ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 06:45:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(reorganize_folders): Merge checks. (#1196)

Browse Source 
Co-authored-by: sergargar <sergio@verica.io>
This commit is contained in:
Sergio Garcia
2022-06-14 13:10:26 +02:00
committed by GitHub
parent 36fcab17f3
commit eb679f50f1
238 changed files with 0 additions and 549 deletions
Download Patch File Download Diff File Expand all files Collapse all files

51
providers/aws/services/iam/check11 Normal file
View File

@@ -0,0 +1,51 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_check11="1.1"
CHECK_TITLE_check11="[check11] Avoid the use of the root account"
CHECK_SCORED_check11="SCORED"
CHECK_CIS_LEVEL_check11="LEVEL1"
CHECK_SEVERITY_check11="High"
CHECK_ASFF_TYPE_check11="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ALTERNATE_check101="check11"
CHECK_SERVICENAME_check11="iam"
CHECK_RISK_check11='The "root" account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided.'
CHECK_REMEDIATION_check11='Follow the remediation instructions of the Ensure IAM policies are attached only to groups or roles recommendation.'
CHECK_DOC_check11='http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html'
CHECK_CAF_EPIC_check11='IAM'
check11(){
if [[ "${REGION}" == "us-gov-west-1" || "${REGION}" == "us-gov-east-1" ]]; then
textInfo "${REGION}: This is an AWS GovCloud account and there is no root account to perform checks."
else
# "Avoid the use of the root account (Scored)."
MAX_DAYS=-1
last_login_dates=$(cat $TEMP_REPORT_FILE | awk -F, '{ print $1,$5,$11,$16 }' | grep '<root_account>' | cut -d' ' -f2,3,4)
failures=0
for date in $last_login_dates; do
if [[ ${date%T*} =~ ^[0-9]{4}-[0-9]{2}-[0-9]{2}$ ]];then
days_not_in_use=$(how_many_days_from_today ${date%T*})
if [ "$days_not_in_use" -gt "$MAX_DAYS" ];then
failures=1
textFail "$REGION: Root user in the account was last accessed ${MAX_DAYS#-} day ago" "$REGION" "root"
break
fi
fi
done
if [[ $failures == 0 ]]; then
textPass "$REGION: Root user in the account wasn't accessed in the last ${MAX_DAYS#-} days" "$REGION" "root"
fi
fi
}

39
providers/aws/services/iam/check110 Normal file
View File

@@ -0,0 +1,39 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_check110="1.10"
CHECK_TITLE_check110="[check110] Ensure IAM password policy prevents password reuse: 24 or greater"
CHECK_SCORED_check110="SCORED"
CHECK_CIS_LEVEL_check110="LEVEL1"
CHECK_SEVERITY_check110="Medium"
CHECK_ASFF_TYPE_check110="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ALTERNATE_check110="check110"
CHECK_SERVICENAME_check110="iam"
CHECK_RISK_check110='Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter.'
CHECK_REMEDIATION_check110='Ensure "Number of passwords to remember" is set to 24.'
CHECK_DOC_check110='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html'
CHECK_CAF_EPIC_check110='IAM'
check110(){
# "Ensure IAM password policy prevents password reuse: 24 or greater (Scored)"
COMMAND110=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --query 'PasswordPolicy.PasswordReusePrevention' --output text 2> /dev/null)
if [[ $COMMAND110 ]];then
if [[ $COMMAND110 -gt "23" ]];then
textPass "$REGION: Password Policy limits reuse" "$REGION" "password policy"
else
textFail "$REGION: Password Policy has weak reuse requirement (lower than 24)" "$REGION" "password policy"
fi
else
textFail "$REGION: Password Policy missing reuse requirement" "$REGION" "password policy"
fi
}

39
providers/aws/services/iam/check111 Normal file
View File

@@ -0,0 +1,39 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_check111="1.11"
CHECK_TITLE_check111="[check111] Ensure IAM password policy expires passwords within 90 days or less"
CHECK_SCORED_check111="SCORED"
CHECK_CIS_LEVEL_check111="LEVEL1"
CHECK_SEVERITY_check111="Medium"
CHECK_ASFF_TYPE_check111="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ALTERNATE_check111="check111"
CHECK_SERVICENAME_check111="iam"
CHECK_RISK_check111='Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter.'
CHECK_REMEDIATION_check111='Ensure "Password expiration period (in days):" is set to 90 or less.'
CHECK_DOC_check111='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html'
CHECK_CAF_EPIC_check111='IAM'
check111(){
# "Ensure IAM password policy expires passwords within 90 days or less (Scored)"
COMMAND111=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --query PasswordPolicy.MaxPasswordAge --output text 2> /dev/null)
if [[ $COMMAND111 == [0-9]* ]];then
if [[ "$COMMAND111" -le "90" ]];then
textPass "$REGION: Password Policy includes expiration (Value: $COMMAND111)" "$REGION" "password policy"
else
textFail "$REGION: Password expiration is set greater than 90 days" "$REGION" "password policy"
fi
else
textFail "$REGION: Password expiration is not set" "$REGION" "password policy"
fi
}

42
providers/aws/services/iam/check112 Normal file
View File

@@ -0,0 +1,42 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_check112="1.12"
CHECK_TITLE_check112="[check112] Ensure no root account access key exists"
CHECK_SCORED_check112="SCORED"
CHECK_CIS_LEVEL_check112="LEVEL1"
CHECK_SEVERITY_check112="Critical"
CHECK_ASFF_TYPE_check112="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ALTERNATE_check112="check112"
CHECK_SERVICENAME_check112="iam"
CHECK_RISK_check112='The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed. Removing access keys associated with the root account limits vectors by which the account can be compromised. Removing the root access keys encourages the creation and use of role based accounts that are least privileged.'
CHECK_REMEDIATION_check112='Use the credential report to that the user and ensure the access_key_1_active and access_key_2_active fields are set to FALSE .'
CHECK_DOC_check112='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html'
CHECK_CAF_EPIC_check112='IAM'
check112(){
# "Ensure no root account access key exists (Scored)"
# ensure the access_key_1_active and access_key_2_active fields are set to FALSE.
ROOTKEY1=$(cat $TEMP_REPORT_FILE |grep root_account|awk -F',' '{ print $9 }')
ROOTKEY2=$(cat $TEMP_REPORT_FILE |grep root_account|awk -F',' '{ print $14 }')
if [ "$ROOTKEY1" == "false" ];then
textPass "$REGION: No access key 1 found for root" "$REGION" "root access key1"
else
textFail "$REGION: Found access key 1 for root" "$REGION" "root access key1"
fi
if [ "$ROOTKEY2" == "false" ];then
textPass "$REGION: No access key 2 found for root" "$REGION" "root access key2"
else
textFail "$REGION: Found access key 2 for root" "$REGION" "root access key2"
fi
}

