Added check extra718 bucket server access logging

README.md

@@ -25,7 +25,7 @@ It covers hardening and security best practices for all AWS regions related to:
 - Logging (8 checks)
 - Monitoring (15 checks)
 - Networking (5 checks)
-- Extras (17 checks) *see Extras section
+- Extras (18 checks) *see Extras section
 - Forensics related checks  
 
 For a comprehesive list and resolution look at the guide on the link above.
@@ -345,6 +345,7 @@ At this moment we have 16 extra checks:
 - 7.15 (`extra715`) Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark)
 - 7.16 (`extra716`) Check if Elasticsearch Service domains allow open access (Not Scored) (Not part of CIS benchmark)
 - 7.17 (`extra717`) Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)
+- 7.18 (`extra718`) Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)
 
 
 To check all extras in one command:
@@ -372,6 +373,7 @@ With this group of checks, Prowler looks if each service with logging or audit c
 - 7.14  Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)
 - 7.15  Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark)
 - 7.17  Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)
+- 7.18  Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)
 
 The `forensics-ready` group of checks uses existing and extra checks. To get a forensics readiness report, run this command:
 ```

prowler

@@ -502,6 +502,8 @@ ID716="7.16,7.16"
 TITLE716="Check if Elasticsearch Service domains allow open access (Not Scored) (Not part of CIS benchmark)"
 ID717="7.17,7.17"
 TITLE717="Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)"
+ID718="7.18,7.18"
+TITLE718="Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)"
 
 printCsvHeader() {
   >&2 echo ""
@@ -2009,6 +2011,24 @@ extra717(){
   done
 }
 
+extra718(){
+  # "Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)"
+  textTitle "$ID718" "$TITLE718" "NOT_SCORED" "EXTRA"
+  LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --query Buckets[*].Name --output text|xargs -n1)
+  if [[ $LIST_OF_BUCKETS ]]; then
+    for bucket in $LIST_OF_BUCKETS;do
+      BUCKET_SERVER_LOG_ENABLED=$($AWSCLI s3api get-bucket-logging --bucket $bucket $PROFILE_OPT --query [LoggingEnabled] --output text|grep -v "^None$")
+      if [[ $BUCKET_SERVER_LOG_ENABLED ]];then
+        textOK "Bucket $bucket has server access logging enabled"
+      else
+        textWarn "Bucket $bucket has server access logging disabled!"
+      fi
+    done
+  else
+    textNotice "No S3 Buckets found"
+  fi
+}
+
 callCheck(){
   if [[ $CHECKNUMBER ]];then
     case "$CHECKNUMBER" in
@@ -2081,6 +2101,7 @@ callCheck(){
       extra715|extra715 ) extra715;;
       extra716|extra716 ) extra716;;
       extra717|extra717 ) extra717;;
+      extra718|extra718 ) extra718;;
 
       ## Groups of Checks
       check1 )
@@ -2118,12 +2139,12 @@ callCheck(){
       extras )
         extra71;extra72;extra73;extra74;extra75;extra76;extra77;extra78;
         extra79;extra710;extra711;extra712;extra713;extra714;extra715;extra716;
-        extra717
+        extra717;extra718
         ;;
       forensics-ready )
         check21;check22;check23;check24;check25;check26;check27;
         check43;
-        extra712;extra713;extra714;extra715;extra717
+        extra712;extra713;extra714;extra715;extra717;extra718
         ;;
       * )
         textWarn "ERROR! Use a valid check name (i.e. check41 or extra71)\n";
@@ -2211,6 +2232,7 @@ if [[ $PRINTCHECKSONLY == "1" ]]; then
   textTitle "$ID715" "$TITLE715" "NOT_SCORED" "EXTRA"
   textTitle "$ID716" "$TITLE716" "NOT_SCORED" "EXTRA"
   textTitle "$ID717" "$TITLE717" "NOT_SCORED" "EXTRA"
+  textTitle "$ID718" "$TITLE718" "NOT_SCORED" "EXTRA"
   exit $EXITCODE
 fi
 
@@ -2304,6 +2326,7 @@ extra714
 extra715
 extra716
 extra717
+extra718
 
 cleanTemp
 exit $EXITCODE