Fix issue #925 replace sensible by sensitive
@@ -18,7 +18,7 @@ CHECK_SEVERITY_extra711="High"
CHECK_ASFF_RESOURCE_TYPE_extra711="AwsRedshiftCluster"
CHECK_ALTERNATE_check711="extra711"
CHECK_SERVICENAME_extra711="redshift"
CHECK_RISK_extra711='Publicly accessible services could expose sensible data to bad actors.'
CHECK_RISK_extra711='Publicly accessible services could expose sensitive data to bad actors.'
CHECK_REMEDIATION_extra711='List all shared Redshift clusters and make sure there is a business reason for them.'
CHECK_DOC_extra711='https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-vpc.html'
CHECK_CAF_EPIC_extra711='Data Protection'
@@ -18,7 +18,7 @@ CHECK_SEVERITY_extra7116="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra7116="AwsGlue"
CHECK_ALTERNATE_check7116="extra7116"
CHECK_SERVICENAME_extra7116="glue"
CHECK_RISK_extra7116='If not enabled sensible information at rest is not protected.'
CHECK_RISK_extra7116='If not enabled sensitive information at rest is not protected.'
CHECK_REMEDIATION_extra7116='Enable Encryption. Use a CMK where possible. It will provide additional management and privacy benefits.'
CHECK_DOC_extra7116='https://docs.aws.amazon.com/glue/latest/dg/encrypt-glue-data-catalog.html'
CHECK_CAF_EPIC_extra7116='Data Protection'
@@ -18,7 +18,7 @@ CHECK_SEVERITY_extra7117="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra7117="AwsGlue"
CHECK_ALTERNATE_check7117="extra7117"
CHECK_SERVICENAME_extra7117="glue"
CHECK_RISK_extra7117='If not enabled sensible information at rest is not protected.'
CHECK_RISK_extra7117='If not enabled sensitive information at rest is not protected.'
CHECK_REMEDIATION_extra7117='On the AWS Glue console; you can enable this option on the Data catalog settings page.'
CHECK_DOC_extra7117='https://docs.aws.amazon.com/glue/latest/dg/encrypt-connection-passwords.html'
CHECK_CAF_EPIC_extra7117='Data Protection'
@@ -18,7 +18,7 @@ CHECK_SEVERITY_extra7118="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra7118="AwsGlue"
CHECK_ALTERNATE_check7118="extra7118"
CHECK_SERVICENAME_extra7118="glue"
CHECK_RISK_extra7118='If not enabled sensible information at rest is not protected.'
CHECK_RISK_extra7118='If not enabled sensitive information at rest is not protected.'
CHECK_REMEDIATION_extra7118='Provide the encryption properties that are used by crawlers; jobs; and development endpoints.'
CHECK_DOC_extra7118='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html'
CHECK_CAF_EPIC_extra7118='Data Protection'
@@ -19,7 +19,7 @@ CHECK_SEVERITY_extra7119="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra7119="AwsGlue"
CHECK_ALTERNATE_check7119="extra7119"
CHECK_SERVICENAME_extra7119="glue"
CHECK_RISK_extra7119='If not enabled sensible information at rest is not protected.'
CHECK_RISK_extra7119='If not enabled sensitive information at rest is not protected.'
CHECK_REMEDIATION_extra7119='Enable Encryption in the Security configurations.'
CHECK_DOC_extra7119='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html'
CHECK_CAF_EPIC_extra7119='Logging and Monitoring'
@@ -18,7 +18,7 @@ CHECK_SEVERITY_extra7120="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra7120="AwsGlue"
CHECK_ALTERNATE_check7120="extra7120"
CHECK_SERVICENAME_extra7120="glue"
CHECK_RISK_extra7120='If not enabled sensible information at rest is not protected.'
CHECK_RISK_extra7120='If not enabled sensitive information at rest is not protected.'
CHECK_REMEDIATION_extra7120='Enable Encryption in the Security configurations.'
CHECK_DOC_extra7120='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html'
CHECK_CAF_EPIC_extra7120='Logging and Monitoring'
@@ -19,7 +19,7 @@ CHECK_SEVERITY_extra7121="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra7121="AwsGlue"
CHECK_ALTERNATE_check7121="extra7121"
CHECK_SERVICENAME_extra7121="glue"
CHECK_RISK_extra7121='If not enabled sensible information at rest is not protected.'
CHECK_RISK_extra7121='If not enabled sensitive information at rest is not protected.'
CHECK_REMEDIATION_extra7121='Enable Encryption in the Security configurations.'
CHECK_DOC_extra7121='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html'
CHECK_CAF_EPIC_extra7121='Data Protection'
@@ -18,7 +18,7 @@ CHECK_SEVERITY_extra7122="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra7122="AwsGlue"
CHECK_ALTERNATE_check7122="extra7122"
CHECK_SERVICENAME_extra7122="glue"
CHECK_RISK_extra7122='If not enabled sensible information at rest is not protected.'
CHECK_RISK_extra7122='If not enabled sensitive information at rest is not protected.'
CHECK_REMEDIATION_extra7122='Enable Encryption in the Security configurations.'
CHECK_DOC_extra7122='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html'
CHECK_CAF_EPIC_extra7122='Data Protection'
@@ -19,7 +19,7 @@ CHECK_SEVERITY_extra7130="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra7130="AwsSnsTopic"
CHECK_ALTERNATE_check7130="extra7130"
CHECK_SERVICENAME_extra7130="sns"
CHECK_RISK_extra7130='If not enabled sensible information at rest is not protected.'
CHECK_RISK_extra7130='If not enabled sensitive information at rest is not protected.'
CHECK_REMEDIATION_extra7130='Use Amazon SNS with AWS KMS.'
CHECK_DOC_extra7130='https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html'
CHECK_CAF_EPIC_extra7130='Data Protection'
@@ -18,7 +18,7 @@ CHECK_SEVERITY_extra7143="Critical"
CHECK_ASFF_RESOURCE_TYPE_extra7143="AwsEFS"
CHECK_ALTERNATE_check7143="extra7143"
CHECK_SERVICENAME_extra7143="efs"
CHECK_RISK_extra7143='EFS accessible to everyone could expose sensible data to bad actors'
CHECK_RISK_extra7143='EFS accessible to everyone could expose sensitive data to bad actors'
CHECK_REMEDIATION_extra7143='Ensure efs has some policy but it does not have principle as *'
CHECK_DOC_extra7143='https://docs.aws.amazon.com/efs/latest/ug/access-control-block-public-access.html'
CHECK_CAF_EPIC_extra7143='Data Protection'
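Review bot: The unchanged remediation line in this hunk, `CHECK_REMEDIATION_extra7143='Ensure efs has some policy but it does not have principle as *'`, says "principle" where the IAM policy element being described is `Principal`; since this commit is already a wording sweep across the check files, it is a natural place to correct it, e.g. `CHECK_REMEDIATION_extra7143='Ensure the EFS file system policy does not grant access to Principal "*"'`. The same "principle as *" wording appears in the extra7147 remediation line in this commit. The rest of each check file lies outside the hunk.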
@@ -18,7 +18,7 @@ CHECK_SEVERITY_extra7147="Critical"
CHECK_ASFF_RESOURCE_TYPE_extra7147="AwsGlacierVault"
CHECK_ALTERNATE_check7147="extra7142"
CHECK_SERVICENAME_extra7147="glacier"
CHECK_RISK_extra7147='Vaults accessible to everyone could expose sensible data to bad actors'
CHECK_RISK_extra7147='Vaults accessible to everyone could expose sensitive data to bad actors'
CHECK_REMEDIATION_extra7147='Ensure vault policy does not have principle as *'
CHECK_DOC_extra7147='https://docs.aws.amazon.com/amazonglacier/latest/dev/access-control-overview.html'
CHECK_CAF_EPIC_extra7147='Data Protection'
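Review bot: The context line `CHECK_ALTERNATE_check7147="extra7142"` maps the check7147 alias to extra7142, while every other section in this commit maps checkNNNN to extraNNNN; this looks like a copy-paste slip that would make the alias resolve to a different check, and is worth confirming against the rest of the file, which lies outside the hunk. If it is a slip, the line should read `CHECK_ALTERNATE_check7147="extra7147"`. The wording fix on the `CHECK_RISK_extra7147` line itself is fine.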
@@ -18,7 +18,7 @@ CHECK_SEVERITY_extra716="Critical"
CHECK_ASFF_RESOURCE_TYPE_extra716="AwsElasticsearchDomain"
CHECK_ALTERNATE_check716="extra716"
CHECK_SERVICENAME_extra716="es"
CHECK_RISK_extra716='Publicly accessible services could expose sensible data to bad actors.'
CHECK_RISK_extra716='Publicly accessible services could expose sensitive data to bad actors.'
CHECK_REMEDIATION_extra716='Use VPC endpoints for internal services.'
CHECK_DOC_extra716='https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-vpc.html'
CHECK_CAF_EPIC_extra716='Infrastructure Security'
@@ -18,7 +18,7 @@ CHECK_SEVERITY_extra723="Critical"
CHECK_ASFF_RESOURCE_TYPE_extra723="AwsRdsDbSnapshot"
CHECK_ALTERNATE_check723="extra723"
CHECK_SERVICENAME_extra723="rds"
CHECK_RISK_extra723='Publicly accessible services could expose sensible data to bad actors. t is recommended that your RDS snapshots should not be public in order to prevent potential leak or misuse of sensitive data or any other kind of security threat. If your RDS snapshot is public; then the data which is backed up in that snapshot is accessible to all other AWS accounts.'
CHECK_RISK_extra723='Publicly accessible services could expose sensitive data to bad actors. t is recommended that your RDS snapshots should not be public in order to prevent potential leak or misuse of sensitive data or any other kind of security threat. If your RDS snapshot is public; then the data which is backed up in that snapshot is accessible to all other AWS accounts.'
CHECK_REMEDIATION_extra723='Use AWS Config to identify any sanpshot that is public.'
CHECK_DOC_extra723='https://docs.aws.amazon.com/config/latest/developerguide/rds-snapshots-public-prohibited.html'
CHECK_CAF_EPIC_extra723='Data Protection'
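Review bot: The new `CHECK_RISK_extra723` line still carries a second typo that the commit leaves in place: the sentence beginning `t is recommended that your RDS snapshots should not be public` is missing its first letter and should read `It is recommended that your RDS snapshots should not be public`. The unchanged remediation line just below also spells `sanpshot` for `snapshot`. Both are in the line or file the commit already touches, so they could be folded into this fix.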
@@ -19,7 +19,7 @@ CHECK_SEVERITY_extra727="Critical"
CHECK_ASFF_RESOURCE_TYPE_extra727="AwsSqsQueue"
CHECK_ALTERNATE_check727="extra727"
CHECK_SERVICENAME_extra727="sqs"
CHECK_RISK_extra727='Sensible information could be disclosed.'
CHECK_RISK_extra727='Sensitive information could be disclosed.'
CHECK_REMEDIATION_extra727='Review service with overly permissive policies. Adhere to Principle of Least Privilege.'
CHECK_DOC_extra727='https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-basic-examples-of-sqs-policies.html'
CHECK_CAF_EPIC_extra727='Infrastructure Security'
@@ -20,7 +20,7 @@ CHECK_ASFF_RESOURCE_TYPE_extra728="AwsSqsQueue"
CHECK_ALTERNATE_check728="extra728"
CHECK_ASFF_COMPLIANCE_TYPE_extra728="ens-mp.info.3.sns.1"
CHECK_SERVICENAME_extra728="sqs"
CHECK_RISK_extra728='If not enabled sensible information in transit is not protected.'
CHECK_RISK_extra728='If not enabled sensitive information in transit is not protected.'
CHECK_REMEDIATION_extra728='Enable Encryption. Use a CMK where possible. It will provide additional management and privacy benefits.'
CHECK_DOC_extra728='https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-sse-existing-queue.html'
CHECK_CAF_EPIC_extra728='Data Protection'
@@ -19,7 +19,7 @@ CHECK_SEVERITY_extra731="Critical"
CHECK_ASFF_RESOURCE_TYPE_extra731="AwsSnsTopic"
CHECK_ALTERNATE_check731="extra731"
CHECK_SERVICENAME_extra731="sns"
CHECK_RISK_extra731='Publicly accessible services could expose sensible data to bad actors.'
CHECK_RISK_extra731='Publicly accessible services could expose sensitive data to bad actors.'
CHECK_REMEDIATION_extra731='Ensure there is a business requirement for service to be public.'
CHECK_DOC_extra731='https://docs.aws.amazon.com/config/latest/developerguide/sns-topic-policy.html'
CHECK_CAF_EPIC_extra731='Infrastructure Security'
@@ -19,7 +19,7 @@ CHECK_ASFF_RESOURCE_TYPE_extra735="AwsRdsDbInstance"
CHECK_ALTERNATE_check735="extra735"
CHECK_ASFF_COMPLIANCE_TYPE_extra735="ens-mp.info.3.aws.rds.1"
CHECK_SERVICENAME_extra735="rds"
CHECK_RISK_extra735='If not enabled sensible information at rest is not protected.'
CHECK_RISK_extra735='If not enabled sensitive information at rest is not protected.'
CHECK_REMEDIATION_extra735='Enable Encryption. Use a CMK where possible. It will provide additional management and privacy benefits.'
CHECK_DOC_extra735='https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html'
CHECK_CAF_EPIC_extra735='Data Protection'
@@ -19,7 +19,7 @@ CHECK_ASFF_RESOURCE_TYPE_extra738="AwsCloudFrontDistribution"
CHECK_ALTERNATE_check738="extra738"
CHECK_ASFF_COMPLIANCE_TYPE_extra738="ens-mp.com.2.aws.front.1"
CHECK_SERVICENAME_extra738="cloudfront"
CHECK_RISK_extra738='If not enabled sensible information in transit is not protected. Surveillance and other threats are risks may exists.'
CHECK_RISK_extra738='If not enabled sensitive information in transit is not protected. Surveillance and other threats are risks may exists.'
CHECK_REMEDIATION_extra738='Use HTTPS everywhere possible. It will enforce privacy and protect against account hijacking and other threats.'
CHECK_DOC_extra738='https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https.html'
CHECK_CAF_EPIC_extra738='Data Protection'
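Review bot: The new `CHECK_RISK_extra738` line keeps the ungrammatical second sentence `Surveillance and other threats are risks may exists.`; since the line is being rewritten anyway, it could read `CHECK_RISK_extra738='If not enabled sensitive information in transit is not protected. Surveillance and other threats may exist.'`. The first sentence is fine after the commit's change.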
@@ -18,7 +18,7 @@ CHECK_SEVERITY_extra761="Medium"
CHECK_ALTERNATE_check761="extra761"
CHECK_ASFF_COMPLIANCE_TYPE_extra761="ens-mp.info.3.aws.ebs.2"
CHECK_SERVICENAME_extra761="ec2"
CHECK_RISK_extra761='If not enabled sensible information at rest is not protected.'
CHECK_RISK_extra761='If not enabled sensitive information at rest is not protected.'
CHECK_REMEDIATION_extra761='Enable Encryption. Use a CMK where possible. It will provide additional management and privacy benefits.'
CHECK_DOC_extra761='https://aws.amazon.com/premiumsupport/knowledge-center/ebs-automatic-encryption/'
CHECK_CAF_EPIC_extra761='Data Protection'
@@ -19,7 +19,7 @@ CHECK_ASFF_RESOURCE_TYPE_extra763="AwsS3Bucket"
CHECK_ALTERNATE_check763="extra763"
CHECK_SERVICENAME_extra763="s3"
CHECK_RISK_extra763=' With versioning; you can easily recover from both unintended user actions and application failures.'
CHECK_REMEDIATION_extra763='Configure versioning using the Amazon console or API for buckets with sensible information that is changing frecuently; and backup may not be enough to capture all the changes.'
CHECK_REMEDIATION_extra763='Configure versioning using the Amazon console or API for buckets with sensitive information that is changing frecuently; and backup may not be enough to capture all the changes.'
CHECK_DOC_extra763='https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/Versioning.html'
CHECK_CAF_EPIC_extra763='Data Protection'
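Review bot: The new `CHECK_REMEDIATION_extra763` line still contains `frecuently`, which should be `frequently`; the commit corrects only the `sensible`/`sensitive` word on that line. The unchanged `CHECK_RISK_extra763` value above it also begins with a stray space inside the opening quote, which is part of the value as written. Both could be tidied in the same file.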
@@ -19,7 +19,7 @@ CHECK_ASFF_RESOURCE_TYPE_extra767="AwsCloudFrontDistribution"
CHECK_ALTERNATE_check767="extra767"
CHECK_SERVICENAME_extra767="cloudfront"
CHECK_RISK_extra767='Allows you protect specific data throughout system processing so that only certain applications can see it.'
CHECK_REMEDIATION_extra767='Check if applicable to any sensible data. This encryption ensures that only applications that need the data—and have the credentials to decrypt it - are able to do so.'
CHECK_REMEDIATION_extra767='Check if applicable to any sensitive data. This encryption ensures that only applications that need the data—and have the credentials to decrypt it - are able to do so.'
CHECK_DOC_extra767='https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html'
CHECK_CAF_EPIC_extra767='Data Protection'
@@ -20,7 +20,7 @@ CHECK_ALTERNATE_extra708="extra78"
CHECK_ALTERNATE_check78="extra78"
CHECK_ALTERNATE_check708="extra78"
CHECK_SERVICENAME_extra78="rds"
CHECK_RISK_extra78='Publicly accessible databases could expose sensible data to bad actors.'
CHECK_RISK_extra78='Publicly accessible databases could expose sensitive data to bad actors.'
CHECK_REMEDIATION_extra78='Using an AWS Config rule check for RDS public instances periodically and check there is a business reason for it.'
CHECK_DOC_extra78='https://docs.amazonaws.cn/en_us/config/latest/developerguide/rds-instance-public-access-check.html'
CHECK_CAF_EPIC_extra78='Data Protection'
@@ -20,7 +20,7 @@ CHECK_ALTERNATE_extra709="extra79"
CHECK_ALTERNATE_check79="extra79"
CHECK_ALTERNATE_check709="extra79"
CHECK_SERVICENAME_extra79="elb"
CHECK_RISK_extra79='Publicly accessible load balancers could expose sensible data to bad actors.'
CHECK_RISK_extra79='Publicly accessible load balancers could expose sensitive data to bad actors.'
CHECK_REMEDIATION_extra79='Ensure the load balancer should be publicly accessible. If publiccly exposed ensure a WAF ACL is implemented.'
CHECK_DOC_extra79='https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-associating-aws-resource.html'
CHECK_CAF_EPIC_extra79='Data Protection'
@@ -18,7 +18,7 @@ CHECK_SEVERITY_extra795="High"
CHECK_ASFF_RESOURCE_TYPE_extra795="AwsEksCluster"
CHECK_ALTERNATE_check795="extra795"
CHECK_SERVICENAME_extra795="eks"
CHECK_RISK_extra795='Publicly accessible services could expose sensible data to bad actors.'
CHECK_RISK_extra795='Publicly accessible services could expose sensitive data to bad actors.'
CHECK_REMEDIATION_extra795='Enable private access to the Kubernetes API server so that all communication between your nodes and the API server stays within your VPC. Disable internet access to the API server.'
CHECK_DOC_extra795='https://docs.aws.amazon.com/eks/latest/userguide/infrastructure-security.html'
CHECK_CAF_EPIC_extra795='Infrastructure Security'
@@ -19,7 +19,7 @@ CHECK_SEVERITY_extra798="Critical"
CHECK_ASFF_RESOURCE_TYPE_extra798="AwsLambdaFunction"
CHECK_ALTERNATE_check798="extra798"
CHECK_SERVICENAME_extra798="lambda"
CHECK_RISK_extra798='Publicly accessible services could expose sensible data to bad actors.'
CHECK_RISK_extra798='Publicly accessible services could expose sensitive data to bad actors.'
CHECK_REMEDIATION_extra798='Grant usage permission on a per-resource basis and applying least privilege principle.'
CHECK_DOC_extra798='https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html'
CHECK_CAF_EPIC_extra798='Infrastructure Security'