From e4edb5e39e11cb27cd332987e2d74344ba1ec345 Mon Sep 17 00:00:00 2001
From: Pepe Fagoaga
Date: Fri, 12 Nov 2021 18:30:52 +0100
Subject: [PATCH 1/7] fix(iam-role): IAM assumed role session duration
---
 include/assume_role | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/include/assume_role b/include/assume_role
index 75521329..53158ec6 100644
--- a/include/assume_role
+++ b/include/assume_role
@@ -21,6 +21,9 @@ assume_role(){
 # In some cases you will need more than 1h.
 if [[ -z $SESSION_DURATION_TO_ASSUME ]]; then
 SESSION_DURATION_TO_ASSUME="3600"
+ elif [[ "${SESSION_DURATION_TO_ASSUME}" -gt "43200" ]] || [[ "${SESSION_DURATION_TO_ASSUME}" -lt "900" ]]; then
+ echo "$OPTRED ERROR!$OPTNORMAL - Role session duration must be more than 900 seconds and less than 4300 seconds"
+ exit 1
 fi
 
 # temporary file where to store credentials
@@ -52,6 +55,11 @@ assume_role(){
 rm -f $TEMP_STS_ASSUMED_FILE
 EXITCODE=1
 exit $EXITCODE
+ elif [[ "$(grep MaxSessionDuration $TEMP_STS_ASSUMED_FILE)" ]]; then
+ textFail "The requested DurationSeconds exceeds the MaxSessionDuration set for the role ${PROWLER_ROLE}"
+ rm -f $TEMP_STS_ASSUMED_FILE
+ EXITCODE=1
+ exit $EXITCODE
 fi
 
 # assume role command
@@ -80,4 +88,3 @@ assume_role(){
 export AWS_SESSION_EXPIRATION=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.Expiration | sub("\\+00:00";"Z") | fromdateiso8601')
 rm -fr $TEMP_STS_ASSUMED_FILE
 }
-
From 32e5738c46e66a504756d8745eec97f98360c8db Mon Sep 17 00:00:00 2001
From: Victor GRENU
Date: Sat, 13 Nov 2021 14:48:16 +0100
Subject: [PATCH 2/7] fix readme for terraform kickstarter
---
 util/terraform-kickstarter/readme.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/util/terraform-kickstarter/readme.md b/util/terraform-kickstarter/readme.md
index 3637cfb4..5590a9ab 100644
--- a/util/terraform-kickstarter/readme.md
+++ b/util/terraform-kickstarter/readme.md
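Review bot: The error message in the new `elif` branch disagrees with the check it reports: the comparison rejects values above 43200, but the text says "less than 4300 seconds", and `-lt 900` admits exactly 900 while the text says "more than 900". Because the value is fed straight into `-gt`/`-lt`, a non-numeric `SESSION_DURATION_TO_ASSUME` is evaluated as an arithmetic expression rather than rejected, so it is worth confirming it is an integer first. Suggested: `elif ! [[ "${SESSION_DURATION_TO_ASSUME}" =~ ^[0-9]+$ ]] || (( SESSION_DURATION_TO_ASSUME < 900 || SESSION_DURATION_TO_ASSUME > 43200 )); then` followed by `echo "$OPTRED ERROR!$OPTNORMAL - Role session duration must be between 900 and 43200 seconds" >&2`. The `assume_role` function starts before this hunk.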
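Review bot: The new `elif` detects the MaxSessionDuration failure by grepping the temp file for a substring of the CLI's error text, so it depends on the exact wording AWS returns and on stderr having been directed into `$TEMP_STS_ASSUMED_FILE`; how that file is written is above the hunk and not visible here. The exit status of the `aws sts assume-role` call would be the robust signal, with the grep used only to choose a message; at minimum the condition should be `elif grep -q MaxSessionDuration "$TEMP_STS_ASSUMED_FILE"; then` rather than testing captured output. The file path is also unquoted in both `grep` and `rm`; `"$TEMP_STS_ASSUMED_FILE"` avoids word-splitting on unusual temp paths. `assume_role` continues past this hunk.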
@@ -18,7 +18,7 @@ Installing Prowler with Terraform is simple and can be completed in under 1 minu
 sudo yum install -y yum-utils
 sudo yum-config-manager --add-repo https://rpm.releases.hashicorp.com/AmazonLinux/hashicorp.repo
 sudo yum -y install terraform
- cd terraform-kickstarter
+ cd util/terraform-kickstarter
 ```
 
 - Issue a `terraform init`
From 563cd7106022bbe42c0a750d48896d69d9581d49 Mon Sep 17 00:00:00 2001
From: Pepe Fagoaga
Date: Fri, 12 Nov 2021 19:33:22 +0100
Subject: [PATCH 3/7] fix(iam-role): Delete temporary prowler.sts_assumed* if error
---
 include/assume_role | 8 +++++---
 include/credentials_report | 1 +
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/include/assume_role b/include/assume_role
index 53158ec6..95bd3e00 100644
--- a/include/assume_role
+++ b/include/assume_role
@@ -52,12 +52,10 @@ assume_role(){
 fi
 if [[ $(grep AccessDenied $TEMP_STS_ASSUMED_FILE) ]]; then
 textFail "Access Denied assuming role $PROWLER_ROLE"
- rm -f $TEMP_STS_ASSUMED_FILE
 EXITCODE=1
 exit $EXITCODE
 elif [[ "$(grep MaxSessionDuration $TEMP_STS_ASSUMED_FILE)" ]]; then
 textFail "The requested DurationSeconds exceeds the MaxSessionDuration set for the role ${PROWLER_ROLE}"
- rm -f $TEMP_STS_ASSUMED_FILE
 EXITCODE=1
 exit $EXITCODE
 fi
@@ -86,5 +84,9 @@ assume_role(){
 export AWS_SECRET_ACCESS_KEY=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.SecretAccessKey')
 export AWS_SESSION_TOKEN=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.SessionToken')
 export AWS_SESSION_EXPIRATION=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.Expiration | sub("\\+00:00";"Z") | fromdateiso8601')
- rm -fr $TEMP_STS_ASSUMED_FILE
+ cleanSTSAssumeFile
 }
+
+cleanSTSAssumeFile() {
+ rm -fr "${TEMP_STS_ASSUMED_FILE}"
+}
\ No newline at end of file
diff --git a/include/credentials_report b/include/credentials_report
index 3741e89a..51f145f9 100644
--- a/include/credentials_report
+++ b/include/credentials_report
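Review bot: Removing the `rm -f` from both error branches means the file that receives the assume-role response is no longer deleted before `exit` on these paths; nothing in this hunk replaces that cleanup, so it must be relying on `cleanSTSAssumeFile` being reached from an EXIT trap, which is outside the hunk and worth confirming before merging. If the trap is in place, make the dependency explicit with a comment above the `if`: `# $TEMP_STS_ASSUMED_FILE is removed by cleanSTSAssumeFile from the cleanTemp EXIT trap`. Both `grep` calls still test captured output instead of using `grep -q`, and the path is unquoted in each. `assume_role` starts before this hunk.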
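Review bot: `cleanSTSAssumeFile` runs `rm -fr` on `${TEMP_STS_ASSUMED_FILE}` with no guard on the variable; `-r` is unnecessary for a single file and, once this function is called from a shared cleanup path where the variable may never have been set, an empty or mis-set value widens what the call can remove. Prefer `[[ -n "${TEMP_STS_ASSUMED_FILE}" ]] && rm -f -- "${TEMP_STS_ASSUMED_FILE}"`. The `\ No newline at end of file` marker shows the file now ends without a trailing newline; add one. A one-line header such as `# Remove the temporary STS response file; safe to call when it was never created` would document the contract for the other include that calls it.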
@@ -43,6 +43,7 @@ cleanTemp(){
 if [[ $KEEPCREDREPORT -ne 1 ]]; then
 rm -fr $TEMP_REPORT_FILE
 fi
+ cleanSTSAssumeFile
 }
 
 # Delete the temporary report file if we get interrupted/terminated
From a6ba5803447bdd253e29cacf2417c042ce8e84eb Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Mon, 15 Nov 2021 15:45:33 +0100
Subject: [PATCH 4/7] Fix severity case variable
---
 checks/check_extra7154 | 2 +-
 checks/check_extra7155 | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/checks/check_extra7154 b/checks/check_extra7154
index 2fc74a6f..8ea2efe6 100644
--- a/checks/check_extra7154
+++ b/checks/check_extra7154
@@ -23,7 +23,7 @@ CHECK_ID_extra7154="7.154"
 CHECK_TITLE_extra7154="[extra7154] Enable termination protection for Cloudformation Stacks"
 CHECK_SCORED_extra7154="NOT_SCORED"
 CHECK_CIS_LEVEL_extra7154="EXTRA"
-CHECK_SEVERITY_extra7154="MEDIUM"
+CHECK_SEVERITY_extra7154="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7154="AwsCloudFormationStack"
 CHECK_ALTERNATE_check7154="extra7154"
 CHECK_SERVICENAME_extra7154="cloudformation"
diff --git a/checks/check_extra7155 b/checks/check_extra7155
index c51d6669..7c663886 100644
--- a/checks/check_extra7155
+++ b/checks/check_extra7155
@@ -22,7 +22,7 @@ CHECK_ID_extra7155="7.155"
 CHECK_TITLE_extra7155="[extra7155] Check whether the Application Load Balancer is configured with defensive or strictest desync mitigation mode"
 CHECK_SCORED_extra7155="NOT_SCORED"
 CHECK_CIS_LEVEL_extra7155="EXTRA"
-CHECK_SEVERITY_extra7155="MEDIUM"
+CHECK_SEVERITY_extra7155="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7155="AwsElasticLoadBalancingV2LoadBalancer"
 CHECK_ALTERNATE_check7155="extra7155"
 CHECK_SERVICENAME_extra7155="elb"
From 50de9f2ab4b15d80970859c9e12c4404f8573f54 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Mon, 15 Nov 2021 15:49:33 +0100
Subject: [PATCH 5/7] Fix output for checks check3x when no CW group is in place
---
 include/check3x | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
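Review bot: `cleanTemp` now calls `cleanSTSAssumeFile`, which this patch series defines in `include/assume_role`, not in this file; if `cleanTemp` runs in a context where that include has not been sourced, the cleanup path fails with "command not found" and any later cleanup in the trap handler is skipped. Guarding the call keeps the two include files independent: `declare -F cleanSTSAssumeFile >/dev/null && cleanSTSAssumeFile`. The trailing comment suggests `cleanTemp` is wired to an interrupt/terminate trap, but that trap is outside the hunk.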
diff --git a/include/check3x b/include/check3x
index 9d8f97f2..ea29047e 100644
--- a/include/check3x
+++ b/include/check3x
@@ -18,7 +18,7 @@ check3x(){
 # be based only on CloudTrail tail with CloudWatchLog configuration.
 DESCRIBE_TRAILS_CACHE=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region "$REGION" --query 'trailList[?CloudWatchLogsLogGroupArn != `null`]' 2>&1)
 if [[ $(echo "$DESCRIBE_TRAILS_CACHE" | grep AccessDenied) ]]; then
- textFail "$REGION: Access Denied trying to describe trails in $REGION" "$REGION" "$group"
+ textFail "$REGION: Access Denied trying to describe trails in $REGION" "$REGION"
 return
 fi
 
@@ -92,6 +92,6 @@ check3x(){
 done
 fi
 else
- textFail "$REGION: No CloudWatch group found for CloudTrail events" "$REGION" "$group"
+ textFail "$REGION: No CloudWatch group found for CloudTrail events" "$REGION"
 fi
 }
From b251f31da92fc0bef0892f84ae6696ebdea2483a Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Mon, 15 Nov 2021 15:59:13 +0100
Subject: [PATCH 6/7] Fix issue #925 replace sensible by sensitive
---
 checks/check_extra711 | 2 +-
 checks/check_extra7116 | 2 +-
 checks/check_extra7117 | 2 +-
 checks/check_extra7118 | 2 +-
 checks/check_extra7119 | 2 +-
 checks/check_extra7120 | 2 +-
 checks/check_extra7121 | 2 +-
 checks/check_extra7122 | 2 +-
 checks/check_extra7130 | 2 +-
 checks/check_extra7143 | 2 +-
 checks/check_extra7147 | 2 +-
 checks/check_extra716 | 2 +-
 checks/check_extra723 | 2 +-
 checks/check_extra727 | 2 +-
 checks/check_extra728 | 2 +-
 checks/check_extra731 | 2 +-
 checks/check_extra735 | 2 +-
 checks/check_extra738 | 2 +-
 checks/check_extra761 | 2 +-
 checks/check_extra763 | 2 +-
 checks/check_extra767 | 2 +-
 checks/check_extra78 | 2 +-
 checks/check_extra79 | 2 +-
 checks/check_extra795 | 2 +-
 checks/check_extra798 | 2 +-
 25 files changed, 25 insertions(+), 25 deletions(-)
diff --git a/checks/check_extra711 b/checks/check_extra711
index 34e2947a..a7c7b798 100644
--- a/checks/check_extra711
+++ b/checks/check_extra711
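Review bot: `AccessDenied` is the only error handled for `DESCRIBE_TRAILS_CACHE`, yet the command captures stderr with `2>&1`, so any other CLI failure (throttling, expired credentials, an invalid region) leaves the error text in the variable and the rest of `check3x`, outside this hunk, then processes it as if it were trail output, most likely ending in the misleading "No CloudWatch group found" failure. Capture the status right after the assignment with `DESCRIBE_TRAILS_RC=$?` and add a branch after the existing one: `elif [[ $DESCRIBE_TRAILS_RC -ne 0 ]]; then textFail "$REGION: Error describing trails: $DESCRIBE_TRAILS_CACHE" "$REGION"; return`. The condition itself reads better as `if echo "$DESCRIBE_TRAILS_CACHE" | grep -q AccessDenied; then` instead of testing captured output.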
@@ -18,7 +18,7 @@ CHECK_SEVERITY_extra711="High" CHECK_ASFF_RESOURCE_TYPE_extra711="AwsRedshiftCluster" CHECK_ALTERNATE_check711="extra711" CHECK_SERVICENAME_extra711="redshift" -CHECK_RISK_extra711='Publicly accessible services could expose sensible data to bad actors.' +CHECK_RISK_extra711='Publicly accessible services could expose sensitive data to bad actors.' CHECK_REMEDIATION_extra711='List all shared Redshift clusters and make sure there is a business reason for them.' CHECK_DOC_extra711='https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-vpc.html' CHECK_CAF_EPIC_extra711='Data Protection' diff --git a/checks/check_extra7116 b/checks/check_extra7116 index 77f4eee8..d18ab6f2 100644 --- a/checks/check_extra7116 +++ b/checks/check_extra7116 @@ -18,7 +18,7 @@ CHECK_SEVERITY_extra7116="Medium" CHECK_ASFF_RESOURCE_TYPE_extra7116="AwsGlue" CHECK_ALTERNATE_check7116="extra7116" CHECK_SERVICENAME_extra7116="glue" -CHECK_RISK_extra7116='If not enabled sensible information at rest is not protected.' +CHECK_RISK_extra7116='If not enabled sensitive information at rest is not protected.' CHECK_REMEDIATION_extra7116='Enable Encryption. Use a CMK where possible. It will provide additional management and privacy benefits.' CHECK_DOC_extra7116='https://docs.aws.amazon.com/glue/latest/dg/encrypt-glue-data-catalog.html' CHECK_CAF_EPIC_extra7116='Data Protection' diff --git a/checks/check_extra7117 b/checks/check_extra7117 index ce2ebcab..6091a71c 100644 --- a/checks/check_extra7117 +++ b/checks/check_extra7117 
@@ -18,7 +18,7 @@ CHECK_SEVERITY_extra7117="Medium" CHECK_ASFF_RESOURCE_TYPE_extra7117="AwsGlue" CHECK_ALTERNATE_check7117="extra7117" CHECK_SERVICENAME_extra7117="glue" -CHECK_RISK_extra7117='If not enabled sensible information at rest is not protected.' +CHECK_RISK_extra7117='If not enabled sensitive information at rest is not protected.' CHECK_REMEDIATION_extra7117='On the AWS Glue console; you can enable this option on the Data catalog settings page.' CHECK_DOC_extra7117='https://docs.aws.amazon.com/glue/latest/dg/encrypt-connection-passwords.html' CHECK_CAF_EPIC_extra7117='Data Protection' diff --git a/checks/check_extra7118 b/checks/check_extra7118 index a55996ec..0b70fcab 100644 --- a/checks/check_extra7118 +++ b/checks/check_extra7118 @@ -18,7 +18,7 @@ CHECK_SEVERITY_extra7118="Medium" CHECK_ASFF_RESOURCE_TYPE_extra7118="AwsGlue" CHECK_ALTERNATE_check7118="extra7118" CHECK_SERVICENAME_extra7118="glue" -CHECK_RISK_extra7118='If not enabled sensible information at rest is not protected.' +CHECK_RISK_extra7118='If not enabled sensitive information at rest is not protected.' CHECK_REMEDIATION_extra7118='Provide the encryption properties that are used by crawlers; jobs; and development endpoints.' CHECK_DOC_extra7118='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html' CHECK_CAF_EPIC_extra7118='Data Protection' diff --git a/checks/check_extra7119 b/checks/check_extra7119 index a6a0a4f2..a3ca4a10 100644 --- a/checks/check_extra7119 +++ b/checks/check_extra7119 
@@ -19,7 +19,7 @@ CHECK_SEVERITY_extra7119="Medium" CHECK_ASFF_RESOURCE_TYPE_extra7119="AwsGlue" CHECK_ALTERNATE_check7119="extra7119" CHECK_SERVICENAME_extra7119="glue" -CHECK_RISK_extra7119='If not enabled sensible information at rest is not protected.' +CHECK_RISK_extra7119='If not enabled sensitive information at rest is not protected.' CHECK_REMEDIATION_extra7119='Enable Encryption in the Security configurations.' CHECK_DOC_extra7119='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html' CHECK_CAF_EPIC_extra7119='Logging and Monitoring' diff --git a/checks/check_extra7120 b/checks/check_extra7120 index 37cd3094..93907c93 100644 --- a/checks/check_extra7120 +++ b/checks/check_extra7120 @@ -18,7 +18,7 @@ CHECK_SEVERITY_extra7120="Medium" CHECK_ASFF_RESOURCE_TYPE_extra7120="AwsGlue" CHECK_ALTERNATE_check7120="extra7120" CHECK_SERVICENAME_extra7120="glue" -CHECK_RISK_extra7120='If not enabled sensible information at rest is not protected.' +CHECK_RISK_extra7120='If not enabled sensitive information at rest is not protected.' CHECK_REMEDIATION_extra7120='Enable Encryption in the Security configurations.' CHECK_DOC_extra7120='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html' CHECK_CAF_EPIC_extra7120='Logging and Monitoring' diff --git a/checks/check_extra7121 b/checks/check_extra7121 index 26087e05..13259770 100644 --- a/checks/check_extra7121 +++ b/checks/check_extra7121 
@@ -19,7 +19,7 @@ CHECK_SEVERITY_extra7121="Medium" CHECK_ASFF_RESOURCE_TYPE_extra7121="AwsGlue" CHECK_ALTERNATE_check7121="extra7121" CHECK_SERVICENAME_extra7121="glue" -CHECK_RISK_extra7121='If not enabled sensible information at rest is not protected.' +CHECK_RISK_extra7121='If not enabled sensitive information at rest is not protected.' CHECK_REMEDIATION_extra7121='Enable Encryption in the Security configurations.' CHECK_DOC_extra7121='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html' CHECK_CAF_EPIC_extra7121='Data Protection' diff --git a/checks/check_extra7122 b/checks/check_extra7122 index ac163833..9f50bb71 100644 --- a/checks/check_extra7122 +++ b/checks/check_extra7122 @@ -18,7 +18,7 @@ CHECK_SEVERITY_extra7122="Medium" CHECK_ASFF_RESOURCE_TYPE_extra7122="AwsGlue" CHECK_ALTERNATE_check7122="extra7122" CHECK_SERVICENAME_extra7122="glue" -CHECK_RISK_extra7122='If not enabled sensible information at rest is not protected.' +CHECK_RISK_extra7122='If not enabled sensitive information at rest is not protected.' CHECK_REMEDIATION_extra7122='Enable Encryption in the Security configurations.' CHECK_DOC_extra7122='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html' CHECK_CAF_EPIC_extra7122='Data Protection' diff --git a/checks/check_extra7130 b/checks/check_extra7130 index 251f6c5d..f1641516 100644 --- a/checks/check_extra7130 +++ b/checks/check_extra7130 @@ -19,7 +19,7 @@ CHECK_SEVERITY_extra7130="Medium" CHECK_ASFF_RESOURCE_TYPE_extra7130="AwsSnsTopic" CHECK_ALTERNATE_check7130="extra7130" CHECK_SERVICENAME_extra7130="sns" -CHECK_RISK_extra7130='If not enabled sensible information at rest is not protected.' +CHECK_RISK_extra7130='If not enabled sensitive information at rest is not protected.' CHECK_REMEDIATION_extra7130='Use Amazon SNS with AWS KMS.' CHECK_DOC_extra7130='https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html' CHECK_CAF_EPIC_extra7130='Data Protection' 
diff --git a/checks/check_extra7143 b/checks/check_extra7143 index a4bdac62..7d3ee0eb 100644 --- a/checks/check_extra7143 +++ b/checks/check_extra7143 @@ -18,7 +18,7 @@ CHECK_SEVERITY_extra7143="Critical" CHECK_ASFF_RESOURCE_TYPE_extra7143="AwsEFS" CHECK_ALTERNATE_check7143="extra7143" CHECK_SERVICENAME_extra7143="efs" -CHECK_RISK_extra7143='EFS accessible to everyone could expose sensible data to bad actors' +CHECK_RISK_extra7143='EFS accessible to everyone could expose sensitive data to bad actors' CHECK_REMEDIATION_extra7143='Ensure efs has some policy but it does not have principle as *' CHECK_DOC_extra7143='https://docs.aws.amazon.com/efs/latest/ug/access-control-block-public-access.html' CHECK_CAF_EPIC_extra7143='Data Protection' diff --git a/checks/check_extra7147 b/checks/check_extra7147 index f14e1949..4e8c16e3 100644 --- a/checks/check_extra7147 +++ b/checks/check_extra7147 @@ -18,7 +18,7 @@ CHECK_SEVERITY_extra7147="Critical" CHECK_ASFF_RESOURCE_TYPE_extra7147="AwsGlacierVault" CHECK_ALTERNATE_check7147="extra7142" CHECK_SERVICENAME_extra7147="glacier" -CHECK_RISK_extra7147='Vaults accessible to everyone could expose sensible data to bad actors' +CHECK_RISK_extra7147='Vaults accessible to everyone could expose sensitive data to bad actors' CHECK_REMEDIATION_extra7147='Ensure vault policy does not have principle as *' CHECK_DOC_extra7147='https://docs.aws.amazon.com/amazonglacier/latest/dev/access-control-overview.html' CHECK_CAF_EPIC_extra7147='Data Protection' diff --git a/checks/check_extra716 b/checks/check_extra716 index 08f2271d..87980aea 100644 --- a/checks/check_extra716 +++ b/checks/check_extra716 
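Review bot: The remediation line directly below the changed `CHECK_RISK_extra7143` still reads `principle as *`; the IAM term is Principal, and this is the text an operator sees when acting on a Critical finding, so it deserves the same wording pass as the risk string: `CHECK_REMEDIATION_extra7143='Ensure EFS has a file system policy and that it does not have Principal set to *'`. The extra7147 remediation in the next hunk has the same `principle as *` wording and should be corrected the same way.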
@@ -18,7 +18,7 @@ CHECK_SEVERITY_extra716="Critical" CHECK_ASFF_RESOURCE_TYPE_extra716="AwsElasticsearchDomain" CHECK_ALTERNATE_check716="extra716" CHECK_SERVICENAME_extra716="es" -CHECK_RISK_extra716='Publicly accessible services could expose sensible data to bad actors.' +CHECK_RISK_extra716='Publicly accessible services could expose sensitive data to bad actors.' CHECK_REMEDIATION_extra716='Use VPC endpoints for internal services.' CHECK_DOC_extra716='https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-vpc.html' CHECK_CAF_EPIC_extra716='Infrastructure Security' diff --git a/checks/check_extra723 b/checks/check_extra723 index 11a746ec..94833c23 100644 --- a/checks/check_extra723 +++ b/checks/check_extra723 @@ -18,7 +18,7 @@ CHECK_SEVERITY_extra723="Critical" CHECK_ASFF_RESOURCE_TYPE_extra723="AwsRdsDbSnapshot" CHECK_ALTERNATE_check723="extra723" CHECK_SERVICENAME_extra723="rds" -CHECK_RISK_extra723='Publicly accessible services could expose sensible data to bad actors. t is recommended that your RDS snapshots should not be public in order to prevent potential leak or misuse of sensitive data or any other kind of security threat. If your RDS snapshot is public; then the data which is backed up in that snapshot is accessible to all other AWS accounts.' +CHECK_RISK_extra723='Publicly accessible services could expose sensitive data to bad actors. t is recommended that your RDS snapshots should not be public in order to prevent potential leak or misuse of sensitive data or any other kind of security threat. If your RDS snapshot is public; then the data which is backed up in that snapshot is accessible to all other AWS accounts.' CHECK_REMEDIATION_extra723='Use AWS Config to identify any sanpshot that is public.' CHECK_DOC_extra723='https://docs.aws.amazon.com/config/latest/developerguide/rds-snapshots-public-prohibited.html' CHECK_CAF_EPIC_extra723='Data Protection' 
diff --git a/checks/check_extra727 b/checks/check_extra727 index e66962be..86f5dfbd 100644 --- a/checks/check_extra727 +++ b/checks/check_extra727 @@ -19,7 +19,7 @@ CHECK_SEVERITY_extra727="Critical" CHECK_ASFF_RESOURCE_TYPE_extra727="AwsSqsQueue" CHECK_ALTERNATE_check727="extra727" CHECK_SERVICENAME_extra727="sqs" -CHECK_RISK_extra727='Sensible information could be disclosed.' +CHECK_RISK_extra727='Sensitive information could be disclosed.' CHECK_REMEDIATION_extra727='Review service with overly permissive policies. Adhere to Principle of Least Privilege.' CHECK_DOC_extra727='https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-basic-examples-of-sqs-policies.html' CHECK_CAF_EPIC_extra727='Infrastructure Security' diff --git a/checks/check_extra728 b/checks/check_extra728 index 629d6029..10ad0e0c 100644 --- a/checks/check_extra728 +++ b/checks/check_extra728 @@ -20,7 +20,7 @@ CHECK_ASFF_RESOURCE_TYPE_extra728="AwsSqsQueue" CHECK_ALTERNATE_check728="extra728" CHECK_ASFF_COMPLIANCE_TYPE_extra728="ens-mp.info.3.sns.1" CHECK_SERVICENAME_extra728="sqs" -CHECK_RISK_extra728='If not enabled sensible information in transit is not protected.' +CHECK_RISK_extra728='If not enabled sensitive information in transit is not protected.' CHECK_REMEDIATION_extra728='Enable Encryption. Use a CMK where possible. It will provide additional management and privacy benefits.' CHECK_DOC_extra728='https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-sse-existing-queue.html' CHECK_CAF_EPIC_extra728='Data Protection' diff --git a/checks/check_extra731 b/checks/check_extra731 index fcda11fa..a22d8492 100644 --- a/checks/check_extra731 +++ b/checks/check_extra731 
@@ -19,7 +19,7 @@ CHECK_SEVERITY_extra731="Critical" CHECK_ASFF_RESOURCE_TYPE_extra731="AwsSnsTopic" CHECK_ALTERNATE_check731="extra731" CHECK_SERVICENAME_extra731="sns" -CHECK_RISK_extra731='Publicly accessible services could expose sensible data to bad actors.' +CHECK_RISK_extra731='Publicly accessible services could expose sensitive data to bad actors.' CHECK_REMEDIATION_extra731='Ensure there is a business requirement for service to be public.' CHECK_DOC_extra731='https://docs.aws.amazon.com/config/latest/developerguide/sns-topic-policy.html' CHECK_CAF_EPIC_extra731='Infrastructure Security' diff --git a/checks/check_extra735 b/checks/check_extra735 index 0d7a88aa..6b86cc52 100644 --- a/checks/check_extra735 +++ b/checks/check_extra735 @@ -19,7 +19,7 @@ CHECK_ASFF_RESOURCE_TYPE_extra735="AwsRdsDbInstance" CHECK_ALTERNATE_check735="extra735" CHECK_ASFF_COMPLIANCE_TYPE_extra735="ens-mp.info.3.aws.rds.1" CHECK_SERVICENAME_extra735="rds" -CHECK_RISK_extra735='If not enabled sensible information at rest is not protected.' +CHECK_RISK_extra735='If not enabled sensitive information at rest is not protected.' CHECK_REMEDIATION_extra735='Enable Encryption. Use a CMK where possible. It will provide additional management and privacy benefits.' CHECK_DOC_extra735='https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html' CHECK_CAF_EPIC_extra735='Data Protection' diff --git a/checks/check_extra738 b/checks/check_extra738 index 10b97118..32116eba 100644 --- a/checks/check_extra738 +++ b/checks/check_extra738 
@@ -19,7 +19,7 @@ CHECK_ASFF_RESOURCE_TYPE_extra738="AwsCloudFrontDistribution" CHECK_ALTERNATE_check738="extra738" CHECK_ASFF_COMPLIANCE_TYPE_extra738="ens-mp.com.2.aws.front.1" CHECK_SERVICENAME_extra738="cloudfront" -CHECK_RISK_extra738='If not enabled sensible information in transit is not protected. Surveillance and other threats are risks may exists.' +CHECK_RISK_extra738='If not enabled sensitive information in transit is not protected. Surveillance and other threats are risks may exists.' CHECK_REMEDIATION_extra738='Use HTTPS everywhere possible. It will enforce privacy and protect against account hijacking and other threats.' CHECK_DOC_extra738='https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https.html' CHECK_CAF_EPIC_extra738='Data Protection' diff --git a/checks/check_extra761 b/checks/check_extra761 index 6d10e7e1..7189b473 100644 --- a/checks/check_extra761 +++ b/checks/check_extra761 @@ -18,7 +18,7 @@ CHECK_SEVERITY_extra761="Medium" CHECK_ALTERNATE_check761="extra761" CHECK_ASFF_COMPLIANCE_TYPE_extra761="ens-mp.info.3.aws.ebs.2" CHECK_SERVICENAME_extra761="ec2" -CHECK_RISK_extra761='If not enabled sensible information at rest is not protected.' +CHECK_RISK_extra761='If not enabled sensitive information at rest is not protected.' CHECK_REMEDIATION_extra761='Enable Encryption. Use a CMK where possible. It will provide additional management and privacy benefits.' CHECK_DOC_extra761='https://aws.amazon.com/premiumsupport/knowledge-center/ebs-automatic-encryption/' CHECK_CAF_EPIC_extra761='Data Protection' diff --git a/checks/check_extra763 b/checks/check_extra763 index 765755ce..6cbf5b28 100644 --- a/checks/check_extra763 +++ b/checks/check_extra763 
@@ -19,7 +19,7 @@ CHECK_ASFF_RESOURCE_TYPE_extra763="AwsS3Bucket" CHECK_ALTERNATE_check763="extra763" CHECK_SERVICENAME_extra763="s3" CHECK_RISK_extra763=' With versioning; you can easily recover from both unintended user actions and application failures.' -CHECK_REMEDIATION_extra763='Configure versioning using the Amazon console or API for buckets with sensible information that is changing frecuently; and backup may not be enough to capture all the changes.' +CHECK_REMEDIATION_extra763='Configure versioning using the Amazon console or API for buckets with sensitive information that is changing frecuently; and backup may not be enough to capture all the changes.' CHECK_DOC_extra763='https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/Versioning.html' CHECK_CAF_EPIC_extra763='Data Protection' diff --git a/checks/check_extra767 b/checks/check_extra767 index 1b7d76d5..77bb0de4 100644 --- a/checks/check_extra767 +++ b/checks/check_extra767 @@ -19,7 +19,7 @@ CHECK_ASFF_RESOURCE_TYPE_extra767="AwsCloudFrontDistribution" CHECK_ALTERNATE_check767="extra767" CHECK_SERVICENAME_extra767="cloudfront" CHECK_RISK_extra767='Allows you protect specific data throughout system processing so that only certain applications can see it.' -CHECK_REMEDIATION_extra767='Check if applicable to any sensible data. This encryption ensures that only applications that need the data—and have the credentials to decrypt it - are able to do so.' +CHECK_REMEDIATION_extra767='Check if applicable to any sensitive data. This encryption ensures that only applications that need the data—and have the credentials to decrypt it - are able to do so.' CHECK_DOC_extra767='https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html' CHECK_CAF_EPIC_extra767='Data Protection' diff --git a/checks/check_extra78 b/checks/check_extra78 index ce5e34ef..bc32dc1c 100644 --- a/checks/check_extra78 +++ b/checks/check_extra78 
@@ -20,7 +20,7 @@ CHECK_ALTERNATE_extra708="extra78" CHECK_ALTERNATE_check78="extra78" CHECK_ALTERNATE_check708="extra78" CHECK_SERVICENAME_extra78="rds" -CHECK_RISK_extra78='Publicly accessible databases could expose sensible data to bad actors.' +CHECK_RISK_extra78='Publicly accessible databases could expose sensitive data to bad actors.' CHECK_REMEDIATION_extra78='Using an AWS Config rule check for RDS public instances periodically and check there is a business reason for it.' CHECK_DOC_extra78='https://docs.amazonaws.cn/en_us/config/latest/developerguide/rds-instance-public-access-check.html' CHECK_CAF_EPIC_extra78='Data Protection' diff --git a/checks/check_extra79 b/checks/check_extra79 index 894dd0f9..bcb414bb 100644 --- a/checks/check_extra79 +++ b/checks/check_extra79 @@ -20,7 +20,7 @@ CHECK_ALTERNATE_extra709="extra79" CHECK_ALTERNATE_check79="extra79" CHECK_ALTERNATE_check709="extra79" CHECK_SERVICENAME_extra79="elb" -CHECK_RISK_extra79='Publicly accessible load balancers could expose sensible data to bad actors.' +CHECK_RISK_extra79='Publicly accessible load balancers could expose sensitive data to bad actors.' CHECK_REMEDIATION_extra79='Ensure the load balancer should be publicly accessible. If publiccly exposed ensure a WAF ACL is implemented.' CHECK_DOC_extra79='https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-associating-aws-resource.html' CHECK_CAF_EPIC_extra79='Data Protection' diff --git a/checks/check_extra795 b/checks/check_extra795 index d71370e0..7030d741 100644 --- a/checks/check_extra795 +++ b/checks/check_extra795 
@@ -18,7 +18,7 @@ CHECK_SEVERITY_extra795="High"
 CHECK_ASFF_RESOURCE_TYPE_extra795="AwsEksCluster"
 CHECK_ALTERNATE_check795="extra795"
 CHECK_SERVICENAME_extra795="eks"
-CHECK_RISK_extra795='Publicly accessible services could expose sensible data to bad actors.'
+CHECK_RISK_extra795='Publicly accessible services could expose sensitive data to bad actors.'
 CHECK_REMEDIATION_extra795='Enable private access to the Kubernetes API server so that all communication between your nodes and the API server stays within your VPC. Disable internet access to the API server.'
 CHECK_DOC_extra795='https://docs.aws.amazon.com/eks/latest/userguide/infrastructure-security.html'
 CHECK_CAF_EPIC_extra795='Infrastructure Security'
diff --git a/checks/check_extra798 b/checks/check_extra798
index 1d8e00ef..0e14d22a 100644
--- a/checks/check_extra798
+++ b/checks/check_extra798
@@ -19,7 +19,7 @@ CHECK_SEVERITY_extra798="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra798="AwsLambdaFunction"
 CHECK_ALTERNATE_check798="extra798"
 CHECK_SERVICENAME_extra798="lambda"
-CHECK_RISK_extra798='Publicly accessible services could expose sensible data to bad actors.'
+CHECK_RISK_extra798='Publicly accessible services could expose sensitive data to bad actors.'
 CHECK_REMEDIATION_extra798='Grant usage permission on a per-resource basis and applying least privilege principle.'
 CHECK_DOC_extra798='https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html'
 CHECK_CAF_EPIC_extra798='Infrastructure Security'
From cee6437ae1c65b712a2a65ebe5e23173141addb8 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Mon, 15 Nov 2021 16:49:40 +0100
Subject: [PATCH 7/7] Fix issue #926 resource id and remediation typo
---
 checks/check_extra776 | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/checks/check_extra776 b/checks/check_extra776
index 97e9b7b1..9212d084 100644
--- a/checks/check_extra776
+++ b/checks/check_extra776
@@ -32,8 +32,9 @@ CHECK_CIS_LEVEL_extra776="EXTRA"
 CHECK_SEVERITY_extra776="Medium"
 CHECK_ALTERNATE_check776="extra776"
 CHECK_SERVICENAME_extra776="ecr"
+CHECK_ASFF_RESOURCE_TYPE_extra776="AwsEcrRepository"
 CHECK_RISK_extra776='Amazon ECR image scanning helps in identifying software vulnerabilities in your container images. Amazon ECR uses the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project and provides a list of scan findings. '
-CHECK_REMEDIATION_extra776='Open the Amazon ECR console. look for vulnerabilities and fix them.'
+CHECK_REMEDIATION_extra776='Open the Amazon ECR console. Then look for vulnerabilities and fix them.'
 CHECK_DOC_extra776='https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html#describe-scan-findings'
 CHECK_CAF_EPIC_extra776='Logging and Monitoring'
 
@@ -75,18 +76,18 @@ extra776(){
 fi
 SEVERITY_LOW=$(echo "$FINDINGS_COUNT" | jq -r '.LOW' )
 if [[ "$SEVERITY_LOW" != "null" ]]; then
- textInfo "$region: ECR repository $repo has imageTag $IMAGE_TAG with LOW ($SEVERITY_LOW) findings" "$region"
+ textInfo "$region: ECR repository $repo has imageTag $IMAGE_TAG with LOW ($SEVERITY_LOW) findings" "$region" "$repo"
 fi
 SEVERITY_INFORMATIONAL=$(echo "$FINDINGS_COUNT" | jq -r '.INFORMATIONAL' )
 if [[ "$SEVERITY_INFORMATIONAL" != "null" ]]; then
- textInfo "$region: ECR repository $repo has imageTag $IMAGE_TAG with INFORMATIONAL ($SEVERITY_INFORMATIONAL) findings" "$region"
+ textInfo "$region: ECR repository $repo has imageTag $IMAGE_TAG with INFORMATIONAL ($SEVERITY_INFORMATIONAL) findings" "$region" "$repo"
 fi
 SEVERITY_UNDEFINED=$(echo "$FINDINGS_COUNT" | jq -r '.UNDEFINED' )
 if [[ "$SEVERITY_UNDEFINED" != "null" ]]; then
- textInfo "$region: ECR repository $repo has imageTag $IMAGE_TAG with UNDEFINED ($SEVERITY_UNDEFINED) findings" "$region"
+ textInfo "$region: ECR repository $repo has imageTag $IMAGE_TAG with UNDEFINED ($SEVERITY_UNDEFINED) findings" "$region" "$repo"
 fi
 else
- textPass "$region: ECR repository $repo has imageTag $IMAGE_TAG without findings" "$region"
+ textPass "$region: ECR repository $repo has imageTag $IMAGE_TAG without findings" "$region" "$repo"
 fi
 fi
 fi
@@ -95,7 +96,7 @@ extra776(){
 textInfo "$region: ECR repository $repo has no images" "$region"
 fi
 else
- textInfo "$region: ECR repository $repo has no scanOnPush not enabled" "$region"
+ textInfo "$region: ECR repository $repo has scanOnPush not enabled" "$region" "$repo"
 fi
 done
 else
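Review bot: The context line `textInfo "$region: ECR repository $repo has no images" "$region"` at the top of the second hunk is the one remaining report call in this function that still lacks the `"$repo"` resource argument the commit adds everywhere else, so empty repositories will keep being emitted with no resource id in the structured output. Add it for consistency: `textInfo "$region: ECR repository $repo has no images" "$region" "$repo"`. The `extra776` function starts before these hunks and its outer `else` branch continues past the last line shown.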