diff --git a/README.md b/README.md index 4a7e629a..bd7d0fb3 100644 --- a/README.md +++ b/README.md @@ -88,8 +88,269 @@ USAGE: ## Screenshot +- Sample screenshot of report first lines: screenshot 2016-09-13 16 05 42 +- Sample screnshot of single check for check 3.3: +screenshot 2016-09-14 13 20 46 + +- Sample of a full report: + +``` +$ ./prowler + _ + _ __ _ __ _____ _| | ___ _ __ + | '_ \| '__/ _ \ \ /\ / / |/ _ \ '__| + | |_) | | | (_) \ V V /| | __/ | + | .__/|_| \___/ \_/\_/ |_|\___|_| + |_| CIS based AWS Account Hardening Tool + + +Date: Wed Sep 14 13:30:13 EDT 2016 + +This report is being generated using credentials below: + +AWS-CLI Profile: [default] AWS Region: [us-east-1] + +-------------------------------------------------------------------------------------- +| GetCallerIdentity | ++--------------+-------------------------------------------+-------------------------+ +| Account | Arn | UserId | ++--------------+-------------------------------------------+-------------------------+ +| XXXXXXXXXXXX| arn:aws:iam::XXXXXXXXXXXX:user/toni | XXXXXXXXXXXXXXXXXXXXX | ++--------------+-------------------------------------------+-------------------------+ + +Colors Code for results: INFORMATIVE, OK (RECOMMENDED VALUE), CRITICAL (FIX REQUIRED) + + +Generating AWS IAM Credential Report....COMPLETE + + + 1 Identity and Access Management ********************************* + + 1.1 Avoid the use of the root account (Scored). Last time root account was used + (password last used, access_key_1_last_used, access_key_2_last_used): + 2016-08-11T20:59:27+00:00, N/A, N/A + + 1.2 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored) + List of users with Password enabled but MFA disabled: + toni + + 1.3 Ensure credentials unused for 90 days or greater are disabled (Scored) + User list: + toni + + 1.4 Ensure access keys are rotated every 90 days or less (Scored) + Users with access key 1 older than 90 days: + + Users with access key 2 older than 90 days: + + 1.5 Ensure IAM password policy requires at least one uppercase letter (Scored) + FALSE + + 1.6 Ensure IAM password policy require at least one lowercase letter (Scored) + FALSE + + 1.7 Ensure IAM password policy require at least one symbol (Scored) + FALSE + + 1.8 Ensure IAM password policy require at least one number (Scored) + FALSE + + 1.9 Ensure IAM password policy requires minimum length of 14 or greater (Scored) + FALSE + + 1.10 Ensure IAM password policy prevents password reuse (Scored) + FALSE + + 1.11 Ensure IAM password policy expires passwords within 90 days or less (Scored) + FALSE + + 1.12 Ensure no root account access key exists (Scored) + Found access key 1 + OK No access key 2 found + + 1.13 Ensure hardware MFA is enabled for the root account (Scored) + OK + + 1.14 Ensure security questions are registered in the AWS account (Not Scored) + No command available for check 1.14 + Login to the AWS Console as root, click on the Account + Name -> My Account -> Configure Security Challenge Questions + + 1.15 Ensure IAM policies are attached only to groups or roles (Scored) + Users with policy attached to them instead to groups: (it may take few seconds...) + toni + + + 2 Logging ******************************************************** + + 2.1 Ensure CloudTrail is enabled in all regions (Scored) + FALSE + + 2.2 Ensure CloudTrail log file validation is enabled (Scored) + FALSE + + 2.3 Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored) + WARNING! CloudTrail bucket doesn't exist! + + 2.4 Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored) + WARNING! No CloudTrail trails found! + + 2.5 Ensure AWS Config is enabled in all regions (Scored) + WARNING! Region ap-south-1 has AWS Config disabled or not configured + WARNING! Region eu-west-1 has AWS Config disabled or not configured + WARNING! Region ap-southeast-1 has AWS Config disabled or not configured + WARNING! Region ap-southeast-2 has AWS Config disabled or not configured + WARNING! Region eu-central-1 has AWS Config disabled or not configured + WARNING! Region ap-northeast-2 has AWS Config disabled or not configured + WARNING! Region ap-northeast-1 has AWS Config disabled or not configured + WARNING! Region us-east-1 has AWS Config disabled or not configured + WARNING! Region sa-east-1 has AWS Config disabled or not configured + WARNING! Region us-west-1 has AWS Config disabled or not configured + WARNING! Region us-west-2 has AWS Config disabled or not configured + + 2.