mirror of
https://github.com/ghndrx/prowler.git
synced 2026-02-10 14:55:00 +00:00
Toni de la Fuente
39
README.md
39
README.md
@@ -1,4 +1,8 @@
|
||||
# Prowler AWS Security Tool
|
||||
<p align="center">
|
||||
<img src="https://user-images.githubusercontent.com/3985464/113734260-7ba06900-96fb-11eb-82bc-d4f68a1e2710.png" />
|
||||
</p>
|
||||
|
||||
# Prowler - AWS Security Tool
|
||||
|
||||
## Table of Contents
|
||||
|
||||
@@ -27,7 +31,7 @@
|
||||
|
||||
## Description
|
||||
|
||||
Prowler is a command line tool for AWS Security Best Practices Assessment, Auditing, Hardening and Forensics Readiness Tool.
|
||||
Prowler is a command line tool that helps you with AWS security assessment, auditing, hardening and incident response.
|
||||
|
||||
It follows guidelines of the CIS Amazon Web Services Foundations Benchmark (49 checks) and has more than 100 additional checks including related to GDPR, HIPAA, PCI-DSS, ISO-27001, FFIEC, SOC2 and others.
|
||||
|
||||
@@ -49,22 +53,18 @@ Read more about [CIS Amazon Web Services Foundations Benchmark v1.2.0 - 05-23-20
|
||||
- HIPAA [hipaa] Read more [here](#hipaa-checks)
|
||||
- Trust Boundaries [trustboundaries] Read more [here](#trust-boundaries-checks)
|
||||
- Secrets
|
||||
- PCI-DSS
|
||||
- ISO-27001
|
||||
- Internet exposed resources
|
||||
- EKS-CIS
|
||||
- FFIEC
|
||||
- SOC2
|
||||
- ENS (Esquema Nacional de Seguridad of Spain)
|
||||
- Also includes PCI-DSS, ISO-27001, FFIEC, SOC2, ENS (Esquema Nacional de Seguridad of Spain).
|
||||
|
||||
With Prowler you can:
|
||||
|
||||
- get a direct colorful or monochrome report
|
||||
- a HTML, CSV, JUNIT, JSON or JSON ASFF format report
|
||||
- send findings directly to Security Hub
|
||||
- run specific checks and groups or create your own
|
||||
- check multiple AWS accounts in parallel or sequentially
|
||||
- and more! Read examples below
|
||||
- Get a direct colorful or monochrome report
|
||||
- A HTML, CSV, JUNIT, JSON or JSON ASFF format report
|
||||
- Send findings directly to Security Hub
|
||||
- Run specific checks and groups or create your own
|
||||
- Check multiple AWS accounts in parallel or sequentially
|
||||
- And more! Read examples below
|
||||
|
||||
## High level architecture
|
||||
|
||||
@@ -189,14 +189,15 @@ Prowler has been written in bash using AWS-CLI and it works in Linux and OSX.
|
||||
|
||||
- Sample screenshot of report first lines:
|
||||
|
||||
<img width="1125" alt="screenshot 2016-09-13 16 05 42" src="https://cloud.githubusercontent.com/assets/3985464/18489640/50fe6824-79cc-11e6-8a9c-e788b88a8a6b.png">
|
||||
|
||||
- Sample screenshot of single check for check 3.3:
|
||||
|
||||
<img width="1006" alt="screenshot 2016-09-14 13 20 46" src="https://cloud.githubusercontent.com/assets/3985464/18522590/a04ca9a6-7a7e-11e6-8730-b545c9204990.png">
|
||||
<img width="1125" src="https://user-images.githubusercontent.com/3985464/113942728-92c97e80-9801-11eb-9dfc-aef27ad9f5fb.png">
|
||||
|
||||
- Sample screenshot of the html output `-M html`:
|
||||
<img width="1006" alt="Prowler html" src="https://user-images.githubusercontent.com/3985464/82838608-0229ce80-9ecd-11ea-860c-468f66aa2790.png">
|
||||
|
||||
<img width="1006" alt="Prowler html" src="https://user-images.githubusercontent.com/3985464/113942724-8f35f780-9801-11eb-8089-d3163dd4e5a4.png">
|
||||
|
||||
- Sample screenshot of the junit-xml output in CodeBuild `-M junit-xml`:
|
||||
|
||||
<img width="1006" src="https://user-images.githubusercontent.com/3985464/113942824-ca382b00-9801-11eb-84e5-d7731548a7a9.png">
|
||||
|
||||
### Save your reports
|
||||
|
||||
|
||||
@@ -16,6 +16,10 @@ CHECK_SEVERITY_check11="High"
|
||||
CHECK_ASFF_TYPE_check11="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
CHECK_ALTERNATE_check101="check11"
|
||||
CHECK_SERVICENAME_check11="iam"
|
||||
CHECK_RISK_check11='The "root" account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided.'
|
||||
CHECK_REMEDIATION_check11='Follow the remediation instructions of the Ensure IAM policies are attached only to groups or roles recommendation.'
|
||||
CHECK_DOC_check11='http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html'
|
||||
CHECK_CAF_EPIC_check11='IAM'
|
||||
|
||||
check11(){
|
||||
# "Avoid the use of the root account (Scored)."
|
||||
|
||||
@@ -16,6 +16,10 @@ CHECK_SEVERITY_check110="Medium"
|
||||
CHECK_ASFF_TYPE_check110="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
CHECK_ALTERNATE_check110="check110"
|
||||
CHECK_SERVICENAME_check110="iam"
|
||||
CHECK_RISK_check110='Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter.'
|
||||
CHECK_REMEDIATION_check110='Ensure "Number of passwords to remember" is set to 24.'
|
||||
CHECK_DOC_check110='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html'
|
||||
CHECK_CAF_EPIC_check110='IAM'
|
||||
|
||||
check110(){
|
||||
# "Ensure IAM password policy prevents password reuse: 24 or greater (Scored)"
|
||||
|
||||
@@ -16,6 +16,10 @@ CHECK_SEVERITY_check111="Medium"
|
||||
CHECK_ASFF_TYPE_check111="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
CHECK_ALTERNATE_check111="check111"
|
||||
CHECK_SERVICENAME_check111="iam"
|
||||
CHECK_RISK_check111='Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter.'
|
||||
CHECK_REMEDIATION_check111='Ensure "Password expiration period (in days):" is set to 90 or less.'
|
||||
CHECK_DOC_check111='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html'
|
||||
CHECK_CAF_EPIC_check111='IAM'
|
||||
|
||||
check111(){
|
||||
# "Ensure IAM password policy expires passwords within 90 days or less (Scored)"
|
||||
|
||||
@@ -16,6 +16,10 @@ CHECK_SEVERITY_check112="Critical"
|
||||
CHECK_ASFF_TYPE_check112="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
CHECK_ALTERNATE_check112="check112"
|
||||
CHECK_SERVICENAME_check112="iam"
|
||||
CHECK_RISK_check112='The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed. Removing access keys associated with the root account limits vectors by which the account can be compromised. Removing the root access keys encourages the creation and use of role based accounts that are least privileged.'
|
||||
CHECK_REMEDIATION_check112='Use the credential report to that the user and ensure the access_key_1_active and access_key_2_active fields are set to FALSE .'
|
||||
CHECK_DOC_check112='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html'
|
||||
CHECK_CAF_EPIC_check112='IAM'
|
||||
|
||||
check112(){
|
||||
# "Ensure no root account access key exists (Scored)"
|
||||
|
||||
@@ -16,6 +16,10 @@ CHECK_SEVERITY_check113="Critical"
|
||||
CHECK_ASFF_TYPE_check113="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
CHECK_ALTERNATE_check113="check113"
|
||||
CHECK_SERVICENAME_check113="iam"
|
||||
CHECK_RISK_check113='The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled when a user signs in to an AWS website they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. When virtual MFA is used for root accounts it is recommended that the device used is NOT a personal device but rather a dedicated mobile device (tablet or phone) that is managed to be kept charged and secured independent of any individual personal devices. ("non-personal virtual MFA") This lessens the risks of losing access to the MFA due to device loss / trade-in or if the individual owning the device is no longer employed at the company.'
|
||||
CHECK_REMEDIATION_check113='Using IAM console navigate to Dashboard and expand Activate MFA on your root account.'
|
||||
CHECK_DOC_check113='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa'
|
||||
CHECK_CAF_EPIC_check113='IAM'
|
||||
|
||||
check113(){
|
||||
# "Ensure MFA is enabled for the root account (Scored)"
|
||||
|
||||
@@ -16,6 +16,10 @@ CHECK_SEVERITY_check114="Critical"
|
||||
CHECK_ASFF_TYPE_check114="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
CHECK_ALTERNATE_check114="check114"
|
||||
CHECK_SERVICENAME_check114="iam"
|
||||
CHECK_RISK_check114='The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled when a user signs in to an AWS website they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2 it is recommended that the root account be protected with a hardware MFA.'
|
||||
CHECK_REMEDIATION_check114='Using IAM console navigate to Dashboard and expand Activate MFA on your root account.'
|
||||
CHECK_DOC_check114='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa'
|
||||
CHECK_CAF_EPIC_check114='IAM'
|
||||
|
||||
check114(){
|
||||
# "Ensure hardware MFA is enabled for the root account (Scored)"
|
||||
|
||||
@@ -16,6 +16,10 @@ CHECK_SEVERITY_check115="Medium"
|
||||
CHECK_ASFF_TYPE_check115="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
CHECK_ALTERNATE_check115="check115"
|
||||
CHECK_SERVICENAME_check115="support"
|
||||
CHECK_RISK_check115='The AWS support portal allows account owners to establish security questions that can be used to authenticate individuals calling AWS customer service for support. It is recommended that security questions be established. When creating a new AWS account a default super user is automatically created. This account is referred to as the "root" account. It is recommended that the use of this account be limited and highly controlled. During events in which the root password is no longer accessible or the MFA token associated with root is lost/destroyed it is possible through authentication using secret questions and associated answers to recover root login access.'
|
||||
CHECK_REMEDIATION_check115='Login as root account and from My Account configure Security questions.'
|
||||
CHECK_DOC_check115='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys_retrieve.html'
|
||||
CHECK_CAF_EPIC_check115='IAM'
|
||||
|
||||
check115(){
|
||||
# "Ensure security questions are registered in the AWS account (Not Scored)"
|
||||
|
||||
@@ -18,6 +18,10 @@ CHECK_ASFF_RESOURCE_TYPE_check116="AwsIamUser"
|
||||
CHECK_ALTERNATE_check116="check116"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check116="ens-op.acc.3.aws.iam.1"
|
||||
CHECK_SERVICENAME_check116="iam"
|
||||
CHECK_RISK_check116='By default IAM users; groups; and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users; groups; or roles. It is recommended that IAM policies be applied directly to groups and roles but not users. Assigning privileges at the group or role level reduces the complexity of access management as the number of users grow. Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.'
|
||||
CHECK_REMEDIATION_check116='Remove any policy attached directly to the user. Use groups or roles instead.'
|
||||
CHECK_DOC_check116='https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html'
|
||||
CHECK_CAF_EPIC_check116='IAM'
|
||||
|
||||
check116(){
|
||||
# "Ensure IAM policies are attached only to groups or roles (Scored)"
|
||||
|
||||
@@ -16,6 +16,10 @@ CHECK_SEVERITY_check117="Medium"
|
||||
CHECK_ASFF_TYPE_check117="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
CHECK_ALTERNATE_check117="check117"
|
||||
CHECK_SERVICENAME_check117="support"
|
||||
CHECK_RISK_check117='Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization. An AWS account supports a number of contact details; and AWS will use these to contact the account owner if activity judged to be in breach of Acceptable Use Policy. If an AWS account is observed to be behaving in a prohibited or suspicious manner; AWS will attempt to contact the account owner by email and phone using the contact details listed. If this is unsuccessful and the account behavior needs urgent mitigation; proactive measures may be taken; including throttling of traffic between the account exhibiting suspicious behavior and the AWS API endpoints and the Internet. This will result in impaired service to and from the account in question.'
