mirror of
https://github.com/ghndrx/prowler.git
synced 2026-02-10 23:05:05 +00:00
55 KiB
Executable File
55 KiB
Executable File
#!/bin/bash
# Prowler is a tool that provides automate auditing and hardening guidance of an AWS account.
# It is based on AWS-CLI commands. It follows guidelines present in the CIS Amazon
# Web Services Foundations Benchmark at:
# https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
# This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0
# International Public License. The link to the license terms can be found at
# https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode
#
# Author: Toni de la Fuente - @ToniBlyx / Alfresco Software Inc.
# Prowler - Iron Maiden
#
# Walking through the city, looking oh so pretty
# I've just got to find my way
# See the ladies flashing
# All there legs and lashes
# I've just got to find my way...
# Exit if a pipeline results in an error.
# set -ue
# set -o pipefail
# set -vx
# Exits if any error is found
# set -e
OPTRED=""
OPTNORMAL=""
# Set the defaults for these getopts variables
PROFILE="default"
REGION="us-east-1"
FILTERREGION=""
MAXITEMS=100
MONOCHROME=0
MODE="text"
# Command usage menu
usage(){
echo "
USAGE:
`basename $0` -p <profile> -r <region> [ -h ]
Options:
-p <profile> specify your AWS profile to use (i.e.: default)
-r <region> specify an AWS region to direct API requests to (i.e.: us-east-1)
-c <checknum> specify a check number or group from the AWS CIS benchmark (i.e.: check11 for check 1.1 or check3 for entire section 3)
-f <filterregion> specify an AWS region to run checks against (i.e.: us-west-1)
-m <maxitems> specify the maximum number of items to return for long-running requests (default: 100)
-b do not use colors in the output
-M <mode> output mode: text (defalut), mono, csv
-h this help
"
exit
}
while getopts ":hbp:r:c:f:m:M:" OPTION; do
case $OPTION in
h )
usage
exit 1
;;
b )
MONOCHROME=1
;;
p )
PROFILE=$OPTARG
;;
r )
REGION=$OPTARG
;;
c )
CHECKNUMBER=$OPTARG
;;
f )
FILTERREGION=$OPTARG
;;
m )
MAXITEMS=$OPTARG
;;
M )
MODE=$OPTARG
;;
: )
echo ""
echo "$OPTRED ERROR!$OPTNORMAL -$OPTARG requires an argument"
usage
exit 1
;;
? )
echo ""
echo "$OPTRED ERROR!$OPTNORMAL Invalid option"
usage
exit 1
;;
esac
done
if [[ $MODE != "mono" && $MODE != "text" && $MODE != "csv" ]]; then
echo ""
echo "$OPTRED ERROR!$OPTNORMAL Invalid output mode. Choose text, mono, or csv."
usage
exit 1
fi
if [[ $MODE == "mono" ]]; then
MONOCHROME=1
fi
if [[ $MONOCHROME -eq 1 ]]; then
# Colors
NORMAL=''
WARNING='' # Bad (red)
SECTION='' # Section (yellow)
NOTICE='' # Notice (yellow)
OK='' # Ok (green)
BAD='' # Bad (red)
CYAN=''
BLUE=''
BROWN=''
DARKGRAY=''
GRAY=''
GREEN=''
MAGENTA=''
PURPLE=''
RED=''
YELLOW=''
WHITE=''
else
# Colors
# NOTE: Your editor may NOT show the 0x1b / escape character left of the '['
NORMAL=""
WARNING="" # Bad (red)
SECTION="" # Section (yellow)
NOTICE="" # Notice (yellow)
OK="" # Ok (green)
BAD="" # Bad (red)
CYAN=""
BLUE=""
BROWN=""
DARKGRAY=""
GRAY=""
GREEN=""
MAGENTA=""
PURPLE=""
RED=""
YELLOW=""
WHITE=""
fi
# Functions to manage dates depending on OS
if [[ "$OSTYPE" == "linux-gnu" ]]; then
# function to compare in days, usage how_older_from_today date
# date format %Y-%m-%d
how_older_from_today()
{
DATE_TO_COMPARE=$1
TODAY_IN_DAYS=$(date -d "$(date +%Y-%m-%d)" +%s)
DATE_FROM_IN_DAYS=$(date -d $DATE_TO_COMPARE +%s)
DAYS_SINCE=$((($TODAY_IN_DAYS - $DATE_FROM_IN_DAYS )/60/60/24))
echo $DAYS_SINCE
}
# function to convert from timestamp to date, usage timestamp_to_date timestamp
# output date format %Y-%m-%d
timestamp_to_date()
{
# remove fractions of a second
TIMESTAMP_TO_CONVERT=$(echo $1 | cut -f1 -d".")
OUTPUT_DATE=$(date -d @$TIMESTAMP_TO_CONVERT +'%Y-%m-%d')
echo $OUTPUT_DATE
}
decode_report()
{
base64 -d
}
elif [[ "$OSTYPE" == "darwin"* ]]; then
# BSD/OSX coommands compatibility
how_older_from_today()
{
DATE_TO_COMPARE=$1
TODAY_IN_DAYS=$(date +%s)
DATE_FROM_IN_DAYS=$(date -jf %Y-%m-%d $DATE_TO_COMPARE +%s)
DAYS_SINCE=$((($TODAY_IN_DAYS - $DATE_FROM_IN_DAYS )/60/60/24))
echo $DAYS_SINCE
}
timestamp_to_date()
{
# remove fractions of a second
TIMESTAMP_TO_CONVERT=$(echo $1 | cut -f1 -d".")
OUTPUT_DATE=$(date -r $TIMESTAMP_TO_CONVERT +'%Y-%m-%d')
echo $OUTPUT_DATE
}
decode_report()
{
base64 -D
}
elif [[ "$OSTYPE" == "cygwin" ]]; then
# POSIX compatibility layer and Linux environment emulation for Windows
how_older_from_today()
{
DATE_TO_COMPARE=$1
TODAY_IN_DAYS=$(date -d "$(date +%Y-%m-%d)" +%s)
DATE_FROM_IN_DAYS=$(date -d $DATE_TO_COMPARE +%s)
DAYS_SINCE=$((($TODAY_IN_DAYS - $DATE_FROM_IN_DAYS )/60/60/24))
echo $DAYS_SINCE
}
timestamp_to_date()
{
# remove fractions of a second
TIMESTAMP_TO_CONVERT=$(echo $1 | cut -f1 -d".")
OUTPUT_DATE=$(date -d @$TIMESTAMP_TO_CONVERT +'%Y-%m-%d')
echo $OUTPUT_DATE
}
decode_report()
{
base64 -d
}
else
echo "Unknown Operating System"
exit
fi
if [[ ! -f ~/.aws/credentials ]]; then
echo -e "\n$RED ERROR!$NORMAL AWS credentials file not found (~/.aws/credentials). Run 'aws configure' first. \n"
return 1
fi
# AWS-CLI variables
AWSCLI=$(which aws)
if [ -z "${AWSCLI}" ]; then
echo -e "\n$RED ERROR!$NORMAL AWS-CLI (aws command) not found. Make sure it is installed correctly and in your \$PATH\n"
exit
fi
# if this script runs in an AWS instance
# INSTANCE_PROFILE=$(curl http://169.254.169.254/latest/meta-data/iam/security-credentials/)
# AWS_ACCESS_KEY_ID=$(curl http://169.254.169.254/latest/meta-data/iam/security-credentials/${INSTANCE_PROFILE} | grep AccessKeyId | cut -d':' -f2 | sed 's/[^0-9A-Z]*//g')
# AWS_SECRET_ACCESS_KEY_ID=$(curl http://169.254.169.254/latest/meta-data/iam/security-credentials/${INSTANCE_PROFILE} | grep SecretAccessKey | cut -d':' -f2 | sed 's/[^0-9A-Za-z/+=]*//g')
# AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
# AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY_ID}
TITLE_ID=""
## Output formatting functions
text_ok(){
echo " $TITLE_ID $OK OK! $NORMAL $@"
}
text_notice(){
echo " $TITLE_ID $NOTICE INFO! $@ $NORMAL"
}
text_warn(){
echo " $TITLE_ID $BAD WARNING! $@ $NORMAL"
}
text_title(){
TITLE_ID=$1
echo -e "\n$BLUE $TITLE_ID $NORMAL ${@:2}"
}
prowlerBanner() {
echo -e "$CYAN _"
echo -e " _ __ _ __ _____ _| | ___ _ __"
echo -e " | '_ \| '__/ _ \ \ /\ / / |/ _ \ '__|"
echo -e " | |_) | | | (_) \ V V /| | __/ |"
echo -e " | .__/|_| \___/ \_/\_/ |_|\___|_|"
echo -e " |_|$NORMAL$BLUE CIS based AWS Account Hardening Tool$NORMAL\n"
}
# Get whoami in AWS, who is the user running this shell script
getWhoami(){
echo ""
echo "This report is being generated using credentials below:"
echo ""
echo -e "AWS-CLI Profile: $NOTICE[$PROFILE]$NORMAL AWS API Region: $NOTICE[$REGION]$NORMAL AWS Filter Region: $NOTICE[${FILTERREGION:-all}]$NORMAL\n"
if [[ $MONOCHROME -eq 1 ]]; then
$AWSCLI sts get-caller-identity --output json --profile $PROFILE --region $REGION | grep ':'
else
echo "Caller Identity:"
$AWSCLI sts get-caller-identity --output table --profile $PROFILE --region $REGION
echo ""
fi
}
printCurrentDate(){
text_notice "Date: $(date)"
}
printColorsCode(){
if [[ $MONOCHROME -eq 0 ]]; then
echo -e "\nColors Code for results: $NOTICE INFORMATIVE$NORMAL,$OK OK (RECOMMENDED VALUE)$NORMAL, $BAD WARNING (FIX REQUIRED)$NORMAL \n"
fi
}
# Generate Credential Report
genCredReport() {
echo -en '\nGenerating AWS IAM Credential Report...'
until $AWSCLI iam generate-credential-report --output text --query 'State' --profile $PROFILE --region $REGION |grep -m 1 "COMPLETE"; do
sleep 1
echo -n "."
done
}
# Save report to a file, decode it, deletion at finish and after every single check, acb stands for AWS CIS Benchmark
saveReport(){
TEMP_REPORT_FILE=/tmp/.acb
$AWSCLI iam get-credential-report --query 'Content' --output text --profile $PROFILE --region $REGION | decode_report > $TEMP_REPORT_FILE
}
# Delete temporary report file
cleanTemp(){
rm -fr $TEMP_REPORT_FILE
}
# Get a list of all available AWS Regions
REGIONS=$($AWSCLI ec2 describe-regions --query 'Regions[].RegionName' \
--output text \
--profile $PROFILE \
--region $REGION \
--region-names $FILTERREGION)
infoReferenceLong(){
# Report review note:
text_notice "For more information:"
text_notice "https://benchmarks.cisecurity.org/tools2/amazon/CIS_Amazon_Web_Services_Foundations_Benchmark_v1.1.0.pdf"
text_notice "For bugs or feedback:"
text_notice "https://github.com/Alfresco/aws-cis-security-benchmark/issues"
}
infoReferenceShort(){
# Report review note:
text_notice "http://bit.ly/2g3PEf7"
}
check11(){
ID11="1.1"
TITLE11="Avoid the use of the root account (Scored)."
COMMAND11=$(cat $TEMP_REPORT_FILE| grep '<root_account>' | cut -d, -f5,11,16 | sed 's/,/,\ /g')
text_title "$ID11" "$TITLE11"
text_notice "Root account last accessed (password, key_1, key_2): $COMMAND11"
}
check12(){
ID12="1.2"
TITLE12="Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)"
# List users with password enabled
COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED=$(cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$4 }' |grep true | awk '{ print $1 }')
COMMAND12=$(
for i in $COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED; do
cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$8 }' |grep -w $i| grep false | awk '{ print $1 }'
done)
text_title "$ID12" "$TITLE12"
if [[ $COMMAND12 ]]; then
for u in $COMMAND12; do
text_warn "User $u has Password enabled but MFA disabled"
done
else
text_ok "No users found with Password enabled and MFA disabled"
fi
}
check13(){
ID13="1.3"
TITLE13="Ensure credentials unused for 90 days or greater are disabled (Scored)"
text_title "$ID13" "$TITLE13"
COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED=$(cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$4 }' |grep true | awk '{ print $1 }')
if [[ $COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED ]]; then
COMMAND13=$(
for i in $COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED; do
cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$5 }' |grep $i| awk '{ print $1 }'|tr '\n' ' ';
done)
# list of users that have used password
USERS_PASSWORD_USED=$($AWSCLI iam list-users --query "Users[?PasswordLastUsed].UserName" --output text --profile $PROFILE --region $REGION)
if [[ $USERS_PASSWORD_USED ]]; then
# look for users with a password last used more or equal to 90 days
for i in $USERS_PASSWORD_USED; do
DATEUSED=$($AWSCLI iam list-users --query "Users[?UserName=='$i'].PasswordLastUsed" --output text --profile $PROFILE --region $REGION | cut -d'T' -f1)
HOWOLDER=$(how_older_from_today $DATEUSED)
if [ $HOWOLDER -gt "90" ];then
text_warn "User \"$i\" has not logged in during the last 90 days "
else
text_ok "User \"$i\" found with credentials used in the last 90 days"
fi
done
fi
else
text_ok "No users found with password enabled"
fi
}
check14(){
ID14="1.4"
TITLE14="Ensure access keys are rotated every 90 days or less (Scored)" # also checked by Security Monkey
LIST_OF_USERS_WITH_ACCESS_KEY1=$(cat $TEMP_REPORT_FILE| awk -F, '{ print $1, $9 }' |grep "\ true" | awk '{ print $1 }')
LIST_OF_USERS_WITH_ACCESS_KEY2=$(cat $TEMP_REPORT_FILE| awk -F, '{ print $1, $14 }' |grep "\ true" | awk '{ print $1 }')
text_title "$ID14" "$TITLE14"
C14_NUM_USERS1=0
C14_NUM_USERS2=0
# $(expr $C116_NUM_USERS + 1)
if [[ $LIST_OF_USERS_WITH_ACCESS_KEY1 ]]; then
# text_warn "Users with access key 1 older than 90 days:"
for user in $LIST_OF_USERS_WITH_ACCESS_KEY1; do
# check access key 1
DATEROTATED1=$(cat $TEMP_REPORT_FILE | grep $user| awk -F, '{ print $10 }' | grep -v "N/A" | awk -F"T" '{ print $1 }')
HOWOLDER=$(how_older_from_today $DATEROTATED1)
if [ $HOWOLDER -gt "90" ];then
text_warn " $user has not rotated access key1 in over 90 days "
C14_NUM_USERS1 = $(expr $C14_NUM_USERS1 + 1)
fi
done
if [[ $C14_NUM_USERS1 -eq 0 ]]; then
text_ok "No users with access key 1 older than 90 days."
