#!/usr/bin/env bash

# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.

GROUP_ID[18]='iso27001'
GROUP_NUMBER[18]='18.0'
GROUP_TITLE[18]='ISO 27001:2013 Readiness - ONLY AS REFERENCE - [iso27001] *****'
GROUP_RUN_BY_DEFAULT[18]='N' # run it when execute_all is called
GROUP_CHECKS[18]='check11,check110,check111,check112,check113,check114,check115,check116,check119,check12,check122,check13,check14,check15,check16,check17,check18,check19,check21,check22,check23,check24,check25,check26,check27,check28,check29,check31,check310,check311,check312,check313,check314,check32,check33,check34,check35,check36,check37,check38,check39,check41,check42,check43,check44,extra71,extra710,extra7100,extra711,extra7113,extra7123,extra7125,extra7126,extra7128,extra7129,extra713,extra714,extra7130,extra718,extra719,extra72,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra731,extra73,extra731,extra735,extra739,extra74,extra741,extra747,extra748,extra75,extra757,extra758,extra759,extra76,extra760,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra77,extra771,extra772,extra774,extra776,extra777,extra778,extra78,extra789,extra79,extra790,extra792,extra793,extra794,extra795,extra796,extra798'

# #	Category	Objective ID	Objective Name	Prowler check ID	Check Summary
# 1		A.9 Access Control	A.9.2	User Access Management	check122	Ensure IAM policies that allow full "*:*" administrative privileges are not created.
# 2		A.9 Access Control	A.9.2	User Access Management	check111	Ensure IAM password policy expires passwords within 90 days or less
# 3		A.9 Access Control	A.9.2	User Access Management	check110	Ensure IAM password policy prevents password reuse
# 4		A.9 Access Control	A.9.2	User Access Management	check19	Ensure IAM password policy requires minimum length of 14 or greater
# 5		A.9 Access Control	A.9.2	User Access Management	check18	Ensure IAM password policy require at least one number
# 6		A.9 Access Control	A.9.2	User Access Management	check17	Ensure IAM password policy require at least one symbol
# 7		A.9 Access Control	A.9.2	User Access Management	check16	Ensure IAM password policy require at least one lowercase letter
# 8		A.9 Access Control	A.9.2	User Access Management	check15	Ensure IAM password policy requires at least one uppercase letter
# 9		A.9 Access Control	A.9.2	User Access Management	check11	Avoid the use of the 'root' account
# 10	A.9 Access Control	A.9.2	User Access Management	check116	Ensure IAM policies are attached only to groups or roles
# 11	A.9 Access Control	A.9.2	User Access Management	check12	Ensure multi-factor authentication (MFA) is enabled for all IAM users that have console access
# 12	A.9 Access Control	A.9.2	User Access Management	check114	Ensure MFA is enabled for the 'root' account
# 13	A.9 Access Control	A.9.2	User Access Management	check115	 Ensure security questions are registered in the AWS account
# 14	A.9 Access Control	A.9.2	User Access Management	check14	Ensure access keys are rotated every 90 days or less
# 15	A.9 Access Control	A.9.2	User Access Management	check13	Ensure credentials unused for 90 days or greater are disabled
# 16	A.9 Access Control	A.9.2	User Access Management	check112	Ensure no root account access key exists
# 17	A.9 Access Control	A.9.2	User Access Management	check119	Ensure IAM instance roles are used for AWS resource access from instances
# 18	A.9 Access Control	A.9.2	User Access Management	extra71	Ensure users of groups with AdministratorAccess policy have MFA tokens enabled
# 19	A.9 Access Control	A.9.2	User Access Management	extra7100	Ensure that no custom policies exist which allow permissive role assumption (e.g. sts:AssumeRole on *)
# 20	A.9 Access Control	A.9.2	User Access Management	extra7123	Check if IAM users have two active access keys
# 21	A.9 Access Control	A.9.2	User Access Management	extra7125	Check if IAM users have Hardware MFA enabled.
# 22	A.9 Access Control	A.9.2	User Access Management	extra769	Check if IAM Access Analyzer is enabled and its findings
# 23	A.9 Access Control	A.9.2	User Access Management	extra774	Ensure credentials unused for 30 days or greater are disabled.
# 24	A.9 Access Control	A.9.3	User Responsibilities	check111	Ensure IAM password policy expires passwords within 90 days or less
# 25	A.9 Access Control	A.9.3	User Responsibilities	check110	Ensure IAM password policy prevents password reuse
# 26	A.9 Access Control	A.9.3	User Responsibilities	check19	Ensure IAM password policy requires minimum length of 14 or greater
# 27	A.9 Access Control	A.9.3	User Responsibilities	check18	Ensure IAM password policy require at least one number
# 28	A.9 Access Control	A.9.3	User Responsibilities	check17	Ensure IAM password policy require at least one symbol
# 29	A.9 Access Control	A.9.3	User Responsibilities	check16	Ensure IAM password policy require at least one lowercase letter
# 30	A.9 Access Control	A.9.3	User Responsibilities	check15	Ensure IAM password policy requires at least one uppercase letter
# 31	A.9 Access Control	A.9.3	User Responsibilities	check12	Ensure multi-factor authentication (MFA) is enabled for all IAM users that have console access
# 32	A.9 Access Control	A.9.3	User Responsibilities	check14	Ensure access keys are rotated every 90 days or less
# 33	A.9 Access Control	A.9.3	User Responsibilities	check13	Ensure credentials unused for 90 days or greater are disabled
# 34	A.9 Access Control	A.9.4	System and Application Access Control	check122	Ensure IAM policies that allow full "*:*" administrative privileges are not created.
# 35	A.9 Access Control	A.9.4	System and Application Access Control	check111	Ensure IAM password policy expires passwords within 90 days or less
# 36	A.9 Access Control	A.9.4	System and Application Access Control	check110	Ensure IAM password policy prevents password reuse
# 37	A.9 Access Control	A.9.4	System and Application Access Control	check19	Ensure IAM password policy requires minimum length of 14 or greater
# 38	A.9 Access Control	A.9.4	System and Application Access Control	check18	Ensure IAM password policy require at least one number
# 39	A.9 Access Control	A.9.4	System and Application Access Control	check17	Ensure IAM password policy require at least one symbol
# 40	A.9 Access Control	A.9.4	System and Application Access Control	check16	Ensure IAM password policy require at least one lowercase letter
# 41	A.9 Access Control	A.9.4	System and Application Access Control	check15	Ensure IAM password policy requires at least one uppercase letter
# 42	A.9 Access Control	A.9.4	System and Application Access Control	check11	Avoid the use of the 'root' account
# 43	A.9 Access Control	A.9.4	System and Application Access Control	check116	Ensure IAM policies are attached only to groups or roles
# 44	A.9 Access Control	A.9.4	System and Application Access Control	check12	Ensure multi-factor authentication (MFA) is enabled for all IAM users that have console access
# 45	A.9 Access Control	A.9.4	System and Application Access Control	check113	Ensure MFA is enabled for the 'root' account
# 46	A.9 Access Control	A.9.4	System and Application Access Control	check14	Ensure access keys are rotated every 90 days or less
# 47	A.9 Access Control	A.9.4	System and Application Access Control	check13	Ensure credentials unused for 90 days or greater are disabled
# 48	A.9 Access Control	A.9.4	System and Application Access Control	check112	Ensure no root account access key exists
# 55    A.9 Access Control	A.9.4	System and Application Access Control	extra711	Check if Redshift cluster is Public Accessible
# 49	A.9 Access Control	A.9.4	System and Application Access Control	extra7113	Check if RDS instances have deletion protection enabled
# 50	A.9 Access Control	A.9.4	System and Application Access Control	extra72	Ensure there are no EBS Snapshots set as Public
# 51	A.9 Access Control	A.9.4	System and Application Access Control	extra723	Check if RDS Snapshots and Cluster Snapshots are public
# 52    A.9 Access Control	A.9.4	System and Application Access Control	extra727	Check if SQS queues have policy set as Public
# 53    A.9 Access Control	A.9.4	System and Application Access Control	extra73	Ensure there are no S3 buckets open to Everyone or Any AWS user
# 54    A.9 Access Control	A.9.4	System and Application Access Control	extra731	Check if SNS topics have policy set as Public
# 56    A.9 Access Control	A.9.4	System and Application Access Control	extra76	Ensure there are no EC2 AMIs set as Public
# 57    A.9 Access Control	A.9.4	System and Application Access Control	extra77 Ensure there are no ECR repositories set as Public
# 58    A.9 Access Control	A.9.4	System