added new checks for SQS extra727 and 728

2026-02-10 23:05:05 +00:00 · 2018-04-20 14:42:54 -04:00
parent 5efd2669fa
commit e1958270c0
3 changed files with 71 additions and 43 deletions
--- a/checks/check_extra726
+++ b/checks/check_extra726
@@ -25,48 +25,6 @@ extra726(){
    if [[ $QUERY_RESULT_NO_OK ]]; then
      TA_CHECKS_NAME=$($AWSCLI support describe-trusted-advisor-checks --language en $PROFILE_OPT --region us-east-1 --query "checks[?id==\`$checkid\`].{name:name}[*]"  --output text)
      textFail "Trusted Advisor check $TA_CHECKS_NAME is in state $QUERY_RESULT_NO_OK"
-    fi 
+    fi
  done
 }
-
-
-#
-# extra726(){
-#   # "Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)"
-#   for regx in $REGIONS; do
-#     LIST_OF_FUNCTIONS=$($AWSCLI lambda list-functions $PROFILE_OPT --region $regx --query Functions[*].FunctionName --output text)
-#     if [[ $LIST_OF_FUNCTIONS ]]; then
-#       for lambdafunction in $LIST_OF_FUNCTIONS;do
-#         LIST_OF_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query trailList[?HomeRegion==\`$regx\`].Name --output text)
-#         if [[ $LIST_OF_TRAILS ]]; then
-#           for trail in $LIST_OF_TRAILS; do
-#             FUNCTION_ENABLED_IN_TRAIL=$($AWSCLI cloudtrail get-event-selectors $PROFILE_OPT --trail-name $trail --region $regx --query "EventSelectors[*].DataResources[?Type == \`AWS::Lambda::Function\`].Values" --output text |xargs -n1| grep -E "^arn:aws:lambda.*function:$lambdafunction$")
-#             if [[ $FUNCTION_ENABLED_IN_TRAIL ]]; then
-#               textPass "$regx: Lambda function $lambdafunction enabled in trail $trail" "$regx"
-#             else
-#               textFail "$regx: Lambda function $lambdafunction NOT enabled in trail $trail" "$regx"
-#             fi
-#           done
-#           # LIST_OF_MULTIREGION_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query "trailList[?IsMultiRegionTrail == \`true\`].Name" --output text)
-#           # if [[ $LIST_OF_MULTIREGION_TRAILS ]]; then
-#           #   for trail in $LIST_OF_MULTIREGION_TRAILS; do
-#           #     REGION_OF_TRAIL=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query "trailList[?IsMultiRegionTrail == \`true\` && Name == \`$trail\` ].HomeRegion" --output text)
-#           #     FUNCTION_ENABLED_IN_THIS_REGION=$($AWSCLI cloudtrail get-event-selectors $PROFILE_OPT --trail-name $trail --region $REGION_OF_TRAIL --query "EventSelectors[*].DataResources[?Type == \`AWS::Lambda::Function\`].Values" --output text |xargs -n1| grep -E "^arn:aws:lambda.*function:$lambdafunction$")
-#           #     if [[ $FUNCTION_ENABLED_IN_THIS_REGION ]]; then
-#           #       textPass "$regx: Lambda function $lambdafunction enabled in trail $trail" "$regx"
-#           #     else
-#           #       textFail "$regx: Lambda function $lambdafunction NOT enabled in trail $trail" "$regx"
-#           #     fi
-#           #   done
-#           # else
-#           #   textFail "$regx: Lambda function $lambdafunction is not being recorded!" "$regx"
-#           # fi
-#         else
-#           textFail "$regx: Lambda function $lambdafunction is not being recorded no CloudTrail found!" "$regx"
-#         fi
-#       done
-#     else
-#       textInfo "$regx: No Lambda functions found" "$regx"
-#     fi
-#   done
-# }
--- a/checks/check_extra727
+++ b/checks/check_extra727
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra727="7.27"
+CHECK_TITLE_extra727="[extra727] Check if SQS queues have policy set as Public (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra727="NOT_SCORED"
+CHECK_ALTERNATE_check727="extra727"
+
+extra727(){
+  for regx in $REGIONS; do
+    LIST_SQS=$($AWSCLI sqs list-queues $PROFILE_OPT --region $regx --query QueueUrls --output text |grep -v ^None)
+    if [[ $LIST_SQS ]]; then
+      for queue in $LIST_SQS; do
+        # check if the policy has Principal as *
+        PUBLIC_SQS=$($AWSCLI sqs get-queue-attributes --queue-url $queue --region $regx --attribute-names All --query Attributes.Policy --output text | awk -v k="text" '{n=split($0,a,","); for (i=1; i<=n; i++) print a[i]}' | awk '/Principal/ && !skip { print } { skip = /Deny/} '|grep \"Principal|grep \*)
+        if [[ $PUBLIC_SQS ]]; then
+          textFail "$regx: SQS queue $queue seems to be public (Principal: \"*\")" "$regx"
+        else
+          textInfo "$regx: SQS queue $queue seems correct" "$regx"
+        fi
+      done
+    fi
+  done
+}
--- a/checks/check_extra728
+++ b/checks/check_extra728
@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra728="7.28"
+CHECK_TITLE_extra728="[extra728] Check if SQS queues have Server Side Encryption enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra728="NOT_SCORED"
+CHECK_ALTERNATE_check728="extra728"
+
+extra728(){
+  for regx in $REGIONS; do
+    LIST_SQS=$($AWSCLI sqs list-queues $PROFILE_OPT --region $regx --query QueueUrls --output text |grep -v ^None)
+    if [[ $LIST_SQS ]]; then
+      for queue in $LIST_SQS; do
+        # check if the policy has KmsMasterKeyId therefore SSE enabled
+        SSE_ENABLED_QUEUE=$($AWSCLI sqs get-queue-attributes --queue-url $queue --region $regx --attribute-names All --query Attributes.KmsMasterKeyId --output text|grep -v ^None)
+        if [[ $SSE_ENABLED_QUEUE ]]; then
+          textPass "$regx: SQS queue $queue is using Server Side Encryption" "$regx"
+        else
+          textFail "$regx: SQS queue $queue is not using Server Side Encryption" "$regx"
+        fi
+      done
+    else
+      textInfo "$regx: No SQS queues found" "$regx"
+    fi
+  done
+}