fi
else
text_ok "No users with access key 1."
fi
if [[ $LIST_OF_USERS_WITH_ACCESS_KEY2 ]]; then
# text_warn "Users with access key 2 older than 90 days:"
for user in $LIST_OF_USERS_WITH_ACCESS_KEY2; do
# check access key 2
DATEROTATED2=$(cat $TEMP_REPORT_FILE | grep $user| awk -F, '{ print $10 }' | grep -v "N/A" | awk -F"T" '{ print $1 }')
HOWOLDER=$(how_older_from_today $DATEROTATED2)
if [ $HOWOLDER -gt "90" ];then
text_warn " $user has not rotated access key2. "
C14_NUM_USERS2 = $(expr $C14_NUM_USERS2 + 1)
fi
done
if [[ $C14_NUM_USERS2 -eq 0 ]]; then
text_ok "No users with access key 2 older than 90 days."
fi
else
text_ok "No users with access key 2."
fi
}
check15(){
ID15="1.5"
TITLE15="Ensure IAM password policy requires at least one uppercase letter (Scored)"
COMMAND15=$($AWSCLI iam get-account-password-policy --profile $PROFILE --region $REGION --query 'PasswordPolicy.RequireUppercaseCharacters') # must be true
text_title "$ID15" "$TITLE15"
if [[ $COMMAND15 == "true" ]];then
text_ok "Password Policy requires upper case"
else
text_warn "Password Policy missing upper-case requirement"
fi
}
check16(){
ID16="1.6"
TITLE16="Ensure IAM password policy require at least one lowercase letter (Scored)"
COMMAND16=$($AWSCLI iam get-account-password-policy --profile $PROFILE --region $REGION --query 'PasswordPolicy.RequireLowercaseCharacters') # must be true
text_title "$ID16" "$TITLE16"
if [[ $COMMAND16 == "true" ]];then
text_ok "Password Policy requires lower case"
else
text_warn "Password Policy missing lower-case requirement"
fi
}
check17(){
ID17="1.7"
TITLE17="Ensure IAM password policy require at least one symbol (Scored)"
COMMAND17=$($AWSCLI iam get-account-password-policy --profile $PROFILE --region $REGION --query 'PasswordPolicy.RequireSymbols') # must be true
text_title "$ID17" "$TITLE17"
if [[ $COMMAND17 == "true" ]];then
text_ok "Password Policy requires symbol"
else
text_warn "Password Policy missing symbol requirement"
fi
}
check18(){
ID18="1.8"
TITLE18="Ensure IAM password policy require at least one number (Scored)"
COMMAND18=$($AWSCLI iam get-account-password-policy --profile $PROFILE --region $REGION --query 'PasswordPolicy.RequireNumbers') # must be true
text_title "$ID18" "$TITLE18"
if [[ $COMMAND18 == "true" ]];then
text_ok "Password Policy requires number"
else
text_warn "Password Policy missing number requirement"
fi
}
check19(){
ID19="1.9"
TITLE19="Ensure IAM password policy requires minimum length of 14 or greater (Scored)"
COMMAND19=$($AWSCLI iam get-account-password-policy --profile $PROFILE --region $REGION --query 'PasswordPolicy.MinimumPasswordLength')
text_title "$ID19" "$TITLE19"
if [[ $COMMAND19 -gt "13" ]];then
text_ok "Password Policy requires more than 13 characters"
else
text_warn "Password Policy missing or weak length requirement"
fi
}
check110(){
ID110="1.10"
TITLE110="Ensure IAM password policy prevents password reuse (Scored)"
COMMAND110=$($AWSCLI iam get-account-password-policy --profile $PROFILE --region $REGION --query 'PasswordPolicy.PasswordReusePrevention' --output text)
text_title "$ID110" "$TITLE110"
if [[ $COMMAND110 ]];then
if [[ $COMMAND110 -gt "23" ]];then
text_ok "Password Policy limits reuse"
else
text_warn "Password Policy has weak reuse requirment (lower than 24)"
fi
else
text_warn "Password Policy missing reuse requirement"
fi
}
check111(){
ID111="1.11"
TITLE111="Ensure IAM password policy expires passwords within 90 days or less (Scored)"
COMMAND111=$($AWSCLI iam get-account-password-policy --profile $PROFILE --region $REGION | grep MaxPasswordAge | awk -F: '{ print $2 }'|sed 's/\ //g'|sed 's/,/ /g')
text_title "$ID111" "$TITLE111"
if [[ $COMMAND111 ]];then
if [ $COMMAND111 == "90" ];then
text_ok "Password Policy includes expiration"
fi
else
text_warn "Passowrd expiration not set or set greater than 90 days "
fi
}
check112(){
ID112="1.12"
TITLE112="Ensure no root account access key exists (Scored)"
# ensure the access_key_1_active and access_key_2_active fields are set to FALSE.
ROOTKEY1=$(cat $TEMP_REPORT_FILE |grep root_account|awk -F',' '{ print $9 }')
ROOTKEY2=$(cat $TEMP_REPORT_FILE |grep root_account|awk -F',' '{ print $14 }')
text_title "$ID112" "$TITLE112"
if [ $ROOTKEY1 == "false" ];then
text_ok "No access key 1 found for root"
else
text_warn "Found access key 1 for root "
fi
if [ $ROOTKEY2 == "false" ];then
text_ok "No access key 2 found for root"
else
text_warn "Found access key 2 for root "
fi
}
check113(){
ID113="1.13"
TITLE113="Ensure MFA is enabled for the root account (Scored)"
COMMAND113=$($AWSCLI iam get-account-summary --profile $PROFILE --region $REGION |grep AccountMFAEnabled | awk -F': ' '{ print $2 }'|sed 's/,//')
text_title "$ID113" "$TITLE113"
if [ $COMMAND113 == "1" ]; then
text_ok "Virtual MFA is enabled for root"
else
text_warn "MFA is not ENABLED for root account "
fi
}
check114(){
ID114="1.14"
TITLE114="Ensure hardware MFA is enabled for the root account (Scored)"
COMMAND113=$($AWSCLI iam get-account-summary --profile $PROFILE --region $REGION |grep AccountMFAEnabled | awk -F': ' '{ print $2 }'|sed 's/,//')
text_title "$ID114" "$TITLE114"
if [ $COMMAND113 == "1" ]; then
COMMAND114=$($AWSCLI iam list-virtual-mfa-devices --profile $PROFILE --region $REGION --query 'VirtualMFADevices' --output text|grep :root |wc -l)
if [ $COMMAND114 == "1" ]; then
text_ok "Virtual MFA is enabled for root"
else
text_ok "Hardware MFA is enabled for root "
fi
else
text_warn "MFA is not ENABLED for root account "
fi
}
check115(){
ID115="1.15"
TITLE115="Ensure security questions are registered in the AWS account (Not Scored)"
# No command available
text_title "$ID115" "$TITLE115"
text_notice "No command available for check 1.15 "
text_notice "Login to the AWS Console as root, click on the Account "
text_notice "Name -> My Account -> Configure Security Challenge Questions "
}
check116(){
ID116="1.16"
TITLE116="Ensure IAM policies are attached only to groups or roles (Scored)"
text_title "$ID116" "$TITLE116"
LIST_USERS=$($AWSCLI iam list-users --query 'Users[*].UserName' --output text --profile $PROFILE --region $REGION)
C116_NUM_USERS=0
for user in $LIST_USERS;do
USER_POLICY=$($AWSCLI iam list-attached-user-policies --output text --profile $PROFILE --region $REGION --user-name $user)
if [[ $USER_POLICY ]]; then
text_warn "$user has policy directly attached "
C116_NUM_USERS=$(expr $C116_NUM_USERS + 1)
fi
done
if [[ $C116_NUM_USERS -eq 0 ]]; then
text_ok "No policies attached to users."
fi
}
check117(){
ID117="1.17"
TITLE117="Enable detailed billing (Scored)"
# No command available
text_title "$ID117" "$TITLE117"
text_notice "No command available for check 1.17 "
text_notice "See section 1.17 on the CIS Benchmark guide for details "
infoReferenceShort
}
check118(){
ID118="1.18"
TITLE118="Ensure IAM Master and IAM Manager roles are active (Scored)"
text_title "$ID118" "$TITLE118"
FINDMASTERANDMANAGER=$($AWSCLI iam list-roles --profile $PROFILE --region $REGION --query "Roles[*].{RoleName:RoleName}" --output text | grep -E 'Master|Manager'| tr '\n' ' ')
if [[ $FINDMASTERANDMANAGER ]];then
text_notice "Found next roles as possible IAM Master and IAM Manager candidates: "
text_notice "$FINDMASTERANDMANAGER "
text_notice "run the commands below to check their policies with section 1.18 in the guide..."
for role in $FINDMASTERANDMANAGER;do
# find inline policies in found roles
INLINEPOLICIES=$($AWSCLI iam list-role-policies --role-name $role --profile $PROFILE --region $REGION --query "PolicyNames[*]" --output text)
for policy in $INLINEPOLICIES;do
text_notice "$AWSCLI iam get-role-policy --role-name $role --policy-name $policy --profile $PROFILE --region $REGION"
done
# find attached policies in found roles
ATTACHEDPOLICIES=$($AWSCLI iam list-attached-role-policies --role-name $role --profile $PROFILE --region $REGION --query "AttachedPolicies[*]" --output text)
for policy in $ATTACHEDPOLICIES;do
text-notice "$AWSCLI iam get-role-policy --role-name $role --policy-name $policy --profile $PROFILE --region $REGION"
done
done
else
text_warn "IAM Master and IAM Manager roles not found"
fi
}
check119(){
ID119="1.19"
TITLE119="Maintain current contact details (Scored)"
# No command available
text_title "$ID119" "$TITLE119"
text_notice "No command available for check 1.19 "
text_notice "See section 1.19 on the CIS Benchmark guide for details "
infoReferenceShort
}
check120(){
ID120="1.20"
TITLE120="Ensure security contact information is registered (Scored)"
# No command available
text_title "$ID120" "$TITLE120"
text_notice "No command available for check 1.20 "
text_notice "See section 1.20 on the CIS Benchmark guide for details "
infoReferenceShort
}
check121(){
ID121="1.21"
TITLE121="Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)"
text_title "$ID121" "$TITLE121"
text_notice "No command available for check 1.21 "
text_notice "See section 1.21 on the CIS Benchmark guide for details "
infoReferenceShort
}
check122(){
ID122="1.22"
TITLE122="Ensure a support role has been created to manage incidents with AWS Support (Scored)"
text_title "$ID122" "$TITLE122"
SUPPORTPOLICYARN=$($AWSCLI iam list-policies --query "Policies[?PolicyName == 'AWSSupportAccess'].Arn" --profile $PROFILE --region $REGION --output text)
if [[ $SUPPORTPOLICYARN ]];then
for policyarn in $SUPPORTPOLICYARN;do
POLICYTOSHOW=$($AWSCLI iam list-entities-for-policy --policy-arn $SUPPORTPOLICYARN --profile $PROFILE --region $REGION --output text)
if [[ $POLICYTOSHOW ]];then
text_ok "Support Policy attached to $POLICYTOSHOW"
text_notice "Make sure your team can create a Support case with AWS "
else
text_warn "Support Policy not applied to any Group, User or Role "
fi
done
else
text_warn "No Support Policy found"
fi
}
check123(){
ID123="1.23"
TITLE123="Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)"
text_title "$ID123" "$TITLE123"
LIST_USERS=$($AWSCLI iam list-users --query 'Users[*].UserName' --output text --profile $PROFILE --region $REGION)
# List of USERS with KEY1 last_used_date as N/A
LIST_USERS_KEY1_NA=$(for user in $LIST_USERS; do grep $user $TEMP_REPORT_FILE|awk -F, '{ print $1,$11 }'|grep N/A |awk '{ print $1 }'; done)
LIST_USERS_KEY1_ACTIVE=$(for user in $LIST_USERS_KEY1_NA; do grep $user $TEMP_REPORT_FILE|awk -F, '{ print $1,$9 }'|grep "true$"|awk '{ print $1 }'|sed 's/[:blank:]+/,/g' ; done)
if [[ $LIST_USERS_KEY1_ACTIVE ]]; then
# text_notice "List of users with Access Key 1 never used:"
text_notice "Users who never used Access Key 1: $LIST_USERS_KEY1_ACTIVE"
else
text_ok "No users found with Access Key 1 never used"
fi
# List of USERS with KEY2 last_used_date as N/A
LIST_USERS_KEY2_NA=$(for user in $LIST_USERS; do grep $user $TEMP_REPORT_FILE|awk -F, '{ print $1,$16 }'|grep N/A |awk '{ print $1 }' ; done)
LIST_USERS_KEY2_ACTIVE=$(for user in $LIST_USERS_KEY2_NA; do grep $user $TEMP_REPORT_FILE|awk -F, '{ print $1,$14 }'|grep "true$" |awk '{ print $1 }' ; done)
if [[ $LIST_USERS_KEY2_ACTIVE ]]; then
# text_notice "List of users with Access Key 2 never used:"
text_notice "Users who never used Access Key 2: $LIST_USERS_KEY2_ACTIVE"
else
text_ok "No users found with Access Key 2 never used"
fi
}
check124(){
ID124="1.24"
TITLE124="Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)"
text_title "$ID124" "$TITLE124"
LIST_CUSTOM_POLICIES=$($AWSCLI iam list-policies --output text --profile $PROFILE --region $REGION|grep 'arn:aws:iam::[0-9]\{12\}:'|awk '{ print $2 }')
if [[ $LIST_CUSTOM_POLICIES ]]; then
text_notice "Looking for custom policies: (skipping default policies, it may take few seconds...)"
for policy in $LIST_CUSTOM_POLICIES; do
POLICY_VERSION=$($AWSCLI iam list-policies --profile $PROFILE --region $REGION --query 'Policies[*].[Arn,DefaultVersionId]' --output text|grep -w $policy |awk '{ print $2}')
POLICY_WITH_FULL=$($AWSCLI iam get-policy-version --output text --policy-arn $policy --version-id $POLICY_VERSION --query "PolicyVersion.Document.Statement[?Effect == 'Allow' && contains(Resource, '*') && contains (Action, '*')]" --profile $PROFILE --region $REGION)
if [[ $POLICY_WITH_FULL ]]; then
POLICIES_ALLOW_LIST="$POLICIES_ALLOW_LIST $policy"
fi
done
if [[ $POLICIES_ALLOW_LIST ]]; then
text_notice "List of custom policies: "
for policy in $POLICIES_ALLOW_LIST; do
text_notice "Policy $policy allows \"*:*\""
done
else
text_ok "No custom policy found that allow full \"*:*\" administrative privileges"
fi
else
text_ok "No custom policies found"
fi
}
check21(){
ID21="2.1"
TITLE21="Ensure CloudTrail is enabled in all regions (Scored)"
text_title "$ID21" "$TITLE21"
LIST_OF_TRAILS=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].Name' --output text)
if [[ $LIST_OF_TRAILS ]];then
for trail in $LIST_OF_TRAILS;do
MULTIREGION_TRAIL_STATUS=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].IsMultiRegionTrail' --output text --trail-name-list $trail)
if [[ $MULTIREGION_TRAIL_STATUS == 'False' ]];then
text_warn "$trail trail in $REGION is not enabled in multi region mode"
else
text_ok "$trail trail in $REGION is enabled for all regions"
fi
done
else
text_warn "No CloudTrail trails found!"
fi
}
check22(){
ID22="2.2"
TITLE22="Ensure CloudTrail log file validation is enabled (Scored)"
text_title "$ID22" "$TITLE22"
LIST_OF_TRAILS=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].Name' --output text)
if [[ $LIST_OF_TRAILS ]];then
for trail in $LIST_OF_TRAILS;do
LOGFILEVALIDATION_TRAIL_STATUS=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].LogFileValidationEnabled' --output text --trail-name-list $trail)
if [[ $LOGFILEVALIDATION_TRAIL_STATUS == 'False' ]];then
text_warn "$trail trail in $REGION has not log file validation enabled"
else
text_ok "$trail trail in $REGION has log file validation enabled"
fi
done
else
text_warn "No CloudTrail trails found!"
fi
}
check23(){
ID23="2.3"
TITLE23="Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)"
text_title "$ID23" "$TITLE23"
CLOUDTRAILBUCKET=$($AWSCLI cloudtrail describe-trails --query 'trailList[*].S3BucketName' --output text --profile $PROFILE --region $REGION)
if [[ $CLOUDTRAILBUCKET ]];then
for bucket in $CLOUDTRAILBUCKET;do
CLOUDTRAILBUCKET_HASALLPERMISIONS=$($AWSCLI s3api get-bucket-acl --bucket $bucket --query 'Grants[?Grantee.URI==`http://acs.amazonaws.com/groups/global/AllUsers`]' --profile $PROFILE --region $REGION --output text)
if [[ $CLOUDTRAILBUCKET_HASALLPERMISIONS ]];then
text_warn "check your $bucket CloudTrail bucket ACL and Policy!"
else
text_ok "Bucket $bucket is set correctly"
fi
done
else
text_warn "No CloudTrail bucket found!"
fi
}
check24(){
ID24="2.4"
TITLE24="Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)"
text_title "$ID24" "$TITLE24"
TRAILS_AND_REGIONS=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].{Name:Name, HomeRegion:HomeRegion}' --output text | tr "\t" ',')
if [[ $TRAILS_AND_REGIONS ]];then
for reg_trail in $TRAILS_AND_REGIONS;do
trail=$(echo $reg_trail | cut -d',' -f2)
TRAIL_REGION=$(echo $reg_trail | cut -d',' -f1)
LATESTDELIVERY_TIMESTAMP=$($AWSCLI cloudtrail get-trail-status --name $trail --profile $PROFILE --region $TRAIL_REGION --query 'LatestCloudWatchLogsDeliveryTime' --output text|grep -v None)
if [[ ! $LATESTDELIVERY_TIMESTAMP ]];then
text_warn "$trail trail is not logging in the last 24h or not configured (it is in $TRAIL_REGION)"
else
LATESTDELIVERY_DATE=$(timestamp_to_date $LATESTDELIVERY_TIMESTAMP)
HOWOLDER=$(how_older_from_today $LATESTDELIVERY_DATE)
if [ $HOWOLDER -gt "1" ];then
text_warn "$trail trail is not logging in the last 24h or not configured (it is in $TRAIL_REGION)"
else
text_ok "$trail trail has been logging during the last 24h (it is in $TRAIL_REGION)"
fi
fi
done
else
text_warn "No CloudTrail trails found!"
fi
}
check25(){
ID25="2.5"
TITLE25="Ensure AWS Config is enabled in all regions (Scored)"
text_title "$ID25" "$TITLE25"
for regx in $REGIONS; do
CHECK_AWSCONFIG_STATUS=$($AWSCLI configservice get-status --profile $PROFILE --region $regx | grep "recorder: ON")
if [[ $CHECK_AWSCONFIG_STATUS ]];then
text_ok "Region $regx has AWS Config recorder: ON "
else
text_warn "Region $regx has AWS Config disabled or not configured"
fi
done
}
check26(){
ID26="2.6"
TITLE26="Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)"
text_title "$ID26" "$TITLE26"
CLOUDTRAILBUCKET=$($AWSCLI cloudtrail describe-trails --query 'trailList[*].S3BucketName' --output text --profile $PROFILE --region $REGION)
if [[ $CLOUDTRAILBUCKET ]];then
for bucket in $CLOUDTRAILBUCKET;do
CLOUDTRAILBUCKET_LOGENABLED=$($AWSCLI s3api get-bucket-logging --bucket $bucket --profile $PROFILE --region $REGION --query 'LoggingEnabled.TargetBucket' --output text|grep -v None)
if [[ $CLOUDTRAILBUCKET_LOGENABLED ]];then
text_ok "Bucket access logging enabled in $bucket"
else
text_warn "access logging is not enabled in $bucket CloudTrail S3 bucket!"
fi
done
else
text_warn "CloudTrail bucket not found!"
fi
}
check27(){
ID27="2.7"
TITLE27="Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)"
text_title "$ID27" "$TITLE27"
CLOUDTRAILNAME=$($AWSCLI cloudtrail describe-trails --query 'trailList[*].Name' --output text --profile $PROFILE --region $REGION)
if [[ $CLOUDTRAILNAME ]];then
for trail in $CLOUDTRAILNAME;do
CLOUDTRAILENC_ENABLED=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --trail $trail --query 'trailList[*].KmsKeyId' --output text)
if [[ $CLOUDTRAILENC_ENABLED ]];then
text_ok "KMS key found for $trail"
else
text_warn "encryption is not enabled in your CloudTrail trail $trail, KMS key not found!"
fi
done
else
text_warn "CloudTrail bucket doesn't exist!"
fi
}
check28(){
ID28="2.8"
TITLE28="Ensure rotation for customer created CMKs is enabled (Scored)"
text_title "$ID28" "$TITLE28"
for regx in $REGIONS; do
CHECK_KMS_KEYLIST=$($AWSCLI kms list-keys --profile $PROFILE --region $regx --output text --query 'Keys[*].KeyId')
if [[ $CHECK_KMS_KEYLIST ]];then
CHECK_KMS_KEYLIST_NO_DEFAULT=$(for key in $CHECK_KMS_KEYLIST ; do $AWSCLI kms describe-key --key-id $key --profile $PROFILE --region $regx --output text|grep -v 'Default master key that protects my ACM private keys when no other key is defined'|awk '{ print $3 }'|awk -F'/' '{ print $2 }'; done)
for key in $CHECK_KMS_KEYLIST_NO_DEFAULT; do
CHECK_KMS_KEY_TYPE=$($AWSCLI kms describe-key --key-id $key --profile $PROFILE --region $regx --query 'KeyMetadata.Origin' | sed 's/["]//g')
if [[ $CHECK_KMS_KEY_TYPE == "EXTERNAL" ]];then
text_ok "Key $key in Region $regx Customer Uploaded Key Material."
else
CHECK_KMS_KEY_ROTATION=$($AWSCLI kms get-key-rotation-status --key-id $key --profile $PROFILE --region $regx --output text)
#CHECK_KMS_DEFAULT_KEY=$($AWSCLI kms describe-key --key-id $key --profile $PROFILE --region $regx --query 'KeyMetadata.Description' | sed -n '/Default master key that protects my ACM private keys when no other key is defined /p'|| echo "False")
if [[ $CHECK_KMS_KEY_ROTATION == "True" ]];then
text_ok "Key $key in Region $regx is set correctly"
elif [[ $CHECK_KMS_KEY_ROTATION == "False" && $CHECK_KMS_DEFAULT_KEY ]];then
text_notice "Region $regx key $key is an AWS default master key and cannot be deleted nor modified."
else
text_warn "Key $key in Region $regx is not set to rotate!!!"
