ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 14:55:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(reorganize_folders): Merge checks. (#1196)

Browse Source 
Co-authored-by: sergargar <sergio@verica.io>
This commit is contained in:
Sergio Garcia
2022-06-14 13:10:26 +02:00
committed by GitHub
parent 36fcab17f3
commit eb679f50f1
238 changed files with 0 additions and 549 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
providers/aws/services/lambda/check_extra7145 Normal file
View File

@@ -0,0 +1,53 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_extra7145="7.145"
CHECK_TITLE_extra7145="[extra7145] Check if Lambda functions have policies which allow access to any AWS account"
CHECK_SCORED_extra7145="NOT_SCORED"
CHECK_CIS_LEVEL_extra7145="EXTRA"
CHECK_SEVERITY_extra7145="Critical"
CHECK_ASFF_RESOURCE_TYPE_extra7145="AwsLambda"
CHECK_ALTERNATE_check7145="extra7145"
CHECK_SERVICENAME_extra7145="lambda"
CHECK_RISK_extra7145='Lambda function access to any AWS account may result security issues'
CHECK_REMEDIATION_extra7145='Ensure Lambda function policiy does not allow access to any account'
CHECK_DOC_extra7145='https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html'
CHECK_CAF_EPIC_extra7145='IAM'
extra7145(){
# "Check if lambda functions have policies which allow access to every aws account (Not Scored) (Not part of CIS benchmark)"
for regx in $REGIONS; do
LIST_OF_LAMBDA_FUNCTIONS=$($AWSCLI lambda list-functions $PROFILE_OPT --region $regx --query Functions[*].FunctionName --output text 2>&1)
if [[ $(echo "$LIST_OF_LAMBDA_FUNCTIONS" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
textInfo "$regx: Access Denied trying to list functions" "$regx"
continue
fi
if [[ $LIST_OF_LAMBDA_FUNCTIONS ]]; then
for lambdaFunction in $LIST_OF_LAMBDA_FUNCTIONS;do
FUNCTION_POLICY_STATEMENTS=$($AWSCLI lambda $PROFILE_OPT get-policy --region $regx --function-name $lambdaFunction --output json --query Policy 2>&1)
if [[ $FUNCTION_POLICY_STATEMENTS == *ResourceNotFoundException* ]]; then
textInfo "$regx: Lambda function $lambdaFunction doesn't have any policy" "$regx" "$lambdaFunction"
else
FUNCTION_POLICY_BAD_STATEMENTS=$(echo $FUNCTION_POLICY_STATEMENTS | jq '. | fromjson' | jq '.Statement[] | select(.Effect=="Allow") | select(.Principal=="*" or .Principal.AWS=="*" or .Principal.CanonicalUser=="*")')
if [[ $FUNCTION_POLICY_BAD_STATEMENTS != "" ]]; then
textFail "$regx: Lambda function $lambdaFunction allows public access to any AWS account" "$regx" "$lambdaFunction"
else
textPass "$regx: Lambda function $lambdaFunction has policy which doesn't allow access to everyone having an AWS account" "$regx" "$lambdaFunction"
fi
fi
done
else
textInfo "$regx: No lambda functions found" "$regx"
fi
done
}