39
providers/aws/services/iam/check113 Normal file
View File

@@ -0,0 +1,39 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_check113="1.13"
CHECK_TITLE_check113="[check113] Ensure MFA is enabled for the root account"
CHECK_SCORED_check113="SCORED"
CHECK_CIS_LEVEL_check113="LEVEL1"
CHECK_SEVERITY_check113="Critical"
CHECK_ASFF_TYPE_check113="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ALTERNATE_check113="check113"
CHECK_SERVICENAME_check113="iam"
CHECK_RISK_check113='The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled when a user signs in to an AWS website they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. When virtual MFA is used for root accounts it is recommended that the device used is NOT a personal device but rather a dedicated mobile device (tablet or phone) that is managed to be kept charged and secured independent of any individual personal devices. ("non-personal virtual MFA") This lessens the risks of losing access to the MFA due to device loss / trade-in or if the individual owning the device is no longer employed at the company.'
CHECK_REMEDIATION_check113='Using IAM console navigate to Dashboard and expand Activate MFA on your root account.'
CHECK_DOC_check113='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa'
CHECK_CAF_EPIC_check113='IAM'
check113(){
if [[ "${REGION}" == "us-gov-west-1" || "${REGION}" == "us-gov-east-1" ]]; then
textInfo "${REGION}: This is an AWS GovCloud account and there is no root account to perform checks."
else
# "Ensure MFA is enabled for the root account (Scored)"
COMMAND113=$($AWSCLI iam get-account-summary $PROFILE_OPT --region $REGION --output json --query 'SummaryMap.AccountMFAEnabled')
if [ "$COMMAND113" == "1" ]; then
textPass "$REGION: Virtual MFA is enabled for root" "$REGION" "MFA"
else
textFail "$REGION: MFA is not ENABLED for root account" "$REGION" "MFA"
fi
fi
}

44
providers/aws/services/iam/check114 Normal file
View File

@@ -0,0 +1,44 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_check114="1.14"
CHECK_TITLE_check114="[check114] Ensure hardware MFA is enabled for the root account"
CHECK_SCORED_check114="SCORED"
CHECK_CIS_LEVEL_check114="LEVEL2"
CHECK_SEVERITY_check114="Critical"
CHECK_ASFF_TYPE_check114="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ALTERNATE_check114="check114"
CHECK_SERVICENAME_check114="iam"
CHECK_RISK_check114='The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled when a user signs in to an AWS website they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2 it is recommended that the root account be protected with a hardware MFA.'
CHECK_REMEDIATION_check114='Using IAM console navigate to Dashboard and expand Activate MFA on your root account.'
CHECK_DOC_check114='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa'
CHECK_CAF_EPIC_check114='IAM'
check114(){
if [[ "${REGION}" == "us-gov-west-1" || "${REGION}" == "us-gov-east-1" ]]; then
textInfo "${REGION}: This is an AWS GovCloud account and there is no root account to perform checks."
else
# "Ensure hardware MFA is enabled for the root account (Scored)"
COMMAND113=$($AWSCLI iam get-account-summary $PROFILE_OPT --region $REGION --output json --query 'SummaryMap.AccountMFAEnabled')
if [ "$COMMAND113" == "1" ]; then
COMMAND114=$($AWSCLI iam list-virtual-mfa-devices $PROFILE_OPT --region $REGION --output text --assignment-status Assigned --query 'VirtualMFADevices[*].[SerialNumber]' | grep "^arn:${AWS_PARTITION}:iam::[0-9]\{12\}:mfa/root-account-mfa-device$")
if [[ "$COMMAND114" ]]; then
textFail "$REGION: Only Virtual MFA is enabled for root" "$REGION" "MFA"
else
textPass "$REGION: Hardware MFA is enabled for root" "$REGION" "MFA"
fi
else
textFail "$REGION: MFA is not ENABLED for root account" "$REGION" "MFA"
fi
fi
}

49
providers/aws/services/iam/check116 Normal file
View File

@@ -0,0 +1,49 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_check116="1.16"
CHECK_TITLE_check116="[check116] Ensure IAM policies are attached only to groups or roles"
CHECK_SCORED_check116="SCORED"
CHECK_CIS_LEVEL_check116="LEVEL1"
CHECK_SEVERITY_check116="Low"
CHECK_ASFF_TYPE_check116="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check116="AwsIamUser"
CHECK_ALTERNATE_check116="check116"
CHECK_ASFF_COMPLIANCE_TYPE_check116="ens-op.acc.3.aws.iam.1"
CHECK_SERVICENAME_check116="iam"
CHECK_RISK_check116='By default IAM users; groups; and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users; groups; or roles. It is recommended that IAM policies be applied directly to groups and roles but not users. Assigning privileges at the group or role level reduces the complexity of access management as the number of users grow. Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.'
CHECK_REMEDIATION_check116='Remove any policy attached directly to the user. Use groups or roles instead.'
CHECK_DOC_check116='https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html'
CHECK_CAF_EPIC_check116='IAM'
check116(){
# "Ensure IAM policies are attached only to groups or roles (Scored)"
LIST_USERS=$($AWSCLI iam list-users --query 'Users[*].UserName' --output text $PROFILE_OPT --region $REGION)
for user in $LIST_USERS;do
USER_ATTACHED_POLICY=$($AWSCLI iam list-attached-user-policies --output text $PROFILE_OPT --region $REGION --user-name $user)
USER_INLINE_POLICY=$($AWSCLI iam list-user-policies --output text $PROFILE_OPT --region $REGION --user-name $user)
if [[ $USER_ATTACHED_POLICY ]] || [[ $USER_INLINE_POLICY ]]
then
if [[ $USER_ATTACHED_POLICY ]]
then
textFail "$REGION: $user has managed policy directly attached" "$REGION" "$user"
fi
if [[ $USER_INLINE_POLICY ]]
then
textFail "$REGION: $user has inline policy directly attached" "$REGION" "$user"
fi
else
textPass "$REGION: No policies attached to user $user" "$REGION" "$user"
fi
done
}

44
providers/aws/services/iam/check12 Normal file
View File

@@ -0,0 +1,44 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_check12="1.2"
CHECK_TITLE_check12="[check12] Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password"
CHECK_SCORED_check12="SCORED"
CHECK_CIS_LEVEL_check12="LEVEL1"
CHECK_SEVERITY_check12="High"
CHECK_ASFF_TYPE_check12="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check12="AwsIamUser"
CHECK_ALTERNATE_check102="check12"
CHECK_ASFF_COMPLIANCE_TYPE_check12="ens-op.acc.5.aws.iam.1"
CHECK_SERVICENAME_check12="iam"
CHECK_RISK_check12='Unauthorized access to this critical account if password is not secure or it is disclosed in any way.'
CHECK_REMEDIATION_check12='Enable MFA for root account. MFA is a simple best practice that adds an extra layer of protection on top of your user name and password. Recommended to use hardware keys over virtual MFA.'
CHECK_DOC_check12='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html'
CHECK_CAF_EPIC_check12='IAM'
check12(){
# "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)"
# List users with password enabled
COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED=$(cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$4 }' |grep 'true$' | awk '{ print $1 }')
COMMAND12=$(
for i in $COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED; do
cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$8 }' |grep "^$i " |grep false | awk '{ print $1 }'
done)
if [[ $COMMAND12 ]]; then
for u in $COMMAND12; do
textFail "$REGION: User $u has Password enabled but MFA disabled" "$REGION" "$u"
done
else
textPass "$REGION: No users found with Password enabled and MFA disabled" "$REGION" "$u"
fi
}