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored) + WARNING! CloudTrail bucket doesn't exist! + + 2.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored) + WARNING! CloudTrail bucket doesn't exist! + + 2.8 Ensure rotation for customer created CMKs is enabled (Scored) + Region ap-south-1 doesn't have encryption keys + Region eu-west-1 doesn't have encryption keys + Region ap-southeast-1 doesn't have encryption keys + Region ap-southeast-2 doesn't have encryption keys + Region eu-central-1 doesn't have encryption keys + Region ap-northeast-2 doesn't have encryption keys + Region ap-northeast-1 doesn't have encryption keys + WARNING! Key a0e988df-bc84-423f-996c-XXXX in Region us-east-1 is not set to rotate! + Region sa-east-1 doesn't have encryption keys + Region us-west-1 doesn't have encryption keys + Region us-west-2 doesn't have encryption keys + + + 3 Monitoring ***************************************************** + + 3.1 Ensure a log metric filter and alarm exist for unauthorized API calls (Scored) + WARNING! No CloudWatch group found, no metric filters or alarms associated + + 3.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored) + WARNING! No CloudWatch group found, no metric filters or alarms associated + + 3.3 Ensure a log metric filter and alarm exist for usage of root account (Scored) + WARNING! No CloudWatch group found, no metric filters or alarms associated + + 3.4 Ensure a log metric filter and alarm exist for IAM policy changes (Scored) + WARNING! No CloudWatch group found, no metric filters or alarms associated + + 3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored) + WARNING! No CloudWatch group found, no metric filters or alarms associated + + 3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored) + WARNING! No CloudWatch group found, no metric filters or alarms associated + + 3.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored) + WARNING! No CloudWatch group found, no metric filters or alarms associated + + 3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored) + WARNING! No CloudWatch group found, no metric filters or alarms associated + + 3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored) + WARNING! No CloudWatch group found, no metric filters or alarms associated + + 3.10 Ensure a log metric filter and alarm exist for security group changes (Scored) + WARNING! No CloudWatch group found, no metric filters or alarms associated + + 3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored) + WARNING! No CloudWatch group found, no metric filters or alarms associated + + 3.12 Ensure a log metric filter and alarm exist for changes to network gateways (Scored) + WARNING! No CloudWatch group found, no metric filters or alarms associated + + 3.13 Ensure a log metric filter and alarm exist for route table changes (Scored) + WARNING! No CloudWatch group found, no metric filters or alarms associated + + 3.14 Ensure a log metric filter and alarm exist for VPC changes (Scored) + WARNING! No CloudWatch group found, no metric filters or alarms associated + + 3.15 Ensure security contact information is registered (Scored) + No command available for check 3.15 + Login to the AWS Console, click on My Account + Go to Alternate Contacts -> make sure Security section is filled + + 3.16 Ensure appropriate subscribers to each SNS topic (Not Scored) + Region ap-south-1 doesn't have topics + Region eu-west-1 doesn't have topics + Region ap-southeast-1 doesn't have topics + Region ap-southeast-2 doesn't have topics + Region eu-central-1 doesn't have topics + Region ap-northeast-2 doesn't have topics + Region ap-northeast-1 doesn't have topics + Region us-east-1 doesn't have topics + Region sa-east-1 doesn't have topics + Region us-west-1 doesn't have topics + Region us-west-2 doesn't have topics + + + 4 Networking ************************************************** + + 4.1 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored) + OK, No Security Groups found in ap-south-1 with port 22 TCP open to 0.0.0.0/0 + OK, No Security Groups found in eu-west-1 with port 22 TCP open to 0.0.0.0/0 + OK, No Security Groups found in ap-southeast-1 with port 22 TCP open to 0.0.0.0/0 + OK, No Security Groups found in ap-southeast-2 with port 22 TCP open to 0.0.0.0/0 + OK, No Security Groups found in eu-central-1 with port 22 TCP open to 0.0.0.0/0 + OK, No Security Groups found in ap-northeast-2 with port 22 TCP open to 0.0.0.0/0 + OK, No Security Groups found in ap-northeast-1 with port 22 TCP open to 0.0.0.0/0 + OK, No Security Groups found in us-east-1 with port 22 TCP open to 0.0.0.0/0 + OK, No Security Groups found in sa-east-1 with port 22 TCP open to 0.0.0.0/0 + OK, No Security Groups found in us-west-1 with port 22 TCP open to 0.0.0.0/0 + OK, No Security Groups found in us-west-2 with port 22 TCP open to 0.0.0.0/0 + + 4.2 Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored) + OK, No Security Groups found in ap-south-1 with port 3389 TCP open to 0.0.0.0/0 + OK, No Security Groups found in eu-west-1 with port 3389 TCP open to 0.0.0.0/0 + OK, No Security Groups found in ap-southeast-1 with port 3389 TCP open to 0.0.0.0/0 + OK, No Security Groups found in ap-southeast-2 with port 3389 TCP open to 0.0.0.0/0 + OK, No Security Groups found in eu-central-1 with port 3389 TCP open to 0.0.0.0/0 + OK, No Security Groups found in ap-northeast-2 with port 3389 TCP open to 0.0.0.0/0 + OK, No Security Groups found in ap-northeast-1 with port 3389 TCP open to 0.0.0.0/0 + OK, No Security Groups found in us-east-1 with port 3389 TCP open to 0.0.0.0/0 + OK, No Security Groups found in sa-east-1 with port 3389 TCP open to 0.0.0.0/0 + OK, No Security Groups found in us-west-1 with port 3389 TCP open to 0.0.0.0/0 + OK, No Security Groups found in us-west-2 with port 3389 TCP open to 0.0.0.0/0 + + 4.3 Ensure VPC Flow Logging is Enabled in all Applicable Regions (Scored) + WARNING! no VPCFlowLog has been found in Region ap-south-1 + WARNING! no VPCFlowLog has been found in Region eu-west-1 + WARNING! no VPCFlowLog has been found in Region ap-southeast-1 + WARNING! no VPCFlowLog has been found in Region ap-southeast-2 + WARNING! no VPCFlowLog has been found in Region eu-central-1 + WARNING! no VPCFlowLog has been found in Region ap-northeast-2 + WARNING! no VPCFlowLog has been found in Region ap-northeast-1 + WARNING! no VPCFlowLog has been found in Region us-east-1 + WARNING! no VPCFlowLog has been found in Region sa-east-1 + WARNING! no VPCFlowLog has been found in Region us-west-1 + WARNING! no VPCFlowLog has been found in Region us-west-2 + + 4.4 Ensure the default security group restricts all traffic (Scored) + WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region ap-south-1 + WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region eu-west-1 + WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region ap-southeast-1 + WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region ap-southeast-2 + WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region eu-central-1 + WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region ap-northeast-2 + WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region ap-northeast-1 + OK, no Default Security Groups open to 0.0.0.0 found in Region us-east-1 + WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region sa-east-1 + WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region us-west-1 + OK, no Default Security Groups open to 0.0.0.0 found in Region us-west-2 + + - For more information and reference: + https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf +``` + ## Troubleshooting If you are using an STS token for AWS-CLI and your session is expired you probably get this error: