mirror of
https://github.com/prowler-cloud/prowler.git
synced 2026-07-18 18:11:57 +00:00
66df5f7a1c
Co-authored-by: Sergio Garcia <hello@mistercloudsec.com> Co-authored-by: Andoni Alonso <14891798+andoniaf@users.noreply.github.com>
85 lines
5.6 KiB
YAML
85 lines
5.6 KiB
YAML
CustomChecksMetadata:
|
|
aws:
|
|
Checks:
|
|
s3_bucket_level_public_access_block:
|
|
Severity: high
|
|
CheckTitle: S3 Bucket Level Public Access Block
|
|
Description: This check ensures that the S3 bucket level public access block is enabled.
|
|
Risk: This check is important because it ensures that the S3 bucket level public access block is enabled.
|
|
RelatedUrl: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html
|
|
Remediation:
|
|
Code:
|
|
CLI: aws s3api put-public-access-block --bucket <bucket-name> --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
|
|
NativeIaC: https://aws.amazon.com/es/s3/features/block-public-access/
|
|
Other: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
|
|
Terraform: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block
|
|
Recommendation:
|
|
Text: Enable the S3 bucket level public access block.
|
|
Url: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html
|
|
s3_bucket_no_mfa_delete:
|
|
Severity: high
|
|
CheckTitle: S3 Bucket No MFA Delete
|
|
Description: This check ensures that the S3 bucket does not allow delete operations without MFA.
|
|
Risk: This check is important because it ensures that the S3 bucket does not allow delete operations without MFA.
|
|
RelatedUrl: https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html
|
|
Remediation:
|
|
Code:
|
|
CLI: aws s3api put-bucket-versioning --bucket <bucket-name> --versioning-configuration Status=Enabled
|
|
NativeIaC: https://aws.amazon.com/es/s3/features/versioning/
|
|
Other: https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html
|
|
Terraform: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning
|
|
Recommendation:
|
|
Text: Enable versioning on the S3 bucket.
|
|
Url: https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html
|
|
azure:
|
|
Checks:
|
|
storage_infrastructure_encryption_is_enabled:
|
|
Severity: medium
|
|
CheckTitle: Storage Infrastructure Encryption Is Enabled
|
|
Description: This check ensures that storage infrastructure encryption is enabled.
|
|
Risk: This check is important because it ensures that storage infrastructure encryption is enabled.
|
|
RelatedUrl: https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption
|
|
Remediation:
|
|
Code:
|
|
CLI: az storage account update --name <storage-account-name> --resource-group <resource-group-name> --set properties.encryption.services.blob.enabled=true properties.encryption.services.file.enabled=true properties.encryption.services.queue.enabled=true properties.encryption.services.table.enabled=true
|
|
NativeIaC: https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts
|
|
Other: https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption
|
|
Terraform: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account
|
|
Recommendation:
|
|
Text: Enable storage infrastructure encryption.
|
|
Url: https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption
|
|
gcp:
|
|
Checks:
|
|
compute_instance_public_ip:
|
|
Severity: critical
|
|
CheckTitle: Compute Instance Public IP
|
|
Description: This check ensures that the compute instance does not have a public IP.
|
|
Risk: This check is important because it ensures that the compute instance does not have a public IP.
|
|
RelatedUrl: https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address
|
|
Remediation:
|
|
Code:
|
|
CLI: gcloud compute instances describe INSTANCE_NAME --zone=ZONE
|
|
NativeIaC: https://cloud.google.com/compute/docs/reference/rest/v1/instances
|
|
Other: https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address
|
|
Terraform: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance
|
|
Recommendation:
|
|
Text: Remove the public IP from the compute instance.
|
|
Url: https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address
|
|
kubernetes:
|
|
Checks:
|
|
apiserver_anonymous_requests:
|
|
Severity: low
|
|
CheckTitle: APIServer Anonymous Requests
|
|
Description: This check ensures that anonymous requests to the APIServer are disabled.
|
|
Risk: This check is important because it ensures that anonymous requests to the APIServer are disabled.
|
|
RelatedUrl: https://kubernetes.io/docs/reference/access-authn-authz/authentication/
|
|
Remediation:
|
|
Code:
|
|
CLI: --anonymous-auth=false
|
|
NativeIaC: https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-anonymous-auth-argument-is-set-to-false-1#kubernetes
|
|
Other: https://kubernetes.io/docs/reference/access-authn-authz/authentication/
|
|
Terraform: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_binding
|
|
Recommendation:
|
|
Text: Disable anonymous requests to the APIServer.
|
|
Url: https://kubernetes.io/docs/reference/access-authn-authz/authentication/
|