From d1d0f9edf012ff9ffb44fba0f6f1ff34489a08c1 Mon Sep 17 00:00:00 2001
From: Ben Allen
Date: Thu, 6 Jul 2017 14:14:57 -0500
Subject: [PATCH 1/4] update output for check 1.22 to handle multiple users

---
 prowler | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/prowler b/prowler
index d623447b..7fa5f15b 100755
--- a/prowler
+++ b/prowler
@@ -733,10 +733,13 @@ check122(){
 SUPPORTPOLICYARN=$($AWSCLI iam list-policies --query "Policies[?PolicyName == 'AWSSupportAccess'].Arn" --profile $PROFILE --region $REGION --output text)
 if [[ $SUPPORTPOLICYARN ]];then
 for policyarn in $SUPPORTPOLICYARN;do
- POLICYTOSHOW=$($AWSCLI iam list-entities-for-policy --policy-arn $SUPPORTPOLICYARN --profile $PROFILE --region $REGION --output text)
- if [[ $POLICYTOSHOW ]];then
- textOK "Support Policy attached to $POLICYTOSHOW"
- textNotice "Make sure your team can create a Support case with AWS "
+ POLICYUSERS=$($AWSCLI iam list-entities-for-policy --policy-arn $SUPPORTPOLICYARN --profile $PROFILE --region $REGION --output json)
+ if [[ $POLICYUSERS ]];then
+ textOK "Support Policy attached to $policyarn"
+ for user in $(echo "$POLICYUSERS" | grep UserName | cut -d'"' -f4) ; do
+ textNotice "User $user has support access via $policyarn"
+ done
+ # textNotice "Make sure your team can create a Support case with AWS "
 else
 textWarn "Support Policy not applied to any Group / User / Role "
 fi

From 1e3985d3b41dc4cc47c069a4ede5081e3cb44461 Mon Sep 17 00:00:00 2001
From: Ben Allen
Date: Fri, 7 Jul 2017 16:33:42 -0500
Subject: [PATCH 2/4] change name of temp file so that it's random

Allows multiple instances of prowler to run in parallel (eg. via xargs -P ). Also, add trap handler to remove temp file if interrupted.
---
 prowler | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/prowler b/prowler
index d623447b..8ea33149 100755
--- a/prowler
+++ b/prowler
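Review bot: The rewritten call still passes `--policy-arn $SUPPORTPOLICYARN` although the loop variable is now `$policyarn`, so with more than one matching policy ARN the whole list is handed to a single call and every iteration queries the same thing, which is exactly the multi-entity case the commit title targets; it should read `--policy-arn "$policyarn"`. Switching the call to `--output json` also makes `if [[ $POLICYUSERS ]]` always true, because the CLI then returns a document with (possibly empty) PolicyGroups/PolicyUsers/PolicyRoles arrays rather than nothing, so the `textWarn "Support Policy not applied to any Group / User / Role "` branch becomes unreachable and an account with no support access is reported as PASS. Groups and roles, which the removed text output did cover, are no longer reported at all, and scraping JSON with grep/cut is fragile where `--query` can return the names directly. The rewrite below uses the loop variable, fetches each entity list through JMESPath and keeps the emptiness test meaningful; check122 starts and ends outside the hunk.
```shell
    for policyarn in $SUPPORTPOLICYARN;do
      POLICYUSERS=$($AWSCLI iam list-entities-for-policy --policy-arn "$policyarn" --query 'PolicyUsers[].UserName' --profile $PROFILE --region $REGION --output text)
      POLICYGROUPS=$($AWSCLI iam list-entities-for-policy --policy-arn "$policyarn" --query 'PolicyGroups[].GroupName' --profile $PROFILE --region $REGION --output text)
      POLICYROLES=$($AWSCLI iam list-entities-for-policy --policy-arn "$policyarn" --query 'PolicyRoles[].RoleName' --profile $PROFILE --region $REGION --output text)
      # text output is empty when a list is empty, so this test is meaningful again
      if [[ $POLICYUSERS || $POLICYGROUPS || $POLICYROLES ]];then
        textOK "Support Policy attached to $policyarn"
        for user in $POLICYUSERS; do
          textNotice "User $user has support access via $policyarn"
        done
        for group in $POLICYGROUPS; do
          textNotice "Group $group has support access via $policyarn"
        done
        for role in $POLICYROLES; do
          textNotice "Role $role has support access via $policyarn"
        done
      # … unchanged: else / textWarn / fi …
```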
@@ -362,7 +362,7 @@ genCredReport() {
 # Save report to a file, decode it, deletion at finish and after every single check, acb stands for AWS CIS Benchmark
 saveReport(){
- TEMP_REPORT_FILE=/tmp/.acb
+ TEMP_REPORT_FILE=$(mktemp -t prowler-XXXXX.cred_report )
 $AWSCLI iam get-credential-report --query 'Content' --output text --profile $PROFILE --region $REGION | decode_report > $TEMP_REPORT_FILE
 }
@@ -371,6 +371,9 @@ cleanTemp(){
 rm -fr $TEMP_REPORT_FILE
 }
+# Delete the temporary report file if we get interrupted/terminated
+trap cleanTemp SIGHUP SIGINT SIGTERM
+
 # Get a list of all available AWS Regions
 REGIONS=$($AWSCLI ec2 describe-regions --query 'Regions[].RegionName' \
 --output text \

From cdbcac5251816ddcc12143353e4b39e0d85bc7fd Mon Sep 17 00:00:00 2001
From: Ben Allen
Date: Fri, 7 Jul 2017 16:35:32 -0500
Subject: [PATCH 3/4] add account number to CSV output.

---
 prowler | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/prowler b/prowler
index 8ea33149..60450f50 100755
--- a/prowler
+++ b/prowler
@@ -250,7 +250,7 @@ textOK(){
 else
 REPREGION=$REGION
 fi
- echo "$PROFILE${SEP}$REPREGION${SEP}$TITLE_ID${SEP}PASS${SEP}$ITEM_SCORED${SEP}$TITLE_TEXT${SEP}$1"
+ echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}PASS${SEP}$ITEM_SCORED${SEP}$TITLE_TEXT${SEP}$1"
 else
 echo " $OK OK! $NORMAL $1"
 fi
@@ -263,7 +263,7 @@ textNotice(){
 else
 REPREGION=$REGION
 fi
- echo "$PROFILE${SEP}$REPREGION${SEP}$TITLE_ID${SEP}INFO${SEP}$ITEM_SCORED${SEP}$TITLE_TEXT${SEP}$1"
+ echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}INFO${SEP}$ITEM_SCORED${SEP}$TITLE_TEXT${SEP}$1"
 else
 echo " $NOTICE INFO! $1 $NORMAL"
 fi
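Review bot: The result of `mktemp` in saveReport is not checked: if it fails (TMPDIR unwritable, disk full) TEMP_REPORT_FILE is empty, the redirect on the next line fails with an ambiguous-redirect error, and the decoded credential report — which describes every IAM user's password and access-key state — is lost while the script keeps running; `TEMP_REPORT_FILE=$(mktemp -t prowler-XXXXX.cred_report) || { echo "cannot create temp file" >&2; exit 1; }` would make that explicit. The template is also read differently by GNU mktemp (the trailing `.cred_report` becomes an implied suffix) and by BSD/macOS mktemp (`-t` names a prefix and its own random part is appended); I believe both still produce an unpredictable name, but since the README states Linux and OSX support a comment such as `# -t semantics differ between GNU and BSD mktemp; both yield a random name under TMPDIR` would save the next reader the check.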
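Review bot: `trap cleanTemp SIGHUP SIGINT SIGTERM` removes the temp file but does not stop the script: once the handler returns, bash resumes with the next command, so after Ctrl-C prowler carries on with TEMP_REPORT_FILE already deleted and later checks that read the decoded credential report operate on a missing file. The handler should terminate after cleaning up, e.g. `trap 'cleanTemp; exit 130' SIGHUP SIGINT SIGTERM`, or simply `trap cleanTemp EXIT`, which bash runs on normal exit and on those signals alike and also covers exit paths that currently rely on cleanTemp being called explicitly.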
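Review bot: The CSV row format is spelled out verbatim in textOK here and again in the textNotice (-263) and textWarn (-276) hunks, so inserting the ACCOUNT_NUM column had to be repeated three times plus the header in printCsvHeader; a helper such as `csvRow(){ echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}$1${SEP}$ITEM_SCORED${SEP}$TITLE_TEXT${SEP}$2"; }` called as `csvRow PASS "$1"` would keep the column order in one place. ACCOUNT_NUM is assigned only in getWhoami (the -323 hunk), so any row emitted before that function runs would carry an empty column with no diagnostic — whether that ordering is guaranteed cannot be confirmed from these hunks. Since the README advertises the CSV for diffing, the commit description could also state that the new column shifts every field after PROFILE for existing consumers. textOK's head is outside the hunk.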
@@ -276,7 +276,7 @@ textWarn(){
 else
 REPREGION=$REGION
 fi
- echo "$PROFILE${SEP}$REPREGION${SEP}$TITLE_ID${SEP}WARNING${SEP}$ITEM_SCORED${SEP}$TITLE_TEXT${SEP}$1"
+ echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}WARNING${SEP}$ITEM_SCORED${SEP}$TITLE_TEXT${SEP}$1"
 else
 echo " $BAD WARNING! $1 $NORMAL"
 fi
@@ -307,9 +307,9 @@ printCsvHeader() {
 >&2 echo ""
 >&2 echo ""
 >&2 echo "Generating \"${SEP}\" delimited report on stdout; Diagnostics on stderr."
- >&2 echo " Using Profile $PROFILE"
+ >&2 echo " Using Profile $PROFILE, Account $ACCOUNT_NUM"
 >&2 echo ""
- echo "PROFILE${SEP}REGION${SEP}TITLE_ID${SEP}RESULT${SEP}SCORED${SEP}TITLE_TEXT${SEP}NOTES"
+ echo "PROFILE${SEP}ACCOUNT_NUM${SEP}REGION${SEP}TITLE_ID${SEP}RESULT${SEP}SCORED${SEP}TITLE_TEXT${SEP}NOTES"
 }
 prowlerBanner() {
@@ -323,6 +323,7 @@ prowlerBanner() {
 # Get whoami in AWS, who is the user running this shell script
 getWhoami(){
+ ACCOUNT_NUM=$($AWSCLI sts get-caller-identity --output json --profile $PROFILE --region $REGION --query "Account" | tr -d '"')
 if [[ $MODE == "csv" ]]; then
 CALLER_ARN=$($AWSCLI sts get-caller-identity --output json --profile $PROFILE --region $REGION --query "Arn" | tr -d '"')
 textTitle "0.0" "Show report generation info"

From 52f88abd3313e692fc8179d816fc3f8eb1a496d9 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Tue, 11 Jul 2017 16:50:55 -0400
Subject: [PATCH 4/4] Update README.md

Added short list of features and parallel command from @MrSecure
---
 README.md | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 0fbda960..55caac6d 100644
--- a/README.md
+++ b/README.md
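Review bot: The added `ACCOUNT_NUM=$(...)` in getWhoami is never checked, so when sts get-caller-identity fails (no credentials, wrong profile or region) ACCOUNT_NUM is silently empty and every CSV row gets an empty account column. A guard such as `[[ $ACCOUNT_NUM ]] || { echo "Unable to determine AWS account for profile $PROFILE" >&2; exit 1; }` directly after it would surface that. The same STS call is repeated two lines below for the Arn; a single `--query '[Account,Arn]' --output text` read into both variables would halve the round trips, at the cost of moving CALLER_ARN's assignment out of the csv branch. getWhoami continues past the end of the hunk.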
@@ -2,9 +2,11 @@
 ## Description
-Tool based on AWS-CLI commands for AWS account hardening, following guidelines of the [CIS Amazon Web Services Foundations Benchmark 1.1 ](https://benchmarks.cisecurity.org/tools2/amazon/CIS_Amazon_Web_Services_Foundations_Benchmark_v1.1.0.pdf)
+Tool based on AWS-CLI commands for AWS account security assessment and hardening, following guidelines of the [CIS Amazon Web Services Foundations Benchmark 1.1 ](https://benchmarks.cisecurity.org/tools2/amazon/CIS_Amazon_Web_Services_Foundations_Benchmark_v1.1.0.pdf)
-It covers hardening and security best practices for all regions related to:
+## Features
+
+It covers hardening and security best practices for all AWS regions related to:
 - Identity and Access Management (24 checks)
 - Logging (8 checks)
@@ -13,6 +15,12 @@ It covers hardening and security best practices for all regions related to:
 For a comprehesive list and resolution look at the guide on the link above.
+With Prowler you can:
+- get a colourish or monochrome report
+- a CSV format report for diff
+- run specific checks without having to run the entire report
+- check multiple AWS accounts in parallel
+
 ## Requirements
 This script has been written in bash using AWS-CLI and it works in Linux and OSX.
@@ -84,7 +92,14 @@ or if you want a pipe-delimited report file, do:
 ./prowler -M csv > output.psv
 ```
-5 - For help use:
+5 - If you want to run Prowler to check multiple AWS accounts in parallel (runs up to 4 simultaneously `-P 4`):
+
+```
+grep -E '^\[([0-9A-Aa-z_-]+)\]' ~/.aws/credentials | tr -d '][' | shuf | \
+xargs -n 1 -L 1 -I @ -r -P 4 ./prowler -p @ -M csv 2> /dev/null >> all-accounts.csv
+```
+
+6 - For help use:
 ```
 ./prowler -h