68
providers/aws/services/lambda/check_extra7179 Normal file
View File

@@ -0,0 +1,68 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_extra7179="7.179"
CHECK_TITLE_extra7179="[extra7179] Check Public Lambda Function URL"
CHECK_SCORED_extra7179="NOT_SCORED"
CHECK_CIS_LEVEL_extra7179="EXTRA"
CHECK_SEVERITY_extra7179="High"
CHECK_ASFF_RESOURCE_TYPE_extra7179="AwsLambdaFunction"
CHECK_ALTERNATE_check7179="extra7179"
CHECK_SERVICENAME_extra7179="lambda"
CHECK_RISK_extra7179='Publicly accessible services could expose sensitive data to bad actors.'
CHECK_REMEDIATION_extra7179='Grant usage permission on a per-resource basis and applying least privilege principle.'
CHECK_DOC_extra7179='https://docs.aws.amazon.com/secretsmanager/latest/userguide/lambda-functions.html'
CHECK_CAF_EPIC_extra7179='Infrastructure Security'
extra7179(){
# Check if Lambda function URL is public
# None --> Public
local PUBLIC_AUTH_TYPE="NONE"
# AWS_IAM --> Private
local PRIVATE_AUTH_TYPE="AWS_IAM"
for regx in ${REGIONS}; do
LIST_OF_FUNCTIONS=$("${AWSCLI}" lambda list-functions ${PROFILE_OPT} \
--region "${regx}" \
--query 'Functions[*].FunctionName' \
--output text 2>&1)
# Check errors
if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${LIST_OF_FUNCTIONS}"; then
textInfo "${regx}: Access Denied trying to list Lambda functions" "${regx}"
continue
fi
if [[ -n "${LIST_OF_FUNCTIONS}" && $(tr '[:upper:]' '[:lower:]' <<< "${LIST_OF_FUNCTIONS}") != "none" ]]; then
for lambda_function in ${LIST_OF_FUNCTIONS}; do
AUTH_TYPE=$("${AWSCLI}" lambda list-function-url-configs ${PROFILE_OPT} \
--function-name "${lambda_function}" \
--region "${regx}" \
--query 'FunctionUrlConfigs[0].AuthType' \
--output text)
# Check errors
if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${AUTH_TYPE}"; then
textInfo "${regx}: Access Denied trying to get Lambda functions URLs configuration" "${regx}"
continue
fi
if [[ "${AUTH_TYPE}" == "${PUBLIC_AUTH_TYPE}" ]]; then
textFail "${regx}: Lambda function ${lambda_function} has a publicly accessible function URL" "${regx}" "${lambda_function}"
elif [[ "${AUTH_TYPE}" == "${PRIVATE_AUTH_TYPE}" ]]; then
textPass "${regx}: Lambda function ${lambda_function} has not a publicly accessible function URL" "${regx}" "${lambda_function}"
else
textInfo "${regx}: Lambda function ${lambda_function} has not a function URL" "${regx}" "${lambda_function}"
fi
done
else
textInfo "${regx}: No Lambda functions found" "${regx}"
fi
done
}

81
providers/aws/services/lambda/check_extra7180 Normal file
View File

@@ -0,0 +1,81 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_extra7180="7.180"
CHECK_TITLE_extra7180="[extra7180] Check Lambda Function URL CORS configuration"
CHECK_SCORED_extra7180="NOT_SCORED"