|
||||
CHECK_REMEDIATION_check117='Using the Billing and Cost Management console complete contact details.'
|
||||
CHECK_DOC_check117='https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/manage-account-payment.html#contact-info'
|
||||
CHECK_CAF_EPIC_check117='IAM'
|
||||
|
||||
check117(){
|
||||
# "Maintain current contact details (Scored)"
|
||||
|
||||
@@ -16,6 +16,10 @@ CHECK_SEVERITY_check118="Medium"
|
||||
CHECK_ASFF_TYPE_check118="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
CHECK_ALTERNATE_check118="check118"
|
||||
CHECK_SERVICENAME_check118="support"
|
||||
CHECK_RISK_check118='AWS provides customers with the option of specifying the contact information for accounts security team. It is recommended that this information be provided. Specifying security-specific contact information will help ensure that security advisories sent by AWS reach the team in your organization that is best equipped to respond to them.'
|
||||
CHECK_REMEDIATION_check118='Go to the My Account section and complete alternate contacts.'
|
||||
CHECK_DOC_check118='https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/manage-account-payment.html'
|
||||
CHECK_CAF_EPIC_check118='IAM'
|
||||
|
||||
check118(){
|
||||
# "Ensure security contact information is registered (Scored)"
|
||||
|
||||
@@ -17,6 +17,10 @@ CHECK_ASFF_TYPE_check119="Software and Configuration Checks/Industry and Regulat
|
||||
CHECK_ASFF_RESOURCE_TYPE_check119="AwsEc2Instance"
|
||||
CHECK_ALTERNATE_check119="check119"
|
||||
CHECK_SERVICENAME_check119="ec2"
|
||||
CHECK_RISK_check119='AWS access from within AWS instances can be done by either encoding AWS keys into AWS API calls or by assigning the instance to a role which has an appropriate permissions policy for the required access. AWS IAM roles reduce the risks associated with sharing and rotating credentials that can be used outside of AWS itself. If credentials are compromised; they can be used from outside of the AWS account.'
|
||||
CHECK_REMEDIATION_check119='IAM roles can only be associated at the launch of an instance. To remediate an instance to add it to a role you must create or re-launch a new instance. (Check for external dependencies on its current private ip or public addresses).'
|
||||
CHECK_DOC_check119='http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html'
|
||||
CHECK_CAF_EPIC_check119='IAM'
|
||||
|
||||
check119(){
|
||||
for regx in $REGIONS; do
|
||||
|
||||
@@ -18,6 +18,10 @@ CHECK_ASFF_RESOURCE_TYPE_check12="AwsIamUser"
|
||||
CHECK_ALTERNATE_check102="check12"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check12="ens-op.acc.5.aws.iam.1"
|
||||
CHECK_SERVICENAME_check12="iam"
|
||||
CHECK_RISK_check12='Unauthorized access to this critical account if password is not secure or it is disclosed in any way.'
|
||||
CHECK_REMEDIATION_check12='Enable MFA for root account. is a simple best practice that adds an extra layer of protection on top of your user name and password. Recommended to use hardware keys over virtual MFA.'
|
||||
CHECK_DOC_check12='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html'
|
||||
CHECK_CAF_EPIC_check12='IAM'
|
||||
|
||||
check12(){
|
||||
# "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)"
|
||||
|
||||
@@ -18,6 +18,10 @@ CHECK_ASFF_RESOURCE_TYPE_check120="AwsIamRole"
|
||||
CHECK_ALTERNATE_check120="check120"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check120="ens-op.acc.1.aws.iam.4"
|
||||
CHECK_SERVICENAME_check120="iam"
|
||||
CHECK_RISK_check120='AWS provides a support center that can be used for incident notification and response; as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support.'
|
||||
CHECK_REMEDIATION_check120='Create an IAM role for managing incidents with AWS.'
|
||||
CHECK_DOC_check120='https://docs.aws.amazon.com/awssupport/latest/user/using-service-linked-roles-sup.html'
|
||||
CHECK_CAF_EPIC_check120='IAM'
|
||||
|
||||
check120(){
|
||||
# "Ensure a support role has been created to manage incidents with AWS Support (Scored)"
|
||||
|
||||
@@ -18,6 +18,10 @@ CHECK_ASFF_RESOURCE_TYPE_check121="AwsIamUser"
|
||||
CHECK_ALTERNATE_check121="check121"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check121="ens-op.acc.1.aws.iam.5"
|
||||
CHECK_SERVICENAME_check121="iam"
|
||||
CHECK_RISK_check121='AWS console defaults the checkbox for creating access keys to enabled. This results in many access keys being generated unnecessarily. In addition to unnecessary credentials; it also generates unnecessary management work in auditing and rotating these keys. Requiring that additional steps be taken by the user after their profile has been created will give a stronger indication of intent that access keys are (a) necessary for their work and (b) once the access key is established on an account that the keys may be in use somewhere in the organization.'
|
||||
CHECK_REMEDIATION_check121='From the IAM console: generate credential report and disable not required keys.'
|
||||
CHECK_DOC_check121='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html'
|
||||
CHECK_CAF_EPIC_check121='IAM'
|
||||
|
||||
check121(){
|
||||
# "Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)"
|
||||
|
||||
@@ -17,6 +17,10 @@ CHECK_ASFF_TYPE_check122="Software and Configuration Checks/Industry and Regulat
|
||||
CHECK_ASFF_RESOURCE_TYPE_check122="AwsIamPolicy"
|
||||
CHECK_ALTERNATE_check122="check122"
|
||||
CHECK_SERVICENAME_check122="iam"
|
||||
CHECK_RISK_check122='IAM policies are the means by which privileges are granted to users; groups; or roles. It is recommended and considered a standard security advice to grant least privilege—that is; granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks instead of allowing full administrative privileges. Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions.'
|
||||
CHECK_REMEDIATION_check122='It is more secure to start with a minimum set of permissions and grant additional permissions as necessary; rather than starting with permissions that are too lenient and then trying to tighten them later. List policies an analyze if permissions are the least possible to conduct business activities.'
|
||||
CHECK_DOC_check122='http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html'
|
||||
CHECK_CAF_EPIC_check122='IAM'
|
||||
|
||||
check122(){
|
||||
# "Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)"
|
||||
|
||||
@@ -18,6 +18,10 @@ CHECK_ASFF_RESOURCE_TYPE_check13="AwsIamUser"
|
||||
CHECK_ALTERNATE_check103="check13"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check13="ens-op.acc.1.aws.iam.3 ens-op.acc.5.aws.iam.4"
|
||||
CHECK_SERVICENAME_check13="iam"
|
||||
CHECK_RISK_check13='AWS IAM users can access AWS resources using different types of credentials (passwords or access keys). It is recommended that all credentials that have been unused in 90 or greater days be removed or deactivated.'
|
||||
CHECK_REMEDIATION_check13='Use the credential report to ensure password_last_changed is less than 90 days ago.'
|
||||
CHECK_DOC_check13='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html'
|
||||
CHECK_CAF_EPIC_check13='IAM'
|
||||
|
||||
check13(){
|
||||
check_creds_used_in_last_days 90
|
||||
|
||||
@@ -18,6 +18,10 @@ CHECK_ASFF_RESOURCE_TYPE_check14="AwsIamUser"
|
||||
CHECK_ALTERNATE_check104="check14"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check14="ens-op.acc.1.aws.iam.4 ens-op.acc.5.aws.iam.3"
|
||||
CHECK_SERVICENAME_check14="iam"
|
||||
CHECK_RISK_check14='Access keys consist of an access key ID and secret access key which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI)- Tools for Windows PowerShell- the AWS SDKs- or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated.'
|
||||
CHECK_REMEDIATION_check14='Use the credential report to ensure access_key_X_last_rotated is less than 90 days ago.'
|
||||
CHECK_DOC_check14='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html'
|
||||
CHECK_CAF_EPIC_check14='IAM'
|
||||
|
||||
check14(){
|
||||
# "Ensure access keys are rotated every 90 days or less (Scored)" # also checked by Security Monkey
|
||||
|
||||
@@ -16,6 +16,10 @@ CHECK_SEVERITY_check15="Medium"
|
||||
CHECK_ASFF_TYPE_check15="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
CHECK_ALTERNATE_check105="check15"
|
||||
CHECK_SERVICENAME_check15="iam"
|
||||
CHECK_RISK_check15='Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter.'
|
||||
CHECK_REMEDIATION_check15='Ensure "Requires at least one uppercase letter" is checked under "Password Policy".'
|
||||
CHECK_DOC_check15='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html'
|
||||
CHECK_CAF_EPIC_check15='IAM'
|
||||
|
||||
check15(){
|
||||
# "Ensure IAM password policy requires at least one uppercase letter (Scored)"
|
||||
|
||||
@@ -16,6 +16,10 @@ CHECK_SEVERITY_check16="Medium"
|
||||
CHECK_ASFF_TYPE_check16="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
CHECK_ALTERNATE_check106="check16"
|
||||
CHECK_SERVICENAME_check16="iam"
|
||||
CHECK_RISK_check16='Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter.'
|
||||
CHECK_REMEDIATION_check16='Ensure "Requires at least one lowercase letter" is checked under "Password Policy".'
|
||||
CHECK_DOC_check16='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html'
|
||||
CHECK_CAF_EPIC_check16='IAM'
|
||||
|
||||
check16(){
|
||||
# "Ensure IAM password policy require at least one lowercase letter (Scored)"
|
||||
|
||||
@@ -16,6 +16,10 @@ CHECK_SEVERITY_check17="Medium"
|
||||
CHECK_ASFF_TYPE_check17="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
CHECK_ALTERNATE_check107="check17"
|
||||
CHECK_SERVICENAME_check17="iam"
|
||||
CHECK_RISK_check17='Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter.'
|
||||
CHECK_REMEDIATION_check17='Ensure "Require at least one non-alphanumeric character" is checked under "Password Policy".'
|
||||
CHECK_DOC_check17='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html'
|
||||
CHECK_CAF_EPIC_check17='IAM'
|
||||
|
||||
check17(){
|
||||
# "Ensure IAM password policy require at least one symbol (Scored)"
|
||||
|
||||
@@ -16,6 +16,10 @@ CHECK_SEVERITY_check18="Medium"
|
||||
CHECK_ASFF_TYPE_check18="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
CHECK_ALTERNATE_check108="check18"
|
||||
CHECK_SERVICENAME_check18="iam"
|
||||
CHECK_RISK_check18='Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter.'
|
||||
CHECK_REMEDIATION_check18='Ensure "Require at least one number " is checked under "Password Policy".'
|
||||
CHECK_DOC_check18='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html'
|
||||
CHECK_CAF_EPIC_check18='IAM'
|
||||
|
||||
check18(){
|
||||
# "Ensure IAM password policy require at least one number (Scored)"
|
||||
|
||||
@@ -16,6 +16,10 @@ CHECK_SEVERITY_check19="Medium"
|
||||
CHECK_ASFF_TYPE_check19="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
CHECK_ALTERNATE_check109="check19"
|
||||
CHECK_SERVICENAME_check19="iam"
|
||||
CHECK_RISK_check19='Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter.'
|
||||
CHECK_REMEDIATION_check19='Ensure "Minimum password length" is set to 14 or greater.'
|
||||
CHECK_DOC_check19='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html'
|
||||
CHECK_CAF_EPIC_check19='IAM'
|
||||
|
||||
check19(){
|
||||
# "Ensure IAM password policy requires minimum length of 14 or greater (Scored)"
|
||||
|
||||
@@ -18,6 +18,10 @@ CHECK_ASFF_RESOURCE_TYPE_check21="AwsCloudTrailTrail"
|
||||
CHECK_ALTERNATE_check201="check21"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check21="ens-op.acc.7.aws.iam.1 ens-op.mon.1.aws.trail.1"
|
||||
CHECK_SERVICENAME_check21="cloudtrail"
|
||||
CHECK_RISK_check21='AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller; the time of the API call; the source IP address of the API caller; the request parameters; and the response elements returned by the AWS service.'
