* Extra7161 EFS encryption at rest check
* Added check_extra7162 which checks if Log groups have 365 days retention
* fixed code to handle all regions and formatted output
* changed check title, resource type and service name as well as making the code more dynamic
* Extra7161 EFS encryption at rest check
* New check_extra7163 Secrets Manager key rotation enabled
* New check7160 Enabled AutomaticVersionUpgrade on RedShift Cluster
* Update ProwlerRole.yaml to have same permissions as util/org-multi-account/ProwlerRole.yaml
* Fix link to quicksight dashboard
* Install detect-secrets (e.g. for check_extra742)
* Updating check_extra7163 with requested changes
* fix(assumed-role): Check if -T and -A options are set
* docs(Readme): `-T` option is not mandatory
* fix(assume-role): Handle AWS STS CLI errors
* fix(assume-role): Handle AWS STS CLI errors
* Update group25_FTR
When trying to run the group 25 (Amazon FTR related security checks) nothing happens, after looking at the code there is a misconfiguration in 2 params: GROUP_RUN_BY_DEFAULT[9] and GROUP_CHECKS[9]. Updating values to 25 fixed the issue.
* Update README.md
broken link for capital letters in group file (group25_FTR)
* #938 issue assume_role multiple times should be fixed
* Label 2.7.0-1December2021 for tests
* Fixed error that appeared if the number of findings was very high.
* Adjusted the batch to only do 50 at a time. 100 caused capacity issues. Also added a check for an edge case where if the updated findings was a multiple of the batch size, it would throw an error for attempting to import 0 findings.
* Added line to delete the temp folder after everything is done.
* New check 7164 Check if Cloudwatch log groups are protected by AWS KMS@maisenhe
* updated CHECK_RISK
* Added checks extra7160,extra7161,extra7162,extra7163 to group Extras
* Added checks extra7160,extra7161,extra7162,extra7163 to group Extras
* Added issue templates
* New check 7165 DynamoDB: DAX encrypted at rest @Daniel-Peladeau
* New check 7165 DynamoDB: DAX encrypted at rest @Daniel-Peladeau
* Fix#963 check 792 to force json in ELB queries
* Fix#957 check 763 had us-east-1 region hardcoded
* Fix#962 check 7147 ALTERNATE NAME
* Fix#940 handling error when can not list functions
* Added new checks 7164 and 7165 to group extras
* Added invalid check or group id to the error message #962
* Fix Broken Link
* Add docker volume example to README.md
* Updated Dockerfile to use amazonlinux container
* Updated Dockerfile with AWS cli v2
* Added upgrade to the RUN
* Added cache purge to Dockerfile
* Backup AWS Credentials before AssumeRole and Restore them before CopyToS3
* exporting the ENV variables
* fixed bracket
* Improved documentation for install process
* fix checks with comma issues
* Added -D option to copy to S3 with the initial AWS credentials
* Cosmetic variable name change
* Added $PROFILE_OPT to CopyToS3 commands
* remove commas
* removed file as it is not needed
* Improved help usage options -h
* Fixed CIS LEVEL on 7163 through 7165
* When performing a restoreInitialAWSCredentials, unset the credentials ENV variables if they were never set
* New check 7166 Elastic IP addresses with associations are protected by AWS Shield Advanced
* New check 7167 Cloudfront distributions are protected by AWS Shield Advanced
* New check 7168 Route53 hosted zones are protected by AWS Shield Advanced
* New check 7169 Global accelerators are protected by AWS Shield Advanced
* New check 7170 Application load balancers are protected by AWS Shield Advanced
* New check 7171 Classic load balancers are protected by AWS Shield Advanced
* Include example for global resources
* Add AWS Advance Shield protection checks corrections
* Added Shield actions GetSubscriptionState and DescribeProtection
* Added Shield actions GetSubscriptionState and DescribeProtection