fi
fi
done
else
text_notice "Region $regx doesn't have encryption keys "
fi
done
}
check31(){
ID31="3.1"
TITLE31="Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)"
text_title "$ID31" "$TITLE31"
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | awk -F: '{ print $7 }')
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep AccessDenied)
if [[ $METRICFILTER_SET ]];then
text_ok "CloudWatch group found, and metric filters for Access Denied enabled"
else
text_warn "CloudWatch group found, but no metric filters or alarms associated"
fi
else
text_warn "No CloudWatch group found, no metric filters or alarms associated"
fi
}
check32(){
ID32="3.2"
TITLE32="Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)"
text_title "$ID32" "$TITLE32"
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | awk -F: '{ print $7 }')
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'userIdentity.sessionContext.attributes.mfaAuthenticated.*true')
if [[ $METRICFILTER_SET ]];then
text_ok "CloudWatch group found, and metric filters for sign-in Console without MFA enabled"
else
text_warn "CloudWatch group found, but no metric filters or alarms associated"
fi
else
text_warn "No CloudWatch group found, no metric filters or alarms associated"
fi
}
check33(){
ID33="3.3"
TITLE33="Ensure a log metric filter and alarm exist for usage of root account (Scored)"
text_title "$ID33" "$TITLE33"
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | awk -F: '{ print $7 }')
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION |grep -E 'userIdentity.*Root.*AwsServiceEvent')
if [[ $METRICFILTER_SET ]];then
text_ok "CloudWatch group found, and metric filters for usage of root account enabled"
else
text_warn "CloudWatch group found, but no metric filters or alarms associated"
fi
else
text_warn "No CloudWatch group found, no metric filters or alarms associated"
fi
}
check34(){
ID34="3.4"
TITLE34="Ensure a log metric filter and alarm exist for IAM policy changes (Scored)"
text_title "$ID34" "$TITLE34"
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | awk -F: '{ print $7 }')
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'DeleteGroupPolicy.*DeleteRolePolicy.*DeleteUserPolicy.*PutGroupPolicy.*PutRolePolicy.*PutUserPolicy.*CreatePolicy.*DeletePolicy.*CreatePolicyVersion.*DeletePolicyVersion.*AttachRolePolicy.*DetachRolePolicy.*AttachUserPolicy.*DetachUserPolicy.*AttachGroupPolicy.*DetachGroupPolicy')
if [[ $METRICFILTER_SET ]];then
text_ok "CloudWatch group found, and metric filters for IAM policy changes enabled"
else
text_warn "CloudWatch group found, but no metric filters or alarms associated"
fi
else
text_warn "No CloudWatch group found, no metric filters or alarms associated"
fi
}
check35(){
ID35="3.5"
TITLE35="Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)"
text_title "$ID35" "$TITLE35"
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | awk -F: '{ print $7 }')
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'CreateTrail.*UpdateTrail.*DeleteTrail.*StartLogging.*StopLogging')
if [[ $METRICFILTER_SET ]];then
text_ok "CloudWatch group found, and metric filters for CloudTrail configuration changes enabled"
else
text_warn "CloudWatch group found, but no metric filters or alarms associated"
fi
else
text_warn "No CloudWatch group found, no metric filters or alarms associated"
fi
}
check36(){
ID36="3.6"
TITLE36="Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)"
text_title "$ID36" "$TITLE36"
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | awk -F: '{ print $7 }')
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'ConsoleLogin.*Failed')
if [[ $METRICFILTER_SET ]];then
text_ok "CloudWatch group found, and metric filters for usage of root account enabled"
else
text_warn "CloudWatch group found, but no metric filters or alarms associated"
fi
else
text_warn "No CloudWatch group found, no metric filters or alarms associated"
fi
}
check37(){
ID37="3.7"
TITLE37="Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)"
text_title "$ID37" "$TITLE37"
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | awk -F: '{ print $7 }')
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'kms.amazonaws.com.*DisableKey.*ScheduleKeyDeletion')
if [[ $METRICFILTER_SET ]];then
text_ok "CloudWatch group found, and metric filters enabled"
else
text_warn "CloudWatch group found, but no metric filters or alarms associated"
fi
else
text_warn "No CloudWatch group found, no metric filters or alarms associated"
fi
}
check38(){
ID38="3.8"
TITLE38="Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)"
text_title "$ID38" "$TITLE38"
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | awk -F: '{ print $7 }')
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 's3.amazonaws.com.*PutBucketAcl.*PutBucketPolicy.*PutBucketCors.*PutBucketLifecycle.*PutBucketReplication.*DeleteBucketPolicy.*DeleteBucketCors.*DeleteBucketLifecycle.*DeleteBucketReplication')
if [[ $METRICFILTER_SET ]];then
text_ok "CloudWatch group found, and metric filters enabled"
else
text_warn "CloudWatch group found, but no metric filters or alarms associated"
fi
else
text_warn "No CloudWatch group found, no metric filters or alarms associated"
fi
}
check39(){
ID39="3.9"
TITLE39="Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)"
text_title "$ID39" "$TITLE39"
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | awk -F: '{ print $7 }')
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'config.amazonaws.com.*StopConfigurationRecorder.*DeleteDeliveryChannel.*PutDeliveryChannel.*PutConfigurationRecorder')
if [[ $METRICFILTER_SET ]];then
text_ok "CloudWatch group found, and metric filters enabled"
else
text_warn "CloudWatch group found, but no metric filters or alarms associated"
fi
else
text_warn "No CloudWatch group found, no metric filters or alarms associated"
fi
}
check310(){
ID310="3.10"
TITLE310="Ensure a log metric filter and alarm exist for security group changes (Scored)"
text_title "$ID310" "$TITLE310"
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | awk -F: '{ print $7 }')
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'AuthorizeSecurityGroupIngress.*AuthorizeSecurityGroupEgress.*RevokeSecurityGroupIngress.*RevokeSecurityGroupEgress.*CreateSecurityGroup.*DeleteSecurityGroup')
if [[ $METRICFILTER_SET ]];then
text_ok "CloudWatch group found, and metric filters enabled"
else
text_warn "CloudWatch group found, but no metric filters or alarms associated"
fi
else
text_warn "No CloudWatch group found, no metric filters or alarms associated"
fi
}
check311(){
ID311="3.11"
TITLE311="Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored)"
text_title "$ID311" "$TITLE311"
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | awk -F: '{ print $7 }')
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'CreateNetworkAcl.*CreateNetworkAclEntry.*DeleteNetworkAcl.*DeleteNetworkAclEntry.*ReplaceNetworkAclEntry.*ReplaceNetworkAclAssociation')
if [[ $METRICFILTER_SET ]];then
text_ok "CloudWatch group found, and metric filters enabled"
else
text_warn "CloudWatch group found, but no metric filters or alarms associated"
fi
else
text_warn "No CloudWatch group found, no metric filters or alarms associated"
fi
}
check312(){
ID312="3.12"
TITLE312="Ensure a log metric filter and alarm exist for changes to network gateways (Scored)"
text_title "$ID312" "$TITLE312"
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | awk -F: '{ print $7 }')
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'CreateCustomerGateway.*DeleteCustomerGateway.*AttachInternetGateway.*CreateInternetGateway.*DeleteInternetGateway.*DetachInternetGateway')
if [[ $METRICFILTER_SET ]];then
text_ok "CloudWatch group found, and metric filters enabled"
else
text_warn "CloudWatch group found, but no metric filters or alarms associated"
fi
else
text_warn "No CloudWatch group found, no metric filters or alarms associated"
fi
}
check313(){
ID313="3.13"
TITLE313="Ensure a log metric filter and alarm exist for route table changes (Scored)"
text_title "$ID313" "$TITLE313"
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | awk -F: '{ print $7 }')
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'CreateRoute.*CreateRouteTable.*ReplaceRoute.*ReplaceRouteTableAssociation.*DeleteRouteTable.*DeleteRoute.*DisassociateRouteTable')
if [[ $METRICFILTER_SET ]];then
text_ok "CloudWatch group found, and metric filters enabled"
else
text_warn "CloudWatch group found, but no metric filters or alarms associated"
fi
else
text_warn "No CloudWatch group found, no metric filters or alarms associated"
fi
}
check314(){
ID314="3.14"
TITLE314="Ensure a log metric filter and alarm exist for VPC changes (Scored)"
text_title "$ID314" "$TITLE314"
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | awk -F: '{ print $7 }')
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'CreateVpc.*DeleteVpc.*ModifyVpcAttribute.*AcceptVpcPeeringConnection.*CreateVpcPeeringConnection.*DeleteVpcPeeringConnection.*RejectVpcPeeringConnection.*AttachClassicLinkVpc.*DetachClassicLinkVpc.*DisableVpcClassicLink.*EnableVpcClassicLink')
if [[ $METRICFILTER_SET ]];then
text_ok "CloudWatch group found, and metric filters enabled"
else
text_warn "CloudWatch group found, but no metric filters or alarms associated"
fi
else
text_warn "No CloudWatch group found, no metric filters or alarms associated"
fi
}
check315(){
ID315="3.15"
TITLE315="Ensure appropriate subscribers to each SNS topic (Not Scored)"
text_title "$ID315" "$TITLE315"
for regx in $REGIONS; do
TOPICS_LIST=$($AWSCLI sns list-topics --profile $PROFILE --region $regx --output text --query 'Topics[*].TopicArn')
if [[ $TOPICS_LIST ]];then
for topic in $TOPICS_LIST; do
CHECK_TOPIC_LIST=$($AWSCLI sns list-subscriptions-by-topic --topic-arn $topic --profile $PROFILE --region $regx --query 'Subscriptions[*].{Endpoint:Endpoint,Protocol:Protocol}' --output text --max-items $MAXITEMS | grep -v "None")
if [[ $CHECK_TOPIC_LIST ]]; then
TOPIC_SHORT=$(echo $topic | awk -F: '{ print $7 }')
text_notice "Region $regx with Topic $TOPIC_SHORT: "
text_notice "- Suscription: $CHECK_TOPIC_LIST "
else
text_warn "No suscription found in: Region $regx and Topic $topic "
text_warn " - Region $regx and Topic $topic "
fi
done
else
text_notice "Region $regx doesn't have topics "
fi
done
}
check41(){
ID41="4.1"
TITLE41="Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)"
text_title "$ID41" "$TITLE41"
for regx in $REGIONS; do
SG_LIST=$($AWSCLI ec2 describe-security-groups --filters "Name=ip-permission.to-port,Values=22" --query 'SecurityGroups[?length(IpPermissions[?ToPort==`22` && contains(IpRanges[].CidrIp, `0.0.0.0/0`)]) > `0`].{GroupName: GroupName}' --profile $PROFILE --region $regx --output text)
if [[ $SG_LIST ]];then
for SG in $SG_LIST;do
text_warn "Found Security Group: $SG open to 0.0.0.0/0 in Region $regx "
done
else
text_ok "No Security Groups found in $regx with port 22 TCP open to 0.0.0.0/0 "
fi
done
}
check42(){
ID42="4.2"
TITLE42="Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)"
text_title "$ID42" "$TITLE42"
for regx in $REGIONS; do
SG_LIST=$($AWSCLI ec2 describe-security-groups --filters "Name=ip-permission.to-port,Values=3389" --query 'SecurityGroups[?length(IpPermissions[?ToPort==`3389` && contains(IpRanges[].CidrIp, `0.0.0.0/0`)]) > `0`].{GroupName: GroupName}' --profile $PROFILE --region $regx --output text)
if [[ $SG_LIST ]];then
for SG in $SG_LIST;do
text_warn "Found Security Group: $SG open to 0.0.0.0/0 in Region $regx "
done
else
text_ok "No Security Groups found in $regx with port 3389 TCP open to 0.0.0.0/0 "
fi
done
}
check43(){
ID43="4.3"
TITLE43="Ensure VPC Flow Logging is Enabled in all VPCs (Scored)"
text_title "$ID43" "$TITLE43"
for regx in $REGIONS; do
CHECK_FL=$($AWSCLI ec2 describe-flow-logs --profile $PROFILE --region $regx --query 'FlowLogs[?FlowLogStatus==`ACTIVE`].LogGroupName' --output text)
if [[ $CHECK_FL ]];then
for FL in $CHECK_FL;do
text_ok "VPCFlowLog is enabled for LogGroupName: $FL in Region $regx "
done
else
text_warn "No VPCFlowLog has been found in Region $regx "
fi
done
}
check44(){
ID44="4.4"
TITLE44="Ensure the default security group of every VPC restricts all traffic (Scored)"
text_title "$ID44" "$TITLE44"
for regx in $REGIONS; do
CHECK_SGDEFAULT=$($AWSCLI ec2 describe-security-groups --profile $PROFILE --region $regx --filters Name=group-name,Values='default' --query 'SecurityGroups[*].{IpPermissions:IpPermissions,IpPermissionsEgress:IpPermissionsEgress,GroupId:GroupId}' --output text |grep 0.0.0.0)
if [[ $CHECK_SGDEFAULT ]];then
text_warn "Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region $regx"
else
text_ok "No Default Security Groups open to 0.0.0.0 found in Region $regx "
fi
done
}
check45(){
#set -xe
ID45="4.5"
TITLE45="Ensure routing tables for VPC peering are \"least access\" (Not Scored)"
text_title "$ID45" "$TITLE45"
text_notice "Looking for VPC peering in all regions... "
for regx in $REGIONS; do
LIST_OF_VPCS_PEERING_CONNECTIONS=$($AWSCLI ec2 describe-vpc-peering-connections --output text --profile $PROFILE --region $regx --query 'VpcPeeringConnections[*].VpcPeeringConnectionId')
if [[ $LIST_OF_VPCS_PEERING_CONNECTIONS ]];then
text_notice "$regx: $LIST_OF_VPCS_PEERING_CONNECTIONS, review its routing tables "
#LIST_OF_VPCS=$($AWSCLI ec2 describe-vpcs --profile $PROFILE --region $regx --query 'Vpcs[*].VpcId' --output text)
#aws ec2 describe-route-tables --filter "Name=vpc-id,Values=vpc-0213e864" --query "RouteTables[*].{RouteTableId:RouteTableId, VpcId:VpcId, Routes:Routes, AssociatedSubnets:Associations[*].SubnetId}" --profile $PROFILE --region $regx
# for vpc in $LIST_OF_VPCS; do
# VPCS_WITH_PEERING=$($AWSCLI ec2 describe-route-tables --filter "Name=vpc-id,Values=$vpc" --profile $PROFILE --region $regx --query "RouteTables[*].{RouteTableId:RouteTableId, VpcId:VpcId, Routes:Routes, AssociatedSubnets:Associations[*].SubnetId}" |grep GatewayId|grep pcx-)
# done
#echo $VPCS_WITH_PEERING
else
text_ok "$regx: No VPC peering found "
fi
done
}
callCheck(){
if [[ $CHECKNUMBER ]];then
case "$CHECKNUMBER" in
check11 ) check11;;
check12 ) check12;;
check13 ) check13;;
check14 ) check14;;
check15 ) check15;;
check16 ) check16;;
check17 ) check17;;
check18 ) check18;;
check19 ) check19;;
check110 ) check110;;
check111 ) check111;;
check112 ) check112;;
check113 ) check113;;
check114 ) check114;;
check115 ) check115;;
check116 ) check116;;
check117 ) check117;;
check118 ) check118;;
check119 ) check119;;
check120 ) check120;;
check121 ) check121;;
check122 ) check122;;
check123 ) check123;;
check124 ) check124;;
check21 ) check21;;
check22 ) check22;;
check23 ) check23;;
check24 ) check24;;
check25 ) check25;;
check26 ) check26;;
check27 ) check27;;
check28 ) check28;;
check31 ) check31;;
check32 ) check32;;
check33 ) check33;;
check34 ) check34;;
check35 ) check35;;
check36 ) check36;;
check37 ) check37;;
check38 ) check38;;
check39 ) check39;;
check310 ) check310;;
check311 ) check311;;
check312 ) check312;;
check313 ) check313;;
check314 ) check314;;
check315 ) check315;;
check41 ) check41;;
check42 ) check42;;
check43 ) check43;;
check44 ) check44;;
check45 ) check45;;
check1 )
check11;check12;check13;check14;check15;check16;check17;check18;
check19;check110;check111;check112;check113;check114;check115;
check116;check117;check118;check119;check120;check121;check122;
check123;check124;
;;
check2 )
check21;check22;check23;check24;check25;check26;check27;check28
;;
check3 )
check31;check32;check33;check34;check35;check36;check37;check38;
check39;check310;check311;check312;check313;check314;check315
;;
check4 )
check41;check42;check43;check44;check45
;;
* )
text_warn "ERROR! Use a valid check name (i.e. check41)\n";
esac
cleanTemp
exit
fi
}
### All functions defined above ... run the workflow
prowlerBanner
printCurrentDate
getWhoami
printColorsCode
genCredReport
saveReport
callCheck
TITLE1="$BLUE 1 Identity and Access Management *********************************$NORMAL"
echo -e "\n\n$TITLE1"
check11
check12
check13
check14
check15
check16
check17
check18
check19
check110
check111
check112
check113
check114
check115
check116
check117
check118
check119
check120
check121
check122
check123
check124
TITLE2="$BLUE 2 Logging ********************************************************$NORMAL"
echo -e "\n\n$TITLE2"
check21
check22
check23
check24
check25
check26
check27
check28
TITLE3="$BLUE 3 Monitoring *****************************************************"
echo -e "\n\n$TITLE3"
# 3 Monitoring check commands / Mostly covered by SecurityMonkey
check31
check32
check33
check34
check35
check36
check37
check38
check39
check310
check311
check312
check313
check314
check315
TITLE4="$BLUE 4 Networking **************************************************$NORMAL"
echo -e "\n\n$TITLE4"
