From f875cd05be11563b0e1bc9de7f626e88af12111a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pedro=20Mart=C3=ADn?=
Date: Tue, 20 Jun 2023 16:57:28 +0200
Subject: [PATCH] feat(compliance): add ISO27001 compliance framework (#2517)
Co-authored-by: Sergio Garcia
---
 prowler/compliance/aws/iso27001_aws.json | 1273 ++++++++++++++++++++++
 prowler/lib/check/compliance_models.py | 11 +
 prowler/lib/cli/parser.py | 2 +-
 prowler/lib/outputs/compliance.py | 39 +-
 prowler/lib/outputs/file_descriptors.py | 11 +
 prowler/lib/outputs/models.py | 20 +
 6 files changed, 1352 insertions(+), 4 deletions(-)
 create mode 100644 prowler/compliance/aws/iso27001_aws.json
diff --git a/prowler/compliance/aws/iso27001_aws.json b/prowler/compliance/aws/iso27001_aws.json
new file mode 100644
index 00000000..82ef8fcf
--- /dev/null
+++ b/prowler/compliance/aws/iso27001_aws.json
@@ -0,0 +1,1273 @@
+{
+ "Framework": "ISO27001",
+ "Version": "",
+ "Provider": "AWS",
+ "Description": "ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.",
+ "Requirements": [
+ {
+ "Id": "A.10.1",
+ "Description": "Setup Encryption at rest for RDS instances",
+ "Name": "Cryptographic Controls",
+ "Attributes": [
+ {
+ "Category": "A.10 Cryptography",
+ "Objetive_ID": "A.10.1",
+ "Objetive_Name": "Cryptographic Controls",
+ "Check_Summary": "Setup Encryption at rest for RDS instances"
+ }
+ ],
+ "Checks": [
+ "rds_instance_storage_encrypted"
+ ]
+ },
+ {
+ "Id": "A.10.1",
+ "Description": "Detect use of insecure ciphers on ELBs",
+ "Name": "Cryptographic Controls",
+ "Attributes": [
+ {
+ "Category": "A.10 Cryptography",
+ "Objetive_ID": "A.10.1",
+ "Objetive_Name": "Cryptographic Controls",
+ "Check_Summary": "Detect use of insecure ciphers on ELBs"
+ }
+ ],
+ "Checks": [
+ "elb_insecure_ssl_ciphers",
+ "elbv2_insecure_ssl_ciphers"
+ ]
+ },
+ {
+ "Id": "A.10.1",
+ "Description": "Detect Customer Master Keys (CMKs) scheduled for deletion",
+ "Name": "Cryptographic Controls",
+ "Attributes": [
+ {
+ "Category": "A.10 Cryptography",
+ "Objetive_ID": "A.10.1",
+ "Objetive_Name": "Cryptographic Controls",
+ "Check_Summary": "Detect Customer Master Keys (CMKs) scheduled for deletion"
+ }
+ ],
+ "Checks": [
+ "cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk"
+ ]
+ },
+ {
+ "Id": "A.12.4",
+ "Description": "Ensure a log metric filter and alarm exist for VPC changes",
+ "Name": "Logging and Monitoring",
+ "Attributes": [
+ {
+ "Category": "A.12 Operations Security",
+ "Objetive_ID": "A.12.4",
+ "Objetive_Name": "Logging and Monitoring",
+ "Check_Summary": "Ensure a log metric filter and alarm exist for VPC changes"
+ }
+ ],
+ "Checks": [
+ "cloudwatch_changes_to_vpcs_alarm_configured"
+ ]
+ },
+ {
+ "Id": "A.12.4",
+ "Description": "Ensure a log metric filter and alarm exist for route table changes",
+ "Name": "Logging and Monitoring",
+ "Attributes": [
+ {
+ "Category": "A.12 Operations Security",
+ "Objetive_ID": "A.12.4",
+ "Objetive_Name": "Logging and Monitoring",
+ "Check_Summary": "Ensure a log metric filter and alarm exist for route table changes"
+ }
+ ],
+ "Checks": [
+ "cloudwatch_changes_to_network_route_tables_alarm_configured"
+ ]
+ },
+ {
+ "Id": "A.12.4",
+ "Description": "Ensure a log metric filter and alarm exist for changes to network gateways",
+ "Name": "Logging and Monitoring",
+ "Attributes": [
+ {
+ "Category": "A.12 Operations Security",
+ "Objetive_ID": "A.12.4",
+ "Objetive_Name": "Logging and Monitoring",
+ "Check_Summary": "Ensure a log metric filter and alarm exist for changes to network gateways"
+ }
+ ],
+ "Checks": [
+ "cloudwatch_changes_to_network_gateways_alarm_configured"
+ ]
+ },
+ {
+ "Id": "A.12.4",
+ "Description": "Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)",
+ "Name": "Logging and Monitoring",
+ "Attributes": [
+ {
+ "Category": "A.12 Operations Security",
+ "Objetive_ID": "A.12.4",
+ "Objetive_Name": "Logging and Monitoring",
+ "Check_Summary": "Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)"
+ }
+ ],
+ "Checks": [
+ "cloudwatch_changes_to_network_acls_alarm_configured"
+ ]
+ },
+ {
+ "Id": "A.12.4",
+ "Description": "Ensure a log metric filter and alarm exist for security group changes",
+ "Name": "Logging and Monitoring",
+ "Attributes": [
+ {
+ "Category": "A.12 Operations Security",
+ "Objetive_ID": "A.12.4",
+ "Objetive_Name": "Logging and Monitoring",
+ "Check_Summary": "Ensure a log metric filter and alarm exist for security group changes"
+ }
+ ],
+ "Checks": [
+ "cloudwatch_log_metric_filter_security_group_changes"
+ ]
+ },
+ {
+ "Id": "A.12.4",
+ "Description": "Ensure a log metric filter and alarm exist for AWS Config configuration changes",
+ "Name": "Logging and Monitoring",
+ "Attributes": [
+ {
+ "Category": "A.12 Operations Security",
+ "Objetive_ID": "A.12.4",
+ "Objetive_Name": "Logging and Monitoring",
+ "Check_Summary": "Ensure a log metric filter and alarm exist for AWS Config configuration changes"
+ }
+ ],
+ "Checks": [
+ "cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled"
+ ]
+ },
+ {
+ "Id": "A.12.4",
+ "Description": "Ensure a log metric filter and alarm exist for S3 bucket policy changes",
+ "Name": "Logging and Monitoring",
+ "Attributes": [
+ {
+ "Category": "A.12 Operations Security",
+ "Objetive_ID": "A.12.4",
+ "Objetive_Name": "Logging and Monitoring",
+ "Check_Summary": "Ensure a log metric filter and alarm exist for S3 bucket policy changes"
+ }
+ ],
+ "Checks": [
+ "cloudwatch_log_metric_filter_for_s3_bucket_policy_changes"
+ ]
+ },
+ {
+ "Id": "A.12.4",
+ "Description": "Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs",
+ "Name": "Logging and Monitoring",
+ "Attributes": [
+ {
+ "Category": "A.12 Operations Security",
+ "Objetive_ID": "A.12.4",
+ "Objetive_Name": "Logging and Monitoring",
+ "Check_Summary": "Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs"
+ }
+ ],
+ "Checks": [
+ "cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk"
+ ]
+ },
+ {
+ "Id": "A.12.4",
+ "Description": "Ensure a log metric filter and alarm exist for AWS Management Console authentication failures",
+ "Name": "Logging and Monitoring",
+ "Attributes": [
+ {
+ "Category": "A.12 Operations Security",
+ "Objetive_ID": "A.12.4",
+ "Objetive_Name": "Logging and Monitoring",
+ "Check_Summary": "Ensure a log metric filter and alarm exist for AWS Management Console authentication failures"
+ }
+ ],
+ "Checks": [
+ "cloudwatch_log_metric_filter_authentication_failures"
+ ]
+ },
+ {
+ "Id": "A.12.4",
+ "Description": "Ensure a log metric filter and alarm exist for CloudTrail configuration changes",
+ "Name": "Logging and Monitoring",
+ "Attributes": [
+ {
+ "Category": "A.12 Operations Security",
+ "Objetive_ID": "A.12.4",
+ "Objetive_Name": "Logging and Monitoring",
+ "Check_Summary": "Ensure a log metric filter and alarm exist for CloudTrail configuration changes"
+ }
+ ],
+ "Checks": [
+ "cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled"
+ ]
+ },
+ {
+ "Id": "A.12.4",
+ "Description": "Ensure a log metric filter and alarm exist for IAM policy changes",
+ "Name": "Logging and Monitoring",
+ "Attributes": [
+ {
+ "Category": "A.12 Operations Security",
+ "Objetive_ID": "A.12.4",
+ "Objetive_Name": "Logging and Monitoring",
+ "Check_Summary": "Ensure a log metric filter and alarm exist for IAM policy changes"
+ }
+ ],
+ "Checks": [
+ "cloudwatch_log_metric_filter_policy_changes"
+ ]
+ },
+ {
+ "Id": "A.12.4",
+ "Description": "Ensure a log metric filter and alarm exist for usage of root account",
+ "Name": "Logging and Monitoring",
+ "Attributes": [
+ {
+ "Category": "A.12 Operations Security",
+ "Objetive_ID": "A.12.4",
+ "Objetive_Name": "Logging and Monitoring",
+ "Check_Summary": "Ensure a log metric filter and alarm exist for usage of root account"
+ }
+ ],
+ "Checks": [
+ "cloudwatch_log_metric_filter_root_usage"
+ ]
+ },
+ {
+ "Id": "A.12.4",
+ "Description": "Ensure a log metric filter and alarm exist for Management Console sign-in without MFA",
+ "Name": "Logging and Monitoring",
+ "Attributes": [
+ {
+ "Category": "A.12 Operations Security",
+ "Objetive_ID": "A.12.4",
+ "Objetive_Name": "Logging and Monitoring",
+ "Check_Summary": "Ensure a log metric filter and alarm exist for Management Console sign-in without MFA"
+ }
+ ],
+ "Checks": [
+ "cloudwatch_log_metric_filter_sign_in_without_mfa"
+ ]
+ },
+ {
+ "Id": "A.12.4",
+ "Description": "Ensure a log metric filter and alarm exist for unauthorized API calls",
+ "Name": "Logging and Monitoring",
+ "Attributes": [
+ {
+ "Category": "A.12 Operations Security",
+ "Objetive_ID": "A.12.4",
+ "Objetive_Name": "Logging and Monitoring",
+ "Check_Summary": "Ensure a log metric filter and alarm exist for unauthorized API calls"
+ }
+ ],
+ "Checks": [
+ "cloudwatch_log_metric_filter_unauthorized_api_calls"
+ ]
+ },
+ {
+ "Id": "A.12.4",
+ "Description": "Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket",
+ "Name": "Logging and Monitoring",
+ "Attributes": [
+ {
+ "Category": "A.12 Operations Security",
+ "Objetive_ID": "A.12.4",
+ "Objetive_Name": "Logging and Monitoring",
+ "Check_Summary": "Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_logs_s3_bucket_access_logging_enabled"
+ ]
+ },
+ {
+ "Id": "A.12.4",
+ "Description": "Ensure AWS Config is enabled in all regions",
+ "Name": "Logging and Monitoring",
+ "Attributes": [
+ {
+ "Category": "A.12 Operations Security",
+ "Objetive_ID": "A.12.4",
+ "Objetive_Name": "Logging and Monitoring",
+ "Check_Summary": "Ensure AWS Config is enabled in all regions"
+ }
+ ],
+ "Checks": [
+ "config_recorder_all_regions_enabled"
+ ]
+ },
+ {
+ "Id": "A.12.4",
+ "Description": "Ensure CloudTrail trails are integrated with CloudWatch Logs",
+ "Name": "Logging and Monitoring",
+ "Attributes": [
+ {
+ "Category": "A.12 Operations Security",
+ "Objetive_ID": "A.12.4",
+ "Objetive_Name": "Logging and Monitoring",
+ "Check_Summary": "Ensure CloudTrail trails are integrated with CloudWatch Logs"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_cloudwatch_logging_enabled"
+ ]
+ },
+ {
+ "Id": "A.12.4",
+ "Description": "Ensure VPC flow logging is enabled in all VPCs",
+ "Name": "Logging and Monitoring",
+ "Attributes": [
+ {
+ "Category": "A.12 Operations Security",
+ "Objetive_ID": "A.12.4",
+ "Objetive_Name": "Logging and Monitoring",
+ "Check_Summary": "Ensure VPC flow logging is enabled in all VPCs"
+ }
+ ],
+ "Checks": [
+ "vpc_flow_logs_enabled"
+ ]
+ },
+ {
+ "Id": "A.12.4",
+ "Description": "Ensure the S3 bucket CloudTrail logs to is not publicly accessible",
+ "Name": "Logging and Monitoring",
+ "Attributes": [
+ {
+ "Category": "A.12 Operations Security",
+ "Objetive_ID": "A.12.4",
+ "Objetive_Name": "Logging and Monitoring",
+ "Check_Summary": "Ensure the S3 bucket CloudTrail logs to is not publicly accessible"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_logs_s3_bucket_is_not_publicly_accessible"
+ ]
+ },
+ {
+ "Id": "A.12.4",
+ "Description": "Ensure CloudTrail is enabled in all regions",
+ "Name": "Logging and Monitoring",
+ "Attributes": [
+ {
+ "Category": "A.12 Operations Security",
+ "Objetive_ID": "A.12.4",
+ "Objetive_Name": "Logging and Monitoring",
+ "Check_Summary": "Ensure CloudTrail is enabled in all regions"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_multi_region_enabled"
+ ]
+ },
+ {
+ "Id": "A.12.6",
+ "Description": "Ensure the default security group of every VPC restricts all traffic",
+ "Name": "Technical Vulnerability Management",
+ "Attributes": [
+ {
+ "Category": "A.12 Operations Security",
+ "Objetive_ID": "A.12.6",
+ "Objetive_Name": "Technical Vulnerability Management",
+ "Check_Summary": "Ensure the default security group of every VPC restricts all traffic"
+ }
+ ],
+ "Checks": [
+ "ec2_securitygroup_default_restrict_traffic"
+ ]
+ },
+ {
+ "Id": "A.12.6",
+ "Description": "Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389",
+ "Name": "Technical Vulnerability Management",
+ "Attributes": [
+ {
+ "Category": "A.12 Operations Security",
+ "Objetive_ID": "A.12.6",
+ "Objetive_Name": "Technical Vulnerability Management",
+ "Check_Summary": "Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389"
+ }
+ ],
+ "Checks": [
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389"
+ ]
+ },
+ {
+ "Id": "A.12.6",
+ "Description": "Ensure no security groups allow ingress from 0.0.0.0/0 to port 22",
+ "Name": "Technical Vulnerability Management",
+ "Attributes": [
+ {
+ "Category": "A.12 Operations Security",
+ "Objetive_ID": "A.12.6",
+ "Objetive_Name": "Technical Vulnerability Management",
+ "Check_Summary": "Ensure no security groups allow ingress from 0.0.0.0/0 to port 22"
+ }
+ ],
+ "Checks": [
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22"
+ ]
+ },
+ {
+ "Id": "A.12.6",
+ "Description": "Check for publicly shared AMIs",
+ "Name": "Technical Vulnerability Management",
+ "Attributes": [
+ {
+ "Category": "A.12 Operations Security",
+ "Objetive_ID": "A.12.6",
+ "Objetive_Name": "Technical Vulnerability Management",
+ "Check_Summary": "Check for publicly shared AMIs"
+ }
+ ],
+ "Checks": [
+ "ec2_ami_public"
+ ]
+ },
+ {
+ "Id": "A.12.6",
+ "Description": "Ensure EBS snapshots are not publicly accessible",
+ "Name": "Technical Vulnerability Management",
+ "Attributes": [
+ {
+ "Category": "A.12 Operations Security",
+ "Objetive_ID": "A.12.6",
+ "Objetive_Name": "Technical Vulnerability Management",
+ "Check_Summary": "Ensure EBS snapshots are not publicly accessible"
+ }
+ ],
+ "Checks": [
+ "ec2_ebs_public_snapshot"
+ ]
+ },
+ {
+ "Id": "A.12.6",
+ "Description": "Ensure SNS topics do not allow global send or subscribe",
+ "Name": "Technical Vulnerability Management",
+ "Attributes": [
+ {
+ "Category": "A.12 Operations Security",
+ "Objetive_ID": "A.12.6",
+ "Objetive_Name": "Technical Vulnerability Management",
+ "Check_Summary": "Ensure SNS topics do not allow global send or subscribe"
+ }
+ ],
+ "Checks": [
+ "sns_topics_not_publicly_accessible"
+ ]
+ },
+ {
+ "Id": "A.12.6",
+ "Description": "Ensure Redshift clusters do not have a public endpoint",
+ "Name": "Technical Vulnerability Management",
+ "Attributes": [
+ {
+ "Category": "A.12 Operations Security",
+ "Objetive_ID": "A.12.6",
+ "Objetive_Name": "Technical Vulnerability Management",
+ "Check_Summary": "Ensure Redshift clusters do not have a public endpoint"
+ }
+ ],
+ "Checks": [
+ "redshift_cluster_public_access"
+ ]
+ },
+ {
+ "Id": "A.12.6",
+ "Description": "Ensure RDS snapshots are not publicly accessible",
+ "Name": "Technical Vulnerability Management",
+ "Attributes": [
+ {
+ "Category": "A.12 Operations Security",
+ "Objetive_ID": "A.12.6",
+ "Objetive_Name": "Technical Vulnerability Management",
+ "Check_Summary": "Ensure RDS snapshots are not publicly accessible"
+ }
+ ],
+ "Checks": [
+ "rds_snapshots_public_access"
+ ]
+ },
+ {
+ "Id": "A.12.6",
+ "Description": "Ensure RDS instances are not accessible to the world.",
+ "Name": "Technical Vulnerability Management",
+ "Attributes": [
+ {
+ "Category": "A.12 Operations Security",
+ "Objetive_ID": "A.12.6",
+ "Objetive_Name": "Technical Vulnerability Management",
+ "Check_Summary": "Ensure RDS instances are not accessible to the world."
+ }
+ ],
+ "Checks": [
+ "rds_instance_no_public_access"
+ ]
+ },
+ {
+ "Id": "A.12.6",
+ "Description": "Ensure the S3 bucket CloudTrail logs to is not publicly accessible",
+ "Name": "Technical Vulnerability Management",
+ "Attributes": [
+ {
+ "Category": "A.12 Operations Security",
+ "Objetive_ID": "A.12.6",
+ "Objetive_Name": "Technical Vulnerability Management",
+ "Check_Summary": "Ensure the S3 bucket CloudTrail logs to is not publicly accessible"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_logs_s3_bucket_is_not_publicly_accessible"
+ ]
+ },
+ {
+ "Id": "A.13.1",
+ "Description": "Ensure the default security group of every VPC restricts all traffic",
+ "Name": "Network Security Management",
+ "Attributes": [
+ {
+ "Category": "A.13 Communications Security",
+ "Objetive_ID": "A.13.1",
+ "Objetive_Name": "Network Security Management",
+ "Check_Summary": "Ensure the default security group of every VPC restricts all traffic"
+ }
+ ],
+ "Checks": [
+ "ec2_securitygroup_default_restrict_traffic"
+ ]
+ },
+ {
+ "Id": "A.13.1",
+ "Description": "Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389",
+ "Name": "Network Security Management",
+ "Attributes": [
+ {
+ "Category": "A.13 Communications Security",
+ "Objetive_ID": "A.13.1",
+ "Objetive_Name": "Network Security Management",
+ "Check_Summary": "Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389"
+ }
+ ],
+ "Checks": [
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389"
+ ]
+ },
+ {
+ "Id": "A.13.1",
+ "Description": "Ensure no security groups allow ingress from 0.0.0.0/0 to port 22",
+ "Name": "Network Security Management",
+ "Attributes": [
+ {
+ "Category": "A.13 Communications Security",
+ "Objetive_ID": "A.13.1",
+ "Objetive_Name": "Network Security Management",
+ "Check_Summary": "Ensure no security groups allow ingress from 0.0.0.0/0 to port 22"
+ }
+ ],
+ "Checks": [
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22"
+ ]
+ },
+ {
+ "Id": "A.13.1",
+ "Description": "Ensure EBS snapshots are not publicly accessible",
+ "Name": "Network Security Management",
+ "Attributes": [
+ {
+ "Category": "A.13 Communications Security",
+ "Objetive_ID": "A.13.1",
+ "Objetive_Name": "Network Security Management",
+ "Check_Summary": "Ensure EBS snapshots are not publicly accessible"
+ }
+ ],
+ "Checks": [
+ "ec2_ebs_public_snapshot"
+ ]
+ },
+ {
+ "Id": "A.13.1",
+ "Description": "Ensure SNS topics do not allow global send or subscribe",
+ "Name": "Network Security Management",
+ "Attributes": [
+ {
+ "Category": "A.13 Communications Security",
+ "Objetive_ID": "A.13.1",
+ "Objetive_Name": "Network Security Management",
+ "Check_Summary": "Ensure SNS topics do not allow global send or subscribe"
+ }
+ ],
+ "Checks": [
+ "sns_topics_not_publicly_accessible"
+ ]
+ },
+ {
+ "Id": "A.13.1",
+ "Description": "Ensure Redshift clusters do not have a public endpoint",
+ "Name": "Network Security Management",
+ "Attributes": [
+ {
+ "Category": "A.13 Communications Security",
+ "Objetive_ID": "A.13.1",
+ "Objetive_Name": "Network Security Management",
+ "Check_Summary": "Ensure Redshift clusters do not have a public endpoint"
+ }
+ ],
+ "Checks": [
+ "redshift_cluster_public_access"
+ ]
+ },
+ {
+ "Id": "A.13.1",
+ "Description": "Ensure RDS snapshots are not publicly accessible",
+ "Name": "Network Security Management",
+ "Attributes": [
+ {
+ "Category": "A.13 Communications Security",
+ "Objetive_ID": "A.13.1",
+ "Objetive_Name": "Network Security Management",
+ "Check_Summary": "Ensure RDS snapshots are not publicly accessible"
+ }
+ ],
+ "Checks": [
+ "rds_snapshots_public_access"
+ ]
+ },
+ {
+ "Id": "A.13.1",
+ "Description": "Ensure RDS instances are not accessible to the world.",
+ "Name": "Network Security Management",
+ "Attributes": [
+ {
+ "Category": "A.13 Communications Security",
+ "Objetive_ID": "A.13.1",
+ "Objetive_Name": "Network Security Management",
+ "Check_Summary": "Ensure RDS instances are not accessible to the world."
+ }
+ ],
+ "Checks": [
+ "rds_instance_no_public_access"
+ ]
+ },
+ {
+ "Id": "A.9.2",
+ "Description": "Ensure IAM password policy expires passwords within 90 days or less",
+ "Name": "User Access Management",
+ "Attributes": [
+ {
+ "Category": "A.9 Access Control",
+ "Objetive_ID": "A.9.2",
+ "Objetive_Name": "User Access Management",
+ "Check_Summary": "Ensure IAM password policy expires passwords within 90 days or less"
+ }
+ ],
+ "Checks": [
+ "iam_password_policy_expires_passwords_within_90_days_or_less"
+ ]
+ },
+ {
+ "Id": "A.9.2",
+ "Description": "Ensure IAM password policy prevents password reuse",
+ "Name": "User Access Management",
+ "Attributes": [
+ {
+ "Category": "A.9 Access Control",
+ "Objetive_ID": "A.9.2",
+ "Objetive_Name": "User Access Management",
+ "Check_Summary": "Ensure IAM password policy prevents password reuse"
+ }
+ ],
+ "Checks": [
+ "iam_password_policy_reuse_24"
+ ]
+ },
+ {
+ "Id": "A.9.2",
+ "Description": "Ensure IAM password policy requires minimum length of 14 or greater",
+ "Name": "User Access Management",
+ "Attributes": [
+ {
+ "Category": "A.9 Access Control",
+ "Objetive_ID": "A.9.2",
+ "Objetive_Name": "User Access Management",
+ "Check_Summary": "Ensure IAM password policy requires minimum length of 14 or greater"
+ }
+ ],
+ "Checks": [
+ "iam_password_policy_minimum_length_14"
+ ]
+ },
+ {
+ "Id": "A.9.2",
+ "Description": "Ensure IAM password policy require at least one number",
+ "Name": "User Access Management",
+ "Attributes": [
+ {
+ "Category": "A.9 Access Control",
+ "Objetive_ID": "A.9.2",
+ "Objetive_Name": "User Access Management",
+ "Check_Summary": "Ensure IAM password policy require at least one number"
+ }
+ ],
+ "Checks": [
+ "iam_password_policy_number"
+ ]
+ },
+ {
+ "Id": "A.9.2",
+ "Description": "Ensure IAM password policy require at least one symbol",
+ "Name": "User Access Management",
+ "Attributes": [
+ {
+ "Category": "A.9 Access Control",
+ "Objetive_ID": "A.9.2",
+ "Objetive_Name": "User Access Management",
+ "Check_Summary": "Ensure IAM password policy require at least one symbol"
+ }
+ ],
+ "Checks": [
+ "iam_password_policy_symbol"
+ ]
+ },
+ {
+ "Id": "A.9.2",
+ "Description": "Ensure IAM password policy require at least one lowercase letter",
+ "Name": "User Access Management",
+ "Attributes": [
+ {
+ "Category": "A.9 Access Control",
+ "Objetive_ID": "A.9.2",
+ "Objetive_Name": "User Access Management",
+ "Check_Summary": "Ensure IAM password policy require at least one lowercase letter"
+ }
+ ],
+ "Checks": [
+ "iam_password_policy_lowercase"
+ ]
+ },
+ {
+ "Id": "A.9.2",
+ "Description": "Ensure IAM password policy requires at least one uppercase letter",
+ "Name": "User Access Management",
+ "Attributes": [
+ {
+ "Category": "A.9 Access Control",
+ "Objetive_ID": "A.9.2",
+ "Objetive_Name": "User Access Management",
+ "Check_Summary": "Ensure IAM password policy requires at least one uppercase letter"
+ }
+ ],
+ "Checks": [
+ "iam_password_policy_uppercase"
+ ]
+ },
+ {
+ "Id": "A.9.2",
+ "Description": "Avoid the use of the 'root' account",
+ "Name": "User Access Management",
+ "Attributes": [
+ {
+ "Category": "A.9 Access Control",
+ "Objetive_ID": "A.9.2",
+ "Objetive_Name": "User Access Management",
+ "Check_Summary": "Avoid the use of the 'root' account"
+ }
+ ],
+ "Checks": [
+ "iam_avoid_root_usage"
+ ]
+ },
+ {
+ "Id": "A.9.2",
+ "Description": "Ensure IAM policies are attached only to groups or roles",
+ "Name": "User Access Management",
+ "Attributes": [
+ {
+ "Category": "A.9 Access Control",
+ "Objetive_ID": "A.9.2",
+ "Objetive_Name": "User Access Management",
+ "Check_Summary": "Ensure IAM policies are attached only to groups or roles"
+ }
+ ],
+ "Checks": [
+ "iam_policy_attached_only_to_group_or_roles"
+ ]
+ },
+ {
+ "Id": "A.9.2",
+ "Description": "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have console access",
+ "Name": "User Access Management",
+ "Attributes": [
+ {
+ "Category": "A.9 Access Control",
+ "Objetive_ID": "A.9.2",
+ "Objetive_Name": "User Access Management",
+ "Check_Summary": "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have console access"
+ }
+ ],
+ "Checks": [
+ "iam_user_mfa_enabled_console_access"
+ ]
+ },
+ {
+ "Id": "A.9.2",
+ "Description": "Ensure MFA is enabled for the 'root' account",
+ "Name": "User Access Management",
+ "Attributes": [
+ {
+ "Category": "A.9 Access Control",
+ "Objetive_ID": "A.9.2",
+ "Objetive_Name": "User Access Management",
+ "Check_Summary": "Ensure MFA is enabled for the 'root' account"
+ }
+ ],
+ "Checks": [
+ "iam_root_mfa_enabled"
+ ]
+ },
+ {
+ "Id": "A.9.2",
+ "Description": "Ensure access keys are rotated every 90 days or less",
+ "Name": "User Access Management",
+ "Attributes": [
+ {
+ "Category": "A.9 Access Control",
+ "Objetive_ID": "A.9.2",
+ "Objetive_Name": "User Access Management",
+ "Check_Summary": "Ensure access keys are rotated every 90 days or less"
+ }
+ ],
+ "Checks": [
+ "iam_rotate_access_key_90_days"
+ ]
+ },
+ {
+ "Id": "A.9.2",
+ "Description": "Ensure credentials unused for 90 days or greater are disabled",
+ "Name": "User Access Management",
+ "Attributes": [
+ {
+ "Category": "A.9 Access Control",
+ "Objetive_ID": "A.9.2",
+ "Objetive_Name": "User Access Management",
+ "Check_Summary": "Ensure credentials unused for 90 days or greater are disabled"
+ }
+ ],
+ "Checks": [
+ "iam_disable_90_days_credentials"
+ ]
+ },
+ {
+ "Id": "A.9.2",
+ "Description": "Ensure no root account access key exists",
+ "Name": "User Access Management",
+ "Attributes": [
+ {
+ "Category": "A.9 Access Control",
+ "Objetive_ID": "A.9.2",
+ "Objetive_Name": "User Access Management",
+ "Check_Summary": "Ensure no root account access key exists"
+ }
+ ],
+ "Checks": [
+ "iam_no_root_access_key"
+ ]
+ },
+ {
+ "Id": "A.9.3",
+ "Description": "Ensure IAM password policy expires passwords within 90 days or less",
+ "Name": "User Responsibilities",
+ "Attributes": [
+ {
+ "Category": "A.9 Access Control",
+ "Objetive_ID": "A.9.3",
+ "Objetive_Name": "User Responsibilities",
+ "Check_Summary": "Ensure IAM password policy expires passwords within 90 days or less"
+ }
+ ],
+ "Checks": [
+ "iam_password_policy_expires_passwords_within_90_days_or_less"
+ ]
+ },
+ {
+ "Id": "A.9.3",
+ "Description": "Ensure IAM password policy prevents password reuse",
+ "Name": "User Responsibilities",
+ "Attributes": [
+ {
+ "Category": "A.9 Access Control",
+ "Objetive_ID": "A.9.3",
+ "Objetive_Name": "User Responsibilities",
+ "Check_Summary": "Ensure IAM password policy prevents password reuse"
+ }
+ ],
+ "Checks": [
+ "iam_password_policy_reuse_24"
+ ]
+ },
+ {
+ "Id": "A.9.3",
+ "Description": "Ensure IAM password policy requires minimum length of 14 or greater",
+ "Name": "User Responsibilities",
+ "Attributes": [
+ {
+ "Category": "A.9 Access Control",
+ "Objetive_ID": "A.9.3",
+ "Objetive_Name": "User Responsibilities",
+ "Check_Summary": "Ensure IAM password policy requires minimum length of 14 or greater"
+ }
+ ],
+ "Checks": [
+ "iam_password_policy_minimum_length_14"
+ ]
+ },
+ {
+ "Id": "A.9.3",
+ "Description": "Ensure IAM password policy require at least one number",
+ "Name": "User Responsibilities",
+ "Attributes": [
+ {
+ "Category": "A.9 Access Control",
+ "Objetive_ID": "A.9.3",
+ "Objetive_Name": "User Responsibilities",
+ "Check_Summary": "Ensure IAM password policy require at least one number"
+ }
+ ],
+ "Checks": [
+ "iam_password_policy_number"
+ ]
+ },
+ {
+ "Id": "A.9.3",
+ "Description": "Ensure IAM password policy require at least one symbol",
+ "Name": "User Responsibilities",
+ "Attributes": [
+ {
+ "Category": "A.9 Access Control",
+ "Objetive_ID": "A.9.3",
+ "Objetive_Name": "User Responsibilities",
+ "Check_Summary": "Ensure IAM password policy require at least one symbol"
+ }
+ ],
+ "Checks": [
+ "iam_password_policy_symbol"
+ ]
+ },
+ {
+ "Id": "A.9.3",
+ "Description": "Ensure IAM password policy require at least one lowercase letter",
+ "Name": "User Responsibilities",
+ "Attributes": [
+ {
+ "Category": "A.9 Access Control",
+ "Objetive_ID": "A.9.3",
+ "Objetive_Name": "User Responsibilities",
+ "Check_Summary": "Ensure IAM password policy require at least one lowercase letter"
+ }
+ ],
+ "Checks": [
+ "iam_password_policy_lowercase"
+ ]
+ },
+ {
+ "Id": "A.9.3",
+ "Description": "Ensure IAM password policy requires at least one uppercase letter",
+ "Name": "User Responsibilities",
+ "Attributes": [
+ {
+ "Category": "A.9 Access Control",
+ "Objetive_ID": "A.9.3",
+ "Objetive_Name": "User Responsibilities",
+ "Check_Summary": "Ensure IAM password policy requires at least one uppercase letter"
+ }
+ ],
+ "Checks": [
+ "iam_password_policy_uppercase"
+ ]
+ },
+ {
+ "Id": "A.9.3",
+ "Description": "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have console access",
+ "Name": "User Responsibilities",
+ "Attributes": [
+ {
+ "Category": "A.9 Access Control",
+ "Objetive_ID": "A.9.3",
+ "Objetive_Name": "User Responsibilities",
+ "Check_Summary": "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have console access"
+ }
+ ],
+ "Checks": [
+ "iam_user_mfa_enabled_console_access"
+ ]
+ },
+ {
+ "Id": "A.9.3",
+ "Description": "Ensure access keys are rotated every 90 days or less",
+ "Name": "User Responsibilities",
+ "Attributes": [
+ {
+ "Category": "A.9 Access Control",
+ "Objetive_ID": "A.9.3",
+ "Objetive_Name": "User Responsibilities",
+ "Check_Summary": "Ensure access keys are rotated every 90 days or less"
+ }
+ ],
+ "Checks": [
+ "iam_rotate_access_key_90_days"
+ ]
+ },
+ {
+ "Id": "A.9.3",
+ "Description": "Ensure credentials unused for 90 days or greater are disabled",
+ "Name": "User Responsibilities",
+ "Attributes": [
+ {
+ "Category": "A.9 Access Control",
+ "Objetive_ID": "A.9.3",
+ "Objetive_Name": "User Responsibilities",
+ "Check_Summary": "Ensure credentials unused for 90 days or greater are disabled"
+ }
+ ],
+ "Checks": [
+ "iam_disable_90_days_credentials"
+ ]
+ },
+ {
+ "Id": "A.9.4",
+ "Description": "Ensure IAM password policy expires passwords within 90 days or less",
+ "Name": "System and Application Access Control",
+ "Attributes": [
+ {
+ "Category": "A.9 Access Control",
+ "Objetive_ID": "A.9.4",
+ "Objetive_Name": "System and Application Access Control",
+ "Check_Summary": "Ensure IAM password policy expires passwords within 90 days or less"
+ }
+ ],
+ "Checks": [
+ "iam_password_policy_expires_passwords_within_90_days_or_less"
+ ]
+ },
+ {
+ "Id": "A.9.4",
+ "Description": "Ensure IAM password policy prevents password reuse",
+ "Name": "System and Application Access Control",
+ "Attributes": [
+ {
+ "Category": "A.9 Access Control",
+ "Objetive_ID": "A.9.4",
+ "Objetive_Name": "System and Application Access Control",
+ "Check_Summary": "Ensure IAM password policy prevents password reuse"
+ }
+ ],
+ "Checks": [
+ "iam_password_policy_reuse_24"
+ ]
+ },
+ {
+ "Id": "A.9.4",
+ "Description": "Ensure IAM password policy requires minimum length of 14 or greater",
+ "Name": "System and Application Access Control",
+ "Attributes": [
+ {
+ "Category": "A.9 Access Control",
+ "Objetive_ID": "A.9.4",
+ "Objetive_Name": "System and Application Access Control",
+ "Check_Summary": "Ensure IAM password policy requires minimum length of 14 or greater"
+ }
+ ],
+ "Checks": [
+ "iam_password_policy_minimum_length_14"
+ ]
+ },
+ {
+ "Id": "A.9.4",
+ "Description": "Ensure IAM password policy require at least one number",
+ "Name": "System and Application Access Control",
+ "Attributes": [
+ {
+ "Category": "A.9 Access Control",
+ "Objetive_ID": "A.9.4",
+ "Objetive_Name": "System and Application Access Control",
+ "Check_Summary": "Ensure IAM password policy require at least one number"
+ }
+ ],
+ "Checks": [
+ "iam_password_policy_number"
+ ]
+ },
+ {
+ "Id": "A.9.4",
+ "Description": "Ensure IAM password policy require at least one symbol",
+ "Name": "System and Application Access Control",
+ "Attributes": [
+ {
+ "Category": "A.9 Access Control",
+ "Objetive_ID": "A.9.4",
+ "Objetive_Name": "System and Application Access Control",
+ "Check_Summary": "Ensure IAM password policy require at least one symbol"
+ }
+ ],
+ "Checks": [
+ "iam_password_policy_symbol"
+ ]
+ },
+ {
+ "Id": "A.9.4",
+ "Description": "Ensure IAM password policy require at least one lowercase letter",
+ "Name": "System and Application Access Control",
+ "Attributes": [
+ {
+ "Category": "A.9 Access Control",
+ "Objetive_ID": "A.9.4",
+ "Objetive_Name": "System and Application Access Control",
+ "Check_Summary": "Ensure IAM password policy require at least one lowercase letter"
+ }
+ ],
+ "Checks": [
+ "iam_password_policy_lowercase"
+ ]
+ },
+ {
+ "Id": "A.9.4",
+ "Description": "Ensure IAM password policy requires at least one uppercase letter",
+ "Name": "System and Application Access Control",
+ "Attributes": [
+ {
+ "Category": "A.9 Access Control",
+ "Objetive_ID": "A.9.4",
+ "Objetive_Name": "System and Application Access Control",
+ "Check_Summary": "Ensure IAM password policy requires at least one uppercase letter"
+ }
+ ],
+ "Checks": [
+ "iam_password_policy_uppercase"
+ ]
+ },
+ {
+ "Id": "A.9.4",
+ "Description": "Avoid the use of the 'root' account",
+ "Name": "System and Application Access Control",
+ "Attributes": [
+ {
+ "Category": "A.9 Access Control",
+ "Objetive_ID": "A.9.4",
+ "Objetive_Name": "System and Application Access Control",
+ "Check_Summary": "Avoid the use of the 'root' account"
+ }
+ ],
+ "Checks": [
+ "iam_avoid_root_usage"
+ ]
+ },
+ {
+ "Id": "A.9.4",
+ "Description": "Ensure IAM policies are attached only to groups or roles",
+ "Name": "System and Application Access Control",
+ "Attributes": [
+ {
+ "Category": "A.9 Access Control",
+ "Objetive_ID": "A.9.4",
+ "Objetive_Name": "System and Application Access Control",
+ "Check_Summary": "Ensure IAM policies are attached only to groups or roles"
+
} + ], + "Checks": [ + "iam_policy_attached_only_to_group_or_roles" + ] + }, + { + "Id": "A.9.4", + "Description": "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have console access", + "Name": "System and Application Access Control", + "Attributes": [ + { + "Category": "A.9 Access Control", + "Objetive_ID": "A.9.4", + "Objetive_Name": "System and Application Access Control", + "Check_Summary": "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have console access" + } + ], + "Checks": [ + "iam_user_mfa_enabled_console_access" + ] + }, + { + "Id": "A.9.4", + "Description": "Ensure MFA is enabled for the 'root' account", + "Name": "System and Application Access Control", + "Attributes": [ + { + "Category": "A.9 Access Control", + "Objetive_ID": "A.9.4", + "Objetive_Name": "System and Application Access Control", + "Check_Summary": "Ensure MFA is enabled for the 'root' account" + } + ], + "Checks": [ + "iam_root_mfa_enabled" + ] + }, + { + "Id": "A.9.4", + "Description": "Ensure access keys are rotated every 90 days or less", + "Name": "System and Application Access Control", + "Attributes": [ + { + "Category": "A.9 Access Control", + "Objetive_ID": "A.9.4", + "Objetive_Name": "System and Application Access Control", + "Check_Summary": "Ensure access keys are rotated every 90 days or less" + } + ], + "Checks": [ + "iam_rotate_access_key_90_days" + ] + }, + { + "Id": "A.9.4", + "Description": "Ensure credentials unused for 90 days or greater are disabled", + "Name": "System and Application Access Control", + "Attributes": [ + { + "Category": "A.9 Access Control", + "Objetive_ID": "A.9.4", + "Objetive_Name": "System and Application Access Control", + "Check_Summary": "Ensure credentials unused for 90 days or greater are disabled" + } + ], + "Checks": [ + "iam_disable_90_days_credentials" + ] + }, + { + "Id": "A.9.4", + "Description": "Ensure no root account access key exists", + "Name": "System and Application 
Access Control",
+ "Attributes": [
+ {
+ "Category": "A.9 Access Control",
+ "Objetive_ID": "A.9.4",
+ "Objetive_Name": "System and Application Access Control",
+ "Check_Summary": "Ensure no root account access key exists"
+ }
+ ],
+ "Checks": [
+ "iam_no_root_access_key"
+ ]
+ }
+ ]
+}
diff --git a/prowler/lib/check/compliance_models.py b/prowler/lib/check/compliance_models.py
index 7836482d..a79bff56 100644
--- a/prowler/lib/check/compliance_models.py
+++ b/prowler/lib/check/compliance_models.py
@@ -105,6 +105,16 @@ class AWS_Well_Architected_Requirements(BaseModel):
 ImplementationGuidanceUrl: str
+# ISO27001 Requirements
+class ISO27001_Requirements(BaseModel):
+ """ISO27001 Requirements"""
+
+ Category: str
+ Objetive_ID: str
+ Objetive_Name: str
+ Check_Summary: str
+
+
 # Base Compliance Model
 class Compliance_Requirement(BaseModel):
 """Compliance_Requirement holds the base model for every requirement within a compliance framework"""
@@ -117,6 +127,7 @@ class Compliance_Requirement(BaseModel):
 CIS_Requirements,
 ENS_Requirements,
 Generic_Compliance_Requirements,
+ ISO27001_Requirements,
 AWS_Well_Architected_Requirements,
 ]
 ]
diff --git a/prowler/lib/cli/parser.py b/prowler/lib/cli/parser.py
index e521f4a7..7c311991 100644
--- a/prowler/lib/cli/parser.py
+++ b/prowler/lib/cli/parser.py
@@ -258,7 +258,7 @@ Detailed documentation at https://docs.prowler.cloud
 list_group.add_argument(
 "--list-compliance-requirements",
 nargs="+",
- help="List compliance requirements for a given requirement",
+ help="List compliance requirements for a given compliance framework",
 choices=available_compliance_frameworks,
 )
 list_group.add_argument(
diff --git a/prowler/lib/outputs/compliance.py b/prowler/lib/outputs/compliance.py
index 05e3f67e..a2546876 100644
--- a/prowler/lib/outputs/compliance.py
+++ b/prowler/lib/outputs/compliance.py
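Review bot: `Objetive_ID` and `Objetive_Name` in `ISO27001_Requirements` misspell "Objective", and because the same keys are used in iso27001_aws.json and become CSV column names (`Requirements_Attributes_Objetive_ID` in prowler/lib/outputs/models.py), the typo is baked into an output schema that will be awkward to rename once consumers parse it. If the spelling is kept on purpose, the docstring should say so; the bare `"""ISO27001 Requirements"""` could instead read `"""Attributes of one ISO 27001 Annex A control as listed in prowler/compliance/aws/iso27001_aws.json; field names must match the JSON keys and the Requirements_Attributes_* columns of Check_Output_CSV_AWS_ISO27001."""`.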
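Review bot: `ISO27001_Requirements` is appended to the requirement-attribute Union after `Generic_Compliance_Requirements`, and pydantic v1 resolves a Union left to right, keeping the first member that validates; if `Generic_Compliance_Requirements` (defined outside this hunk) accepts a dict holding only `Category`, `Objetive_ID`, `Objetive_Name` and `Check_Summary` — for instance because its fields are optional — the ISO attributes would be coerced to the generic model and the ISO-specific fields lost before `fill_compliance` reads them. A small test that loads iso27001_aws.json and asserts the parsed attributes are `ISO27001_Requirements` would pin this, or the new member could be placed before the generic one. The enclosing `Compliance_Requirement` class starts outside the hunk.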
@@ -8,6 +8,7 @@ from prowler.config.config import orange_color, timestamp
 from prowler.lib.check.models import Check_Report
 from prowler.lib.logger import logger
 from prowler.lib.outputs.models import (
+ Check_Output_CSV_AWS_ISO27001,
 Check_Output_CSV_AWS_Well_Architected,
 Check_Output_CSV_CIS,
 Check_Output_CSV_ENS_RD2022,
@@ -159,6 +160,40 @@ def fill_compliance(output_options, finding, audit_info, file_descriptors):
 csv_header = generate_csv_fields(Check_Output_CSV_AWS_Well_Architected)
+ elif compliance.Framework == "ISO27001" and compliance.Provider == "AWS":
+ compliance_output = compliance.Framework
+ if compliance.Version != "":
+ compliance_output += "_" + compliance.Version
+ if compliance.Provider != "":
+ compliance_output += "_" + compliance.Provider
+
+ compliance_output = compliance_output.lower().replace("-", "_")
+ if compliance_output in output_options.output_modes:
+ for requirement in compliance.Requirements:
+ requirement_description = requirement.Description
+ requirement_id = requirement.Id + requirement.Name
+ for attribute in requirement.Attributes:
+ compliance_row = Check_Output_CSV_AWS_ISO27001(
+ Provider=finding.check_metadata.Provider,
+ Description=compliance.Description,
+ AccountId=audit_info.audited_account,
+ Region=finding.region,
+ AssessmentDate=timestamp.isoformat(),
+ Requirements_Id=requirement_id,
+ Requirements_Description=requirement_description,
+ Requirements_Attributes_Category=attribute.Category,
+ Requirements_Attributes_Objetive_ID=attribute.Objetive_ID,
+ Requirements_Attributes_Objetive_Name=attribute.Objetive_Name,
+ Requirements_Attributes_Check_Summary=attribute.Check_Summary,
+ Status=finding.status,
+ StatusExtended=finding.status_extended,
+ ResourceId=finding.resource_id,
+ CheckId=finding.check_metadata.CheckID,
+ )
+
+ csv_header = generate_csv_fields(Check_Output_CSV_AWS_ISO27001)
+
 else:
 compliance_output = compliance.Framework
 if compliance.Version != "":
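Review bot: `Check_Output_CSV_AWS_ISO27001(...)` is constructed with `Requirements_Id=requirement_id` and `Requirements_Description=requirement_description`, but the model added to prowler/lib/outputs/models.py in this same patch declares neither field, and `generate_csv_fields(Check_Output_CSV_AWS_ISO27001)` builds the CSV header from that model; with pydantic's default handling of extra keyword arguments both values are silently discarded, so the ISO27001 CSV never carries the requirement id or description. Either add `Requirements_Id: str` and `Requirements_Description: str` to the model (between `AssessmentDate` and `Requirements_Attributes_Category`, matching the kwarg order here) or drop the two kwargs. Separately, `requirement_id = requirement.Id + requirement.Name` joins the two with no separator, which would yield values like `A.9.4System and Application Access Control` once the field exists; a `" - "` or similar between them is what the other columns suggest. The branch also repeats the Framework/Version/Provider-to-output-mode derivation of the branches above it, which is a candidate for one helper computed once before the `if`/`elif` chain. `fill_compliance` starts and ends outside the hunk.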
@@ -191,9 +226,7 @@ def fill_compliance(output_options, finding, audit_info, file_descriptors):
 CheckId=finding.check_metadata.CheckID,
 )
- csv_header = generate_csv_fields(
- Check_Output_CSV_Generic_Compliance
- )
+ csv_header = generate_csv_fields(Check_Output_CSV_Generic_Compliance)
 if compliance_row:
 csv_writer = DictWriter(
diff --git a/prowler/lib/outputs/file_descriptors.py b/prowler/lib/outputs/file_descriptors.py
index fb699802..53be28a5 100644
--- a/prowler/lib/outputs/file_descriptors.py
+++ b/prowler/lib/outputs/file_descriptors.py
@@ -14,6 +14,7 @@ from prowler.lib.outputs.html import add_html_header
 from prowler.lib.outputs.models import (
 Aws_Check_Output_CSV,
 Azure_Check_Output_CSV,
+ Check_Output_CSV_AWS_ISO27001,
 Check_Output_CSV_AWS_Well_Architected,
 Check_Output_CSV_CIS,
 Check_Output_CSV_ENS_RD2022,
@@ -163,6 +164,16 @@ def fill_file_descriptors(output_modes, output_directory, output_filename, audit
 )
 file_descriptors.update({output_mode: file_descriptor})
+ elif output_mode == "iso27001_aws":
+ filename = f"{output_directory}/{output_filename}_iso27001_aws{csv_file_suffix}"
+ file_descriptor = initialize_file_descriptor(
+ filename,
+ output_mode,
+ audit_info,
+ Check_Output_CSV_AWS_ISO27001,
+ )
+ file_descriptors.update({output_mode: file_descriptor})
+
 else:
 # Generic Compliance framework
 filename = f"{output_directory}/{output_filename}_{output_mode}{csv_file_suffix}"
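Review bot: The new `elif output_mode == "iso27001_aws"` branch hard-codes `_iso27001_aws` in the file name even though `output_mode` already holds exactly that string (the branch is only taken when they are equal), and otherwise it differs from the generic `else` branch only by the model passed to `initialize_file_descriptor`. Writing `filename = f"{output_directory}/{output_filename}_{output_mode}{csv_file_suffix}"` as the generic branch does keeps the file name tied to the mode key, and the remaining difference could become a lookup of the output model by mode rather than another `elif`. The literal also has to stay in sync with the `compliance_output` key built in prowler/lib/outputs/compliance.py (Framework, Version and Provider joined by `_` and lowercased), which deserves a comment such as `# must equal the lowercased Framework_Version_Provider key built in compliance.py`. `fill_file_descriptors` starts and ends outside the hunk.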
@@ -588,6 +588,26 @@ class Check_Output_CSV_AWS_Well_Architected(BaseModel):
 CheckId: str
+class Check_Output_CSV_AWS_ISO27001(BaseModel):
+ """
+ Check_Output_CSV_AWS_ISO27001 generates a finding's output in CSV AWS ISO27001 Compliance format.
+ """
+
+ Provider: str
+ Description: str
+ AccountId: str
+ Region: str
+ AssessmentDate: str
+ Requirements_Attributes_Category: str
+ Requirements_Attributes_Objetive_ID: str
+ Requirements_Attributes_Objetive_Name: str
+ Requirements_Attributes_Check_Summary: str
+ Status: str
+ StatusExtended: str
+ ResourceId: str
+ CheckId: str
+
+
 # JSON ASFF Output
 class ProductFields(BaseModel):
 ProviderName: str = "Prowler"