Merge branch 'master' into PRWLR-4452-ensure-aws-waf-classic-regional-rule-groups-have-at-least-one-rule
Showing
64 changed files
with
4,064 additions
and
101 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -11,7 +11,7 @@ jobs: | |
with: | ||
fetch-depth: 0 | ||
- name: TruffleHog OSS | ||
uses: trufflesecurity/[email protected].8 | ||
uses: trufflesecurity/[email protected].9 | ||
with: | ||
path: ./ | ||
base: ${{ github.event.repository.default_branch }} | ||
|
Empty file.
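--- a/...ing_group_multiple_instance_types/autoscaling_group_multiple_instance_types.metadata.json
+++ b/...ing_group_multiple_instance_types/autoscaling_group_multiple_instance_types.metadata.json
@@ -0,0 +1,32 @@
+{
+  "Provider": "aws",
+  "CheckID": "autoscaling_group_multiple_instance_types",
+  "CheckTitle": "EC2 Auto Scaling Group should use multiple instance types in multiple Availability Zones.",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices"
+  ],
+  "ServiceName": "autoscaling",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:partition:autoscaling:region:account-id:autoScalingGroupName/resource-name",
+  "Severity": "medium",
+  "ResourceType": "AwsAutoScalingAutoScalingGroup",
+  "Description": "This control checks whether an Amazon EC2 Auto Scaling group uses multiple instance types in all the Availability Zones, meaning that there should be multiple Availability Zones with multiple instances on each one. The control fails if the Auto Scaling group has only one instance type defined.",
+  "Risk": "Using only one instance type in an Auto Scaling group reduces the flexibility to launch new instances when there is insufficient capacity for that specific type, potentially affecting the availability of the application.",
+  "RelatedUrl": "https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-mixed-instances-groups.html",
+  "Remediation": {
+    "Code": {
+      "CLI": "aws autoscaling create-auto-scaling-group --mixed-instances-policy ...",
+      "NativeIaC": "",
+      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/autoscaling-controls.html#autoscaling-6",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Configure your EC2 Auto Scaling group to use multiple instance types across multiple Availability Zones.",
+      "Url": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/AutoScaling/asg-multiple-instance-type-az.html"
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}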
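Review bot: The `"CLI"` remediation creates a brand-new group (`aws autoscaling create-auto-scaling-group --mixed-instances-policy ...`), which does not remediate the group that produced the finding; the in-place fix is `aws autoscaling update-auto-scaling-group --auto-scaling-group-name <group-name> --mixed-instances-policy file://mixed-instances-policy.json`, with the policy file listing two or more instance-type overrides. The Description also says "multiple instances on each one" where the title and the check's PASS condition are about multiple instance *types* per Availability Zone; `...meaning the group should span several Availability Zones and be able to launch more than one instance type in each.` matches what is actually evaluated. `NativeIaC` and `Terraform` are left empty although the Terraform form is a `mixed_instances_policy` block with several `override` entries on `aws_autoscaling_group`; if they are intentionally deferred, a word in `Notes` would say so.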
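--- a/...ng/autoscaling_group_multiple_instance_types/autoscaling_group_multiple_instance_types.py
+++ b/...ng/autoscaling_group_multiple_instance_types/autoscaling_group_multiple_instance_types.py
@@ -0,0 +1,34 @@
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.autoscaling.autoscaling_client import (
+    autoscaling_client,
+)
+
+
+class autoscaling_group_multiple_instance_types(Check):
+    def execute(self):
+        findings = []
+        for group in autoscaling_client.groups:
+            report = Check_Report_AWS(self.metadata())
+            report.region = group.region
+            report.resource_id = group.name
+            report.resource_arn = group.arn
+            report.resource_tags = group.tags
+            report.status = "FAIL"
+            report.status_extended = f"Autoscaling group {group.name} does not have multiple instance types in multiple Availability Zones."
+
+            failing_azs = []
+
+            for az, types in group.az_instance_types.items():
+                if len(types) < 2:
+                    failing_azs.append(az)
+
+            if not failing_azs and len(group.az_instance_types) > 1:
+                report.status = "PASS"
+                report.status_extended = f"Autoscaling group {group.name} has multiple instance types in each of its Availability Zones."
+            elif failing_azs:
+                azs_str = ", ".join(failing_azs)
+                report.status_extended = f"Autoscaling group {group.name} has only one or no instance types in Availability Zone(s): {azs_str}."
+
+            findings.append(report)
+
+        return findings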
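Review bot: The verdict at `if not failing_azs and len(group.az_instance_types) > 1:` hinges on how `az_instance_types` is populated, which is outside this hunk: if the service builds it from the group's currently running instances rather than from its mixed-instances-policy overrides, a group scaled to zero, or one whose second AZ has not launched an instance yet, is reported FAIL (the default set a few lines above) even though its configuration is compliant — worth confirming against the service model, and evaluating the policy overrides if so. The one-AZ-with-several-types case (`failing_azs` empty, a single key) also falls through with the generic message; an `elif len(group.az_instance_types) == 1:` branch setting `report.status_extended = f"Autoscaling group {group.name} has multiple instance types but only one Availability Zone."` would tell the operator which half of the control they miss. The collecting loop reads as a comprehension: `failing_azs = [az for az, types in group.az_instance_types.items() if len(types) < 2]`.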
Empty file.
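--- a/...ions_alarm_state_configured/cloudwatch_alarm_actions_alarm_state_configured.metadata.json
+++ b/...ions_alarm_state_configured/cloudwatch_alarm_actions_alarm_state_configured.metadata.json
@@ -0,0 +1,32 @@
+{
+  "Provider": "aws",
+  "CheckID": "cloudwatch_alarm_actions_alarm_state_configured",
+  "CheckTitle": "Check if CloudWatch alarms have specified actions configured for the ALARM state.",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices"
+  ],
+  "ServiceName": "cloudwatch",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:aws:cloudwatch:region:account-id:alarm/alarm-name",
+  "Severity": "high",
+  "ResourceType": "AwsCloudWatchAlarm",
+  "Description": "This control checks whether an Amazon CloudWatch alarm has at least one action configured for the ALARM state. The control fails if the alarm doesn't have an action configured for the ALARM state.",
+  "Risk": "Without an action configured for the ALARM state, the CloudWatch alarm will not notify you or take any predefined action when a monitored metric goes beyond the defined threshold, potentially delaying responses to critical events.",
+  "RelatedUrl": "https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-actions",
+  "Remediation": {
+    "Code": {
+      "CLI": "aws cloudwatch put-metric-alarm --alarm-name <alarm-name> --alarm-actions <action-arn>",
+      "NativeIaC": "",
+      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-15",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Configure your CloudWatch alarms to trigger actions, such as sending notifications via Amazon SNS, when the alarm state changes to ALARM.",
+      "Url": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudWatch/cloudwatch-alarm-action.html"
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}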
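Review bot: The `"CLI"` remediation `aws cloudwatch put-metric-alarm --alarm-name <alarm-name> --alarm-actions <action-arn>` is not runnable as written: `put-metric-alarm` replaces the whole alarm definition and requires at least `--comparison-operator`, `--evaluation-periods` and the metric (`--metric-name`/`--namespace` or `--metrics`), so an operator who copies it gets a validation error, and one who fills in the rest from memory risks changing the alarm's threshold or period. Safer guidance is to read the current definition back first (`aws cloudwatch describe-alarms --alarm-names <alarm-name>`) and re-issue it unchanged plus `--alarm-actions <action-arn>`; the text should say that. `ResourceIdTemplate` hard-codes the `aws` partition (`arn:aws:cloudwatch:...`) while the autoscaling metadata in this commit uses `arn:partition:...`; GovCloud and China accounts have other partitions, so `arn:partition:cloudwatch:region:account-id:alarm/alarm-name` keeps the template accurate.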
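--- a/...h_alarm_actions_alarm_state_configured/cloudwatch_alarm_actions_alarm_state_configured.py
+++ b/...h_alarm_actions_alarm_state_configured/cloudwatch_alarm_actions_alarm_state_configured.py
@@ -0,0 +1,22 @@
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.cloudwatch.cloudwatch_client import (
+    cloudwatch_client,
+)
+
+
+class cloudwatch_alarm_actions_alarm_state_configured(Check):
+    def execute(self):
+        findings = []
+        for metric_alarm in cloudwatch_client.metric_alarms:
+            report = Check_Report_AWS(self.metadata())
+            report.region = metric_alarm.region
+            report.resource_id = metric_alarm.name
+            report.resource_arn = metric_alarm.arn
+            report.resource_tags = metric_alarm.tags
+            report.status = "PASS"
+            report.status_extended = f"CloudWatch metric alarm {metric_alarm.name} has actions configured for the ALARM state."
+            if not metric_alarm.alarm_actions:
+                report.status = "FAIL"
+                report.status_extended = f"CloudWatch metric alarm {metric_alarm.name} does not have actions configured for the ALARM state."
+            findings.append(report)
+        return findings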
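Review bot: `if not metric_alarm.alarm_actions:` is the only condition, so an alarm whose ALARM actions are configured but whose `ActionsEnabled` flag is off is a PASS here; that is presumably deliberate because `cloudwatch_alarm_actions_enabled` in the same commit covers it, but nothing in this file says so and the next reader may "fix" it. A docstring on `execute` pinning the contract would help: `"""Fail metric alarms with no ALARM-state action configured; whether actions are enabled is judged by cloudwatch_alarm_actions_enabled."""`. The loop walks `cloudwatch_client.metric_alarms` only, so composite alarms appear not to be evaluated although the metadata title speaks of "CloudWatch alarms" generally — if the client exposes no composite-alarm collection, a `# NOTE: composite alarms are not inspected` comment makes the gap explicit.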
Empty file.
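--- a/...loudwatch/cloudwatch_alarm_actions_enabled/cloudwatch_alarm_actions_enabled.metadata.json
+++ b/...loudwatch/cloudwatch_alarm_actions_enabled/cloudwatch_alarm_actions_enabled.metadata.json
@@ -0,0 +1,32 @@
+{
+  "Provider": "aws",
+  "CheckID": "cloudwatch_alarm_actions_enabled",
+  "CheckTitle": "Check if CloudWatch alarms have actions enabled",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices"
+  ],
+  "ServiceName": "cloudwatch",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:aws:cloudwatch:region:account-id:alarm/alarm-name",
+  "Severity": "high",
+  "ResourceType": "AwsCloudWatchAlarm",
+  "Description": "Alarm actions automatically alert you when a monitored metric is outside the defined threshold. If the alarm action is deactivated, no actions are run when the alarm changes state, and you won't be alerted to changes in monitored metrics. We recommend activating CloudWatch alarm actions to help you quickly respond to security and operational issues.",
+  "Risk": "Without active alarm actions, you may not be alerted to security or operational issues, potentially leading to delayed responses and increased risk.",
+  "RelatedUrl": "https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-actions",
+  "Remediation": {
+    "Code": {
+      "CLI": "aws cloudwatch enable-alarm-actions --alarm-names <alarm-name>",
+      "NativeIaC": "",
+      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-17",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Ensure that all CloudWatch alarms have at least one action configured. This can include sending notifications to SNS topics, invoking Lambda functions, or triggering other AWS services.",
+      "Url": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudWatch/cloudwatch-alarm-action-activated.html"
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}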
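Review bot: `Recommendation.Text` describes the wrong control: "Ensure that all CloudWatch alarms have at least one action configured" is the contract of `cloudwatch_alarm_actions_alarm_state_configured`, whereas this check — per its title, Description and the `enable-alarm-actions` CLI — is about the `ActionsEnabled` flag, so an alarm can satisfy the recommendation as written and still fail here. Suggested text: `"Ensure that alarm actions are enabled on every CloudWatch alarm so that its configured ALARM, OK and INSUFFICIENT_DATA actions actually run; re-enable them with enable-alarm-actions after any temporary suppression."`. `ResourceIdTemplate` also hard-codes `arn:aws:` where the autoscaling metadata in this commit uses `arn:partition:`, which matters for GovCloud and China partitions.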
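--- a/.../services/cloudwatch/cloudwatch_alarm_actions_enabled/cloudwatch_alarm_actions_enabled.py
+++ b/.../services/cloudwatch/cloudwatch_alarm_actions_enabled/cloudwatch_alarm_actions_enabled.py
@@ -0,0 +1,24 @@
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.cloudwatch.cloudwatch_client import (
+    cloudwatch_client,
+)
+
+
+class cloudwatch_alarm_actions_enabled(Check):
+    def execute(self):
+        findings = []
+        for metric_alarm in cloudwatch_client.metric_alarms:
+            report = Check_Report_AWS(self.metadata())
+            report.region = metric_alarm.region
+            report.resource_id = metric_alarm.name
+            report.resource_arn = metric_alarm.arn
+            report.resource_tags = metric_alarm.tags
+            report.status = "PASS"
+            report.status_extended = (
+                f"CloudWatch metric alarm {metric_alarm.name} has actions enabled."
+            )
+            if not metric_alarm.actions_enabled:
+                report.status = "FAIL"
+                report.status_extended = f"CloudWatch metric alarm {metric_alarm.name} does not have actions enabled."
+            findings.append(report)
+        return findings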
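Review bot: `if not metric_alarm.actions_enabled:` turns any falsy value into a FAIL, so if the service model (outside this hunk) leaves `actions_enabled` as `None` when `DescribeAlarms` omits the field, the alarm is reported as non-compliant rather than as an inventory gap — `ActionsEnabled` is a boolean in the API response so this should be rare, but it is worth confirming the model defaults it to a `bool` instead of relying on truthiness here. An alarm with the flag on but no actions at all is a PASS in this check, which is fine only because `cloudwatch_alarm_actions_alarm_state_configured` in the same commit catches it; a docstring on `execute` should record that split: `"""Fail metric alarms whose ActionsEnabled flag is off; alarms with no actions configured are reported by cloudwatch_alarm_actions_alarm_state_configured."""`.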
Empty file.
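--- a/...debuild/codebuild_project_logging_enabled/codebuild_project_logging_enabled.metadata.json
+++ b/...debuild/codebuild_project_logging_enabled/codebuild_project_logging_enabled.metadata.json
@@ -0,0 +1,32 @@
+{
+  "Provider": "aws",
+  "CheckID": "codebuild_project_logging_enabled",
+  "CheckTitle": "Ensure that CodeBuild projects have S3 or CloudWatch logging enabled",
+  "CheckType": [],
+  "ServiceName": "codebuild",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "Severity": "medium",
+  "ResourceType": "AwsCodeBuildProject",
+  "Description": "Ensure that CodeBuild projects have S3 or CloudWatch logging enabled.",
+  "Risk": "Without logging, tracking and investigating security incidents in CodeBuild projects becomes challenging, reducing confidence in threat detections.",
+  "RelatedUrl": "https://docs.aws.amazon.com/codebuild/latest/userguide/change-project.html#change-project-console-logs",
+  "Remediation": {
+    "Code": {
+      "CLI": "aws codebuild update-project --name <project-name> --logs-config \"cloudWatchLogs={status=ENABLED},s3Logs={status=ENABLED\"}",
+      "NativeIaC": "",
+      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/codebuild-controls.html#codebuild-4",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Enable logging for CodeBuild projects to capture build events and logs for future analysis and incident response.",
+      "Url": "https://docs.aws.amazon.com/codebuild/latest/userguide/change-project.html#change-project-console-logs"
+    }
+  },
+  "Categories": [
+    "logging"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}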
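Review bot: The `"CLI"` remediation has its closing quote misplaced — `s3Logs={status=ENABLED\"}` ends the quoted argument before the brace, so the command does not parse as written, and `s3Logs` with `status=ENABLED` also needs a `location`. Since the check passes with either destination, the CloudWatch-only form is enough and avoids implying both are required: `"CLI": "aws codebuild update-project --name <project-name> --logs-config \"cloudWatchLogs={status=ENABLED}\""`. `CheckType` is left as `[]` while the other metadata files in this commit use `"Software and Configuration Checks/AWS Security Best Practices"`, and `ResourceIdTemplate` is the generic placeholder rather than `arn:partition:codebuild:region:account-id:project/project-name`; both are cheap to align now.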
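--- a/...services/codebuild/codebuild_project_logging_enabled/codebuild_project_logging_enabled.py
+++ b/...services/codebuild/codebuild_project_logging_enabled/codebuild_project_logging_enabled.py
@@ -0,0 +1,30 @@
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.codebuild.codebuild_client import codebuild_client
+
+
+class codebuild_project_logging_enabled(Check):
+    def execute(self):
+        findings = []
+        for project in codebuild_client.projects.values():
+            report = Check_Report_AWS(self.metadata())
+            report.resource_id = project.name
+            report.resource_arn = project.arn
+            report.region = project.region
+            report.resource_tags = project.tags
+            report.status = "PASS"
+
+            if project.cloudwatch_logs.enabled and project.s3_logs.enabled:
+                report.status_extended = f"CodeBuild project {project.name} has enabled CloudWartch logs in log group {project.cloudwatch_logs.group_name} and S3 logs in bucket {project.s3_logs.bucket_location}."
+            elif project.cloudwatch_logs.enabled:
+                report.status_extended = f"CodeBuild project {project.name} has CloudWatch logging enabled in log group {project.cloudwatch_logs.group_name}."
+            elif project.s3_logs.enabled:
+                report.status_extended = f"CodeBuild project {project.name} has S3 logging enabled in bucket {project.s3_logs.bucket_location}."
+            else:
+                report.status = "FAIL"
+                report.status_extended = (
+                    f"CodeBuild project {project.name} does not have logging enabled."
+                )
+
+            findings.append(report)
+
+        return findings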
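Review bot: The status message on the both-enabled branch misspells the service ("CloudWartch") and its phrasing differs from the two sibling branches; since `status_extended` is what operators and compliance exports see, it should read `report.status_extended = f"CodeBuild project {project.name} has CloudWatch logging enabled in log group {project.cloudwatch_logs.group_name} and S3 logging enabled in bucket {project.s3_logs.bucket_location}."`. `group_name` and `bucket_location` are interpolated without a guard, so if the service model leaves them empty when a destination is enabled but not yet configured the finding reads "in log group None" — worth confirming in the service class, which is outside this hunk. A one-line docstring on `execute`, `"""PASS if CloudWatch Logs or S3 logging is enabled on the project; FAIL only when both are off."""`, would pin the either/or semantics the metadata title promises.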
Empty file.