#!/usr/bin/env bash

# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_extra723="7.23"
CHECK_TITLE_extra723="[extra723] Check if RDS Snapshots and Cluster Snapshots are public (Not Scored) (Not part of CIS benchmark)"
CHECK_SCORED_extra723="NOT_SCORED"
CHECK_TYPE_extra723="EXTRA"
CHECK_SEVERITY_extra723="Critical"
CHECK_ASFF_RESOURCE_TYPE_extra723="AwsRdsDbSnapshot"
CHECK_ALTERNATE_check723="extra723"
CHECK_SERVICENAME_extra723="rds"
CHECK_RISK_extra723='Publicly accessible services could expose sensible data to bad actors. t is recommended that your RDS snapshots should not be public in order to prevent potential leak or misuse of sensitive data or any other kind of security threat. If your RDS snapshot is public; then the data which is backed up in that snapshot is accessible to all other AWS accounts.'
CHECK_REMEDIATION_extra723='Use AWS Config to identify any sanpshot that is public.'
CHECK_DOC_extra723='https://docs.aws.amazon.com/config/latest/developerguide/rds-snapshots-public-prohibited.html'
CHECK_CAF_EPIC_extra723='Data Protection'

extra723(){
  # "Check if RDS Snapshots are public (Not Scored) (Not part of CIS benchmark)"
  for regx in $REGIONS; do
    # RDS snapshots
    LIST_OF_RDS_SNAPSHOTS=$($AWSCLI rds describe-db-snapshots $PROFILE_OPT --region $regx --query DBSnapshots[*].DBSnapshotIdentifier --output text)
    if [[ $LIST_OF_RDS_SNAPSHOTS ]]; then
      for rdssnapshot in $LIST_OF_RDS_SNAPSHOTS;do
        SNAPSHOT_IS_PUBLIC=$($AWSCLI rds describe-db-snapshot-attributes $PROFILE_OPT --region $regx --db-snapshot-identifier $rdssnapshot --query DBSnapshotAttributesResult.DBSnapshotAttributes[*] --output text|grep ^ATTRIBUTEVALUES|cut -f2|grep all)
        if [[ $SNAPSHOT_IS_PUBLIC ]];then
          textFail "$regx: RDS Snapshot $rdssnapshot is public!" "$regx"
        else
          textPass "$regx: RDS Snapshot $rdssnapshot is not shared" "$regx"
        fi
      done
    else
      textInfo "$regx: No RDS Snapshots found" "$regx"
    fi
    # RDS cluster snapshots
    LIST_OF_RDS_CLUSTER_SNAPSHOTS=$($AWSCLI rds describe-db-cluster-snapshots $PROFILE_OPT --region $regx --query DBClusterSnapshots[*].DBClusterSnapshotIdentifier --output text)
    if [[ $LIST_OF_RDS_CLUSTER_SNAPSHOTS ]]; then
      for rdsclustersnapshot in $LIST_OF_RDS_CLUSTER_SNAPSHOTS;do
        CLUSTER_SNAPSHOT_IS_PUBLIC=$($AWSCLI rds describe-db-cluster-snapshot-attributes $PROFILE_OPT --region $regx --db-cluster-snapshot-identifier $rdsclustersnapshot --query DBClusterSnapshotAttributesResult.DBClusterSnapshotAttributes[*] --output text|grep ^ATTRIBUTEVALUES|cut -f2|grep all)
        if [[ $CLUSTER_SNAPSHOT_IS_PUBLIC ]];then
          textFail "$regx: RDS Cluster Snapshot $rdsclustersnapshot is public!" "$regx"
        else
          textPass "$regx: RDS Cluster Snapshot $rdsclustersnapshot is not shared" "$regx"
        fi
      done
    else
      textInfo "$regx: No RDS Cluster Snapshots found" "$regx"
    fi
  done
}