CHECK_CIS_LEVEL_extra7180="EXTRA"
CHECK_SEVERITY_extra7180="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra7180="AwsLambdaFunction"
CHECK_ALTERNATE_check7180="extra7180"
CHECK_SERVICENAME_extra7180="lambda"
CHECK_RISK_extra7180='Publicly accessible services could expose sensitive data to bad actors.'
CHECK_REMEDIATION_extra7180='Grant usage permission on a per-resource basis and applying least privilege principle.'
CHECK_DOC_extra7180='https://docs.aws.amazon.com/secretsmanager/latest/userguide/lambda-functions.html'
CHECK_CAF_EPIC_extra7180='Infrastructure Security'
extra7180(){
for regx in ${REGIONS}; do
LIST_OF_FUNCTIONS=$("${AWSCLI}" lambda list-functions ${PROFILE_OPT} \
--region "${regx}" \
--query 'Functions[*].FunctionName' \
--output text 2>&1)
# Check errors
if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${LIST_OF_FUNCTIONS}"; then
textInfo "${regx}: Access Denied trying to list Lambda functions" "${regx}"
continue
fi
if [[ -n "${LIST_OF_FUNCTIONS}" && $(tr '[:upper:]' '[:lower:]' <<< "${LIST_OF_FUNCTIONS}") != "none" ]]; then
for lambda_function in ${LIST_OF_FUNCTIONS}; do
# Check if Lambda function has an URL
LAMBDA_FUNCTION_URL=$("${AWSCLI}" lambda list-function-url-configs ${PROFILE_OPT} \
--function-name "${lambda_function}" \
--region "${regx}" \
--query 'FunctionUrlConfigs[0].[FunctionUrl]' \
--output text)
# Check errors
if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${AUTH_TYPE}"; then
textInfo "${regx}: Access Denied trying to get Lambda functions URLs" "${regx}"
continue
fi
if [[ "${LAMBDA_FUNCTION_URL}" != "None" ]]; then
# Check CORS configuration
CORS_ALLOW_ORIGINS=$("${AWSCLI}" lambda get-function-url-config ${PROFILE_OPT} \
--function-name "${lambda_function}" \
--region "${regx}" \
--query 'Cors.AllowOrigins' \
--output text)
# Check errors
if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${AUTH_TYPE}"; then
textInfo "${regx}: Access Denied trying to get Lambda functions URLs configuration" "${regx}"
continue
fi
# The * is on purpose to check allowed origins
if [[ "${CORS_ALLOW_ORIGINS}" =~ "*" ]]; then
textFail "$regx: Lambda function ${lambda_function} URL has a wide CORS configuration" "${regx}" "${lambda_function}"
elif [[ "${CORS_ALLOW_ORIGINS}" == "None" ]]; then
textFail "${regx}: Lambda function ${lambda_function} URL has not CORS configured" "${regx}" "${lambda_function}"
else
textPass "${regx}: Lambda function ${lambda_function} has not a wide CORS configuration" "${regx}" "${lambda_function}"
fi
else
textInfo "${regx}: Lambda function ${lambda_function} has not a function URL" "${regx}" "${lambda_function}"
fi
done
else
textInfo "${regx}: No Lambda functions found" "${regx}"
fi
done
}

