ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-11 07:15:15 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
fa5c5773f7733aa6441cf3395dc8e56c08d40791
prowler/checks/check_extra723
Toni de la Fuente c09385976a Consolidated titles and outputs including resource ID in ASFF
2021-07-05 20:17:27 +02:00

59 lines
3.5 KiB
Bash
Raw Blame History

#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_extra723="7.23"
CHECK_TITLE_extra723="[extra723] Check if RDS Snapshots and Cluster Snapshots are public"
CHECK_SCORED_extra723="NOT_SCORED"
CHECK_TYPE_extra723="EXTRA"
CHECK_SEVERITY_extra723="Critical"
CHECK_ASFF_RESOURCE_TYPE_extra723="AwsRdsDbSnapshot"
CHECK_ALTERNATE_check723="extra723"
CHECK_SERVICENAME_extra723="rds"
CHECK_RISK_extra723='Publicly accessible services could expose sensible data to bad actors. t is recommended that your RDS snapshots should not be public in order to prevent potential leak or misuse of sensitive data or any other kind of security threat. If your RDS snapshot is public; then the data which is backed up in that snapshot is accessible to all other AWS accounts.'
CHECK_REMEDIATION_extra723='Use AWS Config to identify any sanpshot that is public.'
CHECK_DOC_extra723='https://docs.aws.amazon.com/config/latest/developerguide/rds-snapshots-public-prohibited.html'
CHECK_CAF_EPIC_extra723='Data Protection'
extra723(){
# "Check if RDS Snapshots are public "
for regx in $REGIONS; do
# RDS snapshots
LIST_OF_RDS_SNAPSHOTS=$($AWSCLI rds describe-db-snapshots $PROFILE_OPT --region $regx --query DBSnapshots[*].DBSnapshotIdentifier --output text)
if [[ $LIST_OF_RDS_SNAPSHOTS ]]; then
for rdssnapshot in $LIST_OF_RDS_SNAPSHOTS;do
SNAPSHOT_IS_PUBLIC=$($AWSCLI rds describe-db-snapshot-attributes $PROFILE_OPT --region $regx --db-snapshot-identifier $rdssnapshot --query DBSnapshotAttributesResult.DBSnapshotAttributes[*] --output text|grep ^ATTRIBUTEVALUES|cut -f2|grep all)
if [[ $SNAPSHOT_IS_PUBLIC ]];then
textFail "$regx: RDS Snapshot $rdssnapshot is public!" "$regx" "$rdssnapshot"
else
textPass "$regx: RDS Snapshot $rdssnapshot is not shared" "$regx" "$rdssnapshot"
fi
done
else
textInfo "$regx: No RDS Snapshots found" "$regx" "$rdssnapshot"
fi
# RDS cluster snapshots
LIST_OF_RDS_CLUSTER_SNAPSHOTS=$($AWSCLI rds describe-db-cluster-snapshots $PROFILE_OPT --region $regx --query DBClusterSnapshots[*].DBClusterSnapshotIdentifier --output text)
if [[ $LIST_OF_RDS_CLUSTER_SNAPSHOTS ]]; then
for rdsclustersnapshot in $LIST_OF_RDS_CLUSTER_SNAPSHOTS;do
CLUSTER_SNAPSHOT_IS_PUBLIC=$($AWSCLI rds describe-db-cluster-snapshot-attributes $PROFILE_OPT --region $regx --db-cluster-snapshot-identifier $rdsclustersnapshot --query DBClusterSnapshotAttributesResult.DBClusterSnapshotAttributes[*] --output text|grep ^ATTRIBUTEVALUES|cut -f2|grep all)
if [[ $CLUSTER_SNAPSHOT_IS_PUBLIC ]];then
textFail "$regx: RDS Cluster Snapshot $rdsclustersnapshot is public!" "$regx" "$rdsclustersnapshot"
else
textPass "$regx: RDS Cluster Snapshot $rdsclustersnapshot is not shared" "$regx" "$rdsclustersnapshot"
fi
done
else
textInfo "$regx: No RDS Cluster Snapshots found" "$regx" "$rdsclustersnapshot"
fi
done
}
Reference in New Issue View Git Blame Copy Permalink