49
providers/aws/services/iam/check120 Normal file
View File

@@ -0,0 +1,49 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_check120="1.20"
CHECK_TITLE_check120="[check120] Ensure a support role has been created to manage incidents with AWS Support"
CHECK_SCORED_check120="SCORED"
CHECK_CIS_LEVEL_check120="LEVEL1"
CHECK_SEVERITY_check120="Medium"
CHECK_ASFF_TYPE_check120="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check120="AwsIamRole"
CHECK_ALTERNATE_check120="check120"
CHECK_ASFF_COMPLIANCE_TYPE_check120="ens-op.acc.1.aws.iam.4"
CHECK_SERVICENAME_check120="iam"
CHECK_RISK_check120='AWS provides a support center that can be used for incident notification and response; as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support.'
CHECK_REMEDIATION_check120='Create an IAM role for managing incidents with AWS.'
CHECK_DOC_check120='https://docs.aws.amazon.com/awssupport/latest/user/using-service-linked-roles-sup.html'
CHECK_CAF_EPIC_check120='IAM'
check120(){
# "Ensure a support role has been created to manage incidents with AWS Support (Scored)"
SUPPORTPOLICYARN=$($AWSCLI iam list-policies --query "Policies[?PolicyName == 'AWSSupportAccess'].Arn" $PROFILE_OPT --region $REGION --output text)
if [[ $SUPPORTPOLICYARN ]];then
for policyarn in $SUPPORTPOLICYARN;do
POLICYROLES=$($AWSCLI iam list-entities-for-policy --policy-arn $policyarn $PROFILE_OPT --region $REGION --output text | awk -F$'\t' '{ print $3 }')
if [[ $POLICYROLES ]];then
for name in $POLICYROLES; do
textPass "$REGION: Support Policy attached to $name" "$REGION" "$name"
done
# for user in $(echo "$POLICYUSERS" | grep UserName | cut -d'"' -f4) ; do
# textInfo "User $user has support access via $policyarn"
# done
else
textFail "$REGION: Support Policy not applied to any Role" "$REGION" "$name"
fi
done
else
textFail "$REGION: No Support Policy found" "$REGION" "$name"
fi
}

54
providers/aws/services/iam/check121 Normal file
View File

@@ -0,0 +1,54 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_check121="1.21"
CHECK_TITLE_check121="[check121] Do not setup access keys during initial user setup for all IAM users that have a console password"
CHECK_SCORED_check121="NOT_SCORED"
CHECK_CIS_LEVEL_check121="LEVEL1"
CHECK_SEVERITY_check121="Medium"
CHECK_ASFF_TYPE_check121="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check121="AwsIamUser"
CHECK_ALTERNATE_check121="check121"
CHECK_ASFF_COMPLIANCE_TYPE_check121="ens-op.acc.1.aws.iam.5"
CHECK_SERVICENAME_check121="iam"
CHECK_RISK_check121='AWS console defaults the checkbox for creating access keys to enabled. This results in many access keys being generated unnecessarily. In addition to unnecessary credentials; it also generates unnecessary management work in auditing and rotating these keys. Requiring that additional steps be taken by the user after their profile has been created will give a stronger indication of intent that access keys are (a) necessary for their work and (b) once the access key is established on an account that the keys may be in use somewhere in the organization.'
CHECK_REMEDIATION_check121='From the IAM console: generate credential report and disable not required keys.'
CHECK_DOC_check121='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html'
CHECK_CAF_EPIC_check121='IAM'
check121(){
# "Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)"
LIST_USERS=$($AWSCLI iam list-users --query 'Users[*].UserName' --output text $PROFILE_OPT --region $REGION)
# List of USERS with KEY1 last_used_date as N/A
LIST_USERS_KEY1_NA=$(for user in $LIST_USERS; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$11 }'|grep N/A |awk '{ print $1 }'; done)
# List of USERS with KEY1 active, last_used_date as N/A and have a console password
LIST_USERS_KEY1_ACTIVE=$(for user in $LIST_USERS_KEY1_NA; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$4,$9 }'|grep "true true$"|awk '{ print $1 }'|sed 's/[[:blank:]]+/,/g' ; done)
if [[ $LIST_USERS_KEY1_ACTIVE ]]; then
for user in $LIST_USERS_KEY1_ACTIVE; do
textFail "$REGION: User $user has never used access key 1" "$REGION" "$user"
done
else
textPass "$REGION: No users found with access key 1 never used" "$REGION" "$user"
fi
# List of USERS with KEY2 last_used_date as N/A
LIST_USERS_KEY2_NA=$(for user in $LIST_USERS; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$16 }'|grep N/A |awk '{ print $1 }' ; done)
# List of USERS with KEY2 active, last_used_date as N/A and have a console password
LIST_USERS_KEY2_ACTIVE=$(for user in $LIST_USERS_KEY2_NA; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$4,$14 }'|grep "true true$" |awk '{ print $1 }' ; done)
if [[ $LIST_USERS_KEY2_ACTIVE ]]; then
for user in $LIST_USERS_KEY2_ACTIVE; do
textFail "$REGION: User $user has never used access key 2" "$REGION" "$user"
done
else
textPass "$REGION: No users found with access key 2 never used" "$REGION" "$user"
fi
}

50
providers/aws/services/iam/check122 Normal file
View File

@@ -0,0 +1,50 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_check122="1.22"
CHECK_TITLE_check122="[check122] Ensure IAM policies that allow full \"*:*\" administrative privileges are not created"
CHECK_SCORED_check122="SCORED"
CHECK_CIS_LEVEL_check122="LEVEL1"
CHECK_SEVERITY_check122="Medium"
CHECK_ASFF_TYPE_check122="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check122="AwsIamPolicy"
CHECK_ALTERNATE_check122="check122"
CHECK_SERVICENAME_check122="iam"
CHECK_RISK_check122='IAM policies are the means by which privileges are granted to users; groups; or roles. It is recommended and considered a standard security advice to grant least privilege—that is; granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks instead of allowing full administrative privileges. Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions.'
CHECK_REMEDIATION_check122='It is more secure to start with a minimum set of permissions and grant additional permissions as necessary; rather than starting with permissions that are too lenient and then trying to tighten them later. List policies an analyze if permissions are the least possible to conduct business activities.'
CHECK_DOC_check122='http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html'
CHECK_CAF_EPIC_check122='IAM'
check122(){
# "Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)"
LIST_CUSTOM_POLICIES=$($AWSCLI iam list-policies --output text $PROFILE_OPT --region $REGION --scope Local --query 'Policies[*].[Arn,DefaultVersionId]' | grep -v -e '^None$' | awk -F '\t' '{print $1","$2"\n"}')
if [[ $LIST_CUSTOM_POLICIES ]]; then
for policy in $LIST_CUSTOM_POLICIES; do
POLICY_ARN=$(awk 'BEGIN{FS=OFS=","}{NF--; print}' <<< "${policy}")
POLICY_VERSION=$(awk -F ',' '{print $(NF)}' <<< "${policy}")
POLICY_WITH_FULL=$($AWSCLI iam get-policy-version --output text --policy-arn $POLICY_ARN --version-id $POLICY_VERSION --query "[PolicyVersion.Document.Statement] | [] | [?Action!=null] | [?Effect == 'Allow' && Resource == '*' && Action == '*']" $PROFILE_OPT --region $REGION)
if [[ $POLICY_WITH_FULL ]]; then
POLICIES_ALLOW_LIST="$POLICIES_ALLOW_LIST $POLICY_ARN"
else
textPass "$REGION: Policy ${policy//,/[comma]} that does not allow full \"*:*\" administrative privileges" "${REGION}" "${policy}"
fi
done
if [[ $POLICIES_ALLOW_LIST ]]; then
for policy in $POLICIES_ALLOW_LIST; do
textFail "$REGION: Policy ${policy//,/[comma]} allows \"*:*\"" "${REGION}" "${policy}"
done
fi
else
textPass "$REGION: No custom policies found" "$REGION"
fi
}