72
providers/aws/services/lambda/check_extra720 Normal file
View File

@@ -0,0 +1,72 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_extra720="7.20"
CHECK_TITLE_extra720="[extra720] Check if Lambda functions invoke API operations are being recorded by CloudTrail"
CHECK_SCORED_extra720="NOT_SCORED"
CHECK_CIS_LEVEL_extra720="EXTRA"
CHECK_SEVERITY_extra720="Low"
CHECK_ASFF_RESOURCE_TYPE_extra720="AwsLambdaFunction"
CHECK_ALTERNATE_check720="extra720"
CHECK_SERVICENAME_extra720="lambda"
CHECK_RISK_extra720='If logs are not enabled; monitoring of service use and threat analysis is not possible.'
CHECK_REMEDIATION_extra720='Make sure you are logging information about Lambda operations. Create a lifecycle and use cases for each trail.'
CHECK_DOC_extra720='https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html'
CHECK_CAF_EPIC_extra720='Logging and Monitoring'
extra720(){
# "Check if Lambda functions invoke API operations are being recorded by CloudTrail "
for regx in $REGIONS; do
LIST_OF_FUNCTIONS=$($AWSCLI lambda list-functions $PROFILE_OPT --region $regx --query 'Functions[*].FunctionName' --output text 2>&1)
if [[ $(echo "$LIST_OF_FUNCTIONS" | grep AccessDenied) ]]; then
textInfo "$regx: Access Denied trying to list functions" "$regx"
continue
fi
if [[ $LIST_OF_FUNCTIONS ]]; then
LIST_OF_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query 'trailList[*].TrailARN' --output text 2>&1)
if [[ $(echo "$LIST_OF_TRAILS" | grep AccessDenied) ]]; then
textInfo "$regx: Access Denied trying to describe trails" "$regx"
continue
fi
for lambdafunction in $LIST_OF_FUNCTIONS; do
if [[ $LIST_OF_TRAILS ]]; then
for trail in $LIST_OF_TRAILS; do
FUNCTION_ENABLED_IN_TRAIL=$($AWSCLI cloudtrail get-event-selectors $PROFILE_OPT --trail-name $trail --region $regx --query "EventSelectors[*].DataResources[?Type == \`AWS::Lambda::Function\`].Values" --output text |xargs -n1| grep -E "^arn:${AWS_PARTITION}:lambda.*function:$lambdafunction$|^arn:${AWS_PARTITION}:lambda$")
if [[ $FUNCTION_ENABLED_IN_TRAIL ]]; then
textPass "$regx: Lambda function $lambdafunction enabled in trail $trail" "$regx" "$trail"
else
textFail "$regx: Lambda function $lambdafunction NOT enabled in trail $trail" "$regx" "$trail"
fi
done
# LIST_OF_MULTIREGION_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query "trailList[?IsMultiRegionTrail == \`true\`].Name" --output text)
# if [[ $LIST_OF_MULTIREGION_TRAILS ]]; then
# for trail in $LIST_OF_MULTIREGION_TRAILS; do
# REGION_OF_TRAIL=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query "trailList[?IsMultiRegionTrail == \`true\` && Name == \`$trail\` ].HomeRegion" --output text)
# FUNCTION_ENABLED_IN_THIS_REGION=$($AWSCLI cloudtrail get-event-selectors $PROFILE_OPT --trail-name $trail --region $REGION_OF_TRAIL --query "EventSelectors[*].DataResources[?Type == \`AWS::Lambda::Function\`].Values" --output text |xargs -n1| grep -E "^arn:aws:lambda.*function:$lambdafunction$")
# if [[ $FUNCTION_ENABLED_IN_THIS_REGION ]]; then
# textPass "$regx: Lambda function $lambdafunction enabled in trail $trail" "$regx"
# else
# textFail "$regx: Lambda function $lambdafunction NOT enabled in trail $trail" "$regx"
# fi
# done
# else
# textFail "$regx: Lambda function $lambdafunction is not being recorded!" "$regx"
# fi
else
textFail "$regx: Lambda function $lambdafunction is not being recorded no CloudTrail found!" "$regx" "$trail"
fi
done
else
textInfo "$regx: No Lambda functions found" "$regx"
fi
done
}