and Application Access Control	extra771 Check if S3 buckets have policies which allow WRITE access
# 59    A.9 Access Control	A.9.4	System and Application Access Control	extra795 Ensure EKS Clusters are created with Private Endpoint Enabled and Public Access Disabled
# 60    A.9 Access Control	A.9.4	System and Application Access Control	extra796 Restrict Access to the EKS Control Plane Endpoint
# 61	A.10 Cryptography	A.10.1	Cryptographic Controls	extra735	Setup Encryption at rest for RDS instances
# 62	A.10 Cryptography	A.10.1	Cryptographic Controls	extra792	Check if Elastic Load Balancers have insecure SSL ciphers
# 63	A.10 Cryptography	A.10.1	Cryptographic Controls	check37	Detect Customer Master Keys (CMKs) scheduled for deletion
# 64	A.10 Cryptography	A.10.1	Cryptographic Controls	check27	Ensure CloudTrail logs are encrypted at rest using KMS CMKs
# 65	A.10 Cryptography	A.10.1	Cryptographic Controls	check28	Ensure rotation for customer created KMS CMKs is enabled
# 66	A.10 Cryptography	A.10.1	Cryptographic Controls	extra7126	Check if there are CMK KMS keys not used
# 67	A.10 Cryptography	A.10.1	Cryptographic Controls	extra7128	Check if DynamoDB table has encryption at rest enabled using CMK KMS
# 68	A.10 Cryptography	A.10.1	Cryptographic Controls	extra7130	Ensure there are no SNS Topics unencrypted
# 69	A.10 Cryptography	A.10.1	Cryptographic Controls	extra724	Check if ACM certificates have Certificate Transparency logging enabled
# 70	A.10 Cryptography	A.10.1	Cryptographic Controls	extra728	Check if SQS queues have Server Side Encryption enabled
# 71	A.10 Cryptography	A.10.1	Cryptographic Controls	extra729	Ensure there are no EBS Volumes unencrypted
# 72	A.10 Cryptography	A.10.1	Cryptographic Controls	extra761	Check if EBS Default Encryption is activated
# 73	A.10 Cryptography	A.10.1	Cryptographic Controls	extra764	Check if S3 buckets have secure transport policy
# 74	A.10 Cryptography	A.10.1	Cryptographic Controls	extra767	Check if CloudFront distributions have Field Level Encryption enabled
# 75	A.10 Cryptography	A.10.1	Cryptographic Controls	extra791	Check if CloudFront distributions are using deprecated SSL protocols
# 76	A.10 Cryptography	A.10.1	Cryptographic Controls	extra793	Check if Elastic Load Balancers have SSL listeners
# 77	A.12 Operations Security	A.12.3	Information Backup	extra739	Check if RDS instances have backup enabled
# 78	A.12 Operations Security	A.12.4	Logging and Monitoring	check314	Ensure a log metric filter and alarm exist for VPC changes
# 79	A.12 Operations Security	A.12.4	Logging and Monitoring	check313	Ensure a log metric filter and alarm exist for route table changes
# 80	A.12 Operations Security	A.12.4	Logging and Monitoring	check312	Ensure a log metric filter and alarm exist for changes to network gateways
# 81	A.12 Operations Security	A.12.4	Logging and Monitoring	check311	Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
# 82	A.12 Operations Security	A.12.4	Logging and Monitoring	check310	Ensure a log metric filter and alarm exist for security group changes
# 83	A.12 Operations Security	A.12.4	Logging and Monitoring	check39	Ensure a log metric filter and alarm exist for AWS Config configuration changes
# 84	A.12 Operations Security	A.12.4	Logging and Monitoring	check39	Check if CloudFront distributions have logging enabled
# 85	A.12 Operations Security	A.12.4	Logging and Monitoring	extra719	Check if Route53 public hosted zones are logging queries to CloudWatch Logs
# 86	A.12 Operations Security	A.12.4	Logging and Monitoring	extra720	 Check if Lambda functions invoke API operations are being recorded by CloudTrail 
# 87	A.12 Operations Security	A.12.4	Logging and Monitoring	extra722	 Check if API Gateway has logging enabled
# 88	A.12 Operations Security	A.12.4	Logging and Monitoring	check38	Ensure a log metric filter and alarm exist for S3 bucket policy changes
# 89	A.12 Operations Security	A.12.4	Logging and Monitoring	check37	Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
# 90	A.12 Operations Security	A.12.4	Logging and Monitoring	check36	Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
# 91	A.12 Operations Security	A.12.4	Logging and Monitoring	check35	Ensure a log metric filter and alarm exist for CloudTrail configuration changes
# 92	A.12 Operations Security	A.12.4	Logging and Monitoring	check34	Ensure a log metric filter and alarm exist for IAM policy changes
# 93	A.12 Operations Security	A.12.4	Logging and Monitoring	check33	Ensure a log metric filter