31
providers/aws/services/iam/check13 Normal file
View File

@@ -0,0 +1,31 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_check13="1.3"
CHECK_TITLE_check13="[check13] Ensure credentials unused for 90 days or greater are disabled"
CHECK_SCORED_check13="SCORED"
CHECK_CIS_LEVEL_check13="LEVEL1"
CHECK_SEVERITY_check13="Medium"
CHECK_ASFF_TYPE_check13="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check13="AwsIamUser"
CHECK_ALTERNATE_check103="check13"
CHECK_ASFF_COMPLIANCE_TYPE_check13="ens-op.acc.1.aws.iam.3 ens-op.acc.5.aws.iam.4"
CHECK_SERVICENAME_check13="iam"
CHECK_RISK_check13='AWS IAM users can access AWS resources using different types of credentials (passwords or access keys). It is recommended that all credentials that have been unused in 90 or greater days be removed or deactivated.'
CHECK_REMEDIATION_check13='Use the credential report to ensure password_last_changed is less than 90 days ago.'
CHECK_DOC_check13='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html'
CHECK_CAF_EPIC_check13='IAM'
check13(){
check_creds_used_in_last_days 90
}

71
providers/aws/services/iam/check14 Normal file
View File

@@ -0,0 +1,71 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_check14="1.4"
CHECK_TITLE_check14="[check14] Ensure access keys are rotated every 90 days or less"
CHECK_SCORED_check14="SCORED"
CHECK_CIS_LEVEL_check14="LEVEL1"
CHECK_SEVERITY_check14="Medium"
CHECK_ASFF_TYPE_check14="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check14="AwsIamUser"
CHECK_ALTERNATE_check104="check14"
CHECK_ASFF_COMPLIANCE_TYPE_check14="ens-op.acc.1.aws.iam.4 ens-op.acc.5.aws.iam.3"
CHECK_SERVICENAME_check14="iam"
CHECK_RISK_check14='Access keys consist of an access key ID and secret access key which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI)- Tools for Windows PowerShell- the AWS SDKs- or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated.'
CHECK_REMEDIATION_check14='Use the credential report to ensure access_key_X_last_rotated is less than 90 days ago.'
CHECK_DOC_check14='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html'
CHECK_CAF_EPIC_check14='IAM'
check14(){
# "Ensure access keys are rotated every 90 days or less (Scored)" # also checked by Security Monkey
LIST_OF_USERS_WITH_ACCESS_KEY1=$(cat $TEMP_REPORT_FILE| awk -F, '{ print $1, $9 }' |grep "\ true" | awk '{ print $1 }')
LIST_OF_USERS_WITH_ACCESS_KEY2=$(cat $TEMP_REPORT_FILE| awk -F, '{ print $1, $14 }' |grep "\ true" | awk '{ print $1 }')
C14_NUM_USERS1=0
C14_NUM_USERS2=0
if [[ $LIST_OF_USERS_WITH_ACCESS_KEY1 ]]; then
# textFail "Users with access key 1 older than 90 days:"
for user in $LIST_OF_USERS_WITH_ACCESS_KEY1; do
# check access key 1
DATEROTATED1=$(cat $TEMP_REPORT_FILE | grep -v user_creation_time | grep "^${user},"| awk -F, '{ print $10 }' | grep -v "N/A" | awk -F"T" '{ print $1 }')
HOWOLDER=$(how_older_from_today $DATEROTATED1)
if [ $HOWOLDER -gt "90" ];then
textFail "$REGION: $user has not rotated access key 1 in over 90 days" "$REGION" "$user"
C14_NUM_USERS1=$(expr $C14_NUM_USERS1 + 1)
fi
done
if [[ $C14_NUM_USERS1 -eq 0 ]]; then
textPass "$REGION: No users with access key 1 older than 90 days" "$REGION" "$user"
fi
else
textPass "$REGION: No users with access key 1" "$REGION" "$user"
fi
if [[ $LIST_OF_USERS_WITH_ACCESS_KEY2 ]]; then
# textFail "Users with access key 2 older than 90 days:"
for user in $LIST_OF_USERS_WITH_ACCESS_KEY2; do
# check access key 2
DATEROTATED2=$(cat $TEMP_REPORT_FILE | grep -v user_creation_time | grep "^${user},"| awk -F, '{ print $15 }' | grep -v "N/A" | awk -F"T" '{ print $1 }')
HOWOLDER=$(how_older_from_today $DATEROTATED2)
if [ $HOWOLDER -gt "90" ];then
textFail "$REGION: $user has not rotated access key 2 in over 90 days" "$REGION" "$user"
C14_NUM_USERS2=$(expr $C14_NUM_USERS2 + 1)
fi
done
if [[ $C14_NUM_USERS2 -eq 0 ]]; then
textPass "$REGION: No users with access key 2 older than 90 days" "$REGION" "$user"
fi
else
textPass "$REGION: No users with access key 2" "$REGION" "$user"
fi
}

35
providers/aws/services/iam/check15 Normal file
View File

@@ -0,0 +1,35 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_check15="1.5"
CHECK_TITLE_check15="[check15] Ensure IAM password policy requires at least one uppercase letter"
CHECK_SCORED_check15="SCORED"
CHECK_CIS_LEVEL_check15="LEVEL1"
CHECK_SEVERITY_check15="Medium"
CHECK_ASFF_TYPE_check15="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ALTERNATE_check105="check15"
CHECK_SERVICENAME_check15="iam"
CHECK_RISK_check15='Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter.'
CHECK_REMEDIATION_check15='Ensure "Requires at least one uppercase letter" is checked under "Password Policy".'
CHECK_DOC_check15='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html'
CHECK_CAF_EPIC_check15='IAM'
check15(){
# "Ensure IAM password policy requires at least one uppercase letter (Scored)"
COMMAND15=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireUppercaseCharacters' 2> /dev/null) # must be true
if [[ "$COMMAND15" == "true" ]];then
textPass "$REGION: Password Policy requires upper case" "$REGION" "password policy"
else
textFail "$REGION: Password Policy missing upper-case requirement" "$REGION" "password policy"
fi
}

35
providers/aws/services/iam/check16 Normal file
View File

@@ -0,0 +1,35 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_check16="1.6"
CHECK_TITLE_check16="[check16] Ensure IAM password policy require at least one lowercase letter"
CHECK_SCORED_check16="SCORED"
CHECK_CIS_LEVEL_check16="LEVEL1"
CHECK_SEVERITY_check16="Medium"
CHECK_ASFF_TYPE_check16="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ALTERNATE_check106="check16"
CHECK_SERVICENAME_check16="iam"
CHECK_RISK_check16='Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter.'
CHECK_REMEDIATION_check16='Ensure "Requires at least one lowercase letter" is checked under "Password Policy".'
CHECK_DOC_check16='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html'
CHECK_CAF_EPIC_check16='IAM'
check16(){
# "Ensure IAM password policy require at least one lowercase letter (Scored)"
COMMAND16=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireLowercaseCharacters' 2> /dev/null) # must be true
if [[ "$COMMAND16" == "true" ]];then
textPass "$REGION: Password Policy requires lower case" "$REGION" "password policy"
else
textFail "$REGION: Password Policy missing lower-case requirement" "$REGION" "password policy"
fi
}

