.s.2.aws.waf.3"
CHECK_SERVICENAME_extra7129="elb"
CHECK_RISK_extra7129='If not WAF ACL is attached risk of web attacks increases.'
CHECK_REMEDIATION_extra7129='Using the AWS Management Console open the AWS WAF console to attach an ACL.'
CHECK_DOC_extra7129='https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-associating-aws-resource.html'
CHECK_CAF_EPIC_extra7129='Infrastructure Security'
extra7129(){
for regx in $REGIONS; do

4
checks/check_extra7130
View File

@@ -19,6 +19,10 @@ CHECK_SEVERITY_extra7130="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra7130="AwsSnsTopic"
CHECK_ALTERNATE_check7130="extra7130"
CHECK_SERVICENAME_extra7130="sns"
CHECK_RISK_extra7130='If not enabled sensible information at rest is not protected.'
CHECK_REMEDIATION_extra7130='Use Amazon SNS with AWS KMS.'
CHECK_DOC_extra7130='https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html'
CHECK_CAF_EPIC_extra7130='Data Protection'
extra7130(){
textInfo "Looking for SNS Topics in all regions... "

4
checks/check_extra7131
View File

@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra7131="Low"
CHECK_ASFF_RESOURCE_TYPE_extra7131="AwsRdsDbInstance"
CHECK_ALTERNATE_check7131="extra7131"
CHECK_SERVICENAME_extra7131="rds"
CHECK_RISK_extra7131='Auto Minor Version Upgrade is a feature that you can enable to have your database automatically upgraded when a new minor database engine version is available. Minor version upgrades often patch security vulnerabilities and fix bugs; and therefor should be applied.'
CHECK_REMEDIATION_extra7131='Enable auto minor version upgrade for all databases and environments.'
CHECK_DOC_extra7131='https://aws.amazon.com/blogs/database/best-practices-for-upgrading-amazon-rds-to-major-and-minor-versions-of-postgresql/'
CHECK_CAF_EPIC_extra7131='Infrastructure Security'
extra7131(){
for regx in $REGIONS; do

4
checks/check_extra7132
View File

@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra7132="Low"
CHECK_ASFF_RESOURCE_TYPE_extra7132="AwsRdsDbInstance"
CHECK_ALTERNATE_check7132="extra7132"
CHECK_SERVICENAME_extra7132="rds"
CHECK_RISK_extra7132='A smaller monitoring interval results in more frequent reporting of OS metrics.'
CHECK_REMEDIATION_extra7132='To use Enhanced Monitoring; you must create an IAM role; and then enable Enhanced Monitoring.'
CHECK_DOC_extra7132='https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Monitoring.OS.html'
CHECK_CAF_EPIC_extra7132='Logging and Monitoring'
extra7132(){
for regx in $REGIONS; do

6
checks/check_extra7133
View File

@@ -18,8 +18,10 @@ CHECK_SEVERITY_extra7133="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra7133="AwsRdsDbInstance"
CHECK_ALTERNATE_check7133="extra7133"
CHECK_SERVICENAME_extra7133="rds"
CHECK_RISK_extra7133="In case of failure with a single-AZ deployment configuration should an availability zone specific database failure occur Amazon RDS can not automatically fail over to the standby availability zone."
CHECK_REMEDIATION_extra7133="Enable multi-AZ deployment for production databases. More here: https://aws.amazon.com/rds/features/multi-az/."
CHECK_RISK_extra7133='In case of failure; with a single-AZ deployment configuration; should an availability zone specific database failure occur; Amazon RDS can not automatically fail over to the standby availability zone.'
CHECK_REMEDIATION_extra7133='Enable multi-AZ deployment for production databases.'
CHECK_DOC_extra7133='https://aws.amazon.com/rds/features/multi-az/'
CHECK_CAF_EPIC_extra7133='Data Protection'
extra7133(){
for regx in $REGIONS; do

4
checks/check_extra742
View File

@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra742="Critical"
CHECK_ASFF_RESOURCE_TYPE_extra742="AwsCloudFormationStack"
CHECK_ALTERNATE_check742="extra742"
CHECK_SERVICENAME_extra742="cloudformation"
CHECK_RISK_extra742='Secrets hardcoded into CloudFormation outputs can be used by malware and bad actors to gain lateral access to other services.'
CHECK_REMEDIATION_extra742='Implement automated detective control (e.g. using tools like Prowler ) to scan accounts for passwords and secrets. Use secrets manager service to store and retrieve passwords and secrets. '
CHECK_DOC_extra742='https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-generatesecretstring.html'
CHECK_CAF_EPIC_extra742='IAM'
extra742(){
SECRETS_TEMP_FOLDER="$PROWLER_DIR/secrets-$ACCOUNT_NUM"

4
checks/check_extra743
View File

@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra743="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra743="AwsApiGatewayRestApi"
CHECK_ALTERNATE_check743="extra743"
CHECK_SERVICENAME_extra743="apigateway"
CHECK_RISK_extra743='Possible man in the middle attacks and other similar risks.'
CHECK_REMEDIATION_extra743='Enable client certificate. Mutual TLS is recommended and commonly used for business-to-business (B2B) applications. Its used in standards such as Open Banking. API Gateway now provides integrated mutual TLS authentication at no additional cost.'
CHECK_DOC_extra743='https://aws.amazon.com/blogs/compute/introducing-mutual-tls-authentication-for-amazon-api-gateway/'
CHECK_CAF_EPIC_extra743='Data Protection'
extra743(){
for regx in $REGIONS; do

4
checks/check_extra744
View File

@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra744="AwsApiGatewayRestApi"
CHECK_ALTERNATE_check744="extra744"
CHECK_ASFF_COMPLIANCE_TYPE_extra744="ens-mp.s.2.aws.waf.2"
CHECK_SERVICENAME_extra744="apigateway"
CHECK_RISK_extra744='Potential attacks and / or abuse of service; more even for even for internet reachable services.'
CHECK_REMEDIATION_extra744='Use AWS WAF to protect your API Gateway API from common web exploits; such as SQL injection and cross-site scripting (XSS) attacks. These could affect API availability and performance; compromise security; or consume excessive resources.'
CHECK_DOC_extra744='https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-aws-waf.html'
CHECK_CAF_EPIC_extra744='Infrastructure Security'
extra744(){
for regx in $REGIONS; do

