From c8e9cf2e77af3d284eed5a4ee01fda527a25620e Mon Sep 17 00:00:00 2001 From: Toni de la Fuente Date: Tue, 10 Aug 2021 17:00:18 +0200 Subject: [PATCH] Tested new checks 7143 to 7147 --- checks/check_extra7142 | 60 ++++++++++++++++++++---------------------- checks/check_extra7143 | 16 +++++------ checks/check_extra7144 | 8 +++--- checks/check_extra7145 | 22 ++++++++-------- checks/check_extra7146 | 42 ++++++++++++++--------------- checks/check_extra7147 | 47 +++++++++++++++++++++++++++++++++ groups/group7_extras | 4 +-- 7 files changed, 121 insertions(+), 78 deletions(-) create mode 100644 checks/check_extra7147 diff --git a/checks/check_extra7142 b/checks/check_extra7142 index c246aa2d..5fbd6922 100644 --- a/checks/check_extra7142 +++ b/checks/check_extra7142 @@ -10,39 +10,35 @@ # under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. -CHECK_ID_extra7147="7.147" -CHECK_TITLE_extra7147="[extra7147] Check if S3 Glacier vaults have policies which allow access to everyone" -CHECK_SCORED_extra7147="NOT_SCORED" -CHECK_TYPE_extra7147="EXTRA" -CHECK_SEVERITY_extra7147="Critical" -CHECK_ASFF_RESOURCE_TYPE_extra7147="AwsS3Glacier" -CHECK_ALTERNATE_check7147="extra7142" -CHECK_SERVICENAME_extra7147="s3glacier" -CHECK_RISK_extra7147='Vaults accessible to everyone could expose sensible data to bad actors' -CHECK_REMEDIATION_extra7147='Ensure vault policy does not have principle as *' -CHECK_DOC_extra7147='https://docs.aws.amazon.com/amazonglacier/latest/dev/access-control-overview.html' -CHECK_CAF_EPIC_extra7147='Data Protection' +CHECK_ID_extra7142="7.142" +CHECK_TITLE_extra7142="[extra7142] Check if Application Load Balancer is dropping invalid packets to prevent header based http request smuggling" +CHECK_SCORED_extra7142="NOT_SCORED" +CHECK_TYPE_extra7142="EXTRA" +CHECK_SEVERITY_extra7142="Medium" +CHECK_ASFF_RESOURCE_TYPE_extra7142="AwsElasticLoadBalancingV2LoadBalancer" +CHECK_ALTERNATE_check7142="extra7142" +CHECK_ASFF_COMPLIANCE_TYPE_extra7142="" +CHECK_SERVICENAME_extra7142="elb" +CHECK_RISK_extra7142='ALB can be target of actors sendingn bad http headers' +CHECK_REMEDIATION_extra7142='Ensure Application Load Balancer is configured for HTTP headers with header fields that are not valid are removed by the load balancer (true)' +CHECK_DOC_extra7142='https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html#desync-mitigation-mode' +CHECK_CAF_EPIC_extra7142='Data Protection' -extra7147(){ + +extra7142(){ for regx in $REGIONS; do - LIST_OF_VAULTS=$($AWSCLI glacier list-vaults $PROFILE_OPT --region $regx --account-id $ACCOUNT_NUM --query VaultList[*].VaultName --output text|xargs -n1) - if [[ $LIST_OF_VAULTS ]]; then - for vault in $LIST_OF_VAULTS;do - VAULT_POLICY_STATEMENTS=$($AWSCLI glacier $PROFILE_OPT get-vault-access-policy --region $regx --account-id $ACCOUNT_NUM --vault-name $vault --output json --query policy.Policy 2>&1) - if [[ $VAULT_POLICY_STATEMENTS == *GetVaultAccessPolicy* ]]; then - textInfo "$regx: Vault $vault doesn't have any policy" "$regx" "$vault" - else - VAULT_POLICY_BAD_STATEMENTS=$(echo $VAULT_POLICY_STATEMENTS | jq '. | fromjson' | jq '.Statement[] | select(.Effect=="Allow") | select(.Principal=="*" or .Principal.AWS=="*" or .Principal.CanonicalUser=="*")') - if [[ $VAULT_POLICY_BAD_STATEMENTS != "" ]]; then - textFail "$regx: Vault $vault has policy which allows access to everyone" "$regx" "$vault" + LIST_OF_ELBSV2=$($AWSCLI elbv2 describe-load-balancers $PROFILE_OPT --region $regx --query 'LoadBalancers[?Type == `application`].