35
providers/aws/services/iam/check17 Normal file
View File

@@ -0,0 +1,35 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_check17="1.7"
CHECK_TITLE_check17="[check17] Ensure IAM password policy require at least one symbol"
CHECK_SCORED_check17="SCORED"
CHECK_CIS_LEVEL_check17="LEVEL1"
CHECK_SEVERITY_check17="Medium"
CHECK_ASFF_TYPE_check17="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ALTERNATE_check107="check17"
CHECK_SERVICENAME_check17="iam"
CHECK_RISK_check17='Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter.'
CHECK_REMEDIATION_check17='Ensure "Require at least one non-alphanumeric character" is checked under "Password Policy".'
CHECK_DOC_check17='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html'
CHECK_CAF_EPIC_check17='IAM'
check17(){
# "Ensure IAM password policy require at least one symbol (Scored)"
COMMAND17=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireSymbols' 2> /dev/null) # must be true
if [[ "$COMMAND17" == "true" ]];then
textPass "$REGION: Password Policy requires symbol" "$REGION" "password policy"
else
textFail "$REGION: Password Policy missing symbol requirement" "$REGION" "password policy"
fi
}

35
providers/aws/services/iam/check18 Normal file
View File

@@ -0,0 +1,35 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_check18="1.8"
CHECK_TITLE_check18="[check18] Ensure IAM password policy require at least one number"
CHECK_SCORED_check18="SCORED"
CHECK_CIS_LEVEL_check18="LEVEL1"
CHECK_SEVERITY_check18="Medium"
CHECK_ASFF_TYPE_check18="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ALTERNATE_check108="check18"
CHECK_SERVICENAME_check18="iam"
CHECK_RISK_check18='Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter.'
CHECK_REMEDIATION_check18='Ensure "Require at least one number " is checked under "Password Policy".'
CHECK_DOC_check18='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html'
CHECK_CAF_EPIC_check18='IAM'
check18(){
# "Ensure IAM password policy require at least one number (Scored)"
COMMAND18=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireNumbers' 2> /dev/null) # must be true
if [[ "$COMMAND18" == "true" ]];then
textPass "$REGION: Password Policy requires number" "$REGION" "password policy"
else
textFail "$REGION: Password Policy missing number requirement" "$REGION" "password policy"
fi
}

35
providers/aws/services/iam/check19 Normal file
View File

@@ -0,0 +1,35 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_check19="1.9"
CHECK_TITLE_check19="[check19] Ensure IAM password policy requires minimum length of 14 or greater"
CHECK_SCORED_check19="SCORED"
CHECK_CIS_LEVEL_check19="LEVEL1"
CHECK_SEVERITY_check19="Medium"
CHECK_ASFF_TYPE_check19="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ALTERNATE_check109="check19"
CHECK_SERVICENAME_check19="iam"
CHECK_RISK_check19='Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter.'
CHECK_REMEDIATION_check19='Ensure "Minimum password length" is set to 14 or greater.'
CHECK_DOC_check19='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html'
CHECK_CAF_EPIC_check19='IAM'
check19(){
# "Ensure IAM password policy requires minimum length of 14 or greater (Scored)"
COMMAND19=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.MinimumPasswordLength' 2> /dev/null)
if [[ $COMMAND19 -gt "13" ]];then
textPass "$REGION: Password Policy requires more than 13 characters" "$REGION" "password policy"
else
textFail "$REGION: Password Policy missing or weak length requirement" "$REGION" "password policy"
fi
}

56
providers/aws/services/iam/check31 Normal file
View File

@@ -0,0 +1,56 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
# Remediation:
#
# https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
#
# aws logs put-metric-filter \
# --region us-east-1 \
# --log-group-name CloudTrail/MyCloudTrailLG \
# --filter-name AWSAuthorizationFailures \
# --filter-pattern '{ $.errorCode = "*UnauthorizedOperation" || $.errorCode = "AccessDenied*" }' \
# --metric-transformations metricName=AuthorizationFailureCount,metricNamespace=CloudTrailMetrics,metricValue=1
#
# aws cloudwatch put-metric-alarm \
# --region us-east-1 \
# --alarm-name "Authorization Failures" \
# --alarm-description "Alarm triggered when unauthorized API calls are made" \
# --metric-name AuthorizationFailureCount \
# --namespace CloudTrailMetrics \
# --statistic Sum \
# --comparison-operator GreaterThanOrEqualToThreshold \
# --evaluation-periods 1 \
# --period 300 \
# --threshold 1 \
# --actions-enabled \
# --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
CHECK_ID_check31="3.1"
CHECK_TITLE_check31="[check31] Ensure a log metric filter and alarm exist for unauthorized API calls"
CHECK_SCORED_check31="SCORED"
CHECK_CIS_LEVEL_check31="LEVEL1"
CHECK_SEVERITY_check31="Medium"
CHECK_ASFF_TYPE_check31="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check31="AwsCloudTrailTrail"
CHECK_ALTERNATE_check301="check31"
CHECK_ASFF_COMPLIANCE_TYPE_check31="ens-op.exp.8.aws.trail.2"
CHECK_SERVICENAME_check31="iam"
CHECK_RISK_check31='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
CHECK_REMEDIATION_check31='It is recommended that a metric filter and alarm be established for unauthorized requests.'
CHECK_DOC_check31='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
CHECK_CAF_EPIC_check31='Logging and Monitoring'
check31(){
check3x '\$\.errorCode\s*=\s*"\*UnauthorizedOperation".+\$\.errorCode\s*=\s*"AccessDenied\*"'
}

56
providers/aws/services/iam/check32 Normal file
View File

@@ -0,0 +1,56 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
# Remediation:
#
# https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
#
# aws logs put-metric-filter \
# --region us-east-1 \
# --log-group-name CloudTrail/CloudWatchLogGroup \
# --filter-name ConsoleSignInWithoutMfaCount \
# --filter-pattern '{ $.eventName = "ConsoleLogin" && $.additionalEventData.MFAUsed != "Yes" }' \
# --metric-transformations metricName=ConsoleSignInWithoutMfaCount,metricNamespace=CloudTrailMetrics,metricValue=1
#
# aws cloudwatch put-metric-alarm \
# --region us-east-1 \
# --alarm-name ConsoleSignInWithoutMfaAlarm \
# --alarm-description "Triggered by sign-in requests made without MFA." \
# --metric-name ConsoleSignInWithoutMfaCount \
# --namespace CloudTrailMetrics \
# --statistic Sum \
# --comparison-operator GreaterThanOrEqualToThreshold \
# --evaluation-periods 1 \
# --period 300 \
# --threshold 1 \
# --actions-enabled \
# --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
CHECK_ID_check32="3.2"
CHECK_TITLE_check32="[check32] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA"
CHECK_SCORED_check32="SCORED"
CHECK_CIS_LEVEL_check32="LEVEL1"
CHECK_SEVERITY_check32="Medium"
CHECK_ASFF_TYPE_check32="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check32="AwsCloudTrailTrail"
CHECK_ALTERNATE_check302="check32"
CHECK_ASFF_COMPLIANCE_TYPE_check32="ens-op.exp.8.aws.trail.4"
CHECK_SERVICENAME_check32="iam"
CHECK_RISK_check32='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
CHECK_REMEDIATION_check32='It is recommended that a metric filter and alarm be established for unauthorized requests.'
CHECK_DOC_check32='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
CHECK_CAF_EPIC_check32='Logging and Monitoring'
check32(){
check3x '\$\.eventName\s*=\s*"ConsoleLogin".+\$\.additionalEventData\.MFAUsed\s*!=\s*"Yes"'
}