4
checks/check_extra745
View File

@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra745="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra745="AwsApiGatewayRestApi"
CHECK_ALTERNATE_check745="extra745"
CHECK_SERVICENAME_extra745="apigateway"
CHECK_RISK_extra745='If accessible from internet without restrictions opens up attack / abuse surface for any malicious user.'
CHECK_REMEDIATION_extra745='Verify that any public Api Gateway is protected and audited. Detective controls for common risks should be implemented.'
CHECK_DOC_extra745='https://d1.awsstatic.com/whitepapers/api-gateway-security.pdf?svrd_sip6'
CHECK_CAF_EPIC_extra745='Infrastructure Security'
extra745(){
for regx in $REGIONS; do

4
checks/check_extra746
View File

@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra746="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra746="AwsApiGatewayRestApi"
CHECK_ALTERNATE_check746="extra746"
CHECK_SERVICENAME_extra746="apigateway"
CHECK_RISK_extra746='If no authorizer is enabled anyone can use the service.'
CHECK_REMEDIATION_extra746='Implement Amazon Cognito or a Lambda function to control access to your API.'
CHECK_DOC_extra746='https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html'
CHECK_CAF_EPIC_extra746='IAM'
extra746(){
for regx in $REGIONS; do

4
checks/check_extra747
View File

@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra747="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra747="AwsRdsDbInstance"
CHECK_ALTERNATE_check747="extra747"
CHECK_SERVICENAME_extra747="rds"
CHECK_RISK_extra747='If logs are not enabled; monitoring of service use and threat analysis is not possible.'
CHECK_REMEDIATION_extra747='Use CloudWatch Logs to perform real-time analysis of the log data. Create alarms and view metrics.'
CHECK_DOC_extra747='https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/publishing_cloudwatchlogs.html'
CHECK_CAF_EPIC_extra747='Logging and Monitoring'
extra747(){
for regx in $REGIONS; do

4
checks/check_extra748
View File

@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra748="High"
CHECK_ASFF_RESOURCE_TYPE_extra748="AwsEc2SecurityGroup"
CHECK_ALTERNATE_check748="extra748"
CHECK_SERVICENAME_extra748="ec2"
CHECK_RISK_extra748='If Security groups are not properly configured the attack surface is increased. '
CHECK_REMEDIATION_extra748='Use a Zero Trust approach. Narrow ingress traffic as much as possible. Consider north-south as well as east-west traffic.'
CHECK_DOC_extra748='https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html'
CHECK_CAF_EPIC_extra748='Infrastructure Security'
extra748(){
for regx in $REGIONS; do

4
checks/check_extra749
View File

@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra749="AwsEc2SecurityGroup"
CHECK_ALTERNATE_check749="extra749"
CHECK_ASFF_COMPLIANCE_TYPE_extra749="ens-mp.com.4.aws.sg.6"
CHECK_SERVICENAME_extra749="ec2"
CHECK_RISK_extra749='If Security groups are not properly configured the attack surface is increased. '
CHECK_REMEDIATION_extra749='Use a Zero Trust approach. Narrow ingress traffic as much as possible. Consider north-south as well as east-west traffic.'
CHECK_DOC_extra749='https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html'
CHECK_CAF_EPIC_extra749='Infrastructure Security'
extra749(){
for regx in $REGIONS; do

4
checks/check_extra750
View File

@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra750="AwsEc2SecurityGroup"
CHECK_ALTERNATE_check750="extra750"
CHECK_ASFF_COMPLIANCE_TYPE_extra750="ens-mp.com.4.aws.sg.7"
CHECK_SERVICENAME_extra750="ec2"
CHECK_RISK_extra750='If Security groups are not properly configured the attack surface is increased. '
CHECK_REMEDIATION_extra750='Use a Zero Trust approach. Narrow ingress traffic as much as possible. Consider north-south as well as east-west traffic.'
CHECK_DOC_extra750='https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html'
CHECK_CAF_EPIC_extra750='Infrastructure Security'
extra750(){
for regx in $REGIONS; do

4
checks/check_extra751
View File

@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra751="AwsEc2SecurityGroup"
CHECK_ALTERNATE_check751="extra751"
CHECK_ASFF_COMPLIANCE_TYPE_extra751="ens-mp.com.4.aws.sg.8"
CHECK_SERVICENAME_extra751="ec2"
CHECK_RISK_extra751='If Security groups are not properly configured the attack surface is increased. '
CHECK_REMEDIATION_extra751='Use a Zero Trust approach. Narrow ingress traffic as much as possible. Consider north-south as well as east-west traffic.'
CHECK_DOC_extra751='https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html'
CHECK_CAF_EPIC_extra751='Infrastructure Security'
extra751(){
for regx in $REGIONS; do

4
checks/check_extra752
View File

@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra752="AwsEc2SecurityGroup"
CHECK_ALTERNATE_check752="extra752"
CHECK_ASFF_COMPLIANCE_TYPE_extra752="ens-mp.com.4.aws.sg.9"
CHECK_SERVICENAME_extra752="ec2"
CHECK_RISK_extra752='If Security groups are not properly configured the attack surface is increased. '
CHECK_REMEDIATION_extra752='Use a Zero Trust approach. Narrow ingress traffic as much as possible. Consider north-south as well as east-west traffic.'
CHECK_DOC_extra752='https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html'
CHECK_CAF_EPIC_extra752='Infrastructure Security'
extra752(){
for regx in $REGIONS; do