check41
check42
check43
check44
check45
infoReferenceLong
cleanTemp
# Prowler is a tool that provides automate auditing and hardening guidance of an AWS account.
# It is based on AWS-CLI commands. It follows guidelines present in the CIS Amazon
# Web Services Foundations Benchmark at:
# https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
# This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0
# International Public License. The link to the license terms can be found at
# https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode
#
# Author: Toni de la Fuente - @ToniBlyx / Alfresco Software Inc.
# Prowler - Iron Maiden
#
# Walking through the city, looking oh so pretty
# I've just got to find my way
# See the ladies flashing
# All there legs and lashes
# I've just got to find my way...
# Exit if a pipeline results in an error.
# set -ue
# set -o pipefail
# set -vx
# Exits if any error is found
# set -e
OPTRED=""
OPTNORMAL=""
# Set the defaults for these getopts variables
PROFILE="default"
REGION="us-east-1"
FILTERREGION=""
MAXITEMS=100
MONOCHROME=0
MODE="text"
# Command usage menu
usage(){
echo "
USAGE:
`basename $0` -p <profile> -r <region> [ -h ]
Options:
-p <profile> specify your AWS profile to use (i.e.: default)
-r <region> specify an AWS region to direct API requests to (i.e.: us-east-1)
-c <checknum> specify a check number or group from the AWS CIS benchmark (i.e.: check11 for check 1.1 or check3 for entire section 3)
-f <filterregion> specify an AWS region to run checks against (i.e.: us-west-1)
-m <maxitems> specify the maximum number of items to return for long-running requests (default: 100)
-b do not use colors in the output
-M <mode> output mode: text (defalut), mono, csv
-h this help
"
exit
}
while getopts ":hbp:r:c:f:m:M:" OPTION; do
case $OPTION in
h )
usage
exit 1
;;
b )
MONOCHROME=1
;;
p )
PROFILE=$OPTARG
;;
r )
REGION=$OPTARG
;;
c )
CHECKNUMBER=$OPTARG
;;
f )
FILTERREGION=$OPTARG
;;
m )
MAXITEMS=$OPTARG
;;
M )
MODE=$OPTARG
;;
: )
echo ""
echo "$OPTRED ERROR!$OPTNORMAL -$OPTARG requires an argument"
usage
exit 1
;;
? )
echo ""
echo "$OPTRED ERROR!$OPTNORMAL Invalid option"
usage
exit 1
;;
esac
done
if [[ $MODE != "mono" && $MODE != "text" && $MODE != "csv" ]]; then
echo ""
echo "$OPTRED ERROR!$OPTNORMAL Invalid output mode. Choose text, mono, or csv."
usage
exit 1
fi
if [[ $MODE == "mono" ]]; then
MONOCHROME=1
fi
if [[ $MONOCHROME -eq 1 ]]; then
# Colors
NORMAL=''
WARNING='' # Bad (red)
SECTION='' # Section (yellow)
NOTICE='' # Notice (yellow)
OK='' # Ok (green)
BAD='' # Bad (red)
CYAN=''
BLUE=''
BROWN=''
DARKGRAY=''
GRAY=''
GREEN=''
MAGENTA=''
PURPLE=''
RED=''
YELLOW=''
WHITE=''
else
# Colors
# NOTE: Your editor may NOT show the 0x1b / escape character left of the '['
NORMAL=""
WARNING="" # Bad (red)
SECTION="" # Section (yellow)
NOTICE="" # Notice (yellow)
OK="" # Ok (green)
BAD="" # Bad (red)
CYAN=""
BLUE=""
BROWN=""
DARKGRAY=""
GRAY=""
GREEN=""
MAGENTA=""
PURPLE=""
RED=""
YELLOW=""
WHITE=""
fi
# Functions to manage dates depending on OS
if [[ "$OSTYPE" == "linux-gnu" ]]; then
# function to compare in days, usage how_older_from_today date
# date format %Y-%m-%d
how_older_from_today()
{
DATE_TO_COMPARE=$1
TODAY_IN_DAYS=$(date -d "$(date +%Y-%m-%d)" +%s)
DATE_FROM_IN_DAYS=$(date -d $DATE_TO_COMPARE +%s)
DAYS_SINCE=$((($TODAY_IN_DAYS - $DATE_FROM_IN_DAYS )/60/60/24))
echo $DAYS_SINCE
}
# function to convert from timestamp to date, usage timestamp_to_date timestamp
# output date format %Y-%m-%d
timestamp_to_date()
{
# remove fractions of a second
TIMESTAMP_TO_CONVERT=$(echo $1 | cut -f1 -d".")
OUTPUT_DATE=$(date -d @$TIMESTAMP_TO_CONVERT +'%Y-%m-%d')
echo $OUTPUT_DATE
}
decode_report()
{
base64 -d
}
elif [[ "$OSTYPE" == "darwin"* ]]; then
# BSD/OSX coommands compatibility
how_older_from_today()
{
DATE_TO_COMPARE=$1
TODAY_IN_DAYS=$(date +%s)
DATE_FROM_IN_DAYS=$(date -jf %Y-%m-%d $DATE_TO_COMPARE +%s)
DAYS_SINCE=$((($TODAY_IN_DAYS - $DATE_FROM_IN_DAYS )/60/60/24))
echo $DAYS_SINCE
}
timestamp_to_date()
{
# remove fractions of a second
TIMESTAMP_TO_CONVERT=$(echo $1 | cut -f1 -d".")
OUTPUT_DATE=$(date -r $TIMESTAMP_TO_CONVERT +'%Y-%m-%d')
echo $OUTPUT_DATE
}
decode_report()
{
base64 -D
}
elif [[ "$OSTYPE" == "cygwin" ]]; then
# POSIX compatibility layer and Linux environment emulation for Windows
how_older_from_today()
{
DATE_TO_COMPARE=$1
TODAY_IN_DAYS=$(date -d "$(date +%Y-%m-%d)" +%s)
DATE_FROM_IN_DAYS=$(date -d $DATE_TO_COMPARE +%s)
DAYS_SINCE=$((($TODAY_IN_DAYS - $DATE_FROM_IN_DAYS )/60/60/24))
echo $DAYS_SINCE
}
timestamp_to_date()
{
# remove fractions of a second
TIMESTAMP_TO_CONVERT=$(echo $1 | cut -f1 -d".")
OUTPUT_DATE=$(date -d @$TIMESTAMP_TO_CONVERT +'%Y-%m-%d')
echo $OUTPUT_DATE
}
decode_report()
{
base64 -d
}
else
echo "Unknown Operating System"
exit
fi
if [[ ! -f ~/.aws/credentials ]]; then
echo -e "\n$RED ERROR!$NORMAL AWS credentials file not found (~/.aws/credentials). Run 'aws configure' first. \n"
return 1
fi
# AWS-CLI variables
AWSCLI=$(which aws)
if [ -z "${AWSCLI}" ]; then
echo -e "\n$RED ERROR!$NORMAL AWS-CLI (aws command) not found. Make sure it is installed correctly and in your \$PATH\n"
exit
fi
# if this script runs in an AWS instance
# INSTANCE_PROFILE=$(curl http://169.254.169.254/latest/meta-data/iam/security-credentials/)
# AWS_ACCESS_KEY_ID=$(curl http://169.254.169.254/latest/meta-data/iam/security-credentials/${INSTANCE_PROFILE} | grep AccessKeyId | cut -d':' -f2 | sed 's/[^0-9A-Z]*//g')
# AWS_SECRET_ACCESS_KEY_ID=$(curl http://169.254.169.254/latest/meta-data/iam/security-credentials/${INSTANCE_PROFILE} | grep SecretAccessKey | cut -d':' -f2 | sed 's/[^0-9A-Za-z/+=]*//g')
# AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
# AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY_ID}
TITLE_ID=""
## Output formatting functions
text_ok(){
echo " $TITLE_ID $OK OK! $NORMAL $@"
}
text_notice(){
echo " $TITLE_ID $NOTICE INFO! $@ $NORMAL"
}
text_warn(){
echo " $TITLE_ID $BAD WARNING! $@ $NORMAL"
}
text_title(){
TITLE_ID=$1
echo -e "\n$BLUE $TITLE_ID $NORMAL ${@:2}"
}
prowlerBanner() {
echo -e "$CYAN _"
echo -e " _ __ _ __ _____ _| | ___ _ __"
echo -e " | '_ \| '__/ _ \ \ /\ / / |/ _ \ '__|"
echo -e " | |_) | | | (_) \ V V /| | __/ |"
echo -e " | .__/|_| \___/ \_/\_/ |_|\___|_|"
echo -e " |_|$NORMAL$BLUE CIS based AWS Account Hardening Tool$NORMAL\n"
}
# Get whoami in AWS, who is the user running this shell script
getWhoami(){
echo ""
echo "This report is being generated using credentials below:"
echo ""
echo -e "AWS-CLI Profile: $NOTICE[$PROFILE]$NORMAL AWS API Region: $NOTICE[$REGION]$NORMAL AWS Filter Region: $NOTICE[${FILTERREGION:-all}]$NORMAL\n"
if [[ $MONOCHROME -eq 1 ]]; then
$AWSCLI sts get-caller-identity --output json --profile $PROFILE --region $REGION | grep ':'
else
echo "Caller Identity:"
$AWSCLI sts get-caller-identity --output table --profile $PROFILE --region $REGION
echo ""
fi
}
printCurrentDate(){
text_notice "Date: $(date)"
}
printColorsCode(){
if [[ $MONOCHROME -eq 0 ]]; then
echo -e "\nColors Code for results: $NOTICE INFORMATIVE$NORMAL,$OK OK (RECOMMENDED VALUE)$NORMAL, $BAD WARNING (FIX REQUIRED)$NORMAL \n"
fi
}
# Generate Credential Report
genCredReport() {
echo -en '\nGenerating AWS IAM Credential Report...'
until $AWSCLI iam generate-credential-report --output text --query 'State' --profile $PROFILE --region $REGION |grep -m 1 "COMPLETE"; do
sleep 1
echo -n "."
done
}
# Save report to a file, decode it, deletion at finish and after every single check, acb stands for AWS CIS Benchmark
saveReport(){
TEMP_REPORT_FILE=/tmp/.acb
$AWSCLI iam get-credential-report --query 'Content' --output text --profile $PROFILE --region $REGION | decode_report > $TEMP_REPORT_FILE
}
# Delete temporary report file
cleanTemp(){
rm -fr $TEMP_REPORT_FILE
}
# Get a list of all available AWS Regions
REGIONS=$($AWSCLI ec2 describe-regions --query 'Regions[].RegionName' \
--output text \
--profile $PROFILE \
--region $REGION \
--region-names $FILTERREGION)
infoReferenceLong(){
# Report review note:
text_notice "For more information:"
text_notice "https://benchmarks.cisecurity.org/tools2/amazon/CIS_Amazon_Web_Services_Foundations_Benchmark_v1.1.0.pdf"
text_notice "For bugs or feedback:"
text_notice "https://github.com/Alfresco/aws-cis-security-benchmark/issues"
}
infoReferenceShort(){
# Report review note:
text_notice "http://bit.ly/2g3PEf7"
}
check11(){
ID11="1.1"
TITLE11="Avoid the use of the root account (Scored)."
COMMAND11=$(cat $TEMP_REPORT_FILE| grep '<root_account>' | cut -d, -f5,11,16 | sed 's/,/,\ /g')
text_title "$ID11" "$TITLE11"
text_notice "Root account last accessed (password, key_1, key_2): $COMMAND11"
}
check12(){
ID12="1.2"
TITLE12="Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)"
# List users with password enabled
COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED=$(cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$4 }' |grep true | awk '{ print $1 }')
COMMAND12=$(
for i in $COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED; do
cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$8 }' |grep -w $i| grep false | awk '{ print $1 }'
done)
text_title "$ID12" "$TITLE12"
if [[ $COMMAND12 ]]; then
for u in $COMMAND12; do
text_warn "User $u has Password enabled but MFA disabled"
done
else
text_ok "No users found with Password enabled and MFA disabled"
fi
}
check13(){
ID13="1.3"
TITLE13="Ensure credentials unused for 90 days or greater are disabled (Scored)"
text_title "$ID13" "$TITLE13"
COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED=$(cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$4 }' |grep true | awk '{ print $1 }')
if [[ $COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED ]]; then
COMMAND13=$(
for i in $COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED; do
cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$5 }' |grep $i| awk '{ print $1 }'|tr '\n' ' ';
done)
# list of users that have used password
USERS_PASSWORD_USED=$($AWSCLI iam list-users --query "Users[?PasswordLastUsed].UserName" --output text --profile $PROFILE --region $REGION)
if [[ $USERS_PASSWORD_USED ]]; then
# look for users with a password last used more or equal to 90 days
for i in $USERS_PASSWORD_USED; do
DATEUSED=$($AWSCLI iam list-users --query "Users[?UserName=='$i'].PasswordLastUsed" --output text --profile $PROFILE --region $REGION | cut -d'T' -f1)
HOWOLDER=$(how_older_from_today $DATEUSED)
if [ $HOWOLDER -gt "90" ];then
text_warn "User \"$i\" has not logged in during the last 90 days "
else
text_ok "User \"$i\" found with credentials used in the last 90 days"
fi
done
fi
else
text_ok "No users found with password enabled"
fi
}
check14(){
ID14="1.4"
TITLE14="Ensure access keys are rotated every 90 days or less (Scored)" # also checked by Security Monkey
LIST_OF_USERS_WITH_ACCESS_KEY1=$(cat $TEMP_REPORT_FILE| awk -F, '{ print $1, $9 }' |grep "\ true" | awk '{ print $1 }')
LIST_OF_USERS_WITH_ACCESS_KEY2=$(cat $TEMP_REPORT_FILE| awk -F, '{ print $1, $14 }' |grep "\ true" | awk '{ print $1 }')
text_title "$ID14" "$TITLE14"
C14_NUM_USERS1=0
C14_NUM_USERS2=0
# $(expr $C116_NUM_USERS + 1)
if [[ $LIST_OF_USERS_WITH_ACCESS_KEY1 ]]; then
# text_warn "Users with access key 1 older than 90 days:"
for user in $LIST_OF_USERS_WITH_ACCESS_KEY1; do
# check access key 1
DATEROTATED1=$(cat $TEMP_REPORT_FILE | grep $user| awk -F, '{ print $10 }' | grep -v "N/A" | awk -F"T" '{ print $1 }')
HOWOLDER=$(how_older_from_today $DATEROTATED1)
if [ $HOWOLDER -gt "90" ];then
text_warn " $user has not rotated access key1 in over 90 days "
C14_NUM_USERS1 = $(expr $C14_NUM_USERS1 + 1)
fi
done
if [[ $C14_NUM_USERS1 -eq 0 ]]; then
text_ok "No users with access key 1 older than 90 days."