60
providers/aws/services/iam/check33 Normal file
View File

@@ -0,0 +1,60 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
# Remediation:
#
# https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
#
# aws logs put-metric-filter \
# --region us-east-1 \
# --log-group-name CloudTrail/CloudWatchLogGroup \
# --filter-name RootAccountUsage \
# --filter-pattern '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }' \
# --metric-transformations metricName=RootAccountUsageEventCount,metricNamespace=CloudTrailMetrics,metricValue=1 \
#
# aws cloudwatch put-metric-alarm \
# --region us-east-1 \
# --alarm-name RootAccountUsageAlarm \
# --alarm-description "Triggered by AWS Root Account usage." \
# --metric-name RootAccountUsageEventCount \
# --namespace CloudTrailMetrics \
# --statistic \
# --comparison-operator GreaterThanOrEqualToThreshold \
# --evaluation-periods 1 \
# --period 300 \
# --threshold 1 \
# --actions-enabled \
# --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
CHECK_ID_check33="3.3"
CHECK_TITLE_check33="[check33] Ensure a log metric filter and alarm exist for usage of root account"
CHECK_SCORED_check33="SCORED"
CHECK_CIS_LEVEL_check33="LEVEL1"
CHECK_SEVERITY_check33="Medium"
CHECK_ASFF_TYPE_check33="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check33="AwsCloudTrailTrail"
CHECK_ALTERNATE_check303="check33"
CHECK_ASFF_COMPLIANCE_TYPE_check33="ens-op.exp.8.aws.trail.5"
CHECK_SERVICENAME_check33="iam"
CHECK_RISK_check33='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
CHECK_REMEDIATION_check33='It is recommended that a metric filter and alarm be established for unauthorized requests.'
CHECK_DOC_check33='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
CHECK_CAF_EPIC_check33='Logging and Monitoring'
check33(){
if [[ "${REGION}" == "us-gov-west-1" || "${REGION}" == "us-gov-east-1" ]]; then
textInfo "${REGION}: This is an AWS GovCloud account and there is no root account to perform checks."
else
check3x '\$\.userIdentity\.type\s*=\s*"Root".+\$\.userIdentity\.invokedBy NOT EXISTS.+\$\.eventType\s*!=\s*"AwsServiceEvent"'
fi
}

56
providers/aws/services/iam/check34 Normal file
View File

@@ -0,0 +1,56 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
# Remediation:
#
# https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
#
# aws logs put-metric-filter \
# --region us-east-1 \
# --log-group-name CloudTrail/CloudWatchLogGroup \
# --filter-name IAMAuthConfigChanges \
# --filter-pattern '{ ($.eventName = DeleteGroupPolicy) || ($.eventName = DeleteRolePolicy) || ($.eventName = DeleteUserPolicy) || ($.eventName = PutGroupPolicy) || ($.eventName = PutRolePolicy) || ($.eventName = PutUserPolicy) || ($.eventName = CreatePolicy) || ($.eventName = DeletePolicy) || ($.eventName = CreatePolicyVersion) || ($.eventName = DeletePolicyVersion) || ($.eventName = AttachRolePolicy) || ($.eventName = DetachRolePolicy) || ($.eventName = AttachUserPolicy) || ($.eventName = DetachUserPolicy) || ($.eventName = AttachGroupPolicy) || ($.eventName = DetachGroupPolicy) }' \
# --metric-transformations metricName=IAMPolicyEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
#
# aws cloudwatch put-metric-alarm \
# --region us-east-1 \
# --alarm-name IAMAuthorizationActivityAlarm \
# --alarm-description "Triggered by AWS IAM authorization config changes." \
# --metric-name IAMPolicyEventCount \
# --namespace CloudTrailMetrics \
# --statistic Sum \
# --comparison-operator GreaterThanOrEqualToThreshold \
# --evaluation-periods 1 \
# --period 300 \
# --threshold 1 \
# --actions-enabled \
# --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
CHECK_ID_check34="3.4"
CHECK_TITLE_check34="[check34] Ensure a log metric filter and alarm exist for IAM policy changes"
CHECK_SCORED_check34="SCORED"
CHECK_CIS_LEVEL_check34="LEVEL1"
CHECK_SEVERITY_check34="Medium"
CHECK_ASFF_TYPE_check34="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check34="AwsCloudTrailTrail"
CHECK_ALTERNATE_check304="check34"
CHECK_ASFF_COMPLIANCE_TYPE_check34="ens-op.exp.8.aws.trail.6"
CHECK_SERVICENAME_check34="iam"
CHECK_RISK_check34='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
CHECK_REMEDIATION_check34='It is recommended that a metric filter and alarm be established for unauthorized requests.'
CHECK_DOC_check34='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
CHECK_CAF_EPIC_check34='IAM'
check34(){
check3x '\$\.eventName\s*=\s*DeleteGroupPolicy.+\$\.eventName\s*=\s*DeleteRolePolicy.+\$\.eventName\s*=\s*DeleteUserPolicy.+\$\.eventName\s*=\s*PutGroupPolicy.+\$\.eventName\s*=\s*PutRolePolicy.+\$\.eventName\s*=\s*PutUserPolicy.+\$\.eventName\s*=\s*CreatePolicy.+\$\.eventName\s*=\s*DeletePolicy.+\$\.eventName\s*=\s*CreatePolicyVersion.+\$\.eventName\s*=\s*DeletePolicyVersion.+\$\.eventName\s*=\s*AttachRolePolicy.+\$\.eventName\s*=\s*DetachRolePolicy.+\$\.eventName\s*=\s*AttachUserPolicy.+\$\.eventName\s*=\s*DetachUserPolicy.+\$\.eventName\s*=\s*AttachGroupPolicy.+\$\.eventName\s*=\s*DetachGroupPolicy'
}

56
providers/aws/services/iam/check36 Normal file
View File

@@ -0,0 +1,56 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
# Remediation:
#
# https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
#
# aws logs put-metric-filter \
# --region us-east-1 \
# --log-group-name CloudTrail/MyCloudTrailLG \
# --filter-name AWSConsoleSignInFailures \
# --filter-pattern '{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }' \
# --metric-transformations metricName=ConsoleSigninFailureCount,metricNamespace=CloudTrailMetrics,metricValue=1
#
# aws cloudwatch put-metric-alarm \
# --region us-east-1 \
# --alarm-name "Console Sign-in Failures" \
# --alarm-description "AWS Management Console Sign-in Failure Alarm." \
# --metric-name ConsoleSigninFailureCount \
# --namespace CloudTrailMetrics \
# --statistic Sum \
# --comparison-operator GreaterThanOrEqualToThreshold \
# --evaluation-periods 1 \
# --period 300 \
# --threshold 3 \
# --actions-enabled \
# --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
CHECK_ID_check36="3.6"
CHECK_TITLE_check36="[check36] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures"
CHECK_SCORED_check36="SCORED"
CHECK_CIS_LEVEL_check36="LEVEL2"
CHECK_SEVERITY_check36="Medium"
CHECK_ASFF_TYPE_check36="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check36="AwsCloudTrailTrail"
CHECK_ALTERNATE_check306="check36"
CHECK_ASFF_COMPLIANCE_TYPE_check36="ens-op.exp.8.aws.trail.3"
CHECK_SERVICENAME_check36="iam"
CHECK_RISK_check36='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
CHECK_REMEDIATION_check36='It is recommended that a metric filter and alarm be established for unauthorized requests.'
CHECK_DOC_check36='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
CHECK_CAF_EPIC_check36='Logging and Monitoring'
check36(){
check3x '\$\.eventName\s*=\s*ConsoleLogin.+\$\.errorMessage\s*=\s*"Failed authentication"'
}

