#!/usr/bin/env bash # Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente # # Licensed under the Apache License, Version 2.0 (the "License"); you may not # use this file except in compliance with the License. You may obtain a copy # of the License at http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software distributed # under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. GROUP_ID[15]='pci' GROUP_NUMBER[15]='15.0' GROUP_TITLE[15]='PCI-DSS v3.2.1 Readiness - ONLY AS REFERENCE - [pci] **********' GROUP_RUN_BY_DEFAULT[15]='N' # run it when execute_all is called GROUP_CHECKS[15]='check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check112,check113,check114,check116,check21,check23,check25,check26,check27,check28,check29,check314,check36,check38,check43,extra713,extra717,extra718,extra72,extra729,extra735,extra738,extra740,extra744,extra748,extra75,extra750,extra751,extra753,extra754,extra755,extra756,extra773,extra78,extra780,extra781,extra782,extra783,extra784,extra785,extra787,extra788,extra798' # Resources: # https://github.com/toniblyx/prowler/issues/296 # List of checks based on PCI v3.2.1 # 3.1 Requirement: Install and Maintain a Firewall Configuration to Protect Cardholder Data # Ensure no security groups allow ingress from 0.0.0.0/0 to all ports and protocols extra748 # Ensure no security groups allow ingress from 0.0.0.0/0 to RDP (TCP 3389) check42 # Ensure no security groups allow ingress from 0.0.0.0/0 to SSH (TCP 22) check41 # Ensure no security groups allow ingress from 0.0.0.0/0 to Oracle (TCP 1521) extra749 # Ensure no security groups allow ingress from 0.0.0.0/0 to Oracle (TCP and UDP 2483) extra749 # Ensure no security groups allow ingress from 0.0.0.0/0 to Oracle (UDP 2483) extra749 # Ensure no security groups allow ingress from 0.0.0.0/0 to MySQL (TCP 3306) extra750 # Ensure no security groups allow ingress from 0.0.0.0/0 to Postgres (TCP 5432) extra751 # Ensure no security groups allow ingress from 0.0.0.0/0 to Redis (TCP 6379)extra752 # Ensure no security groups allow ingress from 0.0.0.0/0 to MongoDB (TCP 27017 and 27018) extra753 # Ensure no security groups allow ingress from 0.0.0.0/0 to Cassandra (TCP 7199, 9160 and 8888) extra754 # Ensure no security groups allow ingress from 0.0.0.0/0 to Memcached (TCP and UDP 11211) extra755 # Ensure no security groups allow ingress from 0.0.0.0/0 to Elasticsearch ports (TCP 9200/9300/5601) extra779 # Ensure the default security group restricts all traffic check43 # Remove unused security groups extra75 # RDS should not have Public interface open to a public scope extra78 # Check for Publicly Accessible Redshift Clusters extra756 # Ensure Lambda Functions are not publicly accessible extra798 # 3.2 Requirement 2: Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters # Instance with administrative service: SSH (TCP:22) is exposed to the public Internet check41 # Instance with administrative service: RDP (TCP:3389) is exposed to the public Internet check42 # Instance with unencrypted Redis: (TCP:6379) is exposed to the public Internet extra752 # 3.3 Requirement 3: Protect Stored Cardholder Data # S3 Buckets Server Side encryption at rest extra734 # Ensure ECS Cluster At-rest encryption TODO # Ensure DynamoDB -Server Side Encryption DONE (default behavior) # Check if RDS instances storage is encrypted extra735 # Ensure there are no EBS Volumes unencrypted extra729 # Ensure CloudTrail logs are encrypted at rest using KMS CMKs check27 # Ensure rotation for customer created CMKs is enabled check28 # Check if EBS snapshots are encrypted extra740 # Ensure there are no EBS Snapshots set as Public extra72 # Ensure there is no Fargate containers in use (/aws/containers-roadmap/issues/314) TODO # 3.4 Requirement 4: Encrypt Transmission of Cardholder Data Across Open, Public Networks # Use encrypted connections between CloudFront and origin server extra738 and TODO # Ensure that S3 Buckets only allow data transfer using SSL/TLS extra734 # ELB is setup with SSL for secure communications TODO # Ensure the access keys are rotated every 90 days or less check14 # Network Load Balancer with unencrypted service: ElasticSearch (TCP:9200) is exposed to the public Internet TODO? ELB on SSL should be enough extra779 and extra716 # Network Load Balancer with unencrypted service: ElasticSearch (TCP:9300) is exposed to the public Internet TODO? ELB on SSL should be enough extra779 and extra716 # Network Load Balancer with unencrypted service: LDAP (UDP:389) is exposed to the public Internet TODO? ELB on SSL should be enough # Network Load Balancer with unencrypted service: LDAP (TCP:389) is exposed to the public Internet TODO? ELB on SSL should be enough # Instance with unencrypted service: ElasticSearch (TCP:9200) is exposed to the public Internet extra779 and extra716 # Instance with unencrypted service: ElasticSearch (TCP:9300) is exposed to the public Internet extra779 and extra716 # Instance with unencrypted service: LDAP (UDP:389) is exposed to the public Internet # Instance with unencrypted service: LDAP (TCP:389) is exposed to the public Internet # Instance with unencrypted Redis: (TCP:6379) is exposed to the public Internet # 3.5. Requirement 5: Protect All Systems Against Malware and Regularly Update Anti-Virus Software or Programs # N/A # 3.6. Requirement 6: Develop and Maintain Secure Systems and Applications # Ensure Inspector has Assessment Targets TODO # Ensure Inspector has a Scheduled Assessment Template TODO # Check for WAF IPSet TODO # Check for WAF Constraint Sets TODO # Check for WAF Web ACL extra744,extra773 # 3.7. Requirement 7: Restrict Access to Cardholder Data By Business Need To Know # Credentials (access keys) unused for 90 days or more should be disabled check13 # Credentials (password enabled) unused for 90 days or more should be disabled check111 # Ensure IAM policies are attached only to groups or roles check116 # 3.8. Requirement 8: Identify and Authenticate Access to System Components # Enforce password policy: IAM (check15, check16, check17, check18, check19, check110, check111) # Ensure that MFA is enabled for root account check113 # Ensure MFA is enabled for all IAM users that have a console password check12 # Ensure no root account access key exist check112 # Ensure hardware MFA is enabled for the root account check114 # Avoid the use of root account. check11 # 3.9 Requirement 9: Restrict Physical Access to Cardholder Data # N/A # 3.10. Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data # Ensure CloudTrail is enabled in all regions check21 # Ensure VPC Flow Logging is enabled in all the applicable Regions check29 # Ensure S3 Buckets access logging is enabled on the CloudTrail S3 bucket check26 # ELB is created with access logs enabled extra717 # S3 bucket should have server access logging enabled extra718 # Ensure AWS Config in all regions check25 # S3 bucket CloudTrail logs should not have public accessible check23 # S3 buckets should not be world-listable extra73 # S3 buckets should not be world-writable extra73 # S3 buckets should not be world-readable extra73 # Ensure a log metric filter and alarm exist for S3 bucket policy changes check38 # Ensure a log metric exist for AWS Management console authentication failures check36 # Ensure a log metric exist for VPC changes check314 # 3.11. Requirement 11: Regularly Test Security Systems and Processes # Ensure AWS GuarDduty is enabled extra713 # Ensure Inspector has Assessment Targets # Ensure Inspector has a Scheduled Assessment Template # Requirement 12: Maintain a Policy That Addresses Information Security For All Personnel # N/A