|
||||
CHECK_REMEDIATION_check21='Ensure Logging is set to ON on all regions (even if they are not being used at the moment.'
|
||||
CHECK_DOC_check21='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrailconcepts.html#cloudtrail-concepts-management-events'
|
||||
CHECK_CAF_EPIC_check21='Logging and Monitoring'
|
||||
|
||||
check21(){
|
||||
trail_count=0
|
||||
|
||||
@@ -18,6 +18,10 @@ CHECK_ASFF_RESOURCE_TYPE_check22="AwsCloudTrailTrail"
|
||||
CHECK_ALTERNATE_check202="check22"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check22="ens-op.exp.10.aws.trail.1"
|
||||
CHECK_SERVICENAME_check22="cloudtrail"
|
||||
CHECK_RISK_check22='Enabling log file validation will provide additional integrity checking of CloudTrail logs. '
|
||||
CHECK_REMEDIATION_check22='Ensure LogFileValidationEnabled is set to true for each trail.'
|
||||
CHECK_DOC_check22='http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-filevalidation-enabling.html'
|
||||
CHECK_CAF_EPIC_check22='Logging and Monitoring'
|
||||
|
||||
check22(){
|
||||
trail_count=0
|
||||
|
||||
@@ -18,6 +18,10 @@ CHECK_ASFF_RESOURCE_TYPE_check23="AwsS3Bucket"
|
||||
CHECK_ALTERNATE_check203="check23"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check23="ens-op.exp.10.aws.trail.3 ens-op.exp.10.aws.trail.4"
|
||||
CHECK_SERVICENAME_check23="cloudtrail"
|
||||
CHECK_RISK_check23='Allowing public access to CloudTrail log content may aid an adversary in identifying weaknesses in the affected accounts use or configuration.'
|
||||
CHECK_REMEDIATION_check23='Analyze Bucket policy to validate appropriate permissions. Ensure the AllUsers principal is not granted privileges. Ensure the AuthenticatedUsers principal is not granted privileges.'
|
||||
CHECK_DOC_check23='https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_ principal.html '
|
||||
CHECK_CAF_EPIC_check23='Logging and Monitoring'
|
||||
|
||||
check23(){
|
||||
trail_count=0
|
||||
|
||||
@@ -18,6 +18,10 @@ CHECK_ASFF_RESOURCE_TYPE_check24="AwsCloudTrailTrail"
|
||||
CHECK_ALTERNATE_check204="check24"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check24="ens-op.exp.8.aws.cw.1"
|
||||
CHECK_SERVICENAME_check24="cloudtrail"
|
||||
CHECK_RISK_check24='Sending CloudTrail logs to CloudWatch Logs will facilitate real-time and historic activity logging based on user; API; resource; and IP address; and provides opportunity to establish alarms and notifications for anomalous or sensitivity account activity.'
|
||||
CHECK_REMEDIATION_check24='Validate that the trails in CloudTrail has an arn set in the CloudWatchLogsLogGroupArn property.'
|
||||
CHECK_DOC_check24='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/send-cloudtrail-events-to-cloudwatch-logs.html'
|
||||
CHECK_CAF_EPIC_check24='Logging and Monitoring'
|
||||
|
||||
check24(){
|
||||
trail_count=0
|
||||
|
||||
@@ -17,6 +17,10 @@ CHECK_ASFF_TYPE_check25="Software and Configuration Checks/Industry and Regulato
|
||||
CHECK_ALTERNATE_check205="check25"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check25="ens-op.exp.1.aws.cfg.1"
|
||||
CHECK_SERVICENAME_check25="configservice"
|
||||
CHECK_RISK_check25='The AWS configuration item history captured by AWS Config enables security analysis; resource change tracking; and compliance auditing.'
|
||||
CHECK_REMEDIATION_check25='It is recommended to enable AWS Config be enabled in all regions.'
|
||||
CHECK_DOC_check25='https://aws.amazon.com/blogs/mt/aws-config-best-practices/'
|
||||
CHECK_CAF_EPIC_check25='Logging and Monitoring'
|
||||
|
||||
check25(){
|
||||
# "Ensure AWS Config is enabled in all regions (Scored)"
|
||||
|
||||
@@ -17,6 +17,10 @@ CHECK_ASFF_TYPE_check26="Software and Configuration Checks/Industry and Regulato
|
||||
CHECK_ASFF_RESOURCE_TYPE_check26="AwsS3Bucket"
|
||||
CHECK_ALTERNATE_check206="check26"
|
||||
CHECK_SERVICENAME_check26="s3"
|
||||
CHECK_RISK_check26='Server access logs can assist you in security and access audits; help you learn about your customer base; and understand your Amazon S3 bill.'
|
||||
CHECK_REMEDIATION_check26='Ensure that S3 buckets have Logging enabled. CloudTrail data events can be used in place of S3 bucket logging. If that is the case; this finding can be considered a false positive.'
|
||||
CHECK_DOC_check26='https://docs.aws.amazon.com/AmazonS3/latest/dev/security-best-practices.html'
|
||||
CHECK_CAF_EPIC_check26='Logging and Monitoring'
|
||||
|
||||
check26(){
|
||||
trail_count=0
|
||||
|
||||
@@ -18,6 +18,10 @@ CHECK_ASFF_RESOURCE_TYPE_check27="AwsCloudTrailTrail"
|
||||
CHECK_ALTERNATE_check207="check27"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check27="ens-op.exp.10.aws.trail.5"
|
||||
CHECK_SERVICENAME_check27="cloudtrail"
|
||||
CHECK_RISK_check27='By default; the log files delivered by CloudTrail to your bucket are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3). To provide a security layer that is directly manageable; you can instead use server-side encryption with AWS KMS–managed keys (SSE-KMS) for your CloudTrail log files.'
|
||||
CHECK_REMEDIATION_check27='This approach has the following advantages: You can create and manage the CMK encryption keys yourself. You can use a single CMK to encrypt and decrypt log files for multiple accounts across all regions. You have control over who can use your key for encrypting and decrypting CloudTrail log files. You can assign permissions for the key to the users. You have enhanced security.'
|
||||
CHECK_DOC_check27='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html'
|
||||
CHECK_CAF_EPIC_check27='Logging and Monitoring'
|
||||
|
||||
check27(){
|
||||
trail_count=0
|
||||
|
||||
@@ -17,6 +17,10 @@ CHECK_ASFF_TYPE_check28="Software and Configuration Checks/Industry and Regulato
|
||||
CHECK_ASFF_RESOURCE_TYPE_check28="AwsKmsKey"
|
||||
CHECK_ALTERNATE_check208="check28"
|
||||
CHECK_SERVICENAME_check28="kms"
|
||||
CHECK_RISK_check28='Cryptographic best practices discourage extensive reuse of encryption keys. Consequently; Customer Master Keys (CMKs) should be rotated to prevent usage of compromised keys.'
|
||||
CHECK_REMEDIATION_check28='For every KMS Customer Master Keys (CMKs); ensure that Rotate this key every year is enabled.'
|
||||
CHECK_DOC_check28='https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html'
|
||||
CHECK_CAF_EPIC_check28='Data Protection'
|
||||
|
||||
check28(){
|
||||
# "Ensure rotation for customer created CMKs is enabled (Scored)"
|
||||
|
||||
@@ -18,6 +18,10 @@ CHECK_ASFF_RESOURCE_TYPE_check29="AwsEc2Vpc"
|
||||
CHECK_ALTERNATE_check209="check29"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check29="ens-op.mon.1.aws.flow.1"
|
||||
CHECK_SERVICENAME_check29="vpc"
|
||||
CHECK_RISK_check29='PC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.'
|
||||
CHECK_REMEDIATION_check29='It is recommended that VPC Flow Logs be enabled for packet "Rejects" for VPCs. '
|
||||
CHECK_DOC_check29='http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html '
|
||||
CHECK_CAF_EPIC_check29='Logging and Monitoring'
|
||||
|
||||
check29(){
|
||||
# "Ensure VPC Flow Logging is Enabled in all VPCs (Scored)"
|
||||
|
||||
@@ -43,6 +43,10 @@ CHECK_ASFF_RESOURCE_TYPE_check31="AwsCloudTrailTrail"
|
||||
CHECK_ALTERNATE_check301="check31"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check31="ens-op.exp.8.aws.trail.2"
|
||||
CHECK_SERVICENAME_check31="iam"
|
||||
CHECK_RISK_check31='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
|
||||
CHECK_REMEDIATION_check31='It is recommended that a metric filter and alarm be established for unauthorized requests.'
|
||||
CHECK_DOC_check31='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
|
||||
CHECK_CAF_EPIC_check31='Logging and Monitoring'
|
||||
|
||||
check31(){
|
||||
check3x '\$\.errorCode\s*=\s*"\*UnauthorizedOperation".+\$\.errorCode\s*=\s*"AccessDenied\*"'
|
||||
|
||||
@@ -42,6 +42,10 @@ CHECK_ASFF_TYPE_check310="Software and Configuration Checks/Industry and Regulat
|
||||
CHECK_ASFF_RESOURCE_TYPE_check310="AwsCloudTrailTrail"
|
||||
CHECK_ALTERNATE_check310="check310"
|
||||
CHECK_SERVICENAME_check310="ec2"
|
||||
CHECK_RISK_check310='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
|
||||
CHECK_REMEDIATION_check310='It is recommended that a metric filter and alarm be established for unauthorized requests.'
|
||||
CHECK_DOC_check310='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
|
||||
CHECK_CAF_EPIC_check310='Logging and Monitoring'
|
||||
|
||||
check310(){
|
||||
check3x '\$\.eventName\s*=\s*AuthorizeSecurityGroupIngress.+\$\.eventName\s*=\s*AuthorizeSecurityGroupEgress.+\$\.eventName\s*=\s*RevokeSecurityGroupIngress.+\$\.eventName\s*=\s*RevokeSecurityGroupEgress.+\$\.eventName\s*=\s*CreateSecurityGroup.+\$\.eventName\s*=\s*DeleteSecurityGroup'
|
||||
|
||||
@@ -42,6 +42,10 @@ CHECK_ASFF_TYPE_check311="Software and Configuration Checks/Industry and Regulat
|
||||
CHECK_ASFF_RESOURCE_TYPE_check311="AwsCloudTrailTrail"
|
||||
CHECK_ALTERNATE_check311="check311"
|
||||
CHECK_SERVICENAME_check311="vpc"
|
||||
CHECK_RISK_check311='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
|
||||
CHECK_REMEDIATION_check311='It is recommended that a metric filter and alarm be established for unauthorized requests.'
|
||||
CHECK_DOC_check311='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
|
||||
CHECK_CAF_EPIC_check311='Logging and Monitoring'
|
||||
|
||||
check311(){
|
||||
check3x '\$\.eventName\s*=\s*CreateNetworkAcl.+\$\.eventName\s*=\s*CreateNetworkAclEntry.+\$\.eventName\s*=\s*DeleteNetworkAcl.+\$\.eventName\s*=\s*DeleteNetworkAclEntry.+\$\.eventName\s*=\s*ReplaceNetworkAclEntry.+\$\.eventName\s*=\s*ReplaceNetworkAclAssociation'
|
||||
|
||||
@@ -42,6 +42,10 @@ CHECK_ASFF_TYPE_check312="Software and Configuration Checks/Industry and Regulat
|
||||
CHECK_ASFF_RESOURCE_TYPE_check312="AwsCloudTrailTrail"
|
||||
CHECK_ALTERNATE_check312="check312"
|
||||
CHECK_SERVICENAME_check312="vpc"
|
||||
CHECK_RISK_check312='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
|
||||
CHECK_REMEDIATION_check312='It is recommended that a metric filter and alarm be established for unauthorized requests.'
