#!/usr/bin/env bash # Prowler - the handy cloud security tool (c) by Toni de la Fuente # # This Prowler check is licensed under a # Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. # # You should have received a copy of the license along with this # work. If not, see . CHECK_ID_check33="3.3,3.03" CHECK_TITLE_check33="[check33] Ensure a log metric filter and alarm exist for usage of root account (Scored)" CHECK_SCORED_check33="SCORED" CHECK_ALTERNATE_check303="check33" check33(){ # "Ensure a log metric filter and alarm exist for usage of root account (Scored)" CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr ' ' ' ' | awk -F: '{ print $7 }') if [[ $CLOUDWATCH_GROUP ]];then for group in $CLOUDWATCH_GROUP; do CLOUDWATCH_LOGGROUP_REGION=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | awk -F: '{ print $4 }') METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $group $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION |grep -E 'userIdentity.*Root.*AwsServiceEvent') if [[ $METRICFILTER_SET ]];then HAS_ALARM_ASSOCIATED=$($AWSCLI cloudwatch describe-alarms $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'MetricAlarms[].MetricName' --output text | tr '[:upper:]' '[:lower:]'| grep -Ei 'userIdentity|Root|AwsServiceEvent') if [[ $HAS_ALARM_ASSOCIATED ]];then textPass "CloudWatch group $group found with metric filters and alarms set for usage of root account" else textFail "CloudWatch group $group found with metric filters but no alarms associated" fi else textFail "CloudWatch group $group found but no metric filters or alarms associated" fi done else textFail "No CloudWatch group found for CloudTrail events" fi }