diff --git a/README.md b/README.md index b06ffbef..1bfab97d 100644 --- a/README.md +++ b/README.md @@ -25,7 +25,7 @@ It covers hardening and security best practices for all AWS regions related to: - Logging (8 checks) - Monitoring (15 checks) - Networking (5 checks) -- Extras (12 checks) *see Extras section +- Extras (17 checks) *see Extras section - Forensics related checks For a comprehesive list and resolution look at the guide on the link above. @@ -150,263 +150,6 @@ USAGE: - Sample screnshot of single check for check 3.3: screenshot 2016-09-14 13 20 46 -- Sample of a full report: - -``` -$ ./prowler - _ - _ __ _ __ _____ _| | ___ _ __ - | '_ \| '__/ _ \ \ /\ / / |/ _ \ '__| - | |_) | | | (_) \ V V /| | __/ | - | .__/|_| \___/ \_/\_/ |_|\___|_| - |_| CIS based AWS Account Hardening Tool - - -Date: Wed Sep 14 13:30:13 EDT 2016 - -This report is being generated using credentials below: - -AWS-CLI Profile: [default] AWS Region: [us-east-1] - --------------------------------------------------------------------------------------- -| GetCallerIdentity | -+--------------+-------------------------------------------+-------------------------+ -| Account | Arn | UserId | -+--------------+-------------------------------------------+-------------------------+ -| XXXXXXXXXXXX| arn:aws:iam::XXXXXXXXXXXX:user/toni | XXXXXXXXXXXXXXXXXXXXX | -+--------------+-------------------------------------------+-------------------------+ - -Colors Code for results: INFORMATIVE, OK (RECOMMENDED VALUE), CRITICAL (FIX REQUIRED) - - -Generating AWS IAM Credential Report....COMPLETE - - - 1 Identity and Access Management ********************************* - - 1.1 Avoid the use of the root account (Scored). Last time root account was used - (password last used, access_key_1_last_used, access_key_2_last_used): - 2016-08-11T20:59:27+00:00, N/A, N/A - - 1.2 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored) - List of users with Password enabled but MFA disabled: - toni - - 1.3 Ensure credentials unused for 90 days or greater are disabled (Scored) - User list: - toni - - 1.4 Ensure access keys are rotated every 90 days or less (Scored) - Users with access key 1 older than 90 days: - - Users with access key 2 older than 90 days: - - 1.5 Ensure IAM password policy requires at least one uppercase letter (Scored) - FALSE - - 1.6 Ensure IAM password policy require at least one lowercase letter (Scored) - FALSE - - 1.7 Ensure IAM password policy require at least one symbol (Scored) - FALSE - - 1.8 Ensure IAM password policy require at least one number (Scored) - FALSE - - 1.9 Ensure IAM password policy requires minimum length of 14 or greater (Scored) - FALSE - - 1.10 Ensure IAM password policy prevents password reuse (Scored) - FALSE - - 1.11 Ensure IAM password policy expires passwords within 90 days or less (Scored) - FALSE - - 1.12 Ensure no root account access key exists (Scored) - Found access key 1 - OK No access key 2 found - - 1.13 Ensure hardware MFA is enabled for the root account (Scored) - OK - - 1.14 Ensure security questions are registered in the AWS account (Not Scored) - No command available for check 1.14 - Login to the AWS Console as root, click on the Account - Name -> My Account -> Configure Security Challenge Questions - - 1.15 Ensure IAM policies are attached only to groups or roles (Scored) - Users with policy attached to them instead to groups: (it may take few seconds...) - toni - - - 2 Logging ******************************************************** - - 2.1 Ensure CloudTrail is enabled in all regions (Scored) - FALSE - - 2.2 Ensure CloudTrail log file validation is enabled (Scored) - FALSE - - 2.3 Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored) - WARNING! CloudTrail bucket doesn't exist! - - 2.4 Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored) - WARNING! No CloudTrail trails found! - - 2.5 Ensure AWS Config is enabled in all regions (Scored) - WARNING! Region ap-south-1 has AWS Config disabled or not configured - WARNING! Region eu-west-1 has AWS Config disabled or not configured - WARNING! Region ap-southeast-1 has AWS Config disabled or not configured - WARNING! Region ap-southeast-2 has AWS Config disabled or not configured - WARNING! Region eu-central-1 has AWS Config disabled or not configured - WARNING! Region ap-northeast-2 has AWS Config disabled or not configured - WARNING! Region ap-northeast-1 has AWS Config disabled or not configured - WARNING! Region us-east-1 has AWS Config disabled or not configured - WARNING! Region sa-east-1 has AWS Config disabled or not configured - WARNING! Region us-west-1 has AWS Config disabled or not configured - WARNING! Region us-west-2 has AWS Config disabled or not configured - - 2.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored) - WARNING! CloudTrail bucket doesn't exist! - - 2.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored) - WARNING! CloudTrail bucket doesn't exist! - - 2.8 Ensure rotation for customer created CMKs is enabled (Scored) - Region ap-south-1 doesn't have encryption keys - Region eu-west-1 doesn't have encryption keys - Region ap-southeast-1 doesn't have encryption keys - Region ap-southeast-2 doesn't have encryption keys - Region eu-central-1 doesn't have encryption keys - Region ap-northeast-2 doesn't have encryption keys - Region ap-northeast-1 doesn't have encryption keys - WARNING! Key a0e988df-bc84-423f-996c-XXXX in Region us-east-1 is not set to rotate! - Region sa-east-1 doesn't have encryption keys - Region us-west-1 doesn't have encryption keys - Region us-west-2 doesn't have encryption keys - - - 3 Monitoring ***************************************************** - - 3.1 Ensure a log metric filter and alarm exist for unauthorized API calls (Scored) - WARNING! No CloudWatch group found, no metric filters or alarms associated - - 3.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored) - WARNING! No CloudWatch group found, no metric filters or alarms associated - - 3.3 Ensure a log metric filter and alarm exist for usage of root account (Scored) - WARNING! No CloudWatch group found, no metric filters or alarms associated - - 3.4 Ensure a log metric filter and alarm exist for IAM policy changes (Scored) - WARNING! No CloudWatch group found, no metric filters or alarms associated - - 3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored) - WARNING! No CloudWatch group found, no metric filters or alarms associated - - 3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored) - WARNING! No CloudWatch group found, no metric filters or alarms associated - - 3.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored) - WARNING! No CloudWatch group found, no metric filters or alarms associated - - 3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored) - WARNING! No CloudWatch group found, no metric filters or alarms associated - - 3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored) - WARNING! No CloudWatch group found, no metric filters or alarms associated - - 3.10 Ensure a log metric filter and alarm exist for security group changes (Scored) - WARNING! No CloudWatch group found, no metric filters or alarms associated - - 3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored) - WARNING! No CloudWatch group found, no metric filters or alarms associated - - 3.12 Ensure a log metric filter and alarm exist for