|
||||
CHECK_DOC_check312='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
|
||||
CHECK_CAF_EPIC_check312='Logging and Monitoring'
|
||||
|
||||
check312(){
|
||||
check3x '\$\.eventName\s*=\s*CreateCustomerGateway.+\$\.eventName\s*=\s*DeleteCustomerGateway.+\$\.eventName\s*=\s*AttachInternetGateway.+\$\.eventName\s*=\s*CreateInternetGateway.+\$\.eventName\s*=\s*DeleteInternetGateway.+\$\.eventName\s*=\s*DetachInternetGateway'
|
||||
|
||||
@@ -42,6 +42,10 @@ CHECK_ASFF_TYPE_check313="Software and Configuration Checks/Industry and Regulat
|
||||
CHECK_ASFF_RESOURCE_TYPE_check313="AwsCloudTrailTrail"
|
||||
CHECK_ALTERNATE_check313="check313"
|
||||
CHECK_SERVICENAME_check313="vpc"
|
||||
CHECK_RISK_check313='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
|
||||
CHECK_REMEDIATION_check313='It is recommended that a metric filter and alarm be established for unauthorized requests.'
|
||||
CHECK_DOC_check313='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
|
||||
CHECK_CAF_EPIC_check313='Logging and Monitoring'
|
||||
|
||||
check313(){
|
||||
check3x '\$\.eventName\s*=\s*CreateRoute.+\$\.eventName\s*=\s*CreateRouteTable.+\$\.eventName\s*=\s*ReplaceRoute.+\$\.eventName\s*=\s*ReplaceRouteTableAssociation.+\$\.eventName\s*=\s*DeleteRouteTable.+\$\.eventName\s*=\s*DeleteRoute.+\$\.eventName\s*=\s*DisassociateRouteTable'
|
||||
|
||||
@@ -42,6 +42,10 @@ CHECK_ASFF_TYPE_check314="Software and Configuration Checks/Industry and Regulat
|
||||
CHECK_ASFF_RESOURCE_TYPE_check314="AwsCloudTrailTrail"
|
||||
CHECK_ALTERNATE_check314="check314"
|
||||
CHECK_SERVICENAME_check314="vpc"
|
||||
CHECK_RISK_check314='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
|
||||
CHECK_REMEDIATION_check314='It is recommended that a metric filter and alarm be established for unauthorized requests.'
|
||||
CHECK_DOC_check314='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
|
||||
CHECK_CAF_EPIC_check314='Logging and Monitoring'
|
||||
|
||||
check314(){
|
||||
check3x '\$\.eventName\s*=\s*CreateVpc.+\$\.eventName\s*=\s*DeleteVpc.+\$\.eventName\s*=\s*ModifyVpcAttribute.+\$\.eventName\s*=\s*AcceptVpcPeeringConnection.+\$\.eventName\s*=\s*CreateVpcPeeringConnection.+\$\.eventName\s*=\s*DeleteVpcPeeringConnection.+\$\.eventName\s*=\s*RejectVpcPeeringConnection.+\$\.eventName\s*=\s*AttachClassicLinkVpc.+\$\.eventName\s*=\s*DetachClassicLinkVpc.+\$\.eventName\s*=\s*DisableVpcClassicLink.+\$\.eventName\s*=\s*EnableVpcClassicLink'
|
||||
|
||||
@@ -43,6 +43,10 @@ CHECK_ASFF_RESOURCE_TYPE_check32="AwsCloudTrailTrail"
|
||||
CHECK_ALTERNATE_check302="check32"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check32="ens-op.exp.8.aws.trail.4"
|
||||
CHECK_SERVICENAME_check32="iam"
|
||||
CHECK_RISK_check32='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
|
||||
CHECK_REMEDIATION_check32='It is recommended that a metric filter and alarm be established for unauthorized requests.'
|
||||
CHECK_DOC_check32='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
|
||||
CHECK_CAF_EPIC_check32='Logging and Monitoring'
|
||||
|
||||
check32(){
|
||||
check3x '\$\.eventName\s*=\s*"ConsoleLogin".+\$\.additionalEventData\.MFAUsed\s*!=\s*"Yes"'
|
||||
|
||||
@@ -43,6 +43,10 @@ CHECK_ASFF_RESOURCE_TYPE_check33="AwsCloudTrailTrail"
|
||||
CHECK_ALTERNATE_check303="check33"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check33="ens-op.exp.8.aws.trail.5"
|
||||
CHECK_SERVICENAME_check33="iam"
|
||||
CHECK_RISK_check33='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
|
||||
CHECK_REMEDIATION_check33='It is recommended that a metric filter and alarm be established for unauthorized requests.'
|
||||
CHECK_DOC_check33='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
|
||||
CHECK_CAF_EPIC_check33='Logging and Monitoring'
|
||||
|
||||
check33(){
|
||||
check3x '\$\.userIdentity\.type\s*=\s*"Root".+\$\.userIdentity\.invokedBy NOT EXISTS.+\$\.eventType\s*!=\s*"AwsServiceEvent"'
|
||||
|
||||
@@ -43,6 +43,10 @@ CHECK_ASFF_RESOURCE_TYPE_check34="AwsCloudTrailTrail"
|
||||
CHECK_ALTERNATE_check304="check34"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check34="ens-op.exp.8.aws.trail.6"
|
||||
CHECK_SERVICENAME_check34="iam"
|
||||
CHECK_RISK_check34='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
|
||||
CHECK_REMEDIATION_check34='It is recommended that a metric filter and alarm be established for unauthorized requests.'
|
||||
CHECK_DOC_check34='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
|
||||
CHECK_CAF_EPIC_check34='IAM'
|
||||
|
||||
check34(){
|
||||
check3x '\$\.eventName\s*=\s*DeleteGroupPolicy.+\$\.eventName\s*=\s*DeleteRolePolicy.+\$\.eventName\s*=\s*DeleteUserPolicy.+\$\.eventName\s*=\s*PutGroupPolicy.+\$\.eventName\s*=\s*PutRolePolicy.+\$\.eventName\s*=\s*PutUserPolicy.+\$\.eventName\s*=\s*CreatePolicy.+\$\.eventName\s*=\s*DeletePolicy.+\$\.eventName\s*=\s*CreatePolicyVersion.+\$\.eventName\s*=\s*DeletePolicyVersion.+\$\.eventName\s*=\s*AttachRolePolicy.+\$\.eventName\s*=\s*DetachRolePolicy.+\$\.eventName\s*=\s*AttachUserPolicy.+\$\.eventName\s*=\s*DetachUserPolicy.+\$\.eventName\s*=\s*AttachGroupPolicy.+\$\.eventName\s*=\s*DetachGroupPolicy'
|
||||
|
||||
@@ -43,6 +43,10 @@ CHECK_ASFF_RESOURCE_TYPE_check35="AwsCloudTrailTrail"
|
||||
CHECK_ALTERNATE_check305="check35"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check35="ens-op.exp.8.aws.trail.1"
|
||||
CHECK_SERVICENAME_check35="cloudtrail"
|
||||
CHECK_RISK_check35='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
|
||||
CHECK_REMEDIATION_check35='It is recommended that a metric filter and alarm be established for unauthorized requests.'
|
||||
CHECK_DOC_check35='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
|
||||
CHECK_CAF_EPIC_check35='Logging and Monitoring'
|
||||
|
||||
check35(){
|
||||
check3x '\$\.eventName\s*=\s*CreateTrail.+\$\.eventName\s*=\s*UpdateTrail.+\$\.eventName\s*=\s*DeleteTrail.+\$\.eventName\s*=\s*StartLogging.+\$\.eventName\s*=\s*StopLogging'
|
||||
|
||||
@@ -43,6 +43,10 @@ CHECK_ASFF_RESOURCE_TYPE_check36="AwsCloudTrailTrail"
|
||||
CHECK_ALTERNATE_check306="check36"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check36="ens-op.exp.8.aws.trail.3"
|
||||
CHECK_SERVICENAME_check36="iam"
|
||||
CHECK_RISK_check36='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
|
||||
CHECK_REMEDIATION_check36='It is recommended that a metric filter and alarm be established for unauthorized requests.'
|
||||
CHECK_DOC_check36='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
|
||||
CHECK_CAF_EPIC_check36='Logging and Monitoring'
|
||||
|
||||
check36(){
|
||||
check3x '\$\.eventName\s*=\s*ConsoleLogin.+\$\.errorMessage\s*=\s*"Failed authentication"'
|
||||
|
||||
@@ -43,6 +43,10 @@ CHECK_ASFF_RESOURCE_TYPE_check37="AwsCloudTrailTrail"
|
||||
CHECK_ALTERNATE_check307="check37"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check37="ens-op.exp.11.aws.kms.1"
|
||||
CHECK_SERVICENAME_check37="kms"
|
||||
CHECK_RISK_check37='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
|
||||
CHECK_REMEDIATION_check37='It is recommended that a metric filter and alarm be established for unauthorized requests.'
|
||||
CHECK_DOC_check37='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
|
||||
CHECK_CAF_EPIC_check37='Logging and Monitoring'
|
||||
|
||||
check37(){
|
||||
check3x '\$\.eventSource\s*=\s*kms.amazonaws.com.+\$\.eventName\s*=\s*DisableKey.+\$\.eventName\s*=\s*ScheduleKeyDeletion'
|
||||
|
||||
@@ -42,6 +42,10 @@ CHECK_ASFF_TYPE_check38="Software and Configuration Checks/Industry and Regulato
|
||||
CHECK_ASFF_RESOURCE_TYPE_check38="AwsCloudTrailTrail"
|
||||
CHECK_ALTERNATE_check308="check38"
|
||||
CHECK_SERVICENAME_check38="s3"
|
||||
CHECK_RISK_check38='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
|
||||
CHECK_REMEDIATION_check38='It is recommended that a metric filter and alarm be established for unauthorized requests.'
|
||||
CHECK_DOC_check38='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
|
||||
CHECK_CAF_EPIC_check38='Logging and Monitoring'
|
||||
|
||||
check38(){
|
||||
check3x '\$\.eventSource\s*=\s*s3.amazonaws.com.+\$\.eventName\s*=\s*PutBucketAcl.+\$\.eventName\s*=\s*PutBucketPolicy.+\$\.eventName\s*=\s*PutBucketCors.+\$\.eventName\s*=\s*PutBucketLifecycle.+\$\.eventName\s*=\s*PutBucketReplication.+\$\.eventName\s*=\s*DeleteBucketPolicy.+\$\.eventName\s*=\s*DeleteBucketCors.+\$\.eventName\s*=\s*DeleteBucketLifecycle.+\$\.eventName\s*=\s*DeleteBucketReplication'
|
||||
|
||||
@@ -42,6 +42,10 @@ CHECK_ASFF_TYPE_check39="Software and Configuration Checks/Industry and Regulato
|
||||
CHECK_ASFF_RESOURCE_TYPE_check39="AwsCloudTrailTrail"
|
||||
CHECK_ALTERNATE_check309="check39"
|
||||
CHECK_SERVICENAME_check39="configservice"
|
||||
CHECK_RISK_check39='If not enabled important changes to accounts could go unnoticed or difficult to find.'
|
||||
CHECK_REMEDIATION_check39='Use this service as a complement to implement detective controls that cannot be prevented. (e.g. a Security Group is modified to open to internet without restrictions or route changed to avoid going thru the network firewall). Ensure AWS Config is enabled in all regions in order to detect any not intended action. On the other hand if sufficient preventive controls to make changes in critical services are in place; the rating on this finding can be lowered or discarded depending on residual risk.'
|
||||
CHECK_DOC_check39='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
|
||||
CHECK_CAF_EPIC_check39='Logging and Monitoring'
|
||||
|
||||
check39(){
|
||||
check3x '\$\.eventSource\s*=\s*config.amazonaws.com.+\$\.eventName\s*=\s*StopConfigurationRecorder.+\$\.eventName\s*=\s*DeleteDeliveryChannel.+\$\.eventName\s*=\s*PutDeliveryChannel.+\$\.eventName\s*=\s*PutConfigurationRecorder'
|
||||
|
||||
@@ -18,6 +18,10 @@ CHECK_ASFF_RESOURCE_TYPE_check41="AwsEc2SecurityGroup"
|
||||
CHECK_ALTERNATE_check401="check41"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check41="ens-mp.com.4.aws.sg.4"
|
||||
CHECK_SERVICENAME_check41="ec2"
|
||||
CHECK_RISK_check41='Even having a perimeter firewall; having security groups open allows any user or malware with vpc access to scan for well known and sensitive ports and gain access to instance.'
