Merge pull request #2 from toniblyx/master

Added more screenshots and report samples
This commit is contained in:
Toni de la Fuente
2016-09-14 13:36:18 -04:00
committed by GitHub

README.md

@@ -88,8 +88,269 @@ USAGE:
## Screenshot
- Sample screenshot of report first lines:
<img width="1125" alt="screenshot 2016-09-13 16 05 42" src="https://cloud.githubusercontent.com/assets/3985464/18489640/50fe6824-79cc-11e6-8a9c-e788b88a8a6b.png">
- Sample screnshot of single check for check 3.3:
<img width="1006" alt="screenshot 2016-09-14 13 20 46" src="https://cloud.githubusercontent.com/assets/3985464/18522590/a04ca9a6-7a7e-11e6-8730-b545c9204990.png">
- Sample of a full report:
```
$ ./prowler
_
_ __ _ __ _____ _| | ___ _ __
| '_ \| '__/ _ \ \ /\ / / |/ _ \ '__|
| |_) | | | (_) \ V V /| | __/ |
| .__/|_| \___/ \_/\_/ |_|\___|_|
|_| CIS based AWS Account Hardening Tool
Date: Wed Sep 14 13:30:13 EDT 2016
This report is being generated using credentials below:
AWS-CLI Profile: [default] AWS Region: [us-east-1]
--------------------------------------------------------------------------------------
| GetCallerIdentity |
+--------------+-------------------------------------------+-------------------------+
| Account | Arn | UserId |
+--------------+-------------------------------------------+-------------------------+
| XXXXXXXXXXXX| arn:aws:iam::XXXXXXXXXXXX:user/toni | XXXXXXXXXXXXXXXXXXXXX |
+--------------+-------------------------------------------+-------------------------+
Colors Code for results: INFORMATIVE, OK (RECOMMENDED VALUE), CRITICAL (FIX REQUIRED)
Generating AWS IAM Credential Report....COMPLETE
1 Identity and Access Management *********************************
1.1 Avoid the use of the root account (Scored). Last time root account was used
(password last used, access_key_1_last_used, access_key_2_last_used):
2016-08-11T20:59:27+00:00, N/A, N/A
1.2 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)
List of users with Password enabled but MFA disabled:
toni
1.3 Ensure credentials unused for 90 days or greater are disabled (Scored)
User list:
toni
1.4 Ensure access keys are rotated every 90 days or less (Scored)
Users with access key 1 older than 90 days:
<root_account>
Users with access key 2 older than 90 days:
1.5 Ensure IAM password policy requires at least one uppercase letter (Scored)
FALSE
1.6 Ensure IAM password policy require at least one lowercase letter (Scored)
FALSE
1.7 Ensure IAM password policy require at least one symbol (Scored)
FALSE
1.8 Ensure IAM password policy require at least one number (Scored)
FALSE
1.9 Ensure IAM password policy requires minimum length of 14 or greater (Scored)
FALSE
1.10 Ensure IAM password policy prevents password reuse (Scored)
FALSE
1.11 Ensure IAM password policy expires passwords within 90 days or less (Scored)
FALSE
1.12 Ensure no root account access key exists (Scored)
Found access key 1
OK No access key 2 found
1.13 Ensure hardware MFA is enabled for the root account (Scored)
OK
1.14 Ensure security questions are registered in the AWS account (Not Scored)
No command available for check 1.14
Login to the AWS Console as root, click on the Account
Name -> My Account -> Configure Security Challenge Questions
1.15 Ensure IAM policies are attached only to groups or roles (Scored)
Users with policy attached to them instead to groups: (it may take few seconds...)
toni
2 Logging ********************************************************
2.1 Ensure CloudTrail is enabled in all regions (Scored)
FALSE
2.2 Ensure CloudTrail log file validation is enabled (Scored)
FALSE
2.3 Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)
WARNING! CloudTrail bucket doesn't exist!
2.4 Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)
WARNING! No CloudTrail trails found!
2.5 Ensure AWS Config is enabled in all regions (Scored)
WARNING! Region ap-south-1 has AWS Config disabled or not configured
WARNING! Region eu-west-1 has AWS Config disabled or not configured
WARNING! Region ap-southeast-1 has AWS Config disabled or not configured
WARNING! Region ap-southeast-2 has AWS Config disabled or not configured
WARNING! Region eu-central-1 has AWS Config disabled or not configured
WARNING! Region ap-northeast-2 has AWS Config disabled or not configured
WARNING! Region ap-northeast-1 has AWS Config disabled or not configured
WARNING! Region us-east-1 has AWS Config disabled or not configured
WARNING! Region sa-east-1 has AWS Config disabled or not configured
WARNING! Region us-west-1 has AWS Config disabled or not configured
WARNING! Region us-west-2 has AWS Config disabled or not configured
2.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)
WARNING! CloudTrail bucket doesn't exist!
2.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)
WARNING! CloudTrail bucket doesn't exist!
2.8 Ensure rotation for customer created CMKs is enabled (Scored)
Region ap-south-1 doesn't have encryption keys
Region eu-west-1 doesn't have encryption keys
Region ap-southeast-1 doesn't have encryption keys
Region ap-southeast-2 doesn't have encryption keys
Region eu-central-1 doesn't have encryption keys
Region ap-northeast-2 doesn't have encryption keys
Region ap-northeast-1 doesn't have encryption keys
WARNING! Key a0e988df-bc84-423f-996c-XXXX in Region us-east-1 is not set to rotate!
Region sa-east-1 doesn't have encryption keys
Region us-west-1 doesn't have encryption keys
Region us-west-2 doesn't have encryption keys
3 Monitoring *****************************************************
3.1 Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)
WARNING! No CloudWatch group found, no metric filters or alarms associated
3.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)
WARNING! No CloudWatch group found, no metric filters or alarms associated
3.3 Ensure a log metric filter and alarm exist for usage of root account (Scored)
WARNING! No CloudWatch group found, no metric filters or alarms associated
3.4 Ensure a log metric filter and alarm exist for IAM policy changes (Scored)
WARNING! No CloudWatch group found, no metric filters or alarms associated
3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)
WARNING! No CloudWatch group found, no metric filters or alarms associated
3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)
WARNING! No CloudWatch group found, no metric filters or alarms associated
3.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)
WARNING! No CloudWatch group found, no metric filters or alarms associated
3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)
WARNING! No CloudWatch group found, no metric filters or alarms associated
3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)
WARNING! No CloudWatch group found, no metric filters or alarms associated
3.10 Ensure a log metric filter and alarm exist for security group changes (Scored)
WARNING! No CloudWatch group found, no metric filters or alarms associated
3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored)
WARNING! No CloudWatch group found, no metric filters or alarms associated
3.12 Ensure a log metric filter and alarm exist for changes to network gateways (Scored)
WARNING! No CloudWatch group found, no metric filters or alarms associated
3.13 Ensure a log metric filter and alarm exist for route table changes (Scored)
WARNING! No CloudWatch group found, no metric filters or alarms associated
3.14 Ensure a log metric filter and alarm exist for VPC changes (Scored)
WARNING! No CloudWatch group found, no metric filters or alarms associated
3.15 Ensure security contact information is registered (Scored)
No command available for check 3.15
Login to the AWS Console, click on My Account
Go to Alternate Contacts -> make sure Security section is filled
3.16 Ensure appropriate subscribers to each SNS topic (Not Scored)
Region ap-south-1 doesn't have topics
Region eu-west-1 doesn't have topics
Region ap-southeast-1 doesn't have topics
Region ap-southeast-2 doesn't have topics
Region eu-central-1 doesn't have topics
Region ap-northeast-2 doesn't have topics
Region ap-northeast-1 doesn't have topics
Region us-east-1 doesn't have topics
Region sa-east-1 doesn't have topics
Region us-west-1 doesn't have topics
Region us-west-2 doesn't have topics
4 Networking **************************************************
4.1 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)
OK, No Security Groups found in ap-south-1 with port 22 TCP open to 0.0.0.0/0
OK, No Security Groups found in eu-west-1 with port 22 TCP open to 0.0.0.0/0
OK, No Security Groups found in ap-southeast-1 with port 22 TCP open to 0.0.0.0/0
OK, No Security Groups found in ap-southeast-2 with port 22 TCP open to 0.0.0.0/0
OK, No Security Groups found in eu-central-1 with port 22 TCP open to 0.0.0.0/0
OK, No Security Groups found in ap-northeast-2 with port 22 TCP open to 0.0.0.0/0
OK, No Security Groups found in ap-northeast-1 with port 22 TCP open to 0.0.0.0/0
OK, No Security Groups found in us-east-1 with port 22 TCP open to 0.0.0.0/0
OK, No Security Groups found in sa-east-1 with port 22 TCP open to 0.0.0.0/0
OK, No Security Groups found in us-west-1 with port 22 TCP open to 0.0.0.0/0
OK, No Security Groups found in us-west-2 with port 22 TCP open to 0.0.0.0/0
4.2 Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)
OK, No Security Groups found in ap-south-1 with port 3389 TCP open to 0.0.0.0/0
OK, No Security Groups found in eu-west-1 with port 3389 TCP open to 0.0.0.0/0
OK, No Security Groups found in ap-southeast-1 with port 3389 TCP open to 0.0.0.0/0
OK, No Security Groups found in ap-southeast-2 with port 3389 TCP open to 0.0.0.0/0
OK, No Security Groups found in eu-central-1 with port 3389 TCP open to 0.0.0.0/0
OK, No Security Groups found in ap-northeast-2 with port 3389 TCP open to 0.0.0.0/0
OK, No Security Groups found in ap-northeast-1 with port 3389 TCP open to 0.0.0.0/0
OK, No Security Groups found in us-east-1 with port 3389 TCP open to 0.0.0.0/0
OK, No Security Groups found in sa-east-1 with port 3389 TCP open to 0.0.0.0/0
OK, No Security Groups found in us-west-1 with port 3389 TCP open to 0.0.0.0/0
OK, No Security Groups found in us-west-2 with port 3389 TCP open to 0.0.0.0/0
4.3 Ensure VPC Flow Logging is Enabled in all Applicable Regions (Scored)
WARNING! no VPCFlowLog has been found in Region ap-south-1
WARNING! no VPCFlowLog has been found in Region eu-west-1
WARNING! no VPCFlowLog has been found in Region ap-southeast-1
WARNING! no VPCFlowLog has been found in Region ap-southeast-2
WARNING! no VPCFlowLog has been found in Region eu-central-1
WARNING! no VPCFlowLog has been found in Region ap-northeast-2
WARNING! no VPCFlowLog has been found in Region ap-northeast-1
WARNING! no VPCFlowLog has been found in Region us-east-1
WARNING! no VPCFlowLog has been found in Region sa-east-1
WARNING! no VPCFlowLog has been found in Region us-west-1
WARNING! no VPCFlowLog has been found in Region us-west-2
4.4 Ensure the default security group restricts all traffic (Scored)
WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region ap-south-1
WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region eu-west-1
WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region ap-southeast-1
WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region ap-southeast-2
WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region eu-central-1
WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region ap-northeast-2
WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region ap-northeast-1
OK, no Default Security Groups open to 0.0.0.0 found in Region us-east-1
WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region sa-east-1
WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region us-west-1
OK, no Default Security Groups open to 0.0.0.0 found in Region us-west-2
- For more information and reference:
https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
```
## Troubleshooting
If you are using an STS token for AWS-CLI and your session is expired you probably get this error:
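Review bot: the ASCII banner inside the "Sample of a full report" fence has lost its leading whitespace (the lines `_`, `_ __ _ __ _____ _| | ___ _ __` and `| '_ \| '__/ _ \ ...` no longer line up), so it will not render as the terminal shows it; paste it back with the original indentation, and give the fence a language tag (```text) so Markdown renderers do not try to highlight it. Two smaller points in the same hunk: "Sample screnshot of single check for check 3.3" has a typo ("screenshot"), and since the README cannot show the colour coding the "Colors Code for results" line refers to, a one-line note that OK/FALSE/WARNING! lines are colour-coded only in the terminal would help readers interpret the plain-text sample.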