#!/usr/bin/env bash
# Prowler - the handy cloud security tool (c) by Toni de la Fuente
|
|
#
|
|
# This Prowler check is licensed under a
|
|
# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
|
|
#
|
|
# You should have received a copy of the license along with this
|
|
# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
|
|
#
|
|
# Remediation:
#
# https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
#
# The commands below are an example. Replace the region, the log group name
# (the CloudWatch Logs group your CloudTrail trail delivers to) and the SNS
# topic ARN (account 123456789012 is a placeholder) with your own values.
# Keep the conditions in --filter-pattern in the order shown: this check
# recognises the filter with an ordered regular expression (see check39
# below), so an equivalent pattern written in a different order is reported
# as non-compliant.
#
# aws logs put-metric-filter \
# --region us-east-1 \
# --log-group-name CloudTrail/CloudWatchLogGroup \
# --filter-name AWSConfigChanges \
# --filter-pattern '{ ($.eventSource = config.amazonaws.com) && (($.eventName = StopConfigurationRecorder)||($.eventName = DeleteDeliveryChannel)||($.eventName = PutDeliveryChannel)||($.eventName = PutConfigurationRecorder)) }' \
# --metric-transformations metricName=ConfigEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
#
# aws cloudwatch put-metric-alarm \
# --region us-east-1 \
# --alarm-name AWSConfigChangesAlarm \
# --alarm-description "Triggered by AWS Config changes." \
# --metric-name ConfigEventCount \
# --namespace CloudTrailMetrics \
# --statistic Sum \
# --comparison-operator GreaterThanOrEqualToThreshold \
# --evaluation-periods 1 \
# --period 300 \
# --threshold 1 \
# --actions-enabled \
# --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
# Metadata for check39 (CIS AWS Foundations Benchmark 3.9).
# These globals are read by the Prowler runner (defined elsewhere); the
# variable names are the interface, so they must stay exactly as written.
# All values are literal, hence single quotes throughout.

# Benchmark id and human-readable title.
CHECK_ID_check39='3.9'
CHECK_TITLE_check39='[check39] Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)'

# Classification: scored, CIS level 2, medium severity.
CHECK_SCORED_check39='SCORED'
CHECK_TYPE_check39='LEVEL2'
CHECK_SEVERITY_check39='Medium'

# AWS Security Hub (ASFF) mapping. The resource type is the CloudTrail trail,
# since the metric filter is expected on the trail's CloudWatch Logs group.
CHECK_ASFF_TYPE_check39='Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark'
CHECK_ASFF_RESOURCE_TYPE_check39='AwsCloudTrailTrail'

# Alias: "check309" resolves to this check (presumably the zero-padded CIS
# number). The suffix intentionally differs from the other variables;
# renaming it would break the existing lookup.
CHECK_ALTERNATE_check309='check39'

# AWS service the check belongs to.
CHECK_SERVICENAME_check39='configservice'

# Risk statement and remediation guidance shown in reports. Wording is kept
# verbatim: it is user-facing output, not a comment.
CHECK_RISK_check39='If not enabled important changes to accounts could go unnoticed or difficult to find.'
CHECK_REMEDIATION_check39='Use this service as a complement to implement detective controls that cannot be prevented. (e.g. a Security Group is modified to open to internet without restrictions or route changed to avoid going thru the network firewall). Ensure AWS Config is enabled in all regions in order to detect any not intended action. On the other hand if sufficient preventive controls to make changes in critical services are in place; the rating on this finding can be lowered or discarded depending on residual risk.'

# Reference documentation and Cloud Adoption Framework epic.
CHECK_DOC_check39='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
CHECK_CAF_EPIC_check39='Logging and Monitoring'
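check39(){
  # CIS 3.9: a CloudWatch Logs metric filter (and alarm) must exist for AWS
  # Config configuration changes. The actual lookup is done by check3x,
  # defined elsewhere in Prowler, which receives the regular expression below
  # and is expected to match it against the filter patterns of the metric
  # filters on the CloudTrail log group.
  #
  # Notes for maintainers:
  #  - The terms are joined with '.+', so the regex only matches a filter
  #    pattern whose conditions appear in exactly this order (eventSource,
  #    then Stop/Delete/Put/Put). A semantically equivalent filter written in
  #    another order is reported as non-compliant.
  #  - The dots in the eventSource host name are escaped, consistent with the
  #    '\$\.' anchors, so they match a literal '.' and not any character.
  #  - Outputs/return status are whatever check3x produces.
  local config_changes_filter_regex
  config_changes_filter_regex='\$\.eventSource\s*=\s*config\.amazonaws\.com.+\$\.eventName\s*=\s*StopConfigurationRecorder.+\$\.eventName\s*=\s*DeleteDeliveryChannel.+\$\.eventName\s*=\s*PutDeliveryChannel.+\$\.eventName\s*=\s*PutConfigurationRecorder'
  check3x "$config_changes_filter_regex"
}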