Added service name to all checks
@@ -15,6 +15,7 @@ CHECK_TYPE_check11="LEVEL1"
CHECK_SEVERITY_check11="High"
CHECK_ASFF_TYPE_check11="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ALTERNATE_check101="check11"
CHECK_SERVICENAME_check11="iam"
check11(){
# "Avoid the use of the root account (Scored)."
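Review bot: `CHECK_SERVICENAME_check11="iam"` introduces a new free-form per-check variable with no stated vocabulary, and the same applies to every `CHECK_SERVICENAME_*` line added by this commit. The values used across the files look like AWS CLI service names (`iam`, `ec2`, `vpc`, `s3`, `kms`, `configservice`, `es`, `support`, `sagemaker`), but nothing on the page pins that down, so a typo in one file would silently create a new service bucket instead of failing. A comment at this first occurrence such as `# CHECK_SERVICENAME_*: AWS CLI service name (iam, ec2, s3, ...) — presumably used to group or filter checks; keep values consistent across files` would make the convention visible, and if a filter option consumes the variable, matching it against a fixed list of allowed names would be stronger. Placement also varies (after CHECK_ALTERNATE or CHECK_ASFF_COMPLIANCE_TYPE in most files, after CHECK_SEVERITY in the sagemaker files), which is harmless but makes a missing line harder to spot. check11's body continues outside the hunk.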
@@ -15,6 +15,7 @@ CHECK_TYPE_check110="LEVEL1"
CHECK_SEVERITY_check110="Medium"
CHECK_ASFF_TYPE_check110="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ALTERNATE_check110="check110"
CHECK_SERVICENAME_check110="iam"
check110(){
# "Ensure IAM password policy prevents password reuse: 24 or greater (Scored)"
@@ -15,6 +15,7 @@ CHECK_TYPE_check111="LEVEL1"
CHECK_SEVERITY_check111="Medium"
CHECK_ASFF_TYPE_check111="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ALTERNATE_check111="check111"
CHECK_SERVICENAME_check111="iam"
check111(){
# "Ensure IAM password policy expires passwords within 90 days or less (Scored)"
@@ -15,6 +15,7 @@ CHECK_TYPE_check112="LEVEL1"
CHECK_SEVERITY_check112="Critical"
CHECK_ASFF_TYPE_check112="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ALTERNATE_check112="check112"
CHECK_SERVICENAME_check112="iam"
check112(){
# "Ensure no root account access key exists (Scored)"
@@ -15,6 +15,7 @@ CHECK_TYPE_check113="LEVEL1"
CHECK_SEVERITY_check113="Critical"
CHECK_ASFF_TYPE_check113="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ALTERNATE_check113="check113"
CHECK_SERVICENAME_check113="iam"
check113(){
# "Ensure MFA is enabled for the root account (Scored)"
@@ -15,6 +15,7 @@ CHECK_TYPE_check114="LEVEL2"
CHECK_SEVERITY_check114="Critical"
CHECK_ASFF_TYPE_check114="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ALTERNATE_check114="check114"
CHECK_SERVICENAME_check114="iam"
check114(){
# "Ensure hardware MFA is enabled for the root account (Scored)"
@@ -15,6 +15,7 @@ CHECK_TYPE_check115="LEVEL1"
CHECK_SEVERITY_check115="Medium"
CHECK_ASFF_TYPE_check115="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ALTERNATE_check115="check115"
CHECK_SERVICENAME_check115="support"
check115(){
# "Ensure security questions are registered in the AWS account (Not Scored)"
@@ -17,6 +17,7 @@ CHECK_ASFF_TYPE_check116="Software and Configuration Checks/Industry and Regulat
CHECK_ASFF_RESOURCE_TYPE_check116="AwsIamUser"
CHECK_ALTERNATE_check116="check116"
CHECK_ASFF_COMPLIANCE_TYPE_check116="ens-op.acc.3.aws.iam.1"
CHECK_SERVICENAME_check116="iam"
check116(){
# "Ensure IAM policies are attached only to groups or roles (Scored)"
@@ -15,6 +15,7 @@ CHECK_TYPE_check117="LEVEL1"
CHECK_SEVERITY_check117="Medium"
CHECK_ASFF_TYPE_check117="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ALTERNATE_check117="check117"
CHECK_SERVICENAME_check117="support"
check117(){
# "Maintain current contact details (Scored)"
@@ -15,6 +15,7 @@ CHECK_TYPE_check118="LEVEL1"
CHECK_SEVERITY_check118="Medium"
CHECK_ASFF_TYPE_check118="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ALTERNATE_check118="check118"
CHECK_SERVICENAME_check118="support"
check118(){
# "Ensure security contact information is registered (Scored)"
@@ -16,6 +16,7 @@ CHECK_SEVERITY_check119="Medium"
CHECK_ASFF_TYPE_check119="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check119="AwsEc2Instance"
CHECK_ALTERNATE_check119="check119"
CHECK_SERVICENAME_check119="ec2"
check119(){
for regx in $REGIONS; do
@@ -17,6 +17,7 @@ CHECK_ASFF_TYPE_check12="Software and Configuration Checks/Industry and Regulato
CHECK_ASFF_RESOURCE_TYPE_check12="AwsIamUser"
CHECK_ALTERNATE_check102="check12"
CHECK_ASFF_COMPLIANCE_TYPE_check12="ens-op.acc.5.aws.iam.1"
CHECK_SERVICENAME_check12="iam"
check12(){
# "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)"
@@ -17,6 +17,7 @@ CHECK_ASFF_TYPE_check120="Software and Configuration Checks/Industry and Regulat
CHECK_ASFF_RESOURCE_TYPE_check120="AwsIamRole"
CHECK_ALTERNATE_check120="check120"
CHECK_ASFF_COMPLIANCE_TYPE_check120="ens-op.acc.1.aws.iam.4"
CHECK_SERVICENAME_check120="iam"
check120(){
# "Ensure a support role has been created to manage incidents with AWS Support (Scored)"
@@ -17,6 +17,7 @@ CHECK_ASFF_TYPE_check121="Software and Configuration Checks/Industry and Regulat
CHECK_ASFF_RESOURCE_TYPE_check121="AwsIamUser"
CHECK_ALTERNATE_check121="check121"
CHECK_ASFF_COMPLIANCE_TYPE_check121="ens-op.acc.1.aws.iam.5"
CHECK_SERVICENAME_check121="iam"
check121(){
# "Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)"
@@ -16,6 +16,7 @@ CHECK_SEVERITY_check122="Medium"
CHECK_ASFF_TYPE_check122="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check122="AwsIamPolicy"
CHECK_ALTERNATE_check122="check122"
CHECK_SERVICENAME_check122="iam"
check122(){
# "Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)"
@@ -16,7 +16,8 @@ CHECK_SEVERITY_check13="Medium"
CHECK_ASFF_TYPE_check13="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check13="AwsIamUser"
CHECK_ALTERNATE_check103="check13"
CHECK_ASFF_COMPLIANCE_TYPE_check13="ens-op.acc.1.aws.iam.3,ens-op.acc.5.aws.iam.4"
CHECK_ASFF_COMPLIANCE_TYPE_check13="ens-op.acc.1.aws.iam.3 ens-op.acc.5.aws.iam.4"
CHECK_SERVICENAME_check13="iam"
check13(){
check_creds_used_in_last_days 90
@@ -16,7 +16,8 @@ CHECK_SEVERITY_check14="Medium"
CHECK_ASFF_TYPE_check14="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check14="AwsIamUser"
CHECK_ALTERNATE_check104="check14"
CHECK_ASFF_COMPLIANCE_TYPE_check14="ens-op.acc.1.aws.iam.4,ens-op.acc.5.aws.iam.3"
CHECK_ASFF_COMPLIANCE_TYPE_check14="ens-op.acc.1.aws.iam.4 ens-op.acc.5.aws.iam.3"
CHECK_SERVICENAME_check14="iam"
check14(){
# "Ensure access keys are rotated every 90 days or less (Scored)" # also checked by Security Monkey
@@ -15,6 +15,7 @@ CHECK_TYPE_check15="LEVEL1"
CHECK_SEVERITY_check15="Medium"
CHECK_ASFF_TYPE_check15="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ALTERNATE_check105="check15"
CHECK_SERVICENAME_check15="iam"
check15(){
# "Ensure IAM password policy requires at least one uppercase letter (Scored)"
@@ -15,6 +15,7 @@ CHECK_TYPE_check16="LEVEL1"
CHECK_SEVERITY_check16="Medium"
CHECK_ASFF_TYPE_check16="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ALTERNATE_check106="check16"
CHECK_SERVICENAME_check16="iam"
check16(){
# "Ensure IAM password policy require at least one lowercase letter (Scored)"
@@ -15,6 +15,7 @@ CHECK_TYPE_check17="LEVEL1"
CHECK_SEVERITY_check17="Medium"
CHECK_ASFF_TYPE_check17="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ALTERNATE_check107="check17"
CHECK_SERVICENAME_check17="iam"
check17(){
# "Ensure IAM password policy require at least one symbol (Scored)"
@@ -15,6 +15,7 @@ CHECK_TYPE_check18="LEVEL1"
CHECK_SEVERITY_check18="Medium"
CHECK_ASFF_TYPE_check18="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ALTERNATE_check108="check18"
CHECK_SERVICENAME_check18="iam"
check18(){
# "Ensure IAM password policy require at least one number (Scored)"
@@ -15,6 +15,7 @@ CHECK_TYPE_check19="LEVEL1"
CHECK_SEVERITY_check19="Medium"
CHECK_ASFF_TYPE_check19="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ALTERNATE_check109="check19"
CHECK_SERVICENAME_check19="iam"
check19(){
# "Ensure IAM password policy requires minimum length of 14 or greater (Scored)"
@@ -16,7 +16,8 @@ CHECK_SEVERITY_check21="High"
CHECK_ASFF_TYPE_check21="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check21="AwsCloudTrailTrail"
CHECK_ALTERNATE_check201="check21"
CHECK_ASFF_COMPLIANCE_TYPE_check21="ens-op.acc.7.aws.iam.1,ens-op.mon.1.aws.trail.1"
CHECK_ASFF_COMPLIANCE_TYPE_check21="ens-op.acc.7.aws.iam.1 ens-op.mon.1.aws.trail.1"
CHECK_SERVICENAME_check21="cloudtrail"
check21(){
trail_count=0
@@ -17,6 +17,7 @@ CHECK_ASFF_TYPE_check22="Software and Configuration Checks/Industry and Regulato
CHECK_ASFF_RESOURCE_TYPE_check22="AwsCloudTrailTrail"
CHECK_ALTERNATE_check202="check22"
CHECK_ASFF_COMPLIANCE_TYPE_check22="ens-op.exp.10.aws.trail.1"
CHECK_SERVICENAME_check22="cloudtrail"
check22(){
trail_count=0
@@ -16,7 +16,8 @@ CHECK_SEVERITY_check23="Critical"
CHECK_ASFF_TYPE_check23="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check23="AwsS3Bucket"
CHECK_ALTERNATE_check203="check23"
CHECK_ASFF_COMPLIANCE_TYPE_check23="ens-op.exp.10.aws.trail.3,ens-op.exp.10.aws.trail.4"
CHECK_ASFF_COMPLIANCE_TYPE_check23="ens-op.exp.10.aws.trail.3 ens-op.exp.10.aws.trail.4"
CHECK_SERVICENAME_check23="cloudtrail"
check23(){
# "Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)"
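Review bot: `CHECK_SERVICENAME_check23="cloudtrail"` sits next to `CHECK_ASFF_RESOURCE_TYPE_check23="AwsS3Bucket"`, while check26 in this same commit carries the same resource type and is tagged `s3`; both checks inspect the CloudTrail S3 bucket, so one of the two service names is most likely inconsistent with the other. Decide whether the field names the service whose API the check calls or the service the control belongs to, and apply that rule to both, e.g. `CHECK_SERVICENAME_check23="s3"` or `CHECK_SERVICENAME_check26="cloudtrail"`. A filter keyed on this value would otherwise return one of the two bucket checks and silently skip the other. check23's body continues outside the hunk.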
@@ -17,6 +17,7 @@ CHECK_ASFF_TYPE_check24="Software and Configuration Checks/Industry and Regulato
CHECK_ASFF_RESOURCE_TYPE_check24="AwsCloudTrailTrail"
CHECK_ALTERNATE_check204="check24"
CHECK_ASFF_COMPLIANCE_TYPE_check24="ens-op.exp.8.aws.cw.1"
CHECK_SERVICENAME_check24="cloudtrail"
check24(){
trail_count=0
@@ -16,6 +16,7 @@ CHECK_SEVERITY_check25="Medium"
CHECK_ASFF_TYPE_check25="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ALTERNATE_check205="check25"
CHECK_ASFF_COMPLIANCE_TYPE_check25="ens-op.exp.1.aws.cfg.1"
CHECK_SERVICENAME_check25="configservice"
check25(){
# "Ensure AWS Config is enabled in all regions (Scored)"
@@ -16,6 +16,7 @@ CHECK_SEVERITY_check26="Medium"
CHECK_ASFF_TYPE_check26="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check26="AwsS3Bucket"
CHECK_ALTERNATE_check206="check26"
CHECK_SERVICENAME_check26="s3"
check26(){
# "Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)"
@@ -17,6 +17,7 @@ CHECK_ASFF_TYPE_check27="Software and Configuration Checks/Industry and Regulato
CHECK_ASFF_RESOURCE_TYPE_check27="AwsCloudTrailTrail"
CHECK_ALTERNATE_check207="check27"
CHECK_ASFF_COMPLIANCE_TYPE_check27="ens-op.exp.10.aws.trail.5"
CHECK_SERVICENAME_check27="cloudtrail"
check27(){
trail_count=0
@@ -9,13 +9,14 @@
# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
CHECK_ID_check28="2.8"
CHECK_TITLE_check28="[check28] Ensure rotation for customer created CMKs is enabled (Scored)"
CHECK_TITLE_check28="[check28] Ensure rotation for customer created KMS CMKs is enabled (Scored)"
CHECK_SCORED_check28="SCORED"
CHECK_TYPE_check28="LEVEL2"
CHECK_SEVERITY_check28="Medium"
CHECK_ASFF_TYPE_check28="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check28="AwsKmsKey"
CHECK_ALTERNATE_check208="check28"
CHECK_SERVICENAME_check28="kms"
check28(){
# "Ensure rotation for customer created CMKs is enabled (Scored)"
@@ -17,6 +17,7 @@ CHECK_ASFF_TYPE_check29="Software and Configuration Checks/Industry and Regulato
CHECK_ASFF_RESOURCE_TYPE_check29="AwsEc2Vpc"
CHECK_ALTERNATE_check209="check29"
CHECK_ASFF_COMPLIANCE_TYPE_check29="ens-op.mon.1.aws.flow.1"
CHECK_SERVICENAME_check29="vpc"
check29(){
# "Ensure VPC Flow Logging is Enabled in all VPCs (Scored)"
@@ -42,6 +42,7 @@ CHECK_ASFF_TYPE_check31="Software and Configuration Checks/Industry and Regulato
CHECK_ASFF_RESOURCE_TYPE_check31="AwsCloudTrailTrail"
CHECK_ALTERNATE_check301="check31"
CHECK_ASFF_COMPLIANCE_TYPE_check31="ens-op.exp.8.aws.trail.2"
CHECK_SERVICENAME_check31="iam"
check31(){
check3x '\$\.errorCode\s*=\s*"\*UnauthorizedOperation".+\$\.errorCode\s*=\s*"AccessDenied\*"'
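Review bot: The 3.x metric-filter checks all declare `CHECK_ASFF_RESOURCE_TYPE_*="AwsCloudTrailTrail"` and dispatch through the shared `check3x` helper, yet the service names this commit assigns them diverge: check31–check34 and check36 get `iam`, check310 `ec2`, check311–check314 `vpc`, check35 `cloudtrail`, check37 `kms`, check38 `s3`, check39 `configservice`. If `CHECK_SERVICENAME` is meant to name the service a check queries, every one of these runs against CloudTrail/CloudWatch Logs, and a run filtered to e.g. `iam` would execute check31 while skipping its sibling filters; if it is meant to name the service whose activity is monitored, the values are defensible but the rule is nowhere stated. A comment at check31 recording the chosen rule, e.g. `# CHECK_SERVICENAME here names the service the metric filter monitors, not the API queried (CloudWatch Logs)`, would stop the next contributor from guessing. check31's body continues outside the hunk.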
@@ -41,6 +41,7 @@ CHECK_SEVERITY_check310="Medium"
CHECK_ASFF_TYPE_check310="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check310="AwsCloudTrailTrail"
CHECK_ALTERNATE_check310="check310"
CHECK_SERVICENAME_check310="ec2"
check310(){
check3x '\$\.eventName\s*=\s*AuthorizeSecurityGroupIngress.+\$\.eventName\s*=\s*AuthorizeSecurityGroupEgress.+\$\.eventName\s*=\s*RevokeSecurityGroupIngress.+\$\.eventName\s*=\s*RevokeSecurityGroupEgress.+\$\.eventName\s*=\s*CreateSecurityGroup.+\$\.eventName\s*=\s*DeleteSecurityGroup'
@@ -41,6 +41,7 @@ CHECK_SEVERITY_check311="Medium"
CHECK_ASFF_TYPE_check311="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check311="AwsCloudTrailTrail"
CHECK_ALTERNATE_check311="check311"
CHECK_SERVICENAME_check311="vpc"
check311(){
check3x '\$\.eventName\s*=\s*CreateNetworkAcl.+\$\.eventName\s*=\s*CreateNetworkAclEntry.+\$\.eventName\s*=\s*DeleteNetworkAcl.+\$\.eventName\s*=\s*DeleteNetworkAclEntry.+\$\.eventName\s*=\s*ReplaceNetworkAclEntry.+\$\.eventName\s*=\s*ReplaceNetworkAclAssociation'
@@ -41,6 +41,7 @@ CHECK_SEVERITY_check312="Medium"
CHECK_ASFF_TYPE_check312="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check312="AwsCloudTrailTrail"
CHECK_ALTERNATE_check312="check312"
CHECK_SERVICENAME_check312="vpc"
check312(){
check3x '\$\.eventName\s*=\s*CreateCustomerGateway.+\$\.eventName\s*=\s*DeleteCustomerGateway.+\$\.eventName\s*=\s*AttachInternetGateway.+\$\.eventName\s*=\s*CreateInternetGateway.+\$\.eventName\s*=\s*DeleteInternetGateway.+\$\.eventName\s*=\s*DetachInternetGateway'
@@ -41,6 +41,7 @@ CHECK_SEVERITY_check313="Medium"
CHECK_ASFF_TYPE_check313="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check313="AwsCloudTrailTrail"
CHECK_ALTERNATE_check313="check313"
CHECK_SERVICENAME_check313="vpc"
check313(){
check3x '\$\.eventName\s*=\s*CreateRoute.+\$\.eventName\s*=\s*CreateRouteTable.+\$\.eventName\s*=\s*ReplaceRoute.+\$\.eventName\s*=\s*ReplaceRouteTableAssociation.+\$\.eventName\s*=\s*DeleteRouteTable.+\$\.eventName\s*=\s*DeleteRoute.+\$\.eventName\s*=\s*DisassociateRouteTable'
@@ -41,6 +41,7 @@ CHECK_SEVERITY_check314="Medium"
CHECK_ASFF_TYPE_check314="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check314="AwsCloudTrailTrail"
CHECK_ALTERNATE_check314="check314"
CHECK_SERVICENAME_check314="vpc"
check314(){
check3x '\$\.eventName\s*=\s*CreateVpc.+\$\.eventName\s*=\s*DeleteVpc.+\$\.eventName\s*=\s*ModifyVpcAttribute.+\$\.eventName\s*=\s*AcceptVpcPeeringConnection.+\$\.eventName\s*=\s*CreateVpcPeeringConnection.+\$\.eventName\s*=\s*DeleteVpcPeeringConnection.+\$\.eventName\s*=\s*RejectVpcPeeringConnection.+\$\.eventName\s*=\s*AttachClassicLinkVpc.+\$\.eventName\s*=\s*DetachClassicLinkVpc.+\$\.eventName\s*=\s*DisableVpcClassicLink.+\$\.eventName\s*=\s*EnableVpcClassicLink'
@@ -42,6 +42,7 @@ CHECK_ASFF_TYPE_check32="Software and Configuration Checks/Industry and Regulato
CHECK_ASFF_RESOURCE_TYPE_check32="AwsCloudTrailTrail"
CHECK_ALTERNATE_check302="check32"
CHECK_ASFF_COMPLIANCE_TYPE_check32="ens-op.exp.8.aws.trail.4"
CHECK_SERVICENAME_check32="iam"
check32(){
check3x '\$\.eventName\s*=\s*"ConsoleLogin".+\$\.additionalEventData\.MFAUsed\s*!=\s*"Yes"'
@@ -42,6 +42,7 @@ CHECK_ASFF_TYPE_check33="Software and Configuration Checks/Industry and Regulato
CHECK_ASFF_RESOURCE_TYPE_check33="AwsCloudTrailTrail"
CHECK_ALTERNATE_check303="check33"
CHECK_ASFF_COMPLIANCE_TYPE_check33="ens-op.exp.8.aws.trail.5"
CHECK_SERVICENAME_check33="iam"
check33(){
check3x '\$\.userIdentity\.type\s*=\s*"Root".+\$\.userIdentity\.invokedBy NOT EXISTS.+\$\.eventType\s*!=\s*"AwsServiceEvent"'
@@ -42,6 +42,7 @@ CHECK_ASFF_TYPE_check34="Software and Configuration Checks/Industry and Regulato
CHECK_ASFF_RESOURCE_TYPE_check34="AwsCloudTrailTrail"
CHECK_ALTERNATE_check304="check34"
CHECK_ASFF_COMPLIANCE_TYPE_check34="ens-op.exp.8.aws.trail.6"
CHECK_SERVICENAME_check34="iam"
check34(){
check3x '\$\.eventName\s*=\s*DeleteGroupPolicy.+\$\.eventName\s*=\s*DeleteRolePolicy.+\$\.eventName\s*=\s*DeleteUserPolicy.+\$\.eventName\s*=\s*PutGroupPolicy.+\$\.eventName\s*=\s*PutRolePolicy.+\$\.eventName\s*=\s*PutUserPolicy.+\$\.eventName\s*=\s*CreatePolicy.+\$\.eventName\s*=\s*DeletePolicy.+\$\.eventName\s*=\s*CreatePolicyVersion.+\$\.eventName\s*=\s*DeletePolicyVersion.+\$\.eventName\s*=\s*AttachRolePolicy.+\$\.eventName\s*=\s*DetachRolePolicy.+\$\.eventName\s*=\s*AttachUserPolicy.+\$\.eventName\s*=\s*DetachUserPolicy.+\$\.eventName\s*=\s*AttachGroupPolicy.+\$\.eventName\s*=\s*DetachGroupPolicy'
@@ -42,6 +42,7 @@ CHECK_ASFF_TYPE_check35="Software and Configuration Checks/Industry and Regulato
CHECK_ASFF_RESOURCE_TYPE_check35="AwsCloudTrailTrail"
CHECK_ALTERNATE_check305="check35"
CHECK_ASFF_COMPLIANCE_TYPE_check35="ens-op.exp.8.aws.trail.1"
CHECK_SERVICENAME_check35="cloudtrail"
check35(){
check3x '\$\.eventName\s*=\s*CreateTrail.+\$\.eventName\s*=\s*UpdateTrail.+\$\.eventName\s*=\s*DeleteTrail.+\$\.eventName\s*=\s*StartLogging.+\$\.eventName\s*=\s*StopLogging'
@@ -42,6 +42,7 @@ CHECK_ASFF_TYPE_check36="Software and Configuration Checks/Industry and Regulato
CHECK_ASFF_RESOURCE_TYPE_check36="AwsCloudTrailTrail"
CHECK_ALTERNATE_check306="check36"
CHECK_ASFF_COMPLIANCE_TYPE_check36="ens-op.exp.8.aws.trail.3"
CHECK_SERVICENAME_check36="iam"
check36(){
check3x '\$\.eventName\s*=\s*ConsoleLogin.+\$\.errorMessage\s*=\s*"Failed authentication"'
@@ -34,7 +34,7 @@
# --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
CHECK_ID_check37="3.7"
CHECK_TITLE_check37="[check37] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)"
CHECK_TITLE_check37="[check37] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created KMS CMKs (Scored)"
CHECK_SCORED_check37="SCORED"
CHECK_TYPE_check37="LEVEL2"
CHECK_SEVERITY_check37="Medium"
@@ -42,6 +42,7 @@ CHECK_ASFF_TYPE_check37="Software and Configuration Checks/Industry and Regulato
CHECK_ASFF_RESOURCE_TYPE_check37="AwsCloudTrailTrail"
CHECK_ALTERNATE_check307="check37"
CHECK_ASFF_COMPLIANCE_TYPE_check37="ens-op.exp.11.aws.kms.1"
CHECK_SERVICENAME_check37="kms"
check37(){
check3x '\$\.eventSource\s*=\s*kms.amazonaws.com.+\$\.eventName\s*=\s*DisableKey.+\$\.eventName\s*=\s*ScheduleKeyDeletion'
@@ -41,6 +41,7 @@ CHECK_SEVERITY_check38="Medium"
CHECK_ASFF_TYPE_check38="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check38="AwsCloudTrailTrail"
CHECK_ALTERNATE_check308="check38"
CHECK_SERVICENAME_check38="s3"
check38(){
check3x '\$\.eventSource\s*=\s*s3.amazonaws.com.+\$\.eventName\s*=\s*PutBucketAcl.+\$\.eventName\s*=\s*PutBucketPolicy.+\$\.eventName\s*=\s*PutBucketCors.+\$\.eventName\s*=\s*PutBucketLifecycle.+\$\.eventName\s*=\s*PutBucketReplication.+\$\.eventName\s*=\s*DeleteBucketPolicy.+\$\.eventName\s*=\s*DeleteBucketCors.+\$\.eventName\s*=\s*DeleteBucketLifecycle.+\$\.eventName\s*=\s*DeleteBucketReplication'
@@ -41,6 +41,7 @@ CHECK_SEVERITY_check39="Medium"
CHECK_ASFF_TYPE_check39="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check39="AwsCloudTrailTrail"
CHECK_ALTERNATE_check309="check39"
CHECK_SERVICENAME_check39="configservice"
check39(){
check3x '\$\.eventSource\s*=\s*config.amazonaws.com.+\$\.eventName\s*=\s*StopConfigurationRecorder.+\$\.eventName\s*=\s*DeleteDeliveryChannel.+\$\.eventName\s*=\s*PutDeliveryChannel.+\$\.eventName\s*=\s*PutConfigurationRecorder'
@@ -17,6 +17,7 @@ CHECK_ASFF_TYPE_check41="Software and Configuration Checks/Industry and Regulato
CHECK_ASFF_RESOURCE_TYPE_check41="AwsEc2SecurityGroup"
CHECK_ALTERNATE_check401="check41"
CHECK_ASFF_COMPLIANCE_TYPE_check41="ens-mp.com.4.aws.sg.4"
CHECK_SERVICENAME_check41="ec2"
check41(){
# "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 22 (Scored)"
@@ -17,6 +17,7 @@ CHECK_ASFF_TYPE_check42="Software and Configuration Checks/Industry and Regulato
CHECK_ASFF_RESOURCE_TYPE_check42="AwsEc2SecurityGroup"
CHECK_ALTERNATE_check402="check42"
CHECK_ASFF_COMPLIANCE_TYPE_check42="ens-mp.com.4.aws.sg.5"
CHECK_SERVICENAME_check42="ec2"
check42(){
# "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389 (Scored)"
@@ -17,6 +17,7 @@ CHECK_ASFF_TYPE_check43="Software and Configuration Checks/Industry and Regulato
CHECK_ASFF_RESOURCE_TYPE_check43="AwsEc2SecurityGroup"
CHECK_ALTERNATE_check403="check43"
CHECK_ASFF_COMPLIANCE_TYPE_check43="ens-mp.com.4.aws.sg.1"
CHECK_SERVICENAME_check43="ec2"
check43(){
# "Ensure the default security group of every VPC restricts all traffic (Scored)"
@@ -16,6 +16,7 @@ CHECK_SEVERITY_check44="Medium"
CHECK_ASFF_TYPE_check44="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check44="AwsEc2Vpc"
CHECK_ALTERNATE_check404="check44"
CHECK_SERVICENAME_check44="vpc"
check44(){
# "Ensure routing tables for VPC peering are \"least access\" (Not Scored)"
@@ -20,6 +20,7 @@ CHECK_ALTERNATE_extra701="extra71"
CHECK_ALTERNATE_check71="extra71"
CHECK_ALTERNATE_check701="extra71"
CHECK_ASFF_COMPLIANCE_TYPE_extra71="ens-op.exp.10.aws.trail.2"
CHECK_SERVICENAME_extra71="iam"
extra71(){
# "Ensure users of groups with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)"
@@ -18,6 +18,7 @@ CHECK_SEVERITY_extra710="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra710="AwsEc2Instance"
CHECK_ALTERNATE_check710="extra710"
CHECK_ASFF_COMPLIANCE_TYPE_extra710="ens-mp.com.4.aws.vpc.1"
CHECK_SERVICENAME_extra710="ec2"
extra710(){
# "Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)"
@@ -22,6 +22,7 @@ CHECK_SEVERITY_extra7100="Critical"
CHECK_ASFF_RESOURCE_TYPE_extra7100="AwsIamPolicy"
CHECK_ALTERNATE_check7100="extra7100"
CHECK_ASFF_COMPLIANCE_TYPE_extra7100="ens-op.acc.2.aws.iam.1"
CHECK_SERVICENAME_extra7100="iam"
extra7100(){
# "Ensure that no custom policies exist which permit assuming any role (e.g. sts:AssumeRole on *)"
@@ -17,6 +17,7 @@ CHECK_TYPE_extra7101="EXTRA"
CHECK_SEVERITY_extra7101="Low"
CHECK_ASFF_RESOURCE_TYPE_extra7101="AwsElasticsearchDomain"
CHECK_ALTERNATE_check7101="extra7101"
CHECK_SERVICENAME_extra7101="es"
# More info
# Works for Amazon Elasticsearch Service domains (version 6.7+) with Fine Grained Access Control enabled
@@ -17,6 +17,7 @@ CHECK_TYPE_extra7102="EXTRA"
CHECK_SEVERITY_extra7102="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra7102="AwsEc2Eip"
CHECK_ALTERNATE_check7102="extra7102"
CHECK_SERVICENAME_extra7102="ec2"
# Watch out, always use Shodan API key, if you use `curl https://www.shodan.io/host/{ip}` massively
# your IP will be banned by Shodan
@@ -18,6 +18,7 @@ CHECK_TYPE_extra7103="EXTRA"
CHECK_ASFF_RESOURCE_TYPE_extra7103="AwsSageMakerNotebookInstance"
CHECK_ALTERNATE_check7103="extra7103"
CHECK_SEVERITY_extra7103="Medium"
CHECK_SERVICENAME_extra7103="sagemaker"
extra7103(){
for regx in ${REGIONS}; do
@@ -18,6 +18,7 @@ CHECK_TYPE_extra7104="EXTRA"
CHECK_ASFF_RESOURCE_TYPE_extra7104="AwsSageMakerNotebookInstance"
CHECK_ALTERNATE_check7104="extra7104"
CHECK_SEVERITY_extra7104="Medium"
CHECK_SERVICENAME_extra7104="sagemaker"
extra7104(){
for regx in ${REGIONS}; do
@@ -18,6 +18,7 @@ CHECK_TYPE_extra7105="EXTRA"
CHECK_ASFF_RESOURCE_TYPE_extra7105="AwsSageMakerModel"
CHECK_ALTERNATE_check7105="extra7105"
CHECK_SEVERITY_extra7105="Medium"
CHECK_SERVICENAME_extra7105="sagemaker"
extra7105(){
for regx in ${REGIONS}; do
@@ -18,6 +18,7 @@ CHECK_TYPE_extra7106="EXTRA"
CHECK_ASFF_RESOURCE_TYPE_extra7106="AwsSageMakerModel"
CHECK_ALTERNATE_check7106="extra7106"
CHECK_SEVERITY_extra7106="Medium"
CHECK_SERVICENAME_extra7106="sagemaker"
extra7106(){
for regx in ${REGIONS}; do
@@ -18,6 +18,7 @@ CHECK_TYPE_extra7107="EXTRA"
CHECK_ASFF_RESOURCE_TYPE_extra7107="AwsSageMakerNotebookInstance"
CHECK_ALTERNATE_check7107="extra7107"
CHECK_SEVERITY_extra7107="Medium"
CHECK_SERVICENAME_extra7107="sagemaker"
extra7107(){
for regx in ${REGIONS}; do
@@ -18,6 +18,7 @@ CHECK_TYPE_extra7108="EXTRA"
CHECK_ASFF_RESOURCE_TYPE_extra7108="AwsSageMakerNotebookInstance"
CHECK_ALTERNATE_check7108="extra7108"
CHECK_SEVERITY_extra7108="Medium"
CHECK_SERVICENAME_extra7108="sagemaker"
extra7108(){
for regx in ${REGIONS}; do
@@ -18,6 +18,7 @@ CHECK_TYPE_extra7109="EXTRA"
CHECK_ASFF_RESOURCE_TYPE_extra7109="AwsSageMakerNotebookInstance"
CHECK_ALTERNATE_check7109="extra7109"
CHECK_SEVERITY_extra7109="Medium"
CHECK_SERVICENAME_extra7109="sagemaker"
extra7109(){
for regx in ${REGIONS}; do
@@ -17,6 +17,7 @@ CHECK_TYPE_extra711="EXTRA"
CHECK_SEVERITY_extra711="High"
CHECK_ASFF_RESOURCE_TYPE_extra711="AwsRedshiftCluster"
CHECK_ALTERNATE_check711="extra711"
CHECK_SERVICENAME_extra711="redshift"
extra711(){
# "Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)"
@@ -18,6 +18,7 @@ CHECK_TYPE_extra7110="EXTRA"
CHECK_ASFF_RESOURCE_TYPE_extra7110="AwsSageMakerNotebookInstance"
CHECK_ALTERNATE_check7110="extra7110"
CHECK_SEVERITY_extra7110="Medium"
CHECK_SERVICENAME_extra7110="sagemaker"
extra7110(){
for regx in ${REGIONS}; do
@@ -18,6 +18,7 @@ CHECK_TYPE_extra7111="EXTRA"
CHECK_ASFF_RESOURCE_TYPE_extra7111="AwsSageMakerNotebookInstance"
CHECK_ALTERNATE_check7111="extra7111"
CHECK_SEVERITY_extra7111="Medium"
CHECK_SERVICENAME_extra7111="sagemaker"
extra7111(){
for regx in ${REGIONS}; do
@@ -18,6 +18,7 @@ CHECK_TYPE_extra7112="EXTRA"
CHECK_ASFF_RESOURCE_TYPE_extra7112="AwsSageMakerNotebookInstance"
CHECK_ALTERNATE_check7112="extra7112"
CHECK_SEVERITY_extra7112="Medium"
CHECK_SERVICENAME_extra7112="sagemaker"
extra7112(){
for regx in ${REGIONS}; do
@@ -29,6 +29,7 @@ CHECK_TYPE_extra7113="EXTRA"
CHECK_SEVERITY_extra7113="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra7113="AwsRdsDbInstance"
CHECK_ALTERNATE_check7113="extra7113"
CHECK_SERVICENAME_extra7113="rds"
extra7113(){
textInfo "Looking for RDS Volumes in all regions... "
@@ -18,6 +18,7 @@ CHECK_TYPE_extra7114="EXTRA"
CHECK_SEVERITY_extra7114="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra7114="AwsGlue"
CHECK_ALTERNATE_check7114="extra7114"
CHECK_SERVICENAME_extra7114="glue"
extra7114(){
for regx in $REGIONS; do
@@ -17,6 +17,7 @@ CHECK_TYPE_extra7115="EXTRA"
CHECK_SEVERITY_extra7115="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra7115="AwsGlue"
CHECK_ALTERNATE_check7115="extra7115"
CHECK_SERVICENAME_extra7115="glue"
extra7115(){
for regx in $REGIONS; do
@@ -17,6 +17,7 @@ CHECK_TYPE_extra7116="EXTRA"
|
||||
CHECK_SEVERITY_extra7116="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7116="AwsGlue"
|
||||
CHECK_ALTERNATE_check7116="extra7116"
|
||||
CHECK_SERVICENAME_extra7116="glue"
|
||||
|
||||
extra7116(){
|
||||
for regx in $REGIONS; do
|
||||
|
||||
@@ -17,6 +17,7 @@ CHECK_TYPE_extra7117="EXTRA"
|
||||
CHECK_SEVERITY_extra7117="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7117="AwsGlue"
|
||||
CHECK_ALTERNATE_check7117="extra7117"
|
||||
CHECK_SERVICENAME_extra7117="glue"
|
||||
|
||||
extra7117(){
|
||||
for regx in $REGIONS; do
|
||||
|
||||
@@ -17,6 +17,7 @@ CHECK_TYPE_extra7118="EXTRA"
|
||||
CHECK_SEVERITY_extra7118="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7118="AwsGlue"
|
||||
CHECK_ALTERNATE_check7118="extra7118"
|
||||
CHECK_SERVICENAME_extra7118="glue"
|
||||
|
||||
extra7118(){
|
||||
for regx in $REGIONS; do
|
||||
|
||||
@@ -18,6 +18,7 @@ CHECK_TYPE_extra7119="EXTRA"
|
||||
CHECK_SEVERITY_extra7119="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7119="AwsGlue"
|
||||
CHECK_ALTERNATE_check7119="extra7119"
|
||||
CHECK_SERVICENAME_extra7119="glue"
|
||||
|
||||
extra7119(){
|
||||
for regx in $REGIONS; do
|
||||
|
||||
@@ -16,6 +16,8 @@ CHECK_SCORED_extra712="NOT_SCORED"
|
||||
CHECK_TYPE_extra712="EXTRA"
|
||||
CHECK_SEVERITY_extra712="Low"
|
||||
CHECK_ALTERNATE_check712="extra712"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra712="AwsMacieSession"
|
||||
CHECK_SERVICENAME_extra712="macie"
|
||||
|
||||
extra712(){
|
||||
textInfo "No API commands available to check if Macie is enabled,"
|
||||
|
||||
@@ -17,6 +17,7 @@ CHECK_TYPE_extra7120="EXTRA"
|
||||
CHECK_SEVERITY_extra7120="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7120="AwsGlue"
|
||||
CHECK_ALTERNATE_check7120="extra7120"
|
||||
CHECK_SERVICENAME_extra7120="glue"
|
||||
|
||||
extra7120(){
|
||||
for regx in $REGIONS; do
|
||||
|
||||
@@ -18,6 +18,7 @@ CHECK_TYPE_extra7121="EXTRA"
|
||||
CHECK_SEVERITY_extra7121="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7121="AwsGlue"
|
||||
CHECK_ALTERNATE_check7121="extra7121"
|
||||
CHECK_SERVICENAME_extra7121="glue"
|
||||
|
||||
extra7121(){
|
||||
for regx in $REGIONS; do
|
||||
|
||||
@@ -17,6 +17,7 @@ CHECK_TYPE_extra7122="EXTRA"
|
||||
CHECK_SEVERITY_extra7122="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7122="AwsGlue"
|
||||
CHECK_ALTERNATE_check7122="extra7122"
|
||||
CHECK_SERVICENAME_extra7122="glue"
|
||||
|
||||
extra7122(){
|
||||
for regx in $REGIONS; do
|
||||
|
||||
@@ -19,6 +19,7 @@ CHECK_ASFF_TYPE_extra7123="Software and Configuration Checks/Industry and Regula
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7123="AwsIamUser"
|
||||
CHECK_ALTERNATE_check7123="extra7123"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra7123="ens-op.acc.1.aws.iam.2"
|
||||
CHECK_SERVICENAME_extra7123="iam"
|
||||
|
||||
extra7123(){
|
||||
LIST_OF_USERS_WITH_2ACCESS_KEYS=$(cat $TEMP_REPORT_FILE| awk -F, '{ print $1, $9, $14 }' |grep "\ true\ true" | awk '{ print $1 }')
|
||||
|
||||
@@ -17,7 +17,8 @@ CHECK_TYPE_extra7124="EXTRA"
|
||||
CHECK_SEVERITY_extra7124="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7124="AwsEc2Instance"
|
||||
CHECK_ALTERNATE_check7124="extra7124"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra7124="ens-op.exp.1.aws.sys.1,ens-op.acc.4.aws.sys.1"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra7124="ens-op.exp.1.aws.sys.1 ens-op.acc.4.aws.sys.1"
|
||||
CHECK_SERVICENAME_extra7124="ssm"
|
||||
|
||||
extra7124(){
|
||||
for regx in $REGIONS; do
|
||||
@@ -40,4 +41,4 @@ extra7124(){
|
||||
textInfo "$regx: No EC2 instances running found" "$regx"
|
||||
fi
|
||||
done
|
||||
}
|
||||
}
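Review bot: Besides the added `CHECK_SERVICENAME_extra7124="ssm"`, this section also rewrites `CHECK_ASFF_COMPLIANCE_TYPE_extra7124` from a comma-separated to a space-separated list (both versions are printed one after the other and this rendering does not mark which is old and which is new, but one replaces the other), which is a behaviour change for anything that splits that value and is not covered by the commit title "Added service name to all checks"; it should be its own commit or at least be mentioned in the description. Separately, the service tag `ssm` sits next to `CHECK_ASFF_RESOURCE_TYPE_extra7124="AwsEc2Instance"` and the message "No EC2 instances running found"; presumably the finding is about Systems Manager coverage of EC2 instances, so a one-line comment such as `# service is ssm, not ec2: the finding is about SSM coverage of the instance` would keep a later reader from "correcting" it to `ec2`. The body of extra7124 lies between the two hunks and is not visible here.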
|
||||
|
||||
@@ -18,6 +18,7 @@ CHECK_SEVERITY_extra7125="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7125="AwsIamUser"
|
||||
CHECK_ALTERNATE_check7125="extra7125"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra7125="ens-op.acc.5.aws.iam.2"
|
||||
CHECK_SERVICENAME_extra7125="iam"
|
||||
|
||||
extra7125(){
|
||||
LIST_USERS=$($AWSCLI iam list-users --query 'Users[*].UserName' --output text $PROFILE_OPT --region $REGION)
|
||||
|
||||
@@ -18,6 +18,7 @@ CHECK_SEVERITY_extra7126="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7126="AwsKmsKey"
|
||||
CHECK_ALTERNATE_check7126="extra7126"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra7126="op.exp.11.aws.kms.2"
|
||||
CHECK_SERVICENAME_extra7126="kms"
|
||||
|
||||
extra7126(){
|
||||
for regx in $REGIONS; do
|
||||
|
||||
@@ -18,7 +18,8 @@ CHECK_SEVERITY_extra7127="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7127="AwsEc2Instance"
|
||||
CHECK_ASFF_TYPE_extra7127="Software and Configuration Checks/ENS op.exp.4.aws.sys.1"
|
||||
CHECK_ALTERNATE_check7127="extra7127"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra7127="ens-op.exp.1.aws.sys.1,ens-op.exp.4.aws.sys.1"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra7127="ens-op.exp.1.aws.sys.1 ens-op.exp.4.aws.sys.1"
|
||||
CHECK_SERVICENAME_extra7127="ssm"
|
||||
|
||||
|
||||
extra7127(){
|
||||
@@ -40,4 +41,4 @@ extra7127(){
|
||||
textInfo "$regx: No EC2 managed instances found" "$regx"
|
||||
fi
|
||||
done
|
||||
}
|
||||
}
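Review bot: The `CHECK_ASFF_COMPLIANCE_TYPE_extra7127` line is changed in this section too (comma- versus space-separated list; this rendering does not mark which side is which), which is outside the stated scope of adding service names and alters what any consumer splitting that value will see; split it out or call it out in the description. The same separator change appears in the extra7124 section, so whichever form is intended should be checked against the other `CHECK_ASFF_COMPLIANCE_TYPE_*` values in this commit, all of which are single-valued here and give no hint. The function body lies between the two hunks and is not visible.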
|
||||
|
||||
@@ -18,6 +18,7 @@ CHECK_SEVERITY_extra7128="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7128="AwsDynamoDBTable"
|
||||
CHECK_ALTERNATE_check7128="extra7128"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra7128="ens-mp.info.3.aws.dyndb.1"
|
||||
CHECK_SERVICENAME_extra7128="dynamodb"
|
||||
|
||||
extra7128(){
|
||||
for regx in $REGIONS; do
|
||||
|
||||
@@ -18,6 +18,7 @@ CHECK_SEVERITY_extra7129="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7129="AwsElasticLoadBalancingV2LoadBalancer"
|
||||
CHECK_ALTERNATE_check7129="extra7129"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra7129="ens-mp.s.2.aws.waf.3"
|
||||
CHECK_SERVICENAME_extra7129="elb"
|
||||
|
||||
extra7129(){
|
||||
for regx in $REGIONS; do
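Review bot: `CHECK_SERVICENAME_extra7129="elb"` is attached to a check whose resource type is `AwsElasticLoadBalancingV2LoadBalancer`, while the classic load balancer check in this same commit (`extra717`, resource type `AwsElbLoadBalancer`) also receives `elb`. If the service name is meant for filtering or grouping findings, the two load balancer generations become indistinguishable; the AWS API namespace for v2 is `elbv2`, so `CHECK_SERVICENAME_extra7129="elbv2"` may be the better value — hedged, since the intended granularity of the service names is not stated anywhere in this diff. The body of extra7129 continues outside the hunk.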
|
||||
|
||||
@@ -17,6 +17,8 @@ CHECK_TYPE_extra713="EXTRA"
|
||||
CHECK_SEVERITY_extra713="High"
|
||||
CHECK_ALTERNATE_check713="extra713"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra713="ens-op.mon.1.aws.duty.1"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra713="AwsGuardDutyDetector"
|
||||
CHECK_SERVICENAME_extra713="guardduty"
|
||||
|
||||
extra713(){
|
||||
# "Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -18,6 +18,7 @@ CHECK_TYPE_extra7130="EXTRA"
|
||||
CHECK_SEVERITY_extra7130="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7130="AwsSnsTopic"
|
||||
CHECK_ALTERNATE_check7130="extra7130"
|
||||
CHECK_SERVICENAME_extra7130="sns"
|
||||
|
||||
extra7130(){
|
||||
textInfo "Looking for SNS Topics in all regions... "
|
||||
|
||||
@@ -17,6 +17,7 @@ CHECK_TYPE_extra7131="EXTRA"
|
||||
CHECK_SEVERITY_extra7131="Low"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7131="AwsRdsDbInstance"
|
||||
CHECK_ALTERNATE_check7131="extra7131"
|
||||
CHECK_SERVICENAME_extra7131="rds"
|
||||
|
||||
extra7131(){
|
||||
for regx in $REGIONS; do
|
||||
|
||||
@@ -17,6 +17,7 @@ CHECK_TYPE_extra714="EXTRA"
|
||||
CHECK_SEVERITY_extra714="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra714="AwsCloudFrontDistribution"
|
||||
CHECK_ALTERNATE_check714="extra714"
|
||||
CHECK_SERVICENAME_extra714="cloudfront"
|
||||
|
||||
extra714(){
|
||||
# "Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -17,6 +17,7 @@ CHECK_TYPE_extra715="EXTRA"
|
||||
CHECK_SEVERITY_extra715="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra715="AwsElasticsearchDomain"
|
||||
CHECK_ALTERNATE_check715="extra715"
|
||||
CHECK_SERVICENAME_extra715="es"
|
||||
|
||||
extra715(){
|
||||
for regx in $REGIONS; do
|
||||
|
||||
@@ -17,6 +17,7 @@ CHECK_TYPE_extra716="EXTRA"
|
||||
CHECK_SEVERITY_extra716="Critical"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra716="AwsElasticsearchDomain"
|
||||
CHECK_ALTERNATE_check716="extra716"
|
||||
CHECK_SERVICENAME_extra716="es"
|
||||
|
||||
extra716(){
|
||||
for regx in $REGIONS; do
|
||||
|
||||
@@ -17,6 +17,7 @@ CHECK_TYPE_extra717="EXTRA"
|
||||
CHECK_SEVERITY_extra717="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra717="AwsElbLoadBalancer"
|
||||
CHECK_ALTERNATE_check717="extra717"
|
||||
CHECK_SERVICENAME_extra717="elb"
|
||||
|
||||
extra717(){
|
||||
# "Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -17,6 +17,7 @@ CHECK_TYPE_extra718="EXTRA"
|
||||
CHECK_SEVERITY_extra718="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra718="AwsS3Bucket"
|
||||
CHECK_ALTERNATE_check718="extra718"
|
||||
CHECK_SERVICENAME_extra718="s3"
|
||||
|
||||
extra718(){
|
||||
# "Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -16,6 +16,8 @@ CHECK_SCORED_extra719="NOT_SCORED"
|
||||
CHECK_TYPE_extra719="EXTRA"
|
||||
CHECK_SEVERITY_extra719="Medium"
|
||||
CHECK_ALTERNATE_check719="extra719"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra719="AwsRoute53HostedZone"
|
||||
CHECK_SERVICENAME_extra719="route53"
|
||||
|
||||
extra719(){
|
||||
# You can't create a query logging config for a private hosted zone.
|
||||
|
||||
@@ -19,6 +19,7 @@ CHECK_ASFF_RESOURCE_TYPE_extra72="AwsEc2Snapshot"
|
||||
CHECK_ALTERNATE_extra702="extra72"
|
||||
CHECK_ALTERNATE_check72="extra72"
|
||||
CHECK_ALTERNATE_check702="extra72"
|
||||
CHECK_SERVICENAME_check72="ec2"
|
||||
|
||||
extra72(){
|
||||
# "Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark)"
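Review bot: The new variable in this hunk is named `CHECK_SERVICENAME_check72` while the check's primary id is `extra72` (see `extra72(){` below it, and every sibling hunk in this commit, which use `CHECK_SERVICENAME_extra<id>`); whatever resolves the service name from the check id will not find this one, so the public-EBS-snapshot check would be the only one left without a service. The line should read `CHECK_SERVICENAME_extra72="ec2"`. The `check72`/`check702` spellings visible above are alias entries under `CHECK_ALTERNATE_`, not the id the other `CHECK_*` metadata is keyed on. extra72's body continues outside the hunk.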
|
||||
|
||||
@@ -17,6 +17,7 @@ CHECK_TYPE_extra720="EXTRA"
|
||||
CHECK_SEVERITY_extra720="Low"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra720="AwsLambdaFunction"
|
||||
CHECK_ALTERNATE_check720="extra720"
|
||||
CHECK_SERVICENAME_extra720="lambda"
|
||||
|
||||
extra720(){
|
||||
# "Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -17,6 +17,7 @@ CHECK_TYPE_extra721="EXTRA"
|
||||
CHECK_SEVERITY_extra721="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra721="AwsRedshiftCluster"
|
||||
CHECK_ALTERNATE_check721="extra721"
|
||||
CHECK_SERVICENAME_extra721="redshift"
|
||||
|
||||
extra721(){
|
||||
# "Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -17,6 +17,7 @@ CHECK_TYPE_extra722="EXTRA"
|
||||
CHECK_SEVERITY_extra722="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra722="AwsApiGatewayRestApi"
|
||||
CHECK_ALTERNATE_check722="extra722"
|
||||
CHECK_SERVICENAME_extra722="apigateway"
|
||||
|
||||
extra722(){
|
||||
# "Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -17,6 +17,7 @@ CHECK_TYPE_extra723="EXTRA"
|
||||
CHECK_SEVERITY_extra723="Critical"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra723="AwsRdsDbSnapshot"
|
||||
CHECK_ALTERNATE_check723="extra723"
|
||||
CHECK_SERVICENAME_extra723="rds"
|
||||
|
||||
extra723(){
|
||||
# "Check if RDS Snapshots are public (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -17,6 +17,7 @@ CHECK_TYPE_extra724="EXTRA"
|
||||
CHECK_SEVERITY_extra724="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra724="AwsCertificateManagerCertificate"
|
||||
CHECK_ALTERNATE_check724="extra724"
|
||||
CHECK_SERVICENAME_extra724="acm"
|
||||
|
||||
extra724(){
|
||||
# "Check if ACM certificates have Certificate Transparency logging enabled (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -18,6 +18,8 @@ CHECK_TYPE_extra725="EXTRA"
|
||||
CHECK_SEVERITY_extra725="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra725="AwsS3Bucket"
|
||||
CHECK_ALTERNATE_check725="extra725"
|
||||
CHECK_SERVICENAME_extra725="s3"
|
||||
|
||||
|
||||
# per Object-level logging is not configured at Bucket level but at CloudTrail trail level
|
||||
extra725(){
|
||||
|
||||
@@ -17,6 +17,7 @@ CHECK_SCORED_extra726="NOT_SCORED"
|
||||
CHECK_TYPE_extra726="EXTRA"
|
||||
CHECK_SEVERITY_extra726="Medium"
|
||||
CHECK_ALTERNATE_check726="extra726"
|
||||
CHECK_SERVICENAME_extra726="trustedadvisor"
|
||||
|
||||
extra726(){
|
||||
trap "exit" INT
|
||||
|
||||