56
providers/aws/services/iam/check_extra71 Normal file
View File

@@ -0,0 +1,56 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_extra71="7.1"
CHECK_TITLE_extra71="[extra71] Ensure users of groups with AdministratorAccess policy have MFA tokens enabled"
CHECK_SCORED_extra71="NOT_SCORED"
CHECK_CIS_LEVEL_extra71="EXTRA"
CHECK_SEVERITY_extra71="High"
CHECK_ASFF_RESOURCE_TYPE_extra71="AwsIamUser"
CHECK_ALTERNATE_extra701="extra71"
CHECK_ALTERNATE_check71="extra71"
CHECK_ALTERNATE_check701="extra71"
CHECK_ASFF_COMPLIANCE_TYPE_extra71="ens-op.exp.10.aws.trail.2"
CHECK_SERVICENAME_extra71="iam"
CHECK_RISK_extra71='Policy "may" allow Anonymous users to perform actions.'
CHECK_REMEDIATION_extra71='Ensure this repository and its contents should be publicly accessible.'
CHECK_DOC_extra71='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html'
CHECK_CAF_EPIC_extra71='Infrastructure Security'
extra71(){
# "Ensure users of groups with AdministratorAccess policy have MFA tokens enabled "
ADMIN_GROUPS=''
AWS_GROUPS=$($AWSCLI $PROFILE_OPT iam list-groups --output text --region $REGION --query 'Groups[].GroupName')
for grp in $AWS_GROUPS; do
# aws --profile onlinetraining iam list-attached-group-policies --group-name Administrators --query 'AttachedPolicies[].PolicyArn' | grep 'arn:aws:iam::aws:policy/AdministratorAccess'
# list-attached-group-policies
CHECK_ADMIN_GROUP=$($AWSCLI $PROFILE_OPT --region $REGION iam list-attached-group-policies --group-name $grp --output json --query 'AttachedPolicies[].PolicyArn' | grep "arn:${AWS_PARTITION}:iam::aws:policy/AdministratorAccess")
if [[ $CHECK_ADMIN_GROUP ]]; then
ADMIN_GROUPS="$ADMIN_GROUPS $grp"
textInfo "$REGION: $grp group provides administrative access" "$REGION" "$grp"
ADMIN_USERS=$($AWSCLI $PROFILE_OPT iam get-group --region $REGION --group-name $grp --output json --query 'Users[].UserName' | grep '"' | cut -d'"' -f2 )
for auser in $ADMIN_USERS; do
# users in group are Administrators
# users
# check for user MFA device in credential report
USER_MFA_ENABLED=$( cat $TEMP_REPORT_FILE | grep "^$auser," | cut -d',' -f8)
if [[ "true" == $USER_MFA_ENABLED ]]; then
textPass "$REGION: $auser / MFA Enabled / admin via group $grp" "$REGION" "$grp"
else
textFail "$REGION: $auser / MFA DISABLED / admin via group $grp" "$REGION" "$grp"
fi
done
else
textInfo "$REGION: $grp group provides non-administrative access" "$REGION" "$grp"
fi
done
}

82
providers/aws/services/iam/check_extra7100 Normal file
View File

@@ -0,0 +1,82 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
#
# This check was contributed by Nick Malcolm (github.com/nickmalcolm), building
# on the hard work of others.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_extra7100="7.100"
CHECK_TITLE_extra7100="[extra7100] Ensure that no custom IAM policies exist which allow permissive role assumption (e.g. sts:AssumeRole on *)"
CHECK_SCORED_extra7100="NOT_SCORED"
CHECK_CIS_LEVEL_extra7100="EXTRA"
CHECK_SEVERITY_extra7100="Critical"
CHECK_ASFF_RESOURCE_TYPE_extra7100="AwsIamPolicy"
CHECK_ALTERNATE_check7100="extra7100"
CHECK_ASFF_COMPLIANCE_TYPE_extra7100="ens-op.acc.2.aws.iam.1"
CHECK_SERVICENAME_extra7100="iam"
CHECK_RISK_extra7100='If not restricted unintended access could happen.'
CHECK_REMEDIATION_extra7100='Use the least privilege principle when granting permissions.'
CHECK_DOC_extra7100='https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html'
CHECK_CAF_EPIC_extra7100='IAM'
extra7100(){
# "Ensure that no custom policies exist which permit assuming any role (e.g. sts:AssumeRole on *)"
#
# A permissive STS Role assumption policy is one where the Resource (ARN) is not explicitly defined
# This is most often seen as sts:assumeRole on *, but can take other forms.
#
# Learn more: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html#roles-usingrole-createpolicy
LIST_CUSTOM_POLICIES=$($AWSCLI iam list-policies --output text $PROFILE_OPT --region $REGION --scope Local --query 'Policies[*].[Arn,DefaultVersionId]' | grep -v -e '^None$' | awk -F '\t' '{print $1","$2"\n"}')
if [[ $LIST_CUSTOM_POLICIES ]]; then
for policy in $LIST_CUSTOM_POLICIES; do
POLICY_ARN=$(echo $policy | awk -F ',' '{print $1}')
POLICY_VERSION=$(echo $policy | awk -F ',' '{print $2}')
POLICY_STATEMENTS_WITH_ALLOW=$($AWSCLI iam get-policy-version \
--output json \
--policy-arn $POLICY_ARN \
--version-id $POLICY_VERSION \
--query "[PolicyVersion.Document.Statement] | [] | [?Effect == 'Allow']" \
$PROFILE_OPT \
--region $REGION
)
# Identify permissive policies by:
# 1 & 2) Casting all the Resource and Action keys to Arrays (sometimes they're a single string)
# 3) Iterate over the policy statements
# 4) Narrow the scope to Actions which are sts:* or sts:assumeRole(WithSAML|WithWebIdentity)
# 5) Narrow the scope to Resources (IAM Roles) which include a wildcard
POLICY_WITH_PERMISSIVE_STS=$(echo $POLICY_STATEMENTS_WITH_ALLOW \
| jq 'map( .Resource |= (if type=="array" then . else [.] end) )' \
| jq 'map( .Action |= (if type=="array" then . else [.] end) )' \
| jq '.[]' \
| jq 'select(.Action[] | contains("sts:AssumeRole") or contains("sts:*"))' \
| jq 'select(.Resource[] | contains("*"))')
if [[ $POLICY_WITH_PERMISSIVE_STS ]]; then
PERMISSIVE_POLICIES_LIST="$PERMISSIVE_POLICIES_LIST $POLICY_ARN"
fi
done
if [[ $PERMISSIVE_POLICIES_LIST ]]; then
textInfo "STS AssumeRole Policies should only include the complete ARNs for the Roles that the user needs"
textInfo "Learn more: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html#roles-usingrole-createpolicy"
for policy in $PERMISSIVE_POLICIES_LIST; do
textFail "$REGION: Policy $policy allows permissive STS Role assumption" "$REGION" "$policy"
done
else
textPass "$REGION: No custom policies found that allow permissive STS Role assumption" "$REGION"
fi
else
textPass "$REGION: No custom policies found" "$REGION"
fi
}