|
||||
CHECK_REMEDIATION_check41='Apply Zero Trust approach. Implement a process to scan and remediate unrestricted or overly permissive security groups. Recommended best practices is to narrow the definition for the minimum ports required.'
|
||||
CHECK_DOC_check41='https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html'
|
||||
CHECK_CAF_EPIC_check41='Infrastructure Security'
|
||||
|
||||
check41(){
|
||||
# "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 22 (Scored)"
|
||||
|
||||
@@ -18,6 +18,10 @@ CHECK_ASFF_RESOURCE_TYPE_check42="AwsEc2SecurityGroup"
|
||||
CHECK_ALTERNATE_check402="check42"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check42="ens-mp.com.4.aws.sg.5"
|
||||
CHECK_SERVICENAME_check42="ec2"
|
||||
CHECK_RISK_check42='Even having a perimeter firewall; having security groups open allows any user or malware with vpc access to scan for well known and sensitive ports and gain access to instance.'
|
||||
CHECK_REMEDIATION_check42='Apply Zero Trust approach. Implement a process to scan and remediate unrestricted or overly permissive security groups. Recommended best practices is to narrow the definition for the minimum ports required.'
|
||||
CHECK_DOC_check42='https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html'
|
||||
CHECK_CAF_EPIC_check42='Infrastructure Security'
|
||||
|
||||
check42(){
|
||||
# "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389 (Scored)"
|
||||
|
||||
@@ -18,13 +18,17 @@ CHECK_ASFF_RESOURCE_TYPE_check43="AwsEc2SecurityGroup"
|
||||
CHECK_ALTERNATE_check403="check43"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check43="ens-mp.com.4.aws.sg.1"
|
||||
CHECK_SERVICENAME_check43="ec2"
|
||||
CHECK_RISK_check43='Even having a perimeter firewall; having security groups open allows any user or malware with vpc access to scan for well known and sensitive ports and gain access to instance.'
|
||||
CHECK_REMEDIATION_check43='Apply Zero Trust approach. Implement a process to scan and remediate unrestricted or overly permissive security groups. Recommended best practices is to narrow the definition for the minimum ports required.'
|
||||
CHECK_DOC_check43='https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html'
|
||||
CHECK_CAF_EPIC_check43='Infrastructure Security'
|
||||
|
||||
check43(){
|
||||
# "Ensure the default security group of every VPC restricts all traffic (Scored)"
|
||||
for regx in $REGIONS; do
|
||||
CHECK_SGDEFAULT_IDS=$($AWSCLI ec2 describe-security-groups $PROFILE_OPT --region $regx --filters Name=group-name,Values='default' --query 'SecurityGroups[*].GroupId[]' --output text)
|
||||
for CHECK_SGDEFAULT_ID in $CHECK_SGDEFAULT_IDS; do
|
||||
CHECK_SGDEFAULT_ID_OPEN=$($AWSCLI ec2 describe-security-groups $PROFILE_OPT --region $regx --group-ids $CHECK_SGDEFAULT_ID --query 'SecurityGroups[*].{IpPermissions:IpPermissions,IpPermissionsEgress:IpPermissionsEgress,GroupId:GroupId}' --output text |egrep ' 0.0.0.0|\:\:\/0')
|
||||
CHECK_SGDEFAULT_ID_OPEN=$($AWSCLI ec2 describe-security-groups $PROFILE_OPT --region $regx --group-ids $CHECK_SGDEFAULT_ID --query 'SecurityGroups[*].{IpPermissions:IpPermissions,IpPermissionsEgress:IpPermissionsEgress,GroupId:GroupId}' --output text |egrep '\s0.0.0.0|\:\:\/0')
|
||||
if [[ $CHECK_SGDEFAULT_ID_OPEN ]];then
|
||||
textFail "Default Security Groups ($CHECK_SGDEFAULT_ID) found that allow 0.0.0.0 IN or OUT traffic in Region $regx" "$regx"
|
||||
else
|
||||
|
||||
@@ -17,6 +17,10 @@ CHECK_ASFF_TYPE_check44="Software and Configuration Checks/Industry and Regulato
|
||||
CHECK_ASFF_RESOURCE_TYPE_check44="AwsEc2Vpc"
|
||||
CHECK_ALTERNATE_check404="check44"
|
||||
CHECK_SERVICENAME_check44="vpc"
|
||||
CHECK_RISK_check44='Being highly selective in peering routing tables is a very effective way of minimizing the impact of breach as resources outside of these routes are inaccessible to the peered VPC.'
|
||||
CHECK_REMEDIATION_check44='Review routing tables of peered VPCs for whether they route all subnets of each VPC and whether that is necessary to accomplish the intended purposes for peering the VPCs.'
|
||||
CHECK_DOC_check44='https://docs.aws.amazon.com/vpc/latest/peering/peering-configurations-partial-access.html'
|
||||
CHECK_CAF_EPIC_check44='Infrastructure Security'
|
||||
|
||||
check44(){
|
||||
# "Ensure routing tables for VPC peering are \"least access\" (Not Scored)"
|
||||
|
||||
@@ -21,6 +21,10 @@ CHECK_ALTERNATE_check71="extra71"
|
||||
CHECK_ALTERNATE_check701="extra71"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra71="ens-op.exp.10.aws.trail.2"
|
||||
CHECK_SERVICENAME_extra71="iam"
|
||||
CHECK_RISK_extra71='Policy "may" allow Anonymous users to perform actions.'
|
||||
CHECK_REMEDIATION_extra71='Ensure this repository and its contents should be publicly accessible.'
|
||||
CHECK_DOC_extra71='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html'
|
||||
CHECK_CAF_EPIC_extra71='Infrastructure Security'
|
||||
|
||||
extra71(){
|
||||
# "Ensure users of groups with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra710="AwsEc2Instance"
|
||||
CHECK_ALTERNATE_check710="extra710"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra710="ens-mp.com.4.aws.vpc.1"
|
||||
CHECK_SERVICENAME_extra710="ec2"
|
||||
CHECK_RISK_extra710='Exposing an EC2 directly to internet increases the attack surface and therefore the risk of compromise.'
|
||||
CHECK_REMEDIATION_extra710='Use an ALB and apply WAF ACL.'
|
||||
CHECK_DOC_extra710='https://aws.amazon.com/blogs/aws/aws-web-application-firewall-waf-for-application-load-balancers/'
|
||||
CHECK_CAF_EPIC_extra710='Infrastructure Security'
|
||||
|
||||
extra710(){
|
||||
# "Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -23,6 +23,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7100="AwsIamPolicy"
|
||||
CHECK_ALTERNATE_check7100="extra7100"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra7100="ens-op.acc.2.aws.iam.1"
|
||||
CHECK_SERVICENAME_extra7100="iam"
|
||||
CHECK_RISK_extra7100='If not restricted unintended access could happen.'
|
||||
CHECK_REMEDIATION_extra7100='Use the least privilege principle when granting permissions.'
|
||||
CHECK_DOC_extra7100='https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html'
|
||||
CHECK_CAF_EPIC_extra7100='IAM'
|
||||
|
||||
extra7100(){
|
||||
# "Ensure that no custom policies exist which permit assuming any role (e.g. sts:AssumeRole on *)"
|
||||
|
||||
@@ -10,6 +10,7 @@
|
||||
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
|
||||
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
|
||||
# specific language governing permissions and limitations under the License.
|
||||
|
||||
CHECK_ID_extra7101="7.101"
|
||||
CHECK_TITLE_extra7101="[extra7101] Check if Amazon Elasticsearch Service (ES) domains have audit logging enabled"
|
||||
CHECK_SCORED_extra7101="NOT_SCORED"
|
||||
@@ -18,14 +19,10 @@ CHECK_SEVERITY_extra7101="Low"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7101="AwsElasticsearchDomain"
|
||||
CHECK_ALTERNATE_check7101="extra7101"
|
||||
CHECK_SERVICENAME_extra7101="es"
|
||||
|
||||
# More info
|
||||
# Works for Amazon Elasticsearch Service domains (version 6.7+) with Fine Grained Access Control enabled
|
||||
# https://aws.amazon.com/about-aws/whats-new/2020/09/audit-logs-launch/
|
||||
# https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/audit-logs.html
|
||||
|
||||
# Remediation
|
||||
# aws es update-elasticsearch-domain-config --domain-name test1 --log-publishing-options "AUDIT_LOGS={CloudWatchLogsLogGroupArn=arn:aws:logs:us-east-1:123456789012:log-group:my-log-group,Enabled=true}" --region eu-west-1
|
||||
CHECK_RISK_extra7101='If logs are not enabled; monitoring of service use and threat analysis is not possible.'
|
||||
CHECK_REMEDIATION_extra7101='Make sure you are logging information about Amazon Elasticsearch Service operations.'
|
||||
CHECK_DOC_extra7101='https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/audit-logs.html'
|
||||
CHECK_CAF_EPIC_extra7101='Logging and Monitoring'
|
||||
|
||||
extra7101(){
|
||||
for regx in $REGIONS; do
|
||||
|
||||
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra7102="High"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7102="AwsEc2Eip"
|
||||
CHECK_ALTERNATE_check7102="extra7102"
|
||||
CHECK_SERVICENAME_extra7102="ec2"
|
||||
CHECK_RISK_extra7102='Sites like Shodan index exposed systems and further expose them to wider audiences as a quick way to find exploitable systems.'
|
||||
CHECK_REMEDIATION_extra7102='Check Identified IPs; consider changing them to private ones and delete them from Shodan.'
|
||||
CHECK_DOC_extra7102='https://www.shodan.io/'
|
||||
CHECK_CAF_EPIC_extra7102='Infrastructure Security'
|
||||
|
||||
# Watch out, always use Shodan API key, if you use `curl https://www.shodan.io/host/{ip}` massively
|
||||
# your IP will be banned by Shodan
|
||||
@@ -25,7 +29,6 @@ CHECK_SERVICENAME_extra7102="ec2"
|
||||
# This is the right way to do so
|
||||
# curl -ks https://api.shodan.io/shodan/host/{ip}?key={YOUR_API_KEY}
|
||||
|
||||
|
||||
# Each finding will be saved in prowler/output folder for further review.
|
||||
|
||||
extra7102(){
|
||||
@@ -33,7 +36,7 @@ extra7102(){
|
||||
textInfo "[extra7102] Requires a Shodan API key to work. Use -N <shodan_api_key>"
|
||||
else
|
||||
for regx in $REGIONS; do
|
||||
LIST_OF_EIP=$($AWSCLI $PROFILE_OPT --region $regx ec2 describe-addresses --query 'Addresses[*].PublicIp' --output text)
|
||||
LIST_OF_EIP=$($AWSCLI $PROFILE_OPT --region $regx ec2 describe-network-interfaces --query 'NetworkInterfaces[*].Association.PublicIp' --output text)
|
||||
if [[ $LIST_OF_EIP ]]; then
|
||||
for ip in $LIST_OF_EIP;do
|
||||
SHODAN_QUERY=$(curl -ks https://api.shodan.io/shodan/host/$ip?key=$SHODAN_API_KEY)
|
||||
|
||||
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7103="AwsSageMakerNotebookInstance"
|
||||
CHECK_ALTERNATE_check7103="extra7103"
|
||||
CHECK_SEVERITY_extra7103="Medium"
|
||||
CHECK_SERVICENAME_extra7103="sagemaker"
|
||||
CHECK_RISK_extra7103='Users with root access have administrator privileges; users can access and edit all files on a notebook instance with root access enabled.'
|
||||
CHECK_REMEDIATION_extra7103='set the RootAccess field to Disabled. You can also disable root access for users when you create or update a notebook instance in the Amazon SageMaker console.'
