mirror of
https://github.com/ghndrx/prowler.git
synced 2026-02-10 23:05:05 +00:00
125 lines
9.7 KiB
Bash
125 lines
9.7 KiB
Bash
#!/usr/bin/env bash
|
|
|
|
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
|
# use this file except in compliance with the License. You may obtain a copy
|
|
# of the License at http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software distributed
|
|
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
|
|
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
|
|
# specific language governing permissions and limitations under the License.
|
|
|
|
|
|
CHECK_ID_extra7177="7.177"
|
|
CHECK_TITLE_extra7177="[extra7177] Publicly accessible EMR Cluster"
|
|
CHECK_SCORED_extra7177="NOT_SCORED"
|
|
CHECK_CIS_LEVEL_extra7177="EXTRA"
|
|
CHECK_SEVERITY_extra7177="High"
|
|
CHECK_ASFF_TYPE_extra7177="AwsEMR"
|
|
CHECK_ALTERNATE_check7177="extra7177"
|
|
CHECK_SERVICENAME_extra7177="emr"
|
|
CHECK_RISK_extra7177='EMR Clusters should not be publicly accessible'
|
|
CHECK_REMEDIATION_extra7177='Only make acceptable EMR clusters public'
|
|
CHECK_DOC_extra7177='https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-block-public-access.html'
|
|
CHECK_CAF_EPIC_extra7177='Infrastructure Security'
|
|
|
|
extra7177(){
|
|
for regx in ${REGIONS}; do
|
|
# List only EMR clusters with the following states: STARTING, BOOTSTRAPPING, RUNNING, WAITING, TERMINATING
|
|
# [NOT TERMINATED AND TERMINATED_WITH_ERRORS]
|
|
LIST_OF_CLUSTERS=$("${AWSCLI}" emr list-clusters ${PROFILE_OPT} --region "${regx}" --query 'Clusters[?(Status.State!=`TERMINATED` && Status.State!=`TERMINATED_WITH_ERRORS`)].Id' --output text 2>&1)
|
|
if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${LIST_OF_CLUSTERS}"; then
|
|
textInfo "${regx}: Access Denied trying to list EMR clusters" "${regx}"
|
|
continue
|
|
fi
|
|
if [[ "${LIST_OF_CLUSTERS}" ]]
|
|
then
|
|
for cluster_id in ${LIST_OF_CLUSTERS}; do
|
|
master_public_dns=$("${AWSCLI}" emr describe-cluster ${PROFILE_OPT} --cluster-id "${cluster_id}" --query 'Cluster.MasterPublicDnsName' --region "${regx}" --output text 2>&1)
|
|
if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${master_public_dns}"; then
|
|
textInfo "${regx}: Access Denied trying to describe EMR cluster" "${regx}" "${cluster_id}"
|
|
continue
|
|
fi
|
|
if [[ $master_public_dns != None && $master_public_dns != *.internal ]];then
|
|
# If EMR cluster is Public, it is required to check their Security Groups for the Master, the Slaves and the additional ones
|
|
|
|
# Retrive EMR Master Node Security Groups rules
|
|
master_node_sg=$("${AWSCLI}" emr describe-cluster --cluster-id "${cluster_id}" ${PROFILE_OPT} --region "${regx}" --query 'Cluster.Ec2InstanceAttributes.EmrManagedMasterSecurityGroup' --output text 2>&1)
|
|
if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${master_node_sg}"; then
|
|
textInfo "${regx}: Access Denied trying to describe EMR cluster" "${regx}" "${cluster_id}"
|
|
continue
|
|
fi
|
|
master_node_sg_internet_open=$("${AWSCLI}" ec2 describe-security-groups --group-ids "${master_node_sg}" --query 'SecurityGroups[?length(IpPermissions[?(contains(IpRanges[].CidrIp, `0.0.0.0/0`) || contains(Ipv6Ranges[].CidrIpv6, `::/0`))]) > `0`].{GroupId:GroupId}' ${PROFILE_OPT} --region "${regx}" --output text 2>&1)
|
|
if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${master_node_sg_internet_open}"; then
|
|
textInfo "$regx: Access Denied trying to describe security groups" "$regx"
|
|
continue
|
|
fi
|
|
|
|
# Retrive EMR Slave Node Security Groups rules
|
|
slave_node_sg=$("${AWSCLI}" emr describe-cluster --cluster-id "${cluster_id}" ${PROFILE_OPT} --region "${regx}" --query 'Cluster.Ec2InstanceAttributes.EmrManagedSlaveSecurityGroup' --output text 2>&1)
|
|
if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${slave_node_sg}"; then
|
|
textInfo "${regx}: Access Denied trying to describe EMR cluster" "${regx}" "${cluster_id}"
|
|
continue
|
|
fi
|
|
slave_node_sg_internet_open=$("${AWSCLI}" ec2 describe-security-groups --group-ids "${slave_node_sg}" --query 'SecurityGroups[?length(IpPermissions[?(contains(IpRanges[].CidrIp, `0.0.0.0/0`) || contains(Ipv6Ranges[].CidrIpv6, `::/0`))]) > `0`].{GroupId:GroupId}' ${PROFILE_OPT} --region "${regx}" --output text 2>&1)