[LoadBalancerArn]' --output text) + if [[ $LIST_OF_ELBSV2 ]];then + for alb in $LIST_OF_ELBSV2;do + CHECK_IF_DROP_INVALID_HEADER_FIELDS=$($AWSCLI elbv2 describe-load-balancer-attributes $PROFILE_OPT --region $regx --load-balancer-arn $alb --query 'Attributes[6]' --output text|grep -i true) + if [[ $CHECK_IF_DROP_INVALID_HEADER_FIELDS ]];then + textPass "$regx: Application Load Balancer $alb is dropping invalid header fields." "$regx" "$alb" else - textPass "$regx: Vault $vault has policy which does not allow access to everyone" "$regx" "$vault" + textFail "$regx: Application Load Balancer $alb is not dropping invalid header fields" "$regx" "$alb" fi - fi - done - - else - textInfo "$regx: No Glacier vaults found" "$regx" - fi - done -} \ No newline at end of file + done + else + textInfo "$regx: no ALBs found" + fi + done +} diff --git a/checks/check_extra7143 b/checks/check_extra7143 index fbd1c324..09f24131 100644 --- a/checks/check_extra7143 +++ b/checks/check_extra7143 @@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra7143="7.143" -CHECK_TITLE_extra7143="[extra7143] Check if EFS have policies which allow access to everyone (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra7143="[extra7143] Check if EFS have policies which allow access to everyone" CHECK_SCORED_extra7143="NOT_SCORED" CHECK_TYPE_extra7143="EXTRA" CHECK_SEVERITY_extra7143="Critical" @@ -25,25 +25,25 @@ CHECK_CAF_EPIC_extra7143='Data Protection' extra7143(){ # "Check if EFS have policies which allow access to everyone (Not Scored) (Not part of CIS benchmark)" - for region in $REGIONS; do - LIST_OF_EFS_IDS=$($AWSCLI efs describe-file-systems $PROFILE_OPT --region $region --query FileSystems[*].FileSystemId --output text|xargs -n1) + for regx in $REGIONS; do + LIST_OF_EFS_IDS=$($AWSCLI efs describe-file-systems $PROFILE_OPT --region $regx --query FileSystems[*].FileSystemId --output text|xargs -n1) if [[ $LIST_OF_EFS_IDS ]]; then for efsId in $LIST_OF_EFS_IDS;do - EFS_POLICY_STATEMENTS=$($AWSCLI efs $PROFILE_OPT describe-file-system-policy --region $region --file-system-id $efsId --output json --query Policy 2>&1) + EFS_POLICY_STATEMENTS=$($AWSCLI efs $PROFILE_OPT describe-file-system-policy --region $regx --file-system-id $efsId --output json --query Policy 2>&1) if [[ $EFS_POLICY_STATEMENTS == *PolicyNotFound* ]]; then - textFail "$region: EFS: $efsId doesn't have any policy which means it grants full access to any client" "$region" "$efsId" + textFail "$regx: EFS: $efsId doesn't have any policy which means it grants full access to any client" "$regx" "$efsId" else EFS_POLICY_BAD_STATEMENTS=$(echo $EFS_POLICY_STATEMENTS | jq '. | fromjson' | jq '.Statement[] | select(.Effect=="Allow") | select(.Principal=="*" or .Principal.AWS=="*" or .Principal.CanonicalUser=="*")') if [[ $EFS_POLICY_BAD_STATEMENTS != "" ]]; then - textFail "$region: EFS: $efsId has policy which allows access to everyone" "$region" "$efsId" + textFail "$regx: EFS $efsId has policy which allows access to everyone" "$regx" "$efsId" else - textPass "$region: EFS: $efsId has policy which does not allow access to everyone" "$region" "$efsId" + textPass "$regx: EFS $efsId has policy which does not allow access to everyone" "$regx" "$efsId" fi fi done else - textInfo "$region: No EFS found" "$region" + textInfo "$regx: No EFS found" "$regx" fi done } diff --git a/checks/check_extra7144 b/checks/check_extra7144 index 7f8192e9..5fc9a270 100644 --- a/checks/check_extra7144 +++ b/checks/check_extra7144 @@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra7144="7.144" -CHECK_TITLE_extra7144="[extra7144] Check if aws cloudwatch has allowed sharing with other accounts (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra7144="[extra7144] Check if CloudWatch has allowed cross-account sharing" CHECK_SCORED_extra7144="NOT_SCORED" CHECK_TYPE_extra7144="EXTRA" CHECK_SEVERITY_extra7144="Medium" @@ -21,15 +21,15 @@ CHECK_SERVICENAME_extra7144="cloudwatch" CHECK_RISK_extra7144='' CHECK_REMEDIATION_extra7144='' CHECK_DOC_extra7144='https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Cross-Account-Cross-Region.html' -CHECK_CAF_EPIC_extra7144='' +CHECK_CAF_EPIC_extra7144='Logging and Monitoring' extra7144(){ # "Check if aws cloudwatch has allowed sharing with other accounts (Not Scored) (Not part of CIS benchmark)" CLOUDWATCH_CROSS_ACCOUNT_ROLE=$($AWSCLI iam get-role $PROFILE_OPT --role-name=CloudWatch-CrossAccountSharingRole --output json --query Role 2>&1) if [[ $CLOUDWATCH_CROSS_ACCOUNT_ROLE != *NoSuchEntity* ]]; then CLOUDWATCH_POLICY_BAD_STATEMENTS=$(echo $CLOUDWATCH_CROSS_ACCOUNT_ROLE | jq '.AssumeRolePolicyDocument') - textInfo "Cloudwatch has allowed cross account sharing" + textInfo "$REGION: CloudWatch has allowed cross-account sharing" "$REGION" else - textPass "CloudWatch doesn't allows cross account sharing" + textPass "$REGION: CloudWatch doesn't allows cross-account sharing" "$REGION" fi } diff --git a/checks/check_extra7145 b/checks/check_extra7145 index d608d8c4..fa74b27b 100644 --- a/checks/check_extra7145 +++ b/checks/check_extra7145 @@ -11,39 +11,39 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra7145="7.145" -CHECK_TITLE_extra7145="[extra7145] Check if lambda functions have policies which allow access to every aws account (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra7145="[extra7145] Check if Lambda functions have policies which allow access to any AWS account" CHECK_SCORED_extra7145="NOT_SCORED" CHECK_TYPE_extra7145="EXTRA" CHECK_SEVERITY_extra7145="Critical" CHECK_ASFF_RESOURCE_TYPE_extra7145="AwsLambda" CHECK_ALTERNATE_check7145="extra7145" CHECK_SERVICENAME_extra7145="lambda" -CHECK_RISK_extra7145='Lambda function access to any aws account may result security issues' -CHECK_REMEDIATION_extra7145='Ensure lambda function policiy does not allow access to any account' +CHECK_RISK_extra7145='Lambda function access to any AWS account may result security issues' +CHECK_REMEDIATION_extra7145='Ensure Lambda function policiy does not allow access to any account' CHECK_DOC_extra7145='https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html' -CHECK_CAF_EPIC_extra7145='' +CHECK_CAF_EPIC_extra7145='IAM' extra7145(){ # "Check if lambda functions have policies which allow access to every aws account (Not Scored) (Not part of CIS benchmark)" - for region in $REGIONS; do - LIST_OF_LAMBDA_FUNCTIONS=$($AWSCLI lambda list-functions $PROFILE_OPT --region $region --query Functions[*].FunctionName --output text) + for regx in $REGIONS; do + LIST_OF_LAMBDA_FUNCTIONS=$($AWSCLI lambda list-functions $PROFILE_OPT --region $regx --query Functions[*].FunctionName --output text) if [[ $LIST_OF_LAMBDA_FUNCTIONS ]]; then for lambdaFunction in $LIST_OF_LAMBDA_FUNCTIONS;do - FUNCTION_POLICY_STATEMENTS=$($AWSCLI lambda $PROFILE_OPT get-policy --region $region --function-name $lambdaFunction --output json --query Policy 2>&1) + FUNCTION_POLICY_STATEMENTS=$($AWSCLI lambda $PROFILE_OPT get-policy --region $regx --function-name $lambdaFunction --output json --query Policy 2>&1) if [[ $FUNCTION_POLICY_STATEMENTS == *ResourceNotFoundException* ]]; then - textInfo "$region : Lambda function: $lambdaFunction doesn't have any policy" "$region" "$lambdaFunction" + textInfo "$regx: Lambda function $lambdaFunction doesn't have any policy" "$regx" "$lambdaFunction" else FUNCTION_POLICY_BAD_STATEMENTS=$(echo $FUNCTION_POLICY_STATEMENTS | jq '. | fromjson' | jq '.Statement[] | select(.Effect=="Allow") | select(.Principal=="*" or .Principal.AWS=="*" or .Principal.CanonicalUser=="*")') if [[ $FUNCTION_POLICY_BAD_STATEMENTS != "" ]]; then - textFail "$region: Lambda function: $lambdaFunction allows public access to every aws account" "$region" "$lambdaFunction" + textFail "$regx: Lambda function $lambdaFunction allows public access to any AWS account" "$regx" "$lambdaFunction" else - textPass "$region: Lambda function: $lambdaFunction has policy which doesn't allow access to everyone having an aws account" "$region" "$lambdaFunction" + textPass "$regx: Lambda function $lambdaFunction has policy which doesn't allow access to everyone having an AWS account" "$regx" "$lambdaFunction" fi fi done else - textInfo "$region: No lambda functions found" "$region" + textInfo "$regx: No lambda functions found" "$regx" fi done } diff --git a/checks/check_extra7146 b/checks/check_extra7146 index 980b9fa4..92ffb813 100644 --- a/checks/check_extra7146 +++ b/checks/check_extra7146 @@ -11,33 +11,33 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra7146="7.146" -CHECK_TITLE_extra7146="[extra7146] Check if there is any unassigned elastic ip's (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra7146="[extra7146] Check if there is any unassigned Elastic IP" CHECK_SCORED_extra7146="NOT_SCORED" CHECK_TYPE_extra7146="EXTRA" -CHECK_SEVERITY_extra7146="Medium" +CHECK_SEVERITY_extra7146="Low" CHECK_ASFF_RESOURCE_TYPE_extra7146="AwsElasticIPs" CHECK_ALTERNATE_check7146="extra7146" -CHECK_SERVICENAME_extra7146="elasticip" -CHECK_RISK_extra7146='Unassigned elastic ips may result in extra cost' -CHECK_REMEDIATION_extra7146='Ensure elastic ips are not unassigned' +CHECK_SERVICENAME_extra7146="ec2" +CHECK_RISK_extra7146='Unassigned Elastic IPs may result in extra cost' +CHECK_REMEDIATION_extra7146='Ensure Elastic IPs are not unassigned' CHECK_DOC_extra7146='https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html' -CHECK_CAF_EPIC_extra7146='' +CHECK_CAF_EPIC_extra7146='Infrastructure Security' extra7146(){ # "Check if there is any unassigned elastic ip (Not Scored) (Not part of CIS benchmark)" - for region in $REGIONS; do - ELASTIC_IP_ADDRESSES=$($AWSCLI ec2 describe-addresses $PROFILE_OPT --region $region --query Addresses --output json) - if [[ $ELASTIC_IP_ADDRESSES != [] ]]; then - LIST_OF_ASSOCIATED_IPS=$(echo $ELASTIC_IP_ADDRESSES | jq -r '.[] | select(.AssociationId!=null) | .PublicIp') - LIST_OF_UNASSOCIATED_IPS=$(echo $ELASTIC_IP_ADDRESSES | jq -r '.[] | select(.AssociationId==null) | .PublicIp') - for ass_ip in $LIST_OF_ASSOCIATED_IPS; do - textPass "$region: Elastic IP: $ass_ip is associated with an instance or network interface" "$region" "$ass_ip" - done - for unass_ip in $LIST_OF_UNASSOCIATED_IPS; do - textInfo "$region: Elastic IP: $unass_ip is not associated with any instance or network interface, it may incurr extra cost" "$region" "$unass_ip" - done - else - textInfo "$region: No elastic ip's found" "$region" - fi - done + for regx in $REGIONS; do + ELASTIC_IP_ADDRESSES=$($AWSCLI ec2 describe-addresses $PROFILE_OPT --region $regx --query Addresses --output json) + if [[ $ELASTIC_IP_ADDRESSES != [] ]]; then + LIST_OF_ASSOCIATED_IPS=$(echo $ELASTIC_IP_ADDRESSES | jq -r '.[] | select(.AssociationId!=null) | .PublicIp') + LIST_OF_UNASSOCIATED_IPS=$(echo $ELASTIC_IP_ADDRESSES | jq -r '.[] | select(.AssociationId==null) | .PublicIp') + for ass_ip in $LIST_OF_ASSOCIATED_IPS; do + textPass "$regx: Elastic IP $ass_ip is associated with an instance or network interface" "$regx" "$ass_ip" + done + for unass_ip in $LIST_OF_UNASSOCIATED_IPS; do + textInfo "$regx: Elastic IP $unass_ip is not associated with any instance or network interface and it may incurr extra cost" "$regx" "$unass_ip" + done + else + textInfo "$regx: No Elastic IPs found" "$regx" + fi + done } diff --git a/checks/check_extra7147 b/checks/check_extra7147 new file mode 100644 index 00000000..cff62c59 --- /dev/null +++ b/checks/check_extra7147 @@ -0,0 +1,47 @@ +#!/usr/bin/env bash + +# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may not +# use this file except in compliance with the License. You may obtain a copy +# of the License at http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed +# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +# CONDITIONS OF ANY KIND, either express or implied. See the License for the +# specific language governing permissions and limitations under the License. +CHECK_ID_extra7147="7.147" +CHECK_TITLE_extra7147="[extra7147] Check if S3 Glacier vaults have policies which allow access to everyone" +CHECK_SCORED_extra7147="NOT_SCORED" +CHECK_TYPE_extra7147="EXTRA" +CHECK_SEVERITY_extra7147="Critical" +CHECK_ASFF_RESOURCE_TYPE_extra7147="AwsGlacierVault" +CHECK_ALTERNATE_check7147="extra7142" +CHECK_SERVICENAME_extra7147="glacier" +CHECK_RISK_extra7147='Vaults accessible to everyone could expose sensible data to bad actors' +CHECK_REMEDIATION_extra7147='Ensure vault policy does not have principle as *' +CHECK_DOC_extra7147='https://docs.aws.amazon.com/amazonglacier/latest/dev/access-control-overview.html' +CHECK_CAF_EPIC_extra7147='Data Protection' + +extra7147(){ + for regx in $REGIONS; do + LIST_OF_VAULTS=$($AWSCLI glacier list-vaults $PROFILE_OPT --region $regx --account-id $ACCOUNT_NUM --query VaultList[*].VaultName --output text|xargs -n1) + if [[ $LIST_OF_VAULTS ]]; then + for vault in $LIST_OF_VAULTS;do + VAULT_POLICY_STATEMENTS=$($AWSCLI glacier $PROFILE_OPT get-vault-access-policy --region $regx --account-id $ACCOUNT_NUM --vault-name $vault --output json --query policy.Policy 2>&1) + if [[ $VAULT_POLICY_STATEMENTS == *GetVaultAccessPolicy* ]]; then + textInfo "$regx: Vault $vault doesn't have any policy" "$regx" "$vault" + else + VAULT_POLICY_BAD_STATEMENTS=$(echo $VAULT_POLICY_STATEMENTS | jq '. | fromjson' | jq '.Statement[] | select(.Effect=="Allow") | select(.Principal=="*" or .Principal.AWS=="*" or .Principal.CanonicalUser=="*")') + if [[ $VAULT_POLICY_BAD_STATEMENTS != "" ]]; then + textFail "$regx: Vault $vault has policy which allows access to everyone" "$regx" "$vault" + else + textPass "$regx: Vault $vault has policy which does not allow access to everyone" "$regx" "$vault" + fi + fi + done + else + textInfo "$regx: No Glacier vaults found" "$regx" + fi + done +} \ No newline at end of file diff --git a/groups/group7_extras b/groups/group7_extras index 0276affc..9cc03fa8 100644 --- a/groups/group7_extras +++ b/groups/group7_extras @@ -15,11 +15,11 @@ GROUP_ID[7]='extras' GROUP_NUMBER[7]='7.0' GROUP_TITLE[7]='Extras - all non CIS specific checks - [extras] ****************' GROUP_RUN_BY_DEFAULT[7]='Y' # run it when execute_all is called -GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra770,extra771,extra772,extra773,extra774,extra775,extra776,extra777,extra778,extra779,extra780,extra781,extra782,extra783,extra784,extra785,extra786,extra787,extra788,extra791,extra792,extra793,extra794,extra795,extra796,extra797,extra798,extra799,extra7100,extra7101,extra7102,extra7103,extra7104,extra7105,extra7106,extra7107,extra7108,extra7109,extra7110,extra7111,extra7112,extra7113,extra7114,extra7115,extra7116,extra7117,extra7118,extra7119,extra7120,extra7121,extra7122,extra7123,extra7124,extra7125,extra7126,extra7127,extra7128,extra7129,extra7130,extra7131,extra7132,extra7133,extra7134,extra7135,extra7136,extra7137,extra7138,extra7139,extra7140,extra7141,extra7142,extra7143,extra7144,extra7145,extra7146' +GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra770,extra771,extra772,extra773,extra774,extra775,extra776,extra777,extra778,extra779,extra780,extra781,extra782,extra783,extra784,extra785,extra786,extra787,extra788,extra791,extra792,extra793,extra794,extra795,extra796,extra797,extra798,extra799,extra7100,extra7101,extra7102,extra7103,extra7104,extra7105,extra7106,extra7107,extra7108,extra7109,extra7110,extra7111,extra7112,extra7113,extra7114,extra7115,extra7116,extra7117,extra7118,extra7119,extra7120,extra7121,extra7122,extra7123,extra7124,extra7125,extra7126,extra7127,extra7128,extra7129,extra7130,extra7131,extra7132,extra7133,extra7134,extra7135,extra7136,extra7137,extra7138,extra7139,extra7140,extra7141,extra7142,extra7143,extra7144,extra7145,extra7146,extra7147' # Extras 759 and 760 (lambda variables and code secrets finder are not included) # to run detect-secrets use `./prowler -g secrets` # Extras 789 and 790 VPC trust boundaries are not included by default in Extras # to run trust-boundaries use `./prowler -g trustboundaries` -# read more in https://github.com/toniblyx/prowler/#trust-boundaries-checks \ No newline at end of file +# read more in https://github.com/toniblyx/prowler/#trust-boundaries-checks