|
||||
CHECK_DOC_extra7103='https://docs.aws.amazon.com/sagemaker/latest/dg/nbi-root-access.html'
|
||||
CHECK_CAF_EPIC_extra7103='IAM'
|
||||
|
||||
extra7103(){
|
||||
for regx in ${REGIONS}; do
|
||||
|
||||
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7104="AwsSageMakerNotebookInstance"
|
||||
CHECK_ALTERNATE_check7104="extra7104"
|
||||
CHECK_SEVERITY_extra7104="Medium"
|
||||
CHECK_SERVICENAME_extra7104="sagemaker"
|
||||
CHECK_RISK_extra7104='This could provide an avenue for unauthorized access to your data.'
|
||||
CHECK_REMEDIATION_extra7104='Restrict which traffic can access by launching Studio in a Virtual Private Cloud (VPC) of your choosing.'
|
||||
CHECK_DOC_extra7104='https://docs.aws.amazon.com/sagemaker/latest/dg/studio-notebooks-and-internet-access.html'
|
||||
CHECK_CAF_EPIC_extra7104='Infrastructure Security'
|
||||
|
||||
extra7104(){
|
||||
for regx in ${REGIONS}; do
|
||||
|
||||
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7105="AwsSageMakerModel"
|
||||
CHECK_ALTERNATE_check7105="extra7105"
|
||||
CHECK_SEVERITY_extra7105="Medium"
|
||||
CHECK_SERVICENAME_extra7105="sagemaker"
|
||||
CHECK_RISK_extra7105='This could provide an avenue for unauthorized access to your data.'
|
||||
CHECK_REMEDIATION_extra7105='Restrict which traffic can access by launching Studio in a Virtual Private Cloud (VPC) of your choosing.'
|
||||
CHECK_DOC_extra7105='https://docs.aws.amazon.com/sagemaker/latest/dg/studio-notebooks-and-internet-access.html'
|
||||
CHECK_CAF_EPIC_extra7105='Infrastructure Security'
|
||||
|
||||
extra7105(){
|
||||
for regx in ${REGIONS}; do
|
||||
|
||||
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7106="AwsSageMakerModel"
|
||||
CHECK_ALTERNATE_check7106="extra7106"
|
||||
CHECK_SEVERITY_extra7106="Medium"
|
||||
CHECK_SERVICENAME_extra7106="sagemaker"
|
||||
CHECK_RISK_extra7106='This could provide an avenue for unauthorized access to your data.'
|
||||
CHECK_REMEDIATION_extra7106='Restrict which traffic can access by launching Studio in a Virtual Private Cloud (VPC) of your choosing.'
|
||||
CHECK_DOC_extra7106='https://docs.aws.amazon.com/sagemaker/latest/dg/studio-notebooks-and-internet-access.html'
|
||||
CHECK_CAF_EPIC_extra7106='Infrastructure Security'
|
||||
|
||||
extra7106(){
|
||||
for regx in ${REGIONS}; do
|
||||
|
||||
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7107="AwsSageMakerNotebookInstance"
|
||||
CHECK_ALTERNATE_check7107="extra7107"
|
||||
CHECK_SEVERITY_extra7107="Medium"
|
||||
CHECK_SERVICENAME_extra7107="sagemaker"
|
||||
CHECK_RISK_extra7107='If not restricted unintended access could happen.'
|
||||
CHECK_REMEDIATION_extra7107='Internetwork communications support TLS 1.2 encryption between all components and clients.'
|
||||
CHECK_DOC_extra7107='https://docs.aws.amazon.com/sagemaker/latest/dg/interface-vpc-endpoint.html'
|
||||
CHECK_CAF_EPIC_extra7107='Data Protection'
|
||||
|
||||
extra7107(){
|
||||
for regx in ${REGIONS}; do
|
||||
|
||||
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7108="AwsSageMakerNotebookInstance"
|
||||
CHECK_ALTERNATE_check7108="extra7108"
|
||||
CHECK_SEVERITY_extra7108="Medium"
|
||||
CHECK_SERVICENAME_extra7108="sagemaker"
|
||||
CHECK_RISK_extra7108='Data exfiltration could happen if information is not protected. KMS keys provide additional security level to IAM policies.'
|
||||
CHECK_REMEDIATION_extra7108='Specify AWS KMS keys to use for input and output from S3 and EBS.'
|
||||
CHECK_DOC_extra7108='https://docs.aws.amazon.com/sagemaker/latest/dg/key-management.html'
|
||||
CHECK_CAF_EPIC_extra7108='Data Protection'
|
||||
|
||||
extra7108(){
|
||||
for regx in ${REGIONS}; do
|
||||
|
||||
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7109="AwsSageMakerNotebookInstance"
|
||||
CHECK_ALTERNATE_check7109="extra7109"
|
||||
CHECK_SEVERITY_extra7109="Medium"
|
||||
CHECK_SERVICENAME_extra7109="sagemaker"
|
||||
CHECK_RISK_extra7109='This could provide an avenue for unauthorized access to your data.'
|
||||
CHECK_REMEDIATION_extra7109='Restrict which traffic can access by launching Studio in a Virtual Private Cloud (VPC) of your choosing.'
|
||||
CHECK_DOC_extra7109='https://docs.aws.amazon.com/sagemaker/latest/dg/interface-vpc-endpoint.html'
|
||||
CHECK_CAF_EPIC_extra7109='Infrastructure Security'
|
||||
|
||||
extra7109(){
|
||||
for regx in ${REGIONS}; do
|
||||
|
||||
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra711="High"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra711="AwsRedshiftCluster"
|
||||
CHECK_ALTERNATE_check711="extra711"
|
||||
CHECK_SERVICENAME_extra711="redshift"
|
||||
CHECK_RISK_extra711='Publicly accessible services could expose sensible data to bad actors.'
|
||||
CHECK_REMEDIATION_extra711='List all shared Redshift clusters and make sure there is a business reason for them.'
|
||||
CHECK_DOC_extra711='https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-vpc.html'
|
||||
CHECK_CAF_EPIC_extra711='Data Protection'
|
||||
|
||||
extra711(){
|
||||
# "Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7110="AwsSageMakerNotebookInstance"
|
||||
CHECK_ALTERNATE_check7110="extra7110"
|
||||
CHECK_SEVERITY_extra7110="Medium"
|
||||
CHECK_SERVICENAME_extra7110="sagemaker"
|
||||
CHECK_RISK_extra7110='This could provide an avenue for unauthorized access to your data.'
|
||||
CHECK_REMEDIATION_extra7110='Restrict which traffic can access by launching Studio in a Virtual Private Cloud (VPC) of your choosing.'
|
||||
CHECK_DOC_extra7110='https://docs.aws.amazon.com/sagemaker/latest/dg/interface-vpc-endpoint.html'
|
||||
CHECK_CAF_EPIC_extra7110='Infrastructure Security'
|
||||
|
||||
extra7110(){
|
||||
for regx in ${REGIONS}; do
|
||||
|
||||
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7111="AwsSageMakerNotebookInstance"
|
||||
CHECK_ALTERNATE_check7111="extra7111"
|
||||
CHECK_SEVERITY_extra7111="Medium"
|
||||
CHECK_SERVICENAME_extra7111="sagemaker"
|
||||
CHECK_RISK_extra7111='This could provide an avenue for unauthorized access to your data.'
|
||||
CHECK_REMEDIATION_extra7111='Restrict which traffic can access by launching Studio in a Virtual Private Cloud (VPC) of your choosing.'
|
||||
CHECK_DOC_extra7111='https://docs.aws.amazon.com/sagemaker/latest/dg/interface-vpc-endpoint.html'
|
||||
CHECK_CAF_EPIC_extra7111='Infrastructure Security'
|
||||
|
||||
extra7111(){
|
||||
for regx in ${REGIONS}; do
|
||||
|
||||
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7112="AwsSageMakerNotebookInstance"
|
||||
CHECK_ALTERNATE_check7112="extra7112"
|
||||
CHECK_SEVERITY_extra7112="Medium"
|
||||
CHECK_SERVICENAME_extra7112="sagemaker"
|
||||
CHECK_RISK_extra7112='Data exfiltration could happen if information is not protected. KMS keys provide additional security level to IAM policies.'
|
||||
CHECK_REMEDIATION_extra7112='Specify AWS KMS keys to use for input and output from S3 and EBS.'
|
||||
CHECK_DOC_extra7112='https://docs.aws.amazon.com/sagemaker/latest/dg/key-management.html'
|
||||
CHECK_CAF_EPIC_extra7112='Data Protection'
|
||||
|
||||
extra7112(){
|
||||
for regx in ${REGIONS}; do
|
||||
|
||||
@@ -30,6 +30,10 @@ CHECK_SEVERITY_extra7113="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7113="AwsRdsDbInstance"
|
||||
CHECK_ALTERNATE_check7113="extra7113"
|
||||
CHECK_SERVICENAME_extra7113="rds"
|
||||
CHECK_RISK_extra7113='You can only delete instances that do not have deletion protection enabled.'
|
||||
CHECK_REMEDIATION_extra7113='Enable deletion protection using the AWS Management Console for production DB instances.'
|
||||
CHECK_DOC_extra7113='https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_DeleteInstance.html'
|
||||
CHECK_CAF_EPIC_extra7113='Data Protection'
|
||||
|
||||
extra7113(){
|
||||
textInfo "Looking for RDS Volumes in all regions... "
|
||||
|
||||
@@ -19,6 +19,10 @@ CHECK_SEVERITY_extra7114="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7114="AwsGlue"
|
||||
CHECK_ALTERNATE_check7114="extra7114"
|
||||
CHECK_SERVICENAME_extra7114="glue"
|
||||
CHECK_RISK_extra7114='Data exfiltration could happen if information is not protected. KMS keys provide additional security level to IAM policies.'
|
||||
CHECK_REMEDIATION_extra7114='Specify AWS KMS keys to use for input and output from S3 and EBS.'
|
||||
CHECK_DOC_extra7114='https://docs.aws.amazon.com/glue/latest/dg/encryption-security-configuration.html'
|
||||
CHECK_CAF_EPIC_extra7114='Data Protection'
|
||||
|
||||
extra7114(){
|
||||
for regx in $REGIONS; do
|
||||
|
||||
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra7115="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7115="AwsGlue"
|
||||
CHECK_ALTERNATE_check7115="extra7115"
|
||||
CHECK_SERVICENAME_extra7115="glue"
|
||||
CHECK_RISK_extra7115='Data exfiltration could happen if information is not protected in transit.'
|
||||
CHECK_REMEDIATION_extra7115='Configure encryption settings for crawlers; ETL jobs; and development endpoints using security configurations in AWS Glue.'
|
||||
CHECK_DOC_extra7115='https://docs.aws.amazon.com/glue/latest/dg/encryption-in-transit.html'
|
||||
CHECK_CAF_EPIC_extra7115='Data Protection'
|
||||
|
||||
extra7115(){
|
||||
for regx in $REGIONS; do
|
||||
|
||||
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra7116="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7116="AwsGlue"
|
||||
CHECK_ALTERNATE_check7116="extra7116"
|
||||
CHECK_SERVICENAME_extra7116="glue"
|
||||
CHECK_RISK_extra7116='If not enabled sensible information at rest is not protected.'
|
||||
CHECK_REMEDIATION_extra7116='Enable Encryption. Use a CMK where possible. It will provide additional management and privacy benefits.'
|
||||
CHECK_DOC_extra7116='https://docs.aws.amazon.com/glue/latest/dg/encrypt-glue-data-catalog.html'
|
||||
CHECK_CAF_EPIC_extra7116='Data Protection'
|
||||
|
||||
extra7116(){
|
||||
for regx in $REGIONS; do
|
||||
|
||||
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra7117="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7117="AwsGlue"
|
||||
CHECK_ALTERNATE_check7117="extra7117"
|
||||
CHECK_SERVICENAME_extra7117="glue"
|
||||
CHECK_RISK_extra7117='If not enabled sensible information at rest is not protected.'
|
||||
CHECK_REMEDIATION_extra7117='On the AWS Glue console; you can enable this option on the Data catalog settings page.'