changes to network gateways (Scored) - WARNING! No CloudWatch group found, no metric filters or alarms associated - - 3.13 Ensure a log metric filter and alarm exist for route table changes (Scored) - WARNING! No CloudWatch group found, no metric filters or alarms associated - - 3.14 Ensure a log metric filter and alarm exist for VPC changes (Scored) - WARNING! No CloudWatch group found, no metric filters or alarms associated - - 3.15 Ensure security contact information is registered (Scored) - No command available for check 3.15 - Login to the AWS Console, click on My Account - Go to Alternate Contacts -> make sure Security section is filled - - 3.16 Ensure appropriate subscribers to each SNS topic (Not Scored) - Region ap-south-1 doesn't have topics - Region eu-west-1 doesn't have topics - Region ap-southeast-1 doesn't have topics - Region ap-southeast-2 doesn't have topics - Region eu-central-1 doesn't have topics - Region ap-northeast-2 doesn't have topics - Region ap-northeast-1 doesn't have topics - Region us-east-1 doesn't have topics - Region sa-east-1 doesn't have topics - Region us-west-1 doesn't have topics - Region us-west-2 doesn't have topics - - - 4 Networking ************************************************** - - 4.1 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored) - OK, No Security Groups found in ap-south-1 with port 22 TCP open to 0.0.0.0/0 - OK, No Security Groups found in eu-west-1 with port 22 TCP open to 0.0.0.0/0 - OK, No Security Groups found in ap-southeast-1 with port 22 TCP open to 0.0.0.0/0 - OK, No Security Groups found in ap-southeast-2 with port 22 TCP open to 0.0.0.0/0 - OK, No Security Groups found in eu-central-1 with port 22 TCP open to 0.0.0.0/0 - OK, No Security Groups found in ap-northeast-2 with port 22 TCP open to 0.0.0.0/0 - OK, No Security Groups found in ap-northeast-1 with port 22 TCP open to 0.0.0.0/0 - OK, No Security Groups found in us-east-1 with port 22 TCP open to 0.0.0.0/0 - OK, No Security Groups found in sa-east-1 with port 22 TCP open to 0.0.0.0/0 - OK, No Security Groups found in us-west-1 with port 22 TCP open to 0.0.0.0/0 - OK, No Security Groups found in us-west-2 with port 22 TCP open to 0.0.0.0/0 - - 4.2 Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored) - OK, No Security Groups found in ap-south-1 with port 3389 TCP open to 0.0.0.0/0 - OK, No Security Groups found in eu-west-1 with port 3389 TCP open to 0.0.0.0/0 - OK, No Security Groups found in ap-southeast-1 with port 3389 TCP open to 0.0.0.0/0 - OK, No Security Groups found in ap-southeast-2 with port 3389 TCP open to 0.0.0.0/0 - OK, No Security Groups found in eu-central-1 with port 3389 TCP open to 0.0.0.0/0 - OK, No Security Groups found in ap-northeast-2 with port 3389 TCP open to 0.0.0.0/0 - OK, No Security Groups found in ap-northeast-1 with port 3389 TCP open to 0.0.0.0/0 - OK, No Security Groups found in us-east-1 with port 3389 TCP open to 0.0.0.0/0 - OK, No Security Groups found in sa-east-1 with port 3389 TCP open to 0.0.0.0/0 - OK, No Security Groups found in us-west-1 with port 3389 TCP open to 0.0.0.0/0 - OK, No Security Groups found in us-west-2 with port 3389 TCP open to 0.0.0.0/0 - - 4.3 Ensure VPC Flow Logging is Enabled in all Applicable Regions (Scored) - WARNING! no VPCFlowLog has been found in Region ap-south-1 - WARNING! no VPCFlowLog has been found in Region eu-west-1 - WARNING! no VPCFlowLog has been found in Region ap-southeast-1 - WARNING! no VPCFlowLog has been found in Region ap-southeast-2 - WARNING! no VPCFlowLog has been found in Region eu-central-1 - WARNING! no VPCFlowLog has been found in Region ap-northeast-2 - WARNING! no VPCFlowLog has been found in Region ap-northeast-1 - WARNING! no VPCFlowLog has been found in Region us-east-1 - WARNING! no VPCFlowLog has been found in Region sa-east-1 - WARNING! no VPCFlowLog has been found in Region us-west-1 - WARNING! no VPCFlowLog has been found in Region us-west-2 - - 4.4 Ensure the default security group restricts all traffic (Scored) - WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region ap-south-1 - WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region eu-west-1 - WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region ap-southeast-1 - WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region ap-southeast-2 - WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region eu-central-1 - WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region ap-northeast-2 - WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region ap-northeast-1 - OK, no Default Security Groups open to 0.0.0.0 found in Region us-east-1 - WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region sa-east-1 - WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region us-west-1 - OK, no Default Security Groups open to 0.0.0.0 found in Region us-west-2 - - - For more information and reference: - https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf -``` - ## Troubleshooting ### STS expired token @@ -601,6 +344,7 @@ At this moment we have 16 extra checks: - 7.14 (`extra714`) Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark) - 7.15 (`extra715`) Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark) - 7.16 (`extra716`) Check if Elasticsearch Service domains allow open access (Not Scored) (Not part of CIS benchmark) +- 7.17 (`extra717`) Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark) To check all extras in one command: @@ -627,6 +371,7 @@ With this group of checks, Prowler looks if each service with logging or audit c - 7.13 Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark) - 7.14 Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark) - 7.15 Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark) +- 7.17 Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark) The `forensics-ready` group of checks uses existing and extra checks. To get a forensics readiness report, run this command: ``` diff --git a/prowler b/prowler index 6a24f653..8decceb6 100755 --- a/prowler +++ b/prowler @@ -500,7 +500,8 @@ ID715="7.15,7.15" TITLE715="Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark)" ID716="7.16,7.16" TITLE716="Check if Elasticsearch Service domains allow open access (Not Scored) (Not part of CIS benchmark)" - +ID717="7.17,7.17" +TITLE717="Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)" printCsvHeader() { >&2 echo "" @@ -1816,12 +1817,15 @@ extra79(){ textNotice "Looking for Elastic Load Balancers in all regions... " for regx in $REGIONS; do LIST_OF_PUBLIC_ELBS=$($AWSCLI elb describe-load-balancers $PROFILE_OPT --region $regx --query 'LoadBalancerDescriptions[?Scheme == `internet-facing`].[LoadBalancerName,DNSName]' --output text) - if [[ $LIST_OF_PUBLIC_ELBS ]];then + LIST_OF_PUBLIC_ELBSV2=$($AWSCLI elbv2 describe-load-balancers $PROFILE_OPT --region $regx --query 'LoadBalancers[?Scheme == `internet-facing`].