4
checks/check_extra753
View File

@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra753="AwsEc2SecurityGroup"
CHECK_ALTERNATE_check753="extra753"
CHECK_ASFF_COMPLIANCE_TYPE_extra753="ens-mp.com.4.aws.sg.10"
CHECK_SERVICENAME_extra753="ec2"
CHECK_RISK_extra753='If Security groups are not properly configured the attack surface is increased. '
CHECK_REMEDIATION_extra753='Use a Zero Trust approach. Narrow ingress traffic as much as possible. Consider north-south as well as east-west traffic.'
CHECK_DOC_extra753='https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html'
CHECK_CAF_EPIC_extra753='Infrastructure Security'
extra753(){
for regx in $REGIONS; do

4
checks/check_extra754
View File

@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra754="AwsEc2SecurityGroup"
CHECK_ALTERNATE_check754="extra754"
CHECK_ASFF_COMPLIANCE_TYPE_extra754="ens-mp.com.4.aws.sg.11"
CHECK_SERVICENAME_extra754="ec2"
CHECK_RISK_extra754='If Security groups are not properly configured the attack surface is increased. '
CHECK_REMEDIATION_extra754='Use a Zero Trust approach. Narrow ingress traffic as much as possible. Consider north-south as well as east-west traffic.'
CHECK_DOC_extra754='https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html'
CHECK_CAF_EPIC_extra754='Infrastructure Security'
extra754(){
for regx in $REGIONS; do

4
checks/check_extra755
View File

@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra755="AwsEc2SecurityGroup"
CHECK_ALTERNATE_check755="extra755"
CHECK_ASFF_COMPLIANCE_TYPE_extra755="ens-mp.com.4.aws.sg.12"
CHECK_SERVICENAME_extra755="ec2"
CHECK_RISK_extra755='If Security groups are not properly configured the attack surface is increased. '
CHECK_REMEDIATION_extra755='Use a Zero Trust approach. Narrow ingress traffic as much as possible. Consider north-south as well as east-west traffic.'
CHECK_DOC_extra755='https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html'
CHECK_CAF_EPIC_extra755='Infrastructure Security'
extra755(){
for regx in $REGIONS; do

4
checks/check_extra756
View File

@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra756="High"
CHECK_ASFF_RESOURCE_TYPE_extra756="AwsRedshiftCluster"
CHECK_ALTERNATE_check756="extra756"
CHECK_SERVICENAME_extra756="redshift"
CHECK_RISK_extra756='Publicly accessible services could expose sensible data to bad actors.'
CHECK_REMEDIATION_extra756='Ensure there is a business requirement for service to be public. Use the cluster security group to control access to the service.'
CHECK_DOC_extra756='https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-security-groups.html'
CHECK_CAF_EPIC_extra756='Infrastructure Security'
extra756(){
for regx in $REGIONS; do

4
checks/check_extra757
View File

@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra757="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra757="AwsEc2Instance"
CHECK_ALTERNATE_check757="extra757"
CHECK_SERVICENAME_extra757="ec2"
CHECK_RISK_extra757='Having old instances within your AWS account could increase the risk of having vulnerable software.'
CHECK_REMEDIATION_extra757='Check if software running in the instance is up to date and patched accordingly. Use AWS Systems Manager to patch instances and view patching compliance information.'
CHECK_DOC_extra757='https://docs.aws.amazon.com/systems-manager/latest/userguide/viewing-patch-compliance-results.html'
CHECK_CAF_EPIC_extra757='Infrastructure Security'
extra757(){
OLDAGE="$(get_date_previous_than_months 6)"

4
checks/check_extra758
View File

@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra758="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra758="AwsEc2Instance"
CHECK_ALTERNATE_check758="extra758"
CHECK_SERVICENAME_extra758="ec2"
CHECK_RISK_extra758='Having old instances within your AWS account could increase the risk of having vulnerable software.'
CHECK_REMEDIATION_extra758='Check if software running in the instance is up to date and patched accordingly. Use AWS Systems Manager to patch instances and view patching compliance information.'
CHECK_DOC_extra758='https://docs.aws.amazon.com/systems-manager/latest/userguide/viewing-patch-compliance-results.html'
CHECK_CAF_EPIC_extra758='Infrastructure Security'
extra758(){
OLDAGE="$(get_date_previous_than_months 12)"

4
checks/check_extra759
View File

@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra759="Critical"
CHECK_ASFF_RESOURCE_TYPE_extra759="AwsLambdaFunction"
CHECK_ALTERNATE_check759="extra759"
CHECK_SERVICENAME_extra759="lambda"
CHECK_RISK_extra759='The use of a hard-coded password increases the possibility of password guessing. If hard-coded passwords are used; it is possible that malicious users gain access through the account in question.'
CHECK_REMEDIATION_extra759='Use Secrets Manager to securely provide database credentials to Lambda functions and secure the databases as well as use the credentials to connect and query them without hardcoding the secrets in code or passing them through environmental variables. '
CHECK_DOC_extra759='https://docs.aws.amazon.com/secretsmanager/latest/userguide/lambda-functions.html'
CHECK_CAF_EPIC_extra759='IAM'
extra759(){
SECRETS_TEMP_FOLDER="$PROWLER_DIR/secrets-$ACCOUNT_NUM"

4
checks/check_extra760
View File

@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra760="Critical"
CHECK_ASFF_RESOURCE_TYPE_extra760="AwsLambdaFunction"
CHECK_ALTERNATE_check760="extra760"
CHECK_SERVICENAME_extra760="lambda"
CHECK_RISK_extra760='The use of a hard-coded password increases the possibility of password guessing. If hard-coded passwords are used; it is possible that malicious users gain access through the account in question.'
CHECK_REMEDIATION_extra760='Use Secrets Manager to securely provide database credentials to Lambda functions and secure the databases as well as use the credentials to connect and query them without hardcoding the secrets in code or passing them through environmental variables. '
CHECK_DOC_extra760='https://docs.aws.amazon.com/secretsmanager/latest/userguide/lambda-functions.html'
CHECK_CAF_EPIC_extra760='IAM'
extra760(){
SECRETS_TEMP_FOLDER="$PROWLER_DIR/secrets-$ACCOUNT_NUM"

4
checks/check_extra761
View File

@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra761="Medium"
CHECK_ALTERNATE_check761="extra761"
CHECK_ASFF_COMPLIANCE_TYPE_extra761="ens-mp.info.3.aws.ebs.2"
CHECK_SERVICENAME_extra761="ec2"
CHECK_RISK_extra761='If not enabled sensible information at rest is not protected.'
CHECK_REMEDIATION_extra761='Enable Encryption. Use a CMK where possible. It will provide additional management and privacy benefits.'
CHECK_DOC_extra761='https://aws.amazon.com/premiumsupport/knowledge-center/ebs-automatic-encryption/'
CHECK_CAF_EPIC_extra761='Data Protection'
extra761(){
textInfo "Looking for EBS Default Encryption activation in all regions... "

4
checks/check_extra762
View File

@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra762="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra762="AwsLambdaFunction"
CHECK_ALTERNATE_check762="extra762"
CHECK_SERVICENAME_extra762="lambda"
CHECK_RISK_extra762=' If you have functions running on a runtime that will be deprecated in the next 60 days; Lambda notifies you by email that you should prepare by migrating your function to a supported runtime. In some cases; such as security issues that require a backwards-incompatible update; or software that does not support a long-term support (LTS) schedule; advance notice might not be possible. After a runtime is deprecated; Lambda might retire it completely at any time by disabling invocation. Deprecated runtimes are not eligible for security updates or technical support.'
CHECK_REMEDIATION_extra762='Test new runtimes as they are made available. Implement them in production as soon as possible.'
CHECK_DOC_extra762='https://docs.aws.amazon.com/lambda/latest/dg/runtime-support-policy.html'
CHECK_CAF_EPIC_extra762='Infrastructure Security'
extra762(){

4
checks/check_extra763
View File

@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra763="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra763="AwsS3Bucket"
CHECK_ALTERNATE_check763="extra763"
CHECK_SERVICENAME_extra763="s3"
CHECK_RISK_extra763=' With versioning; you can easily recover from both unintended user actions and application failures.'
CHECK_REMEDIATION_extra763='Configure versioning using the Amazon console or API for buckets with sensible information that is changing frecuently; and backup may not be enough to capture all the changes.'
CHECK_DOC_extra763='https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/Versioning.html'
CHECK_CAF_EPIC_extra763='Data Protection'
extra763(){
# "Check if S3 buckets have object versioning enabled (Not Scored) (Not part of CIS benchmark)"

5
checks/check_extra764
View File

@@ -19,6 +19,11 @@ CHECK_ASFF_RESOURCE_TYPE_extra764="AwsS3Bucket"
CHECK_ALTERNATE_check764="extra764"
CHECK_ASFF_COMPLIANCE_TYPE_extra764="ens-mp.com.2.aws.s3.1"
CHECK_SERVICENAME_extra764="s3"
CHECK_RISK_extra764='If HTTPS is not enforced on the bucket policy; communication between clients and S3 buckets can use unencrypted HTTP. As a result; sensitive information could be transmitted in clear text over the network or internet.'
CHECK_REMEDIATION_extra764='Ensure that S3 buckets has encryption in transit enabled.'
CHECK_DOC_extra764='https://docs.aws.amazon.com/AmazonS3/latest/dev/security-best-practices.html'
CHECK_CAF_EPIC_extra764='Data Protection'
extra764(){
LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --query Buckets[*].Name --output text --region $REGION|xargs -n1)

4
checks/check_extra765
View File

@@ -27,6 +27,10 @@ CHECK_TYPE_extra765="EXTRA"
CHECK_SEVERITY_extra765="Medium"
CHECK_ALTERNATE_check765="extra765"
CHECK_SERVICENAME_extra765="ecr"
CHECK_RISK_extra765='Amazon ECR image scanning helps in identifying software vulnerabilities in your container images. Amazon ECR uses the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project and provides a list of scan findings. '
CHECK_REMEDIATION_extra765='Enable ECR image scanning and review the scan findings for information about the security of the container images that are being deployed.'
CHECK_DOC_extra765='https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html'
CHECK_CAF_EPIC_extra765='Infrastructure Security'
extra765(){
for region in $REGIONS; do

4
checks/check_extra767
View File

@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra767="Low"
CHECK_ASFF_RESOURCE_TYPE_extra767="AwsCloudFrontDistribution"
CHECK_ALTERNATE_check767="extra767"
CHECK_SERVICENAME_extra767="cloudfront"
CHECK_RISK_extra767='Allows you protect specific data throughout system processing so that only certain applications can see it.'
CHECK_REMEDIATION_extra767='Check if applicable to any sensible data. This encryption ensures that only applications that need the data—and have the credentials to decrypt it - are able to do so.'
CHECK_DOC_extra767='https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html'
CHECK_CAF_EPIC_extra767='Data Protection'
extra767(){
LIST_OF_DISTRIBUTIONS=$($AWSCLI cloudfront list-distributions --query 'DistributionList.Items[*].Id' $PROFILE_OPT --output text|grep -v ^None)

4
checks/check_extra768
View File

@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra768="Critical"
CHECK_ASFF_RESOURCE_TYPE_extra768="AwsEcsTaskDefinition"
CHECK_ALTERNATE_check768="extra768"
CHECK_SERVICENAME_extra768="ecs"
CHECK_RISK_extra768='The use of a hard-coded password increases the possibility of password guessing. If hard-coded passwords are used; it is possible that malicious users gain access through the account in question.'
CHECK_REMEDIATION_extra768='Use Secrets Manager to securely provide database credentials to Lambda functions and secure the databases as well as use the credentials to connect and query them without hardcoding the secrets in code or passing them through environmental variables. '
CHECK_DOC_extra768='https://docs.aws.amazon.com/secretsmanager/latest/userguide/lambda-functions.html'
CHECK_CAF_EPIC_extra768='Logging and Monitoring'
extra768(){
SECRETS_TEMP_FOLDER="$PROWLER_DIR/secrets-$ACCOUNT_NUM"

