Merge pull request #156 from sidewinder12s/extra-check-710

Extra check 710

README.md

@@ -24,7 +24,7 @@ It covers hardening and security best practices for all AWS regions related to:
 - Logging (8 checks)
 - Monitoring (15 checks)
 - Networking (5 checks)
-- Extras (9 checks) *see Extras section
+- Extras (10 checks) *see Extras section
 
 For a comprehesive list and resolution look at the guide on the link above.
 
@@ -578,7 +578,7 @@ The `aws iam create-access-key` command will output the secret access key and th
 
 ## Extras
 We are adding additional checks to improve the information gather from each account, these checks are out of the scope of the CIS benchmark for AWS but we consider them very helpful to get to know each AWS account set up and find issues on it.
-At this moment we have 9 extra checks:
+At this moment we have 10 extra checks:
 
 - 7.1 (`extra71`) Ensure users with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)
 - 7.2 (`extra72`) Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark)
@@ -588,7 +588,8 @@ At this moment we have 9 extra checks:
 - 7.6 (`extra76`) Ensure there are no EC2 AMIs set as Public (Not Scored) (Not part of CIS benchmark)
 - 7.7 (`extra77`) Ensure there are no ECR repositories set as Public (Not Scored) (Not part of CIS benchmark)
 - 7.8 (`extra78`) Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark)
-- 7.9 (`extra79`) Check for internet accessible Elastic Load Blancers (Not Scored) (Not part of CIS benchmark)
+- 7.9 (`extra79`) Check for internet facing Elastic Load Blancers (Not Scored) (Not part of CIS benchmark)
+- 7.10 (`extra710`) Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)
 
 To check all extras in one command:
 ```

prowler

@@ -482,6 +482,8 @@ ID78="7.8,7.08"
 TITLE78="Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark)"
 ID79="7.9,7.09"
 TITLE79="Check for internet facing Elastic Load Balancers (Not Scored) (Not part of CIS benchmark)"
+ID710="7.10,7.10"
+TITLE710="Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)"
 
 
 printCsvHeader() {
@@ -1785,6 +1787,22 @@ extra79(){
   done
 }
 
+extra710(){
+  # "Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)"
+  textTitle "$ID710" "$TITLE710" "NOT_SCORED" "EXTRA"
+  textNotice "Looking for instances in all regions...  "
+  for regx in $REGIONS; do
+    LIST_OF_PUBLIC_INSTANCES=$($AWSCLI ec2 describe-instances $PROFILE_OPT --region $regx --query 'Reservations[*].Instances[?PublicIpAddress].[InstanceId]' --output text)
+    if [[ $LIST_OF_PUBLIC_INSTANCES ]];then
+      for instance in $(echo $LIST_OF_PUBLIC_INSTANCES);do
+        textWarn "$regx: Instance: $instance is internet-facing!" "$regx"
+      done
+      else
+        textOK "$regx: no Internet Facing EC2 Instances found" "$regx"
+    fi
+  done
+}
+
 callCheck(){
   if [[ $CHECKNUMBER ]];then
     case "$CHECKNUMBER" in
@@ -1849,6 +1867,7 @@ callCheck(){
       extra77|extra707 ) extra77;;
       extra78|extra708 ) extra78;;
       extra79|extra709 ) extra79;;
+      extra710|extra710 ) extra710;;
 
       ## Groups of Checks
       check1 )
@@ -1884,7 +1903,8 @@ callCheck(){
         check43;check44;check45
         ;;
       extras )
-        extra71;extra72;extra73;extra74;extra75;extra76;extra77;extra78;extra79
+        extra71;extra72;extra73;extra74;extra75;extra76;extra77;extra78;
+        extra79;extra710
         ;;
       * )
         textWarn "ERROR! Use a valid check name (i.e. check41 or extra71)\n";
@@ -1964,6 +1984,7 @@ if [[ $PRINTCHECKSONLY == "1" ]]; then
   textTitle "$ID77" "$TITLE77" "NOT_SCORED" "EXTRA"
   textTitle "$ID78" "$TITLE78" "NOT_SCORED" "EXTRA"
   textTitle "$ID79" "$TITLE79" "NOT_SCORED" "EXTRA"
+  textTitle "$ID710" "$TITLE710" "NOT_SCORED" "EXTRA"
   exit $EXITCODE
 fi
 
@@ -2049,6 +2070,7 @@ extra76
 extra77
 extra78
 extra79
+extra710
 
 cleanTemp
 exit $EXITCODE