diff --git a/checks/check_extra7100 b/checks/check_extra7100
index 683cbc60..8fe3e53b 100644
--- a/checks/check_extra7100
+++ b/checks/check_extra7100
@@ -23,6 +23,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7100="AwsIamPolicy"
 CHECK_ALTERNATE_check7100="extra7100"
 CHECK_ASFF_COMPLIANCE_TYPE_extra7100="ens-op.acc.2.aws.iam.1"
 CHECK_SERVICENAME_extra7100="iam"
+CHECK_RISK_extra7100='If not restricted unintended access could happen.'
+CHECK_REMEDIATION_extra7100='Use the least privilege principle when granting permissions.'
+CHECK_DOC_extra7100='https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html'
+CHECK_CAF_EPIC_extra7100='IAM'
 extra7100(){
 # "Ensure that no custom policies exist which permit assuming any role (e.g. sts:AssumeRole on *)"
diff --git a/checks/check_extra7101 b/checks/check_extra7101
index 8646d914..aa6b43e4 100644
--- a/checks/check_extra7101
+++ b/checks/check_extra7101
@@ -10,6 +10,7 @@
 # under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
+
 CHECK_ID_extra7101="7.101"
 CHECK_TITLE_extra7101="[extra7101] Check if Amazon Elasticsearch Service (ES) domains have audit logging enabled"
 CHECK_SCORED_extra7101="NOT_SCORED"
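Review bot: The new `CHECK_RISK_extra7100` line understates the finding that the hunk's own comment describes: a custom policy allowing `sts:AssumeRole` on `*` lets the principal assume any role whose trust policy accepts it, which is a direct privilege-escalation path rather than generic "unintended access". I would write `CHECK_RISK_extra7100='A policy granting sts:AssumeRole on * lets the principal assume any role whose trust policy accepts it; this is a direct privilege-escalation path to the most privileged role reachable.'` and make the remediation concrete: `CHECK_REMEDIATION_extra7100='Scope sts:AssumeRole to the specific role ARNs the principal needs instead of *.'`. Commas are avoided in those strings on purpose, since the 7133 hunk later in this diff rewrites commas as semicolons, presumably because these fields end up in CSV output. The extra7100 function body continues outside the hunk.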
@@ -18,14 +19,10 @@ CHECK_SEVERITY_extra7101="Low"
 CHECK_ASFF_RESOURCE_TYPE_extra7101="AwsElasticsearchDomain"
 CHECK_ALTERNATE_check7101="extra7101"
 CHECK_SERVICENAME_extra7101="es"
-
-# More info
-# Works for Amazon Elasticsearch Service domains (version 6.7+) with Fine Grained Access Control enabled
-# https://aws.amazon.com/about-aws/whats-new/2020/09/audit-logs-launch/
-# https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/audit-logs.html
-
-# Remediation
-# aws es update-elasticsearch-domain-config --domain-name test1 --log-publishing-options "AUDIT_LOGS={CloudWatchLogsLogGroupArn=arn:aws:logs:us-east-1:123456789012:log-group:my-log-group,Enabled=true}" --region eu-west-1
+CHECK_RISK_extra7101='If logs are not enabled; monitoring of service use and threat analysis is not possible.'
+CHECK_REMEDIATION_extra7101='Make sure you are logging information about Amazon Elasticsearch Service operations.'
+CHECK_DOC_extra7101='https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/audit-logs.html'
+CHECK_CAF_EPIC_extra7101='Logging and Monitoring'
 extra7101(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra7102 b/checks/check_extra7102
index 3be4629e..84edff2f 100644
--- a/checks/check_extra7102
+++ b/checks/check_extra7102
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra7102="High"
 CHECK_ASFF_RESOURCE_TYPE_extra7102="AwsEc2Eip"
 CHECK_ALTERNATE_check7102="extra7102"
 CHECK_SERVICENAME_extra7102="ec2"
+CHECK_RISK_extra7102='Sites like Shodan index exposed systems and further expose them to wider audiences as a quick way to find exploitable systems.'
+CHECK_REMEDIATION_extra7102='Check Identified IPs; consider changing them to private ones and delete them from Shodan.'
+CHECK_DOC_extra7102='https://www.shodan.io/'
+CHECK_CAF_EPIC_extra7102='Infrastructure Security'
 # Watch out, always use Shodan API key, if you use `curl https://www.shodan.io/host/{ip}` massively
 # your IP will be banned by Shodan
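Review bot: The removed comment block carried two things the new `CHECK_REMEDIATION_extra7101` drops: the prerequisite that audit logs only work on Elasticsearch 6.7+ domains with fine-grained access control enabled, and the exact `update-elasticsearch-domain-config --log-publishing-options AUDIT_LOGS=...` command. Without the prerequisite a reader will be sent to enable a feature the flagged domain may not support, and the vague "make sure you are logging information" is not an action. I would keep both in the string: `CHECK_REMEDIATION_extra7101='Enable the AUDIT_LOGS log publishing option to a CloudWatch Logs group (update-elasticsearch-domain-config --log-publishing-options); requires Elasticsearch 6.7+ with fine-grained access control enabled.'`. The extra7101 function body continues outside the hunk.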
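Review bot: The new `CHECK_REMEDIATION_extra7102` tells the user to "delete them from Shodan" and to change Elastic IPs "to private ones", neither of which is something the account owner can do: Shodan publishes its own scan results, and an Elastic IP is public by definition. The actionable fix is to reduce what is reachable on the address, so I would write `CHECK_REMEDIATION_extra7102='Review the services exposed on each identified Elastic IP; remove unneeded public exposure (security groups; private subnets behind a load balancer) and patch and harden what must stay reachable.'`. `CHECK_DOC_extra7102` pointing at the Shodan home page gives no remediation guidance either; a page on security-group or public-exposure hygiene would serve better, though I cannot tell from here which one the project prefers. The function body is outside this hunk.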
@@ -25,7 +29,6 @@ CHECK_SERVICENAME_extra7102="ec2"
 # This is the right way to do so
 # curl -ks https://api.shodan.io/shodan/host/{ip}?key={YOUR_API_KEY}
-
 # Each finding will be saved in prowler/output folder for further review.
 extra7102(){
diff --git a/checks/check_extra7103 b/checks/check_extra7103
index 3a6feac9..bd0c8116 100644
--- a/checks/check_extra7103
+++ b/checks/check_extra7103
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7103="AwsSageMakerNotebookInstance"
 CHECK_ALTERNATE_check7103="extra7103"
 CHECK_SEVERITY_extra7103="Medium"
 CHECK_SERVICENAME_extra7103="sagemaker"
+CHECK_RISK_extra7103='Users with root access have administrator privileges; users can access and edit all files on a notebook instance with root access enabled.'
+CHECK_REMEDIATION_extra7103='set the RootAccess field to Disabled. You can also disable root access for users when you create or update a notebook instance in the Amazon SageMaker console.'
+CHECK_DOC_extra7103='https://docs.aws.amazon.com/sagemaker/latest/dg/nbi-root-access.html'
+CHECK_CAF_EPIC_extra7103='IAM'
 extra7103(){
 for regx in ${REGIONS}; do
diff --git a/checks/check_extra7104 b/checks/check_extra7104
index 1009d23b..d38a43cb 100644
--- a/checks/check_extra7104
+++ b/checks/check_extra7104
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7104="AwsSageMakerNotebookInstance"
 CHECK_ALTERNATE_check7104="extra7104"
 CHECK_SEVERITY_extra7104="Medium"
 CHECK_SERVICENAME_extra7104="sagemaker"
+CHECK_RISK_extra7104='This could provide an avenue for unauthorized access to your data.'
+CHECK_REMEDIATION_extra7104='Restrict which traffic can access by launching Studio in a Virtual Private Cloud (VPC) of your choosing.'
+CHECK_DOC_extra7104='https://docs.aws.amazon.com/sagemaker/latest/dg/studio-notebooks-and-internet-access.html'
+CHECK_CAF_EPIC_extra7104='Infrastructure Security'
 extra7104(){
 for regx in ${REGIONS}; do
diff --git a/checks/check_extra7105 b/checks/check_extra7105
index b62e9732..39220549 100644
--- a/checks/check_extra7105
+++ b/checks/check_extra7105
@@ -19,7 +19,11 @@ CHECK_ASFF_RESOURCE_TYPE_extra7105="AwsSageMakerModel"
 CHECK_ALTERNATE_check7105="extra7105"
 CHECK_SEVERITY_extra7105="Medium"
 CHECK_SERVICENAME_extra7105="sagemaker"
-
+CHECK_RISK_extra7105='This could provide an avenue for unauthorized access to your data.'
+CHECK_REMEDIATION_extra7105='Restrict which traffic can access by launching Studio in a Virtual Private Cloud (VPC) of your choosing.'
+CHECK_DOC_extra7105='https://docs.aws.amazon.com/sagemaker/latest/dg/studio-notebooks-and-internet-access.html'
+CHECK_CAF_EPIC_extra7105='Infrastructure Security'
+
 extra7105(){
 for regx in ${REGIONS}; do
 LIST_SM_NB_MODELS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-models --query 'Models[*].ModelName' --output text)
diff --git a/checks/check_extra7106 b/checks/check_extra7106
index 1f91d7aa..39f62234 100644
--- a/checks/check_extra7106
+++ b/checks/check_extra7106
@@ -19,7 +19,11 @@ CHECK_ASFF_RESOURCE_TYPE_extra7106="AwsSageMakerModel"
 CHECK_ALTERNATE_check7106="extra7106"
 CHECK_SEVERITY_extra7106="Medium"
 CHECK_SERVICENAME_extra7106="sagemaker"
-
+CHECK_RISK_extra7106='This could provide an avenue for unauthorized access to your data.'
+CHECK_REMEDIATION_extra7106='Restrict which traffic can access by launching Studio in a Virtual Private Cloud (VPC) of your choosing.'
+CHECK_DOC_extra7106='https://docs.aws.amazon.com/sagemaker/latest/dg/studio-notebooks-and-internet-access.html'
+CHECK_CAF_EPIC_extra7106='Infrastructure Security'
+
 extra7106(){
 for regx in ${REGIONS}; do
 LIST_SM_NB_MODELS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-models --query 'Models[*].ModelName' --output text)
diff --git a/checks/check_extra7107 b/checks/check_extra7107
index 0bd75d45..7464387f 100644
--- a/checks/check_extra7107
+++ b/checks/check_extra7107
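Review bot: The new `CHECK_REMEDIATION_extra7105` talks about "launching Studio in a VPC", but the context lines show this check enumerating models (`sagemaker list-models`) and its ASFF type is `AwsSageMakerModel`; Studio domains are a different resource with different settings. If, as the resource type suggests, the check inspects the model's network settings, the fix the user needs is on the model itself, e.g. `CHECK_REMEDIATION_extra7105='Create models with a VpcConfig (subnets and security groups) and/or EnableNetworkIsolation so inference containers cannot reach the internet.'`, and `CHECK_DOC_extra7105` should point at the SageMaker guide page on VPC access for hosted models rather than the Studio page. The 7106 hunk right below carries the identical Studio wording for another model check and would need the same correction. The extra7105 function body continues outside the hunk.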
@@ -19,7 +19,11 @@ CHECK_ASFF_RESOURCE_TYPE_extra7107="AwsSageMakerNotebookInstance"
 CHECK_ALTERNATE_check7107="extra7107"
 CHECK_SEVERITY_extra7107="Medium"
 CHECK_SERVICENAME_extra7107="sagemaker"
-
+CHECK_RISK_extra7107='If not restricted unintended access could happen.'
+CHECK_REMEDIATION_extra7107='Internetwork communications support TLS 1.2 encryption between all components and clients.'
+CHECK_DOC_extra7107='https://docs.aws.amazon.com/sagemaker/latest/dg/interface-vpc-endpoint.html'
+CHECK_CAF_EPIC_extra7107='Data Protection'
+
 extra7107(){
 for regx in ${REGIONS}; do
 LIST_SM_NB_JOBS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-training-jobs --query 'TrainingJobSummaries[*].TrainingJobName' --output text)
diff --git a/checks/check_extra7108 b/checks/check_extra7108
index 7b3161cb..45c38b7e 100644
--- a/checks/check_extra7108
+++ b/checks/check_extra7108
@@ -19,7 +19,11 @@ CHECK_ASFF_RESOURCE_TYPE_extra7108="AwsSageMakerNotebookInstance"
 CHECK_ALTERNATE_check7108="extra7108"
 CHECK_SEVERITY_extra7108="Medium"
 CHECK_SERVICENAME_extra7108="sagemaker"
-
+CHECK_RISK_extra7108='Data exfiltration could happen if information is not protected. KMS keys provide additional security level to IAM policies.'
+CHECK_REMEDIATION_extra7108='Specify AWS KMS keys to use for input and output from S3 and EBS.'
+CHECK_DOC_extra7108='https://docs.aws.amazon.com/sagemaker/latest/dg/key-management.html'
+CHECK_CAF_EPIC_extra7108='Data Protection'
+
 extra7108(){
 for regx in ${REGIONS}; do
 LIST_SM_NB_JOBS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-training-jobs --query 'TrainingJobSummaries[*].TrainingJobName' --output text)
diff --git a/checks/check_extra7109 b/checks/check_extra7109
index eba6a4cb..5474ce38 100644
--- a/checks/check_extra7109
+++ b/checks/check_extra7109
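Review bot: The new `CHECK_REMEDIATION_extra7107` ("Internetwork communications support TLS 1.2 encryption...") is a description of a capability, not an action the user can take, and the `CHECK_RISK_extra7107` line is the same generic sentence reused from 7100. The context lines show the check walking `list-training-jobs`, and the TLS wording plus the Data Protection epic suggest it covers inter-container traffic encryption for training jobs, though the title is not in this hunk so that is an inference. If so, I would write `CHECK_RISK_extra7107='Traffic between distributed training containers is not encrypted unless inter-container traffic encryption is enabled; it can be read or tampered with inside the VPC.'` and `CHECK_REMEDIATION_extra7107='Create training jobs with EnableInterContainerTrafficEncryption set to true.'`, and link the SageMaker guide page on protecting communications between ML compute instances instead of the VPC interface endpoint page. The extra7107 function body continues outside the hunk.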
@@ -19,7 +19,11 @@ CHECK_ASFF_RESOURCE_TYPE_extra7109="AwsSageMakerNotebookInstance"
 CHECK_ALTERNATE_check7109="extra7109"
 CHECK_SEVERITY_extra7109="Medium"
 CHECK_SERVICENAME_extra7109="sagemaker"
-
+CHECK_RISK_extra7109='This could provide an avenue for unauthorized access to your data.'
+CHECK_REMEDIATION_extra7109='Restrict which traffic can access by launching Studio in a Virtual Private Cloud (VPC) of your choosing.'
+CHECK_DOC_extra7109='https://docs.aws.amazon.com/sagemaker/latest/dg/interface-vpc-endpoint.html'
+CHECK_CAF_EPIC_extra7109='Infrastructure Security'
+
 extra7109(){
 for regx in ${REGIONS}; do
 LIST_SM_NB_JOBS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-training-jobs --query 'TrainingJobSummaries[*].TrainingJobName' --output text)
diff --git a/checks/check_extra7110 b/checks/check_extra7110
index d9406a38..fe91f12a 100644
--- a/checks/check_extra7110
+++ b/checks/check_extra7110
@@ -19,7 +19,11 @@ CHECK_ASFF_RESOURCE_TYPE_extra7110="AwsSageMakerNotebookInstance"
 CHECK_ALTERNATE_check7110="extra7110"
 CHECK_SEVERITY_extra7110="Medium"
 CHECK_SERVICENAME_extra7110="sagemaker"
-
+CHECK_RISK_extra7110='This could provide an avenue for unauthorized access to your data.'
+CHECK_REMEDIATION_extra7110='Restrict which traffic can access by launching Studio in a Virtual Private Cloud (VPC) of your choosing.'
+CHECK_DOC_extra7110='https://docs.aws.amazon.com/sagemaker/latest/dg/interface-vpc-endpoint.html'
+CHECK_CAF_EPIC_extra7110='Infrastructure Security'
+
 extra7110(){
 for regx in ${REGIONS}; do
 LIST_SM_NB_JOBS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-training-jobs --query 'TrainingJobSummaries[*].TrainingJobName' --output text)
diff --git a/checks/check_extra7111 b/checks/check_extra7111
index d3f25dfc..f3117ab0 100644
--- a/checks/check_extra7111
+++ b/checks/check_extra7111
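Review bot: The new `CHECK_REMEDIATION_extra7109` tells the user to launch Studio in a VPC, but the context lines show this check iterating over training jobs (`list-training-jobs`), and a training job's network placement is set per job, not through Studio. If the check inspects the job's VpcConfig or network isolation setting (I cannot see the title here), the remediation should be `CHECK_REMEDIATION_extra7109='Run training jobs inside your VPC by setting VpcConfig (subnets and security groups) and enable network isolation where the algorithm does not need internet access.'`. The 7110 hunk below repeats the same Studio wording for another training-job check, and the 7111 hunk reuses it for a notebook instance, so the fix applies there too. The extra7109 function body continues outside the hunk.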
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7111="AwsSageMakerNotebookInstance"
 CHECK_ALTERNATE_check7111="extra7111"
 CHECK_SEVERITY_extra7111="Medium"
 CHECK_SERVICENAME_extra7111="sagemaker"
+CHECK_RISK_extra7111='This could provide an avenue for unauthorized access to your data.'
+CHECK_REMEDIATION_extra7111='Restrict which traffic can access by launching Studio in a Virtual Private Cloud (VPC) of your choosing.'
+CHECK_DOC_extra7111='https://docs.aws.amazon.com/sagemaker/latest/dg/interface-vpc-endpoint.html'
+CHECK_CAF_EPIC_extra7111='Infrastructure Security'
 extra7111(){
 for regx in ${REGIONS}; do
diff --git a/checks/check_extra7112 b/checks/check_extra7112
index ffa6da15..5693bf0c 100644
--- a/checks/check_extra7112
+++ b/checks/check_extra7112
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7112="AwsSageMakerNotebookInstance"
 CHECK_ALTERNATE_check7112="extra7112"
 CHECK_SEVERITY_extra7112="Medium"
 CHECK_SERVICENAME_extra7112="sagemaker"
+CHECK_RISK_extra7112='Data exfiltration could happen if information is not protected. KMS keys provide additional security level to IAM policies.'
+CHECK_REMEDIATION_extra7112='Specify AWS KMS keys to use for input and output from S3 and EBS.'
+CHECK_DOC_extra7112='https://docs.aws.amazon.com/sagemaker/latest/dg/key-management.html'
+CHECK_CAF_EPIC_extra7112='Data Protection'
 extra7112(){
 for regx in ${REGIONS}; do
diff --git a/checks/check_extra7113 b/checks/check_extra7113
index 3cbe45a8..a9dcbcce 100644
--- a/checks/check_extra7113
+++ b/checks/check_extra7113
@@ -30,6 +30,10 @@ CHECK_SEVERITY_extra7113="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7113="AwsRdsDbInstance"
 CHECK_ALTERNATE_check7113="extra7113"
 CHECK_SERVICENAME_extra7113="rds"
+CHECK_RISK_extra7113='You can only delete instances that do not have deletion protection enabled.'
+CHECK_REMEDIATION_extra7113='Enable deletion protection using the AWS Management Console for production DB instances.'
+CHECK_DOC_extra7113='https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_DeleteInstance.html'
+CHECK_CAF_EPIC_extra7113='Data Protection'
 extra7113(){
 textInfo "Looking for RDS Volumes in all regions... "
diff --git a/checks/check_extra7114 b/checks/check_extra7114
index fe22a405..0fa3a7b7 100644
--- a/checks/check_extra7114
+++ b/checks/check_extra7114
@@ -19,6 +19,10 @@ CHECK_SEVERITY_extra7114="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7114="AwsGlue"
 CHECK_ALTERNATE_check7114="extra7114"
 CHECK_SERVICENAME_extra7114="glue"
+CHECK_RISK_extra7114='Data exfiltration could happen if information is not protected. KMS keys provide additional security level to IAM policies.'
+CHECK_REMEDIATION_extra7114='Specify AWS KMS keys to use for input and output from S3 and EBS.'
+CHECK_DOC_extra7114='https://docs.aws.amazon.com/glue/latest/dg/encryption-security-configuration.html'
+CHECK_CAF_EPIC_extra7114='Data Protection'
 extra7114(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra7115 b/checks/check_extra7115
index 08beee45..cc883edb 100644
--- a/checks/check_extra7115
+++ b/checks/check_extra7115
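Review bot: The new `CHECK_RISK_extra7113` line describes how the feature works ("You can only delete instances that do not have deletion protection enabled") instead of what the user risks by not having it, which is what a RISK field is read for in a report. I would write `CHECK_RISK_extra7113='Without deletion protection a DB instance can be deleted by mistake or by a compromised principal; causing data loss and an outage that only a restore from backup can undo.'`. The remediation also limits itself to the console; the same flag can be set with `modify-db-instance --deletion-protection` or in the template, which is what teams applying this at scale will want. The extra7113 function body continues outside the hunk.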
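Review bot: The new `CHECK_REMEDIATION_extra7114` ("Specify AWS KMS keys to use for input and output from S3 and EBS") is copied from the SageMaker 7108/7112 hunks and does not fit Glue: a Glue security configuration, which is what the linked `encryption-security-configuration.html` page describes, covers S3 output, CloudWatch Logs and job bookmarks, and EBS is not one of its settings as far as I can tell. I would write `CHECK_REMEDIATION_extra7114='Create a Glue security configuration with S3; CloudWatch Logs and job bookmark encryption using a KMS key and attach it to crawlers; jobs and development endpoints.'`. The risk sentence "KMS keys provide additional security level to IAM policies" is also vague about what the extra level is (a key policy that can deny decryption independently of IAM). The extra7114 function body continues outside the hunk.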
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra7115="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7115="AwsGlue"
 CHECK_ALTERNATE_check7115="extra7115"
 CHECK_SERVICENAME_extra7115="glue"
+CHECK_RISK_extra7115='Data exfiltration could happen if information is not protected in transit.'
+CHECK_REMEDIATION_extra7115='Configure encryption settings for crawlers; ETL jobs; and development endpoints using security configurations in AWS Glue.'
+CHECK_DOC_extra7115='https://docs.aws.amazon.com/glue/latest/dg/encryption-in-transit.html'
+CHECK_CAF_EPIC_extra7115='Data Protection'
 extra7115(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra7116 b/checks/check_extra7116
index 610741a5..43136f76 100644
--- a/checks/check_extra7116
+++ b/checks/check_extra7116
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra7116="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7116="AwsGlue"
 CHECK_ALTERNATE_check7116="extra7116"
 CHECK_SERVICENAME_extra7116="glue"
+CHECK_RISK_extra7116='If not enabled sensible information at rest is not protected.'
+CHECK_REMEDIATION_extra7116='Enable Encryption. Use a CMK where possible. It will provide additional management and privacy benefits.'
+CHECK_DOC_extra7116='https://docs.aws.amazon.com/glue/latest/dg/encrypt-glue-data-catalog.html'
+CHECK_CAF_EPIC_extra7116='Data Protection'
 extra7116(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra7117 b/checks/check_extra7117
index 62da7ab9..f0eeb03e 100644
--- a/checks/check_extra7117
+++ b/checks/check_extra7117
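Review bot: `CHECK_RISK_extra7116` says "sensible information"; the English word is "sensitive" ("sensible" means reasonable), and this string is what ends up in customer-facing reports and Security Hub findings. The line should read `CHECK_RISK_extra7116='If not enabled sensitive information at rest is not protected.'`. The same sentence is pasted verbatim into the 7117 through 7122 and 7130 hunks, so all of them need the same one-word fix. The extra7116 function body continues outside the hunk.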
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra7117="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7117="AwsGlue"
 CHECK_ALTERNATE_check7117="extra7117"
 CHECK_SERVICENAME_extra7117="glue"
+CHECK_RISK_extra7117='If not enabled sensible information at rest is not protected.'
+CHECK_REMEDIATION_extra7117='On the AWS Glue console; you can enable this option on the Data catalog settings page.'
+CHECK_DOC_extra7117='https://docs.aws.amazon.com/glue/latest/dg/encrypt-connection-passwords.html'
+CHECK_CAF_EPIC_extra7117='Data Protection'
 extra7117(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra7118 b/checks/check_extra7118
index 614d8130..524ac4c2 100644
--- a/checks/check_extra7118
+++ b/checks/check_extra7118
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra7118="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7118="AwsGlue"
 CHECK_ALTERNATE_check7118="extra7118"
 CHECK_SERVICENAME_extra7118="glue"
+CHECK_RISK_extra7118='If not enabled sensible information at rest is not protected.'
+CHECK_REMEDIATION_extra7118='Provide the encryption properties that are used by crawlers; jobs; and development endpoints.'
+CHECK_DOC_extra7118='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html'
+CHECK_CAF_EPIC_extra7118='Data Protection'
 extra7118(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra7119 b/checks/check_extra7119
index 33162563..fbd035dc 100644
--- a/checks/check_extra7119
+++ b/checks/check_extra7119
@@ -19,6 +19,10 @@ CHECK_SEVERITY_extra7119="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7119="AwsGlue"
 CHECK_ALTERNATE_check7119="extra7119"
 CHECK_SERVICENAME_extra7119="glue"
+CHECK_RISK_extra7119='If not enabled sensible information at rest is not protected.'
+CHECK_REMEDIATION_extra7119='Enable Encryption in the Security configurations.'
+CHECK_DOC_extra7119='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html'
+CHECK_CAF_EPIC_extra7119='Logging and Monitoring'
 extra7119(){
 for regx in $REGIONS; do
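Review bot: `CHECK_CAF_EPIC_extra7119='Logging and Monitoring'` is inconsistent with the risk and remediation lines above it, which talk about encryption at rest, and with the 7121/7122 hunks, which carry the identical risk/remediation text under `'Data Protection'`. If 7119 (and 7120, which has the same combination) is the CloudWatch Logs encryption setting of a Glue security configuration, the epic may be intentional, but then the risk text should say so, e.g. `CHECK_RISK_extra7119='If not enabled job and crawler logs written to CloudWatch Logs are stored unencrypted and may expose sensitive data.'`; otherwise the epic should be `'Data Protection'` like its siblings. I cannot see the check title in this hunk, so which of the two applies has to be confirmed against the file. The extra7119 function body continues outside the hunk.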
diff --git a/checks/check_extra7120 b/checks/check_extra7120
index d51e0208..553a37db 100644
--- a/checks/check_extra7120
+++ b/checks/check_extra7120
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra7120="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7120="AwsGlue"
 CHECK_ALTERNATE_check7120="extra7120"
 CHECK_SERVICENAME_extra7120="glue"
+CHECK_RISK_extra7120='If not enabled sensible information at rest is not protected.'
+CHECK_REMEDIATION_extra7120='Enable Encryption in the Security configurations.'
+CHECK_DOC_extra7120='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html'
+CHECK_CAF_EPIC_extra7120='Logging and Monitoring'
 extra7120(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra7121 b/checks/check_extra7121
index 1324f7b8..9bfe383e 100644
--- a/checks/check_extra7121
+++ b/checks/check_extra7121
@@ -19,6 +19,10 @@ CHECK_SEVERITY_extra7121="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7121="AwsGlue"
 CHECK_ALTERNATE_check7121="extra7121"
 CHECK_SERVICENAME_extra7121="glue"
+CHECK_RISK_extra7121='If not enabled sensible information at rest is not protected.'
+CHECK_REMEDIATION_extra7121='Enable Encryption in the Security configurations.'
+CHECK_DOC_extra7121='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html'
+CHECK_CAF_EPIC_extra7121='Data Protection'
 extra7121(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra7122 b/checks/check_extra7122
index dba88dd5..de2c2b47 100644
--- a/checks/check_extra7122
+++ b/checks/check_extra7122
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra7122="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7122="AwsGlue"
 CHECK_ALTERNATE_check7122="extra7122"
 CHECK_SERVICENAME_extra7122="glue"
+CHECK_RISK_extra7122='If not enabled sensible information at rest is not protected.'
+CHECK_REMEDIATION_extra7122='Enable Encryption in the Security configurations.'
+CHECK_DOC_extra7122='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html'
+CHECK_CAF_EPIC_extra7122='Data Protection'
 extra7122(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra7123 b/checks/check_extra7123
index b9af0aaa..0c96f273 100644
--- a/checks/check_extra7123
+++ b/checks/check_extra7123
@@ -20,6 +20,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7123="AwsIamUser"
 CHECK_ALTERNATE_check7123="extra7123"
 CHECK_ASFF_COMPLIANCE_TYPE_extra7123="ens-op.acc.1.aws.iam.2"
 CHECK_SERVICENAME_extra7123="iam"
+CHECK_RISK_extra7123='Access Keys could be lost or stolen. It creates a critical risk.'
+CHECK_REMEDIATION_extra7123='Avoid using long lived access keys.'
+CHECK_DOC_extra7123='https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAccessKeys.html'
+CHECK_CAF_EPIC_extra7123='IAM'
 extra7123(){
 LIST_OF_USERS_WITH_2ACCESS_KEYS=$(cat $TEMP_REPORT_FILE| awk -F, '{ print $1, $9, $14 }' |grep "\ true\ true" | awk '{ print $1 }')
diff --git a/checks/check_extra7124 b/checks/check_extra7124
index 3828164f..739ede63 100644
--- a/checks/check_extra7124
+++ b/checks/check_extra7124
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7124="AwsEc2Instance"
 CHECK_ALTERNATE_check7124="extra7124"
 CHECK_ASFF_COMPLIANCE_TYPE_extra7124="ens-op.exp.1.aws.sys.1 ens-op.acc.4.aws.sys.1"
 CHECK_SERVICENAME_extra7124="ssm"
+CHECK_RISK_extra7124='AWS Config provides AWS Managed Rules; which are predefined; customizable rules that AWS Config uses to evaluate whether your AWS resource configurations comply with common best practices.'
+CHECK_REMEDIATION_extra7124='Verify and apply Systems Manager Prerequisites.'
+CHECK_DOC_extra7124='https://docs.aws.amazon.com/systems-manager/latest/userguide/managed_instances.html'
+CHECK_CAF_EPIC_extra7124='Infrastructure Security'
 extra7124(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra7125 b/checks/check_extra7125
index 007947e4..8aabe4d3 100644
--- a/checks/check_extra7125
+++ b/checks/check_extra7125
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7125="AwsIamUser"
 CHECK_ALTERNATE_check7125="extra7125"
 CHECK_ASFF_COMPLIANCE_TYPE_extra7125="ens-op.acc.5.aws.iam.2"
 CHECK_SERVICENAME_extra7125="iam"
+CHECK_RISK_extra7125='Hardware MFA is preferred over virtual MFA.'
+CHECK_REMEDIATION_extra7125='Enable hardware MFA device for an IAM user from the AWS Management Console; the command line; or the IAM API.'
+CHECK_DOC_extra7125='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_physical.html'
+CHECK_CAF_EPIC_extra7125='IAM'
 extra7125(){
 LIST_USERS=$($AWSCLI iam list-users --query 'Users[*].UserName' --output text $PROFILE_OPT --region $REGION)
diff --git a/checks/check_extra7126 b/checks/check_extra7126
index 4c089e27..f1b80877 100644
--- a/checks/check_extra7126
+++ b/checks/check_extra7126
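Review bot: The new `CHECK_RISK_extra7124` line is a description of AWS Config managed rules and has nothing to do with this check, whose service is `ssm`, whose resource type is `AwsEc2Instance` and whose doc link is the Systems Manager managed-instances page; it looks like text pasted from a different check. Assuming the check reports EC2 instances that are not SSM managed (the title is outside this hunk), I would write `CHECK_RISK_extra7124='EC2 instances that are not managed by Systems Manager cannot be patched; inventoried or administered through SSM; their configuration and patch state are invisible to central operations.'`. The remediation could also name the prerequisites it refers to (SSM Agent installed and running; an instance profile with the SSM managed policy; network reachability to the SSM endpoints) so the reader does not have to open the link to act. The extra7124 function body continues outside the hunk.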
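Review bot: `CHECK_RISK_extra7125='Hardware MFA is preferred over virtual MFA.'` states a preference, not the risk a reader of the finding needs, which is why the virtual token is weaker. I would write `CHECK_RISK_extra7125='Virtual MFA seeds are software secrets that can be copied or phished from the user device; a hardware token keeps the second factor out of reach of malware.'`. Note that these values are single-quoted shell strings, so any ASCII apostrophe in such text (for example in "user's") would terminate the string and break the check file; the wording above avoids one on purpose. The extra7125 function body continues outside the hunk.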
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7126="AwsKmsKey"
 CHECK_ALTERNATE_check7126="extra7126"
 CHECK_ASFF_COMPLIANCE_TYPE_extra7126="op.exp.11.aws.kms.2"
 CHECK_SERVICENAME_extra7126="kms"
+CHECK_RISK_extra7126='Unused keys may increase service cost.'
+CHECK_REMEDIATION_extra7126='Before deleting a customer master key (CMK); you might want to know how many cipher-texts were encrypted under that key. '
+CHECK_DOC_extra7126='https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys-determining-usage.html'
+CHECK_CAF_EPIC_extra7126='Data Protection'
 extra7126(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra7127 b/checks/check_extra7127
index 9f28c605..ecc725c1 100644
--- a/checks/check_extra7127
+++ b/checks/check_extra7127
@@ -20,7 +20,10 @@ CHECK_ASFF_TYPE_extra7127="Software and Configuration Checks/ENS op.exp.4.aws.sy
 CHECK_ALTERNATE_check7127="extra7127"
 CHECK_ASFF_COMPLIANCE_TYPE_extra7127="ens-op.exp.1.aws.sys.1 ens-op.exp.4.aws.sys.1"
 CHECK_SERVICENAME_extra7127="ssm"
-
+CHECK_RISK_extra7127='Without the most recent security patches your system is potentially vulnerable to cyberattacks. Even the best-designed software can not anticipate every future threat to cybersecurity. Poor patch management can leave an organizations data exposed subjecting them to malware and ransomware attacks.'
+CHECK_REMEDIATION_extra7127='Consider using SSM in all accounts and services to at least monitor for missing patches on servers. Use a robust process to apply security fixes as soon as they are made available. Patch compliance data from Patch Manager can be sent to AWS Security Hub to centralize security issues.'
+CHECK_DOC_extra7127='https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-compliance-identify.html'
+CHECK_CAF_EPIC_extra7127='Infrastructure Security'
 extra7127(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra7128 b/checks/check_extra7128
index 13bc161c..27be1f66 100644
--- a/checks/check_extra7128
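Review bot: The new `CHECK_REMEDIATION_extra7126` is a sentence lifted from the linked documentation ("you might want to know how many cipher-texts were encrypted under that key") rather than an instruction, and it has a stray trailing space inside the quotes. The action the finding calls for is to confirm the key is really unused and then retire it safely, e.g. `CHECK_REMEDIATION_extra7126='Confirm the key is unused (CloudTrail and the determining-key-usage guidance); then disable it or schedule deletion with the 7 to 30 day waiting period so ciphertexts are not lost.'`. The risk line only mentions cost; an unused but enabled key also stays usable by whoever the key policy grants, so a sentence on that would make the Data Protection epic fit better. The extra7126 function body continues outside the hunk.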
+++ b/checks/check_extra7128
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7128="AwsDynamoDBTable"
 CHECK_ALTERNATE_check7128="extra7128"
 CHECK_ASFF_COMPLIANCE_TYPE_extra7128="ens-mp.info.3.aws.dyndb.1"
 CHECK_SERVICENAME_extra7128="dynamodb"
+CHECK_RISK_extra7128='All user data stored in Amazon DynamoDB is fully encrypted at rest. This functionality helps reduce the operational burden and complexity involved in protecting sensitive data.'
+CHECK_REMEDIATION_extra7128='Specify an encryption key when you create a new table or switch the encryption keys on an existing table by using the AWS Management Console.'
+CHECK_DOC_extra7128='https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html'
+CHECK_CAF_EPIC_extra7128='Data Protection'
 extra7128(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra7129 b/checks/check_extra7129
index d6a55d8e..130c8074 100644
--- a/checks/check_extra7129
+++ b/checks/check_extra7129
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7129="AwsElasticLoadBalancingV2LoadBalancer"
 CHECK_ALTERNATE_check7129="extra7129"
 CHECK_ASFF_COMPLIANCE_TYPE_extra7129="ens-mp.s.2.aws.waf.3"
 CHECK_SERVICENAME_extra7129="elb"
+CHECK_RISK_extra7129='If not WAF ACL is attached risk of web attacks increases.'
+CHECK_REMEDIATION_extra7129='Using the AWS Management Console open the AWS WAF console to attach an ACL.'
+CHECK_DOC_extra7129='https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-associating-aws-resource.html'
+CHECK_CAF_EPIC_extra7129='Infrastructure Security'
 extra7129(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra7130 b/checks/check_extra7130
index 7165a5fe..4a712973 100644
--- a/checks/check_extra7130
+++ b/checks/check_extra7130
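Review bot: The new `CHECK_RISK_extra7128` line reads as product marketing ("fully encrypted at rest ... reduce the operational burden") and actually argues there is no risk, which contradicts the existence of the finding. Since the remediation is about choosing the encryption key, the check presumably flags tables left on the default AWS owned key (the title is outside this hunk), so the risk worth stating is the loss of control that comes with it: `CHECK_RISK_extra7128='Tables encrypted with the default AWS owned key give the account no control over the key policy; rotation or CloudTrail auditing of key use; a customer managed KMS key provides all three.'`. The remediation can also mention `update-table --sse-specification` for non-console changes. The extra7128 function body continues outside the hunk.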
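Review bot: `CHECK_RISK_extra7129` has a typo that changes the meaning: "If not WAF ACL is attached" should be "If no WAF ACL is attached", i.e. `CHECK_RISK_extra7129='If no WAF web ACL is attached the load balancer is exposed to common web attacks such as injection and cross-site scripting.'`. The remediation "Using the AWS Management Console open the AWS WAF console" says console twice and omits the non-console route; `CHECK_REMEDIATION_extra7129='Associate a WAF web ACL with the load balancer from the WAF console or with wafv2 associate-web-acl.'` is shorter and complete. The extra7129 function body continues outside the hunk.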
@@ -19,6 +19,10 @@ CHECK_SEVERITY_extra7130="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7130="AwsSnsTopic"
 CHECK_ALTERNATE_check7130="extra7130"
 CHECK_SERVICENAME_extra7130="sns"
+CHECK_RISK_extra7130='If not enabled sensible information at rest is not protected.'
+CHECK_REMEDIATION_extra7130='Use Amazon SNS with AWS KMS.'
+CHECK_DOC_extra7130='https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html'
+CHECK_CAF_EPIC_extra7130='Data Protection'
 extra7130(){
 textInfo "Looking for SNS Topics in all regions... "
diff --git a/checks/check_extra7131 b/checks/check_extra7131
index 3f85c2a9..fc8266a1 100644
--- a/checks/check_extra7131
+++ b/checks/check_extra7131
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra7131="Low"
 CHECK_ASFF_RESOURCE_TYPE_extra7131="AwsRdsDbInstance"
 CHECK_ALTERNATE_check7131="extra7131"
 CHECK_SERVICENAME_extra7131="rds"
+CHECK_RISK_extra7131='Auto Minor Version Upgrade is a feature that you can enable to have your database automatically upgraded when a new minor database engine version is available. Minor version upgrades often patch security vulnerabilities and fix bugs; and therefor should be applied.'
+CHECK_REMEDIATION_extra7131='Enable auto minor version upgrade for all databases and environments.'
+CHECK_DOC_extra7131='https://aws.amazon.com/blogs/database/best-practices-for-upgrading-amazon-rds-to-major-and-minor-versions-of-postgresql/'
+CHECK_CAF_EPIC_extra7131='Infrastructure Security'
 extra7131(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra7132 b/checks/check_extra7132
index 8a704100..eb64827d 100644
--- a/checks/check_extra7132
+++ b/checks/check_extra7132
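Review bot: `CHECK_DOC_extra7131` links a blog post specific to PostgreSQL, while the check's resource type `AwsRdsDbInstance` covers every RDS engine; the engine-neutral page is the RDS User Guide section on upgrading a DB instance engine version, which documents the AutoMinorVersionUpgrade setting for all engines. The risk line also has a typo ("therefor") and spends its first sentence describing the feature rather than the exposure; `CHECK_RISK_extra7131='Instances without auto minor version upgrade keep running engine versions with known vulnerabilities and bugs until someone upgrades them by hand.'` says what the reader needs. Since minor upgrades restart the instance in the maintenance window, the remediation could add that the window should be chosen accordingly rather than recommending it blindly "for all databases and environments". The extra7131 function body continues outside the hunk.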
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra7132="Low"
 CHECK_ASFF_RESOURCE_TYPE_extra7132="AwsRdsDbInstance"
 CHECK_ALTERNATE_check7132="extra7132"
 CHECK_SERVICENAME_extra7132="rds"
+CHECK_RISK_extra7132='A smaller monitoring interval results in more frequent reporting of OS metrics.'
+CHECK_REMEDIATION_extra7132='To use Enhanced Monitoring; you must create an IAM role; and then enable Enhanced Monitoring.'
+CHECK_DOC_extra7132='https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Monitoring.OS.html'
+CHECK_CAF_EPIC_extra7132='Logging and Monitoring'
 extra7132(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra7133 b/checks/check_extra7133
index 15db98d4..2be3d662 100644
--- a/checks/check_extra7133
+++ b/checks/check_extra7133
@@ -18,8 +18,10 @@ CHECK_SEVERITY_extra7133="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7133="AwsRdsDbInstance"
 CHECK_ALTERNATE_check7133="extra7133"
 CHECK_SERVICENAME_extra7133="rds"
-CHECK_RISK_extra7133="In case of failure with a single-AZ deployment configuration should an availability zone specific database failure occur Amazon RDS can not automatically fail over to the standby availability zone."
-CHECK_REMEDIATION_extra7133="Enable multi-AZ deployment for production databases. More here: https://aws.amazon.com/rds/features/multi-az/."
+CHECK_RISK_extra7133='In case of failure; with a single-AZ deployment configuration; should an availability zone specific database failure occur; Amazon RDS can not automatically fail over to the standby availability zone.'
+CHECK_REMEDIATION_extra7133='Enable multi-AZ deployment for production databases.'
+CHECK_DOC_extra7133='https://aws.amazon.com/rds/features/multi-az/'
+CHECK_CAF_EPIC_extra7133='Data Protection'
 extra7133(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra742 b/checks/check_extra742
index 957ef0c2..d6083ef0 100644
--- a/checks/check_extra742
+++ b/checks/check_extra742
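Review bot: `CHECK_RISK_extra7132='A smaller monitoring interval results in more frequent reporting of OS metrics.'` describes a tuning knob, not what is lost when Enhanced Monitoring is off, so the finding gives the reader no reason to act. I would write `CHECK_RISK_extra7132='Without Enhanced Monitoring the OS-level metrics of the DB instance (processes; memory; file system; network) are not collected; which limits detection of resource exhaustion or abuse.'`. The remediation is fine but could name the role requirement more precisely (a role trusted by monitoring.rds.amazonaws.com with the AmazonRDSEnhancedMonitoringRole policy) since that is the step people get wrong. The extra7132 function body continues outside the hunk.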
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra742="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra742="AwsCloudFormationStack"
 CHECK_ALTERNATE_check742="extra742"
 CHECK_SERVICENAME_extra742="cloudformation"
+CHECK_RISK_extra742='Secrets hardcoded into CloudFormation outputs can be used by malware and bad actors to gain lateral access to other services.'
+CHECK_REMEDIATION_extra742='Implement automated detective control (e.g. using tools like Prowler ) to scan accounts for passwords and secrets. Use secrets manager service to store and retrieve passwords and secrets. '
+CHECK_DOC_extra742='https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-generatesecretstring.html'
+CHECK_CAF_EPIC_extra742='IAM'
 extra742(){
 SECRETS_TEMP_FOLDER="$PROWLER_DIR/secrets-$ACCOUNT_NUM"
diff --git a/checks/check_extra743 b/checks/check_extra743
index 38c80447..e7e21965 100644
--- a/checks/check_extra743
+++ b/checks/check_extra743
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra743="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra743="AwsApiGatewayRestApi"
 CHECK_ALTERNATE_check743="extra743"
 CHECK_SERVICENAME_extra743="apigateway"
+CHECK_RISK_extra743='Possible man in the middle attacks and other similar risks.'
+CHECK_REMEDIATION_extra743='Enable client certificate. Mutual TLS is recommended and commonly used for business-to-business (B2B) applications. It’s used in standards such as Open Banking. API Gateway now provides integrated mutual TLS authentication at no additional cost.'
+CHECK_DOC_extra743='https://aws.amazon.com/blogs/compute/introducing-mutual-tls-authentication-for-amazon-api-gateway/'
+CHECK_CAF_EPIC_extra743='Data Protection'
 extra743(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra744 b/checks/check_extra744
index 2c495108..36ed0705 100644
--- a/checks/check_extra744
+++ b/checks/check_extra744
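Review bot: The new `CHECK_REMEDIATION_extra743` mixes two different API Gateway features: "Enable client certificate" refers to the stage-level client certificate that API Gateway presents to the backend integration so the backend can verify the caller is API Gateway, while the rest of the sentence and the linked blog are about mutual TLS on a custom domain, which authenticates the API's callers. If this check inspects the stage's client certificate setting (I cannot see the title here), the mTLS text and link belong to a different control and the line should be `CHECK_REMEDIATION_extra743='Generate a client certificate in API Gateway and configure the stage to use it so the backend integration can verify that requests come from API Gateway.'`, with the risk stated as the backend accepting requests that bypass API Gateway rather than "man in the middle". Separately, `It’s` relies on a curly apostrophe (U+2019) to survive inside a single-quoted shell string; an editor normalising it to `'` would truncate the value, so "It is" is safer. The extra743 function body continues outside the hunk.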
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra744="AwsApiGatewayRestApi"
 CHECK_ALTERNATE_check744="extra744"
 CHECK_ASFF_COMPLIANCE_TYPE_extra744="ens-mp.s.2.aws.waf.2"
 CHECK_SERVICENAME_extra744="apigateway"
+CHECK_RISK_extra744='Potential attacks and / or abuse of service; more even for even for internet reachable services.'
+CHECK_REMEDIATION_extra744='Use AWS WAF to protect your API Gateway API from common web exploits; such as SQL injection and cross-site scripting (XSS) attacks. These could affect API availability and performance; compromise security; or consume excessive resources.'
+CHECK_DOC_extra744='https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-aws-waf.html'
+CHECK_CAF_EPIC_extra744='Infrastructure Security'
 extra744(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra745 b/checks/check_extra745
index 2148dcaf..0b507d7b 100644
--- a/checks/check_extra745
+++ b/checks/check_extra745
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra745="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra745="AwsApiGatewayRestApi"
 CHECK_ALTERNATE_check745="extra745"
 CHECK_SERVICENAME_extra745="apigateway"
+CHECK_RISK_extra745='If accessible from internet without restrictions opens up attack / abuse surface for any malicious user.'
+CHECK_REMEDIATION_extra745='Verify that any public Api Gateway is protected and audited. Detective controls for common risks should be implemented.'
+CHECK_DOC_extra745='https://d1.awsstatic.com/whitepapers/api-gateway-security.pdf?svrd_sip6'
+CHECK_CAF_EPIC_extra745='Infrastructure Security'
 extra745(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra746 b/checks/check_extra746
index 0599d2e8..82f82d53 100644
--- a/checks/check_extra746
+++ b/checks/check_extra746
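Review bot: `CHECK_RISK_extra744` contains a duplicated phrase, "more even for even for internet reachable services", which will appear verbatim in every report. The intended sentence is presumably `CHECK_RISK_extra744='Potential attacks and / or abuse of service; even more so for internet reachable services.'`. The remediation is good; it could add that the web ACL is associated with the API stage, which is the unit WAF attaches to. The extra744 function body continues outside the hunk.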
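Review bot: `CHECK_DOC_extra745` points at a PDF on d1.awsstatic.com with a tracking query string (`?svrd_sip6`) rather than a documentation page; such links tend to rot and the parameter serves no purpose in a report, so at minimum drop the query string, and preferably link the API Gateway developer guide page on controlling access to an API. The remediation is also generic ("protected and audited"); since the check is about internet-reachable APIs, naming the concrete options helps: `CHECK_REMEDIATION_extra745='Use the PRIVATE endpoint type with a VPC endpoint for internal APIs; for APIs that must be public require an authorizer; attach a WAF web ACL and enable access logging.'`. The extra745 function body continues outside the hunk.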
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra746="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra746="AwsApiGatewayRestApi"
 CHECK_ALTERNATE_check746="extra746"
 CHECK_SERVICENAME_extra746="apigateway"
+CHECK_RISK_extra746='If no authorizer is enabled anyone can use the service.'
+CHECK_REMEDIATION_extra746='Implement Amazon Cognito or a Lambda function to control access to your API.'
+CHECK_DOC_extra746='https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html'
+CHECK_CAF_EPIC_extra746='IAM'
 
 extra746(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra747 b/checks/check_extra747
index 9e16b1fb..ae8c0a72 100644
--- a/checks/check_extra747
+++ b/checks/check_extra747
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra747="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra747="AwsRdsDbInstance"
 CHECK_ALTERNATE_check747="extra747"
 CHECK_SERVICENAME_extra747="rds"
+CHECK_RISK_extra747='If logs are not enabled; monitoring of service use and threat analysis is not possible.'
+CHECK_REMEDIATION_extra747='Use CloudWatch Logs to perform real-time analysis of the log data. Create alarms and view metrics.'
+CHECK_DOC_extra747='https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/publishing_cloudwatchlogs.html'
+CHECK_CAF_EPIC_extra747='Logging and Monitoring'
 
 extra747(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra748 b/checks/check_extra748
index 3dc303ce..245b40b4 100644
--- a/checks/check_extra748
+++ b/checks/check_extra748
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra748="High"
 CHECK_ASFF_RESOURCE_TYPE_extra748="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check748="extra748"
 CHECK_SERVICENAME_extra748="ec2"
+CHECK_RISK_extra748='If Security groups are not properly configured the attack surface is increased. '
+CHECK_REMEDIATION_extra748='Use a Zero Trust approach. Narrow ingress traffic as much as possible. Consider north-south as well as east-west traffic.'
+CHECK_DOC_extra748='https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html'
+CHECK_CAF_EPIC_extra748='Infrastructure Security'
 
 extra748(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra749 b/checks/check_extra749
index 922e9c3d..4acf5f35 100644
--- a/checks/check_extra749
+++ b/checks/check_extra749
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra749="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check749="extra749"
 CHECK_ASFF_COMPLIANCE_TYPE_extra749="ens-mp.com.4.aws.sg.6"
 CHECK_SERVICENAME_extra749="ec2"
+CHECK_RISK_extra749='If Security groups are not properly configured the attack surface is increased. '
+CHECK_REMEDIATION_extra749='Use a Zero Trust approach. Narrow ingress traffic as much as possible. Consider north-south as well as east-west traffic.'
+CHECK_DOC_extra749='https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html'
+CHECK_CAF_EPIC_extra749='Infrastructure Security'
 
 extra749(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra750 b/checks/check_extra750
index 061acde1..54b09ac1 100644
--- a/checks/check_extra750
+++ b/checks/check_extra750
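Review bot: The four values added to check_extra748 are byte-identical to those added to extra749 through extra755 and extra777 through extra779, so eleven distinct security-group checks will all render the same generic "attack surface is increased" risk and the same remediation, and a reader of the report cannot tell from the text which exposure a given finding is about. Each of these files already carries a per-check detail in its body (for example extra779 sets `ES_API_PORT="9200"` and extra778 sets `CIDR_THRESHOLD=24`), so the CHECK_RISK should name the port, protocol or CIDR width the check inspects rather than the boilerplate; the shared remediation can stay if the risk line carries the specifics. This is a documentation point only; the function bodies are unchanged by the hunk.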
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra750="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check750="extra750"
 CHECK_ASFF_COMPLIANCE_TYPE_extra750="ens-mp.com.4.aws.sg.7"
 CHECK_SERVICENAME_extra750="ec2"
+CHECK_RISK_extra750='If Security groups are not properly configured the attack surface is increased. '
+CHECK_REMEDIATION_extra750='Use a Zero Trust approach. Narrow ingress traffic as much as possible. Consider north-south as well as east-west traffic.'
+CHECK_DOC_extra750='https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html'
+CHECK_CAF_EPIC_extra750='Infrastructure Security'
 
 extra750(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra751 b/checks/check_extra751
index 8b4c67e1..5e44d87b 100644
--- a/checks/check_extra751
+++ b/checks/check_extra751
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra751="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check751="extra751"
 CHECK_ASFF_COMPLIANCE_TYPE_extra751="ens-mp.com.4.aws.sg.8"
 CHECK_SERVICENAME_extra751="ec2"
+CHECK_RISK_extra751='If Security groups are not properly configured the attack surface is increased. '
+CHECK_REMEDIATION_extra751='Use a Zero Trust approach. Narrow ingress traffic as much as possible. Consider north-south as well as east-west traffic.'
+CHECK_DOC_extra751='https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html'
+CHECK_CAF_EPIC_extra751='Infrastructure Security'
 
 extra751(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra752 b/checks/check_extra752
index 06c95baa..815f3f01 100644
--- a/checks/check_extra752
+++ b/checks/check_extra752
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra752="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check752="extra752"
 CHECK_ASFF_COMPLIANCE_TYPE_extra752="ens-mp.com.4.aws.sg.9"
 CHECK_SERVICENAME_extra752="ec2"
+CHECK_RISK_extra752='If Security groups are not properly configured the attack surface is increased. '
+CHECK_REMEDIATION_extra752='Use a Zero Trust approach. Narrow ingress traffic as much as possible. Consider north-south as well as east-west traffic.'
+CHECK_DOC_extra752='https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html'
+CHECK_CAF_EPIC_extra752='Infrastructure Security'
 
 extra752(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra753 b/checks/check_extra753
index 81270cdc..150a8c14 100644
--- a/checks/check_extra753
+++ b/checks/check_extra753
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra753="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check753="extra753"
 CHECK_ASFF_COMPLIANCE_TYPE_extra753="ens-mp.com.4.aws.sg.10"
 CHECK_SERVICENAME_extra753="ec2"
+CHECK_RISK_extra753='If Security groups are not properly configured the attack surface is increased. '
+CHECK_REMEDIATION_extra753='Use a Zero Trust approach. Narrow ingress traffic as much as possible. Consider north-south as well as east-west traffic.'
+CHECK_DOC_extra753='https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html'
+CHECK_CAF_EPIC_extra753='Infrastructure Security'
 
 extra753(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra754 b/checks/check_extra754
index 3316f152..8046782f 100644
--- a/checks/check_extra754
+++ b/checks/check_extra754
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra754="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check754="extra754"
 CHECK_ASFF_COMPLIANCE_TYPE_extra754="ens-mp.com.4.aws.sg.11"
 CHECK_SERVICENAME_extra754="ec2"
+CHECK_RISK_extra754='If Security groups are not properly configured the attack surface is increased. '
+CHECK_REMEDIATION_extra754='Use a Zero Trust approach. Narrow ingress traffic as much as possible. Consider north-south as well as east-west traffic.'
+CHECK_DOC_extra754='https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html'
+CHECK_CAF_EPIC_extra754='Infrastructure Security'
 
 extra754(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra755 b/checks/check_extra755
index 6c746702..45460007 100644
--- a/checks/check_extra755
+++ b/checks/check_extra755
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra755="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check755="extra755"
 CHECK_ASFF_COMPLIANCE_TYPE_extra755="ens-mp.com.4.aws.sg.12"
 CHECK_SERVICENAME_extra755="ec2"
+CHECK_RISK_extra755='If Security groups are not properly configured the attack surface is increased. '
+CHECK_REMEDIATION_extra755='Use a Zero Trust approach. Narrow ingress traffic as much as possible. Consider north-south as well as east-west traffic.'
+CHECK_DOC_extra755='https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html'
+CHECK_CAF_EPIC_extra755='Infrastructure Security'
 
 extra755(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra756 b/checks/check_extra756
index ffcab810..5e33bcc5 100644
--- a/checks/check_extra756
+++ b/checks/check_extra756
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra756="High"
 CHECK_ASFF_RESOURCE_TYPE_extra756="AwsRedshiftCluster"
 CHECK_ALTERNATE_check756="extra756"
 CHECK_SERVICENAME_extra756="redshift"
+CHECK_RISK_extra756='Publicly accessible services could expose sensible data to bad actors.'
+CHECK_REMEDIATION_extra756='Ensure there is a business requirement for service to be public. Use the cluster security group to control access to the service.'
+CHECK_DOC_extra756='https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-security-groups.html'
+CHECK_CAF_EPIC_extra756='Infrastructure Security'
 
 extra756(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra757 b/checks/check_extra757
index 757ab819..23c8bff8 100644
--- a/checks/check_extra757
+++ b/checks/check_extra757
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra757="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra757="AwsEc2Instance"
 CHECK_ALTERNATE_check757="extra757"
 CHECK_SERVICENAME_extra757="ec2"
+CHECK_RISK_extra757='Having old instances within your AWS account could increase the risk of having vulnerable software.'
+CHECK_REMEDIATION_extra757='Check if software running in the instance is up to date and patched accordingly. Use AWS Systems Manager to patch instances and view patching compliance information.'
+CHECK_DOC_extra757='https://docs.aws.amazon.com/systems-manager/latest/userguide/viewing-patch-compliance-results.html'
+CHECK_CAF_EPIC_extra757='Infrastructure Security'
 
 extra757(){
 OLDAGE="$(get_date_previous_than_months 6)"
diff --git a/checks/check_extra758 b/checks/check_extra758
index bda9e922..b4c483cd 100644
--- a/checks/check_extra758
+++ b/checks/check_extra758
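Review bot: CHECK_RISK_extra756 says `sensible data` where the intended word is `sensitive` ("sensible" is a false friend that means "reasonable" in English); the same slip is in CHECK_RISK_extra761 (`sensible information`), CHECK_REMEDIATION_extra763 (`sensible information`) and CHECK_REMEDIATION_extra767 (`sensible data`). Since these strings are the operator-facing explanation of the finding, it should read `CHECK_RISK_extra756='Publicly accessible services could expose sensitive data to bad actors.'`, with the three other occurrences corrected the same way.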
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra758="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra758="AwsEc2Instance"
 CHECK_ALTERNATE_check758="extra758"
 CHECK_SERVICENAME_extra758="ec2"
+CHECK_RISK_extra758='Having old instances within your AWS account could increase the risk of having vulnerable software.'
+CHECK_REMEDIATION_extra758='Check if software running in the instance is up to date and patched accordingly. Use AWS Systems Manager to patch instances and view patching compliance information.'
+CHECK_DOC_extra758='https://docs.aws.amazon.com/systems-manager/latest/userguide/viewing-patch-compliance-results.html'
+CHECK_CAF_EPIC_extra758='Infrastructure Security'
 
 extra758(){
 OLDAGE="$(get_date_previous_than_months 12)"
diff --git a/checks/check_extra759 b/checks/check_extra759
index bf4d8052..01c6bebb 100644
--- a/checks/check_extra759
+++ b/checks/check_extra759
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra759="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra759="AwsLambdaFunction"
 CHECK_ALTERNATE_check759="extra759"
 CHECK_SERVICENAME_extra759="lambda"
+CHECK_RISK_extra759='The use of a hard-coded password increases the possibility of password guessing. If hard-coded passwords are used; it is possible that malicious users gain access through the account in question.'
+CHECK_REMEDIATION_extra759='Use Secrets Manager to securely provide database credentials to Lambda functions and secure the databases as well as use the credentials to connect and query them without hardcoding the secrets in code or passing them through environmental variables. '
+CHECK_DOC_extra759='https://docs.aws.amazon.com/secretsmanager/latest/userguide/lambda-functions.html'
+CHECK_CAF_EPIC_extra759='IAM'
 
 extra759(){
 SECRETS_TEMP_FOLDER="$PROWLER_DIR/secrets-$ACCOUNT_NUM"
diff --git a/checks/check_extra760 b/checks/check_extra760
index ba54aa89..b75303ae 100644
--- a/checks/check_extra760
+++ b/checks/check_extra760
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra760="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra760="AwsLambdaFunction"
 CHECK_ALTERNATE_check760="extra760"
 CHECK_SERVICENAME_extra760="lambda"
+CHECK_RISK_extra760='The use of a hard-coded password increases the possibility of password guessing. If hard-coded passwords are used; it is possible that malicious users gain access through the account in question.'
+CHECK_REMEDIATION_extra760='Use Secrets Manager to securely provide database credentials to Lambda functions and secure the databases as well as use the credentials to connect and query them without hardcoding the secrets in code or passing them through environmental variables. '
+CHECK_DOC_extra760='https://docs.aws.amazon.com/secretsmanager/latest/userguide/lambda-functions.html'
+CHECK_CAF_EPIC_extra760='IAM'
 
 extra760(){
 SECRETS_TEMP_FOLDER="$PROWLER_DIR/secrets-$ACCOUNT_NUM"
diff --git a/checks/check_extra761 b/checks/check_extra761
index a0ad91f7..a8504632 100644
--- a/checks/check_extra761
+++ b/checks/check_extra761
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra761="Medium"
 CHECK_ALTERNATE_check761="extra761"
 CHECK_ASFF_COMPLIANCE_TYPE_extra761="ens-mp.info.3.aws.ebs.2"
 CHECK_SERVICENAME_extra761="ec2"
+CHECK_RISK_extra761='If not enabled sensible information at rest is not protected.'
+CHECK_REMEDIATION_extra761='Enable Encryption. Use a CMK where possible. It will provide additional management and privacy benefits.'
+CHECK_DOC_extra761='https://aws.amazon.com/premiumsupport/knowledge-center/ebs-automatic-encryption/'
+CHECK_CAF_EPIC_extra761='Data Protection'
 
 extra761(){
 textInfo "Looking for EBS Default Encryption activation in all regions... "
diff --git a/checks/check_extra762 b/checks/check_extra762
index 16143008..fe55e875 100644
--- a/checks/check_extra762
+++ b/checks/check_extra762
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra762="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra762="AwsLambdaFunction"
 CHECK_ALTERNATE_check762="extra762"
 CHECK_SERVICENAME_extra762="lambda"
+CHECK_RISK_extra762=' If you have functions running on a runtime that will be deprecated in the next 60 days; Lambda notifies you by email that you should prepare by migrating your function to a supported runtime. In some cases; such as security issues that require a backwards-incompatible update; or software that does not support a long-term support (LTS) schedule; advance notice might not be possible. After a runtime is deprecated; Lambda might retire it completely at any time by disabling invocation. Deprecated runtimes are not eligible for security updates or technical support.'
+CHECK_REMEDIATION_extra762='Test new runtimes as they are made available. Implement them in production as soon as possible.'
+CHECK_DOC_extra762='https://docs.aws.amazon.com/lambda/latest/dg/runtime-support-policy.html'
+CHECK_CAF_EPIC_extra762='Infrastructure Security'
 
 extra762(){
 
diff --git a/checks/check_extra763 b/checks/check_extra763
index a420df22..79d35f1e 100644
--- a/checks/check_extra763
+++ b/checks/check_extra763
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra763="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra763="AwsS3Bucket"
 CHECK_ALTERNATE_check763="extra763"
 CHECK_SERVICENAME_extra763="s3"
+CHECK_RISK_extra763=' With versioning; you can easily recover from both unintended user actions and application failures.'
+CHECK_REMEDIATION_extra763='Configure versioning using the Amazon console or API for buckets with sensible information that is changing frecuently; and backup may not be enough to capture all the changes.'
+CHECK_DOC_extra763='https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/Versioning.html'
+CHECK_CAF_EPIC_extra763='Data Protection'
 
 extra763(){
 # "Check if S3 buckets have object versioning enabled (Not Scored) (Not part of CIS benchmark)"
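Review bot: CHECK_RISK_extra762 opens with a leading space inside the quotes (`' If you have functions ...'`) and is a four-sentence paraphrase of the runtime support policy, of which only the last two sentences describe a risk; CHECK_RISK_extra763 has the same leading space. For the report this is better stated as `CHECK_RISK_extra762='Deprecated runtimes are not eligible for security updates or technical support; and Lambda may retire a deprecated runtime at any time by disabling invocation.'`, leaving the full policy to the linked CHECK_DOC page.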
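Review bot: CHECK_RISK_extra763 describes the benefit of versioning rather than the risk of its absence, which is the opposite of what every other CHECK_RISK in this change states, and CHECK_REMEDIATION_extra763 misspells `frecuently`. A risk-shaped wording that keeps the author's content is `CHECK_RISK_extra763='Without versioning; objects overwritten or deleted by unintended user actions or application failures cannot be recovered.'`, and the remediation should read `... that is changing frequently; ...`.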
diff --git a/checks/check_extra764 b/checks/check_extra764
index 673de716..426c53ae 100644
--- a/checks/check_extra764
+++ b/checks/check_extra764
@@ -19,6 +19,11 @@ CHECK_ASFF_RESOURCE_TYPE_extra764="AwsS3Bucket"
 CHECK_ALTERNATE_check764="extra764"
 CHECK_ASFF_COMPLIANCE_TYPE_extra764="ens-mp.com.2.aws.s3.1"
 CHECK_SERVICENAME_extra764="s3"
+CHECK_RISK_extra764='If HTTPS is not enforced on the bucket policy; communication between clients and S3 buckets can use unencrypted HTTP. As a result; sensitive information could be transmitted in clear text over the network or internet.'
+CHECK_REMEDIATION_extra764='Ensure that S3 buckets has encryption in transit enabled.'
+CHECK_DOC_extra764='https://docs.aws.amazon.com/AmazonS3/latest/dev/security-best-practices.html'
+CHECK_CAF_EPIC_extra764='Data Protection'
+
 
 extra764(){
 LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --query Buckets[*].Name --output text --region $REGION|xargs -n1)
diff --git a/checks/check_extra765 b/checks/check_extra765
index 8dce6fb7..8c23408f 100644
--- a/checks/check_extra765
+++ b/checks/check_extra765
@@ -27,6 +27,10 @@ CHECK_TYPE_extra765="EXTRA"
 CHECK_SEVERITY_extra765="Medium"
 CHECK_ALTERNATE_check765="extra765"
 CHECK_SERVICENAME_extra765="ecr"
+CHECK_RISK_extra765='Amazon ECR image scanning helps in identifying software vulnerabilities in your container images. Amazon ECR uses the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project and provides a list of scan findings. '
+CHECK_REMEDIATION_extra765='Enable ECR image scanning and review the scan findings for information about the security of the container images that are being deployed.'
+CHECK_DOC_extra765='https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html'
+CHECK_CAF_EPIC_extra765='Infrastructure Security'
 
 extra765(){
 for region in $REGIONS; do
diff --git a/checks/check_extra767 b/checks/check_extra767
index 403c8947..a87b0c52 100644
--- a/checks/check_extra767
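Review bot: CHECK_REMEDIATION_extra764 says `S3 buckets has` (should be `have`) and, more usefully, it names no mechanism even though CHECK_RISK_extra764 already identifies the control as the bucket policy; `CHECK_REMEDIATION_extra764='Add a bucket policy statement that denies any request where the aws:SecureTransport condition key is false.'` tells the operator what to change. This hunk is also the only one in the change that adds a fifth, blank `+` line after CHECK_CAF_EPIC, leaving check_extra764 with two blank lines before `extra764(){` where every sibling file has one; dropping it keeps the files uniform.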
+++ b/checks/check_extra767
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra767="Low"
 CHECK_ASFF_RESOURCE_TYPE_extra767="AwsCloudFrontDistribution"
 CHECK_ALTERNATE_check767="extra767"
 CHECK_SERVICENAME_extra767="cloudfront"
+CHECK_RISK_extra767='Allows you protect specific data throughout system processing so that only certain applications can see it.'
+CHECK_REMEDIATION_extra767='Check if applicable to any sensible data. This encryption ensures that only applications that need the data—and have the credentials to decrypt it - are able to do so.'
+CHECK_DOC_extra767='https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html'
+CHECK_CAF_EPIC_extra767='Data Protection'
 
 extra767(){
 LIST_OF_DISTRIBUTIONS=$($AWSCLI cloudfront list-distributions --query 'DistributionList.Items[*].Id' $PROFILE_OPT --output text|grep -v ^None)
diff --git a/checks/check_extra768 b/checks/check_extra768
index 25078fd8..f0c6b3d1 100644
--- a/checks/check_extra768
+++ b/checks/check_extra768
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra768="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra768="AwsEcsTaskDefinition"
 CHECK_ALTERNATE_check768="extra768"
 CHECK_SERVICENAME_extra768="ecs"
+CHECK_RISK_extra768='The use of a hard-coded password increases the possibility of password guessing. If hard-coded passwords are used; it is possible that malicious users gain access through the account in question.'
+CHECK_REMEDIATION_extra768='Use Secrets Manager to securely provide database credentials to Lambda functions and secure the databases as well as use the credentials to connect and query them without hardcoding the secrets in code or passing them through environmental variables. '
+CHECK_DOC_extra768='https://docs.aws.amazon.com/secretsmanager/latest/userguide/lambda-functions.html'
+CHECK_CAF_EPIC_extra768='Logging and Monitoring'
 
 extra768(){
 SECRETS_TEMP_FOLDER="$PROWLER_DIR/secrets-$ACCOUNT_NUM"
diff --git a/checks/check_extra769 b/checks/check_extra769
index e56196d4..3d45692b 100644
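Review bot: CHECK_REMEDIATION_extra768 and CHECK_DOC_extra768 are copied verbatim from the Lambda checks (extra759/extra760) and tell the operator to "provide database credentials to Lambda functions", but this check's resource type is AwsEcsTaskDefinition and its service is ecs; check_extra775 (service autoscaling, same hunk family further down) has the identical copy-paste. For ECS the remediation should point at the task definition's `secrets`/`valueFrom` mechanism for injecting Secrets Manager or SSM Parameter Store values instead of plaintext `environment` entries, with CHECK_DOC pointing at the ECS developer-guide page on specifying sensitive data rather than the Secrets Manager Lambda page; extra775 needs the launch-configuration equivalent. CHECK_CAF_EPIC_extra768 is also set to `'Logging and Monitoring'` while every other hard-coded-secret check in this change (extra742, extra759, extra760, extra775) uses `'IAM'`, which looks like an oversight rather than a deliberate classification.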
--- a/checks/check_extra769
+++ b/checks/check_extra769
@@ -18,6 +18,10 @@ CHECK_TYPE_extra769="EXTRA"
 CHECK_SEVERITY_extra769="High"
 CHECK_ALTERNATE_check769="extra769"
 CHECK_SERVICENAME_extra769="accessanalyzer"
+CHECK_RISK_extra769='AWS IAM Access Analyzer helps you identify the resources in your organization and accounts; such as Amazon S3 buckets or IAM roles; that are shared with an external entity. This lets you identify unintended access to your resources and data; which is a security risk. IAM Access Analyzer uses a form of mathematical analysis called automated reasoning; which applies logic and mathematical inference to determine all possible access paths allowed by a resource policy.'
+CHECK_REMEDIATION_extra769='Enable IAM Access Analyzer for all accounts; create analyzer and take action over it is recommendations (IAM Access Analyzer is available at no additional cost).'
+CHECK_DOC_extra769='https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html'
+CHECK_CAF_EPIC_extra769='IAM'
 
 extra769(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra770 b/checks/check_extra770
index f2f9e218..7c52439b 100644
--- a/checks/check_extra770
+++ b/checks/check_extra770
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra770="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra770="AwsEc2Instance"
 CHECK_ALTERNATE_check770="extra770"
 CHECK_SERVICENAME_extra770="ec2"
+CHECK_RISK_extra770='Exposing an EC2 directly to internet increases the attack surface and therefore the risk of compromise.'
+CHECK_REMEDIATION_extra770='Use an ALB and apply WAF ACL.'
+CHECK_DOC_extra770='https://aws.amazon.com/blogs/aws/aws-web-application-firewall-waf-for-application-load-balancers/'
+CHECK_CAF_EPIC_extra770='Infrastructure Security'
 
 extra770(){
 # "Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra771 b/checks/check_extra771
index c109d059..cffc6021 100644
--- a/checks/check_extra771
+++ b/checks/check_extra771
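Review bot: CHECK_REMEDIATION_extra769 reads `take action over it is recommendations`, which should be `act on its findings`; and CHECK_RISK_extra769 is a three-sentence product description of Access Analyzer in which the only risk statement is buried in the middle. The operator-facing line is clearer as `CHECK_RISK_extra769='Without an analyzer; resources such as S3 buckets or IAM roles that are shared with an external entity can go unnoticed; leaving unintended access to your data undetected.'`, with the description of automated reasoning left to the CHECK_DOC page.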
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra771="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra771="AwsS3Bucket"
 CHECK_ALTERNATE_check771="extra771"
 CHECK_SERVICENAME_extra771="s3"
+CHECK_RISK_extra771='Non intended users can put objects in a given bucket.'
+CHECK_REMEDIATION_extra771='Ensure proper bucket policy is in place with the least privilege principle applied.'
+CHECK_DOC_extra771='https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_s3_rw-bucket.html'
+CHECK_CAF_EPIC_extra771='IAM'
 
 extra771(){
 LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --region $REGION --query Buckets[*].Name --output text|xargs -n1)
diff --git a/checks/check_extra772 b/checks/check_extra772
index 87a1c528..2604662e 100644
--- a/checks/check_extra772
+++ b/checks/check_extra772
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra772="Low"
 CHECK_ASFF_RESOURCE_TYPE_extra772="AwsEc2Eip"
 CHECK_ALTERNATE_check772="extra772"
 CHECK_SERVICENAME_extra772="ec2"
+CHECK_RISK_extra772='You are charged by the hour for each Elastic IP address that are not attached to an EC2 instance .'
+CHECK_REMEDIATION_extra772='If you don’t need an Elastic IP address; you can stop the charges by releasing the IP address.'
+CHECK_DOC_extra772='https://aws.amazon.com/premiumsupport/knowledge-center/elastic-ip-charges/'
+CHECK_CAF_EPIC_extra772='Infrastructure Security'
 
 extra772(){
 for region in $REGIONS; do
diff --git a/checks/check_extra773 b/checks/check_extra773
index 20068495..34a6cacc 100644
--- a/checks/check_extra773
+++ b/checks/check_extra773
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra773="AwsCloudFrontDistribution"
 CHECK_ALTERNATE_check773="extra773"
 CHECK_ASFF_COMPLIANCE_TYPE_extra773="ens-mp.s.2.aws.waf.1"
 CHECK_SERVICENAME_extra773="cloudfront"
+CHECK_RISK_extra773='Potential attacks and / or abuse of service; more even for even for internet reachable services.'
+CHECK_REMEDIATION_extra773='Use AWS WAF to protect your service from common web exploits. These could affect availability and performance; compromise security; or consume excessive resources.'
+CHECK_DOC_extra773='https://docs.aws.amazon.com/waf/latest/developerguide/cloudfront-features.html'
+CHECK_CAF_EPIC_extra773='Infrastructure Security'
 
 extra773(){
 # "Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra774 b/checks/check_extra774
index 9f167514..4fce1afe 100644
--- a/checks/check_extra774
+++ b/checks/check_extra774
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra774="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra774="AwsIamUser"
 CHECK_ALTERNATE_check774="extra774"
 CHECK_SERVICENAME_extra774="iam"
+CHECK_RISK_extra774='To increase the security of your AWS account; remove IAM user credentials (that is; passwords and access keys) that are not needed. For example; when users leave your organization or no longer need AWS access.'
+CHECK_REMEDIATION_extra774='Find the credentials that they were using and ensure that they are no longer operational. Ideally; you delete credentials if they are no longer needed. You can always recreate them at a later date if the need arises. At the very least; you should change the password or deactivate the access keys so that the former users no longer have access.'
+CHECK_DOC_extra774='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html'
+CHECK_CAF_EPIC_extra774='IAM'
 
 extra774(){
 check_creds_used_in_last_days 30
diff --git a/checks/check_extra775 b/checks/check_extra775
index 5a60b320..9d871b97 100644
--- a/checks/check_extra775
+++ b/checks/check_extra775
@@ -17,6 +17,10 @@ CHECK_TYPE_extra775="EXTRA"
 CHECK_SEVERITY_extra775="Critical"
 CHECK_ALTERNATE_check775="extra775"
 CHECK_SERVICENAME_extra775="autoscaling"
+CHECK_RISK_extra775='The use of a hard-coded password increases the possibility of password guessing. If hard-coded passwords are used; it is possible that malicious users gain access through the account in question.'
+CHECK_REMEDIATION_extra775='Use Secrets Manager to securely provide database credentials to Lambda functions and secure the databases as well as use the credentials to connect and query them without hardcoding the secrets in code or passing them through environmental variables. '
+CHECK_DOC_extra775='https://docs.aws.amazon.com/secretsmanager/latest/userguide/lambda-functions.html'
+CHECK_CAF_EPIC_extra775='IAM'
 
 extra775(){
 SECRETS_TEMP_FOLDER="$PROWLER_DIR/secrets-$ACCOUNT_NUM"
diff --git a/checks/check_extra776 b/checks/check_extra776
index 9f14cd04..5bfe48a4 100644
--- a/checks/check_extra776
+++ b/checks/check_extra776
@@ -32,6 +32,10 @@ CHECK_TYPE_extra776="EXTRA"
 CHECK_SEVERITY_extra776="Medium"
 CHECK_ALTERNATE_check776="extra776"
 CHECK_SERVICENAME_extra776="ecr"
+CHECK_RISK_extra776='Amazon ECR image scanning helps in identifying software vulnerabilities in your container images. Amazon ECR uses the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project and provides a list of scan findings. '
+CHECK_REMEDIATION_extra776='Open the Amazon ECR console. look for vulnerabilities and fix them.'
+CHECK_DOC_extra776='https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html#describe-scan-findings'
+CHECK_CAF_EPIC_extra776='Logging and Monitoring'
 
 extra776(){
 for region in $REGIONS; do
diff --git a/checks/check_extra777 b/checks/check_extra777
index 3120963d..ffd79feb 100644
--- a/checks/check_extra777
+++ b/checks/check_extra777
@@ -22,6 +22,10 @@ CHECK_SEVERITY_extra777="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra777="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check777="extra777"
 CHECK_SERVICENAME_extra777="ec2"
+CHECK_RISK_extra777='If Security groups are not properly configured the attack surface is increased. '
+CHECK_REMEDIATION_extra777='Use a Zero Trust approach. Narrow ingress traffic as much as possible. Consider north-south as well as east-west traffic.'
+CHECK_DOC_extra777='https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html'
+CHECK_CAF_EPIC_extra777='Infrastructure Security'
 
 extra777(){
 THRESHOLD=50
diff --git a/checks/check_extra778 b/checks/check_extra778
index 59d60335..3814d52c 100644
--- a/checks/check_extra778
+++ b/checks/check_extra778
@@ -19,6 +19,10 @@ CHECK_SEVERITY_extra778="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra778="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check778="extra778"
 CHECK_SERVICENAME_extra778="ec2"
+CHECK_RISK_extra778='If Security groups are not properly configured the attack surface is increased. '
+CHECK_REMEDIATION_extra778='Use a Zero Trust approach. Narrow ingress traffic as much as possible. Consider north-south as well as east-west traffic.'
+CHECK_DOC_extra778='https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html'
+CHECK_CAF_EPIC_extra778='Infrastructure Security'
 
 extra778(){
 CIDR_THRESHOLD=24
diff --git a/checks/check_extra779 b/checks/check_extra779
index cfd8ebc9..e0d614ec 100644
--- a/checks/check_extra779
+++ b/checks/check_extra779
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra779="High"
 CHECK_ASFF_RESOURCE_TYPE_extra779="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check779="extra779"
 CHECK_SERVICENAME_extra779="ec2"
+CHECK_RISK_extra779='If Security groups are not properly configured the attack surface is increased. '
+CHECK_REMEDIATION_extra779='Use a Zero Trust approach. Narrow ingress traffic as much as possible. Consider north-south as well as east-west traffic.'
+CHECK_DOC_extra779='https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html'
+CHECK_CAF_EPIC_extra779='Infrastructure Security'
 
 extra779(){
 ES_API_PORT="9200"
diff --git a/checks/check_extra780 b/checks/check_extra780
index 688e9b94..17c85c9a 100644
--- a/checks/check_extra780
+++ b/checks/check_extra780
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra780="High"
 CHECK_ASFF_RESOURCE_TYPE_extra780="AwsElasticsearchDomain"
 CHECK_ALTERNATE_check780="extra780"
 CHECK_SERVICENAME_extra780="es"
+CHECK_RISK_extra780='Amazon Elasticsearch Service supports Amazon Cognito for Kibana authentication. '
+CHECK_REMEDIATION_extra780='If you do not configure Amazon Cognito authentication; you can still protect Kibana using an IP-based access policy and a proxy server; HTTP basic authentication; or SAML.'
+CHECK_DOC_extra780='https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-ac.html'
+CHECK_CAF_EPIC_extra780='IAM'
 
 extra780(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra781 b/checks/check_extra781
index 40968fdc..73528083 100644
--- a/checks/check_extra781
+++ b/checks/check_extra781
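Review bot: CHECK_RISK_extra780 states a product capability ("supports Amazon Cognito for Kibana authentication") rather than the risk the check is flagging, so a High-severity finding is rendered with no explanation of why it matters. Judging from CHECK_REMEDIATION_extra780, the check presumably reports domains whose Kibana endpoint has no Cognito authentication configured; a risk-shaped line such as `CHECK_RISK_extra780='Without an authentication layer in front of Kibana; anyone who can reach the domain endpoint can use it to query the data in the domain.'` would match the other CHECK_RISK strings in this change. The remediation text itself already lists the alternatives and can stay as is.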
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra781="AwsElasticsearchDomain"
 CHECK_ALTERNATE_check781="extra781"
 CHECK_ASFF_COMPLIANCE_TYPE_extra781="ens-mp.info.3.aws.au.1"
 CHECK_SERVICENAME_extra781="es"
+CHECK_RISK_extra781='If not enable unauthorized access to your data could risk increases.'
+CHECK_REMEDIATION_extra781='Enable encryption at rest using AWS KMS to store and manage your encryption keys and the Advanced Encryption Standard algorithm with 256-bit keys (AES-256) to perform the encryption.'
+CHECK_DOC_extra781='https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/encryption-at-rest.html'
+CHECK_CAF_EPIC_extra781='Data Protection'
 
 extra781(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra782 b/checks/check_extra782
index ecb9b3b0..4ff97968 100644
--- a/checks/check_extra782
+++ b/checks/check_extra782
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra782="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra782="AwsElasticsearchDomain"
 CHECK_ALTERNATE_check782="extra782"
 CHECK_SERVICENAME_extra782="es"
+CHECK_RISK_extra782='Node-to-node encryption provides an additional layer of security on top of the default features of Amazon ES. This architecture prevents potential attackers from intercepting traffic between Elasticsearch nodes and keeps the cluster secure.'
+CHECK_REMEDIATION_extra782='Node-to-node encryption on new domains requires Elasticsearch 6.0 or later. Enabling the feature on existing domains requires Elasticsearch 6.7 or later. Choose the existing domain in the AWS console; Actions; and Modify encryption.'
+CHECK_DOC_extra782='https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/ntn.html'
+CHECK_CAF_EPIC_extra782='Data Protection'
 
 extra782(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra783 b/checks/check_extra783
index 09ffe99e..0294f6bc 100644
--- a/checks/check_extra783
+++ b/checks/check_extra783
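Review bot: CHECK_RISK_extra781 is not a grammatical sentence (`If not enable unauthorized access to your data could risk increases.`) and CHECK_RISK_extra783 repeats the same string verbatim, so two different findings (encryption at rest, HTTPS enforcement) both render an unreadable risk. Each should state its own condition: `CHECK_RISK_extra781='If encryption at rest is not enabled; the risk of unauthorized access to the data stored in the domain increases.'` and, for extra783, `CHECK_RISK_extra783='If HTTPS is not required; traffic to the domain can travel in clear text and be read or altered in transit.'`.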
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra783="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra783="AwsElasticsearchDomain"
 CHECK_ALTERNATE_check783="extra783"
 CHECK_SERVICENAME_extra783="es"
+CHECK_RISK_extra783='If not enable unauthorized access to your data could risk increases.'
+CHECK_REMEDIATION_extra783='When creating ES Domains; enable "Require HTTPS fo all traffic to the domain".'
+CHECK_DOC_extra783='https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createupdatedomains.html'
+CHECK_CAF_EPIC_extra783='Data Protection'
 
 extra783(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra784 b/checks/check_extra784
index ea4fa4d9..9c9de6b0 100644
--- a/checks/check_extra784
+++ b/checks/check_extra784
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra784="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra784="AwsElasticsearchDomain"
 CHECK_ALTERNATE_check784="extra784"
 CHECK_SERVICENAME_extra784="es"
+CHECK_RISK_extra784='Internal User Database is convenient for demos; for production environment use Federated authentication.'
+CHECK_REMEDIATION_extra784='Remove users from internal user database and uso Cognito instead.'
+CHECK_DOC_extra784='https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/fgac.html'
+CHECK_CAF_EPIC_extra784='IAM'
 
 extra784(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra785 b/checks/check_extra785
index 31483ae9..0c51277a 100644
--- a/checks/check_extra785
+++ b/checks/check_extra785
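Review bot: CHECK_REMEDIATION_extra783 quotes the console option as `"Require HTTPS fo all traffic to the domain"` (`fo` for `for`), and CHECK_REMEDIATION_extra784 in the next hunk has `uso Cognito` for `use Cognito`; since the first one is presented as a literal UI label, the typo will make operators search the console for text that does not exist. The lines should read `CHECK_REMEDIATION_extra783='When creating ES Domains; enable "Require HTTPS for all traffic to the domain".'` and `CHECK_REMEDIATION_extra784='Remove users from internal user database and use Cognito instead.'`.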
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra785="Low"
 CHECK_ASFF_RESOURCE_TYPE_extra785="AwsElasticsearchDomain"
 CHECK_ALTERNATE_check785="extra785"
 CHECK_SERVICENAME_extra785="es"
+CHECK_RISK_extra785='Amazon ES regularly releases system software updates that add features or otherwise improve your domains.'
+CHECK_REMEDIATION_extra785='The Notifications panel in the console is the easiest way to see if an update is available or check the status of an update. You can also receive these notifications through Amazon EventBridge. If you take no action on required updates; Amazon ES still updates your domain service software automatically after a certain timeframe (typically two weeks). In this situation; Amazon ES sends notifications when it starts the update and when the update is complete.'
+CHECK_DOC_extra785='https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-service-software.html'
+CHECK_CAF_EPIC_extra785='Infrastructure Security'
 # NOTE!
 # API does not properly shows if an update is available while it is a new version available
diff --git a/checks/check_extra786 b/checks/check_extra786
index 04570dfc..99c0c9ea 100644
--- a/checks/check_extra786
+++ b/checks/check_extra786
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra786="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra786="AwsEc2Instance"
 CHECK_ALTERNATE_check786="extra786"
 CHECK_SERVICENAME_extra786="ec2"
+CHECK_RISK_extra786='Using IMDSv2 will protect from misconfiguration and SSRF vulnerabilities. IMDSv1 will not.'
+CHECK_REMEDIATION_extra786='If you don’t need IMDS you can turn it off. Using aws-cli you can force the instance to use only IMDSv2.'
+CHECK_DOC_extra786='https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html#configuring-instance-metadata-options'
+CHECK_CAF_EPIC_extra786='Infrastructure Security'
 extra786(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra787 b/checks/check_extra787
index b85b3969..5481a0f6 100644
--- a/checks/check_extra787
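Review bot: `CHECK_RISK_extra785` describes the update feature rather than the risk the check flags, which is a domain running outdated service software; consider `CHECK_RISK_extra785='Domains running outdated service software may lack security fixes and improvements that Amazon ES has already released.'`. The same pattern, a descriptive sentence in the risk field instead of a consequence, also appears in `CHECK_RISK_extra796` and `CHECK_RISK_extra799`. The remediation for 785 is mostly a description of the notification flow and the forced-update window; a shorter action-first sentence such as `'Apply pending service software updates promptly; the Notifications panel in the console shows whether an update is available.'` would be easier to act on in a report.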
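Review bot: `CHECK_RISK_extra786` overstates what IMDSv2 provides: it does not prevent SSRF or proxy misconfiguration, it makes them much harder to turn into instance-credential theft because a session token obtained via a PUT request is required. Suggest `CHECK_RISK_extra786='IMDSv2 requires a session token and so mitigates theft of instance credentials through SSRF and misconfigured proxies; IMDSv1 does not.'`. The remediation contains a non-ASCII apostrophe in `don’t`, presumably chosen so the single-quoted string is not terminated; rewording to `'If you do not need IMDS you can turn it off. Using aws-cli you can force the instance to use only IMDSv2.'` keeps the string plain ASCII.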
+++ b/checks/check_extra787
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra787="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra787="AwsEc2Instance"
 CHECK_ALTERNATE_check787="extra787"
 CHECK_SERVICENAME_extra787="es"
+CHECK_RISK_extra787='Internet exposed services increases the risk of unauthorised.'
+CHECK_REMEDIATION_extra787='Placing an Amazon ES domain within a VPC enables secure communication between Amazon ES and other services within the VPC without the need for an internet gateway; NAT device; or VPN connection. All traffic remains securely within the AWS Cloud.'
+CHECK_DOC_extra787='https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-vpc.html'
+CHECK_CAF_EPIC_extra787='Infrastructure Security'
 extra787(){
 # Prowler will try to access each ElasticSearch server to port:
diff --git a/checks/check_extra788 b/checks/check_extra788
index 9bd0e819..3510a1f8 100644
--- a/checks/check_extra788
+++ b/checks/check_extra788
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra788="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra788="AwsElasticsearchDomain"
 CHECK_ALTERNATE_check788="extra788"
 CHECK_SERVICENAME_extra788="es"
+CHECK_RISK_extra788='Internet exposed services increases the risk of unauthorised.'
+CHECK_REMEDIATION_extra788='Placing an Amazon ES domain within a VPC enables secure communication between Amazon ES and other services within the VPC without the need for an internet gateway; NAT device; or VPN connection. All traffic remains securely within the AWS Cloud.'
+CHECK_DOC_extra788='https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-vpc.html'
+CHECK_CAF_EPIC_extra788='Infrastructure Security'
 extra788(){
 # Prowler will try to access each ElasticSearch server to the public URI endpoint.
diff --git a/checks/check_extra789 b/checks/check_extra789
index f289785a..c005c036 100644
--- a/checks/check_extra789
+++ b/checks/check_extra789
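Review bot: `CHECK_RISK_extra787` is cut off mid-sentence (`...increases the risk of unauthorised.`) and the identical truncated string is added in check_extra788; suggest `'Internet exposed services increase the risk of unauthorised access.'` in both. The remediation for 787 is the same text as 788 and talks about placing an Amazon ES domain inside a VPC, but this check's resource type is `AwsEc2Instance` and the comment at the top of `extra787()` mentions reaching each Elasticsearch server on a port, which suggests self-managed Elasticsearch on EC2 rather than a managed domain; if so, the remediation should instead speak to restricting the instance's security group so the port is not reachable from the internet. The body of `extra787()` continues outside the hunk, so this reading should be confirmed against the rest of the function.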
@@ -19,6 +19,10 @@ CHECK_SEVERITY_extra789="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra789="AwsEc2Vpc"
 CHECK_ALTERNATE_extra789="extra789"
 CHECK_SERVICENAME_extra789="vpc"
+CHECK_RISK_extra789='Account VPC could be linked to other accounts.'
+CHECK_REMEDIATION_extra789='In multi Account environments identify untrusted links. Check trust chaining and dependencies between accounts.'
+CHECK_DOC_extra789='https://github.com/toniblyx/prowler/#trust-boundaries-checks'
+CHECK_CAF_EPIC_extra789='Infrastructure Security'
 extra789(){
 TRUSTED_ACCOUNT_IDS=$( echo "${ACCOUNT_NUM} ${GROUP_TRUSTBOUNDARIES_TRUSTED_ACCOUNT_IDS}" | xargs )
diff --git a/checks/check_extra790 b/checks/check_extra790
index 5278365c..91f54808 100644
--- a/checks/check_extra790
+++ b/checks/check_extra790
@@ -19,6 +19,10 @@ CHECK_SEVERITY_extra790="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra790="AwsEc2Vpc"
 CHECK_ALTERNATE_extra790="extra790"
 CHECK_SERVICENAME_extra790="vpc"
+CHECK_RISK_extra790='Account VPC could be linked to other accounts.'
+CHECK_REMEDIATION_extra790='In multi Account environments identify untrusted links. Check trust chaining and dependencies between accounts.'
+CHECK_DOC_extra790='https://github.com/toniblyx/prowler/#trust-boundaries-checks'
+CHECK_CAF_EPIC_extra790='Infrastructure Security'
 extra790(){
 TRUSTED_ACCOUNT_IDS=$( echo "${ACCOUNT_NUM} ${GROUP_TRUSTBOUNDARIES_TRUSTED_ACCOUNT_IDS}" | xargs )
diff --git a/checks/check_extra791 b/checks/check_extra791
index a6ca4f9d..06b5784e 100644
--- a/checks/check_extra791
+++ b/checks/check_extra791
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra791="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra791="AwsCloudFrontDistribution"
 CHECK_ALTERNATE_check791="extra791"
 CHECK_SERVICENAME_extra791="cloudfront"
+CHECK_RISK_extra791='Using insecure ciphers could affect privacy of in transit information.'
+CHECK_REMEDIATION_extra791='Use a Security policy with a ciphers that are stronger as possible. Drop legacy and unsecure ciphers.'
+CHECK_DOC_extra791='https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html'
+CHECK_CAF_EPIC_extra791='Data Protection'
 extra791(){
 LIST_OF_DISTRIBUTIONS=$($AWSCLI cloudfront list-distributions --query 'DistributionList.Items[*].Id' $PROFILE_OPT --output text|grep -v ^None)
diff --git a/checks/check_extra792 b/checks/check_extra792
index 23f0d03d..df64d8b6 100644
--- a/checks/check_extra792
+++ b/checks/check_extra792
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra792="AwsElbLoadBalancer"
 CHECK_ALTERNATE_check792="extra792"
 CHECK_ASFF_COMPLIANCE_TYPE_extra792="ens-mp.com.2.aws.elb.2"
 CHECK_SERVICENAME_extra792="elb"
+CHECK_RISK_extra792='Using insecure ciphers could affect privacy of in transit information.'
+CHECK_REMEDIATION_extra792='Use a Security policy with a ciphers that are stronger as possible. Drop legacy and unsecure ciphers.'
+CHECK_DOC_extra792='https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-ssl-security-policy.html'
+CHECK_CAF_EPIC_extra792='Data Protection'
 extra792(){
 # "Check if Elastic Load Balancers have insecure SSL ciphers (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra793 b/checks/check_extra793
index 7ffc6df6..dac5bf98 100644
--- a/checks/check_extra793
+++ b/checks/check_extra793
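Review bot: `CHECK_REMEDIATION_extra791` is ungrammatical (`a ciphers that are stronger as possible`, `unsecure`); suggest `CHECK_REMEDIATION_extra791='Use a security policy with the strongest ciphers available. Drop legacy and insecure ciphers.'`. check_extra792 adds the identical string and needs the same fix. The risk sentence would also read better as `'Using insecure ciphers could affect the confidentiality of information in transit.'`, since confidentiality is the property TLS cipher strength protects.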
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra793="AwsElbLoadBalancer"
 CHECK_ALTERNATE_check793="extra793"
 CHECK_ASFF_COMPLIANCE_TYPE_extra793="ens-mp.com.2.aws.elb.1"
 CHECK_SERVICENAME_extra793="elb"
+CHECK_RISK_extra793='Clear text communication could affect privacy of information in transit.'
+CHECK_REMEDIATION_extra793='Scan for Load Balancers with HTTP or TCP listeners and understand the reason for each of them. Check if the listener can be implemented as TLS instead.'
+CHECK_DOC_extra793='https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html'
+CHECK_CAF_EPIC_extra793='Data Protection'
 extra793(){
 # "Check if Elastic Load Balancers have encrypted listeners (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra794 b/checks/check_extra794
index fd763765..1e424237 100644
--- a/checks/check_extra794
+++ b/checks/check_extra794
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra794="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra794="AwsEksCluster"
 CHECK_ALTERNATE_check794="extra794"
 CHECK_SERVICENAME_extra794="eks"
+CHECK_RISK_extra794='If logs are not enabled; monitoring of service use and threat analysis is not possible.'
+CHECK_REMEDIATION_extra794='Make sure you logging for EKS control plane is enabled.'
+CHECK_DOC_extra794='https://docs.aws.amazon.com/eks/latest/userguide/logging-monitoring.html'
+CHECK_CAF_EPIC_extra794='Logging and Monitoring'
 extra794(){
 textInfo "Looking for control plane logging enabled for EKS clusters across all regions... "
diff --git a/checks/check_extra795 b/checks/check_extra795
index 4196456e..698f0d8c 100644
--- a/checks/check_extra795
+++ b/checks/check_extra795
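Review bot: `CHECK_REMEDIATION_extra794` reads `Make sure you logging for EKS control plane is enabled.`; suggest `CHECK_REMEDIATION_extra794='Make sure logging for the EKS control plane is enabled for all log types in use.'`. The risk string for 794 matches the one used for the Elasticsearch audit-log check earlier in this commit, which is a good consistency; the remediation should be the one place that is EKS-specific.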
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra795="High"
 CHECK_ASFF_RESOURCE_TYPE_extra795="AwsEksCluster"
 CHECK_ALTERNATE_check795="extra795"
 CHECK_SERVICENAME_extra795="eks"
+CHECK_RISK_extra795='Publicly accessible services could expose sensible data to bad actors.'
+CHECK_REMEDIATION_extra795='Enable private access to the Kubernetes API server so that all communication between your nodes and the API server stays within your VPC. Disable internet access to the API server.'
+CHECK_DOC_extra795='https://docs.aws.amazon.com/eks/latest/userguide/infrastructure-security.html'
+CHECK_CAF_EPIC_extra795='Infrastructure Security'
 extra795(){
 textInfo "Looking for public access enabled for EKS clusters across all regions... "
diff --git a/checks/check_extra796 b/checks/check_extra796
index d4134b35..e69040a9 100644
--- a/checks/check_extra796
+++ b/checks/check_extra796
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra796="High"
 CHECK_ASFF_RESOURCE_TYPE_extra796="AwsEksCluster"
 CHECK_ALTERNATE_check796="extra796"
 CHECK_SERVICENAME_extra796="eks"
+CHECK_RISK_extra796='By default; this API server endpoint is public to the internet; and access to the API server is secured using a combination of AWS Identity and Access Management (IAM) and native Kubernetes Role Based Access Control (RBAC).'
+CHECK_REMEDIATION_extra796='You should enable private access to the Kubernetes API server so that all communication between your nodes and the API server stays within your VPC. You can limit the IP addresses that can access your API server from the internet; or completely disable internet access to the API server.'
+CHECK_DOC_extra796='https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html'
+CHECK_CAF_EPIC_extra796='Infrastructure Security'
 extra796(){
 textInfo "Looking for public access CIDRs for EKS clusters across all regions... "
diff --git a/checks/check_extra797 b/checks/check_extra797
index cafe95b4..13a16727 100644
--- a/checks/check_extra797
+++ b/checks/check_extra797
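Review bot: `sensible data` in `CHECK_RISK_extra795` is a false friend; `sensitive data` is meant, and the same string is added in check_extra798. Suggest `'Publicly accessible services could expose sensitive data to bad actors.'` in both places. The remediation for 798 also has a grammatical slip; `CHECK_REMEDIATION_extra798='Grant usage permission on a per-resource basis and apply the least privilege principle.'` reads cleanly.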
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra797="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra797="AwsEksCluster"
 CHECK_ALTERNATE_check797="extra797"
 CHECK_SERVICENAME_extra797="eks"
+CHECK_RISK_extra797='Implementing envelope encryption is considered a security best practice for applications that store sensitive data and is part of a defense in depth security strategy.'
+CHECK_REMEDIATION_extra797=' Setup your own Customer Master Key (CMK) in KMS and link this key by providing the CMK ARN when you create an EKS cluster.'
+CHECK_DOC_extra797='https://docs.aws.amazon.com/eks/latest/userguide/create-cluster.html'
+CHECK_CAF_EPIC_extra797='Data Protection'
 extra797(){
 textInfo "Looking for encryption config for EKS clusters across all regions... "
diff --git a/checks/check_extra798 b/checks/check_extra798
index 136c85e5..ddbfe8fa 100644
--- a/checks/check_extra798
+++ b/checks/check_extra798
@@ -19,6 +19,10 @@ CHECK_SEVERITY_extra798="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra798="AwsLambdaFunction"
 CHECK_ALTERNATE_check798="extra798"
 CHECK_SERVICENAME_extra798="lambda"
+CHECK_RISK_extra798='Publicly accessible services could expose sensible data to bad actors.'
+CHECK_REMEDIATION_extra798='Grant usage permission on a per-resource basis and applying least privilege principle.'
+CHECK_DOC_extra798='https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html'
+CHECK_CAF_EPIC_extra798='Infrastructure Security'
 extra798(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra799 b/checks/check_extra799
index 75a391ec..c028df95 100644
--- a/checks/check_extra799
+++ b/checks/check_extra799
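Review bot: `CHECK_REMEDIATION_extra797` begins with a stray space inside the quotes (`=' Setup your own...`), which will be carried verbatim into every report row that prints the remediation field. Drop it and use the verb form: `CHECK_REMEDIATION_extra797='Set up your own Customer Master Key (CMK) in KMS and link this key by providing the CMK ARN when you create an EKS cluster.'`. The risk string states that envelope encryption is a best practice but not what is exposed without it; adding `Without it Kubernetes secrets are protected only by the default etcd encryption.` would name the consequence, hedged here since the check's body is outside the hunk.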
@@ -19,6 +19,10 @@ CHECK_SEVERITY_extra799="High"
 CHECK_ASFF_RESOURCE_TYPE_extra799="AwsSecurityHubHub"
 CHECK_ALTERNATE_check799="extra799"
 CHECK_SERVICENAME_extra799="securityhub"
+CHECK_RISK_extra799='AWS Security Hub gives you a comprehensive view of your security alerts and security posture across your AWS accounts.'
+CHECK_REMEDIATION_extra799='Security Hub is Regional. When you enable or disable a security standard; it is enabled or disabled only in the current Region or in the Region that you specify.'
+CHECK_DOC_extra799='https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable.html'
+CHECK_CAF_EPIC_extra799='Logging and Monitoring'
 extra799(){
 for regx in $REGIONS; do
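Review bot: `CHECK_REMEDIATION_extra799` explains that Security Hub is Regional but never tells the reader what to do; suggest `CHECK_REMEDIATION_extra799='Enable Security Hub and the required security standards in every Region in use; enablement is per Region.'`. The `for regx in $REGIONS` loop that opens `extra799()` suggests the check is evaluated per Region, which is why the per-Region wording matters; the function body continues outside the hunk.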