From e1958270c0dbc600686c01ef133d8cc1e0314df0 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente <toni.delafuente@alfresco.com>
Date: Fri, 20 Apr 2018 14:42:54 -0400
Subject: [PATCH] added new checks for SQS extra727 and 728

---
 checks/check_extra726 | 44 +------------------------------------------
 checks/check_extra727 | 34 +++++++++++++++++++++++++++++++++
 checks/check_extra728 | 36 +++++++++++++++++++++++++++++++++++
 3 files changed, 71 insertions(+), 43 deletions(-)
 create mode 100644 checks/check_extra727
 create mode 100644 checks/check_extra728

diff --git a/checks/check_extra726 b/checks/check_extra726
index 025ad41c..fa879f6e 100644
--- a/checks/check_extra726
+++ b/checks/check_extra726
@@ -25,48 +25,6 @@ extra726(){
     if [[ $QUERY_RESULT_NO_OK ]]; then
       TA_CHECKS_NAME=$($AWSCLI support describe-trusted-advisor-checks --language en $PROFILE_OPT --region us-east-1 --query "checks[?id==\`$checkid\`].{name:name}[*]"  --output text)
       textFail "Trusted Advisor check $TA_CHECKS_NAME is in state $QUERY_RESULT_NO_OK"
-    fi 
+    fi
   done
 }
-
-
-#
-# extra726(){
-#   # "Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)"
-#   for regx in $REGIONS; do
-#     LIST_OF_FUNCTIONS=$($AWSCLI lambda list-functions $PROFILE_OPT --region $regx --query Functions[*].FunctionName --output text)
-#     if [[ $LIST_OF_FUNCTIONS ]]; then
-#       for lambdafunction in $LIST_OF_FUNCTIONS;do
-#         LIST_OF_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query trailList[?HomeRegion==\`$regx\`].Name --output text)
-#         if [[ $LIST_OF_TRAILS ]]; then
-#           for trail in $LIST_OF_TRAILS; do
-#             FUNCTION_ENABLED_IN_TRAIL=$($AWSCLI cloudtrail get-event-selectors $PROFILE_OPT --trail-name $trail --region $regx --query "EventSelectors[*].DataResources[?Type == \`AWS::Lambda::Function\`].Values" --output text |xargs -n1| grep -E "^arn:aws:lambda.*function:$lambdafunction$")
-#             if [[ $FUNCTION_ENABLED_IN_TRAIL ]]; then
-#               textPass "$regx: Lambda function $lambdafunction enabled in trail $trail" "$regx"
-#             else
-#               textFail "$regx: Lambda function $lambdafunction NOT enabled in trail $trail" "$regx"
-#             fi
-#           done
-#           # LIST_OF_MULTIREGION_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query "trailList[?IsMultiRegionTrail == \`true\`].Name" --output text)
-#           # if [[ $LIST_OF_MULTIREGION_TRAILS ]]; then
-#           #   for trail in $LIST_OF_MULTIREGION_TRAILS; do
-#           #     REGION_OF_TRAIL=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query "trailList[?IsMultiRegionTrail == \`true\` && Name == \`$trail\` ].HomeRegion" --output text)
-#           #     FUNCTION_ENABLED_IN_THIS_REGION=$($AWSCLI cloudtrail get-event-selectors $PROFILE_OPT --trail-name $trail --region $REGION_OF_TRAIL --query "EventSelectors[*].DataResources[?Type == \`AWS::Lambda::Function\`].Values" --output text |xargs -n1| grep -E "^arn:aws:lambda.*function:$lambdafunction$")
-#           #     if [[ $FUNCTION_ENABLED_IN_THIS_REGION ]]; then
-#           #       textPass "$regx: Lambda function $lambdafunction enabled in trail $trail" "$regx"
-#           #     else
-#           #       textFail "$regx: Lambda function $lambdafunction NOT enabled in trail $trail" "$regx"
-#           #     fi
-#           #   done
-#           # else
-#           #   textFail "$regx: Lambda function $lambdafunction is not being recorded!" "$regx"
-#           # fi
-#         else
-#           textFail "$regx: Lambda function $lambdafunction is not being recorded no CloudTrail found!" "$regx"
-#         fi
-#       done
-#     else
-#       textInfo "$regx: No Lambda functions found" "$regx"
-#     fi
-#   done
-# }
diff --git a/checks/check_extra727 b/checks/check_extra727
new file mode 100644
index 00000000..2f752d66
--- /dev/null
+++ b/checks/check_extra727
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra727="7.27"
+CHECK_TITLE_extra727="[extra727] Check if SQS queues have policy set as Public (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra727="NOT_SCORED"
+CHECK_ALTERNATE_check727="extra727"
+
+extra727(){
+  for regx in $REGIONS; do
+    LIST_SQS=$($AWSCLI sqs list-queues $PROFILE_OPT --region $regx --query QueueUrls --output text |grep -v ^None)
+    if [[ $LIST_SQS ]]; then
+      for queue in $LIST_SQS; do
+        # check if the policy has Principal as *
+        PUBLIC_SQS=$($AWSCLI sqs get-queue-attributes --queue-url $queue --region $regx --attribute-names All --query Attributes.Policy --output text | awk -v k="text" '{n=split($0,a,","); for (i=1; i<=n; i++) print a[i]}' | awk '/Principal/ && !skip { print } { skip = /Deny/} '|grep \"Principal|grep \*)
+        if [[ $PUBLIC_SQS ]]; then
+          textFail "$regx: SQS queue $queue seems to be public (Principal: \"*\")" "$regx"
+        else
+          textInfo "$regx: SQS queue $queue seems correct" "$regx"
+        fi
+      done
+    fi
+  done
+}
diff --git a/checks/check_extra728 b/checks/check_extra728
new file mode 100644
index 00000000..4d03d64f
--- /dev/null
+++ b/checks/check_extra728
@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra728="7.28"
+CHECK_TITLE_extra728="[extra728] Check if SQS queues have Server Side Encryption enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra728="NOT_SCORED"
+CHECK_ALTERNATE_check728="extra728"
+
+extra728(){
+  for regx in $REGIONS; do
+    LIST_SQS=$($AWSCLI sqs list-queues $PROFILE_OPT --region $regx --query QueueUrls --output text |grep -v ^None)
+    if [[ $LIST_SQS ]]; then
+      for queue in $LIST_SQS; do
+        # check if the policy has KmsMasterKeyId therefore SSE enabled
+        SSE_ENABLED_QUEUE=$($AWSCLI sqs get-queue-attributes --queue-url $queue --region $regx --attribute-names All --query Attributes.KmsMasterKeyId --output text|grep -v ^None)
+        if [[ $SSE_ENABLED_QUEUE ]]; then
+          textPass "$regx: SQS queue $queue is using Server Side Encryption" "$regx"
+        else
+          textFail "$regx: SQS queue $queue is not using Server Side Encryption" "$regx"
+        fi
+      done
+    else
+      textInfo "$regx: No SQS queues found" "$regx"
+    fi
+  done
+}