[bugfix] check122 has to check not only string but also array values of the Action field (#2796)

checks/check122

@@ -32,7 +32,7 @@ check122(){
     for policy in $LIST_CUSTOM_POLICIES; do
       POLICY_ARN=$(awk 'BEGIN{FS=OFS=","}{NF--; print}' <<< "${policy}")
       POLICY_VERSION=$(awk -F ',' '{print $(NF)}' <<< "${policy}")
-      POLICY_WITH_FULL=$($AWSCLI iam get-policy-version --output text --policy-arn $POLICY_ARN --version-id $POLICY_VERSION --query "[PolicyVersion.Document.Statement] | [] | [?Action!=null] | [?Effect == 'Allow' && Resource == '*' && Action == '*']" $PROFILE_OPT --region $REGION)
+      POLICY_WITH_FULL=$($AWSCLI iam get-policy-version --output text --policy-arn $POLICY_ARN --version-id $POLICY_VERSION --query "[PolicyVersion.Document.Statement] | [] | [?Action!=null] | [?Effect == 'Allow' && Resource == '*' && contains(Action, '*')]" $PROFILE_OPT --region $REGION)
       if [[ $POLICY_WITH_FULL ]]; then
         POLICIES_ALLOW_LIST="$POLICIES_ALLOW_LIST $POLICY_ARN"
       else

checks/check_extra7131

@@ -18,15 +18,15 @@ CHECK_SEVERITY_extra7131="Low"
 CHECK_ASFF_RESOURCE_TYPE_extra7131="AwsRdsDbInstance"
 CHECK_ALTERNATE_check7131="extra7131"
 CHECK_SERVICENAME_extra7131="rds"
-CHECK_RISK_extra7131='Auto Minor Version Upgrade is a feature that you can enable to have your database automatically upgraded when a new minor database engine version is available. Minor version upgrades often patch security vulnerabilities and fix bugs; and therefor should be applied.'
-CHECK_REMEDIATION_extra7131='Enable auto minor version upgrade for all databases and environments.'
+CHECK_RISK_extra7131='Auto Minor Version Upgrade is a feature that you can enable to have your relational database automatically upgraded when a new minor database engine version is available. Minor version upgrades often patch security vulnerabilities and fix bugs; and therefor should be applied.'
+CHECK_REMEDIATION_extra7131='Enable auto minor version upgrade for all relational databases and environments.'
 CHECK_DOC_extra7131='https://aws.amazon.com/blogs/database/best-practices-for-upgrading-amazon-rds-to-major-and-minor-versions-of-postgresql/'
 CHECK_CAF_EPIC_extra7131='Infrastructure Security'
 
 extra7131(){
   for regx in $REGIONS; do
     # LIST_OF_RDS_PUBLIC_INSTANCES=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --query 'DBInstances[?PubliclyAccessible==`true` && DBInstanceStatus==`"available"`].[DBInstanceIdentifier,Endpoint.Address]' --output text)
-    LIST_OF_RDS_INSTANCES=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --query 'DBInstances[*].[DBInstanceIdentifier,AutoMinorVersionUpgrade]'  --output text 2>&1)
+    LIST_OF_RDS_INSTANCES=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --query "DBInstances[?Engine != 'docdb'].[DBInstanceIdentifier,AutoMinorVersionUpgrade]"  --output text 2>&1)
     if [[ $(echo "$LIST_OF_RDS_INSTANCES" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
         textInfo "$regx: Access Denied trying to describe DB instances" "$regx"
         continue

iam/create_role_to_assume_cfn.yaml

@@ -56,20 +56,27 @@ Resources:
             - Effect: Allow
               Action:
                 - 'account:Get*'
-                - 'appstream:DescribeFleets'
+                - 'appstream:Describe*'
+                - 'codeartifact:List*'
+                - 'codebuild:BatchGet*'
                 - 'ds:Get*'
                 - 'ds:Describe*'
                 - 'ds:List*'
                 - 'ec2:GetEbsEncryptionByDefault'
                 - 'ecr:Describe*'
                 - 'elasticfilesystem:DescribeBackupPolicy'
+                - 'eks:List*'
                 - 'glue:GetConnections'
                 - 'glue:GetSecurityConfiguration'
                 - 'glue:SearchTables'
                 - 'lambda:GetFunction'
+                - 'macie2:GetMacieSession'
                 - 's3:GetAccountPublicAccessBlock'
+                - 's3:GetEncryptionConfiguration'
+                - 's3:GetPublicAccessBlock'
                 - 'shield:DescribeProtection'
                 - 'shield:GetSubscriptionState'
+                - 'securityhub:BatchImportFindings'
                 - 'ssm:GetDocument'
                 - 'support:Describe*'
                 - 'tag:GetTagKeys'

iam/prowler-additions-policy.json

@@ -4,15 +4,16 @@
         {
             "Action": [
                 "account:Get*",
-                "appstream:DescribeFleets",
-                "codeartifact:ListRepositories",
-                "codebuild:BatchGetBuilds",
+                "appstream:Describe*",
+                "codeartifact:List*",
+                "codebuild:BatchGet*",
                 "ds:Get*",
                 "ds:Describe*",
                 "ds:List*",
                 "ec2:GetEbsEncryptionByDefault",
                 "ecr:Describe*",
                 "elasticfilesystem:DescribeBackupPolicy",
+                "eks:List*",
                 "glue:GetConnections",
                 "glue:GetSecurityConfiguration",
                 "glue:SearchTables",
@@ -23,6 +24,7 @@
                 "s3:GetPublicAccessBlock",
                 "shield:DescribeProtection",
                 "shield:GetSubscriptionState",
+                "securityhub:BatchImportFindings",
                 "ssm:GetDocument",
                 "support:Describe*",
                 "tag:GetTagKeys"

include/validate_options

@@ -248,7 +248,7 @@ validate_database() {
         then
             db_exit_abnormally "postgresql" "Database not exists, please check ${HOME}/.pgpass file - EXITING!"
         # and finally, if database exists -> table exists ?
-        elif ! psql -U "${POSTGRES_USER}" -h "${POSTGRES_HOST}" "${POSTGRES_DB}"  -c "SELECT * FROM ${POSTGRES_TABLE};" > /dev/null  2>&1
+        elif ! psql -U "${POSTGRES_USER}" -h "${POSTGRES_HOST}" "${POSTGRES_DB}"  -c "SELECT * FROM ${POSTGRES_TABLE} limit 1;" > /dev/null  2>&1
         then
             db_exit_abnormally "postgresql" "Table ${POSTGRES_TABLE} not exists, please check ${HOME}/.pgpass file - EXITING!"
         fi