and alarm exist for usage of "root" account
# 94	A.12 Operations Security	A.12.4	Logging and Monitoring	check32	Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
# 95	A.12 Operations Security	A.12.4	Logging and Monitoring	check31	Ensure a log metric filter and alarm exist for unauthorized API calls
# 96	A.12 Operations Security	A.12.4	Logging and Monitoring	check26	Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
# 97	A.12 Operations Security	A.12.4	Logging and Monitoring	check25	Ensure AWS Config is enabled in all regions
# 98	A.12 Operations Security	A.12.4	Logging and Monitoring	check24	Ensure CloudTrail trails are integrated with CloudWatch Logs
# 99	A.12 Operations Security	A.12.4	Logging and Monitoring	check29	Ensure VPC flow logging is enabled in all VPCs
#100 	A.12 Operations Security	A.12.4	Logging and Monitoring	check23	Ensure the S3 bucket CloudTrail logs to is not publicly accessible
#101	A.12 Operations Security	A.12.4	Logging and Monitoring	check21	Ensure CloudTrail is enabled in all regions
#102	A.12 Operations Security	A.12.4	Logging and Monitoring	check21	Ensure CloudTrail is enabled in all regions
#103	A.12 Operations Security	A.12.4	Logging and Monitoring	extra725	Check if S3 buckets have Object-level logging enabled in CloudTrail
#104	A.12 Operations Security	A.12.4	Logging and Monitoring	extra794	Ensure EKS Control Plane Audit Logging is enabled for all log types
#105	A.12 Operations Security	A.12.4	Logging and Monitoring	extra747	Check if RDS instances is integrated with CloudWatch Logs
#106	A.12 Operations Security	A.12.4	Logging and Monitoring	extra718	Check if S3 buckets have server access logging enabled
#107	A.12 Operations Security	A.12.6	Technical Vulnerability Management	check43	Ensure the default security group of every VPC restricts all traffic
#108	A.12 Operations Security	A.12.6	Technical Vulnerability Management	check42	Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389
#109	A.12 Operations Security	A.12.6	Technical Vulnerability Management	check41	Ensure no security groups allow ingress from 0.0.0.0/0 to port 22
#110	A.12 Operations Security	A.12.6	Technical Vulnerability Management	extra76	Check for publicly shared AMIs
#111	A.12 Operations Security	A.12.6	Technical Vulnerability Management	extra72	Ensure EBS snapshots are not publicly accessible
#112	A.12 Operations Security	A.12.6	Technical Vulnerability Management	extra731	Ensure SNS topics do not allow global send or subscribe
#113	A.12 Operations Security	A.12.6	Technical Vulnerability Management	extra711	Ensure Redshift clusters do not have a public endpoint
#114	A.12 Operations Security	A.12.6	Technical Vulnerability Management	extra723	Ensure RDS snapshots are not publicly accessible
#115	A.12 Operations Security	A.12.6	Technical Vulnerability Management	extra78	Ensure RDS instances are not accessible to the world.
#116	A.12 Operations Security	A.12.6	Technical Vulnerability Management	check23	Ensure the S3 bucket CloudTrail logs to is not publicly accessible
#117	A.12 Operations Security	A.12.6	Technical Vulnerability Management	extra713	Check if GuardDuty is enabled
#118	A.12 Operations Security	A.12.6	Technical Vulnerability Management	extra726	Check Trusted Advisor for errors and warnings
#119	A.12 Operations Security	A.12.6	Technical Vulnerability Management	extra776	Check if ECR image scan found vulnerabilities in the newest image version 
#120	A.13 Communications Security	A.13.1	Network Security Management	check43	Ensure the default security group of every VPC restricts all traffic
#121	A.13 Communications Security	A.13.1	Network Security Management	check42	Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389
#122	A.13 Communications Security	A.13.1	Network Security Management	check41	Ensure no security groups allow ingress from 0.0.0.0/0 to port 22
#123	A.13 Communications Security	A.13.1	Network Security Management	extra72	Ensure EBS snapshots are not publicly accessible
#124	A.13 Communications Security	A.13.1	Network Security Management	extra731	Ensure SNS topics do not allow global send or subscribe
#125	A.13 Communications Security	A.13.1	Network Security Management	extra711	Ensure Redshift clusters do not have a public endpoint
#126	A.13 Communications Security	A.13.1	Network Security Management	extra723	Ensure RDS snapshots are not publicly accessible
#127	A.13 Communications Security	A.13.1	Network Security Management	extra78	Ensure RDS instances are not accessible to the world.