|
||||
CHECK_DOC_extra7117='https://docs.aws.amazon.com/glue/latest/dg/encrypt-connection-passwords.html'
|
||||
CHECK_CAF_EPIC_extra7117='Data Protection'
|
||||
|
||||
extra7117(){
|
||||
for regx in $REGIONS; do
|
||||
|
||||
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra7118="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7118="AwsGlue"
|
||||
CHECK_ALTERNATE_check7118="extra7118"
|
||||
CHECK_SERVICENAME_extra7118="glue"
|
||||
CHECK_RISK_extra7118='If not enabled sensible information at rest is not protected.'
|
||||
CHECK_REMEDIATION_extra7118='Provide the encryption properties that are used by crawlers; jobs; and development endpoints.'
|
||||
CHECK_DOC_extra7118='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html'
|
||||
CHECK_CAF_EPIC_extra7118='Data Protection'
|
||||
|
||||
extra7118(){
|
||||
for regx in $REGIONS; do
|
||||
|
||||
@@ -19,6 +19,10 @@ CHECK_SEVERITY_extra7119="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7119="AwsGlue"
|
||||
CHECK_ALTERNATE_check7119="extra7119"
|
||||
CHECK_SERVICENAME_extra7119="glue"
|
||||
CHECK_RISK_extra7119='If not enabled sensible information at rest is not protected.'
|
||||
CHECK_REMEDIATION_extra7119='Enable Encryption in the Security configurations.'
|
||||
CHECK_DOC_extra7119='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html'
|
||||
CHECK_CAF_EPIC_extra7119='Logging and Monitoring'
|
||||
|
||||
extra7119(){
|
||||
for regx in $REGIONS; do
|
||||
|
||||
@@ -18,10 +18,14 @@ CHECK_SEVERITY_extra712="Low"
|
||||
CHECK_ALTERNATE_check712="extra712"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra712="AwsMacieSession"
|
||||
CHECK_SERVICENAME_extra712="macie"
|
||||
CHECK_RISK_extra712='Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to help you discover; monitor; and protect your sensitive data in AWS.'
|
||||
CHECK_REMEDIATION_extra712='Enable Amazon Macie and create appropriate jobs to discover sensitive data.'
|
||||
CHECK_DOC_extra712='https://docs.aws.amazon.com/macie/latest/user/getting-started.html'
|
||||
CHECK_CAF_EPIC_extra712='Data Protection'
|
||||
|
||||
extra712(){
|
||||
textInfo "No API commands available to check if Macie is enabled,"
|
||||
textInfo "just looking if IAM Macie related permissions exist. "
|
||||
# textInfo "No API commands available to check if Macie is enabled,"
|
||||
# textInfo "just looking if IAM Macie related permissions exist. "
|
||||
MACIE_IAM_ROLES_CREATED=$($AWSCLI iam list-roles $PROFILE_OPT --query 'Roles[*].Arn'|grep AWSMacieServiceCustomer|wc -l)
|
||||
if [[ $MACIE_IAM_ROLES_CREATED -eq 2 ]];then
|
||||
textPass "Macie related IAM roles exist so it might be enabled. Check it out manually"
|
||||
|
||||
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra7120="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7120="AwsGlue"
|
||||
CHECK_ALTERNATE_check7120="extra7120"
|
||||
CHECK_SERVICENAME_extra7120="glue"
|
||||
CHECK_RISK_extra7120='If not enabled sensible information at rest is not protected.'
|
||||
CHECK_REMEDIATION_extra7120='Enable Encryption in the Security configurations.'
|
||||
CHECK_DOC_extra7120='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html'
|
||||
CHECK_CAF_EPIC_extra7120='Logging and Monitoring'
|
||||
|
||||
extra7120(){
|
||||
for regx in $REGIONS; do
|
||||
|
||||
@@ -19,6 +19,10 @@ CHECK_SEVERITY_extra7121="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7121="AwsGlue"
|
||||
CHECK_ALTERNATE_check7121="extra7121"
|
||||
CHECK_SERVICENAME_extra7121="glue"
|
||||
CHECK_RISK_extra7121='If not enabled sensible information at rest is not protected.'
|
||||
CHECK_REMEDIATION_extra7121='Enable Encryption in the Security configurations.'
|
||||
CHECK_DOC_extra7121='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html'
|
||||
CHECK_CAF_EPIC_extra7121='Data Protection'
|
||||
|
||||
extra7121(){
|
||||
for regx in $REGIONS; do
|
||||
|
||||
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra7122="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7122="AwsGlue"
|
||||
CHECK_ALTERNATE_check7122="extra7122"
|
||||
CHECK_SERVICENAME_extra7122="glue"
|
||||
CHECK_RISK_extra7122='If not enabled sensible information at rest is not protected.'
|
||||
CHECK_REMEDIATION_extra7122='Enable Encryption in the Security configurations.'
|
||||
CHECK_DOC_extra7122='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html'
|
||||
CHECK_CAF_EPIC_extra7122='Data Protection'
|
||||
|
||||
extra7122(){
|
||||
for regx in $REGIONS; do
|
||||
|
||||
@@ -20,6 +20,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7123="AwsIamUser"
|
||||
CHECK_ALTERNATE_check7123="extra7123"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra7123="ens-op.acc.1.aws.iam.2"
|
||||
CHECK_SERVICENAME_extra7123="iam"
|
||||
CHECK_RISK_extra7123='Access Keys could be lost or stolen. It creates a critical risk.'
|
||||
CHECK_REMEDIATION_extra7123='Avoid using long lived access keys.'
|
||||
CHECK_DOC_extra7123='https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAccessKeys.html'
|
||||
CHECK_CAF_EPIC_extra7123='IAM'
|
||||
|
||||
extra7123(){
|
||||
LIST_OF_USERS_WITH_2ACCESS_KEYS=$(cat $TEMP_REPORT_FILE| awk -F, '{ print $1, $9, $14 }' |grep "\ true\ true" | awk '{ print $1 }')
|
||||
|
||||
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7124="AwsEc2Instance"
|
||||
CHECK_ALTERNATE_check7124="extra7124"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra7124="ens-op.exp.1.aws.sys.1 ens-op.acc.4.aws.sys.1"
|
||||
CHECK_SERVICENAME_extra7124="ssm"
|
||||
CHECK_RISK_extra7124='AWS Config provides AWS Managed Rules; which are predefined; customizable rules that AWS Config uses to evaluate whether your AWS resource configurations comply with common best practices.'
|
||||
CHECK_REMEDIATION_extra7124='Verify and apply Systems Manager Prerequisites.'
|
||||
CHECK_DOC_extra7124='https://docs.aws.amazon.com/systems-manager/latest/userguide/managed_instances.html'
|
||||
CHECK_CAF_EPIC_extra7124='Infrastructure Security'
|
||||
|
||||
extra7124(){
|
||||
for regx in $REGIONS; do
|
||||
|
||||
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7125="AwsIamUser"
|
||||
CHECK_ALTERNATE_check7125="extra7125"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra7125="ens-op.acc.5.aws.iam.2"
|
||||
CHECK_SERVICENAME_extra7125="iam"
|
||||
CHECK_RISK_extra7125='Hardware MFA is preferred over virtual MFA.'
|
||||
CHECK_REMEDIATION_extra7125='Enable hardware MFA device for an IAM user from the AWS Management Console; the command line; or the IAM API.'
|
||||
CHECK_DOC_extra7125='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_physical.html'
|
||||
CHECK_CAF_EPIC_extra7125='IAM'
|
||||
|
||||
extra7125(){
|
||||
LIST_USERS=$($AWSCLI iam list-users --query 'Users[*].UserName' --output text $PROFILE_OPT --region $REGION)
|
||||
|
||||
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7126="AwsKmsKey"
|
||||
CHECK_ALTERNATE_check7126="extra7126"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra7126="op.exp.11.aws.kms.2"
|
||||
CHECK_SERVICENAME_extra7126="kms"
|
||||
CHECK_RISK_extra7126='Unused keys may increase service cost.'
|
||||
CHECK_REMEDIATION_extra7126='Before deleting a customer master key (CMK); you might want to know how many cipher-texts were encrypted under that key. '
|
||||
CHECK_DOC_extra7126='https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys-determining-usage.html'
|
||||
CHECK_CAF_EPIC_extra7126='Data Protection'
|
||||
|
||||
extra7126(){
|
||||
for regx in $REGIONS; do
|
||||
|
||||
@@ -20,7 +20,10 @@ CHECK_ASFF_TYPE_extra7127="Software and Configuration Checks/ENS op.exp.4.aws.sy
|
||||
CHECK_ALTERNATE_check7127="extra7127"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra7127="ens-op.exp.1.aws.sys.1 ens-op.exp.4.aws.sys.1"
|
||||
CHECK_SERVICENAME_extra7127="ssm"
|
||||
|
||||
CHECK_RISK_extra7127='Without the most recent security patches your system is potentially vulnerable to cyberattacks. Even the best-designed software can not anticipate every future threat to cybersecurity. Poor patch management can leave an organizations data exposed subjecting them to malware and ransomware attacks.'
|
||||
CHECK_REMEDIATION_extra7127='Consider using SSM in all accounts and services to at least monitor for missing patches on servers. Use a robust process to apply security fixes as soon as they are made available. Patch compliance data from Patch Manager can be sent to AWS Security Hub to centralize security issues.'
|
||||
CHECK_DOC_extra7127='https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-compliance-identify.html'
|
||||
CHECK_CAF_EPIC_extra7127='Infrastructure Security'
|
||||
|
||||
extra7127(){
|
||||
for regx in $REGIONS; do
|
||||
|
||||
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7128="AwsDynamoDBTable"
|
||||
CHECK_ALTERNATE_check7128="extra7128"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra7128="ens-mp.info.3.aws.dyndb.1"
|
||||
CHECK_SERVICENAME_extra7128="dynamodb"
|
||||
CHECK_RISK_extra7128='All user data stored in Amazon DynamoDB is fully encrypted at rest. This functionality helps reduce the operational burden and complexity involved in protecting sensitive data.'
|
||||
CHECK_REMEDIATION_extra7128='Specify an encryption key when you create a new table or switch the encryption keys on an existing table by using the AWS Management Console.'
|
||||
CHECK_DOC_extra7128='https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html'
|
||||
CHECK_CAF_EPIC_extra7128='Data Protection'
|
||||
|
||||
extra7128(){
|
||||
for regx in $REGIONS; do
|
||||
|
||||
@@ -19,6 +19,10 @@ CHECK_ASFF_RESOURCE_TYPE_extra7129="AwsElasticLoadBalancingV2LoadBalancer"
|
||||
CHECK_ALTERNATE_check7129="extra7129"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra7129="ens-mp.s.2.aws.waf.3"
|
||||
CHECK_SERVICENAME_extra7129="elb"
|
||||
CHECK_RISK_extra7129='If not WAF ACL is attached risk of web attacks increases.'
|
||||
CHECK_REMEDIATION_extra7129='Using the AWS Management Console open the AWS WAF console to attach an ACL.'
|
||||
CHECK_DOC_extra7129='https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-associating-aws-resource.html'
|
||||
CHECK_CAF_EPIC_extra7129='Infrastructure Security'
|
||||
|
||||
extra7129(){
|
||||
for regx in $REGIONS; do
|
||||
|
||||
@@ -19,6 +19,10 @@ CHECK_ALTERNATE_check713="extra713"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra713="ens-op.mon.1.aws.duty.1"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra713="AwsGuardDutyDetector"
|
||||
CHECK_SERVICENAME_extra713="guardduty"
|
||||
CHECK_RISK_extra713='Amazon GuardDuty is a continuous security monitoring service that analyzes and processes several datasources.'
|
||||
CHECK_REMEDIATION_extra713='Enable GuardDuty and analyze its findings.'
|
||||
CHECK_DOC_extra713='https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html'
|
||||
CHECK_CAF_EPIC_extra713='Data Protection'
|
||||
|
||||
extra713(){
|
||||
# "Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -19,6 +19,10 @@ CHECK_SEVERITY_extra7130="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7130="AwsSnsTopic"
|
||||
CHECK_ALTERNATE_check7130="extra7130"
|
||||
CHECK_SERVICENAME_extra7130="sns"
|
||||
CHECK_RISK_extra7130='If not enabled sensible information at rest is not protected.'
