@@ -18,7 +18,7 @@ CHECK_SEVERITY_extra711="High"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra711="AwsRedshiftCluster"
|
||||
CHECK_ALTERNATE_check711="extra711"
|
||||
CHECK_SERVICENAME_extra711="redshift"
|
||||
CHECK_RISK_extra711='Publicly accessible services could expose sensible data to bad actors.'
|
||||
CHECK_RISK_extra711='Publicly accessible services could expose sensitive data to bad actors.'
|
||||
CHECK_REMEDIATION_extra711='List all shared Redshift clusters and make sure there is a business reason for them.'
|
||||
CHECK_DOC_extra711='https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-vpc.html'
|
||||
CHECK_CAF_EPIC_extra711='Data Protection'
|
||||
|
||||
@@ -18,7 +18,7 @@ CHECK_SEVERITY_extra7116="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7116="AwsGlue"
|
||||
CHECK_ALTERNATE_check7116="extra7116"
|
||||
CHECK_SERVICENAME_extra7116="glue"
|
||||
CHECK_RISK_extra7116='If not enabled sensible information at rest is not protected.'
|
||||
CHECK_RISK_extra7116='If not enabled sensitive information at rest is not protected.'
|
||||
CHECK_REMEDIATION_extra7116='Enable Encryption. Use a CMK where possible. It will provide additional management and privacy benefits.'
|
||||
CHECK_DOC_extra7116='https://docs.aws.amazon.com/glue/latest/dg/encrypt-glue-data-catalog.html'
|
||||
CHECK_CAF_EPIC_extra7116='Data Protection'
|
||||
|
||||
@@ -18,7 +18,7 @@ CHECK_SEVERITY_extra7117="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7117="AwsGlue"
|
||||
CHECK_ALTERNATE_check7117="extra7117"
|
||||
CHECK_SERVICENAME_extra7117="glue"
|
||||
CHECK_RISK_extra7117='If not enabled sensible information at rest is not protected.'
|
||||
CHECK_RISK_extra7117='If not enabled sensitive information at rest is not protected.'
|
||||
CHECK_REMEDIATION_extra7117='On the AWS Glue console; you can enable this option on the Data catalog settings page.'
|
||||
CHECK_DOC_extra7117='https://docs.aws.amazon.com/glue/latest/dg/encrypt-connection-passwords.html'
|
||||
CHECK_CAF_EPIC_extra7117='Data Protection'
|
||||
|
||||
@@ -18,7 +18,7 @@ CHECK_SEVERITY_extra7118="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7118="AwsGlue"
|
||||
CHECK_ALTERNATE_check7118="extra7118"
|
||||
CHECK_SERVICENAME_extra7118="glue"
|
||||
CHECK_RISK_extra7118='If not enabled sensible information at rest is not protected.'
|
||||
CHECK_RISK_extra7118='If not enabled sensitive information at rest is not protected.'
|
||||
CHECK_REMEDIATION_extra7118='Provide the encryption properties that are used by crawlers; jobs; and development endpoints.'
|
||||
CHECK_DOC_extra7118='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html'
|
||||
CHECK_CAF_EPIC_extra7118='Data Protection'
|
||||
|
||||
@@ -19,7 +19,7 @@ CHECK_SEVERITY_extra7119="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7119="AwsGlue"
|
||||
CHECK_ALTERNATE_check7119="extra7119"
|
||||
CHECK_SERVICENAME_extra7119="glue"
|
||||
CHECK_RISK_extra7119='If not enabled sensible information at rest is not protected.'
|
||||
CHECK_RISK_extra7119='If not enabled sensitive information at rest is not protected.'
|
||||
CHECK_REMEDIATION_extra7119='Enable Encryption in the Security configurations.'
|
||||
CHECK_DOC_extra7119='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html'
|
||||
CHECK_CAF_EPIC_extra7119='Logging and Monitoring'
|
||||
|
||||
@@ -18,7 +18,7 @@ CHECK_SEVERITY_extra7120="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7120="AwsGlue"
|
||||
CHECK_ALTERNATE_check7120="extra7120"
|
||||
CHECK_SERVICENAME_extra7120="glue"
|
||||
CHECK_RISK_extra7120='If not enabled sensible information at rest is not protected.'
|
||||
CHECK_RISK_extra7120='If not enabled sensitive information at rest is not protected.'
|
||||
CHECK_REMEDIATION_extra7120='Enable Encryption in the Security configurations.'
|
||||
CHECK_DOC_extra7120='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html'
|
||||
CHECK_CAF_EPIC_extra7120='Logging and Monitoring'
|
||||
|
||||
@@ -19,7 +19,7 @@ CHECK_SEVERITY_extra7121="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7121="AwsGlue"
|
||||
CHECK_ALTERNATE_check7121="extra7121"
|
||||
CHECK_SERVICENAME_extra7121="glue"
|
||||
CHECK_RISK_extra7121='If not enabled sensible information at rest is not protected.'
|
||||
CHECK_RISK_extra7121='If not enabled sensitive information at rest is not protected.'
|
||||
CHECK_REMEDIATION_extra7121='Enable Encryption in the Security configurations.'
|
||||
CHECK_DOC_extra7121='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html'
|
||||
CHECK_CAF_EPIC_extra7121='Data Protection'
|
||||
|
||||
@@ -18,7 +18,7 @@ CHECK_SEVERITY_extra7122="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7122="AwsGlue"
|
||||
CHECK_ALTERNATE_check7122="extra7122"
|
||||
CHECK_SERVICENAME_extra7122="glue"
|
||||
CHECK_RISK_extra7122='If not enabled sensible information at rest is not protected.'
|
||||
CHECK_RISK_extra7122='If not enabled sensitive information at rest is not protected.'
|
||||
CHECK_REMEDIATION_extra7122='Enable Encryption in the Security configurations.'
|
||||
CHECK_DOC_extra7122='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html'
|
||||
CHECK_CAF_EPIC_extra7122='Data Protection'
|
||||
|
||||
@@ -19,7 +19,7 @@ CHECK_SEVERITY_extra7130="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7130="AwsSnsTopic"
|
||||
CHECK_ALTERNATE_check7130="extra7130"
|
||||
CHECK_SERVICENAME_extra7130="sns"
|
||||
CHECK_RISK_extra7130='If not enabled sensible information at rest is not protected.'
|
||||
CHECK_RISK_extra7130='If not enabled sensitive information at rest is not protected.'
|
||||
CHECK_REMEDIATION_extra7130='Use Amazon SNS with AWS KMS.'
|
||||
CHECK_DOC_extra7130='https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html'
|
||||
CHECK_CAF_EPIC_extra7130='Data Protection'
|
||||
|
||||
@@ -18,7 +18,7 @@ CHECK_SEVERITY_extra7143="Critical"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7143="AwsEFS"
|
||||
CHECK_ALTERNATE_check7143="extra7143"
|
||||
CHECK_SERVICENAME_extra7143="efs"
|
||||
CHECK_RISK_extra7143='EFS accessible to everyone could expose sensible data to bad actors'
|
||||
CHECK_RISK_extra7143='EFS accessible to everyone could expose sensitive data to bad actors'
|
||||
CHECK_REMEDIATION_extra7143='Ensure efs has some policy but it does not have principle as *'
|
||||
CHECK_DOC_extra7143='https://docs.aws.amazon.com/efs/latest/ug/access-control-block-public-access.html'
|
||||
CHECK_CAF_EPIC_extra7143='Data Protection'
|
||||
|
||||
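Review bot: `CHECK_REMEDIATION_extra7143` on the unchanged line still says `principle as *`; the word wanted here is the IAM `Principal` element of the resource policy, so the sentence should read `Ensure efs has some policy but it does not have Principal set to *`. The same wording appears in `CHECK_REMEDIATION_extra7147` in the Glacier vault hunk below. Since the commit is already a wording pass over these files, both could be corrected in the same sweep.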
@@ -18,7 +18,7 @@ CHECK_SEVERITY_extra7147="Critical"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7147="AwsGlacierVault"
|
||||
CHECK_ALTERNATE_check7147="extra7142"
|
||||
CHECK_SERVICENAME_extra7147="glacier"
|
||||
CHECK_RISK_extra7147='Vaults accessible to everyone could expose sensible data to bad actors'
|
||||
CHECK_RISK_extra7147='Vaults accessible to everyone could expose sensitive data to bad actors'
|
||||
CHECK_REMEDIATION_extra7147='Ensure vault policy does not have principle as *'
|
||||
CHECK_DOC_extra7147='https://docs.aws.amazon.com/amazonglacier/latest/dev/access-control-overview.html'
|
||||
CHECK_CAF_EPIC_extra7147='Data Protection'
|
||||
|
||||
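Review bot: `CHECK_ALTERNATE_check7147="extra7142"` on the unchanged context line maps the check7147 alias to a different check, while every other section in this commit pairs `checkNNNN` with `extraNNNN`. Unless this is intentional, it should read `CHECK_ALTERNATE_check7147="extra7147"`; otherwise invoking the check by its `check7147` name would presumably resolve to extra7142 (inferred from the naming pattern, not verified here).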
@@ -23,7 +23,7 @@ CHECK_ID_extra7154="7.154"
|
||||
CHECK_TITLE_extra7154="[extra7154] Enable termination protection for Cloudformation Stacks"
|
||||
CHECK_SCORED_extra7154="NOT_SCORED"
|
||||
CHECK_CIS_LEVEL_extra7154="EXTRA"
|
||||
CHECK_SEVERITY_extra7154="MEDIUM"
|
||||
CHECK_SEVERITY_extra7154="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7154="AwsCloudFormationStack"
|
||||
CHECK_ALTERNATE_check7154="extra7154"
|
||||
CHECK_SERVICENAME_extra7154="cloudformation"
|
||||
|
||||
@@ -22,7 +22,7 @@ CHECK_ID_extra7155="7.155"
|
||||
CHECK_TITLE_extra7155="[extra7155] Check whether the Application Load Balancer is configured with defensive or strictest desync mitigation mode"
|
||||
CHECK_SCORED_extra7155="NOT_SCORED"
|
||||
CHECK_CIS_LEVEL_extra7155="EXTRA"
|
||||
CHECK_SEVERITY_extra7155="MEDIUM"
|
||||
CHECK_SEVERITY_extra7155="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7155="AwsElasticLoadBalancingV2LoadBalancer"
|
||||
CHECK_ALTERNATE_check7155="extra7155"
|
||||
CHECK_SERVICENAME_extra7155="elb"
|
||||
|
||||
@@ -18,7 +18,7 @@ CHECK_SEVERITY_extra716="Critical"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra716="AwsElasticsearchDomain"
|
||||
CHECK_ALTERNATE_check716="extra716"
|
||||
CHECK_SERVICENAME_extra716="es"
|
||||
CHECK_RISK_extra716='Publicly accessible services could expose sensible data to bad actors.'
|
||||
CHECK_RISK_extra716='Publicly accessible services could expose sensitive data to bad actors.'
|
||||
CHECK_REMEDIATION_extra716='Use VPC endpoints for internal services.'
|
||||
CHECK_DOC_extra716='https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-vpc.html'
|
||||
CHECK_CAF_EPIC_extra716='Infrastructure Security'
|
||||
|
||||
@@ -18,7 +18,7 @@ CHECK_SEVERITY_extra723="Critical"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra723="AwsRdsDbSnapshot"
|
||||
CHECK_ALTERNATE_check723="extra723"
|
||||
CHECK_SERVICENAME_extra723="rds"
|
||||
CHECK_RISK_extra723='Publicly accessible services could expose sensible data to bad actors. t is recommended that your RDS snapshots should not be public in order to prevent potential leak or misuse of sensitive data or any other kind of security threat. If your RDS snapshot is public; then the data which is backed up in that snapshot is accessible to all other AWS accounts.'
|
||||
CHECK_RISK_extra723='Publicly accessible services could expose sensitive data to bad actors. t is recommended that your RDS snapshots should not be public in order to prevent potential leak or misuse of sensitive data or any other kind of security threat. If your RDS snapshot is public; then the data which is backed up in that snapshot is accessible to all other AWS accounts.'
|
||||
CHECK_REMEDIATION_extra723='Use AWS Config to identify any sanpshot that is public.'
|
||||
CHECK_DOC_extra723='https://docs.aws.amazon.com/config/latest/developerguide/rds-snapshots-public-prohibited.html'
|
||||
CHECK_CAF_EPIC_extra723='Data Protection'
|
||||
|
||||
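Review bot: The corrected `CHECK_RISK_extra723` line still carries `t is recommended` (missing the leading `I`), and the neighbouring remediation has `sanpshot`. Since this commit is a wording pass, the same sweep could pick up the other leftovers that sit on or next to changed lines: `frecuently` in `CHECK_REMEDIATION_extra763`, the garbled `Surveillance and other threats are risks may exists.` in `CHECK_RISK_extra738` (perhaps `Surveillance and other threats may exist.`), and `publiccly` in `CHECK_REMEDIATION_extra79`. For this hunk the changed line would start `CHECK_RISK_extra723='Publicly accessible services could expose sensitive data to bad actors. It is recommended that your RDS snapshots should not be public …'` with the rest of the string unchanged.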
@@ -19,7 +19,7 @@ CHECK_SEVERITY_extra727="Critical"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra727="AwsSqsQueue"
|
||||
CHECK_ALTERNATE_check727="extra727"
|
||||
CHECK_SERVICENAME_extra727="sqs"
|
||||
CHECK_RISK_extra727='Sensible information could be disclosed.'
|
||||
CHECK_RISK_extra727='Sensitive information could be disclosed.'
|
||||
CHECK_REMEDIATION_extra727='Review service with overly permissive policies. Adhere to Principle of Least Privilege.'
|
||||
CHECK_DOC_extra727='https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-basic-examples-of-sqs-policies.html'
|
||||
CHECK_CAF_EPIC_extra727='Infrastructure Security'
|
||||
|
||||
@@ -20,7 +20,7 @@ CHECK_ASFF_RESOURCE_TYPE_extra728="AwsSqsQueue"
|
||||
CHECK_ALTERNATE_check728="extra728"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra728="ens-mp.info.3.sns.1"
|
||||
CHECK_SERVICENAME_extra728="sqs"
|
||||
CHECK_RISK_extra728='If not enabled sensible information in transit is not protected.'
|
||||
CHECK_RISK_extra728='If not enabled sensitive information in transit is not protected.'
|
||||
CHECK_REMEDIATION_extra728='Enable Encryption. Use a CMK where possible. It will provide additional management and privacy benefits.'
|
||||
CHECK_DOC_extra728='https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-sse-existing-queue.html'
|
||||
CHECK_CAF_EPIC_extra728='Data Protection'
|
||||
|
||||
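Review bot: `CHECK_ASFF_COMPLIANCE_TYPE_extra728="ens-mp.info.3.sns.1"` on the unchanged context line names SNS inside an SQS check, while the sibling mappings visible in this commit follow `ens-mp.<domain>.<n>.aws.<service>.<n>` (for example `ens-mp.info.3.aws.rds.1` in extra735 and `ens-mp.info.3.aws.ebs.2` in extra761). This looks like a copy-paste from the SNS encryption check; please verify against the ENS mapping source, since a wrong compliance id would presumably tag the ASFF finding against the wrong control.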
@@ -19,7 +19,7 @@ CHECK_SEVERITY_extra731="Critical"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra731="AwsSnsTopic"
|
||||
CHECK_ALTERNATE_check731="extra731"
|
||||
CHECK_SERVICENAME_extra731="sns"
|
||||
CHECK_RISK_extra731='Publicly accessible services could expose sensible data to bad actors.'
|
||||
CHECK_RISK_extra731='Publicly accessible services could expose sensitive data to bad actors.'
|
||||
CHECK_REMEDIATION_extra731='Ensure there is a business requirement for service to be public.'
|
||||
CHECK_DOC_extra731='https://docs.aws.amazon.com/config/latest/developerguide/sns-topic-policy.html'
|
||||
CHECK_CAF_EPIC_extra731='Infrastructure Security'
|
||||
|
||||
@@ -19,7 +19,7 @@ CHECK_ASFF_RESOURCE_TYPE_extra735="AwsRdsDbInstance"
|
||||
CHECK_ALTERNATE_check735="extra735"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra735="ens-mp.info.3.aws.rds.1"
|
||||
CHECK_SERVICENAME_extra735="rds"
|
||||
CHECK_RISK_extra735='If not enabled sensible information at rest is not protected.'
|
||||
CHECK_RISK_extra735='If not enabled sensitive information at rest is not protected.'
|
||||
CHECK_REMEDIATION_extra735='Enable Encryption. Use a CMK where possible. It will provide additional management and privacy benefits.'
|
||||
CHECK_DOC_extra735='https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html'
|
||||
CHECK_CAF_EPIC_extra735='Data Protection'
|
||||
|
||||
@@ -19,7 +19,7 @@ CHECK_ASFF_RESOURCE_TYPE_extra738="AwsCloudFrontDistribution"
|
||||
CHECK_ALTERNATE_check738="extra738"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra738="ens-mp.com.2.aws.front.1"
|
||||
CHECK_SERVICENAME_extra738="cloudfront"
|
||||
CHECK_RISK_extra738='If not enabled sensible information in transit is not protected. Surveillance and other threats are risks may exists.'
|
||||
CHECK_RISK_extra738='If not enabled sensitive information in transit is not protected. Surveillance and other threats are risks may exists.'
|
||||
CHECK_REMEDIATION_extra738='Use HTTPS everywhere possible. It will enforce privacy and protect against account hijacking and other threats.'
|
||||
CHECK_DOC_extra738='https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https.html'
|
||||
CHECK_CAF_EPIC_extra738='Data Protection'
|
||||
|
||||
@@ -18,7 +18,7 @@ CHECK_SEVERITY_extra761="Medium"
|
||||
CHECK_ALTERNATE_check761="extra761"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra761="ens-mp.info.3.aws.ebs.2"
|
||||
CHECK_SERVICENAME_extra761="ec2"
|
||||
CHECK_RISK_extra761='If not enabled sensible information at rest is not protected.'
|
||||
CHECK_RISK_extra761='If not enabled sensitive information at rest is not protected.'
|
||||
CHECK_REMEDIATION_extra761='Enable Encryption. Use a CMK where possible. It will provide additional management and privacy benefits.'
|
||||
CHECK_DOC_extra761='https://aws.amazon.com/premiumsupport/knowledge-center/ebs-automatic-encryption/'
|
||||
CHECK_CAF_EPIC_extra761='Data Protection'
|
||||
|
||||
@@ -19,7 +19,7 @@ CHECK_ASFF_RESOURCE_TYPE_extra763="AwsS3Bucket"
|
||||
CHECK_ALTERNATE_check763="extra763"
|
||||
CHECK_SERVICENAME_extra763="s3"
|
||||
CHECK_RISK_extra763=' With versioning; you can easily recover from both unintended user actions and application failures.'
|
||||
CHECK_REMEDIATION_extra763='Configure versioning using the Amazon console or API for buckets with sensible information that is changing frecuently; and backup may not be enough to capture all the changes.'
|
||||
CHECK_REMEDIATION_extra763='Configure versioning using the Amazon console or API for buckets with sensitive information that is changing frecuently; and backup may not be enough to capture all the changes.'
|
||||
CHECK_DOC_extra763='https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/Versioning.html'
|
||||
CHECK_CAF_EPIC_extra763='Data Protection'
|
||||
|
||||
|
||||
@@ -19,7 +19,7 @@ CHECK_ASFF_RESOURCE_TYPE_extra767="AwsCloudFrontDistribution"
|
||||
CHECK_ALTERNATE_check767="extra767"
|
||||
CHECK_SERVICENAME_extra767="cloudfront"
|
||||
CHECK_RISK_extra767='Allows you protect specific data throughout system processing so that only certain applications can see it.'
|
||||
CHECK_REMEDIATION_extra767='Check if applicable to any sensible data. This encryption ensures that only applications that need the data—and have the credentials to decrypt it - are able to do so.'
|
||||
CHECK_REMEDIATION_extra767='Check if applicable to any sensitive data. This encryption ensures that only applications that need the data—and have the credentials to decrypt it - are able to do so.'
|
||||
CHECK_DOC_extra767='https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html'
|
||||
CHECK_CAF_EPIC_extra767='Data Protection'
|
||||
|
||||
|
||||
@@ -32,8 +32,9 @@ CHECK_CIS_LEVEL_extra776="EXTRA"
|
||||
CHECK_SEVERITY_extra776="Medium"
|
||||
CHECK_ALTERNATE_check776="extra776"
|
||||
CHECK_SERVICENAME_extra776="ecr"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra776="AwsEcrRepository"
|
||||
CHECK_RISK_extra776='Amazon ECR image scanning helps in identifying software vulnerabilities in your container images. Amazon ECR uses the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project and provides a list of scan findings. '
|
||||
CHECK_REMEDIATION_extra776='Open the Amazon ECR console. look for vulnerabilities and fix them.'
|
||||
CHECK_REMEDIATION_extra776='Open the Amazon ECR console. Then look for vulnerabilities and fix them.'
|
||||
CHECK_DOC_extra776='https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html#describe-scan-findings'
|
||||
CHECK_CAF_EPIC_extra776='Logging and Monitoring'
|
||||
|
||||
@@ -75,18 +76,18 @@ extra776(){
|
||||
fi
|
||||
SEVERITY_LOW=$(echo "$FINDINGS_COUNT" | jq -r '.LOW' )
|
||||
if [[ "$SEVERITY_LOW" != "null" ]]; then
|
||||
textInfo "$region: ECR repository $repo has imageTag $IMAGE_TAG with LOW ($SEVERITY_LOW) findings" "$region"
|
||||
textInfo "$region: ECR repository $repo has imageTag $IMAGE_TAG with LOW ($SEVERITY_LOW) findings" "$region" "$repo"
|
||||
fi
|
||||
SEVERITY_INFORMATIONAL=$(echo "$FINDINGS_COUNT" | jq -r '.INFORMATIONAL' )
|
||||
if [[ "$SEVERITY_INFORMATIONAL" != "null" ]]; then
|
||||
textInfo "$region: ECR repository $repo has imageTag $IMAGE_TAG with INFORMATIONAL ($SEVERITY_INFORMATIONAL) findings" "$region"
|
||||
textInfo "$region: ECR repository $repo has imageTag $IMAGE_TAG with INFORMATIONAL ($SEVERITY_INFORMATIONAL) findings" "$region" "$repo"
|
||||
fi
|
||||
SEVERITY_UNDEFINED=$(echo "$FINDINGS_COUNT" | jq -r '.UNDEFINED' )
|
||||
if [[ "$SEVERITY_UNDEFINED" != "null" ]]; then
|
||||
textInfo "$region: ECR repository $repo has imageTag $IMAGE_TAG with UNDEFINED ($SEVERITY_UNDEFINED) findings" "$region"
|
||||
textInfo "$region: ECR repository $repo has imageTag $IMAGE_TAG with UNDEFINED ($SEVERITY_UNDEFINED) findings" "$region" "$repo"
|
||||
fi
|
||||
else
|
||||
textPass "$region: ECR repository $repo has imageTag $IMAGE_TAG without findings" "$region"
|
||||
textPass "$region: ECR repository $repo has imageTag $IMAGE_TAG without findings" "$region" "$repo"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
@@ -95,7 +96,7 @@ extra776(){
|
||||
textInfo "$region: ECR repository $repo has no images" "$region"
|
||||
fi
|
||||
else
|
||||
textInfo "$region: ECR repository $repo has no scanOnPush not enabled" "$region"
|
||||
textInfo "$region: ECR repository $repo has scanOnPush not enabled" "$region" "$repo"
|
||||
fi
|
||||
done
|
||||
else
|
||||
|
||||
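Review bot: `textInfo "$region: ECR repository $repo has no images" "$region"` at the top of this hunk was left without the `"$repo"` resource argument that every sibling textInfo/textPass call in extra776 gained in this commit, so that finding would be emitted without a resource id. Change it to `textInfo "$region: ECR repository $repo has no images" "$region" "$repo"`. The enclosing loop and the extra776 function extend outside the hunk.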
@@ -20,7 +20,7 @@ CHECK_ALTERNATE_extra708="extra78"
|
||||
CHECK_ALTERNATE_check78="extra78"
|
||||
CHECK_ALTERNATE_check708="extra78"
|
||||
CHECK_SERVICENAME_extra78="rds"
|
||||
CHECK_RISK_extra78='Publicly accessible databases could expose sensible data to bad actors.'
|
||||
CHECK_RISK_extra78='Publicly accessible databases could expose sensitive data to bad actors.'
|
||||
CHECK_REMEDIATION_extra78='Using an AWS Config rule check for RDS public instances periodically and check there is a business reason for it.'
|
||||
CHECK_DOC_extra78='https://docs.amazonaws.cn/en_us/config/latest/developerguide/rds-instance-public-access-check.html'
|
||||
CHECK_CAF_EPIC_extra78='Data Protection'
|
||||
|
||||
@@ -20,7 +20,7 @@ CHECK_ALTERNATE_extra709="extra79"
|
||||
CHECK_ALTERNATE_check79="extra79"
|
||||
CHECK_ALTERNATE_check709="extra79"
|
||||
CHECK_SERVICENAME_extra79="elb"
|
||||
CHECK_RISK_extra79='Publicly accessible load balancers could expose sensible data to bad actors.'
|
||||
CHECK_RISK_extra79='Publicly accessible load balancers could expose sensitive data to bad actors.'
|
||||
CHECK_REMEDIATION_extra79='Ensure the load balancer should be publicly accessible. If publiccly exposed ensure a WAF ACL is implemented.'
|
||||
CHECK_DOC_extra79='https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-associating-aws-resource.html'
|
||||
CHECK_CAF_EPIC_extra79='Data Protection'
|
||||
|
||||
@@ -18,7 +18,7 @@ CHECK_SEVERITY_extra795="High"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra795="AwsEksCluster"
|
||||
CHECK_ALTERNATE_check795="extra795"
|
||||
CHECK_SERVICENAME_extra795="eks"
|
||||
CHECK_RISK_extra795='Publicly accessible services could expose sensible data to bad actors.'
|
||||
CHECK_RISK_extra795='Publicly accessible services could expose sensitive data to bad actors.'
|
||||
CHECK_REMEDIATION_extra795='Enable private access to the Kubernetes API server so that all communication between your nodes and the API server stays within your VPC. Disable internet access to the API server.'
|
||||
CHECK_DOC_extra795='https://docs.aws.amazon.com/eks/latest/userguide/infrastructure-security.html'
|
||||
CHECK_CAF_EPIC_extra795='Infrastructure Security'
|
||||
|
||||
@@ -19,7 +19,7 @@ CHECK_SEVERITY_extra798="Critical"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra798="AwsLambdaFunction"
|
||||
CHECK_ALTERNATE_check798="extra798"
|
||||
CHECK_SERVICENAME_extra798="lambda"
|
||||
CHECK_RISK_extra798='Publicly accessible services could expose sensible data to bad actors.'
|
||||
CHECK_RISK_extra798='Publicly accessible services could expose sensitive data to bad actors.'
|
||||
CHECK_REMEDIATION_extra798='Grant usage permission on a per-resource basis and applying least privilege principle.'
|
||||
CHECK_DOC_extra798='https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html'
|
||||
CHECK_CAF_EPIC_extra798='Infrastructure Security'
|
||||
|
||||
@@ -21,6 +21,9 @@ assume_role(){
|
||||
# In some cases you will need more than 1h.
|
||||
if [[ -z $SESSION_DURATION_TO_ASSUME ]]; then
|
||||
SESSION_DURATION_TO_ASSUME="3600"
|
||||
elif [[ "${SESSION_DURATION_TO_ASSUME}" -gt "43200" ]] || [[ "${SESSION_DURATION_TO_ASSUME}" -lt "900" ]]; then
|
||||
echo "$OPTRED ERROR!$OPTNORMAL - Role session duration must be more than 900 seconds and less than 4300 seconds"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# temporary file where to store credentials
|
||||
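Review bot: The error message on the new `elif` branch says `less than 4300 seconds` while the condition tests `-gt "43200"`, so the text disagrees with the check by an order of magnitude; it should read `… must be between 900 and 43200 seconds`. The message is also printed with `echo` to stdout rather than stderr; `echo "$OPTRED ERROR!$OPTNORMAL - Role session duration must be between 900 and 43200 seconds" >&2` keeps the diagnostic out of any report captured from stdout. assume_role continues outside the hunk.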
@@ -49,7 +52,10 @@ assume_role(){
|
||||
fi
|
||||
if [[ $(grep AccessDenied $TEMP_STS_ASSUMED_FILE) ]]; then
|
||||
textFail "Access Denied assuming role $PROWLER_ROLE"
|
||||
rm -f $TEMP_STS_ASSUMED_FILE
|
||||
EXITCODE=1
|
||||
exit $EXITCODE
|
||||
elif [[ "$(grep MaxSessionDuration $TEMP_STS_ASSUMED_FILE)" ]]; then
|
||||
textFail "The requested DurationSeconds exceeds the MaxSessionDuration set for the role ${PROWLER_ROLE}"
|
||||
EXITCODE=1
|
||||
exit $EXITCODE
|
||||
fi
|
||||
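Review bot: The new `MaxSessionDuration` branch exits without removing `$TEMP_STS_ASSUMED_FILE`, while the `AccessDenied` branch just above does `rm -f $TEMP_STS_ASSUMED_FILE` before exiting. Unless the interrupt/termination cleanup changed elsewhere in this commit is guaranteed to run on this `exit 1` path (not visible here), the STS response file is left on disk; since the following hunk introduces `cleanSTSAssumeFile`, both branches could simply call `cleanSTSAssumeFile` before `exit $EXITCODE` instead of duplicating the `rm`. The function continues outside the hunk.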
@@ -78,6 +84,9 @@ assume_role(){
|
||||
export AWS_SECRET_ACCESS_KEY=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.SecretAccessKey')
|
||||
export AWS_SESSION_TOKEN=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.SessionToken')
|
||||
export AWS_SESSION_EXPIRATION=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.Expiration | sub("\\+00:00";"Z") | fromdateiso8601')
|
||||
rm -fr $TEMP_STS_ASSUMED_FILE
|
||||
cleanSTSAssumeFile
|
||||
}
|
||||
|
||||
cleanSTSAssumeFile() {
|
||||
rm -fr "${TEMP_STS_ASSUMED_FILE}"
|
||||
}
|
||||
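Review bot: `cleanSTSAssumeFile` uses `rm -fr` on what is a single file (it is read with `cat … | jq` a few lines above); `-r` is unnecessary and would recurse if the variable ever pointed at a directory, so `rm -f -- "${TEMP_STS_ASSUMED_FILE}"` is the safer form. Since that file holds the plaintext `SecretAccessKey` and `SessionToken` between the STS call and this cleanup, a one-line comment above the function would help future readers, e.g. `# Remove the temporary STS response file; it contains plaintext credentials.`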
@@ -18,7 +18,7 @@ check3x(){
|
||||
# be based only on CloudTrail tail with CloudWatchLog configuration.
|
||||
DESCRIBE_TRAILS_CACHE=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region "$REGION" --query 'trailList[?CloudWatchLogsLogGroupArn != `null`]' 2>&1)
|
||||
if [[ $(echo "$DESCRIBE_TRAILS_CACHE" | grep AccessDenied) ]]; then
|
||||
textFail "$REGION: Access Denied trying to describe trails in $REGION" "$REGION" "$group"
|
||||
textFail "$REGION: Access Denied trying to describe trails in $REGION" "$REGION"
|
||||
return
|
||||
fi
|
||||
|
||||
@@ -92,6 +92,6 @@ check3x(){
|
||||
done
|
||||
fi
|
||||
else
|
||||
textFail "$REGION: No CloudWatch group found for CloudTrail events" "$REGION" "$group"
|
||||
textFail "$REGION: No CloudWatch group found for CloudTrail events" "$REGION"
|
||||
fi
|
||||
}
|
||||
|
||||
@@ -43,6 +43,7 @@ cleanTemp(){
|
||||
if [[ $KEEPCREDREPORT -ne 1 ]]; then
|
||||
rm -fr $TEMP_REPORT_FILE
|
||||
fi
|
||||
cleanSTSAssumeFile
|
||||
}
|
||||
|
||||
# Delete the temporary report file if we get interrupted/terminated
|
||||
|
||||
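Review bot: `cleanTemp` now calls `cleanSTSAssumeFile` unconditionally, but that function is defined in the assume-role file changed earlier in this commit; if that file is only sourced when role assumption is requested, this call would produce a `command not found` on the non-assume path (inferred, since the sourcing order is not visible here). A guard keeps the cleanup safe either way: `declare -F cleanSTSAssumeFile >/dev/null && cleanSTSAssumeFile`. The function header is outside the hunk.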
@@ -18,7 +18,7 @@ Installing Prowler with Terraform is simple and can be completed in under 1 minu
|
||||
sudo yum install -y yum-utils
|
||||
sudo yum-config-manager --add-repo https://rpm.releases.hashicorp.com/AmazonLinux/hashicorp.repo
|
||||
sudo yum -y install terraform
|
||||
cd terraform-kickstarter
|
||||
cd util/terraform-kickstarter
|
||||
```
|
||||
- Issue a `terraform init`
|
||||
|
||||
|
||||