4
checks/check_extra769
View File

@@ -18,6 +18,10 @@ CHECK_TYPE_extra769="EXTRA"
CHECK_SEVERITY_extra769="High"
CHECK_ALTERNATE_check769="extra769"
CHECK_SERVICENAME_extra769="accessanalyzer"
CHECK_RISK_extra769='AWS IAM Access Analyzer helps you identify the resources in your organization and accounts; such as Amazon S3 buckets or IAM roles; that are shared with an external entity. This lets you identify unintended access to your resources and data; which is a security risk. IAM Access Analyzer uses a form of mathematical analysis called automated reasoning; which applies logic and mathematical inference to determine all possible access paths allowed by a resource policy.'
CHECK_REMEDIATION_extra769='Enable IAM Access Analyzer for all accounts; create analyzer and take action over it is recommendations (IAM Access Analyzer is available at no additional cost).'
CHECK_DOC_extra769='https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html'
CHECK_CAF_EPIC_extra769='IAM'
extra769(){
for regx in $REGIONS; do

4
checks/check_extra770
View File

@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra770="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra770="AwsEc2Instance"
CHECK_ALTERNATE_check770="extra770"
CHECK_SERVICENAME_extra770="ec2"
CHECK_RISK_extra770='Exposing an EC2 directly to internet increases the attack surface and therefore the risk of compromise.'
CHECK_REMEDIATION_extra770='Use an ALB and apply WAF ACL.'
CHECK_DOC_extra770='https://aws.amazon.com/blogs/aws/aws-web-application-firewall-waf-for-application-load-balancers/'
CHECK_CAF_EPIC_extra770='Infrastructure Security'
extra770(){
# "Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)"

4
checks/check_extra771
View File

@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra771="Critical"
CHECK_ASFF_RESOURCE_TYPE_extra771="AwsS3Bucket"
CHECK_ALTERNATE_check771="extra771"
CHECK_SERVICENAME_extra771="s3"
CHECK_RISK_extra771='Non intended users can put objects in a given bucket.'
CHECK_REMEDIATION_extra771='Ensure proper bucket policy is in place with the least privilege principle applied.'
CHECK_DOC_extra771='https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_s3_rw-bucket.html'
CHECK_CAF_EPIC_extra771='IAM'
extra771(){
LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --region $REGION --query Buckets[*].Name --output text|xargs -n1)

4
checks/check_extra772
View File

@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra772="Low"
CHECK_ASFF_RESOURCE_TYPE_extra772="AwsEc2Eip"
CHECK_ALTERNATE_check772="extra772"
CHECK_SERVICENAME_extra772="ec2"
CHECK_RISK_extra772='You are charged by the hour for each Elastic IP address that are not attached to an EC2 instance .'
CHECK_REMEDIATION_extra772='If you dont need an Elastic IP address; you can stop the charges by releasing the IP address.'
CHECK_DOC_extra772='https://aws.amazon.com/premiumsupport/knowledge-center/elastic-ip-charges/'
CHECK_CAF_EPIC_extra772='Infrastructure Security'
extra772(){
for region in $REGIONS; do

4
checks/check_extra773
View File

@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra773="AwsCloudFrontDistribution"
CHECK_ALTERNATE_check773="extra773"
CHECK_ASFF_COMPLIANCE_TYPE_extra773="ens-mp.s.2.aws.waf.1"
CHECK_SERVICENAME_extra773="cloudfront"
CHECK_RISK_extra773='Potential attacks and / or abuse of service; more even for even for internet reachable services.'
CHECK_REMEDIATION_extra773='Use AWS WAF to protect your service from common web exploits. These could affect availability and performance; compromise security; or consume excessive resources.'
CHECK_DOC_extra773='https://docs.aws.amazon.com/waf/latest/developerguide/cloudfront-features.html'
CHECK_CAF_EPIC_extra773='Infrastructure Security'
extra773(){
# "Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)"

4
checks/check_extra774
View File

@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra774="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra774="AwsIamUser"
CHECK_ALTERNATE_check774="extra774"
CHECK_SERVICENAME_extra774="iam"
CHECK_RISK_extra774='To increase the security of your AWS account; remove IAM user credentials (that is; passwords and access keys) that are not needed. For example; when users leave your organization or no longer need AWS access.'
CHECK_REMEDIATION_extra774='Find the credentials that they were using and ensure that they are no longer operational. Ideally; you delete credentials if they are no longer needed. You can always recreate them at a later date if the need arises. At the very least; you should change the password or deactivate the access keys so that the former users no longer have access.'
CHECK_DOC_extra774='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html'
CHECK_CAF_EPIC_extra774='IAM'
extra774(){
check_creds_used_in_last_days 30

4
checks/check_extra775
View File

@@ -17,6 +17,10 @@ CHECK_TYPE_extra775="EXTRA"
CHECK_SEVERITY_extra775="Critical"
CHECK_ALTERNATE_check775="extra775"
CHECK_SERVICENAME_extra775="autoscaling"
CHECK_RISK_extra775='The use of a hard-coded password increases the possibility of password guessing. If hard-coded passwords are used; it is possible that malicious users gain access through the account in question.'
CHECK_REMEDIATION_extra775='Use Secrets Manager to securely provide database credentials to Lambda functions and secure the databases as well as use the credentials to connect and query them without hardcoding the secrets in code or passing them through environmental variables. '
CHECK_DOC_extra775='https://docs.aws.amazon.com/secretsmanager/latest/userguide/lambda-functions.html'
CHECK_CAF_EPIC_extra775='IAM'
extra775(){
SECRETS_TEMP_FOLDER="$PROWLER_DIR/secrets-$ACCOUNT_NUM"

