* feat(check): iam-policy-allows-privilege-escalation
* feat(metadata): Enrich check metadata
Co-authored-by: Toni de la Fuente <toni@blyx.com>
Co-authored-by: Toni de la Fuente <toni@blyx.com>
* test(pre-commit): Include security checks
* test(pre-commit): Include dependencies
* test(aws-provider): First unit tests
* test(arn-parsing): Include first tests
* chore(providers): Remove old comments
* chore(csv): first version csv output
* chore(pytest): added pytest dependency
* chore(outputs): organizations demo
* chore(compliance): Added new dataclass for each compliance framework
* fix(test org values): deleted test values in orgs instantiation
* fix(csv): formatted to match output format
* fix(csv output): Reformulation of check report and minor changes
* fix(minor issues): Fix various issues coming from PR comments
* fix(csv): Renamed csv output data model
* fix(output dir): create default if not present
* fix(typo): remove s
* fix(oldcode)
* fix(typo)
* fix(output): Only send to csv when -M is passed
Co-authored-by: sergargar <sergio@verica.io>
Co-authored-by: Pepe Fagoaga <pepe@verica.io>
* fix(audit info): Common data structure for current audit
* fix(iam): iam session audit fixed
* feat(aws_session): Include else block
Co-authored-by: Pepe Fagoaga <pepe@verica.io>
* feat(checks): Select checks to run
* feat(checks): Include tests
* feat(checks): Exclude checks with -e
* fix(checks): Include missing path
* fix(checks): Include comments
* chore(assuming role): assume role logic and exceptions demo
* chore(exceptions): Exception handling
* fix(get_caller_identity): Deleted duplicate get_caller_identity and add info entries
* chore(creds renewal): Added support to credential renewal
* chore(assume options): Added condition for -I/-T options
* fix(typo/comments): Deleted f in logger config and comments
* chore(session_duration): limits for -T option
* fix(log messages): Changed -A/-R log messages
* fix(critical error): Errors in input options are critical
* fix(ClientError): IAM service ClientError exception support
* feat(actions): Upload Prowler latest to dockerhub
* feat(upload-container): Action to Public Registries
* feat(upload-container): Include env secrets
* feat(actions): Include Docker linters
* feat(linters): include pre-commit
* fix(names)
* feat(add_prowler_pro_banner): include Prowler Pro banner in README
Context
Include Prowler Pro banner in README.md
Description
Add Prowler Pro banner in README.md for giving visibility to the Enterprise version of Prowler.
License
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
* Update README.md
* check empty array in SECURITYGROUPS object
Logic is only checking an object to see if it is null. This should be checking for the array in the object to see if it is empty.
* Replace new conditional with the old one
* Update check_extra75
Co-authored-by: Sergio Garcia <38561120+sergargar@users.noreply.github.com>
+ use primary repository rather than fork.
+ use default branch.
+ fixed a missing character typos.
+ remove blank end-of-line spaces.
@singergs: thanks for adding this code and the video.
* new check
* added check to group
* fixed name
* added testpass logic
* Fixed a few issues
* Fixed more issues
* Updated to add extended information
* Added new line at end of file
* Fixed Spelling
* fix(title): Update title name
* refactor(style): Minor changes
Co-authored-by: Andrea Di Fabio <adifabio@amazon.com>
* regions separated by a comma delimiter
* Update README.md
Co-authored-by: Toni de la Fuente <toni@blyx.com>
* Update README.md
Co-authored-by: David Childs <d.childs@elsevier.com>
Co-authored-by: Pepe Fagoaga <pepe@verica.io>
Co-authored-by: Toni de la Fuente <toni@blyx.com>
* Add support for organizations accounts metadata part 1
* Add support for organizations accounts metadata part 2
* Add gathering account metadata from org
* chore(prowler): get accounts metadata
Use assume_role backing up normal assumed credentials to assume management account and then restore it to old ones
* fix(orgs metadata): deleted assume_role_orgs
* refactor(organization_metadata)
Reformulate to extract AWS Organizations metadata
* doc(org_metadata): include required -R in usage
* docs(org-metadata): Update README
Co-authored-by: n4ch04 <nachor1992@gmail.com>
Co-authored-by: Pepe Fagoaga <pepe@verica.io>
* fix(extra715): Change lower case from bash variable expansion to tr command
* fix: Change from bash variable expansion to tr command
* Change the way to handle lower case
* fix: not to flag as finding for account without cloudfront distributions
* fix: output empty for None from cloudfront list-distributions
* fix: extra7167 Advanced Shield and CloudFront bug parsing None output without distributions
Co-authored-by: moo.xin.foo <moo.xin.foo@accenture.com>
* fix: not to flag as finding for account without cloudfront distributions
* fix: output empty for None from cloudfront list-distributions
Co-authored-by: moo.xin.foo <moo.xin.foo@accenture.com>
* Fix error handling and policy output
* Fix jq filter when Action is an array
Fix jq select condition to handle Action as string or as array.
Add error handling.
When fail, print policies as just one line.
* Double quote variables to prevent globbing and word splitting
* Replace comma character from json by word comma
* Fix CLI query and add error handling
Check extra781, extra782, extra783, extra784 and extra785
* Fix CLI query, add error handling, combine AWS CLI calls when possible
Checks related to Opensearch/ElasticSearch.
* Fix CLI query, add error handling, combine AWS CLI calls when possible
Checks related to Opensearch/ElasticSearch.
* fix(check41/42): Added tcp protocol filter to query
* Include {} in vars
Co-authored-by: Pepe Fagoaga <pepe@verica.io>
* Include {} in vars
Co-authored-by: Pepe Fagoaga <pepe@verica.io>
Co-authored-by: Pepe Fagoaga <pepe@verica.io>
* Fix AccessDenied issue when get document
Add check to validate access denied when get document from SSM.
Add missing action permission to allow ssm:GetDocument.
* Double quote variables to prevent globbing and word splitting
* added check7172 for s3 bucket acls
* Added more errors to error handling and an access check for s3
* Removed extra api call
Co-authored-by: Jeff Maley <jeff.maley@symmetry-systems.com>
Since 2.7.0 this template failed:
```
An error occurred (AccessDeniedException) when calling the GetSubscriptionState operation: User: arn:aws:sts::863046042023:assumed-role/prowler-codebuild-role/AWSCodeBuild-2c3151c9-7c5d-4618-94e5-0234bddce775 is not authorized to perform: shield:GetSubscriptionState on resource: arn:aws:shield::863046042023:subscription/* because no identity-based policy allows the shield:GetSubscriptionState action
INFO! No AWS Shield Advanced subscription found. Skipping check.
7.167 [extra7167] Check if Cloudfront distributions are protected by AWS Shield Advanced - shield [Medium]
```
I aligned it with https://github.com/prowler-cloud/prowler/blob/master/iam/prowler-additions-policy.json#L19 .
* fix(include/outputs) Whitelist logic reformulated to exactly match input
* fix(include/outputs): Changed name of iterative variable that browses whitelisted values
* fix(include/outputs): Deleted missing echo and include and put variables in brackets
* Fix: when prowler exits with a non-zero status, the remainder of the block is not executed
* Fix: do not trigger exit code 3 on failed checks, so that the remainder of the block is executed
* Extra7161 EFS encryption at rest check
* Added check_extra7162 which checks if Log groups have 365 days retention
* fixed code to handle all regions and formatted output
* changed check title, resource type and service name as well as making the code more dynamic
* Extra7161 EFS encryption at rest check
* New check_extra7163 Secrets Manager key rotation enabled
* New check7160 Enabled AutomaticVersionUpgrade on RedShift Cluster
* Update ProwlerRole.yaml to have same permissions as util/org-multi-account/ProwlerRole.yaml
* Fix link to quicksight dashboard
* Install detect-secrets (e.g. for check_extra742)
* Updating check_extra7163 with requested changes
* fix(assumed-role): Check if -T and -A options are set
* docs(Readme): `-T` option is not mandatory
* fix(assume-role): Handle AWS STS CLI errors
* fix(assume-role): Handle AWS STS CLI errors
* Update group25_FTR
When trying to run the group 25 (Amazon FTR related security checks) nothing happens, after looking at the code there is a misconfiguration in 2 params: GROUP_RUN_BY_DEFAULT[9] and GROUP_CHECKS[9]. Updating values to 25 fixed the issue.
* Update README.md
broken link for capital letters in group file (group25_FTR)
* #938 issue assume_role multiple times should be fixed
* Label 2.7.0-1December2021 for tests
* Fixed error that appeared if the number of findings was very high.
* Adjusted the batch to only do 50 at a time. 100 caused capacity issues. Also added a check for an edge case where if the updated findings was a multiple of the batch size, it would throw an error for attempting to import 0 findings.
* Added line to delete the temp folder after everything is done.
* New check 7164 Check if Cloudwatch log groups are protected by AWS KMS@maisenhe
* updated CHECK_RISK
* Added checks extra7160,extra7161,extra7162,extra7163 to group Extras
* Added checks extra7160,extra7161,extra7162,extra7163 to group Extras
* Added issue templates
* New check 7165 DynamoDB: DAX encrypted at rest @Daniel-Peladeau
* New check 7165 DynamoDB: DAX encrypted at rest @Daniel-Peladeau
* Fix#963 check 792 to force json in ELB queries
* Fix#957 check 763 had us-east-1 region hardcoded
* Fix#962 check 7147 ALTERNATE NAME
* Fix#940 handling error when can not list functions
* Added new checks 7164 and 7165 to group extras
* Added invalid check or group id to the error message #962
* Fix Broken Link
* Add docker volume example to README.md
* Updated Dockerfile to use amazonlinux container
* Updated Dockerfile with AWS cli v2
* Added upgrade to the RUN
* Added cache purge to Dockerfile
* Backup AWS Credentials before AssumeRole and Restore them before CopyToS3
* exporting the ENV variables
* fixed bracket
* Improved documentation for install process
* fix checks with comma issues
* Added -D option to copy to S3 with the initial AWS credentials
* Cosmetic variable name change
* Added $PROFILE_OPT to CopyToS3 commands
* remove commas
* removed file as it is not needed
* Improved help usage options -h
* Fixed CIS LEVEL on 7163 through 7165
* When performing a restoreInitialAWSCredentials, unset the credentials ENV variables if they were never set
* New check 7166 Elastic IP addresses with associations are protected by AWS Shield Advanced
* New check 7167 Cloudfront distributions are protected by AWS Shield Advanced
* New check 7168 Route53 hosted zones are protected by AWS Shield Advanced
* New check 7169 Global accelerators are protected by AWS Shield Advanced
* New check 7170 Application load balancers are protected by AWS Shield Advanced
* New check 7171 Classic load balancers are protected by AWS Shield Advanced
* Include example for global resources
* Add AWS Advance Shield protection checks corrections
* Added Shield actions GetSubscriptionState and DescribeProtection
* Added Shield actions GetSubscriptionState and DescribeProtection
* docs(templates): Improve bug template with more info (#982)
* Removed echoes after role chaining fix
* Changed Route53 checks7152 and 7153 to INFO when no domains found
* Changed Route53 checks 7152 and 7153 title to clarify
* Added passed security groups in output to check 778
* Added passed security groups and updated title to check 777
* Added FAIL as error handling when SCP prevents queries to regions
* Label version 2.7.0-6January2022
* Updated .dockerignore with .github/
* Fix: issue #758 and #984
* Fix: issue #741 CloudFront and real-time logs
* Fix issues #971 set all as INFO instead of FAIL when no access to resource
* Fix: issue #986
* Add additional action permissions for Glue and Shield Advanced checks @lazize
* Add extra shield action permission
Allows the shield:GetSubscriptionState action
* Add permission actions
Make sure all files where permission actions are necessary will have the same actions
* Fix: Credential chaining from environment variables @lazize #996f
If profile is not defined, restore original credentials from environment variables,
if they exists, before assume-role
* Label version 2.7.0-24January2022
Co-authored-by: Lee Myers <ichilegend@gmail.com>
Co-authored-by: Chinedu Obiakara <obiakac@amazon.com>
Co-authored-by: Daniel Peladeau <dcpeladeau@gmail.com>
Co-authored-by: Jonathan Lozano <jonloza@amazon.com>
Co-authored-by: Daniel Lorch <dlorch@gmail.com>
Co-authored-by: Pepe Fagoaga <jose.fagoaga@smartprotection.com>
Co-authored-by: Israel <6672089+lopmoris@users.noreply.github.com>
Co-authored-by: root <halfluke@gmail.com>
Co-authored-by: nikirby <nikirby@amazon.com>
Co-authored-by: Joel Maisenhelder <maisenhe@gmail.com>
Co-authored-by: RT <35173068+rtcms@users.noreply.github.com>
Co-authored-by: Andrea Di Fabio <39841198+sectoramen@users.noreply.github.com>
Co-authored-by: Joseph de CLERCK <clerckj@amazon.fr>
Co-authored-by: Michael Dickinson <45626543+michael-dickinson-sainsburys@users.noreply.github.com>
Co-authored-by: Pepe Fagoaga <pepe@verica.io>
Co-authored-by: Leonardo Azize Martins <lazize@users.noreply.github.com>
Key id is in position 6 in aws cli version 2.2.5, but in position 4 in aws cli 1.x
Use --query to select only the data necessary and output in a consistent format
Instead of looking for a fixed error string, it uses error codes from aws cli
Previous condition was not catching this error message:
An error occurred (ExpiredToken) when calling the GetCallerIdentity operation: The security token included in the request is expired
Also forced the output of the command to json. In some tests I was doing, it was failing because it was sending output as text
* feat(aws-securitygroups): include new control to test ingress from 0.0.0.0/0 or ::/0 to FTP ports 20 or 21
* feat(aws-securitygroups): include extra control 7134 in extra group
* feat(aws-securitygroups): include new control to test ingress from 0.0.0.0/0 or ::/0 to Kafka port 9092
* feat(aws-securitygroups): include new control to test ingress from 0.0.0.0/0 or ::/0 to Telnet port 23
* feat(aws-securitygroups): include new control to test ingress from 0.0.0.0/0 or ::/0 to Microsoft SQL Server ports 1433 or 1434
* feat(aws-securitygroups): include extra controls 7135, 7136 and 7137 in extra and internet-exposed groups
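The four controls above all apply the same rule: an ingress permission whose source is `0.0.0.0/0` or `::/0` and that covers one of the listed TCP ports. The block below is an added example, not Prowler's own check code; it evaluates a constructed list shaped like the `SecurityGroups` array of `aws ec2 describe-security-groups` (the input shape is an assumption) and generalises the rule to all four port groups at once, honouring the TCP-only filter mentioned in the check41/42 fix and treating protocol `-1` (all traffic) as covering every port.

```python
"""Flag security group ingress rules open to the world on risky ports.

Added example, not Prowler's own code. The input is a constructed list in
the shape of the `SecurityGroups` array returned by
`aws ec2 describe-security-groups` (an assumption about the input shape).
"""
from ipaddress import ip_network

# Port sets from the controls above: FTP (20/21), Telnet (23), Kafka (9092)
# and Microsoft SQL Server (1433/1434).
RISKY_PORTS = {
    "FTP": (20, 21),
    "Telnet": (23,),
    "Kafka": (9092,),
    "Microsoft SQL Server": (1433, 1434),
}

ANY_V4 = ip_network("0.0.0.0/0")
ANY_V6 = ip_network("::/0")


def rule_is_world_open(perm):
    """True if the permission lists 0.0.0.0/0 or ::/0 as a source."""
    if any(ip_network(r["CidrIp"]) == ANY_V4 for r in perm.get("IpRanges", [])):
        return True
    return any(ip_network(r["CidrIpv6"]) == ANY_V6 for r in perm.get("Ipv6Ranges", []))


def rule_covers_tcp_port(perm, port):
    """True if the permission allows `port` over TCP.

    IpProtocol "-1" means all protocols and ports; a UDP-only rule on a
    TCP service port is not a finding (the tcp filter from the check41/42 fix).
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def find_exposed(groups):
    """Return sorted (group_id, service, port) tuples for world-open risky ports."""
    findings = set()
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not rule_is_world_open(perm):
                continue
            for service, ports in RISKY_PORTS.items():
                for port in ports:
                    if rule_covers_tcp_port(perm, port):
                        findings.add((sg["GroupId"], service, port))
    return sorted(findings)


# Constructed sample in describe-security-groups shape.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0001", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 21, "ToPort": 21, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-0002", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1434, "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0003", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-0004", "IpPermissions": [
        {"IpProtocol": "udp", "FromPort": 9092, "ToPort": 9092, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
]

if __name__ == "__main__":
    for group_id, service, port in find_exposed(SAMPLE_GROUPS):
        print(f"FAIL! Security group {group_id} allows {service} (tcp/{port}) from anywhere")
```

Running the block prints one `FAIL!` line per exposed (group, port) pair; `sg-0004` produces nothing because its world-open rule is UDP only, and a source such as `0.0.0.0/1` is not treated as "anywhere" even though it covers half the address space, which is exactly the kind of near-miss a reviewer should keep in mind when reading these results.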
The `ELBSecurityPolicy-FS-1-2-Res-2020-10` policy is the most
restrictive TLS v1.2 only SSL/TLS security policy available, and is a
subset of the already accepted `ELBSecurityPolicy-FS-1-2-Res-2019-08`
policy - this commit adds `ELBSecurityPolicy-FS-1-2-Res-2020-10` to
the list of acceptable "secure" security policies.
`ELBSecurityPolicy-FS-1-2-Res-2020-10` has a very limited set of
ciphers, is TLS v1.2 only and supports Forward Secrecy.
Current SSL Labs tests gives it an "A" rating for another source of
confirmation.
As per this bug report:
https://github.com/toniblyx/prowler/issues/693
Add detection for freebsd releases which should be similar to darwin
in that it will use GNU coreutils for date and base64.
Following the merge of #651, prowler now calls the GetFindings API when using Security Hub integration - this action needs to be added to the required policy
Custom checks in folder are not being sourced. `./prowler -c extra800 -x custom` results in empty EXTERNAL_CHECKS_PATH variables due to missing colon.
The fix was tested in both OSX and toniblyx/prowler:latest Docker.
Regards,
Force the batch-import-findings AWS CLI call to be directed at the region the currently reporting resource is located in, as Security Hub enforces this requirement
When checking that Security Hub is enabled, check for all regions that are in scope, e.g. all regions, unless '-f <region>' is used
Fixes #618
Write output files (CSV, JSON, etc.) to an `output` directory that is relative to prowler itself, no matter where prowler is invoked from.
Simplify Dockerfile by specifying a WORKDIR
Replace ADD command with the more recommended COPY command
Update README to cover how to run in Docker and access saved reports
Add a .dockerignore file to ignore .git and output directories
This partially addresses #570 - previously, within Docker, Prowler was attempting to write
reports to the root `/` directory in the container, which it did not have permission to do.
Instead, reports are now written to a path relative to Prowler
Continue to show (unwhitelisted) failed checks as failures in JUnit output, but rather than exclude failing whitelisted checks from JUnit, mark them as skipped
Fixes #590
Create `include/check_creds_last_used` and move all logic for checking last usages of passwords and access keys there
Modify check13 and extra774 to call new function, specifying time-range of last 90 days and last 30 days respectively
Modify messages in check14 and check121 so that all mentions of 'access key's are consistent
Fixes #496
Change `-l` flag to print a unique list of every single check (assuming none are orphaned outside of all groups)
Allow `-g <group_id>` to be specified in combination with `-l`, to only print checks that are referenced by the specified group
When listing all checks with `-l` only, print out all groups that reference each check
Fixes: #545
Rearrange output functions so they support outputting text alongside other formats, if specified
Add a convenience function for checking if JUnit output is enabled
Move monochrome setting into loop so it better supports multiple formats
Update README
If the -J flag is passed, generate JUnit XML reports for each check, in-line with how Java tools generate JUnit reports.
Check section numbers equate to 'root packages', checks are second-level packages, each check equates to a testsuite (mirroring Java where each test class is a testsuite) and each pass/fail of a check equates to a testcase
Time the execution of each check and include this in the report
Include properties (Prowler version, check level etc.) in-line with standard JUnit files
XML escape all strings for safety
Detect if a user has GNU coreutils installed on Mac OS X, but not as their default, switching to using gdate for date commands if so, as it has more features, including getting dates in milliseconds
Add prowler-output, junit-reports and VSCode files to .gitignore
Update README to include JUnit info, address markdownlint warnings
Remove unused arguments to jq in generateJsonAsffOutput
Fixes #537
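The JUnit layout described above (section as package, each check as a testsuite, each per-resource pass/fail as a testcase, timing and properties included, every string XML-escaped) is straightforward to produce with the standard library. The following is an added example, not the project's own output code; the property names and the `SKIP` handling for whitelisted failures (reported as skipped rather than dropped, per the change further down) are assumptions made for the example.

```python
"""Emit a JUnit XML testsuite for one Prowler-style check.

Added example, not Prowler's own code. The package/classname layout
follows the description above; property names are assumptions.
"""
import time
import xml.etree.ElementTree as ET


def timed_check(check_fn, *args):
    """Run a check and return (results, elapsed_seconds)."""
    start = time.perf_counter()
    results = check_fn(*args)
    return results, time.perf_counter() - start


def build_junit_suite(section, check_id, title, results, elapsed, properties):
    """Return JUnit XML (str) for `results`, a list of (resource, status, message).

    status is "PASS", "FAIL" or "SKIP" (whitelisted failures become skipped
    testcases).  ElementTree escapes <, >, & and quotes in both text and
    attributes, so a message containing markup cannot break the document.
    """
    failures = sum(1 for _, s, _ in results if s == "FAIL")
    skipped = sum(1 for _, s, _ in results if s == "SKIP")
    suite = ET.Element("testsuite", name=f"{section}.{check_id}", package=section,
                       tests=str(len(results)), failures=str(failures),
                       skipped=str(skipped), errors="0", time=f"{elapsed:.3f}")
    props = ET.SubElement(suite, "properties")
    for key, value in properties.items():
        ET.SubElement(props, "property", name=key, value=str(value))
    per_case = elapsed / len(results) if results else 0.0
    for resource, status, message in results:
        case = ET.SubElement(suite, "testcase", classname=f"{section}.{check_id}",
                             name=f"{title}: {resource}", time=f"{per_case:.3f}")
        if status == "FAIL":
            ET.SubElement(case, "failure", message=message).text = message
        elif status == "SKIP":
            ET.SubElement(case, "skipped", message=message)
    return ET.tostring(suite, encoding="unicode")


def parse_counts(xml_text):
    """Read back tests/failures/skipped from a suite (useful for asserting)."""
    root = ET.fromstring(xml_text)
    return int(root.get("tests")), int(root.get("failures")), int(root.get("skipped"))


# Constructed check results: the resource name and message carry markup on
# purpose to show that escaping keeps the XML well-formed.
def sample_check():
    return [
        ("bucket-one", "PASS", "S3 bucket bucket-one has Object-level logging enabled"),
        ("bucket-<public>", "FAIL", 'S3 bucket "bucket-<public>" has no Object-level logging & is public'),
        ("bucket-legacy", "SKIP", "whitelisted"),
    ]


if __name__ == "__main__":
    results, elapsed = timed_check(sample_check)
    print(build_junit_suite("3", "check31", "Object-level logging", results, elapsed,
                            {"prowler.version": "x.y.z (placeholder)", "check.level": "LEVEL2"}))
```

Using a real XML serializer rather than string concatenation is what makes "XML escape all strings for safety" hold by construction; a resource name or finding text taken from an untrusted account cannot inject elements into the report a CI system later parses.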
Remove the second entry in any comma-separated check IDs from each check, formatting
the check ID with leading zeros in `include/outputs` if the `-n` flag is active
Replace the use of `sort -u` to remove duplicate checks, which has the side-effect of reordering checks alphabetically when one or more are excluded with awk, which preserves the check order
Adjust indentation and formatting to be more consistent with the rest of the file
Fixes #492
According to the benchmark, only users with a console password should be considered for this check,
therefore filter out any users who do not have a console password
Fixes #513
As some users may have installed GNU coreutils on Mac OS X, e.g. `brew install coreutils`, it's possible that
the `date` command uses the GNU version, instead of the standard BSD version.
- Detect if GNU coreutils is installed on Mac and if it is, use the GNU variants of date functions
- Reduce some of the duplication in the file, which resolves a bug where the cygwin version of `how_many_days_from_today()`
had the operands switched around, leading to a positive result instead of negative
- Add test_tcp_connectivity function for cygwin (uses the GNU variant)
Fixes #534
A user who has never logged into the console, or not logged in since Oct 2014 will present as 'no_information' in the
'password_last_used' column of the credential report. Handle this scenario and output a failed message if it has been
more than MAX_DAYS days since the user was created, or an info message if it is less than MAX_DAYS
Fixes #501
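The three credential-report changes above (a shared last-used routine called with 90 days for check13 and 30 days for extra774, scoping to users who actually have a console password, and the `no_information` case decided by the user's creation date) can be shown together in one routine. The block below is an added example and not Prowler's `include/check_creds_last_used`; the report is constructed and keeps only a subset of the real report's columns, and the fixed `TODAY` is there so the results are reproducible.

```python
"""Console-password last-use check over an IAM credential report.

Added example, not Prowler's own code. The report below is constructed and
keeps only a subset of the real report's columns (the real one also carries
access key and MFA fields).
"""
import csv
import io
from datetime import datetime, timedelta, timezone

SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used
alice,arn:aws:iam::111122223333:user/alice,2021-01-10T09:00:00+00:00,true,2021-12-10T08:00:00+00:00
bob,arn:aws:iam::111122223333:user/bob,2021-01-10T09:00:00+00:00,true,2021-06-01T08:00:00+00:00
carol,arn:aws:iam::111122223333:user/carol,2021-12-20T09:00:00+00:00,true,no_information
dave,arn:aws:iam::111122223333:user/dave,2019-03-03T09:00:00+00:00,true,no_information
erin,arn:aws:iam::111122223333:user/erin,2019-03-03T09:00:00+00:00,false,N/A
"""

TODAY = datetime(2022, 1, 15, tzinfo=timezone.utc)  # fixed "now" for reproducible results


def parse_ts(value):
    """AWS writes ISO-8601 with a +00:00 offset, which fromisoformat accepts."""
    return datetime.fromisoformat(value)


def check_password_last_used(report_csv, max_days, today=None):
    """Return (user, status, message) for every user with a console password.

    Users without a console password are skipped (the benchmark scopes the
    check to them).  'no_information' means the password was never used, or
    not since Oct 2014: FAIL if the user is older than max_days, otherwise
    INFO because the account is simply new.
    """
    today = today or datetime.now(timezone.utc)
    cutoff = today - timedelta(days=max_days)
    results = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["password_enabled"] != "true":
            continue
        user, last_used = row["user"], row["password_last_used"]
        if last_used == "no_information":
            if parse_ts(row["user_creation_time"]) < cutoff:
                results.append((user, "FAIL", f"password never used and user created more than {max_days} days ago"))
            else:
                results.append((user, "INFO", f"password never used, user created within the last {max_days} days"))
        elif parse_ts(last_used) < cutoff:
            results.append((user, "FAIL", f"password not used in the last {max_days} days"))
        else:
            results.append((user, "PASS", f"password used within the last {max_days} days"))
    return results


if __name__ == "__main__":
    for max_days in (90, 30):  # check13 uses 90 days, extra774 uses 30 days
        print(f"--- last used within {max_days} days ---")
        for user, status, message in check_password_last_used(SAMPLE_REPORT, max_days, TODAY):
            print(f"{status}! {user}: {message}")
```

With the constructed data, `alice` passes the 90-day window but fails the 30-day one, `carol` is reported as INFO in both because her account is newer than either window, and `erin` never appears because she has no console password.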
- Move Security Hub related code to a dedicated include/securityhub_integration file
- Check that Security Hub is enabled in the target region before beginning checks when -S is specified
- Add error handling to the batch-import-findings call
- Add CHECK_ASFF_TYPE variables to all CIS checks to override the default
- Add support for CHECK_ASFF_RESOURCE_TYPE variables which override the default 'AwsAccount' value for the resource a finding relates to.
- Add CHECK_ASFF_RESOURCE_TYPE variables to all checks where there is a suitable value in the schema
- Remove json-asff output for info messages as they are not appropriate for possible submission to Security Hub
- Update the README to cover Security Hub integration
- Add an IAM policy JSON document that provides the necessary BatchImportFindings permission for Security Hub
- Remove trailing whitespace and periods in pass/fail messages to be consistent with the majority of messages, to prevent future tidy-up from changing the finding IDs
Buckets that log to one or more trails are logged as `PASS!` for each trail they are associated with.
Buckets that aren't associated with any trails are logged as `FAIL!` once.
```
...
PASS! : S3 bucket bucket-one has Object-level logging enabled in trails: arn:aws:cloudtrail:eu-west-2:123456789012:trail/central-trail
PASS! : S3 bucket bucket-two has Object-level logging enabled in trails: arn:aws:cloudtrail:eu-west-2:9876543210989:trail/trail-two
PASS! : S3 bucket bucket-two has Object-level logging enabled in trails: arn:aws:cloudtrail:eu-west-2:123456789012:trail/central-trail
PASS! : S3 bucket bucket-three has Object-level logging enabled in trails: arn:aws:cloudtrail:eu-west-2:123456789012:trail/central-trail
...
```
This change should also address #387
json-asff mode outputs JSON, similar to the standard 'json' mode with one check per line, but in AWS Security Finding Format - used by AWS Security Hub
Currently uses a generic Type, Resources and ProductArn value, but sets the Id to a unique value that includes the details of the message, in order to separate out checks that run against multiple resources and output one result per resource per check. This ensures that findings can be updated, should the resource move in or out of compliance
securityhub mode generates the ASFF JSON and then passes it to an 'aws securityhub batch-import-findings' call, once per resource per check. Output to the screen is similar to the standard mode, but prints whether or not the finding was submitted successfully
Fixes #524
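The key design point in the json-asff description above is the finding `Id`: it must be unique per check and per resource, yet stable across runs, so that BatchImportFindings updates an existing finding when a resource drifts in or out of compliance instead of piling up duplicates. The block below is an added example, not Prowler's own output code; the exact Id layout, the `product/<account>/default` ProductArn form and the batch size of 50 (the size the batching fix further up settled on) are assumptions for this example.

```python
"""Build ASFF findings with stable Ids and batch them for BatchImportFindings.

Added example, not Prowler's own code. The Id layout, the ProductArn form
and the batch size are assumptions made for this example.
"""
import hashlib
import json
from datetime import datetime, timezone

SCHEMA_VERSION = "2018-10-08"
BATCH_SIZE = 50  # 100 per call caused capacity issues, per the batching fix above


def finding_id(account_id, region, check_id, resource_id):
    """Deterministic Id: one finding per (account, region, check, resource).

    Re-running the check on the same resource yields the same Id, so the
    import updates the finding rather than creating a new one.
    """
    raw = f"{account_id}|{region}|{check_id}|{resource_id}".encode()
    digest = hashlib.sha256(raw).hexdigest()[:16]
    return f"prowler-{check_id}-{account_id}-{region}-{digest}"


def build_finding(account_id, region, check_id, title, message, status,
                  resource_id=None, resource_type="AwsAccount",
                  severity="MEDIUM", asff_type="Software and Configuration Checks",
                  timestamp=None):
    """Return one ASFF finding dict (required fields plus Compliance/RecordState)."""
    ts = (timestamp or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    resource_id = resource_id or account_id  # default resource is the account itself
    return {
        "SchemaVersion": SCHEMA_VERSION,
        "Id": finding_id(account_id, region, check_id, resource_id),
        "ProductArn": f"arn:aws:securityhub:{region}:{account_id}:product/{account_id}/default",
        "GeneratorId": f"prowler-{check_id}",
        "AwsAccountId": account_id,
        "Types": [asff_type],
        "CreatedAt": ts,
        "UpdatedAt": ts,
        "Severity": {"Label": severity},
        "Title": title,
        "Description": message,
        "Resources": [{"Type": resource_type, "Id": resource_id, "Partition": "aws", "Region": region}],
        "Compliance": {"Status": "PASSED" if status == "PASS" else "FAILED"},
        "RecordState": "ACTIVE",
    }


def to_json_lines(findings):
    """json-asff mode: one finding per line."""
    return "\n".join(json.dumps(f, sort_keys=True) for f in findings)


def batches(findings, size=BATCH_SIZE):
    """Split findings into import-sized chunks.

    A count that is an exact multiple of `size` yields no empty trailing
    batch, which is the edge case the batching fix above had to handle.
    """
    return [findings[i:i + size] for i in range(0, len(findings), size)]


if __name__ == "__main__":
    # Constructed findings for one check over two security groups.
    sample = [
        build_finding("123456789012", "eu-west-1", "extra7134", "FTP open to the world",
                      "sg-0001 allows tcp/21 from 0.0.0.0/0", "FAIL",
                      resource_id="sg-0001", resource_type="AwsEc2SecurityGroup"),
        build_finding("123456789012", "eu-west-1", "extra7134", "FTP open to the world",
                      "sg-0002 has no world-open FTP rule", "PASS",
                      resource_id="sg-0002", resource_type="AwsEc2SecurityGroup"),
    ]
    print(to_json_lines(sample))
    print("batches:", [len(b) for b in batches(sample)])
```

Each batch would be handed to `aws securityhub batch-import-findings` in the region the resource lives in, which is the per-region requirement the Security Hub fix further up enforces.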
- Add ISLOGGING_STATUS, INCLUDEMANAGEMENTEVENTS_STATUS, READWRITETYPE_STATUS to check
- Remove ` --no-include-shadow-trails ` from CLI
2.1 Ensure CloudTrail is enabled in all regions (Scored):
Via CLI
1. `aws cloudtrail describe-trails`
Ensure `IsMultiRegionTrail` is set to true
2. `aws cloudtrail get-trail-status --name <trailname shown in describe-trails>`
Ensure `IsLogging` is set to true
3. `aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`
Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to
`true` and `ReadWriteType` set to `All`
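The three CLI steps above map directly onto the ISLOGGING_STATUS, INCLUDEMANAGEMENTEVENTS_STATUS and READWRITETYPE_STATUS values the check now tracks. The block below is an added example, not Prowler's check21; it applies the three conditions to constructed dicts shaped like the output of `describe-trails`, `get-trail-status` and `get-event-selectors` (the input shape is an assumption) and reports per trail, passing the control as soon as one trail satisfies all three.

```python
"""CIS 2.1: at least one multi-region trail, logging, recording all management events.

Added example, not Prowler's own code. Inputs are constructed dicts in the
shape of `aws cloudtrail describe-trails`, `get-trail-status` and
`get-event-selectors` output (an assumption about the input shape).
"""


def evaluate_trail(trail, status, selectors):
    """Apply the three CIS 2.1 conditions to one trail.

    Returns (trail_name, "PASS"|"FAIL", reason), checking in order
    IsMultiRegionTrail, IsLogging, then an event selector with
    IncludeManagementEvents=true and ReadWriteType=All.
    """
    name = trail["Name"]
    if not trail.get("IsMultiRegionTrail", False):
        return name, "FAIL", "IsMultiRegionTrail is not true"
    if not status.get("IsLogging", False):
        return name, "FAIL", "IsLogging is not true"
    for selector in selectors.get("EventSelectors", []):
        if selector.get("IncludeManagementEvents") and selector.get("ReadWriteType") == "All":
            return name, "PASS", "multi-region, logging, all management events recorded"
    return name, "FAIL", "no event selector with IncludeManagementEvents=true and ReadWriteType=All"


def cis_2_1(describe_trails, status_by_name, selectors_by_name):
    """Return (overall_pass, per_trail_results).

    The control is met when any trail passes; an account with no trails
    fails outright instead of silently producing no output.
    """
    trails = describe_trails.get("trailList", [])
    if not trails:
        return False, [("(none)", "FAIL", "no CloudTrail trails configured")]
    results = [
        evaluate_trail(t, status_by_name.get(t["Name"], {}), selectors_by_name.get(t["Name"], {}))
        for t in trails
    ]
    return any(r[1] == "PASS" for r in results), results


# Constructed sample output: one compliant trail and three that each miss one condition.
SAMPLE_TRAILS = {"trailList": [
    {"Name": "central-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": True},
    {"Name": "regional-trail", "HomeRegion": "eu-west-1", "IsMultiRegionTrail": False},
    {"Name": "paused-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": True},
    {"Name": "readonly-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": True},
]}
SAMPLE_STATUS = {
    "central-trail": {"IsLogging": True},
    "regional-trail": {"IsLogging": True},
    "paused-trail": {"IsLogging": False},
    "readonly-trail": {"IsLogging": True},
}
SAMPLE_SELECTORS = {
    "central-trail": {"EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}]},
    "regional-trail": {"EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}]},
    "paused-trail": {"EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}]},
    "readonly-trail": {"EventSelectors": [{"ReadWriteType": "ReadOnly", "IncludeManagementEvents": True}]},
}

if __name__ == "__main__":
    ok, results = cis_2_1(SAMPLE_TRAILS, SAMPLE_STATUS, SAMPLE_SELECTORS)
    for name, status, reason in results:
        print(f"{status}! Trail {name}: {reason}")
    print("2.1 overall:", "PASS" if ok else "FAIL")
```

One caveat when running this against real output: a trail configured with advanced event selectors returns an `AdvancedEventSelectors` list instead of `EventSelectors`, which the routine above would report as a failure; handling that form is left out here because the benchmark text quoted above only describes the basic selector.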
Please use this template to create your bug report. By providing as much info as possible you help us understand the issue, reproduce it and resolve it for you quicker. Therefore, take a couple of extra minutes to make sure you have provided all info needed.
PROTIP: record your screen and attach it as a gif to showcase the issue.
- How to record and attach gif: https://bit.ly/2Mi8T6K
**What happened?**
A clear and concise description of what the bug is or what is not working as expected
**How to reproduce it**
Steps to reproduce the behavior:
1. What command are you running?
2. Cloud provider you are launching
3. Environment you have like single account, multi-account, organizations, multi or single subscription, etc.
4. See error
**Expected behavior**
A clear and concise description of what you expected to happen.
**Screenshots or Logs**
If applicable, add screenshots to help explain your problem.
Also, you can add logs (anonymize them first!). Here is a command that may help to share a log:
`prowler <your arguments> --log-level DEBUG --log-file $(date +%F)_debug.log` then attach here the log file.
```yaml
# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
#
# ******** NOTE ********
# We have attempted to detect the languages in your repository. Please check
# the `language` matrix defined below to confirm you have the correct set of
# supported CodeQL languages.
#
name: "CodeQL"

on:
  push:
    branches: [ "master", prowler-2, prowler-3.0-dev ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ "master" ]
  schedule:
    - cron: '00 12 * * *'

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write

    strategy:
      fail-fast: false
      matrix:
        language: [ 'python' ]
        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support

    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: ${{ matrix.language }}
          # If you wish to specify custom queries, you can do so here or in a config file.
          # By default, queries listed here will override any specified in a config file.
          # Prefix the list here with "+" to use these queries and those in the config file.
          # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
```
- [Third Party Integrations](#third-party-integrations)
- [Full list of checks and groups](/LIST_OF_CHECKS_AND_GROUPS.md)
- [License](#license)
`Prowler` is an Open Source security tool to perform AWS and Azure security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness.
## Description
It contains hundreds of controls covering CIS, PCI-DSS, ISO27001, GDPR, HIPAA, FFIEC, SOC2, AWS FTR, ENS and custom security frameworks.
Prowler is a command line tool for AWS security best practices assessment, auditing, hardening and forensics readiness.
## Looking for Prowler v2 documentation?
For Prowler v2 Documentation, please go to https://github.com/prowler-cloud/prowler/tree/2.12.1.
# ⚙️ Install
It follows guidelines of the CIS Amazon Web Services Foundations Benchmark (49 checks) and has 40 additional checks including related to GDPR and HIPAA.
## Pip package
Prowler is available as a project in [PyPI](https://pypi.org/project/prowler-cloud/), and can be installed using pip with Python >= 3.9:
Read more about [CIS Amazon Web Services Foundations Benchmark v1.2.0 - 05-23-2018](https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf)
## Features
It covers hardening and security best practices for all AWS regions related to the following groups:
- Identity and Access Management (22 checks) [group1]
- Forensics related group of checks [forensics-ready]
- GDPR [gdpr] Read more [here](#gdpr-checks)
- HIPAA [hipaa] Read more [here](#hipaa-checks)
For a comprehensive list and resolution look at the guide on the link above.
With Prowler you can:
- get a colorful or monochrome report
- a CSV format report for diff
- run specific checks without having to run the entire report
- check multiple AWS accounts in parallel
## Requirements and Installation
This script has been written in bash using AWS-CLI and it works in Linux and OSX.
- Make sure the latest version of AWS-CLI is installed on your workstation, and other components needed, with Python pip already installed:
```sh
pip install awscli ansi2html detect-secrets
```
AWS-CLI can also be installed using "brew", "apt", "yum" or manually from <https://aws.amazon.com/cli/>, but `ansi2html` and `detect-secrets` have to be installed using `pip`. You will need to install `jq` to get more accuracy in some checks.
- Make sure jq is installed (example below with "apt" but use a valid package manager for your OS):
```sh
sudo apt install jq
```
- Previous steps, from your workstation:
```sh
git clone https://github.com/toniblyx/prowler
cd prowler
```
- Make sure you have properly configured your AWS-CLI with a valid Access Key and Region or declare AWS variables properly (or instance profile):
```sh
aws configure
```
or
```sh
export AWS_ACCESS_KEY_ID="ASXXXXXXX"
export AWS_SECRET_ACCESS_KEY="XXXXXXXXX"
export AWS_SESSION_TOKEN="XXXXXXXXX"
```
- Those credentials must be associated to a user or role with proper permissions to do all checks. To make sure, add the AWS managed `SecurityAudit` policy to your user. Policy ARN is
```sh
arn:aws:iam::aws:policy/SecurityAudit
```
> Additional permissions needed: to make sure Prowler can scan all services included in the group *Extras*, make sure you attach also the custom policy [prowler-additions-policy.json](https://github.com/toniblyx/prowler/blob/master/iam/prowler-additions-policy.json) to the role you are using.
## Usage
1. Run the `prowler` command without options (it will use your environment variable credentials if they exist or will default to using the `~/.aws/credentials` file and run checks over all regions when needed. The default region is us-east-1):
```sh
./prowler
```
Use `-l` to list all available checks and group of checks (sections)
If you want to avoid installing dependencies, run it using Docker:
1. To perform an assessment based on CIS Profile Definitions you can use cislevel1 or cislevel2 with `-g` flag, more information about this [here, page 8](https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf):
```sh
./prowler -g cislevel1
```
1. If you want to run Prowler to check multiple AWS accounts in parallel (runs up to 4 simultaneously `-P 4`):
```
-p <profile> specify your AWS profile to use (i.e.: default)
-r <region> specify an AWS region to direct API requests to
(i.e.: us-east-1), all regions are checked anyway if the check requires it
-c <check_id> specify a check id, to see all available checks use -l option
(i.e.: check11 for check 1.1 or extra71 for extra check 71)
-g <group_id> specify a group of checks by id, to see all available group of checks use -L
(i.e.: check3 for entire section 3, cislevel1 for CIS Level 1 Profile Definitions or forensics-ready)
-f <filterregion> specify an AWS region to run checks against
(i.e.: us-west-1)
-m <maxitems> specify the maximum number of items to return for long-running requests (default: 100)
-M <mode> output mode: text (default), mono, json, csv (separator is ,; data is on stdout; progress on stderr)
-k keep the credential report
-n show check numbers to sort easier
(i.e.: 1.01 instead of 1.1)
-l list all available checks only (does not perform any check)
-L list all groups (does not perform any check)
-e exclude group extras
-E execute all tests except a list of specified checks separated by comma (i.e. check21,check31)
-b do not print Prowler banner
-V show version number & exit
-s show scoring report
-x specify external directory with custom checks (i.e. /my/own/checks, files must start by check)
-q suppress info messages and passing test output
-A account id for the account where to assume a role, requires -R and -T
(i.e.: 123456789012)
-R role name to assume in the account, requires -A and -T
(i.e.: ProwlerRole)
-T session duration given to that role credentials in seconds, default 1h (3600) recommended 12h, requires -R and -T
(i.e.: 43200)
-h this help
```
## Advanced Usage
### Assume Role:
Prowler uses the AWS CLI underneath, so it uses the same authentication methods. However, there are a few ways to run Prowler against multiple accounts using the IAM Assume Role feature, depending on each use case. You can just set up your custom profile inside `~/.aws/config` with all needed information about the role to assume, then call it with `./prowler -p your-custom-profile`. Additionally you can use `-A 123456789012` and `-R RemoteRoleToAssume` and Prowler will get those temporary credentials using `aws sts assume-role`, set them up as environment variables and run against that given account.
```sh
./prowler -A 123456789012 -R ProwlerRole
```
> *NOTE 1 about Session Duration*: By default it gets credentials valid for 1 hour (3600 seconds). Depending on the amount of checks you run and the size of your infrastructure, Prowler may require more than 1 hour to finish. Use option `-T <seconds>` to allow up to 12h (43200 seconds). To allow more than 1h you need to modify *"Maximum CLI/API session duration"* for that particular role, read more [here](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session).
> *NOTE 2 about Session Duration*: Bear in mind that if you are using roles assumed by role chaining there is a hard limit of 1 hour, so consider not using role chaining if possible; read more about that in footnote 1 below the table [here](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html).
For example, if you want to get only the fails in CSV format from all checks regarding RDS without banner from the AWS Account 123456789012 assuming the role RemoteRoleToAssume and set a fixed session duration of 1h:
Flag `-x /my/own/checks` will include any check in that particular directory. To see how to write checks see the [Add Custom Checks](#add-custom-checks) section.
### Show or log only FAILs
In order to remove noise and get only FAIL findings there is a `-q` flag that makes Prowler show and log only FAILs. It can be combined with any other option.
```sh
./prowler -q -M csv -b
```
```console
pip install prowler
prowler -v
```
## Containers
The available versions of Prowler are the following:
- `latest`: in sync with master branch (bear in mind that it is not a stable version)
- `<x.y.z>` (release): you can find the releases [here](https://github.com/prowler-cloud/prowler/releases), those are stable releases.
- `stable`: this tag always points to the latest release.
The full documentation can now be found at [https://docs.prowler.cloud](https://docs.prowler.cloud)
# 📐✏️ High level architecture
You can run Prowler from your workstation, an EC2 instance, Fargate or any other container, Codebuild, CloudShell and Cloud9.
Prowler has been written in Python using the [AWS SDK (Boto3)](https://boto3.amazonaws.com/v1/documentation/api/latest/index.html#) and [Azure SDK](https://azure.github.io/azure-sdk-for-python/).
## AWS
Since Prowler uses AWS Credentials under the hood, you can follow any authentication method as described [here](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-precedence).
Make sure you have properly configured your AWS-CLI with a valid Access Key and Region or declare AWS variables properly (or instance profile/role):
```console
aws configure
```
or
```console
export AWS_ACCESS_KEY_ID="ASXXXXXXX"
export AWS_SECRET_ACCESS_KEY="XXXXXXXXX"
export AWS_SESSION_TOKEN="XXXXXXXXX"
```
Those credentials must be associated with a user or role with proper permissions to do all checks. To make sure, add the following AWS managed policies to the user or role being used:
> Moreover, some additional read-only permissions are needed for several checks; make sure you also attach the custom policy [prowler-additions-policy.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-additions-policy.json) to the role you are using.
> If you want Prowler to send findings to [AWS Security Hub](https://aws.amazon.com/security-hub), make sure you also attach the custom policy [prowler-security-hub.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-security-hub.json).
## Azure
Prowler for Azure supports the following authentication types:
- Service principal authentication by environment variables (Enterprise Application)
- Current az cli credentials stored
- Interactive browser authentication
- Managed identity authentication
### Service Principal authentication
To allow Prowler to assume the service principal identity to start the scan, the following environment variables need to be configured:
```console
export AZURE_CLIENT_ID="XXXXXXXXX"
export AZURE_TENANT_ID="XXXXXXXXX"
export AZURE_CLIENT_SECRET="XXXXXXX"
```
If you try to execute Prowler with the `--sp-env-auth` flag and those variables are empty or not exported, the execution is going to fail.
### AZ CLI / Browser / Managed Identity authentication
The other three cases do not need additional configuration: `--az-cli-auth` and `--managed-identity-auth` are automated options, while `--browser-auth` needs the user to authenticate using the default browser to start the scan.
### Permissions
To use each one, you need to pass the proper flag to the execution. Prowler for Azure handles two types of permission scopes, which are:
- **Azure Active Directory permissions**: Used to retrieve metadata from the identity assumed by Prowler and future AAD checks (not mandatory to have access to execute the tool)
- **Subscription scope permissions**: Required to launch the checks against your resources, mandatory to launch the tool.
Azure Active Directory (AAD) permissions required by the tool are the following:
- `Directory.Read.All`
- `Policy.Read.All`
#### Subscriptions scope
Regarding the subscription scope, Prowler by default scans all the subscriptions it is able to list, so it is required to add the following RBAC built-in roles per subscription to the entity that is going to be assumed by the tool:
- `Security Reader`
- `Reader`
# 💻 Basic Usage
To run prowler, you will need to specify the provider (e.g. aws or azure):
```console
prowler <provider>
```
> Running the `prowler` command without options will use your environment variable credentials.
By default, prowler will generate a CSV, a JSON and an HTML report; however, you can generate a JSON-ASFF (only for AWS Security Hub) report with `-M` or `--output-modes`:
## How to fix every FAIL
Check your report and fix the issues following all specific guidelines per check in <https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf>
## Screenshots
- Sample screenshot of report first lines:
## Troubleshooting
### STS expired token
If you are using an STS token for AWS-CLI and your session has expired you will probably get this error:
```
A client error (ExpiredToken) occurred when calling the GenerateCredentialReport operation: The security token included in the request is expired
```
To fix it, please renew your token by authenticating again to the AWS API; see the next section below if you use MFA.
To run Prowler using a profile that requires MFA you just need to get the session token beforehand. Just make sure you use this command:
Once you get your token you can export it as environment variables:
```
export AWS_PROFILE=YOUR_AWS_PROFILE
export AWS_SESSION_TOKEN=YOUR_NEW_TOKEN
export AWS_SECRET_ACCESS_KEY=YOUR_SECRET
export AWS_ACCESS_KEY_ID=YOUR_KEY
```
or set up your `~/.aws/credentials` file manually.
There are some helpful tools to save time in this process like [aws-mfa-script](https://github.com/asagage/aws-mfa-script) or [aws-cli-mfa](https://github.com/sweharris/aws-cli-mfa).
### Custom IAM Policy
Some new and specific checks require Prowler to inherit more permissions than SecurityAudit to work properly. In addition to the AWS managed policy "SecurityAudit" for the role you use for checks, you may need to create a custom policy with a few more permissions (mostly get and list on additional services). Here is a good example of a "ProwlerReadOnlyPolicy" (see the bootstrap script below to set it up):
> Note: Action `ec2:get*` is included in the "ProwlerReadOnlyPolicy" policy above, and that includes `get-password-data`; type `aws ec2 get-password-data help` to better understand its implications.
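The note above is about a wildcard like `ec2:get*` silently covering `ec2:GetPasswordData`. As an added example (not Prowler's code, and not the contents of prowler-additions-policy.json), the following Python expands the Action patterns of a constructed policy document using IAM's wildcard rules and reports which sensitive read actions they end up granting; the sample policy and the list of actions to look for are assumptions for illustration.

```python
"""Added example (not Prowler's own code): expand the Action wildcards of an IAM
policy document and report which sensitive read-only actions they end up
granting. The policy below is a constructed sample modelled on a
"ProwlerReadOnlyPolicy"-style document, not the real
prowler-additions-policy.json; the action names are real IAM actions.
"""
import json
import re

SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:get*", "ec2:describe*", "s3:listallmybuckets", "ssm:get*"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "lambda:GetFunction", "Resource": "*"},
        # An explicit Deny always wins over an Allow.
        {"Effect": "Deny", "Action": "ssm:GetParameter", "Resource": "*"},
    ],
})

# Read actions a reviewer wants to notice before granting a broad get*/list*;
# ec2:GetPasswordData is the one the note above calls out.
SENSITIVE_READ_ACTIONS = [
    "ec2:GetPasswordData",
    "lambda:GetFunction",
    "s3:GetObject",
    "secretsmanager:GetSecretValue",
    "ssm:GetParameter",
]


def iam_pattern_to_regex(pattern):
    """IAM Action matching: case-insensitive, '*' is any run, '?' one character."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def action_patterns(policy_json, effect):
    """Action patterns of all statements with the given Effect.

    Action may be a string or a list; NotAction statements are out of scope here.
    """
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    patterns = []
    for stmt in statements:
        if stmt.get("Effect") != effect or "Action" not in stmt:
            continue
        actions = stmt["Action"]
        patterns.extend([actions] if isinstance(actions, str) else actions)
    return patterns


def covered_sensitive_actions(policy_json, sensitive=SENSITIVE_READ_ACTIONS):
    """Map each sensitive action the policy grants to the Allow patterns granting it.

    Only action names are evaluated; Resource and Condition are ignored.
    """
    allow = [(p, iam_pattern_to_regex(p)) for p in action_patterns(policy_json, "Allow")]
    deny = [iam_pattern_to_regex(p) for p in action_patterns(policy_json, "Deny")]
    covered = {}
    for action in sensitive:
        if any(rx.match(action) for rx in deny):
            continue  # explicitly denied, so the Allow wildcard does not reach it
        granting = [p for p, rx in allow if rx.match(action)]
        if granting:
            covered[action] = granting
    return covered


if __name__ == "__main__":
    for action, patterns in covered_sensitive_actions(SAMPLE_POLICY).items():
        print(f"{action} is granted by {', '.join(patterns)}")
```

Run against the real policy file by reading it into `covered_sensitive_actions` instead of `SAMPLE_POLICY`; any action listed in the result is one the wildcard grants whether or not the check needs it.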
```console
prowler <provider> -M csv json json-asff html
```
The HTML report will be located in the `output` directory, as the other files, and it will look like:
You can use `-l`/`--list-checks` or `--list-services` to list all available checks or services within the provider.
```console
prowler <provider> --list-checks
prowler <provider> --list-services
```
For executing specific checks or services you can use options `-c`/`--checks` or `-s`/`--services`:
```console
prowler aws --checks s3_bucket_public_access
prowler aws --services s3 ec2
```
Also, checks and services can be excluded with options `-e`/`--excluded-checks` or `--excluded-services`:
You can always use `-h`/`--help` to access the usage information and all the possible options:
```console
prowler -h
```
### Bootstrap Script
Quick bash script to set up a "prowler" IAM user in a "SecurityAudit" group with the required permissions (including "ProwlerReadOnlyPolicy"). To run the script below, you need a user with administrative permissions; set `AWS_DEFAULT_PROFILE` to use that account:
```sh
# Account ID of the account being bootstrapped; needed to build the custom policy ARN below
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
aws iam create-policy --policy-name ProwlerReadOnlyPolicy --policy-document file://$(pwd)/iam/prowler-additions-policy.json
# The group must exist before policies can be attached to it
aws iam create-group --group-name SecurityAudit
aws iam attach-group-policy --group-name SecurityAudit --policy-arn arn:aws:iam::aws:policy/SecurityAudit
aws iam attach-group-policy --group-name SecurityAudit --policy-arn arn:aws:iam::${ACCOUNT_ID}:policy/ProwlerReadOnlyPolicy
aws iam create-user --user-name prowler
aws iam add-user-to-group --user-name prowler --group-name SecurityAudit
aws iam create-access-key --user-name prowler
unset ACCOUNT_ID AWS_DEFAULT_PROFILE
```
The `aws iam create-access-key` command will output the secret access key and the key id; keep these somewhere safe, and add them to `~/.aws/credentials` with an appropriate profile name to use them with prowler. This is the only time the secret key will be shown. If you lose it, you will need to generate a replacement.
We are adding additional checks to improve the information gathered from each account. These checks are out of the scope of the CIS benchmark for AWS, but we consider them very helpful to get to know each AWS account set up and find issues in it.
Some of these checks look for publicly facing resources that may not actually be fully public due to other layered controls like S3 Bucket Policies, Security Groups or Network ACLs.
To list all existing checks please run the command below:
```
./prowler -l
```
> There are some checks not included in that list; they are experimental or checks that take long to run, like `extra759` and `extra760` (search for secrets in Lambda function variables and code).
To check all extras in one command:
```sh
./prowler -g extras
```
or to run just one of the checks:
With this group of checks, Prowler checks whether each service with logging or audit capabilities has them enabled, to ensure all needed evidence is recorded and collected for an eventual digital forensic investigation in case of incident. List of checks part of this group (you can also see all groups with `./prowler -L`). The list of checks can be seen in the group file at:
The `forensics-ready` group of checks uses existing and extra checks. To get a forensics readiness report, run this command:
```sh
./prowler -g forensics-ready
```
## GDPR Checks
With this group of checks, Prowler shows the results of checks related to GDPR; more information [here](https://github.com/toniblyx/prowler/issues/189). The list of checks can be seen in the group file at:
[groups/group9_gdpr](groups/group9_gdpr)
The `gdpr` group of checks uses existing and extra checks. To get a GDPR report, run this command:
```sh
./prowler -g gdpr
```
## HIPAA Checks
With this group of checks, Prowler shows results of controls related to the "Security Rule" of the Health Insurance Portability and Accountability Act, aka [HIPAA](https://www.hhs.gov/hipaa/for-professionals/security/index.html), as defined in [45 CFR Subpart C - Security Standards for the Protection of Electronic Protected Health Information](https://www.law.cornell.edu/cfr/text/45/part-164/subpart-C) within [PART 160 - GENERAL ADMINISTRATIVE REQUIREMENTS](https://www.law.cornell.edu/cfr/text/45/part-160) and [Subpart A](https://www.law.cornell.edu/cfr/text/45/part-164/subpart-A) and [Subpart C](https://www.law.cornell.edu/cfr/text/45/part-164/subpart-C) of PART 164 - SECURITY AND PRIVACY.
More information on the original PR is [here](https://github.com/toniblyx/prowler/issues/227).
### Note on Business Associate Addendum (BAA)
Under the HIPAA regulations, cloud service providers (CSPs) such as AWS are considered business associates. The Business Associate Addendum (BAA) is an AWS contract that is required under HIPAA rules to ensure that AWS appropriately safeguards protected health information (PHI). The BAA also serves to clarify and limit, as appropriate, the permissible uses and disclosures of PHI by AWS, based on the relationship between AWS and our customers, and the activities or services being performed by AWS. Customers may use any AWS service in an account designated as a HIPAA account, but they should only process, store, and transmit protected health information (PHI) in the HIPAA-eligible services defined in the Business Associate Addendum (BAA). For the latest list of HIPAA-eligible AWS services, see [HIPAA Eligible Services Reference](https://aws.amazon.com/compliance/hipaa-eligible-services-reference/).
More information on AWS & HIPAA can be found [here](https://aws.amazon.com/compliance/hipaa-compliance/)
The list of checks shown by this group is as follows; they will be mostly relevant for Subsections [164.306 Security standards: General rules](https://www.law.cornell.edu/cfr/text/45/164.306) and [164.312 Technical safeguards](https://www.law.cornell.edu/cfr/text/45/164.312). Prowler is only able to make checks in the spirit of the technical requirements outlined in these Subsections, and cannot cover all procedural controls required. They can be found in the group file at:
[groups/group10_hipaa](groups/group10_hipaa)
The `hipaa` group of checks uses existing and extra checks. To get a HIPAA report, run this command:
## Checks Configurations
Several Prowler checks have user-configurable variables that can be modified in a common **configuration file**.
This file can be found in the following path:
```
prowler/config/config.yaml
```
## AWS
Use a custom AWS profile with `-p`/`--profile` and/or the AWS regions you want to audit with `-f`/`--filter-region`:
> By default, `prowler` will scan all Azure subscriptions.
## Add Custom Groups
1. Follow the structure in file `groups/groupN_sample`
1. Name your group with a non-existing number
1. Save changes and run it as `./prowler -g extraNN`
1. Send me a pull request! :)
- You can also create a group with only the checks that you want to perform in your company, for instance a group named `group9_mycompany` with only the list of checks that you care about or that your particular compliance requires.
## Third Party Integrations
### AWS Security Hub
There is a blog post about that integration in the AWS Security blog here <https://aws.amazon.com/blogs/security/use-aws-fargate-prowler-send-security-configuration-findings-about-aws-services-security-hub/>
### Telegram
Javier Pecete has done an awesome job integrating Prowler with Telegram; you have more details here <https://github.com/i4specete/ServerTelegramBot>
### Cloud Security Suite
The guys of SecurityFTW have added Prowler to their Cloud Security Suite along with other cool security tools <https://github.com/SecurityFTW/cs-suite>
## License
All CIS based checks in the checks folder are licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International Public License.
Any other piece of code is licensed as Apache License 2.0 as specified in each file. You may obtain a copy of the License at
<http://www.apache.org/licenses/LICENSE-2.0>
NOTE: If you are interested in using Prowler for commercial purposes remember that due to the CC4.0 license “The distributors or partners that are interested and using Prowler would need to enroll as CIS SecureSuite Members to incorporate this product, which includes references to CIS resources, in their offering.". Information about CIS pricing for vendors here: <https://www.cisecurity.org/cis-securesuite/pricing-and-categories/product-vendor/>
**I'm not related in any way with the CIS organization; I just write and maintain Prowler to help companies all over the world make their cloud infrastructure more secure.**
If you want to contact me visit <https://blyx.com/contact>
# 🎉 New Features
- Python: we got rid of all bash and it is now all in Python.
- Faster: huge performance improvements (same account from 2.5 hours to 4 minutes).
- Developers and community: we have made it easier to contribute with new checks and new compliance frameworks. We also included unit tests.
- Multi-cloud: in addition to AWS, we have added Azure; we plan to include GCP and OCI soon, let us know if you want to contribute!
# 📃 License
Prowler is licensed as Apache License 2.0 as specified in each file. You may obtain a copy of the License at
<http://www.apache.org/licenses/LICENSE-2.0>
As an **AWS Partner**, we have passed the [AWS Foundation Technical Review (FTR)](https://aws.amazon.com/partners/foundational-technical-review/) and we use the following tools and automation to make sure our code is secure and dependencies are up to date:
- `bandit` for code security review.
- `safety` and `dependabot` for dependencies.
- `hadolint` and `dockle` for our container security.
- `snyk` in Docker Hub.
- `clair` in Amazon ECR.
- `vulture`, `flake8`, `black` and `pylint` for formatting and best practices.
## Reporting a Vulnerability
If you would like to report a vulnerability or have a security concern regarding Prowler Open Source or the ProwlerPro service, please submit the information by contacting help@prowler.pro.
The information you share with Verica as part of this process is kept confidential within Verica and the Prowler team. We will only share this information with a third party if the vulnerability you report is found to affect a third-party product, in which case we will share this information with the third-party product's author or manufacturer. Otherwise, we will only share this information as permitted by you.
We will review the submitted report, and assign it a tracking number. We will then respond to you, acknowledging receipt of the report, and outline the next steps in the process.
You will receive a non-automated response to your initial contact within 24 hours, confirming receipt of your reported vulnerability.
We will coordinate public notification of any validated vulnerability with you. Where possible, we prefer that our respective public disclosures be posted simultaneously.
```sh
# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_extra71="7.1,7.01"
CHECK_TITLE_extra71="[extra71] Ensure users of groups with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)"
CHECK_SCORED_extra71="NOT_SCORED"
CHECK_TYPE_extra71="EXTRA"
CHECK_ALTERNATE_extra701="extra71"
CHECK_ALTERNATE_check71="extra71"
CHECK_ALTERNATE_check701="extra71"
extra71(){
  # "Ensure users of groups with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)"
  ADMIN_GROUPS=''
  AWS_GROUPS=$($AWSCLI $PROFILE_OPT iam list-groups --output text --query 'Groups[].GroupName')
```
```sh
CHECK_ID_extra720="7.20"
CHECK_TITLE_extra720="[extra720] Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)"
CHECK_SCORED_extra720="NOT_SCORED"
CHECK_TYPE_extra720="EXTRA"
CHECK_ALTERNATE_check720="extra720"
extra720(){
  # "Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)"
```
```sh
DAYS_TO_EXPIRE_THRESHOLD="7"
CHECK_ID_extra730="7.30"
CHECK_TITLE_extra730="[extra730] Check if ACM Certificates are about to expire in $DAYS_TO_EXPIRE_THRESHOLD days or less (Not Scored) (Not part of CIS benchmark)"
CHECK_SCORED_extra730="NOT_SCORED"
CHECK_TYPE_extra730="EXTRA"
CHECK_ALTERNATE_check730="extra730"
extra730(){
  # "Check if ACM Certificates are about to expire in $DAYS_TO_EXPIRE_THRESHOLD days or less"
```
```sh
        textFail "CloudFront distribution $dist has no Geo restrictions"
      else
        textPass "CloudFront distribution $dist has Geo restrictions enabled"
      fi
    done
  else
    textInfo "No CloudFront distributions found"
  fi
}
```
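The `extra71` fragment above stops right after listing the groups. As an added example, not Prowler's own code, here is the rest of that check's logic written in Python over constructed IAM data; the dictionaries stand in for the responses of `aws iam list-groups`, `list-attached-group-policies`, `get-group` and `list-mfa-devices`, and the group, user and account values are invented for illustration.

```python
"""Added example (not Prowler's own code): the logic of check extra71 over
constructed IAM data. Groups with the AWS managed AdministratorAccess policy
attached are found first; then every user in those groups is reported as a
FAIL unless it has at least one MFA device. Inline policies and policies
attached directly to users are out of scope, as in the bash check's title.
"""

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

# Constructed sample inventory (not a real account, not real users).
GROUP_POLICIES = {  # group name -> attached managed policy ARNs
    "Admins": [ADMIN_POLICY_ARN, "arn:aws:iam::aws:policy/ReadOnlyAccess"],
    "Developers": ["arn:aws:iam::aws:policy/PowerUserAccess"],
    "BreakGlass": [ADMIN_POLICY_ARN],
}
GROUP_MEMBERS = {  # group name -> user names (a user may be in several groups)
    "Admins": ["alice", "bob"],
    "Developers": ["carol"],
    "BreakGlass": ["bob", "dave"],
}
USER_MFA_DEVICES = {  # user name -> MFA device serial numbers
    "alice": ["arn:aws:iam::123456789012:mfa/alice"],
    "bob": [],
    "carol": [],
    "dave": ["arn:aws:iam::123456789012:mfa/dave"],
}


def admin_groups(group_policies):
    """Groups that have the AdministratorAccess managed policy attached, sorted by name."""
    return sorted(g for g, arns in group_policies.items() if ADMIN_POLICY_ARN in arns)


def admin_users_without_mfa(group_policies, group_members, user_mfa_devices):
    """Map each admin-group user with no MFA device to the admin groups granting that access."""
    findings = {}
    for group in admin_groups(group_policies):
        for user in group_members.get(group, []):
            if not user_mfa_devices.get(user):
                findings.setdefault(user, []).append(group)
    return findings


def extra71_report(group_policies, group_members, user_mfa_devices):
    """One (status, message) pair per admin-group user, mirroring textPass/textFail/textInfo."""
    groups = admin_groups(group_policies)
    if not groups:
        return [("INFO", "No groups with AdministratorAccess policy attached")]
    report = []
    for group in groups:
        for user in group_members.get(group, []):
            if user_mfa_devices.get(user):
                report.append(("PASS", f"User {user} in admin group {group} has MFA enabled"))
            else:
                report.append(("FAIL", f"User {user} in admin group {group} has no MFA device"))
    return report


if __name__ == "__main__":
    for status, message in extra71_report(GROUP_POLICIES, GROUP_MEMBERS, USER_MFA_DEVICES):
        print(f"{status}: {message}")
```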