#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
# Metadata for check121. Every variable carries the check id as a suffix so
# the values of this check do not collide with those of other check files.
# Identity of the check.
CHECK_ID_check121="1.21"
CHECK_TITLE_check121="[check121] Do not setup access keys during initial user setup for all IAM users that have a console password"
CHECK_ALTERNATE_check121="check121"
CHECK_SERVICENAME_check121="iam"
CHECK_CAF_EPIC_check121='IAM'

# Scoring, benchmark level and severity.
CHECK_SCORED_check121="NOT_SCORED"
CHECK_TYPE_check121="LEVEL1"
CHECK_SEVERITY_check121="Medium"

# Security Hub (ASFF) classification and compliance mapping.
CHECK_ASFF_TYPE_check121="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check121="AwsIamUser"
CHECK_ASFF_COMPLIANCE_TYPE_check121="ens-op.acc.1.aws.iam.5"

# Finding narrative: why it matters, how to fix it, where to read more.
CHECK_RISK_check121='AWS console defaults the checkbox for creating access keys to enabled. This results in many access keys being generated unnecessarily. In addition to unnecessary credentials; it also generates unnecessary management work in auditing and rotating these keys. Requiring that additional steps be taken by the user after their profile has been created will give a stronger indication of intent that access keys are (a) necessary for their work and (b) once the access key is established on an account that the keys may be in use somewhere in the organization.'
CHECK_REMEDIATION_check121='From the IAM console: generate credential report and disable not required keys.'
CHECK_DOC_check121='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html'
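#######################################
# Report IAM users whose access key N is active but has never been used.
# Globals:   TEMP_REPORT_FILE (read) - credential report, CSV, one row per
#                                      principal, user name in column 1
#            REGION (read)           - region label used in the messages
# Arguments: $1 - key number as it appears in the messages (1 or 2)
#            $2 - report column holding "access key N active"
#            $3 - report column holding "access key N last used date"
#            $4 - whitespace separated list of IAM user names to consider
# Outputs:   one textFail per affected user, or a single textPass
#######################################
_check121_report_key() {
  local key_num=$1 active_col=$2 last_used_col=$3 users=$4
  local user found=0
  # Word-splitting on $users is intended: the list comes from
  # `list-users --output text` and IAM user names contain no whitespace.
  for user in $users; do
    # Match column 1 exactly instead of grep "^${user}," so a user name
    # containing regex metacharacters (e.g. '.') cannot select other rows.
    # A user qualifies when the console password is enabled (column 4),
    # the key is active and its last-used date is still "N/A".
    if [[ -n $(awk -F, -v u="$user" -v a="$active_col" -v l="$last_used_col" \
          '$1 == u && $4 == "true" && $a == "true" && $l == "N/A" { print $1 }' \
          "$TEMP_REPORT_FILE") ]]; then
      found=1
      textFail "$REGION: User $user has never used access key $key_num" "$REGION" "$user"
    fi
  done
  # No resource argument on the pass path: there is no affected user, and
  # forwarding "$user" here would report whatever name the loop left behind.
  if (( found == 0 )); then
    textPass "$REGION: No users found with access key $key_num never used" "$REGION"
  fi
}

check121(){
  # "Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)"
  #
  # Flags every IAM user that has a console password and an active access
  # key (key 1 or key 2) that has never been used, according to the
  # credential report in $TEMP_REPORT_FILE. Only users returned by
  # `iam list-users` are examined, so other report rows are ignored.
  local list_users

  # $PROFILE_OPT is deliberately unquoted: it is empty or an option pair
  # such as "--profile name" that has to word-split into two arguments.
  # shellcheck disable=SC2086
  list_users=$($AWSCLI iam list-users --query 'Users[*].UserName' --output text $PROFILE_OPT --region "$REGION")

  # Access key 1: "active" is column 9, "last used date" is column 11.
  _check121_report_key 1 9 11 "$list_users"
  # Access key 2: "active" is column 14, "last used date" is column 16.
  _check121_report_key 2 14 16 "$list_users"
}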