4
checks/check_extra776
View File

@@ -32,6 +32,10 @@ CHECK_TYPE_extra776="EXTRA"
CHECK_SEVERITY_extra776="Medium"
CHECK_ALTERNATE_check776="extra776"
CHECK_SERVICENAME_extra776="ecr"
CHECK_RISK_extra776='Amazon ECR image scanning helps in identifying software vulnerabilities in your container images. Amazon ECR uses the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project and provides a list of scan findings. '
CHECK_REMEDIATION_extra776='Open the Amazon ECR console. look for vulnerabilities and fix them.'
CHECK_DOC_extra776='https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html#describe-scan-findings'
CHECK_CAF_EPIC_extra776='Logging and Monitoring'
extra776(){
for region in $REGIONS; do

4
checks/check_extra777
View File

@@ -22,6 +22,10 @@ CHECK_SEVERITY_extra777="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra777="AwsEc2SecurityGroup"
CHECK_ALTERNATE_check777="extra777"
CHECK_SERVICENAME_extra777="ec2"
CHECK_RISK_extra777='If Security groups are not properly configured the attack surface is increased. '
CHECK_REMEDIATION_extra777='Use a Zero Trust approach. Narrow ingress traffic as much as possible. Consider north-south as well as east-west traffic.'
CHECK_DOC_extra777='https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html'
CHECK_CAF_EPIC_extra777='Infrastructure Security'
extra777(){
THRESHOLD=50

4
checks/check_extra778
View File

@@ -19,6 +19,10 @@ CHECK_SEVERITY_extra778="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra778="AwsEc2SecurityGroup"
CHECK_ALTERNATE_check778="extra778"
CHECK_SERVICENAME_extra778="ec2"
CHECK_RISK_extra778='If Security groups are not properly configured the attack surface is increased. '
CHECK_REMEDIATION_extra778='Use a Zero Trust approach. Narrow ingress traffic as much as possible. Consider north-south as well as east-west traffic.'
CHECK_DOC_extra778='https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html'
CHECK_CAF_EPIC_extra778='Infrastructure Security'
extra778(){
CIDR_THRESHOLD=24

4
checks/check_extra779
View File

@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra779="High"
CHECK_ASFF_RESOURCE_TYPE_extra779="AwsEc2SecurityGroup"
CHECK_ALTERNATE_check779="extra779"
CHECK_SERVICENAME_extra779="ec2"
CHECK_RISK_extra779='If Security groups are not properly configured the attack surface is increased. '
CHECK_REMEDIATION_extra779='Use a Zero Trust approach. Narrow ingress traffic as much as possible. Consider north-south as well as east-west traffic.'
CHECK_DOC_extra779='https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html'
CHECK_CAF_EPIC_extra779='Infrastructure Security'
extra779(){
ES_API_PORT="9200"

4
checks/check_extra780
View File

@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra780="High"
CHECK_ASFF_RESOURCE_TYPE_extra780="AwsElasticsearchDomain"
CHECK_ALTERNATE_check780="extra780"
CHECK_SERVICENAME_extra780="es"
CHECK_RISK_extra780='Amazon Elasticsearch Service supports Amazon Cognito for Kibana authentication. '
CHECK_REMEDIATION_extra780='If you do not configure Amazon Cognito authentication; you can still protect Kibana using an IP-based access policy and a proxy server; HTTP basic authentication; or SAML.'
CHECK_DOC_extra780='https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-ac.html'
CHECK_CAF_EPIC_extra780='IAM'
extra780(){
for regx in $REGIONS; do

4
checks/check_extra781
View File

@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra781="AwsElasticsearchDomain"
CHECK_ALTERNATE_check781="extra781"
CHECK_ASFF_COMPLIANCE_TYPE_extra781="ens-mp.info.3.aws.au.1"
CHECK_SERVICENAME_extra781="es"
CHECK_RISK_extra781='If not enable unauthorized access to your data could risk increases.'
CHECK_REMEDIATION_extra781='Enable encryption at rest using AWS KMS to store and manage your encryption keys and the Advanced Encryption Standard algorithm with 256-bit keys (AES-256) to perform the encryption.'
CHECK_DOC_extra781='https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/encryption-at-rest.html'
CHECK_CAF_EPIC_extra781='Data Protection'
extra781(){
for regx in $REGIONS; do

4
checks/check_extra782
View File

@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra782="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra782="AwsElasticsearchDomain"
CHECK_ALTERNATE_check782="extra782"
CHECK_SERVICENAME_extra782="es"
CHECK_RISK_extra782='Node-to-node encryption provides an additional layer of security on top of the default features of Amazon ES. This architecture prevents potential attackers from intercepting traffic between Elasticsearch nodes and keeps the cluster secure.'
CHECK_REMEDIATION_extra782='Node-to-node encryption on new domains requires Elasticsearch 6.0 or later. Enabling the feature on existing domains requires Elasticsearch 6.7 or later. Choose the existing domain in the AWS console; Actions; and Modify encryption.'
CHECK_DOC_extra782='https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/ntn.html'
CHECK_CAF_EPIC_extra782='Data Protection'
extra782(){
for regx in $REGIONS; do

4
checks/check_extra783
View File

@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra783="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra783="AwsElasticsearchDomain"
CHECK_ALTERNATE_check783="extra783"
CHECK_SERVICENAME_extra783="es"
CHECK_RISK_extra783='If not enable unauthorized access to your data could risk increases.'
CHECK_REMEDIATION_extra783='When creating ES Domains; enable "Require HTTPS fo all traffic to the domain".'
CHECK_DOC_extra783='https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createupdatedomains.html'
CHECK_CAF_EPIC_extra783='Data Protection'
extra783(){
for regx in $REGIONS; do

4
checks/check_extra784
View File

@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra784="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra784="AwsElasticsearchDomain"
CHECK_ALTERNATE_check784="extra784"
CHECK_SERVICENAME_extra784="es"
CHECK_RISK_extra784='Internal User Database is convenient for demos; for production environment use Federated authentication.'
CHECK_REMEDIATION_extra784='Remove users from internal user database and uso Cognito instead.'
CHECK_DOC_extra784='https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/fgac.html'
CHECK_CAF_EPIC_extra784='IAM'
extra784(){
for regx in $REGIONS; do

