feat(compliance): Loader and Execute (#1465)
@@ -2,7 +2,9 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam_administrator_access_with_mfa",
|
||||
"CheckTitle": "Ensure users of groups with AdministratorAccess policy have MFA tokens enabled",
|
||||
"CheckType": ["Infrastructure Security"],
|
||||
"CheckType": [
|
||||
"Infrastructure Security"
|
||||
],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,6 +32,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": []
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -8,7 +8,7 @@ class iam_administrator_access_with_mfa(Check):
|
||||
response = iam_client.groups
|
||||
|
||||
for group in response:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.resource_id = group.name
|
||||
report.resource_arn = group.arn
|
||||
report.region = iam_client.region
|
||||
|
||||
@@ -2,7 +2,11 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam_avoid_root_usage",
|
||||
"CheckTitle": "Avoid the use of the root accounts",
|
||||
"CheckType": ["Software and Configuration Checks", "Industry and Regulatory Standards" ,"CIS AWS Foundations Benchmark"],
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards",
|
||||
"CIS AWS Foundations Benchmark"
|
||||
],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,17 +34,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": [
|
||||
{
|
||||
"Control": [
|
||||
"1.1"
|
||||
],
|
||||
"Framework": "CIS-AWS",
|
||||
"Group": [
|
||||
"level1"
|
||||
],
|
||||
"Version": "1.4"
|
||||
}
|
||||
]
|
||||
"Notes": ""
|
||||
}
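Review bot: The CIS-AWS mapping (control `1.1`, group `level1`, version `1.4`) is dropped from this check's metadata without a visible replacement in this view, so the check will no longer be associated with that control unless the loader this commit introduces carries the same mapping. Presumably the new framework definition lists each check under its control; please confirm every control number removed in this commit (1.1 here, and 1.3, 1.5–1.12, 1.14, 1.16, 1.22 in the sibling metadata hunks for iam_disable_90_days_credentials, the password-policy checks, iam_no_root_access_key, iam_policy_attached_only_to_group_or_roles, iam_policy_no_administrative_privileges and iam_root_hardware_mfa_enabled) appears there, otherwise the compliance coverage silently shrinks. A short line in the commit description naming the file that now owns these mappings would make that traceable for reviewers.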
|
||||
|
||||
@@ -13,7 +13,7 @@ class iam_avoid_root_usage(Check):
|
||||
|
||||
for user in response:
|
||||
if user["user"] == "<root_account>":
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = iam_client.region
|
||||
report.resource_id = user["user"]
|
||||
report.resource_arn = user["arn"]
|
||||
|
||||
@@ -1,35 +1,38 @@
|
||||
{
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam-check-saml-providers-sts",
|
||||
"CheckTitle": "Check if there are SAML Providers then STS can be used",
|
||||
"CheckType": ["Software and Configuration Checks", "Industry and Regulatory Standards" ,"CIS AWS Foundations Benchmark"],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
"Severity": "low",
|
||||
"ResourceType": "Other",
|
||||
"Description": "Check if there are SAML Providers then STS can be used",
|
||||
"Risk": "Without SAML provider users with AWS CLI or AWS API access can use IAM static credentials. SAML helps users to assume role by default each time they authenticate.",
|
||||
"RelatedUrl": "",
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Enable SAML provider and use temporary credentials. You can use temporary security credentials to make programmatic requests for AWS resources using the AWS CLI or AWS API (using the AWS SDKs ). The temporary credentials provide the same permissions that you have with use long-term security credentials such as IAM user credentials. In case of not having SAML provider capabilities prevent usage of long-lived credentials.",
|
||||
"Url": "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html"
|
||||
}
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam_check_saml_providers_sts",
|
||||
"CheckTitle": "Check if there are SAML Providers then STS can be used",
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards",
|
||||
"CIS AWS Foundations Benchmark"
|
||||
],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
"Severity": "low",
|
||||
"ResourceType": "Other",
|
||||
"Description": "Check if there are SAML Providers then STS can be used",
|
||||
"Risk": "Without SAML provider users with AWS CLI or AWS API access can use IAM static credentials. SAML helps users to assume role by default each time they authenticate.",
|
||||
"RelatedUrl": "",
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Categories": [],
|
||||
"Tags": {
|
||||
"Tag1Key": "value",
|
||||
"Tag2Key": "value"
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": []
|
||||
}
|
||||
"Recommendation": {
|
||||
"Text": "Enable SAML provider and use temporary credentials. You can use temporary security credentials to make programmatic requests for AWS resources using the AWS CLI or AWS API (using the AWS SDKs ). The temporary credentials provide the same permissions that you have with use long-term security credentials such as IAM user credentials. In case of not having SAML provider capabilities prevent usage of long-lived credentials.",
|
||||
"Url": "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Tags": {
|
||||
"Tag1Key": "value",
|
||||
"Tag2Key": "value"
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -6,7 +6,7 @@ class iam_check_saml_providers_sts(Check):
|
||||
def execute(self) -> Check_Report:
|
||||
findings = []
|
||||
for provider in iam_client.saml_providers:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
provider_name = provider["Arn"].split("/")[1]
|
||||
report.resource_id = provider_name
|
||||
report.resource_arn = provider["Arn"]
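Review bot: The return annotation `-> Check_Report` on `execute` disagrees with the body, which accumulates a `findings` list and (judging by `findings = []` on the line below the signature; the `return` is outside the hunk) returns that list, so the annotation should read `def execute(self) -> list[Check_Report]:`. Since this commit already touches the signature-adjacent line in every check, it is the natural moment to fix it, and the same annotation appears in the hunks for iam_no_custom_policy_permissive_role_assumption, the seven iam_password_policy_* checks, iam_policy_no_administrative_privileges and iam_root_hardware_mfa_enabled. If `list[...]` syntax is not available on the project's minimum Python, `typing.List[Check_Report]` is the equivalent.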
|
||||
|
||||
@@ -2,7 +2,9 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam_disable_30_days_credentials",
|
||||
"CheckTitle": "Ensure credentials unused for 30 days or greater are disabled",
|
||||
"CheckType": ["Software and Configuration Checks"],
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks"
|
||||
],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,6 +32,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": []
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -12,7 +12,7 @@ class iam_disable_30_days_credentials(Check):
|
||||
response = iam_client.users
|
||||
|
||||
for user in response:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.resource_id = user.name
|
||||
report.resource_arn = user.arn
|
||||
report.region = iam_client.region
|
||||
|
||||
@@ -2,7 +2,9 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam_disable_45_days_credentials",
|
||||
"CheckTitle": "Ensure credentials unused for 45 days or greater are disabled",
|
||||
"CheckType": ["Software and Configuration Checks"],
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks"
|
||||
],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,6 +32,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": []
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -12,7 +12,7 @@ class iam_disable_45_days_credentials(Check):
|
||||
response = iam_client.users
|
||||
|
||||
for user in response:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.resource_id = user.name
|
||||
report.resource_arn = user.arn
|
||||
report.region = iam_client.region
|
||||
|
||||
@@ -2,18 +2,8 @@
|
||||
"Categories": [],
|
||||
"CheckID": "iam_disable_90_days_credentials",
|
||||
"CheckTitle": "Ensure credentials unused for 90 days or greater are disabled",
|
||||
"CheckType": ["Software and Configuration Checks"],
|
||||
"Compliance": [
|
||||
{
|
||||
"Control": [
|
||||
"1.3"
|
||||
],
|
||||
"Framework": "CIS-AWS",
|
||||
"Group": [
|
||||
"level1"
|
||||
],
|
||||
"Version": "1.4"
|
||||
}
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"Description": "Ensure credentials unused for 90 days or greater are disabled",
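Review bot: This metadata file orders its keys alphabetically (`Categories`, `CheckID`, `CheckTitle`, `CheckType`, `DependsOn`, `Description`, …) while every sibling file in this commit keeps `Provider`, `CheckID`, `CheckTitle`, `CheckType`, `ServiceName` first. If the loader reads by key this is harmless, but the file reads differently from the others and the first lines of the file (including whether `Provider` is present at all) are outside this hunk, so it is worth re-ordering it to match the siblings while the file is being edited anyway.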
|
||||
|
||||
@@ -12,7 +12,7 @@ class iam_disable_90_days_credentials(Check):
|
||||
response = iam_client.users
|
||||
|
||||
for user in response:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = iam_client.region
|
||||
report.resource_id = user.name
|
||||
report.resource_arn = user.arn
|
||||
|
||||
@@ -1,35 +1,36 @@
|
||||
{
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam_no_custom_policy_permissive_role_assumption",
|
||||
"CheckTitle": "Ensure that no custom IAM policies exist which allow permissive role assumption (e.g. sts:AssumeRole on *)",
|
||||
"CheckType": ["Software and Configuration Checks"],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
"Severity": "critical",
|
||||
"ResourceType": "AwsIamPolicy",
|
||||
"Description": "Ensure that no custom IAM policies exist which allow permissive role assumption (e.g. sts:AssumeRole on *)",
|
||||
"Risk": "If not restricted unintended access could happen.",
|
||||
"RelatedUrl": "",
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Use the least privilege principle when granting permissions.",
|
||||
"Url": "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html"
|
||||
}
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam_no_custom_policy_permissive_role_assumption",
|
||||
"CheckTitle": "Ensure that no custom IAM policies exist which allow permissive role assumption (e.g. sts:AssumeRole on *)",
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks"
|
||||
],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
"Severity": "critical",
|
||||
"ResourceType": "AwsIamPolicy",
|
||||
"Description": "Ensure that no custom IAM policies exist which allow permissive role assumption (e.g. sts:AssumeRole on *)",
|
||||
"Risk": "If not restricted unintended access could happen.",
|
||||
"RelatedUrl": "",
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Categories": [],
|
||||
"Tags": {
|
||||
"Tag1Key": "value",
|
||||
"Tag2Key": "value"
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "CAF Security Epic: IAM",
|
||||
"Compliance": []
|
||||
}
|
||||
"Recommendation": {
|
||||
"Text": "Use the least privilege principle when granting permissions.",
|
||||
"Url": "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Tags": {
|
||||
"Tag1Key": "value",
|
||||
"Tag2Key": "value"
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "CAF Security Epic: IAM"
|
||||
}
|
||||
|
||||
@@ -6,7 +6,7 @@ class iam_no_custom_policy_permissive_role_assumption(Check):
|
||||
def execute(self) -> Check_Report:
|
||||
findings = []
|
||||
for index, policy_document in enumerate(iam_client.list_policies_version):
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = iam_client.region
|
||||
report.resource_arn = iam_client.policies[index]["Arn"]
|
||||
report.resource_id = iam_client.policies[index]["PolicyName"]
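Review bot: The loop couples two separate attributes by position, iterating `iam_client.list_policies_version` with `enumerate` and then indexing `iam_client.policies[index]` for the ARN and name, which silently mis-attributes findings if the two sequences ever differ in order or length. Iterating them together makes the assumption explicit and fails loudly on a length mismatch: `for policy, policy_document in zip(iam_client.policies, iam_client.list_policies_version, strict=True):` followed by `report.resource_arn = policy["Arn"]` and `report.resource_id = policy["PolicyName"]` (`strict=True` needs Python 3.10; drop it if the project targets older versions). The same pattern appears in the iam_policy_no_administrative_privileges hunk. Both functions continue outside the hunk, so the `index` variable should be checked for other uses before removing it.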
|
||||
|
||||
@@ -2,7 +2,11 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam_no_expired_server_certificates_stored",
|
||||
"CheckTitle": "Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed.",
|
||||
"CheckType": ["Software and Configuration Checks", "Industry and Regulatory Standards" ,"CIS AWS Foundations Benchmark"],
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards",
|
||||
"CIS AWS Foundations Benchmark"
|
||||
],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,6 +34,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "Data Protection",
|
||||
"Compliance": []
|
||||
"Notes": "Data Protection"
|
||||
}
|
||||
|
||||
@@ -9,7 +9,7 @@ class iam_no_expired_server_certificates_stored(Check):
|
||||
findings = []
|
||||
|
||||
for certificate in iam_client.server_certificates:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = iam_client.region
|
||||
report.resource_id = certificate.id
|
||||
report.resource_arn = certificate.arn
|
||||
|
||||
@@ -2,7 +2,11 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam_no_root_access_key",
|
||||
"CheckTitle": "Ensure no root account access key exists",
|
||||
"CheckType": ["Software and Configuration Checks", "Industry and Regulatory Standards" ,"CIS AWS Foundations Benchmark"],
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards",
|
||||
"CIS AWS Foundations Benchmark"
|
||||
],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,17 +34,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": [
|
||||
{
|
||||
"Control": [
|
||||
"1.12"
|
||||
],
|
||||
"Framework": "CIS-AWS",
|
||||
"Group": [
|
||||
"level1"
|
||||
],
|
||||
"Version": "1.4"
|
||||
}
|
||||
]
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -9,7 +9,7 @@ class iam_no_root_access_key(Check):
|
||||
|
||||
for user in response:
|
||||
if user["user"] == "<root_account>":
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = iam_client.region
|
||||
report.resource_id = user["user"]
|
||||
report.resource_arn = user["arn"]
|
||||
|
||||
@@ -1,8 +1,12 @@
|
||||
{
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam-password-policy-expires-passwords-within-90-days-or-less",
|
||||
"CheckID": "iam_password_policy_expires_passwords_within_90_days_or_less",
|
||||
"CheckTitle": "Ensure IAM password policy expires passwords within 90 days or less",
|
||||
"CheckType": ["Software and Configuration Checks", "Industry and Regulatory Standards" ,"CIS AWS Foundations Benchmark"],
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards",
|
||||
"CIS AWS Foundations Benchmark"
|
||||
],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,17 +34,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": [
|
||||
{
|
||||
"Control": [
|
||||
"1.11"
|
||||
],
|
||||
"Framework": "CIS-AWS",
|
||||
"Group": [
|
||||
"level1"
|
||||
],
|
||||
"Version": "1.4"
|
||||
}
|
||||
]
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -5,7 +5,7 @@ from providers.aws.services.iam.iam_client import iam_client
|
||||
class iam_password_policy_expires_passwords_within_90_days_or_less(Check):
|
||||
def execute(self) -> Check_Report:
|
||||
findings = []
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = iam_client.region
|
||||
report.resource_id = "password_policy"
|
||||
# Check if password policy exists
|
||||
|
||||
@@ -2,7 +2,11 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam_password_policy_lowercase",
|
||||
"CheckTitle": "Ensure IAM password policy require at least one lowercase letter",
|
||||
"CheckType": ["Software and Configuration Checks", "Industry and Regulatory Standards" ,"CIS AWS Foundations Benchmark"],
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards",
|
||||
"CIS AWS Foundations Benchmark"
|
||||
],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,17 +34,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": [
|
||||
{
|
||||
"Control": [
|
||||
"1.6"
|
||||
],
|
||||
"Framework": "CIS-AWS",
|
||||
"Group": [
|
||||
"level1"
|
||||
],
|
||||
"Version": "1.4"
|
||||
}
|
||||
]
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -5,7 +5,7 @@ from providers.aws.services.iam.iam_client import iam_client
|
||||
class iam_password_policy_lowercase(Check):
|
||||
def execute(self) -> Check_Report:
|
||||
findings = []
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = iam_client.region
|
||||
report.resource_id = "password_policy"
|
||||
# Check if password policy exists
|
||||
|
||||
@@ -2,7 +2,11 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam_password_policy_minimum_length_14",
|
||||
"CheckTitle": "Ensure IAM password policy requires minimum length of 14 or greater",
|
||||
"CheckType": ["Software and Configuration Checks", "Industry and Regulatory Standards" ,"CIS AWS Foundations Benchmark"],
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards",
|
||||
"CIS AWS Foundations Benchmark"
|
||||
],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,17 +34,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": [
|
||||
{
|
||||
"Control": [
|
||||
"1.9"
|
||||
],
|
||||
"Framework": "CIS-AWS",
|
||||
"Group": [
|
||||
"level1"
|
||||
],
|
||||
"Version": "1.4"
|
||||
}
|
||||
]
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -5,7 +5,7 @@ from providers.aws.services.iam.iam_client import iam_client
|
||||
class iam_password_policy_minimum_length_14(Check):
|
||||
def execute(self) -> Check_Report:
|
||||
findings = []
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = iam_client.region
|
||||
report.resource_id = "password_policy"
|
||||
# Check if password policy exists
|
||||
|
||||
@@ -2,7 +2,11 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam_password_policy_number",
|
||||
"CheckTitle": "Ensure IAM password policy require at least one number",
|
||||
"CheckType": ["Software and Configuration Checks", "Industry and Regulatory Standards" ,"CIS AWS Foundations Benchmark"],
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards",
|
||||
"CIS AWS Foundations Benchmark"
|
||||
],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,17 +34,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": [
|
||||
{
|
||||
"Control": [
|
||||
"1.8"
|
||||
],
|
||||
"Framework": "CIS-AWS",
|
||||
"Group": [
|
||||
"level1"
|
||||
],
|
||||
"Version": "1.4"
|
||||
}
|
||||
]
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -5,7 +5,7 @@ from providers.aws.services.iam.iam_client import iam_client
|
||||
class iam_password_policy_number(Check):
|
||||
def execute(self) -> Check_Report:
|
||||
findings = []
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = iam_client.region
|
||||
report.resource_id = "password_policy"
|
||||
# Check if password policy exists
|
||||
|
||||
@@ -2,7 +2,11 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam_password_policy_reuse_24",
|
||||
"CheckTitle": "Ensure IAM password policy prevents password reuse: 24 or greater",
|
||||
"CheckType": ["Software and Configuration Checks", "Industry and Regulatory Standards" ,"CIS AWS Foundations Benchmark"],
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards",
|
||||
"CIS AWS Foundations Benchmark"
|
||||
],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,17 +34,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": [
|
||||
{
|
||||
"Control": [
|
||||
"1.10"
|
||||
],
|
||||
"Framework": "CIS-AWS",
|
||||
"Group": [
|
||||
"level1"
|
||||
],
|
||||
"Version": "1.4"
|
||||
}
|
||||
]
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -5,7 +5,7 @@ from providers.aws.services.iam.iam_client import iam_client
|
||||
class iam_password_policy_reuse_24(Check):
|
||||
def execute(self) -> Check_Report:
|
||||
findings = []
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = iam_client.region
|
||||
report.resource_id = "password_policy"
|
||||
# Check if password policy exists
|
||||
|
||||
@@ -2,7 +2,11 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam_password_policy_symbol",
|
||||
"CheckTitle": "Ensure IAM password policy require at least one symbol",
|
||||
"CheckType": ["Software and Configuration Checks", "Industry and Regulatory Standards" ,"CIS AWS Foundations Benchmark"],
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards",
|
||||
"CIS AWS Foundations Benchmark"
|
||||
],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,17 +34,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": [
|
||||
{
|
||||
"Control": [
|
||||
"1.7"
|
||||
],
|
||||
"Framework": "CIS-AWS",
|
||||
"Group": [
|
||||
"level1"
|
||||
],
|
||||
"Version": "1.4"
|
||||
}
|
||||
]
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -5,7 +5,7 @@ from providers.aws.services.iam.iam_client import iam_client
|
||||
class iam_password_policy_symbol(Check):
|
||||
def execute(self) -> Check_Report:
|
||||
findings = []
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = iam_client.region
|
||||
report.resource_id = "password_policy"
|
||||
# Check if password policy exists
|
||||
|
||||
@@ -2,7 +2,11 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam_password_policy_uppercase",
|
||||
"CheckTitle": "Ensure IAM password policy requires at least one uppercase letter",
|
||||
"CheckType": ["Software and Configuration Checks", "Industry and Regulatory Standards" ,"CIS AWS Foundations Benchmark"],
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards",
|
||||
"CIS AWS Foundations Benchmark"
|
||||
],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,17 +34,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": [
|
||||
{
|
||||
"Control": [
|
||||
"1.5"
|
||||
],
|
||||
"Framework": "CIS-AWS",
|
||||
"Group": [
|
||||
"level1"
|
||||
],
|
||||
"Version": "1.4"
|
||||
}
|
||||
]
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -5,7 +5,7 @@ from providers.aws.services.iam.iam_client import iam_client
|
||||
class iam_password_policy_uppercase(Check):
|
||||
def execute(self) -> Check_Report:
|
||||
findings = []
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = iam_client.region
|
||||
report.resource_id = "password_policy"
|
||||
# Check if password policy exists
|
||||
|
||||
@@ -2,7 +2,11 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam_policy_allows_privilege_escalation",
|
||||
"CheckTitle": "Ensure no Customer Managed IAM policies allow actions that may lead into Privilege Escalation",
|
||||
"CheckType": ["Software and Configuration Checks", "Industry and Regulatory Standards" ,"CIS AWS Foundations Benchmark"],
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards",
|
||||
"CIS AWS Foundations Benchmark"
|
||||
],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,6 +34,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "CAF Security Epic: IAM",
|
||||
"Compliance": []
|
||||
"Notes": "CAF Security Epic: IAM"
|
||||
}
|
||||
|
||||
@@ -61,7 +61,7 @@ class iam_policy_allows_privilege_escalation(Check):
|
||||
}
|
||||
findings = []
|
||||
for policy in iam_client.customer_managed_policies:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.resource_id = policy["PolicyName"]
|
||||
report.resource_arn = policy["Arn"]
|
||||
report.region = iam_client.region
|
||||
|
||||
@@ -2,7 +2,11 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam_policy_attached_only_to_group_or_roles",
|
||||
"CheckTitle": "Ensure IAM policies are attached only to groups or roles",
|
||||
"CheckType": ["Software and Configuration Checks", "Industry and Regulatory Standards" ,"CIS AWS Foundations Benchmark"],
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards",
|
||||
"CIS AWS Foundations Benchmark"
|
||||
],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,17 +34,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "CAF Security Epic: IAM",
|
||||
"Compliance": [
|
||||
{
|
||||
"Control": [
|
||||
"1.16"
|
||||
],
|
||||
"Framework": "CIS-AWS",
|
||||
"Group": [
|
||||
"level1"
|
||||
],
|
||||
"Version": "1.4"
|
||||
}
|
||||
]
|
||||
"Notes": "CAF Security Epic: IAM"
|
||||
}
|
||||
|
||||
@@ -7,14 +7,14 @@ class iam_policy_attached_only_to_group_or_roles(Check):
|
||||
findings = []
|
||||
if iam_client.users:
|
||||
for user in iam_client.users:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = iam_client.region
|
||||
report.resource_id = user.name
|
||||
report.resource_arn = user.arn
|
||||
if user.attached_policies or user.inline_policies:
|
||||
if user.attached_policies:
|
||||
for policy in user.attached_policies:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = iam_client.region
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"User {user.name} has attached the following policy {policy['PolicyName']}"
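Review bot: The per-policy `report = Check_Report(self.metadata())` inside the `for policy in user.attached_policies` loop replaces the per-user report whose `resource_id`/`resource_arn` were just populated, and within the visible lines the new report only receives `region`, `status` and `status_extended`, so findings for users with attached policies may be emitted without a resource identifier; the same applies to the inline-policy loop in the following hunk. If lines 15–21 of the file (not shown) do not set them, add `report.resource_id = user.name` and `report.resource_arn = user.arn` after the `report.region` line in both loops. The outer `if user.attached_policies or user.inline_policies:` is also redundant with the two inner `if` checks, unless an `else` branch outside the hunk relies on it.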
|
||||
@@ -22,7 +22,7 @@ class iam_policy_attached_only_to_group_or_roles(Check):
|
||||
findings.append(report)
|
||||
if user.inline_policies:
|
||||
for policy in user.inline_policies:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = iam_client.region
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"User {user.name} has the following inline policy {policy}"
|
||||
|
||||
@@ -1,46 +1,38 @@
|
||||
{
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam_policy_no_administrative_privileges",
|
||||
"CheckTitle": "Ensure IAM policies that allow full \"*:*\" administrative privileges are not created",
|
||||
"CheckType": ["Software and Configuration Checks", "Industry and Regulatory Standards" ,"CIS AWS Foundations Benchmark"],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "AwsIamPolicy",
|
||||
"Description": "Ensure IAM policies that allow full \"*:*\" administrative privileges are not created",
|
||||
"Risk": "IAM policies are the means by which privileges are granted to users; groups; or roles. It is recommended and considered a standard security advice to grant least privilege—that is; granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks instead of allowing full administrative privileges. Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions.",
|
||||
"RelatedUrl": "",
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "https://docs.bridgecrew.io/docs/iam_47#cli-command",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://docs.bridgecrew.io/docs/iam_47#aws-console",
|
||||
"Terraform": "https://docs.bridgecrew.io/docs/iam_47#terraform"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "It is more secure to start with a minimum set of permissions and grant additional permissions as necessary; rather than starting with permissions that are too lenient and then trying to tighten them later. List policies an analyze if permissions are the least possible to conduct business activities.",
|
||||
"Url": "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html"
|
||||
}
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam_policy_no_administrative_privileges",
|
||||
"CheckTitle": "Ensure IAM policies that allow full \"*:*\" administrative privileges are not created",
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards",
|
||||
"CIS AWS Foundations Benchmark"
|
||||
],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "AwsIamPolicy",
|
||||
"Description": "Ensure IAM policies that allow full \"*:*\" administrative privileges are not created",
|
||||
"Risk": "IAM policies are the means by which privileges are granted to users; groups; or roles. It is recommended and considered a standard security advice to grant least privilege—that is; granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks instead of allowing full administrative privileges. Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions.",
|
||||
"RelatedUrl": "",
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "https://docs.bridgecrew.io/docs/iam_47#cli-command",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://docs.bridgecrew.io/docs/iam_47#aws-console",
|
||||
"Terraform": "https://docs.bridgecrew.io/docs/iam_47#terraform"
|
||||
},
|
||||
"Categories": [],
|
||||
"Tags": {
|
||||
"Tag1Key": "value",
|
||||
"Tag2Key": "value"
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "CAF Security Epic: IAM",
|
||||
"Compliance": [
|
||||
{
|
||||
"Control": [
|
||||
"1.22"
|
||||
],
|
||||
"Framework": "CIS-AWS",
|
||||
"Group": [
|
||||
"level1"
|
||||
],
|
||||
"Version": "1.4"
|
||||
}
|
||||
]
|
||||
}
|
||||
"Recommendation": {
|
||||
"Text": "It is more secure to start with a minimum set of permissions and grant additional permissions as necessary; rather than starting with permissions that are too lenient and then trying to tighten them later. List policies an analyze if permissions are the least possible to conduct business activities.",
|
||||
"Url": "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Tags": {
|
||||
"Tag1Key": "value",
|
||||
"Tag2Key": "value"
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "CAF Security Epic: IAM"
|
||||
}
|
||||
|
||||
@@ -6,7 +6,7 @@ class iam_policy_no_administrative_privileges(Check):
|
||||
def execute(self) -> Check_Report:
|
||||
findings = []
|
||||
for index, policy_document in enumerate(iam_client.list_policies_version):
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = iam_client.region
|
||||
report.resource_arn = iam_client.policies[index]["Arn"]
|
||||
report.resource_id = iam_client.policies[index]["PolicyName"]
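Review bot: `Check_Report(self.metadata())` is now evaluated once per policy inside the `for` loop; if `metadata()` does more than return a cached attribute (for example re-reading the check's JSON), hoist it to `metadata = self.metadata()` before the loop and pass `metadata` on each iteration. The same per-iteration call appears in the iam_root_mfa_enabled, iam_rotate_access_key_90_days, iam_user_hardware_mfa_enabled, iam_user_mfa_enabled_console_access, iam_user_no_setup_initial_access_key and iam_user_two_active_access_key hunks. Whether `metadata()` is cheap is not visible here, so this should be confirmed against the `Check` base class before changing anything. The body of `execute` continues past the hunk.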
|
||||
|
||||
@@ -2,7 +2,11 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam_root_hardware_mfa_enabled",
|
||||
"CheckTitle": "Ensure hardware MFA is enabled for the root account",
|
||||
"CheckType": ["Software and Configuration Checks", "Industry and Regulatory Standards" ,"CIS AWS Foundations Benchmark"],
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards",
|
||||
"CIS AWS Foundations Benchmark"
|
||||
],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,17 +34,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": [
|
||||
{
|
||||
"Control": [
|
||||
"1.14"
|
||||
],
|
||||
"Framework": "CIS-AWS",
|
||||
"Group": [
|
||||
"level1"
|
||||
],
|
||||
"Version": "1.4"
|
||||
}
|
||||
]
|
||||
"Notes": ""
|
||||
}
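Review bot: Removing the `Compliance` block drops the only mapping of this check to CIS-AWS 1.4 control 1.14 from the metadata, and nothing in these hunks shows where that mapping now lives; presumably the new compliance loader reads it from a separate framework file, so that file should carry the same control id or the check silently disappears from the CIS report. The same applies to the iam_root_mfa_enabled (1.13), iam_rotate_access_key_90_days (1.4), iam_support_role_created (1.20) and iam_user_no_setup_initial_access_key (1.21) metadata hunks. A one-line note in the commit description naming the file that now owns these mappings would make the move verifiable.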
|
||||
|
||||
@@ -6,7 +6,7 @@ class iam_root_hardware_mfa_enabled(Check):
|
||||
def execute(self) -> Check_Report:
|
||||
findings = []
|
||||
virtual_mfa = False
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = iam_client.region
|
||||
report.resource_id = "root"
|
||||
report.resource_arn = f"arn:aws:iam::{iam_client.account}:root"
|
||||
|
||||
@@ -2,7 +2,11 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam_root_mfa_enabled",
|
||||
"CheckTitle": "Ensure MFA is enabled for the root account",
|
||||
"CheckType": ["Software and Configuration Checks", "Industry and Regulatory Standards" ,"CIS AWS Foundations Benchmark"],
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards",
|
||||
"CIS AWS Foundations Benchmark"
|
||||
],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,17 +34,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": [
|
||||
{
|
||||
"Control": [
|
||||
"1.13"
|
||||
],
|
||||
"Framework": "CIS-AWS",
|
||||
"Group": [
|
||||
"level1"
|
||||
],
|
||||
"Version": "1.4"
|
||||
}
|
||||
]
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -8,7 +8,7 @@ class iam_root_mfa_enabled(Check):
|
||||
|
||||
for user in iam_client.credential_report:
|
||||
if user["user"] == "<root_account>":
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = iam_client.region
|
||||
report.resource_id = user["user"]
|
||||
report.resource_arn = user["arn"]
|
||||
|
||||
@@ -2,7 +2,11 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam_rotate_access_key_90_days",
|
||||
"CheckTitle": "Ensure access keys are rotated every 90 days or less",
|
||||
"CheckType": ["Software and Configuration Checks", "Industry and Regulatory Standards" ,"CIS AWS Foundations Benchmark"],
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards",
|
||||
"CIS AWS Foundations Benchmark"
|
||||
],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,17 +34,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": [
|
||||
{
|
||||
"Control": [
|
||||
"1.4"
|
||||
],
|
||||
"Framework": "CIS-AWS",
|
||||
"Group": [
|
||||
"level1"
|
||||
],
|
||||
"Version": "1.4"
|
||||
}
|
||||
]
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -12,7 +12,7 @@ class iam_rotate_access_key_90_days(Check):
|
||||
response = iam_client.credential_report
|
||||
|
||||
for user in response:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = iam_client.region
|
||||
report.resource_id = user["user"]
|
||||
report.resource_arn = user["arn"]
|
||||
|
||||
@@ -1,47 +1,38 @@
|
||||
{
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam_support_role_created",
|
||||
"CheckTitle": "Ensure a support role has been created to manage incidents with AWS Support",
|
||||
"CheckType": ["Software and Configuration Checks", "Industry and Regulatory Standards" ,"CIS AWS Foundations Benchmark"],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "AwsIamRole",
|
||||
"Description": "Ensure a support role has been created to manage incidents with AWS Support",
|
||||
"Risk": "AWS provides a support center that can be used for incident notification and response; as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support.",
|
||||
"RelatedUrl": "",
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Create an IAM role for managing incidents with AWS.",
|
||||
"Url": "https://docs.aws.amazon.com/awssupport/latest/user/using-service-linked-roles-sup.html"
|
||||
}
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam_support_role_created",
|
||||
"CheckTitle": "Ensure a support role has been created to manage incidents with AWS Support",
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards",
|
||||
"CIS AWS Foundations Benchmark"
|
||||
],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "AwsIamRole",
|
||||
"Description": "Ensure a support role has been created to manage incidents with AWS Support",
|
||||
"Risk": "AWS provides a support center that can be used for incident notification and response; as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support.",
|
||||
"RelatedUrl": "",
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Categories": [],
|
||||
"Tags": {
|
||||
"Tag1Key": "value",
|
||||
"Tag2Key": "value"
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "CAF Security Epic: IAM",
|
||||
"Compliance": [
|
||||
{
|
||||
"Control": [
|
||||
"1.20"
|
||||
],
|
||||
"Framework": "CIS-AWS",
|
||||
"Group": [
|
||||
"level1"
|
||||
],
|
||||
"Version": "1.4"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
"Recommendation": {
|
||||
"Text": "Create an IAM role for managing incidents with AWS.",
|
||||
"Url": "https://docs.aws.amazon.com/awssupport/latest/user/using-service-linked-roles-sup.html"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Tags": {
|
||||
"Tag1Key": "value",
|
||||
"Tag2Key": "value"
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "CAF Security Epic: IAM"
|
||||
}
|
||||
|
||||
@@ -5,7 +5,7 @@ from providers.aws.services.iam.iam_client import iam_client
|
||||
class iam_support_role_created(Check):
|
||||
def execute(self) -> Check_Report:
|
||||
findings = []
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = iam_client.region
|
||||
report.resource_id = "AWSSupportServiceRolePolicy"
|
||||
report.resource_arn = (
|
||||
|
||||
@@ -2,7 +2,11 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam_user_hardware_mfa_enabled",
|
||||
"CheckTitle": "Check if IAM users have Hardware MFA enabled.",
|
||||
"CheckType": ["Software and Configuration Checks", "Industry and Regulatory Standards" ,"CIS AWS Foundations Benchmark"],
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards",
|
||||
"CIS AWS Foundations Benchmark"
|
||||
],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,6 +34,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": []
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -8,7 +8,7 @@ class iam_user_hardware_mfa_enabled(Check):
|
||||
response = iam_client.users
|
||||
|
||||
for user in response:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.resource_id = user.name
|
||||
report.resource_arn = user.arn
|
||||
report.region = iam_client.region
|
||||
|
||||
@@ -2,7 +2,11 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam_user_mfa_enabled_console_access",
|
||||
"CheckTitle": "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password.",
|
||||
"CheckType": ["Software and Configuration Checks", "Industry and Regulatory Standards" ,"CIS AWS Foundations Benchmark"],
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards",
|
||||
"CIS AWS Foundations Benchmark"
|
||||
],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,6 +34,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": []
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -7,7 +7,7 @@ class iam_user_mfa_enabled_console_access(Check):
|
||||
findings = []
|
||||
response = iam_client.credential_report
|
||||
for user in response:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.resource_id = user["user"]
|
||||
report.resource_arn = user["arn"]
|
||||
report.region = iam_client.region
|
||||
|
||||
@@ -1,46 +1,38 @@
|
||||
{
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam_user_no_setup_initial_access_key",
|
||||
"CheckTitle": "Do not setup access keys during initial user setup for all IAM users that have a console password",
|
||||
"CheckType": ["Software and Configuration Checks", "Industry and Regulatory Standards" ,"CIS AWS Foundations Benchmark"],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "AwsIamUser",
|
||||
"Description": "Do not setup access keys during initial user setup for all IAM users that have a console password",
|
||||
"Risk": "AWS console defaults the checkbox for creating access keys to enabled. This results in many access keys being generated unnecessarily. In addition to unnecessary credentials; it also generates unnecessary management work in auditing and rotating these keys. Requiring that additional steps be taken by the user after their profile has been created will give a stronger indication of intent that access keys are (a) necessary for their work and (b) once the access key is established on an account that the keys may be in use somewhere in the organization.",
|
||||
"RelatedUrl": "",
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "From the IAM console: generate credential report and disable not required keys.",
|
||||
"Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html"
|
||||
}
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam_user_no_setup_initial_access_key",
|
||||
"CheckTitle": "Do not setup access keys during initial user setup for all IAM users that have a console password",
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards",
|
||||
"CIS AWS Foundations Benchmark"
|
||||
],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "AwsIamUser",
|
||||
"Description": "Do not setup access keys during initial user setup for all IAM users that have a console password",
|
||||
"Risk": "AWS console defaults the checkbox for creating access keys to enabled. This results in many access keys being generated unnecessarily. In addition to unnecessary credentials; it also generates unnecessary management work in auditing and rotating these keys. Requiring that additional steps be taken by the user after their profile has been created will give a stronger indication of intent that access keys are (a) necessary for their work and (b) once the access key is established on an account that the keys may be in use somewhere in the organization.",
|
||||
"RelatedUrl": "",
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Categories": [],
|
||||
"Tags": {
|
||||
"Tag1Key": "value",
|
||||
"Tag2Key": "value"
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "CAF Security Epic: IAM",
|
||||
"Compliance": [
|
||||
{
|
||||
"Control": [
|
||||
"1.21"
|
||||
],
|
||||
"Framework": "CIS-AWS",
|
||||
"Group": [
|
||||
"level1"
|
||||
],
|
||||
"Version": "1.4"
|
||||
}
|
||||
]
|
||||
}
|
||||
"Recommendation": {
|
||||
"Text": "From the IAM console: generate credential report and disable not required keys.",
|
||||
"Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Tags": {
|
||||
"Tag1Key": "value",
|
||||
"Tag2Key": "value"
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "CAF Security Epic: IAM"
|
||||
}
|
||||
|
||||
@@ -20,7 +20,7 @@ class iam_user_no_setup_initial_access_key(Check):
|
||||
and user_record["access_key_1_last_used_date"] == "N/A"
|
||||
and user_record["password_enabled"] == "true"
|
||||
):
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = iam_client.region
|
||||
report.resource_id = user_record["user"]
|
||||
report.resource_arn = user_record["arn"]
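Review bot: The four-line report setup (`Check_Report(self.metadata())`, region, resource_id, resource_arn) is now repeated in three branches of `execute`, in this hunk and the two that follow at -34 and -44; a small helper keeps the three findings consistent and leaves only status and status_extended to each branch. The surrounding conditionals start and end outside the hunks, so the replacement line in each branch is `report = self._user_report(user_record)`.
```python
def _user_report(self, user_record) -> Check_Report:
    """Build the per-user report skeleton; caller sets status and status_extended."""
    report = Check_Report(self.metadata())
    report.region = iam_client.region
    report.resource_id = user_record["user"]
    report.resource_arn = user_record["arn"]
    return report

# … unchanged: execute() branches, each now using `report = self._user_report(user_record)` …
```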
|
||||
@@ -34,7 +34,7 @@ class iam_user_no_setup_initial_access_key(Check):
|
||||
and user_record["access_key_2_last_used_date"] == "N/A"
|
||||
and user_record["password_enabled"] == "true"
|
||||
):
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = iam_client.region
|
||||
report.resource_id = user_record["user"]
|
||||
report.resource_arn = user_record["arn"]
|
||||
@@ -44,7 +44,7 @@ class iam_user_no_setup_initial_access_key(Check):
|
||||
)
|
||||
findings.append(report)
|
||||
else:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = iam_client.region
|
||||
report.resource_id = user_record["user"]
|
||||
report.resource_arn = user_record["arn"]
|
||||
|
||||
@@ -2,7 +2,11 @@
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam_user_two_active_access_key",
|
||||
"CheckTitle": "Check if IAM users have two active access keys",
|
||||
"CheckType": ["Software and Configuration Checks", "Industry and Regulatory Standards" ,"CIS AWS Foundations Benchmark"],
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards",
|
||||
"CIS AWS Foundations Benchmark"
|
||||
],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
@@ -30,6 +34,5 @@
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": []
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -9,7 +9,7 @@ class iam_user_two_active_access_key(Check):
|
||||
findings = []
|
||||
response = iam_client.credential_report
|
||||
for user in response:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.resource_id = user["user"]
|
||||
report.resource_arn = user["arn"]
|
||||
report.region = iam_client.region
|
||||
|
||||