69
providers/aws/services/lambda/check_extra759 Normal file
View File

@@ -0,0 +1,69 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_extra759="7.59"
CHECK_TITLE_extra759="[extra759] Find secrets in Lambda functions variables "
CHECK_SCORED_extra759="NOT_SCORED"
CHECK_CIS_LEVEL_extra759="EXTRA"
CHECK_SEVERITY_extra759="Critical"
CHECK_ASFF_RESOURCE_TYPE_extra759="AwsLambdaFunction"
CHECK_ALTERNATE_check759="extra759"
CHECK_SERVICENAME_extra759="lambda"
CHECK_RISK_extra759='The use of a hard-coded password increases the possibility of password guessing. If hard-coded passwords are used; it is possible that malicious users gain access through the account in question.'
CHECK_REMEDIATION_extra759='Use Secrets Manager to securely provide database credentials to Lambda functions and secure the databases as well as use the credentials to connect and query them without hardcoding the secrets in code or passing them through environmental variables. '
CHECK_DOC_extra759='https://docs.aws.amazon.com/secretsmanager/latest/userguide/lambda-functions.html'
CHECK_CAF_EPIC_extra759='IAM'
extra759(){
SECRETS_TEMP_FOLDER="$PROWLER_DIR/secrets-$ACCOUNT_NUM-$PROWLER_START_TIME"
if [[ ! -d $SECRETS_TEMP_FOLDER ]]; then
# this folder is deleted once this check is finished
mkdir $SECRETS_TEMP_FOLDER
fi
for regx in $REGIONS; do
CHECK_DETECT_SECRETS_INSTALLATION=$(secretsDetector)
if [[ $? -eq 241 ]]; then
textInfo "$regx: python library detect-secrets not found. Make sure it is installed correctly." "$regx"
else
LIST_OF_FUNCTIONS=$($AWSCLI lambda list-functions $PROFILE_OPT --region $regx --query Functions[*].FunctionName --output text 2>&1)
if [[ $(echo "$LIST_OF_FUNCTIONS" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
textInfo "$regx: Access Denied trying to list functions" "$regx"
continue
fi
if [[ $LIST_OF_FUNCTIONS ]]; then
for lambdafunction in $LIST_OF_FUNCTIONS;do
LAMBDA_FUNCTION_VARIABLES_FILE="$SECRETS_TEMP_FOLDER/extra759-$lambdafunction-$regx-variables.txt"
LAMBDA_FUNCTION_VARIABLES=$($AWSCLI lambda $PROFILE_OPT --region $regx get-function-configuration --function-name $lambdafunction --query 'Environment.Variables' --output json > $LAMBDA_FUNCTION_VARIABLES_FILE)
if [ -s $LAMBDA_FUNCTION_VARIABLES_FILE ];then
# Implementation using https://github.com/Yelp/detect-secrets
FINDINGS=$(secretsDetector file $LAMBDA_FUNCTION_VARIABLES_FILE)
if [[ $FINDINGS -eq 0 ]]; then
textPass "$regx: No secrets found in Lambda function $lambdafunction variables" "$regx" "$lambdafunction"
# delete file if nothing interesting is there
rm -f $LAMBDA_FUNCTION_VARIABLES_FILE
else
textFail "$regx: Potential secret found in Lambda function $lambdafunction variables" "$regx" "$lambdafunction"
# delete file to not leave trace, user must look at the function
rm -f $LAMBDA_FUNCTION_VARIABLES_FILE
fi
else
textInfo "$regx: Lambda function $stalambdafunction has not variables" "$regx"
fi
done
else
textInfo "$regx: No Lambda functions found" "$regx"
fi
fi
done
rm -rf $SECRETS_TEMP_FOLDER
}