fi
else
text_ok "No users with access key 1."
fi
if [[ $LIST_OF_USERS_WITH_ACCESS_KEY2 ]]; then
# text_warn "Users with access key 2 older than 90 days:"
for user in $LIST_OF_USERS_WITH_ACCESS_KEY2; do
# check access key 2
DATEROTATED2=$(cat $TEMP_REPORT_FILE | grep $user| awk -F, '{ print $10 }' | grep -v "N/A" | awk -F"T" '{ print $1 }')
HOWOLDER=$(how_older_from_today $DATEROTATED2)
if [ $HOWOLDER -gt "90" ];then
text_warn " $user has not rotated access key2. "
C14_NUM_USERS2 = $(expr $C14_NUM_USERS2 + 1)
fi
done
if [[ $C14_NUM_USERS2 -eq 0 ]]; then
text_ok "No users with access key 2 older than 90 days."
fi
else
text_ok "No users with access key 2."
fi
}
check15(){
ID15="1.5"
TITLE15="Ensure IAM password policy requires at least one uppercase letter (Scored)"
COMMAND15=$($AWSCLI iam get-account-password-policy --profile $PROFILE --region $REGION --query 'PasswordPolicy.RequireUppercaseCharacters') # must be true
text_title "$ID15" "$TITLE15"
if [[ $COMMAND15 == "true" ]];then
text_ok "Password Policy requires upper case"
else
text_warn "Password Policy missing upper-case requirement"
fi
}
check16(){
ID16="1.6"
TITLE16="Ensure IAM password policy require at least one lowercase letter (Scored)"
COMMAND16=$($AWSCLI iam get-account-password-policy --profile $PROFILE --region $REGION --query 'PasswordPolicy.RequireLowercaseCharacters') # must be true
text_title "$ID16" "$TITLE16"
if [[ $COMMAND16 == "true" ]];then
text_ok "Password Policy requires lower case"
else
text_warn "Password Policy missing lower-case requirement"
fi
}
check17(){
ID17="1.7"
TITLE17="Ensure IAM password policy require at least one symbol (Scored)"
COMMAND17=$($AWSCLI iam get-account-password-policy --profile $PROFILE --region $REGION --query 'PasswordPolicy.RequireSymbols') # must be true
text_title "$ID17" "$TITLE17"
if [[ $COMMAND17 == "true" ]];then
text_ok "Password Policy requires symbol"
else
text_warn "Password Policy missing symbol requirement"
fi
}
check18(){
ID18="1.8"
TITLE18="Ensure IAM password policy require at least one number (Scored)"
COMMAND18=$($AWSCLI iam get-account-password-policy --profile $PROFILE --region $REGION --query 'PasswordPolicy.RequireNumbers') # must be true
text_title "$ID18" "$TITLE18"
if [[ $COMMAND18 == "true" ]];then
text_ok "Password Policy requires number"
else
text_warn "Password Policy missing number requirement"
fi
}
check19(){
ID19="1.9"
TITLE19="Ensure IAM password policy requires minimum length of 14 or greater (Scored)"
COMMAND19=$($AWSCLI iam get-account-password-policy --profile $PROFILE --region $REGION --query 'PasswordPolicy.MinimumPasswordLength')
text_title "$ID19" "$TITLE19"
if [[ $COMMAND19 -gt "13" ]];then
text_ok "Password Policy requires more than 13 characters"
else
text_warn "Password Policy missing or weak length requirement"
fi
}
check110(){
ID110="1.10"
TITLE110="Ensure IAM password policy prevents password reuse (Scored)"
COMMAND110=$($AWSCLI iam get-account-password-policy --profile $PROFILE --region $REGION --query 'PasswordPolicy.PasswordReusePrevention' --output text)
text_title "$ID110" "$TITLE110"
if [[ $COMMAND110 ]];then
if [[ $COMMAND110 -gt "23" ]];then
text_ok "Password Policy limits reuse"
else
text_warn "Password Policy has weak reuse requirment (lower than 24)"
fi
else
text_warn "Password Policy missing reuse requirement"
fi
}
check111(){
ID111="1.11"
TITLE111="Ensure IAM password policy expires passwords within 90 days or less (Scored)"
COMMAND111=$($AWSCLI iam get-account-password-policy --profile $PROFILE --region $REGION | grep MaxPasswordAge | awk -F: '{ print $2 }'|sed 's/\ //g'|sed 's/,/ /g')
text_title "$ID111" "$TITLE111"
if [[ $COMMAND111 ]];then
if [ $COMMAND111 == "90" ];then
text_ok "Password Policy includes expiration"
fi
else
text_warn "Passowrd expiration not set or set greater than 90 days "
fi
}
check112(){
ID112="1.12"
TITLE112="Ensure no root account access key exists (Scored)"
# ensure the access_key_1_active and access_key_2_active fields are set to FALSE.
ROOTKEY1=$(cat $TEMP_REPORT_FILE |grep root_account|awk -F',' '{ print $9 }')
ROOTKEY2=$(cat $TEMP_REPORT_FILE |grep root_account|awk -F',' '{ print $14 }')
text_title "$ID112" "$TITLE112"
if [ $ROOTKEY1 == "false" ];then
text_ok "No access key 1 found for root"
else
text_warn "Found access key 1 for root "
fi
if [ $ROOTKEY2 == "false" ];then
text_ok "No access key 2 found for root"
else
text_warn "Found access key 2 for root "
fi
}
check113(){
ID113="1.13"
TITLE113="Ensure MFA is enabled for the root account (Scored)"
COMMAND113=$($AWSCLI iam get-account-summary --profile $PROFILE --region $REGION |grep AccountMFAEnabled | awk -F': ' '{ print $2 }'|sed 's/,//')
text_title "$ID113" "$TITLE113"
if [ $COMMAND113 == "1" ]; then
text_ok "Virtual MFA is enabled for root"
else
text_warn "MFA is not ENABLED for root account "
fi
}
check114(){
ID114="1.14"
TITLE114="Ensure hardware MFA is enabled for the root account (Scored)"
COMMAND113=$($AWSCLI iam get-account-summary --profile $PROFILE --region $REGION |grep AccountMFAEnabled | awk -F': ' '{ print $2 }'|sed 's/,//')
text_title "$ID114" "$TITLE114"
if [ $COMMAND113 == "1" ]; then
COMMAND114=$($AWSCLI iam list-virtual-mfa-devices --profile $PROFILE --region $REGION --query 'VirtualMFADevices' --output text|grep :root |wc -l)
if [ $COMMAND114 == "1" ]; then
text_ok "Virtual MFA is enabled for root"
else
text_ok "Hardware MFA is enabled for root "
fi
else
text_warn "MFA is not ENABLED for root account "
fi
}
check115(){
ID115="1.15"
TITLE115="Ensure security questions are registered in the AWS account (Not Scored)"
# No command available
text_title "$ID115" "$TITLE115"
text_notice "No command available for check 1.15 "
text_notice "Login to the AWS Console as root, click on the Account "
text_notice "Name -> My Account -> Configure Security Challenge Questions "
}
check116(){
ID116="1.16"
TITLE116="Ensure IAM policies are attached only to groups or roles (Scored)"
text_title "$ID116" "$TITLE116"
LIST_USERS=$($AWSCLI iam list-users --query 'Users[*].UserName' --output text --profile $PROFILE --region $REGION)
C116_NUM_USERS=0
for user in $LIST_USERS;do
USER_POLICY=$($AWSCLI iam list-attached-user-policies --output text --profile $PROFILE --region $REGION --user-name $user)
if [[ $USER_POLICY ]]; then
text_warn "$user has policy directly attached "
C116_NUM_USERS=$(expr $C116_NUM_USERS + 1)
fi
done
if [[ $C116_NUM_USERS -eq 0 ]]; then
text_ok "No policies attached to users."
fi
}
check117(){
ID117="1.17"
TITLE117="Enable detailed billing (Scored)"
# No command available
text_title "$ID117" "$TITLE117"
text_notice "No command available for check 1.17 "
text_notice "See section 1.17 on the CIS Benchmark guide for details "
infoReferenceShort
}
check118(){
ID118="1.18"
TITLE118="Ensure IAM Master and IAM Manager roles are active (Scored)"
text_title "$ID118" "$TITLE118"
FINDMASTERANDMANAGER=$($AWSCLI iam list-roles --profile $PROFILE --region $REGION --query "Roles[*].{RoleName:RoleName}" --output text | grep -E 'Master|Manager'| tr '\n' ' ')
if [[ $FINDMASTERANDMANAGER ]];then
text_notice "Found next roles as possible IAM Master and IAM Manager candidates: "
text_notice "$FINDMASTERANDMANAGER "
text_notice "run the commands below to check their policies with section 1.18 in the guide..."
for role in $FINDMASTERANDMANAGER;do
# find inline policies in found roles
INLINEPOLICIES=$($AWSCLI iam list-role-policies --role-name $role --profile $PROFILE --region $REGION --query "PolicyNames[*]" --output text)
for policy in $INLINEPOLICIES;do
text_notice "$AWSCLI iam get-role-policy --role-name $role --policy-name $policy --profile $PROFILE --region $REGION"
done
# find attached policies in found roles
ATTACHEDPOLICIES=$($AWSCLI iam list-attached-role-policies --role-name $role --profile $PROFILE --region $REGION --query "AttachedPolicies[*]" --output text)
for policy in $ATTACHEDPOLICIES;do
text-notice "$AWSCLI iam get-role-policy --role-name $role --policy-name $policy --profile $PROFILE --region $REGION"
done
done
else
text_warn "IAM Master and IAM Manager roles not found"
fi
}
check119(){
ID119="1.19"
TITLE119="Maintain current contact details (Scored)"
# No command available
text_title "$ID119" "$TITLE119"
text_notice "No command available for check 1.19 "
text_notice "See section 1.19 on the CIS Benchmark guide for details "
infoReferenceShort
}
check120(){
ID120="1.20"
TITLE120="Ensure security contact information is registered (Scored)"
# No command available
text_title "$ID120" "$TITLE120"
text_notice "No command available for check 1.20 "
text_notice "See section 1.20 on the CIS Benchmark guide for details "
infoReferenceShort
}
check121(){
ID121="1.21"
TITLE121="Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)"
text_title "$ID121" "$TITLE121"
text_notice "No command available for check 1.21 "
text_notice "See section 1.21 on the CIS Benchmark guide for details "
infoReferenceShort
}
check122(){
ID122="1.22"
TITLE122="Ensure a support role has been created to manage incidents with AWS Support (Scored)"
text_title "$ID122" "$TITLE122"
SUPPORTPOLICYARN=$($AWSCLI iam list-policies --query "Policies[?PolicyName == 'AWSSupportAccess'].Arn" --profile $PROFILE --region $REGION --output text)
if [[ $SUPPORTPOLICYARN ]];then
for policyarn in $SUPPORTPOLICYARN;do
POLICYTOSHOW=$($AWSCLI iam list-entities-for-policy --policy-arn $SUPPORTPOLICYARN --profile $PROFILE --region $REGION --output text)
if [[ $POLICYTOSHOW ]];then
text_ok "Support Policy attached to $POLICYTOSHOW"
text_notice "Make sure your team can create a Support case with AWS "
else
text_warn "Support Policy not applied to any Group, User or Role "
fi
done
else
text_warn "No Support Policy found"
fi
}
check123(){
ID123="1.23"
TITLE123="Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)"
text_title "$ID123" "$TITLE123"
LIST_USERS=$($AWSCLI iam list-users --query 'Users[*].UserName' --output text --profile $PROFILE --region $REGION)
# List of USERS with KEY1 last_used_date as N/A
LIST_USERS_KEY1_NA=$(for user in $LIST_USERS; do grep $user $TEMP_REPORT_FILE|awk -F, '{ print $1,$11 }'|grep N/A |awk '{ print $1 }'; done)
LIST_USERS_KEY1_ACTIVE=$(for user in $LIST_USERS_KEY1_NA; do grep $user $TEMP_REPORT_FILE|awk -F, '{ print $1,$9 }'|grep "true$"|awk '{ print $1 }'|sed 's/[:blank:]+/,/g' ; done)
if [[ $LIST_USERS_KEY1_ACTIVE ]]; then
# text_notice "List of users with Access Key 1 never used:"
text_notice "Users who never used Access Key 1: $LIST_USERS_KEY1_ACTIVE"
else
text_ok "No users found with Access Key 1 never used"
fi
# List of USERS with KEY2 last_used_date as N/A
LIST_USERS_KEY2_NA=$(for user in $LIST_USERS; do grep $user $TEMP_REPORT_FILE|awk -F, '{ print $1,$16 }'|grep N/A |awk '{ print $1 }' ; done)
LIST_USERS_KEY2_ACTIVE=$(for user in $LIST_USERS_KEY2_NA; do grep $user $TEMP_REPORT_FILE|awk -F, '{ print $1,$14 }'|grep "true$" |awk '{ print $1 }' ; done)
if [[ $LIST_USERS_KEY2_ACTIVE ]]; then
# text_notice "List of users with Access Key 2 never used:"
text_notice "Users who never used Access Key 2: $LIST_USERS_KEY2_ACTIVE"
else
text_ok "No users found with Access Key 2 never used"
fi
}
check124(){
ID124="1.24"
TITLE124="Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)"
text_title "$ID124" "$TITLE124"
LIST_CUSTOM_POLICIES=$($AWSCLI iam list-policies --output text --profile $PROFILE --region $REGION|grep 'arn:aws:iam::[0-9]\{12\}:'|awk '{ print $2 }')
if [[ $LIST_CUSTOM_POLICIES ]]; then
text_notice "Looking for custom policies: (skipping default policies, it may take few seconds...)"
