ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-12 07:45:16 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
e0a8e0f31840a4ed827d62985de5bfcc75bc5c65
prowler/checks/check_extra7124
dlpzx e0a8e0f318 checks for glue - 7119, 7121, 7123,7124,7125
2020-11-09 18:48:11 +01:00

51 lines
2.3 KiB
Bash
Raw Blame History

#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
# Remediation:
#
# https://www.cloudconformity.com/knowledge-base/aws/RDS/instance-deletion-protection.html
# https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html
#
# aws rds modify-db-instance \
# --region us-east-1 \
# --db-instance-identifier test-db \
# --deletion-protection \
# [--apply-immediately | --no-apply-immediately]
CHECK_ID_extra7124="7.124"
CHECK_TITLE_extra7124="[extra7124] Check if ETL Job Server-side encryption (Enables Amazon S3-managed encryption of the data at the target, SSE-S3) is enabled."
CHECK_SCORED_extra7124="NOT_SCORED"
CHECK_TYPE_extra7124="EXTRA"
CHECK_SEVERITY_extra7124="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra7124="AwsGlue"
CHECK_ALTERNATE_check7124="extra7124"
extra7124(){
textInfo "Looking for ETL Jobs in all regions... "
for regx in $REGIONS; do
LIST_GLUE_SC=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --query 'Jobs[*].SecurityConfiguration'--output text)
if [[ $LIST_GLUE_SC ]]; then
for sc in $(echo '${LIST_GLUE_SC}'| jq -r '.[] | @base64');do
textInfo "$ENDPOINT_SECURITY"
ENDPOINT_SC_ENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx glue get-security-configurations $sc --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode' --output text)
if [[ENDPOINT_SC_ENCRYPTION == "SSE-S3" ]]; then
textFail "$regx: ETL Job Security Configuration $sc has (SSE-S3) encryption enabled" "$regx"
else
textPass "$regx: ETL Job Security Configuration $sc has (SSE-S3) encryption is not enabled!" "$regx"
fi
done
else
textInfo "$regx: No ETL Development endpoints found" "$regx"
fi
done
}
Reference in New Issue View Git Blame Copy Permalink