97
providers/aws/services/lambda/check_extra760 Normal file
View File

@@ -0,0 +1,97 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_extra760="7.60"
CHECK_TITLE_extra760="[extra760] Find secrets in Lambda functions code "
CHECK_SCORED_extra760="NOT_SCORED"
CHECK_CIS_LEVEL_extra760="EXTRA"
CHECK_SEVERITY_extra760="Critical"
CHECK_ASFF_RESOURCE_TYPE_extra760="AwsLambdaFunction"
CHECK_ALTERNATE_check760="extra760"
CHECK_SERVICENAME_extra760="lambda"
CHECK_RISK_extra760='The use of a hard-coded password increases the possibility of password guessing. If hard-coded passwords are used; it is possible that malicious users gain access through the account in question.'
CHECK_REMEDIATION_extra760='Use Secrets Manager to securely provide database credentials to Lambda functions and secure the databases as well as use the credentials to connect and query them without hardcoding the secrets in code or passing them through environmental variables. '
CHECK_DOC_extra760='https://docs.aws.amazon.com/secretsmanager/latest/userguide/lambda-functions.html'
CHECK_CAF_EPIC_extra760='IAM'
extra760(){
SECRETS_TEMP_FOLDER="${PROWLER_DIR}/secrets-${ACCOUNT_NUM}-${PROWLER_START_TIME}"
if [[ ! -d "${SECRETS_TEMP_FOLDER}" ]]; then
# this folder is deleted once this check is finished
mkdir "${SECRETS_TEMP_FOLDER}"
fi
for regx in ${REGIONS}; do
CHECK_DETECT_SECRETS_INSTALLATION=$(secretsDetector)
if [[ $? -eq 241 ]]; then
textInfo "$regx: python library detect-secrets not found. Make sure it is installed correctly." "$regx"
else
LIST_OF_FUNCTIONS=$("${AWSCLI}" lambda list-functions ${PROFILE_OPT} --region "${regx}" --query 'Functions[*].FunctionName' --output text 2>&1)
if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${LIST_OF_FUNCTIONS}"; then
textInfo "${regx}: Access Denied trying to list Lambda functions" "${regx}"
continue
fi
if [[ -n "${LIST_OF_FUNCTIONS}" && $(tr '[:upper:]' '[:lower:]' <<< "${LIST_OF_FUNCTIONS}") != "none" ]]; then
for lambdafunction in ${LIST_OF_FUNCTIONS}; do
LAMBDA_FUNCTION_FOLDER="${SECRETS_TEMP_FOLDER}/extra760-${lambdafunction}-${regx}"
LAMBDA_FUNCTION_FILE="${lambdafunction}-code.zip"
LAMBDA_CODE_LOCATION=$("${AWSCLI}" lambda get-function ${PROFILE_OPT} --region "${regx}" --function-name "${lambdafunction}" --query 'Code.Location' --output text 2>&1)
if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${LAMBDA_CODE_LOCATION}"; then
textInfo "${regx}: Access Denied trying to get Lambda functions" "${regx}" "${lambdafunction}"
continue
fi
mkdir "${LAMBDA_FUNCTION_FOLDER}"
# DOWNLOAD the code in a zip file
CURL_ERROR=$(curl -s --show-error "${LAMBDA_CODE_LOCATION}" -o "${LAMBDA_FUNCTION_FOLDER}/${LAMBDA_FUNCTION_FILE}" 2>&1)
if [[ -n "${CURL_ERROR}" ]]; then
textInfo "${regx}: Error trying to get Lambda function code for ${lambdafunction} - ${CURL_ERROR}" "${regx}" "${lambdafunction}"
# delete files to not leave trace, user must look at the function
if [[ -d "${LAMBDA_FUNCTION_FOLDER}" ]]; then
rm -fr "${LAMBDA_FUNCTION_FOLDER}"
fi
continue
fi
if ! grep -q 'Zip archive data' <(file "${LAMBDA_FUNCTION_FOLDER}/${LAMBDA_FUNCTION_FILE}"); then
textInfo "${regx}: Error trying to get Lambda function code for ${lambdafunction}. File is not a Zip" "${regx}" "${lambdafunction}"
# delete files to not leave trace, user must look at the function
if [[ -d "${LAMBDA_FUNCTION_FOLDER}" ]]; then
rm -fr "${LAMBDA_FUNCTION_FOLDER}"
fi
continue
fi
unzip -qq "${LAMBDA_FUNCTION_FOLDER}/${LAMBDA_FUNCTION_FILE}" -d "${LAMBDA_FUNCTION_FOLDER}" && {
FINDINGS=$(secretsDetector folder "${LAMBDA_FUNCTION_FOLDER}")
if [[ ${FINDINGS} -eq 0 ]]; then
textPass "${regx}: No secrets found in Lambda function ${lambdafunction} code" "${regx}" "${lambdafunction}"
else
textFail "${regx}: Potential secret found in Lambda function ${lambdafunction} code" "${regx}" "${lambdafunction}"
fi
}
# delete files to not leave trace, user must look at the function
if [[ -d "${LAMBDA_FUNCTION_FOLDER}" ]]; then
rm -fr "${LAMBDA_FUNCTION_FOLDER}"
fi
done
else
textInfo "${regx}: No Lambda functions found" "${regx}"
fi
fi
done
if [[ -d "${SECRETS_TEMP_FOLDER}" ]]; then
rm -fr "${SECRETS_TEMP_FOLDER}"
fi
}