4
checks/check_extra785
View File

@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra785="Low"
CHECK_ASFF_RESOURCE_TYPE_extra785="AwsElasticsearchDomain"
CHECK_ALTERNATE_check785="extra785"
CHECK_SERVICENAME_extra785="es"
CHECK_RISK_extra785='Amazon ES regularly releases system software updates that add features or otherwise improve your domains.'
CHECK_REMEDIATION_extra785='The Notifications panel in the console is the easiest way to see if an update is available or check the status of an update. You can also receive these notifications through Amazon EventBridge. If you take no action on required updates; Amazon ES still updates your domain service software automatically after a certain timeframe (typically two weeks). In this situation; Amazon ES sends notifications when it starts the update and when the update is complete.'
CHECK_DOC_extra785='https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-service-software.html'
CHECK_CAF_EPIC_extra785='Infrastructure Security'
# NOTE!
# API does not properly shows if an update is available while it is a new version available

4
checks/check_extra786
View File

@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra786="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra786="AwsEc2Instance"
CHECK_ALTERNATE_check786="extra786"
CHECK_SERVICENAME_extra786="ec2"
CHECK_RISK_extra786='Using IMDSv2 will protect from misconfiguration and SSRF vulnerabilities. IMDSv1 will not.'
CHECK_REMEDIATION_extra786='If you dont need IMDS you can turn it off. Using aws-cli you can force the instance to use only IMDSv2.'
CHECK_DOC_extra786='https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html#configuring-instance-metadata-options'
CHECK_CAF_EPIC_extra786='Infrastructure Security'
extra786(){
for regx in $REGIONS; do

4
checks/check_extra787
View File

@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra787="Critical"
CHECK_ASFF_RESOURCE_TYPE_extra787="AwsEc2Instance"
CHECK_ALTERNATE_check787="extra787"
CHECK_SERVICENAME_extra787="es"
CHECK_RISK_extra787='Internet exposed services increases the risk of unauthorised.'
CHECK_REMEDIATION_extra787='Placing an Amazon ES domain within a VPC enables secure communication between Amazon ES and other services within the VPC without the need for an internet gateway; NAT device; or VPN connection. All traffic remains securely within the AWS Cloud.'
CHECK_DOC_extra787='https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-vpc.html'
CHECK_CAF_EPIC_extra787='Infrastructure Security'
extra787(){
# Prowler will try to access each ElasticSearch server to port:

4
checks/check_extra788
View File

@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra788="Critical"
CHECK_ASFF_RESOURCE_TYPE_extra788="AwsElasticsearchDomain"
CHECK_ALTERNATE_check788="extra788"
CHECK_SERVICENAME_extra788="es"
CHECK_RISK_extra788='Internet exposed services increases the risk of unauthorised.'
CHECK_REMEDIATION_extra788='Placing an Amazon ES domain within a VPC enables secure communication between Amazon ES and other services within the VPC without the need for an internet gateway; NAT device; or VPN connection. All traffic remains securely within the AWS Cloud.'
CHECK_DOC_extra788='https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-vpc.html'
CHECK_CAF_EPIC_extra788='Infrastructure Security'
extra788(){
# Prowler will try to access each ElasticSearch server to the public URI endpoint.

4
checks/check_extra789
View File

@@ -19,6 +19,10 @@ CHECK_SEVERITY_extra789="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra789="AwsEc2Vpc"
CHECK_ALTERNATE_extra789="extra789"
CHECK_SERVICENAME_extra789="vpc"
CHECK_RISK_extra789='Account VPC could be linked to other accounts.'
CHECK_REMEDIATION_extra789='In multi Account environments identify untrusted links. Check trust chaining and dependencies between accounts.'
CHECK_DOC_extra789='https://github.com/toniblyx/prowler/#trust-boundaries-checks'
CHECK_CAF_EPIC_extra789='Infrastructure Security'
extra789(){
TRUSTED_ACCOUNT_IDS=$( echo "${ACCOUNT_NUM} ${GROUP_TRUSTBOUNDARIES_TRUSTED_ACCOUNT_IDS}" | xargs )

4
checks/check_extra790
View File

@@ -19,6 +19,10 @@ CHECK_SEVERITY_extra790="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra790="AwsEc2Vpc"
CHECK_ALTERNATE_extra790="extra790"
CHECK_SERVICENAME_extra790="vpc"
CHECK_RISK_extra790='Account VPC could be linked to other accounts.'
CHECK_REMEDIATION_extra790='In multi Account environments identify untrusted links. Check trust chaining and dependencies between accounts.'
CHECK_DOC_extra790='https://github.com/toniblyx/prowler/#trust-boundaries-checks'
CHECK_CAF_EPIC_extra790='Infrastructure Security'
extra790(){
TRUSTED_ACCOUNT_IDS=$( echo "${ACCOUNT_NUM} ${GROUP_TRUSTBOUNDARIES_TRUSTED_ACCOUNT_IDS}" | xargs )

4
checks/check_extra791
View File

@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra791="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra791="AwsCloudFrontDistribution"
CHECK_ALTERNATE_check791="extra791"
CHECK_SERVICENAME_extra791="cloudfront"
CHECK_RISK_extra791='Using insecure ciphers could affect privacy of in transit information.'
CHECK_REMEDIATION_extra791='Use a Security policy with a ciphers that are stronger as possible. Drop legacy and unsecure ciphers.'
CHECK_DOC_extra791='https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html'
CHECK_CAF_EPIC_extra791='Data Protection'
extra791(){
LIST_OF_DISTRIBUTIONS=$($AWSCLI cloudfront list-distributions --query 'DistributionList.Items[*].Id' $PROFILE_OPT --output text|grep -v ^None)

