diff --git a/README.md b/README.md index 56580f28..43deffaf 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,8 @@ -# Prowler AWS Security Tool +

+ +

+ +# Prowler - AWS Security Tool ## Table of Contents @@ -27,7 +31,7 @@ ## Description -Prowler is a command line tool for AWS Security Best Practices Assessment, Auditing, Hardening and Forensics Readiness Tool. +Prowler is a command line tool that helps you with AWS security assessment, auditing, hardening and incident response. It follows guidelines of the CIS Amazon Web Services Foundations Benchmark (49 checks) and has more than 100 additional checks including related to GDPR, HIPAA, PCI-DSS, ISO-27001, FFIEC, SOC2 and others. @@ -48,23 +52,19 @@ Read more about [CIS Amazon Web Services Foundations Benchmark v1.2.0 - 05-23-20 - GDPR [gdpr] Read more [here](#gdpr-checks) - HIPAA [hipaa] Read more [here](#hipaa-checks) - Trust Boundaries [trustboundaries] Read more [here](#trust-boundaries-checks) -- Secrets -- PCI-DSS -- ISO-27001 +- Secrets - Internet exposed resources - EKS-CIS -- FFIEC -- SOC2 -- ENS (Esquema Nacional de Seguridad of Spain) +- Also includes PCI-DSS, ISO-27001, FFIEC, SOC2, ENS (Esquema Nacional de Seguridad of Spain). With Prowler you can: -- get a direct colorful or monochrome report -- a HTML, CSV, JUNIT, JSON or JSON ASFF format report -- send findings directly to Security Hub -- run specific checks and groups or create your own -- check multiple AWS accounts in parallel or sequentially -- and more! Read examples below +- Get a direct colorful or monochrome report +- A HTML, CSV, JUNIT, JSON or JSON ASFF format report +- Send findings directly to Security Hub +- Run specific checks and groups or create your own +- Check multiple AWS accounts in parallel or sequentially +- And more! Read examples below ## High level architecture 
@@ -189,14 +189,15 @@ Prowler has been written in bash using AWS-CLI and it works in Linux and OSX. - Sample screenshot of report first lines: - screenshot 2016-09-13 16 05 42 - -- Sample screenshot of single check for check 3.3: - - screenshot 2016-09-14 13 20 46 + - Sample screenshot of the html output `-M html`: - Prowler html + + Prowler html + +- Sample screenshot of the junit-xml output in CodeBuild `-M junit-xml`: + + ### Save your reports diff --git a/checks/check11 b/checks/check11 index c6cf4aef..d8040e41 100644 --- a/checks/check11 +++ b/checks/check11 @@ -16,6 +16,10 @@ CHECK_SEVERITY_check11="High" CHECK_ASFF_TYPE_check11="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ALTERNATE_check101="check11" CHECK_SERVICENAME_check11="iam" +CHECK_RISK_check11='The "root" account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided.' +CHECK_REMEDIATION_check11='Follow the remediation instructions of the Ensure IAM policies are attached only to groups or roles recommendation.' +CHECK_DOC_check11='http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html' +CHECK_CAF_EPIC_check11='IAM' check11(){ # "Avoid the use of the root account (Scored)." diff --git a/checks/check110 b/checks/check110 index 9c6e4a85..3e638cc5 100644 --- a/checks/check110 +++ b/checks/check110 
@@ -16,6 +16,10 @@ CHECK_SEVERITY_check110="Medium" CHECK_ASFF_TYPE_check110="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ALTERNATE_check110="check110" CHECK_SERVICENAME_check110="iam" +CHECK_RISK_check110='Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter.' +CHECK_REMEDIATION_check110='Ensure "Number of passwords to remember" is set to 24.' +CHECK_DOC_check110='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html' +CHECK_CAF_EPIC_check110='IAM' check110(){ # "Ensure IAM password policy prevents password reuse: 24 or greater (Scored)" diff --git a/checks/check111 b/checks/check111 index 71c44c65..ea03f28b 100644 --- a/checks/check111 +++ b/checks/check111 @@ -16,6 +16,10 @@ CHECK_SEVERITY_check111="Medium" CHECK_ASFF_TYPE_check111="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ALTERNATE_check111="check111" CHECK_SERVICENAME_check111="iam" +CHECK_RISK_check111='Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter.' +CHECK_REMEDIATION_check111='Ensure "Password expiration period (in days):" is set to 90 or less.' +CHECK_DOC_check111='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html' +CHECK_CAF_EPIC_check111='IAM' check111(){ # "Ensure IAM password policy expires passwords within 90 days or less (Scored)" diff --git a/checks/check112 b/checks/check112 index 9dd95dbf..4431bf29 100644 --- a/checks/check112 +++ b/checks/check112 
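Review bot: CHECK_RISK_check110 is the password-complexity paragraph about requiring an uppercase letter, but check110 is "Ensure IAM password policy prevents password reuse: 24 or greater", so the risk text attached to the finding will not describe the finding. The same uppercase-letter paragraph is pasted into check111, check16, check17, check18 and check19 in this commit, each of which covers a different policy attribute (expiry, lowercase, symbol, number, minimum length); only check15 actually matches it. Each of those needs its own wording; for check110 something like `CHECK_RISK_check110='IAM password policies can prevent previously used passwords from being set again. Allowing reuse means a password that has already been exposed can return into service after a forced change.'` (constructed wording, align with the benchmark text). The hunk ends in the first lines of check110(), whose body continues outside the hunk.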
@@ -16,6 +16,10 @@ CHECK_SEVERITY_check112="Critical" CHECK_ASFF_TYPE_check112="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ALTERNATE_check112="check112" CHECK_SERVICENAME_check112="iam" +CHECK_RISK_check112='The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed. Removing access keys associated with the root account limits vectors by which the account can be compromised. Removing the root access keys encourages the creation and use of role based accounts that are least privileged.' +CHECK_REMEDIATION_check112='Use the credential report to that the user and ensure the access_key_1_active and access_key_2_active fields are set to FALSE .' +CHECK_DOC_check112='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html' +CHECK_CAF_EPIC_check112='IAM' check112(){ # "Ensure no root account access key exists (Scored)" diff --git a/checks/check113 b/checks/check113 index 752fe67b..a5414034 100644 --- a/checks/check113 +++ b/checks/check113 
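Review bot: CHECK_REMEDIATION_check112 is missing a verb ("Use the credential report to that the user ...") and has a stray space before the final period, so the remediation printed with a Critical finding reads as broken. Suggested: `CHECK_REMEDIATION_check112='Use the credential report to locate the root user and ensure the access_key_1_active and access_key_2_active fields are set to FALSE.'`. The body of check112() continues outside the hunk.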
@@ -16,6 +16,10 @@ CHECK_SEVERITY_check113="Critical" CHECK_ASFF_TYPE_check113="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ALTERNATE_check113="check113" CHECK_SERVICENAME_check113="iam" +CHECK_RISK_check113='The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled when a user signs in to an AWS website they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. When virtual MFA is used for root accounts it is recommended that the device used is NOT a personal device but rather a dedicated mobile device (tablet or phone) that is managed to be kept charged and secured independent of any individual personal devices. ("non-personal virtual MFA") This lessens the risks of losing access to the MFA due to device loss / trade-in or if the individual owning the device is no longer employed at the company.' +CHECK_REMEDIATION_check113='Using IAM console navigate to Dashboard and expand Activate MFA on your root account.' +CHECK_DOC_check113='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa' +CHECK_CAF_EPIC_check113='IAM' check113(){ # "Ensure MFA is enabled for the root account (Scored)" diff --git a/checks/check114 b/checks/check114 index 4348a8ce..3b489350 100644 --- a/checks/check114 +++ b/checks/check114 
@@ -16,6 +16,10 @@ CHECK_SEVERITY_check114="Critical" CHECK_ASFF_TYPE_check114="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ALTERNATE_check114="check114" CHECK_SERVICENAME_check114="iam" +CHECK_RISK_check114='The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled when a user signs in to an AWS website they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2 it is recommended that the root account be protected with a hardware MFA.' +CHECK_REMEDIATION_check114='Using IAM console navigate to Dashboard and expand Activate MFA on your root account.' +CHECK_DOC_check114='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa' +CHECK_CAF_EPIC_check114='IAM' check114(){ # "Ensure hardware MFA is enabled for the root account (Scored)" diff --git a/checks/check115 b/checks/check115 index 461ba08c..57827b00 100644 --- a/checks/check115 +++ b/checks/check115 
@@ -16,6 +16,10 @@ CHECK_SEVERITY_check115="Medium" CHECK_ASFF_TYPE_check115="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ALTERNATE_check115="check115" CHECK_SERVICENAME_check115="support" +CHECK_RISK_check115='The AWS support portal allows account owners to establish security questions that can be used to authenticate individuals calling AWS customer service for support. It is recommended that security questions be established. When creating a new AWS account a default super user is automatically created. This account is referred to as the "root" account. It is recommended that the use of this account be limited and highly controlled. During events in which the root password is no longer accessible or the MFA token associated with root is lost/destroyed it is possible through authentication using secret questions and associated answers to recover root login access.' +CHECK_REMEDIATION_check115='Login as root account and from My Account configure Security questions.' +CHECK_DOC_check115='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys_retrieve.html' +CHECK_CAF_EPIC_check115='IAM' check115(){ # "Ensure security questions are registered in the AWS account (Not Scored)" diff --git a/checks/check116 b/checks/check116 index 1088ca4f..3edd41c9 100644 --- a/checks/check116 +++ b/checks/check116 
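Review bot: CHECK_DOC_check115 links to an access-key retrieval page (`id_credentials_access-keys_retrieve.html`) while the check is "Ensure security questions are registered in the AWS account", so the documentation reference does not support the finding; it looks like a copy-paste from a neighbouring check. Replace it with the account security-questions documentation once confirmed, e.g. `CHECK_DOC_check115='<URL of the AWS account security questions page>'` (placeholder). Separately, CHECK_CAF_EPIC_check115 is 'IAM' although CHECK_SERVICENAME_check115 is "support"; worth confirming that is the intended epic for the support-portal checks (check117 and check118 do the same). check115() continues outside the hunk.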
@@ -18,6 +18,10 @@ CHECK_ASFF_RESOURCE_TYPE_check116="AwsIamUser" CHECK_ALTERNATE_check116="check116" CHECK_ASFF_COMPLIANCE_TYPE_check116="ens-op.acc.3.aws.iam.1" CHECK_SERVICENAME_check116="iam" +CHECK_RISK_check116='By default IAM users; groups; and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users; groups; or roles. It is recommended that IAM policies be applied directly to groups and roles but not users. Assigning privileges at the group or role level reduces the complexity of access management as the number of users grow. Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.' +CHECK_REMEDIATION_check116='Remove any policy attached directly to the user. Use groups or roles instead.' +CHECK_DOC_check116='https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html' +CHECK_CAF_EPIC_check116='IAM' check116(){ # "Ensure IAM policies are attached only to groups or roles (Scored)" diff --git a/checks/check117 b/checks/check117 index 0369eda1..e390ad47 100644 --- a/checks/check117 +++ b/checks/check117 
@@ -16,6 +16,10 @@ CHECK_SEVERITY_check117="Medium" CHECK_ASFF_TYPE_check117="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ALTERNATE_check117="check117" CHECK_SERVICENAME_check117="support" +CHECK_RISK_check117='Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization. An AWS account supports a number of contact details; and AWS will use these to contact the account owner if activity judged to be in breach of Acceptable Use Policy. If an AWS account is observed to be behaving in a prohibited or suspicious manner; AWS will attempt to contact the account owner by email and phone using the contact details listed. If this is unsuccessful and the account behavior needs urgent mitigation; proactive measures may be taken; including throttling of traffic between the account exhibiting suspicious behavior and the AWS API endpoints and the Internet. This will result in impaired service to and from the account in question.' +CHECK_REMEDIATION_check117='Using the Billing and Cost Management console complete contact details.' +CHECK_DOC_check117='https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/manage-account-payment.html#contact-info' +CHECK_CAF_EPIC_check117='IAM' check117(){ # "Maintain current contact details (Scored)" diff --git a/checks/check118 b/checks/check118 index 3e23d54c..ef69a226 100644 --- a/checks/check118 +++ b/checks/check118 
@@ -16,6 +16,10 @@ CHECK_SEVERITY_check118="Medium" CHECK_ASFF_TYPE_check118="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ALTERNATE_check118="check118" CHECK_SERVICENAME_check118="support" +CHECK_RISK_check118='AWS provides customers with the option of specifying the contact information for accounts security team. It is recommended that this information be provided. Specifying security-specific contact information will help ensure that security advisories sent by AWS reach the team in your organization that is best equipped to respond to them.' +CHECK_REMEDIATION_check118='Go to the My Account section and complete alternate contacts.' +CHECK_DOC_check118='https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/manage-account-payment.html' +CHECK_CAF_EPIC_check118='IAM' check118(){ # "Ensure security contact information is registered (Scored)" diff --git a/checks/check119 b/checks/check119 index 96a540b1..43db9e77 100644 --- a/checks/check119 +++ b/checks/check119 
@@ -17,6 +17,10 @@ CHECK_ASFF_TYPE_check119="Software and Configuration Checks/Industry and Regulat CHECK_ASFF_RESOURCE_TYPE_check119="AwsEc2Instance" CHECK_ALTERNATE_check119="check119" CHECK_SERVICENAME_check119="ec2" +CHECK_RISK_check119='AWS access from within AWS instances can be done by either encoding AWS keys into AWS API calls or by assigning the instance to a role which has an appropriate permissions policy for the required access. AWS IAM roles reduce the risks associated with sharing and rotating credentials that can be used outside of AWS itself. If credentials are compromised; they can be used from outside of the AWS account.' +CHECK_REMEDIATION_check119='IAM roles can only be associated at the launch of an instance. To remediate an instance to add it to a role you must create or re-launch a new instance. (Check for external dependencies on its current private ip or public addresses).' +CHECK_DOC_check119='http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html' +CHECK_CAF_EPIC_check119='IAM' check119(){ for regx in $REGIONS; do diff --git a/checks/check12 b/checks/check12 index 6d1a1975..1d8f572f 100644 --- a/checks/check12 +++ b/checks/check12 @@ -18,6 +18,10 @@ CHECK_ASFF_RESOURCE_TYPE_check12="AwsIamUser" CHECK_ALTERNATE_check102="check12" CHECK_ASFF_COMPLIANCE_TYPE_check12="ens-op.acc.5.aws.iam.1" CHECK_SERVICENAME_check12="iam" +CHECK_RISK_check12='Unauthorized access to this critical account if password is not secure or it is disclosed in any way.' +CHECK_REMEDIATION_check12='Enable MFA for root account. is a simple best practice that adds an extra layer of protection on top of your user name and password. Recommended to use hardware keys over virtual MFA.' +CHECK_DOC_check12='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html' +CHECK_CAF_EPIC_check12='IAM' check12(){ # "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)" 
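Review bot: CHECK_REMEDIATION_check119 states that IAM roles can only be associated at instance launch and that the instance must be re-launched; EC2 has for years allowed an instance profile to be attached to or replaced on an existing instance (the AssociateIamInstanceProfile / ReplaceIamInstanceProfileAssociation API), so this remediation directs operators to unnecessary and disruptive work. Suggest rewording to say the instance profile can be associated with the running or stopped instance from the console or API and that re-launching is not required, while keeping the advice to check dependencies on the instance's current addresses if a re-launch is chosen. check119() continues outside the hunk.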
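Review bot: CHECK_RISK_check12 and CHECK_REMEDIATION_check12 describe MFA for the root account, but check12 is "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password", so the finding will carry root-specific guidance for ordinary IAM users. The remediation also contains a broken sentence ("Enable MFA for root account. is a simple best practice ..."). Suggested: `CHECK_REMEDIATION_check12='Enable MFA for every IAM user that has a console password. MFA adds an extra layer of protection on top of the user name and password; hardware keys are recommended over virtual MFA.'` with a matching CHECK_RISK about console users whose password is the only factor. check12() continues outside the hunk.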
diff --git a/checks/check120 b/checks/check120 index fecf7c0e..6a520b16 100644 --- a/checks/check120 +++ b/checks/check120 @@ -18,6 +18,10 @@ CHECK_ASFF_RESOURCE_TYPE_check120="AwsIamRole" CHECK_ALTERNATE_check120="check120" CHECK_ASFF_COMPLIANCE_TYPE_check120="ens-op.acc.1.aws.iam.4" CHECK_SERVICENAME_check120="iam" +CHECK_RISK_check120='AWS provides a support center that can be used for incident notification and response; as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support.' +CHECK_REMEDIATION_check120='Create an IAM role for managing incidents with AWS.' +CHECK_DOC_check120='https://docs.aws.amazon.com/awssupport/latest/user/using-service-linked-roles-sup.html' +CHECK_CAF_EPIC_check120='IAM' check120(){ # "Ensure a support role has been created to manage incidents with AWS Support (Scored)" diff --git a/checks/check121 b/checks/check121 index af53ff18..df966919 100644 --- a/checks/check121 +++ b/checks/check121 
@@ -18,6 +18,10 @@ CHECK_ASFF_RESOURCE_TYPE_check121="AwsIamUser" CHECK_ALTERNATE_check121="check121" CHECK_ASFF_COMPLIANCE_TYPE_check121="ens-op.acc.1.aws.iam.5" CHECK_SERVICENAME_check121="iam" +CHECK_RISK_check121='AWS console defaults the checkbox for creating access keys to enabled. This results in many access keys being generated unnecessarily. In addition to unnecessary credentials; it also generates unnecessary management work in auditing and rotating these keys. Requiring that additional steps be taken by the user after their profile has been created will give a stronger indication of intent that access keys are (a) necessary for their work and (b) once the access key is established on an account that the keys may be in use somewhere in the organization.' +CHECK_REMEDIATION_check121='From the IAM console: generate credential report and disable not required keys.' +CHECK_DOC_check121='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html' +CHECK_CAF_EPIC_check121='IAM' check121(){ # "Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)" diff --git a/checks/check122 b/checks/check122 index 013dafe8..29b69ffe 100644 --- a/checks/check122 +++ b/checks/check122 
@@ -17,6 +17,10 @@ CHECK_ASFF_TYPE_check122="Software and Configuration Checks/Industry and Regulat CHECK_ASFF_RESOURCE_TYPE_check122="AwsIamPolicy" CHECK_ALTERNATE_check122="check122" CHECK_SERVICENAME_check122="iam" +CHECK_RISK_check122='IAM policies are the means by which privileges are granted to users; groups; or roles. It is recommended and considered a standard security advice to grant least privilege—that is; granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks instead of allowing full administrative privileges. Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions.' +CHECK_REMEDIATION_check122='It is more secure to start with a minimum set of permissions and grant additional permissions as necessary; rather than starting with permissions that are too lenient and then trying to tighten them later. List policies an analyze if permissions are the least possible to conduct business activities.' +CHECK_DOC_check122='http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html' +CHECK_CAF_EPIC_check122='IAM' check122(){ # "Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)" diff --git a/checks/check13 b/checks/check13 index 14da7201..80388de1 100644 --- a/checks/check13 +++ b/checks/check13 
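Review bot: CHECK_REMEDIATION_check122 has a typo in its last sentence ("List policies an analyze if permissions ..."), which is user-facing text. Suggested: `... List policies and analyze whether the permissions granted are the minimum required to conduct business activities.'` as the closing sentence of the same value. check122() continues outside the hunk.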
@@ -18,6 +18,10 @@ CHECK_ASFF_RESOURCE_TYPE_check13="AwsIamUser" CHECK_ALTERNATE_check103="check13" CHECK_ASFF_COMPLIANCE_TYPE_check13="ens-op.acc.1.aws.iam.3 ens-op.acc.5.aws.iam.4" CHECK_SERVICENAME_check13="iam" +CHECK_RISK_check13='AWS IAM users can access AWS resources using different types of credentials (passwords or access keys). It is recommended that all credentials that have been unused in 90 or greater days be removed or deactivated.' +CHECK_REMEDIATION_check13='Use the credential report to ensure password_last_changed is less than 90 days ago.' +CHECK_DOC_check13='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html' +CHECK_CAF_EPIC_check13='IAM' check13(){ check_creds_used_in_last_days 90 diff --git a/checks/check14 b/checks/check14 index 8743d08c..01147aca 100644 --- a/checks/check14 +++ b/checks/check14 @@ -18,6 +18,10 @@ CHECK_ASFF_RESOURCE_TYPE_check14="AwsIamUser" CHECK_ALTERNATE_check104="check14" CHECK_ASFF_COMPLIANCE_TYPE_check14="ens-op.acc.1.aws.iam.4 ens-op.acc.5.aws.iam.3" CHECK_SERVICENAME_check14="iam" +CHECK_RISK_check14='Access keys consist of an access key ID and secret access key which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI)- Tools for Windows PowerShell- the AWS SDKs- or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated.' +CHECK_REMEDIATION_check14='Use the credential report to ensure access_key_X_last_rotated is less than 90 days ago.' +CHECK_DOC_check14='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html' +CHECK_CAF_EPIC_check14='IAM' check14(){ # "Ensure access keys are rotated every 90 days or less (Scored)" # also checked by Security Monkey diff --git a/checks/check15 b/checks/check15 index 49a35d45..4cbc6203 100644 --- a/checks/check15 +++ b/checks/check15 
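Review bot: CHECK_REMEDIATION_check13 tells the operator to ensure `password_last_changed` is less than 90 days ago, but check13 calls `check_creds_used_in_last_days 90`, i.e. it flags credentials that have not been used for 90 days, and the last-changed date says nothing about use. The remediation should refer to the credential report's last-used columns (password_last_used and access_key_1_last_used_date / access_key_2_last_used_date) and to deactivating or removing the unused credentials, which is what CHECK_RISK_check13 already says. Suggested: `CHECK_REMEDIATION_check13='Use the credential report to find passwords and access keys whose last-used date is 90 or more days ago and deactivate or remove them.'`. check13() continues outside the hunk.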
@@ -16,6 +16,10 @@ CHECK_SEVERITY_check15="Medium" CHECK_ASFF_TYPE_check15="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ALTERNATE_check105="check15" CHECK_SERVICENAME_check15="iam" +CHECK_RISK_check15='Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter.' +CHECK_REMEDIATION_check15='Ensure "Requires at least one uppercase letter" is checked under "Password Policy".' +CHECK_DOC_check15='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html' +CHECK_CAF_EPIC_check15='IAM' check15(){ # "Ensure IAM password policy requires at least one uppercase letter (Scored)" diff --git a/checks/check16 b/checks/check16 index 7e682b48..009a3cd3 100644 --- a/checks/check16 +++ b/checks/check16 @@ -16,6 +16,10 @@ CHECK_SEVERITY_check16="Medium" CHECK_ASFF_TYPE_check16="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ALTERNATE_check106="check16" CHECK_SERVICENAME_check16="iam" +CHECK_RISK_check16='Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter.' +CHECK_REMEDIATION_check16='Ensure "Requires at least one lowercase letter" is checked under "Password Policy".' +CHECK_DOC_check16='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html' +CHECK_CAF_EPIC_check16='IAM' check16(){ # "Ensure IAM password policy require at least one lowercase letter (Scored)" diff --git a/checks/check17 b/checks/check17 index 1afe6fab..5230095f 100644 --- a/checks/check17 +++ b/checks/check17 
@@ -16,6 +16,10 @@ CHECK_SEVERITY_check17="Medium" CHECK_ASFF_TYPE_check17="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ALTERNATE_check107="check17" CHECK_SERVICENAME_check17="iam" +CHECK_RISK_check17='Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter.' +CHECK_REMEDIATION_check17='Ensure "Require at least one non-alphanumeric character" is checked under "Password Policy".' +CHECK_DOC_check17='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html' +CHECK_CAF_EPIC_check17='IAM' check17(){ # "Ensure IAM password policy require at least one symbol (Scored)" diff --git a/checks/check18 b/checks/check18 index 7749128a..453a0a7d 100644 --- a/checks/check18 +++ b/checks/check18 @@ -16,6 +16,10 @@ CHECK_SEVERITY_check18="Medium" CHECK_ASFF_TYPE_check18="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ALTERNATE_check108="check18" CHECK_SERVICENAME_check18="iam" +CHECK_RISK_check18='Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter.' +CHECK_REMEDIATION_check18='Ensure "Require at least one number " is checked under "Password Policy".' +CHECK_DOC_check18='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html' +CHECK_CAF_EPIC_check18='IAM' check18(){ # "Ensure IAM password policy require at least one number (Scored)" diff --git a/checks/check19 b/checks/check19 index 42fe5bdf..97b43848 100644 --- a/checks/check19 +++ b/checks/check19 
@@ -16,6 +16,10 @@ CHECK_SEVERITY_check19="Medium" CHECK_ASFF_TYPE_check19="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ALTERNATE_check109="check19" CHECK_SERVICENAME_check19="iam" +CHECK_RISK_check19='Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter.' +CHECK_REMEDIATION_check19='Ensure "Minimum password length" is set to 14 or greater.' +CHECK_DOC_check19='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html' +CHECK_CAF_EPIC_check19='IAM' check19(){ # "Ensure IAM password policy requires minimum length of 14 or greater (Scored)" diff --git a/checks/check21 b/checks/check21 index 6dd8e214..b9e63b97 100644 --- a/checks/check21 +++ b/checks/check21 @@ -18,6 +18,10 @@ CHECK_ASFF_RESOURCE_TYPE_check21="AwsCloudTrailTrail" CHECK_ALTERNATE_check201="check21" CHECK_ASFF_COMPLIANCE_TYPE_check21="ens-op.acc.7.aws.iam.1 ens-op.mon.1.aws.trail.1" CHECK_SERVICENAME_check21="cloudtrail" +CHECK_RISK_check21='AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller; the time of the API call; the source IP address of the API caller; the request parameters; and the response elements returned by the AWS service.' +CHECK_REMEDIATION_check21='Ensure Logging is set to ON on all regions (even if they are not being used at the moment.' +CHECK_DOC_check21='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrailconcepts.html#cloudtrail-concepts-management-events' +CHECK_CAF_EPIC_check21='Logging and Monitoring' check21(){ trail_count=0 diff --git a/checks/check22 b/checks/check22 index faf624a5..94fbe2f5 100644 --- a/checks/check22 +++ b/checks/check22 
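Review bot: CHECK_REMEDIATION_check21 has an unclosed parenthesis ("(even if they are not being used at the moment."), and CHECK_RISK_check21 only describes what CloudTrail is without stating what is at risk when it is off, so the finding will not tell the reader why it matters. Suggested: `CHECK_REMEDIATION_check21='Ensure Logging is set to ON on all regions (even if they are not being used at the moment).'` and a closing sentence appended to CHECK_RISK_check21 such as "Without CloudTrail enabled in every region there is no record of API activity in that region for investigation or alerting." check21() continues outside the hunk.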
@@ -18,6 +18,10 @@ CHECK_ASFF_RESOURCE_TYPE_check22="AwsCloudTrailTrail" CHECK_ALTERNATE_check202="check22" CHECK_ASFF_COMPLIANCE_TYPE_check22="ens-op.exp.10.aws.trail.1" CHECK_SERVICENAME_check22="cloudtrail" +CHECK_RISK_check22='Enabling log file validation will provide additional integrity checking of CloudTrail logs. ' +CHECK_REMEDIATION_check22='Ensure LogFileValidationEnabled is set to true for each trail.' +CHECK_DOC_check22='http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-filevalidation-enabling.html' +CHECK_CAF_EPIC_check22='Logging and Monitoring' check22(){ trail_count=0 diff --git a/checks/check23 b/checks/check23 index 149b7149..d88cc079 100644 --- a/checks/check23 +++ b/checks/check23 @@ -18,6 +18,10 @@ CHECK_ASFF_RESOURCE_TYPE_check23="AwsS3Bucket" CHECK_ALTERNATE_check203="check23" CHECK_ASFF_COMPLIANCE_TYPE_check23="ens-op.exp.10.aws.trail.3 ens-op.exp.10.aws.trail.4" CHECK_SERVICENAME_check23="cloudtrail" +CHECK_RISK_check23='Allowing public access to CloudTrail log content may aid an adversary in identifying weaknesses in the affected accounts use or configuration.' +CHECK_REMEDIATION_check23='Analyze Bucket policy to validate appropriate permissions. Ensure the AllUsers principal is not granted privileges. Ensure the AuthenticatedUsers principal is not granted privileges.' +CHECK_DOC_check23='https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_ principal.html ' +CHECK_CAF_EPIC_check23='Logging and Monitoring' check23(){ trail_count=0 diff --git a/checks/check24 b/checks/check24 index e4265424..c423e64c 100644 --- a/checks/check24 +++ b/checks/check24 
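Review bot: CHECK_DOC_check23 contains a space inside the URL path (`reference_policies_elements_ principal.html`) plus a trailing space before the closing quote, so the link emitted with the finding will be broken. Suggested: `CHECK_DOC_check23='https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html'`. The same trailing-space problem is present in CHECK_RISK_check22 in the previous hunk and in CHECK_DOC_check29 later in this commit; since these values are presumably copied verbatim into report output, all of them should be trimmed. check23() continues outside the hunk.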
@@ -18,6 +18,10 @@ CHECK_ASFF_RESOURCE_TYPE_check24="AwsCloudTrailTrail" CHECK_ALTERNATE_check204="check24" CHECK_ASFF_COMPLIANCE_TYPE_check24="ens-op.exp.8.aws.cw.1" CHECK_SERVICENAME_check24="cloudtrail" +CHECK_RISK_check24='Sending CloudTrail logs to CloudWatch Logs will facilitate real-time and historic activity logging based on user; API; resource; and IP address; and provides opportunity to establish alarms and notifications for anomalous or sensitivity account activity.' +CHECK_REMEDIATION_check24='Validate that the trails in CloudTrail has an arn set in the CloudWatchLogsLogGroupArn property.' +CHECK_DOC_check24='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/send-cloudtrail-events-to-cloudwatch-logs.html' +CHECK_CAF_EPIC_check24='Logging and Monitoring' check24(){ trail_count=0 diff --git a/checks/check25 b/checks/check25 index 010e8e3f..d836e7c9 100644 --- a/checks/check25 +++ b/checks/check25 @@ -17,6 +17,10 @@ CHECK_ASFF_TYPE_check25="Software and Configuration Checks/Industry and Regulato CHECK_ALTERNATE_check205="check25" CHECK_ASFF_COMPLIANCE_TYPE_check25="ens-op.exp.1.aws.cfg.1" CHECK_SERVICENAME_check25="configservice" +CHECK_RISK_check25='The AWS configuration item history captured by AWS Config enables security analysis; resource change tracking; and compliance auditing.' +CHECK_REMEDIATION_check25='It is recommended to enable AWS Config be enabled in all regions.' +CHECK_DOC_check25='https://aws.amazon.com/blogs/mt/aws-config-best-practices/' +CHECK_CAF_EPIC_check25='Logging and Monitoring' check25(){ # "Ensure AWS Config is enabled in all regions (Scored)" diff --git a/checks/check26 b/checks/check26 index 47d791d4..7730623e 100644 --- a/checks/check26 +++ b/checks/check26 
@@ -17,6 +17,10 @@ CHECK_ASFF_TYPE_check26="Software and Configuration Checks/Industry and Regulato CHECK_ASFF_RESOURCE_TYPE_check26="AwsS3Bucket" CHECK_ALTERNATE_check206="check26" CHECK_SERVICENAME_check26="s3" +CHECK_RISK_check26='Server access logs can assist you in security and access audits; help you learn about your customer base; and understand your Amazon S3 bill.' +CHECK_REMEDIATION_check26='Ensure that S3 buckets have Logging enabled. CloudTrail data events can be used in place of S3 bucket logging. If that is the case; this finding can be considered a false positive.' +CHECK_DOC_check26='https://docs.aws.amazon.com/AmazonS3/latest/dev/security-best-practices.html' +CHECK_CAF_EPIC_check26='Logging and Monitoring' check26(){ trail_count=0 diff --git a/checks/check27 b/checks/check27 index 927da424..1afea54d 100644 --- a/checks/check27 +++ b/checks/check27 
@@ -18,6 +18,10 @@ CHECK_ASFF_RESOURCE_TYPE_check27="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check207="check27"
 CHECK_ASFF_COMPLIANCE_TYPE_check27="ens-op.exp.10.aws.trail.5"
 CHECK_SERVICENAME_check27="cloudtrail"
+CHECK_RISK_check27='By default; the log files delivered by CloudTrail to your bucket are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3). To provide a security layer that is directly manageable; you can instead use server-side encryption with AWS KMS–managed keys (SSE-KMS) for your CloudTrail log files.'
+CHECK_REMEDIATION_check27='This approach has the following advantages: You can create and manage the CMK encryption keys yourself. You can use a single CMK to encrypt and decrypt log files for multiple accounts across all regions. You have control over who can use your key for encrypting and decrypting CloudTrail log files. You can assign permissions for the key to the users. You have enhanced security.'
+CHECK_DOC_check27='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html'
+CHECK_CAF_EPIC_check27='Logging and Monitoring'
 check27(){
 trail_count=0
diff --git a/checks/check28 b/checks/check28
index 84863b4b..b35b4c95 100644
--- a/checks/check28
+++ b/checks/check28
@@ -17,6 +17,10 @@ CHECK_ASFF_TYPE_check28="Software and Configuration Checks/Industry and Regulato
 CHECK_ASFF_RESOURCE_TYPE_check28="AwsKmsKey"
 CHECK_ALTERNATE_check208="check28"
 CHECK_SERVICENAME_check28="kms"
+CHECK_RISK_check28='Cryptographic best practices discourage extensive reuse of encryption keys. Consequently; Customer Master Keys (CMKs) should be rotated to prevent usage of compromised keys.'
+CHECK_REMEDIATION_check28='For every KMS Customer Master Keys (CMKs); ensure that Rotate this key every year is enabled.'
+CHECK_DOC_check28='https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html'
+CHECK_CAF_EPIC_check28='Data Protection'
 check28(){
 # "Ensure rotation for customer created CMKs is enabled (Scored)"
diff --git a/checks/check29 b/checks/check29
index c71571ef..311e715d 100644
--- a/checks/check29
+++ b/checks/check29
@@ -18,6 +18,10 @@ CHECK_ASFF_RESOURCE_TYPE_check29="AwsEc2Vpc"
 CHECK_ALTERNATE_check209="check29"
 CHECK_ASFF_COMPLIANCE_TYPE_check29="ens-op.mon.1.aws.flow.1"
 CHECK_SERVICENAME_check29="vpc"
+CHECK_RISK_check29='PC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.'
+CHECK_REMEDIATION_check29='It is recommended that VPC Flow Logs be enabled for packet "Rejects" for VPCs. '
+CHECK_DOC_check29='http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html '
+CHECK_CAF_EPIC_check29='Logging and Monitoring'
 check29(){
 # "Ensure VPC Flow Logging is Enabled in all VPCs (Scored)"
diff --git a/checks/check31 b/checks/check31
index 4677be39..7674f8a4 100644
--- a/checks/check31
+++ b/checks/check31
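Review bot: In the check29 hunk, `CHECK_RISK_check29` begins with `'PC Flow Logs ...'` (the V of VPC is missing) and both `CHECK_REMEDIATION_check29` and `CHECK_DOC_check29` carry a trailing space inside the quotes, so the URL that lands in every CSV/JSON/HTML report is `...flow-logs.html ` rather than a clean link. The same doc link is also the only one in this commit that uses plain `http://`, unlike the `https://` links in the sibling checks. Suggested: `CHECK_RISK_check29='VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.'` and `CHECK_DOC_check29='https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html'`, with the trailing space removed from the remediation string as well. The check29 function body continues outside the hunk.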
@@ -43,6 +43,10 @@ CHECK_ASFF_RESOURCE_TYPE_check31="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check301="check31"
 CHECK_ASFF_COMPLIANCE_TYPE_check31="ens-op.exp.8.aws.trail.2"
 CHECK_SERVICENAME_check31="iam"
+CHECK_RISK_check31='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
+CHECK_REMEDIATION_check31='It is recommended that a metric filter and alarm be established for unauthorized requests.'
+CHECK_DOC_check31='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
+CHECK_CAF_EPIC_check31='Logging and Monitoring'
 check31(){
 check3x '\$\.errorCode\s*=\s*"\*UnauthorizedOperation".+\$\.errorCode\s*=\s*"AccessDenied\*"'
diff --git a/checks/check310 b/checks/check310
index f53ac698..40744be0 100644
--- a/checks/check310
+++ b/checks/check310
@@ -42,6 +42,10 @@ CHECK_ASFF_TYPE_check310="Software and Configuration Checks/Industry and Regulat
 CHECK_ASFF_RESOURCE_TYPE_check310="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check310="check310"
 CHECK_SERVICENAME_check310="ec2"
+CHECK_RISK_check310='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
+CHECK_REMEDIATION_check310='It is recommended that a metric filter and alarm be established for unauthorized requests.'
+CHECK_DOC_check310='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
+CHECK_CAF_EPIC_check310='Logging and Monitoring'
 check310(){
 check3x '\$\.eventName\s*=\s*AuthorizeSecurityGroupIngress.+\$\.eventName\s*=\s*AuthorizeSecurityGroupEgress.+\$\.eventName\s*=\s*RevokeSecurityGroupIngress.+\$\.eventName\s*=\s*RevokeSecurityGroupEgress.+\$\.eventName\s*=\s*CreateSecurityGroup.+\$\.eventName\s*=\s*DeleteSecurityGroup'
diff --git a/checks/check311 b/checks/check311
index dcd53b24..b36dff27 100644
--- a/checks/check311
+++ b/checks/check311
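Review bot: `CHECK_RISK_check310` and `CHECK_REMEDIATION_check310` repeat check31's text about unauthorized API calls, but the `check3x` pattern right below them matches security-group events (AuthorizeSecurityGroupIngress, CreateSecurityGroup, ...), so every report will attach a risk statement and a remediation that describe a different control. The same copied pair is added verbatim to check311, check312, check313, check314, check32, check33, check34, check35, check36, check37 and check38, whose filters target network ACLs, gateways, route tables, VPC changes, console sign-in without MFA, root usage, IAM policy changes, CloudTrail configuration, failed console logins, KMS key disabling and S3 bucket policy changes respectively. Each check's two strings should name the activity its own filter watches; the minimal edit is to keep the template and swap the subject, e.g. `CHECK_REMEDIATION_check310='It is recommended that a metric filter and alarm be established for changes to security groups.'`. The `check3x` call is the whole function body here, so the hunk is complete.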
@@ -42,6 +42,10 @@ CHECK_ASFF_TYPE_check311="Software and Configuration Checks/Industry and Regulat
 CHECK_ASFF_RESOURCE_TYPE_check311="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check311="check311"
 CHECK_SERVICENAME_check311="vpc"
+CHECK_RISK_check311='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
+CHECK_REMEDIATION_check311='It is recommended that a metric filter and alarm be established for unauthorized requests.'
+CHECK_DOC_check311='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
+CHECK_CAF_EPIC_check311='Logging and Monitoring'
 check311(){
 check3x '\$\.eventName\s*=\s*CreateNetworkAcl.+\$\.eventName\s*=\s*CreateNetworkAclEntry.+\$\.eventName\s*=\s*DeleteNetworkAcl.+\$\.eventName\s*=\s*DeleteNetworkAclEntry.+\$\.eventName\s*=\s*ReplaceNetworkAclEntry.+\$\.eventName\s*=\s*ReplaceNetworkAclAssociation'
diff --git a/checks/check312 b/checks/check312
index 2761159b..702f068e 100644
--- a/checks/check312
+++ b/checks/check312
@@ -42,6 +42,10 @@ CHECK_ASFF_TYPE_check312="Software and Configuration Checks/Industry and Regulat
 CHECK_ASFF_RESOURCE_TYPE_check312="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check312="check312"
 CHECK_SERVICENAME_check312="vpc"
+CHECK_RISK_check312='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
+CHECK_REMEDIATION_check312='It is recommended that a metric filter and alarm be established for unauthorized requests.'
+CHECK_DOC_check312='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
+CHECK_CAF_EPIC_check312='Logging and Monitoring'
 check312(){
 check3x '\$\.eventName\s*=\s*CreateCustomerGateway.+\$\.eventName\s*=\s*DeleteCustomerGateway.+\$\.eventName\s*=\s*AttachInternetGateway.+\$\.eventName\s*=\s*CreateInternetGateway.+\$\.eventName\s*=\s*DeleteInternetGateway.+\$\.eventName\s*=\s*DetachInternetGateway'
diff --git a/checks/check313 b/checks/check313
index ac014d8b..258af60d 100644
--- a/checks/check313
+++ b/checks/check313
@@ -42,6 +42,10 @@ CHECK_ASFF_TYPE_check313="Software and Configuration Checks/Industry and Regulat
 CHECK_ASFF_RESOURCE_TYPE_check313="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check313="check313"
 CHECK_SERVICENAME_check313="vpc"
+CHECK_RISK_check313='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
+CHECK_REMEDIATION_check313='It is recommended that a metric filter and alarm be established for unauthorized requests.'
+CHECK_DOC_check313='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
+CHECK_CAF_EPIC_check313='Logging and Monitoring'
 check313(){
 check3x '\$\.eventName\s*=\s*CreateRoute.+\$\.eventName\s*=\s*CreateRouteTable.+\$\.eventName\s*=\s*ReplaceRoute.+\$\.eventName\s*=\s*ReplaceRouteTableAssociation.+\$\.eventName\s*=\s*DeleteRouteTable.+\$\.eventName\s*=\s*DeleteRoute.+\$\.eventName\s*=\s*DisassociateRouteTable'
diff --git a/checks/check314 b/checks/check314
index a30a0d8e..488663c4 100644
--- a/checks/check314
+++ b/checks/check314
@@ -42,6 +42,10 @@ CHECK_ASFF_TYPE_check314="Software and Configuration Checks/Industry and Regulat
 CHECK_ASFF_RESOURCE_TYPE_check314="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check314="check314"
 CHECK_SERVICENAME_check314="vpc"
+CHECK_RISK_check314='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
+CHECK_REMEDIATION_check314='It is recommended that a metric filter and alarm be established for unauthorized requests.'
+CHECK_DOC_check314='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
+CHECK_CAF_EPIC_check314='Logging and Monitoring'
 check314(){
 check3x '\$\.eventName\s*=\s*CreateVpc.+\$\.eventName\s*=\s*DeleteVpc.+\$\.eventName\s*=\s*ModifyVpcAttribute.+\$\.eventName\s*=\s*AcceptVpcPeeringConnection.+\$\.eventName\s*=\s*CreateVpcPeeringConnection.+\$\.eventName\s*=\s*DeleteVpcPeeringConnection.+\$\.eventName\s*=\s*RejectVpcPeeringConnection.+\$\.eventName\s*=\s*AttachClassicLinkVpc.+\$\.eventName\s*=\s*DetachClassicLinkVpc.+\$\.eventName\s*=\s*DisableVpcClassicLink.+\$\.eventName\s*=\s*EnableVpcClassicLink'
diff --git a/checks/check32 b/checks/check32
index 73fe480b..ff13166b 100644
--- a/checks/check32
+++ b/checks/check32
@@ -43,6 +43,10 @@ CHECK_ASFF_RESOURCE_TYPE_check32="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check302="check32"
 CHECK_ASFF_COMPLIANCE_TYPE_check32="ens-op.exp.8.aws.trail.4"
 CHECK_SERVICENAME_check32="iam"
+CHECK_RISK_check32='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
+CHECK_REMEDIATION_check32='It is recommended that a metric filter and alarm be established for unauthorized requests.'
+CHECK_DOC_check32='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
+CHECK_CAF_EPIC_check32='Logging and Monitoring'
 check32(){
 check3x '\$\.eventName\s*=\s*"ConsoleLogin".+\$\.additionalEventData\.MFAUsed\s*!=\s*"Yes"'
diff --git a/checks/check33 b/checks/check33
index 8044ebe0..840e386d 100644
--- a/checks/check33
+++ b/checks/check33
@@ -43,6 +43,10 @@ CHECK_ASFF_RESOURCE_TYPE_check33="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check303="check33"
 CHECK_ASFF_COMPLIANCE_TYPE_check33="ens-op.exp.8.aws.trail.5"
 CHECK_SERVICENAME_check33="iam"
+CHECK_RISK_check33='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
+CHECK_REMEDIATION_check33='It is recommended that a metric filter and alarm be established for unauthorized requests.'
+CHECK_DOC_check33='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
+CHECK_CAF_EPIC_check33='Logging and Monitoring'
 check33(){
 check3x '\$\.userIdentity\.type\s*=\s*"Root".+\$\.userIdentity\.invokedBy NOT EXISTS.+\$\.eventType\s*!=\s*"AwsServiceEvent"'
diff --git a/checks/check34 b/checks/check34
index ed272edd..727512c8 100644
--- a/checks/check34
+++ b/checks/check34
@@ -43,6 +43,10 @@ CHECK_ASFF_RESOURCE_TYPE_check34="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check304="check34"
 CHECK_ASFF_COMPLIANCE_TYPE_check34="ens-op.exp.8.aws.trail.6"
 CHECK_SERVICENAME_check34="iam"
+CHECK_RISK_check34='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
+CHECK_REMEDIATION_check34='It is recommended that a metric filter and alarm be established for unauthorized requests.'
+CHECK_DOC_check34='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
+CHECK_CAF_EPIC_check34='IAM'
 check34(){
 check3x '\$\.eventName\s*=\s*DeleteGroupPolicy.+\$\.eventName\s*=\s*DeleteRolePolicy.+\$\.eventName\s*=\s*DeleteUserPolicy.+\$\.eventName\s*=\s*PutGroupPolicy.+\$\.eventName\s*=\s*PutRolePolicy.+\$\.eventName\s*=\s*PutUserPolicy.+\$\.eventName\s*=\s*CreatePolicy.+\$\.eventName\s*=\s*DeletePolicy.+\$\.eventName\s*=\s*CreatePolicyVersion.+\$\.eventName\s*=\s*DeletePolicyVersion.+\$\.eventName\s*=\s*AttachRolePolicy.+\$\.eventName\s*=\s*DetachRolePolicy.+\$\.eventName\s*=\s*AttachUserPolicy.+\$\.eventName\s*=\s*DetachUserPolicy.+\$\.eventName\s*=\s*AttachGroupPolicy.+\$\.eventName\s*=\s*DetachGroupPolicy'
diff --git a/checks/check35 b/checks/check35
index 8157a6a4..13fae612 100644
--- a/checks/check35
+++ b/checks/check35
@@ -43,6 +43,10 @@ CHECK_ASFF_RESOURCE_TYPE_check35="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check305="check35"
 CHECK_ASFF_COMPLIANCE_TYPE_check35="ens-op.exp.8.aws.trail.1"
 CHECK_SERVICENAME_check35="cloudtrail"
+CHECK_RISK_check35='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
+CHECK_REMEDIATION_check35='It is recommended that a metric filter and alarm be established for unauthorized requests.'
+CHECK_DOC_check35='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
+CHECK_CAF_EPIC_check35='Logging and Monitoring'
 check35(){
 check3x '\$\.eventName\s*=\s*CreateTrail.+\$\.eventName\s*=\s*UpdateTrail.+\$\.eventName\s*=\s*DeleteTrail.+\$\.eventName\s*=\s*StartLogging.+\$\.eventName\s*=\s*StopLogging'
diff --git a/checks/check36 b/checks/check36
index c17ffe87..8ab2a0ef 100644
--- a/checks/check36
+++ b/checks/check36
@@ -43,6 +43,10 @@ CHECK_ASFF_RESOURCE_TYPE_check36="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check306="check36"
 CHECK_ASFF_COMPLIANCE_TYPE_check36="ens-op.exp.8.aws.trail.3"
 CHECK_SERVICENAME_check36="iam"
+CHECK_RISK_check36='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
+CHECK_REMEDIATION_check36='It is recommended that a metric filter and alarm be established for unauthorized requests.'
+CHECK_DOC_check36='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
+CHECK_CAF_EPIC_check36='Logging and Monitoring'
 check36(){
 check3x '\$\.eventName\s*=\s*ConsoleLogin.+\$\.errorMessage\s*=\s*"Failed authentication"'
diff --git a/checks/check37 b/checks/check37
index c6466039..7c891a9e 100644
--- a/checks/check37
+++ b/checks/check37
@@ -43,6 +43,10 @@ CHECK_ASFF_RESOURCE_TYPE_check37="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check307="check37"
 CHECK_ASFF_COMPLIANCE_TYPE_check37="ens-op.exp.11.aws.kms.1"
 CHECK_SERVICENAME_check37="kms"
+CHECK_RISK_check37='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
+CHECK_REMEDIATION_check37='It is recommended that a metric filter and alarm be established for unauthorized requests.'
+CHECK_DOC_check37='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
+CHECK_CAF_EPIC_check37='Logging and Monitoring'
 check37(){
 check3x '\$\.eventSource\s*=\s*kms.amazonaws.com.+\$\.eventName\s*=\s*DisableKey.+\$\.eventName\s*=\s*ScheduleKeyDeletion'
diff --git a/checks/check38 b/checks/check38
index 22b55710..eabf8475 100644
--- a/checks/check38
+++ b/checks/check38
@@ -42,6 +42,10 @@ CHECK_ASFF_TYPE_check38="Software and Configuration Checks/Industry and Regulato
 CHECK_ASFF_RESOURCE_TYPE_check38="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check308="check38"
 CHECK_SERVICENAME_check38="s3"
+CHECK_RISK_check38='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
+CHECK_REMEDIATION_check38='It is recommended that a metric filter and alarm be established for unauthorized requests.'
+CHECK_DOC_check38='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
+CHECK_CAF_EPIC_check38='Logging and Monitoring'
 check38(){
 check3x '\$\.eventSource\s*=\s*s3.amazonaws.com.+\$\.eventName\s*=\s*PutBucketAcl.+\$\.eventName\s*=\s*PutBucketPolicy.+\$\.eventName\s*=\s*PutBucketCors.+\$\.eventName\s*=\s*PutBucketLifecycle.+\$\.eventName\s*=\s*PutBucketReplication.+\$\.eventName\s*=\s*DeleteBucketPolicy.+\$\.eventName\s*=\s*DeleteBucketCors.+\$\.eventName\s*=\s*DeleteBucketLifecycle.+\$\.eventName\s*=\s*DeleteBucketReplication'
diff --git a/checks/check39 b/checks/check39
index 531a3bdc..05cc9936 100644
--- a/checks/check39
+++ b/checks/check39
@@ -42,6 +42,10 @@ CHECK_ASFF_TYPE_check39="Software and Configuration Checks/Industry and Regulato
 CHECK_ASFF_RESOURCE_TYPE_check39="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check309="check39"
 CHECK_SERVICENAME_check39="configservice"
+CHECK_RISK_check39='If not enabled important changes to accounts could go unnoticed or difficult to find.'
+CHECK_REMEDIATION_check39='Use this service as a complement to implement detective controls that cannot be prevented. (e.g. a Security Group is modified to open to internet without restrictions or route changed to avoid going thru the network firewall). Ensure AWS Config is enabled in all regions in order to detect any not intended action. On the other hand if sufficient preventive controls to make changes in critical services are in place; the rating on this finding can be lowered or discarded depending on residual risk.'
+CHECK_DOC_check39='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
+CHECK_CAF_EPIC_check39='Logging and Monitoring'
 check39(){
 check3x '\$\.eventSource\s*=\s*config.amazonaws.com.+\$\.eventName\s*=\s*StopConfigurationRecorder.+\$\.eventName\s*=\s*DeleteDeliveryChannel.+\$\.eventName\s*=\s*PutDeliveryChannel.+\$\.eventName\s*=\s*PutConfigurationRecorder'
diff --git a/checks/check41 b/checks/check41
index 06ee469c..3231f42f 100644
--- a/checks/check41
+++ b/checks/check41
@@ -18,6 +18,10 @@ CHECK_ASFF_RESOURCE_TYPE_check41="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check401="check41"
 CHECK_ASFF_COMPLIANCE_TYPE_check41="ens-mp.com.4.aws.sg.4"
 CHECK_SERVICENAME_check41="ec2"
+CHECK_RISK_check41='Even having a perimeter firewall; having security groups open allows any user or malware with vpc access to scan for well known and sensitive ports and gain access to instance.'
+CHECK_REMEDIATION_check41='Apply Zero Trust approach. Implement a process to scan and remediate unrestricted or overly permissive security groups. Recommended best practices is to narrow the definition for the minimum ports required.'
+CHECK_DOC_check41='https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html'
+CHECK_CAF_EPIC_check41='Infrastructure Security'
 check41(){
 # "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 22 (Scored)"
diff --git a/checks/check42 b/checks/check42
index 7edfc12a..da7b50f3 100644
--- a/checks/check42
+++ b/checks/check42
@@ -18,6 +18,10 @@ CHECK_ASFF_RESOURCE_TYPE_check42="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check402="check42"
 CHECK_ASFF_COMPLIANCE_TYPE_check42="ens-mp.com.4.aws.sg.5"
 CHECK_SERVICENAME_check42="ec2"
+CHECK_RISK_check42='Even having a perimeter firewall; having security groups open allows any user or malware with vpc access to scan for well known and sensitive ports and gain access to instance.'
+CHECK_REMEDIATION_check42='Apply Zero Trust approach. Implement a process to scan and remediate unrestricted or overly permissive security groups. Recommended best practices is to narrow the definition for the minimum ports required.'
+CHECK_DOC_check42='https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html'
+CHECK_CAF_EPIC_check42='Infrastructure Security'
 check42(){
 # "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389 (Scored)"
diff --git a/checks/check43 b/checks/check43
index 1742e675..ae11b6f1 100644
--- a/checks/check43
+++ b/checks/check43
@@ -18,13 +18,17 @@ CHECK_ASFF_RESOURCE_TYPE_check43="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check403="check43"
 CHECK_ASFF_COMPLIANCE_TYPE_check43="ens-mp.com.4.aws.sg.1"
 CHECK_SERVICENAME_check43="ec2"
+CHECK_RISK_check43='Even having a perimeter firewall; having security groups open allows any user or malware with vpc access to scan for well known and sensitive ports and gain access to instance.'
+CHECK_REMEDIATION_check43='Apply Zero Trust approach. Implement a process to scan and remediate unrestricted or overly permissive security groups. Recommended best practices is to narrow the definition for the minimum ports required.'
+CHECK_DOC_check43='https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html'
+CHECK_CAF_EPIC_check43='Infrastructure Security'
 check43(){
 # "Ensure the default security group of every VPC restricts all traffic (Scored)"
 for regx in $REGIONS; do
 CHECK_SGDEFAULT_IDS=$($AWSCLI ec2 describe-security-groups $PROFILE_OPT --region $regx --filters Name=group-name,Values='default' --query 'SecurityGroups[*].GroupId[]' --output text)
 for CHECK_SGDEFAULT_ID in $CHECK_SGDEFAULT_IDS; do
- CHECK_SGDEFAULT_ID_OPEN=$($AWSCLI ec2 describe-security-groups $PROFILE_OPT --region $regx --group-ids $CHECK_SGDEFAULT_ID --query 'SecurityGroups[*].{IpPermissions:IpPermissions,IpPermissionsEgress:IpPermissionsEgress,GroupId:GroupId}' --output text |egrep ' 0.0.0.0|\:\:\/0')
+ CHECK_SGDEFAULT_ID_OPEN=$($AWSCLI ec2 describe-security-groups $PROFILE_OPT --region $regx --group-ids $CHECK_SGDEFAULT_ID --query 'SecurityGroups[*].{IpPermissions:IpPermissions,IpPermissionsEgress:IpPermissionsEgress,GroupId:GroupId}' --output text |egrep '\s0.0.0.0|\:\:\/0')
 if [[ $CHECK_SGDEFAULT_ID_OPEN ]];then
 textFail "Default Security Groups ($CHECK_SGDEFAULT_ID) found that allow 0.0.0.0 IN or OUT traffic in Region $regx" "$regx"
 else
diff --git a/checks/check44 b/checks/check44
index f84d31ab..4683abe8 100644
--- a/checks/check44
+++ b/checks/check44
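Review bot: The rewritten `egrep '\s0.0.0.0|\:\:\/0'` still leaves the dots in `0.0.0.0` unescaped, so the ERE matches any character in those positions, and `\s` is a GNU extension rather than POSIX ERE, so its behaviour on the BSD grep that ships with macOS (which the README lists as a supported platform) is not guaranteed. A portable and exact form is `egrep '[[:space:]]0\.0\.0\.0/0|::/0'`, which also drops the unnecessary `\:\:\/0` escapes and anchors on the full any-address CIDR exactly as the `--output text` columns print it. The loop body of check43 continues past the `else` outside this hunk.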
@@ -17,6 +17,10 @@ CHECK_ASFF_TYPE_check44="Software and Configuration Checks/Industry and Regulato
 CHECK_ASFF_RESOURCE_TYPE_check44="AwsEc2Vpc"
 CHECK_ALTERNATE_check404="check44"
 CHECK_SERVICENAME_check44="vpc"
+CHECK_RISK_check44='Being highly selective in peering routing tables is a very effective way of minimizing the impact of breach as resources outside of these routes are inaccessible to the peered VPC.'
+CHECK_REMEDIATION_check44='Review routing tables of peered VPCs for whether they route all subnets of each VPC and whether that is necessary to accomplish the intended purposes for peering the VPCs.'
+CHECK_DOC_check44='https://docs.aws.amazon.com/vpc/latest/peering/peering-configurations-partial-access.html'
+CHECK_CAF_EPIC_check44='Infrastructure Security'
 check44(){
 # "Ensure routing tables for VPC peering are \"least access\" (Not Scored)"
diff --git a/checks/check_extra71 b/checks/check_extra71
index 96f367fd..a0a8ce03 100644
--- a/checks/check_extra71
+++ b/checks/check_extra71
@@ -21,6 +21,10 @@ CHECK_ALTERNATE_check71="extra71"
 CHECK_ALTERNATE_check701="extra71"
 CHECK_ASFF_COMPLIANCE_TYPE_extra71="ens-op.exp.10.aws.trail.2"
 CHECK_SERVICENAME_extra71="iam"
+CHECK_RISK_extra71='Policy "may" allow Anonymous users to perform actions.'
+CHECK_REMEDIATION_extra71='Ensure this repository and its contents should be publicly accessible.'
+CHECK_DOC_extra71='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html'
+CHECK_CAF_EPIC_extra71='Infrastructure Security'
 extra71(){
 # "Ensure users of groups with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra710 b/checks/check_extra710
index fccbce46..3a15384e 100644
--- a/checks/check_extra710
+++ b/checks/check_extra710
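Review bot: In the check_extra71 hunk, `CHECK_RISK_extra71` ('Policy "may" allow Anonymous users to perform actions.') and `CHECK_REMEDIATION_extra71` ('Ensure this repository and its contents should be publicly accessible.') do not describe this check, whose comment two lines below is "Ensure users of groups with AdministratorAccess policy have MFA tokens enabled"; they read as pasted from a public-repository check, and the remediation as written tells the reader to make something public, while `CHECK_DOC_extra71` correctly points at the virtual MFA guide. Suggested: `CHECK_RISK_extra71='Administrator users without MFA can be impersonated with a single stolen credential; giving full control of the account.'` and `CHECK_REMEDIATION_extra71='Enable an MFA device for every user in groups that have the AdministratorAccess policy attached.'`. `CHECK_CAF_EPIC_extra71` would also fit the `'IAM'` epic used by check34 and extra7100 better than 'Infrastructure Security'. The extra71 function body continues outside the hunk.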
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra710="AwsEc2Instance"
 CHECK_ALTERNATE_check710="extra710"
 CHECK_ASFF_COMPLIANCE_TYPE_extra710="ens-mp.com.4.aws.vpc.1"
 CHECK_SERVICENAME_extra710="ec2"
+CHECK_RISK_extra710='Exposing an EC2 directly to internet increases the attack surface and therefore the risk of compromise.'
+CHECK_REMEDIATION_extra710='Use an ALB and apply WAF ACL.'
+CHECK_DOC_extra710='https://aws.amazon.com/blogs/aws/aws-web-application-firewall-waf-for-application-load-balancers/'
+CHECK_CAF_EPIC_extra710='Infrastructure Security'
 extra710(){
 # "Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra7100 b/checks/check_extra7100
index 683cbc60..8fe3e53b 100644
--- a/checks/check_extra7100
+++ b/checks/check_extra7100
@@ -23,6 +23,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7100="AwsIamPolicy"
 CHECK_ALTERNATE_check7100="extra7100"
 CHECK_ASFF_COMPLIANCE_TYPE_extra7100="ens-op.acc.2.aws.iam.1"
 CHECK_SERVICENAME_extra7100="iam"
+CHECK_RISK_extra7100='If not restricted unintended access could happen.'
+CHECK_REMEDIATION_extra7100='Use the least privilege principle when granting permissions.'
+CHECK_DOC_extra7100='https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html'
+CHECK_CAF_EPIC_extra7100='IAM'
 extra7100(){
 # "Ensure that no custom policies exist which permit assuming any role (e.g. sts:AssumeRole on *)"
diff --git a/checks/check_extra7101 b/checks/check_extra7101
index 8646d914..aa6b43e4 100644
--- a/checks/check_extra7101
+++ b/checks/check_extra7101
@@ -10,6 +10,7 @@
 # under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
+
 CHECK_ID_extra7101="7.101"
 CHECK_TITLE_extra7101="[extra7101] Check if Amazon Elasticsearch Service (ES) domains have audit logging enabled"
 CHECK_SCORED_extra7101="NOT_SCORED"
@@ -18,14 +19,10 @@ CHECK_SEVERITY_extra7101="Low"
 CHECK_ASFF_RESOURCE_TYPE_extra7101="AwsElasticsearchDomain"
 CHECK_ALTERNATE_check7101="extra7101"
 CHECK_SERVICENAME_extra7101="es"
-
-# More info
-# Works for Amazon Elasticsearch Service domains (version 6.7+) with Fine Grained Access Control enabled
-# https://aws.amazon.com/about-aws/whats-new/2020/09/audit-logs-launch/
-# https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/audit-logs.html
-
-# Remediation
-# aws es update-elasticsearch-domain-config --domain-name test1 --log-publishing-options "AUDIT_LOGS={CloudWatchLogsLogGroupArn=arn:aws:logs:us-east-1:123456789012:log-group:my-log-group,Enabled=true}" --region eu-west-1
+CHECK_RISK_extra7101='If logs are not enabled; monitoring of service use and threat analysis is not possible.'
+CHECK_REMEDIATION_extra7101='Make sure you are logging information about Amazon Elasticsearch Service operations.'
+CHECK_DOC_extra7101='https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/audit-logs.html'
+CHECK_CAF_EPIC_extra7101='Logging and Monitoring'
 extra7101(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra7102 b/checks/check_extra7102
index 3be4629e..dc47d115 100644
--- a/checks/check_extra7102
+++ b/checks/check_extra7102
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra7102="High"
 CHECK_ASFF_RESOURCE_TYPE_extra7102="AwsEc2Eip"
 CHECK_ALTERNATE_check7102="extra7102"
 CHECK_SERVICENAME_extra7102="ec2"
+CHECK_RISK_extra7102='Sites like Shodan index exposed systems and further expose them to wider audiences as a quick way to find exploitable systems.'
+CHECK_REMEDIATION_extra7102='Check Identified IPs; consider changing them to private ones and delete them from Shodan.'
+CHECK_DOC_extra7102='https://www.shodan.io/'
+CHECK_CAF_EPIC_extra7102='Infrastructure Security'
 # Watch out, always use Shodan API key, if you use `curl https://www.shodan.io/host/{ip}` massively
 # your IP will be banned by Shodan
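Review bot: The removed comment block in the check_extra7101 hunk carried a precondition that the new `CHECK_REMEDIATION_extra7101` drops: audit logs are only available for domains on version 6.7+ with fine-grained access control enabled, so a flagged domain below that bar cannot be fixed by "logging information about operations" and the finding reads as a plain failure. The concrete `aws es update-elasticsearch-domain-config ... --log-publishing-options "AUDIT_LOGS={...}"` command from the deleted lines was the only actionable remediation in the file and is now gone from reports too. Suggested: `CHECK_REMEDIATION_extra7101='Enable audit log publishing to CloudWatch Logs with aws es update-elasticsearch-domain-config --log-publishing-options AUDIT_LOGS=...; requires Elasticsearch 6.7+ with fine-grained access control enabled.'`. The extra7101 function body continues outside the hunk.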
@@ -25,7 +29,6 @@ CHECK_SERVICENAME_extra7102="ec2"
 # This is the right way to do so
 # curl -ks https://api.shodan.io/shodan/host/{ip}?key={YOUR_API_KEY}
-
 # Each finding will be saved in prowler/output folder for further review.
 extra7102(){
@@ -33,7 +36,7 @@ extra7102(){
 textInfo "[extra7102] Requires a Shodan API key to work. Use -N "
 else
 for regx in $REGIONS; do
- LIST_OF_EIP=$($AWSCLI $PROFILE_OPT --region $regx ec2 describe-addresses --query 'Addresses[*].PublicIp' --output text)
+ LIST_OF_EIP=$($AWSCLI $PROFILE_OPT --region $regx ec2 describe-network-interfaces --query 'NetworkInterfaces[*].Association.PublicIp' --output text)
 if [[ $LIST_OF_EIP ]]; then
 for ip in $LIST_OF_EIP;do
 SHODAN_QUERY=$(curl -ks https://api.shodan.io/shodan/host/$ip?key=$SHODAN_API_KEY)
diff --git a/checks/check_extra7103 b/checks/check_extra7103
index 3a6feac9..bd0c8116 100644
--- a/checks/check_extra7103
+++ b/checks/check_extra7103
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7103="AwsSageMakerNotebookInstance"
 CHECK_ALTERNATE_check7103="extra7103"
 CHECK_SEVERITY_extra7103="Medium"
 CHECK_SERVICENAME_extra7103="sagemaker"
+CHECK_RISK_extra7103='Users with root access have administrator privileges; users can access and edit all files on a notebook instance with root access enabled.'
+CHECK_REMEDIATION_extra7103='set the RootAccess field to Disabled. You can also disable root access for users when you create or update a notebook instance in the Amazon SageMaker console.'
+CHECK_DOC_extra7103='https://docs.aws.amazon.com/sagemaker/latest/dg/nbi-root-access.html'
+CHECK_CAF_EPIC_extra7103='IAM'
 extra7103(){
 for regx in ${REGIONS}; do
diff --git a/checks/check_extra7104 b/checks/check_extra7104
index 1009d23b..d38a43cb 100644
--- a/checks/check_extra7104
+++ b/checks/check_extra7104
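Review bot: After the switch from `describe-addresses` to `describe-network-interfaces --query 'NetworkInterfaces[*].Association.PublicIp'`, `LIST_OF_EIP` holds every public IP associated with an ENI, including auto-assigned addresses that are not Elastic IPs, so the variable name is now misleading and `CHECK_ASFF_RESOURCE_TYPE_extra7102="AwsEc2Eip"` in the earlier hunk of this file no longer describes what gets reported; the textFail/textInfo wording further down (outside the hunk) presumably still says EIP as well. Renaming to `LIST_OF_PUBLIC_IP` and wording the finding as "public IP" keeps the report accurate without changing the broader coverage the commit intends. Empty `Association` entries are dropped by the JMESPath projection, so the loop will not query Shodan for a literal "None". The extra7102 function starts in the previous hunk and its body continues outside this one.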
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7104="AwsSageMakerNotebookInstance"
 CHECK_ALTERNATE_check7104="extra7104"
 CHECK_SEVERITY_extra7104="Medium"
 CHECK_SERVICENAME_extra7104="sagemaker"
+CHECK_RISK_extra7104='This could provide an avenue for unauthorized access to your data.'
+CHECK_REMEDIATION_extra7104='Restrict which traffic can access by launching Studio in a Virtual Private Cloud (VPC) of your choosing.'
+CHECK_DOC_extra7104='https://docs.aws.amazon.com/sagemaker/latest/dg/studio-notebooks-and-internet-access.html'
+CHECK_CAF_EPIC_extra7104='Infrastructure Security'
 extra7104(){
 for regx in ${REGIONS}; do
diff --git a/checks/check_extra7105 b/checks/check_extra7105
index b62e9732..39220549 100644
--- a/checks/check_extra7105
+++ b/checks/check_extra7105
@@ -19,7 +19,11 @@ CHECK_ASFF_RESOURCE_TYPE_extra7105="AwsSageMakerModel"
 CHECK_ALTERNATE_check7105="extra7105"
 CHECK_SEVERITY_extra7105="Medium"
 CHECK_SERVICENAME_extra7105="sagemaker"
-
+CHECK_RISK_extra7105='This could provide an avenue for unauthorized access to your data.'
+CHECK_REMEDIATION_extra7105='Restrict which traffic can access by launching Studio in a Virtual Private Cloud (VPC) of your choosing.'
+CHECK_DOC_extra7105='https://docs.aws.amazon.com/sagemaker/latest/dg/studio-notebooks-and-internet-access.html'
+CHECK_CAF_EPIC_extra7105='Infrastructure Security'
+
 extra7105(){
 for regx in ${REGIONS}; do
 LIST_SM_NB_MODELS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-models --query 'Models[*].ModelName' --output text)
diff --git a/checks/check_extra7106 b/checks/check_extra7106
index 1f91d7aa..39f62234 100644
--- a/checks/check_extra7106
+++ b/checks/check_extra7106
@@ -19,7 +19,11 @@ CHECK_ASFF_RESOURCE_TYPE_extra7106="AwsSageMakerModel"
 CHECK_ALTERNATE_check7106="extra7106"
 CHECK_SEVERITY_extra7106="Medium"
 CHECK_SERVICENAME_extra7106="sagemaker"
-
+CHECK_RISK_extra7106='This could provide an avenue for unauthorized access to your data.'
+CHECK_REMEDIATION_extra7106='Restrict which traffic can access by launching Studio in a Virtual Private Cloud (VPC) of your choosing.'
+CHECK_DOC_extra7106='https://docs.aws.amazon.com/sagemaker/latest/dg/studio-notebooks-and-internet-access.html'
+CHECK_CAF_EPIC_extra7106='Infrastructure Security'
+
 extra7106(){
 for regx in ${REGIONS}; do
 LIST_SM_NB_MODELS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-models --query 'Models[*].ModelName' --output text)
diff --git a/checks/check_extra7107 b/checks/check_extra7107
index 0bd75d45..7464387f 100644
--- a/checks/check_extra7107
+++ b/checks/check_extra7107
@@ -19,7 +19,11 @@ CHECK_ASFF_RESOURCE_TYPE_extra7107="AwsSageMakerNotebookInstance"
 CHECK_ALTERNATE_check7107="extra7107"
 CHECK_SEVERITY_extra7107="Medium"
 CHECK_SERVICENAME_extra7107="sagemaker"
-
+CHECK_RISK_extra7107='If not restricted unintended access could happen.'
+CHECK_REMEDIATION_extra7107='Internetwork communications support TLS 1.2 encryption between all components and clients.'
+CHECK_DOC_extra7107='https://docs.aws.amazon.com/sagemaker/latest/dg/interface-vpc-endpoint.html'
+CHECK_CAF_EPIC_extra7107='Data Protection'
+
 extra7107(){
 for regx in ${REGIONS}; do
 LIST_SM_NB_JOBS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-training-jobs --query 'TrainingJobSummaries[*].TrainingJobName' --output text)
diff --git a/checks/check_extra7108 b/checks/check_extra7108
index 7b3161cb..45c38b7e 100644
--- a/checks/check_extra7108
+++ b/checks/check_extra7108
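Review bot: `CHECK_REMEDIATION_extra7107` ('Internetwork communications support TLS 1.2 encryption between all components and clients.') states a property of the service rather than an action, so the report never tells the reader what to change; the check iterates `list-training-jobs`, which suggests it concerns traffic encryption on training jobs, in which case something like `CHECK_REMEDIATION_extra7107='Enable inter-container traffic encryption when creating training jobs.'` would be actionable — please confirm against the check's title, which is outside the hunk. `CHECK_DOC_extra7107` also points at the VPC interface endpoint page while the epic is 'Data Protection'; the two should agree. Relatedly, `CHECK_REMEDIATION_extra7105` and `CHECK_REMEDIATION_extra7106` in the preceding hunks tell the user to launch Studio in a VPC although both checks enumerate `list-models` (resource type AwsSageMakerModel), so that text looks copied from extra7104 and should describe the model's own network configuration instead. The extra7107 function body continues outside the hunk.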
@@ -19,7 +19,11 @@ CHECK_ASFF_RESOURCE_TYPE_extra7108="AwsSageMakerNotebookInstance"
 CHECK_ALTERNATE_check7108="extra7108"
 CHECK_SEVERITY_extra7108="Medium"
 CHECK_SERVICENAME_extra7108="sagemaker"
-
+CHECK_RISK_extra7108='Data exfiltration could happen if information is not protected. KMS keys provide additional security level to IAM policies.'
+CHECK_REMEDIATION_extra7108='Specify AWS KMS keys to use for input and output from S3 and EBS.'
+CHECK_DOC_extra7108='https://docs.aws.amazon.com/sagemaker/latest/dg/key-management.html'
+CHECK_CAF_EPIC_extra7108='Data Protection'
+
 extra7108(){
 for regx in ${REGIONS}; do
 LIST_SM_NB_JOBS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-training-jobs --query 'TrainingJobSummaries[*].TrainingJobName' --output text)
diff --git a/checks/check_extra7109 b/checks/check_extra7109
index eba6a4cb..5474ce38 100644
--- a/checks/check_extra7109
+++ b/checks/check_extra7109
@@ -19,7 +19,11 @@ CHECK_ASFF_RESOURCE_TYPE_extra7109="AwsSageMakerNotebookInstance"
 CHECK_ALTERNATE_check7109="extra7109"
 CHECK_SEVERITY_extra7109="Medium"
 CHECK_SERVICENAME_extra7109="sagemaker"
-
+CHECK_RISK_extra7109='This could provide an avenue for unauthorized access to your data.'
+CHECK_REMEDIATION_extra7109='Restrict which traffic can access by launching Studio in a Virtual Private Cloud (VPC) of your choosing.'
+CHECK_DOC_extra7109='https://docs.aws.amazon.com/sagemaker/latest/dg/interface-vpc-endpoint.html'
+CHECK_CAF_EPIC_extra7109='Infrastructure Security'
+
 extra7109(){
 for regx in ${REGIONS}; do
 LIST_SM_NB_JOBS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-training-jobs --query 'TrainingJobSummaries[*].TrainingJobName' --output text)
diff --git a/checks/check_extra711 b/checks/check_extra711
index 04a3a60c..b5bf3ee7 100644
--- a/checks/check_extra711
+++ b/checks/check_extra711
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra711="High"
 CHECK_ASFF_RESOURCE_TYPE_extra711="AwsRedshiftCluster"
 CHECK_ALTERNATE_check711="extra711"
 CHECK_SERVICENAME_extra711="redshift"
+CHECK_RISK_extra711='Publicly accessible services could expose sensible data to bad actors.'
+CHECK_REMEDIATION_extra711='List all shared Redshift clusters and make sure there is a business reason for them.'
+CHECK_DOC_extra711='https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-vpc.html'
+CHECK_CAF_EPIC_extra711='Data Protection'
 extra711(){
 # "Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra7110 b/checks/check_extra7110
index d9406a38..fe91f12a 100644
--- a/checks/check_extra7110
+++ b/checks/check_extra7110
@@ -19,7 +19,11 @@ CHECK_ASFF_RESOURCE_TYPE_extra7110="AwsSageMakerNotebookInstance"
 CHECK_ALTERNATE_check7110="extra7110"
 CHECK_SEVERITY_extra7110="Medium"
 CHECK_SERVICENAME_extra7110="sagemaker"
-
+CHECK_RISK_extra7110='This could provide an avenue for unauthorized access to your data.'
+CHECK_REMEDIATION_extra7110='Restrict which traffic can access by launching Studio in a Virtual Private Cloud (VPC) of your choosing.'
+CHECK_DOC_extra7110='https://docs.aws.amazon.com/sagemaker/latest/dg/interface-vpc-endpoint.html'
+CHECK_CAF_EPIC_extra7110='Infrastructure Security'
+
 extra7110(){
 for regx in ${REGIONS}; do
 LIST_SM_NB_JOBS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-training-jobs --query 'TrainingJobSummaries[*].TrainingJobName' --output text)
diff --git a/checks/check_extra7111 b/checks/check_extra7111
index d3f25dfc..f3117ab0 100644
--- a/checks/check_extra7111
+++ b/checks/check_extra7111
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7111="AwsSageMakerNotebookInstance"
 CHECK_ALTERNATE_check7111="extra7111"
 CHECK_SEVERITY_extra7111="Medium"
 CHECK_SERVICENAME_extra7111="sagemaker"
+CHECK_RISK_extra7111='This could provide an avenue for unauthorized access to your data.'
+CHECK_REMEDIATION_extra7111='Restrict which traffic can access by launching Studio in a Virtual Private Cloud (VPC) of your choosing.'
+CHECK_DOC_extra7111='https://docs.aws.amazon.com/sagemaker/latest/dg/interface-vpc-endpoint.html'
+CHECK_CAF_EPIC_extra7111='Infrastructure Security'
 extra7111(){
 for regx in ${REGIONS}; do
diff --git a/checks/check_extra7112 b/checks/check_extra7112
index ffa6da15..5693bf0c 100644
--- a/checks/check_extra7112
+++ b/checks/check_extra7112
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7112="AwsSageMakerNotebookInstance"
 CHECK_ALTERNATE_check7112="extra7112"
 CHECK_SEVERITY_extra7112="Medium"
 CHECK_SERVICENAME_extra7112="sagemaker"
+CHECK_RISK_extra7112='Data exfiltration could happen if information is not protected. KMS keys provide additional security level to IAM policies.'
+CHECK_REMEDIATION_extra7112='Specify AWS KMS keys to use for input and output from S3 and EBS.'
+CHECK_DOC_extra7112='https://docs.aws.amazon.com/sagemaker/latest/dg/key-management.html'
+CHECK_CAF_EPIC_extra7112='Data Protection'
 extra7112(){
 for regx in ${REGIONS}; do
diff --git a/checks/check_extra7113 b/checks/check_extra7113
index 3cbe45a8..a9dcbcce 100644
--- a/checks/check_extra7113
+++ b/checks/check_extra7113
@@ -30,6 +30,10 @@ CHECK_SEVERITY_extra7113="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7113="AwsRdsDbInstance"
 CHECK_ALTERNATE_check7113="extra7113"
 CHECK_SERVICENAME_extra7113="rds"
+CHECK_RISK_extra7113='You can only delete instances that do not have deletion protection enabled.'
+CHECK_REMEDIATION_extra7113='Enable deletion protection using the AWS Management Console for production DB instances.'
+CHECK_DOC_extra7113='https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_DeleteInstance.html'
+CHECK_CAF_EPIC_extra7113='Data Protection'
 extra7113(){
 textInfo "Looking for RDS Volumes in all regions... "
diff --git a/checks/check_extra7114 b/checks/check_extra7114
index fe22a405..0fa3a7b7 100644
--- a/checks/check_extra7114
+++ b/checks/check_extra7114
@@ -19,6 +19,10 @@ CHECK_SEVERITY_extra7114="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7114="AwsGlue"
 CHECK_ALTERNATE_check7114="extra7114"
 CHECK_SERVICENAME_extra7114="glue"
+CHECK_RISK_extra7114='Data exfiltration could happen if information is not protected. KMS keys provide additional security level to IAM policies.'
+CHECK_REMEDIATION_extra7114='Specify AWS KMS keys to use for input and output from S3 and EBS.'
+CHECK_DOC_extra7114='https://docs.aws.amazon.com/glue/latest/dg/encryption-security-configuration.html'
+CHECK_CAF_EPIC_extra7114='Data Protection'
 extra7114(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra7115 b/checks/check_extra7115
index 08beee45..cc883edb 100644
--- a/checks/check_extra7115
+++ b/checks/check_extra7115
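Review bot: CHECK_RISK_extra7113 states how the feature behaves ('You can only delete instances that do not have deletion protection enabled.') instead of the risk the finding represents. The other RISK strings in this commit describe a consequence, so for consistency use something like `CHECK_RISK_extra7113='Without deletion protection a DB instance can be deleted by accident or by a compromised principal; causing data loss.'`. extra7113's body continues outside the hunk.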
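Review bot: CHECK_REMEDIATION_extra7114 ('Specify AWS KMS keys to use for input and output from S3 and EBS.') is the SageMaker wording from extra7108, while this is a Glue check whose CHECK_DOC points at Glue security configurations. The remediation should name the Glue mechanism, e.g. `CHECK_REMEDIATION_extra7114='Create a Glue security configuration with encryption enabled and attach it to crawlers; jobs and development endpoints.'`.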
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra7115="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7115="AwsGlue"
 CHECK_ALTERNATE_check7115="extra7115"
 CHECK_SERVICENAME_extra7115="glue"
+CHECK_RISK_extra7115='Data exfiltration could happen if information is not protected in transit.'
+CHECK_REMEDIATION_extra7115='Configure encryption settings for crawlers; ETL jobs; and development endpoints using security configurations in AWS Glue.'
+CHECK_DOC_extra7115='https://docs.aws.amazon.com/glue/latest/dg/encryption-in-transit.html'
+CHECK_CAF_EPIC_extra7115='Data Protection'
 extra7115(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra7116 b/checks/check_extra7116
index 610741a5..43136f76 100644
--- a/checks/check_extra7116
+++ b/checks/check_extra7116
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra7116="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7116="AwsGlue"
 CHECK_ALTERNATE_check7116="extra7116"
 CHECK_SERVICENAME_extra7116="glue"
+CHECK_RISK_extra7116='If not enabled sensible information at rest is not protected.'
+CHECK_REMEDIATION_extra7116='Enable Encryption. Use a CMK where possible. It will provide additional management and privacy benefits.'
+CHECK_DOC_extra7116='https://docs.aws.amazon.com/glue/latest/dg/encrypt-glue-data-catalog.html'
+CHECK_CAF_EPIC_extra7116='Data Protection'
 extra7116(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra7117 b/checks/check_extra7117
index 62da7ab9..f0eeb03e 100644
--- a/checks/check_extra7117
+++ b/checks/check_extra7117
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra7117="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7117="AwsGlue"
 CHECK_ALTERNATE_check7117="extra7117"
 CHECK_SERVICENAME_extra7117="glue"
+CHECK_RISK_extra7117='If not enabled sensible information at rest is not protected.'
+CHECK_REMEDIATION_extra7117='On the AWS Glue console; you can enable this option on the Data catalog settings page.'
+CHECK_DOC_extra7117='https://docs.aws.amazon.com/glue/latest/dg/encrypt-connection-passwords.html'
+CHECK_CAF_EPIC_extra7117='Data Protection'
 extra7117(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra7118 b/checks/check_extra7118
index 614d8130..524ac4c2 100644
--- a/checks/check_extra7118
+++ b/checks/check_extra7118
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra7118="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7118="AwsGlue"
 CHECK_ALTERNATE_check7118="extra7118"
 CHECK_SERVICENAME_extra7118="glue"
+CHECK_RISK_extra7118='If not enabled sensible information at rest is not protected.'
+CHECK_REMEDIATION_extra7118='Provide the encryption properties that are used by crawlers; jobs; and development endpoints.'
+CHECK_DOC_extra7118='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html'
+CHECK_CAF_EPIC_extra7118='Data Protection'
 extra7118(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra7119 b/checks/check_extra7119
index 33162563..fbd035dc 100644
--- a/checks/check_extra7119
+++ b/checks/check_extra7119
@@ -19,6 +19,10 @@ CHECK_SEVERITY_extra7119="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7119="AwsGlue"
 CHECK_ALTERNATE_check7119="extra7119"
 CHECK_SERVICENAME_extra7119="glue"
+CHECK_RISK_extra7119='If not enabled sensible information at rest is not protected.'
+CHECK_REMEDIATION_extra7119='Enable Encryption in the Security configurations.'
+CHECK_DOC_extra7119='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html'
+CHECK_CAF_EPIC_extra7119='Logging and Monitoring'
 extra7119(){
 for regx in $REGIONS; do
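Review bot: CHECK_CAF_EPIC_extra7119 is 'Logging and Monitoring' while the risk and remediation on the same hunk are about encryption at rest, and the sibling Glue checks extra7121 and extra7122, which carry the identical RISK/REMEDIATION text, use 'Data Protection'. extra7120 has the same mismatch. Unless the epic is meant to classify something the check body tests that is not visible here, change both to `CHECK_CAF_EPIC_extra7119='Data Protection'` and `CHECK_CAF_EPIC_extra7120='Data Protection'`.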
diff --git a/checks/check_extra712 b/checks/check_extra712
index 39e0e3c2..21c9fcae 100644
--- a/checks/check_extra712
+++ b/checks/check_extra712
@@ -18,10 +18,14 @@ CHECK_SEVERITY_extra712="Low"
 CHECK_ALTERNATE_check712="extra712"
 CHECK_ASFF_RESOURCE_TYPE_extra712="AwsMacieSession"
 CHECK_SERVICENAME_extra712="macie"
+CHECK_RISK_extra712='Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to help you discover; monitor; and protect your sensitive data in AWS.'
+CHECK_REMEDIATION_extra712='Enable Amazon Macie and create appropriate jobs to discover sensitive data.'
+CHECK_DOC_extra712='https://docs.aws.amazon.com/macie/latest/user/getting-started.html'
+CHECK_CAF_EPIC_extra712='Data Protection'
 extra712(){
- textInfo "No API commands available to check if Macie is enabled,"
- textInfo "just looking if IAM Macie related permissions exist. "
+# textInfo "No API commands available to check if Macie is enabled,"
+# textInfo "just looking if IAM Macie related permissions exist. "
 MACIE_IAM_ROLES_CREATED=$($AWSCLI iam list-roles $PROFILE_OPT --query 'Roles[*].Arn'|grep AWSMacieServiceCustomer|wc -l)
 if [[ $MACIE_IAM_ROLES_CREATED -eq 2 ]];then
 textPass "Macie related IAM roles exist so it might be enabled. Check it out manually"
diff --git a/checks/check_extra7120 b/checks/check_extra7120
index d51e0208..553a37db 100644
--- a/checks/check_extra7120
+++ b/checks/check_extra7120
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra7120="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7120="AwsGlue"
 CHECK_ALTERNATE_check7120="extra7120"
 CHECK_SERVICENAME_extra7120="glue"
+CHECK_RISK_extra7120='If not enabled sensible information at rest is not protected.'
+CHECK_REMEDIATION_extra7120='Enable Encryption in the Security configurations.'
+CHECK_DOC_extra7120='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html'
+CHECK_CAF_EPIC_extra7120='Logging and Monitoring'
 extra7120(){
 for regx in $REGIONS; do
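Review bot: The two textInfo calls in extra712 are commented out rather than deleted, leaving dead lines in the function body; if the messages are no longer wanted they should be removed, and if they are still accurate they document a real limitation the user should see, since the context lines show the check only infers Macie from the count of IAM role ARNs matching AWSMacieServiceCustomer. Separately, CHECK_RISK_extra712 is a product description of Macie rather than a risk; a consequence-oriented sentence such as `CHECK_RISK_extra712='Without Macie enabled; sensitive data stored in S3 is not discovered or monitored.'` would match the other RISK strings in this commit. The rest of extra712 is outside the hunk.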
diff --git a/checks/check_extra7121 b/checks/check_extra7121
index 1324f7b8..9bfe383e 100644
--- a/checks/check_extra7121
+++ b/checks/check_extra7121
@@ -19,6 +19,10 @@ CHECK_SEVERITY_extra7121="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7121="AwsGlue"
 CHECK_ALTERNATE_check7121="extra7121"
 CHECK_SERVICENAME_extra7121="glue"
+CHECK_RISK_extra7121='If not enabled sensible information at rest is not protected.'
+CHECK_REMEDIATION_extra7121='Enable Encryption in the Security configurations.'
+CHECK_DOC_extra7121='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html'
+CHECK_CAF_EPIC_extra7121='Data Protection'
 extra7121(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra7122 b/checks/check_extra7122
index dba88dd5..de2c2b47 100644
--- a/checks/check_extra7122
+++ b/checks/check_extra7122
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra7122="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7122="AwsGlue"
 CHECK_ALTERNATE_check7122="extra7122"
 CHECK_SERVICENAME_extra7122="glue"
+CHECK_RISK_extra7122='If not enabled sensible information at rest is not protected.'
+CHECK_REMEDIATION_extra7122='Enable Encryption in the Security configurations.'
+CHECK_DOC_extra7122='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html'
+CHECK_CAF_EPIC_extra7122='Data Protection'
 extra7122(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra7123 b/checks/check_extra7123
index b9af0aaa..0c96f273 100644
--- a/checks/check_extra7123
+++ b/checks/check_extra7123
@@ -20,6 +20,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7123="AwsIamUser"
 CHECK_ALTERNATE_check7123="extra7123"
 CHECK_ASFF_COMPLIANCE_TYPE_extra7123="ens-op.acc.1.aws.iam.2"
 CHECK_SERVICENAME_extra7123="iam"
+CHECK_RISK_extra7123='Access Keys could be lost or stolen. It creates a critical risk.'
+CHECK_REMEDIATION_extra7123='Avoid using long lived access keys.'
+CHECK_DOC_extra7123='https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAccessKeys.html'
+CHECK_CAF_EPIC_extra7123='IAM'
 extra7123(){
 LIST_OF_USERS_WITH_2ACCESS_KEYS=$(cat $TEMP_REPORT_FILE| awk -F, '{ print $1, $9, $14 }' |grep "\ true\ true" | awk '{ print $1 }')
diff --git a/checks/check_extra7124 b/checks/check_extra7124
index 3828164f..739ede63 100644
--- a/checks/check_extra7124
+++ b/checks/check_extra7124
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7124="AwsEc2Instance"
 CHECK_ALTERNATE_check7124="extra7124"
 CHECK_ASFF_COMPLIANCE_TYPE_extra7124="ens-op.exp.1.aws.sys.1 ens-op.acc.4.aws.sys.1"
 CHECK_SERVICENAME_extra7124="ssm"
+CHECK_RISK_extra7124='AWS Config provides AWS Managed Rules; which are predefined; customizable rules that AWS Config uses to evaluate whether your AWS resource configurations comply with common best practices.'
+CHECK_REMEDIATION_extra7124='Verify and apply Systems Manager Prerequisites.'
+CHECK_DOC_extra7124='https://docs.aws.amazon.com/systems-manager/latest/userguide/managed_instances.html'
+CHECK_CAF_EPIC_extra7124='Infrastructure Security'
 extra7124(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra7125 b/checks/check_extra7125
index 007947e4..8aabe4d3 100644
--- a/checks/check_extra7125
+++ b/checks/check_extra7125
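Review bot: CHECK_RISK_extra7124 describes AWS Config managed rules, but this is an SSM check (CHECK_SERVICENAME_extra7124="ssm", CHECK_DOC on managed instances) and its remediation is about Systems Manager prerequisites, so the risk text does not match the finding it will be printed with. It should state what is lost when an instance is not SSM-managed, e.g. `CHECK_RISK_extra7124='Instances not managed by Systems Manager cannot be patched; inventoried or accessed through SSM; leaving them outside centralized operational control.'`. extra7124's body continues outside the hunk.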
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7125="AwsIamUser"
 CHECK_ALTERNATE_check7125="extra7125"
 CHECK_ASFF_COMPLIANCE_TYPE_extra7125="ens-op.acc.5.aws.iam.2"
 CHECK_SERVICENAME_extra7125="iam"
+CHECK_RISK_extra7125='Hardware MFA is preferred over virtual MFA.'
+CHECK_REMEDIATION_extra7125='Enable hardware MFA device for an IAM user from the AWS Management Console; the command line; or the IAM API.'
+CHECK_DOC_extra7125='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_physical.html'
+CHECK_CAF_EPIC_extra7125='IAM'
 extra7125(){
 LIST_USERS=$($AWSCLI iam list-users --query 'Users[*].UserName' --output text $PROFILE_OPT --region $REGION)
diff --git a/checks/check_extra7126 b/checks/check_extra7126
index 4c089e27..f1b80877 100644
--- a/checks/check_extra7126
+++ b/checks/check_extra7126
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7126="AwsKmsKey"
 CHECK_ALTERNATE_check7126="extra7126"
 CHECK_ASFF_COMPLIANCE_TYPE_extra7126="op.exp.11.aws.kms.2"
 CHECK_SERVICENAME_extra7126="kms"
+CHECK_RISK_extra7126='Unused keys may increase service cost.'
+CHECK_REMEDIATION_extra7126='Before deleting a customer master key (CMK); you might want to know how many cipher-texts were encrypted under that key. '
+CHECK_DOC_extra7126='https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys-determining-usage.html'
+CHECK_CAF_EPIC_extra7126='Data Protection'
 extra7126(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra7127 b/checks/check_extra7127
index 9f28c605..ecc725c1 100644
--- a/checks/check_extra7127
+++ b/checks/check_extra7127
@@ -20,7 +20,10 @@ CHECK_ASFF_TYPE_extra7127="Software and Configuration Checks/ENS op.exp.4.aws.sy
 CHECK_ALTERNATE_check7127="extra7127"
 CHECK_ASFF_COMPLIANCE_TYPE_extra7127="ens-op.exp.1.aws.sys.1 ens-op.exp.4.aws.sys.1"
 CHECK_SERVICENAME_extra7127="ssm"
-
+CHECK_RISK_extra7127='Without the most recent security patches your system is potentially vulnerable to cyberattacks. Even the best-designed software can not anticipate every future threat to cybersecurity. Poor patch management can leave an organizations data exposed subjecting them to malware and ransomware attacks.'
+CHECK_REMEDIATION_extra7127='Consider using SSM in all accounts and services to at least monitor for missing patches on servers. Use a robust process to apply security fixes as soon as they are made available. Patch compliance data from Patch Manager can be sent to AWS Security Hub to centralize security issues.'
+CHECK_DOC_extra7127='https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-compliance-identify.html'
+CHECK_CAF_EPIC_extra7127='Infrastructure Security'
 extra7127(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra7128 b/checks/check_extra7128
index 13bc161c..27be1f66 100644
--- a/checks/check_extra7128
+++ b/checks/check_extra7128
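Review bot: CHECK_RISK_extra7127 reads 'an organizations data', which needs a possessive, but the value is now a single-quoted literal so an apostrophe cannot simply be inserted without breaking the assignment. Rephrase to avoid it, e.g. `... can leave the data of an organization exposed; subjecting it to malware and ransomware attacks.`, and change 'can not' to 'cannot' in the same string. extra7127's body continues outside the hunk.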
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7128="AwsDynamoDBTable"
 CHECK_ALTERNATE_check7128="extra7128"
 CHECK_ASFF_COMPLIANCE_TYPE_extra7128="ens-mp.info.3.aws.dyndb.1"
 CHECK_SERVICENAME_extra7128="dynamodb"
+CHECK_RISK_extra7128='All user data stored in Amazon DynamoDB is fully encrypted at rest. This functionality helps reduce the operational burden and complexity involved in protecting sensitive data.'
+CHECK_REMEDIATION_extra7128='Specify an encryption key when you create a new table or switch the encryption keys on an existing table by using the AWS Management Console.'
+CHECK_DOC_extra7128='https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html'
+CHECK_CAF_EPIC_extra7128='Data Protection'
 extra7128(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra7129 b/checks/check_extra7129
index d6a55d8e..130c8074 100644
--- a/checks/check_extra7129
+++ b/checks/check_extra7129
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7129="AwsElasticLoadBalancingV2LoadBalancer"
 CHECK_ALTERNATE_check7129="extra7129"
 CHECK_ASFF_COMPLIANCE_TYPE_extra7129="ens-mp.s.2.aws.waf.3"
 CHECK_SERVICENAME_extra7129="elb"
+CHECK_RISK_extra7129='If not WAF ACL is attached risk of web attacks increases.'
+CHECK_REMEDIATION_extra7129='Using the AWS Management Console open the AWS WAF console to attach an ACL.'
+CHECK_DOC_extra7129='https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-associating-aws-resource.html'
+CHECK_CAF_EPIC_extra7129='Infrastructure Security'
 extra7129(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra713 b/checks/check_extra713
index 49606523..6002ac8d 100644
--- a/checks/check_extra713
+++ b/checks/check_extra713
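Review bot: CHECK_RISK_extra7128 says all DynamoDB data is already fully encrypted at rest, which tells the reader there is nothing to fix and undercuts whatever the check body reports (presumably which key type a table uses; the body is outside the hunk). The risk should describe the gap the finding represents, e.g. `CHECK_RISK_extra7128='Tables encrypted only with the AWS-owned key give you no control over key rotation; access policy or auditing of key use.'`, adjusted to whatever condition extra7128 actually tests.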
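Review bot: CHECK_RISK_extra7129 reads 'If not WAF ACL is attached', which is ungrammatical in a user-facing report string. Change it to `CHECK_RISK_extra7129='If no WAF ACL is attached; the risk of web attacks increases.'`.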
@@ -19,6 +19,10 @@ CHECK_ALTERNATE_check713="extra713"
 CHECK_ASFF_COMPLIANCE_TYPE_extra713="ens-op.mon.1.aws.duty.1"
 CHECK_ASFF_RESOURCE_TYPE_extra713="AwsGuardDutyDetector"
 CHECK_SERVICENAME_extra713="guardduty"
+CHECK_RISK_extra713='Amazon GuardDuty is a continuous security monitoring service that analyzes and processes several datasources.'
+CHECK_REMEDIATION_extra713='Enable GuardDuty and analyze its findings.'
+CHECK_DOC_extra713='https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html'
+CHECK_CAF_EPIC_extra713='Data Protection'
 extra713(){
 # "Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra7130 b/checks/check_extra7130
index 7165a5fe..4a712973 100644
--- a/checks/check_extra7130
+++ b/checks/check_extra7130
@@ -19,6 +19,10 @@ CHECK_SEVERITY_extra7130="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7130="AwsSnsTopic"
 CHECK_ALTERNATE_check7130="extra7130"
 CHECK_SERVICENAME_extra7130="sns"
+CHECK_RISK_extra7130='If not enabled sensible information at rest is not protected.'
+CHECK_REMEDIATION_extra7130='Use Amazon SNS with AWS KMS.'
+CHECK_DOC_extra7130='https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html'
+CHECK_CAF_EPIC_extra7130='Data Protection'
 extra7130(){
 textInfo "Looking for SNS Topics in all regions... "
diff --git a/checks/check_extra7131 b/checks/check_extra7131
index 3f85c2a9..fc8266a1 100644
--- a/checks/check_extra7131
+++ b/checks/check_extra7131
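Review bot: CHECK_CAF_EPIC_extra713 classifies the GuardDuty check under 'Data Protection' while the risk text itself calls GuardDuty a 'continuous security monitoring service', the compliance type is ens-op.mon.1, and the logging checks elsewhere in this commit (extra714, extra717, extra720) use 'Logging and Monitoring'. If the epic is meant to follow the service's function, change it to `CHECK_CAF_EPIC_extra713='Logging and Monitoring'`. The RISK string is also a product description rather than a consequence; something like `CHECK_RISK_extra713='Without GuardDuty; suspicious API activity and known-malicious traffic in the account go undetected.'` would match the other checks.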
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra7131="Low"
 CHECK_ASFF_RESOURCE_TYPE_extra7131="AwsRdsDbInstance"
 CHECK_ALTERNATE_check7131="extra7131"
 CHECK_SERVICENAME_extra7131="rds"
+CHECK_RISK_extra7131='Auto Minor Version Upgrade is a feature that you can enable to have your database automatically upgraded when a new minor database engine version is available. Minor version upgrades often patch security vulnerabilities and fix bugs; and therefor should be applied.'
+CHECK_REMEDIATION_extra7131='Enable auto minor version upgrade for all databases and environments.'
+CHECK_DOC_extra7131='https://aws.amazon.com/blogs/database/best-practices-for-upgrading-amazon-rds-to-major-and-minor-versions-of-postgresql/'
+CHECK_CAF_EPIC_extra7131='Infrastructure Security'
 extra7131(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra7132 b/checks/check_extra7132
index 8a704100..eb64827d 100644
--- a/checks/check_extra7132
+++ b/checks/check_extra7132
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra7132="Low"
 CHECK_ASFF_RESOURCE_TYPE_extra7132="AwsRdsDbInstance"
 CHECK_ALTERNATE_check7132="extra7132"
 CHECK_SERVICENAME_extra7132="rds"
+CHECK_RISK_extra7132='A smaller monitoring interval results in more frequent reporting of OS metrics.'
+CHECK_REMEDIATION_extra7132='To use Enhanced Monitoring; you must create an IAM role; and then enable Enhanced Monitoring.'
+CHECK_DOC_extra7132='https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Monitoring.OS.html'
+CHECK_CAF_EPIC_extra7132='Logging and Monitoring'
 extra7132(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra7133 b/checks/check_extra7133
index 15db98d4..2be3d662 100644
--- a/checks/check_extra7133
+++ b/checks/check_extra7133
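Review bot: CHECK_RISK_extra7131 misspells 'therefor' ('and therefor should be applied'), and the string is printed to users in reports. Change the clause to `... fix bugs; and therefore should be applied.'`. The CHECK_DOC link is a PostgreSQL-specific blog post while the check applies to every RDS instance; if a generic RDS user-guide page on engine version upgrades exists, it would be the better reference.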
@@ -18,8 +18,10 @@ CHECK_SEVERITY_extra7133="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7133="AwsRdsDbInstance"
 CHECK_ALTERNATE_check7133="extra7133"
 CHECK_SERVICENAME_extra7133="rds"
-CHECK_RISK_extra7133="In case of failure with a single-AZ deployment configuration should an availability zone specific database failure occur Amazon RDS can not automatically fail over to the standby availability zone."
-CHECK_REMEDIATION_extra7133="Enable multi-AZ deployment for production databases. More here: https://aws.amazon.com/rds/features/multi-az/."
+CHECK_RISK_extra7133='In case of failure; with a single-AZ deployment configuration; should an availability zone specific database failure occur; Amazon RDS can not automatically fail over to the standby availability zone.'
+CHECK_REMEDIATION_extra7133='Enable multi-AZ deployment for production databases.'
+CHECK_DOC_extra7133='https://aws.amazon.com/rds/features/multi-az/'
+CHECK_CAF_EPIC_extra7133='Data Protection'
 extra7133(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra714 b/checks/check_extra714
index 362b69c0..38bddcc1 100644
--- a/checks/check_extra714
+++ b/checks/check_extra714
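Review bot: The rewrite of CHECK_RISK_extra7133 replaces every comma with a semicolon, as do the new strings throughout the commit, which suggests the report writer splits these fields on commas without quoting them; if so, that constraint belongs in the output code (quote or escape the field) rather than in an unwritten rule that every future description must avoid commas. The move to single-quoted assignments also means any description containing an apostrophe will now break the assignment. Until the writer is fixed, a comment next to these variables stating both restrictions, such as `# texts below: no commas (CSV field) and no single quotes (quoted literal)`, would keep contributors from reintroducing either. extra7133's body continues outside the hunk.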
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra714="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra714="AwsCloudFrontDistribution"
 CHECK_ALTERNATE_check714="extra714"
 CHECK_SERVICENAME_extra714="cloudfront"
+CHECK_RISK_extra714='If not enabled monitoring of service use is not possible.'
+CHECK_REMEDIATION_extra714='Real-time monitoring can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Enable logging for services with defined log rotation. This logs are useful for Incident Response and forensics investigation among other use cases.'
+CHECK_DOC_extra714='https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html'
+CHECK_CAF_EPIC_extra714='Logging and Monitoring'
 extra714(){
 # "Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra715 b/checks/check_extra715
index e848e78b..2be3409b 100644
--- a/checks/check_extra715
+++ b/checks/check_extra715
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra715="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra715="AwsElasticsearchDomain"
 CHECK_ALTERNATE_check715="extra715"
 CHECK_SERVICENAME_extra715="es"
+CHECK_RISK_extra715='Amazon ES exposes four Elasticsearch logs through Amazon CloudWatch Logs: error logs; search slow logs; index slow logs; and audit logs. '
+CHECK_REMEDIATION_extra715='Enable Elasticsearch log. Create use cases for them. Using audit logs check for access denied events.'
+CHECK_DOC_extra715='https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createdomain-configure-slow-logs.html'
+CHECK_CAF_EPIC_extra715='Logging and Monitoring'
 extra715(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra716 b/checks/check_extra716
index cc6a88c3..360d32f2 100644
--- a/checks/check_extra716
+++ b/checks/check_extra716
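Review bot: CHECK_REMEDIATION_extra714 opens with CloudTrail-to-CloudWatch guidance, but the check (per the comment line in the hunk) is about CloudFront distribution access logging and the CHECK_DOC link is the CloudFront access-logs page, so the first sentence points the reader at the wrong mechanism. Lead with the CloudFront action and fix the grammar in the last sentence ('This logs' → 'These logs'), e.g. `CHECK_REMEDIATION_extra714='Enable standard logging on the distribution with an S3 bucket and a defined log retention. These logs are useful for incident response and forensic investigation among other use cases.'`.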
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra716="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra716="AwsElasticsearchDomain"
 CHECK_ALTERNATE_check716="extra716"
 CHECK_SERVICENAME_extra716="es"
+CHECK_RISK_extra716='Publicly accessible services could expose sensible data to bad actors.'
+CHECK_REMEDIATION_extra716='Use VPC endpoints for internal services.'
+CHECK_DOC_extra716='https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-vpc.html'
+CHECK_CAF_EPIC_extra716='Infrastructure Security'
 extra716(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra717 b/checks/check_extra717
index 1c7a6a22..982bb232 100644
--- a/checks/check_extra717
+++ b/checks/check_extra717
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra717="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra717="AwsElbLoadBalancer"
 CHECK_ALTERNATE_check717="extra717"
 CHECK_SERVICENAME_extra717="elb"
+CHECK_RISK_extra717='If logs are not enabled monitoring of service use and threat analysis is not possible.'
+CHECK_REMEDIATION_extra717='Enable ELB logging; create la log lifecycle and define use cases.'
+CHECK_DOC_extra717='https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html'
+CHECK_CAF_EPIC_extra717='Logging and Monitoring'
 extra717(){
 # "Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra718 b/checks/check_extra718
index 738fc59e..39f27bb1 100644
--- a/checks/check_extra718
+++ b/checks/check_extra718
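Review bot: CHECK_REMEDIATION_extra717 contains 'create la log lifecycle', a leftover of 'create a log lifecycle', in a string that is printed to users; change it to `CHECK_REMEDIATION_extra717='Enable ELB logging; create a log lifecycle and define use cases.'`. CHECK_RISK_extra717 also lacks the separator after 'enabled' that the otherwise identical extra719 and extra720 strings carry ('If logs are not enabled; monitoring ...'), so the three could share one wording.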
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra718="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra718="AwsS3Bucket"
 CHECK_ALTERNATE_check718="extra718"
 CHECK_SERVICENAME_extra718="s3"
+CHECK_RISK_extra718='Server access logs can assist you in security and access audits; help you learn about your customer base; and understand your Amazon S3 bill.'
+CHECK_REMEDIATION_extra718='Ensure that S3 buckets have Logging enabled. CloudTrail data events can be used in place of S3 bucket logging. If that is the case; this finding can be considered a false positive.'
+CHECK_DOC_extra718='https://docs.aws.amazon.com/AmazonS3/latest/dev/security-best-practices.html'
+CHECK_CAF_EPIC_extra718='Logging and Monitoring'
 extra718(){
 # "Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra719 b/checks/check_extra719
index 9578ccd6..998c6e86 100644
--- a/checks/check_extra719
+++ b/checks/check_extra719
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra719="Medium"
 CHECK_ALTERNATE_check719="extra719"
 CHECK_ASFF_RESOURCE_TYPE_extra719="AwsRoute53HostedZone"
 CHECK_SERVICENAME_extra719="route53"
+CHECK_RISK_extra719='If logs are not enabled; monitoring of service use and threat analysis is not possible.'
+CHECK_REMEDIATION_extra719='Enable CloudWatch logs and define metrics and uses cases for the events recorded.'
+CHECK_DOC_extra719='https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/monitoring-hosted-zones-with-cloudwatch.html'
+CHECK_CAF_EPIC_extra719='Logging and Monitoring'
 extra719(){
 # You can't create a query logging config for a private hosted zone.
diff --git a/checks/check_extra72 b/checks/check_extra72
index 07ff9393..b4ce5a70 100644
--- a/checks/check_extra72
+++ b/checks/check_extra72
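Review bot: CHECK_REMEDIATION_extra719 says 'define metrics and uses cases', and the context comment in the hunk notes that query logging cannot be configured for private hosted zones, which the remediation does not mention even though those zones will presumably be reported too. Change the text to `CHECK_REMEDIATION_extra719='Enable query logging to CloudWatch Logs for public hosted zones and define metrics and use cases for the events recorded.'`, adjusting if the body (outside the hunk) already skips private zones.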
@@ -19,7 +19,11 @@ CHECK_ASFF_RESOURCE_TYPE_extra72="AwsEc2Snapshot"
 CHECK_ALTERNATE_extra702="extra72"
 CHECK_ALTERNATE_check72="extra72"
 CHECK_ALTERNATE_check702="extra72"
-CHECK_SERVICENAME_check72="ec2"
+CHECK_SERVICENAME_extra72="ec2"
+CHECK_RISK_extra72='When you share a snapshot; you are giving others access to all of the data on the snapshot. Share snapshots only with people with whom you want to share all of your snapshot data.'
+CHECK_REMEDIATION_extra72='Ensure the snapshot should be shared.'
+CHECK_DOC_extra72='https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html'
+CHECK_CAF_EPIC_extra72='Data Protection'
 extra72(){
 # "Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra720 b/checks/check_extra720
index f36ab448..396f59b2 100644
--- a/checks/check_extra720
+++ b/checks/check_extra720
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra720="Low"
 CHECK_ASFF_RESOURCE_TYPE_extra720="AwsLambdaFunction"
 CHECK_ALTERNATE_check720="extra720"
 CHECK_SERVICENAME_extra720="lambda"
+CHECK_RISK_extra720='If logs are not enabled; monitoring of service use and threat analysis is not possible.'
+CHECK_REMEDIATION_extra720='Make sure you are logging information about Lambda operations. Create a lifecycle and use cases for each trail.'
+CHECK_DOC_extra720='https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html'
+CHECK_CAF_EPIC_extra720='Logging and Monitoring'
 extra720(){
 # "Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra721 b/checks/check_extra721
index 5e2b6f89..d8c03776 100644
--- a/checks/check_extra721
+++ b/checks/check_extra721
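Review bot: CHECK_REMEDIATION_extra72 ('Ensure the snapshot should be shared.') is ambiguous for a check whose purpose, per the comment line in the hunk, is to find EBS snapshots set as public: it reads as an instruction to share. State the action instead, e.g. `CHECK_REMEDIATION_extra72='Remove public permissions from the snapshot and share it only with the specific account IDs that need it.'`. extra72's body continues outside the hunk.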
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra721="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra721="AwsRedshiftCluster"
 CHECK_ALTERNATE_check721="extra721"
 CHECK_SERVICENAME_extra721="redshift"
+CHECK_RISK_extra721='If logs are not enabled; monitoring of service use and threat analysis is not possible.'
+CHECK_REMEDIATION_extra721='Enable logs. Create an S3 lifecycle policy. Define use cases; metrics and automated responses where applicable.'
+CHECK_DOC_extra721='https://docs.aws.amazon.com/redshift/latest/mgmt/db-auditing.html'
+CHECK_CAF_EPIC_extra721='Logging and Monitoring'
 extra721(){
 # "Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra722 b/checks/check_extra722
index e9ff44c8..30146620 100644
--- a/checks/check_extra722
+++ b/checks/check_extra722
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra722="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra722="AwsApiGatewayRestApi"
 CHECK_ALTERNATE_check722="extra722"
 CHECK_SERVICENAME_extra722="apigateway"
+CHECK_RISK_extra722='If not enabled; monitoring of service use is not possible. Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.'
+CHECK_REMEDIATION_extra722='Monitoring is an important part of maintaining the reliability; availability; and performance of API Gateway and your AWS solutions. You should collect monitoring data from all of the parts of your AWS solution. CloudTrail provides a record of actions taken by a user; role; or an AWS service in API Gateway. Using the information collected by CloudTrail; you can determine the request that was made to API Gateway; the IP address from which the request was made; who made the request; etc.'
+CHECK_DOC_extra722='https://docs.aws.amazon.com/apigateway/latest/developerguide/security-monitoring.html'
+CHECK_CAF_EPIC_extra722='Logging and Monitoring'
 extra722(){
 # "Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra723 b/checks/check_extra723
index 6051282b..187f50ce 100644
--- a/checks/check_extra723
+++ b/checks/check_extra723
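Review bot: CHECK_REMEDIATION_extra722 is a four-sentence explanation of why monitoring matters, copied in the style of the documentation, and contains no action the operator can take; the one concrete step the finding calls for (per the comment line in the hunk, enabling logging on the API Gateway stage) is absent. Replace it with the action and leave the rationale to CHECK_RISK, e.g. `CHECK_REMEDIATION_extra722='Enable execution and access logging on each API stage; send it to CloudWatch Logs and define metric filters and alarms for it.'`. extra722's body continues outside the hunk.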
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra723="Critical" CHECK_ASFF_RESOURCE_TYPE_extra723="AwsRdsDbSnapshot" CHECK_ALTERNATE_check723="extra723" CHECK_SERVICENAME_extra723="rds" +CHECK_RISK_extra723='Publicly accessible services could expose sensible data to bad actors. t is recommended that your RDS snapshots should not be public in order to prevent potential leak or misuse of sensitive data or any other kind of security threat. If your RDS snapshot is public; then the data which is backed up in that snapshot is accessible to all other AWS accounts.' +CHECK_REMEDIATION_extra723='Use AWS Config to identify any sanpshot that is public.' +CHECK_DOC_extra723='https://docs.aws.amazon.com/config/latest/developerguide/rds-snapshots-public-prohibited.html' +CHECK_CAF_EPIC_extra723='Data Protection' extra723(){ # "Check if RDS Snapshots are public (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra724 b/checks/check_extra724 index ac0c501a..69356973 100644 --- a/checks/check_extra724 +++ b/checks/check_extra724 @@ -18,6 +18,10 @@ CHECK_SEVERITY_extra724="Medium" CHECK_ASFF_RESOURCE_TYPE_extra724="AwsCertificateManagerCertificate" CHECK_ALTERNATE_check724="extra724" CHECK_SERVICENAME_extra724="acm" +CHECK_RISK_extra724='Domain owners can search the log to identify unexpected certificates; whether issued by mistake or malice. Domain owners can also identify Certificate Authorities (CAs) that are improperly issuing certificates.' +CHECK_REMEDIATION_extra724='Make sure you are logging information about Lambda operations. Create a lifecycle and use cases for each trail.' +CHECK_DOC_extra724='https://aws.amazon.com/blogs/security/how-to-get-ready-for-certificate-transparency/' +CHECK_CAF_EPIC_extra724='Logging and Monitoring' extra724(){ # "Check if ACM certificates have Certificate Transparency logging enabled (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra725 b/checks/check_extra725 index d12fd367..614feff0 100644 
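Review bot: `CHECK_RISK_extra723` has `t is recommended` with the leading `I` missing, and `CHECK_REMEDIATION_extra723` spells `sanpshot`; both strings end up verbatim in reports. `sensible` in the same line is a false friend for `sensitive` (the Spanish sense does not carry into English), and the same word recurs in extra727, extra728, extra731, extra735, extra738 and extra756. The remediation only finds public snapshots; it should also say what to do with them, e.g. `'Use AWS Config to identify any snapshot that is public and modify its attributes so it is no longer shared publicly.'`.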
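Review bot: `CHECK_REMEDIATION_extra724` tells the reader to log Lambda operations and create trails, which has nothing to do with this check (per the comment line, Certificate Transparency logging on ACM certificates) and looks pasted from another file; `'Enable Certificate Transparency logging in the certificate options of every ACM certificate so issued certificates appear in public CT logs.'` matches the finding. `CHECK_RISK_extra724` also states the benefit of CT logging rather than the risk of leaving it disabled; the same benefit-instead-of-risk wording appears in extra726, extra734 and extra75. The check function opens at the end of the hunk and its body is outside it.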
--- a/checks/check_extra725 +++ b/checks/check_extra725 @@ -19,7 +19,10 @@ CHECK_SEVERITY_extra725="Medium" CHECK_ASFF_RESOURCE_TYPE_extra725="AwsS3Bucket" CHECK_ALTERNATE_check725="extra725" CHECK_SERVICENAME_extra725="s3" - +CHECK_RISK_extra725='If logs are not enabled; monitoring of service use and threat analysis is not possible.' +CHECK_REMEDIATION_extra725='Enable logs. Create an S3 lifecycle policy. Define use cases; metrics and automated responses where applicable.' +CHECK_DOC_extra725='https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html' +CHECK_CAF_EPIC_extra725='Logging and Monitoring' # per Object-level logging is not configured at Bucket level but at CloudTrail trail level extra725(){ diff --git a/checks/check_extra726 b/checks/check_extra726 index f4762623..341833e1 100644 --- a/checks/check_extra726 +++ b/checks/check_extra726 @@ -18,6 +18,10 @@ CHECK_TYPE_extra726="EXTRA" CHECK_SEVERITY_extra726="Medium" CHECK_ALTERNATE_check726="extra726" CHECK_SERVICENAME_extra726="trustedadvisor" +CHECK_RISK_extra726='Improve the security of your application by closing gaps; enabling various AWS security features; and examining your permissions.' +CHECK_REMEDIATION_extra726='Review and act upon its recommendations.' +CHECK_DOC_extra726='https://aws.amazon.com/premiumsupport/technology/trusted-advisor/best-practice-checklist/' +CHECK_CAF_EPIC_extra726='IAM' extra726(){ trap "exit" INT diff --git a/checks/check_extra727 b/checks/check_extra727 index d618b0bd..400e78d8 100644 --- a/checks/check_extra727 +++ b/checks/check_extra727 
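Review bot: `CHECK_REMEDIATION_extra725` reuses the Redshift text verbatim (`Enable logs. Create an S3 lifecycle policy.`), but the comment kept in this hunk states that object-level logging `is not configured at Bucket level but at CloudTrail trail level`, so the action here is different: `'Enable S3 data events (object-level logging) for the bucket on a CloudTrail trail and review the resulting logs.'`. The hunk also removes the blank line between the variable block and that comment (the `-` line followed by the `+` lines), which the other hunks in the commit do not do; keeping it preserves the layout shared by the check files.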
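Review bot: `CHECK_REMEDIATION_extra726='Review and act upon its recommendations.'` has no referent for `its` once the string is shown on its own in a report row; `'Review the Trusted Advisor security checks and act upon their recommendations.'` stands alone. The check function opens at the end of the hunk and its body is outside it.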
@@ -19,6 +19,10 @@ CHECK_SEVERITY_extra727="Critical" CHECK_ASFF_RESOURCE_TYPE_extra727="AwsSqsQueue" CHECK_ALTERNATE_check727="extra727" CHECK_SERVICENAME_extra727="sqs" +CHECK_RISK_extra727='Sensible information could be disclosed.' +CHECK_REMEDIATION_extra727='Review service with overly permissive policies. Adhere to Principle of Least Privilege.' +CHECK_DOC_extra727='https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-basic-examples-of-sqs-policies.html' +CHECK_CAF_EPIC_extra727='Infrastructure Security' extra727(){ for regx in $REGIONS; do diff --git a/checks/check_extra728 b/checks/check_extra728 index bde576a1..60758fd1 100644 --- a/checks/check_extra728 +++ b/checks/check_extra728 @@ -20,6 +20,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra728="AwsSqsQueue" CHECK_ALTERNATE_check728="extra728" CHECK_ASFF_COMPLIANCE_TYPE_extra728="ens-mp.info.3.sns.1" CHECK_SERVICENAME_extra728="sqs" +CHECK_RISK_extra728='If not enabled sensible information in transit is not protected.' +CHECK_REMEDIATION_extra728='Enable Encryption. Use a CMK where possible. It will provide additional management and privacy benefits.' +CHECK_DOC_extra728='https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-sse-existing-queue.html' +CHECK_CAF_EPIC_extra728='Data Protection' extra728(){ for regx in $REGIONS; do diff --git a/checks/check_extra729 b/checks/check_extra729 index 58bf6e40..21feea47 100644 --- a/checks/check_extra729 +++ b/checks/check_extra729 
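Review bot: `CHECK_RISK_extra728` says `information in transit is not protected`, but SQS server-side encryption, the feature the `CHECK_DOC_extra728` link (`sqs-configure-sse-existing-queue`) describes, protects messages at rest in the queue; transport protection is a separate matter (TLS to the API endpoint). `CHECK_RISK_extra728='If not enabled; sensitive information at rest is not protected.'` states the actual risk and matches the wording extra735 uses for RDS. The check function opens at the end of the hunk and its body is outside it.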
@@ -20,7 +20,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra729="AwsEc2Volume" CHECK_ALTERNATE_check729="extra729" CHECK_ASFF_COMPLIANCE_TYPE_extra729="ens-mp.info.3.aws.ebs.1" CHECK_SERVICENAME_extra729="ec2" - +CHECK_RISK_extra729='Data encryption at rest prevents data visibility in the event of its unauthorized access or theft.' +CHECK_REMEDIATION_extra729='Encrypt al EBS volumes and Enable Encryption by default You can configure your AWS account to enforce the encryption of the new EBS volumes and snapshot copies that you create. For example; Amazon EBS encrypts the EBS volumes created when you launch an instance and the snapshots that you copy from an unencrypted snapshot.' +CHECK_DOC_extra729='https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html' +CHECK_CAF_EPIC_extra729='Data Protection' extra729(){ # "Ensure there are no EBS Volumes unencrypted (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra73 b/checks/check_extra73 index b8c81961..0340096b 100644 --- a/checks/check_extra73 +++ b/checks/check_extra73 
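Review bot: `CHECK_REMEDIATION_extra729` has `Encrypt al EBS volumes` for `all` and runs two sentences together (`Enable Encryption by default You can configure`); extra740 carries the same `Encrypt al EBS Snapshot` typo. `'Encrypt all EBS volumes and enable encryption by default. You can configure your AWS account ...'` fixes both. This hunk also removes the blank line before `extra729(){`, unlike the other hunks in the commit.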
@@ -21,6 +21,10 @@ CHECK_ALTERNATE_extra703="extra73" CHECK_ALTERNATE_check73="extra73" CHECK_ALTERNATE_check703="extra73" CHECK_SERVICENAME_extra73="s3" +CHECK_RISK_extra73='Even if you enable all possible bucket ACL options available in the Amazon S3 console the ACL alone does not allow everyone to download objects from your bucket. Depending on which option you select any user could perform some actions.' +CHECK_REMEDIATION_extra73='You can enable block public access settings only for access points; buckets; and AWS accounts. Amazon S3 does not support block public access settings on a per-object basis. When you apply block public access settings to an account; the settings apply to all AWS Regions globally. The settings might not take effect in all Regions immediately or simultaneously; but they eventually propagate to all Regions.' +CHECK_DOC_extra73='https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html' +CHECK_CAF_EPIC_extra73='Data Protection' # Verified with AWS support that if get-bucket-acl doesn't return a grant # for All and get-bucket-policy-status returns IsPublic false or bad request diff --git a/checks/check_extra730 b/checks/check_extra730 index 1b3ed3fe..100cb37d 100644 --- a/checks/check_extra730 +++ b/checks/check_extra730 
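Review bot: `CHECK_RISK_extra73` reads as reassurance (`the ACL alone does not allow everyone to download objects`) rather than a risk, and `CHECK_REMEDIATION_extra73` explains how Block Public Access settings propagate rather than telling the reader what to do, so a report consumer gets neither the consequence of a public bucket nor the fix. Suggested: `CHECK_RISK_extra73='A bucket with public ACL grants or a public bucket policy can expose its objects to anonymous users.'` and `CHECK_REMEDIATION_extra73='Enable S3 Block Public Access at account and bucket level and remove public grants from bucket ACLs and policies.'`. The `# Verified with AWS support` comment that follows continues outside the hunk.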
@@ -21,6 +21,10 @@ CHECK_SEVERITY_extra730="High" CHECK_ASFF_RESOURCE_TYPE_extra730="AwsCertificateManagerCertificate" CHECK_ALTERNATE_check730="extra730" CHECK_SERVICENAME_extra730="acm" +CHECK_RISK_extra730='Expired certificates can impact service availability.' +CHECK_REMEDIATION_extra730='Monitor certificate expiration and take automated action to renew; replace or remove. Having shorter TTL for any security artifact is a general recommendation; but requires additional automation in place. If not longer required delete certificate. Use AWS config using the managed rule: acm-certificate-expiration-check.' +CHECK_DOC_extra730='https://docs.aws.amazon.com/config/latest/developerguide/acm-certificate-expiration-check.html' +CHECK_CAF_EPIC_extra730='Data Protection' extra730(){ # "Check if ACM Certificates are about to expire in $DAYS_TO_EXPIRE_THRESHOLD days or less" diff --git a/checks/check_extra731 b/checks/check_extra731 index 0519c3f6..5bf1743b 100644 --- a/checks/check_extra731 +++ b/checks/check_extra731 @@ -19,6 +19,10 @@ CHECK_SEVERITY_extra731="Critical" CHECK_ASFF_RESOURCE_TYPE_extra731="AwsSnsTopic" CHECK_ALTERNATE_check731="extra731" CHECK_SERVICENAME_extra731="sns" +CHECK_RISK_extra731='Publicly accessible services could expose sensible data to bad actors.' +CHECK_REMEDIATION_extra731='Ensure there is a business requirement for service to be public.' +CHECK_DOC_extra731='https://docs.aws.amazon.com/config/latest/developerguide/sns-topic-policy.html' +CHECK_CAF_EPIC_extra731='Infrastructure Security' extra731(){ for regx in $REGIONS; do diff --git a/checks/check_extra732 b/checks/check_extra732 index 0e38ee9d..2f355c13 100644 --- a/checks/check_extra732 +++ b/checks/check_extra732 
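Review bot: `CHECK_REMEDIATION_extra730` contains `If not longer required delete certificate.`, which should read `If no longer required; delete the certificate.`, and `Use AWS config` should be `AWS Config` to match the service name in the `CHECK_DOC_extra730` link. `CHECK_CAF_EPIC_extra730='Data Protection'` also sits oddly next to a risk stated purely as availability (`Expired certificates can impact service availability.`); either the epic or the risk text should acknowledge that an expired certificate is also a TLS trust failure for clients.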
@@ -19,6 +19,10 @@ CHECK_SEVERITY_extra732="Low" CHECK_ASFF_RESOURCE_TYPE_extra732="AwsCloudFrontDistribution" CHECK_ALTERNATE_check732="extra732" CHECK_SERVICENAME_extra732="cloudfront" +CHECK_RISK_extra732='Consider countries where service should not be accessed; by legal or compliance requirements. Additionally if not restricted the attack vector is increased.' +CHECK_REMEDIATION_extra732='If possible; define and enable Geo restrictions for this service.' +CHECK_DOC_extra732='https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/georestrictions.html' +CHECK_CAF_EPIC_extra732='Infrastructure Security' extra732(){ LIST_DISTRIBUTIONS=$($AWSCLI cloudfront list-distributions $PROFILE_OPT --query 'DistributionList.Items[*].Id' --output text |grep -v ^None) diff --git a/checks/check_extra733 b/checks/check_extra733 index 40de63d6..3fa7e785 100644 --- a/checks/check_extra733 +++ b/checks/check_extra733 
@@ -19,6 +19,10 @@ CHECK_SEVERITY_extra733="Low" CHECK_ALTERNATE_check733="extra733" CHECK_ASFF_COMPLIANCE_TYPE_extra733="ens-op.acc.1.aws.iam.1" CHECK_SERVICENAME_extra733="iam" +CHECK_RISK_extra733='Without SAML provider users with AWS CLI or AWS API access can use IAM static credentials. SAML helps users to assume role by default each time they authenticate.' +CHECK_REMEDIATION_extra733='Enable SAML provider and use temporary credentials. You can use temporary security credentials to make programmatic requests for AWS resources using the AWS CLI or AWS API (using the AWS SDKs ). The temporary credentials provide the same permissions that you have with use long-term security credentials such as IAM user credentials. In case of not having SAML provider capabilities prevent usage of long-lived credentials.' +CHECK_DOC_extra733='https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html' +CHECK_CAF_EPIC_extra733='IAM' extra733(){ LIST_SAML_PROV=$($AWSCLI iam list-saml-providers $PROFILE_OPT --query 'SAMLProviderList[*].Arn' --output text |grep -v ^None) diff --git a/checks/check_extra734 b/checks/check_extra734 index a4cc58c5..3d66582e 100644 --- a/checks/check_extra734 +++ b/checks/check_extra734 @@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra734="AwsS3Bucket" CHECK_ALTERNATE_check734="extra734" CHECK_ASFF_COMPLIANCE_TYPE_extra734="ens-mp.info.3.s3.1" CHECK_SERVICENAME_extra734="s3" +CHECK_RISK_extra734='Amazon S3 default encryption provides a way to set the default encryption behavior for an S3 bucket. This will ensure data-at-rest is encrypted.' +CHECK_REMEDIATION_extra734='Ensure that S3 buckets has encryption at rest enabled.' +CHECK_DOC_extra734='https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html' +CHECK_CAF_EPIC_extra734='Data Protection' extra734(){ LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --region $REGION --query Buckets[*].Name --output text|xargs -n1) 
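Review bot: `CHECK_REMEDIATION_extra733` has `the same permissions that you have with use long-term security credentials` (drop `with use` or write `when using`), and the second sentence of `CHECK_RISK_extra733` (`SAML helps users to assume role by default each time they authenticate`) is hard to parse. `'Without a SAML provider; users with AWS CLI or API access rely on long-lived IAM static credentials instead of short-lived role credentials obtained at each authentication.'` says what the finding means. The check function opens at the end of the hunk and its body is outside it.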
diff --git a/checks/check_extra735 b/checks/check_extra735 index 409e08a4..0b789f5e 100644 --- a/checks/check_extra735 +++ b/checks/check_extra735 @@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra735="AwsRdsDbInstance" CHECK_ALTERNATE_check735="extra735" CHECK_ASFF_COMPLIANCE_TYPE_extra735="ens-mp.info.3.aws.rds.1" CHECK_SERVICENAME_extra735="rds" +CHECK_RISK_extra735='If not enabled sensible information at rest is not protected.' +CHECK_REMEDIATION_extra735='Enable Encryption. Use a CMK where possible. It will provide additional management and privacy benefits.' +CHECK_DOC_extra735='https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html' +CHECK_CAF_EPIC_extra735='Data Protection' extra735(){ textInfo "Looking for RDS Volumes in all regions... " diff --git a/checks/check_extra736 b/checks/check_extra736 index 291d971d..f9266d65 100644 --- a/checks/check_extra736 +++ b/checks/check_extra736 @@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra736="AwsKmsKey" CHECK_ALTERNATE_check736="extra736" CHECK_ASFF_COMPLIANCE_TYPE_extra736="ens-op.exp.11.aws.kms.2" CHECK_SERVICENAME_extra736="kms" +CHECK_RISK_extra736='Exposed KMS Keys or wide policy permissions my leave data unprotected.' +CHECK_REMEDIATION_extra736='To determine the full extent of who or what currently has access to a customer master key (CMK) in AWS KMS; you must examine the CMK key policy; all grants that apply to the CMK; and potentially all AWS Identity and Access Management (IAM) policies. You might do this to determine the scope of potential usage of a CMK.' +CHECK_DOC_extra736='https://docs.aws.amazon.com/kms/latest/developerguide/determining-access.html' +CHECK_CAF_EPIC_extra736='Data Protection' extra736(){ textInfo "Looking for KMS keys in all regions... " diff --git a/checks/check_extra737 b/checks/check_extra737 index 1dc12679..dc159378 100644 --- a/checks/check_extra737 +++ b/checks/check_extra737 
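Review bot: `CHECK_RISK_extra736` has `my leave data unprotected` for `may leave`. The remediation accurately describes how to determine who has access to a key but stops short of the action; appending `Remove any key policy statements; grants or IAM policies that are broader than required.` makes it actionable. The check function opens at the end of the hunk and its body is outside it.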
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra737="AwsKmsKey" CHECK_ALTERNATE_check737="extra737" CHECK_ASFF_COMPLIANCE_TYPE_extra737="ens-op.exp.11.aws.kms.3" CHECK_SERVICENAME_extra737="kms" +CHECK_RISK_extra737='Cryptographic best practices discourage extensive reuse of encryption keys. Consequently; Customer Master Keys (CMKs) should be rotated to prevent usage of compromised keys.' +CHECK_REMEDIATION_extra737='For every KMS Customer Master Keys (CMKs); ensure that Rotate this key every year is enabled.' +CHECK_DOC_extra737='https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html' +CHECK_CAF_EPIC_extra737='Data Protection' extra737(){ textInfo "Looking for KMS keys in all regions... " diff --git a/checks/check_extra738 b/checks/check_extra738 index 566b715e..1ea1c457 100644 --- a/checks/check_extra738 +++ b/checks/check_extra738 @@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra738="AwsCloudFrontDistribution" CHECK_ALTERNATE_check738="extra738" CHECK_ASFF_COMPLIANCE_TYPE_extra738="ens-mp.com.2.aws.front.1" CHECK_SERVICENAME_extra738="cloudfront" +CHECK_RISK_extra738='If not enabled sensible information in transit is not protected. Surveillance and other threats are risks may exists.' +CHECK_REMEDIATION_extra738='Use HTTPS everywhere possible. It will enforce privacy and protect against account hijacking and other threats.' +CHECK_DOC_extra738='https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https.html' +CHECK_CAF_EPIC_extra738='Data Protection' extra738(){ LIST_OF_DISTRIBUTIONS=$($AWSCLI cloudfront list-distributions --query 'DistributionList.Items[*].Id' $PROFILE_OPT --output text|grep -v ^None) diff --git a/checks/check_extra739 b/checks/check_extra739 index c0aec8b3..e36f4ab1 100644 --- a/checks/check_extra739 +++ b/checks/check_extra739 
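Review bot: `CHECK_RISK_extra738` ends with `Surveillance and other threats are risks may exists.`, which is ungrammatical in a user-facing string; `'If not enabled; sensitive information in transit is not protected and is exposed to interception and tampering.'` covers the same ground. The check function opens at the end of the hunk and its body is outside it.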
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra739="Medium" CHECK_ASFF_RESOURCE_TYPE_extra739="AwsRdsDbInstance" CHECK_ALTERNATE_check739="extra739" CHECK_SERVICENAME_extra739="rds" +CHECK_RISK_extra739='If backup is not enabled; data is vulnerable. Human error or bad actors could erase or modify data.' +CHECK_REMEDIATION_extra739='Enable automated backup for production data. Define a retention period and periodically test backup restoration. A Disaster Recovery process should be in place to govern Data Protection approach.' +CHECK_DOC_extra739='https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html' +CHECK_CAF_EPIC_extra739='Data Protection' extra739(){ for regx in $REGIONS; do diff --git a/checks/check_extra74 b/checks/check_extra74 index 5061bb4d..6ffa01d8 100644 --- a/checks/check_extra74 +++ b/checks/check_extra74 @@ -21,6 +21,10 @@ CHECK_ALTERNATE_check74="extra74" CHECK_ALTERNATE_check704="extra74" CHECK_ASFF_COMPLIANCE_TYPE_extra74="ens-mp.com.4.aws.sg.2" CHECK_SERVICENAME_extra74="ec2" +CHECK_RISK_extra74='If Security groups are not filtering traffic appropriately the attack surface is increased.' +CHECK_REMEDIATION_extra74=' You can grant access to a specific CIDR range; or to another security group in your VPC or in a peer VPC.' +CHECK_DOC_extra74='https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html' +CHECK_CAF_EPIC_extra74='Infrastructure Security' extra74(){ # "Ensure there are no Security Groups without ingress filtering being used (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra740 b/checks/check_extra740 index c1c8fe22..37f81434 100644 --- a/checks/check_extra740 +++ b/checks/check_extra740 
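Review bot: `CHECK_REMEDIATION_extra74` starts with a space inside the quotes (`=' You can grant`), which is carried into every report row; the same stray whitespace appears as a trailing space inside the quotes in extra741, extra742, extra748 through extra755, extra759 and extra76. The text is also a general statement rather than an action for the finding (security groups without ingress filtering, per the comment line): `'Restrict ingress rules to the specific CIDR ranges or security groups that need access and remove rules that accept traffic from any source.'`. The check function opens at the end of the hunk and its body is outside it.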
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra740="AwsEc2Snapshot" CHECK_ALTERNATE_check740="extra740" CHECK_ASFF_COMPLIANCE_TYPE_extra740="ens-mp.info.3.aws.ebs.3" CHECK_SERVICENAME_extra740="ec2" +CHECK_RISK_extra740='Data encryption at rest prevents data visibility in the event of its unauthorized access or theft.' +CHECK_REMEDIATION_extra740='Encrypt al EBS Snapshot and Enable Encryption by default. You can configure your AWS account to enforce the encryption of the new EBS volumes and snapshot copies that you create. For example; Amazon EBS encrypts the EBS volumes created when you launch an instance and the snapshots that you copy from an unencrypted snapshot.' +CHECK_DOC_extra740='https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default' +CHECK_CAF_EPIC_extra740='Data Protection' extra740(){ textInfo "Examining EBS Volume Snapshots ..." diff --git a/checks/check_extra741 b/checks/check_extra741 index d0501ce9..023e4f00 100644 --- a/checks/check_extra741 +++ b/checks/check_extra741 @@ -18,6 +18,10 @@ CHECK_SEVERITY_extra741="Critical" CHECK_ASFF_RESOURCE_TYPE_extra741="AwsEc2Instance" CHECK_ALTERNATE_check741="extra741" CHECK_SERVICENAME_extra741="ec2" +CHECK_RISK_extra741='Secrets hardcoded into instance user data can be used by malware and bad actors to gain lateral access to other services.' +CHECK_REMEDIATION_extra741='Implement automated detective control (e.g. using tools like Prowler ) to scan accounts for passwords and secrets. Use secrets manager service to store and retrieve passwords and secrets. ' +CHECK_DOC_extra741='https://docs.aws.amazon.com/secretsmanager/latest/userguide/tutorials_basic.html' +CHECK_CAF_EPIC_extra741='IAM' extra741(){ SECRETS_TEMP_FOLDER="$PROWLER_DIR/secrets-$ACCOUNT_NUM" diff --git a/checks/check_extra742 b/checks/check_extra742 index 957ef0c2..d6083ef0 100644 --- a/checks/check_extra742 +++ b/checks/check_extra742 
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra742="Critical" CHECK_ASFF_RESOURCE_TYPE_extra742="AwsCloudFormationStack" CHECK_ALTERNATE_check742="extra742" CHECK_SERVICENAME_extra742="cloudformation" +CHECK_RISK_extra742='Secrets hardcoded into CloudFormation outputs can be used by malware and bad actors to gain lateral access to other services.' +CHECK_REMEDIATION_extra742='Implement automated detective control (e.g. using tools like Prowler ) to scan accounts for passwords and secrets. Use secrets manager service to store and retrieve passwords and secrets. ' +CHECK_DOC_extra742='https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-generatesecretstring.html' +CHECK_CAF_EPIC_extra742='IAM' extra742(){ SECRETS_TEMP_FOLDER="$PROWLER_DIR/secrets-$ACCOUNT_NUM" diff --git a/checks/check_extra743 b/checks/check_extra743 index 38c80447..e7e21965 100644 --- a/checks/check_extra743 +++ b/checks/check_extra743 @@ -18,6 +18,10 @@ CHECK_SEVERITY_extra743="Medium" CHECK_ASFF_RESOURCE_TYPE_extra743="AwsApiGatewayRestApi" CHECK_ALTERNATE_check743="extra743" CHECK_SERVICENAME_extra743="apigateway" +CHECK_RISK_extra743='Possible man in the middle attacks and other similar risks.' +CHECK_REMEDIATION_extra743='Enable client certificate. Mutual TLS is recommended and commonly used for business-to-business (B2B) applications. It’s used in standards such as Open Banking. API Gateway now provides integrated mutual TLS authentication at no additional cost.' +CHECK_DOC_extra743='https://aws.amazon.com/blogs/compute/introducing-mutual-tls-authentication-for-amazon-api-gateway/' +CHECK_CAF_EPIC_extra743='Data Protection' extra743(){ for regx in $REGIONS; do diff --git a/checks/check_extra744 b/checks/check_extra744 index 2c495108..36ed0705 100644 --- a/checks/check_extra744 +++ b/checks/check_extra744 
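Review bot: `CHECK_REMEDIATION_extra743` uses a non-ASCII apostrophe in `It’s`, the only such character in these strings; `It's` keeps the file plain ASCII. The remediation also mixes two features: a stage client certificate is what API Gateway presents to the backend integration so the backend can verify requests came through the gateway, whereas mutual TLS (the `CHECK_DOC_extra743` link) authenticates API clients at a custom domain. If the function body, which is outside the hunk, checks the stage's client certificate, `CHECK_RISK_extra743` should describe a backend that accepts requests bypassing API Gateway, and the mutual TLS sentences should be dropped or marked as a separate control.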
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra744="AwsApiGatewayRestApi" CHECK_ALTERNATE_check744="extra744" CHECK_ASFF_COMPLIANCE_TYPE_extra744="ens-mp.s.2.aws.waf.2" CHECK_SERVICENAME_extra744="apigateway" +CHECK_RISK_extra744='Potential attacks and / or abuse of service; more even for even for internet reachable services.' +CHECK_REMEDIATION_extra744='Use AWS WAF to protect your API Gateway API from common web exploits; such as SQL injection and cross-site scripting (XSS) attacks. These could affect API availability and performance; compromise security; or consume excessive resources.' +CHECK_DOC_extra744='https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-aws-waf.html' +CHECK_CAF_EPIC_extra744='Infrastructure Security' extra744(){ for regx in $REGIONS; do diff --git a/checks/check_extra745 b/checks/check_extra745 index 2148dcaf..0b507d7b 100644 --- a/checks/check_extra745 +++ b/checks/check_extra745 @@ -18,6 +18,10 @@ CHECK_SEVERITY_extra745="Medium" CHECK_ASFF_RESOURCE_TYPE_extra745="AwsApiGatewayRestApi" CHECK_ALTERNATE_check745="extra745" CHECK_SERVICENAME_extra745="apigateway" +CHECK_RISK_extra745='If accessible from internet without restrictions opens up attack / abuse surface for any malicious user.' +CHECK_REMEDIATION_extra745='Verify that any public Api Gateway is protected and audited. Detective controls for common risks should be implemented.' +CHECK_DOC_extra745='https://d1.awsstatic.com/whitepapers/api-gateway-security.pdf?svrd_sip6' +CHECK_CAF_EPIC_extra745='Infrastructure Security' extra745(){ for regx in $REGIONS; do diff --git a/checks/check_extra746 b/checks/check_extra746 index 0599d2e8..82f82d53 100644 --- a/checks/check_extra746 +++ b/checks/check_extra746 
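Review bot: `CHECK_RISK_extra744` contains the duplicated fragment `more even for even for internet reachable services`; `'Potential attacks and/or abuse of the service; especially for internet-reachable APIs.'` says it once. The check function opens at the end of the hunk and its body is outside it.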
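Review bot: `CHECK_DOC_extra745` carries a tracking query string (`?svrd_sip6`) that adds nothing to the whitepaper link and can be dropped, and `Api Gateway` in `CHECK_REMEDIATION_extra745` should be `API Gateway` as in the other strings. The check function opens at the end of the hunk and its body is outside it.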
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra746="Medium" CHECK_ASFF_RESOURCE_TYPE_extra746="AwsApiGatewayRestApi" CHECK_ALTERNATE_check746="extra746" CHECK_SERVICENAME_extra746="apigateway" +CHECK_RISK_extra746='If no authorizer is enabled anyone can use the service.' +CHECK_REMEDIATION_extra746='Implement Amazon Cognito or a Lambda function to control access to your API.' +CHECK_DOC_extra746='https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html' +CHECK_CAF_EPIC_extra746='IAM' extra746(){ for regx in $REGIONS; do diff --git a/checks/check_extra747 b/checks/check_extra747 index 9e16b1fb..ae8c0a72 100644 --- a/checks/check_extra747 +++ b/checks/check_extra747 @@ -18,6 +18,10 @@ CHECK_SEVERITY_extra747="Medium" CHECK_ASFF_RESOURCE_TYPE_extra747="AwsRdsDbInstance" CHECK_ALTERNATE_check747="extra747" CHECK_SERVICENAME_extra747="rds" +CHECK_RISK_extra747='If logs are not enabled; monitoring of service use and threat analysis is not possible.' +CHECK_REMEDIATION_extra747='Use CloudWatch Logs to perform real-time analysis of the log data. Create alarms and view metrics.' +CHECK_DOC_extra747='https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/publishing_cloudwatchlogs.html' +CHECK_CAF_EPIC_extra747='Logging and Monitoring' extra747(){ for regx in $REGIONS; do diff --git a/checks/check_extra748 b/checks/check_extra748 index 3dc303ce..245b40b4 100644 --- a/checks/check_extra748 +++ b/checks/check_extra748 
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra748="High" CHECK_ASFF_RESOURCE_TYPE_extra748="AwsEc2SecurityGroup" CHECK_ALTERNATE_check748="extra748" CHECK_SERVICENAME_extra748="ec2" +CHECK_RISK_extra748='If Security groups are not properly configured the attack surface is increased. ' +CHECK_REMEDIATION_extra748='Use a Zero Trust approach. Narrow ingress traffic as much as possible. Consider north-south as well as east-west traffic.' +CHECK_DOC_extra748='https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html' +CHECK_CAF_EPIC_extra748='Infrastructure Security' extra748(){ for regx in $REGIONS; do diff --git a/checks/check_extra749 b/checks/check_extra749 index 922e9c3d..4acf5f35 100644 --- a/checks/check_extra749 +++ b/checks/check_extra749 @@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra749="AwsEc2SecurityGroup" CHECK_ALTERNATE_check749="extra749" CHECK_ASFF_COMPLIANCE_TYPE_extra749="ens-mp.com.4.aws.sg.6" CHECK_SERVICENAME_extra749="ec2" +CHECK_RISK_extra749='If Security groups are not properly configured the attack surface is increased. ' +CHECK_REMEDIATION_extra749='Use a Zero Trust approach. Narrow ingress traffic as much as possible. Consider north-south as well as east-west traffic.' +CHECK_DOC_extra749='https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html' +CHECK_CAF_EPIC_extra749='Infrastructure Security' extra749(){ for regx in $REGIONS; do diff --git a/checks/check_extra75 b/checks/check_extra75 index a28cd3a3..f6e97ccb 100644 --- a/checks/check_extra75 +++ b/checks/check_extra75 
@@ -21,6 +21,10 @@ CHECK_ALTERNATE_check75="extra75" CHECK_ALTERNATE_check705="extra75" CHECK_ASFF_COMPLIANCE_TYPE_extra75="ens-mp.com.4.aws.sg.3" CHECK_SERVICENAME_extra75="ec2" +CHECK_RISK_extra75='Having clear definition and scope for Security Groups creates a better administration environment.' +CHECK_REMEDIATION_extra75='List all the security groups and then use the cli to check if they are attached to an instance.' +CHECK_DOC_extra75='https://aws.amazon.com/premiumsupport/knowledge-center/ec2-find-security-group-resources/' +CHECK_CAF_EPIC_extra75='Infrastructure Security' extra75(){ # "Ensure there are no Security Groups not being used (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra750 b/checks/check_extra750 index 061acde1..54b09ac1 100644 --- a/checks/check_extra750 +++ b/checks/check_extra750 @@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra750="AwsEc2SecurityGroup" CHECK_ALTERNATE_check750="extra750" CHECK_ASFF_COMPLIANCE_TYPE_extra750="ens-mp.com.4.aws.sg.7" CHECK_SERVICENAME_extra750="ec2" +CHECK_RISK_extra750='If Security groups are not properly configured the attack surface is increased. ' +CHECK_REMEDIATION_extra750='Use a Zero Trust approach. Narrow ingress traffic as much as possible. Consider north-south as well as east-west traffic.' +CHECK_DOC_extra750='https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html' +CHECK_CAF_EPIC_extra750='Infrastructure Security' extra750(){ for regx in $REGIONS; do diff --git a/checks/check_extra751 b/checks/check_extra751 index 8b4c67e1..5e44d87b 100644 --- a/checks/check_extra751 +++ b/checks/check_extra751 
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra751="AwsEc2SecurityGroup" CHECK_ALTERNATE_check751="extra751" CHECK_ASFF_COMPLIANCE_TYPE_extra751="ens-mp.com.4.aws.sg.8" CHECK_SERVICENAME_extra751="ec2" +CHECK_RISK_extra751='If Security groups are not properly configured the attack surface is increased. ' +CHECK_REMEDIATION_extra751='Use a Zero Trust approach. Narrow ingress traffic as much as possible. Consider north-south as well as east-west traffic.' +CHECK_DOC_extra751='https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html' +CHECK_CAF_EPIC_extra751='Infrastructure Security' extra751(){ for regx in $REGIONS; do diff --git a/checks/check_extra752 b/checks/check_extra752 index 06c95baa..815f3f01 100644 --- a/checks/check_extra752 +++ b/checks/check_extra752 @@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra752="AwsEc2SecurityGroup" CHECK_ALTERNATE_check752="extra752" CHECK_ASFF_COMPLIANCE_TYPE_extra752="ens-mp.com.4.aws.sg.9" CHECK_SERVICENAME_extra752="ec2" +CHECK_RISK_extra752='If Security groups are not properly configured the attack surface is increased. ' +CHECK_REMEDIATION_extra752='Use a Zero Trust approach. Narrow ingress traffic as much as possible. Consider north-south as well as east-west traffic.' +CHECK_DOC_extra752='https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html' +CHECK_CAF_EPIC_extra752='Infrastructure Security' extra752(){ for regx in $REGIONS; do diff --git a/checks/check_extra753 b/checks/check_extra753 index 81270cdc..150a8c14 100644 --- a/checks/check_extra753 +++ b/checks/check_extra753 
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra753="AwsEc2SecurityGroup" CHECK_ALTERNATE_check753="extra753" CHECK_ASFF_COMPLIANCE_TYPE_extra753="ens-mp.com.4.aws.sg.10" CHECK_SERVICENAME_extra753="ec2" +CHECK_RISK_extra753='If Security groups are not properly configured the attack surface is increased. ' +CHECK_REMEDIATION_extra753='Use a Zero Trust approach. Narrow ingress traffic as much as possible. Consider north-south as well as east-west traffic.' +CHECK_DOC_extra753='https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html' +CHECK_CAF_EPIC_extra753='Infrastructure Security' extra753(){ for regx in $REGIONS; do diff --git a/checks/check_extra754 b/checks/check_extra754 index 3316f152..8046782f 100644 --- a/checks/check_extra754 +++ b/checks/check_extra754 @@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra754="AwsEc2SecurityGroup" CHECK_ALTERNATE_check754="extra754" CHECK_ASFF_COMPLIANCE_TYPE_extra754="ens-mp.com.4.aws.sg.11" CHECK_SERVICENAME_extra754="ec2" +CHECK_RISK_extra754='If Security groups are not properly configured the attack surface is increased. ' +CHECK_REMEDIATION_extra754='Use a Zero Trust approach. Narrow ingress traffic as much as possible. Consider north-south as well as east-west traffic.' +CHECK_DOC_extra754='https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html' +CHECK_CAF_EPIC_extra754='Infrastructure Security' extra754(){ for regx in $REGIONS; do diff --git a/checks/check_extra755 b/checks/check_extra755 index 6c746702..45460007 100644 --- a/checks/check_extra755 +++ b/checks/check_extra755 
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra755="AwsEc2SecurityGroup" CHECK_ALTERNATE_check755="extra755" CHECK_ASFF_COMPLIANCE_TYPE_extra755="ens-mp.com.4.aws.sg.12" CHECK_SERVICENAME_extra755="ec2" +CHECK_RISK_extra755='If Security groups are not properly configured the attack surface is increased. ' +CHECK_REMEDIATION_extra755='Use a Zero Trust approach. Narrow ingress traffic as much as possible. Consider north-south as well as east-west traffic.' +CHECK_DOC_extra755='https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html' +CHECK_CAF_EPIC_extra755='Infrastructure Security' extra755(){ for regx in $REGIONS; do diff --git a/checks/check_extra756 b/checks/check_extra756 index ffcab810..5e33bcc5 100644 --- a/checks/check_extra756 +++ b/checks/check_extra756 @@ -18,6 +18,10 @@ CHECK_SEVERITY_extra756="High" CHECK_ASFF_RESOURCE_TYPE_extra756="AwsRedshiftCluster" CHECK_ALTERNATE_check756="extra756" CHECK_SERVICENAME_extra756="redshift" +CHECK_RISK_extra756='Publicly accessible services could expose sensible data to bad actors.' +CHECK_REMEDIATION_extra756='Ensure there is a business requirement for service to be public. Use the cluster security group to control access to the service.' +CHECK_DOC_extra756='https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-security-groups.html' +CHECK_CAF_EPIC_extra756='Infrastructure Security' extra756(){ for regx in $REGIONS; do diff --git a/checks/check_extra757 b/checks/check_extra757 index 757ab819..23c8bff8 100644 --- a/checks/check_extra757 +++ b/checks/check_extra757 
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra757="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra757="AwsEc2Instance"
 CHECK_ALTERNATE_check757="extra757"
 CHECK_SERVICENAME_extra757="ec2"
+CHECK_RISK_extra757='Having old instances within your AWS account could increase the risk of having vulnerable software.'
+CHECK_REMEDIATION_extra757='Check if software running in the instance is up to date and patched accordingly. Use AWS Systems Manager to patch instances and view patching compliance information.'
+CHECK_DOC_extra757='https://docs.aws.amazon.com/systems-manager/latest/userguide/viewing-patch-compliance-results.html'
+CHECK_CAF_EPIC_extra757='Infrastructure Security'
 
 extra757(){
 OLDAGE="$(get_date_previous_than_months 6)"
diff --git a/checks/check_extra758 b/checks/check_extra758
index bda9e922..b4c483cd 100644
--- a/checks/check_extra758
+++ b/checks/check_extra758
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra758="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra758="AwsEc2Instance"
 CHECK_ALTERNATE_check758="extra758"
 CHECK_SERVICENAME_extra758="ec2"
+CHECK_RISK_extra758='Having old instances within your AWS account could increase the risk of having vulnerable software.'
+CHECK_REMEDIATION_extra758='Check if software running in the instance is up to date and patched accordingly. Use AWS Systems Manager to patch instances and view patching compliance information.'
+CHECK_DOC_extra758='https://docs.aws.amazon.com/systems-manager/latest/userguide/viewing-patch-compliance-results.html'
+CHECK_CAF_EPIC_extra758='Infrastructure Security'
 
 extra758(){
 OLDAGE="$(get_date_previous_than_months 12)"
diff --git a/checks/check_extra759 b/checks/check_extra759
index bf4d8052..01c6bebb 100644
--- a/checks/check_extra759
+++ b/checks/check_extra759
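Review bot: The remediation for extra757 tells the reader to verify patching, but the finding itself is derived from launch age (the context line sets OLDAGE to six months, extra758 to twelve), so a long-running instance that is kept patched through SSM is still reported; the text should say that so the finding is not read as "unpatched". Suggest `CHECK_RISK_extra757='Instances launched more than 6 months ago may be running software that has not been patched since launch.'` and ending the remediation with `If Patch Manager compliance shows the instance is current, the finding can be accepted.` The same risk/remediation is copied verbatim into extra758 without the threshold, so the two findings read identically in a report. The rest of extra757 is outside the hunk.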
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra759="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra759="AwsLambdaFunction"
 CHECK_ALTERNATE_check759="extra759"
 CHECK_SERVICENAME_extra759="lambda"
+CHECK_RISK_extra759='The use of a hard-coded password increases the possibility of password guessing. If hard-coded passwords are used; it is possible that malicious users gain access through the account in question.'
+CHECK_REMEDIATION_extra759='Use Secrets Manager to securely provide database credentials to Lambda functions and secure the databases as well as use the credentials to connect and query them without hardcoding the secrets in code or passing them through environmental variables. '
+CHECK_DOC_extra759='https://docs.aws.amazon.com/secretsmanager/latest/userguide/lambda-functions.html'
+CHECK_CAF_EPIC_extra759='IAM'
 
 extra759(){
 SECRETS_TEMP_FOLDER="$PROWLER_DIR/secrets-$ACCOUNT_NUM"
diff --git a/checks/check_extra76 b/checks/check_extra76
index 898b5a09..854d48e7 100644
--- a/checks/check_extra76
+++ b/checks/check_extra76
@@ -19,6 +19,10 @@ CHECK_ALTERNATE_extra706="extra76"
 CHECK_ALTERNATE_check76="extra76"
 CHECK_ALTERNATE_check706="extra76"
 CHECK_SERVICENAME_extra76="ec2"
+CHECK_RISK_extra76='A shared AMI is an AMI that a developer created and made available for other developers to use. If AMIs have embebed information about the environment could pose a security risk. You use a shared AMI at your own risk. Amazon can not vouch for the integrity or security of AMIs shared by Amazon EC2 users. '
+CHECK_REMEDIATION_extra76='List all shared AMIs and make sure there is a business reason for them.'
+CHECK_DOC_extra76='https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/usingsharedamis-finding.html'
+CHECK_CAF_EPIC_extra76='Infrastructure Security'
 
 extra76(){
 # "Ensure there are no EC2 AMIs set as Public (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra760 b/checks/check_extra760
index ba54aa89..b75303ae 100644
--- a/checks/check_extra760
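Review bot: CHECK_RISK_extra76 describes the risk of consuming someone else's shared AMI ("You use a shared AMI at your own risk"), but the context comment says the check flags AMIs this account has set as Public, so the risk runs the other way: credentials, keys, internal hostnames or proprietary code baked into the image become readable by anyone who launches it. `embebed` is also a typo for `embedded`. Suggest `CHECK_RISK_extra76='A public AMI can be launched by any AWS account; any credentials, keys or internal configuration embedded in the image are exposed to everyone.'` and `CHECK_REMEDIATION_extra76='Confirm the AMI is meant to be public; otherwise remove the public launch permission (aws ec2 modify-image-attribute --image-id <id> --launch-permission "Remove=[{Group=all}]") and rotate any secrets the image contained.'`. The CHECK_DOC page (usingsharedamis-finding) is written for consumers of shared AMIs; the page on sharing your own AMI would match the check better.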
+++ b/checks/check_extra760
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra760="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra760="AwsLambdaFunction"
 CHECK_ALTERNATE_check760="extra760"
 CHECK_SERVICENAME_extra760="lambda"
+CHECK_RISK_extra760='The use of a hard-coded password increases the possibility of password guessing. If hard-coded passwords are used; it is possible that malicious users gain access through the account in question.'
+CHECK_REMEDIATION_extra760='Use Secrets Manager to securely provide database credentials to Lambda functions and secure the databases as well as use the credentials to connect and query them without hardcoding the secrets in code or passing them through environmental variables. '
+CHECK_DOC_extra760='https://docs.aws.amazon.com/secretsmanager/latest/userguide/lambda-functions.html'
+CHECK_CAF_EPIC_extra760='IAM'
 
 extra760(){
 SECRETS_TEMP_FOLDER="$PROWLER_DIR/secrets-$ACCOUNT_NUM"
diff --git a/checks/check_extra761 b/checks/check_extra761
index a0ad91f7..a8504632 100644
--- a/checks/check_extra761
+++ b/checks/check_extra761
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra761="Medium"
 CHECK_ALTERNATE_check761="extra761"
 CHECK_ASFF_COMPLIANCE_TYPE_extra761="ens-mp.info.3.aws.ebs.2"
 CHECK_SERVICENAME_extra761="ec2"
+CHECK_RISK_extra761='If not enabled sensible information at rest is not protected.'
+CHECK_REMEDIATION_extra761='Enable Encryption. Use a CMK where possible. It will provide additional management and privacy benefits.'
+CHECK_DOC_extra761='https://aws.amazon.com/premiumsupport/knowledge-center/ebs-automatic-encryption/'
+CHECK_CAF_EPIC_extra761='Data Protection'
 
 extra761(){
 textInfo "Looking for EBS Default Encryption activation in all regions... "
diff --git a/checks/check_extra762 b/checks/check_extra762
index 16143008..fe55e875 100644
--- a/checks/check_extra762
+++ b/checks/check_extra762
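Review bot: `sensible information` in CHECK_RISK_extra761 should be `sensitive information`. The remediation "Enable Encryption" is also a step short: EBS default encryption is a per-region setting (the context line shows the check walks all regions) and, as far as I recall, it only applies to volumes and snapshots created after it is switched on, so existing unencrypted volumes still need to be re-created from an encrypted snapshot copy; saying so stops readers from assuming the switch retrofits existing data. Suggest `CHECK_REMEDIATION_extra761='Enable EBS default encryption in every region (aws ec2 enable-ebs-encryption-by-default); existing unencrypted volumes must be re-created from an encrypted snapshot copy. Prefer a customer managed KMS key.'`. extra761's body continues outside the hunk.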
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra762="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra762="AwsLambdaFunction"
 CHECK_ALTERNATE_check762="extra762"
 CHECK_SERVICENAME_extra762="lambda"
+CHECK_RISK_extra762=' If you have functions running on a runtime that will be deprecated in the next 60 days; Lambda notifies you by email that you should prepare by migrating your function to a supported runtime. In some cases; such as security issues that require a backwards-incompatible update; or software that does not support a long-term support (LTS) schedule; advance notice might not be possible. After a runtime is deprecated; Lambda might retire it completely at any time by disabling invocation. Deprecated runtimes are not eligible for security updates or technical support.'
+CHECK_REMEDIATION_extra762='Test new runtimes as they are made available. Implement them in production as soon as possible.'
+CHECK_DOC_extra762='https://docs.aws.amazon.com/lambda/latest/dg/runtime-support-policy.html'
+CHECK_CAF_EPIC_extra762='Infrastructure Security'
 
 extra762(){
 
diff --git a/checks/check_extra763 b/checks/check_extra763
index a420df22..79d35f1e 100644
--- a/checks/check_extra763
+++ b/checks/check_extra763
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra763="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra763="AwsS3Bucket"
 CHECK_ALTERNATE_check763="extra763"
 CHECK_SERVICENAME_extra763="s3"
+CHECK_RISK_extra763=' With versioning; you can easily recover from both unintended user actions and application failures.'
+CHECK_REMEDIATION_extra763='Configure versioning using the Amazon console or API for buckets with sensible information that is changing frecuently; and backup may not be enough to capture all the changes.'
+CHECK_DOC_extra763='https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/Versioning.html'
+CHECK_CAF_EPIC_extra763='Data Protection'
 
 extra763(){
 # "Check if S3 buckets have object versioning enabled (Not Scored) (Not part of CIS benchmark)"
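Review bot: CHECK_RISK_extra763 starts with a space inside the quotes (`' With versioning; ...'`, the same slip as CHECK_RISK_extra762 in the hunk above), which will be carried into the report text; the remediation also has `sensible` for `sensitive` and `frecuently` for `frequently`. More substantively, the risk field states a benefit rather than a risk; for a security report it is more useful to say what the missing control allows, e.g. `CHECK_RISK_extra763='Without versioning an accidental or malicious overwrite or delete permanently destroys the object; with versioning the previous version can be restored.'`. Versioning alone does not stop a principal with s3:DeleteObjectVersion, so a clause about MFA delete or Object Lock in the remediation would round it out. extra763's body continues outside the hunk.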
diff --git a/checks/check_extra764 b/checks/check_extra764
index 673de716..426c53ae 100644
--- a/checks/check_extra764
+++ b/checks/check_extra764
@@ -19,6 +19,11 @@ CHECK_ASFF_RESOURCE_TYPE_extra764="AwsS3Bucket"
 CHECK_ALTERNATE_check764="extra764"
 CHECK_ASFF_COMPLIANCE_TYPE_extra764="ens-mp.com.2.aws.s3.1"
 CHECK_SERVICENAME_extra764="s3"
+CHECK_RISK_extra764='If HTTPS is not enforced on the bucket policy; communication between clients and S3 buckets can use unencrypted HTTP. As a result; sensitive information could be transmitted in clear text over the network or internet.'
+CHECK_REMEDIATION_extra764='Ensure that S3 buckets has encryption in transit enabled.'
+CHECK_DOC_extra764='https://docs.aws.amazon.com/AmazonS3/latest/dev/security-best-practices.html'
+CHECK_CAF_EPIC_extra764='Data Protection'
+
 
 extra764(){
 LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --query Buckets[*].Name --output text --region $REGION|xargs -n1)
diff --git a/checks/check_extra765 b/checks/check_extra765
index 8dce6fb7..8c23408f 100644
--- a/checks/check_extra765
+++ b/checks/check_extra765
@@ -27,6 +27,10 @@ CHECK_TYPE_extra765="EXTRA"
 CHECK_SEVERITY_extra765="Medium"
 CHECK_ALTERNATE_check765="extra765"
 CHECK_SERVICENAME_extra765="ecr"
+CHECK_RISK_extra765='Amazon ECR image scanning helps in identifying software vulnerabilities in your container images. Amazon ECR uses the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project and provides a list of scan findings. '
+CHECK_REMEDIATION_extra765='Enable ECR image scanning and review the scan findings for information about the security of the container images that are being deployed.'
+CHECK_DOC_extra765='https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html'
+CHECK_CAF_EPIC_extra765='Infrastructure Security'
 
 extra765(){
 for region in $REGIONS; do
diff --git a/checks/check_extra767 b/checks/check_extra767
index 403c8947..a87b0c52 100644
--- a/checks/check_extra767
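Review bot: CHECK_REMEDIATION_extra764 ("Ensure that S3 buckets has encryption in transit enabled") does not tell the reader what to change, while the risk text correctly identifies the control as a bucket-policy condition. The concrete fix is a Deny statement on the bucket with `"Principal": "*"`, `"Action": "s3:*"`, both the bucket ARN and `<bucket-arn>/*` as resources, and `"Condition": {"Bool": {"aws:SecureTransport": "false"}}`; the remediation should say so, e.g. `CHECK_REMEDIATION_extra764='Add a bucket policy statement that denies s3:* to all principals on the bucket and its objects when aws:SecureTransport is false.'`. `buckets has` should also be `buckets have`. extra764's body continues outside the hunk.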
+++ b/checks/check_extra767
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra767="Low"
 CHECK_ASFF_RESOURCE_TYPE_extra767="AwsCloudFrontDistribution"
 CHECK_ALTERNATE_check767="extra767"
 CHECK_SERVICENAME_extra767="cloudfront"
+CHECK_RISK_extra767='Allows you protect specific data throughout system processing so that only certain applications can see it.'
+CHECK_REMEDIATION_extra767='Check if applicable to any sensible data. This encryption ensures that only applications that need the data—and have the credentials to decrypt it - are able to do so.'
+CHECK_DOC_extra767='https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html'
+CHECK_CAF_EPIC_extra767='Data Protection'
 
 extra767(){
 LIST_OF_DISTRIBUTIONS=$($AWSCLI cloudfront list-distributions --query 'DistributionList.Items[*].Id' $PROFILE_OPT --output text|grep -v ^None)
diff --git a/checks/check_extra768 b/checks/check_extra768
index 25078fd8..f0c6b3d1 100644
--- a/checks/check_extra768
+++ b/checks/check_extra768
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra768="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra768="AwsEcsTaskDefinition"
 CHECK_ALTERNATE_check768="extra768"
 CHECK_SERVICENAME_extra768="ecs"
+CHECK_RISK_extra768='The use of a hard-coded password increases the possibility of password guessing. If hard-coded passwords are used; it is possible that malicious users gain access through the account in question.'
+CHECK_REMEDIATION_extra768='Use Secrets Manager to securely provide database credentials to Lambda functions and secure the databases as well as use the credentials to connect and query them without hardcoding the secrets in code or passing them through environmental variables. '
+CHECK_DOC_extra768='https://docs.aws.amazon.com/secretsmanager/latest/userguide/lambda-functions.html'
+CHECK_CAF_EPIC_extra768='Logging and Monitoring'
 
 extra768(){
 SECRETS_TEMP_FOLDER="$PROWLER_DIR/secrets-$ACCOUNT_NUM"
diff --git a/checks/check_extra769 b/checks/check_extra769
index e56196d4..3d45692b 100644
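Review bot: CHECK_REMEDIATION_extra768 and CHECK_DOC_extra768 were copied from the Lambda secrets checks (extra759/760) and tell the reader to provide credentials "to Lambda functions", but this check's ASFF resource type is AwsEcsTaskDefinition and its service is ecs. The ECS-specific fix is to reference the secret from the container definition instead of embedding it in `environment`: use the `secrets` list with `valueFrom` pointing at a Secrets Manager or SSM Parameter Store ARN and grant the task execution role permission to read it; the matching doc is the ECS developer guide page on specifying sensitive data. The CAF epic is also 'Logging and Monitoring' here while the sibling secrets checks use 'IAM', which looks like a slip. Suggest `CHECK_REMEDIATION_extra768='Do not put secrets in task definition environment variables; reference them through the secrets/valueFrom container definition fields from Secrets Manager or SSM Parameter Store, grant the task execution role access, and rotate the exposed value.'`. extra768's body continues outside the hunk.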
--- a/checks/check_extra769
+++ b/checks/check_extra769
@@ -18,6 +18,10 @@ CHECK_TYPE_extra769="EXTRA"
 CHECK_SEVERITY_extra769="High"
 CHECK_ALTERNATE_check769="extra769"
 CHECK_SERVICENAME_extra769="accessanalyzer"
+CHECK_RISK_extra769='AWS IAM Access Analyzer helps you identify the resources in your organization and accounts; such as Amazon S3 buckets or IAM roles; that are shared with an external entity. This lets you identify unintended access to your resources and data; which is a security risk. IAM Access Analyzer uses a form of mathematical analysis called automated reasoning; which applies logic and mathematical inference to determine all possible access paths allowed by a resource policy.'
+CHECK_REMEDIATION_extra769='Enable IAM Access Analyzer for all accounts; create analyzer and take action over it is recommendations (IAM Access Analyzer is available at no additional cost).'
+CHECK_DOC_extra769='https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html'
+CHECK_CAF_EPIC_extra769='IAM'
 
 extra769(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra77 b/checks/check_extra77
index ef3f9a91..4391c320 100644
--- a/checks/check_extra77
+++ b/checks/check_extra77
@@ -20,6 +20,10 @@ CHECK_ALTERNATE_extra707="extra77"
 CHECK_ALTERNATE_check77="extra77"
 CHECK_ALTERNATE_check707="extra77"
 CHECK_SERVICENAME_extra77="ecr"
+CHECK_RISK_extra77='Policy may allow Anonymous users to perform actions.'
+CHECK_REMEDIATION_extra77='Ensure this repository and its contents should be publicly accessible.'
+CHECK_DOC_extra77='https://docs.aws.amazon.com/AmazonECR/latest/public/security_iam_service-with-iam.html'
+CHECK_CAF_EPIC_extra77='Data Protection'
 
 extra77(){
 # "Ensure there are no ECR repositories set as Public (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra770 b/checks/check_extra770
index f2f9e218..7c52439b 100644
--- a/checks/check_extra770
+++ b/checks/check_extra770
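Review bot: CHECK_REMEDIATION_extra77 ("Ensure this repository and its contents should be publicly accessible") reads as a tautology and never says what to do when the answer is no. Given the risk text ("Policy may allow Anonymous users") the finding is a repository policy with a wildcard principal, so the remediation should name the action, e.g. `CHECK_REMEDIATION_extra77='Confirm there is a business need for anonymous access; otherwise remove the statement with "Principal": "*" from the repository policy (aws ecr set-repository-policy, or delete-repository-policy if nothing else is needed).'`. CHECK_DOC_extra77 points at the Amazon ECR Public (public gallery) IAM page, which is a different service from a private repository whose own policy grants anonymous access; the private-registry repository-policy page would fit the check better. extra77's body is outside the hunk.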
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra770="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra770="AwsEc2Instance"
 CHECK_ALTERNATE_check770="extra770"
 CHECK_SERVICENAME_extra770="ec2"
+CHECK_RISK_extra770='Exposing an EC2 directly to internet increases the attack surface and therefore the risk of compromise.'
+CHECK_REMEDIATION_extra770='Use an ALB and apply WAF ACL.'
+CHECK_DOC_extra770='https://aws.amazon.com/blogs/aws/aws-web-application-firewall-waf-for-application-load-balancers/'
+CHECK_CAF_EPIC_extra770='Infrastructure Security'
 
 extra770(){
 # "Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra771 b/checks/check_extra771
index c109d059..cffc6021 100644
--- a/checks/check_extra771
+++ b/checks/check_extra771
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra771="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra771="AwsS3Bucket"
 CHECK_ALTERNATE_check771="extra771"
 CHECK_SERVICENAME_extra771="s3"
+CHECK_RISK_extra771='Non intended users can put objects in a given bucket.'
+CHECK_REMEDIATION_extra771='Ensure proper bucket policy is in place with the least privilege principle applied.'
+CHECK_DOC_extra771='https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_s3_rw-bucket.html'
+CHECK_CAF_EPIC_extra771='IAM'
 
 extra771(){
 LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --region $REGION --query Buckets[*].Name --output text|xargs -n1)
diff --git a/checks/check_extra772 b/checks/check_extra772
index 87a1c528..2604662e 100644
--- a/checks/check_extra772
+++ b/checks/check_extra772
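Review bot: `Non intended users` in CHECK_RISK_extra771 should be `Unintended users`, and for a Critical finding about anonymous PutObject the remediation "ensure proper bucket policy" is thin. The quickest, policy-independent stop is S3 Block Public Access on the bucket (or the whole account), which overrides a public grant in the policy: `aws s3api put-public-access-block --bucket <name> --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true`, followed by removing the `"Principal": "*"` put statement from the policy and reviewing what was uploaded while it was open. Suggest saying both steps in CHECK_REMEDIATION_extra771. extra771's body continues outside the hunk.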
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra772="Low"
 CHECK_ASFF_RESOURCE_TYPE_extra772="AwsEc2Eip"
 CHECK_ALTERNATE_check772="extra772"
 CHECK_SERVICENAME_extra772="ec2"
+CHECK_RISK_extra772='You are charged by the hour for each Elastic IP address that are not attached to an EC2 instance .'
+CHECK_REMEDIATION_extra772='If you don’t need an Elastic IP address; you can stop the charges by releasing the IP address.'
+CHECK_DOC_extra772='https://aws.amazon.com/premiumsupport/knowledge-center/elastic-ip-charges/'
+CHECK_CAF_EPIC_extra772='Infrastructure Security'
 
 extra772(){
 for region in $REGIONS; do
diff --git a/checks/check_extra773 b/checks/check_extra773
index 20068495..34a6cacc 100644
--- a/checks/check_extra773
+++ b/checks/check_extra773
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra773="AwsCloudFrontDistribution"
 CHECK_ALTERNATE_check773="extra773"
 CHECK_ASFF_COMPLIANCE_TYPE_extra773="ens-mp.s.2.aws.waf.1"
 CHECK_SERVICENAME_extra773="cloudfront"
+CHECK_RISK_extra773='Potential attacks and / or abuse of service; more even for even for internet reachable services.'
+CHECK_REMEDIATION_extra773='Use AWS WAF to protect your service from common web exploits. These could affect availability and performance; compromise security; or consume excessive resources.'
+CHECK_DOC_extra773='https://docs.aws.amazon.com/waf/latest/developerguide/cloudfront-features.html'
+CHECK_CAF_EPIC_extra773='Infrastructure Security'
 
 extra773(){
 # "Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra774 b/checks/check_extra774
index 9f167514..4fce1afe 100644
--- a/checks/check_extra774
+++ b/checks/check_extra774
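Review bot: CHECK_RISK_extra773 contains a duplicated fragment (`more even for even for internet reachable services`) in a string the report prints; it should read something like `Potential attacks and/or abuse of service, especially for internet-reachable services.` The remediation could also name the concrete action, which for CloudFront is setting the web ACL ARN in the distribution's WebACLId rather than the generic wafv2 associate call. Separately, the context comment kept in this hunk says the function checks that "CloudFront distributions have logging enabled" while the new metadata is about WAF; the comment is pre-existing, but it now contradicts the risk/remediation right above it, so correcting it in the same commit would be cheap. extra773's body continues outside the hunk.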
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra774="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra774="AwsIamUser"
 CHECK_ALTERNATE_check774="extra774"
 CHECK_SERVICENAME_extra774="iam"
+CHECK_RISK_extra774='To increase the security of your AWS account; remove IAM user credentials (that is; passwords and access keys) that are not needed. For example; when users leave your organization or no longer need AWS access.'
+CHECK_REMEDIATION_extra774='Find the credentials that they were using and ensure that they are no longer operational. Ideally; you delete credentials if they are no longer needed. You can always recreate them at a later date if the need arises. At the very least; you should change the password or deactivate the access keys so that the former users no longer have access.'
+CHECK_DOC_extra774='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html'
+CHECK_CAF_EPIC_extra774='IAM'
 
 extra774(){
 check_creds_used_in_last_days 30
diff --git a/checks/check_extra775 b/checks/check_extra775
index 5a60b320..9d871b97 100644
--- a/checks/check_extra775
+++ b/checks/check_extra775
@@ -17,6 +17,10 @@ CHECK_TYPE_extra775="EXTRA"
 CHECK_SEVERITY_extra775="Critical"
 CHECK_ALTERNATE_check775="extra775"
 CHECK_SERVICENAME_extra775="autoscaling"
+CHECK_RISK_extra775='The use of a hard-coded password increases the possibility of password guessing. If hard-coded passwords are used; it is possible that malicious users gain access through the account in question.'
+CHECK_REMEDIATION_extra775='Use Secrets Manager to securely provide database credentials to Lambda functions and secure the databases as well as use the credentials to connect and query them without hardcoding the secrets in code or passing them through environmental variables. '
+CHECK_DOC_extra775='https://docs.aws.amazon.com/secretsmanager/latest/userguide/lambda-functions.html'
+CHECK_CAF_EPIC_extra775='IAM'
 
 extra775(){
 SECRETS_TEMP_FOLDER="$PROWLER_DIR/secrets-$ACCOUNT_NUM"
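Review bot: CHECK_REMEDIATION_extra775 and CHECK_DOC_extra775 talk about "Lambda functions" and link the Secrets Manager Lambda page, but this check's service is autoscaling, where the secret presumably sits in launch configuration user data (the body is outside the hunk). User data is readable by anyone with autoscaling:DescribeLaunchConfigurations and, at runtime, by any process on the instance via the metadata service, so the advice should be EC2-specific: fetch the secret at boot from Secrets Manager or SSM Parameter Store using the instance profile and never embed it in user data. Suggest `CHECK_REMEDIATION_extra775='Remove the secret from the launch configuration user data; have the instance retrieve it at boot from Secrets Manager or SSM Parameter Store through its instance profile, and rotate the exposed value.'` with CHECK_DOC pointing at the EC2 user data or Secrets Manager retrieval docs instead of the Lambda page.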
diff --git a/checks/check_extra776 b/checks/check_extra776
index 9f14cd04..5bfe48a4 100644
--- a/checks/check_extra776
+++ b/checks/check_extra776
@@ -32,6 +32,10 @@ CHECK_TYPE_extra776="EXTRA"
 CHECK_SEVERITY_extra776="Medium"
 CHECK_ALTERNATE_check776="extra776"
 CHECK_SERVICENAME_extra776="ecr"
+CHECK_RISK_extra776='Amazon ECR image scanning helps in identifying software vulnerabilities in your container images. Amazon ECR uses the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project and provides a list of scan findings. '
+CHECK_REMEDIATION_extra776='Open the Amazon ECR console. look for vulnerabilities and fix them.'
+CHECK_DOC_extra776='https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html#describe-scan-findings'
+CHECK_CAF_EPIC_extra776='Logging and Monitoring'
 
 extra776(){
 for region in $REGIONS; do
diff --git a/checks/check_extra777 b/checks/check_extra777
index 3120963d..ffd79feb 100644
--- a/checks/check_extra777
+++ b/checks/check_extra777
@@ -22,6 +22,10 @@ CHECK_SEVERITY_extra777="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra777="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check777="extra777"
 CHECK_SERVICENAME_extra777="ec2"
+CHECK_RISK_extra777='If Security groups are not properly configured the attack surface is increased. '
+CHECK_REMEDIATION_extra777='Use a Zero Trust approach. Narrow ingress traffic as much as possible. Consider north-south as well as east-west traffic.'
+CHECK_DOC_extra777='https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html'
+CHECK_CAF_EPIC_extra777='Infrastructure Security'
 
 extra777(){
 THRESHOLD=50
diff --git a/checks/check_extra778 b/checks/check_extra778
index 59d60335..3814d52c 100644
--- a/checks/check_extra778
+++ b/checks/check_extra778
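Review bot: CHECK_CAF_EPIC_extra776 is 'Logging and Monitoring' while extra765, the sibling ECR scanning check in this same commit, is 'Infrastructure Security'; a vulnerability found in an image is an infrastructure/supply-chain finding rather than a logging one, so presumably the two should agree. The remediation ("Open the Amazon ECR console. look for vulnerabilities and fix them.") also has a lowercase sentence start and gives no CLI path or actual fix; `aws ecr describe-image-scan-findings --repository-name <repo> --image-id imageTag=<tag>` lists the CVEs and the fix is to rebuild on a patched base image and redeploy. Suggest `CHECK_REMEDIATION_extra776='Review the scan findings (aws ecr describe-image-scan-findings), rebuild the image on a patched base image, push and redeploy; consider failing the pipeline on HIGH/CRITICAL findings.'`. The risk text names the Clair database specifically, a scanner implementation detail that may change; "the scanner's CVE database" ages better. extra776's body continues outside the hunk.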
@@ -19,6 +19,10 @@ CHECK_SEVERITY_extra778="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra778="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check778="extra778"
 CHECK_SERVICENAME_extra778="ec2"
+CHECK_RISK_extra778='If Security groups are not properly configured the attack surface is increased. '
+CHECK_REMEDIATION_extra778='Use a Zero Trust approach. Narrow ingress traffic as much as possible. Consider north-south as well as east-west traffic.'
+CHECK_DOC_extra778='https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html'
+CHECK_CAF_EPIC_extra778='Infrastructure Security'
 
 extra778(){
 CIDR_THRESHOLD=24
diff --git a/checks/check_extra779 b/checks/check_extra779
index cfd8ebc9..e0d614ec 100644
--- a/checks/check_extra779
+++ b/checks/check_extra779
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra779="High"
 CHECK_ASFF_RESOURCE_TYPE_extra779="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check779="extra779"
 CHECK_SERVICENAME_extra779="ec2"
+CHECK_RISK_extra779='If Security groups are not properly configured the attack surface is increased. '
+CHECK_REMEDIATION_extra779='Use a Zero Trust approach. Narrow ingress traffic as much as possible. Consider north-south as well as east-west traffic.'
+CHECK_DOC_extra779='https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html'
+CHECK_CAF_EPIC_extra779='Infrastructure Security'
 
 extra779(){
 ES_API_PORT="9200"
diff --git a/checks/check_extra78 b/checks/check_extra78
index 064cf6cc..16d91ba2 100644
--- a/checks/check_extra78
+++ b/checks/check_extra78
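Review bot: CHECK_RISK_extra779 and CHECK_REMEDIATION_extra779 are the generic security-group sentences, but the context line right below shows the function sets `ES_API_PORT="9200"`, so this High finding is specifically about the Elasticsearch REST API being reachable, and an open 9200 usually means unauthenticated read/write of every index rather than just "increased attack surface". Suggest `CHECK_RISK_extra779='An Elasticsearch API (TCP 9200) reachable from the internet typically gives unauthenticated read, write and delete access to all indices.'` and `CHECK_REMEDIATION_extra779='Remove 0.0.0.0/0 and ::/0 from the ingress rule for port 9200 and allow only the security groups or CIDRs of the clients that need it.'`. extra779's body continues outside the hunk.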
@@ -20,6 +20,10 @@ CHECK_ALTERNATE_extra708="extra78"
 CHECK_ALTERNATE_check78="extra78"
 CHECK_ALTERNATE_check708="extra78"
 CHECK_SERVICENAME_extra78="rds"
+CHECK_RISK_extra78='Publicly accessible databases could expose sensible data to bad actors.'
+CHECK_REMEDIATION_extra78='Using an AWS Config rule check for RDS public instances periodically and check there is a business reason for it.'
+CHECK_DOC_extra78='https://docs.amazonaws.cn/en_us/config/latest/developerguide/rds-instance-public-access-check.html'
+CHECK_CAF_EPIC_extra78='Data Protection'
 
 extra78(){
 # "Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra780 b/checks/check_extra780
index 688e9b94..17c85c9a 100644
--- a/checks/check_extra780
+++ b/checks/check_extra780
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra780="High"
 CHECK_ASFF_RESOURCE_TYPE_extra780="AwsElasticsearchDomain"
 CHECK_ALTERNATE_check780="extra780"
 CHECK_SERVICENAME_extra780="es"
+CHECK_RISK_extra780='Amazon Elasticsearch Service supports Amazon Cognito for Kibana authentication. '
+CHECK_REMEDIATION_extra780='If you do not configure Amazon Cognito authentication; you can still protect Kibana using an IP-based access policy and a proxy server; HTTP basic authentication; or SAML.'
+CHECK_DOC_extra780='https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-ac.html'
+CHECK_CAF_EPIC_extra780='IAM'
 
 extra780(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra781 b/checks/check_extra781
index 40968fdc..73528083 100644
--- a/checks/check_extra781
+++ b/checks/check_extra781
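Review bot: CHECK_REMEDIATION_extra78 describes detection (an AWS Config rule) rather than remediation, and CHECK_DOC_extra78 points at docs.amazonaws.cn, the China-partition documentation host, while every other CHECK_DOC in this commit uses docs.aws.amazon.com. The fix for a public RDS instance is to clear PubliclyAccessible: `aws rds modify-db-instance --db-instance-identifier <id> --no-publicly-accessible` (with a private DB subnet group), so suggest `CHECK_REMEDIATION_extra78='Confirm there is a business requirement for public access; otherwise set PubliclyAccessible to false (aws rds modify-db-instance --no-publicly-accessible) and restrict the security group to known sources.'`. `sensible data` should also be `sensitive data`. extra78's body is outside the hunk.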
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra781="AwsElasticsearchDomain"
 CHECK_ALTERNATE_check781="extra781"
 CHECK_ASFF_COMPLIANCE_TYPE_extra781="ens-mp.info.3.aws.au.1"
 CHECK_SERVICENAME_extra781="es"
+CHECK_RISK_extra781='If not enable unauthorized access to your data could risk increases.'
+CHECK_REMEDIATION_extra781='Enable encryption at rest using AWS KMS to store and manage your encryption keys and the Advanced Encryption Standard algorithm with 256-bit keys (AES-256) to perform the encryption.'
+CHECK_DOC_extra781='https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/encryption-at-rest.html'
+CHECK_CAF_EPIC_extra781='Data Protection'
 
 extra781(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra782 b/checks/check_extra782
index ecb9b3b0..4ff97968 100644
--- a/checks/check_extra782
+++ b/checks/check_extra782
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra782="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra782="AwsElasticsearchDomain"
 CHECK_ALTERNATE_check782="extra782"
 CHECK_SERVICENAME_extra782="es"
+CHECK_RISK_extra782='Node-to-node encryption provides an additional layer of security on top of the default features of Amazon ES. This architecture prevents potential attackers from intercepting traffic between Elasticsearch nodes and keeps the cluster secure.'
+CHECK_REMEDIATION_extra782='Node-to-node encryption on new domains requires Elasticsearch 6.0 or later. Enabling the feature on existing domains requires Elasticsearch 6.7 or later. Choose the existing domain in the AWS console; Actions; and Modify encryption.'
+CHECK_DOC_extra782='https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/ntn.html'
+CHECK_CAF_EPIC_extra782='Data Protection'
 
 extra782(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra783 b/checks/check_extra783
index 09ffe99e..0294f6bc 100644
--- a/checks/check_extra783
+++ b/checks/check_extra783
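Review bot: CHECK_RISK_extra781 is not a sentence (`If not enable unauthorized access to your data could risk increases.`) and it is reused verbatim for extra783; since this string is shown to report readers it should describe the actual exposure, e.g. `CHECK_RISK_extra781='Without encryption at rest, anyone who obtains the underlying storage (disks, snapshots, backups) can read the indexed data.'`. The remediation would also benefit from the version caveat that the sibling extra782 text already carries: as far as I recall, enabling encryption at rest on an existing domain needs a recent Elasticsearch version and older domains must be recreated and reindexed, so a reader should not expect a toggle on every domain. extra781's body is outside the hunk.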
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra783="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra783="AwsElasticsearchDomain"
 CHECK_ALTERNATE_check783="extra783"
 CHECK_SERVICENAME_extra783="es"
+CHECK_RISK_extra783='If not enable unauthorized access to your data could risk increases.'
+CHECK_REMEDIATION_extra783='When creating ES Domains; enable "Require HTTPS fo all traffic to the domain".'
+CHECK_DOC_extra783='https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createupdatedomains.html'
+CHECK_CAF_EPIC_extra783='Data Protection'
 
 extra783(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra784 b/checks/check_extra784
index ea4fa4d9..9c9de6b0 100644
--- a/checks/check_extra784
+++ b/checks/check_extra784
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra784="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra784="AwsElasticsearchDomain"
 CHECK_ALTERNATE_check784="extra784"
 CHECK_SERVICENAME_extra784="es"
+CHECK_RISK_extra784='Internal User Database is convenient for demos; for production environment use Federated authentication.'
+CHECK_REMEDIATION_extra784='Remove users from internal user database and uso Cognito instead.'
+CHECK_DOC_extra784='https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/fgac.html'
+CHECK_CAF_EPIC_extra784='IAM'
 
 extra784(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra785 b/checks/check_extra785
index 31483ae9..0c51277a 100644
--- a/checks/check_extra785
+++ b/checks/check_extra785
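Review bot: CHECK_REMEDIATION_extra783 has a typo in text the report prints (`Require HTTPS fo all traffic` should be `for all traffic`), and CHECK_RISK_extra783 is the same ungrammatical sentence used for extra781. A risk that describes this check: `CHECK_RISK_extra783='Without HTTPS enforced, queries, credentials and indexed data travel in clear text between clients and the domain.'`. The remediation also says "When creating ES Domains", but as far as I recall EnforceHTTPS can be turned on for an existing domain (`--domain-endpoint-options EnforceHTTPS=true` on update-elasticsearch-domain-config), so the text should not imply a rebuild is required. extra783's body is outside the hunk.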
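Review bot: `uso Cognito` in CHECK_REMEDIATION_extra784 is a Spanish slip for `use Cognito`. The risk text recommends "Federated authentication" while the remediation names only Cognito; the fine-grained access control page linked as CHECK_DOC also covers an IAM master user and, I believe, SAML, so listing the alternatives avoids steering every reader to one option: `CHECK_REMEDIATION_extra784='Disable the internal user database and authenticate through an IAM master user, Cognito or SAML; delete the internal users once migrated.'`. extra784's body is outside the hunk.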
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra785="Low"
 CHECK_ASFF_RESOURCE_TYPE_extra785="AwsElasticsearchDomain"
 CHECK_ALTERNATE_check785="extra785"
 CHECK_SERVICENAME_extra785="es"
+CHECK_RISK_extra785='Amazon ES regularly releases system software updates that add features or otherwise improve your domains.'
+CHECK_REMEDIATION_extra785='The Notifications panel in the console is the easiest way to see if an update is available or check the status of an update. You can also receive these notifications through Amazon EventBridge. If you take no action on required updates; Amazon ES still updates your domain service software automatically after a certain timeframe (typically two weeks). In this situation; Amazon ES sends notifications when it starts the update and when the update is complete.'
+CHECK_DOC_extra785='https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-service-software.html'
+CHECK_CAF_EPIC_extra785='Infrastructure Security'
 
 # NOTE!
 # API does not properly shows if an update is available while it is a new version available
diff --git a/checks/check_extra786 b/checks/check_extra786
index 04570dfc..99c0c9ea 100644
--- a/checks/check_extra786
+++ b/checks/check_extra786
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra786="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra786="AwsEc2Instance"
 CHECK_ALTERNATE_check786="extra786"
 CHECK_SERVICENAME_extra786="ec2"
+CHECK_RISK_extra786='Using IMDSv2 will protect from misconfiguration and SSRF vulnerabilities. IMDSv1 will not.'
+CHECK_REMEDIATION_extra786='If you don’t need IMDS you can turn it off. Using aws-cli you can force the instance to use only IMDSv2.'
+CHECK_DOC_extra786='https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html#configuring-instance-metadata-options'
+CHECK_CAF_EPIC_extra786='Infrastructure Security'
 
 extra786(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra787 b/checks/check_extra787
index b85b3969..5481a0f6 100644
--- a/checks/check_extra787
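Review bot: CHECK_RISK_extra786 overstates the control: IMDSv2 does not "protect from SSRF vulnerabilities"; it makes the credential-theft path through SSRF, open proxies or WAF bypasses much harder because the session token must first be obtained with a PUT request and is hop-limited, and a reader who takes the text literally may skip fixing the SSRF itself. The remediation says "Using aws-cli you can force the instance to use only IMDSv2" without giving the command. Suggest `CHECK_RISK_extra786='With IMDSv1 an attacker who can make the instance issue HTTP requests (SSRF, misconfigured proxy) can read the instance role credentials from the metadata service; IMDSv2 requires a session token obtained with PUT, which blocks most of those paths.'` and `CHECK_REMEDIATION_extra786='Require IMDSv2: aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-endpoint enabled (or HttpTokens=required in the launch template); disable IMDS entirely if the instance does not need it.'`. extra786's body is outside the hunk.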
+++ b/checks/check_extra787
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra787="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra787="AwsEc2Instance"
 CHECK_ALTERNATE_check787="extra787"
 CHECK_SERVICENAME_extra787="es"
+CHECK_RISK_extra787='Internet exposed services increases the risk of unauthorised.'
+CHECK_REMEDIATION_extra787='Placing an Amazon ES domain within a VPC enables secure communication between Amazon ES and other services within the VPC without the need for an internet gateway; NAT device; or VPN connection. All traffic remains securely within the AWS Cloud.'
+CHECK_DOC_extra787='https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-vpc.html'
+CHECK_CAF_EPIC_extra787='Infrastructure Security'
 
 extra787(){
 # Prowler will try to access each ElasticSearch server to port:
diff --git a/checks/check_extra788 b/checks/check_extra788
index 9bd0e819..3510a1f8 100644
--- a/checks/check_extra788
+++ b/checks/check_extra788
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra788="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra788="AwsElasticsearchDomain"
 CHECK_ALTERNATE_check788="extra788"
 CHECK_SERVICENAME_extra788="es"
+CHECK_RISK_extra788='Internet exposed services increases the risk of unauthorised.'
+CHECK_REMEDIATION_extra788='Placing an Amazon ES domain within a VPC enables secure communication between Amazon ES and other services within the VPC without the need for an internet gateway; NAT device; or VPN connection. All traffic remains securely within the AWS Cloud.'
+CHECK_DOC_extra788='https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-vpc.html'
+CHECK_CAF_EPIC_extra788='Infrastructure Security'
 
 extra788(){
 # Prowler will try to access each ElasticSearch server to the public URI endpoint.
diff --git a/checks/check_extra789 b/checks/check_extra789
index f289785a..c005c036 100644
--- a/checks/check_extra789
+++ b/checks/check_extra789
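Review bot: CHECK_RISK_extra787 is a truncated sentence (`increases the risk of unauthorised.` is missing its noun, "unauthorised access" or similar) and the same truncated text is reused for extra788. The remediation for extra787 is also the managed-domain advice ("Placing an Amazon ES domain within a VPC"), but the context lines show this check's ASFF resource type is AwsEc2Instance and the body comment says Prowler probes each Elasticsearch server on a port, i.e. self-managed Elasticsearch on EC2, for which the fix is a security group/NACL change or a private subnet, not a domain VPC setting. Suggest `CHECK_RISK_extra787='An Elasticsearch API reachable from the internet without authentication lets anyone read, modify or delete the indexed data.'` and `CHECK_REMEDIATION_extra787='Restrict the instance security group so the Elasticsearch port is reachable only from trusted CIDRs or security groups, put the cluster behind an authenticating proxy, or move it to a private subnet.'`. extra787's body continues outside the hunk.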
@@ -19,6 +19,10 @@ CHECK_SEVERITY_extra789="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra789="AwsEc2Vpc"
 CHECK_ALTERNATE_extra789="extra789"
 CHECK_SERVICENAME_extra789="vpc"
+CHECK_RISK_extra789='Account VPC could be linked to other accounts.'
+CHECK_REMEDIATION_extra789='In multi Account environments identify untrusted links. Check trust chaining and dependencies between accounts.'
+CHECK_DOC_extra789='https://github.com/toniblyx/prowler/#trust-boundaries-checks'
+CHECK_CAF_EPIC_extra789='Infrastructure Security'
 
 extra789(){
 TRUSTED_ACCOUNT_IDS=$( echo "${ACCOUNT_NUM} ${GROUP_TRUSTBOUNDARIES_TRUSTED_ACCOUNT_IDS}" | xargs )
diff --git a/checks/check_extra79 b/checks/check_extra79
index 377ffeae..81d541df 100644
--- a/checks/check_extra79
+++ b/checks/check_extra79
@@ -20,6 +20,10 @@ CHECK_ALTERNATE_extra709="extra79"
 CHECK_ALTERNATE_check79="extra79"
 CHECK_ALTERNATE_check709="extra79"
 CHECK_SERVICENAME_extra79="elb"
+CHECK_RISK_extra79='Public accessible load balancers could expose sensible data to bad actors.'
+CHECK_REMEDIATION_extra79='Ensure the load balancer should be publicly accessible. If publiccly exposed ensure a WAF ACL is implemented.'
+CHECK_DOC_extra79='https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-associating-aws-resource.html'
+CHECK_CAF_EPIC_extra79='Data Protection'
 
 extra79(){
 # "Check for internet facing Elastic Load Balancers (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra790 b/checks/check_extra790
index 5278365c..91f54808 100644
--- a/checks/check_extra790
+++ b/checks/check_extra790
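Review bot: CHECK_REMEDIATION_extra79 has a typo in text the report prints (`publiccly` should be `publicly`) and its first sentence ("Ensure the load balancer should be publicly accessible") does not say what to do when it should not be. Suggest `CHECK_REMEDIATION_extra79='Confirm the load balancer needs to be internet-facing; if not, recreate it with the internal scheme (the scheme cannot be changed in place). If it must be public, associate a WAF web ACL and terminate TLS on the listener.'`, and `sensible data` should be `sensitive data`. The CAF epic is 'Data Protection' here while extra770, the equivalent internet-facing check for EC2 instances in this commit, uses 'Infrastructure Security'; both are exposure findings, so presumably they should agree. extra79's body is outside the hunk.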
@@ -19,6 +19,10 @@ CHECK_SEVERITY_extra790="Medium" CHECK_ASFF_RESOURCE_TYPE_extra790="AwsEc2Vpc" CHECK_ALTERNATE_extra790="extra790" CHECK_SERVICENAME_extra790="vpc" +CHECK_RISK_extra790='Account VPC could be linked to other accounts.' +CHECK_REMEDIATION_extra790='In multi Account environments identify untrusted links. Check trust chaining and dependencies between accounts.' +CHECK_DOC_extra790='https://github.com/toniblyx/prowler/#trust-boundaries-checks' +CHECK_CAF_EPIC_extra790='Infrastructure Security' extra790(){ TRUSTED_ACCOUNT_IDS=$( echo "${ACCOUNT_NUM} ${GROUP_TRUSTBOUNDARIES_TRUSTED_ACCOUNT_IDS}" | xargs ) diff --git a/checks/check_extra791 b/checks/check_extra791 index a6ca4f9d..06b5784e 100644 --- a/checks/check_extra791 +++ b/checks/check_extra791 @@ -18,6 +18,10 @@ CHECK_SEVERITY_extra791="Medium" CHECK_ASFF_RESOURCE_TYPE_extra791="AwsCloudFrontDistribution" CHECK_ALTERNATE_check791="extra791" CHECK_SERVICENAME_extra791="cloudfront" +CHECK_RISK_extra791='Using insecure ciphers could affect privacy of in transit information.' +CHECK_REMEDIATION_extra791='Use a Security policy with a ciphers that are stronger as possible. Drop legacy and unsecure ciphers.' +CHECK_DOC_extra791='https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html' +CHECK_CAF_EPIC_extra791='Data Protection' extra791(){ LIST_OF_DISTRIBUTIONS=$($AWSCLI cloudfront list-distributions --query 'DistributionList.Items[*].Id' $PROFILE_OPT --output text|grep -v ^None) diff --git a/checks/check_extra792 b/checks/check_extra792 index 23f0d03d..df64d8b6 100644 --- a/checks/check_extra792 +++ b/checks/check_extra792 
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra792="AwsElbLoadBalancer" CHECK_ALTERNATE_check792="extra792" CHECK_ASFF_COMPLIANCE_TYPE_extra792="ens-mp.com.2.aws.elb.2" CHECK_SERVICENAME_extra792="elb" +CHECK_RISK_extra792='Using insecure ciphers could affect privacy of in transit information.' +CHECK_REMEDIATION_extra792='Use a Security policy with a ciphers that are stronger as possible. Drop legacy and unsecure ciphers.' +CHECK_DOC_extra792='https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-ssl-security-policy.html' +CHECK_CAF_EPIC_extra792='Data Protection' extra792(){ # "Check if Elastic Load Balancers have insecure SSL ciphers (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra793 b/checks/check_extra793 index 7ffc6df6..dac5bf98 100644 --- a/checks/check_extra793 +++ b/checks/check_extra793 @@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra793="AwsElbLoadBalancer" CHECK_ALTERNATE_check793="extra793" CHECK_ASFF_COMPLIANCE_TYPE_extra793="ens-mp.com.2.aws.elb.1" CHECK_SERVICENAME_extra793="elb" +CHECK_RISK_extra793='Clear text communication could affect privacy of information in transit.' +CHECK_REMEDIATION_extra793='Scan for Load Balancers with HTTP or TCP listeners and understand the reason for each of them. Check if the listener can be implemented as TLS instead.' +CHECK_DOC_extra793='https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html' +CHECK_CAF_EPIC_extra793='Data Protection' extra793(){ # "Check if Elastic Load Balancers have encrypted listeners (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra794 b/checks/check_extra794 index fd763765..1e424237 100644 --- a/checks/check_extra794 +++ b/checks/check_extra794 
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra794="Medium" CHECK_ASFF_RESOURCE_TYPE_extra794="AwsEksCluster" CHECK_ALTERNATE_check794="extra794" CHECK_SERVICENAME_extra794="eks" +CHECK_RISK_extra794='If logs are not enabled; monitoring of service use and threat analysis is not possible.' +CHECK_REMEDIATION_extra794='Make sure you logging for EKS control plane is enabled.' +CHECK_DOC_extra794='https://docs.aws.amazon.com/eks/latest/userguide/logging-monitoring.html' +CHECK_CAF_EPIC_extra794='Logging and Monitoring' extra794(){ textInfo "Looking for control plane logging enabled for EKS clusters across all regions... " diff --git a/checks/check_extra795 b/checks/check_extra795 index 4196456e..698f0d8c 100644 --- a/checks/check_extra795 +++ b/checks/check_extra795 @@ -18,6 +18,10 @@ CHECK_SEVERITY_extra795="High" CHECK_ASFF_RESOURCE_TYPE_extra795="AwsEksCluster" CHECK_ALTERNATE_check795="extra795" CHECK_SERVICENAME_extra795="eks" +CHECK_RISK_extra795='Publicly accessible services could expose sensible data to bad actors.' +CHECK_REMEDIATION_extra795='Enable private access to the Kubernetes API server so that all communication between your nodes and the API server stays within your VPC. Disable internet access to the API server.' +CHECK_DOC_extra795='https://docs.aws.amazon.com/eks/latest/userguide/infrastructure-security.html' +CHECK_CAF_EPIC_extra795='Infrastructure Security' extra795(){ textInfo "Looking for public access enabled for EKS clusters across all regions... " diff --git a/checks/check_extra796 b/checks/check_extra796 index d4134b35..e69040a9 100644 --- a/checks/check_extra796 +++ b/checks/check_extra796 
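Review bot: The extra794 remediation text is ungrammatical, `'Make sure you logging for EKS control plane is enabled.'`; `'Make sure control plane logging is enabled for every EKS cluster.'` is what it is trying to say. In the next hunk the extra797 remediation string starts with a stray leading space, `' Setup your own ...'`, which will be carried verbatim into the CSV and HTML cells.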
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra796="High" CHECK_ASFF_RESOURCE_TYPE_extra796="AwsEksCluster" CHECK_ALTERNATE_check796="extra796" CHECK_SERVICENAME_extra796="eks" +CHECK_RISK_extra796='By default; this API server endpoint is public to the internet; and access to the API server is secured using a combination of AWS Identity and Access Management (IAM) and native Kubernetes Role Based Access Control (RBAC).' +CHECK_REMEDIATION_extra796='You should enable private access to the Kubernetes API server so that all communication between your nodes and the API server stays within your VPC. You can limit the IP addresses that can access your API server from the internet; or completely disable internet access to the API server.' +CHECK_DOC_extra796='https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html' +CHECK_CAF_EPIC_extra796='Infrastructure Security' extra796(){ textInfo "Looking for public access CIDRs for EKS clusters across all regions... " diff --git a/checks/check_extra797 b/checks/check_extra797 index cafe95b4..13a16727 100644 --- a/checks/check_extra797 +++ b/checks/check_extra797 @@ -18,6 +18,10 @@ CHECK_SEVERITY_extra797="Medium" CHECK_ASFF_RESOURCE_TYPE_extra797="AwsEksCluster" CHECK_ALTERNATE_check797="extra797" CHECK_SERVICENAME_extra797="eks" +CHECK_RISK_extra797='Implementing envelope encryption is considered a security best practice for applications that store sensitive data and is part of a defense in depth security strategy.' +CHECK_REMEDIATION_extra797=' Setup your own Customer Master Key (CMK) in KMS and link this key by providing the CMK ARN when you create an EKS cluster.' +CHECK_DOC_extra797='https://docs.aws.amazon.com/eks/latest/userguide/create-cluster.html' +CHECK_CAF_EPIC_extra797='Data Protection' extra797(){ textInfo "Looking for encryption config for EKS clusters across all regions... " diff --git a/checks/check_extra798 b/checks/check_extra798 index 136c85e5..ddbfe8fa 100644 --- a/checks/check_extra798 
+++ b/checks/check_extra798 @@ -19,6 +19,10 @@ CHECK_SEVERITY_extra798="Critical" CHECK_ASFF_RESOURCE_TYPE_extra798="AwsLambdaFunction" CHECK_ALTERNATE_check798="extra798" CHECK_SERVICENAME_extra798="lambda" +CHECK_RISK_extra798='Publicly accessible services could expose sensible data to bad actors.' +CHECK_REMEDIATION_extra798='Grant usage permission on a per-resource basis and applying least privilege principle.' +CHECK_DOC_extra798='https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html' +CHECK_CAF_EPIC_extra798='Infrastructure Security' extra798(){ for regx in $REGIONS; do diff --git a/checks/check_extra799 b/checks/check_extra799 index 75a391ec..c028df95 100644 --- a/checks/check_extra799 +++ b/checks/check_extra799 @@ -19,6 +19,10 @@ CHECK_SEVERITY_extra799="High" CHECK_ASFF_RESOURCE_TYPE_extra799="AwsSecurityHubHub" CHECK_ALTERNATE_check799="extra799" CHECK_SERVICENAME_extra799="securityhub" +CHECK_RISK_extra799='AWS Security Hub gives you a comprehensive view of your security alerts and security posture across your AWS accounts.' +CHECK_REMEDIATION_extra799='Security Hub is Regional. When you enable or disable a security standard; it is enabled or disabled only in the current Region or in the Region that you specify.' +CHECK_DOC_extra799='https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable.html' +CHECK_CAF_EPIC_extra799='Logging and Monitoring' extra799(){ for regx in $REGIONS; do diff --git a/include/assume_role b/include/assume_role index 2921563f..fd4e779d 100644 --- a/include/assume_role +++ b/include/assume_role 
@@ -70,7 +70,7 @@ assume_role(){ export AWS_ACCESS_KEY_ID=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.AccessKeyId') export AWS_SECRET_ACCESS_KEY=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.SecretAccessKey') export AWS_SESSION_TOKEN=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.SessionToken') - export AWS_SESSION_EXPIRATION=$(convert_date_to_timestamp "$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.Expiration')") + export AWS_SESSION_EXPIRATION=$(convert_date_to_timestamp "$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.Expiration'| sed 's/+00:00//g')") rm -fr $TEMP_STS_ASSUMED_FILE } diff --git a/include/csv_header b/include/csv_header index 2c4c81fc..7a867815 100644 --- a/include/csv_header +++ b/include/csv_header @@ -13,7 +13,8 @@ printCsvHeader() { - >&2 echo "" - >&2 echo "Generating \"${SEP}\" delimited report on stdout for profile $PROFILE, account $ACCOUNT_NUM" - echo "PROFILE${SEP}ACCOUNT_NUM${SEP}REGION${SEP}TITLE_ID${SEP}RESULT${SEP}SCORED${SEP}LEVEL${SEP}TITLE_TEXT${SEP}NOTES${SEP}COMPLIANCE${SEP}SEVERITY${SEP}SERVICENAME" | tee -a $OUTPUT_FILE_NAME.$EXTENSION_CSV + # >&2 echo "" + # >&2 echo "Generating \"${SEP}\" delimited report on stdout for profile $PROFILE, account $ACCOUNT_NUM" + echo "PROFILE${SEP}ACCOUNT_NUM${SEP}REGION${SEP}TITLE_ID${SEP}CHECK_RESULT${SEP}ITEM_SCORED${SEP}ITEM_LEVEL${SEP}TITLE_TEXT${SEP}CHECK_RESULT_EXTENDED${SEP}CHECK_ASFF_COMPLIANCE_TYPE${SEP}CHECK_SEVERITY${SEP}CHECK_SERVICENAME${SEP}CHECK_ASFF_RESOURCE_TYPE${SEP}CHECK_ASFF_TYPE${SEP}CHECK_RISK${SEP}CHECK_REMEDIATION${SEP}CHECK_DOC${SEP}CHECK_CAF_EPIC" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_CSV + # echo "PROFILE${SEP}ACCOUNT_NUM${SEP}REGION${SEP}TITLE_ID${SEP}RESULT${SEP}SCORED${SEP}LEVEL${SEP}TITLE_TEXT${SEP}NOTES${SEP}COMPLIANCE${SEP}SEVERITY${SEP}SERVICENAME" | tee -a $OUTPUT_FILE_NAME.$EXTENSION_CSV } diff --git a/include/html_report b/include/html_report index e2c513f0..42db8626 100644 --- a/include/html_report +++ b/include/html_report 
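Review bot: The added `sed 's/+00:00//g'` only handles an Expiration rendered with a literal `+00:00` suffix; if the CLI in use prints the `Z` form instead, the value reaches `date -j -f %Y-%m-%dT%H:%M:%S` unchanged and, when that parse fails, AWS_SESSION_EXPIRATION is exported empty, which silently degrades the remaining-time check in execute_check. Stripping either UTC marker at end of string, `sed -E 's/(Z|\+00:00)$//'`, covers both outputs. assume_role's body starts outside the hunk, so I cannot see whether the Expiration field is validated anywhere before this line.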
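Review bot: The replaced header and banner lines in printCsvHeader are kept as comments (`# >&2 echo ""`, `# echo "PROFILE${SEP}..."`) rather than deleted; the same pattern appears with the commented-out textTitle/textInfo calls in the getWhoami hunk and the old HTML_LOGO_IMG line in include/outputs. Version control already keeps the previous form, and the dead header line will drift out of sync with the live one. Delete them.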
@@ -31,18 +31,42 @@ addHtmlHeader() { - Prowler - AWS Security Assesments + + + Prowler - AWS Security Assessments
- Report Information + Report Information:
  • @@ -65,10 +89,11 @@ addHtmlHeader() {
-
+ +
- Assesment Summary + Assessment Summary:
  • @@ -88,7 +113,30 @@ addHtmlHeader() {
- * Sortable columns are CheckID (default) and Result +
+
+
+
+ Scoring Information: +
+
    +
  • + Prowler Score: PROWLER_SCORE% +
  • +
  • + Total Resources: TOTAL_RESOURCES +
  • +
  • + Passed: PASS_COUNTER +
  • +
  • + Failed: FAIL_COUNTER +
  • +
  • + Total Checks Executed: CHECKS_COUNTER +
  • +
+
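Review bot: The new header cells use bare words (`PROWLER_SCORE`, `TOTAL_RESOURCES`, `PASS_COUNTER`, `FAIL_COUNTER`, `CHECKS_COUNTER`) as substitution markers that scoring() later rewrites with a file-wide `sed s/…/g`; any finding text that happens to contain one of those words is rewritten as well, and if scoring() does not run the raw tokens are what the reader sees. A marker that cannot occur in finding output, wrapped in characters such as `%%…%%` on both the header and the sed side, removes the first problem; a short comment next to the placeholders, `# replaced by scoring() once all checks have run`, documents the dependency. The HTML markup of this hunk is not preserved in this rendering, so I cannot review the cell structure itself.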
@@ -106,6 +154,10 @@ addHtmlHeader() { CheckID Check Title Check Output + CAF Epic + Risk + Remediation + Link to doc diff --git a/include/os_detector b/include/os_detector index a6667cbe..2c3105aa 100644 --- a/include/os_detector +++ b/include/os_detector @@ -112,13 +112,12 @@ gnu_convert_date_to_timestamp() { # if [ "$OSTYPE" == "linux-musl" ]; then # date -D "%Y-%m-%dT%H:%M:%SZ" -d "$1" +%s # else - date -d "$1" +%s + date -u -d "$1" +%s # fi } bsd_convert_date_to_timestamp() { - echo $(( $(date -j -f %Y-%m-%dT%H:%M:%S "$1" +%s) + 3600 )) - # Change above is because epoch time generator in BSD is 1h less than in Linux ¯\_(ツ)_/¯ + echo $(date -u -j -f %Y-%m-%dT%H:%M:%S "$1" +%s) #date -j -f "%Y-%m-%dT%H:%M:%S" "$1" "+%s" } @@ -139,6 +138,14 @@ bsd_test_tcp_connectivity() { nc -z -G $TIMEOUT $HOST $PORT >/dev/null 2>&1 && echo "200" || echo "000" } +gnu_replace_sed(){ + sed -i $1 $2 +} + +bsd_replace_sed(){ + sed -i '' $1 $2 +} + # Functions to manage dates depending on OS if [ "$OSTYPE" == "linux-gnu" ] || [ "$OSTYPE" == "linux-musl" ]; then TEMP_REPORT_FILE=$(mktemp -t -p /tmp prowler.cred_report-XXXXXX) @@ -171,6 +178,10 @@ if [ "$OSTYPE" == "linux-gnu" ] || [ "$OSTYPE" == "linux-musl" ]; then convert_date_to_timestamp() { gnu_convert_date_to_timestamp "$1" } + replace_sed() { + gnu_replace_sed $1 $2 + } + elif [[ "$OSTYPE" == "darwin"* ]] || [[ "$OSTYPE" == "freebsd"* ]]; then # BSD/OSX commands compatibility TEMP_REPORT_FILE=$(mktemp -t prowler.cred_report-XXXXXX) @@ -244,6 +255,9 @@ elif [[ "$OSTYPE" == "darwin"* ]] || [[ "$OSTYPE" == "freebsd"* ]]; then test_tcp_connectivity() { bsd_test_tcp_connectivity "$1" "$2" "$3" } + replace_sed() { + bsd_replace_sed $1 $2 + } elif [[ "$OSTYPE" == "cygwin" ]]; then # POSIX compatibility layer and Linux environment emulation for Windows TEMP_REPORT_FILE=$(mktemp -t -p /tmp prowler.cred_report-XXXXXX) 
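Review bot: `gnu_replace_sed(){ sed -i $1 $2 }` and `bsd_replace_sed(){ sed -i '' $1 $2 }` pass both the sed program and the target path unquoted, so a report path containing a space or a glob character (OUTPUT_DIR derives from `$(dirname "$0")`) splits into extra arguments and sed edits the wrong file or fails. Quote them, `sed -i "$1" "$2"` and `sed -i '' "$1" "$2"`, and likewise in the three `replace_sed()` wrappers here and in the cygwin hunk below, `gnu_replace_sed "$1" "$2"` / `bsd_replace_sed "$1" "$2"`. Separately, `echo $(date -u -j -f %Y-%m-%dT%H:%M:%S "$1" +%s)` in bsd_convert_date_to_timestamp can simply be `date -u -j -f %Y-%m-%dT%H:%M:%S "$1" +%s`, which also stops word-splitting the result.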
@@ -274,6 +288,9 @@ elif [[ "$OSTYPE" == "cygwin" ]]; then convert_date_to_timestamp() { gnu_convert_date_to_timestamp "$1" } + replace_sed() { + gnu_replace_sed $1 $2 + } else echo "Unknown Operating System! Valid \$OSTYPE: linux-gnu, linux-musl, darwin* or cygwin" echo "Found: $OSTYPE" diff --git a/include/outputs b/include/outputs index 18342128..d9d4fb1c 100644 --- a/include/outputs +++ b/include/outputs 
@@ -19,13 +19,35 @@ EXTENSION_ASFF="asff-json" EXTENSION_TEXT="txt" EXTENSION_HTML="html" OUTPUT_DATE=$(date -u +"%Y%m%d%H%M%S") -OUTPUT_DIR="${PROWLER_DIR}/output" +OUTPUT_DIR="${PROWLER_DIR}/output" # default output if none OUTPUT_FILE_NAME="${OUTPUT_DIR}/prowler-output-${ACCOUNT_NUM}-${OUTPUT_DATE}" HTML_LOGO_URL="https://github.com/toniblyx/prowler/" -HTML_LOGO_IMG="https://raw.githubusercontent.com/toniblyx/prowler/master/util/html/prowler-logo.png" +#HTML_LOGO_IMG="https://raw.githubusercontent.com/toniblyx/prowler/master/util/html/prowler-logo.png" +HTML_LOGO_IMG="https://github.com/toniblyx/prowler/raw/2.4/util/html/prowler-logo-new.png" TIMESTAMP=$(get_iso8601_timestamp) PROWLER_PARAMETERS=$@ +# Available parameters for outputs formats (implemented this in CSV from v2.4): + +# $PROFILE profile used to run Prowler (--profile in AWS CLI) +# $ACCOUNT_NUM AWS Account ID +# $REPREGION AWS region scanned +# $TITLE_ID Numeric identifier of each check (1.2, 2.3, etc), originally based on CIS checks. +# $CHECK_RESULT values can be PASS, FAIL, INFO or WARNING if whitelisted +# $ITEM_SCORED corresponds to CHECK_SCORED, values can be Scored/Not Scored. This is CIS only, will be deprecated in Prowler. +# $ITEM_LEVEL corresponds to CHECK_TYPE_ currently only for CIS Level 1, CIS Level 2 and Extras (all checks not part of CIS) +# $TITLE_TEXT corresponds to CHECK_TITLE_ shows title of each check +# $CHECK_RESULT_EXTENDED shows response of each check per resource like sg-123438 is open! 
+# $CHECK_ASFF_COMPLIANCE_TYPE specify type from taxonomy https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format-type-taxonomy.html +# $CHECK_SEVERITY severity Low, Medium, High, Critical +# $CHECK_SERVICENAME AWS service name short name +# $CHECK_ASFF_RESOURCE_TYPE values from https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html#asff-resources +# $CHECK_ASFF_TYPE generic type from taxonomy here https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format-type-taxonomy.html +# $CHECK_RISK text about risk +# $CHECK_REMEDIATION text about remediation +# $CHECK_DOC link to related documentation +# $CHECK_CAF_EPIC it can be Logging and Monitoring, IAM, Data Protection, Infrastructure Security. Incident Response is not included since CAF has not specific checks on it logs enablement are part of Logging and Monitoring. + # Ensure that output directory always exists when -M is used if [[ $MODE ]];then mkdir -p "${OUTPUT_DIR}" @@ -40,6 +62,9 @@ if [[ $PROFILE == "" ]];then fi textPass(){ + CHECK_RESULT="PASS" + CHECK_RESULT_EXTENDED="$1" + if [[ "$QUIET" == 1 ]]; then return fi 
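Review bot: The last line of the new parameter comment block is garbled and hard to follow: `# $CHECK_CAF_EPIC it can be ... Incident Response is not included since CAF has not specific checks on it logs enablement are part of Logging and Monitoring.` A clearer form is `# $CHECK_CAF_EPIC one of: Logging and Monitoring, IAM, Data Protection, Infrastructure Security. Incident Response is not included because CAF has no specific checks for it; log enablement falls under Logging and Monitoring.` The new HTML_LOGO_IMG URL points at a mutable `2.4` branch path, as the previous one pointed at master, so the report still fetches an unpinned image from GitHub when opened; a tagged or commit-pinned URL would keep the rendered report stable.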
@@ -51,7 +76,7 @@ textPass(){ REPREGION=$REGION fi if [[ "${MODES[@]}" =~ "csv" ]]; then - echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}PASS${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$1${SEP}$ASFF_COMPLIANCE_TYPE${SEP}$CHECK_SEVERITY${SEP}$CHECK_SERVICENAME" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_CSV + echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}$CHECK_RESULT${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$CHECK_RESULT_EXTENDED${SEP}$CHECK_ASFF_COMPLIANCE_TYPE${SEP}$CHECK_SEVERITY${SEP}$CHECK_SERVICENAME${SEP}$CHECK_ASFF_RESOURCE_TYPE${SEP}$CHECK_ASFF_TYPE${SEP}$CHECK_RISK${SEP}$CHECK_REMEDIATION${SEP}$CHECK_DOC${SEP}$CHECK_CAF_EPIC" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_CSV fi if [[ "${MODES[@]}" =~ "json" ]]; then generateJsonOutput "$1" "Pass" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_JSON @@ -78,6 +103,9 @@ textPass(){ } textInfo(){ + CHECK_RESULT="INFO" + CHECK_RESULT_EXTENDED="$1" + if [[ "$QUIET" == 1 ]]; then return fi @@ -88,7 +116,7 @@ textInfo(){ REPREGION=$REGION fi if [[ "${MODES[@]}" =~ "csv" ]]; then - echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}INFO${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$1${SEP}$ASFF_COMPLIANCE_TYPE${SEP}$CHECK_SEVERITY${SEP}$CHECK_SERVICENAME" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_CSV} + echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}$CHECK_RESULT${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$CHECK_RESULT_EXTENDED${SEP}$CHECK_ASFF_COMPLIANCE_TYPE${SEP}$CHECK_SEVERITY${SEP}$CHECK_SERVICENAME${SEP}$CHECK_ASFF_RESOURCE_TYPE${SEP}$CHECK_ASFF_TYPE${SEP}$CHECK_RISK${SEP}$CHECK_REMEDIATION${SEP}$CHECK_DOC${SEP}$CHECK_CAF_EPIC" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_CSV fi if [[ "${MODES[@]}" =~ "json" ]]; then generateJsonOutput "$1" "Info" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_JSON} 
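Review bot: The rewritten CSV line writes every field unquoted, and the new columns add free text (`$CHECK_RISK`, `$CHECK_REMEDIATION`) next to the already free-form `$TITLE_TEXT` and `$CHECK_RESULT_EXTENDED`, which carries resource names and AWS error messages from `$1`; any occurrence of `$SEP` in those values shifts every following column. The same line is duplicated in the textInfo hunk here and the textFail hunk below. Quote the free-text fields RFC 4180 style (wrap in double quotes, double embedded quotes), or at minimum strip the separator from them before writing, e.g. `"${CHECK_RESULT_EXTENDED//$SEP/ }"`.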
@@ -133,6 +161,9 @@ textFail(){ EXITCODE=3 fi + CHECK_RESULT=$level + CHECK_RESULT_EXTENDED="$1" + if [[ $2 ]]; then REPREGION=$2 else @@ -140,7 +171,7 @@ textFail(){ fi if [[ "${MODES[@]}" =~ "csv" ]]; then - echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}${level}${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$1${SEP}$ASFF_COMPLIANCE_TYPE${SEP}$CHECK_SEVERITY${SEP}$CHECK_SERVICENAME" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_CSV} + echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}$CHECK_RESULT${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$CHECK_RESULT_EXTENDED${SEP}$CHECK_ASFF_COMPLIANCE_TYPE${SEP}$CHECK_SEVERITY${SEP}$CHECK_SERVICENAME${SEP}$CHECK_ASFF_RESOURCE_TYPE${SEP}$CHECK_ASFF_TYPE${SEP}$CHECK_RISK${SEP}$CHECK_REMEDIATION${SEP}$CHECK_DOC${SEP}$CHECK_CAF_EPIC" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_CSV fi if [[ "${MODES[@]}" =~ "json" ]]; then generateJsonOutput "$1" "${level}" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_JSON} @@ -206,7 +237,7 @@ textTitle(){ fi if [[ "${MODES[@]}" =~ "csv" ]]; then - >&2 echo "$TITLE_ID $TITLE_TEXT" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_CSV} + >&2 echo "$TITLE_ID $TITLE_TEXT" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_CSV} elif [[ "${MODES[@]}" =~ "json" || "${MODES[@]}" =~ "json-asff" ]]; then : else @@ -232,7 +263,7 @@ generateJsonOutput(){ --arg ITEM_LEVEL "$ITEM_LEVEL" \ --arg TITLE_ID "$TITLE_ID" \ --arg REPREGION "$REPREGION" \ - --arg TYPE "$ASFF_COMPLIANCE_TYPE" \ + --arg TYPE "$CHECK_ASFF_COMPLIANCE_TYPE" \ --arg TIMESTAMP "$(get_iso8601_timestamp)" \ --arg SERVICENAME "$CHECK_SERVICENAME" \ -n '{ 
@@ -270,8 +301,8 @@ generateJsonAsffOutput(){ --arg SEVERITY "$(echo $CHECK_SEVERITY| awk '{ print toupper($0) }')" \ --arg TITLE_ID "$TITLE_ID" \ --arg CHECK_ID "$CHECK_ID" \ - --arg TYPE "$ASFF_COMPLIANCE_TYPE" \ - --arg COMPLIANCE_RELATED_REQUIREMENTS "$ASFF_COMPLIANCE_TYPE" \ + --arg TYPE "$CHECK_ASFF_COMPLIANCE_TYPE" \ + --arg COMPLIANCE_RELATED_REQUIREMENTS "$CHECK_ASFF_COMPLIANCE_TYPE" \ --arg RESOURCE_TYPE "$ASFF_RESOURCE_TYPE" \ --arg REPREGION "$REPREGION" \ --arg TIMESTAMP "$(get_iso8601_timestamp)" \ @@ -324,11 +355,15 @@ generateHtmlOutput(){ echo ''$CHECK_SEVERITY'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$ACCOUNT_NUM'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$REPREGION'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML - echo ''$ASFF_COMPLIANCE_TYPE'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo ''$CHECK_ASFF_COMPLIANCE_TYPE'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$CHECK_SERVICENAME'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$TITLE_ID'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$TITLE_TEXT'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$message'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo ''$CHECK_CAF_EPIC'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo '
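Review bot: The unchanged context line `--arg RESOURCE_TYPE "$ASFF_RESOURCE_TYPE" \` still reads the old variable, while the prowler hunks below remove the `ASFF_RESOURCE_TYPE=` assignment from execute_check and introduce `CHECK_ASFF_RESOURCE_TYPE` in its place; unless ASFF_RESOURCE_TYPE is still set somewhere outside this diff, every ASFF finding is now emitted with an empty Resources[].Type, which Security Hub is likely to reject on import. Change it to `--arg RESOURCE_TYPE "$CHECK_ASFF_RESOURCE_TYPE" \`, and grep the tree for any other reader of `$ASFF_RESOURCE_TYPE` or `$ASFF_TYPE` that the rename left behind.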

'$CHECK_RISK'

' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo '

'$CHECK_REMEDIATION'

' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo ''$CHECK_DOC'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo '' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML fi if [[ $status == "PASS" ]];then @@ -338,11 +373,15 @@ generateHtmlOutput(){ echo ''$CHECK_SEVERITY'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$ACCOUNT_NUM'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$REPREGION'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML - echo ''$ASFF_COMPLIANCE_TYPE'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo ''$CHECK_ASFF_COMPLIANCE_TYPE'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$CHECK_SERVICENAME'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$TITLE_ID'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$TITLE_TEXT'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$message'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo ''$CHECK_CAF_EPIC'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo '
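Review bot: The added cells expand `$CHECK_RISK`, `$CHECK_REMEDIATION` and `$CHECK_DOC` outside any quotes (the `''$CHECK_RISK''` pattern), so bash word-splits the text, collapsing runs of whitespace, and glob-expands any `*` or `?` in it against the current directory before echo sees it; the same pattern recurs in the PASS, FAIL and WARNING branches in the three hunks that follow. Double-quote the expansions, `"$CHECK_RISK"`, in all four places. The four branches now each carry the same fourteen echo lines, differing only in the row class; a single helper that takes the class as its argument would make the next column a one-line change. The HTML markup of these hunks is not preserved in this rendering, so the tag structure itself could not be reviewed.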

'$CHECK_RISK'

' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo '

'$CHECK_REMEDIATION'

' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo ''$CHECK_DOC'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo '' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML fi if [[ $status == "FAIL" ]];then @@ -352,11 +391,15 @@ generateHtmlOutput(){ echo ''$CHECK_SEVERITY'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$ACCOUNT_NUM'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$REPREGION'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML - echo ''$ASFF_COMPLIANCE_TYPE'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo ''$CHECK_ASFF_COMPLIANCE_TYPE'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$CHECK_SERVICENAME'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$TITLE_ID'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$TITLE_TEXT'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$message'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo ''$CHECK_CAF_EPIC'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo '

'$CHECK_RISK'

' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo '

'$CHECK_REMEDIATION'

' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo ''$CHECK_DOC'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo '' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML fi if [[ $status == "WARNING" ]];then @@ -366,11 +409,15 @@ generateHtmlOutput(){ echo ''$CHECK_SEVERITY'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$ACCOUNT_NUM'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$REPREGION'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML - echo ''$ASFF_COMPLIANCE_TYPE'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo ''$CHECK_ASFF_COMPLIANCE_TYPE'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$CHECK_SERVICENAME'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$TITLE_ID'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$TITLE_TEXT'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$message'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo ''$CHECK_CAF_EPIC'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo '

'$CHECK_RISK'

' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo '

'$CHECK_REMEDIATION'

' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo ''$CHECK_DOC'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''>> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML fi } \ No newline at end of file diff --git a/include/scoring b/include/scoring index a46b4d77..b6fc7f08 100644 --- a/include/scoring +++ b/include/scoring @@ -13,19 +13,19 @@ # Scoring POC scoring(){ + if [[ ! $PASS_COUNTER ]]; then + PASS_COUNTER=0 + fi + if [[ ! $FAIL_COUNTER ]]; then + FAIL_COUNTER=0 + fi + + # TOTAL_RESOURCES=$(awk "BEGIN {print $FAIL_COUNTER+$PASS_COUNTER; exit}") + TOTAL_RESOURCES=$(($FAIL_COUNTER + $PASS_COUNTER)) + # Score is % of passed compared to failures. The higher score, the better + PROWLER_SCORE=$(( $PASS_COUNTER * 100 / $TOTAL_RESOURCES )) + if [[ $SCORING == "1" ]]; then - if [[ ! $PASS_COUNTER ]]; then - PASS_COUNTER=0 - fi - if [[ ! $FAIL_COUNTER ]]; then - FAIL_COUNTER=0 - fi - - # TOTAL_RESOURCES=$(awk "BEGIN {print $FAIL_COUNTER+$PASS_COUNTER; exit}") - TOTAL_RESOURCES=$(($FAIL_COUNTER + $PASS_COUNTER)) - # Score is % of passed compared to failures. The higher score, the better - PROWLER_SCORE=$(( $PASS_COUNTER * 100 / $TOTAL_RESOURCES )) - echo -e "$BLUE------------------------------------------------------------------ $NORMAL" echo -e "$CYAN _" echo -e " _ __ _ __ _____ _| | ___ _ __" 
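Review bot: Moving `PROWLER_SCORE=$(( $PASS_COUNTER * 100 / $TOTAL_RESOURCES ))` out of the `if [[ $SCORING == "1" ]]` guard means it now runs on every call to scoring(), and when no check produced a PASS or FAIL (quiet run, early abort, a listing mode that still reaches scoring) TOTAL_RESOURCES is 0 and bash aborts with a division-by-zero error before the HTML placeholders in the next hunk are substituted. Guard the division and default the score, as below. The counters themselves are only known to be set here by the preceding `if [[ ! $PASS_COUNTER ]]` defaults, so the guard belongs right after them.
```shell
  TOTAL_RESOURCES=$(( FAIL_COUNTER + PASS_COUNTER ))
  # Score is % of passed compared to failures; guard the division when nothing was evaluated.
  if (( TOTAL_RESOURCES > 0 )); then
    PROWLER_SCORE=$(( PASS_COUNTER * 100 / TOTAL_RESOURCES ))
  else
    PROWLER_SCORE=0
  fi
  # … unchanged: SCORING banner and html placeholder replacement …
```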
@@ -49,5 +49,12 @@ scoring(){ echo -e "$BLUE------------------------------------------------------------------ $NORMAL" echo -e " * the highest the better (0 to 100)$NORMAL" echo -e " Prowler scoring uses any check, including CIS not scored checks$NORMAL" + fi + if [[ "${MODES[@]}" =~ "html" ]]; then + replace_sed 's/PROWLER_SCORE/'$PROWLER_SCORE'/g' ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + replace_sed 's/PASS_COUNTER/'$PASS_COUNTER'/g' ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + replace_sed 's/TOTAL_RESOURCES/'$TOTAL_RESOURCES'/g' ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + replace_sed 's/FAIL_COUNTER/'$FAIL_COUNTER'/g' ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + replace_sed 's/CHECKS_COUNTER/'$CHECKS_COUNTER'/g' ${OUTPUT_FILE_NAME}.$EXTENSION_HTML fi } diff --git a/include/whoami b/include/whoami index e7c237ca..a2fa3ce2 100644 --- a/include/whoami +++ b/include/whoami @@ -29,9 +29,8 @@ case "$REGION" in ;; esac -GETCALLER=$($AWSCLI sts get-caller-identity $PROFILE_OPT --region $REGION_FOR_STS) -RESULT_CALL=$? -if [[ $RESULT_CALL == 254 ]]; then +GETCALLER=$($AWSCLI sts get-caller-identity $PROFILE_OPT --region $REGION_FOR_STS 2>&1) +if [[ $(echo "$GETCALLER" | grep 'Unable') ]]; then if [[ $PRINTCHECKSONLY || $PRINTGROUPSONLY ]]; then echo Listing... else @@ -45,11 +44,11 @@ fi if [[ $ACCOUNT_TO_ASSUME ]]; then ACCOUNT_NUM=$ACCOUNT_TO_ASSUME else - ACCOUNT_NUM=$(echo $GETCALLER | jq -r '.Account') + ACCOUNT_NUM=$(echo $GETCALLER | jq -r '.Account' 2>&1) fi -CALLER_ARN=$(echo $GETCALLER | jq -r '.Arn') -USER_ID=$(echo $GETCALLER | jq -r '.UserId') +CALLER_ARN=$(echo $GETCALLER | jq -r '.Arn' 2>&1) +USER_ID=$(echo $GETCALLER | jq -r '.UserId' 2>&1) AWS_PARTITION=$(echo $CALLER_ARN| cut -d: -f2) getWhoami(){ 
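Review bot: Replacing the `$?` check with `[[ $(echo "$GETCALLER" | grep 'Unable') ]]` detects only failures whose message contains the word "Unable"; an expired or invalid token, an access-denied response or a network timeout falls through, and because stderr is now merged into GETCALLER and the `jq` calls below also carry `2>&1`, jq's parse error text lands in ACCOUNT_NUM, CALLER_ARN and USER_ID, from where it reaches the output file name and the findings. Keep the exit status as the signal: `GETCALLER=$($AWSCLI sts get-caller-identity $PROFILE_OPT --region $REGION_FOR_STS 2>&1)`, `RESULT_CALL=$?`, `if [[ $RESULT_CALL -ne 0 ]]; then`, and drop the `2>&1` from the three jq lines so a broken value cannot masquerade as an account id.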
@@ -63,8 +62,8 @@ getWhoami(){ exit $EXITCODE fi printCsvHeader - textTitle "0.0" "Show report generation info" "NOT_SCORED" "SUPPORT" - textInfo "ARN: $CALLER_ARN TIMESTAMP: $SCRIPT_START_TIME" + # textTitle "0.0" "Show report generation info" "NOT_SCORED" "SUPPORT" + # textInfo "ARN: $CALLER_ARN TIMESTAMP: $SCRIPT_START_TIME" elif [[ "$MODE" == "json" || "$MODE" == "json-asff" ]]; then : else diff --git a/prowler b/prowler index b31a8d2f..8d129916 100755 --- a/prowler +++ b/prowler @@ -32,7 +32,7 @@ OPTRED="" OPTNORMAL="" # Set the defaults variables -PROWLER_VERSION=2.3.0-22012021 +PROWLER_VERSION=2.4.0-07042021 PROWLER_DIR=$(dirname "$0") REGION="" @@ -254,14 +254,6 @@ unset AWS_DEFAULT_OUTPUT . $PROWLER_DIR/include/securityhub_integration . $PROWLER_DIR/include/junit_integration -# Get list of regions based on include/whoami -REGIONS=$($AWSCLI ec2 describe-regions --query 'Regions[].RegionName' --output text $PROFILE_OPT --region $REGION_FOR_STS --region-names $FILTERREGION 2>&1) -if [[ $(echo "$REGIONS" | grep AccessDenied) ]]; then - echo "Access Denied trying to describe regions" - EXITCODE=1 - exit $EXITCODE -fi - # Pre-process whitelist file if supplied if [[ -n "$WHITELIST_FILE" ]]; then # ignore lines starting with # (comments) 
@@ -299,6 +291,17 @@ done # 6th character is the section number, 7th character onwards is the individual ID (e.g. check110 = check 1 10) TOTAL_CHECKS=($(echo "${TOTAL_CHECKS[*]}" | tr ' ' '\n' | awk '!seen[$0]++' | sort -k 1.6,1.6n -k 1.7n)) +# Function to get all regions +get_regions() { + # Get list of regions based on include/whoami + REGIONS=$($AWSCLI ec2 describe-regions --query 'Regions[].RegionName' --output text $PROFILE_OPT --region $REGION_FOR_STS --region-names $FILTERREGION 2>&1) + if [[ $(echo "$REGIONS" | grep 'AccessDenied\|UnauthorizedOperation') ]]; then + echo "$OPTRED Access Denied trying to describe regions! Review permissions as described here: https://github.com/toniblyx/prowler/#requirements-and-installation $OPTNORMAL" + EXITCODE=1 + exit $EXITCODE + fi +} + # Function to show the title of the check, and optionally which group(s) it belongs to # using this way instead of arrays to keep bash3 (osx) and bash4(linux) compatibility show_check_title() { @@ -339,11 +342,14 @@ show_group_title() { # Function to execute the check execute_check() { + if [[ $ACCOUNT_TO_ASSUME ]]; then - MINIMUM_REMAINING_TIME_ALLOWED=$(($SESSION_DURATION_TO_ASSUME / 10 )) + # Following logic looks for time remaining in the session and review it + # if it is less than 600 seconds, 10 minutes. CURRENT_TIMESTAMP=$(date -u "+%s") - SESSION_CUTOFF=$(($CURRENT_TIMESTAMP + $MINIMUM_REMAINING_TIME_ALLOWED)) - if [[ $AWS_SESSION_EXPIRATION < $SESSION_CUTOFF ]]; then + SESSION_TIME_REMAINING=$(expr $AWS_SESSION_EXPIRATION - $CURRENT_TIMESTAMP) + MINIMUM_REMAINING_TIME_ALLOWED="600" + if [[ $MINIMUM_REMAINING_TIME_ALLOWED > $SESSION_TIME_REMAINING ]]; then unset AWS_ACCESS_KEY_ID unset AWS_SECRET_ACCESS_KEY unset AWS_SESSION_TOKEN 
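Review bot: `grep 'AccessDenied\|UnauthorizedOperation'` relies on the GNU extension `\|` for alternation in a basic regex; darwin and freebsd are supported OSTYPE values in include/os_detector, and BSD grep does not promise that syntax. `if echo "$REGIONS" | grep -qE 'AccessDenied|UnauthorizedOperation'; then` is portable and avoids the `[[ $(…) ]]` test on captured output. The error message is printed to stdout, where it mixes with report output under `-M`; send it to stderr with `>&2` before exiting.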
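Review bot: `if [[ $MINIMUM_REMAINING_TIME_ALLOWED > $SESSION_TIME_REMAINING ]]` is a string comparison inside `[[ ]]`, not a numeric one; the old code got away with that because it compared two epoch timestamps of equal width, but `"600"` against a variable-width remaining time sorts lexically, so with 3500 seconds left `"600" > "3500"` is true and the role is re-assumed on every check, while with 70 seconds left `"600" > "70"` is false and the session is allowed to expire. Use arithmetic throughout: `SESSION_TIME_REMAINING=$(( AWS_SESSION_EXPIRATION - CURRENT_TIMESTAMP ))` and `if (( SESSION_TIME_REMAINING < MINIMUM_REMAINING_TIME_ALLOWED )); then`, which also drops the deprecated `expr`. execute_check continues outside the hunk, so the re-assume branch that follows the `unset` lines was not reviewed here.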
@@ -351,15 +357,24 @@ execute_check() { fi fi + CHECK_ID="$1" + # See if this is an alternate name for a check # for example, we might have been passed 1.01 which is another name for 1.1 local alternate_name_var=CHECK_ALTERNATE_$1 local alternate_name=${!alternate_name_var} # See if this check defines an ASFF Type, if so, use this, falling back to a sane default - # For a list of Types, see: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html#securityhub-findings-format-type-taxonomy + # For a list of Types Taxonomy, see: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format-type-taxonomy.html local asff_type_var=CHECK_ASFF_TYPE_$1 - local asff_compliance_type_var=CHECK_ASFF_COMPLIANCE_TYPE_$1 + CHECK_ASFF_TYPE="${!asff_type_var:-Software and Configuration Checks}" + local asff_compliance_type_var=CHECK_ASFF_COMPLIANCE_TYPE_$1 + CHECK_ASFF_COMPLIANCE_TYPE="${!asff_compliance_type_var:-Software and Configuration Checks}" + + # See if this check defines an ASFF Resource Type, if so, use this, falling back to a sane default + # For a list of Resource Types, see: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html#asff-resources + local asff_resource_type_var=CHECK_ASFF_RESOURCE_TYPE_$1 + CHECK_ASFF_RESOURCE_TYPE="${!asff_resource_type_var:-AwsAccount}" local severity_var=CHECK_SEVERITY_$1 CHECK_SEVERITY="${!severity_var}" 
@@ -367,15 +382,17 @@ execute_check() { local servicename_var=CHECK_SERVICENAME_$1 CHECK_SERVICENAME="${!servicename_var}" - CHECK_ID="$1" + local risk_var=CHECK_RISK_$1 + CHECK_RISK="${!risk_var}" - ASFF_TYPE="${!asff_type_var:-Software and Configuration Checks}" - ASFF_COMPLIANCE_TYPE="${!asff_compliance_type_var:-Software and Configuration Checks}" - # See if this check defines an ASFF Resource Type, if so, use this, falling back to a sane default - # For a list of Resource Types, see: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html#asff-resources - local asff_resource_type_var=CHECK_ASFF_RESOURCE_TYPE_$1 + local remediation_var=CHECK_REMEDIATION_$1 + CHECK_REMEDIATION="${!remediation_var}" - ASFF_RESOURCE_TYPE="${!asff_resource_type_var:-AwsAccount}" + local doc_var=CHECK_DOC_$1 + CHECK_DOC="${!doc_var}" + + local caf_epic_var=CHECK_CAF_EPIC_$1 + CHECK_CAF_EPIC="${!caf_epic_var}" SECURITYHUB_NEW_FINDINGS_IDS=() @@ -577,6 +594,9 @@ if [[ $ACCOUNT_TO_ASSUME ]]; then assume_role fi +# List regions +get_regions + # Execute group of checks if called with -g if [[ $GROUP_ID_READ ]];then if [[ " ${GROUP_ID[@]} " =~ " ${GROUP_ID_READ} " ]]; then diff --git a/util/html/prowler-logo-new.png b/util/html/prowler-logo-new.png new file mode 100644 index 00000000..71c9e56f Binary files /dev/null and b/util/html/prowler-logo-new.png differ