|
||||
CHECK_REMEDIATION_extra7130='Use Amazon SNS with AWS KMS.'
|
||||
CHECK_DOC_extra7130='https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html'
|
||||
CHECK_CAF_EPIC_extra7130='Data Protection'
|
||||
|
||||
extra7130(){
|
||||
textInfo "Looking for SNS Topics in all regions... "
|
||||
|
||||
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra7131="Low"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7131="AwsRdsDbInstance"
|
||||
CHECK_ALTERNATE_check7131="extra7131"
|
||||
CHECK_SERVICENAME_extra7131="rds"
|
||||
CHECK_RISK_extra7131='Auto Minor Version Upgrade is a feature that you can enable to have your database automatically upgraded when a new minor database engine version is available. Minor version upgrades often patch security vulnerabilities and fix bugs; and therefor should be applied.'
|
||||
CHECK_REMEDIATION_extra7131='Enable auto minor version upgrade for all databases and environments.'
|
||||
CHECK_DOC_extra7131='https://aws.amazon.com/blogs/database/best-practices-for-upgrading-amazon-rds-to-major-and-minor-versions-of-postgresql/'
|
||||
CHECK_CAF_EPIC_extra7131='Infrastructure Security'
|
||||
|
||||
extra7131(){
|
||||
for regx in $REGIONS; do
|
||||
|
||||
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra7132="Low"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7132="AwsRdsDbInstance"
|
||||
CHECK_ALTERNATE_check7132="extra7132"
|
||||
CHECK_SERVICENAME_extra7132="rds"
|
||||
CHECK_RISK_extra7132='A smaller monitoring interval results in more frequent reporting of OS metrics.'
|
||||
CHECK_REMEDIATION_extra7132='To use Enhanced Monitoring; you must create an IAM role; and then enable Enhanced Monitoring.'
|
||||
CHECK_DOC_extra7132='https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Monitoring.OS.html'
|
||||
CHECK_CAF_EPIC_extra7132='Logging and Monitoring'
|
||||
|
||||
extra7132(){
|
||||
for regx in $REGIONS; do
|
||||
|
||||
@@ -18,8 +18,10 @@ CHECK_SEVERITY_extra7133="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7133="AwsRdsDbInstance"
|
||||
CHECK_ALTERNATE_check7133="extra7133"
|
||||
CHECK_SERVICENAME_extra7133="rds"
|
||||
CHECK_RISK_extra7133="In case of failure with a single-AZ deployment configuration should an availability zone specific database failure occur Amazon RDS can not automatically fail over to the standby availability zone."
|
||||
CHECK_REMEDIATION_extra7133="Enable multi-AZ deployment for production databases. More here: https://aws.amazon.com/rds/features/multi-az/."
|
||||
CHECK_RISK_extra7133='In case of failure; with a single-AZ deployment configuration; should an availability zone specific database failure occur; Amazon RDS can not automatically fail over to the standby availability zone.'
|
||||
CHECK_REMEDIATION_extra7133='Enable multi-AZ deployment for production databases.'
|
||||
CHECK_DOC_extra7133='https://aws.amazon.com/rds/features/multi-az/'
|
||||
CHECK_CAF_EPIC_extra7133='Data Protection'
|
||||
|
||||
extra7133(){
|
||||
for regx in $REGIONS; do
|
||||
|
||||
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra714="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra714="AwsCloudFrontDistribution"
|
||||
CHECK_ALTERNATE_check714="extra714"
|
||||
CHECK_SERVICENAME_extra714="cloudfront"
|
||||
CHECK_RISK_extra714='If not enabled monitoring of service use is not possible.'
|
||||
CHECK_REMEDIATION_extra714='Real-time monitoring can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Enable logging for services with defined log rotation. This logs are useful for Incident Response and forensics investigation among other use cases.'
|
||||
CHECK_DOC_extra714='https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html'
|
||||
CHECK_CAF_EPIC_extra714='Logging and Monitoring'
|
||||
|
||||
extra714(){
|
||||
# "Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra715="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra715="AwsElasticsearchDomain"
|
||||
CHECK_ALTERNATE_check715="extra715"
|
||||
CHECK_SERVICENAME_extra715="es"
|
||||
CHECK_RISK_extra715='Amazon ES exposes four Elasticsearch logs through Amazon CloudWatch Logs: error logs; search slow logs; index slow logs; and audit logs. '
|
||||
CHECK_REMEDIATION_extra715='Enable Elasticsearch log. Create use cases for them. Using audit logs check for access denied events.'
|
||||
CHECK_DOC_extra715='https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createdomain-configure-slow-logs.html'
|
||||
CHECK_CAF_EPIC_extra715='Logging and Monitoring'
|
||||
|
||||
extra715(){
|
||||
for regx in $REGIONS; do
|
||||
|
||||
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra716="Critical"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra716="AwsElasticsearchDomain"
|
||||
CHECK_ALTERNATE_check716="extra716"
|
||||
CHECK_SERVICENAME_extra716="es"
|
||||
CHECK_RISK_extra716='Publicly accessible services could expose sensible data to bad actors.'
|
||||
CHECK_REMEDIATION_extra716='Use VPC endpoints for internal services.'
|
||||
CHECK_DOC_extra716='https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-vpc.html'
|
||||
CHECK_CAF_EPIC_extra716='Infrastructure Security'
|
||||
|
||||
extra716(){
|
||||
for regx in $REGIONS; do
|
||||
|
||||
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra717="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra717="AwsElbLoadBalancer"
|
||||
CHECK_ALTERNATE_check717="extra717"
|
||||
CHECK_SERVICENAME_extra717="elb"
|
||||
CHECK_RISK_extra717='If logs are not enabled monitoring of service use and threat analysis is not possible.'
|
||||
CHECK_REMEDIATION_extra717='Enable ELB logging; create la log lifecycle and define use cases.'
|
||||
CHECK_DOC_extra717='https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html'
|
||||
CHECK_CAF_EPIC_extra717='Logging and Monitoring'
|
||||
|
||||
extra717(){
|
||||
# "Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra718="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra718="AwsS3Bucket"
|
||||
CHECK_ALTERNATE_check718="extra718"
|
||||
CHECK_SERVICENAME_extra718="s3"
|
||||
CHECK_RISK_extra718='Server access logs can assist you in security and access audits; help you learn about your customer base; and understand your Amazon S3 bill.'
|
||||
CHECK_REMEDIATION_extra718='Ensure that S3 buckets have Logging enabled. CloudTrail data events can be used in place of S3 bucket logging. If that is the case; this finding can be considered a false positive.'
|
||||
CHECK_DOC_extra718='https://docs.aws.amazon.com/AmazonS3/latest/dev/security-best-practices.html'
|
||||
CHECK_CAF_EPIC_extra718='Logging and Monitoring'
|
||||
|
||||
extra718(){
|
||||
# "Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra719="Medium"
|
||||
CHECK_ALTERNATE_check719="extra719"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra719="AwsRoute53HostedZone"
|
||||
CHECK_SERVICENAME_extra719="route53"
|
||||
CHECK_RISK_extra719='If logs are not enabled; monitoring of service use and threat analysis is not possible.'
|
||||
CHECK_REMEDIATION_extra719='Enable CloudWatch logs and define metrics and uses cases for the events recorded.'
|
||||
CHECK_DOC_extra719='https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/monitoring-hosted-zones-with-cloudwatch.html'
|
||||
CHECK_CAF_EPIC_extra719='Logging and Monitoring'
|
||||
|
||||
extra719(){
|
||||
# You can't create a query logging config for a private hosted zone.
|
||||
|
||||
@@ -19,7 +19,11 @@ CHECK_ASFF_RESOURCE_TYPE_extra72="AwsEc2Snapshot"
|
||||
CHECK_ALTERNATE_extra702="extra72"
|
||||
CHECK_ALTERNATE_check72="extra72"
|
||||
CHECK_ALTERNATE_check702="extra72"
|
||||
CHECK_SERVICENAME_check72="ec2"
|
||||
CHECK_SERVICENAME_extra72="ec2"
|
||||
CHECK_RISK_extra72='When you share a snapshot; you are giving others access to all of the data on the snapshot. Share snapshots only with people with whom you want to share all of your snapshot data.'
|
||||
CHECK_REMEDIATION_extra72='Ensure the snapshot should be shared.'
|
||||
CHECK_DOC_extra72='https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html'
|
||||
CHECK_CAF_EPIC_extra72='Data Protection'
|
||||
|
||||
extra72(){
|
||||
# "Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra720="Low"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra720="AwsLambdaFunction"
|
||||
CHECK_ALTERNATE_check720="extra720"
|
||||
CHECK_SERVICENAME_extra720="lambda"
|
||||
CHECK_RISK_extra720='If logs are not enabled; monitoring of service use and threat analysis is not possible.'
|
||||
CHECK_REMEDIATION_extra720='Make sure you are logging information about Lambda operations. Create a lifecycle and use cases for each trail.'
|
||||
CHECK_DOC_extra720='https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html'
|
||||
CHECK_CAF_EPIC_extra720='Logging and Monitoring'
|
||||
|
||||
extra720(){
|
||||
# "Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra721="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra721="AwsRedshiftCluster"
|
||||
CHECK_ALTERNATE_check721="extra721"
|
||||
CHECK_SERVICENAME_extra721="redshift"
|
||||
CHECK_RISK_extra721='If logs are not enabled; monitoring of service use and threat analysis is not possible.'
|
||||
CHECK_REMEDIATION_extra721='Enable logs. Create an S3 lifecycle policy. Define use cases; metrics and automated responses where applicable.'
|
||||
CHECK_DOC_extra721='https://docs.aws.amazon.com/redshift/latest/mgmt/db-auditing.html'
|
||||
CHECK_CAF_EPIC_extra721='Logging and Monitoring'
|
||||
|
||||
extra721(){
|
||||
# "Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra722="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra722="AwsApiGatewayRestApi"
|
||||
CHECK_ALTERNATE_check722="extra722"
|
||||
CHECK_SERVICENAME_extra722="apigateway"
|
||||
CHECK_RISK_extra722='If not enabled; monitoring of service use is not possible. Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.'
|
||||
CHECK_REMEDIATION_extra722='Monitoring is an important part of maintaining the reliability; availability; and performance of API Gateway and your AWS solutions. You should collect monitoring data from all of the parts of your AWS solution. CloudTrail provides a record of actions taken by a user; role; or an AWS service in API Gateway. Using the information collected by CloudTrail; you can determine the request that was made to API Gateway; the IP address from which the request was made; who made the request; etc.'
|
||||
CHECK_DOC_extra722='https://docs.aws.amazon.com/apigateway/latest/developerguide/security-monitoring.html'
|
||||
CHECK_CAF_EPIC_extra722='Logging and Monitoring'
|
||||
|
||||
extra722(){
|
||||
# "Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -18,6 +18,10 @@ CHECK_SEVERITY_extra723="Critical"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra723="AwsRdsDbSnapshot"
|
||||
CHECK_ALTERNATE_check723="extra723"
|
||||
CHECK_SERVICENAME_extra723="rds"
|
||||
CHECK_RISK_extra723='Publicly accessible services could expose sensible data to bad actors. t is recommended that your RDS snapshots should not be public in order to prevent potential leak or misuse of sensitive data or any other kind of security threat. If your RDS snapshot is public; then the data which is backed up in that snapshot is accessible to all other AWS accounts.'
|
||||
CHECK_REMEDIATION_extra723='Use AWS Config to identify any sanpshot that is public.'
|
||||
CHECK_DOC_extra723='https://docs.aws.amazon.com/config/latest/developerguide/rds-snapshots-public-prohibited.html'
|
||||
CHECK_CAF_EPIC_extra723='Data Protection'
|
||||
|
||||
extra723(){
|
||||
# "Check if RDS Snapshots are public (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user