4
checks/check_extra792
View File

@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra792="AwsElbLoadBalancer"
CHECK_ALTERNATE_check792="extra792"
CHECK_ASFF_COMPLIANCE_TYPE_extra792="ens-mp.com.2.aws.elb.2"
CHECK_SERVICENAME_extra792="elb"
CHECK_RISK_extra792='Using insecure ciphers could affect privacy of in transit information.'
CHECK_REMEDIATION_extra792='Use a Security policy with a ciphers that are stronger as possible. Drop legacy and unsecure ciphers.'
CHECK_DOC_extra792='https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-ssl-security-policy.html'
CHECK_CAF_EPIC_extra792='Data Protection'
extra792(){
# "Check if Elastic Load Balancers have insecure SSL ciphers (Not Scored) (Not part of CIS benchmark)"

4
checks/check_extra793
View File

@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra793="AwsElbLoadBalancer"
CHECK_ALTERNATE_check793="extra793"
CHECK_ASFF_COMPLIANCE_TYPE_extra793="ens-mp.com.2.aws.elb.1"
CHECK_SERVICENAME_extra793="elb"
CHECK_RISK_extra793='Clear text communication could affect privacy of information in transit.'
CHECK_REMEDIATION_extra793='Scan for Load Balancers with HTTP or TCP listeners and understand the reason for each of them. Check if the listener can be implemented as TLS instead.'
CHECK_DOC_extra793='https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html'
CHECK_CAF_EPIC_extra793='Data Protection'
extra793(){
# "Check if Elastic Load Balancers have encrypted listeners (Not Scored) (Not part of CIS benchmark)"

4
checks/check_extra794
View File

@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra794="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra794="AwsEksCluster"
CHECK_ALTERNATE_check794="extra794"
CHECK_SERVICENAME_extra794="eks"
CHECK_RISK_extra794='If logs are not enabled; monitoring of service use and threat analysis is not possible.'
CHECK_REMEDIATION_extra794='Make sure you logging for EKS control plane is enabled.'
CHECK_DOC_extra794='https://docs.aws.amazon.com/eks/latest/userguide/logging-monitoring.html'
CHECK_CAF_EPIC_extra794='Logging and Monitoring'
extra794(){
textInfo "Looking for control plane logging enabled for EKS clusters across all regions... "

4
checks/check_extra795
View File

@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra795="High"
CHECK_ASFF_RESOURCE_TYPE_extra795="AwsEksCluster"
CHECK_ALTERNATE_check795="extra795"
CHECK_SERVICENAME_extra795="eks"
CHECK_RISK_extra795='Publicly accessible services could expose sensible data to bad actors.'
CHECK_REMEDIATION_extra795='Enable private access to the Kubernetes API server so that all communication between your nodes and the API server stays within your VPC. Disable internet access to the API server.'
CHECK_DOC_extra795='https://docs.aws.amazon.com/eks/latest/userguide/infrastructure-security.html'
CHECK_CAF_EPIC_extra795='Infrastructure Security'
extra795(){
textInfo "Looking for public access enabled for EKS clusters across all regions... "

4
checks/check_extra796
View File

@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra796="High"
CHECK_ASFF_RESOURCE_TYPE_extra796="AwsEksCluster"
CHECK_ALTERNATE_check796="extra796"
CHECK_SERVICENAME_extra796="eks"
CHECK_RISK_extra796='By default; this API server endpoint is public to the internet; and access to the API server is secured using a combination of AWS Identity and Access Management (IAM) and native Kubernetes Role Based Access Control (RBAC).'
CHECK_REMEDIATION_extra796='You should enable private access to the Kubernetes API server so that all communication between your nodes and the API server stays within your VPC. You can limit the IP addresses that can access your API server from the internet; or completely disable internet access to the API server.'
CHECK_DOC_extra796='https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html'
CHECK_CAF_EPIC_extra796='Infrastructure Security'
extra796(){
textInfo "Looking for public access CIDRs for EKS clusters across all regions... "

4
checks/check_extra797
View File

@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra797="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra797="AwsEksCluster"
CHECK_ALTERNATE_check797="extra797"
CHECK_SERVICENAME_extra797="eks"
CHECK_RISK_extra797='Implementing envelope encryption is considered a security best practice for applications that store sensitive data and is part of a defense in depth security strategy.'
CHECK_REMEDIATION_extra797=' Setup your own Customer Master Key (CMK) in KMS and link this key by providing the CMK ARN when you create an EKS cluster.'
CHECK_DOC_extra797='https://docs.aws.amazon.com/eks/latest/userguide/create-cluster.html'
CHECK_CAF_EPIC_extra797='Data Protection'
extra797(){
textInfo "Looking for encryption config for EKS clusters across all regions... "

4
checks/check_extra798
View File

@@ -19,6 +19,10 @@ CHECK_SEVERITY_extra798="Critical"
CHECK_ASFF_RESOURCE_TYPE_extra798="AwsLambdaFunction"
CHECK_ALTERNATE_check798="extra798"
CHECK_SERVICENAME_extra798="lambda"
CHECK_RISK_extra798='Publicly accessible services could expose sensible data to bad actors.'
CHECK_REMEDIATION_extra798='Grant usage permission on a per-resource basis and applying least privilege principle.'
CHECK_DOC_extra798='https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html'
CHECK_CAF_EPIC_extra798='Infrastructure Security'
extra798(){
for regx in $REGIONS; do

4
checks/check_extra799
View File

@@ -19,6 +19,10 @@ CHECK_SEVERITY_extra799="High"
CHECK_ASFF_RESOURCE_TYPE_extra799="AwsSecurityHubHub"
CHECK_ALTERNATE_check799="extra799"
CHECK_SERVICENAME_extra799="securityhub"
CHECK_RISK_extra799='AWS Security Hub gives you a comprehensive view of your security alerts and security posture across your AWS accounts.'
CHECK_REMEDIATION_extra799='Security Hub is Regional. When you enable or disable a security standard; it is enabled or disabled only in the current Region or in the Region that you specify.'
CHECK_DOC_extra799='https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable.html'
CHECK_CAF_EPIC_extra799='Logging and Monitoring'
extra799(){
for regx in $REGIONS; do