|
|
if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${slave_node_sg_internet_open}"; then
|
|
textInfo "$regx: Access Denied trying to describe security groups" "$regx"
|
|
continue
|
|
fi
|
|
|
|
# Retrive EMR Additional Master node Security Groups rules
|
|
additional_master_node_sg_list=$("${AWSCLI}" emr describe-cluster --cluster-id "${cluster_id}" ${PROFILE_OPT} --region "${regx}" --query 'Cluster.Ec2InstanceAttributes.AdditionalMasterSecurityGroups' --output text 2>&1)
|
|
if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${slave_node_sg}"; then
|
|
textInfo "${regx}: Access Denied trying to describe EMR cluster" "${regx}" "${cluster_id}"
|
|
continue
|
|
fi
|
|
local additional_master_node_sg_internet_open_list
|
|
if [[ "${additional_master_node_sg_list}" != "None" ]]; then
|
|
for additional_master_node_sg in ${additional_master_node_sg_list}; do
|
|
additional_master_node_sg_internet_open=$("${AWSCLI}" ec2 describe-security-groups --group-ids "${additional_master_node_sg}" --query 'SecurityGroups[?length(IpPermissions[?(contains(IpRanges[].CidrIp, `0.0.0.0/0`) || contains(Ipv6Ranges[].CidrIpv6, `::/0`))]) > `0`].{GroupId:GroupId}' ${PROFILE_OPT} --region "${regx}" --output text 2>&1)
|
|
if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${slave_node_sg_internet_open}"; then
|
|
textInfo "$regx: Access Denied trying to describe security groups" "$regx"
|
|
continue
|
|
fi
|
|
# Store additional master node security groups that allows access from the internet
|
|
additional_master_node_sg_internet_open_list+=( "${additional_master_node_sg_internet_open}" )
|
|
done
|
|
fi
|
|
|
|
# Retrive EMR Additional Slave node Security Groups rules
|
|
additional_slave_node_sg_list=$("${AWSCLI}" emr describe-cluster --cluster-id "${cluster_id}" ${PROFILE_OPT} --region "${regx}" --query 'Cluster.Ec2InstanceAttributes.AdditionalSlaveSecurityGroups' --output text 2>&1)
|
|
if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${slave_node_sg}"; then
|
|
textInfo "${regx}: Access Denied trying to describe EMR cluster" "${regx}" "${cluster_id}"
|
|
continue
|
|
fi
|
|
local additional_slave_node_sg_internet_open_list
|
|
if [[ "${additional_slave_node_sg_list}" != "None" ]]; then
|
|
for additional_slave_node_sg in ${additional_master_node_sg_list}; do
|
|
additional_slave_node_sg_internet_open=$("${AWSCLI}" ec2 describe-security-groups --group-ids "${additional_slave_node_sg}" --query 'SecurityGroups[?length(IpPermissions[?(contains(IpRanges[].CidrIp, `0.0.0.0/0`) || contains(Ipv6Ranges[].CidrIpv6, `::/0`))]) > `0`].{GroupId:GroupId}' ${PROFILE_OPT} --region "${regx}" --output text 2>&1)
|
|
if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${additional_slave_node_sg_internet_open}"; then
|
|
textInfo "$regx: Access Denied trying to describe security groups" "$regx"
|
|
continue
|
|
fi
|
|
# Store additional slave node security groups that allows access from the internet
|
|
additional_slave_node_sg_internet_open_list+=( "${additional_slave_node_sg_internet_open}" )
|
|
done
|
|
fi
|
|
|
|
# Check if EMR Cluster is publicly accessible through a Security Group
|
|
if [[ -n "${master_node_sg_internet_open}" || -n "${slave_node_sg_internet_open}" || "${#additional_master_node_sg_internet_open_list[@]}" -ne 0 || "${#additional_slave_node_sg_internet_open_list[@]}" -ne 0 ]]; then
|
|
textFail "${regx}: EMR Cluster ${cluster_id} is publicly accessible through the following Security Groups: Master Node ${master_node_sg_internet_open} ${additional_master_node_sg_internet_open_list[*]} -- Slaves Nodes ${slave_node_sg_internet_open} ${additional_slave_node_sg_internet_open_list[*]}" "${regx}" "${cluster_id}"
|
|
else
|
|
textPass "${regx}: EMR Cluster ${cluster_id} is not publicly accessible" "${regx}" "${cluster_id}"
|
|
fi
|
|
else
|
|
textPass "${regx}: EMR Cluster ${cluster_id} is not publicly accessible" "${regx}" "${cluster_id}"
|
|
fi
|
|
done
|
|
else
|
|
textInfo "${regx}: No EMR Clusters found" "${regx}"
|
|
fi
|
|
done
|
|
}
|