#128	A.13 Communications Security	A.13.1	Network Security Management	extra798	Ensure Lambda Functions are not publicly accessible
#129	A.13 Communications Security	A.13.1	Network Security Management	check44	Ensure routing tables for VPC peering are \"least access\"
#130	A.13 Communications Security	A.13.1	Network Security Management	extra710	Check for internet facing EC2 Instances
#131	A.13 Communications Security	A.13.1	Network Security Management	extra711	Check for Publicly Accessible Redshift Clusters
#132	A.13 Communications Security	A.13.1	Network Security Management	extra748	Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to any port
#133	A.13 Communications Security	A.13.1	Network Security Management	extra7129	Check if Application Load Balancer has a WAF ACL attached
#134	A.13 Communications Security	A.13.1	Network Security Management	extra74	Ensure there are no Security Groups without ingress filtering being used
#135	A.13 Communications Security	A.13.1	Network Security Management	extra777	Find VPC security groups with many ingress or egress rules
#136	A.13 Communications Security	A.13.1	Network Security Management	extra778	Find VPC security groups with wide-open public IPv4 CIDR ranges (non-RFC1918)
#137	A.13 Communications Security	A.13.1	Network Security Management	extra789	Find trust boundaries in VPC endpoint services connections
#138	A.13 Communications Security	A.13.1	Network Security Management	extra79	Check for internet facing Elastic Load Balancers
#139	A.13 Communications Security	A.13.1	Network Security Management	extra790	Find trust boundaries in VPC endpoint services whitelisted principles
#140	A.13 Communications Security	A.13.1	Network Security Management	extra78	Ensure there are no Public Accessible RDS instances
#141    A.14 System acquisition, dev & maintenance A.14.2 Security in Dev & Support	extra731 Check if SNS topics have policy set as Public
#142    A.14 System acquisition, dev & maintenance A.14.2 Security in Dev & Support	extra741 Find secrets in EC2 User Data
#143    A.14 System acquisition, dev & maintenance A.14.2 Security in Dev & Support	extra75 Ensure there are no Security Groups not being used
#144    A.14 System acquisition, dev & maintenance A.14.2 Security in Dev & Support	extra757 Check EC2 Instances older than 6 months
#145    A.14 System acquisition, dev & maintenance A.14.2 Security in Dev & Support	extra758 Check EC2 Instances older than 12 months
#146    A.14 System acquisition, dev & maintenance A.14.2 Security in Dev & Support	extra759 Find secrets in Lambda functions variables
#147    A.14 System acquisition, dev & maintenance A.14.2 Security in Dev & Support	extra760 Find secrets in Lambda functions code
#148    A.14 System acquisition, dev & maintenance A.14.2 Security in Dev & Support	extra762 Find obsolete Lambda runtimes
#149    A.14 System acquisition, dev & maintenance A.14.2 Security in Dev & Support	extra765 Check if ECR image scan on push is enabled
#150    A.14 System acquisition, dev & maintenance A.14.2 Security in Dev & Support	extra768 Find secrets in ECS task definitions variables
#151    A.14 System acquisition, dev & maintenance A.14.2 Security in Dev & Support	extra772 Check if elastic IPs are unused
#152    A.18 Compliance	A.18.1	Compliance with Legal and Regulatory Reqs	check22 Ensure CloudTrail log file validation is enabled
#153    A.18 Compliance	A.18.1	Compliance with Legal and Regulatory Reqs	extra721 Check if Redshift cluster has audit logging enabled
#154    A.18 Compliance	A.18.1	Compliance with Legal and Regulatory Reqs	extra763 Check if S3 buckets have object versioning enabled