52
providers/aws/services/lambda/check_extra762 Normal file
View File

@@ -0,0 +1,52 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_extra762="7.62"
CHECK_TITLE_extra762="[extra762] Find obsolete Lambda runtimes "
CHECK_SCORED_extra762="NOT_SCORED"
CHECK_CIS_LEVEL_extra762="EXTRA"
CHECK_SEVERITY_extra762="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra762="AwsLambdaFunction"
CHECK_ALTERNATE_check762="extra762"
CHECK_SERVICENAME_extra762="lambda"
CHECK_RISK_extra762='If you have functions running on a runtime that will be deprecated in the next 60 days; Lambda notifies you by email that you should prepare by migrating your function to a supported runtime. In some cases; such as security issues that require a backwards-incompatible update; or software that does not support a long-term support (LTS) schedule; advance notice might not be possible. After a runtime is deprecated; Lambda might retire it completely at any time by disabling invocation. Deprecated runtimes are not eligible for security updates or technical support.'
CHECK_REMEDIATION_extra762='Test new runtimes as they are made available. Implement them in production as soon as possible.'
CHECK_DOC_extra762='https://docs.aws.amazon.com/lambda/latest/dg/runtime-support-policy.html'
CHECK_CAF_EPIC_extra762='Infrastructure Security'
extra762(){
# regex to match OBSOLETE runtimes in string functionName%runtime
# https://docs.aws.amazon.com/lambda/latest/dg/runtime-support-policy.html
OBSOLETE='%(nodejs4.3|nodejs4.3-edge|nodejs6.10|nodejs8.10|dotnetcore1.0|dotnetcore2.0)'
for regx in $REGIONS; do
LIST_OF_FUNCTIONS=$($AWSCLI lambda list-functions $PROFILE_OPT --region $regx --output text --query 'Functions[*].{R:Runtime,N:FunctionName}' 2>&1| tr "\t" "%" )
if [[ $(echo "$LIST_OF_FUNCTIONS" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
textInfo "$regx: Access Denied trying to list functions" "$regx"
continue
fi
if [[ $LIST_OF_FUNCTIONS ]]; then
for lambdafunction in $LIST_OF_FUNCTIONS;do
fname=$(echo "$lambdafunction" | cut -d'%' -f1)
runtime=$(echo "$lambdafunction" | cut -d'%' -f2)
if echo "$lambdafunction" | grep -Eq $OBSOLETE ; then
textFail "$regx: Obsolete runtime: ${runtime} used by: ${fname}" "$regx" "${fname}"
else
textPass "$regx: Supported runtime: ${runtime} used by: ${fname}" "$regx" "${fname}"
fi
done
else
textInfo "$regx: No Lambda functions found" "$regx"
fi
done
}

54
providers/aws/services/lambda/check_extra798 Normal file
View File

@@ -0,0 +1,54 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_extra798="7.98"
CHECK_TITLE_extra798="[extra798] Check if Lambda functions have resource-based policy set as Public"
CHECK_SCORED_extra798="NOT_SCORED"
CHECK_CIS_LEVEL_extra798="EXTRA"
CHECK_SEVERITY_extra798="Critical"
CHECK_ASFF_RESOURCE_TYPE_extra798="AwsLambdaFunction"
CHECK_ALTERNATE_check798="extra798"
CHECK_SERVICENAME_extra798="lambda"
CHECK_RISK_extra798='Publicly accessible services could expose sensitive data to bad actors.'
CHECK_REMEDIATION_extra798='Grant usage permission on a per-resource basis and applying least privilege principle.'
CHECK_DOC_extra798='https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html'
CHECK_CAF_EPIC_extra798='Infrastructure Security'
extra798(){
for regx in $REGIONS; do
LIST_OF_FUNCTIONS=$($AWSCLI lambda list-functions $PROFILE_OPT --region $regx --output text --query 'Functions[*].FunctionName' 2>&1)
if [[ $(echo "$LIST_OF_FUNCTIONS" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
textInfo "$regx: Access Denied trying to list functions" "$regx"
continue
fi
if [[ $LIST_OF_FUNCTIONS ]]; then
for lambdafunction in $LIST_OF_FUNCTIONS; do
# get the policy per function
FUNCTION_POLICY=$($AWSCLI lambda get-policy $PROFILE_OPT --region $regx --function-name $lambdafunction --query Policy --output text 2>/dev/null)
if [[ $FUNCTION_POLICY ]]; then
FUNCTION_POLICY_ALLOW_ALL=$(echo $FUNCTION_POLICY \
| jq '.Statement[] | select(.Effect=="Allow") | select(.Principal=="*" or .Principal.AWS=="*" or .Principal.CanonicalUser=="*")')
if [[ $FUNCTION_POLICY_ALLOW_ALL ]]; then
textFail "$regx: Lambda function $lambdafunction has a policy with public access" "$regx" "$lambdafunction"
else
textPass "$regx: Lambda function $lambdafunction has a policy resource-based policy and is not public" "$regx" "$lambdafunction"
fi
else
textPass "$regx: Lambda function $lambdafunction does not have resource-based policy" "$regx" "$lambdafunction"
fi
done
else
textInfo "$regx: No Lambda functions found" "$regx"
fi
done
}