diff --git a/prowler b/prowler index 0babb90b..35a4fd23 100755 --- a/prowler +++ b/prowler @@ -45,23 +45,28 @@ RED="" YELLOW="" WHITE="" -DEFULT_AWS_PROFILE="default" -DEFAULT_AWS_REGION="us-east-1" +# Set the defaults for these getopts variables +PROFILE="default" +REGION="us-east-1" +FILTERREGION="" +MAXITEMS=100 # Command usage menu usage(){ echo -e "\nUSAGE: `basename $0` -p -r [ -h ] Options: - -p specify your AWS profile to use (i.e.: default) - -r specify a desired AWS region to use (i.e.: us-east-1) - -c specify a check number or group from the AWS CIS benchmark (i.e.: check11 for check 1.1 or check3 for entire section 3) - -h this help + -p specify your AWS profile to use (i.e.: default) + -r specify an AWS region to direct API requests to (i.e.: us-east-1) + -c specify a check number or group from the AWS CIS benchmark (i.e.: check11 for check 1.1 or check3 for entire section 3) + -f specify an AWS region to run checks against (i.e.: us-west-1) + -m specify the maximum number of items to return for long-running requests (default: 100) + -h this help " exit } -while getopts "hp:r:c:" OPTION; do +while getopts "hp:r:c:f:m:" OPTION; do case $OPTION in h ) usage @@ -76,6 +81,12 @@ while getopts "hp:r:c:" OPTION; do c ) CHECKNUMBER=$OPTARG ;; + f ) + FILTERREGION=$OPTARG + ;; + m ) + MAXITEMS=$OPTARG + ;; : ) echo -e "\n$RED ERROR!$NORMAL -$OPTARG requires an argument\n" exit 1 @@ -160,11 +171,6 @@ else exit fi -if [[ "$#" -le 2 ]]; then - PROFILE=$DEFULT_AWS_PROFILE - REGION=$DEFAULT_AWS_REGION -fi - if [[ ! -f ~/.aws/credentials ]]; then echo -e "\n$RED ERROR!$NORMAL AWS credentials file not found (~/.aws/credentials). Run 'aws configure' first. \n" return 1 
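Review bot: The new `-f` usage line does not say what happens when the flag is omitted, although the default `FILTERREGION=""` added in this hunk and the getWhoami banner elsewhere in the commit treat an empty value as "all regions"; a reader of the help text cannot tell whether `-f` is required. I would extend the line to `-f specify an AWS region to run checks against (default: all regions) (i.e.: us-west-1)`. The `-m` line says "long-running requests", but within this diff only the SNS subscription listing in check315 consumes MAXITEMS, so either naming that scope in the help text or adding a comment above `MAXITEMS=100` saying which calls honour it would avoid implying every paginated call does.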
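Review bot: The new `m )` arm stores `$OPTARG` without checking that it is a positive integer, so `-m abc` or `-m -5` is only rejected later by the AWS CLI inside a command substitution, where the error is not visible to the script and the affected check appears to run with no findings. A guard in the arm, `[[ "$OPTARG" =~ ^[1-9][0-9]*$ ]] || { echo -e "\n$RED ERROR!$NORMAL -m requires a positive integer\n"; exit 1; }`, fails fast in the script's existing error style. The `f )` arm has the same shape and should at least reject an empty or whitespace-only value, since `$FILTERREGION` is later passed unquoted to `--region-names` in this same diff.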
@@ -196,7 +202,7 @@ echo -e " |_|$NORMAL$BLUE CIS based AWS Account Hardening Tool$NORMAL\n" # Get whoami in AWS, who is the user running this shell script getWhoami() { echo -e "\nThis report is being generated using credentials below:\n" - echo -e "AWS-CLI Profile: $NOTICE[$PROFILE]$NORMAL AWS Region: $NOTICE[$REGION]$NORMAL\n" + echo -e "AWS-CLI Profile: $NOTICE[$PROFILE]$NORMAL AWS API Region: $NOTICE[$REGION]$NORMAL AWS Filter Region: $NOTICE[${FILTERREGION:-all}]\n" $AWSCLI sts get-caller-identity --output table --profile $PROFILE --region $REGION } @@ -232,7 +238,8 @@ cleanTemp(){ REGIONS=$($AWSCLI ec2 describe-regions --query 'Regions[].RegionName' \ --output text \ --profile $PROFILE \ - --region $REGION) + --region $REGION \ + --region-names $FILTERREGION) infoReferenceLong(){ # Report review note: @@ -1002,7 +1009,7 @@ check315(){ TOPICS_LIST=$($AWSCLI sns list-topics --profile $PROFILE --region $regx --output text --query 'Topics[*].TopicArn') if [[ $TOPICS_LIST ]];then for topic in $TOPICS_LIST; do - CHECK_TOPIC_LIST=$($AWSCLI sns list-subscriptions-by-topic --topic-arn $topic --profile $PROFILE --region $regx --query 'Subscriptions[*].{Endpoint:Endpoint,Protocol:Protocol}' --output text) + CHECK_TOPIC_LIST=$($AWSCLI sns list-subscriptions-by-topic --topic-arn $topic --profile $PROFILE --region $regx --query 'Subscriptions[*].{Endpoint:Endpoint,Protocol:Protocol}' --output text --max-items $MAXITEMS | grep -v "None") if [[ $CHECK_TOPIC_LIST ]]; then TOPIC_SHORT=$(echo $topic | awk -F: '{ print $7 }') echo -e " $NOTICE Region $regx with Topic $TOPIC_SHORT: $NORMAL "
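Review bot: The rewritten banner line in getWhoami drops the trailing `$NORMAL` that the old line had after the region bracket, so the `$NOTICE` attribute set before `[${FILTERREGION:-all}]` is left active and may bleed into the `sts get-caller-identity` table printed on the next line. Append the reset: `... AWS Filter Region: $NOTICE[${FILTERREGION:-all}]$NORMAL\n"`.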
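Review bot: `--region-names $FILTERREGION` is now passed unconditionally, but FILTERREGION defaults to the empty string in this commit, so a run without `-f` emits `--region-names` with no value; the CLI parser rejects an option that expects at least one argument, the command substitution yields an empty REGIONS, and every per-region check then iterates over nothing — a scan that looks successful while covering no regions. Build the option only when a filter was given and quote the expansion so the value is not word-split or globbed, as below; it is also worth failing loudly if REGIONS comes back empty (an unknown region name makes describe-regions fail the same way), though that check sits outside this hunk.
```shell
REGION_ARGS=()
if [[ -n "$FILTERREGION" ]]; then
  REGION_ARGS=(--region-names "$FILTERREGION")
fi
REGIONS=$($AWSCLI ec2 describe-regions --query 'Regions[].RegionName' \
  --output text \
  --profile "$PROFILE" \
  --region "$REGION" \
  "${REGION_ARGS[@]}")
# … unchanged: infoReferenceLong …
```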
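Review bot: Appending `| grep -v "None"` to the list-subscriptions-by-topic call filters on an unanchored substring, so any subscription whose endpoint merely contains "None" (part of an e-mail address or URL, say) is dropped from the review along with whatever placeholder row the filter is meant to remove; if the intent is the literal `None` the CLI prints for an absent field, test that field alone, e.g. `awk '$1 != "None"'` assuming Endpoint is the first column as the query's key order suggests — please confirm against real output. Separately, `--max-items $MAXITEMS` makes the CLI stop after MAXITEMS subscriptions and emit a pagination token that nothing here follows, so a topic with more subscribers than the limit is reported only partially and the surplus subscribers — precisely what this check exists to surface — are never shown; either page through the token or at least print a warning when the output contains one. The body of check315 continues outside the hunk.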