[LoadBalancerName,DNSName]' --output text) + LIST_OF_ALL_ELBS=$( echo $LIST_OF_PUBLIC_ELBS; echo $LIST_OF_PUBLIC_ELBSV2) + LIST_OF_ALL_ELBS_PER_LINE=$( echo $LIST_OF_ALL_ELBS| xargs -n2 ) + if [[ $LIST_OF_ALL_ELBS ]];then while read -r elb;do ELB_NAME=$(echo $elb | awk '{ print $1; }') ELB_DNSNAME=$(echo $elb | awk '{ print $2; }') textWarn "$regx: ELB: $ELB_NAME at DNS: $ELB_DNSNAME is internet-facing!" "$regx" - done <<< "$LIST_OF_PUBLIC_ELBS" + done <<< "$LIST_OF_ALL_ELBS_PER_LINE" else textOK "$regx: no Internet Facing ELBs found" "$regx" fi @@ -1873,7 +1877,7 @@ extra712(){ if [[ $MACIE_IAM_ROLES_CREATED -eq 2 ]];then textOK "Macie related IAM roles exist, so it might be enabled. Check it out manually." else - textWarn "No Macie related IAM roles found. It is most likely not be enabled" + textWarn "No Macie related IAM roles found. It is most likely not to be enabled" fi } @@ -1912,7 +1916,7 @@ extra714(){ fi done else - textOK "$regx: CDN not configured" "$regx" + textNotice "$regx: No CDN configured" "$regx" fi done } @@ -1938,7 +1942,7 @@ extra715(){ fi done else - textOK "$regx: No Elasticsearch Service domain found" "$regx" + textNotice "$regx: No Elasticsearch Service domain found" "$regx" fi done } @@ -1966,11 +1970,45 @@ extra716(){ fi done fi - textOK "$regx: No Elasticsearch Service domain found" "$regx" + textNotice "$regx: No Elasticsearch Service domain found" "$regx" rm -fr $TEMP_POLICY_FILE done } +extra717(){ + # "Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)" + textTitle "$ID717" "$TITLE717" "NOT_SCORED" "EXTRA" + for regx in $REGIONS; do + LIST_OF_ELBS=$($AWSCLI elb describe-load-balancers $PROFILE_OPT --region $regx --query 'LoadBalancerDescriptions[*].LoadBalancerName' --output text|xargs -n1) + LIST_OF_ELBSV2=$($AWSCLI elbv2 describe-load-balancers $PROFILE_OPT --region $regx --query 'LoadBalancers[*].LoadBalancerArn' --output text|xargs -n1) + if [[ $LIST_OF_ELBS || $LIST_OF_ELBSV2 ]]; then + if [[ $LIST_OF_ELBS ]]; then + for elb in $LIST_OF_ELBS; do + CHECK_ELBS_LOG_ENABLED=$($AWSCLI elb describe-load-balancer-attributes $PROFILE_OPT --region $regx --load-balancer-name $elb --query 'LoadBalancerAttributes.AccessLog.Enabled'|grep "^true") + if [[ $CHECK_ELBS_LOG_ENABLED ]]; then + textOK "$regx: $elb has access logs to S3 configured" "$regx" + else + textWarn "$regx: $elb has not access logs configured" "$regx" + fi + done + fi + if [[ $LIST_OF_ELBSV2 ]]; then + for elbarn in $LIST_OF_ELBSV2; do + CHECK_ELBSV2_LOG_ENABLED=$($AWSCLI elbv2 describe-load-balancer-attributes $PROFILE_OPT --region $regx --load-balancer-arn $elbarn --query Attributes[*] --output text|grep "^access_logs.s3.enabled"|cut -f2|grep true) + ELBV2_NAME=$(echo $elbarn|cut -d\/ -f3) + if [[ $CHECK_ELBSV2_LOG_ENABLED ]]; then + textOK "$regx: $ELBV2_NAME has access logs to S3 configured" "$regx" + else + textWarn "$regx: $ELBV2_NAME has not access logs configured" "$regx" + fi + done + fi + else + textNotice "$regx: No ELBs found" "$regx" + fi + done +} + callCheck(){ if [[ $CHECKNUMBER ]];then case "$CHECKNUMBER" in @@ -2042,6 +2080,7 @@ callCheck(){ extra714|extra714 ) extra714;; extra715|extra715 ) extra715;; extra716|extra716 ) extra716;; + extra717|extra717 ) extra717;; ## Groups of Checks check1 ) @@ -2078,12 +2117,13 @@ callCheck(){ ;; extras ) extra71;extra72;extra73;extra74;extra75;extra76;extra77;extra78; - extra79;extra710;extra711;extra712;extra713;extra714;extra715;extra716 + extra79;extra710;extra711;extra712;extra713;extra714;extra715;extra716; + extra717 ;; forensics-ready ) check21;check22;check23;check24;check25;check26;check27; check43; - extra712;extra713;extra714;extra715 + extra712;extra713;extra714;extra715;extra717 ;; * ) textWarn "ERROR! Use a valid check name (i.e. check41 or extra71)\n"; @@ -2170,6 +2210,7 @@ if [[ $PRINTCHECKSONLY == "1" ]]; then textTitle "$ID714" "$TITLE714" "NOT_SCORED" "EXTRA" textTitle "$ID715" "$TITLE715" "NOT_SCORED" "EXTRA" textTitle "$ID716" "$TITLE716" "NOT_SCORED" "EXTRA" + textTitle "$ID717" "$TITLE717" "NOT_SCORED" "EXTRA" exit $EXITCODE fi @@ -2262,6 +2303,7 @@ extra713 extra714 extra715 extra716 +extra717 cleanTemp exit $EXITCODE