for policy in $LIST_CUSTOM_POLICIES; do
POLICY_VERSION=$($AWSCLI iam list-policies --profile $PROFILE --region $REGION --query 'Policies[*].[Arn,DefaultVersionId]' --output text|grep -w $policy |awk '{ print $2}')
POLICY_WITH_FULL=$($AWSCLI iam get-policy-version --output text --policy-arn $policy --version-id $POLICY_VERSION --query "PolicyVersion.Document.Statement[?Effect == 'Allow' && contains(Resource, '*') && contains (Action, '*')]" --profile $PROFILE --region $REGION)
if [[ $POLICY_WITH_FULL ]]; then
POLICIES_ALLOW_LIST="$POLICIES_ALLOW_LIST $policy"
fi
done
if [[ $POLICIES_ALLOW_LIST ]]; then
text_notice "List of custom policies: "
for policy in $POLICIES_ALLOW_LIST; do
text_notice "Policy $policy allows \"*:*\""
done
else
text_ok "No custom policy found that allow full \"*:*\" administrative privileges"
fi
else
text_ok "No custom policies found"
fi
}
check21(){
ID21="2.1"
TITLE21="Ensure CloudTrail is enabled in all regions (Scored)"
text_title "$ID21" "$TITLE21"
LIST_OF_TRAILS=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].Name' --output text)
if [[ $LIST_OF_TRAILS ]];then
for trail in $LIST_OF_TRAILS;do
MULTIREGION_TRAIL_STATUS=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].IsMultiRegionTrail' --output text --trail-name-list $trail)
if [[ $MULTIREGION_TRAIL_STATUS == 'False' ]];then
text_warn "$trail trail in $REGION is not enabled in multi region mode"
else
text_ok "$trail trail in $REGION is enabled for all regions"
fi
done
else
text_warn "No CloudTrail trails found!"
fi
}
check22(){
ID22="2.2"
TITLE22="Ensure CloudTrail log file validation is enabled (Scored)"
text_title "$ID22" "$TITLE22"
LIST_OF_TRAILS=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].Name' --output text)
if [[ $LIST_OF_TRAILS ]];then
for trail in $LIST_OF_TRAILS;do
LOGFILEVALIDATION_TRAIL_STATUS=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].LogFileValidationEnabled' --output text --trail-name-list $trail)
if [[ $LOGFILEVALIDATION_TRAIL_STATUS == 'False' ]];then
text_warn "$trail trail in $REGION has not log file validation enabled"
else
text_ok "$trail trail in $REGION has log file validation enabled"
fi
done
else
text_warn "No CloudTrail trails found!"
fi
}
check23(){
ID23="2.3"
TITLE23="Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)"
text_title "$ID23" "$TITLE23"
CLOUDTRAILBUCKET=$($AWSCLI cloudtrail describe-trails --query 'trailList[*].S3BucketName' --output text --profile $PROFILE --region $REGION)
if [[ $CLOUDTRAILBUCKET ]];then
for bucket in $CLOUDTRAILBUCKET;do
CLOUDTRAILBUCKET_HASALLPERMISIONS=$($AWSCLI s3api get-bucket-acl --bucket $bucket --query 'Grants[?Grantee.URI==`http://acs.amazonaws.com/groups/global/AllUsers`]' --profile $PROFILE --region $REGION --output text)
if [[ $CLOUDTRAILBUCKET_HASALLPERMISIONS ]];then
text_warn "check your $bucket CloudTrail bucket ACL and Policy!"
else
text_ok "Bucket $bucket is set correctly"
fi
done
else
text_warn "No CloudTrail bucket found!"
fi
}
check24(){
ID24="2.4"
TITLE24="Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)"
text_title "$ID24" "$TITLE24"
TRAILS_AND_REGIONS=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].{Name:Name, HomeRegion:HomeRegion}' --output text | tr "\t" ',')
if [[ $TRAILS_AND_REGIONS ]];then
for reg_trail in $TRAILS_AND_REGIONS;do
trail=$(echo $reg_trail | cut -d',' -f2)
TRAIL_REGION=$(echo $reg_trail | cut -d',' -f1)
LATESTDELIVERY_TIMESTAMP=$($AWSCLI cloudtrail get-trail-status --name $trail --profile $PROFILE --region $TRAIL_REGION --query 'LatestCloudWatchLogsDeliveryTime' --output text|grep -v None)
if [[ ! $LATESTDELIVERY_TIMESTAMP ]];then
text_warn "$trail trail is not logging in the last 24h or not configured (it is in $TRAIL_REGION)"
else
LATESTDELIVERY_DATE=$(timestamp_to_date $LATESTDELIVERY_TIMESTAMP)
HOWOLDER=$(how_older_from_today $LATESTDELIVERY_DATE)
if [ $HOWOLDER -gt "1" ];then
text_warn "$trail trail is not logging in the last 24h or not configured (it is in $TRAIL_REGION)"
else
text_ok "$trail trail has been logging during the last 24h (it is in $TRAIL_REGION)"
fi
fi
done
else
text_warn "No CloudTrail trails found!"
fi
}
check25(){
ID25="2.5"
TITLE25="Ensure AWS Config is enabled in all regions (Scored)"
text_title "$ID25" "$TITLE25"
for regx in $REGIONS; do
CHECK_AWSCONFIG_STATUS=$($AWSCLI configservice get-status --profile $PROFILE --region $regx | grep "recorder: ON")
if [[ $CHECK_AWSCONFIG_STATUS ]];then
text_ok "Region $regx has AWS Config recorder: ON "
else
text_warn "Region $regx has AWS Config disabled or not configured"
fi
done
}
check26(){
ID26="2.6"
TITLE26="Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)"
text_title "$ID26" "$TITLE26"
CLOUDTRAILBUCKET=$($AWSCLI cloudtrail describe-trails --query 'trailList[*].S3BucketName' --output text --profile $PROFILE --region $REGION)
if [[ $CLOUDTRAILBUCKET ]];then
for bucket in $CLOUDTRAILBUCKET;do
CLOUDTRAILBUCKET_LOGENABLED=$($AWSCLI s3api get-bucket-logging --bucket $bucket --profile $PROFILE --region $REGION --query 'LoggingEnabled.TargetBucket' --output text|grep -v None)
if [[ $CLOUDTRAILBUCKET_LOGENABLED ]];then
text_ok "Bucket access logging enabled in $bucket"
else
text_warn "access logging is not enabled in $bucket CloudTrail S3 bucket!"
fi
done
else
text_warn "CloudTrail bucket not found!"
fi
}
check27(){
ID27="2.7"
TITLE27="Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)"
text_title "$ID27" "$TITLE27"
CLOUDTRAILNAME=$($AWSCLI cloudtrail describe-trails --query 'trailList[*].Name' --output text --profile $PROFILE --region $REGION)
if [[ $CLOUDTRAILNAME ]];then
for trail in $CLOUDTRAILNAME;do
CLOUDTRAILENC_ENABLED=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --trail $trail --query 'trailList[*].KmsKeyId' --output text)
if [[ $CLOUDTRAILENC_ENABLED ]];then
text_ok "KMS key found for $trail"
else
text_warn "encryption is not enabled in your CloudTrail trail $trail, KMS key not found!"
fi
done
else
text_warn "CloudTrail bucket doesn't exist!"
fi
}
check28(){
ID28="2.8"
TITLE28="Ensure rotation for customer created CMKs is enabled (Scored)"
text_title "$ID28" "$TITLE28"
for regx in $REGIONS; do
CHECK_KMS_KEYLIST=$($AWSCLI kms list-keys --profile $PROFILE --region $regx --output text --query 'Keys[*].KeyId')
if [[ $CHECK_KMS_KEYLIST ]];then
CHECK_KMS_KEYLIST_NO_DEFAULT=$(for key in $CHECK_KMS_KEYLIST ; do $AWSCLI kms describe-key --key-id $key --profile $PROFILE --region $regx --output text|grep -v 'Default master key that protects my ACM private keys when no other key is defined'|awk '{ print $3 }'|awk -F'/' '{ print $2 }'; done)
for key in $CHECK_KMS_KEYLIST_NO_DEFAULT; do
CHECK_KMS_KEY_TYPE=$($AWSCLI kms describe-key --key-id $key --profile $PROFILE --region $regx --query 'KeyMetadata.Origin' | sed 's/["]//g')
if [[ $CHECK_KMS_KEY_TYPE == "EXTERNAL" ]];then
text_ok "Key $key in Region $regx Customer Uploaded Key Material."
else
CHECK_KMS_KEY_ROTATION=$($AWSCLI kms get-key-rotation-status --key-id $key --profile $PROFILE --region $regx --output text)
#CHECK_KMS_DEFAULT_KEY=$($AWSCLI kms describe-key --key-id $key --profile $PROFILE --region $regx --query 'KeyMetadata.Description' | sed -n '/Default master key that protects my ACM private keys when no other key is defined /p'|| echo "False")
if [[ $CHECK_KMS_KEY_ROTATION == "True" ]];then
text_ok "Key $key in Region $regx is set correctly"
elif [[ $CHECK_KMS_KEY_ROTATION == "False" && $CHECK_KMS_DEFAULT_KEY ]];then
text_notice "Region $regx key $key is an AWS default master key and cannot be deleted nor modified."
else
text_warn "Key $key in Region $regx is not set to rotate!!!"