38
providers/aws/services/iam/check_extra7123 Normal file
View File

@@ -0,0 +1,38 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_extra7123="7.123"
CHECK_TITLE_extra7123="[extra7123] Check if IAM users have two active access keys"
CHECK_SCORED_extra7123="NOT_SCORED"
CHECK_CIS_LEVEL_extra7123="EXTRA"
CHECK_SEVERITY_extra7123="Medium"
CHECK_ASFF_TYPE_extra7123="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_extra7123="AwsIamUser"
CHECK_ALTERNATE_check7123="extra7123"
CHECK_ASFF_COMPLIANCE_TYPE_extra7123="ens-op.acc.1.aws.iam.2"
CHECK_SERVICENAME_extra7123="iam"
CHECK_RISK_extra7123='Access Keys could be lost or stolen. It creates a critical risk.'
CHECK_REMEDIATION_extra7123='Avoid using long lived access keys.'
CHECK_DOC_extra7123='https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAccessKeys.html'
CHECK_CAF_EPIC_extra7123='IAM'
extra7123(){
LIST_OF_USERS_WITH_2ACCESS_KEYS=$(cat $TEMP_REPORT_FILE| awk -F, '{ print $1, $9, $14 }' |grep "\ true\ true" | awk '{ print $1 }')
if [[ $LIST_OF_USERS_WITH_2ACCESS_KEYS ]]; then
# textFail "Users with access key 1 older than 90 days:"
for user in $LIST_OF_USERS_WITH_2ACCESS_KEYS; do
textFail "User $user has 2 active access keys" "$REGION" "$user"
done
else
textPass "No users with 2 active access keys"
fi
}

45
providers/aws/services/iam/check_extra7125 Normal file
View File

@@ -0,0 +1,45 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_extra7125="7.125"
CHECK_TITLE_extra7125="[extra7125] Check if IAM users have Hardware MFA enabled."
CHECK_SCORED_extra7125="NOT_SCORED"
CHECK_CIS_LEVEL_extra7125="EXTRA"
CHECK_SEVERITY_extra7125="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra7125="AwsIamUser"
CHECK_ALTERNATE_check7125="extra7125"
CHECK_ASFF_COMPLIANCE_TYPE_extra7125="ens-op.acc.5.aws.iam.2"
CHECK_SERVICENAME_extra7125="iam"
CHECK_RISK_extra7125='Hardware MFA is preferred over virtual MFA.'
CHECK_REMEDIATION_extra7125='Enable hardware MFA device for an IAM user from the AWS Management Console; the command line; or the IAM API.'
CHECK_DOC_extra7125='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_physical.html'
CHECK_CAF_EPIC_extra7125='IAM'
extra7125(){
LIST_USERS=$($AWSCLI iam list-users --query 'Users[*].UserName' --output text $PROFILE_OPT --region $REGION)
if [[ $LIST_USERS ]]; then
# textFail "Users with access key 1 older than 90 days:"
for user in $LIST_USERS; do
# Would be virtual if sms-mfa or mfa, hardware is u2f or different.
MFA_TYPE=$($AWSCLI iam list-mfa-devices --user-name $user $PROFILE_OPT --region $REGION --query MFADevices[].SerialNumber --output text | awk -F':' '{ print $6 }'| awk -F'/' '{ print $1 }')
if [[ $MFA_TYPE == "mfa" || $MFA_TYPE == "sms-mfa" ]]; then
textInfo "User $user has virtual MFA enabled"
elif [[ $MFA_TYPE == "" ]]; then
textFail "User $user has not hardware MFA enabled" "$REGION" "$user"
else
textPass "User $user has hardware MFA enabled" "$REGION" "$user"
fi
done
else
textPass "No users found"
fi
}

37
providers/aws/services/iam/check_extra733 Normal file
View File

@@ -0,0 +1,37 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_extra733="7.33"
CHECK_TITLE_extra733="[extra733] Check if there are SAML Providers then STS can be used"
CHECK_SCORED_extra733="NOT_SCORED"
CHECK_CIS_LEVEL_extra733="EXTRA"
CHECK_SEVERITY_extra733="Low"
CHECK_ALTERNATE_check733="extra733"
CHECK_ASFF_COMPLIANCE_TYPE_extra733="ens-op.acc.1.aws.iam.1"
CHECK_SERVICENAME_extra733="iam"
CHECK_RISK_extra733='Without SAML provider users with AWS CLI or AWS API access can use IAM static credentials. SAML helps users to assume role by default each time they authenticate.'
CHECK_REMEDIATION_extra733='Enable SAML provider and use temporary credentials. You can use temporary security credentials to make programmatic requests for AWS resources using the AWS CLI or AWS API (using the AWS SDKs ). The temporary credentials provide the same permissions that you have with use long-term security credentials such as IAM user credentials. In case of not having SAML provider capabilities prevent usage of long-lived credentials.'
CHECK_DOC_extra733='https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html'
CHECK_CAF_EPIC_extra733='IAM'
extra733(){
LIST_SAML_PROV=$($AWSCLI iam list-saml-providers $PROFILE_OPT --query 'SAMLProviderList[*].Arn' --output text |grep -v ^None)
if [[ $LIST_SAML_PROV ]]; then
for provider in $LIST_SAML_PROV; do
PROVIDER_NAME=$(echo $provider| cut -d/ -f2)
textInfo "$REGION: SAML Provider $PROVIDER_NAME has been found" "$REGION" "$PROVIDER_NAME"
done
else
textFail "$REGION: No SAML Provider found. Add one and use STS" "$REGION" "$PROVIDER_NAME"
fi
}

28
providers/aws/services/iam/check_extra774 Normal file
View File

@@ -0,0 +1,28 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_extra774="7.74"
CHECK_TITLE_extra774="[extra774] Ensure credentials unused for 30 days or greater are disabled"
CHECK_SCORED_extra774="NOT_SCORED"
CHECK_CIS_LEVEL_extra774="EXTRA"
CHECK_SEVERITY_extra774="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra774="AwsIamUser"
CHECK_ALTERNATE_check774="extra774"
CHECK_SERVICENAME_extra774="iam"
CHECK_RISK_extra774='To increase the security of your AWS account; remove IAM user credentials (that is; passwords and access keys) that are not needed. For example; when users leave your organization or no longer need AWS access.'
CHECK_REMEDIATION_extra774='Find the credentials that they were using and ensure that they are no longer operational. Ideally; you delete credentials if they are no longer needed. You can always recreate them at a later date if the need arises. At the very least; you should change the password or deactivate the access keys so that the former users no longer have access.'
CHECK_DOC_extra774='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html'
CHECK_CAF_EPIC_extra774='IAM'
extra774(){
check_creds_used_in_last_days 30
}