Merge pull request #16 from Alfresco/master

get all changes from main repo
This commit is contained in:
Toni de la Fuente
2018-02-05 21:44:11 -05:00
committed by GitHub
2 changed files with 53 additions and 20 deletions


@@ -24,7 +24,7 @@ It covers hardening and security best practices for all AWS regions related to:
- Logging (8 checks)
- Monitoring (15 checks)
- Networking (5 checks)
- Extras (10 checks) *see Extras section
- Extras (11 checks) *see Extras section
For a comprehesive list and resolution look at the guide on the link above.
@@ -577,8 +577,11 @@ unset ACCOUNT_ID AWS_DEFAULT_PROFILE
The `aws iam create-access-key` command will output the secret access key and the key id; keep these somewhere safe, and add them to ~/.aws/credentials with an appropriate profile name to use them with prowler. This is the only time they secret key will be shown. If you loose it, you will need to generate a replacement.
## Extras
We are adding additional checks to improve the information gather from each account, these checks are out of the scope of the CIS benchmark for AWS but we consider them very helpful to get to know each AWS account set up and find issues on it.
At this moment we have 10 extra checks:
We are adding additional checks to improve the information gather from each account, these checks are out of the scope of the CIS benchmark for AWS but we consider them very helpful to get to know each AWS account set up and find issues on it.
Note: Some of these checks for publicly facing resources may not actually be fully public due to other layered controls like S3 Bucket Policies, Security Groups or Network ACLs.
At this moment we have 11 extra checks:
- 7.1 (`extra71`) Ensure users with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)
- 7.2 (`extra72`) Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark)
@@ -590,6 +593,7 @@ At this moment we have 10 extra checks:
- 7.8 (`extra78`) Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark)
- 7.9 (`extra79`) Check for internet facing Elastic Load Blancers (Not Scored) (Not part of CIS benchmark)
- 7.10 (`extra710`) Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)
- 7.11 (`extra711`) Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)
To check all extras in one command:
```

prowler

@@ -241,7 +241,7 @@ fi
# It checks -p optoin first and use it as profile, if not -p provided then
# check environment variables and if not, it checks and loads credentials from
# instance profile (metadata server) if runs in an EC2 instance
# instance profile (metadata server) if runs in an EC2 instance
if [[ $PROFILE ]]; then
PROFILE_OPT="--profile $PROFILE"
@@ -484,6 +484,8 @@ ID79="7.9,7.09"
TITLE79="Check for internet facing Elastic Load Balancers (Not Scored) (Not part of CIS benchmark)"
ID710="7.10,7.10"
TITLE710="Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)"
ID711="7.11,7.11"
TITLE711="Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)"
printCsvHeader() {
@@ -817,9 +819,9 @@ check114(){
COMMAND113=$($AWSCLI iam get-account-summary $PROFILE_OPT --region $REGION --output json --query 'SummaryMap.AccountMFAEnabled')
textTitle "$ID114" "$TITLE114" "SCORED" "LEVEL1"
if [ "$COMMAND113" == "1" ]; then
COMMAND114=$($AWSCLI iam list-virtual-mfa-devices $PROFILE_OPT --region $REGION --query 'VirtualMFADevices' --output text|grep :root |wc -l)
if [ "$COMMAND114" == "1" ]; then
textOK "Virtual MFA is enabled for root"
COMMAND114=$($AWSCLI iam list-virtual-mfa-devices $PROFILE_OPT --region $REGION --output text --assignment-status Assigned --query 'VirtualMFADevices[*].[SerialNumber]' | grep '^arn:aws:iam::[0-9]\{12\}:mfa/root-account-mfa-device$')
if [[ "$COMMAND114" ]]; then
textWarn "Only Virtual MFA is enabled for root"
else
textOK "Hardware MFA is enabled for root "
fi
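Review bot: The hardware-vs-virtual decision on the new `COMMAND114` line rests on the device's serial name rather than on which principal it is assigned to: it greps SerialNumber for `mfa/root-account-mfa-device` in the `aws` partition, so a virtual device assigned to root under another name, or any root device in an `aws-us-gov`/`aws-cn` account, matches nothing and the check prints `Hardware MFA is enabled for root` — a false pass on the strongest root-account control. The removed lines keyed on the `:root` User ARN; that property is worth keeping by selecting on the assignment instead of the name, e.g. `--query "VirtualMFADevices[?ends_with(User.Arn, ':root')].SerialNumber"` with the trailing `grep` dropped and `if [[ "$COMMAND114" ]]; then` left as is. Whether the console always names the root virtual device `root-account-mfa-device` is not something this hunk establishes, so the name match should at most be a secondary signal, not the only one. check114's body starts before the hunk and continues past it.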
@@ -1760,11 +1762,13 @@ extra78(){
textTitle "$ID78" "$TITLE78" "NOT_SCORED" "EXTRA"
textNotice "Looking for RDS instances in all regions... "
for regx in $REGIONS; do
LIST_OF_RDS_PUBLIC_INSTANCES=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --query 'DBInstances[?PubliclyAccessible==`true`].{id:DBInstanceIdentifier}' --output text)
LIST_OF_RDS_PUBLIC_INSTANCES=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --query 'DBInstances[?PubliclyAccessible==`true`].[DBInstanceIdentifier,Endpoint.Address]' --output text)
if [[ $LIST_OF_RDS_PUBLIC_INSTANCES ]];then
for rds_instance in $(echo $LIST_OF_RDS_PUBLIC_INSTANCES);do
textWarn "$regx: RDS instance $rds_instance is set as Publicly Accessible!" "$regx"
done
while read -r rds_instance;do
RDS_NAME=$(echo $rds_instance | awk '{ print $1; }')
RDS_DNSNAME=$(echo $rds_instance | awk '{ print $2; }')
textWarn "$regx: RDS instance: $RDS_NAME at $RDS_DNSNAME is set as Publicly Accessible!" "$regx"
done <<< "$LIST_OF_RDS_PUBLIC_INSTANCES"
else
textOK "$regx: no Publicly Accessible RDS instances found" "$regx"
fi
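Review bot: The new loop in extra78 spawns two `echo | awk` subshells per row to split a line that `read` can split on its own; `while read -r RDS_NAME RDS_DNSNAME;do` replaces the three lines `while read -r rds_instance;do`, `RDS_NAME=$(echo $rds_instance | awk '{ print $1; }')` and `RDS_DNSNAME=$(echo $rds_instance | awk '{ print $2; }')` with no change in output, since the text output separates the two fields with whitespace and DB identifiers cannot contain it. That also removes the unquoted `echo $rds_instance`, which is only safe here for the same reason. Presumably an instance still being created has no endpoint yet and `--output text` will then render `Endpoint.Address` as `None`, so the warning may read `at None`; a short comment above the query saying that is expected would save the next reader a detour — verify against a freshly created instance. extra78's loop and closing brace continue past the hunk.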
@@ -1776,11 +1780,13 @@ extra79(){
textTitle "$ID79" "$TITLE79" "NOT_SCORED" "EXTRA"
textNotice "Looking for Elastic Load Balancers in all regions... "
for regx in $REGIONS; do
LIST_OF_PUBLIC_ELBS=$($AWSCLI elb describe-load-balancers $PROFILE_OPT --region $regx --query 'LoadBalancerDescriptions[?Scheme == `internet-facing`].LoadBalancerName' --output text)
LIST_OF_PUBLIC_ELBS=$($AWSCLI elb describe-load-balancers $PROFILE_OPT --region $regx --query 'LoadBalancerDescriptions[?Scheme == `internet-facing`].[LoadBalancerName,DNSName]' --output text)
if [[ $LIST_OF_PUBLIC_ELBS ]];then
for elb in $(echo $LIST_OF_PUBLIC_ELBS);do
textWarn "$regx: ELB: $elb is internet-facing!" "$regx"
done
while read -r elb;do
ELB_NAME=$(echo $elb | awk '{ print $1; }')
ELB_DNSNAME=$(echo $elb | awk '{ print $2; }')
textWarn "$regx: ELB: $ELB_NAME at DNS: $ELB_DNSNAME is internet-facing!" "$regx"
done <<< "$LIST_OF_PUBLIC_ELBS"
else
textOK "$regx: no Internet Facing ELBs found" "$regx"
fi
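Review bot: extra79 only queries the classic `elb` API, so internet-facing Application and Network Load Balancers (served by `elbv2 describe-load-balancers`) are never reported even though the title promises all internet-facing Elastic Load Balancers, and an account that has moved to ALB/NLB gets `no Internet Facing ELBs found` for exactly the resources most likely to be public. A second query in the same region loop, merged into the same name/DNS handling, closes the gap; the `Scheme` value is the same in the v2 response but the top-level key is `LoadBalancers` rather than `LoadBalancerDescriptions`. The rewrite below also lets `read` split the two fields instead of the per-row `echo | awk` pair. extra79's loop and closing brace continue past the hunk.
```shell
    LIST_OF_PUBLIC_ELBS=$($AWSCLI elb describe-load-balancers $PROFILE_OPT --region $regx --query 'LoadBalancerDescriptions[?Scheme == `internet-facing`].[LoadBalancerName,DNSName]' --output text)
    # ALB/NLB are only visible through the elbv2 API: same Scheme value, different top-level key
    LIST_OF_PUBLIC_ELBSV2=$($AWSCLI elbv2 describe-load-balancers $PROFILE_OPT --region $regx --query 'LoadBalancers[?Scheme == `internet-facing`].[LoadBalancerName,DNSName]' --output text)
    if [[ $LIST_OF_PUBLIC_ELBS || $LIST_OF_PUBLIC_ELBSV2 ]];then
      while read -r ELB_NAME ELB_DNSNAME;do
        [[ $ELB_NAME ]] || continue   # skip the blank line left by whichever list was empty
        textWarn "$regx: ELB: $ELB_NAME at DNS: $ELB_DNSNAME is internet-facing!" "$regx"
      done <<< "$LIST_OF_PUBLIC_ELBS"$'\n'"$LIST_OF_PUBLIC_ELBSV2"
    else
      textOK "$regx: no Internet Facing ELBs found" "$regx"
    fi
```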
@@ -1792,17 +1798,37 @@ extra710(){
textTitle "$ID710" "$TITLE710" "NOT_SCORED" "EXTRA"
textNotice "Looking for instances in all regions... "
for regx in $REGIONS; do
LIST_OF_PUBLIC_INSTANCES=$($AWSCLI ec2 describe-instances $PROFILE_OPT --region $regx --query 'Reservations[*].Instances[?PublicIpAddress].[InstanceId]' --output text)
LIST_OF_PUBLIC_INSTANCES=$($AWSCLI ec2 describe-instances $PROFILE_OPT --region $regx --query 'Reservations[*].Instances[?PublicIpAddress].[InstanceId,PublicIpAddress]' --output text)
if [[ $LIST_OF_PUBLIC_INSTANCES ]];then
for instance in $(echo $LIST_OF_PUBLIC_INSTANCES);do
textWarn "$regx: Instance: $instance is internet-facing!" "$regx"
done
while read -r instance;do
INSTANCE_ID=$(echo $instance | awk '{ print $1; }')
PUBLIC_IP=$(echo $instance | awk '{ print $2; }')
textWarn "$regx: Instance: $INSTANCE_ID at IP: $PUBLIC_IP is internet-facing!" "$regx"
done <<< "$LIST_OF_PUBLIC_INSTANCES"
else
textOK "$regx: no Internet Facing EC2 Instances found" "$regx"
fi
done
}
extra711(){
# "Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)"
textTitle "$ID711" "$TITLE711" "NOT_SCORED" "EXTRA"
textNotice "Looking for Reshift clusters in all regions... "
for regx in $REGIONS; do
LIST_OF_PUBLIC_REDSHIFT_CLUSTERS=$($AWSCLI redshift describe-clusters $PROFILE_OPT --region $regx --query 'Clusters[?PubliclyAccessible == `true`].[ClusterIdentifier,Endpoint.Address]' --output text)
if [[ $LIST_OF_PUBLIC_REDSHIFT_CLUSTERS ]];then
while read -r cluster;do
CLUSTER_ID=$(echo $cluster | awk '{ print $1; }')
CLUSTER_ENDPOINT=$(echo $cluster | awk '{ print $2; }')
textWarn "$regx: Cluster: $CLUSTER_ID at Endpoint: $CLUSTER_ENDPOINT is publicly accessible!" "$regx"
done <<< "$LIST_OF_PUBLIC_REDSHIFT_CLUSTERS"
else
textOK "$regx: no Publicly Accessible Redshift Clusters found" "$regx"
fi
done
}
callCheck(){
if [[ $CHECKNUMBER ]];then
case "$CHECKNUMBER" in
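Review bot: The progress line in extra711 misspells the service: `textNotice "Looking for Reshift clusters in all regions... "` should read `Redshift`, and because it is a runtime string the typo lands verbatim in every report and in anything that greps the output. The three-line split of `$cluster` through `echo | awk` can become `while read -r CLUSTER_ID CLUSTER_ENDPOINT;do`, mirroring the pattern the other extras could use. A one-line comment above the query, e.g. `# PubliclyAccessible only says the endpoint is reachable by address; see the README note on layered controls (SGs, NACLs)`, would carry the README's caveat into the code next to the check it qualifies. A region where the `redshift describe-clusters` call fails leaves the list empty and is printed as `no Publicly Accessible Redshift Clusters found`, so an API error reads like a pass — hedged, since the hunk does not show how `$AWSCLI` failures are handled elsewhere. extra710 starts before the hunk and callCheck continues past it.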
@@ -1868,6 +1894,7 @@ callCheck(){
extra78|extra708 ) extra78;;
extra79|extra709 ) extra79;;
extra710|extra710 ) extra710;;
extra711|extra711 ) extra711;;
## Groups of Checks
check1 )
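Review bot: The new case arm `extra711|extra711 ) extra711;;` lists the same pattern twice, so the second alternative is dead. The sibling arms pair a name with its zero-padded alias (`extra78|extra708`), which has no counterpart for two-digit numbers, so `extra711 ) extra711;;` says the same thing without the copy-paste residue (the `extra710|extra710` arm directly above has the same shape and could be fixed in the same commit). callCheck's case statement starts before this hunk and continues past it.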
@@ -1904,7 +1931,7 @@ callCheck(){
;;
extras )
extra71;extra72;extra73;extra74;extra75;extra76;extra77;extra78;
extra79;extra710
extra79;extra710;extra711
;;
* )
textWarn "ERROR! Use a valid check name (i.e. check41 or extra71)\n";
@@ -1985,6 +2012,7 @@ if [[ $PRINTCHECKSONLY == "1" ]]; then
textTitle "$ID78" "$TITLE78" "NOT_SCORED" "EXTRA"
textTitle "$ID79" "$TITLE79" "NOT_SCORED" "EXTRA"
textTitle "$ID710" "$TITLE710" "NOT_SCORED" "EXTRA"
textTitle "$ID711" "$TITLE711" "NOT_SCORED" "EXTRA"
exit $EXITCODE
fi
@@ -2071,6 +2099,7 @@ extra77
extra78
extra79
extra710
extra711
cleanTemp
exit $EXITCODE