fi
fi
done
else
text_notice "Region $regx doesn't have encryption keys "
fi
done
}
check31(){
ID31="3.1"
TITLE31="Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)"
text_title "$ID31" "$TITLE31"
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | awk -F: '{ print $7 }')
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep AccessDenied)
if [[ $METRICFILTER_SET ]];then
text_ok "CloudWatch group found, and metric filters for Access Denied enabled"
else
text_warn "CloudWatch group found, but no metric filters or alarms associated"
fi
else
text_warn "No CloudWatch group found, no metric filters or alarms associated"
fi
}
check32(){
ID32="3.2"
TITLE32="Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)"
text_title "$ID32" "$TITLE32"
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | awk -F: '{ print $7 }')
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'userIdentity.sessionContext.attributes.mfaAuthenticated.*true')
if [[ $METRICFILTER_SET ]];then
text_ok "CloudWatch group found, and metric filters for sign-in Console without MFA enabled"
else
text_warn "CloudWatch group found, but no metric filters or alarms associated"
fi
else
text_warn "No CloudWatch group found, no metric filters or alarms associated"
fi
}
check33(){
ID33="3.3"
TITLE33="Ensure a log metric filter and alarm exist for usage of root account (Scored)"
text_title "$ID33" "$TITLE33"
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | awk -F: '{ print $7 }')
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION |grep -E 'userIdentity.*Root.*AwsServiceEvent')
if [[ $METRICFILTER_SET ]];then
text_ok "CloudWatch group found, and metric filters for usage of root account enabled"
else
text_warn "CloudWatch group found, but no metric filters or alarms associated"
fi
else
text_warn "No CloudWatch group found, no metric filters or alarms associated"
fi
}
check34(){
ID34="3.4"
TITLE34="Ensure a log metric filter and alarm exist for IAM policy changes (Scored)"
text_title "$ID34" "$TITLE34"
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | awk -F: '{ print $7 }')
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'DeleteGroupPolicy.*DeleteRolePolicy.*DeleteUserPolicy.*PutGroupPolicy.*PutRolePolicy.*PutUserPolicy.*CreatePolicy.*DeletePolicy.*CreatePolicyVersion.*DeletePolicyVersion.*AttachRolePolicy.*DetachRolePolicy.*AttachUserPolicy.*DetachUserPolicy.*AttachGroupPolicy.*DetachGroupPolicy')
if [[ $METRICFILTER_SET ]];then
text_ok "CloudWatch group found, and metric filters for IAM policy changes enabled"
else
text_warn "CloudWatch group found, but no metric filters or alarms associated"
fi
else
text_warn "No CloudWatch group found, no metric filters or alarms associated"
fi
}
check35(){
ID35="3.5"
TITLE35="Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)"
text_title "$ID35" "$TITLE35"
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | awk -F: '{ print $7 }')
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'CreateTrail.*UpdateTrail.*DeleteTrail.*StartLogging.*StopLogging')
if [[ $METRICFILTER_SET ]];then
text_ok "CloudWatch group found, and metric filters for CloudTrail configuration changes enabled"
else
text_warn "CloudWatch group found, but no metric filters or alarms associated"
fi
else
text_warn "No CloudWatch group found, no metric filters or alarms associated"
fi
}
check36(){
ID36="3.6"
TITLE36="Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)"
text_title "$ID36" "$TITLE36"
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | awk -F: '{ print $7 }')
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'ConsoleLogin.*Failed')
if [[ $METRICFILTER_SET ]];then
text_ok "CloudWatch group found, and metric filters for usage of root account enabled"
else
text_warn "CloudWatch group found, but no metric filters or alarms associated"
fi
else
text_warn "No CloudWatch group found, no metric filters or alarms associated"
fi
}
check37(){
ID37="3.7"
TITLE37="Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)"
text_title "$ID37" "$TITLE37"
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | awk -F: '{ print $7 }')
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'kms.amazonaws.com.*DisableKey.*ScheduleKeyDeletion')
if [[ $METRICFILTER_SET ]];then
text_ok "CloudWatch group found, and metric filters enabled"
else
text_warn "CloudWatch group found, but no metric filters or alarms associated"
fi
else
text_warn "No CloudWatch group found, no metric filters or alarms associated"
fi
}
check38(){
ID38="3.8"
TITLE38="Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)"
text_title "$ID38" "$TITLE38"
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | awk -F: '{ print $7 }')
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 's3.amazonaws.com.*PutBucketAcl.*PutBucketPolicy.*PutBucketCors.*PutBucketLifecycle.*PutBucketReplication.*DeleteBucketPolicy.*DeleteBucketCors.*DeleteBucketLifecycle.*DeleteBucketReplication')
if [[ $METRICFILTER_SET ]];then
text_ok "CloudWatch group found, and metric filters enabled"
else
text_warn "CloudWatch group found, but no metric filters or alarms associated"
fi
else
text_warn "No CloudWatch group found, no metric filters or alarms associated"
fi
}
check39(){
ID39="3.9"
TITLE39="Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)"
text_title "$ID39" "$TITLE39"
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | awk -F: '{ print $7 }')
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'config.amazonaws.com.*StopConfigurationRecorder.*DeleteDeliveryChannel.*PutDeliveryChannel.*PutConfigurationRecorder')
if [[ $METRICFILTER_SET ]];then
text_ok "CloudWatch group found, and metric filters enabled"
else
text_warn "CloudWatch group found, but no metric filters or alarms associated"
fi
else
text_warn "No CloudWatch group found, no metric filters or alarms associated"
fi
}
check310(){
ID310="3.10"
TITLE310="Ensure a log metric filter and alarm exist for security group changes (Scored)"
text_title "$ID310" "$TITLE310"
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | awk -F: '{ print $7 }')
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'AuthorizeSecurityGroupIngress.*AuthorizeSecurityGroupEgress.*RevokeSecurityGroupIngress.*RevokeSecurityGroupEgress.*CreateSecurityGroup.*DeleteSecurityGroup')
if [[ $METRICFILTER_SET ]];then
text_ok "CloudWatch group found, and metric filters enabled"
else
text_warn "CloudWatch group found, but no metric filters or alarms associated"
fi
else
text_warn "No CloudWatch group found, no metric filters or alarms associated"
fi
}
check311(){
ID311="3.11"
TITLE311="Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored)"
text_title "$ID311" "$TITLE311"
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | awk -F: '{ print $7 }')
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'CreateNetworkAcl.*CreateNetworkAclEntry.*DeleteNetworkAcl.*DeleteNetworkAclEntry.*ReplaceNetworkAclEntry.*ReplaceNetworkAclAssociation')
if [[ $METRICFILTER_SET ]];then
text_ok "CloudWatch group found, and metric filters enabled"
else
text_warn "CloudWatch group found, but no metric filters or alarms associated"
fi
else
text_warn "No CloudWatch group found, no metric filters or alarms associated"
fi
}
check312(){
ID312="3.12"
TITLE312="Ensure a log metric filter and alarm exist for changes to network gateways (Scored)"
text_title "$ID312" "$TITLE312"
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | awk -F: '{ print $7 }')
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'CreateCustomerGateway.*DeleteCustomerGateway.*AttachInternetGateway.*CreateInternetGateway.*DeleteInternetGateway.*DetachInternetGateway')
if [[ $METRICFILTER_SET ]];then
text_ok "CloudWatch group found, and metric filters enabled"
else
text_warn "CloudWatch group found, but no metric filters or alarms associated"
fi
else
text_warn "No CloudWatch group found, no metric filters or alarms associated"
fi
}
check313(){
ID313="3.13"
TITLE313="Ensure a log metric filter and alarm exist for route table changes (Scored)"
text_title "$ID313" "$TITLE313"
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | awk -F: '{ print $7 }')
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'CreateRoute.*CreateRouteTable.*ReplaceRoute.*ReplaceRouteTableAssociation.*DeleteRouteTable.*DeleteRoute.*DisassociateRouteTable')
if [[ $METRICFILTER_SET ]];then
text_ok "CloudWatch group found, and metric filters enabled"
else
text_warn "CloudWatch group found, but no metric filters or alarms associated"
fi
else
text_warn "No CloudWatch group found, no metric filters or alarms associated"
fi
}
check314(){
ID314="3.14"
TITLE314="Ensure a log metric filter and alarm exist for VPC changes (Scored)"
text_title "$ID314" "$TITLE314"
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | awk -F: '{ print $7 }')
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'CreateVpc.*DeleteVpc.*ModifyVpcAttribute.*AcceptVpcPeeringConnection.*CreateVpcPeeringConnection.*DeleteVpcPeeringConnection.*RejectVpcPeeringConnection.*AttachClassicLinkVpc.*DetachClassicLinkVpc.*DisableVpcClassicLink.*EnableVpcClassicLink')
if [[ $METRICFILTER_SET ]];then
text_ok "CloudWatch group found, and metric filters enabled"
else
text_warn "CloudWatch group found, but no metric filters or alarms associated"
fi
else
text_warn "No CloudWatch group found, no metric filters or alarms associated"
fi
}
check315(){
ID315="3.15"
TITLE315="Ensure appropriate subscribers to each SNS topic (Not Scored)"
text_title "$ID315" "$TITLE315"
for regx in $REGIONS; do
TOPICS_LIST=$($AWSCLI sns list-topics --profile $PROFILE --region $regx --output text --query 'Topics[*].TopicArn')
if [[ $TOPICS_LIST ]];then
for topic in $TOPICS_LIST; do
CHECK_TOPIC_LIST=$($AWSCLI sns list-subscriptions-by-topic --topic-arn $topic --profile $PROFILE --region $regx --query 'Subscriptions[*].{Endpoint:Endpoint,Protocol:Protocol}' --output text --max-items $MAXITEMS | grep -v "None")
if [[ $CHECK_TOPIC_LIST ]]; then
TOPIC_SHORT=$(echo $topic | awk -F: '{ print $7 }')
text_notice "Region $regx with Topic $TOPIC_SHORT: "
text_notice "- Suscription: $CHECK_TOPIC_LIST "
else
text_warn "No suscription found in: Region $regx and Topic $topic "
text_warn " - Region $regx and Topic $topic "
fi
done
else
text_notice "Region $regx doesn't have topics "
fi
done
}
check41(){
ID41="4.1"
TITLE41="Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)"
text_title "$ID41" "$TITLE41"
for regx in $REGIONS; do
SG_LIST=$($AWSCLI ec2 describe-security-groups --filters "Name=ip-permission.to-port,Values=22" --query 'SecurityGroups[?length(IpPermissions[?ToPort==`22` && contains(IpRanges[].CidrIp, `0.0.0.0/0`)]) > `0`].{GroupName: GroupName}' --profile $PROFILE --region $regx --output text)
if [[ $SG_LIST ]];then
for SG in $SG_LIST;do
text_warn "Found Security Group: $SG open to 0.0.0.0/0 in Region $regx "
done
else
text_ok "No Security Groups found in $regx with port 22 TCP open to 0.0.0.0/0 "
fi
done
}
check42(){
ID42="4.2"
TITLE42="Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)"
text_title "$ID42" "$TITLE42"
for regx in $REGIONS; do
SG_LIST=$($AWSCLI ec2 describe-security-groups --filters "Name=ip-permission.to-port,Values=3389" --query 'SecurityGroups[?length(IpPermissions[?ToPort==`3389` && contains(IpRanges[].CidrIp, `0.0.0.0/0`)]) > `0`].{GroupName: GroupName}' --profile $PROFILE --region $regx --output text)
if [[ $SG_LIST ]];then
for SG in $SG_LIST;do
text_warn "Found Security Group: $SG open to 0.0.0.0/0 in Region $regx "
done
else
text_ok "No Security Groups found in $regx with port 3389 TCP open to 0.0.0.0/0 "
fi
done
}
check43(){
ID43="4.3"
TITLE43="Ensure VPC Flow Logging is Enabled in all VPCs (Scored)"
text_title "$ID43" "$TITLE43"
for regx in $REGIONS; do
CHECK_FL=$($AWSCLI ec2 describe-flow-logs --profile $PROFILE --region $regx --query 'FlowLogs[?FlowLogStatus==`ACTIVE`].LogGroupName' --output text)
if [[ $CHECK_FL ]];then
for FL in $CHECK_FL;do
text_ok "VPCFlowLog is enabled for LogGroupName: $FL in Region $regx "
done
else
text_warn "No VPCFlowLog has been found in Region $regx "
fi
done
}
check44(){
ID44="4.4"
TITLE44="Ensure the default security group of every VPC restricts all traffic (Scored)"
text_title "$ID44" "$TITLE44"
for regx in $REGIONS; do
CHECK_SGDEFAULT=$($AWSCLI ec2 describe-security-groups --profile $PROFILE --region $regx --filters Name=group-name,Values='default' --query 'SecurityGroups[*].{IpPermissions:IpPermissions,IpPermissionsEgress:IpPermissionsEgress,GroupId:GroupId}' --output text |grep 0.0.0.0)
if [[ $CHECK_SGDEFAULT ]];then
text_warn "Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region $regx"
else
text_ok "No Default Security Groups open to 0.0.0.0 found in Region $regx "
fi
done
}
check45(){
#set -xe
ID45="4.5"
TITLE45="Ensure routing tables for VPC peering are \"least access\" (Not Scored)"
text_title "$ID45" "$TITLE45"
text_notice "Looking for VPC peering in all regions... "
for regx in $REGIONS; do
LIST_OF_VPCS_PEERING_CONNECTIONS=$($AWSCLI ec2 describe-vpc-peering-connections --output text --profile $PROFILE --region $regx --query 'VpcPeeringConnections[*].VpcPeeringConnectionId')
if [[ $LIST_OF_VPCS_PEERING_CONNECTIONS ]];then
text_notice "$regx: $LIST_OF_VPCS_PEERING_CONNECTIONS, review its routing tables "
#LIST_OF_VPCS=$($AWSCLI ec2 describe-vpcs --profile $PROFILE --region $regx --query 'Vpcs[*].VpcId' --output text)
#aws ec2 describe-route-tables --filter "Name=vpc-id,Values=vpc-0213e864" --query "RouteTables[*].{RouteTableId:RouteTableId, VpcId:VpcId, Routes:Routes, AssociatedSubnets:Associations[*].SubnetId}" --profile $PROFILE --region $regx
# for vpc in $LIST_OF_VPCS; do
# VPCS_WITH_PEERING=$($AWSCLI ec2 describe-route-tables --filter "Name=vpc-id,Values=$vpc" --profile $PROFILE --region $regx --query "RouteTables[*].{RouteTableId:RouteTableId, VpcId:VpcId, Routes:Routes, AssociatedSubnets:Associations[*].SubnetId}" |grep GatewayId|grep pcx-)
# done
#echo $VPCS_WITH_PEERING
else
text_ok "$regx: No VPC peering found "
fi
done
}
callCheck(){
if [[ $CHECKNUMBER ]];then
case "$CHECKNUMBER" in
check11 ) check11;;
check12 ) check12;;
check13 ) check13;;
check14 ) check14;;
check15 ) check15;;
check16 ) check16;;
check17 ) check17;;
check18 ) check18;;
check19 ) check19;;
check110 ) check110;;
check111 ) check111;;
check112 ) check112;;
check113 ) check113;;
check114 ) check114;;
check115 ) check115;;
check116 ) check116;;
check117 ) check117;;
check118 ) check118;;
check119 ) check119;;
check120 ) check120;;
check121 ) check121;;
check122 ) check122;;
check123 ) check123;;
check124 ) check124;;
check21 ) check21;;
check22 ) check22;;
check23 ) check23;;
check24 ) check24;;
check25 ) check25;;
check26 ) check26;;
check27 ) check27;;
check28 ) check28;;
check31 ) check31;;
check32 ) check32;;
check33 ) check33;;
check34 ) check34;;
check35 ) check35;;
check36 ) check36;;
check37 ) check37;;
check38 ) check38;;
check39 ) check39;;
check310 ) check310;;
check311 ) check311;;
check312 ) check312;;
check313 ) check313;;
check314 ) check314;;
check315 ) check315;;
check41 ) check41;;
check42 ) check42;;
check43 ) check43;;
check44 ) check44;;
check45 ) check45;;
check1 )
check11;check12;check13;check14;check15;check16;check17;check18;
check19;check110;check111;check112;check113;check114;check115;
check116;check117;check118;check119;check120;check121;check122;
check123;check124;
;;
check2 )
check21;check22;check23;check24;check25;check26;check27;check28
;;
check3 )
check31;check32;check33;check34;check35;check36;check37;check38;
check39;check310;check311;check312;check313;check314;check315
;;
check4 )
check41;check42;check43;check44;check45
;;
* )
text_warn "ERROR! Use a valid check name (i.e. check41)\n";
esac
cleanTemp
exit
fi
}
### All functions defined above ... run the workflow
prowlerBanner
printCurrentDate
getWhoami
printColorsCode
genCredReport
saveReport
callCheck
TITLE1="$BLUE 1 Identity and Access Management *********************************$NORMAL"
echo -e "\n\n$TITLE1"
check11
check12
check13
check14
check15
check16
check17
check18
check19
check110
check111
check112
check113
check114
check115
check116
check117
check118
check119
check120
check121
check122
check123
check124
TITLE2="$BLUE 2 Logging ********************************************************$NORMAL"
echo -e "\n\n$TITLE2"
check21
check22
check23
check24
check25
check26
check27
check28
TITLE3="$BLUE 3 Monitoring *****************************************************"
echo -e "\n\n$TITLE3"
# 3 Monitoring check commands / Mostly covered by SecurityMonkey
check31
check32
check33
check34
check35
check36
check37
check38
check39
check310
check311
check312
check313
check314
check315
TITLE4="$BLUE 4 Networking **************************************************$NORMAL"
echo -e "\n\n$TITLE4"
check41
check42
check43
check44
check45
infoReferenceLong
cleanTemp