* docs(templates): Improve bug template with more info (#982)
* Removed echoes after role chaining fix
* Changed Route53 checks7152 and 7153 to INFO when no domains found
* Changed Route53 checks 7152 and 7153 title to clarify
* Added passed security groups in output to check 778
* Added passed security groups and updated title to check 777
* Added FAIL as error handling when SCP prevents queries to regions
* Label version 2.7.0-6January2022
* Updated .dockerignore with .github/
* Fix: issue #758 and #984
* Fix: issue #741 CloudFront and real-time logs
* Fix issues #971 set all as INFO instead of FAIL when no access to resource
* Fix: issue #986
* Add additional action permissions for Glue and Shield Advanced checks @lazize
* Add extra shield action permission
Allows the shield:GetSubscriptionState action
* Add permission actions
Make sure all files where permission actions are necessary will have the same actions
* Fix: Credential chaining from environment variables @lazize #996f
If profile is not defined, restore original credentials from environment variables,
if they exists, before assume-role
* Lable version 2.7.0-24January2022
Co-authored-by: Lee Myers <ichilegend@gmail.com>
Co-authored-by: Chinedu Obiakara <obiakac@amazon.com>
Co-authored-by: Daniel Peladeau <dcpeladeau@gmail.com>
Co-authored-by: Jonathan Lozano <jonloza@amazon.com>
Co-authored-by: Daniel Lorch <dlorch@gmail.com>
Co-authored-by: Pepe Fagoaga <jose.fagoaga@smartprotection.com>
Co-authored-by: Israel <6672089+lopmoris@users.noreply.github.com>
Co-authored-by: root <halfluke@gmail.com>
Co-authored-by: nikirby <nikirby@amazon.com>
Co-authored-by: Joel Maisenhelder <maisenhe@gmail.com>
Co-authored-by: RT <35173068+rtcms@users.noreply.github.com>
Co-authored-by: Andrea Di Fabio <39841198+sectoramen@users.noreply.github.com>
Co-authored-by: Joseph de CLERCK <clerckj@amazon.fr>
Co-authored-by: Michael Dickinson <45626543+michael-dickinson-sainsburys@users.noreply.github.com>
Co-authored-by: Pepe Fagoaga <pepe@verica.io>
Co-authored-by: Leonardo Azize Martins <lazize@users.noreply.github.com>
- Move Security Hub related code to a dedicated include/securityhub_integration file
- Check that Security Hub is enabled in the target region before beginning checks when -S is specified
- Add error handling to the batch-import-findings call
- Add CHECK_ASFF_TYPE variables to all CIS checks to override the default
- Add support for CHECK_ASFF_RESOURCE_TYPE variables which override the default 'AwsAccount' value for the resource a finding relates to.
- Add CHECK_ASFF_RESOURCE_TYPE variables to all checks where there is a suitable value in the schema
- Remove json-asff output for info messages as they are not appropriate for possible submission to Security Hub
- Update the README to cover Security Hub integration
- Add an IAM policy JSON document that provides the necessary BatchImportFindings permission for Security Hub
- Remove trailing whitespace and periods in pass/fail messages to be consistent with the majority of messages, to prevent future tidy-up from changing the finding IDs
Buckets that log to one or more trails are logged as `PASS!` for each trail they are associated with.
Buckets that aren't associated with any trails are logged as `FAIL!` once.
```
...
PASS! : S3 bucket bucket-one has Object-level logging enabled in trails: arn:aws:cloudtrail:eu-west-2:123456789012:trail/central-trail
PASS! : S3 bucket bucket-two has Object-level logging enabled in trails: arn:aws:cloudtrail:eu-west-2:9876543210989:trail/trail-two
PASS! : S3 bucket bucket-two has Object-level logging enabled in trails: arn:aws:cloudtrail:eu-west-2:123456789012:trail/central-trail
PASS! : S3 bucket bucket-three has Object-level logging enabled in trails: arn:aws:cloudtrail:eu-west-2:123456789012:trail/central-trail
...
```
This change should also address #387
