-
Notifications
You must be signed in to change notification settings - Fork 1.5k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'master' into PRWLR-4859-review-logic-for-public-resources
- Loading branch information
Showing
35 changed files
with
1,447 additions
and
638 deletions.
There are no files selected for viewing
Empty file.
35 changes: 35 additions & 0 deletions
35
...ild/codebuild_project_s3_logs_encrypted/codebuild_project_s3_logs_encrypted.metadata.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,35 @@ | ||
{ | ||
"Provider": "aws", | ||
"CheckID": "codebuild_project_s3_logs_encrypted", | ||
"CheckTitle": "Ensure S3 Logs for CodeBuild Projects are encrypted at rest.", | ||
"CheckType": [ | ||
"Effects/Data Exposure" | ||
], | ||
"ServiceName": "codebuild", | ||
"SubServiceName": "", | ||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id", | ||
"Severity": "low", | ||
"ResourceType": "AwsCodeBuildProject", | ||
"Description": "Ensure that the S3 logs for CodeBuild projects are encrypted at rest.", | ||
"Risk": "If the logs are not encrypted, sensitive information could be exposed to unauthorized users.", | ||
"RelatedUrl": "https://docs.aws.amazon.com/codebuild/latest/userguide/change-project.html#change-project-console-logs", | ||
"Remediation": { | ||
"Code": { | ||
"CLI": "aws codebuild update-project --name <project-name> --logs-config \"s3Logs={status=ENABLED, location=<bucket-name>/<path>, encryptionDisabled=false\"}", | ||
"NativeIaC": "", | ||
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/codebuild-controls.html#codebuild-3", | ||
"Terraform": "" | ||
}, | ||
"Recommendation": { | ||
"Text": "Ensure that the CodeBuild project's S3 logs are encrypted at rest by setting the `encryptionDisabled` parameter to `false` in the `s3Logs` configuration.", | ||
"Url": "https://docs.aws.amazon.com/codebuild/latest/userguide/change-project.html#change-project-console-logs" | ||
} | ||
}, | ||
"Categories": [ | ||
"encryption", | ||
"logging" | ||
], | ||
"DependsOn": [], | ||
"RelatedTo": [], | ||
"Notes": "" | ||
} |
23 changes: 23 additions & 0 deletions
23
...ices/codebuild/codebuild_project_s3_logs_encrypted/codebuild_project_s3_logs_encrypted.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
from prowler.lib.check.models import Check, Check_Report_AWS | ||
from prowler.providers.aws.services.codebuild.codebuild_client import codebuild_client | ||
|
||
|
||
class codebuild_project_s3_logs_encrypted(Check): | ||
def execute(self): | ||
findings = [] | ||
for project in codebuild_client.projects.values(): | ||
if project.s3_logs.enabled: | ||
report = Check_Report_AWS(self.metadata()) | ||
report.resource_id = project.name | ||
report.resource_arn = project.arn | ||
report.region = project.region | ||
report.resource_tags = project.tags | ||
report.status = "PASS" | ||
report.status_extended = f"CodeBuild project {project.name} has encrypted S3 logs stored in {project.s3_logs.bucket_location}." | ||
if not project.s3_logs.encrypted: | ||
report.status = "FAIL" | ||
report.status_extended = f"CodeBuild project {project.name} does not have encrypted S3 logs stored in {project.s3_logs.bucket_location}." | ||
|
||
findings.append(report) | ||
|
||
return findings |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Empty file.
Oops, something went wrong.