From f85845c26b5a836a41efa512dd7ee2f7bf7f6f28 Mon Sep 17 00:00:00 2001 
From: Toni de la Fuente
Date: Fri, 22 Jan 2021 00:19:45 +0100
Subject: [PATCH] Added service name to all checks
---
 checks/check11 | 1 +
 checks/check110 | 1 +
 checks/check111 | 1 +
 checks/check112 | 1 +
 checks/check113 | 1 +
 checks/check114 | 1 +
 checks/check115 | 1 +
 checks/check116 | 1 +
 checks/check117 | 1 +
 checks/check118 | 1 +
 checks/check119 | 1 +
 checks/check12 | 1 +
 checks/check120 | 1 +
 checks/check121 | 1 +
 checks/check122 | 1 +
 checks/check13 | 3 ++-
 checks/check14 | 3 ++-
 checks/check15 | 1 +
 checks/check16 | 1 +
 checks/check17 | 1 +
 checks/check18 | 1 +
 checks/check19 | 1 +
 checks/check21 | 3 ++-
 checks/check22 | 1 +
 checks/check23 | 3 ++-
 checks/check24 | 1 +
 checks/check25 | 1 +
 checks/check26 | 1 +
 checks/check27 | 1 +
 checks/check28 | 3 ++-
 checks/check29 | 1 +
 checks/check31 | 1 +
 checks/check310 | 1 +
 checks/check311 | 1 +
 checks/check312 | 1 +
 checks/check313 | 1 +
 checks/check314 | 1 +
 checks/check32 | 1 +
 checks/check33 | 1 +
 checks/check34 | 1 +
 checks/check35 | 1 +
 checks/check36 | 1 +
 checks/check37 | 3 ++-
 checks/check38 | 1 +
 checks/check39 | 1 +
 checks/check41 | 1 +
 checks/check42 | 1 +
 checks/check43 | 1 +
 checks/check44 | 1 +
 checks/check_extra71 | 1 +
 checks/check_extra710 | 1 +
 checks/check_extra7100 | 1 +
 checks/check_extra7101 | 1 +
 checks/check_extra7102 | 1 +
 checks/check_extra7103 | 1 +
 checks/check_extra7104 | 1 +
 checks/check_extra7105 | 1 +
 checks/check_extra7106 | 1 +
 checks/check_extra7107 | 1 +
 checks/check_extra7108 | 1 +
 checks/check_extra7109 | 1 +
 checks/check_extra711 | 1 +
 checks/check_extra7110 | 1 +
 checks/check_extra7111 | 1 +
 checks/check_extra7112 | 1 +
 checks/check_extra7113 | 1 +
 checks/check_extra7114 | 1 +
 checks/check_extra7115 | 1 +
 checks/check_extra7116 | 1 +
 checks/check_extra7117 | 1 +
 checks/check_extra7118 | 1 +
 checks/check_extra7119 | 1 +
 checks/check_extra712 | 2 ++
 checks/check_extra7120 | 1 +
 checks/check_extra7121 | 1 +
 checks/check_extra7122 | 1 +
 checks/check_extra7123 | 1 +
 checks/check_extra7124 | 5 +++--
 checks/check_extra7125 | 1 +
 checks/check_extra7126 | 1 +
 checks/check_extra7127 | 5 +++--
 checks/check_extra7128 | 1 +
 checks/check_extra7129 | 1 +
 checks/check_extra713 | 2 ++
 checks/check_extra7130 | 1 +
 checks/check_extra7131 | 1 +
 checks/check_extra714 | 1 +
 checks/check_extra715 | 1 +
 checks/check_extra716 | 1 +
 checks/check_extra717 | 1 +
 checks/check_extra718 | 1 +
 checks/check_extra719 | 2 ++
 checks/check_extra72 | 1 +
 checks/check_extra720 | 1 +
 checks/check_extra721 | 1 +
 checks/check_extra722 | 1 +
 checks/check_extra723 | 1 +
 checks/check_extra724 | 1 +
 checks/check_extra725 | 2 ++
 checks/check_extra726 | 1 +
 checks/check_extra727 | 1 +
 checks/check_extra728 | 1 +
 checks/check_extra729 | 2 ++
 checks/check_extra73 | 1 +
 checks/check_extra730 | 1 +
 checks/check_extra731 | 1 +
 checks/check_extra732 | 1 +
 checks/check_extra733 | 1 +
 checks/check_extra734 | 1 +
 checks/check_extra735 | 1 +
 checks/check_extra736 | 1 +
 checks/check_extra737 | 1 +
 checks/check_extra738 | 1 +
 checks/check_extra739 | 1 +
 checks/check_extra74 | 1 +
 checks/check_extra740 | 1 +
 checks/check_extra741 | 1 +
 checks/check_extra742 | 1 +
 checks/check_extra743 | 1 +
 checks/check_extra744 | 1 +
 checks/check_extra745 | 1 +
 checks/check_extra746 | 1 +
 checks/check_extra747 | 1 +
 checks/check_extra748 | 1 +
 checks/check_extra749 | 1 +
 checks/check_extra75 | 1 +
 checks/check_extra750 | 1 +
 checks/check_extra751 | 1 +
 checks/check_extra752 | 1 +
 checks/check_extra753 | 1 +
 checks/check_extra754 | 1 +
 checks/check_extra755 | 1 +
 checks/check_extra756 | 1 +
 checks/check_extra757 | 1 +
 checks/check_extra758 | 1 +
 checks/check_extra759 | 1 +
 checks/check_extra76 | 1 +
 checks/check_extra760 | 1 +
 checks/check_extra761 | 1 +
 checks/check_extra762 | 1 +
 checks/check_extra763 | 1 +
 checks/check_extra764 | 1 +
 checks/check_extra765 | 1 +
 checks/check_extra767 | 1 +
 checks/check_extra768 | 1 +
 checks/check_extra769 | 1 +
 checks/check_extra77 | 1 +
 checks/check_extra770 | 1 +
 checks/check_extra771 | 1 +
 checks/check_extra772 | 1 +
 checks/check_extra773 | 1 +
 checks/check_extra774 | 1 +
 checks/check_extra775 | 1 +
 checks/check_extra776 | 1 +
 checks/check_extra777 | 1 +
 checks/check_extra778 | 1 +
 checks/check_extra779 | 1 +
 checks/check_extra78 | 1 +
 checks/check_extra780 | 1 +
 checks/check_extra781 | 1 +
 checks/check_extra782 | 1 +
 checks/check_extra783 | 1 +
 checks/check_extra784 | 1 +
 checks/check_extra785 | 1 +
 checks/check_extra786 | 1 +
 checks/check_extra787 | 1 +
 checks/check_extra788 | 1 +
 checks/check_extra789 | 1 +
 checks/check_extra79 | 2 ++
 checks/check_extra790 | 1 +
 checks/check_extra791 | 1 +
 checks/check_extra792 | 1 +
 checks/check_extra793 | 1 +
 checks/check_extra794 | 1 +
 checks/check_extra795 | 1 +
 checks/check_extra796 | 1 +
 checks/check_extra797 | 1 +
 checks/check_extra798 | 1 +
 checks/check_extra799 | 1 +
 179 files changed, 195 insertions(+), 10 deletions(-)
diff --git a/checks/check11 b/checks/check11
index 1776614e..c6cf4aef 100644
--- a/checks/check11
+++ b/checks/check11
@@ -15,6 +15,7 @@ CHECK_TYPE_check11="LEVEL1"
 CHECK_SEVERITY_check11="High"
 CHECK_ASFF_TYPE_check11="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check101="check11"
+CHECK_SERVICENAME_check11="iam"
 check11(){
 # "Avoid the use of the root account (Scored)."
diff --git a/checks/check110 b/checks/check110
index d483a650..9c6e4a85 100644
--- a/checks/check110
+++ b/checks/check110
@@ -15,6 +15,7 @@ CHECK_TYPE_check110="LEVEL1"
 CHECK_SEVERITY_check110="Medium"
 CHECK_ASFF_TYPE_check110="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check110="check110"
+CHECK_SERVICENAME_check110="iam"
 check110(){
 # "Ensure IAM password policy prevents password reuse: 24 or greater (Scored)"
diff --git a/checks/check111 b/checks/check111
index 805ab9b6..71c44c65 100644
--- a/checks/check111
+++ b/checks/check111
@@ -15,6 +15,7 @@ CHECK_TYPE_check111="LEVEL1"
 CHECK_SEVERITY_check111="Medium"
 CHECK_ASFF_TYPE_check111="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check111="check111"
+CHECK_SERVICENAME_check111="iam"
 check111(){
 # "Ensure IAM password policy expires passwords within 90 days or less (Scored)"
diff --git a/checks/check112 b/checks/check112
index e202e249..9dd95dbf 100644
--- a/checks/check112
+++ b/checks/check112
@@ -15,6 +15,7 @@ CHECK_TYPE_check112="LEVEL1"
 CHECK_SEVERITY_check112="Critical"
 CHECK_ASFF_TYPE_check112="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check112="check112"
+CHECK_SERVICENAME_check112="iam"
 check112(){
 # "Ensure no root account access key exists (Scored)"
diff --git a/checks/check113 b/checks/check113
index 04716f5d..752fe67b 100644
--- a/checks/check113
+++ b/checks/check113
@@ -15,6 +15,7 @@ CHECK_TYPE_check113="LEVEL1"
 CHECK_SEVERITY_check113="Critical"
 CHECK_ASFF_TYPE_check113="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check113="check113"
+CHECK_SERVICENAME_check113="iam"
 check113(){
 # "Ensure MFA is enabled for the root account (Scored)"
diff --git a/checks/check114 b/checks/check114
index 43be863c..4348a8ce 100644
--- a/checks/check114
+++ b/checks/check114
@@ -15,6 +15,7 @@ CHECK_TYPE_check114="LEVEL2"
 CHECK_SEVERITY_check114="Critical"
 CHECK_ASFF_TYPE_check114="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check114="check114"
+CHECK_SERVICENAME_check114="iam"
 check114(){
 # "Ensure hardware MFA is enabled for the root account (Scored)"
diff --git a/checks/check115 b/checks/check115
index dd30979c..461ba08c 100644
--- a/checks/check115
+++ b/checks/check115
@@ -15,6 +15,7 @@ CHECK_TYPE_check115="LEVEL1"
 CHECK_SEVERITY_check115="Medium"
 CHECK_ASFF_TYPE_check115="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check115="check115"
+CHECK_SERVICENAME_check115="support"
 check115(){
 # "Ensure security questions are registered in the AWS account (Not Scored)"
diff --git a/checks/check116 b/checks/check116
index 8b049496..1088ca4f 100644
--- a/checks/check116
+++ b/checks/check116
@@ -17,6 +17,7 @@ CHECK_ASFF_TYPE_check116="Software and Configuration Checks/Industry and Regulat
 CHECK_ASFF_RESOURCE_TYPE_check116="AwsIamUser"
 CHECK_ALTERNATE_check116="check116"
 CHECK_ASFF_COMPLIANCE_TYPE_check116="ens-op.acc.3.aws.iam.1"
+CHECK_SERVICENAME_check116="iam"
 check116(){
 # "Ensure IAM policies are attached only to groups or roles (Scored)"
diff --git a/checks/check117 b/checks/check117
index ed1fcff5..0369eda1 100644
--- a/checks/check117
+++ b/checks/check117
@@ -15,6 +15,7 @@ CHECK_TYPE_check117="LEVEL1"
 CHECK_SEVERITY_check117="Medium"
 CHECK_ASFF_TYPE_check117="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check117="check117"
+CHECK_SERVICENAME_check117="support"
 check117(){
 # "Maintain current contact details (Scored)"
diff --git a/checks/check118 b/checks/check118
index 821972eb..3e23d54c 100644
--- a/checks/check118
+++ b/checks/check118
@@ -15,6 +15,7 @@ CHECK_TYPE_check118="LEVEL1"
 CHECK_SEVERITY_check118="Medium"
 CHECK_ASFF_TYPE_check118="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check118="check118"
+CHECK_SERVICENAME_check118="support"
 check118(){
 # "Ensure security contact information is registered (Scored)"
diff --git a/checks/check119 b/checks/check119
index 63557bbe..96a540b1 100644
--- a/checks/check119
+++ b/checks/check119
@@ -16,6 +16,7 @@ CHECK_SEVERITY_check119="Medium"
 CHECK_ASFF_TYPE_check119="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check119="AwsEc2Instance"
 CHECK_ALTERNATE_check119="check119"
+CHECK_SERVICENAME_check119="ec2"
 check119(){
 for regx in $REGIONS; do
diff --git a/checks/check12 b/checks/check12
index 77620418..6d1a1975 100644
--- a/checks/check12
+++ b/checks/check12
@@ -17,6 +17,7 @@ CHECK_ASFF_TYPE_check12="Software and Configuration Checks/Industry and Regulato
 CHECK_ASFF_RESOURCE_TYPE_check12="AwsIamUser"
 CHECK_ALTERNATE_check102="check12"
 CHECK_ASFF_COMPLIANCE_TYPE_check12="ens-op.acc.5.aws.iam.1"
+CHECK_SERVICENAME_check12="iam"
 check12(){
 # "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)"
diff --git a/checks/check120 b/checks/check120
index ae25a345..fecf7c0e 100644
--- a/checks/check120
+++ b/checks/check120
@@ -17,6 +17,7 @@ CHECK_ASFF_TYPE_check120="Software and Configuration Checks/Industry and Regulat
 CHECK_ASFF_RESOURCE_TYPE_check120="AwsIamRole"
 CHECK_ALTERNATE_check120="check120"
 CHECK_ASFF_COMPLIANCE_TYPE_check120="ens-op.acc.1.aws.iam.4"
+CHECK_SERVICENAME_check120="iam"
 check120(){
 # "Ensure a support role has been created to manage incidents with AWS Support (Scored)"
diff --git a/checks/check121 b/checks/check121
index 530a98e7..af53ff18 100644
--- a/checks/check121
+++ b/checks/check121
@@ -17,6 +17,7 @@ CHECK_ASFF_TYPE_check121="Software and Configuration Checks/Industry and Regulat
 CHECK_ASFF_RESOURCE_TYPE_check121="AwsIamUser"
 CHECK_ALTERNATE_check121="check121"
 CHECK_ASFF_COMPLIANCE_TYPE_check121="ens-op.acc.1.aws.iam.5"
+CHECK_SERVICENAME_check121="iam"
 check121(){
 # "Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)"
diff --git a/checks/check122 b/checks/check122
index ec13a27e..013dafe8 100644
--- a/checks/check122
+++ b/checks/check122
@@ -16,6 +16,7 @@ CHECK_SEVERITY_check122="Medium"
 CHECK_ASFF_TYPE_check122="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check122="AwsIamPolicy"
 CHECK_ALTERNATE_check122="check122"
+CHECK_SERVICENAME_check122="iam"
 check122(){
 # "Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)"
diff --git a/checks/check13 b/checks/check13
index a6228207..14da7201 100644
--- a/checks/check13
+++ b/checks/check13
@@ -16,7 +16,8 @@ CHECK_SEVERITY_check13="Medium"
 CHECK_ASFF_TYPE_check13="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check13="AwsIamUser"
 CHECK_ALTERNATE_check103="check13"
-CHECK_ASFF_COMPLIANCE_TYPE_check13="ens-op.acc.1.aws.iam.3,ens-op.acc.5.aws.iam.4"
+CHECK_ASFF_COMPLIANCE_TYPE_check13="ens-op.acc.1.aws.iam.3 ens-op.acc.5.aws.iam.4"
+CHECK_SERVICENAME_check13="iam"
 check13(){
 check_creds_used_in_last_days 90
diff --git a/checks/check14 b/checks/check14
index 91971a59..8743d08c 100644
--- a/checks/check14
+++ b/checks/check14
@@ -16,7 +16,8 @@ CHECK_SEVERITY_check14="Medium"
 CHECK_ASFF_TYPE_check14="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check14="AwsIamUser"
 CHECK_ALTERNATE_check104="check14"
-CHECK_ASFF_COMPLIANCE_TYPE_check14="ens-op.acc.1.aws.iam.4,ens-op.acc.5.aws.iam.3"
+CHECK_ASFF_COMPLIANCE_TYPE_check14="ens-op.acc.1.aws.iam.4 ens-op.acc.5.aws.iam.3"
+CHECK_SERVICENAME_check14="iam"
 check14(){
 # "Ensure access keys are rotated every 90 days or less (Scored)" # also checked by Security Monkey
diff --git a/checks/check15 b/checks/check15
index 9ee8159a..49a35d45 100644
--- a/checks/check15
+++ b/checks/check15
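Review bot: The separator inside `CHECK_ASFF_COMPLIANCE_TYPE_check13` changes from a comma to a space in the checks/check13 hunk, and nothing in this patch shows the code that reads the variable being updated to match; check14, check21 and check23 receive the same edit. The consumer is outside the patch, so this is unconfirmed, but a reader that still splits on commas would presumably emit the two ENS identifiers as one malformed compliance value in the findings output. The format change is also not covered by the commit subject, so I would move it to its own commit and document the expected format beside the variable, for example `# space-separated list of ENS control identifiers`. The body of check13() continues outside the hunk.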
@@ -15,6 +15,7 @@ CHECK_TYPE_check15="LEVEL1"
 CHECK_SEVERITY_check15="Medium"
 CHECK_ASFF_TYPE_check15="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check105="check15"
+CHECK_SERVICENAME_check15="iam"
 check15(){
 # "Ensure IAM password policy requires at least one uppercase letter (Scored)"
diff --git a/checks/check16 b/checks/check16
index 5545ad20..7e682b48 100644
--- a/checks/check16
+++ b/checks/check16
@@ -15,6 +15,7 @@ CHECK_TYPE_check16="LEVEL1"
 CHECK_SEVERITY_check16="Medium"
 CHECK_ASFF_TYPE_check16="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check106="check16"
+CHECK_SERVICENAME_check16="iam"
 check16(){
 # "Ensure IAM password policy require at least one lowercase letter (Scored)"
diff --git a/checks/check17 b/checks/check17
index dd7d03f3..1afe6fab 100644
--- a/checks/check17
+++ b/checks/check17
@@ -15,6 +15,7 @@ CHECK_TYPE_check17="LEVEL1"
 CHECK_SEVERITY_check17="Medium"
 CHECK_ASFF_TYPE_check17="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check107="check17"
+CHECK_SERVICENAME_check17="iam"
 check17(){
 # "Ensure IAM password policy require at least one symbol (Scored)"
diff --git a/checks/check18 b/checks/check18
index 676281fc..7749128a 100644
--- a/checks/check18
+++ b/checks/check18
@@ -15,6 +15,7 @@ CHECK_TYPE_check18="LEVEL1"
 CHECK_SEVERITY_check18="Medium"
 CHECK_ASFF_TYPE_check18="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check108="check18"
+CHECK_SERVICENAME_check18="iam"
 check18(){
 # "Ensure IAM password policy require at least one number (Scored)"
diff --git a/checks/check19 b/checks/check19
index bb81398f..42fe5bdf 100644
--- a/checks/check19
+++ b/checks/check19
@@ -15,6 +15,7 @@ CHECK_TYPE_check19="LEVEL1"
 CHECK_SEVERITY_check19="Medium"
 CHECK_ASFF_TYPE_check19="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check109="check19"
+CHECK_SERVICENAME_check19="iam"
 check19(){
 # "Ensure IAM password policy requires minimum length of 14 or greater (Scored)"
diff --git a/checks/check21 b/checks/check21
index d89c14cb..d011cc1e 100644
--- a/checks/check21
+++ b/checks/check21
@@ -16,7 +16,8 @@ CHECK_SEVERITY_check21="High"
 CHECK_ASFF_TYPE_check21="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check21="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check201="check21"
-CHECK_ASFF_COMPLIANCE_TYPE_check21="ens-op.acc.7.aws.iam.1,ens-op.mon.1.aws.trail.1"
+CHECK_ASFF_COMPLIANCE_TYPE_check21="ens-op.acc.7.aws.iam.1 ens-op.mon.1.aws.trail.1"
+CHECK_SERVICENAME_check21="cloudtrail"
 check21(){
 trail_count=0
diff --git a/checks/check22 b/checks/check22
index 3acc072c..27250905 100644
--- a/checks/check22
+++ b/checks/check22
@@ -17,6 +17,7 @@ CHECK_ASFF_TYPE_check22="Software and Configuration Checks/Industry and Regulato
 CHECK_ASFF_RESOURCE_TYPE_check22="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check202="check22"
 CHECK_ASFF_COMPLIANCE_TYPE_check22="ens-op.exp.10.aws.trail.1"
+CHECK_SERVICENAME_check22="cloudtrail"
 check22(){
 trail_count=0
diff --git a/checks/check23 b/checks/check23
index 00d7dae6..237fdf68 100644
--- a/checks/check23
+++ b/checks/check23
@@ -16,7 +16,8 @@ CHECK_SEVERITY_check23="Critical"
 CHECK_ASFF_TYPE_check23="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check23="AwsS3Bucket"
 CHECK_ALTERNATE_check203="check23"
-CHECK_ASFF_COMPLIANCE_TYPE_check23="ens-op.exp.10.aws.trail.3,ens-op.exp.10.aws.trail.4"
+CHECK_ASFF_COMPLIANCE_TYPE_check23="ens-op.exp.10.aws.trail.3 ens-op.exp.10.aws.trail.4"
+CHECK_SERVICENAME_check23="cloudtrail"
 check23(){
 # "Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)"
diff --git a/checks/check24 b/checks/check24
index 8ce255d3..0e018afd 100644
--- a/checks/check24
+++ b/checks/check24
@@ -17,6 +17,7 @@ CHECK_ASFF_TYPE_check24="Software and Configuration Checks/Industry and Regulato
 CHECK_ASFF_RESOURCE_TYPE_check24="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check204="check24"
 CHECK_ASFF_COMPLIANCE_TYPE_check24="ens-op.exp.8.aws.cw.1"
+CHECK_SERVICENAME_check24="cloudtrail"
 check24(){
 trail_count=0
diff --git a/checks/check25 b/checks/check25
index 8b008c89..bdeaabba 100644
--- a/checks/check25
+++ b/checks/check25
@@ -16,6 +16,7 @@ CHECK_SEVERITY_check25="Medium"
 CHECK_ASFF_TYPE_check25="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check205="check25"
 CHECK_ASFF_COMPLIANCE_TYPE_check25="ens-op.exp.1.aws.cfg.1"
+CHECK_SERVICENAME_check25="configservice"
 check25(){
 # "Ensure AWS Config is enabled in all regions (Scored)"
diff --git a/checks/check26 b/checks/check26
index 757a352d..8b7c5fd4 100644
--- a/checks/check26
+++ b/checks/check26
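Review bot: `CHECK_SERVICENAME_check23="cloudtrail"` in checks/check23 does not follow the same rule as the neighbouring checks: check23 has resource type `AwsS3Bucket` and concerns the bucket that receives CloudTrail logs, yet check26, which covers access logging on that same bucket, is tagged `s3`. The 3.x metric-filter checks (check31 to check39, check310 to check314) go a third way, carrying `AwsCloudTrailTrail` as resource type but the monitored service (`iam`, `ec2`, `vpc`, `s3`, `kms`, `configservice`) as service name. How the variable is consumed is not visible here; if it is used to select or group checks, an audit scoped to one service would silently omit some of the controls an operator expects for it. I would settle on one meaning and state it where the variable is introduced, for example `# CHECK_SERVICENAME: AWS service whose resources this check evaluates`.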
@@ -16,6 +16,7 @@ CHECK_SEVERITY_check26="Medium"
 CHECK_ASFF_TYPE_check26="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check26="AwsS3Bucket"
 CHECK_ALTERNATE_check206="check26"
+CHECK_SERVICENAME_check26="s3"
 check26(){
 # "Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)"
diff --git a/checks/check27 b/checks/check27
index fc1779bc..bba7a604 100644
--- a/checks/check27
+++ b/checks/check27
@@ -17,6 +17,7 @@ CHECK_ASFF_TYPE_check27="Software and Configuration Checks/Industry and Regulato
 CHECK_ASFF_RESOURCE_TYPE_check27="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check207="check27"
 CHECK_ASFF_COMPLIANCE_TYPE_check27="ens-op.exp.10.aws.trail.5"
+CHECK_SERVICENAME_check27="cloudtrail"
 check27(){
 trail_count=0
diff --git a/checks/check28 b/checks/check28
index 36f21dd2..d15e9fec 100644
--- a/checks/check28
+++ b/checks/check28
@@ -9,13 +9,14 @@
 # work. If not, see .
 CHECK_ID_check28="2.8"
-CHECK_TITLE_check28="[check28] Ensure rotation for customer created CMKs is enabled (Scored)"
+CHECK_TITLE_check28="[check28] Ensure rotation for customer created KMS CMKs is enabled (Scored)"
 CHECK_SCORED_check28="SCORED"
 CHECK_TYPE_check28="LEVEL2"
 CHECK_SEVERITY_check28="Medium"
 CHECK_ASFF_TYPE_check28="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check28="AwsKmsKey"
 CHECK_ALTERNATE_check208="check28"
+CHECK_SERVICENAME_check28="kms"
 check28(){
 # "Ensure rotation for customer created CMKs is enabled (Scored)"
diff --git a/checks/check29 b/checks/check29
index 2546e341..9c93d50a 100644
--- a/checks/check29
+++ b/checks/check29
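Review bot: The comment on the first line of check28() still carries the old wording, so the retitled `CHECK_TITLE_check28` ("KMS CMKs") and the in-function description of the same control no longer agree. I would update the comment to `# "Ensure rotation for customer created KMS CMKs is enabled (Scored)"`. check37 gets the same title edit in its first hunk, and neither title change is mentioned in the commit message, which only speaks of service names; since the title presumably appears in reports, it deserves a line there. The body of check28() continues outside the hunk.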
@@ -17,6 +17,7 @@ CHECK_ASFF_TYPE_check29="Software and Configuration Checks/Industry and Regulato
 CHECK_ASFF_RESOURCE_TYPE_check29="AwsEc2Vpc"
 CHECK_ALTERNATE_check209="check29"
 CHECK_ASFF_COMPLIANCE_TYPE_check29="ens-op.mon.1.aws.flow.1"
+CHECK_SERVICENAME_check29="vpc"
 check29(){
 # "Ensure VPC Flow Logging is Enabled in all VPCs (Scored)"
diff --git a/checks/check31 b/checks/check31
index 469dc0c6..4677be39 100644
--- a/checks/check31
+++ b/checks/check31
@@ -42,6 +42,7 @@ CHECK_ASFF_TYPE_check31="Software and Configuration Checks/Industry and Regulato
 CHECK_ASFF_RESOURCE_TYPE_check31="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check301="check31"
 CHECK_ASFF_COMPLIANCE_TYPE_check31="ens-op.exp.8.aws.trail.2"
+CHECK_SERVICENAME_check31="iam"
 check31(){
 check3x '\$\.errorCode\s*=\s*"\*UnauthorizedOperation".+\$\.errorCode\s*=\s*"AccessDenied\*"'
diff --git a/checks/check310 b/checks/check310
index 0e2f6bd4..f53ac698 100644
--- a/checks/check310
+++ b/checks/check310
@@ -41,6 +41,7 @@ CHECK_SEVERITY_check310="Medium"
 CHECK_ASFF_TYPE_check310="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check310="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check310="check310"
+CHECK_SERVICENAME_check310="ec2"
 check310(){
 check3x '\$\.eventName\s*=\s*AuthorizeSecurityGroupIngress.+\$\.eventName\s*=\s*AuthorizeSecurityGroupEgress.+\$\.eventName\s*=\s*RevokeSecurityGroupIngress.+\$\.eventName\s*=\s*RevokeSecurityGroupEgress.+\$\.eventName\s*=\s*CreateSecurityGroup.+\$\.eventName\s*=\s*DeleteSecurityGroup'
diff --git a/checks/check311 b/checks/check311
index ac6fac4c..dcd53b24 100644
--- a/checks/check311
+++ b/checks/check311
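Review bot: `CHECK_SERVICENAME_check29="vpc"` in checks/check29 is the one value in this patch that does not look like an AWS CLI service name; the others (`iam`, `ec2`, `s3`, `kms`, `cloudtrail`, `configservice`, `es`, `support`) appear to follow that vocabulary, under which VPC resources belong to `ec2`. The same value is used in check311 to check314 and check44, while check43, which inspects the default security group of every VPC, is tagged `ec2`. If the names are meant to line up with CLI or API services this is worth correcting; if `vpc` is a deliberate category, a comment listing the allowed values, such as `# allowed CHECK_SERVICENAME values: <list maintained by the project>`, would keep later checks consistent. The body of check29() continues outside the hunk.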
@@ -41,6 +41,7 @@ CHECK_SEVERITY_check311="Medium"
 CHECK_ASFF_TYPE_check311="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check311="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check311="check311"
+CHECK_SERVICENAME_check311="vpc"
 check311(){
 check3x '\$\.eventName\s*=\s*CreateNetworkAcl.+\$\.eventName\s*=\s*CreateNetworkAclEntry.+\$\.eventName\s*=\s*DeleteNetworkAcl.+\$\.eventName\s*=\s*DeleteNetworkAclEntry.+\$\.eventName\s*=\s*ReplaceNetworkAclEntry.+\$\.eventName\s*=\s*ReplaceNetworkAclAssociation'
diff --git a/checks/check312 b/checks/check312
index 548fd97c..2761159b 100644
--- a/checks/check312
+++ b/checks/check312
@@ -41,6 +41,7 @@ CHECK_SEVERITY_check312="Medium"
 CHECK_ASFF_TYPE_check312="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check312="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check312="check312"
+CHECK_SERVICENAME_check312="vpc"
 check312(){
 check3x '\$\.eventName\s*=\s*CreateCustomerGateway.+\$\.eventName\s*=\s*DeleteCustomerGateway.+\$\.eventName\s*=\s*AttachInternetGateway.+\$\.eventName\s*=\s*CreateInternetGateway.+\$\.eventName\s*=\s*DeleteInternetGateway.+\$\.eventName\s*=\s*DetachInternetGateway'
diff --git a/checks/check313 b/checks/check313
index d08ce15a..ac014d8b 100644
--- a/checks/check313
+++ b/checks/check313
@@ -41,6 +41,7 @@ CHECK_SEVERITY_check313="Medium"
 CHECK_ASFF_TYPE_check313="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check313="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check313="check313"
+CHECK_SERVICENAME_check313="vpc"
 check313(){
 check3x '\$\.eventName\s*=\s*CreateRoute.+\$\.eventName\s*=\s*CreateRouteTable.+\$\.eventName\s*=\s*ReplaceRoute.+\$\.eventName\s*=\s*ReplaceRouteTableAssociation.+\$\.eventName\s*=\s*DeleteRouteTable.+\$\.eventName\s*=\s*DeleteRoute.+\$\.eventName\s*=\s*DisassociateRouteTable'
diff --git a/checks/check314 b/checks/check314
index 4161f855..a30a0d8e 100644
--- a/checks/check314
+++ b/checks/check314
@@ -41,6 +41,7 @@ CHECK_SEVERITY_check314="Medium"
 CHECK_ASFF_TYPE_check314="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check314="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check314="check314"
+CHECK_SERVICENAME_check314="vpc"
 check314(){
 check3x '\$\.eventName\s*=\s*CreateVpc.+\$\.eventName\s*=\s*DeleteVpc.+\$\.eventName\s*=\s*ModifyVpcAttribute.+\$\.eventName\s*=\s*AcceptVpcPeeringConnection.+\$\.eventName\s*=\s*CreateVpcPeeringConnection.+\$\.eventName\s*=\s*DeleteVpcPeeringConnection.+\$\.eventName\s*=\s*RejectVpcPeeringConnection.+\$\.eventName\s*=\s*AttachClassicLinkVpc.+\$\.eventName\s*=\s*DetachClassicLinkVpc.+\$\.eventName\s*=\s*DisableVpcClassicLink.+\$\.eventName\s*=\s*EnableVpcClassicLink'
diff --git a/checks/check32 b/checks/check32
index c6f5acad..73fe480b 100644
--- a/checks/check32
+++ b/checks/check32
@@ -42,6 +42,7 @@ CHECK_ASFF_TYPE_check32="Software and Configuration Checks/Industry and Regulato
 CHECK_ASFF_RESOURCE_TYPE_check32="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check302="check32"
 CHECK_ASFF_COMPLIANCE_TYPE_check32="ens-op.exp.8.aws.trail.4"
+CHECK_SERVICENAME_check32="iam"
 check32(){
 check3x '\$\.eventName\s*=\s*"ConsoleLogin".+\$\.additionalEventData\.MFAUsed\s*!=\s*"Yes"'
diff --git a/checks/check33 b/checks/check33
index 779d95a1..8044ebe0 100644
--- a/checks/check33
+++ b/checks/check33
@@ -42,6 +42,7 @@ CHECK_ASFF_TYPE_check33="Software and Configuration Checks/Industry and Regulato
 CHECK_ASFF_RESOURCE_TYPE_check33="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check303="check33"
 CHECK_ASFF_COMPLIANCE_TYPE_check33="ens-op.exp.8.aws.trail.5"
+CHECK_SERVICENAME_check33="iam"
 check33(){
 check3x '\$\.userIdentity\.type\s*=\s*"Root".+\$\.userIdentity\.invokedBy NOT EXISTS.+\$\.eventType\s*!=\s*"AwsServiceEvent"'
diff --git a/checks/check34 b/checks/check34
index 2765f92e..ed272edd 100644
--- a/checks/check34
+++ b/checks/check34
@@ -42,6 +42,7 @@ CHECK_ASFF_TYPE_check34="Software and Configuration Checks/Industry and Regulato
 CHECK_ASFF_RESOURCE_TYPE_check34="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check304="check34"
 CHECK_ASFF_COMPLIANCE_TYPE_check34="ens-op.exp.8.aws.trail.6"
+CHECK_SERVICENAME_check34="iam"
 check34(){
 check3x '\$\.eventName\s*=\s*DeleteGroupPolicy.+\$\.eventName\s*=\s*DeleteRolePolicy.+\$\.eventName\s*=\s*DeleteUserPolicy.+\$\.eventName\s*=\s*PutGroupPolicy.+\$\.eventName\s*=\s*PutRolePolicy.+\$\.eventName\s*=\s*PutUserPolicy.+\$\.eventName\s*=\s*CreatePolicy.+\$\.eventName\s*=\s*DeletePolicy.+\$\.eventName\s*=\s*CreatePolicyVersion.+\$\.eventName\s*=\s*DeletePolicyVersion.+\$\.eventName\s*=\s*AttachRolePolicy.+\$\.eventName\s*=\s*DetachRolePolicy.+\$\.eventName\s*=\s*AttachUserPolicy.+\$\.eventName\s*=\s*DetachUserPolicy.+\$\.eventName\s*=\s*AttachGroupPolicy.+\$\.eventName\s*=\s*DetachGroupPolicy'
diff --git a/checks/check35 b/checks/check35
index 50c09212..8157a6a4 100644
--- a/checks/check35
+++ b/checks/check35
@@ -42,6 +42,7 @@ CHECK_ASFF_TYPE_check35="Software and Configuration Checks/Industry and Regulato
 CHECK_ASFF_RESOURCE_TYPE_check35="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check305="check35"
 CHECK_ASFF_COMPLIANCE_TYPE_check35="ens-op.exp.8.aws.trail.1"
+CHECK_SERVICENAME_check35="cloudtrail"
 check35(){
 check3x '\$\.eventName\s*=\s*CreateTrail.+\$\.eventName\s*=\s*UpdateTrail.+\$\.eventName\s*=\s*DeleteTrail.+\$\.eventName\s*=\s*StartLogging.+\$\.eventName\s*=\s*StopLogging'
diff --git a/checks/check36 b/checks/check36
index 89d4f2ab..c17ffe87 100644
--- a/checks/check36
+++ b/checks/check36
@@ -42,6 +42,7 @@ CHECK_ASFF_TYPE_check36="Software and Configuration Checks/Industry and Regulato
 CHECK_ASFF_RESOURCE_TYPE_check36="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check306="check36"
 CHECK_ASFF_COMPLIANCE_TYPE_check36="ens-op.exp.8.aws.trail.3"
+CHECK_SERVICENAME_check36="iam"
 check36(){
 check3x '\$\.eventName\s*=\s*ConsoleLogin.+\$\.errorMessage\s*=\s*"Failed authentication"'
diff --git a/checks/check37 b/checks/check37
index e9b63524..c6466039 100644
--- a/checks/check37
+++ b/checks/check37
@@ -34,7 +34,7 @@
 # --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
 CHECK_ID_check37="3.7"
-CHECK_TITLE_check37="[check37] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)"
+CHECK_TITLE_check37="[check37] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created KMS CMKs (Scored)"
 CHECK_SCORED_check37="SCORED"
 CHECK_TYPE_check37="LEVEL2"
 CHECK_SEVERITY_check37="Medium"
@@ -42,6 +42,7 @@ CHECK_ASFF_TYPE_check37="Software and Configuration Checks/Industry and Regulato
 CHECK_ASFF_RESOURCE_TYPE_check37="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check307="check37"
 CHECK_ASFF_COMPLIANCE_TYPE_check37="ens-op.exp.11.aws.kms.1"
+CHECK_SERVICENAME_check37="kms"
 check37(){
 check3x '\$\.eventSource\s*=\s*kms.amazonaws.com.+\$\.eventName\s*=\s*DisableKey.+\$\.eventName\s*=\s*ScheduleKeyDeletion'
diff --git a/checks/check38 b/checks/check38
index eaf90120..22b55710 100644
--- a/checks/check38
+++ b/checks/check38
@@ -41,6 +41,7 @@ CHECK_SEVERITY_check38="Medium"
 CHECK_ASFF_TYPE_check38="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check38="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check308="check38"
+CHECK_SERVICENAME_check38="s3"
 check38(){
 check3x '\$\.eventSource\s*=\s*s3.amazonaws.com.+\$\.eventName\s*=\s*PutBucketAcl.+\$\.eventName\s*=\s*PutBucketPolicy.+\$\.eventName\s*=\s*PutBucketCors.+\$\.eventName\s*=\s*PutBucketLifecycle.+\$\.eventName\s*=\s*PutBucketReplication.+\$\.eventName\s*=\s*DeleteBucketPolicy.+\$\.eventName\s*=\s*DeleteBucketCors.+\$\.eventName\s*=\s*DeleteBucketLifecycle.+\$\.eventName\s*=\s*DeleteBucketReplication'
diff --git a/checks/check39 b/checks/check39
index 84450b2c..531a3bdc 100644
--- a/checks/check39
+++ b/checks/check39
@@ -41,6 +41,7 @@ CHECK_SEVERITY_check39="Medium"
 CHECK_ASFF_TYPE_check39="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check39="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check309="check39"
+CHECK_SERVICENAME_check39="configservice"
 check39(){
 check3x '\$\.eventSource\s*=\s*config.amazonaws.com.+\$\.eventName\s*=\s*StopConfigurationRecorder.+\$\.eventName\s*=\s*DeleteDeliveryChannel.+\$\.eventName\s*=\s*PutDeliveryChannel.+\$\.eventName\s*=\s*PutConfigurationRecorder'
diff --git a/checks/check41 b/checks/check41
index 5863a2a9..06ee469c 100644
--- a/checks/check41
+++ b/checks/check41
@@ -17,6 +17,7 @@ CHECK_ASFF_TYPE_check41="Software and Configuration Checks/Industry and Regulato
 CHECK_ASFF_RESOURCE_TYPE_check41="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check401="check41"
 CHECK_ASFF_COMPLIANCE_TYPE_check41="ens-mp.com.4.aws.sg.4"
+CHECK_SERVICENAME_check41="ec2"
 check41(){
 # "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 22 (Scored)"
diff --git a/checks/check42 b/checks/check42
index 3e88d26f..7edfc12a 100644
--- a/checks/check42
+++ b/checks/check42
@@ -17,6 +17,7 @@ CHECK_ASFF_TYPE_check42="Software and Configuration Checks/Industry and Regulato CHECK_ASFF_RESOURCE_TYPE_check42="AwsEc2SecurityGroup" CHECK_ALTERNATE_check402="check42" CHECK_ASFF_COMPLIANCE_TYPE_check42="ens-mp.com.4.aws.sg.5" +CHECK_SERVICENAME_check42="ec2" check42(){ # "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389 (Scored)" diff --git a/checks/check43 b/checks/check43 index 78c47f92..fa5d18f5 100644 --- a/checks/check43 +++ b/checks/check43 @@ -17,6 +17,7 @@ CHECK_ASFF_TYPE_check43="Software and Configuration Checks/Industry and Regulato CHECK_ASFF_RESOURCE_TYPE_check43="AwsEc2SecurityGroup" CHECK_ALTERNATE_check403="check43" CHECK_ASFF_COMPLIANCE_TYPE_check43="ens-mp.com.4.aws.sg.1" +CHECK_SERVICENAME_check43="ec2" check43(){ # "Ensure the default security group of every VPC restricts all traffic (Scored)" diff --git a/checks/check44 b/checks/check44 index 67a1abc1..f84d31ab 100644 --- a/checks/check44 +++ b/checks/check44 @@ -16,6 +16,7 @@ CHECK_SEVERITY_check44="Medium" CHECK_ASFF_TYPE_check44="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check44="AwsEc2Vpc" CHECK_ALTERNATE_check404="check44" +CHECK_SERVICENAME_check44="vpc" check44(){ # "Ensure routing tables for VPC peering are \"least access\" (Not Scored)" diff --git a/checks/check_extra71 b/checks/check_extra71 index bcd016a1..96f367fd 100644 --- a/checks/check_extra71 +++ b/checks/check_extra71 @@ -20,6 +20,7 @@ CHECK_ALTERNATE_extra701="extra71" CHECK_ALTERNATE_check71="extra71" CHECK_ALTERNATE_check701="extra71" CHECK_ASFF_COMPLIANCE_TYPE_extra71="ens-op.exp.10.aws.trail.2" +CHECK_SERVICENAME_extra71="iam" extra71(){ # "Ensure users of groups with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra710 b/checks/check_extra710 index a126dfca..fccbce46 100644 --- a/checks/check_extra710 
+++ b/checks/check_extra710 @@ -18,6 +18,7 @@ CHECK_SEVERITY_extra710="Medium" CHECK_ASFF_RESOURCE_TYPE_extra710="AwsEc2Instance" CHECK_ALTERNATE_check710="extra710" CHECK_ASFF_COMPLIANCE_TYPE_extra710="ens-mp.com.4.aws.vpc.1" +CHECK_SERVICENAME_extra710="ec2" extra710(){ # "Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra7100 b/checks/check_extra7100 index 36e05f8e..07a32a6f 100644 --- a/checks/check_extra7100 +++ b/checks/check_extra7100 @@ -22,6 +22,7 @@ CHECK_SEVERITY_extra7100="Critical" CHECK_ASFF_RESOURCE_TYPE_extra7100="AwsIamPolicy" CHECK_ALTERNATE_check7100="extra7100" CHECK_ASFF_COMPLIANCE_TYPE_extra7100="ens-op.acc.2.aws.iam.1" +CHECK_SERVICENAME_extra7100="iam" extra7100(){ # "Ensure that no custom policies exist which permit assuming any role (e.g. sts:AssumeRole on *)" diff --git a/checks/check_extra7101 b/checks/check_extra7101 index 0ab870c3..8646d914 100644 --- a/checks/check_extra7101 +++ b/checks/check_extra7101 @@ -17,6 +17,7 @@ CHECK_TYPE_extra7101="EXTRA" CHECK_SEVERITY_extra7101="Low" CHECK_ASFF_RESOURCE_TYPE_extra7101="AwsElasticsearchDomain" CHECK_ALTERNATE_check7101="extra7101" +CHECK_SERVICENAME_extra7101="es" # More info # Works for Amazon Elasticsearch Service domains (version 6.7+) with Fine Grained Access Control enabled diff --git a/checks/check_extra7102 b/checks/check_extra7102 index d8bdd33d..8f1cb17a 100644 --- a/checks/check_extra7102 +++ b/checks/check_extra7102 @@ -17,6 +17,7 @@ CHECK_TYPE_extra7102="EXTRA" CHECK_SEVERITY_extra7102="Medium" CHECK_ASFF_RESOURCE_TYPE_extra7102="AwsEc2Eip" CHECK_ALTERNATE_check7102="extra7102" +CHECK_SERVICENAME_extra7102="ec2" # Watch out, always use Shodan API key, if you use `curl https://www.shodan.io/host/{ip}` massively # your IP will be banned by Shodan diff --git a/checks/check_extra7103 b/checks/check_extra7103 index 18247bdf..3a6feac9 100644 --- a/checks/check_extra7103 +++ b/checks/check_extra7103 
@@ -18,6 +18,7 @@ CHECK_TYPE_extra7103="EXTRA" CHECK_ASFF_RESOURCE_TYPE_extra7103="AwsSageMakerNotebookInstance" CHECK_ALTERNATE_check7103="extra7103" CHECK_SEVERITY_extra7103="Medium" +CHECK_SERVICENAME_extra7103="sagemaker" extra7103(){ for regx in ${REGIONS}; do diff --git a/checks/check_extra7104 b/checks/check_extra7104 index 6d15fbc1..1009d23b 100644 --- a/checks/check_extra7104 +++ b/checks/check_extra7104 @@ -18,6 +18,7 @@ CHECK_TYPE_extra7104="EXTRA" CHECK_ASFF_RESOURCE_TYPE_extra7104="AwsSageMakerNotebookInstance" CHECK_ALTERNATE_check7104="extra7104" CHECK_SEVERITY_extra7104="Medium" +CHECK_SERVICENAME_extra7104="sagemaker" extra7104(){ for regx in ${REGIONS}; do diff --git a/checks/check_extra7105 b/checks/check_extra7105 index e76b8d9b..b62e9732 100644 --- a/checks/check_extra7105 +++ b/checks/check_extra7105 @@ -18,6 +18,7 @@ CHECK_TYPE_extra7105="EXTRA" CHECK_ASFF_RESOURCE_TYPE_extra7105="AwsSageMakerModel" CHECK_ALTERNATE_check7105="extra7105" CHECK_SEVERITY_extra7105="Medium" +CHECK_SERVICENAME_extra7105="sagemaker" extra7105(){ for regx in ${REGIONS}; do diff --git a/checks/check_extra7106 b/checks/check_extra7106 index d4907513..1f91d7aa 100644 --- a/checks/check_extra7106 +++ b/checks/check_extra7106 @@ -18,6 +18,7 @@ CHECK_TYPE_extra7106="EXTRA" CHECK_ASFF_RESOURCE_TYPE_extra7106="AwsSageMakerModel" CHECK_ALTERNATE_check7106="extra7106" CHECK_SEVERITY_extra7106="Medium" +CHECK_SERVICENAME_extra7106="sagemaker" extra7106(){ for regx in ${REGIONS}; do diff --git a/checks/check_extra7107 b/checks/check_extra7107 index db2fd2a5..0bd75d45 100644 --- a/checks/check_extra7107 +++ b/checks/check_extra7107 @@ -18,6 +18,7 @@ CHECK_TYPE_extra7107="EXTRA" CHECK_ASFF_RESOURCE_TYPE_extra7107="AwsSageMakerNotebookInstance" CHECK_ALTERNATE_check7107="extra7107" CHECK_SEVERITY_extra7107="Medium" +CHECK_SERVICENAME_extra7107="sagemaker" extra7107(){ for regx in ${REGIONS}; do 
diff --git a/checks/check_extra7108 b/checks/check_extra7108 index 25ac1379..7b3161cb 100644 --- a/checks/check_extra7108 +++ b/checks/check_extra7108 @@ -18,6 +18,7 @@ CHECK_TYPE_extra7108="EXTRA" CHECK_ASFF_RESOURCE_TYPE_extra7108="AwsSageMakerNotebookInstance" CHECK_ALTERNATE_check7108="extra7108" CHECK_SEVERITY_extra7108="Medium" +CHECK_SERVICENAME_extra7108="sagemaker" extra7108(){ for regx in ${REGIONS}; do diff --git a/checks/check_extra7109 b/checks/check_extra7109 index 9abedf47..eba6a4cb 100644 --- a/checks/check_extra7109 +++ b/checks/check_extra7109 @@ -18,6 +18,7 @@ CHECK_TYPE_extra7109="EXTRA" CHECK_ASFF_RESOURCE_TYPE_extra7109="AwsSageMakerNotebookInstance" CHECK_ALTERNATE_check7109="extra7109" CHECK_SEVERITY_extra7109="Medium" +CHECK_SERVICENAME_extra7109="sagemaker" extra7109(){ for regx in ${REGIONS}; do diff --git a/checks/check_extra711 b/checks/check_extra711 index aa3347a1..04a3a60c 100644 --- a/checks/check_extra711 +++ b/checks/check_extra711 @@ -17,6 +17,7 @@ CHECK_TYPE_extra711="EXTRA" CHECK_SEVERITY_extra711="High" CHECK_ASFF_RESOURCE_TYPE_extra711="AwsRedshiftCluster" CHECK_ALTERNATE_check711="extra711" +CHECK_SERVICENAME_extra711="redshift" extra711(){ # "Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra7110 b/checks/check_extra7110 index 8a0755bb..d9406a38 100644 --- a/checks/check_extra7110 +++ b/checks/check_extra7110 @@ -18,6 +18,7 @@ CHECK_TYPE_extra7110="EXTRA" CHECK_ASFF_RESOURCE_TYPE_extra7110="AwsSageMakerNotebookInstance" CHECK_ALTERNATE_check7110="extra7110" CHECK_SEVERITY_extra7110="Medium" +CHECK_SERVICENAME_extra7110="sagemaker" extra7110(){ for regx in ${REGIONS}; do diff --git a/checks/check_extra7111 b/checks/check_extra7111 index 2abb5d51..d3f25dfc 100644 --- a/checks/check_extra7111 +++ b/checks/check_extra7111 
@@ -18,6 +18,7 @@ CHECK_TYPE_extra7111="EXTRA" CHECK_ASFF_RESOURCE_TYPE_extra7111="AwsSageMakerNotebookInstance" CHECK_ALTERNATE_check7111="extra7111" CHECK_SEVERITY_extra7111="Medium" +CHECK_SERVICENAME_extra7111="sagemaker" extra7111(){ for regx in ${REGIONS}; do diff --git a/checks/check_extra7112 b/checks/check_extra7112 index f1f46e32..ffa6da15 100644 --- a/checks/check_extra7112 +++ b/checks/check_extra7112 @@ -18,6 +18,7 @@ CHECK_TYPE_extra7112="EXTRA" CHECK_ASFF_RESOURCE_TYPE_extra7112="AwsSageMakerNotebookInstance" CHECK_ALTERNATE_check7112="extra7112" CHECK_SEVERITY_extra7112="Medium" +CHECK_SERVICENAME_extra7112="sagemaker" extra7112(){ for regx in ${REGIONS}; do diff --git a/checks/check_extra7113 b/checks/check_extra7113 index aede9db7..3cbe45a8 100644 --- a/checks/check_extra7113 +++ b/checks/check_extra7113 @@ -29,6 +29,7 @@ CHECK_TYPE_extra7113="EXTRA" CHECK_SEVERITY_extra7113="Medium" CHECK_ASFF_RESOURCE_TYPE_extra7113="AwsRdsDbInstance" CHECK_ALTERNATE_check7113="extra7113" +CHECK_SERVICENAME_extra7113="rds" extra7113(){ textInfo "Looking for RDS Volumes in all regions... " diff --git a/checks/check_extra7114 b/checks/check_extra7114 index a728c83f..fe22a405 100644 --- a/checks/check_extra7114 +++ b/checks/check_extra7114 @@ -18,6 +18,7 @@ CHECK_TYPE_extra7114="EXTRA" CHECK_SEVERITY_extra7114="Medium" CHECK_ASFF_RESOURCE_TYPE_extra7114="AwsGlue" CHECK_ALTERNATE_check7114="extra7114" +CHECK_SERVICENAME_extra7114="glue" extra7114(){ for regx in $REGIONS; do diff --git a/checks/check_extra7115 b/checks/check_extra7115 index da606669..08beee45 100644 --- a/checks/check_extra7115 +++ b/checks/check_extra7115 @@ -17,6 +17,7 @@ CHECK_TYPE_extra7115="EXTRA" CHECK_SEVERITY_extra7115="Medium" CHECK_ASFF_RESOURCE_TYPE_extra7115="AwsGlue" CHECK_ALTERNATE_check7115="extra7115" +CHECK_SERVICENAME_extra7115="glue" extra7115(){ for regx in $REGIONS; do diff --git a/checks/check_extra7116 b/checks/check_extra7116 index 2dee0295..610741a5 100644 
--- a/checks/check_extra7116 +++ b/checks/check_extra7116 @@ -17,6 +17,7 @@ CHECK_TYPE_extra7116="EXTRA" CHECK_SEVERITY_extra7116="Medium" CHECK_ASFF_RESOURCE_TYPE_extra7116="AwsGlue" CHECK_ALTERNATE_check7116="extra7116" +CHECK_SERVICENAME_extra7116="glue" extra7116(){ for regx in $REGIONS; do diff --git a/checks/check_extra7117 b/checks/check_extra7117 index 686cd729..62da7ab9 100644 --- a/checks/check_extra7117 +++ b/checks/check_extra7117 @@ -17,6 +17,7 @@ CHECK_TYPE_extra7117="EXTRA" CHECK_SEVERITY_extra7117="Medium" CHECK_ASFF_RESOURCE_TYPE_extra7117="AwsGlue" CHECK_ALTERNATE_check7117="extra7117" +CHECK_SERVICENAME_extra7117="glue" extra7117(){ for regx in $REGIONS; do diff --git a/checks/check_extra7118 b/checks/check_extra7118 index aa39907f..614d8130 100644 --- a/checks/check_extra7118 +++ b/checks/check_extra7118 @@ -17,6 +17,7 @@ CHECK_TYPE_extra7118="EXTRA" CHECK_SEVERITY_extra7118="Medium" CHECK_ASFF_RESOURCE_TYPE_extra7118="AwsGlue" CHECK_ALTERNATE_check7118="extra7118" +CHECK_SERVICENAME_extra7118="glue" extra7118(){ for regx in $REGIONS; do diff --git a/checks/check_extra7119 b/checks/check_extra7119 index e8d60488..33162563 100644 --- a/checks/check_extra7119 +++ b/checks/check_extra7119 @@ -18,6 +18,7 @@ CHECK_TYPE_extra7119="EXTRA" CHECK_SEVERITY_extra7119="Medium" CHECK_ASFF_RESOURCE_TYPE_extra7119="AwsGlue" CHECK_ALTERNATE_check7119="extra7119" +CHECK_SERVICENAME_extra7119="glue" extra7119(){ for regx in $REGIONS; do diff --git a/checks/check_extra712 b/checks/check_extra712 index b27880ab..39e0e3c2 100644 --- a/checks/check_extra712 +++ b/checks/check_extra712 @@ -16,6 +16,8 @@ CHECK_SCORED_extra712="NOT_SCORED" CHECK_TYPE_extra712="EXTRA" CHECK_SEVERITY_extra712="Low" CHECK_ALTERNATE_check712="extra712" +CHECK_ASFF_RESOURCE_TYPE_extra712="AwsMacieSession" +CHECK_SERVICENAME_extra712="macie" extra712(){ textInfo "No API commands available to check if Macie is enabled," 
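Review bot: The hunk for checks/check_extra712 adds `CHECK_ASFF_RESOURCE_TYPE_extra712="AwsMacieSession"` next to the service name, which the commit subject does not cover, and the visible body of `extra712` only prints a `textInfo` saying no API is available to check Macie. Confirm that this type string is one Security Hub defines; a resource with no defined ASFF type is normally reported as `Other`. If the value is deliberate, a short comment such as `# ASFF type used only for reporting; the check itself does not query Macie` would explain it. The same kind of addition is made in checks/check_extra713 (`AwsGuardDutyDetector`) and checks/check_extra719 (`AwsRoute53HostedZone`). The body of `extra712` continues outside the hunk.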
diff --git a/checks/check_extra7120 b/checks/check_extra7120 index 69695b7f..d51e0208 100644 --- a/checks/check_extra7120 +++ b/checks/check_extra7120 @@ -17,6 +17,7 @@ CHECK_TYPE_extra7120="EXTRA" CHECK_SEVERITY_extra7120="Medium" CHECK_ASFF_RESOURCE_TYPE_extra7120="AwsGlue" CHECK_ALTERNATE_check7120="extra7120" +CHECK_SERVICENAME_extra7120="glue" extra7120(){ for regx in $REGIONS; do diff --git a/checks/check_extra7121 b/checks/check_extra7121 index 0dd83446..1324f7b8 100644 --- a/checks/check_extra7121 +++ b/checks/check_extra7121 @@ -18,6 +18,7 @@ CHECK_TYPE_extra7121="EXTRA" CHECK_SEVERITY_extra7121="Medium" CHECK_ASFF_RESOURCE_TYPE_extra7121="AwsGlue" CHECK_ALTERNATE_check7121="extra7121" +CHECK_SERVICENAME_extra7121="glue" extra7121(){ for regx in $REGIONS; do diff --git a/checks/check_extra7122 b/checks/check_extra7122 index 618181c4..dba88dd5 100644 --- a/checks/check_extra7122 +++ b/checks/check_extra7122 @@ -17,6 +17,7 @@ CHECK_TYPE_extra7122="EXTRA" CHECK_SEVERITY_extra7122="Medium" CHECK_ASFF_RESOURCE_TYPE_extra7122="AwsGlue" CHECK_ALTERNATE_check7122="extra7122" +CHECK_SERVICENAME_extra7122="glue" extra7122(){ for regx in $REGIONS; do diff --git a/checks/check_extra7123 b/checks/check_extra7123 index 45c3a0ca..b9af0aaa 100644 --- a/checks/check_extra7123 +++ b/checks/check_extra7123 @@ -19,6 +19,7 @@ CHECK_ASFF_TYPE_extra7123="Software and Configuration Checks/Industry and Regula CHECK_ASFF_RESOURCE_TYPE_extra7123="AwsIamUser" CHECK_ALTERNATE_check7123="extra7123" CHECK_ASFF_COMPLIANCE_TYPE_extra7123="ens-op.acc.1.aws.iam.2" +CHECK_SERVICENAME_extra7123="iam" extra7123(){ LIST_OF_USERS_WITH_2ACCESS_KEYS=$(cat $TEMP_REPORT_FILE| awk -F, '{ print $1, $9, $14 }' |grep "\ true\ true" | awk '{ print $1 }') diff --git a/checks/check_extra7124 b/checks/check_extra7124 index 7fa835dd..3828164f 100644 --- a/checks/check_extra7124 +++ b/checks/check_extra7124 
@@ -17,7 +17,8 @@ CHECK_TYPE_extra7124="EXTRA" CHECK_SEVERITY_extra7124="Medium" CHECK_ASFF_RESOURCE_TYPE_extra7124="AwsEc2Instance" CHECK_ALTERNATE_check7124="extra7124" -CHECK_ASFF_COMPLIANCE_TYPE_extra7124="ens-op.exp.1.aws.sys.1,ens-op.acc.4.aws.sys.1" +CHECK_ASFF_COMPLIANCE_TYPE_extra7124="ens-op.exp.1.aws.sys.1 ens-op.acc.4.aws.sys.1" +CHECK_SERVICENAME_extra7124="ssm" extra7124(){ for regx in $REGIONS; do @@ -40,4 +41,4 @@ extra7124(){ textInfo "$regx: No EC2 instances running found" "$regx" fi done -} \ No newline at end of file +} diff --git a/checks/check_extra7125 b/checks/check_extra7125 index c859738a..007947e4 100644 --- a/checks/check_extra7125 +++ b/checks/check_extra7125 @@ -18,6 +18,7 @@ CHECK_SEVERITY_extra7125="Medium" CHECK_ASFF_RESOURCE_TYPE_extra7125="AwsIamUser" CHECK_ALTERNATE_check7125="extra7125" CHECK_ASFF_COMPLIANCE_TYPE_extra7125="ens-op.acc.5.aws.iam.2" +CHECK_SERVICENAME_extra7125="iam" extra7125(){ LIST_USERS=$($AWSCLI iam list-users --query 'Users[*].UserName' --output text $PROFILE_OPT --region $REGION) diff --git a/checks/check_extra7126 b/checks/check_extra7126 index 0098a661..4c089e27 100644 --- a/checks/check_extra7126 +++ b/checks/check_extra7126 @@ -18,6 +18,7 @@ CHECK_SEVERITY_extra7126="Medium" CHECK_ASFF_RESOURCE_TYPE_extra7126="AwsKmsKey" CHECK_ALTERNATE_check7126="extra7126" CHECK_ASFF_COMPLIANCE_TYPE_extra7126="op.exp.11.aws.kms.2" +CHECK_SERVICENAME_extra7126="kms" extra7126(){ for regx in $REGIONS; do diff --git a/checks/check_extra7127 b/checks/check_extra7127 index 549027a4..65566690 100644 --- a/checks/check_extra7127 +++ b/checks/check_extra7127 
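Review bot: In checks/check_extra7124 the value of `CHECK_ASFF_COMPLIANCE_TYPE_extra7124` changes from a comma-separated to a space-separated list, and nothing in the commit subject or the file says which delimiter the reader of this variable expects. If the code that consumes it still splits on commas (it is not visible in this diff), the two ENS ids would be reported as a single id containing a space, and the finding would no longer map to either control. A one-line comment above the assignment, `# space-separated list of ENS control ids`, would record the format. The same delimiter change is made in checks/check_extra7127.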
@@ -18,7 +18,8 @@ CHECK_SEVERITY_extra7127="Medium" CHECK_ASFF_RESOURCE_TYPE_extra7127="AwsEc2Instance" CHECK_ASFF_TYPE_extra7127="Software and Configuration Checks/ENS op.exp.4.aws.sys.1" CHECK_ALTERNATE_check7127="extra7127" -CHECK_ASFF_COMPLIANCE_TYPE_extra7127="ens-op.exp.1.aws.sys.1,ens-op.exp.4.aws.sys.1" +CHECK_ASFF_COMPLIANCE_TYPE_extra7127="ens-op.exp.1.aws.sys.1 ens-op.exp.4.aws.sys.1" +CHECK_SERVICENAME_extra7127="ssm" extra7127(){ @@ -40,4 +41,4 @@ extra7127(){ textInfo "$regx: No EC2 managed instances found" "$regx" fi done -} \ No newline at end of file +} diff --git a/checks/check_extra7128 b/checks/check_extra7128 index 0cc417e2..13bc161c 100644 --- a/checks/check_extra7128 +++ b/checks/check_extra7128 @@ -18,6 +18,7 @@ CHECK_SEVERITY_extra7128="Medium" CHECK_ASFF_RESOURCE_TYPE_extra7128="AwsDynamoDBTable" CHECK_ALTERNATE_check7128="extra7128" CHECK_ASFF_COMPLIANCE_TYPE_extra7128="ens-mp.info.3.aws.dyndb.1" +CHECK_SERVICENAME_extra7128="dynamodb" extra7128(){ for regx in $REGIONS; do diff --git a/checks/check_extra7129 b/checks/check_extra7129 index cf3e5d7b..d6a55d8e 100644 --- a/checks/check_extra7129 +++ b/checks/check_extra7129 @@ -18,6 +18,7 @@ CHECK_SEVERITY_extra7129="Medium" CHECK_ASFF_RESOURCE_TYPE_extra7129="AwsElasticLoadBalancingV2LoadBalancer" CHECK_ALTERNATE_check7129="extra7129" CHECK_ASFF_COMPLIANCE_TYPE_extra7129="ens-mp.s.2.aws.waf.3" +CHECK_SERVICENAME_extra7129="elb" extra7129(){ for regx in $REGIONS; do diff --git a/checks/check_extra713 b/checks/check_extra713 index 3d5975b9..49606523 100644 --- a/checks/check_extra713 +++ b/checks/check_extra713 @@ -17,6 +17,8 @@ CHECK_TYPE_extra713="EXTRA" CHECK_SEVERITY_extra713="High" CHECK_ALTERNATE_check713="extra713" CHECK_ASFF_COMPLIANCE_TYPE_extra713="ens-op.mon.1.aws.duty.1" +CHECK_ASFF_RESOURCE_TYPE_extra713="AwsGuardDutyDetector" +CHECK_SERVICENAME_extra713="guardduty" extra713(){ # "Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)" 
diff --git a/checks/check_extra7130 b/checks/check_extra7130 index 0894e2f9..7165a5fe 100644 --- a/checks/check_extra7130 +++ b/checks/check_extra7130 @@ -18,6 +18,7 @@ CHECK_TYPE_extra7130="EXTRA" CHECK_SEVERITY_extra7130="Medium" CHECK_ASFF_RESOURCE_TYPE_extra7130="AwsSnsTopic" CHECK_ALTERNATE_check7130="extra7130" +CHECK_SERVICENAME_extra7130="sns" extra7130(){ textInfo "Looking for SNS Topics in all regions... " diff --git a/checks/check_extra7131 b/checks/check_extra7131 index ca64c8d4..3f85c2a9 100644 --- a/checks/check_extra7131 +++ b/checks/check_extra7131 @@ -17,6 +17,7 @@ CHECK_TYPE_extra7131="EXTRA" CHECK_SEVERITY_extra7131="Low" CHECK_ASFF_RESOURCE_TYPE_extra7131="AwsRdsDbInstance" CHECK_ALTERNATE_check7131="extra7131" +CHECK_SERVICENAME_extra7131="rds" extra7131(){ for regx in $REGIONS; do diff --git a/checks/check_extra714 b/checks/check_extra714 index 542cdce2..362b69c0 100644 --- a/checks/check_extra714 +++ b/checks/check_extra714 @@ -17,6 +17,7 @@ CHECK_TYPE_extra714="EXTRA" CHECK_SEVERITY_extra714="Medium" CHECK_ASFF_RESOURCE_TYPE_extra714="AwsCloudFrontDistribution" CHECK_ALTERNATE_check714="extra714" +CHECK_SERVICENAME_extra714="cloudfront" extra714(){ # "Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra715 b/checks/check_extra715 index 3dae4809..e848e78b 100644 --- a/checks/check_extra715 +++ b/checks/check_extra715 @@ -17,6 +17,7 @@ CHECK_TYPE_extra715="EXTRA" CHECK_SEVERITY_extra715="Medium" CHECK_ASFF_RESOURCE_TYPE_extra715="AwsElasticsearchDomain" CHECK_ALTERNATE_check715="extra715" +CHECK_SERVICENAME_extra715="es" extra715(){ for regx in $REGIONS; do diff --git a/checks/check_extra716 b/checks/check_extra716 index 96014d22..cc6a88c3 100644 --- a/checks/check_extra716 +++ b/checks/check_extra716 
@@ -17,6 +17,7 @@ CHECK_TYPE_extra716="EXTRA" CHECK_SEVERITY_extra716="Critical" CHECK_ASFF_RESOURCE_TYPE_extra716="AwsElasticsearchDomain" CHECK_ALTERNATE_check716="extra716" +CHECK_SERVICENAME_extra716="es" extra716(){ for regx in $REGIONS; do diff --git a/checks/check_extra717 b/checks/check_extra717 index cdb9e1b2..1c7a6a22 100644 --- a/checks/check_extra717 +++ b/checks/check_extra717 @@ -17,6 +17,7 @@ CHECK_TYPE_extra717="EXTRA" CHECK_SEVERITY_extra717="Medium" CHECK_ASFF_RESOURCE_TYPE_extra717="AwsElbLoadBalancer" CHECK_ALTERNATE_check717="extra717" +CHECK_SERVICENAME_extra717="elb" extra717(){ # "Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra718 b/checks/check_extra718 index 6e8d8f50..738fc59e 100644 --- a/checks/check_extra718 +++ b/checks/check_extra718 @@ -17,6 +17,7 @@ CHECK_TYPE_extra718="EXTRA" CHECK_SEVERITY_extra718="Medium" CHECK_ASFF_RESOURCE_TYPE_extra718="AwsS3Bucket" CHECK_ALTERNATE_check718="extra718" +CHECK_SERVICENAME_extra718="s3" extra718(){ # "Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra719 b/checks/check_extra719 index 306c3b07..9578ccd6 100644 --- a/checks/check_extra719 +++ b/checks/check_extra719 @@ -16,6 +16,8 @@ CHECK_SCORED_extra719="NOT_SCORED" CHECK_TYPE_extra719="EXTRA" CHECK_SEVERITY_extra719="Medium" CHECK_ALTERNATE_check719="extra719" +CHECK_ASFF_RESOURCE_TYPE_extra719="AwsRoute53HostedZone" +CHECK_SERVICENAME_extra719="route53" extra719(){ # You can't create a query logging config for a private hosted zone. diff --git a/checks/check_extra72 b/checks/check_extra72 index e03d4f1d..07ff9393 100644 --- a/checks/check_extra72 +++ b/checks/check_extra72 
@@ -19,6 +19,7 @@ CHECK_ASFF_RESOURCE_TYPE_extra72="AwsEc2Snapshot" CHECK_ALTERNATE_extra702="extra72" CHECK_ALTERNATE_check72="extra72" CHECK_ALTERNATE_check702="extra72" +CHECK_SERVICENAME_check72="ec2" extra72(){ # "Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra720 b/checks/check_extra720 index 2768bb3c..8e0647fd 100644 --- a/checks/check_extra720 +++ b/checks/check_extra720 @@ -17,6 +17,7 @@ CHECK_TYPE_extra720="EXTRA" CHECK_SEVERITY_extra720="Low" CHECK_ASFF_RESOURCE_TYPE_extra720="AwsLambdaFunction" CHECK_ALTERNATE_check720="extra720" +CHECK_SERVICENAME_extra720="lambda" extra720(){ # "Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra721 b/checks/check_extra721 index 82d78d6b..5e2b6f89 100644 --- a/checks/check_extra721 +++ b/checks/check_extra721 @@ -17,6 +17,7 @@ CHECK_TYPE_extra721="EXTRA" CHECK_SEVERITY_extra721="Medium" CHECK_ASFF_RESOURCE_TYPE_extra721="AwsRedshiftCluster" CHECK_ALTERNATE_check721="extra721" +CHECK_SERVICENAME_extra721="redshift" extra721(){ # "Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra722 b/checks/check_extra722 index 019478dd..e9ff44c8 100644 --- a/checks/check_extra722 +++ b/checks/check_extra722 @@ -17,6 +17,7 @@ CHECK_TYPE_extra722="EXTRA" CHECK_SEVERITY_extra722="Medium" CHECK_ASFF_RESOURCE_TYPE_extra722="AwsApiGatewayRestApi" CHECK_ALTERNATE_check722="extra722" +CHECK_SERVICENAME_extra722="apigateway" extra722(){ # "Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra723 b/checks/check_extra723 index db32777b..6051282b 100644 --- a/checks/check_extra723 +++ b/checks/check_extra723 
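Review bot: The line added in checks/check_extra72 defines `CHECK_SERVICENAME_check72`, but every other metadata variable for this check is keyed on the function name (`CHECK_ASFF_RESOURCE_TYPE_extra72`, `extra72(){`), and `check72` appears only as an alias in `CHECK_ALTERNATE_check72`. If the service name is looked up by check id like the other fields (the lookup is not visible here), the public EBS snapshot check ends up with no service name and would drop out of any service-scoped run or report. It should read `CHECK_SERVICENAME_extra72="ec2"`. checks/check_extra73 has the same slip, `CHECK_SERVICENAME_check73="s3"`, which should be `CHECK_SERVICENAME_extra73="s3"`.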
@@ -17,6 +17,7 @@ CHECK_TYPE_extra723="EXTRA" CHECK_SEVERITY_extra723="Critical" CHECK_ASFF_RESOURCE_TYPE_extra723="AwsRdsDbSnapshot" CHECK_ALTERNATE_check723="extra723" +CHECK_SERVICENAME_extra723="rds" extra723(){ # "Check if RDS Snapshots are public (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra724 b/checks/check_extra724 index 03b2dad2..ac0c501a 100644 --- a/checks/check_extra724 +++ b/checks/check_extra724 @@ -17,6 +17,7 @@ CHECK_TYPE_extra724="EXTRA" CHECK_SEVERITY_extra724="Medium" CHECK_ASFF_RESOURCE_TYPE_extra724="AwsCertificateManagerCertificate" CHECK_ALTERNATE_check724="extra724" +CHECK_SERVICENAME_extra724="acm" extra724(){ # "Check if ACM certificates have Certificate Transparency logging enabled (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra725 b/checks/check_extra725 index 65c76a85..28d2557f 100644 --- a/checks/check_extra725 +++ b/checks/check_extra725 @@ -18,6 +18,8 @@ CHECK_TYPE_extra725="EXTRA" CHECK_SEVERITY_extra725="Medium" CHECK_ASFF_RESOURCE_TYPE_extra725="AwsS3Bucket" CHECK_ALTERNATE_check725="extra725" +CHECK_SERVICENAME_extra725="s3" + # per Object-level logging is not configured at Bucket level but at CloudTrail trail level extra725(){ diff --git a/checks/check_extra726 b/checks/check_extra726 index 5790fcd8..f4762623 100644 --- a/checks/check_extra726 +++ b/checks/check_extra726 @@ -17,6 +17,7 @@ CHECK_SCORED_extra726="NOT_SCORED" CHECK_TYPE_extra726="EXTRA" CHECK_SEVERITY_extra726="Medium" CHECK_ALTERNATE_check726="extra726" +CHECK_SERVICENAME_extra726="trustedadvisor" extra726(){ trap "exit" INT diff --git a/checks/check_extra727 b/checks/check_extra727 index 596f174a..d618b0bd 100644 --- a/checks/check_extra727 +++ b/checks/check_extra727 @@ -18,6 +18,7 @@ CHECK_TYPE_extra727="EXTRA" CHECK_SEVERITY_extra727="Critical" CHECK_ASFF_RESOURCE_TYPE_extra727="AwsSqsQueue" CHECK_ALTERNATE_check727="extra727" +CHECK_SERVICENAME_extra727="sqs" extra727(){ for regx in $REGIONS; do 
diff --git a/checks/check_extra728 b/checks/check_extra728 index 640ee876..bde576a1 100644 --- a/checks/check_extra728 +++ b/checks/check_extra728 @@ -19,6 +19,7 @@ CHECK_SEVERITY_extra728="Medium" CHECK_ASFF_RESOURCE_TYPE_extra728="AwsSqsQueue" CHECK_ALTERNATE_check728="extra728" CHECK_ASFF_COMPLIANCE_TYPE_extra728="ens-mp.info.3.sns.1" +CHECK_SERVICENAME_extra728="sqs" extra728(){ for regx in $REGIONS; do diff --git a/checks/check_extra729 b/checks/check_extra729 index e841503b..58bf6e40 100644 --- a/checks/check_extra729 +++ b/checks/check_extra729 @@ -19,6 +19,8 @@ CHECK_SEVERITY_extra729="Medium" CHECK_ASFF_RESOURCE_TYPE_extra729="AwsEc2Volume" CHECK_ALTERNATE_check729="extra729" CHECK_ASFF_COMPLIANCE_TYPE_extra729="ens-mp.info.3.aws.ebs.1" +CHECK_SERVICENAME_extra729="ec2" + extra729(){ # "Ensure there are no EBS Volumes unencrypted (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra73 b/checks/check_extra73 index d007b1fd..669686ac 100644 --- a/checks/check_extra73 +++ b/checks/check_extra73 @@ -20,6 +20,7 @@ CHECK_ASFF_RESOURCE_TYPE_extra73="AwsS3Bucket" CHECK_ALTERNATE_extra703="extra73" CHECK_ALTERNATE_check73="extra73" CHECK_ALTERNATE_check703="extra73" +CHECK_SERVICENAME_check73="s3" # Verified with AWS support that if get-bucket-acl doesn't return a grant # for All and get-bucket-policy-status returns IsPublic false or bad request diff --git a/checks/check_extra730 b/checks/check_extra730 index c2f7fc76..1b3ed3fe 100644 --- a/checks/check_extra730 +++ b/checks/check_extra730 @@ -20,6 +20,7 @@ CHECK_TYPE_extra730="EXTRA" CHECK_SEVERITY_extra730="High" CHECK_ASFF_RESOURCE_TYPE_extra730="AwsCertificateManagerCertificate" CHECK_ALTERNATE_check730="extra730" +CHECK_SERVICENAME_extra730="acm" extra730(){ # "Check if ACM Certificates are about to expire in $DAYS_TO_EXPIRE_THRESHOLD days or less" diff --git a/checks/check_extra731 b/checks/check_extra731 index 7474ea44..49e4a9d0 100644 --- a/checks/check_extra731 
+++ b/checks/check_extra731 @@ -18,6 +18,7 @@ CHECK_TYPE_extra731="EXTRA" CHECK_SEVERITY_extra731="Critical" CHECK_ASFF_RESOURCE_TYPE_extra731="AwsSnsTopic" CHECK_ALTERNATE_check731="extra731" +CHECK_SERVICENAME_extra731="sns" extra731(){ for regx in $REGIONS; do diff --git a/checks/check_extra732 b/checks/check_extra732 index 811fed10..0e38ee9d 100644 --- a/checks/check_extra732 +++ b/checks/check_extra732 @@ -18,6 +18,7 @@ CHECK_TYPE_extra732="EXTRA" CHECK_SEVERITY_extra732="Low" CHECK_ASFF_RESOURCE_TYPE_extra732="AwsCloudFrontDistribution" CHECK_ALTERNATE_check732="extra732" +CHECK_SERVICENAME_extra732="cloudfront" extra732(){ LIST_DISTRIBUTIONS=$($AWSCLI cloudfront list-distributions $PROFILE_OPT --query 'DistributionList.Items[*].Id' --output text |grep -v ^None) diff --git a/checks/check_extra733 b/checks/check_extra733 index ce0bfcd9..40de63d6 100644 --- a/checks/check_extra733 +++ b/checks/check_extra733 @@ -18,6 +18,7 @@ CHECK_TYPE_extra733="EXTRA" CHECK_SEVERITY_extra733="Low" CHECK_ALTERNATE_check733="extra733" CHECK_ASFF_COMPLIANCE_TYPE_extra733="ens-op.acc.1.aws.iam.1" +CHECK_SERVICENAME_extra733="iam" extra733(){ LIST_SAML_PROV=$($AWSCLI iam list-saml-providers $PROFILE_OPT --query 'SAMLProviderList[*].Arn' --output text |grep -v ^None) diff --git a/checks/check_extra734 b/checks/check_extra734 index 86760d9d..a4cc58c5 100644 --- a/checks/check_extra734 +++ b/checks/check_extra734 @@ -18,6 +18,7 @@ CHECK_SEVERITY_extra734="Medium" CHECK_ASFF_RESOURCE_TYPE_extra734="AwsS3Bucket" CHECK_ALTERNATE_check734="extra734" CHECK_ASFF_COMPLIANCE_TYPE_extra734="ens-mp.info.3.s3.1" +CHECK_SERVICENAME_extra734="s3" extra734(){ LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --region $REGION --query Buckets[*].Name --output text|xargs -n1) diff --git a/checks/check_extra735 b/checks/check_extra735 index 7c0c29f1..409e08a4 100644 --- a/checks/check_extra735 +++ b/checks/check_extra735 
@@ -18,6 +18,7 @@ CHECK_SEVERITY_extra735="Medium" CHECK_ASFF_RESOURCE_TYPE_extra735="AwsRdsDbInstance" CHECK_ALTERNATE_check735="extra735" CHECK_ASFF_COMPLIANCE_TYPE_extra735="ens-mp.info.3.aws.rds.1" +CHECK_SERVICENAME_extra735="rds" extra735(){ textInfo "Looking for RDS Volumes in all regions... " diff --git a/checks/check_extra736 b/checks/check_extra736 index 2d8c48f5..291d971d 100644 --- a/checks/check_extra736 +++ b/checks/check_extra736 @@ -18,6 +18,7 @@ CHECK_SEVERITY_extra736="Critical" CHECK_ASFF_RESOURCE_TYPE_extra736="AwsKmsKey" CHECK_ALTERNATE_check736="extra736" CHECK_ASFF_COMPLIANCE_TYPE_extra736="ens-op.exp.11.aws.kms.2" +CHECK_SERVICENAME_extra736="kms" extra736(){ textInfo "Looking for KMS keys in all regions... " diff --git a/checks/check_extra737 b/checks/check_extra737 index e2c32e87..1dc12679 100644 --- a/checks/check_extra737 +++ b/checks/check_extra737 @@ -18,6 +18,7 @@ CHECK_SEVERITY_extra737="Medium" CHECK_ASFF_RESOURCE_TYPE_extra737="AwsKmsKey" CHECK_ALTERNATE_check737="extra737" CHECK_ASFF_COMPLIANCE_TYPE_extra737="ens-op.exp.11.aws.kms.3" +CHECK_SERVICENAME_extra737="kms" extra737(){ textInfo "Looking for KMS keys in all regions... " diff --git a/checks/check_extra738 b/checks/check_extra738 index 42c178a2..566b715e 100644 --- a/checks/check_extra738 +++ b/checks/check_extra738 @@ -18,6 +18,7 @@ CHECK_SEVERITY_extra738="Medium" CHECK_ASFF_RESOURCE_TYPE_extra738="AwsCloudFrontDistribution" CHECK_ALTERNATE_check738="extra738" CHECK_ASFF_COMPLIANCE_TYPE_extra738="ens-mp.com.2.aws.front.1" +CHECK_SERVICENAME_extra738="cloudfront" extra738(){ LIST_OF_DISTRIBUTIONS=$($AWSCLI cloudfront list-distributions --query 'DistributionList.Items[*].Id' $PROFILE_OPT --output text|grep -v ^None) diff --git a/checks/check_extra739 b/checks/check_extra739 index 5ef3c92f..c0aec8b3 100644 --- a/checks/check_extra739 +++ b/checks/check_extra739 
@@ -17,6 +17,7 @@ CHECK_TYPE_extra739="EXTRA" CHECK_SEVERITY_extra739="Medium" CHECK_ASFF_RESOURCE_TYPE_extra739="AwsRdsDbInstance" CHECK_ALTERNATE_check739="extra739" +CHECK_SERVICENAME_extra739="rds" extra739(){ for regx in $REGIONS; do diff --git a/checks/check_extra74 b/checks/check_extra74 index 73e9b343..5061bb4d 100644 --- a/checks/check_extra74 +++ b/checks/check_extra74 @@ -20,6 +20,7 @@ CHECK_ALTERNATE_extra704="extra74" CHECK_ALTERNATE_check74="extra74" CHECK_ALTERNATE_check704="extra74" CHECK_ASFF_COMPLIANCE_TYPE_extra74="ens-mp.com.4.aws.sg.2" +CHECK_SERVICENAME_extra74="ec2" extra74(){ # "Ensure there are no Security Groups without ingress filtering being used (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra740 b/checks/check_extra740 index 2b8906db..c1c8fe22 100644 --- a/checks/check_extra740 +++ b/checks/check_extra740 @@ -18,6 +18,7 @@ CHECK_SEVERITY_extra740="Medium" CHECK_ASFF_RESOURCE_TYPE_extra740="AwsEc2Snapshot" CHECK_ALTERNATE_check740="extra740" CHECK_ASFF_COMPLIANCE_TYPE_extra740="ens-mp.info.3.aws.ebs.3" +CHECK_SERVICENAME_extra740="ec2" extra740(){ textInfo "Examining EBS Volume Snapshots ..." diff --git a/checks/check_extra741 b/checks/check_extra741 index 3245ce0c..7643e512 100644 --- a/checks/check_extra741 +++ b/checks/check_extra741 @@ -17,6 +17,7 @@ CHECK_TYPE_extra741="EXTRA" CHECK_SEVERITY_extra741="Medium" CHECK_ASFF_RESOURCE_TYPE_extra741="AwsEc2Instance" CHECK_ALTERNATE_check741="extra741" +CHECK_SERVICENAME_extra741="ec2" extra741(){ SECRETS_TEMP_FOLDER="$PROWLER_DIR/secrets-$ACCOUNT_NUM" diff --git a/checks/check_extra742 b/checks/check_extra742 index f9ac6868..1aa2adda 100644 --- a/checks/check_extra742 +++ b/checks/check_extra742 
@@ -17,6 +17,7 @@ CHECK_TYPE_extra742="EXTRA"
 CHECK_SEVERITY_extra742="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra742="AwsCloudFormationStack"
 CHECK_ALTERNATE_check742="extra742"
+CHECK_SERVICENAME_extra742="cloudformation"
 extra742(){
 SECRETS_TEMP_FOLDER="$PROWLER_DIR/secrets-$ACCOUNT_NUM"
diff --git a/checks/check_extra743 b/checks/check_extra743
index 322b0d57..38c80447 100644
--- a/checks/check_extra743
+++ b/checks/check_extra743
@@ -17,6 +17,7 @@ CHECK_TYPE_extra743="EXTRA"
 CHECK_SEVERITY_extra743="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra743="AwsApiGatewayRestApi"
 CHECK_ALTERNATE_check743="extra743"
+CHECK_SERVICENAME_extra743="apigateway"
 extra743(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra744 b/checks/check_extra744
index c08c4a5f..2c495108 100644
--- a/checks/check_extra744
+++ b/checks/check_extra744
@@ -18,6 +18,7 @@ CHECK_SEVERITY_extra744="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra744="AwsApiGatewayRestApi"
 CHECK_ALTERNATE_check744="extra744"
 CHECK_ASFF_COMPLIANCE_TYPE_extra744="ens-mp.s.2.aws.waf.2"
+CHECK_SERVICENAME_extra744="apigateway"
 extra744(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra745 b/checks/check_extra745
index d05a262a..2148dcaf 100644
--- a/checks/check_extra745
+++ b/checks/check_extra745
@@ -17,6 +17,7 @@ CHECK_TYPE_extra745="EXTRA"
 CHECK_SEVERITY_extra745="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra745="AwsApiGatewayRestApi"
 CHECK_ALTERNATE_check745="extra745"
+CHECK_SERVICENAME_extra745="apigateway"
 extra745(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra746 b/checks/check_extra746
index 2b817b32..0599d2e8 100644
--- a/checks/check_extra746
+++ b/checks/check_extra746
@@ -17,6 +17,7 @@ CHECK_TYPE_extra746="EXTRA"
 CHECK_SEVERITY_extra746="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra746="AwsApiGatewayRestApi"
 CHECK_ALTERNATE_check746="extra746"
+CHECK_SERVICENAME_extra746="apigateway"
 extra746(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra747 b/checks/check_extra747
index 2f1f9915..9e16b1fb 100644
--- a/checks/check_extra747
+++ b/checks/check_extra747
@@ -17,6 +17,7 @@ CHECK_TYPE_extra747="EXTRA"
 CHECK_SEVERITY_extra747="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra747="AwsRdsDbInstance"
 CHECK_ALTERNATE_check747="extra747"
+CHECK_SERVICENAME_extra747="rds"
 extra747(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra748 b/checks/check_extra748
index b7905d09..3dc303ce 100644
--- a/checks/check_extra748
+++ b/checks/check_extra748
@@ -17,6 +17,7 @@ CHECK_TYPE_extra748="EXTRA"
 CHECK_SEVERITY_extra748="High"
 CHECK_ASFF_RESOURCE_TYPE_extra748="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check748="extra748"
+CHECK_SERVICENAME_extra748="ec2"
 extra748(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra749 b/checks/check_extra749
index a9ac7510..922e9c3d 100644
--- a/checks/check_extra749
+++ b/checks/check_extra749
@@ -18,6 +18,7 @@ CHECK_SEVERITY_extra749="High"
 CHECK_ASFF_RESOURCE_TYPE_extra749="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check749="extra749"
 CHECK_ASFF_COMPLIANCE_TYPE_extra749="ens-mp.com.4.aws.sg.6"
+CHECK_SERVICENAME_extra749="ec2"
 extra749(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra75 b/checks/check_extra75
index a25fc784..a28cd3a3 100644
--- a/checks/check_extra75
+++ b/checks/check_extra75
@@ -20,6 +20,7 @@ CHECK_ALTERNATE_extra705="extra75"
 CHECK_ALTERNATE_check75="extra75"
 CHECK_ALTERNATE_check705="extra75"
 CHECK_ASFF_COMPLIANCE_TYPE_extra75="ens-mp.com.4.aws.sg.3"
+CHECK_SERVICENAME_extra75="ec2"
 extra75(){
 # "Ensure there are no Security Groups not being used (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra750 b/checks/check_extra750
index dcc4b098..061acde1 100644
--- a/checks/check_extra750
+++ b/checks/check_extra750
@@ -18,6 +18,7 @@ CHECK_SEVERITY_extra750="High"
 CHECK_ASFF_RESOURCE_TYPE_extra750="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check750="extra750"
 CHECK_ASFF_COMPLIANCE_TYPE_extra750="ens-mp.com.4.aws.sg.7"
+CHECK_SERVICENAME_extra750="ec2"
 extra750(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra751 b/checks/check_extra751
index 8f711bd0..8b4c67e1 100644
--- a/checks/check_extra751
+++ b/checks/check_extra751
@@ -18,6 +18,7 @@ CHECK_SEVERITY_extra751="High"
 CHECK_ASFF_RESOURCE_TYPE_extra751="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check751="extra751"
 CHECK_ASFF_COMPLIANCE_TYPE_extra751="ens-mp.com.4.aws.sg.8"
+CHECK_SERVICENAME_extra751="ec2"
 extra751(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra752 b/checks/check_extra752
index 0189a6ba..06c95baa 100644
--- a/checks/check_extra752
+++ b/checks/check_extra752
@@ -18,6 +18,7 @@ CHECK_SEVERITY_extra752="High"
 CHECK_ASFF_RESOURCE_TYPE_extra752="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check752="extra752"
 CHECK_ASFF_COMPLIANCE_TYPE_extra752="ens-mp.com.4.aws.sg.9"
+CHECK_SERVICENAME_extra752="ec2"
 extra752(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra753 b/checks/check_extra753
index 75950a67..81270cdc 100644
--- a/checks/check_extra753
+++ b/checks/check_extra753
@@ -18,6 +18,7 @@ CHECK_SEVERITY_extra753="High"
 CHECK_ASFF_RESOURCE_TYPE_extra753="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check753="extra753"
 CHECK_ASFF_COMPLIANCE_TYPE_extra753="ens-mp.com.4.aws.sg.10"
+CHECK_SERVICENAME_extra753="ec2"
 extra753(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra754 b/checks/check_extra754
index 84b8e377..3316f152 100644
--- a/checks/check_extra754
+++ b/checks/check_extra754
@@ -18,6 +18,7 @@ CHECK_SEVERITY_extra754="High"
 CHECK_ASFF_RESOURCE_TYPE_extra754="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check754="extra754"
 CHECK_ASFF_COMPLIANCE_TYPE_extra754="ens-mp.com.4.aws.sg.11"
+CHECK_SERVICENAME_extra754="ec2"
 extra754(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra755 b/checks/check_extra755
index a04819e2..6c746702 100644
--- a/checks/check_extra755
+++ b/checks/check_extra755
@@ -18,6 +18,7 @@ CHECK_SEVERITY_extra755="High"
 CHECK_ASFF_RESOURCE_TYPE_extra755="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check755="extra755"
 CHECK_ASFF_COMPLIANCE_TYPE_extra755="ens-mp.com.4.aws.sg.12"
+CHECK_SERVICENAME_extra755="ec2"
 extra755(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra756 b/checks/check_extra756
index 5c831c2a..ffcab810 100644
--- a/checks/check_extra756
+++ b/checks/check_extra756
@@ -17,6 +17,7 @@ CHECK_TYPE_extra756="EXTRA"
 CHECK_SEVERITY_extra756="High"
 CHECK_ASFF_RESOURCE_TYPE_extra756="AwsRedshiftCluster"
 CHECK_ALTERNATE_check756="extra756"
+CHECK_SERVICENAME_extra756="redshift"
 extra756(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra757 b/checks/check_extra757
index 97e2e3c9..757ab819 100644
--- a/checks/check_extra757
+++ b/checks/check_extra757
@@ -17,6 +17,7 @@ CHECK_TYPE_extra757="EXTRA"
 CHECK_SEVERITY_extra757="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra757="AwsEc2Instance"
 CHECK_ALTERNATE_check757="extra757"
+CHECK_SERVICENAME_extra757="ec2"
 extra757(){
 OLDAGE="$(get_date_previous_than_months 6)"
diff --git a/checks/check_extra758 b/checks/check_extra758
index 42603535..bda9e922 100644
--- a/checks/check_extra758
+++ b/checks/check_extra758
@@ -17,6 +17,7 @@ CHECK_TYPE_extra758="EXTRA"
 CHECK_SEVERITY_extra758="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra758="AwsEc2Instance"
 CHECK_ALTERNATE_check758="extra758"
+CHECK_SERVICENAME_extra758="ec2"
 extra758(){
 OLDAGE="$(get_date_previous_than_months 12)"
diff --git a/checks/check_extra759 b/checks/check_extra759
index 6caad4f7..4414712b 100644
--- a/checks/check_extra759
+++ b/checks/check_extra759
@@ -17,6 +17,7 @@ CHECK_TYPE_extra759="EXTRA"
 CHECK_SEVERITY_extra759="High"
 CHECK_ASFF_RESOURCE_TYPE_extra759="AwsLambdaFunction"
 CHECK_ALTERNATE_check759="extra759"
+CHECK_SERVICENAME_extra759="lambda"
 extra759(){
 SECRETS_TEMP_FOLDER="$PROWLER_DIR/secrets-$ACCOUNT_NUM"
diff --git a/checks/check_extra76 b/checks/check_extra76
index b1667948..898b5a09 100644
--- a/checks/check_extra76
+++ b/checks/check_extra76
@@ -18,6 +18,7 @@ CHECK_SEVERITY_extra76="Critical"
 CHECK_ALTERNATE_extra706="extra76"
 CHECK_ALTERNATE_check76="extra76"
 CHECK_ALTERNATE_check706="extra76"
+CHECK_SERVICENAME_extra76="ec2"
 extra76(){
 # "Ensure there are no EC2 AMIs set as Public (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra760 b/checks/check_extra760
index a6c9d07e..5a3b0ece 100644
--- a/checks/check_extra760
+++ b/checks/check_extra760
@@ -17,6 +17,7 @@ CHECK_TYPE_extra760="EXTRA"
 CHECK_SEVERITY_extra760="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra760="AwsLambdaFunction"
 CHECK_ALTERNATE_check760="extra760"
+CHECK_SERVICENAME_extra760="lambda"
 extra760(){
 SECRETS_TEMP_FOLDER="$PROWLER_DIR/secrets-$ACCOUNT_NUM"
diff --git a/checks/check_extra761 b/checks/check_extra761
index 4c2fcb6a..a0ad91f7 100644
--- a/checks/check_extra761
+++ b/checks/check_extra761
@@ -17,6 +17,7 @@ CHECK_TYPE_extra761="EXTRA"
 CHECK_SEVERITY_extra761="Medium"
 CHECK_ALTERNATE_check761="extra761"
 CHECK_ASFF_COMPLIANCE_TYPE_extra761="ens-mp.info.3.aws.ebs.2"
+CHECK_SERVICENAME_extra761="ec2"
 extra761(){
 textInfo "Looking for EBS Default Encryption activation in all regions... "
diff --git a/checks/check_extra762 b/checks/check_extra762
index eb40aa30..16143008 100644
--- a/checks/check_extra762
+++ b/checks/check_extra762
@@ -17,6 +17,7 @@ CHECK_TYPE_extra762="EXTRA"
 CHECK_SEVERITY_extra762="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra762="AwsLambdaFunction"
 CHECK_ALTERNATE_check762="extra762"
+CHECK_SERVICENAME_extra762="lambda"
 extra762(){
diff --git a/checks/check_extra763 b/checks/check_extra763
index a86c7a52..a420df22 100644
--- a/checks/check_extra763
+++ b/checks/check_extra763
@@ -17,6 +17,7 @@ CHECK_TYPE_extra763="EXTRA"
 CHECK_SEVERITY_extra763="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra763="AwsS3Bucket"
 CHECK_ALTERNATE_check763="extra763"
+CHECK_SERVICENAME_extra763="s3"
 extra763(){
 # "Check if S3 buckets have object versioning enabled (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra764 b/checks/check_extra764
index e7f2d8b2..673de716 100644
--- a/checks/check_extra764
+++ b/checks/check_extra764
@@ -18,6 +18,7 @@ CHECK_SEVERITY_extra764="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra764="AwsS3Bucket"
 CHECK_ALTERNATE_check764="extra764"
 CHECK_ASFF_COMPLIANCE_TYPE_extra764="ens-mp.com.2.aws.s3.1"
+CHECK_SERVICENAME_extra764="s3"
 extra764(){
 LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --query Buckets[*].Name --output text --region $REGION|xargs -n1)
diff --git a/checks/check_extra765 b/checks/check_extra765
index cfc1a839..8dce6fb7 100644
--- a/checks/check_extra765
+++ b/checks/check_extra765
@@ -26,6 +26,7 @@ CHECK_SCORED_extra765="NOT_SCORED"
 CHECK_TYPE_extra765="EXTRA"
 CHECK_SEVERITY_extra765="Medium"
 CHECK_ALTERNATE_check765="extra765"
+CHECK_SERVICENAME_extra765="ecr"
 extra765(){
 for region in $REGIONS; do
diff --git a/checks/check_extra767 b/checks/check_extra767
index d82b5586..403c8947 100644
--- a/checks/check_extra767
+++ b/checks/check_extra767
@@ -17,6 +17,7 @@ CHECK_TYPE_extra767="EXTRA"
 CHECK_SEVERITY_extra767="Low"
 CHECK_ASFF_RESOURCE_TYPE_extra767="AwsCloudFrontDistribution"
 CHECK_ALTERNATE_check767="extra767"
+CHECK_SERVICENAME_extra767="cloudfront"
 extra767(){
 LIST_OF_DISTRIBUTIONS=$($AWSCLI cloudfront list-distributions --query 'DistributionList.Items[*].Id' $PROFILE_OPT --output text|grep -v ^None)
diff --git a/checks/check_extra768 b/checks/check_extra768
index 1468ec2f..e82b98a5 100644
--- a/checks/check_extra768
+++ b/checks/check_extra768
@@ -17,6 +17,7 @@ CHECK_TYPE_extra768="EXTRA"
 CHECK_SEVERITY_extra768="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra768="AwsEcsTaskDefinition"
 CHECK_ALTERNATE_check768="extra768"
+CHECK_SERVICENAME_extra768="ecs"
 extra768(){
 SECRETS_TEMP_FOLDER="$PROWLER_DIR/secrets-$ACCOUNT_NUM"
diff --git a/checks/check_extra769 b/checks/check_extra769
index 43b18b31..e56196d4 100644
--- a/checks/check_extra769
+++ b/checks/check_extra769
@@ -17,6 +17,7 @@ CHECK_SCORED_extra769="NOT_SCORED"
 CHECK_TYPE_extra769="EXTRA"
 CHECK_SEVERITY_extra769="High"
 CHECK_ALTERNATE_check769="extra769"
+CHECK_SERVICENAME_extra769="accessanalyzer"
 extra769(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra77 b/checks/check_extra77
index 5278f18f..ef3f9a91 100644
--- a/checks/check_extra77
+++ b/checks/check_extra77
@@ -19,6 +19,7 @@ CHECK_SEVERITY_extra77="Critical"
 CHECK_ALTERNATE_extra707="extra77"
 CHECK_ALTERNATE_check77="extra77"
 CHECK_ALTERNATE_check707="extra77"
+CHECK_SERVICENAME_extra77="ecr"
 extra77(){
 # "Ensure there are no ECR repositories set as Public (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra770 b/checks/check_extra770
index 0c624274..f2f9e218 100644
--- a/checks/check_extra770
+++ b/checks/check_extra770
@@ -17,6 +17,7 @@ CHECK_TYPE_extra770="EXTRA"
 CHECK_SEVERITY_extra770="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra770="AwsEc2Instance"
 CHECK_ALTERNATE_check770="extra770"
+CHECK_SERVICENAME_extra770="ec2"
 extra770(){
 # "Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra771 b/checks/check_extra771
index b30a2c20..c109d059 100644
--- a/checks/check_extra771
+++ b/checks/check_extra771
@@ -17,6 +17,7 @@ CHECK_TYPE_extra771="EXTRA"
 CHECK_SEVERITY_extra771="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra771="AwsS3Bucket"
 CHECK_ALTERNATE_check771="extra771"
+CHECK_SERVICENAME_extra771="s3"
 extra771(){
 LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --region $REGION --query Buckets[*].Name --output text|xargs -n1)
diff --git a/checks/check_extra772 b/checks/check_extra772
index 47564d79..87a1c528 100644
--- a/checks/check_extra772
+++ b/checks/check_extra772
@@ -17,6 +17,7 @@ CHECK_TYPE_extra772="EXTRA"
 CHECK_SEVERITY_extra772="Low"
 CHECK_ASFF_RESOURCE_TYPE_extra772="AwsEc2Eip"
 CHECK_ALTERNATE_check772="extra772"
+CHECK_SERVICENAME_extra772="ec2"
 extra772(){
 for region in $REGIONS; do
diff --git a/checks/check_extra773 b/checks/check_extra773
index 93298073..20068495 100644
--- a/checks/check_extra773
+++ b/checks/check_extra773
@@ -18,6 +18,7 @@ CHECK_SEVERITY_extra773="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra773="AwsCloudFrontDistribution"
 CHECK_ALTERNATE_check773="extra773"
 CHECK_ASFF_COMPLIANCE_TYPE_extra773="ens-mp.s.2.aws.waf.1"
+CHECK_SERVICENAME_extra773="cloudfront"
 extra773(){
 # "Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra774 b/checks/check_extra774
index a81f3e1c..9f167514 100644
--- a/checks/check_extra774
+++ b/checks/check_extra774
@@ -17,6 +17,7 @@ CHECK_TYPE_extra774="EXTRA"
 CHECK_SEVERITY_extra774="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra774="AwsIamUser"
 CHECK_ALTERNATE_check774="extra774"
+CHECK_SERVICENAME_extra774="iam"
 extra774(){
 check_creds_used_in_last_days 30
diff --git a/checks/check_extra775 b/checks/check_extra775
index 5864f227..1cbefab0 100644
--- a/checks/check_extra775
+++ b/checks/check_extra775
@@ -16,6 +16,7 @@ CHECK_SCORED_extra775="NOT_SCORED"
 CHECK_TYPE_extra775="EXTRA"
 CHECK_SEVERITY_extra775="Medium"
 CHECK_ALTERNATE_check775="extra775"
+CHECK_SERVICENAME_extra775="autoscaling"
 extra775(){
 SECRETS_TEMP_FOLDER="$PROWLER_DIR/secrets-$ACCOUNT_NUM"
diff --git a/checks/check_extra776 b/checks/check_extra776
index 98f261e3..9f14cd04 100644
--- a/checks/check_extra776
+++ b/checks/check_extra776
@@ -31,6 +31,7 @@ CHECK_SCORED_extra776="NOT_SCORED"
 CHECK_TYPE_extra776="EXTRA"
 CHECK_SEVERITY_extra776="Medium"
 CHECK_ALTERNATE_check776="extra776"
+CHECK_SERVICENAME_extra776="ecr"
 extra776(){
 for region in $REGIONS; do
diff --git a/checks/check_extra777 b/checks/check_extra777
index e4021339..3120963d 100644
--- a/checks/check_extra777
+++ b/checks/check_extra777
@@ -21,6 +21,7 @@ CHECK_TYPE_extra777="EXTRA"
 CHECK_SEVERITY_extra777="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra777="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check777="extra777"
+CHECK_SERVICENAME_extra777="ec2"
 extra777(){
 THRESHOLD=50
diff --git a/checks/check_extra778 b/checks/check_extra778
index b7a63b23..59d60335 100644
--- a/checks/check_extra778
+++ b/checks/check_extra778
@@ -18,6 +18,7 @@ CHECK_TYPE_extra778="EXTRA"
 CHECK_SEVERITY_extra778="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra778="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check778="extra778"
+CHECK_SERVICENAME_extra778="ec2"
 extra778(){
 CIDR_THRESHOLD=24
diff --git a/checks/check_extra779 b/checks/check_extra779
index ffa79939..cfd8ebc9 100644
--- a/checks/check_extra779
+++ b/checks/check_extra779
@@ -17,6 +17,7 @@ CHECK_TYPE_extra779="EXTRA"
 CHECK_SEVERITY_extra779="High"
 CHECK_ASFF_RESOURCE_TYPE_extra779="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check779="extra779"
+CHECK_SERVICENAME_extra779="ec2"
 extra779(){
 ES_API_PORT="9200"
diff --git a/checks/check_extra78 b/checks/check_extra78
index b1d9c2ea..064cf6cc 100644
--- a/checks/check_extra78
+++ b/checks/check_extra78
@@ -19,6 +19,7 @@ CHECK_ASFF_RESOURCE_TYPE_extra78="AwsRdsDbInstance"
 CHECK_ALTERNATE_extra708="extra78"
 CHECK_ALTERNATE_check78="extra78"
 CHECK_ALTERNATE_check708="extra78"
+CHECK_SERVICENAME_extra78="rds"
 extra78(){
 # "Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra780 b/checks/check_extra780
index 28a77104..688e9b94 100644
--- a/checks/check_extra780
+++ b/checks/check_extra780
@@ -17,6 +17,7 @@ CHECK_TYPE_extra780="EXTRA"
 CHECK_SEVERITY_extra780="High"
 CHECK_ASFF_RESOURCE_TYPE_extra780="AwsElasticsearchDomain"
 CHECK_ALTERNATE_check780="extra780"
+CHECK_SERVICENAME_extra780="es"
 extra780(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra781 b/checks/check_extra781
index 12d5f484..40968fdc 100644
--- a/checks/check_extra781
+++ b/checks/check_extra781
@@ -18,6 +18,7 @@ CHECK_SEVERITY_extra781="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra781="AwsElasticsearchDomain"
 CHECK_ALTERNATE_check781="extra781"
 CHECK_ASFF_COMPLIANCE_TYPE_extra781="ens-mp.info.3.aws.au.1"
+CHECK_SERVICENAME_extra781="es"
 extra781(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra782 b/checks/check_extra782
index daa5b4b2..ecb9b3b0 100644
--- a/checks/check_extra782
+++ b/checks/check_extra782
@@ -17,6 +17,7 @@ CHECK_TYPE_extra782="EXTRA"
 CHECK_SEVERITY_extra782="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra782="AwsElasticsearchDomain"
 CHECK_ALTERNATE_check782="extra782"
+CHECK_SERVICENAME_extra782="es"
 extra782(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra783 b/checks/check_extra783
index 49f554b5..09ffe99e 100644
--- a/checks/check_extra783
+++ b/checks/check_extra783
@@ -17,6 +17,7 @@ CHECK_TYPE_extra783="EXTRA"
 CHECK_SEVERITY_extra783="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra783="AwsElasticsearchDomain"
 CHECK_ALTERNATE_check783="extra783"
+CHECK_SERVICENAME_extra783="es"
 extra783(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra784 b/checks/check_extra784
index 62040df3..ea4fa4d9 100644
--- a/checks/check_extra784
+++ b/checks/check_extra784
@@ -17,6 +17,7 @@ CHECK_TYPE_extra784="EXTRA"
 CHECK_SEVERITY_extra784="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra784="AwsElasticsearchDomain"
 CHECK_ALTERNATE_check784="extra784"
+CHECK_SERVICENAME_extra784="es"
 extra784(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra785 b/checks/check_extra785
index a7fb27aa..31483ae9 100644
--- a/checks/check_extra785
+++ b/checks/check_extra785
@@ -17,6 +17,7 @@ CHECK_TYPE_extra785="EXTRA"
 CHECK_SEVERITY_extra785="Low"
 CHECK_ASFF_RESOURCE_TYPE_extra785="AwsElasticsearchDomain"
 CHECK_ALTERNATE_check785="extra785"
+CHECK_SERVICENAME_extra785="es"
 # NOTE!
 # API does not properly shows if an update is available while it is a new version available
diff --git a/checks/check_extra786 b/checks/check_extra786
index 7491539d..04570dfc 100644
--- a/checks/check_extra786
+++ b/checks/check_extra786
@@ -17,6 +17,7 @@ CHECK_TYPE_extra786="EXTRA"
 CHECK_SEVERITY_extra786="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra786="AwsEc2Instance"
 CHECK_ALTERNATE_check786="extra786"
+CHECK_SERVICENAME_extra786="ec2"
 extra786(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra787 b/checks/check_extra787
index ce5e6f9f..b85b3969 100644
--- a/checks/check_extra787
+++ b/checks/check_extra787
@@ -17,6 +17,7 @@ CHECK_TYPE_extra787="EXTRA"
 CHECK_SEVERITY_extra787="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra787="AwsEc2Instance"
 CHECK_ALTERNATE_check787="extra787"
+CHECK_SERVICENAME_extra787="es"
 extra787(){
 # Prowler will try to access each ElasticSearch server to port:
diff --git a/checks/check_extra788 b/checks/check_extra788
index 6821fd5e..9bd0e819 100644
--- a/checks/check_extra788
+++ b/checks/check_extra788
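Review bot: `CHECK_SERVICENAME_extra787="es"` in checks/check_extra787 disagrees with the `CHECK_ASFF_RESOURCE_TYPE_extra787="AwsEc2Instance"` declared two lines above it. The related check extra779, which sets `ES_API_PORT="9200"` and reports against `AwsEc2SecurityGroup`, is labelled `ec2` in this same patch. If this name is used to select checks or group findings by service, a Critical finding about an Elasticsearch port reachable on an EC2 instance would not appear for someone scoping a run or a report to `ec2`; consider `CHECK_SERVICENAME_extra787="ec2"`, or add a comment next to the assignment stating that `es` is deliberate. The body of extra787() continues outside the hunk, so which API it actually queries is not visible here.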
@@ -17,6 +17,7 @@ CHECK_TYPE_extra788="EXTRA"
 CHECK_SEVERITY_extra788="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra788="AwsElasticsearchDomain"
 CHECK_ALTERNATE_check788="extra788"
+CHECK_SERVICENAME_extra788="es"
 extra788(){
 # Prowler will try to access each ElasticSearch server to the public URI endpoint.
diff --git a/checks/check_extra789 b/checks/check_extra789
index 7f6126ae..f289785a 100644
--- a/checks/check_extra789
+++ b/checks/check_extra789
@@ -18,6 +18,7 @@ CHECK_TYPE_extra789="EXTRA"
 CHECK_SEVERITY_extra789="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra789="AwsEc2Vpc"
 CHECK_ALTERNATE_extra789="extra789"
+CHECK_SERVICENAME_extra789="vpc"
 extra789(){
 TRUSTED_ACCOUNT_IDS=$( echo "${ACCOUNT_NUM} ${GROUP_TRUSTBOUNDARIES_TRUSTED_ACCOUNT_IDS}" | xargs )
diff --git a/checks/check_extra79 b/checks/check_extra79
index 9b428bc0..c3ce2166 100644
--- a/checks/check_extra79
+++ b/checks/check_extra79
@@ -19,6 +19,8 @@ CHECK_ASFF_RESOURCE_TYPE_extra79="AwsElbLoadBalancer"
 CHECK_ALTERNATE_extra709="extra79"
 CHECK_ALTERNATE_check79="extra79"
 CHECK_ALTERNATE_check709="extra79"
+CHECK_SERVICENAME_extra79="elb"
+
 extra79(){
 # "Check for internet facing Elastic Load Balancers (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra790 b/checks/check_extra790
index 83857889..5278365c 100644
--- a/checks/check_extra790
+++ b/checks/check_extra790
@@ -18,6 +18,7 @@ CHECK_TYPE_extra790="EXTRA"
 CHECK_SEVERITY_extra790="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra790="AwsEc2Vpc"
 CHECK_ALTERNATE_extra790="extra790"
+CHECK_SERVICENAME_extra790="vpc"
 extra790(){
 TRUSTED_ACCOUNT_IDS=$( echo "${ACCOUNT_NUM} ${GROUP_TRUSTBOUNDARIES_TRUSTED_ACCOUNT_IDS}" | xargs )
diff --git a/checks/check_extra791 b/checks/check_extra791
index b52aa248..a6ca4f9d 100644
--- a/checks/check_extra791
+++ b/checks/check_extra791
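Review bot: `CHECK_SERVICENAME_extra789="vpc"` in checks/check_extra789, and likewise `CHECK_SERVICENAME_extra790="vpc"` in checks/check_extra790, is the only value among the visible hunks that is not an AWS CLI service namespace; VPC resources are served by `ec2`, and both checks declare the resource type `AwsEc2Vpc`. The security-group checks in this patch (extra748 to extra755, extra777 to extra779) are labelled `ec2`, so network-exposure findings end up split across two labels. If the name is used to select checks or filter findings, either use `ec2` here or state the convention beside the assignment, for example `# service name is a project grouping, not the AWS API namespace`. Both function bodies continue outside their hunks.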
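Review bot: The checks/check_extra79 hunk adds two lines (`+19,8`): the assignment and a stray blank line before `extra79(){`, where the other hunks visible here add only the assignment. Drop the bare `+` line so the file keeps one blank line between the metadata block and the function, like its siblings.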
@@ -17,6 +17,7 @@ CHECK_TYPE_extra791="EXTRA"
 CHECK_SEVERITY_extra791="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra791="AwsCloudFrontDistribution"
 CHECK_ALTERNATE_check791="extra791"
+CHECK_SERVICENAME_extra791="cloudfront"
 extra791(){
 LIST_OF_DISTRIBUTIONS=$($AWSCLI cloudfront list-distributions --query 'DistributionList.Items[*].Id' $PROFILE_OPT --output text|grep -v ^None)
diff --git a/checks/check_extra792 b/checks/check_extra792
index b6497042..23f0d03d 100644
--- a/checks/check_extra792
+++ b/checks/check_extra792
@@ -18,6 +18,7 @@ CHECK_SEVERITY_extra792="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra792="AwsElbLoadBalancer"
 CHECK_ALTERNATE_check792="extra792"
 CHECK_ASFF_COMPLIANCE_TYPE_extra792="ens-mp.com.2.aws.elb.2"
+CHECK_SERVICENAME_extra792="elb"
 extra792(){
 # "Check if Elastic Load Balancers have insecure SSL ciphers (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra793 b/checks/check_extra793
index 0a45f313..7ffc6df6 100644
--- a/checks/check_extra793
+++ b/checks/check_extra793
@@ -18,6 +18,7 @@ CHECK_SEVERITY_extra793="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra793="AwsElbLoadBalancer"
 CHECK_ALTERNATE_check793="extra793"
 CHECK_ASFF_COMPLIANCE_TYPE_extra793="ens-mp.com.2.aws.elb.1"
+CHECK_SERVICENAME_extra793="elb"
 extra793(){
 # "Check if Elastic Load Balancers have encrypted listeners (Not Scored) (Not part of CIS benchmark)"
diff --git a/checks/check_extra794 b/checks/check_extra794
index 9c276106..fd763765 100644
--- a/checks/check_extra794
+++ b/checks/check_extra794
@@ -17,6 +17,7 @@ CHECK_TYPE_extra794="EXTRA"
 CHECK_SEVERITY_extra794="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra794="AwsEksCluster"
 CHECK_ALTERNATE_check794="extra794"
+CHECK_SERVICENAME_extra794="eks"
 extra794(){
 textInfo "Looking for control plane logging enabled for EKS clusters across all regions... "
diff --git a/checks/check_extra795 b/checks/check_extra795
index 3a385c4b..4196456e 100644
--- a/checks/check_extra795
+++ b/checks/check_extra795
@@ -17,6 +17,7 @@ CHECK_TYPE_extra795="EXTRA"
 CHECK_SEVERITY_extra795="High"
 CHECK_ASFF_RESOURCE_TYPE_extra795="AwsEksCluster"
 CHECK_ALTERNATE_check795="extra795"
+CHECK_SERVICENAME_extra795="eks"
 extra795(){
 textInfo "Looking for public access enabled for EKS clusters across all regions... "
diff --git a/checks/check_extra796 b/checks/check_extra796
index be24a340..d4134b35 100644
--- a/checks/check_extra796
+++ b/checks/check_extra796
@@ -17,6 +17,7 @@ CHECK_TYPE_extra796="EXTRA"
 CHECK_SEVERITY_extra796="High"
 CHECK_ASFF_RESOURCE_TYPE_extra796="AwsEksCluster"
 CHECK_ALTERNATE_check796="extra796"
+CHECK_SERVICENAME_extra796="eks"
 extra796(){
 textInfo "Looking for public access CIDRs for EKS clusters across all regions... "
diff --git a/checks/check_extra797 b/checks/check_extra797
index 6a1f696e..cafe95b4 100644
--- a/checks/check_extra797
+++ b/checks/check_extra797
@@ -17,6 +17,7 @@ CHECK_TYPE_extra797="EXTRA"
 CHECK_SEVERITY_extra797="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra797="AwsEksCluster"
 CHECK_ALTERNATE_check797="extra797"
+CHECK_SERVICENAME_extra797="eks"
 extra797(){
 textInfo "Looking for encryption config for EKS clusters across all regions... "
diff --git a/checks/check_extra798 b/checks/check_extra798
index a70b9d0b..136c85e5 100644
--- a/checks/check_extra798
+++ b/checks/check_extra798
@@ -18,6 +18,7 @@ CHECK_TYPE_extra798="EXTRA"
 CHECK_SEVERITY_extra798="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra798="AwsLambdaFunction"
 CHECK_ALTERNATE_check798="extra798"
+CHECK_SERVICENAME_extra798="lambda"
 extra798(){
 for regx in $REGIONS; do
diff --git a/checks/check_extra799 b/checks/check_extra799
index 9b4be8eb..75a391ec 100644
--- a/checks/check_extra799
+++ b/checks/check_extra799
@@ -18,6 +18,7 @@ CHECK_TYPE_extra799="EXTRA"
 CHECK_SEVERITY_extra799="High"
 CHECK_ASFF_RESOURCE_TYPE_extra799="AwsSecurityHubHub"
 CHECK_ALTERNATE_check799="extra799"
+CHECK_SERVICENAME_extra799="securityhub"
 extra799(){
 for regx in $REGIONS; do