diff --git a/checks/check11 b/checks/check11 index 1776614e..c6cf4aef 100644 --- a/checks/check11 +++ b/checks/check11 @@ -15,6 +15,7 @@ CHECK_TYPE_check11="LEVEL1" CHECK_SEVERITY_check11="High" CHECK_ASFF_TYPE_check11="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ALTERNATE_check101="check11" +CHECK_SERVICENAME_check11="iam" check11(){ # "Avoid the use of the root account (Scored)." diff --git a/checks/check110 b/checks/check110 index d483a650..9c6e4a85 100644 --- a/checks/check110 +++ b/checks/check110 @@ -15,6 +15,7 @@ CHECK_TYPE_check110="LEVEL1" CHECK_SEVERITY_check110="Medium" CHECK_ASFF_TYPE_check110="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ALTERNATE_check110="check110" +CHECK_SERVICENAME_check110="iam" check110(){ # "Ensure IAM password policy prevents password reuse: 24 or greater (Scored)" diff --git a/checks/check111 b/checks/check111 index 805ab9b6..71c44c65 100644 --- a/checks/check111 +++ b/checks/check111 @@ -15,6 +15,7 @@ CHECK_TYPE_check111="LEVEL1" CHECK_SEVERITY_check111="Medium" CHECK_ASFF_TYPE_check111="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ALTERNATE_check111="check111" +CHECK_SERVICENAME_check111="iam" check111(){ # "Ensure IAM password policy expires passwords within 90 days or less (Scored)" diff --git a/checks/check112 b/checks/check112 index e202e249..9dd95dbf 100644 --- a/checks/check112 +++ b/checks/check112 @@ -15,6 +15,7 @@ CHECK_TYPE_check112="LEVEL1" CHECK_SEVERITY_check112="Critical" CHECK_ASFF_TYPE_check112="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ALTERNATE_check112="check112" +CHECK_SERVICENAME_check112="iam" check112(){ # "Ensure no root account access key exists (Scored)" diff --git a/checks/check113 b/checks/check113 index 04716f5d..752fe67b 100644 --- a/checks/check113 
+++ b/checks/check113 @@ -15,6 +15,7 @@ CHECK_TYPE_check113="LEVEL1" CHECK_SEVERITY_check113="Critical" CHECK_ASFF_TYPE_check113="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ALTERNATE_check113="check113" +CHECK_SERVICENAME_check113="iam" check113(){ # "Ensure MFA is enabled for the root account (Scored)" diff --git a/checks/check114 b/checks/check114 index 43be863c..4348a8ce 100644 --- a/checks/check114 +++ b/checks/check114 @@ -15,6 +15,7 @@ CHECK_TYPE_check114="LEVEL2" CHECK_SEVERITY_check114="Critical" CHECK_ASFF_TYPE_check114="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ALTERNATE_check114="check114" +CHECK_SERVICENAME_check114="iam" check114(){ # "Ensure hardware MFA is enabled for the root account (Scored)" diff --git a/checks/check115 b/checks/check115 index dd30979c..461ba08c 100644 --- a/checks/check115 +++ b/checks/check115 @@ -15,6 +15,7 @@ CHECK_TYPE_check115="LEVEL1" CHECK_SEVERITY_check115="Medium" CHECK_ASFF_TYPE_check115="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ALTERNATE_check115="check115" +CHECK_SERVICENAME_check115="support" check115(){ # "Ensure security questions are registered in the AWS account (Not Scored)" diff --git a/checks/check116 b/checks/check116 index 8b049496..1088ca4f 100644 --- a/checks/check116 +++ b/checks/check116 @@ -17,6 +17,7 @@ CHECK_ASFF_TYPE_check116="Software and Configuration Checks/Industry and Regulat CHECK_ASFF_RESOURCE_TYPE_check116="AwsIamUser" CHECK_ALTERNATE_check116="check116" CHECK_ASFF_COMPLIANCE_TYPE_check116="ens-op.acc.3.aws.iam.1" +CHECK_SERVICENAME_check116="iam" check116(){ # "Ensure IAM policies are attached only to groups or roles (Scored)" diff --git a/checks/check117 b/checks/check117 index ed1fcff5..0369eda1 100644 --- a/checks/check117 +++ b/checks/check117 
@@ -15,6 +15,7 @@ CHECK_TYPE_check117="LEVEL1" CHECK_SEVERITY_check117="Medium" CHECK_ASFF_TYPE_check117="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ALTERNATE_check117="check117" +CHECK_SERVICENAME_check117="support" check117(){ # "Maintain current contact details (Scored)" diff --git a/checks/check118 b/checks/check118 index 821972eb..3e23d54c 100644 --- a/checks/check118 +++ b/checks/check118 @@ -15,6 +15,7 @@ CHECK_TYPE_check118="LEVEL1" CHECK_SEVERITY_check118="Medium" CHECK_ASFF_TYPE_check118="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ALTERNATE_check118="check118" +CHECK_SERVICENAME_check118="support" check118(){ # "Ensure security contact information is registered (Scored)" diff --git a/checks/check119 b/checks/check119 index 63557bbe..96a540b1 100644 --- a/checks/check119 +++ b/checks/check119 @@ -16,6 +16,7 @@ CHECK_SEVERITY_check119="Medium" CHECK_ASFF_TYPE_check119="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check119="AwsEc2Instance" CHECK_ALTERNATE_check119="check119" +CHECK_SERVICENAME_check119="ec2" check119(){ for regx in $REGIONS; do diff --git a/checks/check12 b/checks/check12 index 77620418..6d1a1975 100644 --- a/checks/check12 +++ b/checks/check12 @@ -17,6 +17,7 @@ CHECK_ASFF_TYPE_check12="Software and Configuration Checks/Industry and Regulato CHECK_ASFF_RESOURCE_TYPE_check12="AwsIamUser" CHECK_ALTERNATE_check102="check12" CHECK_ASFF_COMPLIANCE_TYPE_check12="ens-op.acc.5.aws.iam.1" +CHECK_SERVICENAME_check12="iam" check12(){ # "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)" diff --git a/checks/check120 b/checks/check120 index ae25a345..fecf7c0e 100644 --- a/checks/check120 +++ b/checks/check120 
@@ -17,6 +17,7 @@ CHECK_ASFF_TYPE_check120="Software and Configuration Checks/Industry and Regulat CHECK_ASFF_RESOURCE_TYPE_check120="AwsIamRole" CHECK_ALTERNATE_check120="check120" CHECK_ASFF_COMPLIANCE_TYPE_check120="ens-op.acc.1.aws.iam.4" +CHECK_SERVICENAME_check120="iam" check120(){ # "Ensure a support role has been created to manage incidents with AWS Support (Scored)" diff --git a/checks/check121 b/checks/check121 index 530a98e7..af53ff18 100644 --- a/checks/check121 +++ b/checks/check121 @@ -17,6 +17,7 @@ CHECK_ASFF_TYPE_check121="Software and Configuration Checks/Industry and Regulat CHECK_ASFF_RESOURCE_TYPE_check121="AwsIamUser" CHECK_ALTERNATE_check121="check121" CHECK_ASFF_COMPLIANCE_TYPE_check121="ens-op.acc.1.aws.iam.5" +CHECK_SERVICENAME_check121="iam" check121(){ # "Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)" diff --git a/checks/check122 b/checks/check122 index ec13a27e..013dafe8 100644 --- a/checks/check122 +++ b/checks/check122 @@ -16,6 +16,7 @@ CHECK_SEVERITY_check122="Medium" CHECK_ASFF_TYPE_check122="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check122="AwsIamPolicy" CHECK_ALTERNATE_check122="check122" +CHECK_SERVICENAME_check122="iam" check122(){ # "Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)" diff --git a/checks/check13 b/checks/check13 index a6228207..14da7201 100644 --- a/checks/check13 +++ b/checks/check13 
@@ -16,7 +16,8 @@ CHECK_SEVERITY_check13="Medium" CHECK_ASFF_TYPE_check13="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check13="AwsIamUser" CHECK_ALTERNATE_check103="check13" -CHECK_ASFF_COMPLIANCE_TYPE_check13="ens-op.acc.1.aws.iam.3,ens-op.acc.5.aws.iam.4" +CHECK_ASFF_COMPLIANCE_TYPE_check13="ens-op.acc.1.aws.iam.3 ens-op.acc.5.aws.iam.4" +CHECK_SERVICENAME_check13="iam" check13(){ check_creds_used_in_last_days 90 diff --git a/checks/check14 b/checks/check14 index 91971a59..8743d08c 100644 --- a/checks/check14 +++ b/checks/check14 @@ -16,7 +16,8 @@ CHECK_SEVERITY_check14="Medium" CHECK_ASFF_TYPE_check14="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check14="AwsIamUser" CHECK_ALTERNATE_check104="check14" -CHECK_ASFF_COMPLIANCE_TYPE_check14="ens-op.acc.1.aws.iam.4,ens-op.acc.5.aws.iam.3" +CHECK_ASFF_COMPLIANCE_TYPE_check14="ens-op.acc.1.aws.iam.4 ens-op.acc.5.aws.iam.3" +CHECK_SERVICENAME_check14="iam" check14(){ # "Ensure access keys are rotated every 90 days or less (Scored)" # also checked by Security Monkey diff --git a/checks/check15 b/checks/check15 index 9ee8159a..49a35d45 100644 --- a/checks/check15 +++ b/checks/check15 @@ -15,6 +15,7 @@ CHECK_TYPE_check15="LEVEL1" CHECK_SEVERITY_check15="Medium" CHECK_ASFF_TYPE_check15="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ALTERNATE_check105="check15" +CHECK_SERVICENAME_check15="iam" check15(){ # "Ensure IAM password policy requires at least one uppercase letter (Scored)" diff --git a/checks/check16 b/checks/check16 index 7dfb17d1..7e682b48 100644 --- a/checks/check16 +++ b/checks/check16 
@@ -12,9 +12,10 @@ CHECK_ID_check16="1.6" CHECK_TITLE_check16="[check16] Ensure IAM password policy require at least one lowercase letter (Scored)" CHECK_SCORED_check16="SCORED" CHECK_TYPE_check16="LEVEL1" -CHECK_SEVERITY_check16="medium" +CHECK_SEVERITY_check16="Medium" CHECK_ASFF_TYPE_check16="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ALTERNATE_check106="check16" +CHECK_SERVICENAME_check16="iam" check16(){ # "Ensure IAM password policy require at least one lowercase letter (Scored)" diff --git a/checks/check17 b/checks/check17 index dd7d03f3..1afe6fab 100644 --- a/checks/check17 +++ b/checks/check17 @@ -15,6 +15,7 @@ CHECK_TYPE_check17="LEVEL1" CHECK_SEVERITY_check17="Medium" CHECK_ASFF_TYPE_check17="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ALTERNATE_check107="check17" +CHECK_SERVICENAME_check17="iam" check17(){ # "Ensure IAM password policy require at least one symbol (Scored)" diff --git a/checks/check18 b/checks/check18 index 676281fc..7749128a 100644 --- a/checks/check18 +++ b/checks/check18 @@ -15,6 +15,7 @@ CHECK_TYPE_check18="LEVEL1" CHECK_SEVERITY_check18="Medium" CHECK_ASFF_TYPE_check18="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ALTERNATE_check108="check18" +CHECK_SERVICENAME_check18="iam" check18(){ # "Ensure IAM password policy require at least one number (Scored)" diff --git a/checks/check19 b/checks/check19 index bb81398f..42fe5bdf 100644 --- a/checks/check19 +++ b/checks/check19 @@ -15,6 +15,7 @@ CHECK_TYPE_check19="LEVEL1" CHECK_SEVERITY_check19="Medium" CHECK_ASFF_TYPE_check19="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ALTERNATE_check109="check19" +CHECK_SERVICENAME_check19="iam" check19(){ # "Ensure IAM password policy requires minimum length of 14 or greater (Scored)" 
diff --git a/checks/check21 b/checks/check21 index eed98f61..d011cc1e 100644 --- a/checks/check21 +++ b/checks/check21 
@@ -16,32 +16,34 @@ CHECK_SEVERITY_check21="High" CHECK_ASFF_TYPE_check21="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check21="AwsCloudTrailTrail" CHECK_ALTERNATE_check201="check21" -CHECK_ASFF_COMPLIANCE_TYPE_check21="ens-op.acc.7.aws.iam.1,ens-op.mon.1.aws.trail.1" +CHECK_ASFF_COMPLIANCE_TYPE_check21="ens-op.acc.7.aws.iam.1 ens-op.mon.1.aws.trail.1" +CHECK_SERVICENAME_check21="cloudtrail" check21(){ trail_count=0 # "Ensure CloudTrail is enabled in all regions (Scored)" - for regx in $REGIONS; do - LIST_OF_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query 'trailList[*].Name' --output text --no-include-shadow-trails) - if [[ $LIST_OF_TRAILS ]];then - for trail in $LIST_OF_TRAILS;do - trail_count=$((trail_count + 1)) - MULTIREGION_TRAIL_STATUS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query 'trailList[*].IsMultiRegionTrail' --output text --trail-name-list $trail) - if [[ "$MULTIREGION_TRAIL_STATUS" == 'False' ]];then - textFail "$trail trail in $regx is not enabled in multi region mode" - else - textPass "$trail trail in $regx is enabled for all regions" - fi - done - fi - done + for regx in $REGIONS; do + TRAILS_AND_REGIONS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query 'trailList[*].{Name:TrailARN, HomeRegion:HomeRegion}' --output text | tr " " ',') + if [[ $TRAILS_AND_REGIONS ]]; then + for reg_trail in $TRAILS_AND_REGIONS; do + TRAIL_REGION=$(echo $reg_trail | cut -d',' -f1) + if [ $TRAIL_REGION != $regx ]; then # Only report trails once in home region + continue + fi + trail=$(echo $reg_trail | cut -d',' -f2) + trail_count=$((trail_count + 1)) - if [[ $trail_count == 0 ]]; then - ORG_TRAIL=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region us-east-1 | jq '.trailList[] | select(.IsMultiRegionTrail and .IsOrganizationTrail) | .Name' | sed 's/"//g') - if [[ $ORG_TRAIL != "" ]]; then - textPass 
"$ORG_TRAIL trail in $regx is enabled for all regions" - else - textFail "No CloudTrail trails were found in the account" + MULTIREGION_TRAIL_STATUS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $TRAIL_REGION --query 'trailList[*].IsMultiRegionTrail' --output text --trail-name-list $trail) + if [[ "$MULTIREGION_TRAIL_STATUS" == 'False' ]];then + textFail "Trail $trail in $regx is not enabled for all regions" + else + textPass "Trail $trail in $regx is enabled for all regions" + fi + + done fi + done + if [[ $trail_count == 0 ]]; then + textFail "No CloudTrail trails were found in the account" fi -} \ No newline at end of file +} diff --git a/checks/check22 b/checks/check22 index 9deeb4c9..27250905 100644 --- a/checks/check22 +++ b/checks/check22 
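Review bot: The multi-region test fails open: `MULTIREGION_TRAIL_STATUS` is compared only against `'False'`, so an empty result (API error, throttling, missing permission, or a mis-parsed `$trail`) lands in the `else` branch and is reported with `textPass`; check22 has the same inverted test on `LOGFILEVALIDATION_TRAIL_STATUS`. Comparing against the positive value keeps the error path fail-closed: `if [[ "$MULTIREGION_TRAIL_STATUS" == 'True' ]]; then textPass "Trail $trail in $regx is enabled for all regions"; else textFail "Trail $trail in $regx is not enabled for all regions"; fi`. The home-region filter `if [ $TRAIL_REGION != $regx ]` is unquoted inside `[`, so an empty field is a syntax error rather than a skip; `[[ "$TRAIL_REGION" != "$regx" ]]` is the safe form, and the same line recurs in check22, check24 and check27. The `cut -f1`/`-f2` positions appear to depend on the text formatter emitting the `HomeRegion` column before `Name`, which deserves a comment such as `# text output orders the projected keys HomeRegion, TrailARN`. The `tr " " ','` stage only converts the column separator if that first argument is a literal tab in the source, since `--output text` is tab-delimited; if it is a plain space the later `cut` calls operate on unsplit fields.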
@@ -17,21 +17,33 @@ CHECK_ASFF_TYPE_check22="Software and Configuration Checks/Industry and Regulato CHECK_ASFF_RESOURCE_TYPE_check22="AwsCloudTrailTrail" CHECK_ALTERNATE_check202="check22" CHECK_ASFF_COMPLIANCE_TYPE_check22="ens-op.exp.10.aws.trail.1" +CHECK_SERVICENAME_check22="cloudtrail" check22(){ + trail_count=0 # "Ensure CloudTrail log file validation is enabled (Scored)" + for regx in $REGIONS; do + TRAILS_AND_REGIONS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query 'trailList[*].{Name:TrailARN, HomeRegion:HomeRegion}' --output text | tr " " ',') + if [[ $TRAILS_AND_REGIONS ]]; then + for reg_trail in $TRAILS_AND_REGIONS; do + TRAIL_REGION=$(echo $reg_trail | cut -d',' -f1) + if [ $TRAIL_REGION != $regx ]; then # Only report trails once in home region + continue + fi + trail=$(echo $reg_trail | cut -d',' -f2) + trail_count=$((trail_count + 1)) - for regx in $REGIONS; do - LIST_OF_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query 'trailList[*].Name' --output text --no-include-shadow-trails) - if [[ $LIST_OF_TRAILS ]];then - for trail in $LIST_OF_TRAILS;do - LOGFILEVALIDATION_TRAIL_STATUS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query 'trailList[*].LogFileValidationEnabled' --output text --trail-name-list $trail) - if [[ "$LOGFILEVALIDATION_TRAIL_STATUS" == 'False' ]];then - textFail "$trail trail in $regx has not log file validation enabled" - else - textPass "$trail trail in $regx has log file validation enabled" - fi - done - fi - done + LOGFILEVALIDATION_TRAIL_STATUS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $TRAIL_REGION --query 'trailList[*].LogFileValidationEnabled' --output text --trail-name-list $trail) + if [[ "$LOGFILEVALIDATION_TRAIL_STATUS" == 'False' ]];then + textFail "Trail $trail in $regx has not log file validation enabled" + else + textPass "Trail $trail in $regx has log file validation enabled" + fi + + done + fi + done + if [[ $trail_count == 
0 ]]; then + textFail "No CloudTrail trails were found in the account" + fi } diff --git a/checks/check23 b/checks/check23 index 00d7dae6..237fdf68 100644 --- a/checks/check23 +++ b/checks/check23 @@ -16,7 +16,8 @@ CHECK_SEVERITY_check23="Critical" CHECK_ASFF_TYPE_check23="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check23="AwsS3Bucket" CHECK_ALTERNATE_check203="check23" -CHECK_ASFF_COMPLIANCE_TYPE_check23="ens-op.exp.10.aws.trail.3,ens-op.exp.10.aws.trail.4" +CHECK_ASFF_COMPLIANCE_TYPE_check23="ens-op.exp.10.aws.trail.3 ens-op.exp.10.aws.trail.4" +CHECK_SERVICENAME_check23="cloudtrail" check23(){ # "Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)" diff --git a/checks/check24 b/checks/check24 index 16f7cf7f..0e018afd 100644 --- a/checks/check24 +++ b/checks/check24 
@@ -17,28 +17,39 @@ CHECK_ASFF_TYPE_check24="Software and Configuration Checks/Industry and Regulato CHECK_ASFF_RESOURCE_TYPE_check24="AwsCloudTrailTrail" CHECK_ALTERNATE_check204="check24" CHECK_ASFF_COMPLIANCE_TYPE_check24="ens-op.exp.8.aws.cw.1" +CHECK_SERVICENAME_check24="cloudtrail" check24(){ + trail_count=0 # "Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)" - TRAILS_AND_REGIONS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].{Name:Name, HomeRegion:HomeRegion}' --output text | tr " " ',') - if [[ $TRAILS_AND_REGIONS ]];then - for reg_trail in $TRAILS_AND_REGIONS;do - trail=$(echo $reg_trail | cut -d',' -f2) - TRAIL_REGION=$(echo $reg_trail | cut -d',' -f1) - LATESTDELIVERY_TIMESTAMP=$($AWSCLI cloudtrail get-trail-status --name $trail $PROFILE_OPT --region $TRAIL_REGION --query 'LatestCloudWatchLogsDeliveryTime' --output text|grep -v None) - if [[ ! $LATESTDELIVERY_TIMESTAMP ]];then - textFail "$trail trail is not logging in the last 24h or not configured (it is in $TRAIL_REGION)" - else - LATESTDELIVERY_DATE=$(timestamp_to_date $LATESTDELIVERY_TIMESTAMP) - HOWOLDER=$(how_older_from_today $LATESTDELIVERY_DATE) - if [ $HOWOLDER -gt "1" ];then + for regx in $REGIONS; do + TRAILS_AND_REGIONS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query 'trailList[*].{Name:TrailARN, HomeRegion:HomeRegion}' --output text | tr " " ',') + if [[ $TRAILS_AND_REGIONS ]]; then + for reg_trail in $TRAILS_AND_REGIONS; do + TRAIL_REGION=$(echo $reg_trail | cut -d',' -f1) + if [ $TRAIL_REGION != $regx ]; then # Only report trails once in home region + continue + fi + trail=$(echo $reg_trail | cut -d',' -f2) + trail_count=$((trail_count + 1)) + + LATESTDELIVERY_TIMESTAMP=$($AWSCLI cloudtrail get-trail-status --name $trail $PROFILE_OPT --region $TRAIL_REGION --query 'LatestCloudWatchLogsDeliveryTime' --output text|grep -v None) + if [[ ! 
$LATESTDELIVERY_TIMESTAMP ]];then textFail "$trail trail is not logging in the last 24h or not configured (it is in $TRAIL_REGION)" else - textPass "$trail trail has been logging during the last 24h (it is in $TRAIL_REGION)" + LATESTDELIVERY_DATE=$(timestamp_to_date $LATESTDELIVERY_TIMESTAMP) + HOWOLDER=$(how_older_from_today $LATESTDELIVERY_DATE) + if [ $HOWOLDER -gt "1" ];then + textFail "$trail trail is not logging in the last 24h or not configured (it is in $TRAIL_REGION)" + else + textPass "$trail trail has been logging during the last 24h (it is in $TRAIL_REGION)" + fi fi - fi - done - else - textFail "No CloudTrail trails found!" + + done + fi + done + if [[ $trail_count == 0 ]]; then + textFail "No CloudTrail trails were found in the account" fi } diff --git a/checks/check25 b/checks/check25 index 8b008c89..bdeaabba 100644 --- a/checks/check25 +++ b/checks/check25 @@ -16,6 +16,7 @@ CHECK_SEVERITY_check25="Medium" CHECK_ASFF_TYPE_check25="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ALTERNATE_check205="check25" CHECK_ASFF_COMPLIANCE_TYPE_check25="ens-op.exp.1.aws.cfg.1" +CHECK_SERVICENAME_check25="configservice" check25(){ # "Ensure AWS Config is enabled in all regions (Scored)" diff --git a/checks/check26 b/checks/check26 index 757a352d..8b7c5fd4 100644 --- a/checks/check26 +++ b/checks/check26 @@ -16,6 +16,7 @@ CHECK_SEVERITY_check26="Medium" CHECK_ASFF_TYPE_check26="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check26="AwsS3Bucket" CHECK_ALTERNATE_check206="check26" +CHECK_SERVICENAME_check26="s3" check26(){ # "Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)" diff --git a/checks/check27 b/checks/check27 index ba9caa83..bba7a604 100644 --- a/checks/check27 +++ b/checks/check27 
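Review bot: The age comparison `if [ $HOWOLDER -gt "1" ]` falls through to `textPass` when `how_older_from_today` (defined outside the hunk) returns nothing: `[` prints an integer-expression error, the test evaluates false, and the trail is reported as logging. Guarding the value first, `if [[ -z "$HOWOLDER" || "$HOWOLDER" -gt 1 ]]; then textFail …`, keeps this path fail-closed like the `grep -v None` branch above it. `trail_count=0` is assigned as a global here and in check21, check22 and check27; `local trail_count=0` would stop it leaking between checks, assuming nothing outside these functions reads it. Since `$trail` now holds a TrailARN, the messages read `arn:… trail is not logging …`; `Trail $trail …`, as check21 and check22 now word it, reads better.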
@@ -17,18 +17,32 @@ CHECK_ASFF_TYPE_check27="Software and Configuration Checks/Industry and Regulato CHECK_ASFF_RESOURCE_TYPE_check27="AwsCloudTrailTrail" CHECK_ALTERNATE_check207="check27" CHECK_ASFF_COMPLIANCE_TYPE_check27="ens-op.exp.10.aws.trail.5" +CHECK_SERVICENAME_check27="cloudtrail" check27(){ + trail_count=0 # "Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)" - $AWSCLI cloudtrail describe-trails --query 'trailList[].[Name,KmsKeyId]' --output text $PROFILE_OPT --region $REGION | while read trail key; do - if [[ "$trail" ]] ; then - if [[ "$key" != "None" ]] ; then - textPass "KMS key found for $trail" - else - textFail "Encryption is not enabled in your CloudTrail trail $trail (KMS key not found)!" + for regx in $REGIONS; do + TRAILS_AND_REGIONS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query 'trailList[*].{Name:TrailARN, HomeRegion:HomeRegion}' --output text | tr " " ',') + if [[ $TRAILS_AND_REGIONS ]]; then + for reg_trail in $TRAILS_AND_REGIONS; do + TRAIL_REGION=$(echo $reg_trail | cut -d',' -f1) + if [ $TRAIL_REGION != $regx ]; then # Only report trails once in home region + continue fi - else - textFail "CloudTrail bucket doesn't exist!" + trail=$(echo $reg_trail | cut -d',' -f2) + trail_count=$((trail_count + 1)) + + KMSKEYID=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $TRAIL_REGION --query 'trailList[*].KmsKeyId' --output text --trail-name-list $trail) + if [[ "$KMSKEYID" ]];then + textPass "Trail $trail in $regx has encryption enabled" + else + textFail "Trail $trail in $regx has encryption disabled" + fi + done fi done + if [[ $trail_count == 0 ]]; then + textFail "No CloudTrail trails were found in the account" + fi } diff --git a/checks/check28 b/checks/check28 index 36f21dd2..d15e9fec 100644 --- a/checks/check28 +++ b/checks/check28 
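Review bot: `if [[ "$KMSKEYID" ]]` passes any non-empty string, so the check relies on `describe-trails` omitting `KmsKeyId` entirely for unencrypted trails; if the CLI prints the text-output placeholder `None` instead (the case the removed `"$key" != "None"` comparison handled), every trail is reported as encrypted. A defensive test covers both shapes: `if [[ -n "$KMSKEYID" && "$KMSKEYID" != "None" ]]; then`. The unquoted `[ $TRAIL_REGION != $regx ]` on the home-region filter is the same issue raised on check21.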
@@ -9,13 +9,14 @@ # work. If not, see . CHECK_ID_check28="2.8" -CHECK_TITLE_check28="[check28] Ensure rotation for customer created CMKs is enabled (Scored)" +CHECK_TITLE_check28="[check28] Ensure rotation for customer created KMS CMKs is enabled (Scored)" CHECK_SCORED_check28="SCORED" CHECK_TYPE_check28="LEVEL2" CHECK_SEVERITY_check28="Medium" CHECK_ASFF_TYPE_check28="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check28="AwsKmsKey" CHECK_ALTERNATE_check208="check28" +CHECK_SERVICENAME_check28="kms" check28(){ # "Ensure rotation for customer created CMKs is enabled (Scored)" diff --git a/checks/check29 b/checks/check29 index 2546e341..9c93d50a 100644 --- a/checks/check29 +++ b/checks/check29 @@ -17,6 +17,7 @@ CHECK_ASFF_TYPE_check29="Software and Configuration Checks/Industry and Regulato CHECK_ASFF_RESOURCE_TYPE_check29="AwsEc2Vpc" CHECK_ALTERNATE_check209="check29" CHECK_ASFF_COMPLIANCE_TYPE_check29="ens-op.mon.1.aws.flow.1" +CHECK_SERVICENAME_check29="vpc" check29(){ # "Ensure VPC Flow Logging is Enabled in all VPCs (Scored)" diff --git a/checks/check31 b/checks/check31 index 469dc0c6..4677be39 100644 --- a/checks/check31 +++ b/checks/check31 @@ -42,6 +42,7 @@ CHECK_ASFF_TYPE_check31="Software and Configuration Checks/Industry and Regulato CHECK_ASFF_RESOURCE_TYPE_check31="AwsCloudTrailTrail" CHECK_ALTERNATE_check301="check31" CHECK_ASFF_COMPLIANCE_TYPE_check31="ens-op.exp.8.aws.trail.2" +CHECK_SERVICENAME_check31="iam" check31(){ check3x '\$\.errorCode\s*=\s*"\*UnauthorizedOperation".+\$\.errorCode\s*=\s*"AccessDenied\*"' diff --git a/checks/check310 b/checks/check310 index 0e2f6bd4..f53ac698 100644 --- a/checks/check310 +++ b/checks/check310 
@@ -41,6 +41,7 @@ CHECK_SEVERITY_check310="Medium" CHECK_ASFF_TYPE_check310="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check310="AwsCloudTrailTrail" CHECK_ALTERNATE_check310="check310" +CHECK_SERVICENAME_check310="ec2" check310(){ check3x '\$\.eventName\s*=\s*AuthorizeSecurityGroupIngress.+\$\.eventName\s*=\s*AuthorizeSecurityGroupEgress.+\$\.eventName\s*=\s*RevokeSecurityGroupIngress.+\$\.eventName\s*=\s*RevokeSecurityGroupEgress.+\$\.eventName\s*=\s*CreateSecurityGroup.+\$\.eventName\s*=\s*DeleteSecurityGroup' diff --git a/checks/check311 b/checks/check311 index ac6fac4c..dcd53b24 100644 --- a/checks/check311 +++ b/checks/check311 @@ -41,6 +41,7 @@ CHECK_SEVERITY_check311="Medium" CHECK_ASFF_TYPE_check311="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check311="AwsCloudTrailTrail" CHECK_ALTERNATE_check311="check311" +CHECK_SERVICENAME_check311="vpc" check311(){ check3x '\$\.eventName\s*=\s*CreateNetworkAcl.+\$\.eventName\s*=\s*CreateNetworkAclEntry.+\$\.eventName\s*=\s*DeleteNetworkAcl.+\$\.eventName\s*=\s*DeleteNetworkAclEntry.+\$\.eventName\s*=\s*ReplaceNetworkAclEntry.+\$\.eventName\s*=\s*ReplaceNetworkAclAssociation' diff --git a/checks/check312 b/checks/check312 index 548fd97c..2761159b 100644 --- a/checks/check312 +++ b/checks/check312 
@@ -41,6 +41,7 @@ CHECK_SEVERITY_check312="Medium" CHECK_ASFF_TYPE_check312="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check312="AwsCloudTrailTrail" CHECK_ALTERNATE_check312="check312" +CHECK_SERVICENAME_check312="vpc" check312(){ check3x '\$\.eventName\s*=\s*CreateCustomerGateway.+\$\.eventName\s*=\s*DeleteCustomerGateway.+\$\.eventName\s*=\s*AttachInternetGateway.+\$\.eventName\s*=\s*CreateInternetGateway.+\$\.eventName\s*=\s*DeleteInternetGateway.+\$\.eventName\s*=\s*DetachInternetGateway' diff --git a/checks/check313 b/checks/check313 index d08ce15a..ac014d8b 100644 --- a/checks/check313 +++ b/checks/check313 @@ -41,6 +41,7 @@ CHECK_SEVERITY_check313="Medium" CHECK_ASFF_TYPE_check313="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check313="AwsCloudTrailTrail" CHECK_ALTERNATE_check313="check313" +CHECK_SERVICENAME_check313="vpc" check313(){ check3x '\$\.eventName\s*=\s*CreateRoute.+\$\.eventName\s*=\s*CreateRouteTable.+\$\.eventName\s*=\s*ReplaceRoute.+\$\.eventName\s*=\s*ReplaceRouteTableAssociation.+\$\.eventName\s*=\s*DeleteRouteTable.+\$\.eventName\s*=\s*DeleteRoute.+\$\.eventName\s*=\s*DisassociateRouteTable' diff --git a/checks/check314 b/checks/check314 index 4161f855..a30a0d8e 100644 --- a/checks/check314 +++ b/checks/check314 
@@ -41,6 +41,7 @@ CHECK_SEVERITY_check314="Medium" CHECK_ASFF_TYPE_check314="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check314="AwsCloudTrailTrail" CHECK_ALTERNATE_check314="check314" +CHECK_SERVICENAME_check314="vpc" check314(){ check3x '\$\.eventName\s*=\s*CreateVpc.+\$\.eventName\s*=\s*DeleteVpc.+\$\.eventName\s*=\s*ModifyVpcAttribute.+\$\.eventName\s*=\s*AcceptVpcPeeringConnection.+\$\.eventName\s*=\s*CreateVpcPeeringConnection.+\$\.eventName\s*=\s*DeleteVpcPeeringConnection.+\$\.eventName\s*=\s*RejectVpcPeeringConnection.+\$\.eventName\s*=\s*AttachClassicLinkVpc.+\$\.eventName\s*=\s*DetachClassicLinkVpc.+\$\.eventName\s*=\s*DisableVpcClassicLink.+\$\.eventName\s*=\s*EnableVpcClassicLink' diff --git a/checks/check32 b/checks/check32 index c6f5acad..73fe480b 100644 --- a/checks/check32 +++ b/checks/check32 @@ -42,6 +42,7 @@ CHECK_ASFF_TYPE_check32="Software and Configuration Checks/Industry and Regulato CHECK_ASFF_RESOURCE_TYPE_check32="AwsCloudTrailTrail" CHECK_ALTERNATE_check302="check32" CHECK_ASFF_COMPLIANCE_TYPE_check32="ens-op.exp.8.aws.trail.4" +CHECK_SERVICENAME_check32="iam" check32(){ check3x '\$\.eventName\s*=\s*"ConsoleLogin".+\$\.additionalEventData\.MFAUsed\s*!=\s*"Yes"' diff --git a/checks/check33 b/checks/check33 index 779d95a1..8044ebe0 100644 --- a/checks/check33 +++ b/checks/check33 @@ -42,6 +42,7 @@ CHECK_ASFF_TYPE_check33="Software and Configuration Checks/Industry and Regulato CHECK_ASFF_RESOURCE_TYPE_check33="AwsCloudTrailTrail" CHECK_ALTERNATE_check303="check33" CHECK_ASFF_COMPLIANCE_TYPE_check33="ens-op.exp.8.aws.trail.5" +CHECK_SERVICENAME_check33="iam" check33(){ check3x '\$\.userIdentity\.type\s*=\s*"Root".+\$\.userIdentity\.invokedBy NOT EXISTS.+\$\.eventType\s*!=\s*"AwsServiceEvent"' diff --git a/checks/check34 b/checks/check34 index 2765f92e..ed272edd 100644 --- a/checks/check34 +++ b/checks/check34 
@@ -42,6 +42,7 @@ CHECK_ASFF_TYPE_check34="Software and Configuration Checks/Industry and Regulato CHECK_ASFF_RESOURCE_TYPE_check34="AwsCloudTrailTrail" CHECK_ALTERNATE_check304="check34" CHECK_ASFF_COMPLIANCE_TYPE_check34="ens-op.exp.8.aws.trail.6" +CHECK_SERVICENAME_check34="iam" check34(){ check3x '\$\.eventName\s*=\s*DeleteGroupPolicy.+\$\.eventName\s*=\s*DeleteRolePolicy.+\$\.eventName\s*=\s*DeleteUserPolicy.+\$\.eventName\s*=\s*PutGroupPolicy.+\$\.eventName\s*=\s*PutRolePolicy.+\$\.eventName\s*=\s*PutUserPolicy.+\$\.eventName\s*=\s*CreatePolicy.+\$\.eventName\s*=\s*DeletePolicy.+\$\.eventName\s*=\s*CreatePolicyVersion.+\$\.eventName\s*=\s*DeletePolicyVersion.+\$\.eventName\s*=\s*AttachRolePolicy.+\$\.eventName\s*=\s*DetachRolePolicy.+\$\.eventName\s*=\s*AttachUserPolicy.+\$\.eventName\s*=\s*DetachUserPolicy.+\$\.eventName\s*=\s*AttachGroupPolicy.+\$\.eventName\s*=\s*DetachGroupPolicy' diff --git a/checks/check35 b/checks/check35 index 50c09212..8157a6a4 100644 --- a/checks/check35 +++ b/checks/check35 @@ -42,6 +42,7 @@ CHECK_ASFF_TYPE_check35="Software and Configuration Checks/Industry and Regulato CHECK_ASFF_RESOURCE_TYPE_check35="AwsCloudTrailTrail" CHECK_ALTERNATE_check305="check35" CHECK_ASFF_COMPLIANCE_TYPE_check35="ens-op.exp.8.aws.trail.1" +CHECK_SERVICENAME_check35="cloudtrail" check35(){ check3x '\$\.eventName\s*=\s*CreateTrail.+\$\.eventName\s*=\s*UpdateTrail.+\$\.eventName\s*=\s*DeleteTrail.+\$\.eventName\s*=\s*StartLogging.+\$\.eventName\s*=\s*StopLogging' diff --git a/checks/check36 b/checks/check36 index 89d4f2ab..c17ffe87 100644 --- a/checks/check36 +++ b/checks/check36 
@@ -42,6 +42,7 @@ CHECK_ASFF_TYPE_check36="Software and Configuration Checks/Industry and Regulato CHECK_ASFF_RESOURCE_TYPE_check36="AwsCloudTrailTrail" CHECK_ALTERNATE_check306="check36" CHECK_ASFF_COMPLIANCE_TYPE_check36="ens-op.exp.8.aws.trail.3" +CHECK_SERVICENAME_check36="iam" check36(){ check3x '\$\.eventName\s*=\s*ConsoleLogin.+\$\.errorMessage\s*=\s*"Failed authentication"' diff --git a/checks/check37 b/checks/check37 index e9b63524..c6466039 100644 --- a/checks/check37 +++ b/checks/check37 @@ -34,7 +34,7 @@ # --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic CHECK_ID_check37="3.7" -CHECK_TITLE_check37="[check37] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)" +CHECK_TITLE_check37="[check37] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created KMS CMKs (Scored)" CHECK_SCORED_check37="SCORED" CHECK_TYPE_check37="LEVEL2" CHECK_SEVERITY_check37="Medium" @@ -42,6 +42,7 @@ CHECK_ASFF_TYPE_check37="Software and Configuration Checks/Industry and Regulato CHECK_ASFF_RESOURCE_TYPE_check37="AwsCloudTrailTrail" CHECK_ALTERNATE_check307="check37" CHECK_ASFF_COMPLIANCE_TYPE_check37="ens-op.exp.11.aws.kms.1" +CHECK_SERVICENAME_check37="kms" check37(){ check3x '\$\.eventSource\s*=\s*kms.amazonaws.com.+\$\.eventName\s*=\s*DisableKey.+\$\.eventName\s*=\s*ScheduleKeyDeletion' diff --git a/checks/check38 b/checks/check38 index eaf90120..22b55710 100644 --- a/checks/check38 +++ b/checks/check38 
@@ -41,6 +41,7 @@ CHECK_SEVERITY_check38="Medium"
 CHECK_ASFF_TYPE_check38="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check38="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check308="check38"
+CHECK_SERVICENAME_check38="s3"
 check38(){
 check3x '\$\.eventSource\s*=\s*s3.amazonaws.com.+\$\.eventName\s*=\s*PutBucketAcl.+\$\.eventName\s*=\s*PutBucketPolicy.+\$\.eventName\s*=\s*PutBucketCors.+\$\.eventName\s*=\s*PutBucketLifecycle.+\$\.eventName\s*=\s*PutBucketReplication.+\$\.eventName\s*=\s*DeleteBucketPolicy.+\$\.eventName\s*=\s*DeleteBucketCors.+\$\.eventName\s*=\s*DeleteBucketLifecycle.+\$\.eventName\s*=\s*DeleteBucketReplication'
diff --git a/checks/check39 b/checks/check39
index 84450b2c..531a3bdc 100644
--- a/checks/check39
+++ b/checks/check39
@@ -41,6 +41,7 @@ CHECK_SEVERITY_check39="Medium"
 CHECK_ASFF_TYPE_check39="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check39="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check309="check39"
+CHECK_SERVICENAME_check39="configservice"
 check39(){
 check3x '\$\.eventSource\s*=\s*config.amazonaws.com.+\$\.eventName\s*=\s*StopConfigurationRecorder.+\$\.eventName\s*=\s*DeleteDeliveryChannel.+\$\.eventName\s*=\s*PutDeliveryChannel.+\$\.eventName\s*=\s*PutConfigurationRecorder'
diff --git a/checks/check41 b/checks/check41
index 5863a2a9..06ee469c 100644
--- a/checks/check41
+++ b/checks/check41
@@ -17,6 +17,7 @@ CHECK_ASFF_TYPE_check41="Software and Configuration Checks/Industry and Regulato
 CHECK_ASFF_RESOURCE_TYPE_check41="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check401="check41"
 CHECK_ASFF_COMPLIANCE_TYPE_check41="ens-mp.com.4.aws.sg.4"
+CHECK_SERVICENAME_check41="ec2"
 check41(){
 # "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 22 (Scored)"
diff --git a/checks/check42 b/checks/check42
index 3e88d26f..7edfc12a 100644
--- a/checks/check42
+++ b/checks/check42
@@ -17,6 +17,7 @@ CHECK_ASFF_TYPE_check42="Software and Configuration Checks/Industry and Regulato
 CHECK_ASFF_RESOURCE_TYPE_check42="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check402="check42"
 CHECK_ASFF_COMPLIANCE_TYPE_check42="ens-mp.com.4.aws.sg.5"
+CHECK_SERVICENAME_check42="ec2"
 check42(){
 # "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389 (Scored)"
diff --git a/checks/check43 b/checks/check43
index 9c1f5d49..fa5d18f5 100644
--- a/checks/check43
+++ b/checks/check43
@@ -17,13 +17,14 @@ CHECK_ASFF_TYPE_check43="Software and Configuration Checks/Industry and Regulato
 CHECK_ASFF_RESOURCE_TYPE_check43="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check403="check43"
 CHECK_ASFF_COMPLIANCE_TYPE_check43="ens-mp.com.4.aws.sg.1"
+CHECK_SERVICENAME_check43="ec2"
 check43(){
 # "Ensure the default security group of every VPC restricts all traffic (Scored)"
 for regx in $REGIONS; do
 CHECK_SGDEFAULT_IDS=$($AWSCLI ec2 describe-security-groups $PROFILE_OPT --region $regx --filters Name=group-name,Values='default' --query 'SecurityGroups[*].GroupId[]' --output text)
 for CHECK_SGDEFAULT_ID in $CHECK_SGDEFAULT_IDS; do
- CHECK_SGDEFAULT_ID_OPEN=$($AWSCLI ec2 describe-security-groups $PROFILE_OPT --region $regx --group-ids $CHECK_SGDEFAULT_ID --query 'SecurityGroups[*].{IpPermissions:IpPermissions,IpPermissionsEgress:IpPermissionsEgress,GroupId:GroupId}' --output text |egrep '0.0.0.0|\:\:\/0')
+ CHECK_SGDEFAULT_ID_OPEN=$($AWSCLI ec2 describe-security-groups $PROFILE_OPT --region $regx --group-ids $CHECK_SGDEFAULT_ID --query 'SecurityGroups[*].{IpPermissions:IpPermissions,IpPermissionsEgress:IpPermissionsEgress,GroupId:GroupId}' --output text |egrep ' 0.0.0.0|\:\:\/0')
 if [[ $CHECK_SGDEFAULT_ID_OPEN ]];then
 textFail "Default Security Groups ($CHECK_SGDEFAULT_ID) found that allow 0.0.0.0 IN or OUT traffic in Region $regx" "$regx"
 else
diff --git a/checks/check44 b/checks/check44
index 67a1abc1..f84d31ab 100644
--- a/checks/check44
+++ b/checks/check44
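Review bot: The leading space added to the pattern, `egrep ' 0.0.0.0|\:\:\/0'`, stops a prefix such as `10.0.0.0/8` from matching, but as far as I recall the AWS CLI's `--output text` separates columns with tabs, not spaces, so a `0.0.0.0/0` range that follows a tab would no longer match and an open default group would be reported as restricted; the dots are also still unescaped. Anchoring on any whitespace and on the CIDR suffix covers both cases: `egrep '(^|[[:space:]])0\.0\.0\.0/0|::/0'`. This is worth confirming against a region that has an open default group before relying on the space. check43's body continues past the hunk.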
@@ -16,6 +16,7 @@ CHECK_SEVERITY_check44="Medium"
 CHECK_ASFF_TYPE_check44="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check44="AwsEc2Vpc"
 CHECK_ALTERNATE_check404="check44"
+CHECK_SERVICENAME_check44="vpc"
 check44(){
 # "Ensure routing tables for VPC peering are \"least access\" (Not Scored)"
diff --git a/checks/check_extra71 b/checks/check_extra71
index bcd016a1..96f367fd 100644
--- a/checks/check_extra71
+++ b/checks/check_extra71
@@ -20,6 +20,7 @@ CHECK_ALTERNATE_extra701="extra71"
 CHECK_ALTERNATE_check71="extra71"
 CHECK_ALTERNATE_check701="extra71"
 CHECK_ASFF_COMPLIANCE_TYPE_extra71="ens-op.exp.10.aws.trail.2"
+CHECK_SERVICENAME_extra71="iam"
 extra71(){
 # "Ensure users of groups with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra710 b/checks/check_extra710
index a126dfca..fccbce46 100644
--- a/checks/check_extra710
+++ b/checks/check_extra710
@@ -18,6 +18,7 @@ CHECK_SEVERITY_extra710="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra710="AwsEc2Instance"
 CHECK_ALTERNATE_check710="extra710"
 CHECK_ASFF_COMPLIANCE_TYPE_extra710="ens-mp.com.4.aws.vpc.1"
+CHECK_SERVICENAME_extra710="ec2"
 extra710(){
 # "Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra7100 b/checks/check_extra7100
index 36e05f8e..07a32a6f 100644
--- a/checks/check_extra7100
+++ b/checks/check_extra7100
@@ -22,6 +22,7 @@ CHECK_SEVERITY_extra7100="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra7100="AwsIamPolicy"
 CHECK_ALTERNATE_check7100="extra7100"
 CHECK_ASFF_COMPLIANCE_TYPE_extra7100="ens-op.acc.2.aws.iam.1"
+CHECK_SERVICENAME_extra7100="iam"
 extra7100(){
 # "Ensure that no custom policies exist which permit assuming any role (e.g. sts:AssumeRole on *)"
diff --git a/checks/check_extra7101 b/checks/check_extra7101
index 0ab870c3..8646d914 100644
--- a/checks/check_extra7101
+++ b/checks/check_extra7101
@@ -17,6 +17,7 @@ CHECK_TYPE_extra7101="EXTRA"
 CHECK_SEVERITY_extra7101="Low"
 CHECK_ASFF_RESOURCE_TYPE_extra7101="AwsElasticsearchDomain"
 CHECK_ALTERNATE_check7101="extra7101"
+CHECK_SERVICENAME_extra7101="es"
 # More info
 # Works for Amazon Elasticsearch Service domains (version 6.7+) with Fine Grained Access Control enabled
diff --git a/checks/check_extra7102 b/checks/check_extra7102
index d8bdd33d..8f1cb17a 100644
--- a/checks/check_extra7102
+++ b/checks/check_extra7102
@@ -17,6 +17,7 @@ CHECK_TYPE_extra7102="EXTRA"
 CHECK_SEVERITY_extra7102="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7102="AwsEc2Eip"
 CHECK_ALTERNATE_check7102="extra7102"
+CHECK_SERVICENAME_extra7102="ec2"
 # Watch out, always use Shodan API key, if you use `curl https://www.shodan.io/host/{ip}` massively
 # your IP will be banned by Shodan
diff --git a/checks/check_extra7103 b/checks/check_extra7103
index 18247bdf..3a6feac9 100644
--- a/checks/check_extra7103
+++ b/checks/check_extra7103
@@ -18,6 +18,7 @@ CHECK_TYPE_extra7103="EXTRA"
 CHECK_ASFF_RESOURCE_TYPE_extra7103="AwsSageMakerNotebookInstance"
 CHECK_ALTERNATE_check7103="extra7103"
 CHECK_SEVERITY_extra7103="Medium"
+CHECK_SERVICENAME_extra7103="sagemaker"
 extra7103(){
 for regx in ${REGIONS}; do
diff --git a/checks/check_extra7104 b/checks/check_extra7104
index 6d15fbc1..1009d23b 100644
--- a/checks/check_extra7104
+++ b/checks/check_extra7104
@@ -18,6 +18,7 @@ CHECK_TYPE_extra7104="EXTRA"
 CHECK_ASFF_RESOURCE_TYPE_extra7104="AwsSageMakerNotebookInstance"
 CHECK_ALTERNATE_check7104="extra7104"
 CHECK_SEVERITY_extra7104="Medium"
+CHECK_SERVICENAME_extra7104="sagemaker"
 extra7104(){
 for regx in ${REGIONS}; do
diff --git a/checks/check_extra7105 b/checks/check_extra7105
index e76b8d9b..b62e9732 100644
--- a/checks/check_extra7105
+++ b/checks/check_extra7105
@@ -18,6 +18,7 @@ CHECK_TYPE_extra7105="EXTRA"
 CHECK_ASFF_RESOURCE_TYPE_extra7105="AwsSageMakerModel"
 CHECK_ALTERNATE_check7105="extra7105"
 CHECK_SEVERITY_extra7105="Medium"
+CHECK_SERVICENAME_extra7105="sagemaker"
 extra7105(){
 for regx in ${REGIONS}; do
diff --git a/checks/check_extra7106 b/checks/check_extra7106
index d4907513..1f91d7aa 100644
--- a/checks/check_extra7106
+++ b/checks/check_extra7106
@@ -18,6 +18,7 @@ CHECK_TYPE_extra7106="EXTRA"
 CHECK_ASFF_RESOURCE_TYPE_extra7106="AwsSageMakerModel"
 CHECK_ALTERNATE_check7106="extra7106"
 CHECK_SEVERITY_extra7106="Medium"
+CHECK_SERVICENAME_extra7106="sagemaker"
 extra7106(){
 for regx in ${REGIONS}; do
diff --git a/checks/check_extra7107 b/checks/check_extra7107
index db2fd2a5..0bd75d45 100644
--- a/checks/check_extra7107
+++ b/checks/check_extra7107
@@ -18,6 +18,7 @@ CHECK_TYPE_extra7107="EXTRA"
 CHECK_ASFF_RESOURCE_TYPE_extra7107="AwsSageMakerNotebookInstance"
 CHECK_ALTERNATE_check7107="extra7107"
 CHECK_SEVERITY_extra7107="Medium"
+CHECK_SERVICENAME_extra7107="sagemaker"
 extra7107(){
 for regx in ${REGIONS}; do
diff --git a/checks/check_extra7108 b/checks/check_extra7108
index 25ac1379..7b3161cb 100644
--- a/checks/check_extra7108
+++ b/checks/check_extra7108
@@ -18,6 +18,7 @@ CHECK_TYPE_extra7108="EXTRA"
 CHECK_ASFF_RESOURCE_TYPE_extra7108="AwsSageMakerNotebookInstance"
 CHECK_ALTERNATE_check7108="extra7108"
 CHECK_SEVERITY_extra7108="Medium"
+CHECK_SERVICENAME_extra7108="sagemaker"
 extra7108(){
 for regx in ${REGIONS}; do
diff --git a/checks/check_extra7109 b/checks/check_extra7109
index 9abedf47..eba6a4cb 100644
--- a/checks/check_extra7109
+++ b/checks/check_extra7109
@@ -18,6 +18,7 @@ CHECK_TYPE_extra7109="EXTRA"
 CHECK_ASFF_RESOURCE_TYPE_extra7109="AwsSageMakerNotebookInstance"
 CHECK_ALTERNATE_check7109="extra7109"
 CHECK_SEVERITY_extra7109="Medium"
+CHECK_SERVICENAME_extra7109="sagemaker"
 extra7109(){
 for regx in ${REGIONS}; do
diff --git a/checks/check_extra711 b/checks/check_extra711
index aa3347a1..04a3a60c 100644
--- a/checks/check_extra711
+++ b/checks/check_extra711
@@ -17,6 +17,7 @@ CHECK_TYPE_extra711="EXTRA"
 CHECK_SEVERITY_extra711="High"
 CHECK_ASFF_RESOURCE_TYPE_extra711="AwsRedshiftCluster"
 CHECK_ALTERNATE_check711="extra711"
+CHECK_SERVICENAME_extra711="redshift"
 extra711(){
 # "Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra7110 b/checks/check_extra7110
index 8a0755bb..d9406a38 100644
--- a/checks/check_extra7110
+++ b/checks/check_extra7110
@@ -18,6 +18,7 @@ CHECK_TYPE_extra7110="EXTRA"
 CHECK_ASFF_RESOURCE_TYPE_extra7110="AwsSageMakerNotebookInstance"
 CHECK_ALTERNATE_check7110="extra7110"
 CHECK_SEVERITY_extra7110="Medium"
+CHECK_SERVICENAME_extra7110="sagemaker"
 extra7110(){
 for regx in ${REGIONS}; do
diff --git a/checks/check_extra7111 b/checks/check_extra7111
index 2abb5d51..d3f25dfc 100644
--- a/checks/check_extra7111
+++ b/checks/check_extra7111
@@ -18,6 +18,7 @@ CHECK_TYPE_extra7111="EXTRA"
 CHECK_ASFF_RESOURCE_TYPE_extra7111="AwsSageMakerNotebookInstance"
 CHECK_ALTERNATE_check7111="extra7111"
 CHECK_SEVERITY_extra7111="Medium"
+CHECK_SERVICENAME_extra7111="sagemaker"
 extra7111(){
 for regx in ${REGIONS}; do
diff --git a/checks/check_extra7112 b/checks/check_extra7112
index f1f46e32..ffa6da15 100644
--- a/checks/check_extra7112
+++ b/checks/check_extra7112
@@ -18,6 +18,7 @@ CHECK_TYPE_extra7112="EXTRA"
 CHECK_ASFF_RESOURCE_TYPE_extra7112="AwsSageMakerNotebookInstance"
 CHECK_ALTERNATE_check7112="extra7112"
 CHECK_SEVERITY_extra7112="Medium"
+CHECK_SERVICENAME_extra7112="sagemaker"
 extra7112(){
 for regx in ${REGIONS}; do
diff --git a/checks/check_extra7113 b/checks/check_extra7113
index aede9db7..3cbe45a8 100644
--- a/checks/check_extra7113
+++ b/checks/check_extra7113
@@ -29,6 +29,7 @@ CHECK_TYPE_extra7113="EXTRA"
 CHECK_SEVERITY_extra7113="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7113="AwsRdsDbInstance"
 CHECK_ALTERNATE_check7113="extra7113"
+CHECK_SERVICENAME_extra7113="rds"
 extra7113(){
 textInfo "Looking for RDS Volumes in all regions... "
diff --git a/checks/check_extra7114 b/checks/check_extra7114
index a728c83f..fe22a405 100644
--- a/checks/check_extra7114
+++ b/checks/check_extra7114
@@ -18,6 +18,7 @@ CHECK_TYPE_extra7114="EXTRA"
 CHECK_SEVERITY_extra7114="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7114="AwsGlue"
 CHECK_ALTERNATE_check7114="extra7114"
+CHECK_SERVICENAME_extra7114="glue"
 extra7114(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra7115 b/checks/check_extra7115
index da606669..08beee45 100644
--- a/checks/check_extra7115
+++ b/checks/check_extra7115
@@ -17,6 +17,7 @@ CHECK_TYPE_extra7115="EXTRA"
 CHECK_SEVERITY_extra7115="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7115="AwsGlue"
 CHECK_ALTERNATE_check7115="extra7115"
+CHECK_SERVICENAME_extra7115="glue"
 extra7115(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra7116 b/checks/check_extra7116
index 2dee0295..610741a5 100644
--- a/checks/check_extra7116
+++ b/checks/check_extra7116
@@ -17,6 +17,7 @@ CHECK_TYPE_extra7116="EXTRA"
 CHECK_SEVERITY_extra7116="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7116="AwsGlue"
 CHECK_ALTERNATE_check7116="extra7116"
+CHECK_SERVICENAME_extra7116="glue"
 extra7116(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra7117 b/checks/check_extra7117
index 686cd729..62da7ab9 100644
--- a/checks/check_extra7117
+++ b/checks/check_extra7117
@@ -17,6 +17,7 @@ CHECK_TYPE_extra7117="EXTRA"
 CHECK_SEVERITY_extra7117="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7117="AwsGlue"
 CHECK_ALTERNATE_check7117="extra7117"
+CHECK_SERVICENAME_extra7117="glue"
 extra7117(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra7118 b/checks/check_extra7118
index aa39907f..614d8130 100644
--- a/checks/check_extra7118
+++ b/checks/check_extra7118
@@ -17,6 +17,7 @@ CHECK_TYPE_extra7118="EXTRA"
 CHECK_SEVERITY_extra7118="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7118="AwsGlue"
 CHECK_ALTERNATE_check7118="extra7118"
+CHECK_SERVICENAME_extra7118="glue"
 extra7118(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra7119 b/checks/check_extra7119
index e8d60488..33162563 100644
--- a/checks/check_extra7119
+++ b/checks/check_extra7119
@@ -18,6 +18,7 @@ CHECK_TYPE_extra7119="EXTRA"
 CHECK_SEVERITY_extra7119="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7119="AwsGlue"
 CHECK_ALTERNATE_check7119="extra7119"
+CHECK_SERVICENAME_extra7119="glue"
 extra7119(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra712 b/checks/check_extra712
index b27880ab..39e0e3c2 100644
--- a/checks/check_extra712
+++ b/checks/check_extra712
@@ -16,6 +16,8 @@ CHECK_SCORED_extra712="NOT_SCORED"
 CHECK_TYPE_extra712="EXTRA"
 CHECK_SEVERITY_extra712="Low"
 CHECK_ALTERNATE_check712="extra712"
+CHECK_ASFF_RESOURCE_TYPE_extra712="AwsMacieSession"
+CHECK_SERVICENAME_extra712="macie"
 extra712(){
 textInfo "No API commands available to check if Macie is enabled,"
diff --git a/checks/check_extra7120 b/checks/check_extra7120
index 69695b7f..d51e0208 100644
--- a/checks/check_extra7120
+++ b/checks/check_extra7120
@@ -17,6 +17,7 @@ CHECK_TYPE_extra7120="EXTRA"
 CHECK_SEVERITY_extra7120="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7120="AwsGlue"
 CHECK_ALTERNATE_check7120="extra7120"
+CHECK_SERVICENAME_extra7120="glue"
 extra7120(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra7121 b/checks/check_extra7121
index 0dd83446..1324f7b8 100644
--- a/checks/check_extra7121
+++ b/checks/check_extra7121
@@ -18,6 +18,7 @@ CHECK_TYPE_extra7121="EXTRA"
 CHECK_SEVERITY_extra7121="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7121="AwsGlue"
 CHECK_ALTERNATE_check7121="extra7121"
+CHECK_SERVICENAME_extra7121="glue"
 extra7121(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra7122 b/checks/check_extra7122
index 618181c4..dba88dd5 100644
--- a/checks/check_extra7122
+++ b/checks/check_extra7122
@@ -17,6 +17,7 @@ CHECK_TYPE_extra7122="EXTRA"
 CHECK_SEVERITY_extra7122="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7122="AwsGlue"
 CHECK_ALTERNATE_check7122="extra7122"
+CHECK_SERVICENAME_extra7122="glue"
 extra7122(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra7123 b/checks/check_extra7123
index 45c3a0ca..b9af0aaa 100644
--- a/checks/check_extra7123
+++ b/checks/check_extra7123
@@ -19,6 +19,7 @@ CHECK_ASFF_TYPE_extra7123="Software and Configuration Checks/Industry and Regula
 CHECK_ASFF_RESOURCE_TYPE_extra7123="AwsIamUser"
 CHECK_ALTERNATE_check7123="extra7123"
 CHECK_ASFF_COMPLIANCE_TYPE_extra7123="ens-op.acc.1.aws.iam.2"
+CHECK_SERVICENAME_extra7123="iam"
 extra7123(){
 LIST_OF_USERS_WITH_2ACCESS_KEYS=$(cat $TEMP_REPORT_FILE| awk -F, '{ print $1, $9, $14 }' |grep "\ true\ true" | awk '{ print $1 }')
diff --git a/checks/check_extra7124 b/checks/check_extra7124
index 7fa835dd..3828164f 100644
--- a/checks/check_extra7124
+++ b/checks/check_extra7124
@@ -17,7 +17,8 @@ CHECK_TYPE_extra7124="EXTRA"
 CHECK_SEVERITY_extra7124="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7124="AwsEc2Instance"
 CHECK_ALTERNATE_check7124="extra7124"
-CHECK_ASFF_COMPLIANCE_TYPE_extra7124="ens-op.exp.1.aws.sys.1,ens-op.acc.4.aws.sys.1"
+CHECK_ASFF_COMPLIANCE_TYPE_extra7124="ens-op.exp.1.aws.sys.1 ens-op.acc.4.aws.sys.1"
+CHECK_SERVICENAME_extra7124="ssm"
 extra7124(){
 for regx in $REGIONS; do
@@ -40,4 +41,4 @@ extra7124(){
 textInfo "$regx: No EC2 instances running found" "$regx"
 fi
 done
-}
\ No newline at end of file
+}
diff --git a/checks/check_extra7125 b/checks/check_extra7125
index c859738a..007947e4 100644
--- a/checks/check_extra7125
+++ b/checks/check_extra7125
@@ -18,6 +18,7 @@ CHECK_SEVERITY_extra7125="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7125="AwsIamUser"
 CHECK_ALTERNATE_check7125="extra7125"
 CHECK_ASFF_COMPLIANCE_TYPE_extra7125="ens-op.acc.5.aws.iam.2"
+CHECK_SERVICENAME_extra7125="iam"
 extra7125(){
 LIST_USERS=$($AWSCLI iam list-users --query 'Users[*].UserName' --output text $PROFILE_OPT --region $REGION)
diff --git a/checks/check_extra7126 b/checks/check_extra7126
index 0098a661..4c089e27 100644
--- a/checks/check_extra7126
+++ b/checks/check_extra7126
@@ -18,6 +18,7 @@ CHECK_SEVERITY_extra7126="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7126="AwsKmsKey"
 CHECK_ALTERNATE_check7126="extra7126"
 CHECK_ASFF_COMPLIANCE_TYPE_extra7126="op.exp.11.aws.kms.2"
+CHECK_SERVICENAME_extra7126="kms"
 extra7126(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra7127 b/checks/check_extra7127
index 549027a4..65566690 100644
--- a/checks/check_extra7127
+++ b/checks/check_extra7127
@@ -18,7 +18,8 @@ CHECK_SEVERITY_extra7127="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7127="AwsEc2Instance"
 CHECK_ASFF_TYPE_extra7127="Software and Configuration Checks/ENS op.exp.4.aws.sys.1"
 CHECK_ALTERNATE_check7127="extra7127"
-CHECK_ASFF_COMPLIANCE_TYPE_extra7127="ens-op.exp.1.aws.sys.1,ens-op.exp.4.aws.sys.1"
+CHECK_ASFF_COMPLIANCE_TYPE_extra7127="ens-op.exp.1.aws.sys.1 ens-op.exp.4.aws.sys.1"
+CHECK_SERVICENAME_extra7127="ssm"
 extra7127(){
@@ -40,4 +41,4 @@ extra7127(){
 textInfo "$regx: No EC2 managed instances found" "$regx"
 fi
 done
-}
\ No newline at end of file
+}
diff --git a/checks/check_extra7128 b/checks/check_extra7128
index 0cc417e2..13bc161c 100644
--- a/checks/check_extra7128
+++ b/checks/check_extra7128
@@ -18,6 +18,7 @@ CHECK_SEVERITY_extra7128="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7128="AwsDynamoDBTable"
 CHECK_ALTERNATE_check7128="extra7128"
 CHECK_ASFF_COMPLIANCE_TYPE_extra7128="ens-mp.info.3.aws.dyndb.1"
+CHECK_SERVICENAME_extra7128="dynamodb"
 extra7128(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra7129 b/checks/check_extra7129
index cf3e5d7b..d6a55d8e 100644
--- a/checks/check_extra7129
+++ b/checks/check_extra7129
@@ -18,6 +18,7 @@ CHECK_SEVERITY_extra7129="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7129="AwsElasticLoadBalancingV2LoadBalancer"
 CHECK_ALTERNATE_check7129="extra7129"
 CHECK_ASFF_COMPLIANCE_TYPE_extra7129="ens-mp.s.2.aws.waf.3"
+CHECK_SERVICENAME_extra7129="elb"
 extra7129(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra713 b/checks/check_extra713
index 3d5975b9..49606523 100644
--- a/checks/check_extra713
+++ b/checks/check_extra713
@@ -17,6 +17,8 @@ CHECK_TYPE_extra713="EXTRA"
 CHECK_SEVERITY_extra713="High"
 CHECK_ALTERNATE_check713="extra713"
 CHECK_ASFF_COMPLIANCE_TYPE_extra713="ens-op.mon.1.aws.duty.1"
+CHECK_ASFF_RESOURCE_TYPE_extra713="AwsGuardDutyDetector"
+CHECK_SERVICENAME_extra713="guardduty"
 extra713(){
 # "Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra7130 b/checks/check_extra7130
new file mode 100644
index 00000000..7165a5fe
--- /dev/null
+++ b/checks/check_extra7130
@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7130="7.130"
+CHECK_TITLE_extra7130="[extra7130] Ensure there are no SNS Topics unencrypted"
+CHECK_SCORED_extra7130="NOT_SCORED"
+CHECK_TYPE_extra7130="EXTRA"
+CHECK_SEVERITY_extra7130="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7130="AwsSnsTopic"
+CHECK_ALTERNATE_check7130="extra7130"
+CHECK_SERVICENAME_extra7130="sns"
+
+extra7130(){
+ textInfo "Looking for SNS Topics in all regions... "
+ for regx in $REGIONS; do
+ LIST_SNS=$($AWSCLI sns list-topics $PROFILE_OPT --region $regx --query 'Topics[*].TopicArn' --output text)
+ if [[ $LIST_SNS ]];then
+ for topic in $LIST_SNS; do
+ SHORT_TOPIC=$(echo $topic | awk -F ":" '{print $NF}')
+ SNS_ENCRYPTION=$($AWSCLI sns get-topic-attributes $PROFILE_OPT --region $regx --topic-arn $topic --query 'Attributes.KmsMasterKeyId' --output text)
+ if [[ "None" == $SNS_ENCRYPTION ]]; then
+ textFail "$regx: $SHORT_TOPIC is not encrypted!" "$regx"
+ else
+ textPass "$regx: $SHORT_TOPIC is encrypted" "$regx"
+ fi
+ done
+ else
+ textInfo "$regx: No SNS topic found" "$regx"
+ fi
+ done
+}
diff --git a/checks/check_extra7131 b/checks/check_extra7131
new file mode 100644
index 00000000..3f85c2a9
--- /dev/null
+++ b/checks/check_extra7131
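Review bot: `if [[ "None" == $SNS_ENCRYPTION ]]; then` routes an empty result to the textPass branch, so a topic whose `get-topic-attributes` call fails (stderr is not captured, stdout is empty) is reported as encrypted; only a present, non-`None` key id should pass. Invert the test and swap the two branches: `if [[ -n "$SNS_ENCRYPTION" && "$SNS_ENCRYPTION" != "None" ]]; then` followed by the textPass line, with textFail in the else arm. Quoting the expansion also stops `[[ == ]]` from treating it as a glob pattern. As a point of style, `SHORT_TOPIC=$(echo $topic | awk -F ":" '{print $NF}')` spawns two processes per topic where the builtin `SHORT_TOPIC=${topic##*:}` gives the same last ARN component.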
@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7131="7.131"
+CHECK_TITLE_extra7131="[extra7131] Ensure RDS instances have minor version upgrade enabled"
+CHECK_SCORED_extra7131="NOT_SCORED"
+CHECK_TYPE_extra7131="EXTRA"
+CHECK_SEVERITY_extra7131="Low"
+CHECK_ASFF_RESOURCE_TYPE_extra7131="AwsRdsDbInstance"
+CHECK_ALTERNATE_check7131="extra7131"
+CHECK_SERVICENAME_extra7131="rds"
+
+extra7131(){
+ for regx in $REGIONS; do
+ # LIST_OF_RDS_PUBLIC_INSTANCES=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --query 'DBInstances[?PubliclyAccessible==`true` && DBInstanceStatus==`"available"`].[DBInstanceIdentifier,Endpoint.Address]' --output text)
+ LIST_OF_RDS_INSTANCES=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --query 'DBInstances[*].[DBInstanceIdentifier,AutoMinorVersionUpgrade]' --output text)
+ if [[ $LIST_OF_RDS_INSTANCES ]];then
+ while read -r rds_instance;do
+ RDS_NAME=$(echo $rds_instance | awk '{ print $1; }')
+ RDS_AUTOMINORUPGRADE_FLAG=$(echo $rds_instance | awk '{ print $2; }')
+ if [[ $RDS_AUTOMINORUPGRADE_FLAG == "True" ]];then
+ textPass "$regx: RDS instance: $RDS_NAME is has minor version upgrade enabled" "$regx"
+ else
+ textFail "$regx: RDS instance: $RDS_NAME does not have minor version upgrade enabled" "$regx"
+ fi
+ done <<< "$LIST_OF_RDS_INSTANCES"
+ else
+ textInfo "$regx: no RDS instances 
found" "$regx"
+ fi
+ done
+}
diff --git a/checks/check_extra714 b/checks/check_extra714
index 542cdce2..362b69c0 100644
--- a/checks/check_extra714
+++ b/checks/check_extra714
@@ -17,6 +17,7 @@ CHECK_TYPE_extra714="EXTRA"
 CHECK_SEVERITY_extra714="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra714="AwsCloudFrontDistribution"
 CHECK_ALTERNATE_check714="extra714"
+CHECK_SERVICENAME_extra714="cloudfront"
 extra714(){
 # "Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra715 b/checks/check_extra715
index 3dae4809..e848e78b 100644
--- a/checks/check_extra715
+++ b/checks/check_extra715
@@ -17,6 +17,7 @@ CHECK_TYPE_extra715="EXTRA"
 CHECK_SEVERITY_extra715="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra715="AwsElasticsearchDomain"
 CHECK_ALTERNATE_check715="extra715"
+CHECK_SERVICENAME_extra715="es"
 extra715(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra716 b/checks/check_extra716
index 96014d22..cc6a88c3 100644
--- a/checks/check_extra716
+++ b/checks/check_extra716
@@ -17,6 +17,7 @@ CHECK_TYPE_extra716="EXTRA"
 CHECK_SEVERITY_extra716="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra716="AwsElasticsearchDomain"
 CHECK_ALTERNATE_check716="extra716"
+CHECK_SERVICENAME_extra716="es"
 extra716(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra717 b/checks/check_extra717
index cdb9e1b2..1c7a6a22 100644
--- a/checks/check_extra717
+++ b/checks/check_extra717
@@ -17,6 +17,7 @@ CHECK_TYPE_extra717="EXTRA"
 CHECK_SEVERITY_extra717="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra717="AwsElbLoadBalancer"
 CHECK_ALTERNATE_check717="extra717"
+CHECK_SERVICENAME_extra717="elb"
 extra717(){
 # "Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra718 b/checks/check_extra718
index 6e8d8f50..738fc59e 100644
--- a/checks/check_extra718
+++ b/checks/check_extra718
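Review bot: The commented-out `# LIST_OF_RDS_PUBLIC_INSTANCES=...` line at the top of the loop in check_extra7131 is a leftover from the public-instance check this file was evidently copied from and has no role in a new file; drop it rather than ship dead code. The pass message also has a typo: `textPass "$regx: RDS instance: $RDS_NAME is has minor version upgrade enabled" "$regx"` should read `has minor version upgrade enabled`. The extra7131 hunk begins on the previous line of this diff.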
@@ -17,6 +17,7 @@ CHECK_TYPE_extra718="EXTRA"
 CHECK_SEVERITY_extra718="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra718="AwsS3Bucket"
 CHECK_ALTERNATE_check718="extra718"
+CHECK_SERVICENAME_extra718="s3"
 extra718(){
 # "Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra719 b/checks/check_extra719
index 306c3b07..9578ccd6 100644
--- a/checks/check_extra719
+++ b/checks/check_extra719
@@ -16,6 +16,8 @@ CHECK_SCORED_extra719="NOT_SCORED"
 CHECK_TYPE_extra719="EXTRA"
 CHECK_SEVERITY_extra719="Medium"
 CHECK_ALTERNATE_check719="extra719"
+CHECK_ASFF_RESOURCE_TYPE_extra719="AwsRoute53HostedZone"
+CHECK_SERVICENAME_extra719="route53"
 extra719(){
 # You can't create a query logging config for a private hosted zone.
diff --git a/checks/check_extra72 b/checks/check_extra72
index e03d4f1d..07ff9393 100644
--- a/checks/check_extra72
+++ b/checks/check_extra72
@@ -19,6 +19,7 @@ CHECK_ASFF_RESOURCE_TYPE_extra72="AwsEc2Snapshot"
 CHECK_ALTERNATE_extra702="extra72"
 CHECK_ALTERNATE_check72="extra72"
 CHECK_ALTERNATE_check702="extra72"
+CHECK_SERVICENAME_check72="ec2"
 extra72(){
 # "Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra720 b/checks/check_extra720
index 2768bb3c..8e0647fd 100644
--- a/checks/check_extra720
+++ b/checks/check_extra720
@@ -17,6 +17,7 @@ CHECK_TYPE_extra720="EXTRA"
 CHECK_SEVERITY_extra720="Low"
 CHECK_ASFF_RESOURCE_TYPE_extra720="AwsLambdaFunction"
 CHECK_ALTERNATE_check720="extra720"
+CHECK_SERVICENAME_extra720="lambda"
 extra720(){
 # "Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra721 b/checks/check_extra721
index 82d78d6b..5e2b6f89 100644
--- a/checks/check_extra721
+++ b/checks/check_extra721
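Review bot: The variable added in the check_extra72 hunk is named `CHECK_SERVICENAME_check72`, while every other identifier in that file (`CHECK_ASFF_RESOURCE_TYPE_extra72`, the function `extra72`) and every other `CHECK_SERVICENAME_*` introduced by this commit is keyed by the function name. If the framework resolves `CHECK_SERVICENAME_${check}` from that name, as the other `_extra72` variables suggest, the service for extra72 will simply be unset. Rename it: `CHECK_SERVICENAME_extra72="ec2"`.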
@@ -17,6 +17,7 @@ CHECK_TYPE_extra721="EXTRA"
 CHECK_SEVERITY_extra721="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra721="AwsRedshiftCluster"
 CHECK_ALTERNATE_check721="extra721"
+CHECK_SERVICENAME_extra721="redshift"
 extra721(){
 # "Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra722 b/checks/check_extra722
index 019478dd..e9ff44c8 100644
--- a/checks/check_extra722
+++ b/checks/check_extra722
@@ -17,6 +17,7 @@ CHECK_TYPE_extra722="EXTRA"
 CHECK_SEVERITY_extra722="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra722="AwsApiGatewayRestApi"
 CHECK_ALTERNATE_check722="extra722"
+CHECK_SERVICENAME_extra722="apigateway"
 extra722(){
 # "Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra723 b/checks/check_extra723
index db32777b..6051282b 100644
--- a/checks/check_extra723
+++ b/checks/check_extra723
@@ -17,6 +17,7 @@ CHECK_TYPE_extra723="EXTRA"
 CHECK_SEVERITY_extra723="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra723="AwsRdsDbSnapshot"
 CHECK_ALTERNATE_check723="extra723"
+CHECK_SERVICENAME_extra723="rds"
 extra723(){
 # "Check if RDS Snapshots are public (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra724 b/checks/check_extra724
index 03b2dad2..ac0c501a 100644
--- a/checks/check_extra724
+++ b/checks/check_extra724
@@ -17,6 +17,7 @@ CHECK_TYPE_extra724="EXTRA"
 CHECK_SEVERITY_extra724="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra724="AwsCertificateManagerCertificate"
 CHECK_ALTERNATE_check724="extra724"
+CHECK_SERVICENAME_extra724="acm"
 extra724(){
 # "Check if ACM certificates have Certificate Transparency logging enabled (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra725 b/checks/check_extra725
index 65c76a85..28d2557f 100644
--- a/checks/check_extra725
+++ b/checks/check_extra725
@@ -18,6 +18,8 @@ CHECK_TYPE_extra725="EXTRA"
 CHECK_SEVERITY_extra725="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra725="AwsS3Bucket"
 CHECK_ALTERNATE_check725="extra725"
+CHECK_SERVICENAME_extra725="s3"
+
 # per Object-level logging is not configured at Bucket level but at CloudTrail trail level
 extra725(){
diff --git a/checks/check_extra726 b/checks/check_extra726
index 5790fcd8..f4762623 100644
--- a/checks/check_extra726
+++ b/checks/check_extra726
@@ -17,6 +17,7 @@ CHECK_SCORED_extra726="NOT_SCORED"
 CHECK_TYPE_extra726="EXTRA"
 CHECK_SEVERITY_extra726="Medium"
 CHECK_ALTERNATE_check726="extra726"
+CHECK_SERVICENAME_extra726="trustedadvisor"
 extra726(){
 trap "exit" INT
diff --git a/checks/check_extra727 b/checks/check_extra727
index 596f174a..d618b0bd 100644
--- a/checks/check_extra727
+++ b/checks/check_extra727
@@ -18,6 +18,7 @@ CHECK_TYPE_extra727="EXTRA"
 CHECK_SEVERITY_extra727="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra727="AwsSqsQueue"
 CHECK_ALTERNATE_check727="extra727"
+CHECK_SERVICENAME_extra727="sqs"
 extra727(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra728 b/checks/check_extra728
index 640ee876..bde576a1 100644
--- a/checks/check_extra728
+++ b/checks/check_extra728
@@ -19,6 +19,7 @@ CHECK_SEVERITY_extra728="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra728="AwsSqsQueue"
 CHECK_ALTERNATE_check728="extra728"
 CHECK_ASFF_COMPLIANCE_TYPE_extra728="ens-mp.info.3.sns.1"
+CHECK_SERVICENAME_extra728="sqs"
 extra728(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra729 b/checks/check_extra729
index e841503b..58bf6e40 100644
--- a/checks/check_extra729
+++ b/checks/check_extra729
@@ -19,6 +19,8 @@ CHECK_SEVERITY_extra729="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra729="AwsEc2Volume"
 CHECK_ALTERNATE_check729="extra729"
 CHECK_ASFF_COMPLIANCE_TYPE_extra729="ens-mp.info.3.aws.ebs.1"
+CHECK_SERVICENAME_extra729="ec2"
+
 extra729(){
 # "Ensure there are no EBS Volumes unencrypted (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra73 b/checks/check_extra73
index 0e92f1d7..b8c81961 100644
--- a/checks/check_extra73
+++ b/checks/check_extra73
@@ -22,7 +22,6 @@ CHECK_ALTERNATE_check73="extra73"
 CHECK_ALTERNATE_check703="extra73"
 CHECK_SERVICENAME_extra73="s3"
-
 # Verified with AWS support that if get-bucket-acl doesn't return a grant
 # for All and get-bucket-policy-status returns IsPublic false or bad request
 # (no policy) then the bucket can be considered not public - though
@@ -47,7 +46,7 @@ extra73(){
 #
 ACCOUNT_PUBLIC_ACCESS_BLOCK=$($AWSCLI s3control get-public-access-block $PROFILE_OPT --region $REGION --account-id $ACCOUNT_NUM --output json 2>&1)
 if [[ $(echo "$ACCOUNT_PUBLIC_ACCESS_BLOCK" | grep AccessDenied) ]]; then
- textFail "Access Denied Trying to Get Public Access Block for $bucket"
+ textFail "Access Denied getting PublicAccessBlock configuration for AWS account"
 return
 fi
 if [[ $(echo "$ACCOUNT_PUBLIC_ACCESS_BLOCK" | grep NoSuchPublicAccessBlockConfiguration) ]]; then
@@ -82,18 +81,17 @@ extra73(){
 # must be made to S3 endpoints in the same region as the bucket was
 # created.
 #
- BUCKET_LOCATION=$($AWSCLI s3api get-bucket-location --bucket $bucket $PROFILE_OPT --output text 2>&1)
+ BUCKET_LOCATION=$($AWSCLI s3api get-bucket-location $PROFILE_OPT --region $REGION --bucket $bucket --output text 2>&1)
 if [[ $(echo "$BUCKET_LOCATION" | grep AccessDenied) ]]; then
 textFail "Access Denied Trying to Get Bucket Location for $bucket"
 continue
 fi
- if [[ "None" == $BUCKET_LOCATION ]]; then
+ if [[ $BUCKET_LOCATION == "None" ]]; then
 BUCKET_LOCATION="us-east-1"
 fi
- if [[ "EU" == $BUCKET_LOCATION ]]; then
+ if [[ $BUCKET_LOCATION == "EU" ]]; then
 BUCKET_LOCATION="eu-west-1"
 fi
-
 #
 # If public ACLs disabled at bucket level then look no further
 #
diff --git a/checks/check_extra730 b/checks/check_extra730
index c2f7fc76..1b3ed3fe 100644
--- a/checks/check_extra730
+++ b/checks/check_extra730
@@ -20,6 +20,7 @@ CHECK_TYPE_extra730="EXTRA" CHECK_SEVERITY_extra730="High" CHECK_ASFF_RESOURCE_TYPE_extra730="AwsCertificateManagerCertificate" CHECK_ALTERNATE_check730="extra730" +CHECK_SERVICENAME_extra730="acm" extra730(){ # "Check if ACM Certificates are about to expire in $DAYS_TO_EXPIRE_THRESHOLD days or less" diff --git a/checks/check_extra731 b/checks/check_extra731 index 7474ea44..49e4a9d0 100644 --- a/checks/check_extra731 +++ b/checks/check_extra731 @@ -18,6 +18,7 @@ CHECK_TYPE_extra731="EXTRA" CHECK_SEVERITY_extra731="Critical" CHECK_ASFF_RESOURCE_TYPE_extra731="AwsSnsTopic" CHECK_ALTERNATE_check731="extra731" +CHECK_SERVICENAME_extra731="sns" extra731(){ for regx in $REGIONS; do diff --git a/checks/check_extra732 b/checks/check_extra732 index 811fed10..0e38ee9d 100644 --- a/checks/check_extra732 +++ b/checks/check_extra732 @@ -18,6 +18,7 @@ CHECK_TYPE_extra732="EXTRA" CHECK_SEVERITY_extra732="Low" CHECK_ASFF_RESOURCE_TYPE_extra732="AwsCloudFrontDistribution" CHECK_ALTERNATE_check732="extra732" +CHECK_SERVICENAME_extra732="cloudfront" extra732(){ LIST_DISTRIBUTIONS=$($AWSCLI cloudfront list-distributions $PROFILE_OPT --query 'DistributionList.Items[*].Id' --output text |grep -v ^None) diff --git a/checks/check_extra733 b/checks/check_extra733 index ce0bfcd9..40de63d6 100644 --- a/checks/check_extra733 +++ b/checks/check_extra733 @@ -18,6 +18,7 @@ CHECK_TYPE_extra733="EXTRA" CHECK_SEVERITY_extra733="Low" CHECK_ALTERNATE_check733="extra733" CHECK_ASFF_COMPLIANCE_TYPE_extra733="ens-op.acc.1.aws.iam.1" +CHECK_SERVICENAME_extra733="iam" extra733(){ LIST_SAML_PROV=$($AWSCLI iam list-saml-providers $PROFILE_OPT --query 'SAMLProviderList[*].Arn' --output text |grep -v ^None) diff --git a/checks/check_extra734 b/checks/check_extra734 index f7ce12db..a4cc58c5 100644 --- a/checks/check_extra734 +++ b/checks/check_extra734 
@@ -18,23 +18,27 @@ CHECK_SEVERITY_extra734="Medium" CHECK_ASFF_RESOURCE_TYPE_extra734="AwsS3Bucket" CHECK_ALTERNATE_check734="extra734" CHECK_ASFF_COMPLIANCE_TYPE_extra734="ens-mp.info.3.s3.1" +CHECK_SERVICENAME_extra734="s3" extra734(){ LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --region $REGION --query Buckets[*].Name --output text|xargs -n1) if [[ $LIST_OF_BUCKETS ]]; then for bucket in $LIST_OF_BUCKETS;do - BUCKET_LOCATION=$($AWSCLI s3api get-bucket-location $PROFILE_OPT --region $REGION --bucket $bucket --output text) - # For this test to pass one of the following must be present: - # - Configure ServerSideEncryptionConfiguration rule for AES256 or aws:kms - # OR - # - Have bucket policy denying s3:PutObject when s3:x-amz-server-side-encryption is absent - + BUCKET_LOCATION=$($AWSCLI s3api get-bucket-location $PROFILE_OPT --region $REGION --bucket $bucket --output text 2>&1) + if [[ $(echo "$BUCKET_LOCATION" | grep AccessDenied) ]]; then + textFail "Access Denied Trying to Get Bucket Location for $bucket" + continue + fi if [[ $BUCKET_LOCATION == "None" ]]; then BUCKET_LOCATION="us-east-1" fi if [[ $BUCKET_LOCATION == "EU" ]]; then BUCKET_LOCATION="eu-west-1" fi + # For this test to pass one of the following must be present: + # - Configure ServerSideEncryptionConfiguration rule for AES256 or aws:kms + # OR + # - Have bucket policy denying s3:PutObject when s3:x-amz-server-side-encryption is absent # query to get if has encryption enabled or not RESULT=$($AWSCLI s3api get-bucket-encryption $PROFILE_OPT --region $BUCKET_LOCATION --bucket $bucket --query ServerSideEncryptionConfiguration.Rules[].ApplyServerSideEncryptionByDefault[].SSEAlgorithm --output text 2>&1) if [[ $(echo "$RESULT" | grep AccessDenied) ]]; then diff --git a/checks/check_extra735 b/checks/check_extra735 index 7c0c29f1..409e08a4 100644 --- a/checks/check_extra735 +++ b/checks/check_extra735 
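Review bot: The newly added `2>&1` on `get-bucket-location` changes what happens on every error other than `AccessDenied`: previously the message went to stderr and `BUCKET_LOCATION` stayed empty, now the error text itself becomes `BUCKET_LOCATION` and is passed as `--region` to `get-bucket-encryption`, which then fails for an unrelated reason and the bucket is never assessed. Since the grep only recognises `AccessDenied`, the value should be validated as a region token before the `None`/`EU` mapping, reporting anything else as a lookup failure rather than forwarding it. The rewritten error handling below does that; the encryption query after it is unchanged. extra734 ends outside this hunk.
```shell
BUCKET_LOCATION=$($AWSCLI s3api get-bucket-location $PROFILE_OPT --region $REGION --bucket $bucket --output text 2>&1)
if [[ $(echo "$BUCKET_LOCATION" | grep AccessDenied) ]]; then
  textFail "Access Denied Trying to Get Bucket Location for $bucket"
  continue
fi
# With stderr merged above, anything that is not a bare token ("None", "EU", "eu-west-1", ...)
# is another CLI error; report it instead of passing it on as --region.
if [[ ! $BUCKET_LOCATION =~ ^[A-Za-z0-9-]+$ ]]; then
  textFail "Unable to get location for $bucket: $BUCKET_LOCATION"
  continue
fi
# … unchanged: None/EU mapping and get-bucket-encryption query …
```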
@@ -18,6 +18,7 @@ CHECK_SEVERITY_extra735="Medium" CHECK_ASFF_RESOURCE_TYPE_extra735="AwsRdsDbInstance" CHECK_ALTERNATE_check735="extra735" CHECK_ASFF_COMPLIANCE_TYPE_extra735="ens-mp.info.3.aws.rds.1" +CHECK_SERVICENAME_extra735="rds" extra735(){ textInfo "Looking for RDS Volumes in all regions... " diff --git a/checks/check_extra736 b/checks/check_extra736 index 2d8c48f5..291d971d 100644 --- a/checks/check_extra736 +++ b/checks/check_extra736 @@ -18,6 +18,7 @@ CHECK_SEVERITY_extra736="Critical" CHECK_ASFF_RESOURCE_TYPE_extra736="AwsKmsKey" CHECK_ALTERNATE_check736="extra736" CHECK_ASFF_COMPLIANCE_TYPE_extra736="ens-op.exp.11.aws.kms.2" +CHECK_SERVICENAME_extra736="kms" extra736(){ textInfo "Looking for KMS keys in all regions... " diff --git a/checks/check_extra737 b/checks/check_extra737 index e2c32e87..1dc12679 100644 --- a/checks/check_extra737 +++ b/checks/check_extra737 @@ -18,6 +18,7 @@ CHECK_SEVERITY_extra737="Medium" CHECK_ASFF_RESOURCE_TYPE_extra737="AwsKmsKey" CHECK_ALTERNATE_check737="extra737" CHECK_ASFF_COMPLIANCE_TYPE_extra737="ens-op.exp.11.aws.kms.3" +CHECK_SERVICENAME_extra737="kms" extra737(){ textInfo "Looking for KMS keys in all regions... " diff --git a/checks/check_extra738 b/checks/check_extra738 index 42c178a2..566b715e 100644 --- a/checks/check_extra738 +++ b/checks/check_extra738 @@ -18,6 +18,7 @@ CHECK_SEVERITY_extra738="Medium" CHECK_ASFF_RESOURCE_TYPE_extra738="AwsCloudFrontDistribution" CHECK_ALTERNATE_check738="extra738" CHECK_ASFF_COMPLIANCE_TYPE_extra738="ens-mp.com.2.aws.front.1" +CHECK_SERVICENAME_extra738="cloudfront" extra738(){ LIST_OF_DISTRIBUTIONS=$($AWSCLI cloudfront list-distributions --query 'DistributionList.Items[*].Id' $PROFILE_OPT --output text|grep -v ^None) diff --git a/checks/check_extra739 b/checks/check_extra739 index 5ef3c92f..c0aec8b3 100644 --- a/checks/check_extra739 +++ b/checks/check_extra739 
@@ -17,6 +17,7 @@ CHECK_TYPE_extra739="EXTRA" CHECK_SEVERITY_extra739="Medium" CHECK_ASFF_RESOURCE_TYPE_extra739="AwsRdsDbInstance" CHECK_ALTERNATE_check739="extra739" +CHECK_SERVICENAME_extra739="rds" extra739(){ for regx in $REGIONS; do diff --git a/checks/check_extra74 b/checks/check_extra74 index 73e9b343..5061bb4d 100644 --- a/checks/check_extra74 +++ b/checks/check_extra74 @@ -20,6 +20,7 @@ CHECK_ALTERNATE_extra704="extra74" CHECK_ALTERNATE_check74="extra74" CHECK_ALTERNATE_check704="extra74" CHECK_ASFF_COMPLIANCE_TYPE_extra74="ens-mp.com.4.aws.sg.2" +CHECK_SERVICENAME_extra74="ec2" extra74(){ # "Ensure there are no Security Groups without ingress filtering being used (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra740 b/checks/check_extra740 index 2b8906db..c1c8fe22 100644 --- a/checks/check_extra740 +++ b/checks/check_extra740 @@ -18,6 +18,7 @@ CHECK_SEVERITY_extra740="Medium" CHECK_ASFF_RESOURCE_TYPE_extra740="AwsEc2Snapshot" CHECK_ALTERNATE_check740="extra740" CHECK_ASFF_COMPLIANCE_TYPE_extra740="ens-mp.info.3.aws.ebs.3" +CHECK_SERVICENAME_extra740="ec2" extra740(){ textInfo "Examining EBS Volume Snapshots ..." diff --git a/checks/check_extra741 b/checks/check_extra741 index 3245ce0c..7643e512 100644 --- a/checks/check_extra741 +++ b/checks/check_extra741 @@ -17,6 +17,7 @@ CHECK_TYPE_extra741="EXTRA" CHECK_SEVERITY_extra741="Medium" CHECK_ASFF_RESOURCE_TYPE_extra741="AwsEc2Instance" CHECK_ALTERNATE_check741="extra741" +CHECK_SERVICENAME_extra741="ec2" extra741(){ SECRETS_TEMP_FOLDER="$PROWLER_DIR/secrets-$ACCOUNT_NUM" diff --git a/checks/check_extra742 b/checks/check_extra742 index f9ac6868..1aa2adda 100644 --- a/checks/check_extra742 +++ b/checks/check_extra742 
@@ -17,6 +17,7 @@ CHECK_TYPE_extra742="EXTRA" CHECK_SEVERITY_extra742="Medium" CHECK_ASFF_RESOURCE_TYPE_extra742="AwsCloudFormationStack" CHECK_ALTERNATE_check742="extra742" +CHECK_SERVICENAME_extra742="cloudformation" extra742(){ SECRETS_TEMP_FOLDER="$PROWLER_DIR/secrets-$ACCOUNT_NUM" diff --git a/checks/check_extra743 b/checks/check_extra743 index 322b0d57..38c80447 100644 --- a/checks/check_extra743 +++ b/checks/check_extra743 @@ -17,6 +17,7 @@ CHECK_TYPE_extra743="EXTRA" CHECK_SEVERITY_extra743="Medium" CHECK_ASFF_RESOURCE_TYPE_extra743="AwsApiGatewayRestApi" CHECK_ALTERNATE_check743="extra743" +CHECK_SERVICENAME_extra743="apigateway" extra743(){ for regx in $REGIONS; do diff --git a/checks/check_extra744 b/checks/check_extra744 index c08c4a5f..2c495108 100644 --- a/checks/check_extra744 +++ b/checks/check_extra744 @@ -18,6 +18,7 @@ CHECK_SEVERITY_extra744="Medium" CHECK_ASFF_RESOURCE_TYPE_extra744="AwsApiGatewayRestApi" CHECK_ALTERNATE_check744="extra744" CHECK_ASFF_COMPLIANCE_TYPE_extra744="ens-mp.s.2.aws.waf.2" +CHECK_SERVICENAME_extra744="apigateway" extra744(){ for regx in $REGIONS; do diff --git a/checks/check_extra745 b/checks/check_extra745 index d05a262a..2148dcaf 100644 --- a/checks/check_extra745 +++ b/checks/check_extra745 @@ -17,6 +17,7 @@ CHECK_TYPE_extra745="EXTRA" CHECK_SEVERITY_extra745="Medium" CHECK_ASFF_RESOURCE_TYPE_extra745="AwsApiGatewayRestApi" CHECK_ALTERNATE_check745="extra745" +CHECK_SERVICENAME_extra745="apigateway" extra745(){ for regx in $REGIONS; do diff --git a/checks/check_extra746 b/checks/check_extra746 index 2b817b32..0599d2e8 100644 --- a/checks/check_extra746 +++ b/checks/check_extra746 @@ -17,6 +17,7 @@ CHECK_TYPE_extra746="EXTRA" CHECK_SEVERITY_extra746="Medium" CHECK_ASFF_RESOURCE_TYPE_extra746="AwsApiGatewayRestApi" CHECK_ALTERNATE_check746="extra746" +CHECK_SERVICENAME_extra746="apigateway" extra746(){ for regx in $REGIONS; do diff --git a/checks/check_extra747 b/checks/check_extra747 index 2f1f9915..9e16b1fb 100644 
--- a/checks/check_extra747 +++ b/checks/check_extra747 @@ -17,6 +17,7 @@ CHECK_TYPE_extra747="EXTRA" CHECK_SEVERITY_extra747="Medium" CHECK_ASFF_RESOURCE_TYPE_extra747="AwsRdsDbInstance" CHECK_ALTERNATE_check747="extra747" +CHECK_SERVICENAME_extra747="rds" extra747(){ for regx in $REGIONS; do diff --git a/checks/check_extra748 b/checks/check_extra748 index b7905d09..3dc303ce 100644 --- a/checks/check_extra748 +++ b/checks/check_extra748 @@ -17,6 +17,7 @@ CHECK_TYPE_extra748="EXTRA" CHECK_SEVERITY_extra748="High" CHECK_ASFF_RESOURCE_TYPE_extra748="AwsEc2SecurityGroup" CHECK_ALTERNATE_check748="extra748" +CHECK_SERVICENAME_extra748="ec2" extra748(){ for regx in $REGIONS; do diff --git a/checks/check_extra749 b/checks/check_extra749 index a9ac7510..922e9c3d 100644 --- a/checks/check_extra749 +++ b/checks/check_extra749 @@ -18,6 +18,7 @@ CHECK_SEVERITY_extra749="High" CHECK_ASFF_RESOURCE_TYPE_extra749="AwsEc2SecurityGroup" CHECK_ALTERNATE_check749="extra749" CHECK_ASFF_COMPLIANCE_TYPE_extra749="ens-mp.com.4.aws.sg.6" +CHECK_SERVICENAME_extra749="ec2" extra749(){ for regx in $REGIONS; do diff --git a/checks/check_extra75 b/checks/check_extra75 index a25fc784..a28cd3a3 100644 --- a/checks/check_extra75 +++ b/checks/check_extra75 @@ -20,6 +20,7 @@ CHECK_ALTERNATE_extra705="extra75" CHECK_ALTERNATE_check75="extra75" CHECK_ALTERNATE_check705="extra75" CHECK_ASFF_COMPLIANCE_TYPE_extra75="ens-mp.com.4.aws.sg.3" +CHECK_SERVICENAME_extra75="ec2" extra75(){ # "Ensure there are no Security Groups not being used (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra750 b/checks/check_extra750 index dcc4b098..061acde1 100644 --- a/checks/check_extra750 +++ b/checks/check_extra750 @@ -18,6 +18,7 @@ CHECK_SEVERITY_extra750="High" CHECK_ASFF_RESOURCE_TYPE_extra750="AwsEc2SecurityGroup" CHECK_ALTERNATE_check750="extra750" CHECK_ASFF_COMPLIANCE_TYPE_extra750="ens-mp.com.4.aws.sg.7" +CHECK_SERVICENAME_extra750="ec2" extra750(){ for regx in $REGIONS; do 
diff --git a/checks/check_extra751 b/checks/check_extra751 index 8f711bd0..8b4c67e1 100644 --- a/checks/check_extra751 +++ b/checks/check_extra751 @@ -18,6 +18,7 @@ CHECK_SEVERITY_extra751="High" CHECK_ASFF_RESOURCE_TYPE_extra751="AwsEc2SecurityGroup" CHECK_ALTERNATE_check751="extra751" CHECK_ASFF_COMPLIANCE_TYPE_extra751="ens-mp.com.4.aws.sg.8" +CHECK_SERVICENAME_extra751="ec2" extra751(){ for regx in $REGIONS; do diff --git a/checks/check_extra752 b/checks/check_extra752 index 0189a6ba..06c95baa 100644 --- a/checks/check_extra752 +++ b/checks/check_extra752 @@ -18,6 +18,7 @@ CHECK_SEVERITY_extra752="High" CHECK_ASFF_RESOURCE_TYPE_extra752="AwsEc2SecurityGroup" CHECK_ALTERNATE_check752="extra752" CHECK_ASFF_COMPLIANCE_TYPE_extra752="ens-mp.com.4.aws.sg.9" +CHECK_SERVICENAME_extra752="ec2" extra752(){ for regx in $REGIONS; do diff --git a/checks/check_extra753 b/checks/check_extra753 index 75950a67..81270cdc 100644 --- a/checks/check_extra753 +++ b/checks/check_extra753 @@ -18,6 +18,7 @@ CHECK_SEVERITY_extra753="High" CHECK_ASFF_RESOURCE_TYPE_extra753="AwsEc2SecurityGroup" CHECK_ALTERNATE_check753="extra753" CHECK_ASFF_COMPLIANCE_TYPE_extra753="ens-mp.com.4.aws.sg.10" +CHECK_SERVICENAME_extra753="ec2" extra753(){ for regx in $REGIONS; do diff --git a/checks/check_extra754 b/checks/check_extra754 index 84b8e377..3316f152 100644 --- a/checks/check_extra754 +++ b/checks/check_extra754 @@ -18,6 +18,7 @@ CHECK_SEVERITY_extra754="High" CHECK_ASFF_RESOURCE_TYPE_extra754="AwsEc2SecurityGroup" CHECK_ALTERNATE_check754="extra754" CHECK_ASFF_COMPLIANCE_TYPE_extra754="ens-mp.com.4.aws.sg.11" +CHECK_SERVICENAME_extra754="ec2" extra754(){ for regx in $REGIONS; do diff --git a/checks/check_extra755 b/checks/check_extra755 index a04819e2..6c746702 100644 --- a/checks/check_extra755 +++ b/checks/check_extra755 
@@ -18,6 +18,7 @@ CHECK_SEVERITY_extra755="High" CHECK_ASFF_RESOURCE_TYPE_extra755="AwsEc2SecurityGroup" CHECK_ALTERNATE_check755="extra755" CHECK_ASFF_COMPLIANCE_TYPE_extra755="ens-mp.com.4.aws.sg.12" +CHECK_SERVICENAME_extra755="ec2" extra755(){ for regx in $REGIONS; do diff --git a/checks/check_extra756 b/checks/check_extra756 index 5c831c2a..ffcab810 100644 --- a/checks/check_extra756 +++ b/checks/check_extra756 @@ -17,6 +17,7 @@ CHECK_TYPE_extra756="EXTRA" CHECK_SEVERITY_extra756="High" CHECK_ASFF_RESOURCE_TYPE_extra756="AwsRedshiftCluster" CHECK_ALTERNATE_check756="extra756" +CHECK_SERVICENAME_extra756="redshift" extra756(){ for regx in $REGIONS; do diff --git a/checks/check_extra757 b/checks/check_extra757 index 97e2e3c9..757ab819 100644 --- a/checks/check_extra757 +++ b/checks/check_extra757 @@ -17,6 +17,7 @@ CHECK_TYPE_extra757="EXTRA" CHECK_SEVERITY_extra757="Medium" CHECK_ASFF_RESOURCE_TYPE_extra757="AwsEc2Instance" CHECK_ALTERNATE_check757="extra757" +CHECK_SERVICENAME_extra757="ec2" extra757(){ OLDAGE="$(get_date_previous_than_months 6)" diff --git a/checks/check_extra758 b/checks/check_extra758 index 42603535..bda9e922 100644 --- a/checks/check_extra758 +++ b/checks/check_extra758 @@ -17,6 +17,7 @@ CHECK_TYPE_extra758="EXTRA" CHECK_SEVERITY_extra758="Medium" CHECK_ASFF_RESOURCE_TYPE_extra758="AwsEc2Instance" CHECK_ALTERNATE_check758="extra758" +CHECK_SERVICENAME_extra758="ec2" extra758(){ OLDAGE="$(get_date_previous_than_months 12)" diff --git a/checks/check_extra759 b/checks/check_extra759 index 6caad4f7..4414712b 100644 --- a/checks/check_extra759 +++ b/checks/check_extra759 @@ -17,6 +17,7 @@ CHECK_TYPE_extra759="EXTRA" CHECK_SEVERITY_extra759="High" CHECK_ASFF_RESOURCE_TYPE_extra759="AwsLambdaFunction" CHECK_ALTERNATE_check759="extra759" +CHECK_SERVICENAME_extra759="lambda" extra759(){ SECRETS_TEMP_FOLDER="$PROWLER_DIR/secrets-$ACCOUNT_NUM" diff --git a/checks/check_extra76 b/checks/check_extra76 index b1667948..898b5a09 100644 
--- a/checks/check_extra76 +++ b/checks/check_extra76 @@ -18,6 +18,7 @@ CHECK_SEVERITY_extra76="Critical" CHECK_ALTERNATE_extra706="extra76" CHECK_ALTERNATE_check76="extra76" CHECK_ALTERNATE_check706="extra76" +CHECK_SERVICENAME_extra76="ec2" extra76(){ # "Ensure there are no EC2 AMIs set as Public (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra760 b/checks/check_extra760 index a6c9d07e..5a3b0ece 100644 --- a/checks/check_extra760 +++ b/checks/check_extra760 @@ -17,6 +17,7 @@ CHECK_TYPE_extra760="EXTRA" CHECK_SEVERITY_extra760="Medium" CHECK_ASFF_RESOURCE_TYPE_extra760="AwsLambdaFunction" CHECK_ALTERNATE_check760="extra760" +CHECK_SERVICENAME_extra760="lambda" extra760(){ SECRETS_TEMP_FOLDER="$PROWLER_DIR/secrets-$ACCOUNT_NUM" diff --git a/checks/check_extra761 b/checks/check_extra761 index 4c2fcb6a..a0ad91f7 100644 --- a/checks/check_extra761 +++ b/checks/check_extra761 @@ -17,6 +17,7 @@ CHECK_TYPE_extra761="EXTRA" CHECK_SEVERITY_extra761="Medium" CHECK_ALTERNATE_check761="extra761" CHECK_ASFF_COMPLIANCE_TYPE_extra761="ens-mp.info.3.aws.ebs.2" +CHECK_SERVICENAME_extra761="ec2" extra761(){ textInfo "Looking for EBS Default Encryption activation in all regions... " diff --git a/checks/check_extra762 b/checks/check_extra762 index eb40aa30..16143008 100644 --- a/checks/check_extra762 +++ b/checks/check_extra762 @@ -17,6 +17,7 @@ CHECK_TYPE_extra762="EXTRA" CHECK_SEVERITY_extra762="Medium" CHECK_ASFF_RESOURCE_TYPE_extra762="AwsLambdaFunction" CHECK_ALTERNATE_check762="extra762" +CHECK_SERVICENAME_extra762="lambda" extra762(){ diff --git a/checks/check_extra763 b/checks/check_extra763 index a86c7a52..a420df22 100644 --- a/checks/check_extra763 +++ b/checks/check_extra763 
@@ -17,6 +17,7 @@ CHECK_TYPE_extra763="EXTRA" CHECK_SEVERITY_extra763="Medium" CHECK_ASFF_RESOURCE_TYPE_extra763="AwsS3Bucket" CHECK_ALTERNATE_check763="extra763" +CHECK_SERVICENAME_extra763="s3" extra763(){ # "Check if S3 buckets have object versioning enabled (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra764 b/checks/check_extra764 index 10ae9606..673de716 100644 --- a/checks/check_extra764 +++ b/checks/check_extra764 @@ -18,17 +18,22 @@ CHECK_SEVERITY_extra764="Medium" CHECK_ASFF_RESOURCE_TYPE_extra764="AwsS3Bucket" CHECK_ALTERNATE_check764="extra764" CHECK_ASFF_COMPLIANCE_TYPE_extra764="ens-mp.com.2.aws.s3.1" +CHECK_SERVICENAME_extra764="s3" extra764(){ LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --query Buckets[*].Name --output text --region $REGION|xargs -n1) if [[ $LIST_OF_BUCKETS ]]; then for bucket in $LIST_OF_BUCKETS;do TEMP_STP_POLICY_FILE=$(mktemp -t prowler-${ACCOUNT_NUM}-${bucket}.policy.XXXXXXXXXX) - BUCKET_LOCATION=$($AWSCLI s3api get-bucket-location $PROFILE_OPT --region $REGION --bucket $bucket --output text) - if [[ "None" == $BUCKET_LOCATION ]]; then + BUCKET_LOCATION=$($AWSCLI s3api get-bucket-location $PROFILE_OPT --region $REGION --bucket $bucket --output text 2>&1) + if [[ $(echo "$BUCKET_LOCATION" | grep AccessDenied) ]]; then + textFail "Access Denied Trying to Get Bucket Location for $bucket" + continue + fi + if [[ $BUCKET_LOCATION == "None" ]]; then BUCKET_LOCATION="us-east-1" fi - if [[ "EU" == $BUCKET_LOCATION ]]; then + if [[ $BUCKET_LOCATION == "EU" ]]; then BUCKET_LOCATION="eu-west-1" fi # get bucket policy diff --git a/checks/check_extra765 b/checks/check_extra765 index cfc1a839..8dce6fb7 100644 --- a/checks/check_extra765 +++ b/checks/check_extra765 @@ -26,6 +26,7 @@ CHECK_SCORED_extra765="NOT_SCORED" CHECK_TYPE_extra765="EXTRA" CHECK_SEVERITY_extra765="Medium" CHECK_ALTERNATE_check765="extra765" +CHECK_SERVICENAME_extra765="ecr" extra765(){ for region in $REGIONS; do 
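Review bot: The new `continue` in the `AccessDenied` branch runs after `TEMP_STP_POLICY_FILE=$(mktemp ...)` has already created a file, so if that file is removed later in the loop body (outside the hunk, which I cannot see) every denied bucket now leaves one `prowler-<account>-<bucket>.policy.*` file behind in the temp directory; either move the `mktemp` below the location checks or clean up before bailing: `rm -f -- "$TEMP_STP_POLICY_FILE"; continue`. Separately, the added `2>&1` means any CLI error other than `AccessDenied` (NoSuchBucket, throttling) is now captured into `BUCKET_LOCATION` and used as a region by the calls that follow, so a shape check such as `[[ $BUCKET_LOCATION =~ ^[A-Za-z0-9-]+$ ]]` before the `None`/`EU` mapping would keep error text out of `--region`. extra764 ends outside this hunk.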
diff --git a/checks/check_extra767 b/checks/check_extra767 index d82b5586..403c8947 100644 --- a/checks/check_extra767 +++ b/checks/check_extra767 @@ -17,6 +17,7 @@ CHECK_TYPE_extra767="EXTRA" CHECK_SEVERITY_extra767="Low" CHECK_ASFF_RESOURCE_TYPE_extra767="AwsCloudFrontDistribution" CHECK_ALTERNATE_check767="extra767" +CHECK_SERVICENAME_extra767="cloudfront" extra767(){ LIST_OF_DISTRIBUTIONS=$($AWSCLI cloudfront list-distributions --query 'DistributionList.Items[*].Id' $PROFILE_OPT --output text|grep -v ^None) diff --git a/checks/check_extra768 b/checks/check_extra768 index 1468ec2f..e82b98a5 100644 --- a/checks/check_extra768 +++ b/checks/check_extra768 @@ -17,6 +17,7 @@ CHECK_TYPE_extra768="EXTRA" CHECK_SEVERITY_extra768="Medium" CHECK_ASFF_RESOURCE_TYPE_extra768="AwsEcsTaskDefinition" CHECK_ALTERNATE_check768="extra768" +CHECK_SERVICENAME_extra768="ecs" extra768(){ SECRETS_TEMP_FOLDER="$PROWLER_DIR/secrets-$ACCOUNT_NUM" diff --git a/checks/check_extra769 b/checks/check_extra769 index 43b18b31..e56196d4 100644 --- a/checks/check_extra769 +++ b/checks/check_extra769 @@ -17,6 +17,7 @@ CHECK_SCORED_extra769="NOT_SCORED" CHECK_TYPE_extra769="EXTRA" CHECK_SEVERITY_extra769="High" CHECK_ALTERNATE_check769="extra769" +CHECK_SERVICENAME_extra769="accessanalyzer" extra769(){ for regx in $REGIONS; do diff --git a/checks/check_extra77 b/checks/check_extra77 index 5278f18f..ef3f9a91 100644 --- a/checks/check_extra77 +++ b/checks/check_extra77 @@ -19,6 +19,7 @@ CHECK_SEVERITY_extra77="Critical" CHECK_ALTERNATE_extra707="extra77" CHECK_ALTERNATE_check77="extra77" CHECK_ALTERNATE_check707="extra77" +CHECK_SERVICENAME_extra77="ecr" extra77(){ # "Ensure there are no ECR repositories set as Public (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra770 b/checks/check_extra770 index 0c624274..f2f9e218 100644 --- a/checks/check_extra770 +++ b/checks/check_extra770 
@@ -17,6 +17,7 @@ CHECK_TYPE_extra770="EXTRA" CHECK_SEVERITY_extra770="Medium" CHECK_ASFF_RESOURCE_TYPE_extra770="AwsEc2Instance" CHECK_ALTERNATE_check770="extra770" +CHECK_SERVICENAME_extra770="ec2" extra770(){ # "Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra771 b/checks/check_extra771 index b30a2c20..c109d059 100644 --- a/checks/check_extra771 +++ b/checks/check_extra771 @@ -17,6 +17,7 @@ CHECK_TYPE_extra771="EXTRA" CHECK_SEVERITY_extra771="Critical" CHECK_ASFF_RESOURCE_TYPE_extra771="AwsS3Bucket" CHECK_ALTERNATE_check771="extra771" +CHECK_SERVICENAME_extra771="s3" extra771(){ LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --region $REGION --query Buckets[*].Name --output text|xargs -n1) diff --git a/checks/check_extra772 b/checks/check_extra772 index 47564d79..87a1c528 100644 --- a/checks/check_extra772 +++ b/checks/check_extra772 @@ -17,6 +17,7 @@ CHECK_TYPE_extra772="EXTRA" CHECK_SEVERITY_extra772="Low" CHECK_ASFF_RESOURCE_TYPE_extra772="AwsEc2Eip" CHECK_ALTERNATE_check772="extra772" +CHECK_SERVICENAME_extra772="ec2" extra772(){ for region in $REGIONS; do diff --git a/checks/check_extra773 b/checks/check_extra773 index 93298073..20068495 100644 --- a/checks/check_extra773 +++ b/checks/check_extra773 @@ -18,6 +18,7 @@ CHECK_SEVERITY_extra773="Medium" CHECK_ASFF_RESOURCE_TYPE_extra773="AwsCloudFrontDistribution" CHECK_ALTERNATE_check773="extra773" CHECK_ASFF_COMPLIANCE_TYPE_extra773="ens-mp.s.2.aws.waf.1" +CHECK_SERVICENAME_extra773="cloudfront" extra773(){ # "Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra774 b/checks/check_extra774 index a81f3e1c..9f167514 100644 --- a/checks/check_extra774 +++ b/checks/check_extra774 
@@ -17,6 +17,7 @@ CHECK_TYPE_extra774="EXTRA" CHECK_SEVERITY_extra774="Medium" CHECK_ASFF_RESOURCE_TYPE_extra774="AwsIamUser" CHECK_ALTERNATE_check774="extra774" +CHECK_SERVICENAME_extra774="iam" extra774(){ check_creds_used_in_last_days 30 diff --git a/checks/check_extra775 b/checks/check_extra775 index 5864f227..1cbefab0 100644 --- a/checks/check_extra775 +++ b/checks/check_extra775 @@ -16,6 +16,7 @@ CHECK_SCORED_extra775="NOT_SCORED" CHECK_TYPE_extra775="EXTRA" CHECK_SEVERITY_extra775="Medium" CHECK_ALTERNATE_check775="extra775" +CHECK_SERVICENAME_extra775="autoscaling" extra775(){ SECRETS_TEMP_FOLDER="$PROWLER_DIR/secrets-$ACCOUNT_NUM" diff --git a/checks/check_extra776 b/checks/check_extra776 index 98f261e3..9f14cd04 100644 --- a/checks/check_extra776 +++ b/checks/check_extra776 @@ -31,6 +31,7 @@ CHECK_SCORED_extra776="NOT_SCORED" CHECK_TYPE_extra776="EXTRA" CHECK_SEVERITY_extra776="Medium" CHECK_ALTERNATE_check776="extra776" +CHECK_SERVICENAME_extra776="ecr" extra776(){ for region in $REGIONS; do diff --git a/checks/check_extra777 b/checks/check_extra777 index e4021339..3120963d 100644 --- a/checks/check_extra777 +++ b/checks/check_extra777 @@ -21,6 +21,7 @@ CHECK_TYPE_extra777="EXTRA" CHECK_SEVERITY_extra777="Medium" CHECK_ASFF_RESOURCE_TYPE_extra777="AwsEc2SecurityGroup" CHECK_ALTERNATE_check777="extra777" +CHECK_SERVICENAME_extra777="ec2" extra777(){ THRESHOLD=50 diff --git a/checks/check_extra778 b/checks/check_extra778 index b7a63b23..59d60335 100644 --- a/checks/check_extra778 +++ b/checks/check_extra778 @@ -18,6 +18,7 @@ CHECK_TYPE_extra778="EXTRA" CHECK_SEVERITY_extra778="Medium" CHECK_ASFF_RESOURCE_TYPE_extra778="AwsEc2SecurityGroup" CHECK_ALTERNATE_check778="extra778" +CHECK_SERVICENAME_extra778="ec2" extra778(){ CIDR_THRESHOLD=24 diff --git a/checks/check_extra779 b/checks/check_extra779 index ffa79939..cfd8ebc9 100644 --- a/checks/check_extra779 +++ b/checks/check_extra779 
@@ -17,6 +17,7 @@ CHECK_TYPE_extra779="EXTRA" CHECK_SEVERITY_extra779="High" CHECK_ASFF_RESOURCE_TYPE_extra779="AwsEc2SecurityGroup" CHECK_ALTERNATE_check779="extra779" +CHECK_SERVICENAME_extra779="ec2" extra779(){ ES_API_PORT="9200" diff --git a/checks/check_extra78 b/checks/check_extra78 index b1d9c2ea..064cf6cc 100644 --- a/checks/check_extra78 +++ b/checks/check_extra78 @@ -19,6 +19,7 @@ CHECK_ASFF_RESOURCE_TYPE_extra78="AwsRdsDbInstance" CHECK_ALTERNATE_extra708="extra78" CHECK_ALTERNATE_check78="extra78" CHECK_ALTERNATE_check708="extra78" +CHECK_SERVICENAME_extra78="rds" extra78(){ # "Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra780 b/checks/check_extra780 index 28a77104..688e9b94 100644 --- a/checks/check_extra780 +++ b/checks/check_extra780 @@ -17,6 +17,7 @@ CHECK_TYPE_extra780="EXTRA" CHECK_SEVERITY_extra780="High" CHECK_ASFF_RESOURCE_TYPE_extra780="AwsElasticsearchDomain" CHECK_ALTERNATE_check780="extra780" +CHECK_SERVICENAME_extra780="es" extra780(){ for regx in $REGIONS; do diff --git a/checks/check_extra781 b/checks/check_extra781 index 12d5f484..40968fdc 100644 --- a/checks/check_extra781 +++ b/checks/check_extra781 @@ -18,6 +18,7 @@ CHECK_SEVERITY_extra781="Medium" CHECK_ASFF_RESOURCE_TYPE_extra781="AwsElasticsearchDomain" CHECK_ALTERNATE_check781="extra781" CHECK_ASFF_COMPLIANCE_TYPE_extra781="ens-mp.info.3.aws.au.1" +CHECK_SERVICENAME_extra781="es" extra781(){ for regx in $REGIONS; do diff --git a/checks/check_extra782 b/checks/check_extra782 index daa5b4b2..ecb9b3b0 100644 --- a/checks/check_extra782 +++ b/checks/check_extra782 @@ -17,6 +17,7 @@ CHECK_TYPE_extra782="EXTRA" CHECK_SEVERITY_extra782="Medium" CHECK_ASFF_RESOURCE_TYPE_extra782="AwsElasticsearchDomain" CHECK_ALTERNATE_check782="extra782" +CHECK_SERVICENAME_extra782="es" extra782(){ for regx in $REGIONS; do diff --git a/checks/check_extra783 b/checks/check_extra783 index 49f554b5..09ffe99e 100644 
--- a/checks/check_extra783 +++ b/checks/check_extra783 @@ -17,6 +17,7 @@ CHECK_TYPE_extra783="EXTRA" CHECK_SEVERITY_extra783="Medium" CHECK_ASFF_RESOURCE_TYPE_extra783="AwsElasticsearchDomain" CHECK_ALTERNATE_check783="extra783" +CHECK_SERVICENAME_extra783="es" extra783(){ for regx in $REGIONS; do diff --git a/checks/check_extra784 b/checks/check_extra784 index 62040df3..ea4fa4d9 100644 --- a/checks/check_extra784 +++ b/checks/check_extra784 @@ -17,6 +17,7 @@ CHECK_TYPE_extra784="EXTRA" CHECK_SEVERITY_extra784="Medium" CHECK_ASFF_RESOURCE_TYPE_extra784="AwsElasticsearchDomain" CHECK_ALTERNATE_check784="extra784" +CHECK_SERVICENAME_extra784="es" extra784(){ for regx in $REGIONS; do diff --git a/checks/check_extra785 b/checks/check_extra785 index a7fb27aa..31483ae9 100644 --- a/checks/check_extra785 +++ b/checks/check_extra785 @@ -17,6 +17,7 @@ CHECK_TYPE_extra785="EXTRA" CHECK_SEVERITY_extra785="Low" CHECK_ASFF_RESOURCE_TYPE_extra785="AwsElasticsearchDomain" CHECK_ALTERNATE_check785="extra785" +CHECK_SERVICENAME_extra785="es" # NOTE! # API does not properly shows if an update is available while it is a new version available diff --git a/checks/check_extra786 b/checks/check_extra786 index 7491539d..04570dfc 100644 --- a/checks/check_extra786 +++ b/checks/check_extra786 @@ -17,6 +17,7 @@ CHECK_TYPE_extra786="EXTRA" CHECK_SEVERITY_extra786="Medium" CHECK_ASFF_RESOURCE_TYPE_extra786="AwsEc2Instance" CHECK_ALTERNATE_check786="extra786" +CHECK_SERVICENAME_extra786="ec2" extra786(){ for regx in $REGIONS; do diff --git a/checks/check_extra787 b/checks/check_extra787 index ce5e6f9f..b85b3969 100644 --- a/checks/check_extra787 +++ b/checks/check_extra787 @@ -17,6 +17,7 @@ CHECK_TYPE_extra787="EXTRA" CHECK_SEVERITY_extra787="Critical" CHECK_ASFF_RESOURCE_TYPE_extra787="AwsEc2Instance" CHECK_ALTERNATE_check787="extra787" +CHECK_SERVICENAME_extra787="es" extra787(){ # Prowler will try to access each ElasticSearch server to port: 
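Review bot: `CHECK_SERVICENAME_extra787="es"` sits beside `CHECK_ASFF_RESOURCE_TYPE_extra787="AwsEc2Instance"` and a comment about probing Elasticsearch servers (cut off at the hunk edge), which reads like a check on self-managed Elasticsearch running on EC2 rather than on Amazon ES domains; the other checks in this commit take the service from the API they query (extra786, with the same resource type, is tagged `ec2`, while the domain checks extra780–785 are `es`). If the service tag is intended for per-service filtering or IAM scoping, this will group an EC2 check with the managed-domain ones. Either tag it `ec2` or record the intent so the next reader does not "fix" it: `# tagged "es" on purpose: this check hunts self-managed Elasticsearch on EC2, not Amazon ES domains`. extra787 starts here and continues outside the hunk.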
diff --git a/checks/check_extra788 b/checks/check_extra788 index 6821fd5e..9bd0e819 100644 --- a/checks/check_extra788 +++ b/checks/check_extra788 @@ -17,6 +17,7 @@ CHECK_TYPE_extra788="EXTRA" CHECK_SEVERITY_extra788="Critical" CHECK_ASFF_RESOURCE_TYPE_extra788="AwsElasticsearchDomain" CHECK_ALTERNATE_check788="extra788" +CHECK_SERVICENAME_extra788="es" extra788(){ # Prowler will try to access each ElasticSearch server to the public URI endpoint. diff --git a/checks/check_extra789 b/checks/check_extra789 index 3a7e84c1..f289785a 100644 --- a/checks/check_extra789 +++ b/checks/check_extra789 @@ -15,9 +15,10 @@ CHECK_ID_extra789="7.89" CHECK_TITLE_extra789="[extra789] Find trust boundaries in VPC endpoint services connections" CHECK_SCORED_extra789="NOT_SCORED" CHECK_TYPE_extra789="EXTRA" - CHECK_SEVERITY_extra789="Medium" +CHECK_SEVERITY_extra789="Medium" CHECK_ASFF_RESOURCE_TYPE_extra789="AwsEc2Vpc" CHECK_ALTERNATE_extra789="extra789" +CHECK_SERVICENAME_extra789="vpc" extra789(){ TRUSTED_ACCOUNT_IDS=$( echo "${ACCOUNT_NUM} ${GROUP_TRUSTBOUNDARIES_TRUSTED_ACCOUNT_IDS}" | xargs ) diff --git a/checks/check_extra79 b/checks/check_extra79 index 9b428bc0..377ffeae 100644 --- a/checks/check_extra79 +++ b/checks/check_extra79 @@ -19,6 +19,7 @@ CHECK_ASFF_RESOURCE_TYPE_extra79="AwsElbLoadBalancer" CHECK_ALTERNATE_extra709="extra79" CHECK_ALTERNATE_check79="extra79" CHECK_ALTERNATE_check709="extra79" +CHECK_SERVICENAME_extra79="elb" extra79(){ # "Check for internet facing Elastic Load Balancers (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra790 b/checks/check_extra790 index 83857889..5278365c 100644 --- a/checks/check_extra790 +++ b/checks/check_extra790 
@@ -18,6 +18,7 @@ CHECK_TYPE_extra790="EXTRA" CHECK_SEVERITY_extra790="Medium" CHECK_ASFF_RESOURCE_TYPE_extra790="AwsEc2Vpc" CHECK_ALTERNATE_extra790="extra790" +CHECK_SERVICENAME_extra790="vpc" extra790(){ TRUSTED_ACCOUNT_IDS=$( echo "${ACCOUNT_NUM} ${GROUP_TRUSTBOUNDARIES_TRUSTED_ACCOUNT_IDS}" | xargs ) diff --git a/checks/check_extra791 b/checks/check_extra791 index b52aa248..a6ca4f9d 100644 --- a/checks/check_extra791 +++ b/checks/check_extra791 @@ -17,6 +17,7 @@ CHECK_TYPE_extra791="EXTRA" CHECK_SEVERITY_extra791="Medium" CHECK_ASFF_RESOURCE_TYPE_extra791="AwsCloudFrontDistribution" CHECK_ALTERNATE_check791="extra791" +CHECK_SERVICENAME_extra791="cloudfront" extra791(){ LIST_OF_DISTRIBUTIONS=$($AWSCLI cloudfront list-distributions --query 'DistributionList.Items[*].Id' $PROFILE_OPT --output text|grep -v ^None) diff --git a/checks/check_extra792 b/checks/check_extra792 index f9f67dcc..23f0d03d 100644 --- a/checks/check_extra792 +++ b/checks/check_extra792 @@ -18,6 +18,7 @@ CHECK_SEVERITY_extra792="Medium" CHECK_ASFF_RESOURCE_TYPE_extra792="AwsElbLoadBalancer" CHECK_ALTERNATE_check792="extra792" CHECK_ASFF_COMPLIANCE_TYPE_extra792="ens-mp.com.2.aws.elb.2" +CHECK_SERVICENAME_extra792="elb" extra792(){ # "Check if Elastic Load Balancers have insecure SSL ciphers (Not Scored) (Not part of CIS benchmark)" 
@@ -73,7 +74,8 @@ extra792(){ if [[ $LIST_OF_ELBSV2 ]]; then # NOTE - ALBs do NOT support custom security policies # https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html - ELBV2SECUREPOLICIES=("ELBSecurityPolicy-2016-08" "ELBSecurityPolicy-TLS-1-1-2017-01" "ELBSecurityPolicy-TLS-1-2-2017-01" "ELBSecurityPolicy-TLS-1-2-Ext-2018-06" "ELBSecurityPolicy-FS-2018-06" "ELBSecurityPolicy-FS-1-1-2019-08" "ELBSecurityPolicy-FS-1-2-2019-08" "ELBSecurityPolicy-FS-1-2-Res-2019-08" "ELBSecurityPolicy-2015-05") + ELBV2SECUREPOLICIES=("ELBSecurityPolicy-2016-08" "ELBSecurityPolicy-TLS-1-1-2017-01" "ELBSecurityPolicy-TLS-1-2-2017-01" "ELBSecurityPolicy-TLS-1-2-Ext-2018-06" "ELBSecurityPolicy-FS-2018-06" "ELBSecurityPolicy-FS-1-1-2019-08" "ELBSecurityPolicy-FS-1-2-2019-08" "ELBSecurityPolicy-FS-1-2-Res-2019-08" "ELBSecurityPolicy-FS-1-2-Res-2020-10" "ELBSecurityPolicy-2015-05") + for elbarn in $LIST_OF_ELBSV2; do passed=true if [[ $(echo $elbarn | grep "loadbalancer/app/") ]]; then diff --git a/checks/check_extra793 b/checks/check_extra793 index 0a45f313..7ffc6df6 100644 --- a/checks/check_extra793 +++ b/checks/check_extra793 @@ -18,6 +18,7 @@ CHECK_SEVERITY_extra793="Medium" CHECK_ASFF_RESOURCE_TYPE_extra793="AwsElbLoadBalancer" CHECK_ALTERNATE_check793="extra793" CHECK_ASFF_COMPLIANCE_TYPE_extra793="ens-mp.com.2.aws.elb.1" +CHECK_SERVICENAME_extra793="elb" extra793(){ # "Check if Elastic Load Balancers have encrypted listeners (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra794 b/checks/check_extra794 index 281dca35..fd763765 100644 --- a/checks/check_extra794 +++ b/checks/check_extra794 
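Review bot: Extending `ELBV2SECUREPOLICIES` one entry at a time means every policy AWS publishes after this commit is reported as insecure until someone edits this array, while the array still accepts policies whose names indicate a TLS 1.1 floor (`ELBSecurityPolicy-TLS-1-1-2017-01`, `ELBSecurityPolicy-FS-1-1-2019-08`) and, if I recall the AWS predefined-policy table correctly, the `2015-05`/`2016-08` defaults that allow TLS 1.0, so "secure" here is really "known to us". At minimum the criterion and its maintenance burden should be stated above the array: `# Allowlist of predefined ELBv2 SSL policies treated as acceptable; anything not listed (including newer policies) is reported as insecure, so revisit against the AWS predefined-policy table when AWS adds one.` A name-based minimum-version rule (matching `-TLS-1-2-`, `-FS-1-2-` or `-TLS13-` in the policy name) would age better than an exhaustive list. extra792 starts and ends outside this hunk.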
@@ -17,16 +17,12 @@ CHECK_TYPE_extra794="EXTRA" CHECK_SEVERITY_extra794="Medium" CHECK_ASFF_RESOURCE_TYPE_extra794="AwsEksCluster" CHECK_ALTERNATE_check794="extra794" +CHECK_SERVICENAME_extra794="eks" extra794(){ textInfo "Looking for control plane logging enabled for EKS clusters across all regions... " for regx in $REGIONS; do - # Get a list of EKS clusters (Unless us-west-1 which doesn't support EKS): - if [[ $regx == "us-west-1" ]]; then - textInfo "$regx: EKS not supported in this region" "$regx" - else - CLUSTERS=$($AWSCLI eks list-clusters $PROFILE_OPT --region $regx --query 'clusters[]' --output text) - fi + CLUSTERS=$($AWSCLI eks list-clusters $PROFILE_OPT --region $regx --query 'clusters[]' --output text) if [[ $CLUSTERS ]]; then for CLUSTER in $CLUSTERS;do CLUSTERDEF=$($AWSCLI eks describe-cluster $PROFILE_OPT --region $regx --name $CLUSTER --query 'cluster.logging.clusterLogging[0]') @@ -43,9 +39,7 @@ extra794(){ fi done else - if [[ $regx != "us-west-1" ]]; then - textInfo "$regx: No EKS clusters found" "$regx" - fi + textInfo "$regx: No EKS clusters found" "$regx" fi done } diff --git a/checks/check_extra795 b/checks/check_extra795 index fbfa3059..4196456e 100644 --- a/checks/check_extra795 +++ b/checks/check_extra795 
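Review bot: `CLUSTERS=$($AWSCLI eks list-clusters ...)` now runs in every region with no error handling, so a region where the call fails (service unavailable there, opt-in region not enabled, AccessDenied) leaves `CLUSTERS` empty and is reported as `No EKS clusters found`, which hides a scan gap behind a clean-looking result; the same pattern is in the extra795, extra796 and extra797 hunks. Capture stderr and the exit status and report failures separately, `CLUSTERS=$($AWSCLI eks list-clusters $PROFILE_OPT --region $regx --query 'clusters[]' --output text 2>&1)` followed by `if [[ $? -ne 0 ]]; then textInfo "$regx: unable to list EKS clusters: $CLUSTERS" "$regx"; continue; fi`. The middle of extra794 lies between the two hunks.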
@@ -17,16 +17,12 @@ CHECK_TYPE_extra795="EXTRA" CHECK_SEVERITY_extra795="High" CHECK_ASFF_RESOURCE_TYPE_extra795="AwsEksCluster" CHECK_ALTERNATE_check795="extra795" +CHECK_SERVICENAME_extra795="eks" extra795(){ textInfo "Looking for public access enabled for EKS clusters across all regions... " for regx in $REGIONS; do - # Get a list of EKS clusters (Unless us-west-1 which doesn't support EKS): - if [[ $regx == "us-west-1" ]]; then - textInfo "$regx: EKS not supported in this region" "$regx" - else - CLUSTERS=$($AWSCLI eks list-clusters $PROFILE_OPT --region $regx --query 'clusters[]' --output text) - fi + CLUSTERS=$($AWSCLI eks list-clusters $PROFILE_OPT --region $regx --query 'clusters[]' --output text) if [[ $CLUSTERS ]]; then for CLUSTER in $CLUSTERS;do CLUSTERDEF=$($AWSCLI eks describe-cluster $PROFILE_OPT --region $regx --name $CLUSTER --query 'cluster.resourcesVpcConfig') @@ -40,9 +36,7 @@ extra795(){ fi done else - if [[ $regx != "us-west-1" ]]; then - textInfo "$regx: No EKS clusters found" "$regx" - fi + textInfo "$regx: No EKS clusters found" "$regx" fi done } diff --git a/checks/check_extra796 b/checks/check_extra796 index 601712e0..d4134b35 100644 --- a/checks/check_extra796 +++ b/checks/check_extra796 
@@ -17,16 +17,12 @@ CHECK_TYPE_extra796="EXTRA" CHECK_SEVERITY_extra796="High" CHECK_ASFF_RESOURCE_TYPE_extra796="AwsEksCluster" CHECK_ALTERNATE_check796="extra796" +CHECK_SERVICENAME_extra796="eks" extra796(){ textInfo "Looking for public access CIDRs for EKS clusters across all regions... " for regx in $REGIONS; do - # Get a list of EKS clusters (Unless us-west-1 which doesn't support EKS): - if [[ $regx == "us-west-1" ]]; then - textInfo "$regx: EKS not supported in this region" "$regx" - else - CLUSTERS=$($AWSCLI eks list-clusters $PROFILE_OPT --region $regx --query 'clusters[]' --output text) - fi + CLUSTERS=$($AWSCLI eks list-clusters $PROFILE_OPT --region $regx --query 'clusters[]' --output text) if [[ $CLUSTERS ]]; then for CLUSTER in $CLUSTERS;do CLUSTERDEF=$($AWSCLI eks describe-cluster $PROFILE_OPT --region $regx --name $CLUSTER --query 'cluster.resourcesVpcConfig') @@ -45,9 +41,7 @@ extra796(){ fi done else - if [[ $regx != "us-west-1" ]]; then - textInfo "$regx: No EKS clusters found" "$regx" - fi + textInfo "$regx: No EKS clusters found" "$regx" fi done } diff --git a/checks/check_extra797 b/checks/check_extra797 index 1eca9888..cafe95b4 100644 --- a/checks/check_extra797 +++ b/checks/check_extra797 
@@ -17,16 +17,12 @@ CHECK_TYPE_extra797="EXTRA" CHECK_SEVERITY_extra797="Medium" CHECK_ASFF_RESOURCE_TYPE_extra797="AwsEksCluster" CHECK_ALTERNATE_check797="extra797" +CHECK_SERVICENAME_extra797="eks" extra797(){ textInfo "Looking for encryption config for EKS clusters across all regions... " for regx in $REGIONS; do - # Get a list of EKS clusters (Unless us-west-1 which doesn't support EKS): - if [[ $regx == "us-west-1" ]]; then - textInfo "$regx: EKS not supported in this region" "$regx" - else - CLUSTERS=$($AWSCLI eks list-clusters $PROFILE_OPT --region $regx --query 'clusters[]' --output text) - fi + CLUSTERS=$($AWSCLI eks list-clusters $PROFILE_OPT --region $regx --query 'clusters[]' --output text) if [[ $CLUSTERS ]]; then for CLUSTER in $CLUSTERS;do ENC_CONFIG=$($AWSCLI eks describe-cluster $PROFILE_OPT --region $regx --name $CLUSTER --query 'cluster.encryptionConfig') @@ -38,9 +34,7 @@ extra797(){ fi done else - if [[ $regx != "us-west-1" ]]; then - textInfo "$regx: No EKS clusters found" "$regx" - fi + textInfo "$regx: No EKS clusters found" "$regx" fi done } diff --git a/checks/check_extra798 b/checks/check_extra798 index a70b9d0b..136c85e5 100644 --- a/checks/check_extra798 +++ b/checks/check_extra798 @@ -18,6 +18,7 @@ CHECK_TYPE_extra798="EXTRA" CHECK_SEVERITY_extra798="Critical" CHECK_ASFF_RESOURCE_TYPE_extra798="AwsLambdaFunction" CHECK_ALTERNATE_check798="extra798" +CHECK_SERVICENAME_extra798="lambda" extra798(){ for regx in $REGIONS; do diff --git a/checks/check_extra799 b/checks/check_extra799 index 9b4be8eb..75a391ec 100644 --- a/checks/check_extra799 +++ b/checks/check_extra799 @@ -18,6 +18,7 @@ CHECK_TYPE_extra799="EXTRA" CHECK_SEVERITY_extra799="High" CHECK_ASFF_RESOURCE_TYPE_extra799="AwsSecurityHubHub" CHECK_ALTERNATE_check799="extra799" +CHECK_SERVICENAME_extra799="securityhub" extra799(){ for regx in $REGIONS; do diff --git a/checks/check_sample b/checks/check_sample index 71b2b67c..99057dd7 100644 --- a/checks/check_sample 
+++ b/checks/check_sample @@ -31,6 +31,7 @@ # CHECK_SEVERITY_check="Medium" # CHECK_ASFF_RESOURCE_TYPE_checkN="AwsAccount" # Choose appropriate value from https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html#asff-resources # CHECK_ALTERNATE_checkN="extraN" +# CHECK_SERVICENAME_checkN="service" # get service short name from `curl -s https://api.regional-table.region-services.aws.a2z.com/index.json | jq -r '.prices[] | .id' | awk -F: '{ print $1 }' | sort -u` # # extraN(){ # # "Description (Not Scored) (Not part of CIS benchmark)" diff --git a/groups/group13_rds b/groups/group13_rds index bf1445b5..e684654b 100644 --- a/groups/group13_rds +++ b/groups/group13_rds @@ -15,4 +15,4 @@ GROUP_ID[13]='rds' GROUP_NUMBER[13]='13.0' GROUP_TITLE[13]='RDS security checks - [rds] ***********************************' GROUP_RUN_BY_DEFAULT[13]='N' # run it when execute_all is called -GROUP_CHECKS[13]='extra78,extra723,extra735,extra739,extra747,extra7113' +GROUP_CHECKS[13]='extra78,extra723,extra735,extra739,extra747,extra7113,extra7131' diff --git a/groups/group7_extras b/groups/group7_extras index 1f92489a..e95fd308 100644 --- a/groups/group7_extras +++ b/groups/group7_extras 
@@ -15,7 +15,7 @@ GROUP_ID[7]='extras' GROUP_NUMBER[7]='7.0' GROUP_TITLE[7]='Extras - all non CIS specific checks - [extras] ****************' GROUP_RUN_BY_DEFAULT[7]='Y' # run it when execute_all is called -GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra770,extra771,extra772,extra773,extra774,extra775,extra776,extra777,extra778,extra779,extra780,extra781,extra782,extra783,extra784,extra785,extra786,extra787,extra788,extra791,extra792,extra793,extra794,extra795,extra796,extra797,extra798,extra799,extra7100,extra7101,extra7102,extra7103,extra7104,extra7105,extra7106,extra7107,extra7108,extra7109,extra7110,extra7111,extra7112,extra7113,extra7114,extra7115,extra7116,extra7117,extra7118,extra7119,extra7120,extra7121,extra7122,extra7123,extra7124,extra7125,extra7126,extra7127,extra7128,extra7129' 
+GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra770,extra771,extra772,extra773,extra774,extra775,extra776,extra777,extra778,extra779,extra780,extra781,extra782,extra783,extra784,extra785,extra786,extra787,extra788,extra791,extra792,extra793,extra794,extra795,extra796,extra797,extra798,extra799,extra7100,extra7101,extra7102,extra7103,extra7104,extra7105,extra7106,extra7107,extra7108,extra7109,extra7110,extra7111,extra7112,extra7113,extra7114,extra7115,extra7116,extra7117,extra7118,extra7119,extra7120,extra7121,extra7122,extra7123,extra7124,extra7125,extra7126,extra7127,extra7128,extra7129,extra7130,extra7131' # Extras 759 and 760 (lambda variables and code secrets finder are not included) # to run detect-secrets use `./prowler -g secrets` diff --git a/include/assume_role b/include/assume_role index 462e0062..2921563f 100644 --- a/include/assume_role +++ b/include/assume_role 
@@ -11,13 +11,13 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
-# both variables are mandatory to be set together
+# both variables are mandatory to be set together
 assume_role(){
 if [[ -z $ROLE_TO_ASSUME ]]; then
 echo "$OPTRED ERROR!$OPTNORMAL - Both Account ID (-A) and IAM Role to assume (-R) must be set"
 exit 1
- fi
- # if not session duration set with -T, then will be 1h.
+ fi
+ # if not session duration set with -T, then will be 1h.
 # In some cases you will need more than 1h.
 if [[ -z $SESSION_DURATION_TO_ASSUME ]]; then
 SESSION_DURATION_TO_ASSUME="3600"
@@ -25,31 +25,37 @@ assume_role(){
 # temporary file where to store credentials
 TEMP_STS_ASSUMED_FILE=$(mktemp -t prowler.sts_assumed-XXXXXX)
-
+ #Check if external ID has bee provided if so execute with external ID if not ignore
 if [[ -z $ROLE_EXTERNAL_ID ]]; then
 # assume role command
 $AWSCLI $PROFILE_OPT sts assume-role --role-arn arn:${AWS_PARTITION}:iam::$ACCOUNT_TO_ASSUME:role/$ROLE_TO_ASSUME \
 --role-session-name ProwlerAssessmentSession \
 --region $REGION_FOR_STS \
- --duration-seconds $SESSION_DURATION_TO_ASSUME > $TEMP_STS_ASSUMED_FILE
- else
+ --duration-seconds $SESSION_DURATION_TO_ASSUME > $TEMP_STS_ASSUMED_FILE 2>&1
+ else
 $AWSCLI $PROFILE_OPT sts assume-role --role-arn arn:${AWS_PARTITION}:iam::$ACCOUNT_TO_ASSUME:role/$ROLE_TO_ASSUME \
 --role-session-name ProwlerAssessmentSession \
 --duration-seconds $SESSION_DURATION_TO_ASSUME \
 --region $REGION_FOR_STS \
- --external-id $ROLE_EXTERNAL_ID > $TEMP_STS_ASSUMED_FILE
- fi
+ --external-id $ROLE_EXTERNAL_ID > $TEMP_STS_ASSUMED_FILE 2>&1
+ fi
+ if [[ $(grep AccessDenied $TEMP_STS_ASSUMED_FILE) ]]; then
+ textFail "Access Denied assuming role arn:${AWS_PARTITION}:iam::${ACCOUNT_TO_ASSUME}:role/${ROLE_TO_ASSUME}"
+ rm -f $TEMP_STS_ASSUMED_FILE
+ EXITCODE=1
+ exit $EXITCODE
+ fi
 # assume role command
 #$AWSCLI $PROFILE_OPT sts assume-role --role-arn arn:${AWS_PARTITION}:iam::$ACCOUNT_TO_ASSUME:role/$ROLE_TO_ASSUME \
 # --role-session-name ProwlerAssessmentSession \
- # --duration-seconds $SESSION_DURATION_TO_ASSUME > $TEMP_STS_ASSUMED_FILE
+ # --duration-seconds $SESSION_DURATION_TO_ASSUME > $TEMP_STS_ASSUMED_FILE
 # if previous command fails exit with the given error from aws-cli
- # this is likely to be due to session duration limit of 1h in case
+ # this is likely to be due to session duration limit of 1h in case
 # of assume role chaining:
- # "The requested DurationSeconds exceeds the 1 hour session limit
+ # "The requested DurationSeconds exceeds the 1 hour session limit
 # for roles assumed by role
chaining."
 # https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
 if [[ $? != 0 ]];then
diff --git a/include/awscli_detector b/include/awscli_detector
index 40fb03ba..6a1fd6b1 100644
--- a/include/awscli_detector
+++ b/include/awscli_detector
@@ -12,8 +12,11 @@
 # specific language governing permissions and limitations under the License.
 # AWS-CLI detector variable
-AWSCLI=$(which aws)
-if [ -z "${AWSCLI}" ]; then
+if [ ! -z $(which aws) ]; then
+ AWSCLI=$(which aws)
+elif [ ! -z $(type -p aws) ]; then
+ AWSCLI=$(type -p aws)
+else
 echo -e "\n$RED ERROR!$NORMAL AWS-CLI (aws command) not found. Make sure it is installed correctly and in your \$PATH\n"
 EXITCODE=1
 exit $EXITCODE
diff --git a/include/check3x b/include/check3x
index cabe626a..bfbba6b3 100644
--- a/include/check3x
+++ b/include/check3x
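Review bot: The new `if [[ $(grep AccessDenied $TEMP_STS_ASSUMED_FILE) ]]` block sits between the `sts assume-role` calls and the pre-existing `if [[ $? != 0 ]];then` handler at the end of the hunk, so `$?` there no longer reflects the CLI call: it is the status of the new `if` compound, which is 0 whenever the grep matches nothing, and the duration-limit error path it guards becomes unreachable. Capture the status right after each CLI invocation (`ASSUME_RC=$?` directly after the two `2>&1` lines) and test `$ASSUME_RC` in the later check. Merging stderr into `$TEMP_STS_ASSUMED_FILE` also means any non-AccessDenied error text lands in the file the credentials are later read from, so that read should be gated on the status rather than on file contents; the `rm -f` on the AccessDenied path is right, and the same cleanup belongs on the other failure path. assume_role continues past the hunk.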
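Review bot: `if [ ! -z $(which aws) ]` leaves the command substitution unquoted, so when `aws` is absent the test collapses to `[ ! -z ]` and only yields false by accident of test's two-argument rule (ShellCheck SC2046); the `elif` has the same shape, and `which` is run twice when it succeeds. `command -v` is the portable builtin that makes the `which`/`type -p` fallback pair unnecessary: `AWSCLI=$(command -v aws)` then `if [ -z "$AWSCLI" ]; then` in front of the existing error branch, which is also closer to the original two-line form.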
@@ -17,16 +17,19 @@ check3x(){ # In order to make all these checks work properly logs and alarms have to # be based only on CloudTrail tail with CloudWatchLog configuration. DESCRIBE_TRAILS_CACHE=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region "$REGION" --query 'trailList[?CloudWatchLogsLogGroupArn != `null`]') - TRAIL_LIST=$(echo $DESCRIBE_TRAILS_CACHE | jq -r '. |@base64') + TRAIL_LIST=$(echo $DESCRIBE_TRAILS_CACHE | jq -r -c '.[] |@base64') # this treats each array element as its own line CURRENT_ACCOUNT_ID=$($AWSCLI sts $PROFILE_OPT get-caller-identity --region "$REGION" --query Account --output text) CLOUDWATCH_LOGGROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region "$REGION" --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text| tr '\011' '\012' | awk -F: '{print $7}') if [[ $CLOUDWATCH_LOGGROUP != "" ]]; then for group_obj_enc in $TRAIL_LIST; do + group_obj_raw=$(echo $group_obj_enc | decode_report) - CLOUDWATCH_LOGGROUP_NAME=$(echo $group_obj_raw | jq -r '.[] | .CloudWatchLogsLogGroupArn|split(":")[6]') - CLOUDWATCH_LOGGROUP_REGION=$(echo $group_obj_raw | jq -r '.[] | .CloudWatchLogsLogGroupArn|split(":")[3]') - CLOUDWATCH_LOGGROUP_ACCOUNT=$(echo $group_obj_raw | jq -r '.[] | .CloudWatchLogsLogGroupArn|split(":")[4]') + + CLOUDWATCH_LOGGROUP_NAME=$(echo $group_obj_raw | jq -r '.CloudWatchLogsLogGroupArn|split(":")[6]') + CLOUDWATCH_LOGGROUP_REGION=$(echo $group_obj_raw | jq -r '.CloudWatchLogsLogGroupArn|split(":")[3]') + CLOUDWATCH_LOGGROUP_ACCOUNT=$(echo $group_obj_raw | jq -r '.CloudWatchLogsLogGroupArn|split(":")[4]') + if [ "$CLOUDWATCH_LOGGROUP_ACCOUNT" == "$CURRENT_ACCOUNT_ID" ];then # Filter control and whitespace from .metricFilters[*].filterPattern for easier matching later METRICFILTER_CACHE=$($AWSCLI logs describe-metric-filters --log-group-name "$CLOUDWATCH_LOGGROUP_NAME" $PROFILE_OPT --region "$CLOUDWATCH_LOGGROUP_REGION"|jq '.metricFilters|=map(.filterPattern|=gsub("[[:space:]]+"; " "))') 
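Review bot: `TRAIL_LIST=$(echo $DESCRIBE_TRAILS_CACHE | jq -r -c '.[] |@base64')` pipes the JSON through an unquoted expansion, so the shell word-splits and glob-expands the CloudTrail response before jq sees it; a `*` or `?` in a trail field that happens to match a file in the working directory would corrupt the input. Quote it: `TRAIL_LIST=$(echo "$DESCRIBE_TRAILS_CACHE" | jq -r -c '.[] | @base64')`. The per-element base64 loop on the new side is the right shape; the two stray `+` blank lines around the `CLOUDWATCH_LOGGROUP_*` assignments are whitespace noise. check3x starts before the hunk and continues after it.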
@@ -69,7 +72,7 @@ check3x(){
 fi
 if [[ $CHECK_CROSS_ACCOUNT_WARN ]]; then
 for group in $CHECK_CROSS_ACCOUNT_WARN; do
- textInfo "CloudWatch group $group is not in this account"
+ textInfo "CloudWatch group $group is not in this account"
 done
 fi
 else
diff --git a/include/credentials_report b/include/credentials_report
index cb51cd4d..8a98e2de 100644
--- a/include/credentials_report
+++ b/include/credentials_report
@@ -14,9 +14,19 @@
 # Generate Credential Report
 genCredReport() {
 textTitle "0.1" "Generating AWS IAM Credential Report..." "NOT_SCORED" "SUPPORT"
- until $( $AWSCLI iam generate-credential-report --output text --query 'State' $PROFILE_OPT --region $REGION |grep -q -m 1 "COMPLETE") ; do
+ for i in $(seq 1 60); do
+ GENERATECREDENTIALREPORTOUTPUT=$($AWSCLI iam generate-credential-report --output text --query 'State' $PROFILE_OPT --region $REGION 2>&1)
+ if [[ $(echo "$GENERATECREDENTIALREPORTOUTPUT" | grep AccessDenied) ]]; then
+ textFail "Access Denied trying to generate credential report"
+ exit 1
+ fi
+ if [[ "$GENERATECREDENTIALREPORTOUTPUT" == "COMPLETE" ]]; then
+ return
+ fi
 sleep 1
 done
+ textFail "Generate credential report unsuccessful"
+ exit 1
 }
 # Save report to a file, decode it, deletion at finish and after every single check
diff --git a/include/csv_header b/include/csv_header
index 67230dda..2c4c81fc 100644
--- a/include/csv_header
+++ b/include/csv_header
@@ -15,5 +15,5 @@ printCsvHeader() {
 >&2 echo ""
 >&2 echo "Generating \"${SEP}\" delimited report on stdout for profile $PROFILE, account $ACCOUNT_NUM"
- echo "PROFILE${SEP}ACCOUNT_NUM${SEP}REGION${SEP}TITLE_ID${SEP}RESULT${SEP}SCORED${SEP}LEVEL${SEP}TITLE_TEXT${SEP}NOTES${SEP}COMPLIANCE" | tee -a $OUTPUT_FILE_NAME.$EXTENSION_CSV
+ echo "PROFILE${SEP}ACCOUNT_NUM${SEP}REGION${SEP}TITLE_ID${SEP}RESULT${SEP}SCORED${SEP}LEVEL${SEP}TITLE_TEXT${SEP}NOTES${SEP}COMPLIANCE${SEP}SEVERITY${SEP}SERVICENAME" | tee -a $OUTPUT_FILE_NAME.$EXTENSION_CSV
 }
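Review bot: In `genCredReport` the final `textFail "Generate credential report unsuccessful"` discards the CLI's last response, so a throttling, expired-token or unsupported-region error is indistinguishable from a report that is merely slow after 60 polls; include it, `textFail "Generate credential report unsuccessful: $GENERATECREDENTIALREPORTOUTPUT"`, and consider leaving the loop as soon as the output is neither `STARTED` nor `COMPLETE` rather than sleeping through the remaining iterations. `for i in $(seq 1 60)` forks for a counter that `for _ in {1..60}` handles in the shell, and `i` is otherwise unused.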
diff --git a/include/html_report b/include/html_report index 251c0255..e2c513f0 100644 --- a/include/html_report +++ b/include/html_report @@ -98,10 +98,11 @@ addHtmlHeader() { Status Result + Severity AccountID Region Compliance - Group + Service CheckID Check Title Check Output diff --git a/include/os_detector b/include/os_detector index 3d0cc2ee..a6667cbe 100644 --- a/include/os_detector +++ b/include/os_detector @@ -109,7 +109,11 @@ bsd_get_iso8601_timestamp() { } gnu_convert_date_to_timestamp() { - date -d "$1" +%s + # if [ "$OSTYPE" == "linux-musl" ]; then + # date -D "%Y-%m-%dT%H:%M:%SZ" -d "$1" +%s + # else + date -d "$1" +%s + # fi } bsd_convert_date_to_timestamp() { diff --git a/include/outputs b/include/outputs index 58669e19..18342128 100644 --- a/include/outputs +++ b/include/outputs @@ -51,7 +51,7 @@ textPass(){ REPREGION=$REGION fi if [[ "${MODES[@]}" =~ "csv" ]]; then - echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}PASS${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$1${SEP}$ASFF_COMPLIANCE_TYPE" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_CSV + echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}PASS${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$1${SEP}$ASFF_COMPLIANCE_TYPE${SEP}$CHECK_SEVERITY${SEP}$CHECK_SERVICENAME" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_CSV fi if [[ "${MODES[@]}" =~ "json" ]]; then generateJsonOutput "$1" "Pass" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_JSON 
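Review bot: `gnu_convert_date_to_timestamp` gains a commented-out `linux-musl` branch with no note on why it is disabled, which reads as dead code to the next maintainer; either drop the four comment lines or replace them with a single line that records the reason, e.g. `# TODO(musl): busybox date needs -D "%Y-%m-%dT%H:%M:%SZ" to parse this input; branch left out until verified`. If the musl case is real, the `date -d "$1" +%s` that remains will fail there and the caller gets an empty timestamp, so the decision should not stay implicit.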
@@ -88,7 +88,7 @@ textInfo(){ REPREGION=$REGION fi if [[ "${MODES[@]}" =~ "csv" ]]; then - echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}INFO${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$1${SEP}$ASFF_COMPLIANCE_TYPE" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_CSV} + echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}INFO${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$1${SEP}$ASFF_COMPLIANCE_TYPE${SEP}$CHECK_SEVERITY${SEP}$CHECK_SERVICENAME" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_CSV} fi if [[ "${MODES[@]}" =~ "json" ]]; then generateJsonOutput "$1" "Info" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_JSON} @@ -140,7 +140,7 @@ textFail(){ fi if [[ "${MODES[@]}" =~ "csv" ]]; then - echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}${level}${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$1${SEP}$ASFF_COMPLIANCE_TYPE" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_CSV} + echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}${level}${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$1${SEP}$ASFF_COMPLIANCE_TYPE${SEP}$CHECK_SEVERITY${SEP}$CHECK_SERVICENAME" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_CSV} fi if [[ "${MODES[@]}" =~ "json" ]]; then generateJsonOutput "$1" "${level}" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_JSON} @@ -234,6 +234,7 @@ generateJsonOutput(){ --arg REPREGION "$REPREGION" \ --arg TYPE "$ASFF_COMPLIANCE_TYPE" \ --arg TIMESTAMP "$(get_iso8601_timestamp)" \ + --arg SERVICENAME "$CHECK_SERVICENAME" \ -n '{ "Profile": $PROFILE, "Account Number": $ACCOUNT_NUM, @@ -246,7 +247,8 @@ generateJsonOutput(){ "Control ID": $TITLE_ID, "Region": $REPREGION, "Timestamp": $TIMESTAMP, - "Compliance": $TYPE + "Compliance": $TYPE, + "Service": $SERVICENAME }' } 
@@ -319,10 +321,11 @@ generateHtmlOutput(){ echo '' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo '' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo 'INFO' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo ''$CHECK_SEVERITY'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$ACCOUNT_NUM'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$REPREGION'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$ASFF_COMPLIANCE_TYPE'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML - echo ''$ITEM_LEVEL'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo ''$CHECK_SERVICENAME'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$TITLE_ID'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$TITLE_TEXT'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$message'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML @@ -332,10 +335,11 @@ generateHtmlOutput(){ echo '' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo '' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo 'PASS' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo ''$CHECK_SEVERITY'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$ACCOUNT_NUM'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$REPREGION'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$ASFF_COMPLIANCE_TYPE'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML - echo ''$ITEM_LEVEL'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo ''$CHECK_SERVICENAME'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$TITLE_ID'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$TITLE_TEXT'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$message'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML 
@@ -345,10 +349,11 @@ generateHtmlOutput(){ echo '' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ' ' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo 'FAIL' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo ''$CHECK_SEVERITY'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$ACCOUNT_NUM'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$REPREGION'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$ASFF_COMPLIANCE_TYPE'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML - echo ''$ITEM_LEVEL'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo ''$CHECK_SERVICENAME'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$TITLE_ID'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$TITLE_TEXT'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$message'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML @@ -358,10 +363,11 @@ generateHtmlOutput(){ echo '' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo '' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo 'WARN' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo ''$CHECK_SEVERITY'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$ACCOUNT_NUM'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$REPREGION'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$ASFF_COMPLIANCE_TYPE'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML - echo ''$ITEM_LEVEL'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo ''$CHECK_SERVICENAME'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$TITLE_ID'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$TITLE_TEXT'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$message'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML diff --git a/prowler b/prowler index 558bfdb0..7f0698d3 100755 --- a/prowler +++ b/prowler @@ -32,7 +32,7 @@ OPTRED="" OPTNORMAL="" # Set the defaults variables -PROWLER_VERSION=2.3.0-18122020 +PROWLER_VERSION=2.3.0-22012021 PROWLER_DIR=$(dirname "$0") REGION="" 
@@ -216,6 +216,9 @@ trap clean_up EXIT # Clean up and exit if Ctrl-C occurs. Required to allow Ctrl-C to stop Prowler when running in Docker trap handle_ctrl_c INT +# Environment variable takes precedence over command line +unset AWS_DEFAULT_OUTPUT + . $PROWLER_DIR/include/colors . $PROWLER_DIR/include/os_detector . $PROWLER_DIR/include/aws_profile_loader @@ -237,7 +240,12 @@ trap handle_ctrl_c INT . $PROWLER_DIR/include/junit_integration # Get list of regions based on include/whoami -REGIONS=$($AWSCLI ec2 describe-regions --query 'Regions[].RegionName' --output text $PROFILE_OPT --region $REGION_FOR_STS --region-names $FILTERREGION) +REGIONS=$($AWSCLI ec2 describe-regions --query 'Regions[].RegionName' --output text $PROFILE_OPT --region $REGION_FOR_STS --region-names $FILTERREGION 2>&1) +if [[ $(echo "$REGIONS" | grep AccessDenied) ]]; then + echo "Access Denied trying to describe regions" + EXITCODE=1 + exit $EXITCODE +fi # Pre-process whitelist file if supplied if [[ -n "$WHITELIST_FILE" ]]; then @@ -339,9 +347,11 @@ execute_check() { local severity_var=CHECK_SEVERITY_$1 - CHECK_SEVERITY="${!severity_var}" + local servicename_var=CHECK_SERVICENAME_$1 + CHECK_SERVICENAME="${!servicename_var}" + CHECK_ID="$1" ASFF_TYPE="${!asff_type_var:-Software and Configuration Checks}" @@ -437,7 +447,6 @@ execute_group() { # Function to execute group by name execute_group_by_id() { - for i in "${!GROUP_ID[@]}"; do if [ "${GROUP_ID[$i]}" == "$1" ]; then execute_group ${i} $2 @@ -447,14 +456,14 @@ execute_group_by_id() { # Function to execute all checks in all groups except extras if -e is invoked execute_all() { - for i in "${!GROUP_TITLE[@]}"; do + for i in "${!GROUP_TITLE[@]}"; do if [[ $EXTRAS ]]; then GROUP_RUN_BY_DEFAULT[7]='N' fi if [ "${GROUP_RUN_BY_DEFAULT[$i]}" == "Y" ]; then execute_group $i fi - done + done } # Function to show the titles of either all checks or only those in the specified group 
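Review bot: The comment `# Environment variable takes precedence over command line` states the opposite of what the `unset AWS_DEFAULT_OUTPUT` line is protecting against, and an explicit `--output` already wins over the environment in the AWS CLI; the real exposure is the many calls in this tree that pass `--query` without `--output` and then parse the result with jq. Suggest `# Drop any user AWS_DEFAULT_OUTPUT (e.g. table) so CLI calls that omit --output return the json the jq parsing expects`.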
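Review bot: `REGIONS=$(... 2>&1)` followed by a grep for `AccessDenied` catches only that one failure; any other error (expired credentials, no network, an unknown name in `$FILTERREGION`) leaves the CLI's error text in `REGIONS` and the script then iterates over those words as region names. Test the exit status instead of the text: keep the `2>&1` capture, then `if [[ $? -ne 0 ]]; then echo "Unable to describe regions: $REGIONS"; EXITCODE=1; exit $EXITCODE; fi`, which still covers the AccessDenied case. The same grep-for-AccessDenied shape appears in the include/assume_role and include/credentials_report hunks.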
diff --git a/util/html/generate-html-from-csv.sh b/util/html/generate-html-from-csv.sh index 7c745020..47433366 100755 --- a/util/html/generate-html-from-csv.sh +++ b/util/html/generate-html-from-csv.sh @@ -122,9 +122,11 @@ addHtmlHeader() { Status Result + Severity AccountID Region - Group + Compliance + Service CheckID Check Title Check Output @@ -166,16 +168,17 @@ EOF unset HTML_REPORT_INIT } - addHtmlHeader > ${OUTPUT_FILE_NAME}.$EXTENSION_HTML -while read PROFILE ACCOUNT_NUM REGION TITLE_ID RESULT SCORED LEVEL TITLE_TEXT NOTES;do +while IFS=, read -r PROFILE ACCOUNT_NUM REPREGION TITLE_ID RESULT SCORED LEVEL TITLE_TEXT NOTES ASFF_COMPLIANCE_TYPE CHECK_SEVERITY CHECK_SERVICENAME;do if [[ $RESULT == "INFO" ]]; then echo '' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo '' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo 'INFO' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo ''$CHECK_SEVERITY'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$ACCOUNT_NUM'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML - echo ''$REGION'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML - echo ''$LEVEL'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo ''$REPREGION'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo ''$ASFF_COMPLIANCE_TYPE'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo ''$CHECK_SERVICENAME'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$TITLE_ID'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$TITLE_TEXT'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$NOTES'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML 
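Review bot: `while IFS=, read -r PROFILE ... CHECK_SERVICENAME` hard-codes a comma as the field separator, but the CSV writer in include/csv_header and include/outputs emits whatever `${SEP}` is set to, and check titles and notes routinely contain commas, so fields shift right and the new Severity and Service cells pick up the wrong values whenever either happens. Take the separator from the same setting (or an argument) and, if comma output is ever allowed, the writer has to quote fields before this reader can rely on positional splitting. The header row is read as data too; it falls through the RESULT branches silently, which is fine but worth a one-line comment. The loop's input redirection and the remaining branches are outside this hunk.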
@@ -185,9 +188,11 @@ while read PROFILE ACCOUNT_NUM REGION TITLE_ID RESULT SCORED LEVEL TITLE_TEXT NO echo '' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo '' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo 'PASS' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo ''$CHECK_SEVERITY'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$ACCOUNT_NUM'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML - echo ''$REGION'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML - echo ''$LEVEL'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo ''$REPREGION'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo ''$ASFF_COMPLIANCE_TYPE'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo ''$CHECK_SERVICENAME'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$TITLE_ID'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$TITLE_TEXT'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$NOTES'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML @@ -197,9 +202,11 @@ while read PROFILE ACCOUNT_NUM REGION TITLE_ID RESULT SCORED LEVEL TITLE_TEXT NO echo '' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ' ' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo 'FAIL' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo ''$CHECK_SEVERITY'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$ACCOUNT_NUM'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML - echo ''$REGION'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML - echo ''$LEVEL'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo ''$REPREGION'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo ''$ASFF_COMPLIANCE_TYPE'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo ''$CHECK_SERVICENAME'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$TITLE_ID'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$TITLE_TEXT'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$NOTES'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML 
@@ -209,9 +216,11 @@ while read PROFILE ACCOUNT_NUM REGION TITLE_ID RESULT SCORED LEVEL TITLE_TEXT NO echo '' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo '' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo 'WARN' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo ''$CHECK_SEVERITY'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$ACCOUNT_NUM'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML - echo ''$REGION'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML - echo ''$LEVEL'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo ''$REPREGION'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo ''$ASFF_COMPLIANCE_TYPE'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo ''$CHECK_SERVICENAME'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$TITLE_ID'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$TITLE_TEXT'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$NOTES'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML