Added a third parameter to checks textFail and textPass to identify resource name in finding.
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (c) by Toni de la Fuente
#
# This Prowler check is licensed under a
# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
#
# You should have received a copy of the license along with this
# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
# Check metadata read by the Prowler framework; every key is suffixed with the check id.
CHECK_ID_check121='1.21'
CHECK_TITLE_check121='[check121] Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)'
CHECK_SCORED_check121='NOT_SCORED'
CHECK_TYPE_check121='LEVEL1'
CHECK_SEVERITY_check121='Medium'
# AWS Security Hub (ASFF) classification of the finding
CHECK_ASFF_TYPE_check121='Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark'
CHECK_ASFF_RESOURCE_TYPE_check121='AwsIamUser'
CHECK_ALTERNATE_check121='check121'
CHECK_ASFF_COMPLIANCE_TYPE_check121='ens-op.acc.1.aws.iam.5'
CHECK_SERVICENAME_check121='iam'
# Risk statement, remediation and reference shown alongside findings
CHECK_RISK_check121="AWS console defaults the checkbox for creating access keys to enabled. This results in many access keys being generated unnecessarily. In addition to unnecessary credentials; it also generates unnecessary management work in auditing and rotating these keys. Requiring that additional steps be taken by the user after their profile has been created will give a stronger indication of intent that access keys are (a) necessary for their work and (b) once the access key is established on an account that the keys may be in use somewhere in the organization."
CHECK_REMEDIATION_check121="From the IAM console: generate credential report and disable not required keys."
CHECK_DOC_check121="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html"
CHECK_CAF_EPIC_check121="IAM"
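#######################################
# check121: report IAM users that have a console password and an active
# access key that has never been used (CIS 1.21, not scored).
# Globals:   AWSCLI, PROFILE_OPT, REGION, TEMP_REPORT_FILE (read)
# Arguments: none
# Outputs:   one textFail per offending user and key, otherwise a textPass
#            per key; key 1 findings are emitted before key 2 findings
#######################################
check121(){
  # "Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)"
  local list_users user fields
  local password_enabled key1_active key1_last_used key2_active key2_last_used
  local -a key1_unused=() key2_unused=()

  # PROFILE_OPT is deliberately unquoted: it is either empty or a set of CLI options.
  # shellcheck disable=SC2086
  list_users=$($AWSCLI iam list-users --query 'Users[*].UserName' --output text $PROFILE_OPT --region "$REGION")

  # TEMP_REPORT_FILE is the IAM credential report (CSV, one row per user).
  # Columns used: $1 user, $4 password_enabled, $9 access_key_1_active,
  # $11 access_key_1_last_used_date, $14 access_key_2_active,
  # $16 access_key_2_last_used_date.
  # Match the user column exactly instead of grep "^user," so regex
  # characters allowed in IAM user names (e.g. '.' or '+') cannot widen the
  # match, and run one awk per user instead of grep|awk|grep|awk.
  # list_users is a whitespace-separated list, so word-splitting is intended.
  # shellcheck disable=SC2086
  for user in $list_users; do
    fields=$(awk -F, -v u="$user" '$1 == u { print $4, $9, $11, $14, $16; exit }' "$TEMP_REPORT_FILE")
    # User not present in the report: nothing to judge, same as the old grep miss
    [[ -n "$fields" ]] || continue
    read -r password_enabled key1_active key1_last_used key2_active key2_last_used <<<"$fields"
    # Only users with a console password are in scope for this check
    [[ "$password_enabled" == "true" ]] || continue
    if [[ "$key1_active" == "true" && "$key1_last_used" == "N/A" ]]; then
      key1_unused+=("$user")
    fi
    if [[ "$key2_active" == "true" && "$key2_last_used" == "N/A" ]]; then
      key2_unused+=("$user")
    fi
  done

  if (( ${#key1_unused[@]} > 0 )); then
    for user in "${key1_unused[@]}"; do
      textFail "User $user has never used access key 1" "us-east-1" "$user"
    done
  else
    textPass "No users found with access key 1 never used"
  fi

  if (( ${#key2_unused[@]} > 0 )); then
    for user in "${key2_unused[@]}"; do
      # Region and resource name are passed for key 2 exactly as for key 1,
      # so the finding carries the user name in both cases.
      textFail "User $user has never used access key 2" "us-east-1" "$user"
    done
  else
    textPass "No users found with access key 2 never used"
  fi
}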